Safenet Lunasa HSM First Configuration

Serial port is connected first

[email protected]<hostname>’s password: chrysalis

the password is changed.

Date Settings

[CeyHSM] lunash:>status date

[CeyHSM] lunash:>sysconf -timezone -set Europe/Istanbul

Network Settings

[CeyHSM] lunash:>net show

[CeyHSM] lunash:>net hostname CeyHSM

[CeyHSM] lunash:>net -dns -nameserver 172.16.128.100

[CeyHSM] lunash:>net interface -static -device eth0 -ip 172.16.128.111 -netmask 255.255.255.0 -gateway 172.16.128.1

Firmware Update

[CeyHSM] lunash:>hsm show

[CeyHSM] lunash:>hsm u f

HSM init

[CeyHSM] lunash:>hsm init -label CeyHSM

[CeyHSM] lunash:>hsm ped vector init

For making HSM FIPS-Compliant

hsm -changePolicy -policy 12 -value 0 ( Allow Non-FIPS algorithms,works when no)

Generate HSM Server certificate

[CeyHSM] lunash:>sysconf regenCert

[CeyHSM] lunash:>ntls bind eth0 -bind 172.16.128.111

Remote ped Connection

On Host computer

C:\HSM_SafeNetLunaSA>PedServer.exe -m start

[CeyHSM] lunash:>hsm ped connect -ip 172.16.128.116 -port 1503

Create Partition

[CeyHSM] lunash:>hsm login

[CeyHSM] lunash:>partition -create -name partitionceyhun

[CeyHSM] lunash:>partition -showpolicies -partition partitionceyhun

[CeyHSM] lunash:>partition changePolicy -partition partitionceyhun -policy 22 -value 1

[CeyHSM] lunash:>partition changePolicy -partition partitionceyhun -policy 23 -value 1

[CeyHSM] lunash:>partition activate -par partitionceyhun -pass AdHP-XYZ0-0XYZ/ZYX0

[CeyHSM] lunash:>partition autoActivate -p partitionceyhun -on

Link host with HSM

c:\Program Files\LunaSA>ctp [email protected]:server.pem .

c:\Program Files\LunaSA>dir

c:\Program Files\LunaSA>vtl addServer -n 172.16.128.111 -c server.pem

Generate Client cert

c:\Program Files\LunaSA>vtl createCert -n 172.16.128.116

c:\Program Files\LunaSA>ctp cert\client\172.16.128.116.pem [email protected]:

Register client to HSM

[CeyHSM] lunash:>client -register -client ftClient2 -ip 172.16.128.116

[CeyHSM] lunash:>client assignPartition -client ftClient2 -partition ftPartition2

[CeyHSM] lunash:>sysconf rem di

[CeyHSM] lunash:>ntls bind eth0

c:\Program Files\LunaSA>vtl verify

Linux Client

cd /usr/lunasa/bin

./ctp [email protected]:server.pem .

./vtl addServer -n 172.16.128.111 -c server.pem

./vtl createCert -n 172.16.128.116

./ctp ../cert/client/172.16.128.116.pem [email protected]:

Generate Key Pair

c:\Program Files\LunaSA>cmu generateKeyPair -modulusBits=2048 -publicExp=65537 -sign=1 -verify=1 -labelPublic=PublicKey -labelPrivate=PrivateKey -modifiable=1

Generate Request Certificate

c:\Program Files\LunaSA>cmu requestCertificate -privateHandle=10 -publicHandle=9 -cn=”test Certificate” -outputFile=cert01-company.req

Importing the certificate:

c:\Program Files\LunaSA>cmu import -inputFile= cert01-company.cer -label=Sample Certificate

Note :The object imported with the ckdemo application must be copied and its private property changed to false.

syslog tail entries 9999 logname hsm

Generate Key Pair Self Signed Certificate

c:\Program Files\LunaSA>cmu selfSignCertificate -publichandle=9 -privatehandle=10 -serialNumber=a1a1a1a1 -C=TR -keyusage=digitalsignature -label= cert01-company -CN=ceyhun

**********************************

**Luna CSP ile Generate Key Pair**

**********************************

Registering partition to CSP:

C:\Program Files\LunaSA\CSP>register

Generating certificate requests:

C:\Users\Administrator\Desktop>Certreq -New policy.inf ceyhun-cert.req

Policy.inf

[NewRequest]

Subject = “CN = Ceyhun Certificate Request,OU = Signature,O = SD,L = Izmir,S = Izmir,C = TR”

KeyLength=2048

ProviderName=”Luna Cryptographic Services for Microsoft Windows”

Associating the generated certificate with LunaCSP in CertificateStore:

C:\Users\Administrator\Desktop>certutil.exe -f -csp “Luna Cryptographic Services for Microsoft Windows” -repairstore MY 2B0EDF1D71D84445ED7B28EFEEB3BC92

If SSH service does not work:

sysconf setAdmin show

sysconf setAdmin device eth0

Partition01: AdHP-XYZ0-0XYZ/ZYX0

Partition02: JSSxXYZ0tPHEABCDd

When HSM is closed and applications cannot be logged in:

ssh [email protected]

>hsm login

At this stage, the blue hsm admin pad is attached.

>partition activate -partition Partition01 -password AdHP-XYZ0-0XYZ/ZYX0

Here, the black pad (partition admin pad) is attached.