Configuring Cryptographic Security Platform Vault as a Luna HSM Client with Individual Node Certificates
ipcheck feature enabled, you must use unique node certificates.
The following procedure describes how to configure Cryptographic Security Platform Vault as an HSM client that uses unique certificates for each node in the cluster. If you want to use a single certificate that will be shared by all nodes in the cluster, see Configuring Cryptographic Security Platform Vault as a Luna HSM Client with a Single Cluster Certificate.
Before You Begin
For
- The HSM server name.
- The user name and password for an HSM account with Admin privileges.
-
The HSM partition name and password.
- The client name you want to assign to Cryptographic Security Platform Vault on all of the HSM servers.
You will also need:
- A Cryptographic Security Platform Vault account with Security Admin privileges.
- Access to the HSM server via a shell account. The following procedure uses
sshto connect to the server.
Note: The following instructions are specific to the Luna HSM.
Procedure
-
Download the HSM server certificate file
server.pemfromserver.pemcertificate file so that youFor example, if your HSM server is
hsm1.my-company.com, you could enter:# scp admin@hsm1.my-company.com:server.pem ./hsm1cert.pem admin@hsm1.my-company.com's password: server.pem 100% 1155 1.1KB/s 00:00
- Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the System Settings section, click HSM Server Settings.
- On the HSM Server Settings page, select Thales Luna HSM from the Type drop-down list.
-
On theLuna HSM Server Settings page, select the Luna HSM tab and then specify the options you want to use for the HSM server.
Field
Description
State
Make sure this field is set to Enabled.
Hostname
Enter the hostname for
Partition Label or HA Group Name
Enter the partition label for the partition on
Note: Make sure you enter the partition label and not the partition name in this field.
Partition or
Crypto Officer (CO) PasswordEnter the password for the Cryptographic Security Platform Vault partition or the Crypto Officer (CO) password for Luna HSM modules version 7 and above.
Server Certificate
Click Browse and open the appropriate HSM server certificate file.
Client Certificate Mode
Select the Individual Node Certificates radio button so that Cryptographic Security Platform Vault will use a unique certificate for each node in the cluster.
Admin Key ID
Indicates whether an Admin Key already exists on the HSM.
- Click Apply, then click Proceed at the prompt. Do not test the connection yet.
- Navigate to the Client List tab. You should see one entry for each Cryptographic Security Platform Vault node in the cluster.
-
Select the first node in the list, then select Actions > Generate Client Certificate for node-name.domain-name. Cryptographic Security Platform Vault automatically generates a unique certificate for that node called
node-name.domain-name.pemand downloads it to your browser's default download location.For example, if the name of the node is
KC-1and it is running on the domainmy-company.com, the certificate file would be calledKC-1.my-company.com.pem. - Repeat the previous step for each Cryptographic Security Platform Vault node in the cluster.
-
Upload all certificates to the root directory on
# scp KC-1.my-company.com.pem admin@hsm1.my-company.com: admin@hsm1.my-company.com's password: KC-1.my-company.com.pem 100% 1164 1.1KB/s 00:00 # scp KC-2.my-company.com.pem admin@hsm1.my-company.com: admin@hsm1.my-company.com's password: KC-2.my-company.com.pem 100% 1164 1.1KB/s 00:00
-
Using a shell account, log into
-
Register the new Cryptographic Security Platform Vault client using
"node-name.domain-name"for both the client name and hostname. The double quotes are required because of the period in the client name.Tip: If the registration fails because a client of that name already exists, you either need to delete the existing client or go back to the webGUI, enter an new client name, click Apply, and then download a new cluster certificate that you can upload to the HSM server.
- Assign a partition to the Cryptographic Security Platform Vault client.
For example, if you want the Cryptographic Security Platform Vault client to be assigned to
KC_partition1onhsm1.my-company.com, you could enter:# ssh admin@hsm1.my-company.com admin@hsm1.my-company.com's password: [hsm1] lunash:>client register -client "KC-1.my-company.com" -hostname "KC-1.my-company.com" 'client register' successful Command Result : 0 (Success) [hsm1] lunash:>client register -client "KC-2.my-company.com" -hostname "KC-2.my-company.com" 'client register' successful Command Result : 0 (Success) [hsm1] lunash:>client assignPartition -client "KC-1.my-company.com" -partition KC_partition1 'client assignPartition' successful Command Result : 0 (Success) [hsm1] lunash:>client assignPartition -client "KC-2.my-company.com" -partition KC_partition1 'client assignPartition' successful Command Result : 0 (Success) [hsm1] lunash:>exit
-
-
Return to the Thales HSM Server Settings page and click Test. You should see a message that says the HSM connection is OK and that the Admin Key needs to be regenerated.
To regenerate the Admin key, go to Settings > General Settings > Admin Key Parts, then click Generate New Key. You should get a message that the Admin Key was successfully generated and distributed. To verify this, go back to Settings > System Settings > HSM Server Settings. The Admin Key ID field should display a GUID for the new Admin Key.
