Configuring KeyControl as a Luna Cloud HSM Client

The following procedure describes how to configure KeyControl as a Luna Cloud HSM Client.

Important: You can only configure both the Luna Cloud HSM and the Luna HSM if you are forming a cluster.

Before You Begin

For the HSM server that you want to connect to KeyControl, make sure you have the following information available:

  • The service client bundle for the HSM. When you create a service client, you will be prompted to download the service client bundle.

  • The HSM partition name and password.

You will also need:

  • A KeyControl account with Security Admin privileges.
  • Access to the HSM server via a shell account. The following procedure uses ssh to connect to the server.

Procedure

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the System Settings section, click HSM Server Settings.
  5. On the HSM Server Settings page, select Thales Luna HSM from the Type drop-down list.
  6. On the Luna HSM Server Settings page, select the Luna Cloud HSM tab and then specify the options you want to use for the HSM server.

    Field and description:

    State
      Make sure this field is set to Enabled.

    Partition Label or HA Group Name
      Enter the partition label for the partition on the HSM server that KeyControl will be using.
      Note: Make sure you enter the partition label and not the partition name in this field.

    Crypto Officer (CO) Password
      Enter the Crypto Officer (CO) password for the partition.

    Service Client Bundle
      Click Browse to specify the location of the service client bundle that you downloaded.

    Session Timeout
      The length of time KeyControl keeps the communication session open with an HSM server. When the session expires, a new session is created with the same timeout value. The default is 30 minutes.

  7. Click Apply, then click Proceed at the prompt. Do not test the connection yet.
  8. Select Actions > Generate Client Certificate to download the cluster certificate that all KeyControl nodes can use. KeyControl automatically saves the client-name.pem file to your browser's default download location.

    For example, if you use the default client name KC_Cluster, the cluster certificate name would be KC_Cluster.pem.

  9. Select Actions > Test Connection to test your connection. You should see a message that says the HSM connection is OK.