Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority

A trusted Certificate Authority (CA) can provide authentication for your NTLS connections. This can be a commercial third-party CA or your organization's own signing station. This type of connection is created in the following stages:

1.The Luna Network HSM 7 can be authenticated using either a self-signed certificate or a trusted CA, depending on your preference and installed Luna Appliance Software version:

Registering a Self-Signed Appliance Certificate to the Client

Authenticating an Appliance Certificate With a Trusted CA and Registering the CA Chain (requires Luna Appliance Software 7.7.0 or newer)

2.The Luna HSM Client can be authenticated using either a self-signed certificate or a trusted CA:

Creating a Self-Signed Client Certificate

Authenticating a Client Certificate With a Trusted CA and Registering the CA Chain (requires Luna HSM Client 10.1.0 or newer).

3.The Luna HSM Client must be registered using the self-signed client certificate, the client certificate and CA cert chain, or the CA cert chain alone (requires Luna Appliance Software 7.8.3 or newer), depending on your preference and installed Luna Appliance Software version.

See Registering the Client on the Appliance.


Registering a Self-Signed Appliance Certificate to the Client

Use the following procedure to transfer the appliance's self-signed certificate to the client and register it.

Prerequisites

>You must have admin- or operator-level access to LunaSH on the appliance, or access to a custom LunaSH account.

>You must have Administrator privileges on the client workstation.

To register the appliance certificate to the client

1.Use pscp (Windows) or sftp (Linux/UNIX) to import the HSM Appliance Server Certificate (server.pem) from the appliance to the client workstation. You require admin- or operator-level account access to complete this step. If you do not have SSH access to the appliance, or a firewall blocks file transfer over the network, the appliance admin must provide this certificate by other secure means; in that case confirm the certificate's fingerprint with the admin out of band before you register it.

TIP   If you are importing certificates from multiple appliances to this client, rename each incoming certificate during the pscp/sftp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.

pscp <user>@<host/IP>:server.pem <target_filename>

sftp <user>@<host/IP>:server.pem <target_filename>

NOTE   When using pscp/sftp over an IPv6 network, enclose addresses in square brackets.

You must accept the appliance's SSH host key the first time you open a pscp/sftp or SSH connection. Before accepting it, compare the fingerprint shown by your SSH client with the one reported by LunaSH, so that you are not trusting a key presented by an interposed host.

lunash:> sysconf fingerprint ssh

If the HSM appliance IP or hostname is changed, or the appliance is re-imaged and its host key regenerated, SSH detects that the key cached for that address no longer matches and warns you of a possible man-in-the-middle attack. If you know why the key changed, remove the stale entry from the client's known hosts file (/<user home dir>/.ssh/known_hosts, or known_hosts2 on older clients; ssh-keygen -R <host/IP> does this for you), confirm the new fingerprint with sysconf fingerprint ssh, and re-import the server certificate. If you did not expect the key to change, stop and investigate before clearing the warning.

2.Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales Group recommends specifying an IP address to avoid network issues.

>vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>

Next, you must create a client certificate, either self-signed or to be signed by the CA:

>Creating a Self-Signed Client Certificate

>Authenticating a Client Certificate With a Trusted CA and Registering the CA Chain

Authenticating an Appliance Certificate With a Trusted CA and Registering the CA Chain

Use the following procedure to authenticate the appliance by having its certificate signed by your trusted CA.

Prerequisites

>You must have admin-level access to LunaSH on the appliance.

To authenticate the appliance using a certificate signed by a trusted CA

1.Log in to LunaSH as admin (see Logging In to LunaSH).

2.Regenerate the Luna Network HSM 7 server certificate, specifying the -csr option to create a Certificate Signing Request (CSR)—an unsigned certificate to be signed by a Certificate Authority (CA). You have the option to specify other information about the certificate.

CAUTION!   Regenerating the server certificate will break any existing NTLS/STC connections, when a subsequent restart of the service is performed.

lunash:> sysconf regenCert -csr

3.Transfer the CSR (serverCSR.pem) from the appliance to a workstation using sftp or pscp.

pscp <user>@<host/IP>:serverCSR.pem <target_filename>

sftp <user>@<host/IP>:serverCSR.pem <target_filename>

NOTE   When using pscp or sftp over an IPv6 network, enclose addresses in square brackets.

You must accept the appliance's SSH host key the first time you open an SFTP/PSCP or SSH connection. Compare the fingerprint shown by your SSH client with the one reported by LunaSH before accepting it.

lunash:> sysconf fingerprint ssh

4.Submit the serverCSR.pem certificate file to be signed by the Certificate Authority, as directed by the documentation of the particular Certificate Authority. You require the following artifacts from the CA:

Signed, base64-encoded, PEM-formatted server certificate for the appliance

The CA's base64-encoded, PEM-formatted certificate chain, including the root certificate

5.Upon receiving the signed server certificate, transfer the signed server certificate and the CA certificate chain to the admin user on the appliance using sftp or pscp. The files arriving at the appliance are automatically placed in the appropriate directory. Do not specify a target directory.

6.Log in to LunaSH as admin and register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension. Repeat this step until the entire certificate chain is registered.

lunash:> client addCA <filename>

7.[Optional] Display a list of CA certificates registered on the appliance.

lunash:> client listCAs

8.Install the signed appliance server certificate. This replaces the appliance's server.pem with the signed certificate.

lunash:> sysconf installCert <filename>

9.Restart the NTLS, STC and CBS services.

lunash:> service restart <service>

Next, you must create a client certificate, either self-signed or to be signed by the CA:

>Creating a Self-Signed Client Certificate

>Authenticating a Client Certificate With a Trusted CA and Registering the CA Chain

Creating a Self-Signed Client Certificate

Use the following procedure to create a self-signed client certificate.

Prerequisites

>Read/write access to the Luna HSM Client installation directory is required.

To create a self-signed client certificate

1.Create a certificate and private key for the client. If you specify a client hostname, it must match exactly the hostname reported by the hostname command.

CAUTION!   If you are registering this client with multiple Luna Network HSM 7 appliances, you only need to complete this step once. Register the same client certificate for all appliances. If you recreate the client certificate and key, any existing NTLS connections will be broken.

>vtl createCert -n <client_hostname/IP>

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.

Next, you must register the client certificate on the appliance. See Registering the Client on the Appliance

Authenticating a Client Certificate With a Trusted CA and Registering the CA Chain

Use the following procedure to authenticate the client by having its certificate signed by your trusted CA.

Prerequisites

>You must have Administrator privileges on the client workstation.

To authenticate a client using a certificate signed by a trusted CA

1.On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2.Create a Certificate Signing Request (CSR) for the client—an unsigned certificate to be signed by a third-party Certificate Authority (CA). You must specify the client hostname or IP. You have the option to specify other information about the certificate.

CAUTION!   Creating a new CSR generates a new client key pair. Once the new certificate is installed and registered, any existing NTLS/STC connections that relied on the previous client certificate will be broken.

> vtl createCSR -n <client_hostname/IP>

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>CSR.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.

3.Submit the CSR file to be signed by your preferred or in-house Certificate Authority. You require the following artifacts from the CA:

Signed, base64-encoded, PEM-formatted client certificate. The certificate must include the Extended Key Usage extension (shown as "Enhanced Key Usage" by Windows tools) for client authentication (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2); check for it before registering the certificate, because a certificate issued from a template without it will not be accepted.

The CA's base64-encoded, PEM-formatted certificate chain, including the root certificate

4.Register the CA certificate chain in the client's trust store. Specify the full path and filename for each certificate. Repeat this step until the entire certificate chain is registered.

> vtl addCA -n <cert_name> -c <cert_filepath/name>

5.Copy the signed client certificate to the following location in the Luna HSM Client directory:

Windows: C:\Program Files\SafeNet\LunaClient\cert\client\

Linux/AIX: /usr/safenet/lunaclient/cert/client/

Solaris: /opt/safenet/lunaclient/cert/client/

6.Add the IP/hostname of any Luna Network HSM 7 appliance where the client will access application partitions. The CA chain used to sign the certificate must be added to the trust store of the appliance, as described in Authenticating an Appliance Certificate With a Trusted CA and Registering the CA Chain.

> vtl addServerNoCert -n <IP/hostname>

7.[Optional] Edit crystoki.ini (Windows) or Chrystoki.conf (Linux/UNIX) to make the client check that the appliance certificate was issued for the IP/hostname the client connects to. Without this setting the client accepts any appliance certificate that chains to a registered CA, whichever host presents it. Enable it only if the appliance server certificate was created with Subject Alternative Names (SANs) that include the IP/hostname the client uses; otherwise the connection will fail.

[Misc]
ValidateHost=1
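The checks a practitioner would run on a signed certificate before registering it, written here as an added example rather than code from the Luna documentation or from the vtl/LunaSH tools. It serves both the signed appliance certificate returned in step 4 of Authenticating an Appliance Certificate With a Trusted CA and the signed client certificate in step 3 above: it confirms that the certificate chains to the CA bundle you are about to register with addCA, that it carries the required Extended Key Usage (clientAuth for the client, serverAuth for the appliance), that its Subject Alternative Name covers the hostname or IP the peer will use (the same binding ValidateHost=1 enforces at connection time), and it warns about imminent expiry. It assumes a POSIX shell with OpenSSL 1.1.0 or newer on the PATH (for -verify_hostname and -verify_ip); the file paths in the usage comment are assumptions that follow the locations used in this procedure.

```shell
#!/bin/sh
# check_luna_cert: offline sanity checks on a CA-signed certificate before
# registering it with vtl addCA / client addCA.  Added example; not part of
# the Luna HSM Client.  Requires OpenSSL 1.1.0+ (-verify_hostname/-verify_ip).
#
#   $1  certificate to check (PEM)
#   $2  CA chain bundle (PEM: issuing CA up to and including the root)
#   $3  expected Extended Key Usage: clientAuth (client cert) or serverAuth (appliance cert)
#   $4  hostname or IP the certificate must cover (DNS/IP SAN, CN fallback)
#
# Usage (assumed paths):
#   check_luna_cert /usr/safenet/lunaclient/cert/client/client1.example.com.pem \
#       /tmp/ca-chain.pem clientAuth client1.example.com
#   check_luna_cert server.pem /tmp/ca-chain.pem serverAuth 10.0.0.5
# Returns 0 when every check passes, 1 on the first failure (reason on stderr).
check_luna_cert() {
  cert="$1"; chain="$2"; want_eku="$3"; host="$4"

  # 1. Chain: the cert must validate against exactly the bundle you will
  #    register with addCA.  A partial chain here is a partial chain on the HSM.
  if ! openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cert does not chain to $chain" >&2; return 1
  fi

  # 2. EKU: clientAuth is required for the client cert; serverAuth for the appliance.
  case "$want_eku" in
    clientAuth) eku_text="TLS Web Client Authentication" ;;
    serverAuth) eku_text="TLS Web Server Authentication" ;;
    *) echo "usage: EKU must be clientAuth or serverAuth, got '$want_eku'" >&2; return 2 ;;
  esac
  if ! openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$eku_text"; then
    echo "FAIL: $cert lacks extendedKeyUsage $want_eku" >&2; return 1
  fi

  # 3. Name binding: the SAN (or CN) must match the name the peer connects to.
  #    Decide whether to match as an IP literal or as a hostname.
  case "$host" in
    *:*)       name_opt="-verify_ip" ;;        # IPv6 literal
    *[!0-9.]*) name_opt="-verify_hostname" ;;  # contains letters: a DNS name
    *)         name_opt="-verify_ip" ;;        # dotted-quad IPv4
  esac
  if ! openssl verify -CAfile "$chain" "$name_opt" "$host" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cert is not valid for $host (SAN mismatch)" >&2; return 1
  fi

  # 4. Expiry: warn (not fail) if the cert expires within 30 days, so a
  #    rotation can be planned before NTLS connections start failing.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "WARN: $cert expires within 30 days; plan a rotation" >&2
  fi

  echo "OK: $cert chains to CA, has $want_eku, and covers $host"
  return 0
}

# Run directly as a script: sh check_luna_cert.sh <cert> <chain> <eku> <host>
if [ $# -eq 4 ]; then
  check_luna_cert "$@"
fi
```

Run it against the signed certificate and the CA bundle exactly as received from the CA; if the chain check fails, the usual cause is a bundle missing the intermediate, and registering that bundle with addCA would produce the same failure inside the NTLS handshake.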

Next, see Registering the Client on the Appliance

Registering the Client on the Appliance

Finally, you must register the client on the appliance. This is accomplished by either registering the client certificate itself, or providing its IP or hostname, depending on your installed version of the Luna Appliance Software.

Prerequisites

>The CA chain used to sign the certificate must be added to both the client's and the appliance's trust store.

>You must have admin-level access to LunaSH on the appliance.

NOTE   The following procedure assumes that you are configuring an NTLS client-partition connection for the first time. Once a connection exists, the appliance trusts a CA-signed client certificate on the basis of the registered CA chain, not of the individual certificate. If the client certificate is replaced later (for example on renewal, or when the client is deployed on multiple virtual machines), the new certificate only needs to be transferred to and registered with the appliance when the CA issued it under a new hostname or IP; a replacement issued under a previously registered hostname or IP keeps the existing NTLS client-partition connection. For such scheduled replacements, Thales recommends installing the new certificate on the client and leaving the expired client certificate in place on the appliance, so that no application downtime is incurred.

To register a client to the appliance

1.If the Luna Network HSM 7 has Luna Appliance Software 7.8.1 or older installed, or if you are using a self-signed client certificate, transfer the client certificate to the admin account (or a custom account with admin-level privileges) on the Luna Network HSM 7.

This step is not required if you are using Luna Appliance Software 7.8.3 or newer to register a CA-signed client; only the CA cert chain is required to authenticate the client.

pscp <cert_path/filename> admin@<host/IP>:[<target_filename>]

sftp <cert_path/filename> admin@<host/IP>:[<target_filename>]

With OpenSSH sftp, which does not accept a local file as its first argument, connect with sftp admin@<host/IP> and upload the certificate with put <cert_path/filename>.

2.Log in to LunaSH as admin or the custom admin account (see Logging In to LunaSH).

3.If you are registering a CA-signed client, verify that the appropriate CA is in the appliance's trust store.

lunash:> client listCAs

If the CA is not already in the appliance's trust store (for example, if you used a self-signed certificate to authenticate the appliance), you must register it now:

a.Transfer the CA certificate chain to the admin user on the appliance using sftp or pscp.

b.Register the CA certificate chain in the appliance trust store. Specify each certificate's filename, minus the .pem extension. Repeat this step until the entire certificate chain is registered.

lunash:> client addCA <filename>

4.Register the client on the appliance. Specify the client's IP address or hostname.

Using Luna Appliance Software 7.8.1 or older, specify the IP or hostname that was used to name the certificate:

lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>}

Using Luna Appliance Software 7.8.3 or newer, include the -nocert option:

lunash:> client register -client <clientname> {-hostname <hostname> | -ip <IPaddress>} -nocert

You can now assign partitions to the client (see Assigning or Revoking NTLS Client Access to a Partition).

Updating a Registered Client Certificate

If the client certificate is expiring, or your security policy requires you to rotate certificates on a schedule, you might prefer to perform the action without closing currently working connections. Using Luna Appliance Software 7.8.3 and newer, the client update command allows you to update the certificate such that it takes effect for all new connections, but current open connections remain open with the pre-update certificate. The CA issuing certificate for clients should be registered on the Luna Network HSM 7 appliance and the CA issuing certificate for the appliance should be registered on the client.