Service Quickstart Guide
This document provides a single article view of the steps required to provision a Luna Cloud HSM Service and initialize a Luna Cloud HSM Service partition. For more information about the procedures, see the linked article in each procedural section.
To provision and configure a Luna Cloud HSM Service for use, you need to complete the following:
- Provision the service
- Create a partition
- Add a client
- Unpack the client
- Initialize the service partition
Tip
Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand marketplace user interfaces refer to a service client. Luna Cloud HSM Services provisioned through external marketplaces user interfaces refer to a partition client. The documentation refers to these components as the client.
Provision the service
Provision a Luna Cloud HSM Service. For more information about Luna Cloud HSM Services see Services and the Luna Cloud HSM Service Guide.
1. Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.
2. Open the Services tab and select the Add Service heading. Navigate the marketplace categories and click Create Service on the service that you would like to provision. If you have not purchased a service subscription or previously completed a trial for the service, the option displays as Try Service.
3. The Add Service wizard displays. Review the Terms of Service and click Next.
4. On the Configure Service page, enter the required criteria for the service. You can optionally enable the use of algorithms that are not FIPS compliant by selecting the Remove FIPS restrictions check box.
   Caution
   You cannot alter the FIPS setting after creating the service.
   Click Next.
5. Review your configuration summary page, and if you are satisfied click Finish. If you would like to adjust the service configuration, click Go Back.
   DPoD initializes provisioning of the service; this may take a few moments. After provisioning completes, the service is visible under the View Services table in DPoD with the Provisioned status.
Luna Cloud HSM Services are available from the following external service marketplaces:
When you provision a Luna Cloud HSM Service through an external marketplace a Thales Data Protection on Demand subscriber tenant is generated and the user is registered as the primary tenant administrator. The DPoD Subscriber Tenant provides access to features such as Reporting and User and Account Management. For more information about DPoD and Tenants see the DPoD Platform Documentation.
Luna Cloud HSM Services provisioned through external marketplaces do not benefit from the following DPoD features: Service Credentials, Purchasing a Service Subscription through DPoD marketplace.
Create a partition
Luna Cloud HSM Services provide users access to partitions. If using an external marketplace, create a partition. For more information see Create Partition.
Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand platform provide access to a single partition per service. The partition is automatically generated and registered on service creation.
Users of Luna Cloud HSM Services provisioned through external (non-DPoD) marketplaces can create and manage the number of partitions defined by the Service Plan.
1. Access the service page and view HSM Partitions by clicking the service's name in the Services table of your DPoD tenant.
   The service page displays. If you are directly accessing the service page for the first time, you must provide your DPoD tenant hostname/URL and user credentials.
2. Click Create Partition.
   The Create Partition wizard displays.
3. On the Configure Partition screen, provide a Partition Name. You can optionally enable the use of algorithms that are not FIPS compliant by selecting the Remove FIPS restrictions check box.
   Click Next.
   Caution
   You cannot alter the FIPS setting after creating the partition.
4. Review your configuration summary page and, if acceptable, click Finish. If you would like to make changes to the configuration, click Go Back.
   The DPoD server generates the partition; this may take a few moments.
   Once added, the new partition is listed under HSM Partitions and you are redirected to the service page, which lists the partition details and the partition clients. See the Service Page for more information about available service, partition, and partition client details. See Add and Configure Client for more information about using the partition client.
Add a client
Download a client using your DPoD tenant. For information about adding a Luna Cloud HSM Service to an existing client see Adding a Luna Cloud HSM Service in the Luna Client Guides.
Note
The client downloaded from the Luna Cloud HSM Service is a minimal client package. It does not contain Luna Universal Client utilities such as the Luna Software Development Kit (SDK) or pscp. To use these tools with the Luna Cloud HSM Service, you must complete the Luna HSM Client Software Installation and configure the client to communicate with the Luna Cloud HSM Service as described in Adding a Luna Cloud HSM Service.
1. Access the Service Page and click the service or the partition name that you would like to generate a client for.
2. Click Create Client, if this is your first client, or click New Client. The Create Client window displays.
3. In the Create Client window, enter a Client Name (Example: Luna-Cloud-HSM-Client_1) and select Create Client. A new client (in this case Luna-Cloud-HSM-Client_1_client.zip) generates and is provided for downloading and installing on your client machine.
   Note
   The client is a zip file that contains system information needed to connect your client machine to an HSM partition. See the section client Contents for client content details.
Unpack the client
Complete the following procedure to unpack the client .zip for your operating system.
Windows
1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS or another secure transfer tool to transfer the client.
2. Using the Windows GUI or an unzip tool, unzip the file Service_Windows-Client_1_client.zip.
3. Decompress the cvclient-min.zip.
   Note
   Extract the cvclient-min.zip within the directory you created in the previous step. Do not extract to a new cvclient-min.zip directory.
Linux
Linux operating systems support installing multiple clients on a single host system. See the section Installing multiple clients on Linux.
1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS or another secure transfer tool to transfer the client.
2. Unzip the client.
   unzip Service_Linux-Client_1_client.zip
   Note
   The Linux client contains Windows client materials. If you do not require the Windows client, you may delete the cvclient-min.zip.
3. Untar the cvclient-min file.
   tar xvf cvclient-min.tar
   Note
   Extract the cvclient-min.tar within the directory you created in the previous step. Do not extract to a new cvclient-min.tar directory.
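The Linux unpack procedure above, scripted with a layout check, as an added example that is not part of the Thales documentation: it extracts cvclient-min.tar in place and then verifies that ./bin/64/lunacm (the path the Initialize step runs) sits directly under the client directory rather than under a nested cvclient-min/ folder, which is the mistake the Note warns about. The function names, the stub archive used for offline testing, and the assumption that tar and unzip are installed are mine; the real zip name follows the Service_Linux-Client_1_client.zip pattern shown above.

```shell
#!/bin/sh
# Added example (not from the Thales documentation): unpack a Luna Cloud HSM
# Linux client archive and verify it was extracted in place, so that
# <client_dir>/bin/64/lunacm exists rather than <client_dir>/cvclient-min/bin/64/lunacm.
# Assumes POSIX sh and tar; the zip step additionally assumes unzip.

# The layout check the documentation's Note is really about: lunacm must be
# reachable as <client_dir>/bin/64/lunacm, the path the Initialize step uses.
verify_client_layout() {
    client_dir="$1"
    if [ -f "$client_dir/bin/64/lunacm" ]; then
        return 0
    fi
    if [ -d "$client_dir/cvclient-min" ]; then
        echo "client was extracted into a nested cvclient-min/ directory; re-extract in place" >&2
    else
        echo "bin/64/lunacm not found under $client_dir" >&2
    fi
    return 1
}

# Extract cvclient-min.tar inside the directory that already holds it.
# Fails if the tar is missing or the resulting layout is wrong.
extract_cvclient_in_place() {
    client_dir="$1"
    if [ ! -f "$client_dir/cvclient-min.tar" ]; then
        echo "cvclient-min.tar not found in $client_dir" >&2
        return 1
    fi
    # -C targets the same directory, so the archive's paths land directly in client_dir
    tar -xf "$client_dir/cvclient-min.tar" -C "$client_dir" || return 1
    verify_client_layout "$client_dir"
}

# Full procedure for a downloaded <service>_Linux-Client_1_client.zip:
# unzip into dest_dir, then untar cvclient-min.tar in that same directory.
unpack_client_zip() {
    zip_file="$1"
    dest_dir="$2"
    mkdir -p "$dest_dir" || return 1
    unzip -q "$zip_file" -d "$dest_dir" || return 1
    extract_cvclient_in_place "$dest_dir"
}

# Constructed fixture for offline testing: a stub cvclient-min.tar containing
# only a placeholder bin/64/lunacm. A real archive carries the full client.
make_stub_cvclient_tar() {
    dir="$1"
    mkdir -p "$dir/bin/64" || return 1
    printf '#!/bin/sh\necho stub lunacm\n' > "$dir/bin/64/lunacm"
    chmod +x "$dir/bin/64/lunacm"
    ( cd "$dir" && tar -cf cvclient-min.tar bin ) || return 1
    rm -rf "$dir/bin"
}
```

Run it as `unpack_client_zip Service_Linux-Client_1_client.zip /opt/luna-client`; a non-zero exit with the "nested cvclient-min/ directory" message means the tar was extracted into a subdirectory and ./bin/64/lunacm in the Initialize step will not be found.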
Initialize the service partition
Initialize the partition and the required Service Client Roles to begin using the Luna Cloud HSM Service. For more information about client configuration parameters, see client Configuration Requirements. To launch lunacm with logging enabled, see Logging.
1. Start LunaCM from the directory where you unzipped the cvclient-min.zip file (on Linux, the directory where you untarred cvclient-min.tar). Execute lunacm:
   ./bin/64/lunacm
2. If the command executes with no errors, your connection is working correctly.
   Tip
   If you are unable to connect to the Luna Cloud HSM Service, see Client Network Connectivity and Client Troubleshooting for more information about resolving client connection issues.
   Example output:
   lunacm (64-bit) v10.4.0-417. Copyright (c) 2021 SafeNet. All rights reserved.

   Available HSMs:

   Slot Id ->              3
   Label ->
   Serial Number ->        1285336687861
   Model ->                Cryptovisor7
   Firmware Version ->     7.3.0
   CV Firmware Version ->  1.4.2
   Plugin Version ->       Cloud 2.1.0-554
   Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
   Slot Description ->     Net Token Slot
   FM HW Status ->         FM Not Supported

   Current Slot Id: 3

   lunacm:>
3. Set the active slot to the uninitialized Luna Cloud HSM Service partition. You can verify the slot number by executing slot list in LunaCM.
   slot set -slot <slotnum>
4. Initialize the Luna Cloud HSM Service partition. Execute the following and complete the wizard to create the partition security officer (po) and set the initial password and cloning domain.
   partition init -label <par_label>
5. Log in as the partition security officer (po).
   role login -name partition so
6. Initialize the crypto officer (co) and set the initial password.
   role init -name crypto officer
7. Log out of the partition security officer role and log in as the crypto officer.
   role logout
   role login -n crypto officer
   Caution
   On their first login, the crypto officer (co) must change the credential password set by the partition security officer (po).
8. Update the crypto officer password.
   role changepw -n crypto officer
Applications can now use the crypto officer credentials to perform cryptographic operations using keys and objects created in the partition.