Creating a One-Step NTLS Registration Role

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login, among the other administrative operations available on the SSH-accessible appliance command path (LunaSH) or via the equivalent REST APIs, as well as the client-side equivalents in LunaCM: partition init, partition login, partition logout, and the partition role commands.

Creating NTLS links between a client and partition using the one-step method (see One-Step NTLS Connection Procedure) usually requires administrative access to the Luna Network HSM 7 appliance. You can set up a custom role that allows a third party to use only the commands necessary for one-step NTLS.

To create a one-step NTLS registration role

1. Create a role definition file (plain text, .txt) on your local workstation, listing the following commands, one per line:

partition list
client list
client register
client assignPartition
sysconf forceSOlogin show

NOTE   All lines must end with a UNIX-style linefeed (lf) character. If you create your file in Windows, be sure to convert it to use UNIX line endings before transferring it to an HSM appliance.

These are the commands necessary for creating one-step NTLS links. You can include any other commands your registration workflow needs. Note that the role restricts only which LunaSH commands the user may run; it does not scope them to particular partitions, so a user holding this role can list every partition on the appliance and assign clients to any of them. See the client command reference for the complete set of commands.

2. Transfer the role definition file (registerclient.txt in the example below) to the appliance using pscp or scp.

pscp registerclient.txt admin@<server_host/IP>:

3. Log in to the appliance by SSH as the admin user.

4. Import the role definition file to create the registerclient role.

lunash:> user role import -file registerclient.txt -role registerclient

5. Create the register user account.

lunash:> user add -username register

6. Assign the role to the register user.

lunash:> user role add -username register -role registerclient

7. Open a new SSH connection to the appliance and log in as register with the default password "PASSWORD".

login as: register
register@<server_host/IP>'s password:

You will be prompted to set a new password for the register user. This will be the password you provide to the third-party client. Ensure it is both secure and distinct from the admin user password.

LunaSH passwords must be at least eight characters in length and include characters from at least three of the following four groups:
>  lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
>  uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
>  numeric: 0123456789
>  special (spaces allowed):  !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

8. If you are using Luna Appliance Software 7.0.0, custom users do not automatically have access to the appliance's Server Certificate (server.pem). You must transfer the certificate from the appliance's admin account to the custom register account. This step is unnecessary if you have installed Luna Appliance Software 7.1.0 or newer.

pscp admin@<server_host/IP>:server.pem .

pscp server.pem register@<server_host/IP>:

9. Provide the register password and the partition name to the client operator. The client can now establish a one-step NTLS connection by specifying the register user and password in LunaCM.

lunacm:> clientconfig deploy -server <server_host/IP> -client <client_host/IP> -partition <name> -user register
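The workstation-side preparation for steps 1, 2 and 7, as an added shell example that is not part of the original page or of Thales's own tooling: it writes the role definition file with LF-only line endings (printf never emits CR), checks a file for the stray carriage returns the NOTE above warns about and strips them, and checks a candidate register password against the LunaSH policy quoted above. The upload runs only if APPLIANCE is set to the appliance host or IP; that variable, the use of scp rather than pscp, and the file name registerclient.txt are assumptions. The password check treats any non-alphanumeric byte as "special", a simplification of the listed character set.

```shell
#!/bin/sh
# Added example (not from the Luna documentation): prepare the role
# definition file and the register password on the local workstation.
# Assumptions: scp is available, APPLIANCE holds the appliance host/IP
# if you want the upload to run, and the file is named registerclient.txt.
set -eu
LC_ALL=C; export LC_ALL   # keep [a-z]/[A-Z] ranges strictly ASCII

# Step 1: write the role definition. printf emits LF-only line endings
# regardless of the host OS, so the file needs no CRLF conversion.
write_role_file() {
    printf '%s\n' \
        'partition list' \
        'client list' \
        'client register' \
        'client assignPartition' \
        'sysconf forceSOlogin show' > "$1"
}

# Succeeds only if the file contains no CR bytes and ends with a newline;
# this is the check the NOTE about UNIX line endings asks for.
has_unix_line_endings() {
    crs=$(tr -cd '\r' < "$1" | wc -c)
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$((crs))" -eq 0 ] && [ "$last" = "0a" ]
}

# Rewrite a CRLF file as LF in place; the role file has no legitimate
# use for CR bytes, so dropping them all is safe.
convert_to_unix() {
    tmp=$(mktemp)
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 7: LunaSH policy, at least 8 characters drawn from at least three of
# lowercase, uppercase, digit, special. "Special" is approximated here as
# any non-alphanumeric byte, which includes space (allowed by the policy).
lunash_password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    n=0
    case $pw in *[a-z]*) n=$((n + 1)) ;; esac
    case $pw in *[A-Z]*) n=$((n + 1)) ;; esac
    case $pw in *[0-9]*) n=$((n + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) n=$((n + 1)) ;; esac
    [ "$n" -ge 3 ]
}

# Step 2: upload to the admin account's home directory on the appliance
# (the trailing colon keeps the same file name, as in the pscp example).
upload_role_file() {
    scp "$1" "admin@$2:"
}

workdir=$(mktemp -d)
role_file="$workdir/registerclient.txt"
write_role_file "$role_file"
has_unix_line_endings "$role_file" || { echo "role file has CRLF endings" >&2; exit 1; }
echo "role file ready: $role_file ($(wc -l < "$role_file" | tr -d ' ') commands)"
if [ -n "${APPLIANCE:-}" ]; then
    upload_role_file "$role_file" "$APPLIANCE"
fi
```

Run the password check before handing the credential to the third party; the appliance enforces the same policy when the register user logs in for the first time and sets a new password, so a rejected value there means another round trip with the client operator.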