Cluster-Client Connections

Thales provides a client-side script, LNHClientRegistration, to connect Luna HSM Client to a cluster. You must run the script on any Luna HSM Client computers that will create or use keyrings on the cluster. The client requires a specified member Luna Network HSM 7 to use as an entry point to the cluster. All traffic from the client will be directed to this member appliance, although the operations may be performed by other cluster members.

NOTE   Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

If this client will be used by a customer with monitor privileges in a service provider deployment, you can specify a LunaSH username to associate with the client. This can be the default monitor role, or a custom user with the monitor role assigned (see Creating Custom Appliance User Accounts). The specified user must already exist on the appliance.

Connecting Luna HSM Client to a Cluster

The following procedure will allow you to connect a Luna HSM Client computer to a Luna Network HSM 7 cluster. Each cluster is assigned an index number from 00 to 09 on the client. In this release, the configuration can be viewed only in the crystoki.ini / Chrystoki.conf configuration file; the following entries for each cluster are added to the LunaSA Client section (see Configuration File Summary):

LNHServer##
LNHServerClientCert##
LNHServerClientKey##
LNHServerCAFile##
LNHServerCN##

Prerequisites

> Ensure that you have the following information about each cluster you want to access using this client:

  - the Cluster ID

  - the IP address for an authorized member appliance that will accept this client's traffic

> If you customize the port numbers for admin and/or crypto traffic to the appliance, you must edit the LNHClientRegistration script to account for these port numbers, or client registration will fail. To update the script, replace all instances of the default admin port 50070 with your configured admin port, and instances of the default crypto port 50052 with your configured crypto port.

CAUTION!   In this release, changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members. Refer to known issue LUNA-26485.

To connect Luna HSM Client to a cluster member

1. Run the LNHClientRegistration script to connect the client to the cluster, specifying the Cluster ID (-c), the IP address of the member the client will connect to (-i), a Common Name for the client certificate (-n), an optional label for the client (-l), and an optional LunaSH username with a monitor role to associate with this client (-u). This assigns the cluster to the 00 index position on the client.

Linux/AIX:

# ./LNHClientRegistration.sh -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]

Windows PowerShell:

./LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]

Windows command prompt:

powershell.exe -command "LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>]"

2. Run the script again for each additional cluster you wish to add, including the -m option to indicate that you are adding multiple clusters. Each new cluster added will be assigned to the next incremental index position (01, 02, 03... 09). If all the positions are filled, an error message is returned.

CAUTION!   Running the script again without the -m option will overwrite the cluster configuration at the 00 index position.

Linux/AIX:

# ./LNHClientRegistration.sh -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m

Windows PowerShell:

./LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m

Windows command prompt:

powershell.exe -command "LNHClientRegistration.ps1 -n <client Common Name> -i <IPaddress> -c <clusterID> [-l <optional_client_label>] [-u <monitor_LunaSH_user>] -m"

Removing a Cluster From the Luna HSM Client

In this release, to remove a cluster from the client, you must manually delete it from the index by editing the LunaSA Client section of the crystoki.ini / Chrystoki.conf configuration file. Delete the entries for the cluster you wish to remove and save the configuration file.

LunaSA Client = {
   ReceiveTimeout = 20000;
   SSLConfigFile = /usr/safenet/lunaclient/bin/openssl.cnf;
   ClientPrivKeyFile = /usr/safenet/lunaclient/cert/client/ClientNameKey.pem;
   ClientCertFile = /usr/safenet/lunaclient/cert/client/ClientNameCert.pem;
   ServerCAFile = /usr/safenet/lunaclient/cert/server/CAFile.pem;
   NetClient = 1;
   TCPKeepAlive = 1;

   LNHServer00 = 1.2.3.4:50052;
   LNHServerClientCert00 = /usr/safenet/lunaclient/cert/client/c2c94c40-6491-409e-bd3d-16e236544b7f/2.3.4.5.pem;
   LNHServerClientKey00 = /usr/safenet/lunaclient/cert/client/c2c94c40-6491-409e-bd3d-16e236544b7f/2.3.4.5Key.pem;
   LNHServerCAFile00 = /usr/safenet/lunaclient/cert/server/c2c94c40-6491-409e-bd3d-16e236544b7f/lnh_ca.pem;
   LNHServerCN00 = lnh.thalesgroup.com;
   LNHServer01 = 5.6.7.8:50052;
   LNHServerClientCert01 = /usr/safenet/lunaclient/cert/client/3fed78e8-58ad-4aec-be5f-4a12a04ff073/2.3.4.5.pem;
   LNHServerClientKey01 = /usr/safenet/lunaclient/cert/client/3fed78e8-58ad-4aec-be5f-4a12a04ff073/2.3.4.5Key.pem;
   LNHServerCAFile01 = /usr/safenet/lunaclient/cert/server/3fed78e8-58ad-4aec-be5f-4a12a04ff073/lnh_ca.pem;
   LNHServerCN01 = lnh.thalesgroup.com;
}
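Because removal in this release is a manual edit of the LunaSA Client section, a half-deleted index slot (for example, the LNHServer01 line removed but its certificate and CA entries left behind) is an easy mistake. The following added example (not Thales code, and the Chrystoki.conf text it parses is a constructed sample modelled on the excerpt above) lists the LNHServer## index slots, checks that every slot still carries all five entries named earlier on this page, and removes one slot cleanly:

```python
import re

# Constructed sample in the Chrystoki.conf brace syntax shown on this page; not a real client file.
SAMPLE_CONF = """LunaSA Client = {
   ReceiveTimeout = 20000;
   NetClient = 1;
   LNHServer00 = 1.2.3.4:50052;
   LNHServerClientCert00 = /usr/safenet/lunaclient/cert/client/c2c94c40/2.3.4.5.pem;
   LNHServerClientKey00 = /usr/safenet/lunaclient/cert/client/c2c94c40/2.3.4.5Key.pem;
   LNHServerCAFile00 = /usr/safenet/lunaclient/cert/server/c2c94c40/lnh_ca.pem;
   LNHServerCN00 = lnh.thalesgroup.com;
   LNHServer01 = 5.6.7.8:50052;
   LNHServerClientCert01 = /usr/safenet/lunaclient/cert/client/3fed78e8/2.3.4.5.pem;
   LNHServerClientKey01 = /usr/safenet/lunaclient/cert/client/3fed78e8/2.3.4.5Key.pem;
   LNHServerCAFile01 = /usr/safenet/lunaclient/cert/server/3fed78e8/lnh_ca.pem;
   LNHServerCN01 = lnh.thalesgroup.com;
}
"""

# The five per-cluster keys the page lists; each is suffixed with a two-digit index 00..09.
CLUSTER_KEYS = ("LNHServer", "LNHServerClientCert", "LNHServerClientKey",
                "LNHServerCAFile", "LNHServerCN")
ENTRY_RE = re.compile(
    r"^\s*(LNHServer(?:ClientCert|ClientKey|CAFile|CN)?)(\d{2})\s*=\s*(.*?);\s*$")


def list_clusters(conf_text):
    """Return {index: {key: value}} for every LNHServer* entry in the file."""
    clusters = {}
    for line in conf_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            clusters.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    return clusters


def check_clusters(conf_text):
    """List index slots missing any of the five keys; such a slot cannot connect."""
    problems = []
    for idx, entries in sorted(list_clusters(conf_text).items()):
        missing = [k for k in CLUSTER_KEYS if k not in entries]
        if missing:
            problems.append((idx, missing))
    return problems


def remove_cluster(conf_text, index):
    """Drop all entries for one index slot: the manual removal step described above."""
    keep = [ln for ln in conf_text.splitlines()
            if not (ENTRY_RE.match(ln) and ENTRY_RE.match(ln).group(2) == index)]
    return "\n".join(keep) + "\n"
```

Run check_clusters() on the edited file before restarting any application that uses the client, so a partially removed slot is caught before it surfaces as a connection failure.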