Creating an NTLS Connection Using Self-Signed Certificates

To create an NTLS connection, the Luna Network HSM and the client must exchange certificates. Each registers the other's certificate in a trusted list. When both certificates are registered, the Network Trust Link is ready, and the appliance administrator can assign application partitions to the client for cryptographic operations. By default, this procedure uses self-signed certificates. To register your clients using certificates signed by a trusted Certificate Authority, see Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority.

NOTE   Secure Trusted Channel (STC) offers enhanced HSM-client message integrity, and an additional layer of protection for client-to-HSM communications, even over unsecured networks. To take advantage of this feature, see Creating an STC Connection. For more on the differences between NTLS and STC connections, see Comparing NTLS and STC.

There are two methods of assigning partitions to a client via a self-signed NTLS connection:

>Multi-Step NTLS Connection Procedure: performed by the appliance administrator and a client administrator

>One-Step NTLS Connection Procedure: automates the multi-step process. It can be used when the client administrator has admin-level access to the appliance, or through a custom registration account.

Multi-Step NTLS Connection Procedure

The multi-step procedure is performed by the appliance administrator and the client administrator.

Prerequisites

>You must have admin-level access to LunaSH on the appliance to register a client, or a custom account created to handle client registration (see Creating a One-Step NTLS Registration Role).

>By default, you do not need to log in as HSM SO. You can force the appliance to require HSM SO login for this procedure with lunash:> sysconf forcesologin enable.

>Luna HSM Client software must be installed on the client workstation (see Luna HSM Client Software Installation in the Installation Guide)

>The client workstation must have an SSH client installed to provide secure shell access to the Luna Network HSM appliance. The PuTTY SSH client (putty.exe) is included in the Windows client installation.

>Read/write access to the Luna HSM Client installation directory is required for the certificate exchange.

>The client workstation must have network access to the Luna Network HSM appliance. The appliance auto-negotiates network bandwidth. See Recommended Network Characteristics for more information.

NOTE   Administration commands can take a few seconds to be noted by NTLS. If you have added or deleted a client, wait a few seconds before connecting.

To create a multi-step NTLS connection between the appliance and a client

1.On the client workstation, open a command prompt and navigate to the Luna HSM Client directory.

NOTE   On Windows, ensure that you open a command prompt with Administrator privileges.

Windows: C:\Program Files\SafeNet\LunaClient

Linux/AIX: /usr/safenet/lunaclient/bin

Solaris: /opt/safenet/lunaclient/bin

2.Use pscp or scp to import the HSM Appliance Server Certificate (server.pem) from the appliance to the client workstation. You require admin- or operator-level account access to complete this step. If you do not have SSL access to the appliance, or a firewall blocks file transfer over the network, the appliance admin must provide this certificate by other secure means.

TIP   If you are importing certificates from multiple appliances to this client, rename each incoming certificate during the pscp/scp transfer. This will prevent you from accidentally overwriting one server.pem certificate with another.

pscp <user>@<host/IP>:server.pem <target_filename>

NOTE   When using pscp or scp over an IPv6 network, enclose addresses in square brackets.

You must accept the SSH certificate the first time you open a pscp/scp or SSH link. You can check the SSH fingerprint in LunaSH to confirm the secure connection.

lunash:> sysconf fingerprint ssh

If the HSM appliance IP or hostname is changed, SSH detects a mismatch in the HSM appliance's server certification information and warns you of a potential security breach. To resolve this issue, delete the server's certificate information from the client’s known host file at: /<user home dir>/.ssh/known_hosts2, and re-import the server certificate.

3.Register the HSM Server Certificate with the client, using the vtl utility from the command line or shell prompt. If using a host name, ensure the name is reachable over the network (ping <hostname>). Thales recommends specifying an IP address to avoid network issues.

>vtl addServer -n <Network_HSM_hostname/IP> -c <server_certificate>

4.Create a certificate and private key for the client. If you specify a client hostname, it must match exactly the hostname reported by the hostname command.

CAUTION!   If you are registering this client with multiple Luna Network HSM appliances, you only need to complete this step once. Use the same client certificate for all appliances. If you recreate the client certificate and key, any existing NTLS connections will be broken.

>vtl createCert -n <client_hostname/IP>

The certificate and private key are saved to the <client_install_dir>/cert/client directory and are named <client_hostname/IP>.pem and <client_hostname/IP>Key.pem, respectively. The command output displays the filepath.

5.Use pscp or scp to export the client certificate to the admin account (or an admin-level custom account) on the Network HSM appliance. The file arriving at the appliance is automatically placed in the appropriate directory. Do not specify a target directory.

pscp <cert_path/filename> admin@<host/IP>:[<target_filename>]

6.Connect to the appliance via SSH or a serial connection, and log in to LunaSH using an admin- or operator-level account (see Logging In to LunaSH).

7.Register the client certificate with the appliance, selecting a client name that can be used to easily identify the client. Specify either the -hostname or -ip option, according to which one you used to create the certificate.

lunash:> client register -client <client_name> {-hostname <client_hostname> | -ip <client_IP>}

8.[Optional] Verify the client registration.

lunash:> client list

Now that the NTLS connection is established, the Luna Network HSM appliance admin can assign partitions for the client to access (see Assigning or Revoking NTLS Client Access to a Partition).

One-Step NTLS Connection Procedure

The Luna HSM Client provides a one-step NTLS setup option, which automates the multi-step procedure described above.

The One-Step NTLS procedure is performed by the client administrator, and requires SSL access to an admin-level account (or a specialized NTLS registration account) on the Luna Network HSM appliance. If you do not have SSL access to the appliance, an authorized user must provide the appliance certificate by other secure means, and you must use the multi-step procedure to manually register certificates.

This procedure uses pscp/scp to exchange certificates over the network. If a firewall prevents this file transfer, the procedure will fail. You must exchange the certificates by other secure means and perform the manual procedure.

One-Step NTLS can only be used to create a new NTLS connection, and not to assign additional partitions to the client. If an NTLS connection already exists between the client and the appliance, or if one has already registered the other's certificate, the operation fails.

Older Clients Can Fail to Complete One-Step NTLS with Newer Appliance Software

Newer Luna Network HSM can have outdated (weaker) ciphers removed from file transfer protocols, as a security measure. If your installed Luna Client is version 10.3.0 or older, it might not be possible to negotiate a common cipher for a secure link. You might see an error similar to: FATAL ERROR: Couldn't agree a host key algorithm (available: ecdsa-sha2-nistp256,ssh-ed25519).

To resolve this issue, you can download a new version of PuTTY from PuTTY.org at: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Copy pscp.exe and plink.exe to C:\Program Files\SafeNet\LunaClient and retry One-Step NTLS.

Alternatively, install UC-10.4 or newer, which includes plink and pscp 0.76 or newer.

Luna Network HSM Prerequisites

>The appliance certificate (server.pem) must be available on the appliance (see Generating the HSM Server Certificate).

>An application partition must be available on the HSM (see Creating or Deleting an Application Partition).

>The client must not have a certificate already registered on the appliance.

Luna HSM Client Prerequisites

>Client software must be installed (see Luna HSM Client Software Installation).

>The client administrator must have access to an admin-level account, or a specialized NTLS registration account, on the appliance (see Creating a One-Step NTLS Registration Role).

>The client administrator must know the name of an existing application partition that will be assigned to the client.

>The appliance must not have a certificate already registered with the client.

>If you are running Luna HSM Client 10.3.0 or older on a Linux platform, the plink executable included in the Luna HSM Client package requires one of the following 32-bit C/C++ standard libraries:

glibc.i686 for Red Hat Enterprise Linux (RHEL) distributions. Install glibc.i686 by running the following command:

yum install glibc.i686

gcc-multilib for Ubuntu distributions. Install gcc-multilib by running the following command:

sudo apt-get install gcc-multilib

If you do not wish to install the C/C++ standard library, use the Multi-Step NTLS Connection Procedure instead.

To create a One-Step NTLS connection between the appliance and a client

1.Launch LunaCM on the client workstation.

2.Initiate the One-Step NTLS procedure by specifying the appliance and client hostnames/IPs, and the name of the application partition to assign to this client. By default, the request is sent to the admin account, but you can specify any other account.

lunacm:> clientconfig deploy -server <server_hostname/IP> -client <client hostname/IP> -partition <partition_name> [-user <appliance_username>] [-password <password>] [-verbose]

NOTE   After you enter the account password, LunaCM appears to pause for 1-2 minutes while the registration procedure is completed. This is expected behavior.

The NTLS connection is now active, and the specified partition has been assigned to the client. If you want this client to have access to more partitions on this HSM, see Assigning or Revoking NTLS Client Access to a Partition.

To initialize the application partition, see Initializing an Application Partition.

To restore a broken NTLS client connection, see Restoring Broken NTLS or STC Connections.