Windows Luna HSM Client Installation
This section describes how to invoke the Windows Luna HSM Client perform unattended or scripted installations on Windows platforms.
NOTE The GUI interactive installer (see Windows Interactive Luna HSM Client Installation) is deprecated, and will be removed from a future release.
Use the /quiet switch (see below) to ensure no pauses or prompting during installation. The following procedures are described:
>Command line options overview
>Installing the Luna HSM Client for the Luna Network HSM 7
>Installing the Luna HSM Client for the Luna PCIe HSM 7
>Installing the Luna HSM Client for the Luna USB HSM 7
>Installing the Luna HSM Client for the Luna Backup HSM
>Installing the Luna HSM Client for Remote PED
>ChrystokiConfigurationPath Environment Variable
>Uninstalling the Luna HSM Client
If you want to perform an interactive installation, using the graphical, interactive installer, see Windows Interactive Luna HSM Client Installation
NOTE Unattended installation stores the root certificate in the certificate store and marks the publisher (Thales) as trusted for future installations. You are not prompted to trust Thales as a driver publisher during unattended installation.
Command line options overview
The following command-line options are available:
| Option | Values | Description |
|---|---|---|
| addlocal= | Various (see below) | Takes one-or-more device values, and one-or-more feature values, as a comma-separated list. Case insensitive. Values may be quoted or not. |
| installdir= | A fully qualified folder path to install the client software | Case insensitive. Default value is “c:\program files\safenet\lunaclient”. Enclose paths containing spaces in “”. |
| /install | N/A | Install the product and features. |
| /uninstall | N/A | Remove the product and features. |
| /quiet | N/A |
Performs a silent installation; no prompts or messages. NOTE Windows defaults to launching the interactive graphical installer, unless you specify /quiet at the command line. Always include the /quiet option for scripted/unattended Luna HSM Client installation. |
| /norestart | N/A | Prevents a reboot, post-installation. Any reboots must be performed manually. |
| /log | The name of a log file | Generates a highly detailed series of logs of the installation progress. This is required only for product support. |
The following devices or components are available for use with the addlocal= option:
| Device identifier value | Can be used with these installable features |
|---|---|
| NETWORK | CSP_KSP, JSP, SDK, JCProv* |
| PCI | CSP_KSP, JSP, SDK, JCProv |
| USB | CSP_KSP, JSP, SDK, JCProv |
| BACKUP | SNMP (this device performs backup and restore operations and is not enabled for cryptographic applications) |
| PED | N/A (Used for remotely authenticating to multifactor quorum-authenticated HSMs; not used by cryptographic applications - use of this device requires hands-on presence) |
The device names are not case-sensitive.
* The Luna Network HSM 7 appliance contains its own SNMP support; therefore the SNMP feature is not installed on clients where the Luna Network HSM 7 is the only HSM to be used.)
The following features are available for use with the addlocal= option:
| Feature identifier value | Can be installed with these Luna devices | Description |
|---|---|---|
| CSP_KSP | NETWORK, PCI, USB | Microsoft CSP and KSP |
| FMSDK | NETWORK, PCIe * | Functionality Modules Software Development Kit |
| FMTOOLS | NETWORK, PCIe * | Tools for use when preparing Functionality Modules |
| JCProv | NETWORK, PCIe, USB | JCPROV PKCS#11 |
| JSP | NETWORK, PCIe, USB | Java Provider component |
| SDK | NETWORK, PCIe, USB | Software SDK – Java / C++ samples |
The features can be installed together with the listed device(s) only - they cannot be installed separately - and need to be included only once in the command line. For example, if you are installing the NETWORK and PCI devices and you wish to install the CSP / KSP feature, specify CSP_KSP one time. The feature names are not case-sensitive.
NOTE * If you install FMTOOLS for NETWORK only, then just mkfm and the library are installed.
If you install FMTOOLS for PCI, then mkfm and the library along with ctfm and fmrecover are installed.
If you install FMTOOLS for both NETWORK and PCIe devices, then all four elements are installed.
If you install the FM SDK, the Luna SDK is installed as well, to satisfy dependencies.
Options for addlocal= are separated by spaces. Device and feature values are separated by commas, with no spaces, unless the whole list is enclosed between quotation marks. If a space is encountered, outside of paired quotation marks, the next item found is treated as a command option.
Installing all components and features
NOTE CSP or KSP registration includes a step that verifies the DLLs are signed by our certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).
This step can fail if your Windows operating system does not have the required certificate. If you have been keeping your Windows OS updated, you should already have that certificate.
If your Luna HSM Client host is connected to the internet, use the following commands to update the certificate manually:
certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt
certutil -addstore -f root DigiCertTrustedRootG4.crt
To manually update a non-connected host
1. Download the DigiCert Trusted Root G4 ( http://cacerts.digicert.com/DigiCertTrustedRootG4.crt DigiCertTrustedRootG4.crt ) to a separate internet-connected computer.
2.Transport the certificate , using your approved means, to the Luna Client host into a <downloaded cert path> location of your choice
3.Add the certificate to the certificate store using the command:
certutil -addstore -f root <downloaded cert path>
Subsequent sections detail how to install the Luna HSM Client software, drivers (if necessary), and optional features (like Java support and the SDK), for individual HSMs. This section describes how to install everything at once, so that all Luna HSMs
Use the ADDLOCAL= option together with the value all to install the base client software and the drivers for all Luna devices, along with all the features.
To install the Luna HSM Client software and drivers for all Luna devices and all features
From the location of LunaHSMClient.exe run the following command:
> Install the full Luna HSM Client software with drivers for all Luna HSMs (Luna Network HSM 7, Luna PCIe HSM 7, Luna Backup HSM
LunaHSMClient.exe /install /quiet ADDLOCAL=all
NOTE You can omit the /quiet option to see all options in the GUI dialog.
> [Optional logging] Install the full Luna HSM Client software with drivers for all Luna HSMs (Luna Network HSM 7, Luna PCIe HSM 7, Luna Backup HSM
LunaHSMClient.exe /install /log install.log /quiet ADDLOCAL=all
NOTE The setting /log is optional and saves the installation logs to the file named install.log in the example. The install.log file (whatever name you give it) is required only if troubleshooting an issue with Thales GroupTechnical Support.
Installing the Luna HSM Client for the Luna Network HSM 7
Use the ADDLOCAL=NETWORK option to install the base client software for the Luna Network HSM 7. Include the values for any optional, individual software components you desire. The base software must be installed first.
To install the Luna HSM Client for the Luna Network HSM 7
From the location of LunaHSMClient.exe run one of the following commands:
> Install the base Luna HSM Client software necessary to communicate with Luna Network HSM 7
LunaHSMClient.exe /install /quiet ADDLOCAL=NETWORK
[Optional] Install the base Luna HSM Client software and any of the optional components for the Luna Network HSM 7 that you desire:
For example, the following command installs the base software and all of the optional components:
LunaHSMClient.exe /install /quiet ADDLOCAL=NETWORK,CSP_KSP,JSP,SDK,JCProv
If you wish to install only some of the components, just specify the ones you want after the product name (NETWORK in this example).
Installing the Luna HSM Client for the Luna PCIe HSM 7
Use the ADDLOCAL=PCI option to install the base client software for the Luna PCIe HSM 7. Include any features you desire. The base software must be installed first.
To install the Luna HSM Client for the Luna PCIe HSM 7
From the location of LunaHSMClient.exe run one of the following commands:
> Install the base Luna HSM Client software for Luna PCIe HSM 7
LunaHSMClient.exe /install /quiet ADDLOCAL=PCI
>Install the base Luna HSM Client software and any of the optional features for the Luna PCIe HSM 7 that you desire:
For example, the following command installs the base software and all of the optional components:
LunaHSMClient.exe /install /quiet ADDLOCAL=PCI,CSP_KSP,JSP,SDK,JCProv,SNMP
If you wish to install only some of the components, just specify the ones you want after the product name (PCI in this example).
Installing the Luna HSM Client for the Luna USB HSM 7
Use the ADDLOCAL=USB option to install the base client software for the Luna USB HSM 7. Include any features you desire. The base software must be installed first.
To install the Luna HSM Client for the Luna USB HSM 7
From the location of LunaHSMClient.exe run one of the following commands:
> Install for Luna USB HSM 7
LunaHSMClient.exe /install /quiet ADDLOCAL=USB
>Install the base Luna HSM Client software and any of the optional features for the Luna USB HSM 7 that you desire:
For example, the following command installs the base software and all of the optional components:
LunaHSMClient.exe /install /quiet ADDLOCAL=USB,CSP_KSP,JSP,SDK,JCProv
If you wish to install only some of the components, just specify the ones you want after the product name (USB in this example).
Installing the Luna HSM Client for the Luna Backup HSM
Use the ADDLOCAL=BACKUP option to install the base client software for the Luna Backup HSM, and the optional feature, if desired. For the Backup HSM, which performs backup and restore operations and is not enabled for use with cryptographic applications, the feature you might add is SNMP, if applicable in your environment.
To install the Luna HSM Client for the Luna Backup HSM
From the location of LunaHSMClient.exe run one of the following commands:
> Install the base Luna HSM Client software for Luna Backup HSM
LunaHSMClient.exe /install /quiet /norestart ADDLOCAL=BACKUP
>Install the base Luna HSM Client software and an optional component for the Luna Backup HSM:
For example, the following command installs the base software and the optional component:
LunaHSMClient.exe /install /quiet /norestart ADDLOCAL=backup
Installing the Luna HSM Client for Remote PED
Use the ADDLOCAL= option with component value PEDto install the client software for the Remote PED Server.
To install the Luna HSM Client for the Remote PED Server
>From the location of LunaHSMClient.exe run the following command:
LunaHSMClient.exe /install /quiet addlocal=ped
Installation Location
Specify the installation location, if the default location is not suitable for your situation.
This applies to installation of any Luna Device. Provide the INSTALLDIR= option, along with a fully qualified path to the desired target location. For example:
LunaHSMClient.exe /install /quiet addlocal=all installdir=c:\lunaclient
That command silently installs all of the Luna device software and features to the folder c:\lunaclient (in this example). The software is installed into the same subdirectories per component and feature, under that named folder, as would be the case if INSTALLDIR was not provided. That is, INSTALLDIR changes the prefix or primary client installation folder to the one you specify, and the libraries, devices, tools, certificate folders, etc. are installed in their predetermined relationship, but under the new main folder location.
ChrystokiConfigurationPath Environment Variable
During installation of Luna HSM Client components, a new entry is added to the Windows environment variables: ChrystokiConfigurationPath. This variable contains the path to the Luna HSM Client configuration file, Chrystoki.ini (see Configuration File Summary for a full description).
NOTE After first-time installation or a re-installation where the path to Chrystoki.ini changed, any open command prompts must be closed and reopened to recognize the new ChrystokiConfigurationPath environment variable setting.
Logging
If problems are encountered during installation or uninstallation of the software and you wish to determine the reason, or if Thales Technical Support has requested you to do so, detailed logs can be generated and captured by specifying the /log option and providing a filename to capture the log output. Two logs are generated – one according to the name given and the other similarly named, with a number appended. Both log files must be sent to Thales support if assistance is required.
Example commands that include logging are:
LunaHSMClient.exe /install /quiet /log install.log /norestart ADDLOCAL=backup,snmp
LunaHSMClient.exe /uninstall /quiet /log uninstall.log
Uninstalling the Luna HSM Client
You can also perform scripted/unattended uninstallation.
To uninstall the Luna HSM Client
>From the location of LunaHSMClient.exe run the following command:
LunaHSMClient.exe /uninstall /quiet
>To log the uninstallation process, run the following command:
LunaHSMClient.exe /uninstall /quiet /log uninstall.log
