Installing ProtectToolkit 7 on Unix/Linux
This section describes how to use the Unix Installation Utility (safeNet-install.sh) to install ProtectToolkit components on a Unix client and change the Cryptoki provider. For more information about this utility, refer to Unix Installation Utility (safeNet-install.sh).
Note
If you are installing a patch version of ProtectToolkit on an AIX system, first install the initial release of the matching minor version of ProtectToolkit.
Prerequisites
Complete the following steps before installing ProtectToolkit 7:
-
Review the Operating modes as they apply to your HSM deployment.
-
Review Supported platforms to ensure that your operating system is supported.
-
Ensure that your ProtectServer 3 HSM is installed and configured for access over a network (if applicable):
If you are setting up ProtectToolkit to run in Software Emulation Mode, HSM setup is unnecessary.
-
If you are operating the ProtectServer 3 HSM in PCIe mode on Linux, install the dkms package on the client machine.
-
Become the super-user on the host system.
Installing a package
This section describes how to use safeNet-install.sh to install a package. If you encounter issues installing packages, refer to ProtectToolkit 7 installation troubleshooting.
To install a package
-
Select install a package from this CD from the utility's main menu.
A list of installable SafeNet packages is displayed. For more information about available components, refer to refer to Available ProtectToolkit 7 components.
-
Select the package required by typing the appropriate menu number followed by Enter.
The utility verifies the action and executes the appropriate command for your platform.
-
Add a -nodeps option to suppress the checking of dependencies. These options should be selected with appropriate care.
-
You may now need to respond to any platform-specific messages (for example, to confirm you wish to proceed with the installation).
-
After installation, the utility will return Success or Failure, scan the system again, and display the current installation status. Press the Enter key to continue.
Note
If you install SafeNet ProtectServer PCIe HSM Access Provider (K7) - device driver, you must run an additional script (driver-install.sh located in /opt/safenet/protecttoolkit7/pcihsm/driver/driver-install.sh) to install the PCIe driver. If a non-root user is installing the driver, complete the following steps:
-
Add the non-root user to the hsmuser group. For more information about adding users to this group, see Controlling user access to the HSM.
-
Log out of the current ssh session and log back in as the non-root user.
-
Run driver-install.sh to complete the driver installation.
If you plan to configure the client for Secure Boot, sign the PCIe driver before running the script. For more information about signing the PCIe driver for UEFI secure boot, see Signing the ProtectServer 3 PCIe driver for UEFI Secure Boot for UEFI Secure Boot.
-
Setting up your environment
After installing the software on Linux platforms, you must run the ProtectToolkit setvars.sh script to configure your environment for the ProtectToolkit software. You cannot run the script directly, but instead you must source it or add it to a startup file (for example, .bashrc). If you source the script, your environment will be set for the current session only. If you add it to your startup file, your environment will be set each time you log on.
To set up your environment
-
Go to the PTK software installation directory:
cd /opt/safenet/protecttoolkit7/ptk
-
Source the setvars.sh script:
. ./setvars.sh
Once installed and configured, the software is ready to use under /opt/safenet.
When you have completed the installation, refer to Configuration items for additional PTK configuration options, then to the guides for your installed components. Refer to the following sections:
Changing the Cryptoki provider
This section applies to the ProtectToolkit-C SDK package only.
Different ProtectToolkit-C Cryptoki provider files are required, depending on whether you are using ProtectToolkit-C SDK with a ProtectServer 3 HSM (PCI or Network operating mode) or without a ProtectServer 3 HSM (Software Emulator operating mode). For more information about operating modes, refer to Operating modes.
Both Cryptoki provider files are installed with the ProtectToolkit-C SDK package. On Unix/Linux systems, the Software Emulator Cryptoki provider file is made active by default.
To change the Cryptoki provider with the Unix Installation Utility
-
From the main menu, select Set the default cryptoki and/or HSM link.
The Cryptoki Selection screen is displayed.
Gemalto Unix Installation Utility: Hostname: 66 (Linux 2.6.32-504.16.2.el6.i686) Main Menu >> Check/Set Default Cryptoki & HSM Menu -------------------- Cryptoki Selection -------------------- 1 SafeNet ProtectToolkit C SDK Software (emulator) 2 * SafeNet ProtectToolkit C SDK Runtime (hardware) 3 * SafeNet Network HSM Access Provider b back q quit the utility Choice (1 2 3 b q) [Redraw]:
-
Select SafeNet ProtectToolkit C SDK Runtime (hardware) and confirm your selection.
Uninstalling a package
If you encounter issues uninstalling packages, refer to ProtectToolkit 7 Installation Troubleshooting.
To uninstall a package
-
Select Uninstall a SafeNet package from the utility's main menu.
A list of installed SafeNet packages is displayed. For more information about available components, refer to refer to Available ProtectToolkit 7 components
-
Select the required package by typing the appropriate menu number and pressing Enter.
The utility verifies the action and executes the appropriate command for your platform.
-
On some platforms, you may be prompted for additional uninstallation options. For example, on Linux you can add a -nodeps option to suppress the checking of dependencies. These options should be selected with appropriate care.
-
After completing uninstallation, the utility will return Success or Failure, scan the system again, and display the current installation status.
-
You may now need to respond to any platform-specific messages to confirm that you wish to proceed with the uninstallation. Press the Enter key to continue.
Boot service operation on Unix/Linux platforms
To enable and start the service, run the following command:
systemctl start etnetserver
Controlling user access to the HSM
By default, only the root user has access to the HSM. If you are using ProtectToolkit 7 in PCI mode (see Operating modes), you can specify a set of non-root users that are permitted to access the HSM by adding them to the hsmuser group.
Note
The PTK client software installation automatically creates the hsmuser group if one does not already exist on your system. The hsmuser group is retained when you uninstall PTK, allowing you to upgrade the client software while retaining the hsmuser group configuration.
Tip
Users that are not members of the hsmuser group cannot see slots when using applications or PTK utilities. If a user runs a PTK utility such as ctconf and no slots are visible, check that the user is a member of hsmuser before troubleshooting.
Before adding or removing users from the hsmuser group, ensure that you have sudo privileges on the client workstation.
Adding users to hsmuser group
To allow non-root users or applications to access the HSM, assign the users to the hsmuser group by running the following command:
sudo gpasswd --add <username> hsmuser
The users being assigned to the hsmuser group must exist on the client workstation.
Removing users from hsmuser group
To rescind a user's access to the HSM, remove from the hsmuser group by running the following command:
sudo gpasswd -d <username> hsmuser
Note
The user you delete will continue to have access to the HSM until you restart the client workstation.