24/10/2014

LinOTP 2.7 documentation

8.3. Setting up SafeNet LunaSA

Warning
This documentation does not replace the SafeNet LunaSA documentation. The HSM is a sophisticated device; you should consult the manual and know what you are doing.

8.3.1. Requirements
You need to install the following software packages on the LinOTP server that were delivered with your HSM:
ctp 4.5.0
libcryptoki 4.5.0
vtl 4.5.0
The components are installed to /usr/lunasa. The executables are located at /usr/lunasa/bin.


8.3.2. Network settings


Note
For connecting to the Luna SA you need to connect the Luna SA appliance with the client computer via a null modem cable with the following settings: Serial port baud rate: 115200, N,8,1 (no parity, 8 data bits, one stop bit), VT100 terminal emulation. Hardware flow
Alternatively the HSM is accessible via IP 192.168.0.1. After the first login with the username admin and the password chrysalis the password is requested to be changed. Furthermore the time needs to be set and the network should be configured:
# setting time zone
lunash:> sysconf timezone -set Europe/Berlin
# setting time
lunash:> sysconf -time 12:55 20071223
# setting hostname
lunash:> net hostname hsm1
# set domain name
lunash:> net domain example.com
# set multiple nameservers
lunash:> net dns -nameserver 172.16.16.6
lunash:> net dns -nameserver 172.16.16.7
# set multiple search domains
lunash:> net dns -search example.com
# set eth0. (eth1 may also be set)
lunash:> net interface -static -device eth0 \
    -ip 172.16.16.102 -netmask 255.255.255.224 \
    -gateway 172.16.1
# control the settings
lunash:> net show

Now the LunaSA can be contacted via ssh. When the network connection is working correctly an ntp service can be set up. Setting up the domain controller in the forest root as NTP server:
lunash:> sysconf ntp -addserver 172.16.16.6

8.3.3. LunaSA server certificate

Note
For communication the LunaSA generates a certificate. For correct generation the LunaSA needs to be inserted in the DNS servers or in /etc/hosts.
When the DNS server resolves hsm1 correctly the server certificate can be generated:
lunash:> sysconf regenCert
CAUTION: Current Server Certificate and Private Key will be
overwritten. All clients will have to add the server
again with new certificate.

Type proceed to generate cert or quit to cancel
> proceed

To be able to use the LunaSA via network, the trusted interface has to be defined:
lunash:> ntls bind eth0

8.3.4. Initialization of HSM

To be able to initialize the HSM the Luna PED needs to be connected to the LunaSA appliance and you need to have a set of PED Keys. The LunaSA is configured via the hsm init command. Most of the parameters for this command are entered via the Luna PED:
lunash:> hsm init -label hsm1

Note
You should stick to the web based documentation closely, since this is a sensitive process.
Roughly, after having issued the hsm init command the process is as follows:

8.3.4.1. Create HSM Admin PED Key

Insert the blue PED key. This will be the HSM Admin PED Key.
As the fresh key is blank, a new PED PIN needs to be chosen.
At the prompt Copy this PED Key, backup copies of the PED key can be generated.
Log in as HSM Admin (Security Officer/SO).

8.3.4.2. Create Domain PED Key

Insert a second PED key. This will be the Domain PED Key.
If this is a fresh key, a new PED PIN should also be set.
Backups can be generated.
The initialization of the HSM has finished now. Copies of the PED Keys can also be made later.

8.3.4.3. HSM security policies

Using the command:
hsm showPol -c

you can display the policies:
Description                                Value  Code  Destructive
===========                                =====  ====  ===========
Allow cloning                              On           Yes
Allow non-FIPS algorithms                  On     12    Yes
Allow MofN auto-activation                 On     13    No
SO can reset partition PIN                 On     15    Yes
Allow network replication                  On     16    No
Allow Remote Authentication                On     20    Yes
Force user PIN change after set/reset      Off    21    No

For performing Backups the policy Allow cloning must be ON. For a redundant HA setup the policies Allow cloning and Allow network replication must be ON.
To switch a policy to ON use the command:
hsm changePol -p 7 -v 1
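As an added check (example code written for this page, not from the LinOTP project or SafeNet), the following Python parser reads the `hsm showPol -c` table and lists the changePol commands still needed for the backup or HA requirements stated above. The sample output is constructed from the table in the text; the code 7 for Allow cloning is taken from the changePol command the guide shows.

```python
"""Check `hsm showPol -c` output against the policies the LinOTP guide
requires: Allow cloning for backups, Allow cloning plus Allow network
replication for HA. Example code, not LinOTP's or SafeNet's own."""
import re

# Constructed sample, modelled on the showPol table in the guide. Two policies
# are deliberately Off so the check has something to report.
SAMPLE_SHOWPOL = """\
Description                                Value  Code  Destructive
===========                                =====  ====  ===========
Allow cloning                              Off    7     Yes
Allow non-FIPS algorithms                  On     12    Yes
Allow MofN auto-activation                 On     13    No
SO can reset partition PIN                 On     15    Yes
Allow network replication                  Off    16    No
Allow Remote Authentication                On     20    Yes
Force user PIN change after set/reset      Off    21    No
"""

# One table row: free-text description, On/Off, numeric code, Yes/No.
ROW = re.compile(r"^(?P<desc>.+?)\s+(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$")

REQUIRED = {
    "backup": ["Allow cloning"],
    "ha": ["Allow cloning", "Allow network replication"],
}

def parse_showpol(text):
    """Return {description: {"value": bool, "code": int, "destructive": bool}}."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header and the ===== separator line do not match
            policies[m["desc"]] = {
                "value": m["value"] == "On",
                "code": int(m["code"]),
                "destructive": m["destr"] == "Yes",
            }
    return policies

def missing_policies(policies, profile):
    """Return the lunash commands that switch on each required policy that is
    still Off; an empty list means the HSM already satisfies `profile`."""
    cmds = []
    for name in REQUIRED[profile]:
        pol = policies.get(name)
        if pol is None:
            raise KeyError(f"policy {name!r} not found in showPol output")
        if not pol["value"]:
            cmds.append(f"hsm changePol -p {pol['code']} -v 1")
    return cmds
```

Policies flagged Destructive in the table deserve a second look before running the suggested command; consult the SafeNet manual for what a change to them does.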

8.3.4.4. Create HSM Partitions

The LunaSA HSM can be partitioned so that each LinOTP server uses its own partition of the HSM. To create a new partition on the HSM you must connect the Luna PED and log on as HSM admin issuing the command:
lunash:> hsm login

and inserting the blue HSM Admin PED Key.
A new partition is created issuing the command:
lunash:> partition create -name yourPartition

A black Partition Owner PED Key is generated. A PIN for the black PED Key needs to be set. When asked Are you duplicating this PED Key Y/N? backups of the black PED Key may be generated.
The Luna PED will now display the Password that clients (the LinOTP server) will use to authenticate to this partition. As this password will never show again anywhere else, it needs to be recorded/remembered:
Login secret value
btqx-EFGH-3456-7/K9
Please write it down.
(Press ENTER)

After displaying the client password the creation of the partition has finished.
If you have more partitions, create all other partitions with new black partition owner keys. For each partition a separate black Partition Owner PED Key should be used. Otherwise the LunaSA will create a so called Group PED Key.
Note
When creating Group PED Keys the access rights to the HSM of the LinOTP servers cannot be separated! It is recommended to use a separate PED Key for each partition.

8.3.4.5. Partition policies

Partition policies can be viewed on the LunaSA using the command:
lunash:> partition showPolicies -partition yourPartition

8.3.4.6. Activate Partitions

In order for an application to access the partition without the black partition owner key plugged in, the partition needs to be activated. Therefore the policy Allow activation needs to be set to 1:
lunash:> partition changePolicy -partition yourPartition -policy 22 -value 1

For setting the partition policy you need to have the blue SO PED key. Afterwards the partition can be activated:
lunash:> partition activate -partition partitionPolicyCA

When activating the partition you need to enter the client password that was generated when the partition was initialized. For activating the partition you need to have the Partition Owner PED key.
If the HSM lost power and you start the HSM again, the partition needs to be activated again. To avoid this, you can turn the Autoactivation policy on:
lunash:> partition changePolicy -partition yourPartition -policy 23 -value 1

8.3.5. Setting up HSM clients and assigning clients to HSM partitions

A LinOTP server talking to the HSM is called an HSM client. The connection is encrypted and authenticated via certificates on both sides. The certificate of the LunaSA was already generated. This server certificate needs to be transferred to each LinOTP server.
Copy the server certificate to each LinOTP by issuing the command:
./ctp admin@hsm1:server.pem .

You need to add the HSM server on the client side:
./vtl addServer -n hsm1 -c server.pem

Now the client needs to get a client certificate created:
./vtl createCert -n linotp

Copy the client certificate to the LunaSA:
./ctp cert/client/linotp.pem admin@hsm1:

Now the client needs to be registered on the LunaSA and be assigned to a partition. Therefore on the LunaSA the admin must issue the following commands:
# register the client
lunash:> client register -client linotp -hostname linotp
# assign a client to partition
lunash:> client assignPartition -client linotp -partition yourPartition

Verify the working connection by:
./vtl verify

You should see a list with the available slots. You also need the slot number to configure later in LinOTP.

8.3.6. Troubleshooting
The names must resolve successfully. Try to ping the HSM from the LinOTP server by name and the LinOTP server from the HSM:
lunash:> net ping linotp

It could be that the ntls service needs to be restarted:
lunash:> service restart ntls

8.4. Create AES Keys

You can create AES keys on the HSM using the security module:
python linotpee/lib/security/pkcs11.py

Copyright 2014, LSE Leading Security Experts GmbH. Created using Sphinx 1.1.3.