Buzz LIghtyear

Reputation: 490

How are clients verified in Safenet Luna SA HSM?

How are Safenet Luna SA HSM clients verified when the clients are registered using a hostname?

Upvotes: 4

Views: 3981

Answers (3)

Amarnath Chigurupati

Reputation: 111

The HSM verifies clients based on the NTL (Network Trust Link) connection. Establishing an NTL connection is mandatory before clients make a call to the HSM via Cryptoki. The procedure to establish an NTL connection is explained by @Keith Bucher.

Upvotes: 0

Karthik tv

Reputation: 109

Looking at your comments after Keith helped with the process of trust/cert exchange. Below is the command that you might need:

    ntls ipcheck disable

Upvotes: 2

Keith Bucher

Reputation: 161

Safenet Luna HSMs use certificate-based authentication for clients. The certificate must be copied to the HSM and have a filename that matches the hostname used in the client register command on the HSM.

A typical process for registration is:

  1. Copy the server certificate to the client installation.

    scp [email protected]:server.pem /usr/lunasa/cert/server

  2. Register the server locally:

    vtl addServer -n 10.10.10.10 -c /usr/lunasa/cert/server/server.pem

  3. Create the client certificate on the client:

    vtl createCert -n HOSTNAME

    This creates a certificate and private key in the cert/client directory named:

    HOSTNAME.pem (certificate)
    HOSTNAMEKey.pem (private key)

  4. Copy the client certificate to the Luna SA HSM using scp.

    scp /usr/lunasa/cert/client/HOSTNAME.pem [email protected]:

  5. On the HSM, register the client and assign it to a partition.

    client register -client HOSTNAME -hostname HOSTNAME
    client assignPartition -client HOSTNAME -partition PARTITIONNAME

  6. On the client, verify that the client is registered and operating properly:

    $ vtl verify

    The following Luna SA Slots/Partitions were found:

    Slot Serial # Label
    ==== ======== =====
    1 123456789 myPartition1

Upvotes: 3
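
A pre-flight check for steps 3 to 5 of the answer above, added here as an example (it is not part of any answer and not SafeNet tooling): before copying HOSTNAME.pem to the HSM, it confirms the file names match the hostname to be registered, the key belongs to the certificate, and the private key is not readable by other users. The function name is hypothetical, and the expectation that the certificate's subject CN equals HOSTNAME is an assumption.

```shell
#!/bin/sh
# Added example, not SafeNet/Thales code. Pre-flight check of the client
# certificate pair that "vtl createCert -n HOSTNAME" leaves in cert/client.
# Assumption: the certificate's subject CN is expected to equal HOSTNAME.

check_luna_client_cert() {
    dir=$1 host=$2
    cert="$dir/$host.pem"
    key="$dir/${host}Key.pem"

    # The filename must match the hostname used in "client register".
    [ -f "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing $key" >&2; return 1; }

    # Subject CN vs. the name that will be registered on the HSM.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match '$host'" >&2; return 2; }

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 3; }

    # The private key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 4; }

    # Hardening check: no group/other permission bits on the private key.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key permissions too open" >&2; return 5; }

    echo "ok: $host"
}

# Stand-alone use: sh check.sh /usr/lunasa/cert/client HOSTNAME
if [ "$#" -eq 2 ]; then
    check_luna_client_cert "$1" "$2"
fi
```

A non-zero return code identifies the first failed check (1 missing file, 2 name mismatch, 3 expired, 4 key mismatch, 5 key permissions).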
