Configure the SafeNet Luna SA HSM

The API Gateway supports the use of the SafeNet Luna SA Hardware Security Module. This section provides basic step-by-step instructions on how to install this HSM. For more information, refer to the .
The client software on the API Gateway machine must already have a partition assigned to it in the Luna HSM.
Step 1: Install the Luna Client Software
The first step is to install the Luna client.
Before proceeding, make sure you have access to the Luna client installation files and client patch files (in the case of Luna 5).
To install the Luna client software:
  1. Use SCP to copy the Linux 64-bit SafeNet client files over to a temporary directory on the API Gateway.
  2. While logged in as the root user, navigate to the directory on the API Gateway containing the client files and then run the install script:
    # ./install.sh
  3. Enter y to agree to the license.
  4. Enter y to install the Luna SA client.
  5. Enter y to install the JSP for Luna.
  6. Enter n to skip installing the SDK for Luna.
Step 2: Connect Client to a Partition
After the Luna client is installed, the next step is to connect it to the Luna partition. The following assumes that DNS is used.
(1) This procedure requires access to the Luna appliance admin password (available from your Luna administrator). (2) CA recommends that each API Gateway cluster be assigned its own Luna partition for its exclusive use.
To connect the Luna client to a partition:
  1. Navigate to the Luna SA command directory:
    # cd /usr/lunasa/bin
  2. Copy the Luna appliance server certificate to the client:
    # ./ctp admin@<LunaBoxHostname>:server.pem .    (for Luna 4)
    # ./scp admin@<LunaBoxHostname>:server.pem .    (for Luna 5)
  3. Register the server with the client:
    # ./vtl addServer -n <LunaBoxHostname> -c server.pem
  4. Generate a client certificate:
    # ./vtl createCert -n <ClientHostname>
  5. Copy the client certificate to the server:
    # ./ctp /usr/lunasa/cert/client/<ClientHostname>.pem admin@<LunaBoxHostname>:    (for Luna 4)
    # ./scp /usr/lunasa/cert/client/<ClientHostname>.pem admin@<LunaBoxHostname>:    (for Luna 5)
  6. Log in to the Luna HSM appliance to register the client with the server, then assign the client to a server partition:
    # ssh admin@<LunaBoxHostname>
    lunash:> client register -client <ClientHostname> -hostname <ClientHostname>
    lunash:> client assignPartition -client <ClientHostname> -partition <GatewayPartition>
  7. Run the following command (the form depends on the Luna version) only if the hostname is not resolvable:
    lunash:> client hostip map <ClientHostname> <ClientIP>    (for Luna 4)
    lunash:> client hostip map -client <ClientHostname> -ip <ClientIP>    (for Luna 5)
  8. Log out from the Luna HSM:
    lunash:> exit
  9. Set the read permissions for the certificate files in the following directories:
    # chmod a+r /usr/lunasa/cert/server/*.pem
    # chmod a+r /usr/lunasa/cert/client/*.pem
  10. Verify that the client is connected to its assigned partition:
    # ./vtl verify
    When the verification is successful, the Luna slots and partitions are displayed. If the verification is unsuccessful, edit the file Chrystoki.conf in the /etc directory so that the PE1746Enabled setting in the Misc section is disabled (set to 0), as shown, and then try again:
    Misc = { PE1746Enabled = 0; }
  11. Run the following command to verify that your token client PIN is correct for this partition and that the partition is empty:
    # ./cmu list
    Enter the partition password and follow the instructions on the Luna PED pad. If the verification is successful, you will see a display similar to the following back on the command line:
    nExitCode returned was =0
    Please enter password for token in slot 1 : *******************
    handle=9        label=root.ame2.l7tech.com
    handle=11       label=root.ame2.l7tech.com--cert0
    handle=30       label=SSL--cert0
    handle=32       label=SSL
    handle=48       label=hmm--cert0
    handle=49       label=hmm
    handle=55       label=ame2.l7tech.com--cert0
    handle=56       label=ame2.l7tech.com
    handle=121      label=peanuts--cert0
    handle=128      label=ssl_x4150upgrade
    handle=130      label=ssl_x4150upgrade--cert0
    handle=133      label=peanuts
    handle=175      label=ca
    handle=180      label=caec
    handle=183      label=caec--cert0
    handle=189      label=ca--cert0
    handle=266      label=test--cert0
    handle=269      label=test
    handle=296      label=testca
    handle=298      label=testca--cert0
    handle=308      label=peanuts2
    handle=310      label=peanuts2--cert0
    handle=419      label=NEWSSL--cert1
    handle=432      label=NEWSSL--cert0
    handle=495      label=peanuts2_ca
    handle=503      label=peanuts2_ca--cert0
Step 3: Configure the JDK
The final step involves copying the .JAR files from the JSP into the JDK (Java Development Kit) for the API Gateway appliance.
To configure the JDK for the API Gateway:
  1. Navigate to the following directory on the Gateway:
    # cd /usr/lunasa/jsp/lib
  2. Copy the Luna .JAR files over to the Gateway:
    # cp libLunaAPI.so Luna*.jar /opt/SecureSpan/JDK/jre/lib/ext
  3. Change the file permissions of the Luna files to make them readable by the Gateway:
    # chmod a+r /opt/SecureSpan/JDK/jre/lib/ext/*Luna*
  4. Open the following file in a text editor:
    /opt/SecureSpan/JDK/jre/lib/security/java.security
  5. Add the following line to the file, then save and close the file:
    com.safenetinc.luna.provider.createExtractableKeys=true
    If FIPS mode is enabled on your Luna appliance, also add the following line to the java.security file:
    security.provider.10=com.safenetinc.luna.provider.LunaProvider
  6. Set the file permissions for the Luna client as follows:
    # chmod -R 655 /usr/safenet
  7. Restart the API Gateway:
    # service ssg restart
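As an added example that is not part of the CA or SafeNet documentation, the POSIX shell script below checks, offline and without contacting the HSM, the three local artifacts that Step 2 (certificate permissions in step 9, the Chrystoki.conf setting in step 10) and Step 3 (the java.security lines) leave behind. The temporary sample tree it builds, the file name gw1.pem and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CA/SafeNet documentation: offline checks for the
# local artifacts that Steps 2 and 3 leave behind, to run before "vtl verify".

# 0 if every *.pem in $1 is readable by all users (the chmod a+r of Step 2), else 1.
certs_world_readable() {
  for f in "$1"/*.pem; do
    [ -e "$f" ] || return 1                       # no certificates at all
    # column 8 of "ls -l" is the read bit for "other"
    [ "$(ls -l "$f" | cut -c8)" = "r" ] || return 1
  done
  return 0
}

# 0 if Chrystoki.conf ($1) disables PE1746, the Step 2 workaround for vtl verify failures.
pe1746_disabled() {
  grep -Eq 'PE1746Enabled[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$1"
}

# 0 if java.security ($1) carries the Luna line from Step 3; with $2 = "fips" the
# LunaProvider registration must be present as well.
java_security_ready() {
  grep -Fq 'com.safenetinc.luna.provider.createExtractableKeys=true' "$1" || return 1
  if [ "$2" = "fips" ]; then
    grep -Fq 'security.provider.10=com.safenetinc.luna.provider.LunaProvider' "$1" || return 1
  fi
  return 0
}

# Constructed sample tree under $1 that mirrors the documented paths, seeded with
# the three defects the checks above are meant to catch.
make_sample_env() {
  mkdir -p "$1/usr/lunasa/cert/server" "$1/usr/lunasa/cert/client" "$1/etc"
  echo '-----BEGIN CERTIFICATE-----' > "$1/usr/lunasa/cert/server/server.pem"
  echo '-----BEGIN CERTIFICATE-----' > "$1/usr/lunasa/cert/client/gw1.pem"
  chmod 600 "$1/usr/lunasa/cert/client/gw1.pem"     # too strict for the client
  printf 'Misc = {\n  PE1746Enabled = 1;\n}\n' > "$1/etc/Chrystoki.conf"
  printf 'security.provider.1=sun.security.provider.Sun\n' > "$1/java.security"
}

# Apply the documented fixes to the sample tree.
apply_fixes() {
  chmod a+r "$1"/usr/lunasa/cert/server/*.pem "$1"/usr/lunasa/cert/client/*.pem
  printf 'Misc = {\n  PE1746Enabled = 0;\n}\n' > "$1/etc/Chrystoki.conf"
  echo 'com.safenetinc.luna.provider.createExtractableKeys=true' >> "$1/java.security"
}
```

Point the three check functions at the real /usr/lunasa/cert, /etc/Chrystoki.conf and java.security paths to audit an installed Gateway.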
Step 4: Enable SafeNet Luna on the API Gateway
At this point, you may now enable the SafeNet Luna HSM on the API Gateway. Do one of the following:
  • If you will be accessing the API Gateway using the Policy Manager (either browser or desktop client) over the default ports 8443/9443, follow both "To reset the default list" and "To enable SafeNet Luna" below.
  • If you will be accessing the API Gateway only using the browser client over a custom port, follow "To enable SafeNet Luna" only.
To reset the default list:
The following procedure corrects an issue that may occur when using the Policy Manager browser client over the default ports.
  1. Start the Policy Manager desktop client and connect to the API Gateway. Alternatively, you may use the browser client over port 8443.
  2. Run the Manage Listen Ports task. The Manage Listen Ports dialog is displayed.
  3. Select port 9443 and then click [Properties]. The Listen Port Properties are displayed.
  4. Select the [SSL/TLS Settings] tab.
  5. Click [Use Default List] and then click [OK] to close the dialog box.
Repeat the steps above for port 2124 if the Gateway continues to show a "starting" status.
To enable SafeNet Luna:
  1. Run the Manage Private Keys task. The Manage Private Keys dialog is displayed.
  2. Click [Manage Keystores] to display the Manage Keystore dialog.
  3. Click [Enable SafeNet HSM]. The "Current keystore type" should now display "SafeNet Luna HSM".
  4. Enter the API Gateway partition password when prompted.
  5. Restart the API Gateway.
You can confirm that the SafeNet Luna HSM is in effect by doing any of the following:
  • Under the Manage Private Keys task, check that the default SSL key shows location "HSM Luna".
  • When creating a new private key, the location should be "HSM Luna".
  • You should be unable to export a private key.
If the SafeNet Luna HSM is enabled but the API Gateway is unable to connect to it on startup, the API Gateway will fall back to the software keystore.