Configure a Thales Luna client on the ADC
After you have configured the Thales Luna HSM and created the required partitions, you must create clients and assign them to partitions. Begin by configuring the Thales Luna clients on the Citrix ADC and setting up the network trust links (NTLs) between the Thales Luna clients and the Thales Luna HSM. A sample configuration is given in the Appendix.
- Change the directory to /var/safenet and install the Thales Luna client. At the shell prompt, type:
cd /var/safenet
To install Thales Luna client version 6.0.0, type:
install_client.sh -v 600
To install Thales Luna client version 6.2.2, type:
install_client.sh -v 622
To install Thales Luna client version 7.2.2, type:
install_client.sh -v 722
- Configure the NTLs between the Thales Luna client (ADC) and the HSM.
After the /var/safenet/ directory is created, perform the following tasks on the ADC.
a) Change the directory to /var/safenet/config/ and run the safenet_config script. At the shell prompt, type:
cd /var/safenet/config
sh safenet_config
This script copies the Chrystoki.conf file into the /etc/ directory. It also creates a symbolic link, libCryptoki2_64.so, in the /usr/lib/ directory.
b) Create and transfer a certificate and key between the ADC and the Thales Luna HSM.
To communicate securely, the ADC and the HSM must exchange certificates. Create a certificate and key on the ADC and then transfer it to the HSM. Copy the HSM certificate to the ADC.
i) Change directory to /var/safenet/safenet/lunaclient/bin.
ii) Create a certificate on the ADC. At the shell prompt, type:
./vtl createCert -n <ip address of Citrix ADC>
This command also adds the certificate and key paths to the /etc/Chrystoki.conf file.
iii) Copy this certificate to the HSM (the trailing colon is required, otherwise scp writes a local file instead of copying to the HSM). At the shell prompt, type:
scp /var/safenet/safenet/lunaclient/cert/client/<ip address of NS>.pem <LunaSA_HSM account>@<IP address of Luna SA>:
iv) Copy the HSM certificate to the Citrix ADC. At the shell prompt, type:
scp <HSM account>@<HSM IP>:server.pem /var/safenet/safenet/lunaclient/server_<HSM ip>.pem
- Register the Citrix ADC as a client and assign it a partition on the Thales Luna HSM.
Log on to the HSM and create a client. Enter the NSIP as the client IP. This address must be the IP address of the ADC from which you transferred the certificate to the HSM. After the client is successfully registered, assign a partition to it. Run the following commands on the HSM.
a) Use SSH to connect to the Thales Luna HSM and enter the password.
b) Register the Citrix ADC as a client on the Thales Luna HSM. The IP address you enter is the client's IP address, that is, the NSIP address of the ADC.
At the prompt, type:
client register -client <client name> -ip <Citrix ADC ip>
c) Assign the client a partition from the partition list. To view the available partitions, type:
partition list
Assign a partition from this list. Type:
client assignPartition -client <Client Name> -par <Partition Name>
- Register the HSM with its certificate on the Citrix ADC.
On the ADC, change the directory to /var/safenet/safenet/lunaclient/bin and, at the shell prompt, type:
./vtl addserver -n <IP addr of HSM> -c /var/safenet/safenet/lunaclient/server_<HSM_IP>.pem
To remove the HSM that is enrolled on the ADC, type:
./vtl deleteServer -n <HSM IP> -c <cert path>
To list the HSM servers configured on the ADC, type:
./vtl listServer
Note: Before removing the HSM by using vtl, make sure all the keys for that HSM are manually removed from the appliance. HSM keys cannot be deleted after the HSM server is removed.
- Verify the network trust link (NTL) connectivity between the ADC and the HSM. At the shell prompt, type:
./vtl verify
If verification fails, review all the preceding steps. Verification errors are due to an incorrect IP address in the client certificate (the value passed with -n to vtl createCert).
- Save the configuration.
The preceding steps update the /etc/Chrystoki.conf configuration file. This file does not survive a restart of the ADC. Copy it to the default configuration directory, from which it is restored when the ADC restarts.
At the shell prompt, type:
cp /etc/Chrystoki.conf /var/safenet/config/
Run this command after every change to the Thales Luna related configuration.
- Start the Thales Luna gateway process.
At the shell prompt, type:
sh /var/safenet/gateway/start_safenet_gw
- Configure automatic start of the gateway daemon at boot time.
Create the safenet_is_enrolled file, which indicates that a Thales Luna HSM is configured on this ADC. Whenever the ADC restarts and this file is found, the gateway is started automatically.
At the shell prompt, type:
touch /var/safenet/safenet_is_enrolled
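A consistency check for the enrollment built by the steps above, written as an added example (not Citrix or Thales code): it confirms the artifacts those steps leave on the ADC, using the paths the steps name. The optional ROOT argument is an assumption of this script, so the same checks can be exercised against a staged copy of the filesystem tree.

```shell
#!/bin/sh
# Pre-reboot check of a Thales Luna enrollment on a Citrix ADC.
# Added example (not Citrix or Thales code). Verifies the artifacts the
# procedure leaves behind; the optional ROOT prefix (an assumption of this
# script) lets the same checks run against a staged copy of the tree.
# Usage: check_luna_enrollment <NSIP> <HSM_IP> [ROOT]
# Exit status is the number of failed checks (0 = all good).

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

check_luna_enrollment() {
    nsip=$1; hsmip=$2; root=${3:-}; fails=0
    # Paths exactly as the procedure creates them (vtl createCert / addserver).
    client_rel="/var/safenet/safenet/lunaclient/cert/client/$nsip.pem"
    client_cert="$root$client_rel"
    server_cert="$root/var/safenet/safenet/lunaclient/server_$hsmip.pem"
    live="$root/etc/Chrystoki.conf"
    saved="$root/var/safenet/config/Chrystoki.conf"
    marker="$root/var/safenet/safenet_is_enrolled"

    # 1. The client certificate from 'vtl createCert -n <NSIP>' must exist;
    #    a cert made for the wrong IP is what makes 'vtl verify' fail.
    [ -s "$client_cert" ] || fail "client certificate $client_cert not found"

    # 2. createCert records the cert path in the live Chrystoki.conf.
    grep -qF "$client_rel" "$live" 2>/dev/null \
        || fail "$live does not reference $client_rel"

    # 3. The HSM's server.pem must have been copied under the expected name.
    [ -s "$server_cert" ] || fail "HSM certificate $server_cert not found"

    # 4. /etc/Chrystoki.conf is lost on reboot: the persistent copy must be
    #    present and identical to the live file.
    if [ -f "$saved" ] && cmp -s "$live" "$saved"; then :; else
        fail "$saved missing or out of date (run: cp $live $saved)"
    fi

    # 5. The marker that makes the gateway start automatically at boot.
    [ -f "$marker" ] || fail "$marker not found; gateway will not autostart"

    [ "$fails" -eq 0 ] && echo "OK: Luna enrollment for NSIP $nsip is consistent"
    return "$fails"
}

# Run directly: sh check_luna.sh <NSIP> <HSM_IP> [ROOT]
if [ $# -ge 2 ]; then
    check_luna_enrollment "$@"
fi
```

Run it as root on the ADC after the last step and again before any planned reboot; a non-zero exit means a step was skipped or the saved copy of Chrystoki.conf is stale.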