Published: 2025-01-10
Thales Luna Network HSM 7 (formerly SafeNet Luna SA) is a network HSM that lets users create partitions for storing keys, such as the RA key required for strong authentication to DigiCert® Trust Lifecycle Manager. It includes many features that improve the security, connectivity and manageability of dedicated and shared security applications.
To access a partition on a SafeNet Network HSM 7, use the Luna HSM Client over a Network Trust Link Service (NTLS) connection.
Follow these steps to install the Luna HSM Client software on the client machine:
Run LunaHSMClient.exe as an administrator.
Choose the installation options and features.
Check the following Luna devices (some options and features are optional, depending on your environment):
Network
(Optional) Remote PED
Check the following features (optional features depend on your environment):
CSP (CAPI) / KSP (CNG)
(Optional) JCE / JCA provider (JSP)
(Optional) PKCS #11 (JCProv)
Review the software license agreement, then select Install.
Wait for completion. A progress bar appears at the bottom of the window.
When the installation finishes, select OK. The UNINSTALL and MODIFY buttons appear. Select QUIT.
A partition must be created before performing the steps listed below. In this document it is referred to as <PARTITION-NAME>.
Follow these steps to configure the Luna HSM Client:
Open a command prompt window and run the following commands:
> cd C:\Program Files\SafeNet\LunaClient
> lunacm.exe
Create the Network Trust Link (NTL). This is a one-step setup. If you have already created the NTL, continue with step 4.
lunacm:> clientconfig deploy -server <SERVER-HOSTNAME> -client <CLIENT-HOSTNAME> -par <PARTITION-NAME>
Please wait while we set up the connection to the HSM. This may take several minutes...
Please enter appliance admin role user's password:
Command Result : No Error
lunacm.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
Slot Id ->              1
Label ->                <PARTITION-NAME>
Serial Number ->        1314971349473
Model ->                LunaSA 7.2.0
Firmware Version ->     7.0.3
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM Ready
Current Slot Id: 1
lunacm:> clientconfig v
The following Luna SA Slots/Partitions were found:
Slot    Serial #          Label
====    ================  =====
   1    1314971349473     <PARTITION-NAME>
Command Result : No Error
If you do not want to use the one-step setup (step 2 above), follow these steps instead:
Obtain the server certificate.
The server certificate was created on the HSM, so it must be copied from the server.
> pscp -scp admin@<SERVER-HOSTNAME>:server.pem
Add the server for the client.
> vtl addServer -n <SERVER-HOSTNAME> -c server.pem
New server <SERVER-HOSTNAME> successfully added to server list.
Create the client certificate.
> vtl createCert -n <CLIENT-HOSTNAME>
Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\<CLIENT-HOSTNAME>Key.pem
Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\<CLIENT-HOSTNAME>.pem
Upload the client certificate to the server.
> pscp -scp cert\client\<CLIENT-HOSTNAME>.pem admin@<SERVER-HOSTNAME>:
admin@<SERVER-HOSTNAME>'s password:
<CLIENT-HOSTNAME>.pem          | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%
Next, on the server:
Register the client, connected to the HSM over SSH.
lunash:> client register -client <CLIENT-HOSTNAME> -hostname <CLIENT-HOSTNAME>
'client register' successful.
Command Result : 0 (Success)
Assign the partition to the client, connected to the HSM over SSH.
lunash:> client assignPartition -client <CLIENT-HOSTNAME> -partition <PARTITION-NAME>
'client assignPartition' successful.
Command Result : 0 (Success)
Now, on the client:
Confirm the connection settings.
The working directory is C:\Program Files\SafeNet\LunaClient.
> vtl listServers
Server: <SERVER-HOSTNAME>    HTL required: no
> vtl verify
vtl (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
The following Luna SA Slots/Partitions were found:
Slot    Serial #          Label
====    ================  =====
   1    1314971349473     <PARTITION-NAME>
Configure logging (optional). The working directory is C:\Program Files\SafeNet\LunaClient. The log folder in the example below is c:\temp and can be changed.
> vtl logging configure c:\temp
Success setting log path to c:\temp
> vtl logging show
Client logging written to: c:\temp\LunaCryptokiLog.htm
Create the HA group.
Open a command prompt window and run the following client commands:
> cd C:\Program Files\SafeNet\LunaClient
> lunacm.exe
lunacm:> slot set -s <SLOT-NUMBER>
lunacm:> hagroup creategroup -se <SERIALNUMBER> -label <HA-LABEL>
Enter the password: ************
New group with label "HAGroup" created with group number <SERIALNUMBER>.
Group configuration is:
    HA Group Label:   <HA-LABEL>
    HA Group Number:  11336489553517
    HA Group Slot ID: Not Available
    Synchronization:  enabled
    Group Members:    1336489553517
    Needs sync:       no
    Standby Members:  <none>
Slot #   Member S/N      Member Label        Status
======   ==========      ============        ======
     1   1336489553517   <PARTITION-NAME>    alive
Command Result : No Error
lunacm.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
Available HSMs:
Slot Id ->              1
Label ->                <PARTITION-NAME>
Serial Number ->        1336489553517
Model ->                LunaSA 7.2.0
Firmware Version ->     7.0.3
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM Ready
Slot Id ->              5
HSM Label ->            <HA-LABEL>
HSM Serial Number ->    11336489553517
HSM Model ->            LunaVirtual
HSM Firmware Version -> 7.0.3
HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status ->           N/A - HA Group
Current Slot Id: 1
If you run the steps above, you must repeat the Configure CSP and Configure KSP procedures.
Enable HA Only
lunacm:> slot set -s <HA-SLOT-NO>
Current Slot Id: <HA-SLOT-NO> (Virtual HSM 7.0.3 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> hagroup ho -e
"HA Only" has been enabled.
Command Result : No Error
lunacm:> hagroup ho -s
This system is configured to show only HA slots. (HA Only is enabled)
Command Result : No Error
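Once the HA group exists, an operator usually wants to check from a script that every member partition still reports as alive rather than reading the lunacm table by eye. The following parser is an added example, not part of the original article or of the Luna client; it reads the member table in the layout lunacm printed above, and the sample output, serial 1336489553518, labels and the non-alive status text are constructed placeholders.

```python
import re

# Constructed sample in the layout of the "hagroup creategroup" output above.
# The second member, its serial and the "down" status are placeholders; any
# status other than "alive" is treated as unhealthy.
SAMPLE_OUTPUT = """\
Group configuration is:
    HA Group Label:   RA-HA
    HA Group Number:  11336489553517
    Synchronization:  enabled
Slot #   Member S/N      Member Label        Status
======   ==========      ============        ======
     1   1336489553517   RA-PARTITION-A      alive
     2   1336489553518   RA-PARTITION-B      down
Command Result : No Error
"""

# slot, serial, label (may contain spaces), status
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(\S+)\s*$")


def parse_ha_members(output):
    """Return [(slot, serial, label, status), ...] from the member table."""
    members = []
    in_table = False
    for line in output.splitlines():
        if line.strip().startswith("Slot #"):
            in_table = True          # header row found, rows follow
            continue
        if not in_table or line.strip().startswith("="):
            continue                 # preamble or the ====== separator
        m = ROW_RE.match(line)
        if not m:
            break                    # first non-row line ends the table
        slot, serial, label, status = m.groups()
        members.append((int(slot), serial, label, status.lower()))
    return members


def unhealthy_members(output):
    """Members whose status is anything other than 'alive'."""
    return [m for m in parse_ha_members(output) if m[3] != "alive"]


def group_number(output):
    """The HA Group Number line, or None if absent."""
    m = re.search(r"HA Group Number:\s*(\d+)", output)
    return m.group(1) if m else None
```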
For deployments with an Auto-enrollment server, you need to configure the CSP.
For the SafeNet CSP, the register.exe utility (64-bit version) handles the registry. To configure the CSP, open a command prompt window and run the following commands:
Register the CSP library
C:\Program Files\SafeNet\LunaClient\CSP>register.exe /library
register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna enhanced RSA and AES provider for Microsoft Windows.
Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna Cryptographic Services for Microsoft Windows.
Success registering SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Luna SChannel Cryptographic Services for Microsoft Windows.
Register the partition
C:\Program Files\SafeNet\LunaClient\CSP>register.exe
register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
***************************************************************************
*                                                                         *
*               Safenet LunaCSP, Partition Registration                   *
*                                                                         *
*       Protect the HSM's challenge for the selected partitions.          *
*                                                                         *
*  NOTE:                                                                  *
*    This is a WEAK protection of the challenge.                          *
*    After you have configured all applications that will use             *
*    the LunaCSP and ran them once, you MUST run:                         *
*        register /partition /strongprotect                               *
*    to strongly protect the registered challenges.                       *
*                                                                         *
***************************************************************************
This is a destructive procedure and will overwrite any previous registrations.
Do you wish to continue?: [y/n]y
Do you want to register the partition named '<PARTITION-NAME>'?[y/n]: y
Enter challenge for partition '<PARTITION-NAME>' : <Only hit "Enter" then the PED Authentication will be requested>
Success registering the ENCRYPTED challenge for partition '<PARTITION-NAME>:1'.
Only the LunaCSP will be able to use this data.
Registered 1 partition(s) for use by the LunaCSP.
Register the HA partition
If HA is configured, run the following command.
c:\Program Files\SafeNet\LunaClient\CSP>register.exe /h
register.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
***************************************************************************
*                                                                         *
*               Safenet LunaCSP, Partition Registration                   *
*                                                                         *
*       Protect the HSM's challenge for the selected partitions.          *
*                                                                         *
*  NOTE:                                                                  *
*    This is a WEAK protection of the challenge.                          *
*    After you have configured all applications that will use             *
*    the LunaCSP and ran them once, you MUST run:                         *
*        register /partition /strongprotect                               *
*    to strongly protect the registered challenges.                       *
*                                                                         *
***************************************************************************
This is a destructive procedure and will overwrite any previous registrations.
Do you wish to continue?: [y/n]y
Do you want to register the partition named ''?[y/n]: y
Enter challenge for partition '' :************
Success registering the ENCRYPTED challenge for partition ':1'.
Only the LunaCSP will be able to use this data.
Registered 1 partition(s) for use by the LunaCSP.
To configure the KSP (CNG), run KspConfig.exe (the default location is C:\Program Files\SafeNet\LunaClient\KSP\).
Follow the instructions for using the graphical KspConfig.exe described in KSP for CNG in the SDK Reference Guide.
The following window appears:
Double-click Register or View Security Library, then confirm the value C:\Program Files\SafeNet\LunaClient\cryptoki.dll.
Select Administrator
Select <DOMAIN-NAME>
Select the available slot of the HA group
Enter the slot password
Select Register Slot.
Double-click Register HSM Slots for SYSTEM/NT AUTHORITY.
Select SYSTEM
Select NT AUTHORITY
Select the available slot of the HA group
Enter the slot password
Select Register Slot.
When you click Register Slot, nothing visibly changes in the list of registered slots, but this step is required.
When registering the Luna KSP (with the Luna KspConfig utility), use the following user and domain combinations:
The user and domain that perform these procedures.
The user and domain that run the web application and use the private key.
The local user and the NT Authority domain user.
LocalSystem and NT Authority for the system.
If you implement an Auto-enrollment server, you must also install and register the Luna CSP. See the SafeNet product documentation for details.
Create the information file for the CSR. To generate a CSR with certreq.exe through the CSP, ProviderName must be Luna Cryptographic Services for Microsoft Windows. The .inf file looks like this:
[NewRequest]
KeyUsageProperty = "NCRYPT_ALLOW_ALL_USAGES"
RequestType = PKCS10
ProviderName = "Luna Cryptographic Services for Microsoft Windows"
ProviderType = 1
Subject = "CN=Registration Authority"
KeyContainer = "CSPRA20220725"
MachineKeySet = TRUE
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
Generate the CSR through the HSM.
<inf-file> is the file created in step 1 and <csr-file> is the output file.
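Because the provider name in the .inf decides where the RA key is generated, a wrong ProviderName, a missing MachineKeySet or a short key is worth catching before certreq.exe runs. The following builder and checker are an added example, not code from the article or from Thales; the field rules it enforces are exactly those the .inf above uses.

```python
import configparser

# Exact CSP name from the article. Any other provider would generate the key
# outside the HSM (or make certreq fail), so it is compared verbatim.
LUNA_CSP_PROVIDER = "Luna Cryptographic Services for Microsoft Windows"


def build_ra_inf(subject_cn, key_container, key_length=2048):
    """Build the [NewRequest] .inf text for a Luna-CSP-backed RA key."""
    lines = [
        "[NewRequest]",
        'KeyUsageProperty = "NCRYPT_ALLOW_ALL_USAGES"',
        "RequestType = PKCS10",
        f'ProviderName = "{LUNA_CSP_PROVIDER}"',
        "ProviderType = 1",
        f'Subject = "CN={subject_cn}"',
        f'KeyContainer = "{key_container}"',
        "MachineKeySet = TRUE",   # machine store, so a service account can use it
        "HashAlgorithm = SHA256",
        "KeyAlgorithm = RSA",
        f"KeyLength = {key_length}",
    ]
    return "\n".join(lines) + "\n"


def _value(section, key):
    # certreq keys are case-insensitive; configparser lowercases them for us.
    return section.get(key, "").strip().strip('"')


def check_ra_inf(inf_text):
    """Return a list of problems found in the .inf; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    if "NewRequest" not in cp:
        return ["missing [NewRequest] section"]
    s = cp["NewRequest"]
    problems = []
    if _value(s, "ProviderName") != LUNA_CSP_PROVIDER:
        problems.append("ProviderName is not the Luna CSP; key would not be on the HSM")
    if _value(s, "ProviderType") != "1":
        problems.append("ProviderType must be 1 for the Luna CSP (CAPI) provider")
    if _value(s, "MachineKeySet").upper() != "TRUE":
        problems.append("MachineKeySet must be TRUE so the service account can use the key")
    try:
        if int(_value(s, "KeyLength")) < 2048:
            problems.append("KeyLength below 2048 bits")
    except ValueError:
        problems.append("KeyLength missing or not numeric")
    if _value(s, "HashAlgorithm").upper() in ("", "SHA1", "MD5"):
        problems.append("HashAlgorithm should be SHA256 or stronger")
    return problems
```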
Obtain the client authentication certificate.
Install the RA certificate
For more information about Thales Luna HSM, contact 揽阁信息.