HSM Partition - quick build

Summary

  • Install the Luna client on the CA;

  • Create a partition on the HSM;

  • Configure the client for NTLS;

  • Initialise the partition; and

  • Configure the KSP.

(.venv) $ pip install lumache

Prerequisites and Dependencies:

  • the HSM appliance is already networked and initialized;

  • Software, PED Keys are all available

Install the Luna client on the CA

  • Right click Luna LunaHSMClient.exe (10.4.1), select Run as administrator, and select the following as install options:

    • Install location: C:Program FilesSafeNetLunaClient

    • Luna Devices Network

    • Luna Devices USB

    • Luna Devices Backup

    • Luna Devices Remote PED

    • Features CSP (CAPI) / KSP (CNG)

    • Select the “I agree to the terms of the Thales Licence Agreement”

  • Click Install

  • Edit the crystoki.ini file to include the RSAKeyGenMechRemap=1 under the [MISC] section.

Create a partition on the HSM

  • ssh to the HSM

  • Login into the HSM as the HSM SO hsm login (usually need the remote PED)

  • Create the partition using the following command where “myhsmpartition” is the partition name: partition create -partition <myhsmpartition>

Configure the client for NTLS

  • run the clientconfig to set up NTLS between the CA server and the HSM: clientconfig deploy -server <hsm ip> -client <ca server ip> -partition <myhsmpartition> -user <hsm user name> -v

Initialise the partition

  • initialize the partition with the command: partition init -label myhsmpartition

  • insert the Blue and Red PED keys when prompted (and orange assuming this is being done remotely)

  • Setup the CO:

    • login as partition SO: role logi -n partition so

    • initialise the CO: role init -n co

    • create a challenge passsword for the CO: role createchallenge -n co

  • Set the partition policies:

partition changepolicy -policy 18 -value 0
partition changepolicy -policy 20 -value 5
partition changepolicy -policy 21 -value 1
partition changepolicy -policy 22 -value 1
partition changepolicy -policy 23 -value 1
  • Login as CO and change the password and PIN

    • Login as the CO: role logi -n co

    • change the CO primary credential (challenge password): role changepw -n co -prompt

    • change the CO secondary credential (PIN): role changepw -n co

Configure the KSP

to be completed