Warning

This documentation does not replace the SafeNet LunaSA documentation. The HSM is a sophisticated device; you should consult the manual and know what you are doing.
8.3.1. Requirements

You need to install the following software packages on the LinOTP server that were delivered with your HSM:

ctp 4.5.0
libcryptoki 4.5.0
vtl 4.5.0

The components are installed to /usr/lunasa. The executables are located at /usr/lunasa/bin.
8.3.2. Network settings
Note

For connecting to the Luna SA you need to connect the Luna SA appliance with the client computer via a null modem cable with the following settings: serial port baud rate 115200, N,8,1 (no parity, 8 data bits, one stop bit), VT100 terminal emulation. Hardware flow

Alternatively the HSM is accessible via IP 192.168.0.1. After the first login with the username admin and the password chrysalis the password is requested to be changed. Furthermore the time needs to be set and the network should be configured:

# setting time zone
# setting time
# setting hostname
lunash:> net hostname hsm1
# set domain name
-gateway 172.16.1

Now the LunaSA can be contacted via ssh. When the network connection is working correctly an ntp service can be set up. Setting up the domain controller in forest root as NTP servers:
8.3.3. LunaSA server certificate

Note

For communication the LunaSA generates a certificate. For correct generation the LunaSA needs to be inserted in the DNS servers or in /etc/hosts.

When the DNS server resolves hsm1 correctly the server certificate can be generated:

lunash:> sysconf regenCert
CAUTION: Current Server Certificate and Private Key will be
overwritten. All clients will have to add the server
http://www.linotp.org/doc/2.6/part-installation/HSM/setting_up_lunasa.html
1/4
24/10/2014
To be able to use the LunaSA via network, the trusted interface has to be defined:

lunash:> ntls bind eth0
8.3.4. Initialization of HSM

Note

You should stick to the web based documentation closely, since this is a sensitive process.

Roughly, after having issued the hsm init command the process is as follows: you can display the policies:
Description      Value   Code   Destructive
===========      =====   ====   ===========
Allow cloning    On             Yes
                 On      12     Yes
                 On      13     No
                 On      15     Yes
                 On      16     No
                 On      20     Yes
                 Off     21     No
For performing backups the policy Allow cloning must be ON. For a redundant HA setup the policies Allow cloning and Allow network replication must be ON.

To switch a policy to ON use the command:

hsm changePol -p 7 -v 1

and insert the blue HSM Admin PED Key.
A new partition is created issuing the command:

lunash:> partition create -name yourPartition

A black Partition Owner PED Key is generated. A PIN for the black PED Key needs to be set. When asked "Are you duplicating this PED Key Y/N?" backups of the black PED Key may be generated.

The Luna PED will now display the password that clients (the LinOTP server) will use to authenticate to this partition. As this password will never show again anywhere else, it needs to be recorded/remembered:

Login secret value
btqx-EFGH-3456-7/K9
Please write it down.
(Press ENTER)

After displaying the client password the creation of the partition has finished.

If you have more partitions, create all other partitions with new black Partition Owner keys. For each partition a separate black Partition Owner PED Key should be used. Otherwise the LunaSA will create a so called Group PED Key.
Note

When creating Group PED Keys the access rights to the HSM of the LinOTP servers cannot be separated! It is recommended to use a separate PED Key for each partition.

For setting the partition policy you need to have the blue SO PED key. Afterwards the partition can be activated:

lunash:> partition activate -partition partitionPolicyCA

When activating the partition you need to enter the client password that was generated when the partition was initialized. For activating the partition you need to have the Partition Owner PED key.

If the HSM lost power and you start the HSM again, the partition needs to be activated again. To avoid this, you can turn the Autoactivation policy on:

lunash:> partition changePolicy -partition yourPartition -policy 23 -value 1
8.3.5. Setting up HSM clients and assigning clients to HSM partitions

You need to add the HSM server on the client side:

./vtl addServer -n hsm1 -c server.pem

Now the client needs to get a client certificate created:

./vtl createCert -n linotp

Copy the client certificate to the LunaSA:

./ctp cert/client/linotp.pem admin@hsm1:

Now the client needs to be registered on the LunaSA and be assigned to a partition. Therefore on the LunaSA the admin must issue the following commands:

# register the client
lunash:> client register -client linotp -hostname linotp
# assign a client to partition
lunash:> client assignPartition -client linotp -partition yourPartition

Verify the working connection by:

./vtl verify

You should see a list with the available slots. You also need the slot number to configure later in LinOTP.
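Two checks in this procedure are mechanical and worth scripting: before a backup or HA setup (8.3.4), confirm from the policy table that Allow cloning (and, for HA, Allow network replication) is On and derive the hsm changePol command for any policy that is not; after ./vtl verify (8.3.5), pick the slot number of the assigned partition for the later LinOTP configuration. The Python below is an added example, not code from the LinOTP project or from SafeNet. It parses both tables by the column positions of their "====" underline rows, so descriptions that contain spaces survive intact. The sample outputs are constructed in the shape of the policy table printed on this page and of a vtl verify listing; the policy codes 7 (Allow cloning) and 16 (Allow network replication), the non-FIPS row, the serial numbers and the partition names are assumptions made for the example, and the lunash command that prints the policy table (hsm showPolicies) is named from the Luna SA documentation, not from this page. A policy flagged Destructive in the table zeroizes the HSM when it is changed, so the helper reports that flag next to the code.

```python
"""Parse lunash / vtl table output (added example; not LinOTP or SafeNet code).

Two uses from the setup procedure:
  * 8.3.4: check that the HSM policies a backup or HA setup needs are On
    (table as printed by `lunash:> hsm showPolicies`; command name taken from
    the Luna SA documentation, not from the LinOTP page);
  * 8.3.5: take the slot number of the assigned partition from `./vtl verify`
    for the later LinOTP configuration.
"""
import re
from typing import Dict, List, Optional

REQUIRED_FOR_BACKUP = ["Allow cloning"]
REQUIRED_FOR_HA = ["Allow cloning", "Allow network replication"]


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse a lunash/vtl style table: header line, '====' underline, rows.

    Column boundaries come from the runs of '=' in the underline row, not from
    whitespace splitting, so descriptions with spaces ("Allow cloning") stay
    intact.  Lines before the header (titles) and blank lines are ignored.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i > 0 and re.fullmatch(r"\s*=+(\s+=+)*\s*", line):
            header, underline, body = lines[i - 1], line, lines[i + 1:]
            break
    else:
        raise ValueError("no '====' underline row found in table output")
    starts = [m.start() for m in re.finditer(r"=+", underline)]
    bounds = list(zip(starts, starts[1:] + [None]))  # column runs to next start
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in body:
        if line.strip():
            rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def policies_to_enable(showpolicies_text: str, required: List[str]) -> Dict[str, Optional[dict]]:
    """Required policies that are not On, mapped to their code and Destructive flag.

    A required policy missing from the output maps to None so the caller
    notices instead of passing silently.  Destructive policies zeroize the HSM
    when changed, so the flag is surfaced together with the code.
    """
    by_name = {row["Description"]: row for row in parse_table(showpolicies_text)}
    result: Dict[str, Optional[dict]] = {}
    for name in required:
        row = by_name.get(name)
        if row is None:
            result[name] = None
        elif row["Value"] != "On":
            result[name] = {"code": int(row["Code"]),
                            "destructive": row["Destructive"] == "Yes"}
    return result


def changepol_commands(to_enable: Dict[str, Optional[dict]]) -> List[str]:
    """lunash commands (page syntax: hsm changePol -p <code> -v 1) for known codes."""
    return [f"hsm changePol -p {info['code']} -v 1" for info in to_enable.values() if info]


def slot_for_partition(vtl_verify_text: str, label: str) -> Optional[int]:
    """Slot number that ./vtl verify lists for the partition `label`, or None."""
    for row in parse_table(vtl_verify_text):
        if row.get("Label") == label:
            return int(row["Slot"])
    return None


# --- constructed sample output (not captured from a real appliance; the
# --- codes, descriptions, serials and labels below are assumptions) ---------
def _policy_line(desc: str, value: str, code: str, destructive: str) -> str:
    return f"   {desc:<41}{value:<11}{code:<10}{destructive}"


SHOWPOLICIES_SAMPLE = "\n".join([
    "HSM Policies",
    _policy_line("Description", "Value", "Code", "Destructive"),
    _policy_line("=" * 11, "=" * 5, "=" * 4, "=" * 11),
    _policy_line("Allow cloning", "On", "7", "Yes"),
    _policy_line("Allow non-FIPS algorithms", "On", "12", "Yes"),
    _policy_line("Allow network replication", "Off", "16", "No"),
])

VTL_VERIFY_SAMPLE = """\
The following Luna SA Slots/Partitions were found:

Slot    Serial #        Label
====    ========        =====
   1    150022009       yourPartition
   2    150022010       otherPartition
"""

if __name__ == "__main__":
    need = policies_to_enable(SHOWPOLICIES_SAMPLE, REQUIRED_FOR_HA)
    print("HA prerequisites not met:", need)
    print("fix with:", changepol_commands(need))
    print("LinOTP slot for yourPartition:",
          slot_for_partition(VTL_VERIFY_SAMPLE, "yourPartition"))
```

Feed the functions the text you paste from the lunash session or capture from `./vtl verify`; the only thing the parser relies on is the header/underline layout, which is the same for both tables.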
8.3.6. Troubleshooting

The names must resolve successfully. Try to ping the HSM from the LinOTP server by name and the LinOTP server from the HSM:

lunash:> net ping linotp

It could be that the ntls service needs to be restarted:

lunash:> service restart ntls
Copyright 2014, LSE Leading Security Experts GmbH. Created using Sphinx 1.1.3.