Installation

For information on installing SafeNet Luna, refer to the SafeNet documentation on https://safenet.gemalto.com.

Misc = {
 RSAKeyGenMechRemap = 1;
}

Configuration

For configuration instructions, refer to the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD.

Perform all of the steps in section A - Configuration (Setup Appliance after Installing) and note the following regarding the setup:

• Step 3: Note that changing many of the policies will reset the HSM and you will not be able to change any of these policies later on.

• Step 4: A new partition could be added at any time. Each partition will be represented as a PKCS#11 slot. Make sure to write the Record Partition Client Password (TP) in a text file. In the example, the password is btqx-EFGH-3456-7/K9 for the first created partition (slot 1). The TP will later be used as PIN for the slot.

• Step 5: We recommend allowing partitions (p11 slots) to be "activated". If a partition is not activated, you will have to insert the black key in the PED and enter the PIN each time a resource in the HSM is used by the client. The following displays an example command to allow activating a partition:

  lunash:>partition changePolicy -partition partition1 -policy 22 -value 1

• Step 6: We recommend running from a directory owned by yourself (not having to use sudo) instead of running from the /usr/LunaSA/bin directory.
  The following shows and example of running from your own directory:

  $ /usr/lunasa/bin/ctp admin@lunasa.int.primekey.com:server.pem .

  The following shows examples of when sudo must be used: registration of server and adding client certificates (root owned files and directories are used and updated):

  $ sudo /usr/lunasa/bin/vtl addServer -n lunasa.int.primekey.com -c server.pem

  $ sudo /usr/lunasa/bin/vtl createCert -n milton

• Step 7: Each partition assigned to a client will be represented by a PKCS#11 slot for this client. Each newly added partition will be put last in the slot list, and the number of a slot will be slot list index plus 1 (list index starting with 0 and slot number starting with 1). To view the partition slot mapping on the client, run the following. The client may then use these slots with EJBCA and its tools.

  $ /usr/lunasa/bin/vtl verify

   

  The following Luna SA Slots/Partitions were found:

   

  Slot Serial # Label

  ==== ======== =====

  1 950784001 partition1

  2 950784002 partition2

Activating Slots

A partition (slot) must be activated before it can be used by a client as described in B - Administration & Maintenance > Activating and AutoActivating Partitions of the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD. The partition policy required to do the activation must have been set (see step 5 above). The following displays an example for activating a partition using the password from the configuration in step 4 above:

Generate Keys on a Slot

The following displays an exeample for generating keys on a slot using the password btqx-EFGH-3456-7/K9 from the step 4 above:

List and Test Keys Used by EJBCA

The following displays an example of listing and testing all keys that could be used by EJBCA:

Sample Hard Token Properties

The following displays a sample configuration of the Hard Token Properties for PKCS#11 token when creating a new CA:

Useful Luna Commands

The following lists useful native Luna cmu commands.

To list objects and their handles:

If you have created keys with native commands, or imported keys, there is probably no certificate object as required by Java PKCS#11 provider. To create a self-signed certificate referencing the private handle, run:

Note that 87 needs to be replaced with the handle of the private key found when running the list command.