SafeNet Client Setup on Key Manager Servers

This section describes how to set up SafeNet Clients on Key Manager Servers, which enables the Key Manager Servers to connect to a SafeNet Network HSM partition.

The instructions in this section are to be performed on the Key Manager Servers. Unless otherwise stated, these instructions must be repeated for each Key Manager Server in your Key Manager deployment.

  1. Gain root terminal access to the Key Manager Server.

  2. Install the necessary SafeNet Client software packages. Note that the packages must be installed in the presented order:

    • On the Key Manager Server machine you can install the packages with the following commands:
      # yum install configurator-*.x86_64.rpm
      # yum install lunacmu-*.x86_64.rpm
      # yum install libcryptoki-*.x86_64.rpm
      # yum install vtl-*.x86_64.rpm
  3. If using SafeNet Network HSM version 7.4 or later, add the Key Manager user (typically sshmgr) to the hsmusers group:

    # usermod -a -G hsmusers sshmgr
  4. Register the HSM in the Key Manager Server. We recommend first checking that the Key Manager Server is able to reach the HSM (replace hsm.example.com with the address of your HSM):

    # ping hsm.example.com

    After you have verified connectivity with the HSM, register the HSM as follows (replace hsm.example.com with the address of your HSM appliance, and replace server.pem with the path to the HSM Appliance Server Certificate):

    # /usr/lunasa/bin/vtl addServer -n hsm.example.com -c server.pem

    You should get a confirmation similar to the following after the HSM has been registered successfully:

    New server hsm.example.com successfully added to server list.
  5. Create a certificate that will be used to authenticate the Key Manager Server to the HSM (replace 192.0.2.10 with the IP address of the Key Manager Server):

    # /usr/lunasa/bin/vtl createCert -n 192.0.2.10

    The command prints the path of the certificate file it created, similar to the following:

    Certificate created and written to: /usr/lunasa/cert/client/192.0.2.10.pem

    Copy the certificate file to your HSM. This can be performed, for example, using scp:

    scp /usr/lunasa/cert/client/192.0.2.10.pem admin@hsm.example.com:

    Note: You must scp to the admin account on the HSM appliance, or the client certificate will not register correctly. Do not specify a target directory in the scp command: the file arriving at the HSM is automatically placed in the appropriate directory.
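
A check to run after steps 3 and 5, added here as an example and not part of the original documentation: it confirms that the Key Manager user is in hsmusers, reads the certificate path from saved vtl createCert output, and refuses a file that contains private key material before it is copied to the HSM. The function names, the saved-output file and the HSM_ADDRESS placeholder are assumptions.

```shell
#!/bin/sh
# Added example: checks for steps 3 and 5 on a Key Manager Server.

# Return 0 if USER is a supplementary member of GROUP. Reads a group(5)-format
# file when one is given (useful for testing), otherwise asks getent.
in_group() {
    user=$1 group=$2
    if [ -n "$3" ]; then cat "$3"; else getent group "$group"; fi |
    awk -F: -v u="$user" -v g="$group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# Read saved "vtl createCert" output on stdin and print the certificate path.
cert_path_from_output() {
    sed -n 's/^[[:space:]]*Certificate created and written to: *//p' | head -n 1
}

# Return 0 only if FILE holds a PEM certificate and no private key block,
# so that key material is never copied off the server by mistake.
safe_to_copy() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "no PEM certificate in $1" >&2; return 1; }
    if grep -q 'PRIVATE KEY-----' "$1"; then
        echo "private key material found in $1" >&2; return 1
    fi
}

# Run all checks. Arguments: user, file with saved createCert output,
# optional group file. HSM_ADDRESS in the message is a placeholder.
check_client_setup() {
    in_group "$1" hsmusers "$3" || { echo "$1 is not in hsmusers" >&2; return 1; }
    cert=$(cert_path_from_output < "$2")
    [ -n "$cert" ] || { echo "no certificate path in vtl output" >&2; return 1; }
    safe_to_copy "$cert" || return 1
    echo "OK: scp $cert admin@HSM_ADDRESS:"
}

# Usage (hypothetical file name): check_client_setup sshmgr /root/createcert.out
```

The group check covers supplementary membership only, which is what usermod -a -G sets.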

After you have set up the SafeNet Client on a Key Manager Server, you will still need to register the Key Manager Server on the HSM side. Instructions for doing this are provided in SafeNet Client Setup on the HSM.

Keep in mind that you must set up the SafeNet Client on all your Key Manager Servers.