[Opendnssec-user] Questions re: OpenDNSSEC using Safenet Luna
Jake Zack
2017-02-16 21:13:20 UTC
Hey all,

I've mostly hobbled through the setup of a few Luna demo units by cobbling together their documentation and some previous posts to this list.

I feel like I'm close...but missing one step and hoping someone out there might be able to offer direction.

Configured the HSM for network, created a partition, etc.

Partitions created on HSM:
==========================
Partition: 535775014, Name: dotCA
Partition: 535775018, Name: dotTLD

Added a new repository in conf.xml:

<Repository name="dotCA">
<Module>/usr/lib/libCryptoki2_64.so</Module>
<TokenLabel>dotCA</TokenLabel>
<PIN>4xWA-E3q5-E/S3-5S9X</PIN>
</Repository>

(No clue if this PIN is right, but when I created the partition it told me to record and use this later - so I used it during lunaclient setup, and now here as well.)

Added a new policy in kasp.xml:

<Policy name="dotCA">
<Description>Safenet Luna HSM</Description>
...
<Repository>dotCA</Repository>

LunaCM says that it can talk to the HSM...

[***@dns-test-tld opendnssec]# /usr/safenet/lunaclient/bin/lunacm
LunaCM v6.2.2-4. Copyright (c) 2006-2015 SafeNet, Inc.
Available HSMs:
Slot Id -> 0
HSM Label -> dotCA
HSM Serial Number -> <SNIP>
HSM Model -> LunaSA
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

And a (safenet) 'vtl verify' works:
[***@dns-test-tld bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot Serial # Label
==== ================ =====
0 <SNIP> dotCA

If I look on the HSM itself, I see:
[PRD-HSM-01] lunash:>ntls info show

NTLS Information:

Operational Status: 1 (up)
Connected Clients: 1
Links: 1
Successful Client Connections: 15
Failed Client Connections: 0

...and in the syslog:

2017 Feb 16 15:32:26 PRD-HSM-01 local5 info NTLS[2107]: info : 0 : NTLS Client "192.168.0.254" connected and authenticated : 192.168.0.254/41014.

And yet an "ods-hsmutil" comes back with:
[***@dns-test-tld opendnssec]# ods-hsmutil info
Unknown error

An "ods-ksmutil key generate" comes back with:
[***@dns-test-tld bin]# ods-ksmutil key generate --policy=dotCA --interval P5Y
Key sharing is On
Info: converting P5Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
hsm_open() result: HSM error

Any guidance or ideas here would be appreciated.

Thanks all,
-Jacob Zack
DNS Architect - CIRA (.CA TLD)
Yuri Schaeffer
2017-02-20 14:51:51 UTC
Hi Jacob,

Jake Zack wrote:
> <PIN>4xWA-E3q5-E/S3-5S9X</PIN>
> (No clue if this is right, but when I created the partition it told me
> to record and use this later - so I used it during lunaclient setup, and
> now here as well)

I don't know anything about Lunas, but note there is a distinction
between the SO PIN and the User PIN. OpenDNSSEC should get the User PIN.

Jake Zack wrote:
> And yet an "ods-hsmutil" comes back with:
> Unknown error

Can you try and start the signer daemon on a high verbosity and check
the syslog?

Regards,
Yuri
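As an added diagnostic for the situation in this thread (not code from OpenDNSSEC or from either poster), the script below reads each <Repository> from a conf.xml and opens the token with the PKCS#11 user PIN, so a module that will not load, a token label that does not match any slot, and a rejected PIN (the SO/User mix-up Yuri mentions) are each reported separately instead of collapsing into "hsm_open() result: HSM error". It assumes the python-pkcs11 package is installed; the conf.xml sample is constructed and its PIN is a placeholder.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the conf.xml fragment in the thread; the PIN is
# a placeholder, never a real partition credential.
SAMPLE_CONF = """<RepositoryList>
<Repository name="dotCA">
<Module>/usr/lib/libCryptoki2_64.so</Module>
<TokenLabel>dotCA</TokenLabel>
<PIN>PARTITION-USER-PIN-PLACEHOLDER</PIN>
</Repository>
</RepositoryList>"""

def load_repositories(conf_xml):
    """One dict per <Repository>: the fields hsm_open() needs."""
    root = ET.fromstring(conf_xml)
    return [{"name": r.get("name"), "module": r.findtext("Module"),
             "label": r.findtext("TokenLabel"), "pin": r.findtext("PIN")}
            for r in root.iter("Repository")]

def probe(repo):
    """Open the token the way hsm_open() does, naming the step that fails."""
    try:
        import pkcs11                     # python-pkcs11 (assumed installed)
        import pkcs11.exceptions as pkerr
    except ImportError:
        return "python-pkcs11 not installed; cannot probe"
    try:
        lib = pkcs11.lib(repo["module"])  # dlopen of <Module>
    except Exception as exc:              # missing or unloadable library
        return f"module load failed for {repo['module']}: {exc}"
    try:
        token = lib.get_token(token_label=repo["label"])  # <TokenLabel>
    except pkerr.NoSuchToken:
        return f"no token labelled {repo['label']!r}; compare with the lunacm slot listing"
    try:
        with token.open(user_pin=repo["pin"]) as session:  # CKU_USER login
            count = sum(1 for _ in session.get_objects())
        return f"ok: user PIN accepted, {count} objects visible"
    except pkerr.PinIncorrect:
        return "user PIN rejected: check it is the partition User PIN, not the SO PIN"
    except pkerr.PKCS11Error as exc:
        return f"login failed: {type(exc).__name__}"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for repo in load_repositories(text):
        print(f"{repo['name']}: {probe(repo)}")
```

Run it as `python3 probe_hsm.py /etc/opendnssec/conf.xml` on the signer host; a successful line confirms the same module, label and PIN that ods-hsmutil will use.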
