Connecting to the HSM Using a Serial Connection

These instructions are written for using the free PuTTY terminal client software.

  1. In Session tab, select Serial as connection type and speed as 115200.
  2. In Terminal -> Keyboard tab, select Control-H and VT100+
  3. In Connection -> Serial tab, verify the following
  4. Optionally, you can go use the Session tab and save your config

 

Setting up HSM for Windows

Warning: The following steps walk you through resetting your HSM (also known as zeroing). If you do this and there are existing keys on the HSM, you will lose them all. Only perform these steps if you do not have existing keys on the HSM or if you know that you do not need any of the existing keys. Ensure all keys that you need are backed up in a secure location.
  1. Connect to the HSM through the serial port (this is crucial) through PuTTY. If you see a blank screen, you might need to press ENTER a few times to see the login prompt.
  2. Enter username. Failing to login 3 times will force factory resetting the HSM.
  3. After a few failed attempts, you see a prompt to reset the HSM
  4. Type quit and press ENTER to skip recovering and type proceed to zeroize the HSM.
  5. Login again with factory default username and password.
  6. You will be forced to change the password.

Configure Network Connection

  1. Type set hostname hostname
    • Replace hostname in the command with the actual device name that you want to use for the HSM.
  2. Type net domain your_fully_qualified_domain_name and then press ENTER
    • Replace your_fully_qualified_domain_name with your organization's actual domain name, such as corp.contoso.com.
  3. Type net interface delete -dev eth0 and then press ENTER
    • Ignore the reported error
  4. Type service restart network and then press ENTER
  5. Type net show to see the configuration setup. This includes the hostname, domain name, and IP information.
  6. To set the device to use DHCP, type net interface dhcp -device eth0 and then press ENTER.
  7. Type proceed and press ENTER confirm the change.
    1. Consider reserving a static IP address for the HSM.
    2. Add an A (host) Record on the DNS server for the HSM.
  8. Type net interface delete -device eth0 and then press ENTER.
  9. Type net dns nameserver IP_Address (replace IP_Address with the one of the DNS server for your domain) and then press ENTER.
  10. Type net dns searchdomain your_fully_qualified_domain_name and then press ENTER.
    • Replace the bold italicized text in the command with the appropriate domain name.
    • Type net interface static -device eth0 -ip IP_Address -netmask Subnet_Mask -gateway IP_Address_of_Gateway and then press ENTER.
      • Replace the bold italicized text in the command above with the appropriate IP settings.
  11. Tyep proceed and then press ENTER to confirm.
  12. Type net ping domain_name and then press ENTER to test the connection.
    • Replace the bold italicized text in the command above with the appropriate domain name.

Generate a New LunaSA Server Cert

  1. Type sysconf regenCert and then press ENTER.
  2. Type proceed and then press ENTER to confirm.
    • Note: Ensure DNS is working before running this command. If there is no DNS in the environment, type sysconf regenCert IP_Address and then press ENTER. Replace the bold italicized text in the command with the IP address.
  3. Type ntls bind eth0 and then press ENTER.
  4. Type proceed and then press ENTER to confirm.

Initialize the HSM

  1. Plugin the keypad. When you see SCP mode… Awaiting command… Type hsm init -label MyLuna and then press ENTER.
  2. Type proceed and then press ENTER to confirm.
  3. Plugin the Blue PED keys to the keypad
  4. Follow the instructions on screen. Enter the pin for the Blue key. You may be prompted to remove all data. If you are initially setting this up, then that is a safe operation. Otherwise, check to ensure there is not already valuable information on the Blue key.
  5. You will be prompt to plugin the Red key. Follow the on-screen instructions.

Create a Partition on the HSM

  1. Type hsm login and then press ENTER to confirm (use the Blue key)
  2. Type partition create -partition CLMPartition1 and then press ENTER to confirm
  3. Type proceed and then press ENTER to confirm.
  4. Plugin the Black key and follow the on screen instructions. You might be asked to use a group PED Key, choose NO

Important: Write down the key on screen. It will only be shown once.

Setup the Network Trust Link (NTL)

  1. Install 64-bit version of “LunaSA Client software v4.3” on the client (FIM CM Server) 
    • Only install CSP, the JSP is not required.
    • You may need to restart the FIM CM Server.
  2. On the client (FIM CM Server), open a Command Prompt and navigate to type CD %program files%\LunaSA and then press ENTER.
  3. Type ctp admin@CLMLuna:server.pem. (notice the DOT at the end)
  4. Type vtl addServer -n CLMLuna -c server.pem
  5. Type vtl createCert -n domainname and then press ENTER.
    • Warning: Type only the domainname and not the FQDN.
    • You should see that domainname.pem (private key) and domainname.pem (cert) are generated under .\cert\client directory.
  6. Type ctp cert\client\domainname.pem admin@CLMLuna and then press ENTER.
    • Replace the bold italicized text in the command with the appropriate information.
  7. On the HSM, type client register -c CLMServer -hostname domainname and then press ENTER.

Important note about De-Registration: If you have multiple Luna appliances connected and registered with a client and you de-register that client from one of the Luna appliances, then you must also de-register that Luna appliance on the client side. Failure to do so will result in a “Broken pipe” error, which indicates an incomplete registration

Assign the Partition to the Client

  1. On the HSM, type client assignPartition -client CLMServer -partition CLMPartition1 and then press ENTER.
  2. Verify the settings on the HSM, type client show -client CLMServer and then press ENTER.
  3. Verify the settings on the client (CLMServer), type vtl verify

Activate the Partition with FIM CM Partition

  1. On the HSM, type partition changePolicy -partition CLMPartition1 -policy 22 -value 1 and then press ENTER.
  2. Type partition changePolicy -partition CLMPartition1 -policy 23 -value 1 and then press ENTER.

3. Type partition activate -partition CLMPartition1 and then press ENTER. 

Register LunaCSP on FIM CM Server

  1. On the FIM CM server, from the \Program Files\LunaSA\CSP directory, type register
  2. Type y and then press ENTER.
  3. At "Do you want to register the partition named 'CLMPartition1'?[y/n] prompt, type y and then press ENTER.
  4. At Enter challenge for partition 'CLMPartition1' : enter the 16 digit partition password and then press ENTER. A success message is displayed regarding the registration of the ENCRYPTED challenge for partition 'CLMPartition1:1'.

Installing a CA to Support LunaSA HSM

 When you install a Certification Authority (CA) using an HSM, you must use the appropriate CSP (as shown in the figure).

  

Test the HSM using MMC Snap-In

  1. Open the CA MMC
  2. Right click Certificate Templates and then click Manage
  3. Right click on User, and then click Duplicate
  4. Select Windows 2003 Server, Enterprise Edition
    •  
  5. Change the Template display name to HSM User
  6. In the Request Handling tab, clear Allow private key to be exported and then click CSPs
  7. Ensure that only Luna Cryptographic Services for Microsoft Windows is selected.
  8. Click OK on all open dialog boxes to create the template.
  9. In the Certification Authority MMC, right click Certificate Templates, click New, and then click Certificate Template to Issue. Issue the HSM User Template.
  10. Run certmgr.msc as an Administrator. To do so, click Start. Type certmgr.msc and then right-click certmgr.msc when it appears in the Start menu and then click Run as administrator.
  11. In CertMgr.msc, right-click Personal, click All Tasks, and then click Request New Certificate.
  12. Select the HSM User certificate.

Configuring FIM CM to use the HSM

  1. Run the Certificate Management Config Wizard. The typical options should be selected (see Test Lab Guide: Demonstrate FIM CM for basic overview). 
  2. Except: When configuring Certificates, be sure that use the Luna certificates when performing the configuration. This will generate the cert from the hsm and import it to the agent’s personal store and add the thumbprint in web.config.

 

Note: If you use this method, you do not need to login using each account manually and then request the certificate, and then insert the thumbprint of each in the web.config file.

Post Configuration Testing

  1. Use a Manager account to Enroll Subscriber, which involves using the clmEnrollAgent.
  2. Run a recovery operation, which involves using the clmKRAgent account.
  3. Generate a Server Key
    1. Duplicate default User template as SKGUser
    2. Property of SKGUser
    3. Request Handling tab, select Archive subject’s encryption private key
    4. Publish SKGUser from the CA so others can enroll for it
    5. Add SKGUser to a profile template (you probably want to ONLY include SKGUser)
    6. Click Change General Settings in the profile template
    7. Check Generate encryption keys on the server
    8. Select custom server key generator
    9. Server key generator type, “Microsoft.Clm.BusinessLayer.StrongSkg, Microsoft.Clm.BusinessLayer”
    10. Server key generator data,  “Luna Cryptographic Services for Microsoft Windows|20”. The format is “<CSP Name>|<seed for random number generator>”
  4. If you run into issues, check the Web.config file for <add name="Microsoft.Clm.BusinessLayer.Skg" value="4" /> (change 0 to 4)
  5. Run iisreset

Additional Information

See Also