SafeNet Luna

For information on how to install, configure, and integrate EJBCA with SafeNet Luna Hardware Security Modules (HSM), refer to the Gemalto EJBCA SafeNet Luna HSM Integration Guide.

To find the latest version of the guidesearch for EJBCA on the Gemalto website.

Installation

For information on installing SafeNet Luna, refer to the SafeNet documentation on https://safenet.gemalto.com.

Using Luna 6.x/7.x in FIPS Mode

Under FIPS 186-3/4, the RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. Therefore, RSA PKCS and X9.31 key generation are no longer approved for operation in a FIPS compliant Luna HSM. If you are using the SafeNet Luna HSM in FIPS mode, set the following setting in the configuration file to redirect the older calling mechanism to a new approved mechanism when in FIPS mode:

Misc = {
 RSAKeyGenMechRemap = 1;
}


Configuration

For configuration instructions, refer to the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD.

Perform all of the steps in section A - Configuration (Setup Appliance after Installing) and note the following regarding the setup:

  • Step 3: Note that changing many of the policies will reset the HSM and you will not be able to change any of these policies later on.
  • Step 4: A new partition could be added at any time. Each partition will be represented as a PKCS#11 slot. Make sure to write the Record Partition Client Password (TP) in a text file. In the example, the password is btqx-EFGH-3456-7/K9 for the first created partition (slot 1). The TP will later be used as PIN for the slot.
  • Step 5: We recommend allowing partitions (p11 slots) to be "activated". If a partition is not activated, you will have to insert the black key in the PED and enter the PIN each time a resource in the HSM is used by the client. The following displays an example command to allow activating a partition:
    lunash:>partition changePolicy -partition partition1 -policy 22 -value 1
  • Step 6: We recommend running from a directory owned by yourself (not having to use sudo) instead of running from the /usr/LunaSA/bin directory.
    The following shows and example of running from your own directory:
    $ /usr/lunasa/bin/ctp admin@lunasa.int.primekey.com:server.pem .
    The following shows examples of when sudo must be used: registration of server and adding client certificates (root owned files and directories are used and updated):
    $ sudo /usr/lunasa/bin/vtl addServer -n lunasa.int.primekey.com -c server.pem
    $ sudo /usr/lunasa/bin/vtl createCert -n milton
  • Step 7: Each partition assigned to a client will be represented by a PKCS#11 slot for this client. Each newly added partition will be put last in the slot list, and the number of a slot will be slot list index plus 1 (list index starting with 0 and slot number starting with 1). To view the partition slot mapping on the client, run the following. The client may then use these slots with EJBCA and its tools.
    $ /usr/lunasa/bin/vtl verify
    
    The following Luna SA Slots/Partitions were found: 
    
    Slot    Serial #        Label
    ====    ========        =====
     1      950784001       partition1
     2      950784002       partition2

Activating Slots

A partition (slot) must be activated before it can be used by a client as described in B - Administration & Maintenance > Activating and AutoActivating Partitions of the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD. The partition policy required to do the activation must have been set (see step 5 above). The following displays an example for activating a partition using the password from the configuration in step 4 above:

lunash:>hsm login
lunash:>partition activate -partition partition1 -password btqx-EFGH-3456-7/K9

Generate Keys on a Slot

The following displays an exeample for generating keys on a slot using the password btqx-EFGH-3456-7/K9 from the step 4 above:

$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so 2048 rsa2048_1 1
0    [main] INFO  org.ejbca.util.keystore.KeyTools  - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-Luna] Password: 
Created certificate with entry rsa2048_1.
$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so secp160r1 secp160r1_1 1
0    [main] INFO  org.ejbca.util.keystore.KeyTools  - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-Luna] Password: 
Created certificate with entry secp160r1_1.

List and Test Keys Used by EJBCA

The following displays an example of listing and testing all keys that could be used by EJBCA:

$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lunasa/lib/libCryptoki2_64.so 1
Test of keystore with ID 1.
0    [main] INFO  org.ejbca.util.keystore.KeyTools  - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-libCryptoki2_64.so-slot2] Password: 

Testing of key: rsa2048_1
SunJCE version 1.7SunPKCS11-libCryptoki2_64.so-slot2 version 1.7; modulus length: 2048; byte length 245. The docoded byte string is equal to the original!
Signature test of key rsa2048_1: signature length 256; first byte 28; verifying true
Key statistics. 
Signings per second: 369; Decryptions per second: 135

Testing of key: secp160r1_1
Signature test of key secp160r1_1: signature length 48; first byte 30; verifying true
Key statistics. 
Signings per second: 68 No crypto available for this key. 

Sample Hard Token Properties

The following displays a sample configuration of the Hard Token Properties for PKCS#11 token when creating a new CA:

sharedLibrary=/usr/lunasa/lib/libCryptoki2_64.so
slotLabelType=SLOT_NUMBER
slotLabelValue=1
certSignKey=myECCKey
crlSignKey=myECCKey
defaultKey=default

Useful Luna Commands

The following lists useful native Luna cmu commands.

To list objects and their handles:

./cmu list -display=index,handle,class,keyType,label

If you have created keys with native commands, or imported keys, there is probably no certificate object as required by Java PKCS#11 provider. To create a self-signed certificate referencing the private handle, run:

./cmu selfSign -privatehandle=87 -CN="caSign00001" -startDate=20020101
-endDate=20451231 -serialNum=0133337f

Note that 87 needs to be replaced with the handle of the private key found when running the list command.