- Download the Luna 7 client: 610-013144-006_SW_Client_SDK_SafeNet_HSM_7.3.0_Linux_RevA.tar
- sudo su
- Untar it using the following command:
tar -xf 610-013144-006_SW_Client_SDK_SafeNet_HSM_7.3.0_Linux_RevA.tar
You will get a LunaClient_7.3.0-165_Linux/ folder; cd LunaClient_7.3.0-165_Linux/64/
- bash install.sh
- If you select 'no' or 'n', this product will not be installed.
(y/n) y
Products
Choose Luna Products to be installed
[1]: Luna Network HSM
[2]: Luna PCIe HSM
[3]: Luna USB HSM
[4]: Luna Backup HSM
[N|n]: Next
[Q|q]: Quit
Enter selection: 1
- Choose Luna Products to be installed
*[1]: Luna Network HSM
[N|n]: Next
[Q|q]: Quit
Enter selection: n
- Choose Luna Components to be installed (select 1, 2 and 3, then type i)
*[1]: Luna SDK
*[2]: Luna JSP (Java)
*[3]: Luna JCProv (Java)
[B|b]: Back to Products selection
[I|i]: Install
[Q|q]: Quit
Enter selection: i
- Navigate to the Luna SA command directory:
cd /usr/safenet/lunaclient/bin
ls
(you should get the following directories/files)
ckdemo cmu common configurator lunacm multitoken openssl.cnf plink pscp salogin uninstall.sh vtl
- Copy the Luna appliance server certificate to the client host:
scp admin@<LunaBoxHostname>:server.pem .
(grant permission chmod 777 and chown kms:kms)
ls
(you should get the following directories/files)
ckdemo cmu common configurator lunacm multitoken openssl.cnf plink pscp salogin server.pem uninstall.sh vtl
(server.pem is added)
- Register the server with the client (do this step as the kms user):
su -l kms
./vtl addServer -n <LunaBoxHostname> -c server.pem
(you should get output like this)
vtl (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
New server <LunaBoxHostname> successfully added to server list.
- Generate a client certificate:
./vtl createCert -n <ClientHostname>
(you should get output like this)
vtl (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Private Key created and written to: /usr/safenet/lunaclient/cert/client/<ClientHostname>Key.pem
Certificate created and written to: /usr/safenet/lunaclient/cert/client/<ClientHostname>.pem
(grant permission chmod 777 and chown kms:kms)
- Copy the client certificate to the Luna 7 HSM server:
scp /usr/safenet/lunaclient/cert/client/<ClientHostname>.pem admin@<LunaBoxHostname>:
- SSH to the Luna HSM server host:
ssh admin@<LunaBoxHostname>
(you should get output like this)
Last login: Fri Dec 19 03:59:38 2019 from 114.143.87.94
Luna Network HSM Command Line Shell v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
[LunaBoxHostname] lunash:>
- Register the client with the server, then assign the client to a server partition:
lunash:> client register -client <ClientHostname> -hostname <ClientHostname>
- Check the existing partitions:
lunash:> partition list

                                                   Storage (bytes)
                                          ----------------------------
   Partition            Name        Objects     Total      Used      Free
   ===========================================================================
   1254277068838   GatewayPartition      0      325896       0      325896

- Assign the client to the partition:
lunash:> client assignPartition -client <ClientHostname> -partition <GatewayPartition>
- Show the client details:
lunash:> client show -client <ClientHostname>
(shows the Client ID, Hostname and Partition Name)
- Log out from the Luna HSM:
lunash:> exit
- Set the read permissions for the certificate files in the following directories (make sure you are logged in as the root user):
chmod a+r /usr/safenet/lunaclient/cert/server/*.pem
chmod a+r /usr/safenet/lunaclient/cert/client/*.pem
(grant permission chmod 777 and chown kms:kms to the above .pem files)
- Verify that the client is connected to its assigned partition (make sure you are logged in as the kms user):
cd /usr/safenet/lunaclient/bin/
./vtl verify
vtl (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
The following Luna SA Slots/Partitions were found:

Slot    Serial #           Label
====    ==============     ==================
0       1254277068838      <GatewayPartition>

./lunacm
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id ->              0
Label ->                <ClientHostname>
Serial Number ->        1254277068842
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
Current Slot Id: 0
- role login -n co
enter password: ______
- par con
The 'Crypto Officer' is currently logged in. Looking for objects accessible to the 'Crypto Officer'.
No objects viewable to 'Crypto Officer' are currently stored in the partition.
Command Result : No Error
- Navigate to the following directory on the Gateway:
cd /usr/safenet/lunaclient/jsp/lib/
(grant permission chmod 777 and chown kms:kms to all the files at this location)
- Copy the Luna .JAR files over to the Gateway:
cp libLunaAPI.so Luna*.jar /usr/lib/jvm/jre/lib/ext/
- Set the file permissions for the JDK library as follows:
chmod a+r /usr/lib/jvm/jre/lib/
- Open the following file in a text editor:
vim /usr/lib/jvm/jre/lib/security/java.security
Edit the provider list of the Java SDK/JRE 1.6.x or 1.7.x installation to read as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=com.safenetinc.luna.provider.LunaProvider
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
That is, the two lines added to the stock file are:
security.provider.6=com.safenetinc.luna.provider.LunaProvider
com.safenetinc.luna.provider.createExtractableKeys=true
- Set the file permissions for the Luna client as follows:
chmod -R 777 /usr/safenet
chown kms:kms
- Go to Ambari / CM and enable Luna HSM in Ranger KMS
Add the partition name and password
Restart Ranger KMS (Note: the Ranger KMS restart will fail at this point)
- Execute the command below, as the kms user, on the cluster node where Ranger KMS is installed:
python /usr/hdp/current/ranger-kms/ranger_credential_helper.py -l "/usr/hdp/current/ranger-kms/cred/lib/*" -f /etc/ranger/kms/rangerkms.jceks -k ranger.kms.hsm.partition.password -v <Partition_Password> -c 1
E.g.:
python /usr/hdp/current/ranger-kms/ranger_credential_helper.py -l "/usr/hdp/current/ranger-kms/cred/lib/*" -f /etc/ranger/kms/rangerkms.jceks -k ranger.kms.hsm.partition.password -v dummyPassword -c 1
Using Java:/usr/lib/jvm/java/bin/java
Alias ranger.kms.hsm.partition.password created successfully!
- Start Ranger KMS
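The java.security step above asks you to add the LunaProvider at position 6, which on a stock file means every provider after it has to be renumbered. The following shell script is an added example (not code from the original page, SafeNet or Apache Ranger) that does that insertion and renumbering idempotently and appends the createExtractableKeys property; it assumes the security.provider.N=class layout shown above and POSIX awk/sed, and the sample file it writes is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not code from the original page, SafeNet or Apache Ranger:
# insert the Luna JCA/JCE provider into a java.security file at a chosen index,
# renumber every provider after it so "security.provider.N" keys stay unique,
# then append the createExtractableKeys line from the page. Assumes the
# "security.provider.N=class" layout shown above and POSIX awk/sed.

LUNA_PROVIDER="com.safenetinc.luna.provider.LunaProvider"
# write_sample_security_file <path>: constructed Java 7-style provider list
# (the page's list minus the Luna entry) for a dry run on a scratch file.
write_sample_security_file() {
    cat > "$1" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
EOF
}

# add_luna_provider <java.security file> <index>
add_luna_provider() {
    file="$1"; pos="$2"
    # Idempotent: a second run must not add a duplicate entry.
    grep -q "^security\.provider\.[0-9][0-9]*=${LUNA_PROVIDER}\$" "$file" && return 0
    tmp="${file}.tmp.$$"
    awk -v pos="$pos" -v luna="$LUNA_PROVIDER" '
        /^security\.provider\.[0-9]+=/ {
            n = $0; sub(/^security\.provider\./, "", n); sub(/=.*/, "", n); n += 0
            cls = substr($0, index($0, "=") + 1)
            if (n == pos) { print "security.provider." pos "=" luna; done = 1 }
            if (n >= pos) { n++ }        # shift this and every later provider down one
            print "security.provider." n "=" cls; next
        }
        { print }
        END { if (!done) print "security.provider." pos "=" luna }   # index past the end
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    # Second line from the page: keys made through LunaProvider may be extracted.
    grep -q '^com\.safenetinc\.luna\.provider\.createExtractableKeys=' "$file" ||
        echo 'com.safenetinc.luna.provider.createExtractableKeys=true' >> "$file"
}
# provider_at <file> <index>: prints the provider class registered at that index
provider_at() {
    sed -n "s/^security\.provider\.$2=//p" "$1"
}
```

Run it against a copy of the real file first and diff the result, since the JDK's stock list differs between versions.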
Migration

From DB to HSM:
- Stop the Ranger KMS server if running
- Go to the Ranger KMS directory, e.g. /usr/hdp/<version>/ranger-kms
Note: the DB details from which Ranger KMS needs migrating must be correct (in the XML config file of Ranger KMS), and the HSM details must be those of the KMS HSM to which we are migrating.
- Run: ./DBMK2HSM.sh <provider> <HSM_PARTITION_NAME>
e.g.: ./DBMK2HSM.sh LunaProvider <HSM_PARTITION_NAME>
Enter Password for the Partition <HSM_PARTITION_NAME> : _________
Master Key from Ranger KMS DB has been successfully imported into HSM.
- After the migration is completed, if you want to run Ranger KMS according to the new configuration (either with HSM enabled or disabled), update the Ranger KMS properties if required.
- Start Ranger KMS
Note: after migration, once Ranger KMS is up and running fine with HSM enabled, delete the Master Key row from the DB table "ranger_masterkey" if it is not required, as the Master Key has already been migrated to the HSM.
From HSM to DB:
- Stop the Ranger KMS server if running
- Go to the Ranger KMS directory, e.g. /usr/hdp/<version>/ranger-kms
Note: the DB details (in the XML config file of Ranger KMS) must be correct for the DB to which KMS needs migrating.
- Edit the HSMMK2DB.sh file (note: this step is a workaround for java.security.UnrecoverableKeyException, HADOOP-15473):
vi HSMMK2DB.sh

#if [ "$JAVA_HOME" != "" ];
#then
# export PATH=$JAVA_HOME/bin:$PATH
#else
# exit ;
#fi
RANGER_KMS_HOME=`dirname $0`
cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/WEB-INF/classes/lib/*:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
###Adding option to fix java serializer issue##
RANGER_KMS_OPTS="-Djceks.key.serialFilter=org.apache.hadoop.crypto.key.JavaKeyStoreProvider*"
#java -cp "${cp}" org.apache.hadoop.crypto.key.JKS2RangerUtil ${1} ${2}
###Pass RANGER_KMS_OPTS to the java command
java -cp "${cp}" "$RANGER_KMS_OPTS" org.apache.hadoop.crypto.key.JKS2RangerUtil ${1} ${2}

- Run: ./HSMMK2DB.sh <provider> <HSM_PARTITION_NAME>
e.g.: ./HSMMK2DB.sh LunaProvider
- Enter the partition password crypto1: ______
- After the migration is completed, if you want to run Ranger KMS according to the new configuration (either with HSM enabled or disabled), update the Ranger KMS properties if required.
- Start Ranger KMS
Note: after migration, once Ranger KMS is up and running fine with HSM disabled, clear the Master Key object from the HSM partition if it is not required, as the Master Key has already been migrated to the DB.
Clearing the Master Key object from the HSM partition:
- SSH to the HSM Appliance Server
E.g.: ssh admin@<HSM_server_host>
<Enter the password for the HSM Appliance Server when prompted>
- Check the partition objects which you want to clear; the command is:
partition showContents -par <partition_name>
E.g.: partition showContents -par par14
<Enter the password for the partition when prompted>
Note: please make sure that all objects listed by the above command are ones you want destroyed, since step 3 destroys them all.
- Clear the objects from the HSM partition using the following command:
partition clear -par <partition_name>
E.g.: partition clear -par par14
<Enter the password for the partition when prompted>
<proceed when prompted>