Citrix ADC

Configure a Thales Luna client on the ADC

After you have configured the Thales Luna HSM and created the required partitions, you must create clients and assign them to partitions. Begin by configuring the Thales Luna client on the Citrix ADC and setting up the network trust links (NTLs) between the Thales Luna client and the Thales Luna HSM. A sample configuration is given in the Appendix.

  1. Change the directory to /var/safenet and install the Thales Luna client. At the shell prompt, type:

    cd /var/safenet 

    To install Thales Luna client version 6.0.0, type:

    install_client.sh -v 600 

    To install Thales Luna client version 6.2.2, type:

    install_client.sh -v 622 

    To install Thales Luna client version 7.2.2, type:

    install_client.sh -v 722 
  2. Configure the NTLs between Thales Luna client (ADC) and HSM.

    After the ‘/var/safenet/’ directory is created, perform the following tasks on the ADC.

    a) Change the directory to ‘/var/safenet/config/’ and run the ‘safenet_config’ script. At the shell prompt, type:

    cd /var/safenet/config 
    sh safenet_config 

    This script copies the “Chrystoki.conf” file into the /etc/ directory. It also generates a symbolic link ‘libCryptoki2_64.so’ in the ‘/usr/lib/’ directory.

    b) Create and transfer a certificate and key between the ADC and the Thales Luna HSM.

    To communicate securely, the ADC and the HSM must exchange certificates. Create a certificate and key on the ADC and then transfer it to the HSM. Copy the HSM certificate to the ADC.

    i) Change directory to /var/safenet/safenet/lunaclient/bin.

    ii) Create a certificate on the ADC. At the shell prompt, type:

    ./vtl createCert -n  

    This command also adds the certificate and key path to the “/etc/Chrystoki.conf” file.

    iii) Copy this certificate to the HSM. At the shell prompt, type:

    scp /var/safenet/safenet/lunaclient/cert/client/.pem @ 

    iv) Copy the HSM certificate to the Citrix ADC. At the shell prompt, type:

    scp <HSM account>@<HSM IP>:server.pem /var/safenet/safenet/lunaclient/server_.pem 
  3. Register the Citrix ADC as a client and assign it a partition on the Thales Luna HSM.

    Log on to the HSM and create a client. Enter the NSIP as the client IP. This address must be the IP address of the ADC from which you transferred the certificate to the HSM. After the client is successfully registered, assign a partition to it. Run the following commands on the HSM.

    a) Use SSH to connect to the Thales Luna HSM and enter the password.

    b) Register the Citrix ADC as a client on the Thales Luna HSM. The client IP address is the ADC's NSIP address, the same address that appears in the certificate you transferred.

    At the prompt, type:

    client register -client  -ip  

    c) Assign the client a partition from the partition list. To view the available partitions, type:

     partition list 

    Assign a partition from this list. Type:

     client assignPartition -client  -par  
  4. Register the HSM with its certificate on the Citrix ADC.

    On the ADC, change the directory to “/var/safenet/safenet/lunaclient/bin” and, at the shell prompt, type:

    ./vtl addserver -n  -c /var/safenet/safenet/lunaclient/server_.pem 

    To remove the HSM that is enrolled on the ADC, type:

    ./vtl deleteServer -n  -c  

    To list the HSM servers configured on the ADC, type:

    ./vtl listServer 

    Note:

    Before removing the HSM by using vtl, make sure all the keys for that HSM are manually removed from the appliance. HSM keys cannot be deleted after the HSM server is removed.

  5. Verify the network trust links (NTLs) connectivity between the ADC and HSM. At the shell prompt, type:

    ./vtl verify 

    If verification fails, review all of the preceding steps. The usual cause is a mismatch between the IP address in the client certificate created with vtl createCert and the NSIP address registered for the client on the HSM.

  6. Save the configuration.

    The preceding steps update the “/etc/Chrystoki.conf” configuration file. This file does not survive a restart of the ADC. Copy it to /var/safenet/config/, which is the copy the safenet_config script installs into /etc/ when the ADC restarts.

    At the shell prompt, type:

    root@ns# cp /etc/Chrystoki.conf /var/safenet/config/ 

    Recommended practice is to run this command every time there is a change to the Thales Luna related configuration; otherwise a server added or removed with vtl is silently lost at the next restart.

  7. Start the Thales Luna gateway process.

    At the shell prompt, type:

    sh /var/safenet/gateway/start_safenet_gw 
  8. Configure automatic start of the gateway daemon at boot time.

    Create the “safenet_is_enrolled” file, which indicates that Thales Luna HSM is configured on this ADC. Whenever the ADC restarts and this file is found, the gateway is automatically started.

    At the shell prompt, type:

    touch /var/safenet/safenet_is_enrolled 
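The following script is an added example, not part of the Citrix or Thales documentation. It is a post-restart health check for the Luna client that encodes the pitfalls of steps 4, 6 and 8 above: a missing safenet_is_enrolled marker, a saved copy of Chrystoki.conf that has drifted from the live one in /etc/, and a live config with no HSM server registered. Assumptions: SAFENET_ROOT is an optional path prefix (empty on a real ADC) so the checks can be exercised against a scratch directory, and vtl addserver records each HSM as a ServerNameNN line in the LunaSA Client section of Chrystoki.conf, which is the layout the Luna client normally writes; adjust the grep pattern if your client version differs.

```shell
#!/bin/sh
# Added example (not Citrix's or Thales' own code): post-restart health check
# for the Thales Luna client on a Citrix ADC. SAFENET_ROOT is an assumed prefix,
# empty on the appliance, so the functions can be tested in a scratch directory.

# Step 8: the marker file that makes the gateway start at boot.
luna_enrolled() {
    [ -f "${SAFENET_ROOT:-}/var/safenet/safenet_is_enrolled" ]
}

# Step 6: the saved Chrystoki.conf must match the live one, otherwise the next
# restart drops whatever was changed with vtl since the last copy.
# Returns 0 if they match, 1 if they differ, 2 if the saved copy is missing,
# 3 if the live file is missing.
luna_config_saved() {
    saved="${SAFENET_ROOT:-}/var/safenet/config/Chrystoki.conf"
    live="${SAFENET_ROOT:-}/etc/Chrystoki.conf"
    [ -f "$saved" ] || return 2
    [ -f "$live" ] || return 3
    cmp -s "$saved" "$live"
}

# Step 4: count the HSM servers enrolled with "vtl addserver". Assumed layout:
# one "ServerNameNN = <ip>;" line per server in the file passed as $1.
# Prints the count, 0 if the file is unreadable.
luna_server_count() {
    n=$(grep -c '^[[:space:]]*ServerName[0-9][0-9][[:space:]]*=' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Runs every check, prints one line per finding, returns the number of failures.
luna_health() {
    fails=0
    if luna_enrolled; then
        echo "ok   safenet_is_enrolled present; gateway will start at boot"
    else
        echo "FAIL safenet_is_enrolled missing; run: touch /var/safenet/safenet_is_enrolled"
        fails=$((fails + 1))
    fi

    rc=0
    luna_config_saved || rc=$?
    case $rc in
        0) echo "ok   saved Chrystoki.conf matches /etc/Chrystoki.conf" ;;
        1) echo "FAIL saved Chrystoki.conf differs; run: cp /etc/Chrystoki.conf /var/safenet/config/"
           fails=$((fails + 1)) ;;
        *) echo "FAIL Chrystoki.conf missing (code $rc); redo steps 2 to 6"
           fails=$((fails + 1)) ;;
    esac

    servers=$(luna_server_count "${SAFENET_ROOT:-}/etc/Chrystoki.conf")
    if [ "$servers" -gt 0 ]; then
        echo "ok   $servers HSM server(s) registered with vtl addserver"
    else
        echo "FAIL no HSM server registered; run vtl addserver (step 4)"
        fails=$((fails + 1))
    fi

    # Live NTL check only makes sense on the appliance itself (no prefix set).
    vtl="${SAFENET_ROOT:-}/var/safenet/safenet/lunaclient/bin/vtl"
    if [ -z "${SAFENET_ROOT:-}" ] && [ -x "$vtl" ]; then
        if (cd "$(dirname "$vtl")" && ./vtl verify >/dev/null 2>&1); then
            echo "ok   vtl verify: NTL to the HSM is up"
        else
            echo "FAIL vtl verify failed; check the IP in the client certificate (step 5)"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}
```

Run it as `sh luna_health.sh` after each restart, or call `luna_health` from a shell on the ADC; a non-zero exit status is the number of failed checks, so it can be wired into whatever monitoring already polls the appliance.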