Product Documentation

Configure a SafeNet client on the ADC

After you have configured the SafeNet HSM and created the required partitions, you must create clients and assign them to partitions. Begin by configuring the SafeNet clients on the Citrix ADC and setting up the network trust links (NTLs) between the SafeNet clients and the SafeNet HSM. A sample configuration is given in the Appendix.

1. Change directory to /var/safenet and install the Safenet client. At the shell prompt, type:

cd /var/safenet

To install Safenet client version 6.0.0, type:

install_client.sh -v 600

To install Safenet client version 6.2.2, type:

install\_client.sh -v 622

Note

SafeNet client version 6.2.2 is supported in release 12.0 build 51.x and later.

2. Configure the NTLs between SafeNet client (ADC) and HSM.

After the ‘/var/safenet/’ directory is created, perform the following tasks on the ADC.

     a) Change directory to ‘/var/safenet/config/’ and run the ‘safenet_config’ script. At the shell prompt, type:

cd /var/safenet/config

sh safenet_config

This script copies the “Chrystoki.conf” file into the /etc/ directory. It also generates a symbolic link ‘libCryptoki2_64.so’ in the ‘/usr/lib/’ directory.

     b) Create and transfer a certificate and key between the ADC and the SafeNet HSM.

          In order to communicate securely, the ADC and the HSM must exchange certificates. Create a certificate and key on the ADC and then transfer it to the HSM. Copy the HSM certificate to the ADC.

               i) Change directory to /var/safenet/safenet/lunaclient/bin.

               ii) Create a certificate on the ADC. At the shell prompt, type:

./vtl createCert -n <ip address of Citrix ADC>

This command also adds the certificate and key path to the “/etc/Chrystoki.conf” file.

               iii) Copy this certificate to the HSM. At the shell prompt, type:

scp /var/safenet/safenet/lunaclient/cert/client/<ip address of NS>.pem <LunaSA_HSM account>@<IP address of Luna SA>

               iv) Copy the HSM certificate to the Citrix ADC. At the shell prompt, type:

scp <HSM account>@<HSM IP>:server.pem  /var/safenet/safenet/lunaclient/server_<HSM ip>.pem

3) Register the Citrix ADC as a client and assign it a partition on the SafeNet HSM.

     Log on to the HSM and create a client. Enter the NSIP as the client IP. This must be the IP address of the ADC from which you transferred the certificate to the HSM. After the client is successfully registered, assign a partition to it. Run the following commands on the HSM.

     a) Use SSH to connect to the SafeNet HSM and enter the password.

     b) Register the Citrix ADC on the SafeNet HSM. The client is created on the HSM. The IP address is the client’s IP address. That is, the NSIP address.

          At the prompt, type:

client register –client <client name> -ip <Citrix ADC ip>

     c) Assign the client a partition from the partition list. To view the available partitions, type:

<luna_sh> partition list

          Assign a partition from this list. Type:

<lunash:> client assignPartition -client <Client Name> -par <Partition Name>

4) Register the HSM with its certificate on the Citrix ADC.

On the ADC, change directory to “/var/safenet/safenet/lunaclient/bin” and, at the shell prompt, type:

./vtl addserver -n <IP addr of HSM> -c /var/safenet/safenet/lunaclient/server_<HSM_IP>.pem

To remove the HSM that is enrolled on the ADC, type:

./vtl deleteServer -n <HSM IP> -c <cert path>

To list the HSM servers configured on the ADC, type:

./vtl listServer

Note:

Before removing the HSM by using vtl, make sure all the keys for that HSM are manually removed from the appliance. HSM keys cannot be deleted after the HSM server is removed.

5) Verify the network trust links (NTLs) connectivity between the ADC and HSM.  At the shell prompt, type:

./vtl verify

If verification fails, review all the steps. Errors are generally due to an incorrect IP address in the client certificates.

6)  Save the configuration.

The above steps update the “/etc/Chrystoki.conf” configuration file. This file is deleted when the ADC is started. Copy the configuration to the default configuration file, which is used when an ADC is restarted.

At the shell prompt, type:

root@ns# cp /etc/Chrystoki.conf /var/safenet/config/

Recommended practice is to run this command every time there is a change to the SafeNet-related configuration.

7) Start the SafeNet gateway process.

At the shell prompt, type:

sh /var/safenet/gateway/start_safenet_gw

8) Configure automatic start of the gateway daemon at boot time.

Create the “safenet_is_enrolled” file, which indicates that SafeNet HSM is configured on this ADC. Whenever the ADC restarts and this file is found, the gateway is automatically started.

At the shell prompt, type:

touch /var/safenet/safenet_is_enrolled

Configure a SafeNet client on the ADC

In this article