Product Documentation

Configuring a SafeNet Client on the NetScaler ADC

Sep 01, 2016

After you have configured the SafeNet HSM and created the required partitions, you must create clients and assign them to partitions. Begin by configuring the SafeNet clients on the NetScaler ADC and setting up the network trust links (NTLs) between the SafeNet clients and the SafeNet HSM. A sample configuration is given in the Appendix.

1) Create a safenet directory on the NetScaler ADC.

When you load the NetScaler build by using the installns script, the safenet_dirs.tar file is copied into the /var/ directory. If no“/var/safenet/” directory is present, the installns script creates a “safenet” directory in the /var/ directory.

2) Configure the NTLs between SafeNet client (ADC) and HSM.

After the “/var/safenet/” directory is created, perform the following tasks on the ADC.   

     a) Change directory to /var/safenet/config/ and run the “safenet_config” script. At the shell prompt, type:

          cd /var/safenet/config

          sh safenet_config

          This script copies the “Chrystoki.conf” file into the /etc/ directory. It also generates a symbolic link “” in the “/usr/lib/” directory.     

     b) Create and transfer a certificate and key between the ADC and the SafeNet HSM.

          In order to communicate securely, the ADC and the HSM must exchange certificates. Create a certificate and key on the ADC and then transfer it to the HSM. Copy the HSM certificate to the ADC.

               i) Change directory to /var/safenet/safenet/lunaclient/bin.

               ii) Create a certificate on the ADC. At the shell prompt, type:

                    ./vtl createCert -n <ip address of NetScaler>

                   This command also adds the certificate and key path to the “/etc/Chrystoki.conf” file.

               iii) Copy this certificate to the HSM. At the shell prompt, type:

                    scp /var/safenet/safenet/lunaclient/cert/client/<ip address of NS>.pem <LunaSA_HSM account>@<IP address of Luna SA>

               iv) Copy the HSM certificate to the NetScaler ADC. At the shell prompt, type:

                    scp <HSM account>@<HSM IP>:server.pem  /var/safenet/safenet/lunaclient/server_<HSM ip>.pem


3) Register the NetScaler ADC as a client and assign it a partition on the SafeNet HSM.

     Log on to the HSM and create a client. Enter the NSIP as the client IP. This must be the IP address of the ADC from which you transferred the certificate to the HSM. After the client is successfully registered, assign a partition to it. Run the following commands on the HSM.

     a) Use SSH to connect to the SafeNet HSM and enter the password.

     b) Register the NetScaler ADC on the SafeNet HSM. The client is created on the HSM. The IP address is the client's IP address. That is, the NSIP address. 

          At the prompt, type:

          client registerclient <client name> -ip <netscaler ip>

     c) Assign the client a partition from the partition list. To view the available partitions, type:

          <luna_sh> partition list

          Assign a partition from this list. Type:

          <lunash:> client assignPartition -client <Client Name> -par <Partition Name>


4) Register the HSM with its certificate on the NetScaler ADC.

On the ADC, change directory to “/var/safenet/safenet/lunaclient/bin” and, at the shell prompt, type:

          ./vtl addserver -n <IP addr of HSM> -c /var/safenet/safenet/lunaclient/server_<HSM_IP>.pem

To remove the HSM that is enrolled on the ADC, type:

          ./vtl deleteServer -n <HSM IP> -c <cert path>

To list the HSM servers configured on the ADC, type:

          ./vtl listServer

5) Verify the network trust links (NTLs) connectivity between the ADC and HSM.  At the shell prompt, type:

          ./vtl verify

If verification fails, review all the steps. Errors are generally due to an incorrect IP address in the client certificates.

6)  Save the configuration.

The above steps update the “/etc/Chrystoki.conf” configuration file. This file is deleted when the ADC is started. Copy the configuration to the default configuration file, which is used when an ADC is restarted.

At the shell prompt, type:

          root@ns# cp /etc/Chrystoki.conf /var/safenet/config/

Recommended practice is to run this command every time there is a change to the SafeNet-related configuration. 

7) Start the SafeNet gateway process.

At the shell prompt, type:

sh /var/safenet/gateway/start_safenet_gw

8) Configure automatic start of the gateway daemon at boot time.

Create the “safenet_is_enrolled” file, which indicates that SafeNet HSM is configured on this ADC. Whenever the ADC restarts and this file is found, the gateway is automatically started.

At the shell prompt, type:

          touch /var/safenet/safenet_is_enrolled