Establishing a Network Trust Link (NTL)
A Network Trust Link (NTL) is the secure channel over which a Hardware Security Module (HSM) communicates with a client. The NTL uses certificates in both directions to authenticate and encrypt the data exchanged between the HSM server partition and the client.
Note that the trust link requires TCP port 1792 to be reachable for both the NTLS and NTLA (bidirectional) protocols. This ensures that all processes and utilities work correctly.
To establish the NTL, follow this procedure:
- Navigate to the `/var/safenet/safenet/lunaclient/bin` directory and create a certificate with the VTL utility:

```
root@IBMADC690867-s6dr# cd /var/safenet/safenet/lunaclient/bin
root@IBMADC690867-s6dr# vtl createcert -n 10.121.229.224
Private Key created and written to: /var/safenet/safenet/lunaclient/cert/client/10.121.229.224Key.pem
Certificate created and written to: /var/safenet/safenet/lunaclient/cert/client/10.121.229.224.pem
```

The identifier used for the client certificate is the private IP address assigned to the client. This identifier is used later and is referenced by the HSM.
- Transfer the certificate file to the HSM server using scp:

```
root@IBMADC690867-s6dr# scp /var/safenet/safenet/lunaclient/cert/client/10.121.229.224.pem hsm_admin@10.121.229.201:
The authenticity of host '10.121.229.201 (10.121.229.201)' can't be established.
ECDSA key fingerprint is SHA256:UBltOfaDojRlUVxDXh6zI3CPMF8FRaJnls0uxeWgrCY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.121.229.201' (ECDSA) to the list of known hosts.
hsm_admin@10.121.229.201's password:
10.121.229.224.pem                            100%  818     1.6MB/s   00:00
```

To learn more about the Virtual Token Library (VTL), see the Utilities Reference Guide.
- Transfer the HSM server certificate file to the Citrix NetScaler VPX client using scp, then add the server:

```
root@IBMADC690867-s6dr# scp hsm_admin@10.121.229.201:server.pem .
hsm_admin@10.121.229.201's password:
server.pem                                    100% 1180     2.3MB/s   00:00
root@IBMADC690867-s6dr# vtl addServer -n 10.121.229.201 -c server.pem
New server 10.121.229.201 successfully added to server list.
```

The preceding example uses the following syntax:

```
vtl addServer -n <SA_hostname_or_IP> -c <server_certificate>
```
- Confirm that the server was added:

```
root@IBMADC690867-s6dr# vtl listservers
Server: 10.121.229.201    HTL required: no
```
- On the HSM, run the following command to view any existing clients:

```
[jpmongehsm2] lunash:>client list
registered client 1: NS-IBMADC690867-d85b
registered client 2: NS-IBMADC690867-4v36
registered client 3: NS-jpmongevsi05win2012vsi-4v3
registered client 4: NS-IBMADC690867-k8ru
registered client 5: NS-IBMADC690867-wnzs
Command Result : 0 (Success)
```
- Register the VPX as a new client:

```
[jpmongehsm2] lunash:>client register -c NS-IBMADC690867-s6dr -ip 10.121.229.224
'client register' successful.
Command Result : 0 (Success)
```

The command above uses the following syntax:

```
client register -client <client_name> -ip <client_IP_address>
```

The client name does not have to match the identifier assigned and used by IBM Cloud, but reusing it keeps the names consistent.
- Confirm that the client was added:

```
[jpmongehsm2] lunash:>client list
registered client 1: NS-IBMADC690867-d85b
registered client 2: NS-IBMADC690867-4v36
registered client 3: NS-jpmongevsi05win2012vsi-4v36
registered client 4: NS-IBMADC690867-k8ru
registered client 5: NS-IBMADC690867-wnzs
registered client 6: NS-IBMADC690867-s6dr
Command Result : 0 (Success)
```
- Assign a partition to the client. Make sure to reference the partition created earlier, and that the client name matches the client identifier shown in the previous step.

```
[jpmongehsm2] lunash:>client assignPartition -c NS-IBMADC690867-s6dr -p partition6
'client assignPartition' successful.
Command Result : 0 (Success)
```

The output above uses the following syntax:

```
client assignPartition -client <clientname> -partition <partition name>
```
- Verify the connection from the Citrix NetScaler VPX:

```
root@IBMADC690867-s6dr# vtl verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #            Label
====    ================    =====
0       534071053           partition6
```

The output of `vtl verify` lists the slot number, the serial number, and the name of the partition bound to this trust link. Any other output indicates a problem. It is also good practice to confirm the certificate and server paths in the Chrystoki file in the `/etc` directory. To do so, run:

```
root@IBMADC690867-s6dr# cd /etc/
root@IBMADC690867-s6dr# cat /etc/Chrystoki.conf
Chrystoki2 = {
   LibUNIX64 = /var/safenet/safenet/lunaclient/lib/libCryptoki2_64.so;
}
[OUTPUT OMITTED]
   ClientPrivKeyFile = /var/safenet/safenet/lunaclient/cert/client/10.121.229.224Key.pem;
   ClientCertFile = /var/safenet/safenet/lunaclient/cert/client/10.121.229.224.pem;
   ServerCAFile = /var/safenet/safenet/lunaclient/cert/server/CAFile.pem;
   NetClient = 1;
   HtlDir = /var/safenet/safenet/lunaclient/htl/;
   ServerName00 = 10.121.229.201;
   ServerPort00 = 1792;
   ServerHtl00 = 0;
}
[OUTPUT OMITTED]
```
- Save the configuration:

```
root@IBMADC690867-s6dr# cp /etc/Chrystoki.conf /var/safenet/config/
```

The copy command used here makes the configuration persist across VPX restarts.
- Start the SafeNet gateway client process that cryptographic operations require:

```
root@IBMADC690867-s6dr# sh /var/safenet/gateway/start_safenet_gw
```
- Confirm that the process is running:

```
root@IBMADC690867-s6dr# ps aux | grep safenet_gw
root  6817  0.0  0.0  10068  1500  ??  Ss  4:48PM  0:00.00 /var/safenet/gateway/safenet_gw
```
- Finally, make sure the process starts automatically on reboot:

```
root@IBMADC690867-s6dr# touch /var/safenet/safenet_is_enrolled
```

The Network Trust Link is now established.
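As an added check for the procedure above (example script written here, not part of the IBM or SafeNet documentation): a POSIX shell helper that reads the `Key = value;` lines of Chrystoki.conf and reports whether the HSM address, port 1792, the `NetClient` flag and the three certificate paths match what the steps produced. The function names `conf_value`, `check_ntl_conf` and `write_sample_conf` are chosen here, and the sample configuration the last one writes is constructed from the excerpt shown in the `vtl verify` step.

```shell
#!/bin/sh
# Added NTL configuration check; not part of the IBM or SafeNet documentation.
# It assumes only the "Key = value;" line layout of Chrystoki.conf shown above.

# conf_value KEY FILE: print the value of KEY (first match) without the ';'.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p" "$2" | head -n 1
}

# check_ntl_conf FILE SERVER_IP: report every mismatch between the file and
# the link that was just built; returns 0 only when all checks pass.
check_ntl_conf() {
    conf="$1"; expected="$2"; rc=0
    [ "$(conf_value ServerName00 "$conf")" = "$expected" ] ||
        { echo "ServerName00 does not match HSM address $expected"; rc=1; }
    [ "$(conf_value ServerPort00 "$conf")" = "1792" ] ||
        { echo "ServerPort00 is not 1792, the NTLS port the link requires"; rc=1; }
    [ "$(conf_value NetClient "$conf")" = "1" ] ||
        { echo "NetClient is not 1; the client would not use the network link"; rc=1; }
    for key in ClientPrivKeyFile ClientCertFile ServerCAFile; do
        f=$(conf_value "$key" "$conf")
        if [ -z "$f" ]; then echo "$key is not set"; rc=1
        elif [ ! -f "$f" ]; then echo "$key points to missing file $f"; rc=1
        fi
    done
    return $rc
}

# write_sample_conf DIR: constructed sample with the key/value lines from the
# excerpt above, but with the PEM paths under DIR instead of /var/safenet so
# the check can run anywhere; prints the path of the written file.
write_sample_conf() {
    dir="$1"
    touch "$dir/10.121.229.224Key.pem" "$dir/10.121.229.224.pem" "$dir/CAFile.pem"
    cat > "$dir/Chrystoki.conf" <<EOF
Chrystoki2 = {
   LibUNIX64 = /var/safenet/safenet/lunaclient/lib/libCryptoki2_64.so;
}
   ClientPrivKeyFile = $dir/10.121.229.224Key.pem;
   ClientCertFile = $dir/10.121.229.224.pem;
   ServerCAFile = $dir/CAFile.pem;
   NetClient = 1;
   ServerName00 = 10.121.229.201;
   ServerPort00 = 1792;
   ServerHtl00 = 0;
EOF
    echo "$dir/Chrystoki.conf"
}
```

On the VPX, run `check_ntl_conf /etc/Chrystoki.conf 10.121.229.201` after the Chrystoki.conf step; a non-zero exit together with the printed findings means the link configuration needs attention before the gateway is started.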