8.2. Defining SafeNet LunaSA¶
Note
Please also refer to the original Luna SA HTML documentation for more detailed information!
LinOTP is well tested with the SafeNet LunaSA 4.5 PED.
To have the encryption handled by the LunaSA a PKCS11 security module is used.
You need to define it in the linotp.ini like this:
linotpSecurity.lunasa.module = linotpee.lib.security.pkcs11.Pkcs11SecurityModule
linotpActiveSecurityModule = lunasa
linotpSecurity.lunasa.library = libCryptoki2_64.so
linotpSecurity.lunasa.configLabel =config
linotpSecurity.lunasa.valueLabel =value
linotpSecurity.lunasa.tokenLabel =token
linotpSecurity.lunasa.defaultLabel =token
linotpSecurity.lunasa.password = /RMF-At5F-p6XJ-HR64
linotpSecurity.lunasa.slotid = 1
The parameters “library”, “configLabel”, “valueLabel”, “tokenLabel”, “defaultLabel”, “password” and “slotid” are module dependent parameters. Other future modules may have other parameters.
- library
- This is the PKCS11 library. In case of the LunaSA this is the libCryptoki2_4.so.
- password
- The password of the PKCS11 slot aka. the smartcard PIN.
- slotid
- This is the slot where the AES keys are located. In case of the LunaSA this is the partition. You can check for the slot number by issuing the command vtl verify.
- configHandle, valueHandle, tokenHandle, defaultHandle
- These are the handles of the AES key objects in the slot. configHandle, valueHandle and tokenHandle are used. If on of the parameters is missing, the defaultHandle is used.
- configLabel, valueLabel, tokenLabel, defaultLabel
- These are the labels of the AES Key objects in the slot.
Note
If you are running a LunaSA HA group you must use the labels. The handles will not work.
- password
- Here you can enter the password of the partition. If the password is not specified, you can pass it to LinOTP later.
Note
Instead of using the name “lunasa” you can use any other specifier.
8.2.1. Partition Password¶
If you do not want to store the password in the linotp.ini you can pass this to LinOTP manually.
After starting the LinOTP service you can check the security module like this:
linotpadm.py -U https://localhost -a admin -C securitymodule
You will get the following response:
{ u'status': True,
u'value': { u'setupSecurityModule': { u'activeSecurityModule': u'lunasa',
u'connected': True}}}
If connected is False then you need to provide the partition password for the HSM slot:
linotpadm.py -U https://localhost -a admin -C securitymodule --module=lunasa
Now you will be asked for the password of the partition.