7.2. Defining SafeNet LunaSA

Note

Please also refer to the original Luna SA HTML documentation for more detailed information!

LinOTP is well tested with the SafeNet LunaSA 4.5 PED.

To have the encryption handled by the LunaSA, the PKCS11 security module is used.

You need to define it in the /etc/linotp2/linotp.ini like this:

linotpSecurity.lunasa.module = linotp.lib.security.pkcs11.Pkcs11SecurityModule
linotpActiveSecurityModule = lunasa
linotpSecurity.lunasa.library = libCryptoki2_64.so
linotpSecurity.lunasa.configLabel = config
linotpSecurity.lunasa.valueLabel = value
linotpSecurity.lunasa.tokenLabel = token
linotpSecurity.lunasa.defaultLabel = token
linotpSecurity.lunasa.password = /RMF-At5F-p6XJ-HR64
linotpSecurity.lunasa.slotid = 1

The parameters “library”, “configLabel”, “valueLabel”, “tokenLabel”, “defaultLabel”, “password” and “slotid” are module-dependent parameters. Other future modules may have other parameters.

library

This is the PKCS11 library. In the case of the LunaSA this is libCryptoki2_4.so.

password

The password of the PKCS11 slot, i.e. the smartcard PIN.

slotid

This is the slot where the AES keys are located. In the case of the LunaSA this is the partition. You can look up the slot number by issuing the command vtl verify.

configHandle, valueHandle, tokenHandle, defaultHandle

These are the handles of the AES key objects in the slot. configHandle, valueHandle and tokenHandle are used. If one of these parameters is missing, the defaultHandle is used.

configLabel, valueLabel, tokenLabel, defaultLabel

These are the labels of the AES key objects in the slot.

Note

If you are running a LunaSA HA group you must use the labels. The handles will not work.

password

Here you can enter the password of the partition. If the password is not specified, you can pass it to LinOTP later, as described in section 7.2.1.

Note

Instead of the name “lunasa” you can use any other identifier.

7.2.1. Partition Password

If you do not want to store the password in linotp.ini, you can pass it to LinOTP manually.

After starting the LinOTP service you can check the security module like this:

linotpadm.py -U https://localhost -a admin -C securitymodule

You will get the following response:

{   u'status': True,
 u'value': {   u'setupSecurityModule': {   u'activeSecurityModule': u'lunasa',
                                           u'connected': True}}}

If connected is False, you need to provide the partition password for the HSM slot:

linotpadm.py -U https://localhost -a admin -C securitymodule --module=lunasa

Now you will be asked for the password of the partition.
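The following script is an added example and is not part of LinOTP. It reads the linotpSecurity.* keys in the form shown in section 7.2, reports the configuration mistakes described there (a missing key object, a handle used where an HA group requires a label, a partition password kept in the ini file) and interprets the securitymodule status response from section 7.2.1 to decide whether the partition password still has to be entered. The ini sample and its password value are constructed; the section header "[app:main]" is an assumption, since configparser requires one.

```python
"""Sanity-check the linotpSecurity.* settings documented above.

Added example, not LinOTP's own code: it parses the key names shown in
linotp.ini, reports the mistakes an operator would otherwise hit only at
service start-up, and interprets the 'securitymodule' status response.
"""
import configparser

# Constructed sample in the shape of /etc/linotp2/linotp.ini. The section
# header is an assumption: configparser needs one, the real file has its own.
SAMPLE_INI = """\
[app:main]
linotpActiveSecurityModule = lunasa
linotpSecurity.lunasa.module = linotp.lib.security.pkcs11.Pkcs11SecurityModule
linotpSecurity.lunasa.library = libCryptoki2_64.so
linotpSecurity.lunasa.configLabel = config
linotpSecurity.lunasa.valueLabel = value
linotpSecurity.lunasa.tokenLabel = token
linotpSecurity.lunasa.defaultLabel = token
linotpSecurity.lunasa.password = example-partition-password
linotpSecurity.lunasa.slotid = 1
"""

PKCS11_MODULE = "linotp.lib.security.pkcs11.Pkcs11SecurityModule"
KEY_KINDS = ("config", "value", "token")


def load_security_modules(ini_text):
    """Return (active module name, {module name: {parameter: value}})."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep camelCase keys exactly as written
    parser.read_string(ini_text)
    active, modules = None, {}
    for section in parser.sections():
        for key, value in parser.items(section):
            if key == "linotpActiveSecurityModule":
                active = value.strip()
            elif key.startswith("linotpSecurity."):
                parts = key.split(".", 2)
                if len(parts) == 3:
                    modules.setdefault(parts[1], {})[parts[2]] = value.strip()
    return active, modules


def check_pkcs11_params(params, ha_group=False):
    """Findings for one Pkcs11SecurityModule parameter block."""
    findings = []
    for required in ("library", "slotid"):
        if required not in params:
            findings.append("missing required parameter '%s'" % required)
    if not params.get("slotid", "0").isdigit():
        findings.append("slotid must be a number, got %r" % params["slotid"])
    has_default = "defaultLabel" in params or "defaultHandle" in params
    for kind in KEY_KINDS:
        if not (kind + "Label" in params or kind + "Handle" in params) and not has_default:
            findings.append("no %sLabel/%sHandle and no default key object" % (kind, kind))
    if ha_group:
        # In a LunaSA HA group only labels work, so a handle without a label is an error.
        for kind in KEY_KINDS + ("default",):
            if kind + "Handle" in params and kind + "Label" not in params:
                findings.append("%sHandle is set, but handles do not work in an HA group; "
                                "use %sLabel" % (kind, kind))
    if "password" in params:
        findings.append("partition password is stored in linotp.ini; it can instead be "
                        "entered at runtime with linotpadm.py")
    return findings


def check_config(ini_text, ha_group=False):
    """Return a list of human-readable findings for the whole file."""
    active, modules = load_security_modules(ini_text)
    if active is None:
        return ["linotpActiveSecurityModule is not set"]
    params = modules.get(active)
    if params is None:
        return ["active module '%s' has no linotpSecurity.%s.* parameters" % (active, active)]
    if params.get("module") != PKCS11_MODULE:
        return ["%s: unknown or missing module class %r" % (active, params.get("module"))]
    return ["%s: %s" % (active, f) for f in check_pkcs11_params(params, ha_group)]


def needs_partition_password(response):
    """True when 'linotpadm.py ... -C securitymodule' reports the module as
    configured but not connected, i.e. the partition password is still owed."""
    info = response.get("value", {}).get("setupSecurityModule", {})
    return bool(response.get("status")) and info.get("connected") is False


if __name__ == "__main__":
    for finding in check_config(SAMPLE_INI):
        print(finding)
```

Run with the real file by passing its text to check_config(); pass ha_group=True when the partition belongs to a LunaSA HA group so that handle-based key references are flagged. Feed the parsed JSON of the securitymodule call to needs_partition_password() to decide whether the --module=lunasa step from section 7.2.1 is still required.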