Info: Setting up SafeNet Luna SA HSM (Gemalto)

Applies to

SafeNet Luna HSM. Trust Protection Platform 14.x and above.



This article provides some useful information for getting your Luna set up and integrated with your TPP server. It is by no means best practice and should only be used to set up a test environment.




You already have the basics of the HSM set up, i.e. network configured and PED/authentication configured.

You have created a partition to assign clients to and you have a copy of the secret value for that partition.

You can login and authenticate via SSH to your HSM.




Please be aware that, depending on the version of the Luna client software installed, the locations below may have changed.

For example:

Old location: C:\Program Files\LunaSA\cert\server

New location: C:\Program Files\SafeNet\LunaClient\cert\server

  • You should first install the SafeNet-provided client software on your TPP server; it's a very simple next, next, next scenario
  • You need to create the Network Transport Layer Security (NTLS) link between your TPP server (client) and the HSM
    • Download the server certificate from the HSM to the client (you will need the admin password for the HSM). Make sure you keep all the full stops in the command

C:\Program Files\LunaSA\ > pscp admin@your_HSM_IP:server.pem .

  • Move the above certificate to the C:\Program Files\LunaSA\cert\server folder
  • Register the server certificate with the client

C:\Program Files\LunaSA > vtl addServer -n your_HSM_IP -c .\cert\server\server.pem

  • Create a client certificate; this will be stored in the C:\Program Files\LunaSA\cert\client folder

C:\Program Files\LunaSA\ > vtl createCert -n your_TPP_server_name

  • Upload the client certificate to the HSM

C:\Program Files\LunaSA\ > pscp cert\client\your_TPP_server_name.pem admin@your_HSM_IP:

  • Register the client certificate on the HSM

lunash:> client register -client your_TPP_server_name -hostname your_TPP_server_name

  • To check that it has registered correctly

lunash:> client list

  • You now need to assign the client to the partition you have pre-prepared

lunash:> client assignPartition -client your_TPP_server_name -partition your_partition_name

  • To verify that the client is assigned correctly

lunash:> client show -client your_TPP_server_name

  • To verify that the client can connect to the HSM server

vtl verify



Creating a test key on the HSM

The key should be an AES key; Venafi QA is performed against a 256-bit key.

    • Run ckdemo
    • Option 1 for open session
    • Pick the relevant HSM slot
    • Option 1 for normal user
    • Option 3 for login
    • Option 1 for crypto officer
    • Enter the partition passphrase as the PIN
    • Option 45 to create key
    • Pick a key type, for example AES (option 16)
    • For the key attributes select 32,1,1,1,1,1,0,0,0,0,0


For newer versions of the Luna client, after running ckdemo and before opening a session:

  • 98 - Options
  • 16 - Role Support
  • 0 - Finished
  • Then 1 to open a session; the rest should be the same as above


Setup HSM encryption driver

    • Login to Windows Administration Console on your TPP server
    • Select the Encryption drop down
    • And select add PKCS11 HSM

    • Give the entry a name
    • Provide the location for the cryptoki.dll
    • Select the slot ID (* see below for more information)
    • Select Crypto Officer
    • Enter the partition login secret
    • Test and load keys, then select the AES key created earlier and apply

 * Beware that certain versions of TPP might add 1 to the slot number, so if vtl verify shows slot 1 for the partition you want, enter 0 in TPP.

Also, if the slot is 0, and hence you can't put -1 in TPP to get to 0, you can add the following line right at the bottom of the file \Program Files\LunaSA\crystoki.ini where the Luna client is installed (probably the TPP server).




This will force the slot to be represented as slot 1.

** From Luna software version 6.2.1 onwards, Luna changed their indexing of slots to start at 0, whereas previously they started at 1.
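
The slot-number caveats above can be checked mechanically before filling in the TPP form. The following is an added example, not part of the original article or of any Venafi or SafeNet tooling: it reads `vtl verify` output and returns the number to enter in TPP, flagging the case where the entry would have to be -1. The output layout, partition labels, serial numbers and function names are assumptions made for illustration.

```python
import re

# Constructed sample of `vtl verify` output; the column layout is an
# assumption for illustration, not captured from a real HSM.
SAMPLE_VTL_VERIFY = """\
The following Luna SA Slots/Partitions were found:

Slot    Serial #        Label
====    ========        =====
1       150253010       tpp_test
2       150253011       other_part
"""

# A data row: slot number, numeric serial, partition label.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_vtl_verify(text):
    """Return {partition_label: slot_number} for each table row found."""
    slots = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            slots[match.group(3)] = int(match.group(1))
    return slots


def tpp_slot_id(text, label, tpp_adds_one):
    """Slot ID to enter in TPP for the partition named `label`.

    tpp_adds_one is True when the installed TPP version adds 1 to the
    number entered. Returns None when the required entry would be -1,
    which TPP cannot accept; the client must then present the partition
    as slot 1 instead (the crystoki.ini change).
    """
    slots = parse_vtl_verify(text)
    if label not in slots:
        raise KeyError(f"partition {label!r} not listed by vtl verify")
    entry = slots[label] - 1 if tpp_adds_one else slots[label]
    return entry if entry >= 0 else None


if __name__ == "__main__":
    for name in parse_vtl_verify(SAMPLE_VTL_VERIFY):
        print(name, tpp_slot_id(SAMPLE_VTL_VERIFY, name, tpp_adds_one=True))
```

A `None` result corresponds to the zero-based indexing case (Luna 6.2.1 onwards) combined with a TPP version that adds 1.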


Useful HSM commands

  • Power off HSM

            sysconf appliance poweroff

  • Reboot HSM

            sysconf appliance reboot

  • To get network status – including IP, MAC, DNS etc.

            network show



More Information

High Availability - By default the client library presents both physical slots and virtual slots for the HA group. Directing applications at the physical slots will bypass the high availability and load balancing functionality. An application must be directed at the virtual slots to activate the high availability and load balancing functionality. There is a configuration setting referred to as “HAonly” that hides the physical slots. SafeNet recommends using this setting to prevent incorrect application configurations. It also simplifies the PKCS #11 slot ordering given a dynamic HA group.

After applying HAonly mode, the HA cluster is usually referred to as slot 0.

