# Luna Cloud HSM

{% hint style="info" %}
To try or purchase the solution, go to: [Luna Cloud HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm).
{% endhint %}

## Downloading the client

1. Open the services panel in Luna Cloud.
2. On the site or DPoD, under Services > Add Service, add the `Luna Cloud HSM` or `Luna Cloud HSM for Java Code Signer` service.
3. Under Services > View Services, click the service you created and add a *client* by clicking Create Service Client.
4. When this finishes, a pop-up appears with the option to download the *client* as a `.zip` file; download it.
5. Send the `.zip` file to the server where the *client* will be installed.

## Installing the client on the server

1. Create a folder under `/usr` and extract the `.zip` file:

   ```sh
   mkdir -p /usr/safenet/lunaclient
   unzip setup-rangerkms1.zip -d /usr/safenet/lunaclient
   cd /usr/safenet/lunaclient
   ```
2. By default, the *client* ships with Windows files. Delete the following files:

   ```sh
   rm -f lch-support-win-64bit.exe
   rm -f cvclient-min.zip
   ```
3. Extract the `.tar` file containing the Linux *client* into the same folder as in the previous step:

   ```sh
   tar -xvf cvclient-min.tar
   ```
4. Set the environment variables by running the `setenv` script as follows:

   ```sh
   source ./setenv
   ```
5. For easier management, add the following commands to `~/.bashrc`:

   ```sh
   cd /usr/safenet/lunaclient/
   source setenv
   cd ~/

   export PATH=$PATH:/usr/safenet/lunaclient/bin/64/
   ```

## Initializing the partition

1. Run `lunacm`:

   ```sh
   ./bin/64/lunacm
   ```

   Output:

   ```
   lunacm (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              3
        Label ->
        Serial Number ->        1334054181693
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        CV Firmware Version ->  2.0.0
        Plugin Version ->       Cloud 2.2.0-740
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Not Supported

        Current Slot Id: 3

   lunacm:>
   ```
2. Set the active *slot* to the Luna Cloud partition that will be created:

   To list the *slot*:

   ```sh
   slot list
   ```

   To set the *slot*:

   ```sh
   slot set -slot <slotnum>
   ```

   Output:

   ```
   slot set -slot 3

        Current Slot Id:  3  (Luna User Slot 7.3.0 (PW) Signing With Cloning Mode)

   Command Result : No Error

   lunacm:>
   ```
3. Initialize the partition service:

   ```sh
   partition init -label <par_label>
   ```

   During the *wizard*, provide the following information when prompted:

   * *Enter password for Partition SO*: `Griaule.123`
   * *Enter the domain name*: `localhost`

   Output:

   ```
   lunacm:>partition init -label rangerkms1

        You are about to initialize the partition.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Enter password for Partition SO: ***********

        Re-enter password for Partition SO: ***********

        Neither option -domain nor -defaultdomain nor -importpeddomain was specified. One is required.

        Enter the domain name: *********

        Re-enter the domain name: *********

   Command Result : No Error

   lunacm:>
   ```
4. Log in as the *security officer* (po):

   ```sh
   role login -name partition so
   ```

   Output:

   ```
   lunacm:>role login -name partition so

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
5. Initialize the *crypto officer* (co) and set the initial password:

   ```sh
   role init -name crypto officer
   ```

   Output:

   ```
   lunacm:>role init -name crypto officer

        enter new password: ***********

        re-enter new password: ***********

   Command Result : No Error
   ```
6. Log out and log in again:

   ```sh
   role logout
   role login -n crypto officer
   ```

   Output:

   ```
   lunacm:>role logout

   Command Result : No Error

   lunacm:>role login -n crypto officer

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
7. Next, the *crypto officer* password must be changed as part of the *setup* procedure. Otherwise, an error may occur or the client will not work correctly:

   ```sh
   role changepw -name crypto officer
   ```

{% hint style="info" %}
TIP The password can be changed to the same value, if necessary.
{% endhint %}

8. Initialize the *crypto user* by running the following command:

   ```sh
   role init -name crypto user
   ```
9. Exit `lunacm` by pressing `Ctrl + C`.
10. To make sure everything is working correctly, run the following *script*:

    ```sh
    ./lch-support-linux-64bit
    ```
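
An added example, not part of the original page or of the Luna client: a small shell parser for the slot block that `lunacm` prints, so you can confirm which slot carries the label set by `partition init -label` before pointing an application at it. It assumes an empty `Label` field means the partition has not been initialized yet (as in the banner shown before step 3); the function names and the second slot in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: slot 3 is the banner block from this page (empty Label);
# slot 4 is invented to show a partition that already has a label.
SAMPLE_OUTPUT='
     Slot Id ->              3
     Label ->
     Serial Number ->        1334054181693
     Model ->                Cryptovisor7
     Slot Description ->     Net Token Slot

     Slot Id ->              4
     Label ->                rangerkms1
     Serial Number ->        0000000000000
     Model ->                Cryptovisor7
     Slot Description ->     Net Token Slot

     Current Slot Id: 3
'

# list_slots: read lunacm slot text on stdin and print "<slot id><TAB><label>"
# for each slot. An empty Label field is printed as "-".
list_slots() {
    awk '
        function emit() { print id "\t" (label == "" ? "-" : label) }
        { sub(/\r$/, "") }   # tolerate CRLF in saved terminal logs
        /Slot Id ->/ { if (have) emit(); id = $NF; label = ""; have = 1 }
        /Label ->/   { sub(/^.*Label ->[ \t]*/, ""); sub(/[ \t]+$/, ""); label = $0 }
        END          { if (have) emit() }
    '
}

# unlabelled_slots: slot ids whose Label is empty
# (assumption: these partitions are not initialized yet).
unlabelled_slots() {
    list_slots | awk -F '\t' '$2 == "-" { print $1 }'
}

# slot_for_label LABEL: slot id carrying exactly that label; prints nothing if absent.
slot_for_label() {
    list_slots | awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | list_slots
```

To use it on a real host, save the text printed by `slot list` to a file and pipe that file into `slot_for_label <par_label>`.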

