# Luna Cloud HSM

{% hint style="info" %}
To test or purchase the solution visit: [Luna Cloud HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm).
{% endhint %}

## Client download

1. Access the services dashboard in Luna Cloud.
2. In the site or DPoD, under Services > Add Service, add the `Luna Cloud HSM` or `Luna Cloud HSM for Java Code Signer` service.
3. In Services > View Services, click the created service and add a *client* by clicking Create Service Client.
4. When finished, a pop-up appears with the option to download the *client* as a `.zip` file. Download it.
5. Send the `.zip` file to the server where the *client* will be installed.

## Client installation on the server

1. Create a folder under `/usr` and unzip the `.zip` file:

   ```sh
   mkdir -p /usr/safenet/lunaclient
   unzip setup-rangerkms1.zip -d /usr/safenet/lunaclient
   cd /usr/safenet/lunaclient
   ```
2. By default, the *client* comes with Windows files. Delete the following files:

   ```sh
   rm -f lch-support-win-64bit.exe
   rm -f cvclient-min.zip
   ```
3. Unpack the `.tar` file containing the Linux *client* in the same folder as the previous step:

   ```sh
   tar -xvf cvclient-min.tar
   ```
4. Configure the environment variables by sourcing the `setenv` script:

   ```sh
   source ./setenv
   ```
5. For better management, add the following commands to `~/.bashrc`:

   ```sh
   cd /usr/safenet/lunaclient/
   source setenv
   cd ~/

   export PATH=$PATH:/usr/safenet/lunaclient/bin/64/
   ```
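
A post-install check for the steps above, added here as an example and not part of the vendor's client or the original page: it confirms the Linux files are present, the Windows files from step 2 are gone, and neither the client directory nor `setenv` is writable by group or others, since step 5 sources `setenv` from `~/.bashrc` on every login. The function name `check_luna_client` and the permission policy are assumptions.

```shell
#!/bin/sh
# Added example: verify the Luna client directory after installation.
# File names come from the installation steps; the permission policy
# (no group/other write on the directory and setenv) is an assumption.

check_luna_client() {
    dir=${1:-/usr/safenet/lunaclient}
    rc=0

    # Files the Linux client needs after unpacking cvclient-min.tar.
    for f in setenv bin/64/lunacm lch-support-linux-64bit; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done

    # The tools that get executed must carry an execute bit.
    for f in bin/64/lunacm lch-support-linux-64bit; do
        if [ -f "$dir/$f" ] && [ ! -x "$dir/$f" ]; then
            echo "NOT EXECUTABLE: $dir/$f"
            rc=1
        fi
    done

    # Windows files that step 2 deletes should no longer be present.
    for f in lch-support-win-64bit.exe cvclient-min.zip; do
        if [ -e "$dir/$f" ]; then
            echo "LEFTOVER WINDOWS FILE: $dir/$f"
            rc=1
        fi
    done

    # setenv is sourced from ~/.bashrc, so anyone who can write to it
    # (or replace it via a writable directory) runs code in that shell.
    for p in "$dir" "$dir/setenv"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE BY GROUP/OTHER: $p"
            rc=1
        fi
    done

    return $rc
}
```

Call `check_luna_client` with no argument to check `/usr/safenet/lunaclient`, or pass another directory; it returns non-zero and prints one line per finding.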

## Partition initialization

1. Run `lunacm`:

   ```sh
   ./bin/64/lunacm
   ```

   Output:

   ```
   lunacm (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              3
        Label ->
        Serial Number ->        1334054181693
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        CV Firmware Version ->  2.0.0
        Plugin Version ->       Cloud 2.2.0-740
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Not Supported

        Current Slot Id: 3

   lunacm:>
   ```
2. Set the active *slot* for the Luna Cloud partition that will be created:

   To list the *slots*:

   ```sh
   slot list
   ```

   To set the *slot*:

   ```sh
   slot set -slot <slotnum>
   ```

   Output:

   ```
   slot set -slot 3

        Current Slot Id:  3  (Luna User Slot 7.3.0 (PW) Signing With Cloning Mode)

   Command Result : No Error

   lunacm:>
   ```
3. Initialize the partition service:

   ```sh
   partition init -label <par_label>
   ```

   During the *wizard*, provide the following information when prompted:

   * *Enter password for Partition SO*: `Griaule.123`
   * *Enter the domain name*: `localhost`

   Output:

   ```
   lunacm:>partition init -label rangerkms1

        You are about to initialize the partition.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Enter password for Partition SO: ***********

        Re-enter password for Partition SO: ***********

        Neither option -domain nor -defaultdomain nor -importpeddomain was specified. One is required.

        Enter the domain name: *********

        Re-enter the domain name: *********

   Command Result : No Error

   lunacm:>
   ```
4. Log in as the partition *security officer* (po):

   ```sh
   role login -name partition so
   ```

   Output:

   ```
   lunacm:>role login -name partition so

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
5. Initialize the *crypto officer* (co) and set the initial password:

   ```sh
   role init -name crypto officer
   ```

   Output:

   ```
   lunacm:>role init -name crypto officer

        enter new password: ***********

        re-enter new password: ***********

   Command Result : No Error
   ```
6. Log out and log in again as the *crypto officer*:

   ```sh
   role logout
   role login -n crypto officer
   ```

   Output:

   ```
   lunacm:>role logout

   Command Result : No Error

   lunacm:>role login -n crypto officer

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
7. Next, change the *crypto officer* password as part of the *setup* procedure. Otherwise, errors may occur or the client may not function correctly:

   ```sh
   role changepw -name crypto officer
   ```

{% hint style="info" %}
TIP: The password can be changed to the same one, if necessary.
{% endhint %}

8. Initialize the *crypto user* by running the following command:

   ```sh
   role init -name crypto user
   ```
9. Exit `lunacm` by pressing `Ctrl + C`.
10. To ensure everything is working correctly, run the following *script*:

    ```sh
    ./lch-support-linux-64bit
    ```
