# Luna Cloud HSM

{% hint style="info" %}
To test or purchase the solution visit: [Luna Cloud HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm).
{% endhint %}

## Client download

1. Access the services dashboard in Luna Cloud.
2. On the site or in DPoD, go to Services > Add Service and add `Luna Cloud HSM` or `Luna Cloud HSM for Java Code Signer`.
3. In Services > View Services, click the created service and add a *client* by clicking Create Service Client.
4. When finished, a pop-up will appear with the option to download the *client* as a `.zip` file. Download it.
5. Transfer the `.zip` file to the server where the *client* will be installed.

## Client installation on the server

1. Create a folder under `/usr` and unzip the `.zip` file into it:

   ```sh
   mkdir -p /usr/safenet/lunaclient
   unzip setup-rangerkms1.zip -d /usr/safenet/lunaclient
   cd /usr/safenet/lunaclient
   ```
2. By default, the *client* comes with Windows files. Delete the following files:

   ```sh
   rm -f lch-support-win-64bit.exe
   rm -f cvclient-min.zip
   ```
3. Unpack the `.tar` file containing the *client* for Linux in the same folder as in the previous step:

   ```sh
   tar -xvf cvclient-min.tar
   ```
4. Configure the environment variables by running the `setenv` script as follows:

   ```sh
   source ./setenv
   ```
5. For better management, add the following commands to `~/.bashrc`:

   ```sh
   cd /usr/safenet/lunaclient/
   source setenv
   cd ~/

   export PATH=$PATH:/usr/safenet/lunaclient/bin/64/
   ```

## Partition initialization

1. Run `lunacm`:

   ```sh
   ./bin/64/lunacm
   ```

   Output:

   ```
   lunacm (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.

        Available HSMs:

        Slot Id ->              3
        Label ->
        Serial Number ->        1334054181693
        Model ->                Cryptovisor7
        Firmware Version ->     7.3.0
        CV Firmware Version ->  2.0.0
        Plugin Version ->       Cloud 2.2.0-740
        Configuration ->        Luna User Partition With SO (PW) SigningWith    Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Not Supported

        Current Slot Id: 3

   lunacm:>
   ```
2. Set the active *slot* for the Luna Cloud partition that will be created:

   To list the *slots*:

   ```sh
   slot list
   ```

   To configure the *slot*:

   ```sh
   slot set -slot <slotnum>
   ```

   Output:

   ```
   slot set -slot 3

        Current Slot Id:  3  (Luna User Slot 7.3.0 (PW) Signing With Cloning Mode)

   Command Result : No Error

   lunacm:>
   ```
3. Initialize the partition service:

   ```sh
   partition init -label <par_label>
   ```

   During the *wizard*, provide the following information when prompted:

   * *Enter password for Partition SO*: `Griaule.123`
   * *Enter the domain name*: `localhost`

   Output:

   ```
   lunacm:>partition init -label rangerkms1

        You are about to initialize the partition.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Enter password for Partition SO: ***********

        Re-enter password for Partition SO: ***********

        Neither option -domain nor -defaultdomain nor -importpeddomain was specified. One is required.

        Enter the domain name: *********

        Re-enter the domain name: *********

   Command Result : No Error

   lunacm:>
   ```
4. Log in as the *security officer* (po):

   ```sh
   role login -name partition so
   ```

   Output:

   ```
   lunacm:>role login -name partition so

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
5. Initialize the *crypto officer* (co) and set the initial password:

   ```sh
   role init -name crypto officer
   ```

   Output:

   ```
   lunacm:>role init -name crypto officer

        enter new password: ***********

        re-enter new password: ***********

   Command Result : No Error
   ```
6. Log out, then log in again as the *crypto officer*:

   ```sh
   role logout
   role login -n crypto officer
   ```

   Output:

   ```
   lunacm:>role logout

   Command Result : No Error

   lunacm:>role login -n crypto officer

        enter password: ***********

   Command Result : No Error

   lunacm:>
   ```
7. Next, change the *crypto officer* password as part of the *setup* procedure. Otherwise, errors may occur or the client may not function correctly:

   ```sh
   role changepw -name crypto officer
   ```

{% hint style="info" %}
TIP: The password can be changed to the same one, if necessary.
{% endhint %}

8. Initialize the *crypto user* by running the following command:

   ```sh
   role init -name crypto user
   ```
9. Exit `lunacm` by pressing `Ctrl + C`.
10. To ensure everything is working correctly, run the following *script*:

    ```sh
    ./lch-support-linux-64bit
    ```
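
If the initialization session above is saved to a log file, its result lines can be checked mechanically. The following is an added example, not part of the original documentation or of the Luna client: it reads a `lunacm` transcript and reports every command whose `Command Result` is not `No Error`. The function names and the failing sample line are assumptions.

```shell
#!/bin/sh
# Added example: checks a saved lunacm transcript read from stdin.
# Usage (file name is a placeholder): lunacm_failed_commands < lunacm-session.log

# Print the most recent "Current Slot Id" reported in the transcript.
lunacm_slot_id() {
  sed -n 's/^[[:space:]]*Current Slot Id:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Print every command whose "Command Result" is not "No Error".
# Returns 1 if any command failed or if no result line was found at all.
lunacm_failed_commands() {
  awk '
    /lunacm:>[ \t]*[^ \t]/ { cmd = $0; sub(/^.*lunacm:>[ \t]*/, "", cmd) }
    /Command Result[ \t]*:/ {
      n++
      if ($0 !~ /:[ \t]*No Error[ \t\r]*$/) { bad++; print cmd }
    }
    END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample, built from the output lines shown on this page.
sample_ok() { cat <<'EOF'
        Current Slot Id:  3  (Luna User Slot 7.3.0 (PW) Signing With Cloning Mode)

Command Result : No Error

lunacm:>role login -name partition so
        enter password: ***********

Command Result : No Error

lunacm:>
EOF
}

# Constructed sample: the failing result line is an assumed format, used only
# to show that anything other than "No Error" is reported.
sample_bad() { cat <<'EOF'
lunacm:>role logout

Command Result : No Error

lunacm:>role login -n crypto officer

Command Result : 0xa0 (CKR_PIN_INCORRECT)
EOF
}
```

A transcript with no `Command Result` line at all is treated as a failure, so an empty or truncated log does not pass silently.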


