Configure Luna Hardware Security Module Access

Connect PegaSys Plus to a Luna hardware security module (HSM) to use the node’s keys stored on the device.

Important

The Luna HSM plugin can only be used to store the node’s public and private key file. The plugin cannot be used to store transaction signing keys.

Prerequisites:

  • The Luna client software and Luna HSM must be configured before configuring PegaSys Plus access.

    Important

    Set the environment variables that specify the location of the Luna HSM library and Chrystoki.conf file if not located in the default locations. For example:

    export LD_LIBRARY_PATH=/home/myuser/luna-hsm/elab/jsp/lib/
    export ChrystokiConfigurationPath=/home/myuser/luna-hsm/
    
  • The node's private and public keys have been created in the HSM.

Configure PegaSys Plus

  1. Copy the Luna client’s LunaProvider.jar file into the PegaSys Plus plugins directory.

    Note

    The plugins directory is located in the pegasys-plus-<release> directory when installed from a packaged binary.

  2. Create a plain text file containing the password to access the HSM. Ensure the password is located on the first line of the file.

  3. Start PegaSys Plus:

    besu --security-module=luna-hsm \
    --plugin-luna-hsm-private-key-alias="node1PrivateKey" \
    --plugin-luna-hsm-public-key-alias="node1PublicKey" \
    --plugin-luna-hsm-slot=0 \
    --plugin-luna-hsm-password-file=./password.txt \
    --metrics-enabled --metrics-category=JVM,RPC,LUNA_HSM
    

    The command line:

    Note

    The LUNA_HSM metrics category allows you to monitor the connection between PegaSys Plus and the Luna HSM. The category is not enabled by default.
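The following shell script is an added example and is not part of the PegaSys Plus documentation or the Luna plugin. It wraps steps 2 and 3 above: it writes the HSM password file so that only the current user can read it, checks that the password really is on the first line, checks that LunaProvider.jar was copied into the plugins directory and that ChrystokiConfigurationPath (if set) points at a directory containing Chrystoki.conf, and only then starts the node with the options shown above. The key aliases, slot and option names are the ones from this page; the plugins directory path, the password value and the assumption that besu is on PATH are placeholders.

```shell
#!/bin/sh
# Added example (not PegaSys Plus or Luna code): prepare and check the HSM
# password file and plugin prerequisites, then start the node.

# Write the HSM password as the first (and only) line of a file that is
# readable by the current user only. The umask runs in a subshell so it
# does not leak into the caller.
write_hsm_password_file() {
  file="$1"
  password="$2"
  ( umask 077 && printf '%s\n' "$password" > "$file" ) || return 1
  chmod 600 "$file"
}

# Succeed only if the password file exists, grants no group/other
# permissions and has a non-empty first line (the plugin reads line one).
check_hsm_password_file() {
  file="$1"
  [ -f "$file" ] || { echo "password file $file missing" >&2; return 1; }
  # Columns 5-10 of "ls -l" output are the group and other permission bits.
  bits=$(ls -ld "$file" | cut -c5-10)
  [ "$bits" = "------" ] || {
    echo "password file $file is readable by group/other ($bits)" >&2
    return 1
  }
  first=$(head -n 1 "$file")
  [ -n "$first" ] || { echo "first line of $file is empty" >&2; return 1; }
  return 0
}

# Succeed only if the Luna provider jar was copied into the plugins directory.
check_luna_provider_jar() {
  plugins_dir="$1"
  [ -f "$plugins_dir/LunaProvider.jar" ] || {
    echo "LunaProvider.jar not found in $plugins_dir" >&2
    return 1
  }
}

# If ChrystokiConfigurationPath is set (see the prerequisites), it must point
# at a directory that actually contains Chrystoki.conf.
check_chrystoki_path() {
  [ -z "${ChrystokiConfigurationPath:-}" ] && return 0
  [ -f "$ChrystokiConfigurationPath/Chrystoki.conf" ] || {
    echo "Chrystoki.conf not found in $ChrystokiConfigurationPath" >&2
    return 1
  }
}

# Run all pre-flight checks, then start the node with the options from the
# docs. Assumes besu is on PATH (placeholder assumption).
start_pegasys_plus_with_luna() {
  plugins_dir="$1"
  password_file="$2"
  check_luna_provider_jar "$plugins_dir" || return 1
  check_chrystoki_path || return 1
  check_hsm_password_file "$password_file" || return 1
  exec besu --security-module=luna-hsm \
    --plugin-luna-hsm-private-key-alias="node1PrivateKey" \
    --plugin-luna-hsm-public-key-alias="node1PublicKey" \
    --plugin-luna-hsm-slot=0 \
    --plugin-luna-hsm-password-file="$password_file" \
    --metrics-enabled --metrics-category=JVM,RPC,LUNA_HSM
}

# Usage (placeholder paths; not executed when the file is sourced):
#   write_hsm_password_file ./password.txt 'your-hsm-partition-password'
#   start_pegasys_plus_with_luna ./plugins ./password.txt
```

The permission check is the part worth keeping even if you start the node by hand: the password file unlocks the HSM partition, so it should never be group- or world-readable, and a file whose first line is blank (a common result of editing it interactively) makes the plugin fail to authenticate.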