Luna Network HSM

Luna Network HSM connections are required for two use cases:

  • To use a Luna Network HSM partition as a key source for CipherTrust Cloud Key Manager (CCKM). Luna keys managed by CCKM are usually part of broader integrations with cloud providers.

  • To use a Luna Network HSM partition for an HSM-anchored domain. All keys and secrets within an HSM-anchored domain are wrapped and unwrapped by the HSM itself.

Managing Luna Network HSM Client

You can register the CipherTrust Manager as a client in the following modes:

Using NTLS Mode

To register the CipherTrust Manager as client in NTLS mode:

  1. Download the client certificate on the CipherTrust Manager.

  2. Register the client certificate on the HSM server.

  3. Assign the partition to the client.

Using STC Mode

To register the CipherTrust Manager as client in STC mode:

  1. Download the client identity on the CipherTrust Manager.

  2. Register the CipherTrust Manager as an additional client on the first client where the partition is registered.

For more information, refer to https://thalesdocs.com/gphsm/luna/7/docs/network/Content/admin_partition/connections/stc/multi_client.htm

The APIs return the client identity base64-encoded; decode it to its original form before saving it to a file.

Managing LUNA HSM Connections using GUI

For both use cases, you must configure an HSM server and a Luna Network HSM connection.

It is mandatory to create one or more HSM Servers before creating an HSM Connection.

Adding an Internal Connection (Server)

This section lets you add an HSM Server and download the Luna client certificate.

Currently, you can add only HSM Servers.

To configure an HSM server:

Click Add HSM Server in the INTERNAL CONNECTIONS section to add an HSM Server.

  • HSM Hostname/IP - provide the hostname/IP of the server

  • HSM Certificate - upload the HSM certificate

  • HSM Description - provide the HSM description

  • HSM Products - select the check boxes in the Products list to select a product associated with the HSM server. Select Cloud Key Manager to use this connection as a key source for CCKM. Do not select any products to use this connection for HSM-anchored domains.

Click Download Luna Client Cert in the INTERNAL CONNECTIONS section to download the Luna client certificate.

Note

  • Currently, the only product available in the GUI for HSM Server is Cloud Key Manager. To use this connection for HSM-anchored domains, don't select any check boxes.

  • Luna Network HSMs can only be added at the CipherTrust Manager root domain.

Click Create to add the HSM Server. The new server is now listed in the INTERNAL CONNECTIONS list.

Configuring the Luna Network HSM Connection

To configure the Luna Network HSM connection:

  • Partition Server Hostname/IP - select the hostname/IP of the server from the drop-down list

  • Partition Label - label of the HSM partition

  • Partition Serial No - serial number of the HSM Partition

  • Add Partition - click this button to add multiple partitions

  • Partition Password - password of the HSM partition(s)

Click the Test Credentials button to check whether the connection is configured correctly. If the test succeeds, the status is OK; otherwise, it is Fail.

Click Next to move to the next step.

Note

The two products available are HSM-anchored domain and Cloud Key Manager.

Managing LUNA HSM Connections using ksctl

Luna Network HSM management is divided into two parts: Luna Network HSM servers and Luna Network HSM connections.

Luna Network HSM Servers

The following operations can be performed:

  • Add/delete/get a Luna Network HSM server

  • List all Luna Network HSM servers

  • Enable/Disable STC on Luna Servers

  • Get Luna client details such as certificate and hostname

The Luna servers are used to create a connection of type Luna network HSM.

Adding a Luna Server

To use an HSM partition in STC mode, make sure to enable STC for the HSM Server.

To add a Luna Server, run:

Syntax


ksctl connectionmgmt luna-hsm servers add --hostname <Hostname/IP> --hsm-cert-file <HSM-Certificate>

This command requires a hostname or IP of the server and a valid certificate.

Example Request


ksctl connectionmgmt luna-hsm servers add --hostname host --hsm-cert-file ~/server.pem

Example Response


{
    "hostname": "host",
    "hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
    "id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
    "uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-04T09:25:27.163022185Z",
    "service": "luna network"
}

Getting Details of Luna Server

To get details of a Luna Server already registered with the Connection Manager, run:

Syntax


ksctl connectionmgmt luna-hsm servers get --id <Hostname/Id>

This command requires an identifier that can either be ID or hostname of the server.

Example Request


ksctl connectionmgmt luna-hsm servers get --id host

Example Response


{
    "hostname": "host",
    "hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
    "id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
    "uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-04T09:25:27.163022Z",
    "service": "luna network"
}

Deleting a Luna Server

To delete a Luna Server, run:

Syntax


ksctl connectionmgmt luna-hsm servers delete --id <Hostname/Id>

This command requires an identifier that can either be ID or hostname of the server.

There will be no response if the server is deleted successfully.

Getting List of Luna Servers

To list all the Luna Servers already registered with the Connection Manager, run:

Syntax


ksctl connectionmgmt luna-hsm servers list

Example Request


ksctl connectionmgmt luna-hsm servers list

Example Response


{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "hostname": "host",
            "hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
            "id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
            "uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2020-12-04T09:25:27.163022Z",
            "service": "luna network"
        }
    ]
}

Enabling STC on Luna Servers

To enable the STC channel on an HSM server registered with the Connection Manager, run:

Syntax

ksctl connectionmgmt luna-hsm servers enable-stc --id <Connection-name/ID>

Example Request

ksctl connectionmgmt luna-hsm servers enable-stc --id 7ba5172a-39e6-47bb-a115-2f97b6347b76

Example Response

{
    "hostname": "10.164.10.37",
    "hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMQ8wDQYDVQQDDAY2MjkyNDEwHhcNMjAwODA2MTMwNzEyWhcNMzAw\nODA4MTMwNzEyWjBZMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0G\nA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMQ8wDQYDVQQDDAY2\nMjkyNDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDepnClyc8h+vrt\nnFY+/ovQVf4PnXO0xPX5b8cXKEiWB/R0y9cGNcaHx5S1O6/gajfaLD4tsG43degz\nsgnWl3yaVESvz3f0KP33P44I/aT8d7k2AUEEEv1KYaZleUcxKKN9M5oK9mfLyruW\n391KpFGdwpM93QUg9eNY5V/wT5WmvfsRSNRA19hd3LWYDQCc/XL+ijqpa9mX1IDX\nncy6jco6KP/veckxWLMn69Ukved/KH6JHM+M1TUjXDB7UTGNf863UeMcP0zBBIVa\nGasp4wJRynJzLIiExwAON/ZeBt44qKbhiy2fxoljkFfpKJpgd/Fq0sum+mE1EiI0\nIzlwAtYTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADj5mJb7myhdpPOGmTkxUCSD\n8QujrCmel3n8hA3FePNp2t584yOIvQGn3Ht8nOPzJvNbgZGeTWWrXltjHic6wrc7\nWFTudeDWHgTvN0wPeyQPgzJ/naoop7jIc+x3JCumneEu7WR6A3mYZiCs0OSty99M\nBISITYaYqrB0yWLr9EUDQ4CfpmWX2lHqirTMlMXkZMv9WYRC5CFHltgZqyODnob+\ncUE72FwxiVjrm3foFtFSraxGttfNBqaPiBKr7W5b1CFVaBhIcG/q/30KxQ7vA8Vm\nZAjEQhkdE0e1kwtXYk2goa2cH4UY7azCWwlcoSH8e6IKXh4H/AZZWlrHn0+HD4I=\n-----END CERTIFICATE-----",
    "products": [
        "cckm"
    ],
    "meta": {
        "color": "blue"
    },
    "id": "7ba5172a-39e6-47bb-a115-2f97b6347b76",
    "uri": "kylo:kylo:connectionmgmt:hsm-servers:10-164-10-37-7ba5172a-39e6-47bb-a115-2f97b6347b76",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-09-19T07:21:51.191164Z",
    "service": "luna network",
    "channel": "STC"
}

Disabling STC on Luna Servers

To disable the STC channel on an HSM server (falling back to NTLS), run:

Syntax

ksctl connectionmgmt luna-hsm servers disable-stc --id <Connection-name/ID>

Example Request

ksctl connectionmgmt luna-hsm servers disable-stc --id 7ba5172a-39e6-47bb-a115-2f97b6347b76

Example Response

{
    "hostname": "10.164.10.37",
    "hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMQ8wDQYDVQQDDAY2MjkyNDEwHhcNMjAwODA2MTMwNzEyWhcNMzAw\nODA4MTMwNzEyWjBZMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0G\nA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMQ8wDQYDVQQDDAY2\nMjkyNDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDepnClyc8h+vrt\nnFY+/ovQVf4PnXO0xPX5b8cXKEiWB/R0y9cGNcaHx5S1O6/gajfaLD4tsG43degz\nsgnWl3yaVESvz3f0KP33P44I/aT8d7k2AUEEEv1KYaZleUcxKKN9M5oK9mfLyruW\n391KpFGdwpM93QUg9eNY5V/wT5WmvfsRSNRA19hd3LWYDQCc/XL+ijqpa9mX1IDX\nncy6jco6KP/veckxWLMn69Ukved/KH6JHM+M1TUjXDB7UTGNf863UeMcP0zBBIVa\nGasp4wJRynJzLIiExwAON/ZeBt44qKbhiy2fxoljkFfpKJpgd/Fq0sum+mE1EiI0\nIzlwAtYTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADj5mJb7myhdpPOGmTkxUCSD\n8QujrCmel3n8hA3FePNp2t584yOIvQGn3Ht8nOPzJvNbgZGeTWWrXltjHic6wrc7\nWFTudeDWHgTvN0wPeyQPgzJ/naoop7jIc+x3JCumneEu7WR6A3mYZiCs0OSty99M\nBISITYaYqrB0yWLr9EUDQ4CfpmWX2lHqirTMlMXkZMv9WYRC5CFHltgZqyODnob+\ncUE72FwxiVjrm3foFtFSraxGttfNBqaPiBKr7W5b1CFVaBhIcG/q/30KxQ7vA8Vm\nZAjEQhkdE0e1kwtXYk2goa2cH4UY7azCWwlcoSH8e6IKXh4H/AZZWlrHn0+HD4I=\n-----END CERTIFICATE-----",
    "products": [
        "cckm"
    ],
    "meta": {
        "color": "blue"
    },
    "id": "7ba5172a-39e6-47bb-a115-2f97b6347b76",
    "uri": "kylo:kylo:connectionmgmt:hsm-servers:10-164-10-37-7ba5172a-39e6-47bb-a115-2f97b6347b76",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-09-19T07:21:51.191164Z",
    "service": "luna network",
    "channel": "NTLS"
}

Getting Details of a Luna Client

To get the Luna client details of the CipherTrust Manager itself (the client certificate and hostname that you register on the Luna server), run:

Syntax


ksctl connectionmgmt luna-hsm servers client-get

Example Request


ksctl connectionmgmt luna-hsm servers client-get

Example Response


{
    "id": "5fc757bd-8e95-4352-8d1c-4bc861d252d9",
    "uri": "kylo:kylo:doorway:Certificate:5fc757bd-8e95-4352-8d1c-4bc861d252d9",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-03T12:22:46.061088Z",
    "updatedAt": "2020-12-03T12:22:46.056696Z",
    "hostname": "cckm-client-51437b79-4f10-490e-9769-3d5b0526af46",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDezCCAmOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCQ0Ex\nEDAOBgNVBAgMB09udGFyaW8xDzANBgNVBAcMBk90dGF3YTETMBEGA1UECgwKTXkg\nY29tcGFueTE5MDcGA1UEAwwwY2NrbS1jbGllbnQtNTE0MzdiNzktNGYxMC00OTBl\nLTk3NjktM2Q1YjA1MjZhZjQ2MB4XDTIwMTIwMjEyMjI0NloXDTMwMTIwMTEyMjI0\nNlowgYAxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZP\ndHRhd2ExEzARBgNVBAoMCk15IGNvbXBhbnkxOTA3BgNVBAMMMGNja20tY2xpZW50\nLTUxNDM3Yjc5LTRmMTAtNDkwZS05NzY5LTNkNWIwNTI2YWY0NjCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBANyjU9u2iVR0N5foHjZy7e4jMX5TX6BKiqAL\nc3Zn5MjpHZWdd82U1+UYjOgAdgU1IMKr84pxPoMDVrpcK0pk1U07sVqgSYM0WXd1\nB78n8n13CS6xYNL6rHoGXwO3LR0XW45Sa2NvhX/QFiTXsAYQgBZmW3urNj/kx1sd\n2xD0umeTxK+2DnLG8ccxeBxE+bahfxGHH2v+ln5FjVncsSjYLFlOrafI2ZSQLSZK\nXmLp4///Ca3l4SeIvgPCjgWfPiXQ7ZFSEOMcCbCptNuTOuYLbTG9AF2j7BmXMJ3S\n6lG4O/CenKC0JfVKHmfHiy0KcbyQY5zFNvuYjht6Enua58q4hYUCAwEAATANBgkq\nhkiG9w0BAQsFAAOCAQEAqHUSkv9rv5DhZmIRyWw+CrrXFFxxsrezPGWpHSIoKuFo\nFwTgXrru2K8O4mDvByHqcXKDjn/mKzhY9GHTAj3bLjbe3PbW6wAQVvGd8ovLVLEH\nvNY6wATVtafmvSwL/hBWmcdmj5HX3f/OV6h3h+Ck6rHrNzcbw4v25o+89kmEMgi4\njeuXNBSLC/1TrKoChr5nVBugU3BrKZgwm9yrMntuzCqmIVl2dstlbL9R+LSoCns5\na/PreKkP4DbxqxxgeE7RTqtv+qhjrKyMQVMDsHfCDc1Je+NBHkwVrfIdXJrJVuuh\nxZC/isR370yet+J4HM57xsNswI3/YG4l4nXl5jt9dQ==\n-----END CERTIFICATE-----\n"
}
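The client-registration steps under "Managing Luna Network HSM Client" (download the client certificate or identity, hand it to the Luna side) and the client-get response above leave the file handling to the operator. The following Python helpers are an added example, not part of this page or of ksctl: they write the certificate from a client-get response to a file named after the reported hostname (Luna's client registration expects <hostname>.pem; that convention comes from Luna client registration, not from this page), decode the base64 client identity for STC mode, and compute a SHA-256 fingerprint so you can compare a certificate against what the other side shows before trusting it, both for the HSM server certificate you pass to `servers add` and for the client certificate you copy to the appliance. The sample response and identity are constructed; the `.cid` file name is an assumption.

```python
import base64
import binascii
import hashlib
import json
import ssl
import tempfile
from pathlib import Path
from typing import Union

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample shaped like the `servers client-get` response above; the body is a
# truncated placeholder, not a usable certificate.
SAMPLE_CLIENT_GET = json.dumps({
    "hostname": "cckm-client-51437b79-4f10-490e-9769-3d5b0526af46",
    "certificate": PEM_HEADER + "\nMIIDezCCAmOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCQ0Ex\n" + PEM_FOOTER + "\n",
})
# Constructed stand-in for the base64 client identity the API returns in STC mode.
SAMPLE_CLIENT_IDENTITY_B64 = base64.b64encode(b"constructed-stc-client-identity-bytes").decode()


def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a single PEM certificate, colon-separated as openssl prints it.

    Compare it with the value the other side shows out of band before trusting a
    certificate: the HSM server certificate before `servers add`, the client
    certificate once it has been copied to the appliance.
    """
    if pem.count(PEM_HEADER) != 1 or pem.count(PEM_FOOTER) != 1:
        raise ValueError("expected exactly one PEM certificate block")
    der = ssl.PEM_cert_to_DER_cert(pem)  # raises ValueError if the PEM framing is wrong
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_client_cert(client_get_json: str, out_dir: Union[str, Path]) -> Path:
    """Write the certificate from a client-get response to <hostname>.pem in out_dir.

    The file is named after the hostname the API reports because Luna client
    registration expects the client certificate as <hostname>.pem (Luna convention,
    assumed here; not stated on this page). The hostname is checked before it is
    used as a file name.
    """
    data = json.loads(client_get_json)
    hostname, pem = data["hostname"], data["certificate"]
    pem_sha256_fingerprint(pem)  # rejects anything that is not one well-framed certificate
    if not hostname or hostname in (".", "..") or any(ch in hostname for ch in "/\\\0"):
        raise ValueError(f"hostname {hostname!r} is not safe to use as a file name")
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / f"{hostname}.pem"
    path.write_text(pem if pem.endswith("\n") else pem + "\n")
    return path


def decode_client_identity(b64_identity: str, out_path: Union[str, Path]) -> int:
    """Decode the base64 client identity and write the raw bytes to out_path.

    validate=True turns stray characters into an error instead of dropping them silently.
    Returns the number of bytes written.
    """
    compact = "".join(b64_identity.split())  # tolerate line-wrapped base64
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"client identity is not valid base64: {exc}") from exc
    if not raw:
        raise ValueError("decoded client identity is empty")
    Path(out_path).write_bytes(raw)
    return len(raw)


def demo() -> dict:
    """Run the helpers against the constructed samples in a fresh temporary directory."""
    out = Path(tempfile.mkdtemp(prefix="luna-client-"))
    cert_path = save_client_cert(SAMPLE_CLIENT_GET, out)
    identity_len = decode_client_identity(SAMPLE_CLIENT_IDENTITY_B64, out / "ciphertrust.cid")
    return {
        "cert_file": cert_path.name,
        "fingerprint": pem_sha256_fingerprint(cert_path.read_text()),
        "identity_bytes": identity_len,
    }
```

After copying the .pem to the appliance you register it on the Luna side with LunaSH (client register -client <name> -hostname <hostname>, then client assignpartition); those Luna-side commands are not covered on this page.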

Luna Network HSM Connections

The following operations can be performed:

  • Create/Get/Update/Delete a Luna Network HSM connection

  • List all Luna Network HSM connections

  • Test an existing Luna Network HSM connection

  • Test the newly created connection

A Luna Network HSM connection can be HA or non-HA.

HA stands for High Availability: the connection spans more than one partition to provide availability and load balancing.

In an HA connection there are multiple partitions from one or more HSM Servers, whereas a non-HA connection has a single partition from one HSM Server.

Creating a Luna Connection

To create a connection of Luna Network HSM type, run:

Syntax


ksctl connectionmgmt luna-hsm connections create --name <Connection-Name> --conn-password <Partition-Password> --partitions-json-file <xxx.json> --ha-enable <Yes/No> --products <"cckm" or "hsm_anchored_domain"> 

This command requires:

  • Name of the connection

  • Partition file of JSON type

  • Password of the Luna partitions

  • Product type, either cckm or hsm_anchored_domain.

The HA flag is optional and defaults to no.
To create a connection with multiple partitions (an HA group), set the HA flag to yes. The format of the JSON file to create a connection:

[
    {"hostname": "xx.xxx.xx.xx","partition_label": "sample-label1","serial_number": "xxxxxx"},
    {"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}
]

Note

  • If a Luna HSM partition and the associated Luna HSM connection are deleted from the CipherTrust Manager, the Luna source key link from the Azure Keys page will not work. To work around this issue:

    1. Add the Luna HSM connection again.

    2. Add the Luna HSM partitions in the same order in which they were added before deletion.

  • After deleting and re-adding a partition to CCKM, a refresh should be performed on the CCKM partition. Refer to Refreshing Specific Partitions for details.

Example Request


ksctl connectionmgmt luna-hsm connections create --name demo1 --conn-password passcode --partitions-json-file partitions.json --ha-enable yes

Example Response


{
    "id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-04T09:30:20.592526537Z",
    "updatedAt": "2020-12-04T09:30:20.591321554Z",
    "service": "luna network",
    "category": "hsm",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "demo1",
    "partitions": [
        {
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "14",
            "partition_label": "sample-label"
        },
        {
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "12",
            "partition_label": "sample-label"
        }
    ],
    "is_ha_enabled": true
}
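The partitions JSON file and HA flag described above (the same file format is reused by add-partition and by the test command for new connection parameters further down) are easy to get subtly wrong: a second partition without HA, or a hostname that was never added as an HSM server. The following Python is an added example, not code from this page or from ksctl: it validates a partition list against those rules, serialises it in the array form for create/test or the single-object form for add-partition, and builds the create command line with the password taken from a shell variable instead of typed inline. REGISTERED_SERVERS and the hostnames are constructed sample data.

```python
import json
import shlex
from dataclasses import asdict, dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Partition:
    """One entry of the partitions JSON file, with the three keys the page's format uses."""
    hostname: str
    partition_label: str
    serial_number: str


# Constructed sample: hostnames already registered with `servers add`
# (in practice, collect them from `servers list`).
REGISTERED_SERVERS = {"10.0.0.11", "10.0.0.12"}


def validate_partitions(partitions: List[Partition], registered_hostnames: Iterable[str],
                        ha_enable: bool) -> List[str]:
    """Return the problems found (an empty list means the file is good to submit).

    Rules from this page: at least one partition, more than one only with HA enabled,
    and every hostname must be an HSM server that was added beforehand. Empty labels,
    non-numeric and duplicate serial numbers are rejected as a local sanity check.
    """
    registered = set(registered_hostnames)
    problems: List[str] = []
    if not partitions:
        problems.append("at least one partition is required")
    if len(partitions) > 1 and not ha_enable:
        problems.append("more than one partition requires --ha-enable yes "
                        "(a non-HA connection holds a single partition)")
    seen = set()
    for i, p in enumerate(partitions):
        where = f"partition[{i}]"
        if p.hostname not in registered:
            problems.append(f"{where}: hostname {p.hostname!r} is not a registered HSM server; "
                            "run 'servers add' first")
        if not p.partition_label.strip():
            problems.append(f"{where}: partition_label is empty")
        if not p.serial_number.isdigit():
            problems.append(f"{where}: serial_number {p.serial_number!r} is not numeric")
        if p.serial_number in seen:
            problems.append(f"{where}: duplicate serial_number {p.serial_number}")
        seen.add(p.serial_number)
    return problems


def partitions_json(partitions: List[Partition], for_add_partition: bool = False) -> str:
    """Serialise in the shape ksctl expects: a JSON array for `connections create` and
    `connections test`, a single JSON object for `connections add-partition`."""
    entries = [asdict(p) for p in partitions]
    if for_add_partition:
        if len(entries) != 1:
            raise ValueError("add-partition takes exactly one partition per call")
        return json.dumps(entries[0], indent=4)
    return json.dumps(entries, indent=4)


def create_command(name: str, json_file: str, ha_enable: bool, product: str,
                   password_var: str = "LUNA_PARTITION_PASSWORD") -> str:
    """Build the `connections create` command line to paste into a shell.

    The partition password is referenced as a shell variable rather than written out, so
    the literal value stays out of shell history (it is still visible in the process list
    while ksctl runs, as with any --password style flag).
    """
    if product not in ("cckm", "hsm_anchored_domain"):
        raise ValueError("product must be 'cckm' or 'hsm_anchored_domain'")
    argv = ["ksctl", "connectionmgmt", "luna-hsm", "connections", "create",
            "--name", name, "--partitions-json-file", json_file,
            "--ha-enable", "yes" if ha_enable else "no", "--products", product]
    return shlex.join(argv) + f' --conn-password "${password_var}"'
```

Set the variable with something that does not echo or record it (for example `read -s LUNA_PARTITION_PASSWORD`) before pasting the generated command.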

Getting Details of a Luna Connection

To get details of a Luna Network connection, run:

Syntax


ksctl connectionmgmt luna-hsm connections get --id <Id/Connection-Name>

This command requires a connection identifier that can be either ID or name of the connection.

Example Request


ksctl connectionmgmt luna-hsm connections get --id demo1

Example Response


{
    "id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-04T09:30:20.592527Z",
    "updatedAt": "2020-12-04T09:30:20.591322Z",
    "service": "luna network",
    "category": "hsm",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "demo1",
    "partitions": [
        {
            "id": "39c7775c-a72c-4b31-9745-d1e9adbf8946",
            "uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-39c7775c-a72c-4b31-9745-d1e9adbf8946",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2020-12-04T09:30:20.597013Z",
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "14",
            "partition_label": "sample-label"
        },
        {
            "id": "e3b7914d-3a88-40de-9385-649c5f019e3f",
            "uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-e3b7914d-3a88-40de-9385-649c5f019e3f",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2020-12-04T09:30:20.598614Z",
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "12",
            "partition_label": "sample-label"
        }
    ],
    "is_ha_enabled": true,
    "max_session_count": 0,
    "session_count": 0,
    "max_rw_session_count": 0,
    "rw_session_count": 0,
    "max_pin_len": 0,
    "min_pin_len": 0,
    "total_public_memory": 0,
    "free_public_memory": 0,
    "total_private_memory": 0,
    "free_private_memory": 0,
    "operation_status": "",
    "operation_error": ""
}

Updating a Luna Connection

To update a Luna Network connection, run:

Syntax


ksctl connectionmgmt luna-hsm connections update --id <Id/Name> --conn-password <New-Password>

This command requires:

  • A connection identifier that can either be ID or name of the connection

  • One or more parameters to update

The Luna connection update supports changing the password and other meta information.

This command does not support updating partition information; use add-partition and delete-partition for that.

Example Request


ksctl connectionmgmt luna-hsm connections update --id demo1 --conn-password newPasscode

Example Response


{
    "id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-04T09:30:20.592526537Z",
    "updatedAt": "2020-12-04T09:30:20.591321554Z",
    "service": "luna network",
    "category": "hsm",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "demo1",
    "partitions": [
        {
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "14",
            "partition_label": "sample-label"
        },
        {
            "hostname": "xx.xxx.xx.xx",
            "serial_number": "12",
            "partition_label": "sample-label"
        }
    ]
}

Deleting a Luna Connection

To delete a Luna Network connection, run:

Syntax


ksctl connectionmgmt luna-hsm connections delete --id <Id/Name>

There will be no response if the Luna Network HSM connection is deleted successfully.

Getting List of Luna Connections

To list all the connections of Luna Network HSM type, run:

Syntax


ksctl connectionmgmt luna-hsm connections list

Example Request


ksctl connectionmgmt luna-hsm connections list

Example Response


{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
            "uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2020-12-04T09:30:20.592527Z",
            "updatedAt": "2020-12-04T09:30:20.591322Z",
            "service": "luna network",
            "category": "hsm",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "demo1",
            "partitions": [
                {
                    "id": "39c7775c-a72c-4b31-9745-d1e9adbf8946",
                    "uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-39c7775c-a72c-4b31-9745-d1e9adbf8946",
                    "account": "kylo:kylo:admin:accounts:kylo",
                    "createdAt": "2020-12-04T09:30:20.597013Z",
                    "hostname": "xx.xxx.xx.xx",
                    "serial_number": "14",
                    "partition_label": "sample-label"
                },
                {
                    "id": "e3b7914d-3a88-40de-9385-649c5f019e3f",
                    "uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-e3b7914d-3a88-40de-9385-649c5f019e3f",
                    "account": "kylo:kylo:admin:accounts:kylo",
                    "createdAt": "2020-12-04T09:30:20.598614Z",
                    "hostname": "xx.xxx.xx.xx",
                    "serial_number": "12",
                    "partition_label": "sample-label"
                }
            ],
            "is_ha_enabled": true
        }
    ]
}

Adding a partition to the Luna Connection

To add a partition to the Luna Connection, run:

Syntax


ksctl connectionmgmt luna-hsm connections add-partition --id <Id/Name> --partitions-json-file <xxx.json>

A partition can only be added to a connection if the HA flag is TRUE (the connection was created with --ha-enable yes).
The format of the JSON file to add a partition:

{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}

Example Request


ksctl connectionmgmt luna-hsm connections add-partition --id demo1 --partitions-json-file partition.json 

Example Response


{
    "id": "288b05a9-0e08-4b76-be6c-3713b0e10751",
    "uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-288b05a9-0e08-4b76-be6c-3713b0e10751",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2020-12-05T06:01:27.482393059Z",
    "hostname": "xx.xxx.xx.xx",
    "serial_number": "1429964054509",
    "partition_label": "sample-label"
}

Deleting a Partition from the Luna Connection

To delete a partition from the Luna Connection, run:

Syntax


ksctl connectionmgmt luna-hsm connections delete-partition --id <Id/Name> --partition-id <Partition-Id>

There will be no response if the partition is deleted successfully.

Testing an Existing Luna Connection

To test an existing Luna Network connection, run:

Syntax

    
ksctl connectionmgmt luna-hsm connections test --id <Id/Name>

This command requires a connection identifier that can either be ID or name of the connection.
This command is asynchronous: it starts a connection test and returns the status in_progress. Fetch the actual result later with the get command for the same connection (the last_connection_ok and last_connection_at fields).

Example Request


ksctl connectionmgmt luna-hsm connections test --id demo1

Example Response


{
    "id": "b1c8597a-670e-456f-b2e4-a452311e2916",
    "uri": "kylo:kylo:hsm:connections:b1c8597a-670e-456f-b2e4-a452311e2916",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-04T09:37:17.578573227Z",
    "updatedAt": "2020-12-04T09:37:17.575470994Z",
    "connection_status": "in_progress"
}

Testing a New Luna Connection

To test the parameters of a new Luna Network HSM connection before creating it, run:

Syntax


ksctl connectionmgmt luna-hsm connections test --conn-password <Partitions-Password> --partitions-json-file <xxx.json> --ha-enable <Yes/No>

This command requires a partition file of JSON type and the password of the Luna partitions.
The HA flag is optional and defaults to no. To test connection parameters with multiple partitions (an HA group), set the HA flag to yes. The format of the JSON file is the same as for creating a connection:

[
    {"hostname": "xx.xxx.xx.xx","partition_label": "sample-label1","serial_number": "xxxxxx"},
    {"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}
]

This command is asynchronous; therefore, it initiates a connection test and gives the status as in_progress.
The test-status command can be used to fetch the actual status by using the ID returned with this command.

Example Request


ksctl connectionmgmt luna-hsm connections test --conn-password passcode --partitions-json-file partitions.json  --ha-enable yes

Example Response


{
    "id": "00eb8941-a787-4440-a46d-8f658b7f97d3",
    "uri": "kylo:kylo:hsm:connections:00eb8941-a787-4440-a46d-8f658b7f97d3",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-11-23T13:27:20.281086901Z",
    "updatedAt": "2020-11-23T13:27:20.277119471Z",
    "connection_status": "in_progress"
}

Getting a Test Status

To get the status of the Luna connection parameters test performed earlier, run:

Syntax


ksctl connectionmgmt luna-hsm connections test-status --id <Test-Identifier>

This command requires a test ID that is returned as a part of the test command.

Example Request


ksctl connectionmgmt luna-hsm connections test-status --id 00eb8941-a787-4440-a46d-8f658b7f97d3

Example Response


{
    "id": "00eb8941-a787-4440-a46d-8f658b7f97d3",
    "uri": "kylo:kylo:hsm:connections:de7b1255-9ded-4222-8e1b-408110413a19",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-11-23T13:32:57.450956Z",
    "updatedAt": "2020-11-23T13:32:57.505909Z",
    "connection_status": "connection ok"
}

Managing Luna Network HSM Partitions in STC Mode using ksctl

To use HSM partitions in the STC mode:

  1. Download/scp the partition identity public key (pid) file from the first client or HSM.

  2. Register the partition identity public key on the CipherTrust Manager.

  3. Add the label of the HSM partition in the partition_label field.

  4. Add the serial number of the HSM partition in the serial_number field.

The following operations can be performed:

  • Create/Get/Delete a Luna Network HSM STC partition

  • List all Luna Network HSM STC partitions

  • Get test status of a new STC partition

Creating a Luna Network HSM STC Partition

HSM-anchored domains are not supported with STC partitions.

To create a Luna Network HSM STC partition, run:

Syntax

ksctl connectionmgmt luna-hsm stc-partition create --name <connection-name> --products <product-names> --meta <key:value> --partition-identity <partition-identity-file> --label <partition-label> --serial-number <serial-number>

Example Request

ksctl connectionmgmt luna-hsm stc-partition create --name T1332 --products cckm --serial-number 14655971025300 --partition-identity 1465065595818.pid --label T123

Example Response

{
    "id": "fda66b48-1191-4c06-b1f7-076b5f59dcbe",
    "uri": "kylo:kylo:connectionmgmt:hsm-stc-partition:t1332-fda66b48-1191-4c06-b1f7-076b5f59dcbe",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-09-19T12:20:30.481081209Z",
    "updatedAt": "2022-09-19T12:20:30.476753184Z",
    "service": "luna network",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "T1332",
    "products": [
        "cckm"
    ],
    "label": "T123",
    "serial_number": "14655971025300"
}

Getting Details of Luna Network HSM STC Partition

To get details of a Luna Network HSM partition in the STC mode, run:

Syntax

ksctl connectionmgmt luna-hsm stc-partition get --id <Connection-Name/ID>

Example Request

ksctl connectionmgmt luna-hsm stc-partition get --id fda66b48-1191-4c06-b1f7-076b5f59dcbe

Example Response

{
    "id": "fda66b48-1191-4c06-b1f7-076b5f59dcbe",
    "uri": "kylo:kylo:connectionmgmt:hsm-stc-partition:t1332-fda66b48-1191-4c06-b1f7-076b5f59dcbe",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-09-19T12:20:30.481081Z",
    "updatedAt": "2022-09-19T12:20:30.476753Z",
    "service": "luna network",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "T1332",
    "products": [
        "cckm"
    ],
    "label": "T123",
    "serial_number": "14655971025300"
}

Deleting Luna Network HSM STC Partitions

To delete Luna Network HSM partition in the STC mode, run:

Syntax

ksctl connectionmgmt luna-hsm stc-partition delete --id <Connection-Name/ID>

Example Request

ksctl connectionmgmt luna-hsm stc-partition delete --id fda66b48-1191-4c06-b1f7-076b5f59dcbe

Example Response

{
    "status": 204
}

This response appears when the Luna Network HSM STC partition is deleted successfully. On failure, an error is returned instead.

Getting Test Status of a New STC Partition

To get the connection status of a newly created Luna Network HSM STC partition, run:

Syntax

ksctl connectionmgmt luna-hsm stc-partition status --id <Connection-Name/ID>

Example Request

ksctl connectionmgmt luna-hsm stc-partition status --id fda66b48-1191-4c06-b1f7-076b5f59dcbe

Example Response - if partition is created successfully

{
    "connection_ok": true
}

Example Response - if partition is not created

{
    "connection_ok": false,
    "connection_error": "Cannot list STC partition slot"
}
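The test, test-status and stc-partition status commands above are asynchronous and report results in three slightly different shapes (connection_status on test and test-status, last_connection_ok on connections get, connection_ok/connection_error on stc-partition status). The following Python is an added example, not part of this page or of ksctl: it starts a test of new connection parameters, polls test-status with the returned id until the result leaves in_progress, and normalises the three shapes into one (ok, detail) pair, with a bounded poll count so a hung test cannot block a deployment script forever. ScriptedRunner and the SCRIPTED_OK responses are constructed stand-ins for ksctl so the code runs offline; run_ksctl assumes ksctl is on PATH and already logged in.

```python
import json
import subprocess
import time
from typing import Callable, List, Optional, Tuple

Runner = Callable[[List[str]], dict]
IN_PROGRESS = "in_progress"


def run_ksctl(argv: List[str]) -> dict:
    """Real runner: invoke ksctl (on PATH, already logged in) and parse its JSON output."""
    proc = subprocess.run(["ksctl", *argv], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def interpret_status(response: dict) -> Tuple[Optional[bool], Optional[str]]:
    """Normalise the three status shapes on this page into (ok, detail).

    ok is None while the test is still pending, True on success, False on failure;
    detail carries the error text when there is one.
      connections test / test-status : {"connection_status": "in_progress" | "connection ok" | ...}
      connections get                : {"last_connection_ok": null | true | false, "operation_error": ...}
      stc-partition status           : {"connection_ok": bool, "connection_error": "..."}
    """
    if "connection_ok" in response:
        ok = bool(response["connection_ok"])
        return ok, None if ok else response.get("connection_error", "unknown error")
    if "last_connection_ok" in response:
        last = response["last_connection_ok"]
        if last is None:
            return None, None
        return bool(last), None if last else (response.get("operation_error") or "last connection test failed")
    status = response.get("connection_status")
    if status == IN_PROGRESS:
        return None, None
    if status == "connection ok":
        return True, None
    return False, status or "response carries no connection status"


def wait_for_test(test_id: str, runner: Runner = run_ksctl, max_polls: int = 30,
                  interval_s: float = 2.0, sleep: Callable[[float], None] = time.sleep
                  ) -> Tuple[bool, Optional[str]]:
    """Poll `connections test-status --id <test_id>` until the test leaves in_progress."""
    for _ in range(max_polls):
        response = runner(["connectionmgmt", "luna-hsm", "connections", "test-status", "--id", test_id])
        ok, detail = interpret_status(response)
        if ok is not None:
            return ok, detail
        sleep(interval_s)
    raise TimeoutError(f"connection test {test_id} still {IN_PROGRESS} after {max_polls} polls")


def check_new_connection(password: str, partitions_json_file: str, ha_enable: bool,
                         runner: Runner = run_ksctl, **poll) -> Tuple[bool, Optional[str]]:
    """Test new connection parameters as the page describes: start the asynchronous test,
    take the returned id, then poll test-status with that id."""
    started = runner(["connectionmgmt", "luna-hsm", "connections", "test",
                      "--conn-password", password, "--partitions-json-file", partitions_json_file,
                      "--ha-enable", "yes" if ha_enable else "no"])
    if "id" not in started:
        raise RuntimeError(f"test did not return an id: {started}")
    ok, detail = interpret_status(started)
    if ok is not None:  # already finished; nothing to poll
        return ok, detail
    return wait_for_test(started["id"], runner, **poll)


class ScriptedRunner:
    """Offline stand-in for ksctl: replays constructed responses in order and records argv."""

    def __init__(self, responses: List[dict]):
        self._responses = list(responses)
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> dict:
        self.calls.append(list(argv))
        if not self._responses:
            raise RuntimeError("no scripted response left for: " + " ".join(argv))
        return self._responses.pop(0)


# Constructed responses shaped like the test / test-status examples on this page.
TEST_ID = "00eb8941-a787-4440-a46d-8f658b7f97d3"
SCRIPTED_OK = [
    {"id": TEST_ID, "connection_status": IN_PROGRESS},      # returned by `connections test`
    {"id": TEST_ID, "connection_status": IN_PROGRESS},      # first test-status poll
    {"id": TEST_ID, "connection_status": "connection ok"},  # second poll: finished
]
```

Swap ScriptedRunner for the default run_ksctl to run against a real CipherTrust Manager; the polling and status logic stay the same.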