
Luna HSM Partition APIs

This section describes how CCKM manages Luna HSM partitions. Each partition has its own data, access controls, security policies, and separate administration access for at least some roles, independent of other Luna HSM partitions (if your Luna HSM supports more than one). CCKM can manage a single partition or a group of partitions that form an HA group.

Use the Luna HSM partition APIs to:

  • Add, list, and update Luna HSM partitions

  • View details of Luna HSM partitions

  • Grant permissions to users or groups to perform specific actions on the Luna HSM partitions

  • Delete Luna HSM partitions

Adding Luna HSM Partitions

Use the post /v1/cckm/hsm/luna/add-partition API to add a new Luna HSM partition.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/add-partition' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "connection": "<hsm-connection>"\n}' --compressed

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/add-partition' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "connection": "hsm-connection"\n}' --compressed

Example Response


{
    "id": "fe192148-82eb-403f-96b2-125bf28d3824",
    "uri": "kylo:kylo:cckm:luna-partitions:fe192148-82eb-403f-96b2-125bf28d3824",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-14T10:49:17.331641485Z",
    "updatedAt": "2020-12-14T10:49:17.330136109Z",
    "label": "cckm-1607942872",
    "manufacturer_id": "Safenet, Inc.",
    "model": "LunaVirtual",
    "flags": 1069,
    "max_session_count": 0,
    "session_count": 0,
    "max_rw_session_count": 0,
    "rw_session_count": 0,
    "max_pin_len": 255,
    "min_pin_len": 7,
    "total_public_memory": 409783,
    "free_public_memory": 329839,
    "total_private_memory": 409783,
    "free_private_memory": 329839,
    "firmware_version": "7.4",
    "ha_enabled": true,
    "members": {
        "1429964054507": "cckm1",
        "1429964054508": "cckm2",
        "1429964054509": "user1",
        "1429964054510": "user2"
    },
    "connection": "hsm-connection"
}

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Listing Luna HSM Partitions

Use the get /v1/cckm/hsm/luna/partitions API to list the existing Luna HSM partitions.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/partitions' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Request Query Parameters

Parameter Type Description
id string ID of the partition.
connection string Name or ID of the connection.
model string Name of the Luna HSM model.
label string Label of the partition.
ha_enabled string Whether HA is enabled.
skip integer Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output.
limit integer Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output.
sort string Comma-delimited list of properties to sort the results.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/partitions?skip=0&limit=10&sort=updatedAt' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Example Response


{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "fe192148-82eb-403f-96b2-125bf28d3824",
            "uri": "kylo:kylo:cckm:luna-partitions:fe192148-82eb-403f-96b2-125bf28d3824",
            "account": "kylo:kylo:admin:accounts:kylo",
            "application": "ncryptify:gemalto:admin:apps:kylo",
            "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
            "createdAt": "2020-12-14T10:49:17.331641Z",
            "updatedAt": "2020-12-14T10:49:17.330136Z",
            "label": "cckm-1607942872",
            "manufacturer_id": "Safenet, Inc.",
            "model": "LunaVirtual",
            "flags": 1069,
            "max_session_count": 0,
            "session_count": 0,
            "max_rw_session_count": 0,
            "rw_session_count": 0,
            "max_pin_len": 255,
            "min_pin_len": 7,
            "total_public_memory": 409783,
            "free_public_memory": 329839,
            "total_private_memory": 409783,
            "free_private_memory": 329839,
            "firmware_version": "7.4",
            "ha_enabled": true,
            "members": {
                "1429964054507": "cckm1",
                "1429964054508": "cckm2",
                "1429964054509": "user1",
                "1429964054510": "user2"
            },
            "connection": "hsm-connection",
            "last_refreshed": "2020-12-21T10:09:49.066875Z"
        }
    ]
}

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Viewing Details of Luna HSM Partitions

Use the get /v1/cckm/hsm/luna/partitions/{id} API to view the details of a Luna HSM partition.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/partitions/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} represents the ID of the partition.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/partitions/fe192148-82eb-403f-96b2-125bf28d3824' -H 'Authorization: Bearer AUTHTOKEN' --compressed

Example Response


{
    "id": "fe192148-82eb-403f-96b2-125bf28d3824",
    "uri": "kylo:kylo:cckm:luna-partitions:fe192148-82eb-403f-96b2-125bf28d3824",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-14T10:49:17.331641Z",
    "updatedAt": "2020-12-14T10:49:17.330136Z",
    "label": "cckm-1607942872",
    "manufacturer_id": "Safenet, Inc.",
    "model": "LunaVirtual",
    "flags": 1069,
    "max_session_count": 0,
    "session_count": 0,
    "max_rw_session_count": 0,
    "rw_session_count": 0,
    "max_pin_len": 255,
    "min_pin_len": 7,
    "total_public_memory": 409783,
    "free_public_memory": 329839,
    "total_private_memory": 409783,
    "free_private_memory": 329839,
    "firmware_version": "7.4",
    "ha_enabled": true,
    "members": {
        "1429964054507": "cckm1",
        "1429964054508": "cckm2",
        "1429964054509": "user1",
        "1429964054510": "user2"
    },
    "connection": "hsm-connection",
    "last_refreshed": "2020-12-21T10:09:49.066875Z"
}

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Updating Luna HSM Partitions

Use the patch /v1/cckm/hsm/luna/partitions/{id} API to update the connection in a Luna HSM partition. The connection and partition must be of the same type - HA or single.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/partitions/{id}' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "connection": "<hsm-connection>"\n}' --compressed

Here, {id} represents the ID of the partition.

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
connection string Name or ID of the connection. The connection and partition must be of the same type - HA or single.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/partitions/fe192148-82eb-403f-96b2-125bf28d3824' -X PATCH -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "connection": "hsm-connection"\n}' --compressed

Example Response


{
    "id": "fe192148-82eb-403f-96b2-125bf28d3824",
    "uri": "kylo:kylo:cckm:luna-partitions:fe192148-82eb-403f-96b2-125bf28d3824",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-14T10:49:17.331641Z",
    "updatedAt": "2020-12-14T10:49:17.330136Z",
    "label": "cckm-1607942872",
    "manufacturer_id": "Safenet, Inc.",
    "model": "LunaVirtual",
    "flags": 1069,
    "max_session_count": 0,
    "session_count": 0,
    "max_rw_session_count": 0,
    "rw_session_count": 0,
    "max_pin_len": 255,
    "min_pin_len": 7,
    "total_public_memory": 409783,
    "free_public_memory": 329839,
    "total_private_memory": 409783,
    "free_private_memory": 329839,
    "firmware_version": "7.4",
    "ha_enabled": true,
    "members": {
        "1429964054507": "cckm1",
        "1429964054508": "cckm2",
        "1429964054509": "user1",
        "1429964054510": "user2"
    },
    "connection": "hsm-connection",
    "last_refreshed": "2020-12-21T10:09:49.066875Z"
}

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Deleting a Luna HSM Partition

Use the delete /v1/cckm/hsm/luna/partitions/{id} API to delete a Luna HSM partition from CCKM.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/partitions/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Here, {id} represents the ID of the partition.

Request Parameter

Parameter Type Description
AUTHTOKEN string Authorization token.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/partitions/fe192148-82eb-403f-96b2-125bf28d3824' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed

Example Response


response
204

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.

Granting Permissions to Users or Groups

Use the post /v1/cckm/hsm/luna/partitions/{id}/update-acls API to grant permissions to users or groups to perform specified operations on a Luna HSM partition.

User ID and group are mutually exclusive; specify only one of them. For a first-time user or group, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, to permit a new action or revoke an existing one, the CCKM administrator needs to set that particular action to true or false.

For example, suppose a user or group is permitted the actions keycreate, keyupdate, and keyrotate. To permit one more action, keydelete, set "permit":true and "actions": "keydelete", and run the API. Similarly, to deny permission for the action keycreate, set "permit":false and "actions": "keycreate", and run the API.

Refer to Actions for actions supported by different APIs.

Syntax


curl -k '<IP>/api/v1/cckm/hsm/luna/partitions/{id}/update-acls' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "<group>",\n      "actions": [\n        "<action1>"\n      ],\n      "permit": <true|false>\n    }\n  ]\n}' --compressed

Here, {id} represents the ID of the partition.

Request Parameters

Parameter Type Description
AUTHTOKEN string Authorization token.
acls array of JSONs Permissions to be granted to users and groups. Refer to ACLs for details.

ACLs

Parameter Type Description
actions array of strings List of actions. The actions can be:
• keycreate
• keydelete
• keyreplicate
• keyupdate
• view
• refresh
• synchronize
Refer to Actions for details.
group string Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either.
permit boolean Whether to permit users to perform specific operations. Set true to permit, false to deny.
user_id string ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either.

Actions

The following table lists the accepted values:

APIs Actions Description
Create keycreate Permission to create Luna HSM keys.
Replicate keyreplicate Permission to replicate keys on Luna HSM partitions.
Delete keydelete Permission to delete keys.
Update keyupdate Permission to update keys.
Refresh refresh Permission to refresh Luna HSM partitions.
Synchronize synchronize Permission to synchronize Luna HSM keys.
List view Permission to view partitions and their keys.
Get (Luna HSM partition keys) view Permission to view details of a Luna HSM key.
List (Luna HSM partition) view Permission to view Luna HSM partitions and their keys.
Get (Luna HSM partition) view Permission to view details of a Luna HSM partition.

Example Request


curl -k 'https://127.0.0.1/api/v1/cckm/hsm/luna/partitions/fe192148-82eb-403f-96b2-125bf28d3824/update-acls' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxZDQyNWE3Ny1jZjU3LTQwNDItYWRhOC04NWE2MTBjZjcyYWIiLCJzdWIiOiJsb2NhbHxmM2ExYTQ5MS0yMzIzLTQ5MTQtODZhYS03ODM4MjRlZGMyZGYiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMzE2YTI1ODItODdmNi00M2ZhLTk2YzYtY2YwOGExNDQwMjY5Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImM5Nzk4MDlhLTMxMWYtNDFhZS1hNzQ1LWIyNGUzOTNlYzIyMiIsImlhdCI6MTYwNzk0MzIzMSwiZXhwIjoxNjA3OTQzNTMxfQ.s4cXZzKrNFrc8frI-ceq7ok4gJKMnMU3Lj1IXTd7AEM' -H 'Content-Type: application/json' --data-binary $'{\n  "acls": [\n    {\n      "group": "CCKM Users",\n      "actions": [\n        "view"\n      ],\n      "permit": true\n    }\n  ]\n}' --compressed

Example Response


{
    "id": "fe192148-82eb-403f-96b2-125bf28d3824",
    "uri": "kylo:kylo:cckm:luna-partitions:fe192148-82eb-403f-96b2-125bf28d3824",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2020-12-14T10:49:17.331641Z",
    "updatedAt": "2020-12-14T10:54:12.327087698Z",
    "label": "cckm-1607942872",
    "manufacturer_id": "Safenet, Inc.",
    "model": "LunaVirtual",
    "flags": 1069,
    "max_session_count": 0,
    "session_count": 0,
    "max_rw_session_count": 0,
    "rw_session_count": 0,
    "max_pin_len": 255,
    "min_pin_len": 7,
    "total_public_memory": 409783,
    "free_public_memory": 329839,
    "total_private_memory": 409783,
    "free_private_memory": 329839,
    "firmware_version": "7.4",
    "ha_enabled": true,
    "members": {
        "1429964054507": "cckm1",
        "1429964054508": "cckm2",
        "1429964054509": "user1",
        "1429964054510": "user2"
    },
    "connection": "hsm-connection",
    "last_refreshed": "2020-12-21T10:09:49.066875Z",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "view"
            ]
        }
    ]
}

Response Codes

Response Code Description
2xx Success
4xx Client errors
5xx Server errors

Refer to HTTP status codes for details.
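
Added example (not part of the original page and not Thales code): a Python helper that turns the incremental grant/revoke rule from "Granting Permissions to Users or Groups" into update-acls request bodies. The function name, the current/desired sets, and sending grants and revokes as two separate requests are assumptions; the action names are the ones listed in the ACLs table.

```python
import json

# Action names copied from the ACLs table on this page.
VALID_ACTIONS = {"keycreate", "keydelete", "keyreplicate", "keyupdate",
                 "view", "refresh", "synchronize"}


def acl_delta_requests(current, desired, *, group=None, user_id=None):
    """Return update-acls request bodies that move one principal from the
    `current` set of permitted actions to the `desired` set.

    Hypothetical helper: one body per direction (grant, then revoke), because
    each ACL entry carries a single "permit" flag for its whole action list.
    """
    # The page states that user_id and group are mutually exclusive.
    if (group is None) == (user_id is None):
        raise ValueError("specify exactly one of group or user_id")
    current, desired = set(current), set(desired)
    unknown = (current | desired) - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")

    principal = {"group": group} if group is not None else {"user_id": user_id}
    bodies = []
    for permit, actions in ((True, desired - current),
                            (False, current - desired)):
        if actions:  # send nothing when this direction has no change
            entry = dict(principal, actions=sorted(actions), permit=permit)
            bodies.append({"acls": [entry]})
    return bodies


if __name__ == "__main__":
    # Constructed scenario: the group holds keycreate and keyupdate;
    # keydelete is to be granted and keycreate revoked.
    for body in acl_delta_requests({"keycreate", "keyupdate"},
                                   {"keyupdate", "keydelete"},
                                   group="CCKM Users"):
        print(json.dumps(body, indent=2))
```

Each returned body is the JSON to pass as --data-binary to the update-acls call shown above; actions that are unchanged between the two sets are never resent.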