Luna Network HSM
LUNA HSM connections to the CipherTrust Manager can be configured using the following:
Managing LUNA HSM Connections using GUI
To use Luna Network HSM as a key source, you must configure an HSM server and a Luna Network HSM connection.
Warning
It is mandatory to create one or more HSM Servers before creating an HSM Connection.
Adding an Internal Connection (Server)
Note
Currently, you can add only HSM Servers.
Click the + Add HSM Server button in the INTERNAL CONNECTIONS section to add the HSM Server.
HSM Hostname/IP - provide the hostname/IP of the server
HSM Certificate - upload the HSM certificate
HSM Description - provide the HSM description
HSM Products - select the check boxes in the Products list for the products associated with the HSM server
Note
Currently, the only product supported for HSM Server is Cloud Key Manager.
Click Create to add the HSM Server. The new server is now listed in the INTERNAL CONNECTIONS Management table.
Configuring the Luna Network HSM Connection
To configure the Luna Network HSM connection:
Partition Server Hostname/IP - select the hostname/IP of the server from the drop-down list
Partition Label - label of the HSM partition
Partition Serial No - serial number of the HSM Partition
Add Partition - click this button to add multiple partitions
Partition Password - password of the HSM partition(s)
Click the Test Connection button to test if you have configured your connection correctly. If the test was successful, the message will be Status: OK. Otherwise, you will see a message Status: Fail.
Click Next to move to the next step.
Note
Currently, the only product supported for LUNA Network HSM connection is Cloud Key Manager.
Managing LUNA HSM Connections using ksctl
Luna network HSM management is divided into:
Luna Network HSM Servers
The following operations can be performed:
Add/delete/get a Luna network HSM server
List all Luna network HSM servers
Get Luna client details such as certificate and hostname
The Luna servers are used to create a connection of type Luna network HSM.
Adding a Luna Server
To add a Luna Server, run:
Syntax
This command requires a hostname or IP of the server and a valid certificate.
Example Request
Example Response
Getting Details of Luna Server
To get details of a Luna Server already registered with the Connection Manager, run:
Syntax
This command requires an identifier that can be either the ID or the hostname of the server.
Example Request
Example Response
Deleting a Luna Server
To delete a Luna Server, run:
Syntax
This command requires an identifier that can be either the ID or the hostname of the server.
There will be no response if the server is deleted successfully.
Getting List of Luna Servers
To list all the Luna Servers already registered with the Connection Manager, run:
Syntax
Example Request
Example Response
Getting Details of a Luna Client
To get details of a Luna Client registered with a Luna Server, run:
Syntax
Example Request
Example Response
Luna Network HSM Connections
The following operations can be performed:
Create/Get/Update/Delete a Luna Network HSM connection
List all Luna Network HSM connections
Test an existing Luna Network HSM connection
Test the newly created connection
A Luna Network HSM connection can be either HA or non-HA.
HA stands for High Availability: an HA connection uses more than one partition to ensure availability and load balancing.
In an HA connection, there are multiple partitions belonging to one or more HSM Servers, whereas a non-HA connection uses a single partition of one HSM Server.
Creating a Luna Connection
To create a connection of Luna Network HSM type, run:
Syntax
This command requires:
Name of the connection
Partition file of JSON type
Password of the Luna partitions
The HA flag is optional, and the default value is FALSE.
To create a connection with multiple partitions (an HA group), the HA flag must be specified as TRUE. The format of the JSON file to create a connection:
Example Request
Example Response
Getting Details of a Luna Connection
To get details of a Luna Network connection, run:
Syntax
This command requires a connection identifier that can be either the ID or the name of the connection.
Example Request
Example Response
Updating a Luna Connection
To update a Luna Network connection, run:
Syntax
This command requires:
A connection identifier that can be either the ID or the name of the connection
One or more parameters to update
The Luna Connection Update supports updating the password and other meta information.
Note
This command does not support updating partition information.
Example Request
Example Response
Deleting a Luna Connection
To delete a Luna Network connection, run:
Syntax
There will be no response if the Luna Network connection is deleted successfully.
Getting List of Luna Connections
To list all the connections of Luna Network HSM type, run:
Syntax
Example Request
Example Response
Adding a partition to the Luna Connection
To add a partition to the Luna Connection, run:
Syntax
A partition can only be added to a connection if the HA flag is TRUE.
The format of the JSON file to add a partition:
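The HA rules above (a non-HA connection has exactly one partition, an HA connection more than one, partitions can only be added when HA is TRUE, and every partition server must already be registered) can be checked before handing a partition file to ksctl. This is an added example, not CipherTrust Manager or ksctl code: the JSON key names (hostname, partition_label, partition_serial_number) and the registered server list are assumptions, since the page does not show the file schema.

```python
import json

# Constructed list of HSM servers already registered with the Connection
# Manager; servers must exist before a connection can be created.
REGISTERED_SERVERS = {"hsm-a.example.internal", "hsm-b.example.internal"}

# Assumed key names: the page lists these partition fields but not the schema.
REQUIRED_KEYS = ("hostname", "partition_label", "partition_serial_number")

# Constructed sample partitions, one on each registered server.
PARTITIONS = [
    {"hostname": "hsm-a.example.internal", "partition_label": "ckm-par1",
     "partition_serial_number": "1234567890001"},
    {"hostname": "hsm-b.example.internal", "partition_label": "ckm-par2",
     "partition_serial_number": "1234567890002"},
]
HA_FILE = json.dumps(PARTITIONS)        # two partitions: needs HA TRUE
SINGLE_FILE = json.dumps(PARTITIONS[:1])  # one partition: non-HA


def validate_partition_file(text, ha=False, registered=REGISTERED_SERVERS):
    """Return the problems found; an empty list means the file is consistent
    with the HA flag and with the servers registered beforehand."""
    try:
        partitions = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(partitions, list) or not partitions:
        return ["partition file must be a non-empty JSON array"]
    problems = []
    for i, part in enumerate(partitions):
        if not isinstance(part, dict):
            problems.append(f"partition {i}: not a JSON object")
            continue
        for key in REQUIRED_KEYS:
            if not str(part.get(key, "")).strip():
                problems.append(f"partition {i}: missing {key}")
        if part.get("hostname") not in registered:
            problems.append(f"partition {i}: {part.get('hostname')!r} is not a registered HSM server")
    serials = [p.get("partition_serial_number") for p in partitions if isinstance(p, dict)]
    if len(set(serials)) != len(serials):
        problems.append("duplicate partition serial numbers")
    if ha and len(partitions) < 2:
        problems.append("HA is TRUE but the file holds fewer than two partitions")
    if not ha and len(partitions) != 1:
        problems.append("HA is FALSE but the file holds more than one partition")
    return problems


def add_partition(current_text, new_partition, ha):
    """Apply the add-partition rule: only an HA connection may grow.
    Returns the updated partition list as JSON text."""
    if not ha:
        raise ValueError("partitions can only be added when the HA flag is TRUE")
    partitions = json.loads(current_text) + [new_partition]
    problems = validate_partition_file(json.dumps(partitions), ha=True)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(partitions)
```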
Example Request
Example Response
Deleting a Partition from the Luna Connection
To delete a partition from the Luna Connection, run:
Syntax
There will be no response if the partition is deleted successfully.
Testing an Existing Luna Connection
To test an existing Luna Network connection, run:
Syntax
This command requires a connection identifier that can be either the ID or the name of the connection.
This command is asynchronous; therefore, it initiates a connection test and gives the status as in_progress. You can fetch the actual status by using the get command for the same connection.
Example Request
Example Response
Testing a New Luna Connection
To test the parameters of a new Luna Network connection, run:
Syntax
This command requires a partition file of JSON type and a password of the Luna partitions.
The HA flag is optional, and the default value is FALSE. To test connection parameters with multiple partitions (an HA group), the HA flag must be specified as TRUE. The format of the JSON file to create a connection:
This command is asynchronous; therefore, it initiates a connection test and gives the status as in_progress. The test-status command can be used to fetch the actual status by using the ID returned with this command.
Example Request
Example Response
Getting a Test Status
To get the status of the Luna connection parameters test performed earlier, run:
Syntax
This command requires a test ID that is returned as a part of the test command.
Example Request
Example Response
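Because both test commands return in_progress and the real result is only available later through get or test-status, a script that configures the connection needs a bounded polling loop and must treat anything other than an explicit OK as a failure. This added example (not ksctl or CipherTrust Manager code) shows that loop; the fetch_status callable stands in for running the get or test-status command, and the status strings in_progress, ok and fail are assumptions about what the command prints.

```python
import time


def wait_for_test_result(fetch_status, poll_interval=1.0, max_polls=30):
    """Poll an asynchronous connection test until it leaves in_progress.

    fetch_status is an assumed callable returning the current status string
    (what the get / test-status command reports). The final status is
    returned; a test that never completes raises TimeoutError rather than
    being mistaken for a pass."""
    for attempt in range(1, max_polls + 1):
        status = fetch_status()
        if status != "in_progress":
            return status
        if attempt < max_polls:
            time.sleep(poll_interval)
    raise TimeoutError(f"connection test still in_progress after {max_polls} polls")


def connection_usable(status):
    """Fail closed: only an explicit OK means the HSM connection may be used.
    A failed test, an unknown status, or a still-pending test all return False."""
    return status.strip().lower() == "ok"


def make_status_fetcher(sequence):
    """Constructed stand-in for repeated test-status calls: each call returns
    the next status in the sequence and the last one is then repeated."""
    remaining = list(sequence)

    def fetch():
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]
    return fetch
```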