Luna Network HSM
Luna Network HSM connections are required for two use cases:
To use a Luna Network HSM partition as a key source for CipherTrust Cloud Key Manager (CCKM). Luna keys managed by CCKM are usually part of broader integrations with cloud providers.
To use a Luna Network HSM partition for an HSM-anchored domain. All keys and secrets within an HSM-anchored domain are wrapped and unwrapped by the HSM itself.
Note
There are compatibility limits for the Luna configuration based on use case:
CCKM doesn't support FM-enabled Luna HSM as a key source.
HSM-anchored domains are not supported with STC partitions.
Warning
Thales strongly discourages using a Luna HSM partition containing the CipherTrust Manager root of trust keys for CCKM or HSM-anchored domains. Do not add a connection to a Luna HSM root-of-trust partition with Connection Manager.
Managing Luna Network HSM Client
You can register the CipherTrust Manager as a client in the following modes (NTLS or STC):
STC mode is only supported for the CCKM use case.
Using NTLS Mode
To register the CipherTrust Manager as client in NTLS mode:
Download the client certificate on the CipherTrust Manager.
Register the client certificate on HSM server.
Assign the partition to the client.
Using STC Mode
To register the CipherTrust Manager as client in STC mode for CCKM:
Download the client identity on the CipherTrust Manager.
Register the CipherTrust Manager as an additional client on the first client where the partition is registered.
For more information, refer to https://thalesdocs.com/gphsm/luna/7/docs/network/Content/admin_partition/connections/stc/multi_client.htm
Note
The client identity is returned in base64 format by the APIs; make sure to decode it to its normal text form before saving it to the file.
Managing LUNA HSM Connections using GUI
For both use cases, you must configure a Luna Network HSM server and a Luna Network HSM connection.
Warning
It is mandatory to create one or more HSM Servers before creating an HSM Connection.
Adding an Internal Connection (Server)
This option lets you add the HSM Server and download the Luna Client certificate.
Note
Currently, you can add only HSM Servers.
To configure an HSM server:
Click Add HSM Server in the INTERNAL CONNECTIONS section to add an HSM Server.
HSM Hostname/IP - provide the hostname/IP of the server
HSM Certificate - upload the HSM certificate
HSM Description - provide the HSM description
HSM Products - select the check boxes in the Products list to select a product associated with the HSM server. Select Cloud Key Manager to use this connection as a key source for CCKM. Do not select any products to use this connection for HSM-anchored domains.
Click Download Luna Client Cert in the INTERNAL CONNECTIONS section to download the Luna client certificate.
Note
Currently, the only product available in the GUI for HSM Server is Cloud Key Manager. To use this connection for HSM-anchored domains, don't select any check boxes.
Luna Network HSMs can only be added at the CipherTrust Manager root domain.
Click Create to add the HSM Server. The new server is now listed in the INTERNAL CONNECTIONS list.
Configuring the Luna Network HSM Connection
To configure the Luna Network HSM connection:
Partition Server Hostname/IP - select the hostname/IP of the server from the drop-down list
Partition Label - label of the HSM partition
Partition Serial No - serial number of the HSM Partition
Add Partition - click this button to add the multiple partitions
Partition Password - password of the HSM partition(s)
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
The two products available are HSM-anchored domain and Cloud Key Manager.
Managing LUNA HSM Connections using ksctl
Luna network HSM management is divided into:
Luna Network HSM Servers
The following operations can be performed:
Add/delete/get a Luna network HSM server
List all Luna network HSM servers
Enable/Disable STC on Luna Servers
Get Luna client details such as certificate and hostname
The Luna servers are used to create a connection of type Luna network HSM.
Adding a Luna Server
Note
To use an HSM partition in STC mode, make sure to enable STC for the HSM Server.
To add a Luna Server, run:
Syntax
ksctl connectionmgmt luna-hsm servers add --hostname <Hostname/IP> --hsm-cert-file <HSM-Certificate>
This command requires a hostname or IP of the server and a valid certificate.
Example Request
ksctl connectionmgmt luna-hsm servers add --hostname host --hsm-cert-file ~/server.pem
Example Response
{
"hostname": "host",
"hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
"id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:25:27.163022185Z",
"service": "luna network"
}
Getting Details of Luna Server
To get details of a Luna Server already registered with the Connection Manager, run:
Syntax
ksctl connectionmgmt luna-hsm servers get --id <Hostname/Id>
This command requires an identifier that can be either the ID or the hostname of the server.
Example Request
ksctl connectionmgmt luna-hsm servers get --id host
Example Response
{
"hostname": "host",
"hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
"id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:25:27.163022Z",
"service": "luna network"
}
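The certificate passed with --hsm-cert-file is what CipherTrust Manager trusts for this Luna server, and servers get returns the stored copy in the hsm_certificate field. The following added example (not part of the CipherTrust Manager documentation or of ksctl) parses a PEM certificate, computes its SHA-256 fingerprint, and compares the copy registered on CipherTrust Manager with the local server.pem, so a swapped or drifted certificate is noticed. The function names, the out-of-band expected fingerprint and the minimal sample DER are assumptions constructed for the example.

```python
"""Check a Luna HSM server certificate before `servers add` and after `servers get`.

Added example; it is not part of the CipherTrust Manager documentation or of
ksctl. It only uses the PEM file passed as --hsm-cert-file and the
`hsm_certificate` field that `servers get` returns. Function names, the
expected-fingerprint workflow and the sample "certificate" are assumptions
constructed for this example.
"""
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the DER bytes from a PEM certificate; reject anything that is not one."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def fingerprint(pem_text):
    """SHA-256 fingerprint in the colon-separated upper-case form most tools display."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pem_a, pem_b):
    """True when both PEMs carry the same DER bytes (line wrapping and trailing newlines ignored)."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


def check_registered_server(servers_get_json, local_pem, expected_fingerprint=None):
    """Compare the certificate stored for a Luna server with the local file.

    `servers_get_json` is the raw output of `ksctl connectionmgmt luna-hsm servers get`.
    `expected_fingerprint` is a value obtained out of band from the HSM administrator
    (assumption: that is how the server certificate is pinned). Returns a list of
    problems; an empty list means everything matches.
    """
    stored_pem = json.loads(servers_get_json)["hsm_certificate"]
    problems = []
    if not same_certificate(stored_pem, local_pem):
        problems.append("certificate registered on CipherTrust Manager differs from the local file")
    if expected_fingerprint and fingerprint(local_pem) != expected_fingerprint.upper():
        problems.append("local certificate does not match the expected fingerprint")
    return problems


# Constructed sample: a minimal DER SEQUENCE (not a real certificate) so the
# example runs offline; point the functions at your real server.pem instead.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
OTHER_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQY=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    response = json.dumps({"hostname": "host", "hsm_certificate": SAMPLE_PEM})
    print("fingerprint:", fingerprint(SAMPLE_PEM))
    print("problems:", check_registered_server(response, SAMPLE_PEM))
    print("problems after swap:", check_registered_server(response, OTHER_PEM))
```

Comparing DER bytes rather than the PEM text avoids false alarms from the different line wrapping and trailing newline that the stored copy may have, as the responses on this page show.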
Deleting a Luna Server
To delete a Luna Server, run:
Syntax
ksctl connectionmgmt luna-hsm servers delete --id <Hostname/Id>
This command requires an identifier that can be either the ID or the hostname of the server.
There is no response if the server is deleted successfully.
Getting List of Luna Servers
To list all the Luna Servers already registered with the Connection Manager, run:
Syntax
ksctl connectionmgmt luna-hsm servers list
Example Request
ksctl connectionmgmt luna-hsm servers list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"hostname": "host",
"hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMRUwEwYDVQQDDAwxMC4xNjQuNTYuODYwHhcNMjAwODIwMDg1OTQ0\nWhcNMzAwODIyMDg1OTQ0WjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJp\nbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMRUwEwYD\nVQQDDAwxMC4xNjQuNTYuODYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCi7oMYdb8IcoqkdsAYNlcqzW32MxSeIwbThImdm1rvwQcwmggOyUhRqnUaiFH4\nsEVVNVDk0bqgAXKoLwauO63XEpu9NU+vHYrtcTkMZ6JxGe0z9LrCYcmqhcrxwPF6\nKSNFWmIpAXbRZ3utsziMlRSwd250pdBwo7idjubMHAWQAjJ16ouTD4maipbdAGtp\nXP/HnKO29aWpPZhj/zSasmwo6S9SvMdzBuT0/zATFYPsjdaGrbq7pbHwhJYmAP7h\nThG8aqdLNxATT36CEy2Tblw0YAGrcdMbLA4bgptt35OZYKcSXB9lm5RTPaaLkz0b\nEURdHGAVIYBAk/DAJCnoBhRxAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFN1DUkX\nIXroQaX7yeyK5yK6YtPN8FthZ7k3L+FY18JKbnG8DqO8eocvncXtomZ12rLRAnmt\nsyV86fI5gBtoyyydFqqc4ejRfgjMnNwuD3hNLdDY2HuGgjWH+2N6Wl/Z1FVG1PZU\nGCaAlNGFRYOUxlzz3hltNwQmFX4PhdT8RlCApah7bhuozvSAzdAoHnl2qwE/PoS1\nMeTBtJHgJ+LH5Xob/hADnOAJb7jIB3GSBdpBH7VJhQ5VU5sNHqg4ZiNi1vLZPPed\n9HdJPTtbN4019SgY2kSwg1nky8jZY8uA9Qh05izWz3S1p9ZY9kpgRaBCTGCAF/C2\nobI+LA8a7DlU9PQ=\n-----END CERTIFICATE-----\n",
"id": "83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"uri": "kylo:kylo:connectionmgmt:hsm-servers:host-83a24275-65ff-42cf-9e22-edd1b7f0c4f3",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:25:27.163022Z",
"service": "luna network"
}
]
}
Enabling STC on Luna Servers
To enable the STC channel of an HSM connection, run:
Syntax
ksctl connectionmgmt luna-hsm servers enable-stc --id <Connection-name/ID>
Example Request
ksctl connectionmgmt luna-hsm servers enable-stc --id 7ba5172a-39e6-47bb-a115-2f97b6347b76
Example Response
{
"hostname": "10.164.10.37",
"hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMQ8wDQYDVQQDDAY2MjkyNDEwHhcNMjAwODA2MTMwNzEyWhcNMzAw\nODA4MTMwNzEyWjBZMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0G\nA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMQ8wDQYDVQQDDAY2\nMjkyNDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDepnClyc8h+vrt\nnFY+/ovQVf4PnXO0xPX5b8cXKEiWB/R0y9cGNcaHx5S1O6/gajfaLD4tsG43degz\nsgnWl3yaVESvz3f0KP33P44I/aT8d7k2AUEEEv1KYaZleUcxKKN9M5oK9mfLyruW\n391KpFGdwpM93QUg9eNY5V/wT5WmvfsRSNRA19hd3LWYDQCc/XL+ijqpa9mX1IDX\nncy6jco6KP/veckxWLMn69Ukved/KH6JHM+M1TUjXDB7UTGNf863UeMcP0zBBIVa\nGasp4wJRynJzLIiExwAON/ZeBt44qKbhiy2fxoljkFfpKJpgd/Fq0sum+mE1EiI0\nIzlwAtYTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADj5mJb7myhdpPOGmTkxUCSD\n8QujrCmel3n8hA3FePNp2t584yOIvQGn3Ht8nOPzJvNbgZGeTWWrXltjHic6wrc7\nWFTudeDWHgTvN0wPeyQPgzJ/naoop7jIc+x3JCumneEu7WR6A3mYZiCs0OSty99M\nBISITYaYqrB0yWLr9EUDQ4CfpmWX2lHqirTMlMXkZMv9WYRC5CFHltgZqyODnob+\ncUE72FwxiVjrm3foFtFSraxGttfNBqaPiBKr7W5b1CFVaBhIcG/q/30KxQ7vA8Vm\nZAjEQhkdE0e1kwtXYk2goa2cH4UY7azCWwlcoSH8e6IKXh4H/AZZWlrHn0+HD4I=\n-----END CERTIFICATE-----",
"products": [
"cckm"
],
"meta": {
"color": "blue"
},
"id": "7ba5172a-39e6-47bb-a115-2f97b6347b76",
"uri": "kylo:kylo:connectionmgmt:hsm-servers:10-164-10-37-7ba5172a-39e6-47bb-a115-2f97b6347b76",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-09-19T07:21:51.191164Z",
"service": "luna network",
"channel": "STC"
}
Disabling STC on Luna Servers
To disable the STC channel of an HSM connection, run:
Syntax
ksctl connectionmgmt luna-hsm servers disable-stc --id <Connection-name/ID>
Example Request
ksctl connectionmgmt luna-hsm servers disable-stc --id 7ba5172a-39e6-47bb-a115-2f97b6347b76
Example Response
{
"hostname": "10.164.10.37",
"hsm_certificate": "-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDQTEQ\nMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5\nc2FsaXMtSVRTMQ8wDQYDVQQDDAY2MjkyNDEwHhcNMjAwODA2MTMwNzEyWhcNMzAw\nODA4MTMwNzEyWjBZMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0G\nA1UEBwwGT3R0YXdhMRYwFAYDVQQKDA1DaHJ5c2FsaXMtSVRTMQ8wDQYDVQQDDAY2\nMjkyNDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDepnClyc8h+vrt\nnFY+/ovQVf4PnXO0xPX5b8cXKEiWB/R0y9cGNcaHx5S1O6/gajfaLD4tsG43degz\nsgnWl3yaVESvz3f0KP33P44I/aT8d7k2AUEEEv1KYaZleUcxKKN9M5oK9mfLyruW\n391KpFGdwpM93QUg9eNY5V/wT5WmvfsRSNRA19hd3LWYDQCc/XL+ijqpa9mX1IDX\nncy6jco6KP/veckxWLMn69Ukved/KH6JHM+M1TUjXDB7UTGNf863UeMcP0zBBIVa\nGasp4wJRynJzLIiExwAON/ZeBt44qKbhiy2fxoljkFfpKJpgd/Fq0sum+mE1EiI0\nIzlwAtYTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADj5mJb7myhdpPOGmTkxUCSD\n8QujrCmel3n8hA3FePNp2t584yOIvQGn3Ht8nOPzJvNbgZGeTWWrXltjHic6wrc7\nWFTudeDWHgTvN0wPeyQPgzJ/naoop7jIc+x3JCumneEu7WR6A3mYZiCs0OSty99M\nBISITYaYqrB0yWLr9EUDQ4CfpmWX2lHqirTMlMXkZMv9WYRC5CFHltgZqyODnob+\ncUE72FwxiVjrm3foFtFSraxGttfNBqaPiBKr7W5b1CFVaBhIcG/q/30KxQ7vA8Vm\nZAjEQhkdE0e1kwtXYk2goa2cH4UY7azCWwlcoSH8e6IKXh4H/AZZWlrHn0+HD4I=\n-----END CERTIFICATE-----",
"products": [
"cckm"
],
"meta": {
"color": "blue"
},
"id": "7ba5172a-39e6-47bb-a115-2f97b6347b76",
"uri": "kylo:kylo:connectionmgmt:hsm-servers:10-164-10-37-7ba5172a-39e6-47bb-a115-2f97b6347b76",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-09-19T07:21:51.191164Z",
"service": "luna network",
"channel": "NTLS"
}
Getting Details of a Luna Client
To get details of a Luna Client registered with a Luna Server, run:
Syntax
ksctl connectionmgmt luna-hsm servers client-get
Example Request
ksctl connectionmgmt luna-hsm servers client-get
Example Response
{
"id": "5fc757bd-8e95-4352-8d1c-4bc861d252d9",
"uri": "kylo:kylo:doorway:Certificate:5fc757bd-8e95-4352-8d1c-4bc861d252d9",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-12-03T12:22:46.061088Z",
"updatedAt": "2020-12-03T12:22:46.056696Z",
"hostname": "cckm-client-51437b79-4f10-490e-9769-3d5b0526af46",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDezCCAmOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCQ0Ex\nEDAOBgNVBAgMB09udGFyaW8xDzANBgNVBAcMBk90dGF3YTETMBEGA1UECgwKTXkg\nY29tcGFueTE5MDcGA1UEAwwwY2NrbS1jbGllbnQtNTE0MzdiNzktNGYxMC00OTBl\nLTk3NjktM2Q1YjA1MjZhZjQ2MB4XDTIwMTIwMjEyMjI0NloXDTMwMTIwMTEyMjI0\nNlowgYAxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZP\ndHRhd2ExEzARBgNVBAoMCk15IGNvbXBhbnkxOTA3BgNVBAMMMGNja20tY2xpZW50\nLTUxNDM3Yjc5LTRmMTAtNDkwZS05NzY5LTNkNWIwNTI2YWY0NjCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBANyjU9u2iVR0N5foHjZy7e4jMX5TX6BKiqAL\nc3Zn5MjpHZWdd82U1+UYjOgAdgU1IMKr84pxPoMDVrpcK0pk1U07sVqgSYM0WXd1\nB78n8n13CS6xYNL6rHoGXwO3LR0XW45Sa2NvhX/QFiTXsAYQgBZmW3urNj/kx1sd\n2xD0umeTxK+2DnLG8ccxeBxE+bahfxGHH2v+ln5FjVncsSjYLFlOrafI2ZSQLSZK\nXmLp4///Ca3l4SeIvgPCjgWfPiXQ7ZFSEOMcCbCptNuTOuYLbTG9AF2j7BmXMJ3S\n6lG4O/CenKC0JfVKHmfHiy0KcbyQY5zFNvuYjht6Enua58q4hYUCAwEAATANBgkq\nhkiG9w0BAQsFAAOCAQEAqHUSkv9rv5DhZmIRyWw+CrrXFFxxsrezPGWpHSIoKuFo\nFwTgXrru2K8O4mDvByHqcXKDjn/mKzhY9GHTAj3bLjbe3PbW6wAQVvGd8ovLVLEH\nvNY6wATVtafmvSwL/hBWmcdmj5HX3f/OV6h3h+Ck6rHrNzcbw4v25o+89kmEMgi4\njeuXNBSLC/1TrKoChr5nVBugU3BrKZgwm9yrMntuzCqmIVl2dstlbL9R+LSoCns5\na/PreKkP4DbxqxxgeE7RTqtv+qhjrKyMQVMDsHfCDc1Je+NBHkwVrfIdXJrJVuuh\nxZC/isR370yet+J4HM57xsNswI3/YG4l4nXl5jt9dQ==\n-----END CERTIFICATE-----\n"
}
Luna Network HSM Connections
The following operations can be performed:
Create/Get/Update/Delete a Luna Network HSM connection
List all Luna Network HSM connections
Test an existing Luna Network HSM connection
Test the newly created connection
A Luna Network HSM connection can be HA or non-HA.
HA stands for High Availability: there is more than one partition, to ensure availability and load balancing.
In an HA connection, there are multiple partitions on one or more HSM Servers, whereas a non-HA connection has a single partition of one HSM Server.
Creating a Luna Connection
To create a connection of Luna Network HSM type, run:
Syntax
ksctl connectionmgmt luna-hsm connections create --name <Connection-Name> --conn-password <Partition-Password> --partitions-json-file <xxx.json> --ha-enable <yes/no> --key-mgmt-mode <clone/key-export> --products <"cckm" or "hsm_anchored_domain">
Here,
name - Name of the connection.
partitions-json-file - Partition file of JSON type.
conn-password - Password of the Luna partitions.
ha-enable - Signifies whether it is a High Availability (HA) group or not. The default value is no.
key-mgmt-mode - The mode defined in key_mgmt_mode is only valid for the CCKM product. This mode is used for handling private keys. The key-mgmt-mode parameter is applicable only when ha-enable is set to yes. The individual partitions can be configured by using one of the supported modes:
key-export - CCKM supports the replication of private asymmetric keys within the partition's HA group.
clone - All keys/objects in CCKM are replicated automatically within the partition's HA group.
Note
If a wrong mode is selected, CCKM RSA key creation on Luna will be affected. Refer to the note for error details.
It is mandatory that all the partitions are in the same mode. The default value is FALSE. If no value or an empty string ("") is provided, the connection is created without any mode. For creating partitions and handling keys in a specific mode in the HSM, see the Luna HSM documentation.
products - Product type, either cckm or hsm_anchored_domain.
To create a connection with multiple partitions (with an HA group), the HA flag should be specified as TRUE. The format of the JSON file to create a connection:
[
{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label1","serial_number": "xxxxxx"},
{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}
]
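The create command combines several rules stated above (valid products, HA required for more than one partition, key-mgmt-mode only for cckm with HA enabled, the partitions JSON layout), and ksctl only reports a violation after the call. The following added example (not part of the CipherTrust Manager documentation or of ksctl) validates those inputs locally, writes the partitions file with owner-only permissions and builds the command line; the function names and the duplicate-partition check are this example's own additions, and the sample partitions are constructed.

```python
"""Validate the inputs for `ksctl connectionmgmt luna-hsm connections create`
before running it.

Added example; not part of the CipherTrust Manager documentation or of ksctl.
The rules encoded here are the ones stated on this page: products are cckm or
hsm_anchored_domain, several partitions need --ha-enable yes, and
--key-mgmt-mode (clone or key-export) applies only to cckm with HA enabled.
Function names and the duplicate-partition check are this example's own.
"""
import json
import os
import subprocess
import tempfile

VALID_PRODUCTS = ("cckm", "hsm_anchored_domain")
VALID_MODES = ("clone", "key-export")
PARTITION_FIELDS = ("hostname", "partition_label", "serial_number")


def validate_partitions(partitions):
    """Return a clean copy of the partition list that goes into the JSON file."""
    if not partitions:
        raise ValueError("at least one partition is required")
    clean, seen = [], set()
    for part in partitions:
        missing = [f for f in PARTITION_FIELDS if not str(part.get(f, "")).strip()]
        if missing:
            raise ValueError(f"partition {part!r} is missing {missing}")
        key = (part["hostname"], str(part["serial_number"]))
        if key in seen:  # example's own check: the same partition listed twice
            raise ValueError(f"partition {key} listed twice")
        seen.add(key)
        clean.append({f: str(part[f]) for f in PARTITION_FIELDS})
    return clean


def build_create_args(name, partitions, ha_enable=False, key_mgmt_mode="",
                      products="cckm", partitions_file="partitions.json"):
    """Return (partition_list, argv) for the create command; raise ValueError on bad input."""
    if products not in VALID_PRODUCTS:
        raise ValueError(f"--products must be one of {VALID_PRODUCTS}")
    clean = validate_partitions(partitions)
    if len(clean) > 1 and not ha_enable:
        raise ValueError("more than one partition requires --ha-enable yes")
    if key_mgmt_mode:
        if key_mgmt_mode not in VALID_MODES:
            raise ValueError(f"--key-mgmt-mode must be one of {VALID_MODES}")
        if not ha_enable:
            raise ValueError("--key-mgmt-mode applies only when --ha-enable is yes")
        if products != "cckm":
            raise ValueError("--key-mgmt-mode is only valid for the cckm product")
    argv = ["ksctl", "connectionmgmt", "luna-hsm", "connections", "create",
            "--name", name,
            "--partitions-json-file", partitions_file,
            "--ha-enable", "yes" if ha_enable else "no",
            "--products", products]
    if key_mgmt_mode:
        argv += ["--key-mgmt-mode", key_mgmt_mode]
    return clean, argv


def create_connection(name, partitions, password, **options):
    """Write the partitions file with owner-only permissions, run ksctl, return its JSON."""
    clean, argv = build_create_args(name, partitions, **options)
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(clean, fh, indent=2)
        argv[argv.index("--partitions-json-file") + 1] = path
        # The password is handed to the process directly, never through a shell.
        argv += ["--conn-password", password]
        proc = subprocess.run(argv, capture_output=True, text=True, check=True)
        return json.loads(proc.stdout)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample mirroring the placeholders used on this page.
    sample = [
        {"hostname": "xx.xxx.xx.xx", "partition_label": "sample-label1", "serial_number": "14"},
        {"hostname": "xx.xxx.xx.xx", "partition_label": "sample-label2", "serial_number": "12"},
    ]
    parts, argv = build_create_args("demo1", sample, ha_enable=True, key_mgmt_mode="clone")
    print(json.dumps(parts, indent=2))
    print(" ".join(argv), "--conn-password <redacted>")
```

Only build_create_args is needed to see what would be sent; create_connection actually invokes ksctl and expects it on PATH with an active session.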
Note
If a Luna HSM partition and the associated Luna HSM connection are deleted from the CipherTrust Manager, the Luna source key link from Azure Keys page will not work. To work around this issue:
Add the Luna HSM connection again.
Add the Luna HSM partitions in the same order in which they were added before deletion.
After deleting and re-adding a partition to CCKM, a refresh should be performed on the CCKM partition. Refer to Refreshing Specific Partitions for details.
Example Request 1
ksctl connectionmgmt luna-hsm connections create --name demo1 --conn-password passcode --partitions-json-file partitions.json --ha-enable yes
Example Response 1
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592526537Z",
"updatedAt": "2020-12-04T09:30:20.591321554Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
],
"is_ha_enabled": true
}
Example Request 2
ksctl connectionmgmt luna-hsm connections create --name demo1 --conn-password passcode --partitions-json-file partitions.json --ha-enable yes --key-mgmt-mode clone
Example Response 2
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592526537Z",
"updatedAt": "2020-12-04T09:30:20.591321554Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
],
"is_ha_enabled": true,
"key_mgmt_mode": "clone"
}
Getting Details of a Luna Connection
To get details of a Luna Network connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections get --id <Id/Connection-Name>
This command requires a connection identifier that can be either ID or name of the connection.
Example Request
ksctl connectionmgmt luna-hsm connections get --id demo1
Example Response
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592527Z",
"updatedAt": "2020-12-04T09:30:20.591322Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"id": "39c7775c-a72c-4b31-9745-d1e9adbf8946",
"uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-39c7775c-a72c-4b31-9745-d1e9adbf8946",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.597013Z",
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"id": "e3b7914d-3a88-40de-9385-649c5f019e3f",
"uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-e3b7914d-3a88-40de-9385-649c5f019e3f",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.598614Z",
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
],
"is_ha_enabled": true,
"key_mgmt_mode": "clone",
"max_session_count": 0,
"session_count": 0,
"max_rw_session_count": 0,
"rw_session_count": 0,
"max_pin_len": 0,
"min_pin_len": 0,
"total_public_memory": 0,
"free_public_memory": 0,
"total_private_memory": 0,
"free_private_memory": 0,
"operation_status": "",
"operation_error": ""
}
Updating a Luna Connection
To update a Luna Network connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections update --id <Id/Name> --conn-password <New-Password> --key-mgmt-mode <New-Mode>
This command requires:
A connection identifier that can either be ID or name of the connection
One or more parameters to update
The Luna Connection Update supports updating the password and other meta information.
Note
This command does not support updating partition information.
Example Request 1
ksctl connectionmgmt luna-hsm connections update --id demo1 --conn-password newPasscode
Example Response 1
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592526537Z",
"updatedAt": "2020-12-04T09:30:20.591321554Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
]
}
Example Request 2
ksctl connectionmgmt luna-hsm connections update --id demo1 --key-mgmt-mode key-export
Example Response 2
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592526537Z",
"updatedAt": "2020-12-04T09:30:20.591321554Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
],
"is_ha_enabled": true,
"key_mgmt_mode": "key-export"
}
Deleting a Luna Connection
To delete a Luna Network connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections delete --id <Id/Name>
There is no response if the Luna Network connection is deleted successfully.
Note
Deleting a Luna Network connection does not delete the HA group. The HA group is kept for future references. If the existing HA group is updated by adding a new partition or by removing a partition that is already part of the existing HA group, the HA group will be updated after performing the test connection.
Getting List of Luna Connections
To list all the connections of Luna Network HSM type, run:
Syntax
ksctl connectionmgmt luna-hsm connections list
Example Request
ksctl connectionmgmt luna-hsm connections list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"uri": "kylo:kylo:connectionmgmt:connections:demo1-c8c1cd6b-1f37-405c-9e12-de2f6bec2c36",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.592527Z",
"updatedAt": "2020-12-04T09:30:20.591322Z",
"service": "luna network",
"category": "hsm",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "demo1",
"partitions": [
{
"id": "39c7775c-a72c-4b31-9745-d1e9adbf8946",
"uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-39c7775c-a72c-4b31-9745-d1e9adbf8946",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.597013Z",
"hostname": "xx.xxx.xx.xx",
"serial_number": "14",
"partition_label": "sample-label"
},
{
"id": "e3b7914d-3a88-40de-9385-649c5f019e3f",
"uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-e3b7914d-3a88-40de-9385-649c5f019e3f",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-04T09:30:20.598614Z",
"hostname": "xx.xxx.xx.xx",
"serial_number": "12",
"partition_label": "sample-label"
}
],
"is_ha_enabled": true,
"key_mgmt_mode": "key-export"
}
]
}
Adding a partition to the Luna Connection
To add a partition to the Luna Connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections add-partition --id <Id/Name> --partitions-json-file <xxx.json>
A partition can only be added to a connection if the HA flag is TRUE.
The format of the JSON file to add a partition:
{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}
Example Request
ksctl connectionmgmt luna-hsm connections add-partition --id demo1 --partitions-json-file partition.json
Example Response
{
"id": "288b05a9-0e08-4b76-be6c-3713b0e10751",
"uri": "kylo:kylo:connectionmgmt:luna-network-partition:demo1-288b05a9-0e08-4b76-be6c-3713b0e10751",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2020-12-05T06:01:27.482393059Z",
"hostname": "xx.xxx.xx.xx",
"serial_number": "1429964054509",
"partition_label": "sample-label"
}
Deleting a Partition from the Luna Connection
To delete a partition from the Luna Connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections delete-partition --id <Id/Name> --partition-id <Partition-Id>
There is no response if the partition is deleted successfully.
Testing an Existing Luna Connection
To test an existing Luna Network connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections test --id <Id/Name>
This command requires a connection identifier that can be either the ID or the name of the connection.
This command is asynchronous; therefore, it initiates a connection test and returns the status in_progress. You can fetch the actual status by using the get command for the same connection.
Example Request
ksctl connectionmgmt luna-hsm connections test --id demo1
Example Response
{
"id": "b1c8597a-670e-456f-b2e4-a452311e2916",
"uri": "kylo:kylo:hsm:connections:b1c8597a-670e-456f-b2e4-a452311e2916",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-12-04T09:37:17.578573227Z",
"updatedAt": "2020-12-04T09:37:17.575470994Z",
"connection_status": "in_progress"
}
Testing a New Luna Connection
To test the parameters of a new Luna Network connection, run:
Syntax
ksctl connectionmgmt luna-hsm connections test --conn-password <Partitions-Password> --partitions-json-file <xxx.json> --ha-enable <Yes/No>
This command requires a partition file of JSON type and the password of the Luna partitions.
HA flag is optional, and the default value is FALSE. To test connection parameters with multiple partitions (with an HA group), the HA flag should be specified as TRUE. The format of the JSON file to create a connection:
[
{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label1","serial_number": "xxxxxx"},
{"hostname": "xx.xxx.xx.xx","partition_label": "sample-label2","serial_number": "xxxxxx"}
]
This command is asynchronous; therefore, it initiates a connection test and returns the status in_progress. The test-status command can be used to fetch the actual status by using the ID returned with this command.
Example Request
ksctl connectionmgmt luna-hsm connections test --conn-password passcode --partitions-json-file partitions.json --ha-enable yes
Example Response
{
"id": "00eb8941-a787-4440-a46d-8f658b7f97d3",
"uri": "kylo:kylo:hsm:connections:00eb8941-a787-4440-a46d-8f658b7f97d3",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-23T13:27:20.281086901Z",
"updatedAt": "2020-11-23T13:27:20.277119471Z",
"connection_status": "in_progress"
}
Getting a Test Status
To get the status of the Luna connection parameters test performed earlier, run:
Syntax
ksctl connectionmgmt luna-hsm connections test-status --id <Test-Identifier>
This command requires a test ID that is returned as a part of the test command.
Example Request
ksctl connectionmgmt luna-hsm connections test-status --id 00eb8941-a787-4440-a46d-8f658b7f97d3
Example Response
{
"id": "00eb8941-a787-4440-a46d-8f658b7f97d3",
"uri": "kylo:kylo:hsm:connections:de7b1255-9ded-4222-8e1b-408110413a19",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-11-23T13:32:57.450956Z",
"updatedAt": "2020-11-23T13:32:57.505909Z",
"connection_status": "connection ok"
}
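Both test commands above are asynchronous: the test of a new connection's parameters returns a test ID to poll with test-status, while the test of an existing connection is read back with get on that connection. The following added example (not part of the CipherTrust Manager documentation or of ksctl) wraps those commands and polls until a result is available, with a timeout so a hung test does not block a deployment script. Function names are assumptions; the scripted responses in the demo are constructed from the example responses on this page, and the assumption that get refreshes last_connection_at when a test completes is marked in the code.

```python
"""Drive the asynchronous Luna connection tests and wait for their result.

Added example; not part of the CipherTrust Manager documentation or of ksctl.
It wraps the `connections test`, `test-status` and `get` commands shown on this
page. Function names are assumptions; the scripted responses used by the demo
are constructed from the page's example responses.
"""
import json
import subprocess
import time

KSCTL = ["ksctl", "connectionmgmt", "luna-hsm", "connections"]


def run_ksctl(args):
    """Run one `ksctl connectionmgmt luna-hsm connections ...` command and parse its JSON."""
    proc = subprocess.run(KSCTL + list(args), capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def scripted_runner(responses):
    """Stand-in for run_ksctl that replays canned responses (offline demonstration only)."""
    queue = list(responses)
    return lambda args: queue.pop(0)


def wait_for_parameter_test(test_id, run=run_ksctl, timeout=120.0, interval=2.0, sleep=time.sleep):
    """Poll `test-status --id <test-id>` until connection_status leaves in_progress.

    Use after `connections test --conn-password ... --partitions-json-file ...`,
    which returns the test id. Returns the final connection_status string, e.g.
    "connection ok"; raises TimeoutError if still in_progress after `timeout` seconds.
    """
    waited = 0.0
    while True:
        status = run(["test-status", "--id", test_id])["connection_status"]
        if status != "in_progress":
            return status
        if waited >= timeout:
            raise TimeoutError(f"connection test {test_id} still in_progress after {timeout:.0f}s")
        sleep(interval)
        waited += interval


def check_existing_connection(conn_id, run=run_ksctl, timeout=120.0, interval=2.0, sleep=time.sleep):
    """Run `connections test --id <conn>` and wait for the result via `connections get`.

    Waits until last_connection_ok is populated and last_connection_at has moved
    past its pre-test value (assumption: get refreshes that timestamp when a test
    completes), so the result of an earlier test is not mistaken for this one.
    Returns (ok, connection_record).
    """
    before = run(["get", "--id", conn_id])["last_connection_at"]
    run(["test", "--id", conn_id])  # returns {"connection_status": "in_progress", ...}
    waited = 0.0
    while True:
        conn = run(["get", "--id", conn_id])
        if conn["last_connection_ok"] is not None and conn["last_connection_at"] != before:
            return bool(conn["last_connection_ok"]), conn
        if waited >= timeout:
            raise TimeoutError(f"connection {conn_id}: no test result after {timeout:.0f}s")
        sleep(interval)
        waited += interval


if __name__ == "__main__":
    # Offline demo: responses shaped like the page's examples, no sleeping.
    run = scripted_runner([
        {"connection_status": "in_progress"},
        {"connection_status": "in_progress"},
        {"connection_status": "connection ok"},
    ])
    print(wait_for_parameter_test("00eb8941-a787-4440-a46d-8f658b7f97d3",
                                  run=run, sleep=lambda s: None))
```

With the default run_ksctl the functions call the real ksctl on PATH; the run and sleep parameters exist so the polling logic can be exercised offline, as the demo does.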
Managing Luna Network HSM Partitions in STC Mode using ksctl
Note
HSM-anchored domains are not supported with STC partitions.
To use HSM partitions in the STC mode:
Download/scp the partition identity public key (pid) file from the first client or HSM.
Register the partition identity public key on the CipherTrust Manager.
Add the label of the HSM partition in the partition_label field.
Add the serial number of the HSM partition in the serial_number field.
The following operations can be performed:
Create/Get/Delete a Luna Network HSM STC partition
List all Luna Network HSM STC partitions
Get test status of a new STC partition
Creating a Luna Network HSM STC Partition
To create a Luna Network HSM STC-partition, run:
Syntax
ksctl connectionmgmt luna-hsm stc-partition create --name <connection-name> --products <product-names> --meta <key:value> --partition_identity <partitions-identity-file> --partition_label <partition-label-name> --serial_number <serial-number>
Example Request
ksctl connectionmgmt luna-hsm stc-partition create --name T1332 --products cckm --serial-number 14655971025300 --partition-identity 1465065595818.pid --label T123
Example Response
{
"id": "fda66b48-1191-4c06-b1f7-076b5f59dcbe",
"uri": "kylo:kylo:connectionmgmt:hsm-stc-partition:t1332-fda66b48-1191-4c06-b1f7-076b5f59dcbe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-09-19T12:20:30.481081209Z",
"updatedAt": "2022-09-19T12:20:30.476753184Z",
"service": "luna network",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "T1332",
"products": [
"cckm"
],
"label": "T123",
"serial_number": "14655971025300"
}
Getting Details of Luna Network HSM STC Partition
To get details of a Luna Network HSM partition in the STC mode, run:
Syntax
ksctl connectionmgmt luna-hsm stc-partition get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt luna-hsm stc-partition get --id fda66b48-1191-4c06-b1f7-076b5f59dcbe
Example Response
{
"id": "fda66b48-1191-4c06-b1f7-076b5f59dcbe",
"uri": "kylo:kylo:connectionmgmt:hsm-stc-partition:t1332-fda66b48-1191-4c06-b1f7-076b5f59dcbe",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-09-19T12:20:30.481081Z",
"updatedAt": "2022-09-19T12:20:30.476753Z",
"service": "luna network",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "T1332",
"products": [
"cckm"
],
"label": "T123",
"serial_number": "14655971025300"
}
Deleting Luna Network HSM STC Partitions
To delete Luna Network HSM partition in the STC mode, run:
Syntax
ksctl connectionmgmt luna-hsm stc-partition delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt luna-hsm stc-partition delete --id fda66b48-1191-4c06-b1f7-076b5f59dcbe
Example Response
{
"status": 204
}
The above response appears if the Luna Network HSM partition in the STC mode is deleted successfully. In case of failure, an error is returned.
Getting Test Status of a New STC Partition
To get the status of a new Luna Network STC partition, run:
Syntax
ksctl connectionmgmt luna-hsm stc-partition status --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt luna-hsm stc-partition status --id fda66b48-1191-4c06-b1f7-076b5f59dcbe
Example Response - if partition is created successfully
{
"connection_ok": true
}
Example Response - if partition is not created
{
"connection_ok": false,
"connection_error": "Cannot list STC partition slot"
}