Home > |
---|
Cryptographic applications that are not specifically adapted to use an HSM Server can nevertheless be run using SafeNet Luna HSMs, with the aid of the salogin utility. This section provides the settings required for some widely-used applications.
An example of a situation where you might use salogin is where you wish to use a SafeNet Luna HSM appliance with openssl, which can be used with HSMs, but which has no inherent ability to provide credentials to the HSM.
Note: The applications in the integrations documents have been explicitly integrated by SafeNet, to work with your SafeNet Luna HSM product. Contact your SafeNet representative. If you are a developer, you might prefer to create or modify your own application to include support for the HSM or appliance. Refer to the Software Development Kit and the Extensions sections of this document set.
Note: The salogin utility does not work with STC-enabled slots. If you require salogin with your applications, you must use NTLS client links.
The salogin client-side utility is provided to assist clients that do not include the requisite HSM login and logout capability within the client application. Run the utility from a shell or command prompt, or include it in scripts.
The salogin utility has a single command, with several arguments, as follows:
>salogin -h
Luna Login Utility 1.0 Arguments:
o |
|
open application access |
c |
|
close application access |
i |
hi:lo |
application id; high and low component |
s |
slot |
token slot id number (default = 1) |
u |
|
specifies that login should be performed as the Crypto-User if no user type is supplied, the Crypto-Officer will be used |
p |
pswd |
challenge password - if not included, login will not be performed |
r | server IP | remote ped server ip |
v |
|
verbose |
h |
|
this help |
salogin -o -s 1 -i 1:1
# open a persistent application connection
# on slot 1 with app id 1:1
salogin -o -s 1 -i 1:1 -p HT7bHTHPRp/4/Cdb
# open a persistent application connection
# and login with Luna HSM challenge
salogin -c -s 1 -i 1:1
# close persistent application connection 1:1
# on slot 1
lunacm:>slot list
Slot Id -> 0
Label -> stc_ppso
Serial Number -> 1213429268189
Model -> LunaSA
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Current Slot Id: 0
Command Result : No Error
lunacm:>stc status
Enabled: Yes
Status: Connected
Channel ID: 3
Cipher Name: AES 256 Bit with Cipher Block Chaining
HMAC Name: HMAC with SHA 512 Bit
Command Result : No Error
lunacm:>stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 58feec48e485762c39a8c32f94cf535bf545699e
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
par1 1213429268189 d4d4d65d281fd17580c56ddf09439c79c466a09a
Command Result : No Error
lunacm:>clientconfig listservers
Server ID Server Channel HTL Required
__________________________________________________________________
0 192.20.11.184 STC no
Command Result : No Error
lunacm:>exit
# ./salogin -o -s 0 -i 1:1 -p userpin
CA_OpenApplicationID: failed to open application id. err 0x80000030
token not present or app id already open?
For java applications you could consider the KeyStore interface. It is internally consistent with the service provider interface defined by SUN/Oracle and does not require any proprietary code or applications.
If you are using an integration that does not refer to a KeyStore then the salogin method might be required. You are then limited to working with 1 partition. The type of HSM doesn’t matter, as long as it is SafeNet and visible by the client at the time that the library is initialized.