HSM
The HSM tab contains commands related to the HSM or partition you want to work with. Depending on how you want to authenticate, and to which element, there are different drop-down menus for each method and machine. The HSM and Partition menu Login buttons are used for password-based or local PED-based authentication, while the PED menu is specifically for connecting a remote PED. Login to the HSM or partition you want to use is required before you can use any other functions from the menus.
Figure 1: HSM Tab
The tables below list each command button you see on the HSM tab in the client. Each command has a short description of what it does as well as its corresponding resource. The resources can be input into the Custom IO tab manually if you become very familiar with them.
NOTE There are some commands that are not included as buttons on the client. They must be input manually in the Custom IO tab. A complete repository of resources you can query with REST API can be found in the REST API Command Reference documentation.
Commands are grouped by the element with which you are communicating.
HSM
There are a few different ways to log in, depending on how you typically access your HSM.
- If you have direct access to your HSM and are using password-based authentication, click Login and input your HSM serial number and password. Click submit.
- If you have indirect access to your HSM via PED, click Login and input your user role and PED identifier number. Use 0 if you are using a local PED; 1 or greater for a remote PED. Click submit. Use the PED to complete your login.
When you are finished using the REST API, or if you need to log in to a different server or as a different user, click Login and change the HSM serial number, role, and/or password values.
The table below defines each command available under the HSM menu and references its corresponding resource.
Command | Function | Resource |
---|---|---|
Login | Opens a dialog box through which you can log in to your HSM. Login can be done through an HSM serial number and password, or through a role and PED, depending on the type of authentication set for your device. | POST /api/lunasa/hsms/{HsmSerial}/login |
List Hsms | Lists all HSMs associated with the appliance. | GET /api/lunasa/hsms |
Get HSM | Gets information associated with a specific HSM. | GET /api/lunasa/hsms/{hsmid} |
Get App | Gets information associated with the appliance. | |
Upgrade Firmware | Updates HSM firmware to the most recent version. | POST /api/lunasa/hsms/{hsmid}/firmware/actions/upgrade |
Rollback Firmware | Downgrades HSM firmware to the previously installed version. | POST /api/lunasa/hsms/{hsmid}/firmware/actions/rollback |
Set Policy | Sets a specific HSM policy. | PUT /api/lunasa/hsms/{hsmid}/policies/{policyid} |
Apply Update | Applies a specific HSM update. | POST /api/lunasa/hsms/{hsmid}/updates/{updateid} |
Initialize | Initializes the HSM. | PUT /api/lunasa/hsms/{hsmid}/ |
Zeroize | Removes all partitions and keys from the HSM. Does not reset HSM policies, erase the RPV, or delete the Auditor role. | POST /api/lunasa/hsms/{hsmid}/actions/zeroize |
List Roles | Lists all roles associated with the HSM. | GET /api/lunasa/hsms/{hsmid}/roles |
Get Role | Gets the information associated with a specific HSM role. | GET /api/lunasa/hsms/{hsmid}/roles/{roleid} |
Set Password | Opens a dialog box in which you can set a new HSM password. 1. Complete the form with your new password and old password. 2. Optionally change the secret and/or challenge secret associated with a particular HSM or role by changing false to true and specifying the HSM serial number and role. | PATCH /api/lunasa/hsms/{hsmid}/roles/{roleid} |
Factory Reset | Sets the HSM back to its factory default settings, deleting the HSM SO, all users, and all objects. | POST /api/lunasa/hsms/{hsmid}/actions/factoryReset |
Partition
There are a few different ways to log in, depending on how you typically access your partition.
- If you have direct access to your partition on an HSM and are using password-based authentication, click Login and input your partition serial number and password. Click submit.
- If you have indirect access to your partition via PED, click Login and input your user role and PED identifier number. Use 0 if you are using a local PED; 1 or greater for a remote PED. Click submit. Use the PED to complete your login.
When you are finished using the REST API, or if you need to log in to a different server or as a different user, click Login and change the partition serial number, role, and/or password values.
The table below defines each command available under the Partition menu and references its corresponding resource.
Command | Function | Resource |
---|---|---|
Login | Opens a dialog box through which you can log in to your HSM partition. Login can be done through a partition serial number and password, or through a role and PED, depending on the type of authentication set for your device. | POST /api/lunasa/hsms/{PartSerial}/partitions/{role}/login |
List | Lists all partitions associated with the HSM. | GET /api/lunasa/hsms/{hsmid}/partitions |
Info | Gets information associated with a specific partition. | GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid} |
Create | Creates a partition.* | POST /api/lunasa/hsms/{hsmid}/partitions |
Delete | Removes a specific partition from the HSM. | DELETE /api/lunasa/hsms/{hsmid}/partitions/{partitionid} |
Set Policy | Sets a specific partition policy. | PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/policies/{policyid} |
Delete All | Removes all partitions from the HSM. | DELETE /api/lunasa/hsms/{hsmid}/partitions |
Initialize | Initializes the partition.* (Applicable to PPSO partitions.) | PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid} |
Initialize Role | Initializes the partition role. | PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles/{roleid} |
List Roles | Lists all roles associated with the partition. | GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles |
Get Role | Gets information associated with a specific partition role. | GET /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles/{roleid} |
Set Password | Opens a dialog box in which you can set a new partition password. 1. Complete the form with your new password and old password. 2. Optionally change the secret and/or challenge secret associated with a particular HSM, partition, and/or role by changing false to true and specifying the HSM serial number, partition serial number, and role. | PATCH /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles/{roleid} |
* If you only plan to use REST API to manage partitions, you can name them as you prefer. If you plan to use a combination of REST API and LunaSH, partition names/labels must conform to LunaSH naming conventions. In this case, name partitions using only the following characters:
`!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~`
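As an added example (not code from the REST API client or its documentation), the Python helper below turns the Resource strings from the HSM and Partition tables into concrete requests, enforces this page's rule that login must precede every other command, gates the erasing commands behind an explicit confirmation, and checks partition labels against the LunaSH character set above. The button-to-resource mapping is a subset copied from the tables; sending the HTTP request and the body format are left to the caller and are not assumed here.

```python
import re
from urllib.parse import quote

# Label characters permitted when LunaSH will also manage the partitions (the list above).
LUNASH_LABEL_CHARS = set(
    "!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~"
)
# Resource strings copied from the Resource column, keyed by button name (subset only).
RESOURCES = {
    "Login": "POST /api/lunasa/hsms/{HsmSerial}/login",
    "Zeroize": "POST /api/lunasa/hsms/{hsmid}/actions/zeroize",
    "Factory Reset": "POST /api/lunasa/hsms/{hsmid}/actions/factoryReset",
    "Delete All": "DELETE /api/lunasa/hsms/{hsmid}/partitions",
}
# Commands that erase keys or partitions; these need an explicit confirmation.
DESTRUCTIVE = {"Zeroize", "Factory Reset", "Delete All"}
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(resource, **params):
    """Split 'METHOD /path/{x}' and fill every placeholder; a missing or
    surplus parameter raises, so a wrong id cannot slip through silently."""
    method, template = resource.split(" ", 1)
    needed = set(_PLACEHOLDER.findall(template))
    if needed != set(params):
        raise ValueError(f"expected {sorted(needed)}, got {sorted(params)}")
    path = _PLACEHOLDER.sub(lambda m: quote(str(params[m.group(1)]), safe=""), template)
    return method, path


def valid_lunash_label(label):
    """True when a partition label is non-empty and uses only LunaSH-safe characters."""
    return bool(label) and set(label) <= LUNASH_LABEL_CHARS


class Session:
    """Enforces the page's ordering rule: log in before issuing any other command."""
    def __init__(self):
        self.logged_in = False

    def record_login(self):
        """Call after the login POST has returned success (HTTP itself is left to the caller)."""
        self.logged_in = True

    def build(self, command, confirm=False, **params):
        """Return (method, path) for a button, or raise if the call is not allowed yet."""
        if command != "Login" and not self.logged_in:
            raise PermissionError("log in to the HSM or partition before other commands")
        if command in DESTRUCTIVE and not confirm:
            raise PermissionError(f"{command} erases data; pass confirm=True to proceed")
        return render(RESOURCES[command], **params)
```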
PED
To use a remote PED for executing any tasks, you must connect to a remote PED before trying to use any of its commands.
The table below defines each command available under the PED menu and its corresponding resource.
Command | Function | Resource |
---|---|---|
Connect | Connects to a Remote PED. | POST /api/lunasa/hsms/{hsmid}/peds/{pedid}/actions/connect |
Disconnect | Disconnects the currently active Remote PED. | POST /api/lunasa/hsms/{hsmid}/peds/{pedid}/actions/disconnect |
Vector Init | Initializes a Remote PED Vector (RPV), creates a new Remote PED Key (RPK), and imprints the RPV onto the HSM and RPK. | POST /api/lunasa/hsms/{hsmid}/peds/{pedid}/actions/vectorInitialize |
Vector Erase | Erases the Remote PED Vector (RPV) from the current HSM. | POST /api/lunasa/hsms/{hsmid}/peds/{pedid}/actions/vectorErase |