Setting up STC
This recipe will describe how to set up STC. It is assumed that you have already exchanged certs with the appliance. For a recipe on how to exchange certificates with the appliance see Setting up NTLS.
This recipe requires both Admin API authentication and HSM API authentication.
Step 1: Initialize client token and create identity
Step 2: Set HSM policy
Step 3: Register client
Step 4: Export and register partition
Step 5: Set partition policy
Step 6: Enable
Step 1: Initialize client token and create identity
To initialize the client token, run lunacm -q stc tki -l <clientName> -f, where <clientName> is the name of the client you wish to use.
Example:
lunacm:> stc tki -l myClient -f
Successfully initialized the client token.
Command Result : No Error
To create the client identity, run 'lunacm -q stc idc -l <clientName> -f', replacing <clientName> with the name used above.
Example:
lunacm:> stc idc -l myClient -f
Client identity myClient successfully created and exported to file C:\Program Files\SafeNet\LunaClient\data\client_identities\myClient
Command Result : No Error
Step 2: Set HSM policy
To set the HSM policy, PUT to /api/lunasa/hsms/<HSM_Serial>/policies/39 with the value of 1.
Example:
----------------Request----------------
URL:
PUT:/api/lunasa/hsms/155532/policies/39
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"value": 1}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/policies/39', 'content-length': '0', 'access-control-allow-credentials': 'true'}
Data:
""
Step 3: Register client
To register a client, base64-encode the identity file created in Step 1. Once encoded, upload it with a POST to /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/stc/clients, including the base64 identity and a label.
Example:
----------------Request----------------
URL:
POST:/api/lunasa/hsms/155532/partitions/362126088871/stc/clients
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"identity": "U2FmZU5ldFN0Y0NsaWVudElkZW<.............>FVCTElDIEtFWS0tLS0tCg==", "label": "testClient"}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/partitions/362126088871/stc/clients/testClient', 'content-length': '23', 'access-control-allow-credentials': 'true'}
Data:
{"client": "testClient"}
Step 4: Export and register partition
To export the partition, GET /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/stc, base64-decode the publicKey field of the response and save the result to a file, e.g. "myPartition".
Example:
----------------Request----------------
URL:
GET:/api/lunasa/hsms/155532/partitions/362126088871/stc
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'content-length': '1037', 'access-control-allow-credentials': 'true'}
Data:
{"activationTimeout": 120, "clients": "/api/lunasa/hsms/155532/partitions/362126088871/stc/clients", "ciphers": "/api/lunasa/hsms/155532/partitions/362126088871/stc/ciphers", "publicKey": "U2FmZU5ldFN0<...................................>tLS0tLQo=","fingerprint": "81f23180aad8d29b66d8a9285ceb5638ea923984", "replayWindow": 120, "hmacs": "/api/lunasa/hsms/155532/partitions/362126088871/stc/hmacs", "rekeyThreshold": 400}
The next step is to register the partition: run lunacm -q stc parr -f <fileCreatedInLastStep> -l <anyName>, where <fileCreatedInLastStep> is the file saved in the previous step and <anyName> is a label of your choosing.
Example:
lunacm:> stc parr -f 362126088871 -l myPartition
Partition identity 362126088871 successfully registered.
Command Result : No Error
Step 5: Set partition policy
To set the partition policy, PUT to /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/policies/37 with the value of 1.
Example:
----------------Request----------------
URL:
PUT:/api/lunasa/hsms/155532/partitions/362126088871/policies/37
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"value": 1}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/partitions/362126088871/policies/37', 'content-length': '0', 'access-control-allow-credentials': 'true'}
Data:
""
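The REST half of this recipe (Steps 2 to 5) can be scripted. The following is an added example, not code from the original recipe or from the appliance vendor: it builds the requests exactly as shown above, base64-encodes the identity file for Step 3, and base64-decodes the publicKey from Step 4 into the file that 'stc parr -f' expects. The appliance port (8443), the auth_header dict (the recipe does not show how Admin API authentication is supplied) and the cafile path for the already-exchanged appliance certificate are assumptions the caller must fill in.

```python
# Added example (not part of the original recipe or the vendor's tooling).
# Covers Steps 2-5 over the appliance REST API using only the standard library.
import base64
import http.client
import json
import ssl

CONTENT_TYPE = "application/vnd.safenetinc.lunasa+json;version=3"
HSM_POLICY_STC = 39          # HSM policy set in Step 2
PARTITION_POLICY_STC = 37    # partition policy set in Step 5


def policy_request(hsm_serial, policy, partition_serial=None, value=1):
    """Build the PUT for Step 2 (HSM policy) or Step 5 (partition policy).

    Returns (method, path, body). A partition serial selects the
    partition-level policy path; otherwise the HSM-level path is used.
    """
    base = f"/api/lunasa/hsms/{hsm_serial}"
    if partition_serial is not None:
        base += f"/partitions/{partition_serial}"
    return "PUT", f"{base}/policies/{policy}", {"value": value}


def client_registration_request(hsm_serial, partition_serial, identity_bytes, label):
    """Build the POST for Step 3: the raw identity file, base64-encoded, plus a label."""
    identity_b64 = base64.b64encode(identity_bytes).decode("ascii")
    path = f"/api/lunasa/hsms/{hsm_serial}/partitions/{partition_serial}/stc/clients"
    return "POST", path, {"identity": identity_b64, "label": label}


def registration_succeeded(response_json, label):
    """Step 3 result check: the appliance echoes the label back as "client"."""
    return response_json is not None and response_json.get("client") == label


def decode_partition_public_key(stc_json):
    """Step 4: base64-decode the publicKey field of the GET .../stc response.

    validate=True rejects anything that is not clean base64, so a truncated
    body or an HTML error page does not silently become a garbage identity file.
    """
    return base64.b64decode(stc_json["publicKey"], validate=True)


def save_partition_identity(stc_json, out_path):
    """Write the decoded partition public key to the file later given to 'stc parr -f'."""
    raw = decode_partition_public_key(stc_json)
    with open(out_path, "wb") as fh:
        fh.write(raw)
    return len(raw)


def send(host, method, path, body, auth_header, port=8443, cafile=None):
    """Perform one REST call over TLS and return (status, parsed JSON or None).

    Assumptions: port 8443, auth_header (e.g. an Authorization header obtained
    from the Admin API login) and cafile (the appliance certificate exchanged
    beforehand) are placeholders supplied by the caller.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    headers = {"Content-Type": CONTENT_TYPE, **auth_header}
    conn.request(method, path, body=json.dumps(body), headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, (json.loads(data) if data else None)


def setup_stc_rest(host, auth_header, hsm_serial, partition_serial,
                   identity_path, out_path, label, cafile=None):
    """Run Steps 2 to 5 in the recipe's order; stops at the first non-2xx reply."""
    with open(identity_path, "rb") as fh:
        identity = fh.read()
    stc_path = f"/api/lunasa/hsms/{hsm_serial}/partitions/{partition_serial}/stc"
    calls = [
        policy_request(hsm_serial, HSM_POLICY_STC),                                 # Step 2
        client_registration_request(hsm_serial, partition_serial, identity, label),  # Step 3
        ("GET", stc_path, {}),                                                       # Step 4
        policy_request(hsm_serial, PARTITION_POLICY_STC, partition_serial),          # Step 5
    ]
    for method, path, body in calls:
        status, data = send(host, method, path, body, auth_header, cafile=cafile)
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        if method == "GET":
            save_partition_identity(data, out_path)   # file for 'stc parr -f'
        elif method == "POST" and not registration_succeeded(data, label):
            raise RuntimeError("client registration did not echo the label")
```

After setup_stc_rest returns, the remaining client-side commands are the ones in the recipe: 'lunacm -q stc parr -f <out_path> -l <anyName>' and then 'stc e'. The strict base64 decode and the label echo check are the two places where a bad response would otherwise be accepted silently.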
Step 6: Enable
Run lunacm -q stc e -i 0 -f
Example:
lunacm:> stc e -i 0
You are about to enable STC to server 172.20.9.22.
This will initiate an automatic restart of this application. All sessions
logged in through the application will be closed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Successfully enabled STC to connect to server 172.20.9.22.
Command Result : No Error