Setting up STC

This recipe will describe how to set up STC. It is assumed that you have already exchanged certs with the appliance. For a recipe on how to exchange certificates with the appliance see Setting up NTLS.

This recipe requires both Admin API authentication and HSM API authentication.


Step 1: Initialize client token and create identity

Step 2: Set HSM policy

Step 3: Register client

Step 4: Export and register partition

Step 5: Set partition policy

Step 6: Enable


Step 1: Initialize client token and create identity

To initialize the client token, run lunacm -q stc tki -l <clientName> -f, where <clientName> is the name of the client you wish to use.

Example:
lunacm:> stc tki -l myClient -f
Successfully initialized the client token.
Command Result : No Error

To create the client identity, run 'lunacm -q stc idc -l <clientName> -f', replacing <clientName> with the name used above.

Example:
lunacm:> stc idc -l myClient -f
Client identity myClient successfully created and exported to file C:\Program Files\SafeNet\LunaClient\data\client_identities\myClient
Command Result : No Error


Step 2: Set HSM policy

To set the HSM policy, PUT to /api/lunasa/hsms/<HSM_Serial>/policies/39 with the value of 1.

Example:
----------------Request----------------
URL:
PUT:/api/lunasa/hsms/155532/policies/39
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"value": 1}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/policies/39', 'content-length': '0', 'access-control-allow-credentials': 'true'}
Data:
""


Step 3: Register client

To register a client, the identity file created in Step 1 must be encoded using base64. Once complete, it may be uploaded using a POST to /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/stc/clients including the base64 identity and label.

Example:
----------------Request----------------
URL:
POST:/api/lunasa/hsms/155532/partitions/362126088871/stc/clients
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"identity": "U2FmZU5ldFN0Y0NsaWVudElkZW<.............>FVCTElDIEtFWS0tLS0tCg==", "label": "testClient"}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/partitions/362126088871/stc/clients/testClient', 'content-length': '23', 'access-control-allow-credentials': 'true'}
Data:
{"client": "testClient"}


Step 4: Export and register partition

To export the partition, GET /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/stc, base64-decode the publicKey value from the response and save it to a file, e.g. "myPartition".

Example:
----------------Request----------------
URL:
GET:/api/lunasa/hsms/155532/partitions/362126088871/stc
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'content-length': '1037', 'access-control-allow-credentials': 'true'}
Data:
{"activationTimeout": 120, "clients": "/api/lunasa/hsms/155532/partitions/362126088871/stc/clients", "ciphers": "/api/lunasa/hsms/155532/partitions/362126088871/stc/ciphers", "publicKey": "U2FmZU5ldFN0<...................................>tLS0tLQo=","fingerprint": "81f23180aad8d29b66d8a9285ceb5638ea923984", "replayWindow": 120, "hmacs": "/api/lunasa/hsms/155532/partitions/362126088871/stc/hmacs", "rekeyThreshold": 400}

The next step is to register the partition: run 'lunacm -q stc parr -f <fileCreatedInLastStep> -l <anyName>'.

Example:
lunacm:> stc parr -f 362126088871 -l myPartition
Partition identity 362126088871 successfully registered.
Command Result : No Error


Step 5: Set partition policy

To set the partition policy, PUT to /api/lunasa/hsms/<HSM_Serial>/partitions/<Partition_Serial>/policies/37 with the value of 1.

Example:
----------------Request----------------
URL:
PUT:/api/lunasa/hsms/155532/partitions/362126088871/policies/37
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"value": 1}
----------------Result----------------
Headers:
{'access-control-allow-origin': '*', 'content-type': 'application/json', 'location': '/api/lunasa/hsms/155532/partitions/362126088871/policies/37', 'content-length': '0', 'access-control-allow-credentials': 'true'}
Data:
""


Step 6: Enable

Run 'lunacm -q stc e -i 0 -f'.

Example:
lunacm:> stc e -i 0
You are about to enable STC to server 172.20.9.22.
This will initiate an automatic restart of this application. All sessions
logged in through the application will be closed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Successfully enabled STC to connect to server 172.20.9.22.
Command Result : No Error
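The REST half of this recipe (Steps 2 to 5) as one scripted pass, added here as an example; it is not code from the original recipe or from the vendor. It uses the Admin API paths and Content-Type shown above; the `transport` callable is an assumption standing in for an already authenticated HTTP session and returns (http_status, response_body_text).

```python
"""REST half of the STC recipe (Steps 2 to 5) in one pass.

Added example, not vendor code. `transport(method, path, headers, body)` is an
assumed stand-in for an authenticated Admin API / HSM API session and must
return (http_status, response_body_text)."""
import base64
import json

CONTENT_TYPE = "application/vnd.safenetinc.lunasa+json;version=3"
HSM_STC_POLICY = 39        # HSM policy id from Step 2
PARTITION_STC_POLICY = 37  # partition policy id from Step 5

def encode_identity(identity_bytes):
    """Step 3: the identity file written by 'stc idc' is sent base64-encoded, as text."""
    return base64.b64encode(identity_bytes).decode("ascii")

def decode_partition_public_key(stc_response):
    """Step 4: publicKey comes back base64-encoded; return the raw bytes to write
    to the file that 'stc parr -f' reads, plus the fingerprint the HSM reported."""
    key = base64.b64decode(stc_response["publicKey"], validate=True)
    return key, stc_response["fingerprint"]

def stc_requests(hsm_serial, partition_serial, identity_b64, label):
    """Ordered (method, path, payload) tuples for Steps 2, 3, 4 and 5."""
    hsm = f"/api/lunasa/hsms/{hsm_serial}"
    part = f"{hsm}/partitions/{partition_serial}"
    return [
        ("PUT", f"{hsm}/policies/{HSM_STC_POLICY}", {"value": 1}),
        ("POST", f"{part}/stc/clients", {"identity": identity_b64, "label": label}),
        ("GET", f"{part}/stc", {}),
        ("PUT", f"{part}/policies/{PARTITION_STC_POLICY}", {"value": 1}),
    ]

def run(transport, hsm_serial, partition_serial, identity_bytes, label):
    """Send the four requests in order and stop at the first non-2xx response.
    Returns (partition_public_key_bytes, fingerprint) for the lunacm side."""
    headers = {"Content-Type": CONTENT_TYPE}
    identity_b64 = encode_identity(identity_bytes)
    result = None
    for method, path, payload in stc_requests(hsm_serial, partition_serial, identity_b64, label):
        status, body = transport(method, path, headers, json.dumps(payload))
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {body}")
        if method == "GET":
            result = decode_partition_public_key(json.loads(body))
    return result
```

Write the returned key bytes to the file you pass to 'stc parr -f'; the lunacm steps (1, 4b and 6) still run on the client itself.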