salogin
Cryptographic applications that are not specifically adapted to use an HSM Server can be run using SafeNet Luna HSMs, with the aid of the salogin utility. This section provides the settings required for some widely-used applications.
The salogin client-side utility is provided to assist clients that do not include the requisite HSM login and logout capability within the client application. OpenSSL, for example, can be used with HSMs, but has no inherent ability to provide credentials to the HSM.
NOTE The salogin utility does not work with STC-enabled slots. If you require salogin with your applications, you must use NTLS client links.
Using salogin
Run the utility from a shell or command prompt, or include it in scripts.
Syntax
salogin {-o | -c} [-p <password>] [-s <slot> | -l <label>] [-i <hi:lo>] [-u] [-r <server_IP>] [-q <port>] [-v] [-h]
| Argument(s) | Description |
|---|---|
| -c | Close application access. |
| -h | Display this help. |
| -i <hi:lo> | Specifies the application ID high and low components. |
| -l <label> | Specifies the partition label. Include either -l or -s to specify the desired partition. |
|
-o |
Open application access. |
| -p <password> | Specifies the challenge password - if a challenge password exists and this argument is not included, login will not be performed. |
| -q <port> |
Specifies the remote PED server port. Default: 1503 |
| -r <server_IP> | Specifies the remote PED server IP. |
| -s <slot> |
Specifies the slot ID number. Include either -l or -s to specify the desired partition. Default: 0 |
| -u | Specifies that login should be performed as the Crypto User. If this argument is not included, the Crypto Officer will be logged in. |
| -v | Show verbose logs. |
Examples
salogin -o -s 1 -i 1:1
# open a persistent application connection
# on slot 1 with app id 1:1
salogin -o -s 1 -i 1:1 -p HT7bHTHPRp/4/Cdb
# open a persistent application connection
# and login with Luna HSM challenge
salogin -c -s 1 -i 1:1
# close persistent application connection 1:1
# on slot 1
Attempting to use salogin on an STC-enabled slot
lunacm:>slot list
Slot Id -> 0
Label -> stc_ppso
Serial Number -> 1213429268189
Model -> LunaSA
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Current Slot Id: 0
Command Result : No Error
lunacm:>stc status
Enabled: Yes
Status: Connected
Channel ID: 3
Cipher Name: AES 256 Bit with Cipher Block Chaining
HMAC Name: HMAC with SHA 512 Bit
Command Result : No Error
lunacm:>stc identityshow
Client Identity Name: mySTCclientID
Public Key SHA1 Hash: 58feec48e485762c39a8c32f94cf535bf545699e
List of Registered Partitions:
Partition Identity Partition Partition Public Key SHA1 Hash
Label Serial Number
________________________________________________________________________________
par1 1213429268189 d4d4d65d281fd17580c56ddf09439c79c466a09a
Command Result : No Error
lunacm:>clientconfig listservers
Server ID Server Channel HTL Required
__________________________________________________________________
0 192.20.11.184 STC no
Command Result : No Error
lunacm:>exit
# ./salogin -o -s 0 -i 1:1 -p userpin
CA_OpenApplicationID: failed to open application id. err 0x80000030
token not present or app id already open?
Other Options
For Java applications, consider using the KeyStore interface. It is internally consistent with the service provider interface defined by SUN/Oracle and does not require any proprietary code or applications.
If you are using an integration that does not refer to a KeyStore then the salogin utility might be required. You are then limited to working with one partition. The utility will work with any SafeNet HSM, as long as it is visible to the client at the time the library is initialized.
