REST API  8.0.0
REST API for SafeNet Luna Network HSMs
Indirect Login

The indirect login capability allows you to use one SafeNet Luna Network HSM to provide login credentials for a group of others. This can be useful when you need to configure multiple HSMs. The instructions below will allow you to configure indirect login.

In the examples below, "adminHSMid" refers to the serial number of the HSM that holds the private key used for indirect login, and "serviceHSMid" is the serial number of the HSM being configured.

Setting Up Indirect Login

  1. Log in to an application partition on adminHSMid as the crypto officer ("co").
  2. Export the public key to be used for indirect login.
    GET
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/key
    
    Output:
    {
      "exponent": "AQAB",
      "modulus": "tGHiZBb/Ou+VVutU/I9XZhvF410zw307r+..."
    }
    
  3. Log in to serviceHSMid as HSM SO ("so").
  4. Load the indirect login public key onto the service HSM.
    POST
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/key
    {
      "exponent":"<as above>",
      "modulus":"<as above>"
    }
    
    Output:
    {
      'Access-Control-Allow-Origin': '*',
      'Content-Type': 'application/json',
      'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges',
      'Content-Length': '{length}',
      'Access-Control-Allow-Credentials': 'true'
    }
    
  5. Log out of serviceHSMid.

Using Indirect Login

  1. Log in to serviceHSMid as HSM SO ("so").
  2. Get the token wrapping certificate required for indirect login.
    GET
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/certificate
    
    Output:
    {
      "certificate": "AwAAADCCBAswggHzoAMCAQICAQAwDQYJKoZ..."
    }
    
  3. Request an indirect login challenge from serviceHSMid, supplying the certificate obtained in the previous step.
    POST
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/challenges
    {
      "role":"so",
      "ped":"1",
      "certificate":"<as above>"
    }
    
    Output:
    {
      'Access-Control-Allow-Origin': '*',
      'Content-Type': 'application/json',
      'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}',
      'Content-Length': '{length}',
      'Access-Control-Allow-Credentials': 'true'
    }
    {
      "challenge": "AAEAAHlUqZ5blhyvdl/bW9EqXwY9xwlVA..."
    }
    
    Note: This object is persistent for the duration of the session. There is no GET indirect/challenges to obtain a list of objects. The challenge can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}.
  4. Get the indirect login response required by serviceHSMid from a user partition on adminHSMid.
    POST
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/responses
    {
      "challenge":"<as above>"
    }
    
    Output:
    {
      'Access-Control-Allow-Origin': '*',
      'Content-Type': 'application/json',
      'Location': '/api/lunasa/hsms/{adminHSMid}/indirect/responses/{responseid}',
      'Content-Length': '{length}',
      'Access-Control-Allow-Credentials': 'true'
    }
    {
      "response": "GZvvxqRYqk6LD3fRKm6MtikoBLjUOsgfMdclectEvoo="
    }
    
    Note: This object is persistent for the duration of the session. There is no GET indirect/responses to obtain a list of objects. The response can be retrieved with a GET on the Location returned above, /api/lunasa/hsms/{adminHSMid}/indirect/responses/{responseid}.
  5. Use the challenge response to log in to serviceHSMid.
    POST
    https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/login
    {
      "response":"<as above>"
    }
    
    Output:
    {
      'Access-Control-Allow-Origin': '*',
      'Content-Type': 'application/json',
      'Location': '/api/lunasa/hsms/{adminHSMid}/roles/{roleid}',
      'Content-Length': '{length}',
      'Access-Control-Allow-Credentials': 'true'
    }
    
    You are now logged into serviceHSMid as the Security Officer ("so").
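The following script is an added example written for this page; it is not SafeNet's code and not part of the Luna REST API documentation. It drives both procedures above (setup, then per-session use) through the endpoint paths the page lists, in the order the page gives. Everything else is an assumption: the client is handed a transport callable `send(method, url, body) -> (status, headers, body)` that is expected to already carry the co/so session (cookies or tokens from the page's "Log in as ..." steps, which the page does not show); the HTTP status codes (201/403/401) and the `make_fake_transport` stand-in, which models the challenge/response as a SHA-256 of the challenge and returns constructed values, exist only so the flow runs offline and do not reflect Luna firmware behaviour. What the fake does enforce is the dependency the two procedures imply: a challenge cannot be issued on serviceHSMid until the admin HSM's public key has been loaded, and a login with a response that does not match an outstanding challenge is refused.

```python
import base64
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Transport assumed by this example: (method, url, json body) -> (status, headers, json body).
# Bind it to requests/urllib for a real appliance; the fake below stands in for offline runs.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Dict[str, str], dict]]


class LunaIndirectLogin:
    """Client for the indirect login endpoints listed above (paths taken from the page)."""

    def __init__(self, base_url: str, send: Transport):
        self.base = base_url.rstrip("/")
        self.send = send

    def _call(self, method, path, body=None):
        status, headers, data = self.send(method, self.base + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return headers, data

    # Setting Up Indirect Login: co session on adminHSMid, then so session on serviceHSMid.
    def export_indirect_key(self, admin_id, partition_id):
        _, data = self._call("GET", f"/api/lunasa/hsms/{admin_id}/partitions/{partition_id}/indirect/key")
        return {"exponent": data["exponent"], "modulus": data["modulus"]}

    def load_indirect_key(self, service_id, key):
        headers, _ = self._call("POST", f"/api/lunasa/hsms/{service_id}/indirect/key", key)
        return headers["Location"]

    # Using Indirect Login: so session on serviceHSMid, steps 2-5 in order.
    def get_wrapping_certificate(self, admin_id):
        _, data = self._call("GET", f"/api/lunasa/hsms/{admin_id}/certificate")
        return data["certificate"]

    def create_challenge(self, service_id, certificate, role="so", ped="1"):
        headers, data = self._call("POST", f"/api/lunasa/hsms/{service_id}/indirect/challenges",
                                   {"role": role, "ped": ped, "certificate": certificate})
        return headers["Location"], data["challenge"]

    def create_response(self, admin_id, partition_id, challenge):
        headers, data = self._call("POST", f"/api/lunasa/hsms/{admin_id}/partitions/{partition_id}/indirect/responses",
                                   {"challenge": challenge})
        return headers["Location"], data["response"]

    def login_with_response(self, service_id, response):
        headers, _ = self._call("POST", f"/api/lunasa/hsms/{service_id}/login", {"response": response})
        return headers["Location"]

    def indirect_login(self, admin_id, partition_id, service_id, role="so"):
        """Full 'Using Indirect Login' sequence; returns the Location header of the login reply."""
        cert = self.get_wrapping_certificate(admin_id)
        _, challenge = self.create_challenge(service_id, cert, role=role)
        _, response = self.create_response(admin_id, partition_id, challenge)
        return self.login_with_response(service_id, response)


def http_status_of_failure(action) -> Optional[int]:
    """Run a client call; return the HTTP status it failed with, or None if it succeeded."""
    try:
        action()
        return None
    except RuntimeError as exc:
        return int(str(exc).rsplit("HTTP ", 1)[1])


def make_fake_transport(admin_id="ADMIN1", service_id="SVC1", partition_id="p1"):
    """Constructed in-memory stand-in for both HSMs (assumed behaviour, not Luna firmware).
    The response is modelled as SHA-256 of the challenge so the flow is observable; the fake
    enforces only the documented ordering: no challenges before the key is loaded, and a
    login is refused unless the response matches an outstanding challenge."""
    state = {"key": None, "challenges": {}, "responses": {}, "calls": []}
    cors = {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"}
    b64sha = lambda s: base64.b64encode(hashlib.sha256(s.encode()).digest()).decode()
    hsm = "/api/lunasa/hsms"

    def send(method, url, body):
        path = "/" + url.split("://", 1)[-1].split("/", 1)[1]   # drop scheme and host
        state["calls"].append((method, path))
        if (method, path) == ("GET", f"{hsm}/{admin_id}/partitions/{partition_id}/indirect/key"):
            return 200, cors, {"exponent": "AQAB", "modulus": "constructed-modulus"}
        if (method, path) == ("POST", f"{hsm}/{service_id}/indirect/key"):
            state["key"] = body
            return 201, {**cors, "Location": f"{hsm}/{service_id}/indirect/challenges"}, {}
        if (method, path) == ("GET", f"{hsm}/{admin_id}/certificate"):
            return 200, cors, {"certificate": "constructed-certificate"}
        if (method, path) == ("POST", f"{hsm}/{service_id}/indirect/challenges"):
            if state["key"] is None:
                return 403, cors, {"error": "indirect login key not loaded"}
            cid = str(len(state["challenges"]) + 1)
            state["challenges"][cid] = b64sha(f"{cid}:{body['role']}:{body['certificate']}")
            return 201, {**cors, "Location": f"{path}/{cid}"}, {"challenge": state["challenges"][cid]}
        if (method, path) == ("POST", f"{hsm}/{admin_id}/partitions/{partition_id}/indirect/responses"):
            rid = str(len(state["responses"]) + 1)
            state["responses"][rid] = b64sha(body["challenge"])
            return 201, {**cors, "Location": f"{path}/{rid}"}, {"response": state["responses"][rid]}
        if (method, path) == ("POST", f"{hsm}/{service_id}/login"):
            if body.get("response") not in {b64sha(c) for c in state["challenges"].values()}:
                return 401, cors, {"error": "challenge response rejected"}
            return 200, {**cors, "Location": f"{hsm}/{service_id}/roles/so"}, {}
        return 404, cors, {"error": "unknown endpoint"}

    return send, state


if __name__ == "__main__":
    send, state = make_fake_transport()
    client = LunaIndirectLogin("https://LUNAIPADDRESS:PORT", send)
    print("login before setup ->", http_status_of_failure(lambda: client.indirect_login("ADMIN1", "p1", "SVC1")))
    client.load_indirect_key("SVC1", client.export_indirect_key("ADMIN1", "p1"))
    print("login after setup  ->", client.indirect_login("ADMIN1", "p1", "SVC1"))
```

The client keeps the two procedures as separate method groups on purpose: the key export and load run once per service HSM and require two different sessions (co on the admin HSM, so on the service HSM), while `indirect_login` is what a provisioning script repeats per session. Note that the challenge and response objects persist for the session, so a script that aborts midway should re-request a challenge rather than reuse the old Location.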