Authentication
This section contains the following information about authenticating to the webserver on the Luna Network HSM appliance using the REST API:
- Sessions
- Basic Authorization
- Certificate-Based Authorization
Sessions
REST API sessions store valuable information required to use the service. Two types of sessions are available:
User Sessions: This is the default session type, used for basic authorization. User sessions do not require a session header. They are shared with all clients of the same user and are, therefore, granted limited access to resources.
Private Sessions: These are created using a resource (see POST /auth/session). Private sessions can only be used by the user who created them.
Basic Authorization
To use basic authorization, you must include the following in the Authorization header:
- the keyword Basic
- a base64-encoded blob containing your colon-separated appliance username and password
Example: base64(admin:password123)
Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=
Certificate-Based Authorization
Certificate-based authorization requires you to upload a user certificate and perform a login handshake.
1. Log in to the appliance with your username and password.
2. Upload the certificate for the specified user. Replace the newline characters within the certificate string with \n escape sequences, as shown in the request body.
POST
https://LUNAIPADDRESS:PORT/users/{userid}/certificates
{"certificate": "-----BEGIN CERTIFICATE-----\n...{certificate}...\n-----END CERTIFICATE-----\n"}
3. Generate a challenge for the user by specifying the username and the client public certificate.
POST
https://LUNAIPADDRESS:PORT/auth/login/challenge
{
"username": "{username}",
"certificate": "-----BEGIN CERTIFICATE-----\n...{certificate}...\n-----END CERTIFICATE-----\n"
}
The webserver responds with two base64-encoded parameters: the cryptographic challenge and a nonce.
4. Decode the challenge and the nonce from base64.
5. Decrypt the decoded challenge using the client private key.
6. XOR the decrypted challenge with the decoded nonce. The result is the plaintext challenge answer.
7. Encrypt the answer with the webserver's public key. The result is the challenge response expected by the server.
8. Encode the challenge response to base64 so that it can be transmitted via the REST API.
9. Answer the challenge by posting the base64-encoded challenge response.
POST
https://LUNAIPADDRESS:PORT/auth/login/basic
{"challengeResponse": "{challenge_response}"}
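The client side of steps 3 to 9, together with the Authorization header value from the basic authorization section and the certificate request body from step 2, as a worked example added here; it is not code from Thales or from the Luna REST API documentation. The appliance webserver is replaced by an in-process stand-in so the whole exchange runs offline. The page does not name the algorithms, so the RSA key type, the OAEP padding, the equal length of challenge and nonce, the 32-byte challenge size and every function and class name are this example's assumptions.

```python
"""Luna REST API certificate login handshake, client side plus a simulated webserver.

Added example, not Thales' code. Assumptions (not stated on the page): RSA keys on
both sides, RSA-OAEP/SHA-256 padding, challenge and nonce of equal length.
"""
import base64
import json
import secrets

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed padding scheme; the page only says "encrypt"/"decrypt".
RSA_PADDING = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                           algorithm=hashes.SHA256(), label=None)


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for basic authorization: 'Basic ' + base64(user:password)."""
    blob = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {blob}"


def certificate_body(pem_text: str) -> str:
    """Body for POST /users/{userid}/certificates (step 2).

    json.dumps escapes the PEM's newlines as \\n, which is the replacement step 2 asks for.
    """
    return json.dumps({"certificate": pem_text})


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; step 6 needs the challenge and nonce to be the same length."""
    if len(a) != len(b):
        raise ValueError("challenge and nonce must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def answer_challenge(challenge_b64: str, nonce_b64: str, client_private_key, server_public_key) -> str:
    """Steps 4 to 8: turn the server's challenge and nonce into the base64 challengeResponse."""
    challenge = base64.b64decode(challenge_b64)                      # step 4
    nonce = base64.b64decode(nonce_b64)
    decrypted = client_private_key.decrypt(challenge, RSA_PADDING)   # step 5
    answer = xor_bytes(decrypted, nonce)                             # step 6
    response = server_public_key.encrypt(answer, RSA_PADDING)        # step 7
    return base64.b64encode(response).decode()                       # step 8


def login_body(challenge_response_b64: str) -> str:
    """Body for POST /auth/login/basic (step 9)."""
    return json.dumps({"challengeResponse": challenge_response_b64})


class SimulatedWebserver:
    """Constructed stand-in for the appliance webserver, not the real service.

    It issues a challenge for an enrolled client public key and checks the answer.
    """

    def __init__(self, size: int = 32):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._key.public_key()
        self._size = size
        self._expected = b""

    def challenge(self, client_public_key) -> dict:
        secret = secrets.token_bytes(self._size)   # plaintext answer the client must recover
        nonce = secrets.token_bytes(self._size)
        self._expected = secret
        # Only the holder of the enrolled private key can undo this encryption (step 5).
        encrypted = client_public_key.encrypt(xor_bytes(secret, nonce), RSA_PADDING)
        return {"challenge": base64.b64encode(encrypted).decode(),
                "nonce": base64.b64encode(nonce).decode()}

    def verify(self, body_json: str) -> bool:
        response = base64.b64decode(json.loads(body_json)["challengeResponse"])
        try:
            answer = self._key.decrypt(response, RSA_PADDING)
        except ValueError:
            return False   # malformed or wrongly encrypted response
        return secrets.compare_digest(answer, self._expected)


def simulate_login() -> bool:
    """Full round trip with freshly generated client and server keys."""
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    server = SimulatedWebserver()
    issued = server.challenge(client_key.public_key())
    response = answer_challenge(issued["challenge"], issued["nonce"], client_key, server.public_key)
    return server.verify(login_body(response))


def simulate_wrong_key_login() -> bool:
    """A client that lacks the enrolled private key cannot produce a valid answer."""
    enrolled_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    server = SimulatedWebserver()
    issued = server.challenge(enrolled_key.public_key())
    try:
        response = answer_challenge(issued["challenge"], issued["nonce"], other_key, server.public_key)
    except ValueError:
        return False   # decryption with the wrong key fails outright
    return server.verify(login_body(response))


if __name__ == "__main__":
    print(basic_auth_header("admin", "password123"))
    print("login with enrolled key:", simulate_login())
    print("login with other key:", simulate_wrong_key_login())
```

The nonce is what makes the exchange fresh: the server never sends the bare answer, only the XOR of answer and nonce under the client's public key, so a replayed challenge response from an earlier login does not match the new expected value.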