Indirect Login
The indirect login capability allows you to use one Luna Network HSM to provide login credentials for a group of others. This can be useful when you need to configure multiple HSMs. The instructions below will allow you to configure indirect login.
As per the latest changes made in firmware 7.7.0, indirect login can be used in one of the following ways:
>Indirect Login on fw 7.4-and-older partitions
>Indirect Login on fw 7.7 partitions using key
>Indirect Login on fw 7.7 partitions using pkc
Indirect Login on FW 7.4-and-Older Partitions
In the examples below, adminHSMid refers to the serial number of the HSM (with appliance/firmware 7.7.0 and above) which contains the application partition (v0 or v1) that holds the private key used for indirect login, and serviceHSMid refers to the serial number of the HSM (with appliance/firmware 7.4.0 and below) which contains the administrator partition being configured.
Setting Up Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Export the public key to be used for indirect login.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/key?type=legacyKey
Output:
{
"exponent": "AQAB",
"modulus": "tGHiZBb/Ou+VVutU/I9XZhvF410zw307r+..."
}
3. Log out from the application partition on adminHSMid.
4. Log in to serviceHSMid as HSM SO (SO).
5. Load the indirect login public key onto the service HSM.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/key
{
"exponent":"<as above>",
"modulus":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
6. Log out of serviceHSMid.
Using Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Get the token wrapping certificate required for indirect login.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate?type=legacyKey
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"certificate": "AwAAADCCBAswggHzoAMCAQICAQAwDQYJKoZ..."
}
NOTE This object is persistent for the duration of the session. There is no GET partitions/{partitionid}/certificate to obtain a list of objects. The certificate can be retrieved with GET /api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}.
3. Get the indirect login challenge (certificate) from serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/challenges
{
"role":"so",
"ped":"1",
"certificate":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"challenge": "AAEAAHlUqZ5blhyvdl/bW9EqXwY9xwlVA..."
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/challenges to obtain a list of objects. The challenge can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}.
4. Get the indirect login response required by serviceHSMid from a user partition on adminHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/responses?type=legacyKey
{
"challenge":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/indirect/responses/{responseid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"response": "GZvvxqRYqk6LD3fRKm6MtikoBLjUOsgfMdclectEvoo="
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/responses to obtain a list of objects. The response can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/responses/{responseid}.
5. Use the challenge response to log in to serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/login
{
"response":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/roles/{roleid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
You are now logged into serviceHSMid as the Security Officer (SO).
Indirect Login on FW 7.7 Partitions Using Key
In the examples below, adminHSMid refers to the serial number of the HSM (with appliance/firmware 7.7.0 and above) which contains the application partition (v0 or v1) that holds the private key used for indirect login protocol v1.1, and serviceHSMid refers to the serial number of the HSM (with appliance/firmware 7.7.0 and above) which contains the administrator partition being configured.
NOTE Indirect Login V1.1 setup cannot be done on Partitions with Partition Version policy value set to 1.
Setting Up Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Export the public key to be used for indirect login v1.1.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/key?type=key
Output:
{
"exponent": "AQAB",
"modulus": "tGHiZBb/Ou+VVutU/I9XZhvF410zw307r+..."
}
3. Log out from the application partition on adminHSMid.
4. Log in to serviceHSMid as HSM SO (SO).
5. Load the indirect login public key onto the service HSM.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/key?type=key
{
"exponent":"<as above>",
"modulus":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
6. Log out of serviceHSMid.
Using Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Get the token wrapping certificate required for indirect login.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate?type=key
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"certificate": "AwAAADCCBAswggHzoAMCAQICAQAwDQYJKoZ..."
}
NOTE This object is persistent for the duration of the session. There is no GET partitions/{partitionid}/certificate to obtain a list of objects. The certificate can be retrieved with GET /api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}.
3. Get the indirect login challenge (certificate) from serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/challenges
{
"role":"so",
"ped":"1",
"certificate":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"challenge": "AAEAAHlUqZ5blhyvdl/bW9EqXwY9xwlVA..."
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/challenges to obtain a list of objects. The challenge can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}.
4. Get the indirect login response required by serviceHSMid from a user partition on adminHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/responses?type=key
{
"challenge":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/indirect/responses/{responseid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"response": "GZvvxqRYqk6LD3fRKm6MtikoBLjUOsgfMdclectEvoo="
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/responses to obtain a list of objects. The response can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/responses/{responseid}.
5. Use the challenge response to log in to serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/login
{
"response":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/roles/{roleid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
You are now logged into serviceHSMid as the Security Officer (SO).
Indirect Login on FW 7.7 Partition Using PKC
To make the Indirect Login operation eIDAS and CC compliant, the HA Login setup step has changed. The PKC (Public Key Confirmation) chain for the HA Login Private Key can now be extracted from the primary partition and passed as a parameter to initiate Indirect Login on a secondary partition. This provides some level of assurance that the HA Login Private Key resides in an HSM.
In the examples below, adminHSMid refers to the serial number of the HSM (with appliance/firmware 7.7.0 and above) which contains the application partition (v0 or v1) that holds the private key used for extracting public key confirmation (pkc) for indirect login protocol v2.0, and serviceHSMid refers to the serial number of the HSM (with appliance/firmware 7.7.0 and above) which contains the administrator partition (v0 or v1) being configured.
Setting Up Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Export the PKC chain to be used for indirect login.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/key?type=pkc
Output:
{
"pkcChain": "tGHiZBb/Ou+VVutU/I9XZhvF410zw307r+..."
}
3. Log out from the application partition on adminHSMid.
4. Log in to serviceHSMid as HSM SO (SO).
5. Load the indirect login PKC chain onto the service HSM to initialize the primary roles for HA Login.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/key?type=pkc
{
"roles":"so,co,cu,lco",
"pkcChain": "tGHiZBb/Ou+VVutU/I9XZhvF410zw307r+..."
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
6. Log out of serviceHSMid.
Using Indirect Login
1. Log in to an application partition on adminHSMid as the crypto officer (CO).
2. Get the token wrapping certificate required for indirect login.
GET
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate?type=pkc
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"certificate": "AwAAADCCBAswggHzoAMCAQICAQAwDQYJKoZ..."
}
NOTE This object is persistent for the duration of the session. There is no GET partitions/{partitionid}/certificate to obtain a list of objects. The certificate can be retrieved with GET /api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/certificate/{certificateid}.
3. Get the indirect login challenge (certificate) from serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/indirect/challenges
{
"role":"so",
"ped":"1",
"certificate":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"challenge": "AAEAAHlUqZ5blhyvdl/bW9EqXwY9xwlVA..."
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/challenges to obtain a list of objects. The challenge can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/challenges/{challengeid}.
4. Get the indirect login response required by serviceHSMid from a user partition on adminHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{adminHSMid}/partitions/{partitionid}/indirect/responses?type=pkc
{
"challenge":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/indirect/responses/{responseid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
{
"response": "GZvvxqRYqk6LD3fRKm6MtikoBLjUOsgfMdclectEvoo="
}
NOTE This object is persistent for the duration of the session. There is no GET indirect/responses to obtain a list of objects. The response can be retrieved with GET /api/lunasa/hsms/{serviceHSMid}/indirect/responses/{responseid}.
5. Use the challenge response to log in to serviceHSMid.
POST
https://LUNAIPADDRESS:PORT/api/lunasa/hsms/{serviceHSMid}/login
{
"response":"<as above>"
}
Output:
{
'Access-Control-Allow-Origin': '*',
'Content-Type': 'application/json',
'Location': '/api/lunasa/hsms/{adminHSMid}/roles/{roleid}',
'Content-Length': '{length}',
'Access-Control-Allow-Credentials': 'true'
}
You are now logged into serviceHSMid as the Security Officer (SO).
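The three procedures on this page (FW 7.4-and-older with type=legacyKey, FW 7.7 with type=key, and FW 7.7 with type=pkc) differ only in the type query parameter and in the body of the POST that loads the key on serviceHSMid, so the following added example drives all three from one client. It is not Thales code and not part of this reference. It assumes the caller already holds a REST session in which the role logins of steps 1, 3, 4 and 6 (CO on the adminHSMid partition, SO on serviceHSMid) have been performed; those endpoints are not shown on this page. The names urllib_transport, IndirectLoginClient and FakeLunaPair, and the serial numbers and partition ids used, are my own. FakeLunaPair is a constructed stand-in for the two HSMs so the flow runs offline: it replaces the real signed challenge/response with a hash over the challenge and the loaded key material, which is enough to show the property that matters operationally, namely that serviceHSMid only opens the role when the response was produced by the key it was loaded with.

```python
# Added example, not Thales code: walks the indirect login flow from this page
# over the Luna REST API for any of the three key types. Assumes the transport
# already carries a session in which the CO/SO role logins (steps 1, 3, 4, 6)
# have been performed; those endpoints are not shown on the page.
import base64
import hashlib
import json
import os
import urllib.request

KEY_TYPES = ("legacyKey", "key", "pkc")


def urllib_transport(method, url, body):
    """Real transport: (method, url, json body or None) -> (status, headers, json).
    Assumption: TLS trust and session cookies come from an opener the caller installed."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else {})


class IndirectLoginClient:
    def __init__(self, base_url, transport, key_type):
        if key_type not in KEY_TYPES:
            raise ValueError(f"key_type must be one of {KEY_TYPES}")
        self.base = base_url.rstrip("/") + "/api/lunasa/hsms"
        self.transport, self.key_type = transport, key_type

    def _call(self, method, path, body=None):
        status, headers, data = self.transport(method, self.base + path, body)
        if status >= 400:  # a rejected challenge response must stop the flow, not be ignored
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return headers, data

    def setup(self, admin_hsm, partition, service_hsm, roles="so,co,cu,lco"):
        """'Setting Up Indirect Login', steps 2 and 5: export from adminHSMid, load on serviceHSMid."""
        _, exported = self._call("GET", f"/{admin_hsm}/partitions/{partition}/indirect/key?type={self.key_type}")
        if self.key_type == "pkc":
            path, body = f"/{service_hsm}/indirect/key?type=pkc", {"roles": roles, "pkcChain": exported["pkcChain"]}
        else:  # the legacy POST carries no type parameter; v1.1 adds ?type=key
            path = f"/{service_hsm}/indirect/key" + ("?type=key" if self.key_type == "key" else "")
            body = {"exponent": exported["exponent"], "modulus": exported["modulus"]}
        headers, _ = self._call("POST", path, body)
        return headers.get("Location")

    def login(self, admin_hsm, partition, service_hsm, role="so", ped="1"):
        """'Using Indirect Login', steps 2 to 5. Returns the Location of the opened role."""
        _, cert = self._call("GET", f"/{admin_hsm}/partitions/{partition}/certificate?type={self.key_type}")
        _, chal = self._call("POST", f"/{service_hsm}/indirect/challenges",
                             {"role": role, "ped": ped, "certificate": cert["certificate"]})
        _, resp = self._call("POST", f"/{admin_hsm}/partitions/{partition}/indirect/responses?type={self.key_type}",
                             {"challenge": chal["challenge"]})
        headers, _ = self._call("POST", f"/{service_hsm}/login", {"response": resp["response"]})
        return headers.get("Location")


class FakeLunaPair:
    """Constructed offline stand-in for adminHSMid and serviceHSMid. The real protocol
    signs the challenge with the partition's private key; here the 'response' is
    SHA-256(challenge || key material), enough to show that serviceHSMid only accepts
    a response matching the key it was loaded with."""
    def __init__(self, admin_hsm, service_hsm):
        self.admin, self.service = admin_hsm, service_hsm
        self.pub = {"exponent": "AQAB", "modulus": base64.b64encode(os.urandom(32)).decode()}
        self.pkc = base64.b64encode(b"pkc-" + os.urandom(16)).decode()
        self.loaded = self.challenge = self.pending_role = self.logged_in_role = None

    @staticmethod
    def _respond(challenge, material):
        return base64.b64encode(hashlib.sha256(f"{challenge}|{material}".encode()).digest()).decode()

    def __call__(self, method, url, body):
        path, _, query = url.split("/api/lunasa/hsms", 1)[1].partition("?")
        ktype = query.partition("=")[2] or None
        parts = path.strip("/").split("/")
        hsm, leaf = parts[0], parts[-1]
        hdr = {"Content-Type": "application/json"}
        loc = lambda tail: {**hdr, "Location": f"/api/lunasa/hsms/{hsm}/{tail}"}
        if hsm == self.admin and leaf == "key" and method == "GET":
            return 200, hdr, {"pkcChain": self.pkc} if ktype == "pkc" else dict(self.pub)
        if hsm == self.service and leaf == "key" and method == "POST":
            self.loaded = body.get("pkcChain") or body.get("modulus")
            return 201, loc("indirect/challenges"), {}
        if hsm == self.admin and leaf == "certificate":
            return 201, loc("certificate/1"), {"certificate": base64.b64encode(b"cert").decode()}
        if hsm == self.service and leaf == "challenges":
            self.challenge, self.pending_role = base64.b64encode(os.urandom(16)).decode(), body["role"]
            return 201, loc("indirect/challenges/1"), {"challenge": self.challenge}
        if hsm == self.admin and leaf == "responses":
            material = self.pkc if ktype == "pkc" else self.pub["modulus"]
            return 201, loc("indirect/responses/1"), {"response": self._respond(body["challenge"], material)}
        if hsm == self.service and leaf == "login":
            if self.loaded is None or self.challenge is None or body["response"] != self._respond(self.challenge, self.loaded):
                return 403, hdr, {"error": "challenge response does not verify against the loaded key"}
            self.logged_in_role, self.challenge = self.pending_role, None  # a challenge is answered once
            return 200, loc(f"roles/{self.logged_in_role}"), {}
        return 404, hdr, {}
```

Against a real appliance, pass urllib_transport (after installing an opener that holds the session cookie and trusts the appliance certificate) and the serial numbers from the page's placeholders in place of FakeLunaPair; setup() is run once per service HSM and login() each time a role is needed. The client raises on any 4xx/5xx, so a login attempted before the key was loaded, or with a response produced by a different key type than the one loaded, fails loudly rather than appearing to succeed.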