Certificate-Based monitor Role Authentication
When operating a cluster in a service provider deployment, you may want to provide customers with some ability to see information about the cluster and its keyrings. The Luna Network HSM 7's monitor role allows limited access to this information via LunaSH or REST API. Luna Appliance Software 7.8.0 and newer allows a monitor user to access the available cluster information more securely, using certificate-based authentication. The following special procedure is required to perform certificate-based authentication for the monitor user to access cluster REST API resources.
To register the monitor user's certificate to the cluster REST API
1. Get the cluster CA certificate (ca_cert.pem) from the Luna Network HSM 7.
GET /?fcertName=ca_cert.pem
2. Generate an ECC private key and Certificate Signing Request (CSR) for the monitor user, or a custom user with a monitor role assigned. The following example uses openssl.
openssl ecparam -name secp384r1 -out secp384r1.pem
openssl req -sha256 -nodes -newkey ec:secp384r1.pem -keyout monitor_key.pem -out monitor_cert.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=Safenet-Inc/OU=Client/GN=monitor/CN=myclient"
3. Edit the CSR file to match the following example:
NOTE Replace all line breaks in the CSR string with newline characters: \n
{ "csr":"-----BEGIN CERTIFICATE REQUEST-----\n <certificate string>\n -----END CERTIFICATE REQUEST-----\n ", "clientLabel":"myLunaClient", "userName":"monitor" }
4. Register the modified client CSR to the cluster REST API on the appliance. If you are using Luna HSM Client 10.5.1 or newer, you can specify a user (monitor or a custom user with an assigned monitor role) to associate with this client.
POST /api/clusters/{clusterID}/clients
{ "data": { "csr":"-----BEGIN CERTIFICATE REQUEST-----\n <certificate string>\n -----END CERTIFICATE REQUEST-----\n ", "clientLabel":"myLunaClient", "userName":"monitor" } }
The signed client certificate is returned (monitor_cert.pem).
5. Edit the client certificate file to remove the first line, containing the client UUID string. Save the string elsewhere.
6. Convert the client UUID string to base64.
echo -n '13e2dc08-bebc-4f0f-96de-151c0184cddd' | base64
MTNlMmRjMDgtYmViYy00ZjBmLTk2ZGUtMTUxYzAxODRjZGRk
The base64 string is what the monitor role will use to authenticate this client to the cluster REST API, using the following format:
'Authorization: ApiKey MTNlMmRjMDgtYmViYy00ZjBmLTk2ZGUtMTUxYzAxODRjZGRk'
For example, use the following curl command to get the cluster label and UUID as the monitor user:
curl -X GET --resolve "lnh.thalesgroup.com:50070:1.2.3.4" "https://lnh.thalesgroup.com:50070/api/clusters/" -H 'Content-Type: application/json' -H "Authorization: ApiKey MTNlMmRjMDgtYmViYy00ZjBmLTk2ZGUtMTUxYzAxODRjZGRk" --cert monitor_cert.pem --key monitor_key.pem --cacert ca_cert.pem
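The steps above as an added example (not Thales code): a small Python helper that builds the registration body from a PEM CSR, splits the UUID line off the returned certificate, derives the ApiKey header, and performs the mutual-TLS request. The host name, port and file names are assumptions taken from the curl command; the sample response is constructed.

```python
import base64
import json
import ssl
import uuid
from urllib.request import Request, urlopen


def build_registration_body(csr_pem: str, client_label: str, user_name: str) -> str:
    """JSON body for POST /api/clusters/{clusterID}/clients (step 4).
    json.dumps escapes the real line breaks in the PEM as literal \\n,
    which is the form the NOTE in step 3 asks for."""
    if "BEGIN CERTIFICATE REQUEST" not in csr_pem:
        raise ValueError("not a PEM certificate signing request")
    data = {"csr": csr_pem, "clientLabel": client_label, "userName": user_name}
    return json.dumps({"data": data})


def split_signed_certificate(response_text: str) -> tuple:
    """Step 5: the first line of the returned file is the client UUID, the rest is
    the signed certificate. Returns (uuid_string, certificate_pem)."""
    first, _, cert_pem = response_text.strip().partition("\n")
    client_uuid = str(uuid.UUID(first.strip()))  # ValueError if not a UUID
    if not cert_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("unexpected certificate body after UUID line")
    return client_uuid, cert_pem + "\n"


def api_key_header(client_uuid: str) -> str:
    """Step 6: base64 of the raw UUID text, same as 'echo -n <uuid> | base64'."""
    token = base64.b64encode(client_uuid.encode("ascii")).decode("ascii")
    return f"ApiKey {token}"


def get_clusters(host, port, client_uuid, ca_cert, client_cert, client_key):
    """GET /api/clusters/ as the monitor user: ApiKey header plus mutual TLS with
    the signed client certificate, verifying the appliance against ca_cert.pem.
    Unlike curl --resolve, this relies on host resolving via DNS (assumption)."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    req = Request(f"https://{host}:{port}/api/clusters/",
                  headers={"Content-Type": "application/json",
                           "Authorization": api_key_header(client_uuid)})
    with urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample of the registration response: the UUID from the page on
# line one, followed by a placeholder (not a real) certificate body.
SAMPLE_RESPONSE = (
    "13e2dc08-bebc-4f0f-96de-151c0184cddd\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
)
```

Example call: `get_clusters("lnh.thalesgroup.com", 50070, client_uuid, "ca_cert.pem", "monitor_cert.pem", "monitor_key.pem")` after writing the certificate part of the response to monitor_cert.pem.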