REST API  14
REST API for Luna Network HSMs
PATCH /api/lunasa/webServer

Changes the configuration of the web server providing the REST API.

User Privileges

Users with the following role privileges can perform this command:

  • admin

Parameters

cipherList

cipherList is the set of ciphers that the REST API service accepts from applications requesting a connection to the web server. It is a subset of the ciphers known to the REST API service.

Use: Not Required

JSON Schema:

   Object
   type: string
   minLength: 1
   maxLength: 1024
   pattern: [a-zA-Z0-9-:_]

Note:

The REST API accepts a colon-separated cipher list.

By default, the REST API uses both TLS1.2 and TLS1.3. The TLS version can be changed by providing ciphers. The REST API supports the following TLS versions:

  1. Both TLS1.2 and TLS1.3
  2. TLS1.2 Only
  3. TLS1.3 Only

Supported Webserver Ciphers to support both TLS1.2 and TLS1.3

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256

Supported Webserver Ciphers to enable TLS1.2 individually

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256

Supported Webserver Ciphers to enable TLS1.3 individually

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

netDevice

netDevice is the interface to which the REST API service is bound. Valid interfaces for SA7 are: eth0, eth1, eth2, eth3, all, all_ipv4, bond0 and bond1 ("all" includes all IPv6 and IPv4 addresses). Valid interfaces for SA6 are: eth0, eth1, all and bond0 ("all" includes all IPv4 addresses).

Use: Not Required

JSON Schema:

   Object
   type: string
   minLength: 1
   maxLength: 8
   pattern: [a-z0-9_]

port

port is the logical end-point number reserved for the REST API service. The port must be within the range: 80 to 65535.

Use: Not Required

JSON Schema:

   Object
   type: integer
   minLength: 80
   maxLength: 65535

threads

threads is the number of simultaneous connections the REST API service supports. A small number of threads implies restricted administrative access to the appliance.

Use: Not Required

JSON Schema:

   Object
   type: integer
   minLength: 4
   maxLength: 64

corsOrigins

corsOrigins is the list that determines the Access-Control-Allow-Origin header of responses.

Use: Not Required

JSON Schema:

   Object
   type: array
       corsOrigins: Object
                      type: string

maxFileSize

maxFileSize is the maximum allowed size of files uploaded by a client. Changing maxFileSize may reset the web server and affect the timeout values of all existing or future sessions and connections. The unit of maxFileSize is kilobytes. The range is between 0 and 10000000.

Use: Not Required

JSON Schema:

   Object
   type: integer
   minLength: 1
   maxLength: 10000000

sessionTimeout

sessionTimeout is the maximum time for which a session remains alive. Changing sessionTimeout may reset the web server and affect the timeout values of all existing or future sessions and connections.

Use: Not Required

JSON Schema:

   Object
   type: integer
   minLength: 600
   maxLength: 1200

Responses

204

Success

400

APICONFIG_INVALID_CIPHERLIST

If the cipher list is not valid

APICONFIG_NO_CORS_ORIGIN

If the CORS origin has not been provided

APICONFIG_INVALID_CORS_ORIGIN

If the CORS origin is not valid

APICONFIG_INVALID_NETDEVICE

If the net device is not valid

APICONFIG_INVALID_PORT

If the port is not valid

APICONFIG_INTERNAL_ERROR

If an unexpected error has occurred

Example Request

   PATCH
   https://1.2.3.4:8443/api/lunasa/webServer
   {
      "netDevice" : "eth1",
      "port" : 8443,
      "corsOrigins" :["*"],
      "maxFileSize" : 1000000,
      "sessionTimeout" : 900
   }

Example Request to support both TLS1.2 and TLS1.3

   PATCH
   https://1.2.3.4:8443/api/lunasa/webServer
   {
      "cipherList" : "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256"
   }

Example Request to support TLS1.2 individually

   PATCH
   https://1.2.3.4:8443/api/lunasa/webServer
   {
      "cipherList" : "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256"
   }

Example Request to support TLS1.3 individually

   PATCH
   https://1.2.3.4:8443/api/lunasa/webServer
   {
      "cipherList" : "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
   }

Example Result

{
}

Notes

  • The web server must be explicitly restarted after setting or updating the ciphers through the REST API.
  • TLS1.3 ciphers must be manually enabled after upgrading to appliance software version 7.8.4 or later.
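
A request body can be checked offline against the ranges and cipher names documented on this page before it is sent. The Python code below is an added example, not part of the vendor documentation or the appliance software; the names tls_versions, review, RANGES and SA7_DEVICES are hypothetical, and the hardening policy it applies (flagging a wildcard CORS origin and TLS1.2 suites without ECDHE/DHE key exchange or without GCM) is this example's own assumption.

```python
# Added example: offline pre-flight check for a PATCH /api/lunasa/webServer body.
# Cipher names and ranges are copied from this page; the hardening policy is an assumption.
TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"]
TLS12 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:"
         "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:"
         "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256").split(":")
RANGES = {"port": (80, 65535), "threads": (4, 64), "sessionTimeout": (600, 1200)}
SA7_DEVICES = {"eth0", "eth1", "eth2", "eth3", "all", "all_ipv4", "bond0", "bond1"}


def tls_versions(cipher_list):
    """Return the TLS versions a colon-separated cipherList would enable."""
    names = cipher_list.split(":")
    unknown = [n for n in names if n not in TLS12 + TLS13]
    if not 1 <= len(cipher_list) <= 1024 or unknown:
        raise ValueError(f"cipherList rejected (length {len(cipher_list)}, unsupported {unknown})")
    return sorted({"TLS1.3" if n in TLS13 else "TLS1.2" for n in names})


def review(body):
    """Return findings for a request body (dict); an empty list means nothing was flagged."""
    findings = []
    for key, (low, high) in RANGES.items():
        if key in body and not (isinstance(body[key], int) and low <= body[key] <= high):
            findings.append(f"{key}: outside documented range {low}-{high}")
    if "netDevice" in body and body["netDevice"] not in SA7_DEVICES:
        findings.append("netDevice: not a documented SA7 interface")
    if "*" in body.get("corsOrigins", []):
        findings.append("corsOrigins: wildcard allows every web origin")
    if "cipherList" in body:
        try:
            tls_versions(body["cipherList"])
        except ValueError as err:
            findings.append(str(err))
    for name in body.get("cipherList", "").split(":"):
        if name in TLS12 and not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipherList: {name} uses static RSA key exchange (no forward secrecy)")
        elif name in TLS12 and "GCM" not in name:
            findings.append(f"cipherList: {name} is a CBC-mode suite")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's first example request plus two TLS1.2 suites.
    sample = {"netDevice": "eth1", "port": 8443, "corsOrigins": ["*"], "sessionTimeout": 900,
              "cipherList": "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256"}
    print(tls_versions(sample["cipherList"]), *review(sample), sep="\n")
```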

See Also

GET /api/lunasa/webServer