salogin

Cryptographic applications that are not specifically adapted to use an HSM Server can be run using Luna HSMs, with the aid of the salogin utility. This section provides the settings required for some widely-used applications.

The salogin client-side utility is provided to assist clients that do not include the requisite HSM login and logout capability within the client application. OpenSSL, for example, can be used with HSMs, but has no inherent ability to provide credentials to the HSM.

NOTE   The salogin utility does not work with STC-enabled slots. If you require salogin with your applications, you must use NTLS client links.

Using salogin

Run the utility from a shell or command prompt, or include it in scripts.

Syntax

salogin {-o | -c} [-a <applicationID>] [-p <password>] [-s <slot> | -l <label>] [-i <hi:lo>] [-u] [-r <server_IP>] [-q <port>] [-v] [-h]

Argument(s)          Description
-a <applicationID>   Specifies the application ID in hexadecimal format (1-32 characters).
-c                   Close application access.
-h                   Display this help.
-i <hi:lo>           Specifies the application ID high and low components. This option is deprecated and will be removed in a future update.
-l <label>           Specifies the partition label. Include either -l or -s to specify the desired partition.
-o                   Open application access.
-p <password>        Specifies the challenge password. If a challenge password exists and this argument is not included, login will not be performed.
-q <port>            Specifies the remote PEDserver port. Default: 1503
-r <server_IP>       Specifies the remote PEDserver IP.
-s <slot>            Specifies the slot ID number. Include either -l or -s to specify the desired partition. Default: 0
-u                   Specifies that login should be performed as the Crypto User. If this argument is not included, the Crypto Officer will be logged in.
-v                   Show verbose logs.

Examples

salogin -o -s 1 -i 1:1
# open a persistent application connection
# on slot 1 with app id 1:1

salogin -o -s 1 -i 1:1 -p HT7bHTHPRp/4/Cdb
# open a persistent application connection
# and login with Luna HSM challenge

salogin -c -s 1 -i 1:1
# close persistent application connection 1:1
# on slot 1

Attempting to use salogin on an STC-enabled slot

lunacm:>slot list

Slot Id ->              0
Label ->                stc_ppso
Serial Number ->        1213429268189
Model ->                LunaSA
Firmware Version ->     7.0.1
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Current Slot Id: 0

Command Result : No Error



lunacm:>stc status

Enabled:            Yes
Status:             Connected
Channel ID:         3
Cipher Name:        AES 256 Bit with Cipher Block Chaining
HMAC Name:          HMAC with SHA 512 Bit

Command Result : No Error



lunacm:>stc identityshow

Client Identity Name:          mySTCclientID
Public Key SHA1 Hash:          58feec48e485762c39a8c32f94cf535bf545699e
List of Registered Partitions:

Partition Identity   Partition        Partition Public Key SHA1 Hash
Label                Serial Number
________________________________________________________________________________

par1                 1213429268189    d4d4d65d281fd17580c56ddf09439c79c466a09a

Command Result : No Error



lunacm:>clientconfig listservers

Server ID  Server                         Channel  
___________________________________________________

0          192.20.11.184                  STC      

Command Result : No Error

lunacm:>exit

# ./salogin -o -s 0 -i 1:1 -p myuserpin
CA_OpenApplicationID: failed to open application id. err 0x80000030
token not present or app id already open?
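As an added example (not Thales code) covering the invocations in the Examples section and the failed open shown for the STC-enabled slot above, a small Python wrapper that builds the documented salogin command lines, opens application access for the duration of a with-block and always closes it again, and turns the CA_OpenApplicationID failure into a readable reason. The helper names (build_cmd, classify, application_access) and the injectable run callable are assumptions so the flow can be exercised without an HSM; by default it invokes the real salogin binary through subprocess.

```python
import re
import subprocess
from contextlib import contextmanager

APP_ID_RE = re.compile(r"[0-9A-Fa-f]{1,32}")   # -a takes 1-32 hexadecimal characters
OPEN_FAILED = "CA_OpenApplicationID: failed to open application id"

def build_cmd(action, app_id, slot=None, label=None, password=None, crypto_user=False):
    """Return argv for `salogin -o` (open) or `salogin -c` (close) from the documented flags."""
    if action not in ("-o", "-c"):
        raise ValueError("action must be '-o' or '-c'")
    if not APP_ID_RE.fullmatch(app_id):
        raise ValueError("application ID must be 1-32 hexadecimal characters")
    if (slot is None) == (label is None):
        raise ValueError("give exactly one of slot (-s) or label (-l)")
    cmd = ["salogin", action, "-a", app_id]
    cmd += ["-s", str(slot)] if slot is not None else ["-l", label]
    if action == "-o":
        if password is not None:
            cmd += ["-p", password]   # the challenge password is visible in the process list
        if crypto_user:
            cmd.append("-u")          # log in as Crypto User rather than Crypto Officer
    return cmd

def classify(returncode, output):
    """Map salogin's exit status and output to a short reason string."""
    if returncode == 0:
        return "ok"
    if OPEN_FAILED in output:
        # err 0x80000030: no token in the slot, an STC-enabled slot, or the app id already open
        return "open-failed"
    return "error"

def _real_run(cmd):
    # Default runner: invoke the real salogin (requires a Luna client installation).
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr

@contextmanager
def application_access(app_id, run=_real_run, **kw):
    """Open application access for the with-block and always close it afterwards."""
    rc, out = run(build_cmd("-o", app_id, **kw))
    status = classify(rc, out)
    if status != "ok":
        raise RuntimeError(f"salogin open failed ({status}): {out.strip()}")
    try:
        yield status
    finally:
        run(build_cmd("-c", app_id, **{k: kw[k] for k in ("slot", "label") if k in kw}))
```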

Other Options

For Java applications, consider using the KeyStore interface. It is internally consistent with the service provider interface defined by SUN/Oracle and does not require any proprietary code or applications.

NOTE   The Luna Keystore is not a physical file like a regular JKS. It is a virtual interface to the HSM and contains only handles for the private key objects.

If you are using an integration that does not refer to a KeyStore then the salogin utility might be required. You are then limited to working with one partition. The utility will work with any Luna HSM, as long as it is visible to the client at the time the library is initialized.