Service Client Roles
The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. The Luna Cloud HSM Service Client imposes a software role hierarchy that enforces restricted tiers of administrative and utilization roles when accessing the software. A controlled access policy is defined by:
- the set of users with valid login credentials for the Luna Cloud HSM Service partition
- the actions each user is allowed to perform when logged in (the user's role)
For example, an access policy that adheres to the PKCS#11 standard requires two roles: the security officer (PO), who administers the user account(s), and the standard user, who performs cryptographic operations. When a user logs in to the HSM, they can perform only those functions that are permitted for their role.
When the application owner creates the Luna Cloud HSM Service, they use a Luna Cloud HSM Service Client to access and use the Luna Cloud HSM Service for cryptographic operations. The Luna Cloud HSM Service Client separates administrative duties and operational duties by role.
The Luna Cloud HSM Service Client roles are separate from the DPoD platform user roles, that is, the service provider, tenant administrator, and application owner. The platform user roles allow for administration of and access to Luna Cloud HSM Services. The Luna Cloud HSM Service Client roles, in contrast, allow for administration of and access to the HSM that is bound to the Luna Cloud HSM Service Client.
You provision your Luna Cloud HSM Service by initializing the service and initializing the following user roles:
Security Officer (PO)
The security officer is necessary for initializing the Luna Cloud HSM Service partition and configuring partition policies. Access to this role should be restricted to the service partition administrator.
The security officer has the following roles and responsibilities:
- Initializes the service partition, creates the PO credential, and sets the cloning domain.
- Initializes the crypto officer role and can reset the CO credential.
- Configures partition policies.
Crypto Officer (CO)
The crypto officer creates and administers cryptographic objects on the Luna Cloud HSM Service partition. Most supported integration applications require access to the crypto officer account credentials. This allows the integration application to access the Luna Cloud HSM Service to create, use, modify, and delete cryptographic objects on the Luna Cloud HSM Service partition.
The crypto officer has the following roles and responsibilities:
- Creates and modifies cryptographic objects on the service partition.
- Manages backup and restore operations for the service partition.
- Performs cryptographic functions via user applications.
- Initializes the crypto user role and can reset the CU credential.
Crypto User (CU)
The crypto user role can be used to restrict access to the Luna Cloud HSM Service partition. If you are sharing access to the Luna Cloud HSM Service with a team member solely for the purpose of access to objects for cryptographic operations, you should create Crypto User credentials and provide them to that team member.
The crypto user has the following responsibilities:
- Performs cryptographic functions via user applications (optional read-only role).
- Can create public objects only.
- Can perform backup/restore of public objects on the partition.
See Installing a Linux Luna Cloud HSM Service Client or Installing a Windows Luna Cloud HSM Service Client for procedures to initialize the security officer, crypto officer, and crypto user roles.