Password-authenticated HSM Planning
Planning for configuration of a password-authenticated SafeNet Luna Network HSM is straightforward. You must determine:
>Whether the HSM authentication secrets should fall under your organization's rules for password change cycles.
>HSM and partition labels, in keeping with your organization's requirements.
>Passwords for each role:
•HSM Security Officer (SO)
•Partition Security Officer (PO) for each application partition
•Crypto Officer (CO) for each application partition
•Crypto User (CU) for each application partition (optional)
•Auditor (Au, optional)
>Cloning domain for each partition.
HSM Initialization
When you initialize, you are creating an HSM SO (security officer) identity and attaching it to the Admin partition on the HSM. This is an administrative position and the only keys or objects that are ever stored there are system keys, not user keys. The HSM SO sets policy for the overall HSM, and creates partitions.
When creating an access secret for the HSM SO, you are creating a secret for an administrator who sets up the HSM and is rarely needed thereafter. You might have a single person who has the job of overseeing several HSMs, in which case you could re-use the HSM SO password.
The Partition SO is a completely separate role from the HSM SO. As long as they do not use the same secret, the HSM SO is completely excluded from the application partition.
HSM Cloning Domain
Like all secrets for a Password-authenticated SafeNet Luna Network HSM, the cloning domain is a simple text string. It governs whether an HSM can clone its contents to another HSM for backup. There is no provision to change the cloning domain without re-initializing, unlike a password for one of the roles, which can be reset or changed when desired.
You have the option to use the same cloning domain for the HSM as for an application partition on that HSM, or different domain secrets if desired.
Crypto Officer/Crypto User
SafeNet Luna Network HSM application partitions can divide administrative and cryptographic access to the partition into an unrestricted Crypto Officer and restricted Crypto User role.
A Password-authenticated HSM's application partition has a single text string for Owner or Crypto Officer that grants both administrative access and application access to the partition. It has a single text string for Crypto User that grants both restricted administrative access and restricted application access to the partition. This contrasts with a PED-authenticated application partition, where a black PED key allows administrative access as Owner/Crypto Officer, while a separate challenge secret is used by unrestricted Client applications. A black PED key allows administrative access as Crypto User, while a separate challenge secret is used by restricted Client applications.
Application Partition Cloning Domain
The application partition requires a cloning domain, which must match the cloning domain of any other application partition (on any HSM) to which it should be able to clone objects. The domain is required to match for backup or for HA group creation and operation.
See Domain Planning.
Auditor
The Audit role is completely separate from other roles on the HSM. It is optional for operation of the HSM, but might be mandatory according to your security regime. The Audit role can be created at any time, and does not require that the HSM already be initialized.