Partition Roles
The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. A controlled access policy is defined by:
>the set of users with valid login credentials for
>the actions each user is allowed to perform when logged in (the user's role)
For example, an access policy that adheres to the PKCS#11 standard requires two roles: the security officer (SO), who administers the user account(s), and the standard user, who performs cryptographic operations. When a user logs in to the HSM, they can perform only those functions that are permitted for their role.
All cryptographic operations take place on an application partition. This partition is created on the HSM by the HSM SO and assigned to a registered client over a network (see Application Partitions). Partition roles allow the partition to function as an independent virtual HSM, with its own Security Officer and users. This design provides more flexibility in meeting the security needs of your organization. Personnel holding the roles described below must have administrative access to a client workstation with a partition assigned to it and Luna HSM Client installed. They do not require SSH access to LunaSH on the SafeNet Luna Network HSM appliance.
The partition-level roles are as follows:
Partition Security Officer (PO)
The Partition SO handles all administrative and configuration tasks on the application partition, including:
>Initializing the partition, setting the PO credential, and setting a cloning domain for the partition (see Initializing an Application Partition)
>Configuring partition policies (see Partition Capabilities and Policies)
>Initializing the Crypto Officer role (see Initializing the Crypto Officer Role)
>Activating the partition (see Activation and Auto-activation on Multi-factor- (PED-) Authenticated Partitions)
Managing the Partition SO Role
Refer also to the following procedures to manage the PO role:
>Logging In to the Application Partition
>Changing a Partition Role Credential
Crypto Officer (CO)
The Crypto Officer is the primary user of the application partition and the cryptographic objects stored on it. The Crypto Officer has the following responsibilities:
>Creating, deleting, and modifying cryptographic objects via user applications
>Performing cryptographic operations via user applications
>Managing backup and restore operations for partition objects:
•Backup and Restore Using a G5-Based Backup HSM
•Backup and Restore Using a G7-Based Backup HSM
>Create and configure HA groups (see Setting Up an HA Group)
>Initializing the Crypto User role (see Initializing the Crypto User Role)
Managing the Crypto Officer Role
Refer also to the following procedures to manage the CO role:
>Logging In to the Application Partition
>Changing a Partition Role Credential
Crypto User (CU)
The Crypto User is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can create only public objects. This role is useful in that it provides limited access; the Crypto Officer is the only role that can make significant changes to the contents of the partition. The Crypto User has the following capabilities:
>Performing operations like encrypt/decrypt and sign/verify using objects on the partition
>Creating and backing up public objects:
•Backup and Restore Using a G5-Based Backup HSM
•Backup and Restore Using a G7-Based Backup HSM
>The CU can increment usage counters but, unlike CO, cannot change/set the limit
Managing the Crypto User Role
Refer also to the following procedures to manage the CU role: