You are here: Administration & Maintenance Manual > HSM Administration > Partitions (logical HSM spaces for clients) > Activation & AutoActivation - About

About Activation & AutoActivation

Client access to Partitions, on an HSM with Trusted Path Authentication, needs to be as efficient and convenient as Client access to a Password Authenticated HSM . Activation and autoActivation are ways to manage the additional layer of authentication - the PED and PED Keys, so that Clients can reliably connect using just their passwords.

Authentication in General

Luna SA, in general, requires authentication from anyone wishing to use the appliance. Access falls into two categories, defined by purpose:

Administrative - you can log in locally via a terminal connected to the serial interface, or remotely via ssh session, to perform administration/maintenance/housekeeping tasks (detailed elsewhere)
Client - you can connect remotely via ssh to perform "production" activities, using objects and cryptographic functions on an HSM Partition within the HSM

Administrative

To perform any administrative task on the HSM appliance, you must first login at the console or via an ssh session and provide the "admin" password, in order to reach the lunash prompt. This is how you access the lunash commands. At that first level of authentication and administrative access you can perform some basic, appliance-wide administrative functions(such as configuring or modifying network settings, time setting, handling of logs, updating the system with update packages, etc.) that do not involve the HSM or any of the Partitions(virtual HSMs that you might have created within the HSM -- you need to create and assign Partitions if you are to use the HSM appliance in any meaningful way) .

Subsets of the lunash command menu require a further level of authentication in order to perform HSM or Partition administrative commands. The HSM and Partition commands require the appropriate blue and black PED Keys. Click here for a summary of PED Key roles.

When a command is issued to the HSM appliance that requires HSM or Partition authentication, the HSM with Trusted Path looks to the PED. The PED responds by prompting you for actions involving the appropriate PED Keys and the PED keypad. If the PED gets the appropriate response, it confirms the authentication back to the HSM, via the PED interface (the Trusted Path). The required PED Keys would be:

the blue key(s) needed when the HSM Admin logs in, or issues an hsm command.
the black key(s), needed when the Partition Owner (or Crypto Officer, if you are working under that model) issues Partition administration commands, or creates, deletes (or otherwise manipulates) non-public objects.

Those PED Keys (as appropriate), are demanded by Luna PED when you perform administrative operations via the lunash interface (meaning that you must be logged in as the appliance admin first, either at a local, serial console, or via ssh). The authentication can consist of:

presenting the required PED Key(s) and pressing [ENTER] on the keypad, or
presenting the required PED Key(s), pressing [ENTER], entering a PED PIN (if one had been assigned at initialization) and pressing [ENTER] again.

Performing the above actions gets you to a login state in which HSM appliance will carry out HSM or Partition commands (according to the level of authentication that you invoked).

Authentication and Access Control for Clients

However, the point of the HSM appliance is that authorized remote Client applications must be able to access their Partitions, in order to perform useful work (such as signing, verifying, encrypting, decrypting), and also that unauthorized clients be prevented from doing so. Before authorized access can happen, the Partition must be in a logged-in state (as described above) by means of the black PED Key.

To preclude access by unauthorized clients/applications, the HSM appliance requires that three authentication conditions be in place:

The Client and HSM appliance certificates must have been exchanged, and the Client registered to the Partition (during Setup and Configuration). This gives provisional access to the appliance, but not yet to the HSM or any of its Partitions. The Certificate exchange and registration can be initiated by a potential client, but are controlled at the HSM appliance. That is, no potential Client can register without the explicit approval of the HSM appliance administrator.
The Partition must be readied to accept Client access in a login state authenticated by the black PED Key which is accepted only via the PED (this gives administrative access to the Partition, and opens the Partition to Client access, but only if the third authentication element is supplied),
The Client must provide its credentials in the form of an authentication (a text-string password).

The Client authentication is the Partition Password that was displayed by the PED, and recorded by you, at the time the Partition was created (or it is the string to which you changed that original Partition Password, for your convenience, or to fit your security scheme).

If you provide that Partition Password only to registered, authorized Clients, and if they in turn keep it secret, then no unauthorized client can ever access the HSM appliance or its HSM. If you place an HSM Partition into a login state, then any registered application that presents the Partition Password is welcomed as an authorized Client.

The login state continues as long as a Client has the connection open to the Partition.

Activation

Activation is just a login with explicit caching of the Partition login data, on the HSM. This is convenient so that you can remove the black PED key (perhaps to allow other uses of the PED, such as administrative logins by the HSM Admin), while ensuring that access by Clients is not stopped, and that nobody is required to be present to press [ENTER] on the keypad for the benefit of Clients.

To use Activation, you must first allow it by setting Partition Policy 22 (Allow Activation) to on, for each Partition that you create. If the Policy (22, Allow Activation) is on, then the Partition Owner (or Crypto Officer) can issue the partition activate command. The PED prompts for the black PED Key(s) and PED PIN if appropriate. Once you provide it, the HSM appliance caches that authentication and the Partition remains in a login state (Activated) until:

you explicitly deactivate (with lunash command partition deactivate), or
power is lost to the HSM appliance.

You can remove the black PED Key and keep it in your pocket or in safe storage. Activation remains on, and any registered Client with the Partition Password is able to connect and perform operations on the Partition.

Activation is not a big advantage for Clients that connect and remain connected. It is an indispensable advantage in cases where Clients repeatedly connect to perform a task and then disconnect.

AutoActivation

AutoActivation allows automatic re-activation of the Partition, using the cached Partition-Owner/Crypto-Officer authentication data, in the event of a restart or a short power outage (up to 2 hours). That is, the Activated state can recover to allow Clients to re-connect and continue using the Partition, without need for human intervention to insert the black PED Key and press [ENTER] on the PED keypad.

AutoActivation, which you set by the partition changePolicy command, requires that Partition Policy 23 (Allow AutoActivation) be on, for the affected Partition.

When you run the partition activate command, autoactivation is set as well (if you set policy 23 for that partition). You are directed to the PED(which must be connected, powered on, and in the "Awaiting command.." state before you issue the partition autoActivate command) , depending upon the current status of cashed data. If the authentication data requires refreshing, then the PED prompts you to insert the appropriate(that is, a black PED Key that was imprinted with the Partition authentication data for the particular Partition) black PED Key and press [ENTER]. Once control returns to the lunash command line, and lunash announces success, you can remove the black PED Key and store it away. Clients can begin connecting and using the HSM Partition.

We anticipate that most customers will set Partition Policy 23 Allow auto-activation (battery-backed caching of partition authentication) to "On" for their partitions, to ensure the convenience (uptime) of their clients.

Customers who prefer to not set auto-activation On, but who keep their Luna appliances located remotely from their administrative staff, might prefer to 'manually' resume partition activation by means of Remote PED. These options are entirely a matter of your preference and of your security policy.