Show the Table of Contents
About Password Authentication
This section applies to versions of Luna HSM that control access via
typed text-string authentication, or passwords, at all authentication
levels. For Luna HSMs, this is sometimes referred to as "FIPS 140-2 Level 2" or simply "FIPS Level 2" or "FIPS 2" authentication.
If you received
a Luna PED and PED Keys, then your Luna appliance's HSM probably uses
Trusted Path Authentication, and not
Password Authentication (verify with the hsm
displayLicenses command), and this page does not apply to you.
We also can refer to that version as "FIPS 140-2 Level 3" authentication.
See "About Trusted
Path Authentication", instead.
In general, there are two paths to access the Luna appliance and its
administrative path, via SSH or via local serial link, which uses
Client path, via SSL, by which client applications use the Luna
SA API to perform cryptographic functions within pre-assigned virtual
HSMs (called Partitions) on the Luna system.
For Luna HSMs with Password Authentication (see the left-hand side of
this diagram), the various, layered roles are protected
When you login to the Luna appliance via lunash
the only accepted ID is "admin" which requires the admin password.
As the appliance admin, you can connect and login locally, via a serial
terminal, or remotely via SSH. With no other authentication, admin can
perform general, appliance-level administration.
To access the HSM to perform HSM-specific administration tasks (set HSM-wide
policies, update firmware and capabilities, backup and restore the HSM,
create and remove HSM Partitions, etc.), you must be logged in to lunash as admin,
then you must further be logged in as HSM Admin(of which
there can be only one per Luna HSM)
Good security practices suggest that the HSM Admin password should be
different from the appliance admin password. However, your corporate policies
may differ. As the HSM Admin, you can connect locally, via a serial terminal,
or remotely via SSH – you must
first be logged in as admin to have access to lunash
To access HSM Partitions, in order to perform Partition-specific administration
tasks (set Partition-specific policies, assign Partition to Clients, revoke
Clients, etc.), you must be logged in to lunash
as admin, then you must further be logged in as Partition Owner(of which
there can be several -- one for each Partition in the HSM)
using the Partition Password. Good security practices suggest that the
Partition Password should be different from the appliance admin password,
different than the HSM Admin password, and different than other Partition
Passwords (for other Partitions). However, your corporate policies may
differ. As the Partition Owner, you can connect locally, via a serial
terminal, or remotely via SSH –
you must first be logged in as admin to have access to lunash
access HSM Partitions with an application to perform cryptographic operations
on data, you must connect remotely via SSL (called NTLS in our implementation) as a Client(one
that has been registered by certificate exchange and assigned by the Partition
Owner to this Partition)
then pass a User-type (this is done invisibly by your client application),
and present the Partition Password (also done automatically by your application).
The password used by a Client is the same Partition Password that is used
by the Partition Owner for the particular Partition. What limits the scope
of operations that a registered, authenticated Client can perform on a
Partition is the fact that Partition administrative commands can be issued
only via lunash.
Thus, for security, Clients must not be allowed to learn the appliance
admin password that gives access to lunash.
How about two sentences?
Objects on the HSM are encrypted by the owner of the HSM Admin space or of the User space (partition), and can be decrypted and accessed only by means of the specific secret (password) imparted by the HSM Admin or the partition User respectively.
If you cannot present the secret (the password) that encrypted the objects, then the HSM is just a secure storage device to which you have no access, and those objects might as well not exist.
Show the Table of Contents