Activate a Partition
For Luna SA with Trusted Path Authentication (those requiring Luna PED for authentication), a persistent login-like state called Activation must be engaged, using the appropriate black PED Key (along with the PED PIN and/or the requisite MofN keys, if those optional authentication features have been implemented). Once the Partition has been activated, the Client supplies the HSM Partition Password (or the Crypto Officer or Crypto User password, as appropriate) whenever it needs access to the HSM Partition to perform cryptographic operations.
The HSM Partition authentication (the PIN imprinted on the black PED Key) is never passed outside the trusted path between the Luna HSM and the Luna PED. Instead, the HSM Partition Password in a Luna SA with PED (Trusted Path) Authentication is a challenge secret that grants access to the partition only if the owner credential (the black PED Key) has already been accepted. That contrasts with a Luna HSM with Password Authentication, where the complete HSM Partition Password is passed as text over the SSH and NTL pipe.
To activate a Partition for use by registered Clients:
- Ensure that the partition policy "Allow activation" (policy 23) has been switched on:
    partition changepolicy -par <partitionname> -policy 23 -value 1
- To start activation of the desired partition, type:
    partition activate -par <partitionname>
Activation persists until it is explicitly switched off with the partition deactivate -par <partitionname> command, or until the Luna appliance loses power.
Once you have Activated an HSM Partition, you can remove the black PED
Key from the Luna PED, and store it securely. Activation remains in force
until terminated by command or by power loss.
Activation is not the same as "login", so you cannot use the Activated state to perform HSM or Partition maintenance. For that, you must log in via the secure command line interface, lunash. You can log in as HSM Admin without disturbing Activated Partitions.
To allow Partition Activation to persist through, or be recovered after, a power outage, you can enable AutoActivation.
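The following is an added illustrative model of the Activation rules described on this page (the challenge-secret behaviour of the Partition Password under PED authentication, policy 23, deactivation, power loss and AutoActivation); it is not SafeNet/Luna code, the class and method names are invented, and the PIN and password values are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Partition:
    ped_auth: bool                  # True = Trusted Path (PED) authentication
    black_ped_pin: str              # secret confined to the HSM<->PED path
    partition_password: str         # challenge secret handed to clients
    allow_activation: bool = False  # partition policy 23, "Allow activation"
    auto_activation: bool = False
    activated: bool = False

    def change_policy(self, policy: int, value: int) -> None:
        if policy == 23:            # only policy 23 is modelled here
            self.allow_activation = bool(value)

    def activate(self, ped_pin: str) -> bool:
        """'partition activate': needs policy 23 on and the black PED key."""
        ok = self.ped_auth and self.allow_activation and ped_pin == self.black_ped_pin
        self.activated = self.activated or ok
        return ok

    def deactivate(self) -> None:
        self.activated = False

    def power_loss(self) -> None:
        # Power loss clears Activation unless AutoActivation restores it.
        self.activated = self.activated and self.auto_activation

    def client_access(self, password: str) -> bool:
        """Client presenting the partition password for crypto operations."""
        if password != self.partition_password:
            return False
        # PED mode: the password is only a challenge secret, honoured solely while Activated
        return self.activated if self.ped_auth else True

def run_scenario() -> dict:
    p = Partition(True, "ped-pin", "pw")     # constructed sample secrets
    out = {"before_activation": p.client_access("pw"),
           "activate_policy_off": p.activate("ped-pin")}
    p.change_policy(23, 1)                   # changepolicy -policy 23 -value 1
    out["activate_wrong_key"] = p.activate("wrong")
    out["activate_ok"] = p.activate("ped-pin")
    out["client_ok"] = p.client_access("pw")
    p.power_loss()
    out["after_power_loss"] = p.client_access("pw")
    p.auto_activation = True
    p.activate("ped-pin"); p.power_loss()
    out["auto_activation_survives"] = p.client_access("pw")
    p.deactivate()
    out["after_deactivate"] = p.client_access("pw")
    return out
```

The scenario shows that with PED authentication a stolen Partition Password alone is useless while the partition is not Activated, whereas in password-authentication mode the same password is the complete credential.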