lunacm partition activate Command

NAME

partition activate  - Cache Partition PED Key data [Luna PCI-E with PED (Trusted Path) Authentication only]

SYNOPSIS

lunacm:> partition activate -password <partition_user_password> [-cu] [-ped <ped_id>]

DESCRIPTION

Caches a Partition's PED Key data. Once the data is cached, Clients can connect, authenticate with their Partition password (the challenge secret) and perform operations on Partition objects without a hands-on PED operation for each login. The activation (caching) endures until it is explicitly terminated with "partition deactivate" or the host computer is powered off (unless autoactivation, described below, is in force). If a Partition has not been activated, each access attempt by a Client causes a login call that initiates a Luna PED operation, requiring the appropriate black PED Key. Unattended operation is therefore possible only while the Partition is activated.

To activate a Partition, Partition policy number 22 "Allow activation" must be set to "On" for the named partition. If you also want the activation to survive a restart or power outage, set Partition policy number 23 "Allow auto-activation" to "On" for that partition. Use "partition showPolicies" to view the current settings and "partition changePolicy" to change them.

Each policy is displayed as "Off" or "On", but when you change a policy you must supply the numeric value "0" (Off) or "1" (On).

Autoactivation caches the activation authentication data in battery-backed memory, so that activation persists or is recovered after a shutdown, restart or power outage of up to 2 hours' duration. If Partition Policy 23 is set, partition activation includes autoactivation. If Partition Policy 23 is not set, partition activation persists only while the host computer is powered on, and you must re-activate the partition (presenting the black PED Key) after a shutdown or power outage.
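The following lunacm session, added here as an illustration and not taken from the Luna documentation or sample output, shows the whole procedure in order: check the two policies, switch them on with numeric values, activate the partition, and finally clear the cached data again. The "-policy" and "-value" option names of "partition changePolicy", the parenthesised notes, and the assumption that no further login is needed before changing policies are assumptions made for this example; confirm them against the "partition changePolicy" page for your client version.

```text
lunacm:> partition showPolicies
   (check that policy 22 "Allow activation" and policy 23 "Allow auto-activation"
    show as On; if either shows Off, change it below using the value 1, not "On")

lunacm:> partition changePolicy -policy 22 -value 1
Command Result : No Error

lunacm:> partition changePolicy -policy 23 -value 1
Command Result : No Error

lunacm:> partition activate
Option -password was not supplied. It is required.
Enter the password: ****************
User is not activated, please attend to the PED.
   (present the black PED Key when the PED asks for it; from this point Clients log in
    with the challenge secret alone, and because policy 23 is On the cached data survives
    a shutdown or power outage of up to 2 hours)
Command Result : No Error

lunacm:> partition deactivate
   (clears the cached PED Key data; the next login again requires the black PED Key)
Command Result : No Error
```

Leaving "-password" off the "partition activate" line, as above, keeps the challenge secret out of command history; supply it on the command line only in a controlled script.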

OPTIONS

 Options          Short     Description
---------------------------------------------------------
-password        -p        Partition User password
-cu              -c        Perform the login as Crypto User
-ped             -ped      PED ID (0 = local, 1 = remote)

-password    The password used as the login credential by the Partition User. As the synopsis shows, you can supply the password on the command line, which is useful for scripting, but a password given this way may be recorded in command history or be visible to other users of the host. Normally, therefore, leave the password out of the command: you are then prompted for it, and your input is masked with asterisk (****) symbols. This is the more secure way to supply the password.
On PED-authenticated HSMs the black PED Key, not this password, authenticates the login; the value you supply here is the partition challenge secret, which the client application still needs in order to use the activated partition.

-cu    Performs the login as Crypto User, a role whose rights are a limited subset of the Partition User's. Use this option only if your security scheme makes use of the Crypto Officer/Crypto User distinction.

-ped    This parameter is optional. If it is not specified, the value of the "PEDId" parameter in the "Luna" section of Chrystoki.conf (crystoki.ini on Windows) is used; if that parameter is absent, the default is "0" (local PED).

SAMPLE OUTPUT

For password-authenticated HSM:

lunacm:> partition activate -password Userpa55word!

Command Result : No Error

lunacm:>

The password in the example follows strong-password guidelines: mixed upper- and lowercase letters, numeric characters and a punctuation character. It is an illustrative value only; use your own Partition User password.

For PED-authenticated HSM:

lunacm:> partition activate

Option -password was not supplied. It is required.

Enter the password: ****************

User is not activated, please attend to the PED.

Command Result : No Error

lunacm:>

The password entered in this example is the partition challenge secret. It was generated by the PED when you issued "partition createchallenge" and is sixteen mixed characters, so it follows strong-password guidelines (mixed upper- and lowercase letters, numeric characters and punctuation). You may change it to a more memorable challenge, at your option.