
About Activation and Auto-Activation

Client access to Partitions on a Luna HSM with PED (Trusted Path) Authentication needs to be as efficient and convenient as Client access to a Password Authenticated Luna HSM. Activation and AutoActivation are ways to manage the additional layer of authentication (the Luna PED and PED Keys) so that Clients can reliably connect using just their passwords.

Activation caches the partition black PED Key authentication data (on the HSM) for the duration of the current session.

AutoActivation caches the same partition data and preserves it through a brief power outage. AutoActivation applies only to standalone Luna HSM appliance products, where the battery powers the cache memory during a power outage (for up to 2 hours).

The General Case, without Activation

When a command is issued to the Luna HSM that requires HSM or Partition authentication, the Luna HSM with PED (Trusted Path) Authentication looks to the PED. Luna PED responds by prompting you for actions involving the appropriate PED Keys and the Luna PED touchpad. If Luna PED gets the appropriate response, it confirms the authentication back to the Luna HSM, via the PED interface (the Trusted Path). The required PED Keys would be:

the blue key needed when the Security Officer or HSM Admin logs in, or issues an hsm command.

the black key (possibly several black PED Keys, but only if you invoked M of N when you initialized the HSM), needed when the Partition Owner (or Crypto Officer, if you are working under that model) issues Partition administration commands, or creates, deletes (or otherwise manipulates) non-public objects.     

Those PED Keys (as appropriate), are demanded by Luna PED when you perform administrative operations via the lunacm interface. The authentication can consist of:

presenting the required PED Key(s) and pressing [ENTER] on the touchpad, or

presenting the required PED Key(s), pressing [ENTER], entering a PED PIN (if one had been assigned at initialization) and pressing [ENTER] again.

Performing the above actions gets you to a login state in which Luna HSM will carry out HSM or Partition commands (according to the level of authentication that you invoked). User challenge text strings are still required, in addition to the black PED Key, when the Crypto Officer [the partition administrator] or Crypto User [the operational entity that runs application programs to use the HSM's objects and services] wishes to perform actions in the partition.

Activation

Activation is just a login with explicit caching of the Partition black PED Key login data on the Luna HSM. This is convenient because you can then remove the black PED Key (perhaps to allow other uses of the Luna PED, such as administrative logins by the HSM Admin or SO) while ensuring that access by Clients is not interrupted, and that no one is required to be present to press [ENTER] on the touchpad on behalf of Clients.

Note: For the Crypto Officer and Crypto User, a challenge secret MUST be created in order for activation to work. If you are familiar with some other Luna HSM products (like Luna SA), the Luna G5 HSM differs slightly, in that the challenge is not automatically created when the user is created. You must run the createChallenge command (and record the resulting challenge secret/password for each entity, to be able to provide it when that entity needs to use the activated HSM partition).

We emphasize that it is the authentication data from the PED Key(s) that is cached, because the partition challenge secret - or optionally the Crypto User challenge secret - is not cached. That secret must still be supplied by your application in order to make use of objects on the partition. Thus, you have the challenge secret (the one that you recorded from the screen of the Luna PED during Partition creation or User creation) embedded in your Client application. The Client can make use of that challenge only if the Partition is in login state. That can be an explicit login by somebody who is present and ready to act with the PED Key(s) and any PED PIN (optional), or it can be the presence of cached login data (Activation) which the HSM looks for every time a client access request comes in.

To use Activation, you must first allow it by setting Partition Policy 22 (Enable Activation) to on, for each Partition that you create. If the Policy (22, Enable Activation) is on, then the Partition Owner (or Crypto Officer) can issue the lunacm partition activate command. Luna PED prompts for the black PED Key and any other authentication input that might be appropriate (PED PIN, M of N). Once you provide it, the Luna HSM caches that authentication and the Partition remains in a login state (Activated) until:

After activating, you can remove the black PED Key and keep it in your pocket or in safe storage. Activation remains on, and any registered Client with the Partition Password (challenge secret) is able to perform operations on the Partition.

AutoActivation

When AutoActivation is added to Activation, the User authentication data is cached in such a way that it can survive a power outage of approximately 2 hours in duration.

Ensure that the Partition Policy number 23 "Allow auto-activation" is switched on (set to 1).

When that policy is on (and policy 22 as well) then whenever you issue the lunacm command "partition activate", the User authentication data is cached for auto-activation.

Deactivating a Partition

You can turn off Activation for an HSM Partition by issuing the deactivate command.
Type:

lunacm:> partition deactivate

The User's (black) PED Key data is de-cached. On HSM types with a single partition, the command has no options or arguments. The next time access to the Partition is attempted (to run a lunacm partition command, or to perform cryptographic operations on behalf of the client application), you are directed to the Luna PED to provide the black PED Key (and PED PIN, if applicable).