Creating and Changing Partitions and Users

A partition and its users are created when you configure the HSM. To destroy an existing HSM Partition and create a new one in its place, issue the lunacm partition create command. The only difference between creating a partition for the first time and creating a partition where one already exists is the warning from lunacm, which is there so that you do not inadvertently destroy a valuable partition.

lunacm:> partition create
The existing Partition will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
Command Result : No Error
lunacm:>

For the PED Authenticated HSM version, as shown above, the Luna PED gives you the usual opportunity to imprint a new Partition authentication secret on a new black PED Key, or to overwrite an existing secret on a PED Key, or to accept an existing secret (only if it is a Partition secret - existing HSM SO or Domain secrets are not accepted for this purpose).

For the Password Authenticated version, obviously there would be no mention of a PED, and you would be prompted to supply a new Partition password.

Users

On a PED Authenticated HSM, the User or Owner of the Partition is the holder of the black PED Key for the Partition, and is the person who performs any Partition maintenance tasks (other than creating/destroying the Partition, which is done by the SO).

A note on terminology: the term User is standard PKCS#11 nomenclature, from the days before HSMs, while the term Owner arrived from a different tradition, which included HSMs and HSM appliances that could house multiple, virtual HSMs and might be used in non-PKCS environments.

The Owner is equivalent to Crypto Officer. The Owner is created when the Partition is created by the lunacm "partition create" command, and a 16-character challenge secret is generated by the PED.

The User is equivalent to Crypto User. The User is created by the separate lunacm "partition createChallenge" command. A second, different 16-character challenge secret is generated by the PED.

Allowing your Client application(s) to work with the HSM means allowing them to work with the Partition (the SO space is not normally used for operational and cryptographic purposes). Therefore, they must have an authentication secret to present when calling the HSM Partition to perform crypto operations. The basic authentication is the black PED Key, with which you log in or Activate (cached login). If you have set up only the basic Partition arrangement, then the login or activation with the black PED Key is the only authentication that either the administrative User or the Client application needs.

You also have the option to impose an additional level of security by creating a text-based secret that the Client application can present (use the lunacm partition createchallenge command). The Luna PED generates that secret and shows it on the PED screen, one time only. You record it (preferably by typing it into a text editor - handwritten text is easy to confuse...). That secret is then given to your Client application software when you configure that software to work with the HSM. Thereafter, the Client application presents the challenge secret whenever required (when a new session is opened and the Client app logs in).

However, because that challenge secret (also called Partition secret) has been imposed, it is also required when the Partition User/Owner wishes to use lunacm and run partition commands. The partition activate command caches only the black PED Key data, not the text challenge secret.

Finally, you can create a limited user, called the Crypto User (in other contexts, the regular Partition User / Owner might be called the Crypto Officer, to pair with this Crypto User designation). The Crypto User has a different Partition secret (the text challenge secret), and is able to use Partition objects, but not to manage/manipulate them (create, destroy, modify). The usual scenario would be to set up your HSM as SO, to populate your HSM Partition with the required secrets, keys and certificates while logged in as User/Owner, and then finally to give out the Crypto User secret for use by the Client application, so that the Client app can use the existing Partition objects but not modify them.

Password-authenticated HSMs

For Password Authenticated HSMs, the situation is simpler. There is no authentication hardware (no PED, no PED Keys). The Partition authentication is the Partition Password, and there is no separate challenge secret.