About Activation

Client access to Partitions on an HSM with Trusted Path Authentication needs to be as efficient and convenient as Client access to a Password Authenticated HSM. Activation manages the additional layer of authentication (the PED and PED Keys) so that Clients can reliably authenticate using just their passwords.

Authentication in General

A Luna HSM, in general, requires authentication from anyone wishing to use the HSM. Access falls into two categories, defined by purpose:

Administrative - you can log in locally via a command-prompt interface (terminal window/console), or remotely via ssh session, to perform administration/maintenance/housekeeping tasks (detailed elsewhere)

Client - your application can connect using the client API to perform "production" activities, using objects and cryptographic functions on an HSM Partition within the HSM.

Administrative

To perform any administrative task on the HSM, launch the lunacm administrative utility in a command-prompt window (console session). Several lunacm commands perform basic administrative functions that do not require an HSM or Partition login. (A Partition is a virtual HSM that you create within the HSM; you need to create and assign a Partition if you are to use the HSM in any meaningful way.)

Other subsets of the lunacm command menu require authentication before HSM or Partition administrative commands can be performed. Those HSM and Partition commands require the appropriate blue and black PED Keys. See "PED Keys and Operational Roles".

When a command is issued to the HSM that requires HSM or Partition authentication, the HSM with Trusted Path looks to the PED. The PED responds by prompting you for actions involving the appropriate PED Keys and the PED keypad. If the PED gets the appropriate response, it confirms the authentication back to the HSM, via the PED interface (the Trusted Path). The required PED Keys would be:

the blue key needed when the HSM Admin logs in, or issues an hsm command

the black key, needed when the Partition Owner (or Crypto Officer, if you are working under that model) issues Partition administration commands, or creates, deletes (or otherwise manipulates) non-public objects

the red key if you are cloning from one HSM to another

possibly a purple key if you had invoked Secure Transport Mode or the HSM had suffered a tamper event

possibly an orange key if you have set up Remote PED authentication service.

Those PED Keys (as appropriate) are demanded by the PED when you perform administrative operations via the lunacm interface. The authentication can consist of:

presenting the required PED Key(s) and pressing [ENTER] on the keypad, or

presenting the required PED Key(s), pressing [ENTER], entering a PED PIN (if one had been assigned at initialization) and pressing [ENTER] again.

Performing the above actions gets you to a login state in which the HSM will carry out HSM or Partition commands (according to the level of authentication that you invoked).

Authentication and Access Control for Clients

However, the point of the HSM is that authorized remote Client applications must be able to access their Partitions to perform useful work (such as signing, verifying, encrypting, decrypting), while unauthorized clients are prevented from doing so. Before authorized access can happen, the Partition must be in a login state (as described above), established by means of the black PED Key. One possibility might be for the Owner to perform a login via lunacm, insert the black PED Key when prompted by the PED, press [ENTER], and then leave the black key inserted.

A Client could then access the HSM Partition to perform work. However, if that were the extent of the access control, it would not provide very secure protection of the HSM Partition and the objects on it. To preclude access by unauthorized clients/applications, the HSM requires that two authentication conditions be in place:

The Partition must be readied to accept Client access, in a login state authenticated by the black PED Key, which is accepted only via the PED. (This gives administrative access to the Partition and opens the Partition to Client access, but only if the second authentication element is also supplied.)

The Client must provide its own credential, in the form of a text-string password.

The Client credential is the Partition Password (challenge secret) that was displayed by the PED, and recorded by you, at the time the Partition was created (or it is the string to which you later changed that original Partition Password, for your convenience or to fit your security scheme).

The login state continues as long as a Client has the connection open to the Partition.

Activation

Activation is simply a login with explicit caching of the Partition login data on the HSM. This is convenient because you can remove the black PED Key (perhaps to free the PED for other uses, such as administrative logins by the HSM Admin/SO) while ensuring that Client access is not interrupted and that no one needs to be present to press [ENTER] on the keypad on behalf of Clients.

To use Activation, you must first allow it by setting Partition Policy 22 (Allow Activation) to on, for each Partition that you create. If Policy 22 (Allow Activation) is on, the Partition Owner (or Crypto Officer) can issue the partition activate command. The PED prompts for the black PED Key (or Keys, if M of N is in force on that Partition) and a PED PIN if one is assigned. Once you provide them, the HSM caches that authentication and the Partition remains in a login state (Activated) until:

you explicitly deactivate (with lunacm command partition deactivate), or

power is lost to the HSM.

You can remove the black PED Key and keep it in your pocket or in safe storage. Activation remains on, and any registered Client with the Partition Password is able to connect and perform operations on the Partition.

Activation is not a big advantage for Clients that connect and remain connected. It is an indispensable advantage in cases where Clients repeatedly start a session to perform a task and then disconnect/close the session when each task is done.
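The following model is an added illustration, not Luna or lunacm code. It encodes the access-control rules described on this page (black-key login via the PED, the two conditions a Client must satisfy, the login state lapsing when the last Client connection closes, and Activation under Policy 22 keeping the cached login until deactivation or power loss) as a small state machine, so that the connect/disconnect behaviour discussed above can be exercised offline. All secrets, the PED PIN, and the verifier scheme are constructed sample values; real values are generated by the HSM and PED.

```python
"""Constructed model of Partition access control with Activation (not Luna code)."""
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import hmac

POLICY_ALLOW_ACTIVATION = 22  # policy number from the page; its effect is modelled below


class AccessDenied(Exception):
    """Raised when an authentication condition is not met."""


def _verifier(secret: bytes) -> bytes:
    # Stand-in for however the HSM stores a credential verifier (constructed).
    return hashlib.sha256(secret).digest()


@dataclass
class PedKey:
    colour: str    # "black" is the Partition Owner / Crypto Officer key
    secret: bytes  # constructed sample secret held on the key


@dataclass
class Partition:
    black_key_verifier: bytes
    password_verifier: bytes           # Partition Password / challenge secret
    ped_pin: str | None = None         # PED PIN assigned at initialization, if any
    policies: dict = field(default_factory=dict)
    logged_in: bool = False            # login state established via the black key
    activated: bool = False            # login data cached on the HSM
    open_sessions: int = 0             # Client connections currently open

    # PED side (the Trusted Path)
    def ped_login(self, key: PedKey, pin: str | None = None) -> None:
        """Owner login: black PED Key, plus the PED PIN if one is assigned."""
        if key.colour != "black":
            raise AccessDenied("PED expected the black PED Key")
        if not hmac.compare_digest(_verifier(key.secret), self.black_key_verifier):
            raise AccessDenied("black PED Key not recognised")
        if self.ped_pin is not None and pin != self.ped_pin:
            raise AccessDenied("PED PIN incorrect")
        self.logged_in = True

    def activate(self, key: PedKey, pin: str | None = None) -> None:
        """'partition activate': log in, then cache the login data on the HSM."""
        if not self.policies.get(POLICY_ALLOW_ACTIVATION):
            raise AccessDenied("Partition Policy 22 (Allow Activation) is off")
        self.ped_login(key, pin)
        self.activated = True

    def deactivate(self) -> None:
        """'partition deactivate': drop the cached login."""
        self.activated = False
        if self.open_sessions == 0:
            self.logged_in = False

    def power_loss(self) -> None:
        """Power loss clears the cached login, the login state and all sessions."""
        self.logged_in = self.activated = False
        self.open_sessions = 0

    # Client side (API over the network)
    def client_open_session(self, password: str) -> None:
        """Both conditions: Partition in a login state AND the correct password."""
        if not self.logged_in:
            raise AccessDenied("Partition is not in a login state")
        if not hmac.compare_digest(_verifier(password.encode()), self.password_verifier):
            raise AccessDenied("Partition Password incorrect")
        self.open_sessions += 1

    def client_close_session(self) -> None:
        """Closing the last session ends the login state unless Activated."""
        if self.open_sessions == 0:
            return
        self.open_sessions -= 1
        if self.open_sessions == 0 and not self.activated:
            self.logged_in = False


def new_partition(allow_activation: bool) -> tuple[Partition, PedKey]:
    # Constructed sample credentials for the model.
    key = PedKey("black", b"sample-black-key-secret")
    part = Partition(black_key_verifier=_verifier(key.secret),
                     password_verifier=_verifier(b"Partition-Password-1"),
                     ped_pin="1234",
                     policies={POLICY_ALLOW_ACTIVATION: allow_activation})
    return part, key


def client_can_connect(part: Partition, password: str = "Partition-Password-1") -> bool:
    """One Client task: open a session, do work, close it. True if access was granted."""
    try:
        part.client_open_session(password)
    except AccessDenied:
        return False
    part.client_close_session()
    return True


def demo_without_activation() -> list[bool]:
    """Login state lapses after the first connect/disconnect cycle."""
    part, key = new_partition(allow_activation=False)
    before = client_can_connect(part)   # no black-key login yet
    part.ped_login(key, pin="1234")
    first = client_can_connect(part)    # login state + password: granted
    second = client_can_connect(part)   # login lapsed when the session closed
    return [before, first, second]      # [False, True, False]


def demo_with_activation() -> list[bool]:
    """Cached login survives repeated connect/disconnect cycles and key removal."""
    part, key = new_partition(allow_activation=True)
    part.activate(key, pin="1234")      # black key may now be removed from the PED
    cycles = [client_can_connect(part) for _ in range(3)]  # all granted
    wrong = client_can_connect(part, "not-the-password")   # denied
    part.deactivate()
    return cycles + [wrong, client_can_connect(part)]      # [T, T, T, False, False]


if __name__ == "__main__":
    print("without activation:", demo_without_activation())
    print("with activation:   ", demo_with_activation())
```

The two demo functions reproduce the contrast drawn above: without Activation the second task is refused because the login state ended when the first session closed, while with Activation every cycle succeeds until an explicit deactivate (or, in the model, a power loss) clears the cached login. A wrong Partition Password is refused in either case, since the login state alone is never sufficient.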

Although options for auto-activation appear in the lunacm commands and in the HSM/partition capabilities and policies, auto-activation is not supported on Luna PCI-E and Luna G5.