
Roles and Users

A basic concept for cryptographic operations with HSMs is the separation of roles. For security and oversight, it is desirable to separate administrative functions from operational cryptographic functions. To that end, Luna HSM products support a variety of roles and users. The different types of HSM, and the options available to them, support a variety of operational and security regimes.

The following diagram summarizes the Cryptoki roles.

The Crypto Officer and Crypto User roles, described on the right-hand side of the diagram above, exist only for a Luna HSM with Trusted Path Authentication. They do not exist for a Luna HSM with Password Authentication.

To log in as Crypto User, a client application must pass the user type CKU_RESTRICTED_USER (or its alias CKU_CRYPTO_USER) along with the Crypto User password.

To work with a partition as Crypto Officer, or for applications written against the existing standard, your application must pass the user type CKU_USER (along with the Crypto Officer / Partition Owner password). This type now has the alias CKU_CRYPTO_OFFICER, which you may prefer to use for clarity. (This concerns you only if you are an application developer.)
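The two login paths described above, as an added example in C that is not part of this documentation or of the Luna client library. It maps a role name to the user type that must be passed to C_Login, and refuses unknown role names rather than silently falling back to the more privileged Crypto Officer type. To compile stand-alone it declares minimal stand-ins for the Cryptoki types and constants; CKU_USER and CKU_VENDOR_DEFINED carry their standard PKCS#11 values, while the numeric value of CKU_RESTRICTED_USER is a labelled placeholder (take the real one from the Luna cryptoki.h). The fake_login function and the password are constructed test doubles; luna_user_type_for_role, luna_login_as_role and luna_last_user_type are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the PKCS#11 (Cryptoki) types used below, so this
 * example builds without cryptoki.h. In a real build include the Luna
 * cryptoki.h instead; it defines these types, the standard constants and
 * the vendor aliases named in the text above. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_RV;
typedef CK_ULONG      CK_USER_TYPE;
typedef CK_ULONG      CK_SESSION_HANDLE;
typedef unsigned char CK_UTF8CHAR;

#define CKR_OK                 0x000UL
#define CKR_ARGUMENTS_BAD      0x007UL
#define CKR_USER_TYPE_INVALID  0x103UL
#define CKU_USER               1UL           /* standard PKCS#11 value      */
#define CKU_VENDOR_DEFINED     0x80000000UL  /* standard PKCS#11 value      */

/* Luna-specific user type and aliases. CKU_CRYPTO_OFFICER is an alias of
 * CKU_USER, CKU_CRYPTO_USER is an alias of CKU_RESTRICTED_USER. The numeric
 * value of CKU_RESTRICTED_USER is vendor-defined and NOT given on this page:
 * the value here is a PLACEHOLDER in the vendor range for a stand-alone build. */
#ifndef CKU_RESTRICTED_USER
#define CKU_RESTRICTED_USER    (CKU_VENDOR_DEFINED | 1UL)  /* placeholder */
#endif
#define CKU_CRYPTO_OFFICER     CKU_USER
#define CKU_CRYPTO_USER        CKU_RESTRICTED_USER

/* Signature of C_Login, so the real function or a test double can be passed in. */
typedef CK_RV (*login_fn)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR *, CK_ULONG);

/* Map a role name to the user type that C_Login expects. Returns 1 on
 * success, 0 for an unknown role. Unknown roles are refused deliberately:
 * defaulting to Crypto Officer would grant more privilege than intended. */
int luna_user_type_for_role(const char *role, CK_USER_TYPE *out)
{
    if (!role || !out) return 0;
    if (strcmp(role, "crypto-officer") == 0) { *out = CKU_CRYPTO_OFFICER; return 1; }
    if (strcmp(role, "crypto-user") == 0)    { *out = CKU_CRYPTO_USER;    return 1; }
    return 0;
}

/* Log in to a partition session as the named role. 'login' is C_Login from
 * the loaded Cryptoki library (or a double with the same signature). */
CK_RV luna_login_as_role(login_fn login, CK_SESSION_HANDLE hSession,
                         const char *role, const char *password)
{
    CK_USER_TYPE user_type;
    if (!login || !password || !luna_user_type_for_role(role, &user_type))
        return CKR_ARGUMENTS_BAD;
    return login(hSession, user_type, (CK_UTF8CHAR *)password, (CK_ULONG)strlen(password));
}

/* Constructed test double for C_Login: accepts only the two partition roles
 * and records which user type was presented. */
static CK_USER_TYPE last_user_type;

static CK_RV fake_login(CK_SESSION_HANDLE hSession, CK_USER_TYPE user_type,
                        CK_UTF8CHAR *pin, CK_ULONG pin_len)
{
    (void)hSession; (void)pin; (void)pin_len;
    if (user_type != CKU_CRYPTO_OFFICER && user_type != CKU_CRYPTO_USER)
        return CKR_USER_TYPE_INVALID;
    last_user_type = user_type;
    return CKR_OK;
}

CK_USER_TYPE luna_last_user_type(void) { return last_user_type; }

int main(void)
{
    /* Constructed session handle and password; no HSM is contacted. */
    CK_RV rv = luna_login_as_role(fake_login, 1, "crypto-user", "constructed-password");
    printf("crypto-user login: rv=0x%lx user type=0x%lx\n", rv, luna_last_user_type());
    rv = luna_login_as_role(fake_login, 1, "crypto-officer", "constructed-password");
    printf("crypto-officer login: rv=0x%lx user type=0x%lx\n", rv, luna_last_user_type());
    return rv == CKR_OK ? 0 : 1;
}
```

With the real library, replace fake_login with the C_Login pointer obtained from the CK_FUNCTION_LIST returned by C_GetFunctionList, and drop the stand-in definitions in favour of the Luna cryptoki.h.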