Client access to partitions on an HSM with PED authentication needs to be as efficient and convenient as Client access to a password-authenticated HSM. Activation and autoActivation are ways to manage the additional layer of authentication (the PED and PED Keys) so that Clients can reliably connect using just their passwords.
Activation is simply a login whose authentication data is explicitly cached on the HSM.
• For legacy partitions, the cached authentication data is referred to as partition login data, handled by partition commands.
• For PPSO partitions, the cached authentication data is referred to as role login data, handled by role commands.
Login caching, or Activation, is convenient because it lets you remove the black or gray PED Key (perhaps to allow other uses of the PED, such as administrative logins by the HSM SO, or moving the PED to another HSM) while ensuring that access by Clients is not interrupted and that nobody is required to be present to press [ENTER] on the keypad on behalf of Clients.
To use Activation, you must first allow it by setting Partition Policy 22 (Allow Activation) to on, for each partition that you create. This is done by the HSM SO for legacy application partitions, and by the Partition SO for PPSO application partitions. If Policy 22 (Allow Activation) is on, then the partition Crypto Officer can issue the partition activate command for legacy partitions. For PPSO partitions, once the policy is on, a role login is all that is needed to activate. The PED prompts for the black PED Key(s) and PED PIN if appropriate. Once you provide a black PED Key (Crypto Officer) or gray PED Key (Crypto User), the HSM appliance caches that authentication and the partition remains in a logged-in state (Activated) until:
• you explicitly deactivate (with the lunash command partition deactivate, or the lunacm command partition deactivate or role deactivate, as appropriate), or
• power is lost to the HSM.
You can remove the black PED Key (or gray PED Key) and keep it in your pocket or in safe storage. Activation remains on, and any registered Client with the Partition challenge password is able to connect and perform operations on the partition.
Activation is not a big advantage for Clients that connect once and remain connected. It is an indispensable advantage where Clients repeatedly connect to perform a task and then disconnect or close the cryptographic session after each task.
1. Ensure that the partition policy "Allow activation" has been switched on.
For Luna PCI-E or Luna G5 legacy application partition, type:
partition changepolicy -policy 22 -value 1
For Luna PCI-E or Luna G5 or Luna SA PPSO application partition, type:
partition changepolicy -slot <slot number> -policy 22 -value 1
2. To start activation of the desired partition, type:
partition activate -par <partitionname>
for legacy application partitions, or type:
role login -name <name of role to log in>
for PPSO application partitions.
Respond to the PED prompts.
AutoActivation is supported for Luna SA and for Luna PCI-E, but not for Luna G5.
AutoActivation extends the Activation feature and allows automatic re-activation of the partition or the role, using the cached Crypto Officer or Crypto User authentication data, in the event of a restart or a short power outage (up to 2 hours). That is, the Activated state can recover so that Clients can re-connect and continue using the application partition, without a person having to insert the black PED Key (or gray PED Key) and press [ENTER] on the PED keypad.
AutoActivation, which you set with the partition changePolicy command, requires that Partition Policy 23 (Allow AutoActivation) be on for the affected partition.
When you run the partition activate command for legacy partitions, or simply role login for PPSO partitions, autoActivation is set as well (if you have set policy 23 for that partition). You are directed to the PED, depending upon the current status of the cached data.
If the authentication data requires refreshing, the PED prompts you to insert the appropriate black or gray PED Key (that is, a PED Key that was imprinted with the partition authentication data for the particular partition [legacy] or role [PPSO]) and press [ENTER]. Once control returns to the command line and the system announces success, you can remove the black PED Key and store it away. Clients can begin connecting and using the application partition.
We anticipate that most customers will set Partition Policy 23, Allow auto-activation (battery-backed caching of partition authentication), to on for their partitions, to ensure the convenience (uptime) of their Clients.
Customers who prefer not to turn auto-activation on, but who keep their Luna appliances at a site remote from their administrative staff, might prefer to 'manually' resume partition activation by means of Remote PED. These options are entirely a matter of your preference and of your security policy.
1. Ensure that Activation is switched on (see previous section).
2. Log in as the partition's administrator (HSM SO for legacy partition, Partition SO for PPSO partition).
3. Ensure that the partition policy "Allow auto-activation" has been switched on.
For Luna PCI-E or Luna G5 legacy application partition, type:
partition changepolicy -policy 23 -value 1
For Luna PCI-E or Luna G5 or Luna SA PPSO application partition, type:
partition changepolicy -slot <slot number> -policy 23 -value 1
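Before relying on Activation or autoActivation, an operator will want to confirm that policies 22 and 23 really are on for each partition. The following shell function is an added example (not part of the Luna documentation or tooling) that audits a saved policy listing; the listing text and its one-policy-per-line format "<number>: <description> : <value>" are assumptions constructed for this example, so adapt the parsing to the actual output of your appliance's showpolicies command.

```shell
#!/bin/sh
# Audit the two activation-related partition policies from a policy listing.
# The listing format is an ASSUMPTION for this example: one policy per line,
# "<number>: <description> : <value>". Real output may differ; adjust the awk.

# policy_value <listing> <policy-number>  -> prints the value ("" if absent)
policy_value() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $3) }
        $1 == want { print $3; exit }'
}

# check_activation_policies <listing>
# Prints one line per finding. Returns 0 only when policy 22 (Allow activation)
# and policy 23 (Allow auto-activation) are both on; otherwise returns 1 so the
# check can gate a deployment or monitoring step.
check_activation_policies() {
    rc=0
    if [ "$(policy_value "$1" 22)" != "1" ]; then
        echo "policy 22 (Allow activation) is off: a PED Key holder is needed after every login"
        rc=1
    fi
    if [ "$(policy_value "$1" 23)" != "1" ]; then
        echo "policy 23 (Allow auto-activation) is off: a restart or outage drops the activated state"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "activation and auto-activation are both allowed"
    return "$rc"
}

# CONSTRUCTED sample listings (not captured from a real appliance).
SAMPLE_OK="20: Allow some other policy : 1
22: Allow activation : 1
23: Allow auto-activation : 1"
SAMPLE_NOAUTO="22: Allow activation : 1
23: Allow auto-activation : 0"

check_activation_policies "$SAMPLE_OK"
check_activation_policies "$SAMPLE_NOAUTO" || echo "audit failed for SAMPLE_NOAUTO"
```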