LunaCM Command Reference Guide > LunaCM Commands > role > role createChallenge

role createChallenge

Creates a challenge secret for a role - either Crypto Officer or Crypto User - for a PPSO partition. The challenge is a text-string secret used by an application to access the application partition with either Crypto Officer or Crypto User access level, respectively.

Note: Creating a challenge is optional, and applies only to PED-authenticated Luna HSMs. Role activation (caching of the black or gray PED Key credential following Crypto Officer or Crypto User login) is permitted only if a challenge secret has been created for the role, and the Allow Activation policy is set for the partition.

The application partition must be the current slot.

For firmware 6.22.0 (or newer), in a PPSO partition, this command is used by the Partition SO, who must be logged in, to create a challenge for the Crypto Officer. Alternatively, this command is used by the Crypto Officer, who must be logged in, to create a challenge for the Crypto User.

Both the role initiating the command and the target role must exist on the same application partition, and the initiating role must be logged in, at the current slot; therefore, no "-slot" parameter is needed.

For a legacy partition, the Crypto Officer challenge is created by the HSM SO, while logged into the HSM administrative partition, and therefore the partition createchallenge command is used instead (see "partition createchallenge").

Before you can use the role createChallenge command, the target role must already exist. See "role init".

When the current slot is an HSM with firmware older than version 6.22.0, lunacm supports only the commands available in earlier releases; the role commands, and any newer parameters and options for other commands, are not made available.
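The firmware rule above decides which command creates the challenge: 6.22.0 or newer (PPSO partition) uses role createChallenge at the current slot, older firmware (legacy partition) uses partition createchallenge from the HSM administrative partition. The following POSIX shell helper is an added example, not part of the LunaCM reference; it encodes that decision, rejects roles other than Crypto Officer and Crypto User, and optionally feeds the chosen command to lunacm. The assumption that lunacm accepts commands on standard input, and the exit command used to close the session, are not taken from this page.

```shell
#!/bin/sh
# Added example (not from the LunaCM reference guide).
# Chooses the challenge-creation command for a given firmware version and role.

# version_ge A B: succeed if dotted version A is greater than or equal to B.
# Sorts the two versions numerically field by field and checks that B sorts first.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# challenge_cmd FIRMWARE ROLE: print the lunacm command that creates a challenge
# for ROLE on an HSM running FIRMWARE, following the rule in the reference:
#   - 6.22.0 or newer  -> PPSO partition, "role createChallenge" at the current slot
#   - older            -> legacy partition, "partition createchallenge" by the HSM SO
# Only the two application roles named on the page are accepted as targets.
challenge_cmd() {
  fw=$1
  role=$2
  case "$role" in
    "Crypto Officer"|"Crypto User") ;;
    *) echo "challenge_cmd: unsupported role '$role'" >&2; return 1 ;;
  esac
  if version_ge "$fw" 6.22.0; then
    echo "role createChallenge -name $role"
  else
    # Legacy partitions: the HSM SO creates the Crypto Officer challenge from the
    # HSM administrative partition (parameters are documented with that command).
    echo "partition createchallenge"
  fi
}

# run_in_lunacm CMD: send CMD to an interactive lunacm session, then close it.
# Assumption: lunacm reads commands from stdin and "exit" ends the session.
# A PED-authenticated HSM will still prompt "Please attend to the PED." and
# needs a person at the PED; this helper only removes the typing.
run_in_lunacm() {
  if ! command -v lunacm >/dev/null 2>&1; then
    echo "lunacm not found; would run: $1" >&2
    return 0
  fi
  printf '%s\nexit\n' "$1" | lunacm
}

# Usage: the Partition SO, already logged in at the PPSO partition slot,
# creates the Crypto Officer challenge on a 6.22.0 HSM.
run_in_lunacm "$(challenge_cmd 6.22.0 'Crypto Officer')"
```

If the challenge was created with -defchallenge, remember that the default value must be changed before the role can perform cryptographic operations, so a provisioning script that uses it should be followed by a challenge change step before the partition is handed to an application.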

Syntax

role createChallenge -name <string> [-defchallenge]

Parameter      Shortcut   Description
-name          -n         Name of the role for which the challenge is to be created.
-defchallenge  -d         [Optional] Use the default challenge password. This is intended as a convenience when provisioning or integrating. The challenge must be changed before you can perform cryptographic operations.

Example

lunacm:> role createChallenge -name Crypto Officer

        Please attend to the PED.

Command Result : No Error

lunacm:>