role login

Home >	Lunacm Command Reference Guide > LunaCM Commands > role > role login

role login

Logs the named user into the partition at the current slot.
For Password-authenticated HSM, the entire credential is the password. You can provide it at the command line, in the clear, or you can wait and be prompted, and then type it in with your typed characters disguised by asterisks (*). This is the administrative password (Crypto Officer or Crypto User), and it is also the same password that is presented by your application program when it performs cryptographic operations on the application partition.

For PED-authenticated HSM, the authentication is the black PED Key and the password/challenge for Crypto Officer, or the gray PED Key and the password/challenge for Crypto User.

If Partition Policy 22: Allow activation is not set (value = 0), then the full authentication is required for each login, including authentication by your application program.
If Partition Policy 22: Allow activation is set (value = 1 see partition changepolicy), then the PED Key secret is cached, and only the password/challenge string is required for each subsequent login. That is, if the partition is activated, you are not prompted to respond to the PED.
At that point, your application program can authenticate with just the password/challenge string, as if the HSM was PW-authenticated.

Activation (caching of the PED Key secret) persists until you explicitly deactivate (see role deactivate) or until the HSM is restarted or loses power.

CAUTION: If too many bad login attempts are made against a role, the appropriate security policy for that role is enacted. For example, three bad attempts to log into the HSM SO role causes all HSM contents to be zeroized. Too many attempts on the Crypto Officer role causes that role to be locked out until reset by the SO. The bad-login count is reset by a successful login.

Note: For the Auditor role, if the bad login attempt threshold is exceeded, the HSM locks out that role for 60 seconds. The output of role show, during that time, gives a status of "Locked out".

However, role show continues to show a state of "Locked out" even after the lockout time has expired; the displayed status does not reset until after a successful login.

Note: PKCS#11 permits one role to be logged into a slot, per session. If a role is logged in, and you attempt to log in as a different role, the HSM presents an error message like USER_ALREADY_LOGGED_IN, indicating that some other user role is logged into the current slot via the current session. If you need to log in, your options are:
- log out the other user and log in as the desired user, in the current session
or
- launch another session (lunacm or other tool), select the slot, and log in from there.

Note: Slots retain login state when current-slot focus changes.

For HSMs with firmware earlier than version 6.22.0, when you used slot set to move the focus from an HSM partition or slot with logged in session(s), to another partition or slot, any sessions on the original slot were automatically closed (thus logged out).

For HSMs with firmware version 6.22.0 of newer, you can use slot set to repeatedly shift focus among slots, and whatever login state was in force when you were previously focused on a slot is still in effect when you return to that slot.

Syntax

role login -name <name of role> [-password <password>]

Parameter	Shortcut	Description
-name	-n	Specifies the name of the role that is logging in. Note: If you specify multiple users (for example role login -n Crypto Officer -n Partition SO, the last one entered (in this example, Partition SO), is used.
-password	-p	Specifies the password for the role. Omit this parameter to be prompted for a password, which will be obscured by * characters when entered.

Parameter

Shortcut

Description

-name

-n

Specifies the name of the role that is logging in.

Note: If you specify multiple users (for example role login -n Crypto Officer -n Partition SO, the last one entered (in this example, Partition SO), is used.

-password

-p

Specifies the password for the role. Omit this parameter to be prompted for a password, which will be obscured by * characters when entered.

Example

Logging in to the administrative slot as the HSM SO

lunacm:> role list

        Roles 
        ============== 
        SO                                  
        Admin User                       
        Auditor            

Command Result : No Error

lunacm:> role login -name SO

        Please attend to the PED.

Command Result : No Error

lunacm:>

Logging in to the application partition slot as the Partition SO

lunacm:> role list

        Roles 
        ============== 
        Partition SO                    
        Crypto Officer                  
        Crypto User                     

Command Result : No Error

lunacm:> role login -name Partition SO

        Please attend to the PED.

Command Result : No Error

Bad log in attempt as the HSM SO

lunacm:> role list

        Roles 
        ============== 
        SO                                      
        Admin User                             
        Auditor                             

Command Result : No Error

lunacm:> role login -name SO

        Please attend to the PED.
 Caution: You have only 2 Administrator login attempts left. If you fail 2
 more consecutive login attempts (i.e. with no successful
 logins in between) the HSM will be ZEROIZED!!!

Error in execution: CKR_PIN_INCORRECT.

Command Result : 0xa0 (CKR_PIN_INCORRECT)