|
Home > |
Appliance Administration Guide > Configuration without One-step NTLS > [Step 9] Configure PPSO Application Partitions > Initialize the Crypto User Role on a PED-Auth PPSO Partition
|
|---|
These instructions assume
•a PED-authenticated SafeNet HSM has been initialized,
•an application partition has been created,
•a Crypto Officer has been created for the partition, and
•the Crypto Officer PED Key has been conveyed to the person responsible for the Crypto Officer role. See Initialize the Partition SO and Crypto Officer Roles on a PED-Auth PPSO Partition.
As Crypto Officer, you can do the following:
•Create a Crypto User (limited access user) for the application partition
•Create, delete, change and manipulate cryptographic objects on the application partition, either for your own use or for use by the Crypto User
•Activate the partition for use by applications.
To create a Crypto User for the partition, you will need:
•SafeNet PED and the black Crypto Officer PED Key(s) assigned to you by the SO, as well as blank PED Key(s) with labels for the Crypto User that you are about to create. These instructions assume that your SafeNet PED is locally connected. These instructions assume that you have already made your decisions whether to use all-new, blank PED Keys, or to re-use any existing, imprinted PED Keys for any of the steps.
1.Set the active slot to the desired application partition, where the Crypto Officer was just created.
Type slot set -slot <slot number>
lunacm:> slot set -slot 0
Current Slot Id: 0 (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:>
2.Log in as the Crypto Officer.
Type role login -name Crypto Officer
lunacm:> role login -name Crypto Officer
Please attend to the PED.
Respond to SafeNet PED prompts...
Command Result : No Error lunacm:>
3.Create the Crypto User.
Type role init -name Crypto User
lunacm:> role init -name Crypto User
Please attend to the PED.
Respond to SafeNet PED prompts...
Command Result : No Error lunacm:>
The Crypto User can now log in to use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.
It is possible for all three of Partition SO, Crypto Officer, and Crypto User to perform their functions against a SafeNet Network HSM partition, from the same SafeNet HSM Client host computer, simply taking turns at the keyboard and the SafeNet PED. It is also possible to work from different computers, as long as any such computer is a registered user of the partition - that is, a working network trust link (NTL) connection is required for each.
In addition, if those persons and their respective SafeNet HSM Client host computers are not co-located, then they must arrange to manage their sharing of the Remote PED. Either
•one person must maintain the single Remote PED setup, and the others must coordinate closely with the PED-keeper when authentication to the HSM is required,
or
•all three can have their own separate PEDs and PedServer instances, but they must coordinate with the appliance administrator to hsm ped disconnect any current Remote PED channel before hsm ped connect -ip <new-ip> -port <new-port> to establish a Remote PED session with one of the other PedServers.
At this point, the Crypto User, or an application using the CU's challenge secret/password can perform cryptographic operations in the partition, as soon as the Crypto User logs in with role login -name Crypto User.However, any event that causes that session to close, including action by the application, requires that the CU must log in again (with the gray PED Key), before the application partition can be used again. For an application that maintains an open session, that is not a handicap. For an application that opens a session for each action, performs the cryptographic action, then closes the session, the CU must be constantly logging in and using the PED and PED Key.
To bypass this limitation, use the Activation feature. See Activate a PED-Auth PPSO Partition for the Crypto Officer Role or Activate a PED-Auth PPSO Partition for the Crypto User Role.