Activate a PED-Auth PPSO Partition for the Crypto User Role

In this section the Partition SO and the Crypto User configure the partition to allow Activation (caching of the authentication), and then Activate it.

These instructions assume that:

- you are running lunacm on a SafeNet HSM Client host computer containing, or connected to, an HSM with a PPSO application partition,

- that partition has a Crypto User created,

- that partition is the currently selected slot,

- you have not already performed these actions for the Crypto Officer.

As Crypto User of an application partition that is configured for Activation, you can log in once and have your credentials cached; they stay in the cache while your application opens and closes sessions, so you do not need to log in again each time. If the Partition SO already set the Activation policy on behalf of the Crypto Officer, it applies to both the CO and the CU roles, and you can skip to step 4.

To activate a PED-authenticated PPSO application partition for the Crypto User role

1. Set the active slot to the desired application partition.
Type slot set -slot <slot number>

lunacm:> slot set -slot 0

        Current Slot Id:    0     (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:>

2. Log in as the Partition Security Officer.
Type role login -name Partition SO

lunacm:> role login -name Partition SO

        Please attend to the PED.

Respond to SafeNet PED prompts...

Command Result : No Error

lunacm:>

3. Switch on the activation policy for the partition. Policy 22 is the activation policy; -value 1 switches it on.
Type partition changePolicy -slot <slot number> -policy <policy number> -value <policy value>

lunacm:> partition changePolicy -slot 0 -policy 22 -value 1

Command Result : No Error

lunacm:>

4. Log in as the Partition Crypto User.
Type role login -name Crypto User

lunacm:> role login -name Crypto User

        Please attend to the PED.

Respond to SafeNet PED prompts...

If the PED prompts for the black PED Key during the Crypto User login, substitute the gray-labeled PED Key, as appropriate.

Command Result : No Error

lunacm:>
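As an added example, not part of the SafeNet documentation or of the lunacm tool, the following Python script parses a saved lunacm session transcript like the ones above and checks that the activation steps ran in the required order (Partition SO login, policy 22 switched on, Crypto User login) and that each command returned No Error. It assumes the prompt and "Command Result" line formats shown on this page; the transcript it uses is constructed.

```python
import re

# Constructed sample transcript modelled on the sessions shown above (not captured from a real HSM).
SAMPLE_TRANSCRIPT = """\
lunacm:> slot set -slot 0
Command Result : No Error
lunacm:> role login -name Partition SO
        Please attend to the PED.
Command Result : No Error
lunacm:> partition changePolicy -slot 0 -policy 22 -value 1
Command Result : No Error
lunacm:> role login -name Crypto User
Command Result : No Error
lunacm:>
"""

PROMPT = re.compile(r"^lunacm:>\s*(.*\S)\s*$")          # a command typed at the lunacm prompt
RESULT = re.compile(r"^Command Result\s*:\s*(.+?)\s*$")  # the status line that closes each command


def parse_transcript(text):
    """Pair every lunacm command with the 'Command Result' line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RESULT.match(line)
        if m and pending is not None:
            records.append((pending, m.group(1)))
            pending = None
    return records


def check_cu_activation(records, slot):
    """Return the problems found; an empty list means the transcript matches the procedure."""
    problems = [f"command failed: {cmd} ({res})" for cmd, res in records if res != "No Error"]
    ok = [cmd.lower() for cmd, res in records if res == "No Error"]  # successful commands, in order

    def first(cmd):  # index of the first successful occurrence of cmd, or None
        return next((i for i, c in enumerate(ok) if c == cmd), None)

    so_login = first("role login -name partition so")
    policy = first(f"partition changepolicy -slot {slot} -policy 22 -value 1")
    cu_login = first("role login -name crypto user")
    if policy is None:
        problems.append(f"activation policy 22 was not switched on for slot {slot}")
    elif so_login is None or so_login > policy:
        problems.append("policy 22 changed without a preceding Partition SO login")
    if cu_login is None or (policy is not None and cu_login < policy):
        problems.append("Crypto User did not log in after policy 22 was set")
    return problems
```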

Once the partition activation policy is set, logging in as the Crypto User role is sufficient to cache the CU gray PED Key credential. From then on, your application only needs to present the partition challenge secret (password) whenever it requires access. The CU credential remains cached until the HSM loses power or you explicitly log out as CU; it is re-cached the next time the CU logs in.

Note: You can stop the automatic caching of the CU credential by having the Partition SO switch off the activation policy (22); however, doing so also ends activation of the Crypto Officer role, if that was in effect.

When the CO and CU roles were created, we said you could log in and start using the partition for cryptographic operations by your application(s). Now, with activation in place, you can log in once and put your CO black PED Key or your CU gray PED Key away in a safe place, and the cached credentials will continue to allow your application(s) to open and close sessions and perform their operations within those sessions.

For SafeNet Network HSM and for SafeNet PCIe HSM, you can also set partition policy 23 on (-value 1), for Autoactivation, which goes one step further and preserves the cached credentials through power outages up to 2 hours in duration. Autoactivation does not exist for SafeNet USB HSM; therefore policy 23 cannot be switched on.