
Initialize the Partition SO and Crypto Officer Roles on a PED-Auth PPSO Partition

These instructions assume a PED-authenticated SafeNet HSM that has been initialized, and that an application partition capable of having its own Security Officer has been created.

You will need:

An HSM that has firmware 6.22.0, or later, and the Per-Partition SO capability installed.

SafeNet PED and PED Keys with labels. These instructions assume that your SafeNet PED is available locally and has a working Remote PED connection to the SafeNet Network HSM.

These instructions assume that you have already decided whether to use all-new, blank PED Keys or to re-use existing, imprinted PED Keys for any of the steps.

Step 1: Initialize the Partition SO role

This step is performed by the root user on the SafeNet HSM client workstation. If you are using STC to provide the client-partition link, do not perform this procedure, since you already initialized the partition when configuring the STC link. See Creating an STC Link Between a Client and a Partition for more information, and skip ahead in this page to Step 2: Initialize the Crypto Officer role.

1. Set the active slot to the created, uninitialized application partition.
   Type slot set -slot <slot number>

lunacm:> slot set -slot 0

        Current Slot Id:    0     (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)


Command Result : No Error

lunacm:> 

 

2. Initialize the application partition to create the partition's Security Officer (SO).
   Type partition init -label <a label>

lunacm:> par init -label ppsopar

        You are about to initialize the partition.
        All partition objects will be destroyed.


        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Please attend to the PED.

 

Respond to SafeNet PED prompts...


Command Result : No Error

lunacm:>

Step 2: Initialize the Crypto Officer role

1. The SO of the application partition can now assign the first operational role within the new partition.
   Type role login -name Partition SO

lunacm:> role login -name Partition SO

        Please attend to the PED.

Command Result : No Error

lunacm:>

 

2. Type role init -name Crypto Officer

lunacm:> role init -name Crypto Officer

        Please attend to the PED.

 

Respond to SafeNet PED prompts...


Command Result : No Error

lunacm:> 

 

3. The application partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. Therefore, the SO must log out to allow the Crypto Officer to log in.
   Type role logout


lunacm:> role logout

Command Result : No Error

lunacm:> 
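As an added check that is not part of this guide or of the lunacm tool, the following Python script parses a captured lunacm session and confirms that the five commands of Steps 1 and 2 ran in the expected order and each reported No Error, so a failed step, or a session that was cut off while waiting at a PED prompt, is caught before you proceed to the Crypto User step. The embedded transcript is constructed for illustration, not captured from a real HSM.

```python
import re

# Constructed sample session (not captured from a real HSM), shaped like the
# lunacm transcripts in the steps above.
SAMPLE_TRANSCRIPT = """lunacm:> slot set -slot 0
        Current Slot Id:    0     (Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> par init -label ppsopar
Command Result : No Error
lunacm:> role login -name Partition SO
Command Result : No Error
lunacm:> role init -name Crypto Officer
Command Result : No Error
lunacm:> role logout
Command Result : No Error
lunacm:>
"""
RESULT_RE = re.compile(r"^Command Result\s*:\s*(.*)$", re.MULTILINE)
EXPECTED_STEPS = [  # the page's five commands, in the order they must run
    r"^slot set -slot \d+$",
    r"^(par|partition) init -label \S+$",
    r"^role login -name Partition SO$",
    r"^role init -name Crypto Officer$",
    r"^role logout$",
]

def parse_session(text):
    """Split a captured lunacm session into (command, result) pairs."""
    entries = []
    for block in text.split("lunacm:>")[1:]:  # text before the first prompt is not a command
        first_line, _, rest = block.partition("\n")
        cmd = first_line.strip()
        if not cmd:                            # trailing empty prompt at end of session
            continue
        m = RESULT_RE.search(rest)
        # A block with no 'Command Result' line (session cut off mid-step) must not pass.
        entries.append((cmd, m.group(1).strip() if m else "NO RESULT"))
    return entries

def check_procedure(text):
    """Return (ok, message); ok only if all five steps ran in order with 'No Error'."""
    entries = parse_session(text)
    if len(entries) != len(EXPECTED_STEPS):
        return False, f"expected {len(EXPECTED_STEPS)} commands, found {len(entries)}"
    for i, ((cmd, result), pattern) in enumerate(zip(entries, EXPECTED_STEPS), 1):
        if not re.match(pattern, cmd):
            return False, f"step {i}: unexpected command '{cmd}'"
        if result != "No Error":
            return False, f"step {i}: '{cmd}' returned '{result}'"
    return True, "Partition SO and Crypto Officer roles initialized"
```

Feed it the text of your own saved lunacm session (for example, a terminal log of Steps 1 and 2) in place of the constructed sample; the first deviation is named so you know which step to repeat.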

 

At this point, the Crypto Officer, or an application using the CO's challenge secret/password, can perform cryptographic operations in the partition as soon as the Crypto Officer logs in with role login -name Crypto Officer. Note that the Crypto Officer can create, modify and delete crypto objects within the partition, in addition to merely using existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer but cannot modify them. This separation of roles is important in some security regimes and operational situations, and where you must satisfy audit criteria for industry or government oversight.

The next sequence of configuration actions is performed by the Crypto Officer just created for the application partition. See Initialize the Crypto User Role on a PED-Auth PPSO Partition.