Activation is a cached login state for PED-authenticated HSM application partitions.
A partition on a password-authenticated HSM does not need this, because the password (text string) is the only level of authentication, which can be supplied by an administrative user when required, or by an application needing to perform cryptographic operations.
A PED-authenticated HSM requires both PED Key authentication and the password/challenge secret (text string).
The partition activate command caches a Partition's PED Key data - that is, it caches a login state. Clients can then connect, authenticate with their Partition password, and perform operations with Partition objects, without need for hands-on PED operations each time. This makes it the same action as is done for a partition on a password-authenticated HSM, except that the PED Key operation must have preceded the application's attempt to access the partition with passwords/challenge secrets.
Activation/caching endures until explicitly terminated with partition deactivate or appliance power off. If a Partition has not been activated, then each access attempt by a Client causes a login call which initiates a PED operation (requiring the appropriate black PED Key). Unattended operation is possible while the Partition is activated. It is also possible for administrative users to temporarily suspend client access, without changing the partition password, by simply deactivating the partition (de-caching the PED Key data for that partition).
This action applies to an application partition that is administratively owned by the HSM SO (a.k.a. legacy partitions). Contrast with PPSO partitions, where the HSM SO cannot activate or deactivate an application partition that has its own Security Officer (SO). For SafeNet application partitions that have Partition SO, the partition is accessed via the client connection, and administrative actions like activation and deactivation use commands in the lunacm utility, while the currently selected slot is the partition in question.
If you wish to activate a Partition, then Partition policy number 22 "Allow activation" must be set to "On" for the named partition. Use partition showPolicies to view the current settings and use partition changePolicy to change the setting. The policy shows as "Off" or "On", but to change the policy you must give a numeric value of "0" or "1".
If you wish to automatically activate a Partition, then Partition policy number 23 "Allow auto-activation" can be set to "On" for the named partition. Use partition showPolicies to view the current settings and use partition changePolicy to change the setting. The policy shows as "Off" or "On", but to change the policy you must give a numeric value of "0" or "1". Auto-activation caches the activation authentication data in battery-backed memory so that activation can persist or recover following a shutdown/restart or a power outage of up to 2 hours duration. If Partition Policy 23 is set, then partition activation includes auto-activation. If Partition Policy 23 is not set, then partition activation persists only while the appliance is powered on, and requires your intervention to reinstate activation following a shutdown or power outage.
partition activate -partition <name> [-password <password>] [-cu]
Parameter | Shortcut | Description
---|---|---
-partition | -par | Specifies the name of the HSM partition to activate. Obtain the HSM partition name by using the partition list command.
-password | -pas | Specifies the password needed to access the HSM partition. This is the partition string provided by the SafeNet PED when you created the partition, associated with the partition Owner black PED Key. For password-authenticated HSMs, it is the entire authentication for the named partition. If you omit the password in the command, you are prompted for it.
-cu | -c | Perform the task as the Crypto User. This option is required if you have invoked the Crypto Officer / Crypto User roles and are performing this action as the Crypto User.
lunash:> partition activate -partition b1
Please enter the password for the partition:
> *******
Luna PED operation required to activate partition on HSM - use User or Partition Owner (black) PED key.
'partition activate' successful
Command Result : 0 (Success)
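The policy check described above (policy 22 must be On, policy 23 optionally On, and changePolicy takes a numeric 0/1 while showPolicies displays On/Off) is easy to get wrong by hand. The following Python script is an added example, not SafeNet or lunash code: it parses the text printed by partition showPolicies, decides which policies still need changing, and builds the lunash command lines to run before partition activate. The sample showPolicies output is constructed, and its exact line layout and the -policy/-value parameters of partition changePolicy are assumptions to verify against your appliance. The generated activate command deliberately omits -password so lunash prompts for it instead of the secret landing in a command history.

```python
"""Pre-flight check for ``partition activate`` on a PED-authenticated HSM.

Added example, not SafeNet/lunash code. Assumptions: the showPolicies output
layout below (constructed sample) and the ``-policy``/``-value`` flags of
``partition changePolicy``.
"""
import re

ALLOW_ACTIVATION = 22        # Partition policy 22 "Allow activation"
ALLOW_AUTO_ACTIVATION = 23   # Partition policy 23 "Allow auto-activation"

# Matches lines such as "22: Allow activation : Off" or "22 Allow activation : 1".
_POLICY_LINE = re.compile(
    r"^\s*(\d+)\s*:?\s*([A-Za-z][^:]*?)\s*:\s*(On|Off|[01])\s*$", re.IGNORECASE
)

# Constructed sample of what ``partition showPolicies -partition b1`` might print.
SAMPLE_SHOW_POLICIES = """\
Partition Name: b1
   Policy                        Value
   22: Allow activation        : Off
   23: Allow auto-activation   : Off
"""


def parse_policies(text):
    """Return {policy_number: (description, enabled)} from showPolicies text.

    showPolicies displays On/Off, but some firmware prints 0/1; both are accepted.
    """
    policies = {}
    for line in text.splitlines():
        m = _POLICY_LINE.match(line)
        if not m:
            continue
        num, desc, state = m.groups()
        policies[int(num)] = (desc.strip(), state.lower() in ("on", "1"))
    return policies


def policy_value(enabled):
    """changePolicy wants a numeric 0/1, never the On/Off string showPolicies shows."""
    return 1 if enabled else 0


def activation_plan(partition, policies, want_auto=False):
    """Build the lunash commands needed to activate ``partition``.

    Raises ValueError if policy 22 is absent, because activation cannot be
    enabled without it. Policy 23 is only changed when auto-activation is wanted.
    """
    if ALLOW_ACTIVATION not in policies:
        raise ValueError("policy 22 (Allow activation) not found in showPolicies output")

    cmds = []
    if not policies[ALLOW_ACTIVATION][1]:
        cmds.append(
            f"partition changePolicy -partition {partition} "
            f"-policy {ALLOW_ACTIVATION} -value {policy_value(True)}"
        )
    if want_auto and not policies.get(ALLOW_AUTO_ACTIVATION, ("", False))[1]:
        cmds.append(
            f"partition changePolicy -partition {partition} "
            f"-policy {ALLOW_AUTO_ACTIVATION} -value {policy_value(True)}"
        )
    # No -password here: let lunash prompt so the secret stays out of history.
    cmds.append(f"partition activate -partition {partition}")
    return cmds


if __name__ == "__main__":
    current = parse_policies(SAMPLE_SHOW_POLICIES)
    for cmd in activation_plan("b1", current, want_auto=True):
        print(cmd)
```

Run the script as-is to see the three commands produced for the constructed sample; paste real showPolicies output in place of the sample to get a plan for your own partition. Note that a plan which enables policy 23 will cache the activation data in battery-backed memory, so only ask for auto-activation where unattended recovery after a power loss is actually wanted.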