role login

Logs the named user into the partition at the current slot.

For a Password-authenticated HSM, the entire credential is the password. When using the role login command, you can enter your password on the command line, where it is visible on screen (and in terminal scrollback), or omit it and wait to be prompted after pressing Enter. Passwords entered at the prompt are masked by '*' characters; prefer the prompt wherever the session is shared or recorded. This is the administrative password (Crypto Officer or Crypto User), and it is also the same password that your application program presents when it performs cryptographic operations on the application partition.

For a PED-authenticated HSM, the authentication is the black PED Key plus the password/challenge for Crypto Officer, or the gray PED Key plus the password/challenge for Crypto User. You can create a challenge secret with the command role createChallenge. The challenge secret is needed, in addition to the PED Key secret, for your application to perform cryptographic operations.

If Partition Policy 22: Allow activation is not set (value = 0), then you must present both the black PED Key and the challenge secret for each login, including authentication by your application program.   

If Partition Policy 22: Allow activation is set (value = 1; see partition changepolicy), then the PED Key secret is cached, and you present only the password/challenge string at each subsequent login. That is, if the partition is activated, you are not prompted to respond to the PED. At that point, your application program can authenticate with just the password/challenge string, as if the HSM were Password-authenticated.

Activation (caching of the PED Key secret) persists until you explicitly deactivate (see role deactivate) or until the HSM is restarted or loses power.

CAUTION:  If too many bad login attempts are made against a role, the appropriate security policy for that role is enacted. For example, three bad attempts to log into the HSM SO role causes all HSM contents to be zeroized. Too many attempts on the Crypto Officer role causes that role to be locked out until reset by the SO. The bad-login count is reset by a successful login.

Note:  For the Auditor role, if the bad login attempt threshold is exceeded, the HSM locks out that role for 60 seconds. The output of role show, during that time, gives a status of "Locked out".

However, role show continues to show a state of "Locked out" even after the lockout time has expired; the displayed status does not reset until after a successful login.

Note:  PKCS#11 permits one role to be logged into a slot, per session. If a role is logged in and you attempt to log in as a different role, the HSM returns an error such as USER_ALREADY_LOGGED_IN, indicating that some other user role is logged into the current slot via the current session. If you need to log in, your options are:
- log out the other user and log in as the desired user in the current session, or
- launch another session (lunacm or another tool), select the slot, and log in from there.

Note:  Slots retain login state when current-slot focus changes.

For HSMs with firmware earlier than version 6.22.0, using slot set to move focus from a partition or slot with logged-in session(s) to another partition or slot automatically closed (and thus logged out) any sessions on the original slot.

For HSMs with firmware version 6.22.0 or newer, you can use slot set to shift focus among slots repeatedly, and whatever login state was in force when you were previously focused on a slot is still in effect when you return to it.
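The bad-login counter, per-role lockout policy, one-role-per-session rule and per-slot login state described in the notes above, as an added Python model. This is a constructed illustration for this page, not Luna firmware or lunacm code. The SO threshold of three attempts and the 60-second Auditor lockout come from the text; the Crypto Officer and Auditor thresholds, the sample secrets, and the CKR_PIN_LOCKED and CKR_DEVICE_ERROR codes returned for a locked-out role or a zeroized HSM are assumptions. It also reproduces the role show quirk of reporting "Locked out" until the next successful login, even after a timed lockout has expired.

```python
"""Model of the lunacm role-login rules described above.
Constructed illustration, not Luna firmware or lunacm code. Everything
except the SO's three-attempt threshold and the 60 s Auditor lockout
(both from the page) is an assumption made for the model."""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SO_THRESHOLD = 3               # page: three bad HSM SO logins zeroize the HSM
CO_THRESHOLD = 3               # assumption: real value is set by partition policy
AUDITOR_THRESHOLD = 3          # assumption: real value is set by HSM policy
AUDITOR_LOCKOUT_SECONDS = 60   # page: Auditor is locked out for 60 seconds


@dataclass
class Role:
    name: str
    secret: str
    policy: str            # "zeroize" | "lock_until_reset" | "lock_timed"
    threshold: int
    bad_count: int = 0
    locked: bool = False                  # needs SO reset (Crypto Officer)
    locked_until: Optional[float] = None  # timed lockout expiry (Auditor)
    shows_locked: bool = False            # what 'role show' displays (sticky)


@dataclass
class HSM:
    roles: Dict[str, Role]
    zeroized: bool = False


@dataclass
class Session:
    slot: int = 0
    logged_in: Dict[int, str] = field(default_factory=dict)  # slot -> role


def make_hsm() -> HSM:
    """Constructed sample roles and secrets (not real credentials)."""
    return HSM(roles={
        "SO": Role("SO", "so-secret", "zeroize", SO_THRESHOLD),
        "Crypto Officer": Role("Crypto Officer", "co-secret", "lock_until_reset", CO_THRESHOLD),
        "Auditor": Role("Auditor", "aud-secret", "lock_timed", AUDITOR_THRESHOLD),
    })


def slot_set(sess: Session, slot: int) -> None:
    """Firmware 6.22.0+ behaviour: changing focus keeps each slot's login state."""
    sess.slot = slot


def role_logout(sess: Session) -> None:
    sess.logged_in.pop(sess.slot, None)


def role_login(hsm: HSM, sess: Session, name: str, secret: str,
               now: Optional[float] = None) -> str:
    """Return a PKCS#11-style result code for one login attempt in this session."""
    now = time.time() if now is None else now
    if hsm.zeroized:
        return "CKR_DEVICE_ERROR"        # assumption: nothing left to log into
    role = hsm.roles[name]
    current = sess.logged_in.get(sess.slot)
    if current is not None and current != name:
        # PKCS#11: one role per session; a different role holds this slot's session
        return "CKR_USER_ALREADY_LOGGED_IN"
    if role.locked or (role.locked_until is not None and now < role.locked_until):
        return "CKR_PIN_LOCKED"          # assumption: code used for a locked-out role
    if secret != role.secret:
        role.bad_count += 1
        if role.bad_count >= role.threshold:
            if role.policy == "zeroize":
                hsm.zeroized = True      # SO: HSM contents are gone
            elif role.policy == "lock_until_reset":
                role.locked = True       # CO: stays locked until the SO resets it
            else:
                role.locked_until = now + AUDITOR_LOCKOUT_SECONDS
            role.shows_locked = True
        return "CKR_PIN_INCORRECT"
    # Success: counter reset, stale "Locked out" display cleared,
    # login state recorded against the current slot only.
    role.bad_count = 0
    role.locked_until = None
    role.shows_locked = False
    sess.logged_in[sess.slot] = name
    return "CKR_OK"


def attempts_left(hsm: HSM, name: str) -> int:
    role = hsm.roles[name]
    return role.threshold - role.bad_count


def role_show(hsm: HSM, name: str) -> str:
    """Keeps reporting "Locked out" until a successful login, even after a
    timed lockout has expired, so it cannot be read as a live timer."""
    return "Locked out" if hsm.roles[name].shows_locked else "Not locked"


def so_reset(hsm: HSM, name: str) -> None:
    """SO clears a role that is locked until reset (the Crypto Officer case)."""
    role = hsm.roles[name]
    role.locked = False
    role.bad_count = 0
    role.shows_locked = False
```

Two points the model makes concrete: a second lunacm or application session is an independent PKCS#11 session, so it can log in a different role to the same slot without logging out the first; and a bad-login counter is only cleared by a successful login, so a script that retries a wrong credential against the SO role walks straight to zeroization.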

Syntax

role login -name <name of role> [-password <password>]

Parameter   Shortcut   Description
-name       -n         Specifies the name of the role that is logging in.
                       Note: If you specify multiple roles (for example, role login -n Crypto Officer -n Partition SO), only the last one entered (in this example, Partition SO) is used.
-password   -p         Specifies the password for the role. Omit this parameter to be prompted for the password, which is masked by * characters as you type. A password given on the command line is visible on screen.

Example

Logging in to the administrative slot as the HSM SO
lunacm:> role list

        Roles 
        ============== 
        SO                                  
        Admin User                       
        Auditor            

Command Result : No Error

lunacm:> role login -name SO

        Please attend to the PED.

Command Result : No Error

Logging in to the application partition slot as the Partition SO
lunacm:> role list

        Roles 
        ============== 
        Partition SO                    
        Crypto Officer                  
        Crypto User                     

Command Result : No Error

lunacm:> role login -name Partition SO

        Please attend to the PED.

Command Result : No Error

Bad login attempt as the HSM SO

lunacm:> role login -name SO

        Please attend to the PED.
 Caution: You have only 2 Administrator login attempts left. If you fail 2
 more consecutive login attempts (i.e. with no successful
 logins in between) the HSM will be ZEROIZED!!!

Error in execution: CKR_PIN_INCORRECT.

Command Result : 0xa0 (CKR_PIN_INCORRECT)