Activation and Auto-Activation on PED-Authenticated Partitions
By default, PED-authenticated partitions require that a PED key and PED PIN be provided each time a user or application authenticates to the HSM. For some use cases, such as key vaulting, it may be desirable to require a physical key to access the HSM. For most application use cases, however, it is impractical to require this credential every time.
To address this limitation, you can enable partition policy 22: Allow activation on PED-authenticated HSM partitions. When partition policy 22 is enabled, the PED key secret for the CO or CU role is cached on the HSM the first time you authenticate. Clients can then connect to the partition without presenting the PED key. All that is required to authenticate is the PED challenge secret (password) for the activated role.
NOTE Activation requires that a challenge secret is set for the role you want to activate. If the role does not have a challenge secret, you will continue to be prompted for the PED key, regardless of the policy setting.
Activation is not a big advantage for clients that connect and remain connected. It is an indispensable advantage in cases where clients repeatedly connect to perform a task and then disconnect or close the cryptographic session following completion of each task.
Tamper events and activation/auto-activation
When a tamper event occurs, or if an uncleared tamper event is detected on reboot, the cached PED key data is zeroized, and activation/auto-activation is disabled. See Tamper Events and Partition Capabilities and Policies for more information.
Enabling Activation on a Partition
Activation is controlled by partition policy 22: Allow activation. The Partition SO can set this policy in LunaCM, using the partition changepolicy command. When partition policy 22 is enabled, the HSM checks for the following conditions each time the Crypto Officer (CO) or Crypto User (CU) perform an action that requires authentication:
>Is PED key secret for the role cached on the HSM?
>Has a challenge secret been created for the role?
The HSM responds as follows:
> If the PED key secret is not currently cached, you are prompted for the PED key. The PED key secret is cached when you provide the PED key.
> If the PED key secret is already cached, but a challenge secret has not been created for the role, you are prompted for the PED key.
After the role is activated and a challenge secret is set, the PED key is no longer required for that role to login to the partition, and it can be stored safely. The CO or CU can connect to the partition and perform role-specific operations from any registered client, using only the PED challenge password.
To enable activation on an application partition:
1.Log in to the partition as the Partition SO.
role login -name Partition SO
2.Enable partition policy 22: Allow activation.
partition changepolicy -slot <slot number> -policy 22 -value 1
Activating a Role
After enabling partition policy 22, activate the CO and/or CU roles on the partition. You must set a PED challenge password for each role you want to activate. The Partition SO must set the initial challenge secret for the Crypto Officer, who must set it for the Crypto User. The role will become activated the first time the role logs in to the partition.
To activate a role (Partition SO):
1.Ensure that partition policy 22: Allow activation is enabled (set to 1):
partition showpolicies
If it is not set, log in as the Partition SO and use the partition changepolicy command to enable the policy, as described in Enabling Activation on a Partition.
2.Create an initial challenge secret for the Crypto Officer.
role createchallenge -name co
lunacm:>role createchallenge -name co
Please attend to the PED.
enter new challenge secret: ********
re-enter new challenge secret: ********
Command Result : No Error
3.Provide the initial challenge secret to the Crypto Officer by secure means. The CO will need to change the challenge secret before using the partition for any crypto operations.
4.Log out as Partition SO.
role logout
To activate a role (Crypto Officer):
1.Login as Crypto Officer (or enter any command that requires authentication).
role login -name co
lunacm:>role login -n co
enter password: ********
Please attend to the PED.
Command Result : No Error
The Crypto Officer PED secret is cached, and the role is now activated.
2.If you have not already done so on a previous login, change the initial CO PED secret. By default, the PED secret provided by the Partition SO expires after the initial login. If HSM policy 21: Force user PIN change after set/reset is set to 0 (off), you can continue to use the PED secret provided.
role changepw -name co
lunacm:> role changepw -name co This role has secondary credentials. You are about to change the primary credentials. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed Command Result : No Error
3.Change the initial CO challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the black PED key (primary credential).
role changepw -name co -oldpw <initial_challenge> -newpw <new_challenge>
lunacm:>role changepw -name co -oldpw password -newpw Pa$$w0rd
This role has secondary credentials.
You are about to change the secondary credentials.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Please attend to the PED.
Command Result : No Error
4.[Optional] Create an initial challenge secret for the Crypto User.
role createchallenge -name cu
lunacm:>role createchallenge -name cu
Please attend to the PED.
enter new challenge secret: ********
re-enter new challenge secret: ********
Command Result : No Error
5.[Optional] Provide the initial challenge secret to the Crypto User by secure means. The CU will need to change the challenge secret before using the partition for any crypto operations.
6.Log out as Crypto Officer.
role logout
With activation in place, you can log in once and put your black CO PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.
To activate a role (Crypto User):
1.Login to the partition as the Crypto User. When prompted, enter the initial challenge secret.
role login -name cu
lunacm:>role login -n cu
enter password: ********
Please attend to the PED.
Command Result : No Error
2.If you have not already done so on a previous login, change the initial CU PED secret. By default, the PED secret provided by the Crypto Officer expires after the initial login. If HSM policy 21: Force user PIN change after set/reset is set to 0 (off), you can continue to use the PED secret provided.
role changepw -name cu
lunacm:> role changepw -name cu This role has secondary credentials. You are about to change the primary credentials. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed Command Result : No Error
3.Change the initial CU challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the gray PED key (primary credential).
role changepw -name cu -oldpw <initial_challenge> -newpw <new_challenge>
lunacm:>role changepw -name cu -oldpw password -newpw Pa$$w0rd
This role has secondary credentials.
You are about to change the secondary credentials.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Please attend to the PED.
Command Result : No Error
With activation in place, you can log in once and put your gray CO PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.
Deactivating a Role on an Activated Partition
An activated role on a partition remains activated until one of the following actions occurs:
>You explicitly deactivate the role using the LunaCM role deactivate command. The role is deactivated until the next time you perform an action (such as role login) that requires authentication for the role, at which time the authentication credential is re-cached.
>Power is lost to the HSM. You can use auto-activation to automatically reactivate a partition after a short power loss, if desired. See Auto-Activation.
To deactivate a role on a partition (Partition SO):
1.Enter the following command to deactivate an activated role on a partition:
role deactivate -name <role>
This deletes the cached authentication credential for the role. The next time a login or activation is performed, the credential is re-cached.
2. If you wish to disable activation entirely, so that credentials are not re-cached at the next login, the Partition SO can disable partition policy 22: Allow activation.
partition changepolicy -policy 22 -value 0
3.If partition policy 22 is disabled, auto-activation is also disabled (even though partition policy 23: Allow auto-activation is set to 1). When partition policy 22 is enabled again, auto-activation resumes. To turn off auto-activation, you must disable partition policy 23.
partition changepolicy -policy 23 -value 0
Auto-Activation
Auto-activation enables PED key credentials to be cached even in the event of a restart or a short power outage (up to 2 hours). Clients can re-connect and continue using the application partition without needing to re-authenticate using a PED key.
The ability to auto-activate a partition is controlled by partition policy 23: Allow auto-activation. To enable auto-activation, the Partition SO can use the LunaCM partition changepolicy command to set partition policy 23 to 1.
When partition policy 23 is enabled, auto-activation is set for the partition the first time an activated role (CO or CU) logs in. If the authentication data requires refreshing, the PED prompts you for the appropriate black or gray PED key and PIN. Once login is complete, the PED credential is cached, and the client can begin using the activated application partition.
To auto-activate an application partition (Partition SO):
1.Ensure that partition policy 22: Allow activation is enabled.
2.Login to the partition as Partition SO.
role login -name po
3.Set partition policy 23: Allow auto-activation to 1.
partition changepolicy -policy 23 -value 1
Auto-activation will begin for each affected role (CO or CU) the next time the role is authenticated.