Initialize the Crypto User Role on a PW-Authenticated Partition

These instructions assume:

>A password-authenticated SafeNet Luna Network HSM has been initialized

>An application partition has been created

>A Crypto Officer has been created for the partition

>The Crypto Officer password has been conveyed to the person responsible for the Crypto Officer role. See Initialize the Partition SO and Crypto Officer Roles on a PW-Auth Partition.

As Crypto Officer, you can:

>Create a Crypto User (limited access user) for the application partition.

>Create, delete, change and manipulate cryptographic objects on the application partition, either for your own use or for use by the Crypto User.

To initialize the Crypto User role

1. Set the active slot to the desired application partition, where the Crypto Officer was just created.

lunacm:>slot set -slot <slotnum>

lunacm:> slot set -slot 0

        Current Slot Id:    0     (Luna User Slot 7.0.0 (PW) Signing With Cloning Mode)

Command Result : No Error

2. Log in as the Crypto Officer. You can also use the shortcut co.

lunacm:>role login -name Crypto Officer

lunacm:>role login -name co
 
        enter password: ********
 
Command Result : No Error

NOTE   The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

3. If you have not already done so, change the initial password set by the Partition SO.

lunacm:>role changepw -name Crypto Officer

lunacm:>role changepw -name co
 
        enter existing password: ********
        enter new password: ********
        re-enter new password: ********
 
Command Result : No Error

4. Create the Crypto User. You can also use the shortcut cu.

lunacm:>role init -name Crypto User

lunacm:>role init -name cu
 
        enter new password: ********
        re-enter new password: ********
 
Command Result : No Error

NOTE   The password for the Crypto User role is valid for the initial login only. The CU must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

The Crypto User can now log in with the credentials provided by the Crypto Officer and change the initial password. After that, the Crypto User can use applications to perform cryptographic operations with the keys and objects the Crypto Officer created in the partition.
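The following is an added example that models the role lifecycle this procedure walks through; it is not Luna or lunacm code and talks to no HSM. It replays steps 2 to 4 (Crypto Officer login, password change, Crypto User creation) and then shows the two failure modes a practitioner hits in practice: a role-dependent action attempted while the initial password is still in force (CKR_PIN_EXPIRED, as the notes above state) and a Crypto User attempting an object-creating action it is not entitled to. The permission split (CO creates, deletes, changes and uses objects; CU uses them) is taken from the page; the `MODEL_*` result strings, the `Role`/`Partition` classes and the PBKDF2 password storage are assumptions made for the model, not Luna return codes or internals.

```python
"""Model of the Luna Crypto Officer / Crypto User lifecycle (added example, not
Luna or lunacm code). Only CKR_PIN_EXPIRED, CKR_PIN_INCORRECT and
CKR_USER_NOT_LOGGED_IN are real PKCS#11 return codes; MODEL_* values are
placeholders invented for this model."""
import hashlib
import hmac
import os

CKR_OK = "CKR_OK"
CKR_PIN_EXPIRED = "CKR_PIN_EXPIRED"            # named on the page
CKR_PIN_INCORRECT = "CKR_PIN_INCORRECT"
CKR_USER_NOT_LOGGED_IN = "CKR_USER_NOT_LOGGED_IN"
MODEL_NOT_AUTHORIZED = "MODEL_NOT_AUTHORIZED"  # placeholder, not a Luna code
MODEL_ROLE_EXISTS = "MODEL_ROLE_EXISTS"        # placeholder, not a Luna code

# Role-dependent actions each role may perform, from the page's description:
# the CO creates, deletes, changes and uses objects and creates the CU;
# the CU (limited access user) only uses objects the CO created.
PERMISSIONS = {
    "co": {"create", "delete", "change", "use", "init_cu"},
    "cu": {"use"},
}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never keeps a password in clear (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Role:
    def __init__(self, name: str, initial_password: str):
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _digest(initial_password, self.salt)
        self.initial = True        # set by someone else: valid for first login only
        self.logged_in = False

    def login(self, password: str) -> str:
        if not hmac.compare_digest(self.digest, _digest(password, self.salt)):
            return CKR_PIN_INCORRECT
        self.logged_in = True
        return CKR_OK

    def changepw(self, old: str, new: str) -> str:
        """Allowed while the initial password is in force; this is how it is cleared."""
        if not self.logged_in:
            return CKR_USER_NOT_LOGGED_IN
        if not hmac.compare_digest(self.digest, _digest(old, self.salt)):
            return CKR_PIN_INCORRECT
        self.salt = os.urandom(16)
        self.digest = _digest(new, self.salt)
        self.initial = False
        return CKR_OK

    def act(self, action: str) -> str:
        """Any role-dependent action: fails until the initial password is changed."""
        if not self.logged_in:
            return CKR_USER_NOT_LOGGED_IN
        if self.initial:
            return CKR_PIN_EXPIRED
        if action not in PERMISSIONS[self.name]:
            return MODEL_NOT_AUTHORIZED
        return CKR_OK


class Partition:
    """An application partition whose CO was already created by the Partition SO."""

    def __init__(self, co_initial_password: str):
        self.roles = {"co": Role("co", co_initial_password)}

    def role_init(self, actor: Role, name: str, password: str) -> str:
        rc = actor.act("init_cu")          # only a CO with a changed password may do this
        if rc != CKR_OK:
            return rc
        if name in self.roles:
            return MODEL_ROLE_EXISTS
        self.roles[name] = Role(name, password)
        return CKR_OK


def walkthrough() -> dict:
    """Replays steps 2-4 and the failures the notes warn about; passwords are constructed."""
    p = Partition("co-initial")
    co = p.roles["co"]
    r = {}
    r["co_login"] = co.login("co-initial")                  # step 2
    r["co_before_changepw"] = co.act("create")              # CKR_PIN_EXPIRED
    r["co_changepw"] = co.changepw("co-initial", "co-new")  # step 3
    r["cu_init"] = p.role_init(co, "cu", "cu-initial")      # step 4
    cu = p.roles["cu"]
    r["cu_login"] = cu.login("cu-initial")
    r["cu_before_changepw"] = cu.act("use")                 # CKR_PIN_EXPIRED
    r["cu_changepw"] = cu.changepw("cu-initial", "cu-new")
    r["cu_use"] = cu.act("use")                             # CKR_OK
    r["cu_create"] = cu.act("create")                       # limited user: refused
    return r


if __name__ == "__main__":
    for step, rc in walkthrough().items():
        print(f"{step:20s} {rc}")
```

Running the block prints one line per step; the two CKR_PIN_EXPIRED entries are the result of skipping role changepw, and the final refusal is the Crypto User's limited-access boundary.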