Activate a PED-Authenticated Partition

In this section, the Partition SO configures the partition to allow Activation (caching of the authentication credential). Once the Activation policy is set, credentials are cached the next time the Crypto Officer or Crypto User logs in. This allows the Crypto Officer or Crypto User to log in once using their PED key, and open and close subsequent sessions using only a challenge secret (password). The Partition SO can optionally allow Auto-Activation, which preserves the cached PED credentials in the event of a restart or a brief power outage (up to 2 hours). For more information, see Activation and Auto-Activation on PED-Authenticated Partitions in the Administration Guide.

The Partition SO must set an initial challenge secret for the Crypto Officer, and the Crypto Officer must set one for the Crypto User. See the correct section below for your user role:

>Partition SO

>Crypto Officer

>Crypto User [Optional]

Partition SO

These instructions are for the Partition SO. They assume that:

>You are running LunaCM on a SafeNet Luna HSM Client host computer containing, or connected to, an HSM with an application partition.

>The partition has at least a Crypto Officer role initialized. If the Crypto User role is also initialized, activation will be enabled for both roles.

To enable activation of a PED-authenticated application partition:

1.Set the active slot to the desired application partition.

lunacm:>slot set -slot <slotnum>

lunacm:> slot set -slot 0
 
        Current Slot Id:    0     (Luna User Slot 7.1.0 (PED) Signing With Cloning Mode)
 
Command Result : No Error

2.Log in as the Partition Security Officer.

lunacm:>role login -name po

3.Set partition policy 22: Allow activation for the partition.

lunacm:>partition changepolicy -policy 22 -value 1

lunacm:> partition changePolicy -policy 22 -value 1 
 
Command Result : No Error

4.[Optional] Set partition policy 23: Allow auto-activation for the partition. Auto-activation preserves the cached PED credentials across a restart or a brief power outage (up to 2 hours), which means the partition comes back activated without anyone re-presenting a PED key; enable it only where that is acceptable.

lunacm:>partition changepolicy -policy 23 -value 1

lunacm:> partition changePolicy -policy 23 -value 1
 
Command Result : No Error

You can confirm the new values with partition showpolicies, which lists the current setting of each partition policy, including 22 and 23.

5.Create an initial challenge secret for the Crypto Officer.

lunacm:>role createchallenge -name co

lunacm:>role createchallenge -name co
 
        Please attend to the PED.
 
        enter new challenge secret: ********
        re-enter new challenge secret: ********
 
Command Result : No Error

6.Provide the initial challenge secret to the Crypto Officer by secure means. The CO will need to change the challenge secret before using the partition for any crypto operations.

7.Log out as Partition SO.

lunacm:>role logout

Once policy 22 is set, the black CO PED key credential is cached the next time the CO logs in. From that point on, only the CO partition challenge secret is required to access the partition. The CO credential remains cached until the HSM loses power (unless auto-activation, policy 23, is enabled), or until the role is explicitly deactivated with the command role deactivate. The credential is re-cached the next time the CO logs in with the PED key.

NOTE   The Partition SO can stop automatic caching of the CO and CU credentials at any time by disabling partition policy 22: Allow activation (setting its value to 0).

Crypto Officer

These instructions are for the Crypto Officer. Ensure that you have the initial challenge secret provided by the Partition SO.

To activate the Crypto Officer role on an application partition:

1.Log in to the partition as the Crypto Officer. When prompted, enter the initial challenge secret, then present the black CO PED key when the PED asks for it.

lunacm:>role login -name co

lunacm:>role login -n co
 
        enter password: ********
 
        Please attend to the PED.
 
Command Result : No Error

The Crypto Officer PED secret is cached, and the role is now activated.

2.If you have not already done so on a previous login, change the initial CO PED secret (the black PED key, referred to as the primary credential). By default, the initial PED secret provided by the Partition SO must be changed on first login. If HSM policy 21: Force user PIN change after set/reset is set to 0 (off), you can continue to use the PED secret provided.

lunacm:>role changepw -name co

lunacm:> role changepw -name co

        This role has secondary credentials.
        You are about to change the primary credentials.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed


Command Result : No Error

3.Change the initial CO challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the black PED key (primary credential).

lunacm:>role changepw -name co -oldpw <initial_challenge> -newpw <new_challenge>

lunacm:>role changepw -name co -oldpw password -newpw Pa$$w0rd
 
        This role has secondary credentials.
        You are about to change the secondary credentials.
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now ->proceed
 
        Please attend to the PED.
 
Command Result : No Error

4.[Optional] Create an initial challenge secret for the Crypto User.

lunacm:>role createchallenge -name cu

lunacm:>role createchallenge -name cu
 
        Please attend to the PED.
 
        enter new challenge secret: ********
        re-enter new challenge secret: ********
 
Command Result : No Error

5.[Optional] Provide the initial challenge secret to the Crypto User by secure means. The CU will need to change the challenge secret before using the partition for any crypto operations.

6.Log out as Crypto Officer.

lunacm:>role logout

With activation in place, you can log in once and put your black CO PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.

Crypto User [Optional]

These instructions are for the Crypto User. Ensure that you have the initial challenge secret provided by the Crypto Officer.

To activate the Crypto User role on an application partition:

1.Log in to the partition as the Crypto User. When prompted, enter the initial challenge secret, then present the gray CU PED key when the PED asks for it.

lunacm:>role login -name cu

lunacm:>role login -n cu
 
        enter password: ********
 
        Please attend to the PED.
 
Command Result : No Error

2.Change the initial CU challenge secret. You must include the -oldpw option to indicate that you wish to change the challenge secret (referred to as the secondary credential), rather than the gray PED key (primary credential).

lunacm:>role changepw -name cu -oldpw <initial_challenge> -newpw <new_challenge>

lunacm:>role changepw -name cu -oldpw password -newpw Pa$$w0rd
 
        This role has secondary credentials.
        You are about to change the secondary credentials.
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now ->proceed
 
        Please attend to the PED.
 
Command Result : No Error

With activation in place, you can log in once and put your gray CU PED key away in a safe place. The cached credentials will allow your application(s) to open and close sessions and perform their operations within those sessions.