Initialize the Partition SO and Crypto Officer Roles on a PW-Auth Partition

These instructions assume a password-authenticated SafeNet Luna Network HSM has been initialized, and an application partition has been created.

To initialize the Partition SO and Crypto Officer roles:

Step 1: Initialize the Partition SO role

This step is performed by an Administrator user on the SafeNet Luna Network HSM client workstation. If you are using STC to provide the client-partition link, do not perform this procedure, since you already initialized the partition when configuring the STC link. See Creating an STC Link Between a Client and a Partition for more information.

1.Set the active slot to the uninitialized application partition:

lunacm:>slot set -slot <slotnum>

lunacm:> slot set -slot 0
 
        Current Slot Id:    0     (Luna User Slot 7.0.1 (PW) Signing With Cloning Mode)
 
Command Result : No Error

2.Initialize the application partition, to create the partition's Security Officer (SO), and set the initial password and cloning domain.

lunacm:>partition init -label <par_label>

lunacm:>par init -label myLunapar
 
        You are about to initialize the partition.
        All contents of the partition will be destroyed.
 
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now ->proceed
 
        Enter password for Partition SO: ********
        Re-enter password for Partition SO: ********
 
        Option -domain was not specified.  It is required.
 
        Enter the domain name: *********
        Re-enter the domain name: *********
 
Command Result : No Error

Step 2: Initialize the Crypto Officer role

The SO of the application partition can now assign the first operational role within the new partition.

1.First, login as Partition SO. You can also use the shortcut po.

role login -name Partition SO

2.Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.

role init -name Crypto Officer 

lunacm:>role init -name co
 
        enter new password: ********
        re-enter new password: ********
 
Command Result : No Error
 

3.The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. Therefore, you must log out to allow the Crypto Officer to log in with the newly-set password.

role logout

NOTE   The password for the Crypto Officer role is valid for the initial login only. The CO must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

The next sequence of configuration actions is performed by the Crypto Officer, just created for the application partition. See Initialize the Crypto User Role on a PW-Authenticated Partition.


Customer Support Portal

SafeNet Luna Network HSM 7.2 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.