Initializing the Crypto Officer and Crypto User Roles

The following procedures will allow you to initialize the Crypto Officer (CO) and Crypto User (CU) roles and set an initial credential.

Initializing the Crypto Officer Role

The Crypto Officer (CO) is the primary user of the application partition and the cryptographic objects stored on it. The Partition Security Officer (PO) must initialize the CO role and assign an initial credential.

To initialize the Crypto Officer role

1. In LunaCM, log in to the partition as Partition SO (see Logging In to the Application Partition).

lunacm:>role login -name po

2. Initialize the Crypto Officer role (role init). If you are using a password-authenticated partition, specify a CO password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable black PED key available. Refer to Creating PED Keys for details on creating PED keys.

lunacm:>role init -name co

lunacm:> role init -name co

        enter new password: ********

        re-enter new password: ********

Command Result : No Error

3. Provide the CO credential to your designated Crypto Officer.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled, the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.

Initializing the Crypto User Role

The Crypto User (CU) is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can only create public objects. The Crypto Officer must initialize the CU role and assign an initial credential.

To initialize the Crypto User role

1. In LunaCM, log in to the partition as Crypto Officer (see Logging In to the Application Partition).

lunacm:>role login -name co

2. Initialize the Crypto User role (role init). If you are using a password-authenticated partition, specify a CU password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable gray PED key available. Follow the instructions on the Luna PED screen. Refer to Creating PED Keys for details on creating PED keys.

lunacm:>role init -name cu

lunacm:> role init -name cu

        enter new password: ********

        re-enter new password: ********

Command Result : No Error

3. Provide the CU credential to your designated Crypto User.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled, the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.