Partition Roles and Procedures
All cryptographic operations take place on an application partition. This partition is created on the HSM by the HSM SO and assigned to a registered client over a network (see Partitions). Partition roles allow the partition to function as an independent virtual HSM, with its own Security Officer and users. This design provides more flexibility in meeting the security needs of your organization. Personnel holding the roles described below must have administrative access to a client workstation with a partition assigned to it and SafeNet Luna HSM Client installed. They do not require SSH access to LunaSH on the SafeNet Luna Network HSM appliance.
The partition-level roles are as follows:
Partition Security Officer (PO)
The Partition SO handles all administrative and configuration tasks on the application partition, including:
>Initializing the partition, setting the PO credential, and setting a cloning domain for the partition (see Configure Application Partitions)
>Configuring partition policies (see Partition Capabilities and Policies)
>Initializing the Crypto Officer role (see Initializing the Crypto Officer Role)
>Activating the partition (see Activation and Auto-Activation on PED-Authenticated Partitions)
Managing the Partition SO Role
Refer also to the following procedures to manage the PO role:
>Logging In to the Application Partition
>Changing a Partition Role Credential
Crypto Officer (CO)
The Crypto Officer is the primary user of the application partition and the cryptographic objects stored on it. The Crypto Officer has the following responsibilities:
>Creating, deleting, and modifying cryptographic objects via user applications
>Performing cryptographic operations via user applications
>Managing backup and restore operations for partition objects (see Backup and Restore HSMs and Partitions)
>Create and configure HA groups (see Setting Up an HA Group)
>Initializing the Crypto User role (see Initializing the Crypto User Role)
Managing the Crypto Officer Role
Refer also to the following procedures to manage the CO role:
>Logging In to the Application Partition
>Changing a Partition Role Credential
Crypto User (CU)
The Crypto User is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can create only public objects. This role is useful in that it provides limited access; the Crypto Officer is the only role that can make significant changes to the contents of the partition. The Crypto User has the following capabilities:
>Performing operations like encrypt/decrypt and sign/verify using objects on the partition
>Creating and backing up public objects (see Backup and Restore HSMs and Partitions)
Managing the Crypto User Role
Refer also to the following procedures to manage the CU role:
>Logging In to the Application Partition