Initialize the Partition SO and Crypto Officer Roles on a PED-Auth Partition

These instructions assume a PED-authenticated SafeNet Luna PCIe HSM has been initialized, and an application partition has been created.

You will need:

a blue Partition SO PED key (new, or an imprinted key you intend to re-use)
a red Domain PED key (new, or the imprinted key for the cloning domain this partition must join)
a black Crypto Officer PED key

These instructions assume that you have already decided, for each step, whether to use all-new, blank PED keys or to re-use existing, imprinted PED keys.

To initialize the Partition SO and Crypto Officer roles:

Step 1: Initialize the Partition SO role

Have a blue Partition SO PED key and a red Domain PED key ready. (The HSM SO's own blue key is not used in this procedure; the partition gets its own Partition SO key.)

1.Set the active slot to the uninitialized application partition:

lunacm:>slot set -slot <slotnum>

lunacm:> slot set -slot 0
 
        Current Slot Id:    0     (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)
 
Command Result : No Error

2.Initialize the application partition. This imprints the partition's blue Partition SO PED key and the red cloning domain PED key (or reads them, if you are re-using imprinted keys). Any objects already on the partition are destroyed.

lunacm:>partition init -label <par_label>

lunacm:>par init -label myLunapar
 
        You are about to initialize the partition.
        All partition objects will be destroyed.
 
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now -> proceed
 
        Please attend to the PED.

Respond to Luna PED prompts...

Command Result : No Error

Step 2: Initialize the Crypto Officer role

The SO of the application partition can now assign the first operational role within the new partition. Have a black Crypto Officer PED key ready.

1.First, log in as Partition SO. You can also use the shortcut po in place of the full role name.

lunacm:>role login -name Partition SO

2.Initialize the Crypto Officer role. You can also use the shortcut co.

lunacm:>role init -name Crypto Officer

lunacm:> role init -name co

        Please attend to the PED.

Respond to Luna PED prompts...

Command Result : No Error

3.The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. Therefore, you must log out to allow the Crypto Officer to log in.

lunacm:>role logout

NOTE   If HSM policy 21: Force user PIN change after set/reset is set to 1 (the default setting), the Crypto Officer must change the initial CO credential before using the partition for cryptographic operations. This applies to the activation challenge secret as well (see role changepw in the LunaCM Command Reference Guide).
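A scripted rollout of the steps above should not trust a run just because it finished. As an added example (not part of the Luna documentation and not a lunacm feature), the following Python checks a saved lunacm transcript in the output format shown on this page: every command must end with "Command Result : No Error", the slot selected in Step 1 must be the intended slot and must report PED authentication, and role init must only appear while the Partition SO is logged in. The transcript below is constructed from the page's own output; the "(PED)" token in the slot description is assumed to be how lunacm labels a PED-authenticated slot, by analogy with the "(PW)" label for a password-authenticated one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample transcript in the lunacm output format shown on this page.
# "(PED)" is assumed to be how lunacm labels a PED-authenticated slot.
SAMPLE_TRANSCRIPT = """\
lunacm:> slot set -slot 0
        Current Slot Id:    0     (Luna User Slot 7.0.1 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> par init -label myLunapar
        You are about to initialize the partition.
        All partition objects will be destroyed.
        Type 'proceed' to continue, or 'quit' to quit now -> proceed
        Please attend to the PED.
Command Result : No Error
lunacm:> role login -name po
        Please attend to the PED.
Command Result : No Error
lunacm:> role init -name co
        Please attend to the PED.
Command Result : No Error
lunacm:> role logout
Command Result : No Error
"""

CMD_RE = re.compile(r"^lunacm:>\s*(?P<cmd>.+?)$")
RESULT_RE = re.compile(r"^Command Result\s*:\s*(?P<result>.+?)$")
SLOT_RE = re.compile(r"Current Slot Id:\s*(?P<slot>\d+)\s*\((?P<desc>.*)\)$")
SO_LOGIN_RE = re.compile(r'-name\s+"?(po|partition so)"?(\s|$)')


@dataclass
class CommandRecord:
    command: str                          # text after the lunacm:> prompt
    output: list[str] = field(default_factory=list)
    result: str | None = None             # text after "Command Result :"


def parse_transcript(text: str) -> list[CommandRecord]:
    """Split a lunacm transcript into one record per command."""
    records: list[CommandRecord] = []
    current: CommandRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            current = CommandRecord(m.group("cmd"))
            records.append(current)
        elif current is not None and line:
            m = RESULT_RE.match(line)
            if m:
                current.result = m.group("result")
            else:
                current.output.append(line)
    return records


def slot_auth_mode(record: CommandRecord) -> tuple[int, str] | None:
    """Return (slot id, 'PED' | 'PW' | 'unknown') from a 'slot set' record."""
    for line in record.output:
        m = SLOT_RE.search(line)
        if m:
            desc = m.group("desc")
            mode = "PED" if "(PED)" in desc else "PW" if "(PW)" in desc else "unknown"
            return int(m.group("slot")), mode
    return None


def check_init_transcript(text: str, expected_slot: int) -> list[str]:
    """Return a list of problems; an empty list means the run looks sound."""
    problems: list[str] = []
    records = parse_transcript(text)

    # 1. Every command must have completed with "No Error".
    for rec in records:
        if rec.result != "No Error":
            problems.append(f"'{rec.command}' ended with: {rec.result}")

    # 2. The active slot must be the intended one and PED-authenticated.
    slot_recs = [r for r in records if r.command.startswith("slot set")]
    info = slot_auth_mode(slot_recs[0]) if slot_recs else None
    if info is None:
        problems.append("no 'slot set' output found; cannot confirm the target slot")
    else:
        slot, mode = info
        if slot != expected_slot:
            problems.append(f"active slot is {slot}, expected {expected_slot}")
        if mode != "PED":
            problems.append(f"slot {slot} reports authentication mode {mode}, not PED")

    # 3. 'role init' is only valid while the Partition SO (po) is logged in.
    so_logged_in = False
    for rec in records:
        cmd = rec.command.lower()
        if cmd.startswith("role login") and SO_LOGIN_RE.search(cmd):
            so_logged_in = True
        elif cmd.startswith("role logout"):
            so_logged_in = False
        elif cmd.startswith("role init") and not so_logged_in:
            problems.append(f"'{rec.command}' issued without a Partition SO login")
    return problems


if __name__ == "__main__":
    for line in check_init_transcript(SAMPLE_TRANSCRIPT, expected_slot=0) or ["OK"]:
        print(line)
```

Feed it the captured session (for example, lunacm output redirected to a file) and treat any returned problem as a reason to stop before handing the partition to the Crypto Officer; the slot-mode check in particular catches the case where the active slot is a password-authenticated partition rather than the PED-authenticated one this procedure targets.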

Step 3 (OPTIONAL): Enable Partition activation

Activation allows the Crypto Officer's or Crypto User's PED credential to be cached on the HSM once that role has logged in with its PED key; subsequent sessions for the role are then opened and closed with the challenge secret (password) alone, with no PED prompt. Only the Partition SO can enable it, by setting partition policy 22 (Allow activation) while logged in as Partition SO.

For more about activation, see Activation and Auto-Activation on PED-Authenticated Partitions in the Administration Guide.

Once the Crypto Officer has logged in and changed the initial credential set by the Partition SO, applications that present the CO's challenge secret (password) can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete cryptographic objects within the partition, and use existing objects (for example, to sign and verify). You can also create a limited-capability role, the Crypto User, that can use the objects created by the Crypto Officer but cannot modify them. This separation of roles matters in security regimes and operational situations where you must satisfy audit criteria for industry or government oversight.

The next sequence of configuration actions is performed by the Crypto Officer, just now created for the application partition. See Initialize the Crypto User Role on a PED-Authenticated Partition.