Initializing the Crypto Officer and Crypto User Roles

The following procedures will allow you to initialize the Crypto Officer (CO) and Crypto User (CU) roles and set an initial credential.

Initializing the Crypto Officer Role

The Crypto Officer (CO) is the primary user of the application partition and the cryptographic objects stored on it. The Partition Security Officer (PO) must initialize the CO role and assign an initial credential.

To initialize the Crypto Officer role

1. In LunaCM, log in to the partition as Partition SO (see Logging In to the Application Partition).

lunacm:> role login -name po

2. Initialize the Crypto Officer role. If you are using a password-authenticated partition, specify a CO password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable black PED key available. Refer to Creating PED Keys for details on creating PED keys.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:> role init -name co

3. Provide the CO credential to your designated Crypto Officer.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.

Initializing the Crypto User Role

The Crypto User (CU) is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can only create public objects. The Crypto Officer must initialize the CU role and assign an initial credential.

To initialize the Crypto User role

1. In LunaCM, log in to the partition as Crypto Officer (see Logging In to the Application Partition).

lunacm:> role login -name co

2. Initialize the Crypto User role. If you are using a password-authenticated partition, specify a CU password. If you are using a PED-authenticated partition, ensure that you have a blank or rewritable gray PED key available. Follow the instructions on the Luna PED screen. Refer to Creating PED Keys for details on creating PED keys.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:> role init -name cu

3. Provide the CU credential to your designated Crypto User.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
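The credential rules stated in step 2 of both the CO and CU procedures (7-255 characters, the listed character set, no double quotation marks, quoting when the value contains spaces) are easy to get wrong when role initialization is scripted. The following helper is an added example, not part of the Luna documentation or of LunaCM; it checks a candidate credential against those rules, renders it for the -password option named above, and generates a compliant initial credential. It assumes role init accepts -password as the page describes.

```python
import secrets
import string

# Character set LunaCM accepts for passwords and challenge secrets, as listed on this page.
ALLOWED_CHARS = frozenset(
    string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
)
MIN_LEN, MAX_LEN = 7, 255


def check_credential(secret: str) -> list[str]:
    """Return the reasons a credential violates the stated LunaCM rules (empty if it passes)."""
    problems = []
    if not MIN_LEN <= len(secret) <= MAX_LEN:
        problems.append(f"length {len(secret)} outside {MIN_LEN}-{MAX_LEN}")
    if '"' in secret:
        # The page singles out double quotation marks as problematic.
        problems.append('contains double quotation mark (")')
    bad = sorted({c for c in secret if c not in ALLOWED_CHARS and c != '"'})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def password_argument(secret: str) -> str:
    """Render the credential for -password: enclosed in double quotes only when it has spaces."""
    problems = check_credential(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return f'"{secret}"' if " " in secret else secret


def role_init_command(role: str, secret: str) -> str:
    """Build the LunaCM 'role init' line for the CO or CU role with a validated credential."""
    if role not in ("co", "cu"):
        raise ValueError("role must be 'co' or 'cu'")
    return f"role init -name {role} -password {password_argument(secret)}"


def generate_credential(length: int = 24) -> str:
    """Generate a random credential from the allowed set, omitting spaces so no quoting is needed.
    Added helper (assumption): it produces a value that satisfies the page's rules, nothing more."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = sorted(ALLOWED_CHARS - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Because HSM policy 21 forces a PIN change after set/reset by default, the generated value is only the handover credential; the CO or CU replaces it at first login.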