Initializing the Crypto Officer and Crypto User Roles
The following procedures will allow you to initialize the Crypto Officer (CO) and Crypto User (CU) roles and set an initial credential.
Initializing the Crypto Officer Role
The Crypto Officer (CO) is the primary user of the application partition and the cryptographic objects stored on it. The Partition Security Officer (PO) must initialize the CO role and assign an initial credential.
To initialize the Crypto Officer role
1. In LunaCM, log in to the partition as Partition SO (see Logging In to the Application Partition).
lunacm:> role login -name po
2. Initialize the Crypto Officer role.
In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.
lunacm:> role init -name co
3. Provide the CO credential to your designated Crypto Officer.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
Initializing the Crypto User Role
The Crypto User (CU) is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can only create public objects. The Crypto Officer must initialize the CU role and assign an initial credential.
To initialize the Crypto User role
1. In LunaCM, log in to the partition as Crypto Officer (see Logging In to the Application Partition).
lunacm:> role login -name co
2. Initialize the Crypto User role.
In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.
lunacm:> role init -name cu
3. Provide the CU credential to your designated Crypto User.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
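Both procedures above state the same credential rules for LunaCM passwords and challenge secrets: 7-255 characters, the listed character set, no double quotation marks, and double-quoting any value that contains spaces when it is passed with -password. The following Python checker is an added example, not code from Thales or from LunaCM; it encodes those rules so an initial CO or CU credential can be validated before it is handed to the designated person. The function names are my own choice, and the sample secrets in the comments are constructed.

```python
import string
from typing import List

# Character set accepted by LunaCM for passwords and challenge secrets, as
# listed on this page. The space is part of the set. The double quotation
# mark is left out on purpose: the page says it is problematic and should
# not be used, so it is reported as its own violation below.
ALLOWED_CHARS = set(
    string.ascii_letters + string.digits + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
)
MIN_LEN, MAX_LEN = 7, 255


def check_credential(secret: str) -> List[str]:
    """Return the list of rule violations for a proposed credential.

    An empty list means the value satisfies every rule stated on the page.
    """
    problems = []
    if not MIN_LEN <= len(secret) <= MAX_LEN:
        problems.append(f"length {len(secret)} is outside {MIN_LEN}-{MAX_LEN}")
    if '"' in secret:
        problems.append('contains a double quotation mark (")')
    # Anything outside the documented set (other than the quote mark already
    # reported) is listed once, in sorted order, so the report is stable.
    bad = sorted({c for c in secret if c not in ALLOWED_CHARS and c != '"'})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def quote_for_password_option(secret: str) -> str:
    """Render the value to place after -password on a LunaCM command line.

    Spaces are allowed in a credential, but the page requires a value that
    contains spaces to be enclosed in double quotation marks when it is given
    with the -password option. Values without spaces are passed unchanged.
    """
    if " " in secret:
        return f'"{secret}"'
    return secret


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ["Tr0ub4dor&3", "short", 'ab"cdefg', "my secret pw"]:
        issues = check_credential(candidate)
        status = "OK" if not issues else "; ".join(issues)
        print(f"{quote_for_password_option(candidate)!s:20} -> {status}")
```

Run the check on the value you intend to assign in step 2 of either procedure; if it reports no problems, the quoted form returned by quote_for_password_option is what goes after -password. Validation here does not replace the forced change on first login that HSM policy 21 imposes; it only avoids a rejected or mangled initial credential.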