Initialize the Crypto User Role on a PED-Authenticated Partition

These instructions assume:

>A PED-authenticated SafeNet Luna Network HSM has been initialized

>An application partition has been created

>A Crypto Officer has been created for the partition

>The Crypto Officer PED key has been conveyed to the person responsible for the Crypto Officer role. See Initialize the Partition SO and Crypto Officer Roles on a PED-Auth Partition.

As Crypto Officer, you can:

>Create a Crypto User (limited access user) for the application partition.

>Create, delete, change and manipulate cryptographic objects on the application partition, either for your own use or for use by the Crypto User.

>Activate the partition for use by applications.

To create a Crypto User for the partition, you will need:

>Luna PED and the black Crypto Officer PED key(s) assigned to you by the SO.

>Blank PED key(s) with labels for the Crypto User that you are about to create.

>A local PED connection.

These instructions assume that you have already made your decisions whether to use all-new, blank PED keys, or to re-use any existing, imprinted PED keys for any of the steps.

To create the Crypto User role on a PED-authenticated application partition:

1. Set the active slot to the desired application partition, where the Crypto Officer was just created.

lunacm:> slot set -slot <slotnum>

2. Log in as the Crypto Officer. You can also use the shortcut co.

lunacm:> role login -name Crypto Officer

Respond to Luna PED prompts...

NOTE   The black Crypto Officer PED key is valid for the initial login only. You must change the initial credential on the key using the command role changepw during the initial login session, or a subsequent login. Failing to change the credential will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

3. If you have not already done so, change the initial credential set by the Partition SO.

lunacm:> role changepw -name Crypto Officer

Respond to Luna PED prompts. You must first present the black Crypto Officer key and PIN created by the Partition SO. When you are prompted to present a new black CO key, you can create a new key, or overwrite the original PED key by:

a. Replying No to "Would you like to reuse an existing keyset?"

b. Pressing Enter (without removing the key) when prompted to present a new black PED key

c. Replying Yes when asked if you want to overwrite the original key.

4. Create the Crypto User. You can also use the shortcut cu. Have a gray Crypto User PED key ready.

lunacm:> role init -name Crypto User

Respond to Luna PED prompts...

NOTE   The gray Crypto User PED key is valid for the initial login only. The CU must change the initial credential on the key using the command role changepw during the initial login session, or a subsequent login. Failing to change the credential will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

The Crypto User can now log in to use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.

It is possible for all three of Partition SO, Crypto Officer, and Crypto User to perform their functions against a SafeNet Luna Network HSM partition from the same SafeNet Luna HSM Client host computer, simply taking turns at the keyboard and the Luna PED. It is also possible to work from different computers, as long as each such computer is a registered user of the partition; that is, a working network trust link (NTL) connection is required for each.

In addition, if those persons and their respective SafeNet Luna HSM Client host computers are not co-located, then they must arrange to share the Remote PED. Either:

>One person maintains the single Remote PED setup, and the others coordinate closely with the PED-keeper whenever authentication to the HSM is required,

or

>All three have their own separate PEDs and PedServer instances, but they must coordinate with the appliance administrator to run hsm ped disconnect to close any current Remote PED channel before running hsm ped connect -ip <new-ip> -port <new-port> to establish a Remote PED session with one of the other PedServers.

Crypto Officer or Crypto User Must Remain Logged In

At this point, the Crypto User, or an application using the CU's challenge secret/password, can perform cryptographic operations in the partition as soon as the Crypto User logs in with role login -name cu. However, any event that causes that session to close, including action by the application, requires the CU to log in again (with the gray PED key) before the application partition can be used again. For an application that maintains an open session, that is not a handicap. For an application that opens a session for each action, performs the cryptographic action, and then closes the session, the CU must be constantly logging in and using the PED and PED key.

To bypass this limitation, use the Activation feature. See Activate a PED-Authenticated Partition.