Initialize the Crypto User Role on a PW-Authenticated Partition

These instructions assume:

>A password-authenticated SafeNet Luna Network HSM has been initialized

>An application partition has been created

>A Crypto Officer has been created for the partition

>The Crypto Officer password has been conveyed to the person responsible for the Crypto Officer role. See Initialize the Partition SO and Crypto Officer Roles on a PW-Auth Partition.

As Crypto Officer, you can:

>Create a Crypto User (limited access user) for the application partition.

>Create, delete, change and manipulate cryptographic objects on the application partition, either for your own use or for use by the Crypto User.

To initialize the Crypto User role

1.Set the active slot to the desired application partition, where the Crypto Officer was just created.

lunacm:>slot set -slot <slotnum>

2.Log in as the Crypto Officer. You can also use the shortcut co.

lunacm:>role login -name Crypto Officer

NOTE   The password for the Crypto Officer role is valid for the initial login only. You must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when you perform role-dependent actions.

3.If you have not already done so, change the initial password set by the Partition SO.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

lunacm:>role changepw -name co

4.Create the Crypto User. You can also use the shortcut cu.

lunacm:>role init -name Crypto User

NOTE   The password for the Crypto User role is valid for the initial login only. The CU must change the initial password using the command role changepw during the initial login session, or a subsequent login. Failing to change the password will result in a CKR_PIN_EXPIRED error when they perform role-dependent actions.

The Crypto User can now login with the credentials provided by the Crypto Officer, and change the initial password. The Crypto User can now use applications to perform cryptographic operations using keys and objects created in the partition by the Crypto Officer.


Customer Support Portal

SafeNet Luna Network HSM 7.4 Product Documentation  16 December 2019  Copyright 2001-2019 Thales. All rights reserved.