Initialize the Partition SO and Crypto Officer Roles on a PW-Auth Partition

These instructions assume a password-authenticated SafeNet Luna Network HSM has been initialized, and an application partition has been created.

Label, Domain, and Password Rules

The partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~

Question marks (?) and double quotation marks (") are not allowed.

Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

On password-authenticated HSMs, the domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string that includes spaces using the -domain option, enclose the string in double quotation marks.

In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used in passwords.

Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.

For more information, refer to Name, Label, and Password Requirements.
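As an added example (not Thales/SafeNet code), the following checker applies the label, domain and password rules above to a candidate string before it is handed to `partition init` or `role init`; the function names and the way violations are reported are my own.

```python
"""Check partition label, cloning domain and password strings against the
rules stated for password-authenticated Luna partitions."""
import string

_ALNUM = string.ascii_letters + string.digits
# Allowed non-alphanumeric characters, copied from the three rule lists above.
ALLOWED = {
    "label":    set(_ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>`~"),
    "domain":   set(_ALNUM + " !@#$%^*-_=+[]{}/:',.~"),
    "password": set(_ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"),
}
MIN_LEN = {"label": 1, "domain": 1, "password": 7}
MAX_LEN = {"label": 32, "domain": 128, "password": 255}


def check(kind: str, value: str) -> list[str]:
    """Return the rule violations for value used as a label, domain or password.
    An empty list means the value is acceptable exactly as given."""
    problems = []
    if len(value) < MIN_LEN[kind]:
        problems.append(f"{kind} must be at least {MIN_LEN[kind]} characters")
    if len(value) > MAX_LEN[kind]:
        # Over-long labels are silently truncated by the HSM; domains and
        # passwords simply exceed their limit.
        verb = "will be truncated to" if kind == "label" else "must not exceed"
        problems.append(f"{kind} {verb} {MAX_LEN[kind]} characters")
    bad = sorted(set(value) - ALLOWED[kind])
    if bad:
        problems.append(f"{kind} contains disallowed character(s): {''.join(bad)!r}")
    if kind == "domain" and value[:1] == " ":
        problems.append("domain must not begin with a space")
    return problems


def effective_label(label: str) -> str:
    """The label the HSM actually stores: anything past 32 characters is dropped."""
    return label[:MAX_LEN["label"]]


def lunacm_arg(value: str) -> str:
    """Quote a value for a -label/-domain/-password option when it contains spaces."""
    return f'"{value}"' if " " in value else value


if __name__ == "__main__":
    # Constructed sample values; none of them come from a real HSM.
    for kind, value in [("label", 'bad"label?'), ("domain", " leading space"),
                        ("password", "short"), ("password", "p@ss w0rd")]:
        print(kind, repr(value), "->", check(kind, value) or "ok")
```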

To initialize the Partition SO and Crypto Officer roles:

Step 1: Initialize the Partition SO role

This step is performed by an Administrator user on the SafeNet Luna Network HSM client workstation. If you are using STC to provide the client-partition link, do not perform this procedure, since you already initialized the partition when configuring the STC link. See Creating an STC Link Between a Client and a Partition for more information.

1. Set the active slot to the uninitialized application partition:

lunacm:>slot set -slot <slotnum>

2. Initialize the application partition to create the partition's Security Officer (SO) and set the initial password and cloning domain:

lunacm:>partition init -label <par_label>

Step 2: Initialize the Crypto Officer role

The SO of the application partition can now assign the first operational role within the new partition.

1. First, log in as Partition SO. You can also use the shortcut po.

lunacm:>role login -name Partition SO

2. Initialize the Crypto Officer role and set the initial password. You can also use the shortcut co.

lunacm:>role init -name Crypto Officer

3. The Partition SO can create the Crypto Officer, but only the Crypto Officer can create the Crypto User. Therefore, you must log out to allow the Crypto Officer to log in with the newly set password.

lunacm:>role logout

NOTE   If HSM policy 21: Force user PIN change after set/reset is set to 1 (the default setting), the Crypto Officer must change the initial CO credential before using the partition for cryptographic operations. This applies to the activation challenge secret as well (see role changepw in the LunaCM Command Reference Guide).

Once the Crypto Officer logs in and changes the initial credential set by the Partition SO, applications using the CO's challenge secret/password can perform cryptographic operations in the partition. The Crypto Officer can create, modify and delete crypto objects within the partition, and use existing crypto objects (sign/verify). You can also create a limited-capability role called Crypto User that can use the objects created by the Crypto Officer, but cannot modify them. The separation of roles is important in some security regimes and operational situations, and where you might be required to satisfy audit criteria for industry or government oversight.

The next sequence of configuration actions is performed by the Crypto Officer, just created for the application partition. See Initialize the Crypto User Role on a PW-Authenticated Partition.