Partition Roles and Procedures

All cryptographic operations take place on an application partition. This partition is created on the SafeNet Luna PCIe HSM by the HSM SO and is designed to function independently of the Admin partition, with its own Security Officer and users. This provides more flexibility in meeting the security needs of your organization. Personnel holding the roles described below must have administrative access to the SafeNet Luna PCIe HSM host workstation.

The partition-level roles are as follows:

Partition Security Officer (PO)

The Partition SO handles all administrative and configuration tasks on the application partition, including:

>Initializing the partition, setting the PO credential, and setting a cloning domain for the partition (see Initializing an Application Partition)

>Configuring partition policies (see Partition Capabilities and Policies)

>Initializing the Crypto Officer role (see Initializing the Crypto Officer Role)

>Activating the partition (see Activation and Auto-activation on PED-Authenticated Partitions)

Managing the Partition SO Role

Refer also to the following procedures to manage the PO role:

>Logging In to the Application Partition

>Changing a Role Credential

Crypto Officer (CO)

The Crypto Officer is the primary user of the application partition and the cryptographic objects stored on it. The Crypto Officer has the following responsibilities:

>Creating, deleting, and modifying cryptographic objects via user applications

>Performing cryptographic operations via user applications

>Managing backup and restore operations for partition objects (see Backup and Restore)

>Initializing the Crypto User role (see Initializing the Crypto User Role)

Managing the Crypto Officer Role

Refer also to the following procedures to manage the CO role:

>Logging In to the Application Partition

>Changing a Role Credential

Crypto User (CU)

The Crypto User is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can create only public objects. This role is useful in that it provides limited access; the Crypto Officer is the only role that can make significant changes to the contents of the partition. The Crypto User has the following capabilities:

>Performing operations like encrypt/decrypt and sign/verify using objects on the partition

>Creating and backing up public objects (see Backup and Restore)

Managing the Crypto User Role

Refer also to the following procedures to manage the CU role:

>Logging In to the Application Partition

>Changing a Role Credential