Appliance Users and Roles

The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. A controlled access policy is defined by:

>the set of users with valid login credentials for the appliance, the HSM and the application partition

>the actions each user is allowed to perform when logged in (the user's role)

For example, an access policy that adheres to the PKCS#11 standard requires two roles: the security officer (SO), who administers the user account(s), and the standard user, who performs cryptographic operations. When a user logs in to the HSM, they can perform only those functions that are permitted for their role.

Configuration and maintenance tasks on the Luna Network HSM appliance (including network setup, file management, and system monitoring) are completed by executing commands in the LunaSH command line interface.

When you log in to LunaSH via SSH or a serial connection, the set of available commands depends on the role assigned to your user account. Appliance roles are defined by their associated command privileges. Clear separation of duties is beneficial to a secure production environment and allows you to easily delegate responsibilities according to your organization's needs. For optimal security, assign each user the lowest-level role necessary to fulfill their responsibilities.

Managing Appliance Users and Roles

Refer to the following procedures to manage appliance roles:

>Logging In to LunaSH

>Enabling/Disabling Appliance User Accounts

>Changing Appliance User Passwords

>Creating Custom Appliance User Accounts

>Creating Custom Appliance Roles

>Creating a One-Step NTLS Registration Role

>Backing Up/Restoring the Appliance User Role Configuration

>Recovering the Admin Account Password

>Name, Label, and Password Requirements

Default Appliance Users and Roles

The default Luna Network HSM appliance user accounts are named after their respective default roles. You cannot delete the default user accounts. For a comprehensive list of the LunaSH commands available to the default roles, see LunaSH Command Summary.

By default, only the admin and recover user accounts are active. The default password for all accounts is "PASSWORD" (see Logging In to LunaSH).

admin

The admin user is the highest-level default user account. This user (or a custom user assigned an admin role) has access to the full set of LunaSH commands (except some specialized audit commands) and can perform all configuration and maintenance tasks on the Luna Network HSM appliance. Users with an admin role can also activate or deactivate the other default user accounts, reset their passwords to default, and create custom user accounts and roles.

The admin role is required to access LunaSH commands for configuring and maintaining the HSM within the appliance, so the HSM Security Officer must be assigned an admin role to fulfill all HSM SO responsibilities (see HSM Security Officer (SO)).

operator

The operator user is a limited-access default user account that can perform most configuration and maintenance tasks on the Luna Network HSM appliance. For example, the operator cannot perform the following procedures:

>activating or deactivating other roles on the appliance or resetting passwords

>backup/restore of the LunaSH user configuration

>regenerating the NTLS certificate on the appliance

>setting TLS ciphers

This user (or a custom user assigned an operator role) cannot access HSM configuration commands. While it is possible for a user with an operator role to log in to the HSM using the HSM SO credential, many of the commands required by the HSM SO are inaccessible. It is therefore not recommended to assign an operator role to the HSM SO.

The operator user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).

monitor

The monitor user is an information-only default user account that can observe the appliance and HSM status. This user (or a custom user assigned a monitor role) has access to only those LunaSH commands that present information about the Luna Network HSM, including current HSM policies, created partitions, registered clients, and appliance settings. The monitor role cannot affect the appliance or HSM in any way.

The monitor user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).

audit

The audit user is the account used by the HSM Auditor to log in to the appliance and access the HSM audit logging functions. This user (or a custom user assigned an audit role) has access to a unique subset of commands that configure audit logging, as well as some informational commands, and commands to manage the audit user's account and files. The Auditor credential is required for some commands, and therefore the Auditor must be assigned an audit role on the appliance to fulfill all Auditor responsibilities (see Auditor (AU)).

The audit user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).

recover

The recover user account's only function is to reset the password for the admin user. This account cannot access any LunaSH commands, and there is no recover role that can be assigned to a custom user. The recover account cannot be locked out, and its default password does not expire.

As a security measure, recover can log in via the local serial connection only. The admin user's account password can be changed remotely by anyone who already knows it, but the admin user's password cannot be arbitrarily reset unless the person doing so has physical access to the appliance, to make the serial connection. See Recovering the Admin Account Password.

Custom Appliance Users and Roles

If the default set of users and roles do not conform to your organization's specific security profile, you can customize the user configuration on your Luna Network HSM appliance to fit your needs. This system of users and roles gives you complete control over how your Luna Network HSM is accessed.

Custom User Accounts

LunaSH allows you to create custom, named user accounts. These users are assigned one of the default appliance roles, or a custom role that you create. For example, the following user configuration options are available:

>Multiple admin-level users, each with a different name

>Multiple operator-level users (or none), each with a different name

>Multiple monitor-level users (or none), each with a different name

>Multiple audit-level users (or none), each with a different name

>Multiple custom users, each with a different name, with custom roles defined by the users' responsibilities

Named user accounts can be useful in distinguishing the actions of different people in the logs. For example, a user named john executing the command syslog tail in LunaSH would appear in the April 13 log as:

Apr 13 14:17:15 172 -lunash: Command: syslog tail  : john : 192.20.10.133/3107

If you have personnel performing similar functions at physically separate locations, or assigned to teams or shifts for 24-hour coverage, it could be useful (or required by your security auditors) be able to show which specific person performed which actions on the system.

See Creating Custom Appliance User Accounts.

Custom Roles

You can also create custom roles with access to a specified subset of LunaSH commands. This allows you to delegate specific tasks to personnel according to your organization's security structure. Like the default roles, a custom role is defined by the commands it can access in LunaSH. When a custom role is assigned to any existing user, that user can see and use only those commands associated with the role. This ensures that a given user does not obtain access beyond their security clearance. The admin user can create custom roles, assign them to users, or revoke them as required.

See Creating Custom Appliance Roles.

Security of LunaSH User Accounts

In most cases anticipated by the design and target markets for Luna Network HSM, both the Luna Network HSM appliance and any computers that make network connections for administrative purposes would reside inside your organization's secure premises, behind well-maintained firewalls. Site-to-site connections would be undertaken via VPN. Therefore, attacks on the shell account(s) would normally not be an issue.

However, if your application requires placing the Luna Network HSM appliance in an exposed position (e.g., in a cloud implementation), your shell account(s) may be vulnerable to attackers. It is your responsibility to protect your sensitive data.

Some recommendations for enhancing your security include using strong passwords, changing the SSH port number from its default, or using certificate-based authentication.