Logging In to the Application Partition

Before you can perform administrative tasks on the partition or its stored cryptographic objects, you must log in with the appropriate role:

>Partition Security Officer (specify po for <role>)

>Crypto Officer (specify co for <role>)

>Crypto User (specify cu for <role>)

To log in to the application partition

1.Launch LunaCM on the Luna PCIe HSM host workstation.

2.Set the active slot to the desired partition.

lunacm:> slot set -slot <slotnum>

3.Log in by specifying your role on the partition.

lunacm:> role login -name <role>

You are prompted for the role's credential.

Failed Partition Login Attempts

The consequences of multiple failed login attempts vary by role, depending on the severity of the security risk posed by that role being compromised. This is a security feature meant to thwart repeated, unauthorized attempts to access your cryptographic material.

NOTE   The system must actually receive some erroneous/false information before it logs a failed attempt; if you merely forget to insert a PED key, or insert the wrong color key, that is not counted as a failed attempt. You must insert an incorrect PED key of the correct type, or enter an incorrect PED PIN or challenge secret, to fail a login attempt.

Partition Security Officer

If you fail ten consecutive Partition SO login attempts, the partition is zeroized and all cryptographic objects are destroyed. The Partition SO must re-initialize the partition and Crypto Officer role, who can restore key material from a backup device.

Crypto Officer

If you fail ten consecutive Crypto Officer login attempts, the CO and CU roles are locked out. The default lockout threshold of 10 is governed by partition policy 20: Max failed user logins allowed, and the Partition SO can set this threshold lower if desired (see Partition Capabilities and Policies). Recovery depends on the setting of HSM policy 15: Enable SO reset of partition PIN:

>If HSM policy 15 is set to 1 (enabled), the CO and CU roles are locked out. The Partition SO must unlock the CO role and reset the credential (see Resetting the Crypto Officer , Limited Crypto Officer, or Crypto User Credential).

>If HSM policy 15 is set to 0 (disabled), the CO and CU roles are permanently locked out and the partition contents are no longer accessible. The Partition SO must re-initialize the partition and the Crypto Officer role, who can restore key material from a backup. This is the default setting.

CAUTION!   If this is not the desired outcome, ensure that the HSM SO enables this destructive policy before creating and assigning partitions to clients.

Crypto User

If you fail ten consecutive Crypto User login attempts, the CU role is locked out. The default lockout threshold of 10 is governed by partition policy 20: Max failed user logins allowed, and the Partition SO can set this threshold lower if desired (see Partition Capabilities and Policies). The CO must unlock the CU role and reset the credential (see Resetting the Crypto Officer , Limited Crypto Officer, or Crypto User Credential).