role login
Logs the named user into the partition at the current slot.
For password-authenticated HSMs, the entire credential is the password. You can enter your password visibly on-screen with the -password option, or wait to be prompted after pressing enter. Passwords entered at the prompt are masked by asterisks (*). This is the administrative password (Crypto Officer or Crypto User), and it is also the same password that is presented by your application program when it performs cryptographic operations on the application partition.
For PED-authenticated HSMs, the authentication is the black PED key and the password/challenge for Crypto Officer, or the gray PED key and the password/challenge for Crypto User.
NOTE The PED screen prompts for a Black PED Key for any of "User", "Crypto Officer", "Limited Crypto Officer", "Crypto User". The PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED Keys. You differentiate by how you label, and how you use, a given physical key that the PED sees as "black" (once it has been imprinted with a secret).
>If Partition Policy 22: Allow activation is not set (value = 0), then the black PED key and the password/challenge are both required for each login, including those initiated by your application program.
>If Partition Policy 22: Allow activation is set (value = 1; see partition changepolicy), then the PED Key secret is cached, and only the password/challenge string is required for each subsequent login. That is, if the partition is activated, you are not prompted to respond to the PED.
At that point, your application program can authenticate with just the password/challenge string, as if the HSM were password-authenticated.
Activation (caching of the PED key secret) persists until you explicitly deactivate (see role deactivate) or until the HSM is restarted or loses power.
CAUTION! If too many bad login attempts are made against a role, the appropriate security policy for that role is enacted.
PKCS#11 permits one role to be logged into a slot, per session. If a role is logged in, and you attempt to log in as a different role, the HSM presents an error message like USER_ALREADY_LOGGED_IN, indicating that some other user role is logged into the current slot via the current session. If you need to log in, your options are:
>Log out the other user and log in as the desired user, in the current session,
or
>Launch another session (lunacm or other tool), select the slot, and log in from there.
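The login rules above (PED key plus password when not activated, password only once Partition Policy 22 has cached the PED secret, cache cleared by deactivate or restart, and one role per PKCS#11 session) can be checked against a small executable model. This is an added teaching model, not Luna HSM or lunacm code; the class names, method names, error strings other than USER_ALREADY_LOGGED_IN, and all credential values are assumptions made for illustration.

```python
"""Executable model of the role login rules for a Luna partition.
Added example: not Luna/lunacm code. Names and credentials are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


class LoginError(Exception):
    """Raised with a PKCS#11-style reason string, e.g. USER_ALREADY_LOGGED_IN."""


@dataclass
class Partition:
    ped_authenticated: bool                    # PED-auth HSM vs password-auth HSM
    policy_22_allow_activation: bool = False   # Partition Policy 22 (value 0/1)
    passwords: dict = field(default_factory=dict)     # role -> password/challenge (constructed)
    ped_secrets: dict = field(default_factory=dict)   # role -> imprinted PED key secret (constructed)
    _cached: set = field(default_factory=set)         # roles whose PED secret is cached (activated)

    def is_activated(self, role: str) -> bool:
        return role in self._cached

    def deactivate(self, role: str) -> None:
        """Explicit 'role deactivate': drop the cached PED secret."""
        self._cached.discard(role)

    def restart(self) -> None:
        """Restart or power loss: activation does not survive."""
        self._cached.clear()


@dataclass
class Session:
    partition: Partition
    logged_in_role: Optional[str] = None

    def login(self, role: str, password: str, ped_key: Optional[str] = None) -> bool:
        p = self.partition
        # PKCS#11: one role per session. A different role is already logged in here.
        if self.logged_in_role is not None and self.logged_in_role != role:
            raise LoginError("USER_ALREADY_LOGGED_IN")
        # The password/challenge is always required, PED-auth or password-auth.
        if password != p.passwords.get(role):
            raise LoginError("PIN_INCORRECT")
        if p.ped_authenticated and not p.is_activated(role):
            # Not activated: the black/gray PED key secret is needed on every login.
            if ped_key is None or ped_key != p.ped_secrets.get(role):
                raise LoginError("PED_KEY_REQUIRED")
            if p.policy_22_allow_activation:
                p._cached.add(role)   # secret cached: partition is now activated for this role
        self.logged_in_role = role
        return True

    def logout(self) -> None:
        self.logged_in_role = None


def try_login(session: Session, role: str, password: str, ped_key: Optional[str] = None) -> str:
    """Return "OK" or the LoginError reason, for scripted checks."""
    try:
        session.login(role, password, ped_key)
        return "OK"
    except LoginError as e:
        return str(e)


if __name__ == "__main__":
    part = Partition(ped_authenticated=True, policy_22_allow_activation=True,
                     passwords={"Crypto Officer": "co-pw"},
                     ped_secrets={"Crypto Officer": "black-key-secret"})
    s = Session(part)
    print(try_login(s, "Crypto Officer", "co-pw"))                      # PED_KEY_REQUIRED
    print(try_login(s, "Crypto Officer", "co-pw", "black-key-secret"))  # OK, now activated
    print(try_login(Session(part), "Crypto Officer", "co-pw"))          # OK, password only
```

Running the model with policy 22 off shows the PED key being demanded on every login, and calling `restart()` after an activated login shows the next password-only login failing again, which matches the persistence rule for activation.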
Syntax
role login -name <role> [-password <password>]
Argument(s) | Shortcut | Description |
---|---|---|
-name <role> | -n | Specifies the name of the role that is logging in. Use the command role list to see the roles available on the partition. Note: If you specify multiple users (for example, role login -n Crypto Officer -n Partition SO), the last one entered (in this example, Partition SO) is used. |
-password <password> | -p | Specifies the password for the role. Omit this parameter to be prompted for a password, which is obscured by * characters when entered. |
Example
lunacm:> role list

Roles (short)
========================
SO              so
Administrator   ad
Auditor         au

Command Result : No Error

lunacm:> role login -name SO

Please attend to the PED.

Command Result : No Error
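When scripting around lunacm, the two pieces of output worth parsing are the `Roles (short)` table from role list and the trailing `Command Result :` line, which is the only reliable signal that a login succeeded or was refused (for instance with USER_ALREADY_LOGGED_IN when another role holds the session). The parser below is an added example, not part of the Luna documentation or of lunacm; the sample output is constructed from the example above with extra roles added, and the exact text of a failed-login result line is an assumption.

```python
"""Parsers for lunacm `role list` output and `Command Result :` lines.
Added example, not lunacm code. Sample outputs are constructed."""
import re

# Constructed sample, modelled on the documented example plus two extra roles.
SAMPLE_ROLE_LIST = """\
lunacm:> role list

Roles (short)
========================
SO                so
Administrator     ad
Crypto Officer    co
Auditor           au

Command Result : No Error
"""

# Constructed sample of a refused login in a session that already holds a login.
# The result-line wording is an assumption; CKR_USER_ALREADY_LOGGED_IN is the PKCS#11 name.
SAMPLE_LOGIN_FAIL = """\
lunacm:> role login -name "Crypto User"

Command Result : 0x100 (CKR_USER_ALREADY_LOGGED_IN)
"""

RESULT_RE = re.compile(r"^Command Result\s*:\s*(.*)$", re.M)


def parse_role_list(text: str) -> dict:
    """Map role name -> shortcut from the `Roles (short)` table.

    Role names may contain spaces ("Crypto Officer"), so the last
    whitespace-delimited token is the shortcut and the rest is the name.
    The table starts after the '====' rule and ends at the first blank line."""
    roles = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        if in_table:
            if not line.strip():
                break
            *name_parts, short = line.split()
            roles[" ".join(name_parts)] = short
    return roles


def command_result(text: str):
    """Return (ok, detail) from the last `Command Result :` line.

    ok is True only for the literal 'No Error'; a missing line is treated
    as failure so a truncated transcript is never read as success."""
    found = RESULT_RE.findall(text)
    if not found:
        return False, "missing"
    detail = found[-1].strip()
    return detail == "No Error", detail


def login_blocked_by_existing_login(text: str) -> bool:
    """True when the result line reports another role already logged in."""
    ok, detail = command_result(text)
    return (not ok) and "USER_ALREADY_LOGGED_IN" in detail


if __name__ == "__main__":
    print(parse_role_list(SAMPLE_ROLE_LIST))
    print(command_result(SAMPLE_ROLE_LIST))
    print(login_blocked_by_existing_login(SAMPLE_LOGIN_FAIL))
```

Treating a missing result line as a failure is deliberate: an automation step that pipes lunacm output and only greps for the absence of an error string will report success on a truncated or empty transcript.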