Enabling/Disabling Appliance User Accounts

TIP: This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

- for Luna PCIe HSM 7 installed in a workstation that you provide, and

- for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements. See hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login, among the various other administrative operations on the SSH-accessible appliance command path or the equivalent REST APIs, as well as the client-side equivalent commands in LunaCM: partition init, partition login, partition logout, and all the partition role commands.

By default, admin is the only active user account on the Luna Network HSM 7 appliance. The other default accounts (operator, monitor, audit) exist and cannot be deleted. The admin account (or a custom user account with an admin role) must first enable them using the procedure below.

To enable a default appliance user account

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Enable the desired account.

lunash:> user enable -username <account_name>

The user of this account can now log in to LunaSH with the account name and default password "PASSWORD". See Logging In to LunaSH.

To disable any appliance user account

1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2. Disable the desired account.

lunash:> user disable -username <username>