Initializing Crypto Officer and Crypto User Roles for an Application Partition
The following procedures will allow you to initialize the Crypto Officer (CO) and Crypto User (CU) roles and set an initial credential.
As of Luna Appliance Software 7.7.1 (and newer), in addition to creating an application partition, the administrator (HSM SO) can also initialize the partition, creating the PSO role. The administrator can then use the new PSO credential on that partition to initialize the Crypto Officer role. The Crypto User role is still created from the client side, via lunacm.
Initializing the Crypto Officer Role
The Crypto Officer (CO) is the primary user of the application partition and the cryptographic objects stored on it. The Partition Security Officer (PO) must initialize the CO role and assign an initial credential.
To initialize the Crypto Officer role using LunaCM on the Luna HSM Client
1. In LunaCM, log in to the partition as Partition SO (see Logging In to the Application Partition).
lunacm:> role login -name po
2. Initialize the Crypto Officer role.
In LunaCM, the following characters are allowed in passwords: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
lunacm:> role init -name co
3. Provide the CO credential to your designated Crypto Officer.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
To initialize the Crypto Officer role using LunaSH on the Luna Network HSM 7
NOTE This command requires Luna Appliance Software 7.8.1 or newer. It cannot be used on STC partitions; the Partition SO must use LunaCM at the client for partition management.
The following steps assume that the Network HSM administrator has created the partition (partition create) and has initialized the partition (partition init), thus initializing the PSO role for that partition. You do not need to log in to initialize the CO, because the command requires you to provide the credential of the Partition Owner/Partition Security Officer that was created at partition initialization.
1. Initialize the Crypto Officer role, providing the partition name, the PSO credential and the credential for the CO that is being created.
In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~
The following characters are invalid or problematic and must not be used within passwords: "&;<>\`|
Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.
lunash:> partition init co -partition <partition name> -psopin <PSO's password> -copin <CO's password>
2. Provide the CO credential to your designated Crypto Officer, if you are not retaining/performing all roles. The CO should then change the credential, unless HSM policy 21 has been unset/disabled (see Note). If you are managing and performing all roles (no separation of responsibilities), then "provide the CO credential" means to provide it to your application(s) that will be using that credential to access the partition for read-write operations.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
Any crypto operations, performed by the CO, are done from a registered client via a suitable API.
Initializing the Crypto User Role
The Crypto User (CU) is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can only create public objects. The Crypto Officer must initialize the CU role and assign an initial credential.
To initialize the Crypto User role using LunaCM on the Luna HSM Client
1. In LunaCM, log in to the partition as Crypto Officer (see Logging In to the Application Partition).
lunacm:> role login -name co
2. Initialize the Crypto User role.
In LunaCM, the following characters are allowed in passwords: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
lunacm:> role init -name cu
3. Provide the CU credential to your designated Crypto User.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
To initialize the Crypto User role using LunaSH on the Luna Network HSM 7
NOTE This command requires Luna Appliance Software 7.8.1 or newer. It cannot be used on STC partitions; the Partition SO must use LunaCM at the client for partition management.
You do not need to log in to initialize the Crypto User because, as part of the command, you supply the credential of the Crypto Officer:
> who already exists (has already been initialized), and
> whose password has been changed from the one that the CO was given when first initialized (unless HSM policy 21 was changed from default).
1. Initialize the Crypto User role.
lunash:> partition init cu -partition <partition name> [-copin <crypto officer credential>] [-cupin <crypto user initial credential>]
2. Provide the CU credential to your designated Crypto User. If you are managing and performing all roles (no separation of responsibilities), then "provide the CU credential" means to provide it to your application(s) that will be accessing the partition for read-only operations.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.
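The following Python script is an added example, not Thales code or part of this page: it encodes the LunaSH and LunaCM credential character rules quoted in the CO and CU procedures above, generates a compliant credential for scripted provisioning, and assembles the LunaSH partition init co / partition init cu lines with the double-quoting the page requires for credentials containing spaces. Function names and sample values are the example's own; the LunaCM check covers only the character set, because this page states no length rule for LunaCM.

```python
import secrets

# Character rules for Luna partition-role credentials, as stated on this page.
LUNASH_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " !@#$%^*()-_=+[]{}/:',.~"
)
LUNASH_INVALID = set('"&;<>\\`|')  # listed as invalid/problematic in LunaSH
LUNACM_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~"
)

def check_lunash_password(pw):
    """Return the rule violations for a LunaSH role password (empty list = acceptable)."""
    problems = []
    if not 8 <= len(pw) <= 255:
        problems.append("length must be 8-255 characters")
    bad = sorted(set(pw) & LUNASH_INVALID)
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    other = sorted(set(pw) - LUNASH_ALLOWED - LUNASH_INVALID)
    if other:
        problems.append("characters outside the allowed set: " + "".join(other))
    return problems

def check_lunacm_password(pw):
    """Return the character-set violations for a LunaCM role password (empty list = acceptable)."""
    problems = []
    if '"' in pw:
        problems.append("double quotation marks are problematic")
    other = sorted(set(pw) - LUNACM_ALLOWED - {'"'})
    if other:
        problems.append("characters outside the allowed set: " + "".join(other))
    return problems

def generate_lunash_password(length=24):
    """Draw a random credential from the LunaSH-allowed set; the space is left out so no quoting is needed."""
    alphabet = sorted(LUNASH_ALLOWED - {" "})
    return "".join(secrets.choice(alphabet) for _ in range(length))

def quote_credential(pw):
    """Enclose the credential in double quotes only when it contains spaces, as the page requires."""
    return f'"{pw}"' if " " in pw else pw

def build_partition_init(role, partition, owner_pin, new_pin):
    """Assemble the LunaSH 'partition init co' or 'partition init cu' line from this page.
    owner_pin is the PSO credential when role is 'co' and the CO credential when role is 'cu'."""
    owner_flag = {"co": "-psopin", "cu": "-copin"}[role]
    new_flag = {"co": "-copin", "cu": "-cupin"}[role]
    return (f"partition init {role} -partition {partition} "
            f"{owner_flag} {quote_credential(owner_pin)} {new_flag} {quote_credential(new_pin)}")
```

Run the check functions on a candidate credential before issuing the command; a non-empty list explains why LunaSH or LunaCM would reject it or why the shell quoting would go wrong.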