Logging In to the Application Partition
Before you can perform administrative tasks on the partition or its stored cryptographic objects, you must log in with the appropriate role:
>Partition Security Officer (specify po for <role>)
>Crypto Officer (specify co for <role>)
>Crypto User (specify cu for <role>)
To log in to the application partition
1.Launch LunaCM on the Luna USB HSM 7
2.Set the active slot to the desired partition.
lunacm:> slot set -slot <slotnum>
3.Log in by specifying your role on the partition.
lunacm:> role login -name <role>
You are prompted for the role's credential.
Failed Partition Login Attempts
The consequences of multiple failed login attempts vary by role, depending on the severity of the security risk posed by that role being compromised. This is a security feature meant to thwart repeated, unauthorized attempts to access your cryptographic material.
NOTE The system must actually receive some erroneous/false information before it logs a failed attempt; if you merely forget to insert the iKey, or insert the wrong color key, that is not counted as a failed attempt. You must insert an incorrect iKey of the correct type, or enter an incorrect PIN or challenge secret, to fail a login attempt.
Partition Security Officer
If you fail ten consecutive Partition SO login attempts, the partition is zeroized and all cryptographic objects are destroyed. The Partition SO must re-initialize the partition and Crypto Officer role, who can restore key material from a backup device.
Crypto Officer
If you fail ten consecutive Crypto Officer login attempts, the CO and CU roles are locked out. But see below for the exception. The default lockout threshold of 10 is governed by partition policy 20: Max failed user logins allowed, and the Partition SO can set this threshold lower if desired (see Partition Capabilities and Policies).
Is recovery possible from lockout or loss of the partition role credential?
Yes, and no, depending on configuration options you might choose.
Separation of roles ensures that,
>while the Partition Crypto Officer (and subsidiary roles) can see and manage the content of an application partition,
>the partition SO cannot access or manage the content of a partition; SO manages at the provisioning and security level for the partition.
If you lose the use of your CO credential, the contents of the partition are no longer accessible. The Partition SO might not be able to help in that situation, for the following reason.
The partition SO cannot just reset the password of the partition CO if you have disallowed it
>If HSM policy 15 is set to 1 (enabled), the CO and CU and LCO roles are temporarily locked out by too many bad authentication attempts. The Partition SO must unlock the CO role and reset the credential (see Resetting the Crypto Officer or Crypto User Credential).
>If HSM policy 15 is set to 0 (disabled), the CO and CU and LCO roles are permanently locked out and the partition contents are no longer accessible. The Partition SO must re-initialize the partition (destroying all contents) and the Crypto Officer role, who can restore key material from a backup. This is the default setting.
NOTE If you have a backup and know its password, you can recover material. If you do not have a backup, or the backup that you have is not secured by a known password, then the material is lost.
CAUTION! If loss of partition contents is not the desired outcome, ensure that the HSM SO enables this destructive policy before creating partitions and assigning to clients.
Crypto User
If you fail ten consecutive Crypto User login attempts, the CU role is locked out. The default lockout threshold of 10 is governed by partition policy 20: Max failed user logins allowed, and the Partition SO can set this threshold lower if desired (see Partition Capabilities and Policies). The CO must unlock the CU role and reset the credential (see Resetting the Crypto Officer or Crypto User Credential).