role createchallenge
Create a challenge secret for the Crypto Officer (CO) or Crypto User (CU) role on the current partition (slot). This command applies to PED-authenticated partitions only.
The challenge secret is a text string (password) that provides an additional level of authentication for PED-authenticated partitions. If you create a challenge secret for a role, the role authenticates to the partition as follows:
- If the role is not activated on the partition, the role must provide both the PED key and the challenge secret to gain access to the partition.
- If the role is activated on the partition, the role is able to access the partition using the challenge secret only.
See Activation on Multifactor Quorum-Authenticated Partitions for more information.
You must be logged in as the Partition SO to create a challenge for the Crypto Officer. You must be logged in as the Crypto Officer to create a challenge for the Crypto User. The target role must already exist. See role init.
NOTE This command is not applicable on DPoD Luna Cloud HSM services.
Passwords
The following characters are allowed:
!#$%'()*+,-./0123456789:=? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
This character set is enforced when using Luna HSM Client 10.8.0 or newer, and recommended for all previous versions. Previously-set passwords and challenge secrets are unaffected, but the new character set is enforced when these passwords are changed.
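Because the client rejects challenge secrets containing characters outside this set (and an interactive, asterisk-masked prompt gives no hint of which character was at fault), it is useful to validate a candidate secret before attempting to set it. The following Python snippet is an added example, not part of the Luna documentation or client; it encodes the character set listed above and reports which characters of a candidate secret fall outside it. It assumes the single space shown in the listing above is a line-wrap artifact and treats the space as disallowed; it does not assume any minimum length, since the page states none.

```python
import string

# Character set this page lists as allowed for passwords and challenge secrets
# (enforced from Luna HSM Client 10.8.0). Assumption: the space that appears in
# the page's listing is a line-wrap artifact, so the space is treated as NOT allowed.
ALLOWED_CHARS = frozenset(
    "!#$%'()*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_"
    "abcdefghijklmnopqrstuvwxyz{}~"
)


def disallowed_chars(secret: str) -> list[str]:
    """Return the distinct characters of `secret` that are outside ALLOWED_CHARS,
    in order of first appearance."""
    seen: list[str] = []
    for ch in secret:
        if ch not in ALLOWED_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def check_challenge_secret(secret: str) -> tuple[bool, str]:
    """Validate a candidate challenge secret against the allowed character set.

    Returns (ok, reason). Only the character-set rule from the page is applied;
    no length or complexity policy is assumed.
    """
    if not secret:
        return False, "challenge secret is empty"
    bad = disallowed_chars(secret)
    if bad:
        return False, "disallowed characters: " + ", ".join(repr(c) for c in bad)
    return True, "ok"


def excluded_punctuation() -> str:
    """Printable ASCII punctuation that is NOT in the allowed set, sorted by code
    point. Handy as a quick reference when generating secrets programmatically."""
    return "".join(sorted(c for c in string.punctuation if c not in ALLOWED_CHARS))


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real secrets.
    for candidate in ("Pa$$w0rd!", "Tr0ub4dor&3", "with space", ""):
        ok, reason = check_challenge_secret(candidate)
        print(f"{candidate!r:16} -> {'OK' if ok else 'REJECT'} ({reason})")
    print("excluded punctuation:", excluded_punctuation())
```

The `excluded_punctuation` helper makes explicit that the shell-sensitive characters `"`, `&`, `;`, `<`, `>`, `\`, `` ` `` and `|` are among those outside the set, which is worth knowing when a secret is generated by a script rather than typed at the prompt.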
Syntax
role createchallenge -name <role> [-challengesecret <string>]
| Argument(s) | Shortcut | Description |
|---|---|---|
| -name <role> | -n | Name of the role for which the challenge is to be created |
| -challengesecret <string> | -c | The challenge secret (password) you wish to create for this role. If this option is not included, you are prompted to enter a challenge secret, masked by asterisks (*). |
Example
lunacm:> role createchallenge -name co

Please attend to the PED.

enter new challenge secret: ********
re-enter new challenge secret: ********

Command Result : No Error