TIP This page concerns authentication and management of roles that govern network administrative access to the appliance.
That is, access, management, and use of the HSM and its application partitions, are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:
>for Luna PCIe HSM installed in a workstation that you provide, and
>for the same HSM inside a Luna Network HSM appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.
On the appliance, the HSM has its own separate and distinct authentication roles and requirements; see hsm init , hsm login, and partition init, partition init co, partition init cu, partition createchallenge, partition changepw, partition activate, and audit changepwd, audit login among the various other administrative operations on the SSH-accessible appliance command path, or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.
The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. A controlled access policy is defined by:
>the set of users with valid login credentials for
>the actions each user is allowed to perform when logged in (the user's role)
For example, an access policy that adheres to the PKCS#11 standard requires two roles: the security officer (SO), who administers the user account(s), and the standard user, who performs cryptographic operations. When a user logs in to the HSM, they can perform only those functions that are permitted for their role.
Configuration and maintenance tasks on the Luna Network HSM appliance (including network setup, file management, and system monitoring) are completed by executing commands in the LunaSH command line interface.
When you log in to LunaSH via SSH or a serial connection, the set of available commands depends on the role assigned to your user account. Appliance roles are defined by their associated command privileges. Clear separation of duties is beneficial to a secure production environment and allows you to easily delegate responsibilities according to your organization's needs. For optimal security, assign each user the lowest-level role necessary to fulfill their responsibilities.
Managing Appliance Users and Roles
Refer to the following procedures to manage appliance roles:
Default Appliance Users and Roles
The default Luna Network HSM appliance user accounts are named after their respective default roles. You cannot delete the default user accounts. For a comprehensive list of the LunaSH commands available to the default roles, see LunaSH Command Summary.
By default, only the admin and recover user accounts are active. The default password for all accounts is "PASSWORD" (see Logging In to LunaSH).
The admin user is the highest-level default user account. This user (or a custom user assigned an admin role) has access to the full set of LunaSH commands (except some specialized audit commands) and can perform all configuration and maintenance tasks on the Luna Network HSM appliance. Users with an admin role can also activate or deactivate the other default user accounts, reset their passwords to default, and create custom user accounts and roles.
The admin role is required to access LunaSH commands for configuring and maintaining the HSM within the appliance, so the HSM Security Officer must be assigned an admin role to fulfill all HSM SO responsibilities (see HSM Security Officer (SO)).
The operator user is a limited-access default user account that can perform most configuration and maintenance tasks on the Luna Network HSM appliance. For example, the operator cannot perform the following procedures:
>activating or deactivating other roles on the appliance or resetting passwords
>backup/restore of the LunaSH user configuration
>regenerating the NTLS certificate on the appliance
>setting TLS ciphers
This user (or a custom user assigned an operator role) cannot access HSM configuration commands. While it is possible for a user with an operator role to log in to the HSM using the HSM SO credential, many of the commands required by the HSM SO are inaccessible. It is therefore not recommended to assign an operator role to the HSM SO.
The operator user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).
The monitor user is an information-only default user account that can observe the appliance and HSM status. This user (or a custom user assigned a monitor role) has access to only those LunaSH commands that present information about the Luna Network HSM, including current HSM policies, created partitions, registered clients, and appliance settings. The monitor role cannot affect the appliance or HSM in any way.
The monitor user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).
The audit user is the account used by the HSM Auditor to log in to the appliance and access the HSM audit logging functions. This user (or a custom user assigned an audit role) has access to a unique subset of commands that configure audit logging, as well as some informational commands, and commands to manage the audit user's account and files. The Auditor credential is required for some commands, and therefore the Auditor must be assigned an audit role on the appliance to fulfill all Auditor responsibilities (see Auditor (AU)).
The audit user account must be activated by an admin user before it can log in to LunaSH (see Enabling/Disabling Appliance User Accounts).
The recover user account's only function is to reset the password for the admin user. This account cannot access any LunaSH commands, and there is no recover role that can be assigned to a custom user. The recover account cannot be locked out, and its default password does not expire.
As a security measure, recover can log in via the local serial connection only. The admin user's account password can be changed remotely by anyone who already knows it, but the admin user's password cannot be arbitrarily reset unless the person doing so has physical access to the appliance, to make the serial connection. See Recovering the Admin Account Password.
Custom Appliance Users and Roles
If the default set of users and roles do not conform to your organization's specific security profile, you can customize the user configuration on your Luna Network HSM appliance to fit your needs. This system of users and roles gives you complete control over how your Luna Network HSM is accessed.
Custom User Accounts
LunaSH allows you to create custom, named user accounts. These users are assigned one of the default appliance roles, or a custom role that you create. For example, the following user configuration options are available:
>Multiple admin-level users, each with a different name
>Multiple operator-level users (or none), each with a different name
>Multiple monitor-level users (or none), each with a different name
>Multiple audit-level users (or none), each with a different name
>Multiple custom users, each with a different name, with custom roles defined by the users' responsibilities
Named user accounts can be useful in distinguishing the actions of different people in the logs. For example, a user named john executing the command syslog tail in LunaSH would appear in the April 13 log as:
Apr 13 14:17:15 172 -lunash: Command: syslog tail : john : 220.127.116.11/3107
If you have personnel performing similar functions at physically separate locations, or assigned to teams or shifts for 24-hour coverage, it could be useful (or required by your security auditors) be able to show which specific person performed which actions on the system.
You can also create custom roles with access to a specified subset of LunaSH commands. This allows you to delegate specific tasks to personnel according to your organization's security structure. Like the default roles, a custom role is defined by the commands it can access in LunaSH. When a custom role is assigned to any existing user, that user can see and use only those commands associated with the role. This ensures that a given user does not obtain access beyond their security clearance. The admin user can create custom roles, assign them to users, or revoke them as required.
NOTE The commands that can be recruited for this operation include all those available to the appliance admin user, or roles subordinate to admin.
The appliance audit user is not a subordinate role under admin, and those commands cannot be included in a custom role definition file.
Security of LunaSH User Accounts
In most cases anticipated by the design and target markets for Luna Network HSM, both the Luna Network HSM appliance and any computers that make network connections for administrative purposes would reside inside your organization's secure premises, behind well-maintained firewalls. Site-to-site connections would be undertaken via VPN. Therefore, attacks on the shell account(s) would normally not be an issue.
However, if your application requires placing the Luna Network HSM appliance in an exposed position (e.g., in a cloud implementation), your shell account(s) may be vulnerable to attackers. It is your responsibility to protect your sensitive data.
Some recommendations for enhancing your security include using strong passwords, changing the SSH port number from its default, or using certificate-based authentication.