Creating Custom Appliance Roles

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access, management, and use of the cryptographic module and its application partitions, are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init , hsm login, and partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, and audit changePwd, audit login among the various other administrative operations on the SSH-accessible appliance command path, or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.

LunaSH allows you to create custom roles that can be assigned to custom users, to specify exactly which commands that user is able to access. This allows you to delegate specific tasks to personnel according to your organization's security needs. An admin-level user can use the following procedure to create custom roles.

See LunaSH Command Summary for a complete list of available commands. Thales recommends using the following template file to create your custom role; simply delete all commands that you want to restrict:

NOTE   The template file (CustomRoleTemplate.txt), as provided here, contains multiple commands that are not available in all versions of LunaSH -- you must delete the commands that do not apply to your version of the Luna Appliance Software.

For example, the cluster and keyring commands are available only if you have installed the lnh_cluster package; presence of other commands depends on the HSM firmware version, and the appliance software version, being new enough to support a given command and the related functionality.

If you include commands that are not available in your installed version of LunaSH, the returned output for user role import lists the commands that prevent you from creating the role.


TIP   Lettercase/spelling is important when creating a role definition file. If you adjust an existing role file, to add some commands, we recommend that you do so by copy/pasting from the above template sample file, to ensure that commands you add are correct.

If your role definition file is rejected, it could be

>because you included some commands for a newer appliance software or cryptographic module firmware version that supports additional commands not supported in your appliance's or crypto module's version as installed, or

>because you included some commands for features that need separate package installation, that are not on the current appliance or its crypto module, or

>because you included some commands with typographical errors, including incorrect lettercase.

The rejection message will identify the commands that were not acceptable for any of those reasons, allowing you to correct the issue. Failure of user role commands.

The following commands allow you to import, add, or remove a custom user role to your Luna Network HSM 7 appliance:

>user role import

>user role add

>user role delete

NOTE   The commands that can be recruited for this operation include all those available to the appliance admin user, or roles subordinate to admin.(*)

The appliance audit user is not a subordinate role under admin, and those commands cannot be included in a custom role definition file.

(* Availability of commands also depends on whether or not a command exists in the particular appliance or the cryptographic module within the appliance. Thus an older software or firmware version might not include commands that were introduced in later versions. Similarly, some commands might be present only if specific optional secure packages are installed. In either case the attempt to import a role definition file with unavailable commands would be rejected. Rejection can also occur if commands in a role definition file are misspelled or do not have exact lettercase. The rejection message will name any rejected commands to help you troubleshoot.)

To create a custom appliance role and assign it to a user

1.Create a text file on your local workstation that lists each command that you want the role to be able to access (the role definition file), one command per line.

For example, if you wanted the user Alex to be able to perform backup operations on your HSM but not restore operations, you would create a role definition file including partition backup and token backup commands, and not partition restore.

NOTE   All lines must end with a UNIX-style linefeed (lf) character. If you create your file in Windows, be sure to convert it to use UNIX line endings before transferring it to an HSM appliance.

2. Transfer the role definition file to the appliance using pscp or scp. You require the Luna Network HSM 7 appliance admin password (or an account with an admin role) to complete this step. The file is automatically placed in the appropriate directory on the appliance; do not specify a target directory.

3.Log into LunaSH as admin (or the user you specified when transferring the file).

4.Import the role definition file and specify a name for the new role.

LunaSH role names can be 1-255 characters in length. The following characters are allowed:
No spaces are allowed. Creating a role name that begins with a number is not recommended. As with any secure system, no two roles can have the same name.

lunash:> user role import -file <filename> -role <rolename>

lunash:>user role import -file backuprole -role backup

"backuprole" was successfully imported.

Command Result : 0 (Success)

5.Create the user account that you want to assign the role to, if it does not already exist.

lunash:> user add -username <username>

6.Assign the role to the desired user.

lunash:> user role add -username <username> -role <rolename>