Creating Custom Appliance User Accounts

TIP   This page concerns authentication and management of roles that govern network administrative access to the appliance.

That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:

>for Luna PCIe HSM 7 installed in a workstation that you provide, and

>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.

On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements. See hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login, among the other administrative operations available on the SSH-accessible appliance command path or through the equivalent REST APIs, as well as the client-side equivalents in LunaCM: partition init, partition login, partition logout, and the partition role commands.

LunaSH allows you to create custom, named user accounts on the Luna Network HSM 7 appliance. These users are assigned one of the standard appliance roles, or a custom role that you create (see Creating Custom Appliance Roles). Use this procedure to create custom user accounts.

To create a custom user account

1.Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin or a custom user with an admin role (see Logging In to LunaSH).

2.Create the custom user account by specifying a name.

LunaSH user names are 1-32 characters long, drawn from the letters a-z and A-Z, the digits 0-9, the dash, the dot, and the underscore:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._
Spaces are not allowed, and a user name cannot begin with a dot, a dash, or a digit. User names must be unique on the appliance, regardless of role.

lunash:> user add -username <username>

lunash:>user add -username james

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]


Command Result : 0 (Success)

3.Assign a role to the new user account.

lunash:> user role add -username <username> -role <rolename>

lunash:>user role add -username james -role admin


User james was successfully modified.


Command Result : 0 (Success)

The user of this account can now log in to LunaSH with the account name and the initial password set when the account was created (earlier appliance software releases assigned new accounts the default password "PASSWORD"). Treat that initial password as a one-time credential and have the user replace it at first login; before handing the account over, confirm that it exists with the intended role using user list. See Logging In to LunaSH.
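The following script is an added example, not part of the Thales documentation or the appliance software. It applies the user-name rules above to a batch of candidate accounts before any of them reach the appliance, and prints the two LunaSH commands (user add, then user role add) for each account that passes. The account names and the batch itself are constructed for illustration; it does not contact an appliance and cannot check uniqueness, which only user list on the appliance can confirm.

```bash
#!/usr/bin/env bash
# Added example: offline pre-validation of LunaSH user names plus generation
# of the matching LunaSH commands. Not Thales code; nothing here talks to an
# appliance. Paste the printed lines into a LunaSH session yourself.

LC_ALL=C   # keep the A-Z / a-z ranges strictly ASCII regardless of locale

# validate_lunash_username NAME
# Returns 0 if NAME satisfies the documented rules, 1 otherwise:
#   - 1 to 32 characters
#   - only letters, digits, dash, dot, underscore (so no spaces)
#   - first character is not a dot, a dash, or a digit
validate_lunash_username() {
    local name="$1"
    [ -n "$name" ] || return 1                 # empty
    [ "${#name}" -le 32 ] || return 1          # too long
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;         # character outside the allowed set
        [.0-9-]*)          return 1 ;;         # forbidden leading character
    esac
    return 0
}

# lunash_user_commands NAME ROLE
# Prints the LunaSH command pair that creates NAME and assigns ROLE.
# ROLE is a standard appliance role (e.g. admin) or a custom role you
# created; its spelling is not validated here.
lunash_user_commands() {
    local name="$1" role="$2"
    if ! validate_lunash_username "$name"; then
        printf 'rejected: %q is not a legal LunaSH user name\n' "$name" >&2
        return 1
    fi
    printf 'user add -username %s\n' "$name"
    printf 'user role add -username %s -role %s\n' "$name" "$role"
}

# Constructed batch of name:role pairs (assumed values, not from the page).
# The last two entries are deliberately illegal: a leading dot, and a space.
batch_demo() {
    local entry name role
    for entry in james:admin ops-team.lead_2:admin .hidden:admin "1st user:admin"; do
        name="${entry%%:*}"
        role="${entry#*:}"
        lunash_user_commands "$name" "$role" || true   # keep going after a rejection
    done
}

# Only run the demo when executed directly, not when sourced for its functions.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    batch_demo
fi
```

Running the script prints user add / user role add lines for james and ops-team.lead_2 and a rejection for the other two on stderr; the rejection for "1st user" triggers on the leading digit before the space is even considered.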