Initializing the Crypto Officer and Crypto User Roles

The following procedures will allow you to initialize the Crypto Officer (CO) and Crypto User (CU) roles and set an initial credential.

As of Luna Appliance Software 7.7.1 (and newer), in addition to creating an application partition, the administrator (HSM SO) can also initialize the partition, creating the PSO role. The administrator can then use the new PSO credential on that partition to initialize the Crypto Officer role. The Crypto User role is still created from the client side, via lunacm.

Initializing the Crypto Officer Role

The Crypto Officer (CO) is the primary user of the application partition and the cryptographic objects stored on it. The Partition Security Officer (PO) must initialize the CO role and assign an initial credential.

To initialize the Crypto Officer role from the Client via lunacm

1.In LunaCM, log in to the partition as Partition SO (see Logging In to the Application Partition).

lunacm:> role login -name po

2.Initialize the Crypto Officer role. If you are using a password-authenticated partition, specify a CO password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable black PED key available. Refer to Creating PED keys for details on creating PED keys.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

lunacm:> role init -name co

3.Provide the CO credential to your designated Crypto Officer.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. See Changing a Partition Role Credential.

To initialize the Crypto Officer role from the Network appliance via lunash

The following steps assume that the Network HSM administrator has created the partition (partition create) and has initialized the partition (partition init), thus initializing the PSO role for that partition.

1.In LunaSH, log in to the HSM as SO if you are not already logged in.

lunash:> hsm login

2.Initialize the Crypto Officer role, providing the partition name, the PSO credential (already created) for that partition, and the credential for the CO that is being created. If you are using a password-authenticated partition, specify a CO password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable black PED key available. Refer to Creating PED keys for details on creating PED keys.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~
The following characters are invalid or problematic and must not be used in passwords: "&;<>\`|
Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.

lunash:> partition init co -partition <partition name> -psopin <PSO'spassword> -copin <CO's password>

(Text credentials presented at the command line are ignored for multifactor quorum-authenticated HSMs.)

3.Provide the CO credential to your designated Crypto Officer.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the credential before any other actions are permitted. This is done from a registered client, via lunacm commands -- see Changing a Partition Role Credential.

Any crypto operations, as well as initialization of the Crypto User role, performed by the CO, are done from a registered client via a suitable API, or lunacm commands, respectively.

Initializing the Crypto User Role

The Crypto User (CU) is an optional role that can perform cryptographic operations using partition objects in a read-only capacity, but can only create public objects. The Crypto Officer must initialize the CU role and assign an initial credential.

To initialize the Crypto User role

1.In LunaCM, log in to the partition as Crypto Officer (see Logging In to the Application Partition).

lunacm:> role login -name co

2.Initialize the Crypto User role. If you are using a password-authenticated partition, specify a CU password. If you are using a multifactor quorum-authenticated partition, ensure that you have a blank or rewritable gray PED keys available. Follow the instructions on the Luna PED screen. Refer to Creating PED keys for details on creating PED keys.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

lunacm:> role init -name cu

3.Provide the CU credential to your designated Crypto User.

NOTE   If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CU must change the credential before any other actions are permitted. See Changing a Partition Role Credential.