role login

Logs the named user into the partition at the current slot.

For password-authenticated HSMs, the entire credential is the password. You can enter your password visibly on-screen with the -password option, or wait to be prompted after pressing enter. Passwords entered at the prompt are masked by asterisks (*). This is the administrative password (Crypto Officer or Crypto User), and it is also the same password that is presented by your application program when it performs cryptographic operations on the application partition.

For multifactor quorum-authenticated HSMs, the authentication is the black PED key and the password/challenge for Crypto Officer, or the gray PED key and the password/challenge for Crypto User.

NOTE   The Luna PED screen prompts for a black PED key for any of


>"Crypto Officer",

>"Limited Crypto Officer",

>"Crypto User".

The Luna PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED keys. You differentiate by how you label, and how you use, a given physical key that the Luna PED sees as "black" (once it has been imprinted with a secret).

>If Partition Policy 22: Allow activation is not set (value = 0), then the black PED key and the password/challenge are both required for each login, including those initiated by your application program.

>If Partition Policy 22: Allow activation is set (value = 1 see partition changepolicy), then the PED key secret is cached, and only the password/challenge string is required for each subsequent login. That is, if the partition is activated, you are not prompted to respond to the PED. At that point, your application program can authenticate with just the password/challenge string, as if the HSM was password-authenticated.

Activation (caching of the PED key secret) persists until you explicitly deactivate (see role deactivate) or until the HSM is restarted or loses power.

CAUTION!   If too many bad login attempts are made against a role, the appropriate security policy for that role is enacted. For example, three bad attempts to log into the HSM SO role causes all HSM contents to be zeroized. Too many attempts on the Crypto Officer role causes that role to be locked out until reset by the Partition Security Officer. The bad-login count is reset by a successful login. For the Auditor role, if the bad login attempt threshold is exceeded, the HSM locks out that role for 60 seconds. The output of role show, during that time, gives a status of "Locked out". However, role show continues to show a state of "Locked out" even after the lockout time has expired; the displayed status does not reset until after a successful login.

PKCS#11 permits one role to be logged into a slot, per session. If a role is logged in, and you attempt to log in as a different role, the HSM presents an error message like USER_ALREADY_LOGGED_IN, indicating that some other user role is logged into the current slot via the current session. If you need to log in, your options are:

>Log out the other user and log in as the desired user, in the current session,


>Launch another session (lunacm or other tool), select the slot, and log in from there.


role login -name <role> [-password <password>]

Argument(s) Shortcut Description
-name <role> -n

Specifies the name of the role that is logging in. Use the command role list to see the roles available on the partition.

Note: If you specify multiple users (for example role login -n Crypto Officer -n Partition SO, the last one entered (in this example, Partition SO), is used.

-password <password> -p Specifies the password for the role. Omit this parameter to be prompted for a password, which will be obscured by * characters when entered.


lunacm:> role list
        Roles                (short)
        Partition SO            po
        Crypto Officer          co 
        Limited Crypto Officer  lco   
        Crypto User             cu

Command Result : No Error

lunacm:>role login -name po

        Please attend to the PED.

Command Result : No Error