Creation

Main menu option: 17 - Create

Creates new users in HSM. Users can be of two types, according to the permissions they receive: User and Operator. The Operator type has all the system permissions. The User type has only the system permissions they have been given.

The creation of a new user implies the creation of the corresponding partition (referenced by the user's own name).

The attributes required to create a new user are:

  1. Type: User (regular user) or Operator (HSM administrator).

  2. Name (User ID): uniquely and globally identifies the user in the HSM; it is also the name that identifies this user's partition to other users. It can be up to 16 characters long and may contain only alphanumeric characters (set a-zA-Z0-9); underscore (_) and dash (-) cannot be used. User IDs are case-sensitive, i.e. uppercase and lowercase characters are distinguished.

  3. Password: password for HSM authentication; must be at least 8 characters long.

  4. Authorization by M of N scheme: configures the partition to require authorization using cards in the M of N scheme. The association of the partition with a specific set of cards and the authorization to use the partition's keys are done via the HSM's local console, using the HSM's card reader. The use and management of the keys (creation, export, blocking, destruction) will depend on the status of the partition and the permissions enabled in the HSM's local management console.

  5. Permissions: defines the user's system permissions.

User permissions on the partition itself are implicit and non-revocable, so they don't need to be set. When the partition is created, no permissions on the partition are given to another user or HSM administrator. These must be given explicitly and by the user themselves.

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Users - Create

Type:
 1 - User
 2 - Operator (all permissions enabled)
Option : 1

User ID: keyadm
Password: ********
Confirm password: ********

Require Authorization on Local Console with M of N Scheme (y/[n]):

Authorization on Local Console with M of N Scheme disabled.

Require Two Factor Authentication (y/[n]):

Require User to Change Password at Next LogOn (y/[n]):

System permissions:
Create/Remove Users (y/[n]):
List Users (y/[n]):
Monitor Remote Log (y/[n]):
Backup/Restore (y/[n]):
Firmware Update (y/[n]):


User 'keyadm' successfully created.

Press ENTER key to continue...

When creating an Operator user, all permissions are assigned.

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Users - Create

Type:
 1 - User
 2 - Operator (all permissions enabled)
Option : 2

User ID: keyop
Password: ********
Confirm password: ********

Require Authorization on Local Console with M of N Scheme (y/[n]):

Authorization on Local Console with M of N Scheme disabled.

Require Two Factor Authentication (y/[n]):

Require User to Change Password at Next LogOn (y/[n]):


User 'keyop' successfully created.

Press ENTER key to continue...

Partition with M of N scheme authorization

The steps for creating a user with a partition authorized by the M of N scheme are:

  1. Create a user/partition by enabling the partition authorization flag via M of N;

  2. Open a session with the user and create the keys on the partition. Keys can be created at this point but cannot be used until the partition is authorized;

  3. Create a set of M of N cards for partition authorization. You need to define the size of the set (N) and the number of cards required from the set for authorization (M), such as 2 out of 2, 2 out of 4, 3 out of 5, 4 out of 12, etc. This step is carried out in the local console.

  4. Associate the set with the user/partition created. This step is done in the local console.

  5. Authorize the use of the keys for encryption operations on the user's partition using the set of cards M of N. This step is carried out on the local console.

  6. Open a session with the user and test the use of the existing keys (for example with the remote console's test option). Existing keys can be used, but new keys cannot be created while the partition is in the authorized state (remote console).
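As an added example that is not part of this manual or of the Dinamo product, the following Python model captures the rules stated in the attribute list above and in the M of N procedure: User ID and password validation, the Operator/User system-permission split, the owner's implicit partition rights with explicit grants to others, and the partition states before and after card authorization (keys can be created but not used before, used but not created after). All class and method names, and the card ceremony reduced to a count of distinct cards, are this example's own assumptions, not the HSM's API.

```python
import re
from dataclasses import dataclass, field

# Rules taken from the manual text; the identifiers below are this example's own.
USER_ID_RE = re.compile(r"[A-Za-z0-9]{1,16}")   # alphanumeric only, max 16, case-sensitive
MIN_PASSWORD_LEN = 8
SYSTEM_PERMISSIONS = frozenset({"create_remove_users", "list_users",
                                "monitor_remote_log", "backup_restore", "firmware_update"})


@dataclass
class Partition:
    owner: str                 # the partition is referenced by the owning user's name
    requires_mofn: bool        # "Require Authorization on Local Console with M of N"
    authorized: bool = False   # changed only by the local-console card ceremony
    keys: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)   # grantee -> set of partition permissions


@dataclass
class User:
    name: str
    kind: str                  # "User" or "Operator"
    system_permissions: frozenset


class Hsm:
    def __init__(self):
        self.users, self.partitions = {}, {}

    def create_user(self, name, password, kind, permissions=(), require_mofn=False):
        if not USER_ID_RE.fullmatch(name):
            raise ValueError("User ID: 1-16 characters from a-zA-Z0-9 (no '_' or '-')")
        if name in self.users:            # 'keyadm' and 'KeyAdm' are different IDs
            raise ValueError("User ID already exists")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password must be at least 8 characters")
        if kind == "Operator":            # Operator: every system permission
            perms = SYSTEM_PERMISSIONS
        elif kind == "User":              # User: only what was explicitly given
            if set(permissions) - SYSTEM_PERMISSIONS:
                raise ValueError("unknown system permission")
            perms = frozenset(permissions)
        else:
            raise ValueError("type must be 'User' or 'Operator'")
        self.users[name] = User(name, kind, perms)
        # Creating the user creates its partition; nobody else gets access to it yet.
        self.partitions[name] = Partition(owner=name, requires_mofn=require_mofn)
        return self.users[name]

    def has_system_permission(self, name, perm):
        return perm in self.users[name].system_permissions

    def can_access_partition(self, actor, partition, perm):
        p = self.partitions[partition]
        if actor == p.owner:              # owner's rights are implicit and non-revocable
            return True
        return perm in p.grants.get(actor, set())   # Operators get nothing implicitly

    def grant_partition_permission(self, actor, grantee, perm):
        # Only the owner grants rights on its partition, which carries the owner's name.
        if grantee not in self.users:
            raise KeyError(grantee)
        self.partitions[actor].grants.setdefault(grantee, set()).add(perm)

    def create_key(self, actor, partition, key_id):
        p = self.partitions[partition]
        if not self.can_access_partition(actor, partition, "create_key"):
            raise PermissionError(actor)
        if p.requires_mofn and p.authorized:
            raise RuntimeError("partition is authorized: new keys cannot be created")
        p.keys.add(key_id)

    def use_key(self, actor, partition, key_id):
        p = self.partitions[partition]
        if not self.can_access_partition(actor, partition, "use_key"):
            raise PermissionError(actor)
        if key_id not in p.keys:
            raise KeyError(key_id)
        if p.requires_mofn and not p.authorized:
            raise RuntimeError("partition not yet authorized with M of N cards")
        return True

    def authorize_with_cards(self, partition, m, n, cards_presented):
        # Local-console step, reduced here to a threshold check on distinct card IDs.
        p = self.partitions[partition]
        if not (1 <= m <= n) or not p.requires_mofn:
            raise ValueError("bad M of N parameters or partition does not use M of N")
        if len(set(cards_presented)) < m:
            raise RuntimeError(f"need {m} of {n} distinct cards")
        p.authorized = True
        return True
```

The model makes two points from the text explicit: an Operator's full set of system permissions does not give it any access to another user's partition until that user grants it, and on an M of N partition the authorized state is what separates "keys exist" from "keys usable".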