Changing the HSM operator role

The operator role for the HSM determines the available operations for the HSM in a DataPower® Gateway.

Before you begin

The HSM provides the Cryptographic User (CU) and Cryptographic Officer (CO) operator roles.

The CU role provides normal operations. When the HSM operates under this role, all operations are available, except cloning key-wrapping keys.
The CO role supports cloning key-wrapping keys, changing the operator role, and initializing the HSM.

About this task

To change the HSM operator role, you can use the GUI or CLI.

The operator role determines that available operations against the HSM. Change the operator role from CU to CO when you need to clone key-wrapping keys. After you clone key-wrapping keys, change the operator role from CO to CU.

After you change the operator role, restart the DataPower Gateway for the change to take effect.

Procedure

Change the operator role from the GUI.
1. Log in to the GUI.
2. In the Search field, enter tools.
3. From the search results, click Crypto tools.
4. Click the Set HSM FIPS role tab.
5. From the FIPS 140-3 role list, select the operator role.
6. Click Confirm to change of the operator role.
7. Restart the DataPower Gateway.
Change the operator role from the CLI.
1. Log in to the CLI.
2. Enter the following command sequence to access the hsm-set-role command.
```
# configure terminal
Global configuration mode
(config)# crypto
Crypto Configuration Mode
(config-crypto)#
```
3. Use the hsm-set-role command to change the operator role.
  The following example changes the operator role from CU to CO.
```
(config-crypto)# hsm-set-role officer
```
4. Restart the DataPower Gateway with the shutdown reboot command.

What to do next

Verify the status of the HSM.