partition domainadd

Add a cloning domain to the partition. Partitions are assigned their original/own domain when initialized, and in that default state can perform cloning/HA operations only with other partitions sharing that single domain.

Which domain is primary, and how to change it - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary instead, using the partition domainadd and partition domainchangelabel commands with their -primary option.

The partition domainadd command is meant to add a domain so that the partition can clone objects with partitions that have the new/added domain, as well as with partitions that have the same domain as originally assigned to the current partition during initialization.

A maximum of two additional domains can be added to the original partition domain; they can be either password-authenticated or multifactor quorum-authenticated.

If you are adding a text domain for some other password-authenticated partition, then do include the -domain option with the domain string from that other partition, and do not include the -domainped option.

If you are adding a domain PED key secret for some other multifactor quorum-authenticated partition, then do not include the -domain option, and do include the -domainped option, causing the HSM to look for a connected PED with a red PED key, to retrieve that key's content as the domain to add to the current partition.

If you have more than one domain in your partition, the system assumes that you want to be able to tell them apart, so include the -domainlabel option each time you add a domain (the label is a string between 1 and 32 characters).

The -domainlabel option is added with Luna HSM Firmware 7.8.0. Pre-existing partitions (created prior to firmware 7.8.0) can continue to have no label, for continuity of established procedures and processes. However, if you create or import a domain, the system ensures that no two domains can have the same label, so a label is necessary when adding a domain if an existing domain is not labeled.

CAUTION!   Domain strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and the domain itself.

Use partition domainchangelabel to change the label for a domain, including applying a label to a domain that did not already have one.

Primary domain - The primary domain is always used by pre-CPv4 protocols. If a clone operation is attempted between two partitions, the library looks to the partition's CPv1 policy (42) and, if that is enabled, negotiates a common domain between the current partition and the other partition. If policy 42 is off, then CPv4 is attempted. By default, the primary domain is the one that was imprinted during initialization of the current partition. The primary domain will be used if a match is found on the other partition, and the protocol does not look further to negotiate for any other domain match. If the current partition has multiple domains and no domain on the other partition matches the primary on the first partition, then the protocol looks for a match among the other domains on both partitions. You can cause an added domain to become the primary by using the -primary option when adding any given domain with partition domainadd. The current primary remains the primary, even as you add domains, unless/until you add one while invoking the -primary option again. [LUNA-25563]

NOTE   This extended domain management command requires minimum HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 (command not visible for HSMs with prior firmware versions).

Partition PO role login is required to create or change a domain (after the first domain created by partition initialization). Use of this command requires partition policy 44 to be set to ON.

Syntax

partition domainadd {-domain <string> | -domainped} [-domainlabel <string>] [-primary]

Argument(s)           Shortcut   Description
-domain <domain>      -d         Partition domain string for password-authenticated partitions. If this is omitted, then a connected PED with a domain on a PED key is expected.
-domainlabel <label>  -dl        Partition domain label, to distinguish among domains when a partition has more than one, and to match with domains on other partitions.
-domainped            -dped      Partition domain from a PED key.
-primary              -p         Mark this domain as primary (always used for the older cloning protocols, prior to CPv4).

Example with password authentication

lunacm:> partition domainadd -domain seconddomain -domainlabel brotherdaryl

Command Result : No Error

Example with multifactor quorum authentication

lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error 

Example - add an unlabeled domain while existing domain does not have a label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped 

Please attend to the PED.

Error in execution: CKR_DATA_INVALID.

Command Result : 0x20 (CKR_DATA_INVALID)

lunacm:>

That attempt failed because it would have resulted in two domains with the same label "Label not set".

Example - add a third domain while second does not have a label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error

This attempt succeeds because the proposed -domainlabel is different from the two existing labels "PrimaryPED" and "Label not set".
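As an added example (not Thales code and not part of lunacm), the following Python pre-flight check applies the rules stated earlier on this page (at most two added domains, a label of 1 to 32 characters, no duplicate labels, a label that is never the domain string, and a label required whenever an existing domain is unlabeled) to a `par domainlist` listing before the command is sent, so the CKR_DATA_INVALID case shown above is caught client-side. The listing format it parses is assumed from the domainlist output shown on this page.

```python
import re

MAX_DOMAINS = 3                   # the original domain plus at most two added ones
UNLABELED = "Label not set"       # how domainlist shows a domain without a label
EMPTY_SLOT = "Domain not created"
LABEL_RE = re.compile(r"^Domain Label\[(\d+)\]: (.+)$")

def parse_domainlist(output):
    """Return one dict per existing domain: index, label text, labeled flag, primary flag."""
    domains = []
    for line in output.splitlines():
        m = LABEL_RE.match(line.strip())
        if not m or m.group(2).startswith(EMPTY_SLOT):
            continue
        rest = m.group(2)
        label = rest.split(" - ")[0].strip()   # drop the "- primary KCV" suffix
        domains.append({"index": int(m.group(1)), "label": label,
                        "labeled": label != UNLABELED, "primary": "- primary" in rest})
    return domains

def check_domainadd(listing, label=None, domain=None):
    """Return the reasons the add would fail; an empty list means it is safe to send."""
    existing = parse_domainlist(listing)
    problems = []
    if len(existing) >= MAX_DOMAINS:
        problems.append("partition already holds three domains (original plus two added)")
    if label is None:
        # Omitting -domainlabel gives the new domain the label "Label not set", which
        # collides with any existing unlabeled domain (the CKR_DATA_INVALID case above).
        if any(not d["labeled"] for d in existing):
            problems.append("an existing domain is unlabeled, so -domainlabel is required")
    else:
        if not 1 <= len(label) <= 32:
            problems.append("label must be 1 to 32 characters")
        if any(d["label"] == label for d in existing):
            problems.append("label %r is already used by a domain on this partition" % label)
        if domain is not None and label == domain:
            problems.append("label must never be the same string as the domain")
    return problems

# Constructed sample: the domainlist output shown on this page before the third domain is added.
LISTING = """Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created
"""
if __name__ == "__main__":
    print(check_domainadd(LISTING))                        # unlabeled add is rejected
    print(check_domainadd(LISTING, label="NewPEDDomain"))  # [] -> safe to send
```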