partition domainchangelabel
The partition domainchangelabel command changes the domain label of an existing domain.
Which domain is primary and how to change it - After initialization, every partition has its current or original security/cloning domain marked as the primary, the domain chosen by default for cloning. On a partition with more than one domain, any of the others can be designated as primary instead, using the partition domainadd and partition domainchangelabel commands with their -primary option.
A partition is initialized without a domain label (the default, for compatibility with pre-7.8.0 firmware), or optionally with a domain label of 1 to 32 characters.
CAUTION! Domain strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and the domain itself.
Where the domain label framework is in effect (Luna HSM Firmware 7.8.0 and newer with HSM Client 10.5.0 and newer):
>pre-firmware-7.8.0 partitions that are updated to Luna HSM Firmware 7.8.0 or newer have an existing, unlabeled domain that
•can remain unlabeled, with no consequence to your existing applications and processes
•can have a domain label applied with the partition domainchangelabel command
>new partitions created under Luna HSM Firmware 7.8.0 or newer can be initialized
•without a domain label, for continuity with your existing applications and processes
•with a domain label, which can remain as-is
•and in either case can have a label added or changed later with the partition domainchangelabel command
>new partitions created with Luna HSM Firmware 7.8.0 or newer can have up to two additional domains added (typed in for password-authenticated partitions, or imported from a red PED key for multifactor quorum-authenticated partitions), and the partition domainchangelabel command lets you apply or adjust the labels
•so that no two domain labels on the partition are identical (a duplicate label would prevent the new domain from being added, so rename the existing label first)
•to record which other HSM partition each additional domain was created for or imported from
NOTE This extended domain management command requires minimum HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 (command not visible for HSMs with prior firmware versions).
NOTE The partition domainchangelabel command is visible as soon as the partition is created.
You must be logged in as partition SO (po) to run this command, which implies that the partition must first be initialized.
This command does not require partition policy 44 to be set.
Primary domain - Pre-CPv4 cloning protocols always use the primary domain. When a clone operation is attempted between two partitions, the library checks the partition's CPv1 policy (42): if it is enabled, the library negotiates a common domain between the current partition and the other partition; if policy 42 is off, CPv4 is attempted.
By default, the primary domain is the one imprinted during initialization of the current partition.
The primary domain is used if a matching domain is found on the other partition, and the protocol does not look further for any other domain match. If the current partition has multiple domains and no domain on the other partition matches its primary, the protocol then looks for a match among the other domains on both partitions. You can make an added domain the primary by using the -primary option when adding it with partition domainadd. The current primary stays primary as you add further domains, unless and until you add one with the -primary option again.
Syntax
partition domainchangelabel -oldlabel <label> -newlabel <label> [-force]
Argument(s) | Shortcut | Description
---|---|---
-force | -f | Change the domain label without asking for confirmation.
-newlabel <label> | -nl | The new label to assign to the domain.
-oldlabel <label> | -ol | The old label of the domain you wish to change.
Example - apply a domain label to a partition that was initialized without one
```
lunacm:>par init -label myPEDpar

        You are about to initialize the partition.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

        Number of supported domains 3

        Defined Domain
        Domain #1 without label. Defined as primary domain.

Command Result : No Error

lunacm:> partition domainchangelabel

        The partition SO must be logged in.

Error in execution: command cancelled.

Command Result : 0xb (User Cancelled Operation)

lunacm:> role login -name po

        enter password: ********

Command Result : No Error
```
Now you can assign a label to the partition's unlabeled primary domain.
```
lunacm:>par domainchangelabel -nl PrimaryPED

Command Result : No Error

lunacm:>par domainlist

        Domain List

        Domain Label[0]: PrimaryPED - primary KCV
        Domain Label[1]: Domain not created
        Domain Label[2]: Domain not created

Command Result : No Error
```
Example - change a password-authenticated domain label
```
lunacm:>par domainlist

        Domain List

        Domain Label[0]: PrimaryPED - primary KCV
        Domain Label[1]: Label not set
        Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPW

Command Result : No Error

lunacm:>par domainlist

        Domain List

        Domain Label[0]: PrimaryPED - primary KCV
        Domain Label[1]: MiddledPW
        Domain Label[2]: NewPEDDomain

Command Result : No Error
```
Example - change a multifactor quorum-authenticated domain label
```
lunacm:>par domainlist

        Domain List

        Domain Label[0]: PrimaryPED - primary KCV
        Domain Label[1]: Label not set
        Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPED

Command Result : No Error

lunacm:>par domainlist

        Domain List

        Domain Label[0]: PrimaryPED - primary KCV
        Domain Label[1]: MiddledPED
        Domain Label[2]: NewPEDDomain

Command Result : No Error
```
The steps are the same as for a password-authenticated partition; because the label is not a secret, no PED action is needed for a label change.