partition init

Initialize an application partition. This command is used within the partition being initialized.

For password-authenticated HSMs, if the password is not provided on the command line, the user is interactively prompted for it. Input is echoed as asterisks, and the user is asked to confirm the password. This creates the Partition Security Officer role.

Domain matching and the default domain

If you do not specify a domain in the command line, you are prompted for it.

If you type a character string at the prompt, that string becomes the domain for the partition.

When you run the partition backup command, you are again prompted for a domain for the target partition on the backup HSM. You can specify a string at the command line, or omit the parameter at the command line and specify a string when prompted. Otherwise, press Enter with no string at the prompt to apply the default domain. The domain that you apply to a backup HSM must match the domain on your source HSM partition.

Syntax

partition init -label <string> [-password <string>] [-domain <string>] [-applytemplate <filepath/filename>] [-domainlabel <string>] [-importpeddomain] [-defaultdomain] [-auth] [-force]

Argument(s) Shortcut Description
-applytemplate <filepath/filename> -at

Apply a policy template located in the specified directory.

NOTE   If there is a mismatch between template policies and the default values of newer or dependent policies, then the attempt to apply the old policy would fail with CKR_FAILED_DEPENDENCIES.

You have the option to edit a policy file before applying it, to add newer policies.

-auth -a

Log in after the initialization.

-domain <string> -d

Partition cloning domain string. Used only on password-authenticated HSMs; ignored for multifactor quorum-authenticated HSMs. The domain secret allows for two layers of cloning security:

>The Partition SO determines which partitions can clone objects to each other by setting the same domain on the source and destination partitions.

>The Crypto Officer for the partition must authorize the cloning operation.

See Domain Planning for more information.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

For password-authenticated HSMs, the domain string should match the complexity of the partition password.

-domainlabel <string> -dl

Partition domain label. Optional.

>Used when initializing password-authenticated or multifactor quorum-authenticated partitions.

>Requires Luna HSM Firmware 7.8.0 or newer and HSM Client 10.5.0 or newer, for use in conjunction with Extended Domain Management (partition domain|list|add|changelabel|delete commands); facilitates the ability of a partition to have multiple cloning domains.

>Can be added later, if desired.

-force -f

Force the action (useful for scripting).

NOTE   If you are connecting to an FM-enabled Luna Network HSM 7 for the first time and have not set the LoginAllowedOnFMEnabledHSMs configuration setting to 1 (see Configuration Settings and Section Headings), the action will not be forced and a prompt will appear asking if you would like to proceed.

-importpeddomain -i

Import the secret from a red domain PED key to initialize the domain on a Luna Cloud HSM service. This feature allows you to clone objects between Luna Cloud HSM and multifactor quorum-authenticated application partitions.

NOTE   This option was introduced in HSM Client 10.4.1, and removed in HSM Client 10.6.0 and newer. For newer client versions, Thales recommends using Universal Cloning to manage cloning between multifactor quorum-authenticated Luna HSMs and Luna Cloud HSM.

This option is available only when the current slot is a Luna Cloud HSM service. All multifactor quorum-authenticated firmware versions are currently compatible with Luna Cloud HSM.

-label <string> -l

Label for the partition.

In LunaCM, the partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~

Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

-password <string> -p

Partition Security Officer Password.

In LunaCM, passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
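Added example, not part of the Thales documentation: a Python pre-flight check that applies the length and character rules listed above to a label, Partition SO password and cloning domain string before the command is issued, and assembles a correctly quoted partition init line. The -password option is left out unless a value is supplied, so LunaCM prompts for it interactively as described above; the function names are my own.

```python
import string
ALPHANUM = string.ascii_letters + string.digits
# Allowed character sets, transcribed from the rules stated on this page.
DOMAIN_ALLOWED = set(ALPHANUM + " !@#$%^*-_=+[]{}/:',.~")
LABEL_ALLOWED = set(ALPHANUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>`~")
PASSWORD_ALLOWED = set(ALPHANUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
LABEL_MAX = 32  # LunaCM silently truncates longer labels

def _check(value, allowed, lo, hi, what):
    """Length and character-set rules shared by all three values; returns violations."""
    problems = []
    if len(value) < lo or (hi and len(value) > hi):
        rng = "%d-%d" % (lo, hi) if hi else "at least %d" % lo
        problems.append("%s must be %s characters" % (what, rng))
    bad = "".join(sorted(set(value) - allowed))
    if bad:  # '"' is outside every allowed set, so it is rejected here too
        problems.append("%s contains disallowed characters: %s" % (what, bad))
    return problems

def check_domain(domain):
    """Cloning domain: 1-128 characters from the allowed set, no leading space."""
    problems = _check(domain, DOMAIN_ALLOWED, 1, 128, "domain")
    if domain.startswith(" "):
        problems.append("domain must not begin with a space")
    return problems

def check_label(label):
    """Label: at least 1 allowed character; flag a label that LunaCM would truncate."""
    problems = _check(label, LABEL_ALLOWED, 1, None, "label")
    if len(label) > LABEL_MAX:
        problems.append("label would be truncated to %r" % label[:LABEL_MAX])
    return problems

def check_password(password):
    """Partition SO password: 8-255 characters from the allowed set."""
    return _check(password, PASSWORD_ALLOWED, 8, 255, "password")

def quote(value):
    """Enclose in double quotation marks when the value contains spaces, as the page requires."""
    return '"%s"' % value if " " in value else value

def build_command(label, domain, password=None):
    """Assemble the LunaCM line; -password is omitted so LunaCM prompts, unless one is given."""
    problems = check_label(label) + check_domain(domain)
    if password is not None:
        problems += check_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = "partition init -label %s -domain %s" % (quote(label), quote(domain))
    return cmd if password is None else cmd + " -password " + quote(password)
```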

Example

lunacm:> partition init -label par2

        You are about to initialize the partition.
        All contents of the partition will be destroyed.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

        Enter password for Partition SO: ********

        Re-enter password for Partition SO: ********

        Option -domain was not specified.  It is required.

        Enter the domain name: ********

        Re-enter the domain name: ********

Command Result : No Error