
About Creating a Partition (PED authenticated)

This section covers HSM Partition setup for PED (Trusted Path) Authentication. The activities in this section are required in these circumstances.

About HSM Partitions on the Initialized HSM

At this point, the HSM appliance should already:

Within the HSM, separate cryptographic workspaces must be initialized and designated for clients. A workspace, or Partition, and all its contents are protected by encryption derived (in part) from its authentication. Only a Client that presents the proper authentication is allowed to see the Partition and to work with its contents.

In this section, you will:

First, Establish a Connection to your HSM Appliance

  1. If you do not already have a connection open, connect your administration computer to the serial Console port of the HSM appliance and open a Terminal session, or use ssh to connect via the network (for Windows, we provide PuTTY; for UNIX/Linux, your operating system provides the ssh client, either as part of the distribution or as a separate downloadable utility).

Then, Login as HSM Admin / SO

  1. To create HSM Partitions, you must log in to the HSM as HSM Admin (also called Security Officer or SO). Ensure that the PED is connected to the PED port on your HSM appliance, and that the PED is powered on and "Awaiting command.."
  2. At the HSMsh prompt, type:

HSMsh:> hsm login

  3. Authenticate as HSM Admin:
    The PED prompts for the blue PED Key.

PED MESSAGE: SO LOGIN... Insert a SO / HSM Admin PED Key.  Press ENTER

You must provide the blue HSM Admin PED Key that has been imprinted (initialized) for this HSM.

If you had set a PED PIN, you are prompted for that, as well.

  4. Next, "Initialize the Partition - PED Authenticated (Trusted Path)".

If you fail three consecutive login attempts as HSM Admin (also called SO), the HSM is zeroized and cannot be used; it must be re-initialized. Re-initializing zeroizes the HSM contents. Zeroizing destroys all key encryption material. Please note that the HSM must actually receive some information before it logs a failed attempt, so if you forget to insert a PED Key, or if you insert the wrong kind (for example, if you insert a black key when a red key is called for), that is not logged as a failed attempt. Also, when you successfully log in, the counter is reset to zero.

If you are not sure that you are currently logged in as HSM Admin, perform an ‘hsm logout’, then log in again.
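
The lockout rule above can be modeled as a small state machine that an operations team could use to journal HSM Admin login attempts and stop before the attempt that would zeroize the HSM. This is an added example, not code from the appliance or its vendor; the event names, the SoLoginTracker class and the safe_to_retry guard are assumptions made for illustration, with "rejected" standing for any attempt where the HSM received authentication data and refused it.

```python
from dataclasses import dataclass

MAX_FAILURES = 3  # from the text: three consecutive failed HSM Admin logins

# Hypothetical event names for an operator-kept login journal (assumption).
NOT_PRESENTED = "not_presented"    # no PED Key inserted: HSM received nothing
WRONG_KEY_TYPE = "wrong_key_type"  # e.g. black key when a red key is called for
REJECTED = "rejected"              # HSM received authentication data, refused it
SUCCESS = "success"


@dataclass
class SoLoginTracker:
    failures: int = 0
    zeroized: bool = False

    def record(self, event: str) -> int:
        """Apply one journal event and return the failed attempts still allowed."""
        if self.zeroized:
            raise RuntimeError("HSM is zeroized; it must be re-initialized")
        if event in (NOT_PRESENTED, WRONG_KEY_TYPE):
            pass  # never reached the HSM as an attempt, so it is not counted
        elif event == REJECTED:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.zeroized = True
        elif event == SUCCESS:
            self.failures = 0  # a successful login resets the counter
        else:
            raise ValueError(f"unknown event: {event!r}")
        return self.remaining()

    def remaining(self) -> int:
        return 0 if self.zeroized else MAX_FAILURES - self.failures

    def safe_to_retry(self) -> bool:
        """Runbook guard: False once one more rejected attempt would zeroize."""
        return not self.zeroized and self.remaining() > 1


def replay(events):
    """Replay a constructed sequence of journal events on a fresh tracker."""
    tracker = SoLoginTracker()
    for event in events:
        tracker.record(event)
    return tracker
```
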