
Initialize the Partition - PED Authenticated (Trusted Path)

Having logged in, you can now use the lunash partition create command, to create an HSM Partition. You must supply a label or name for the new Partition when you issue the command.

lunash:> partition create -partition <name-for-new-Partition>

(The angle brackets “<“ and “>” indicate that you fill in text of your choice. Do not type the brackets.)


A partition name can be from 1 to 64 characters in length, and can include any of the following characters:

!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

No spaces.

  1. Create and name an HSM Partition. Type:
    lunash:> partition create -partition myPartition1
    (substitute the name of your choice for "myPartition1") 
    Please ensure that you have purchased licenses for at least this number of partitions: -1
    If you are sure to continue then type 'proceed', otherwise type 'quit' 
    > proceed  
    Proceeding... 

    Please ensure that you copy the password from the Luna PED and 
    that you keep it in a safe place. 
    Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.
  2. The PED inquires if you intend to reuse a pre-existing imprinted black PED Key.
    Respond "Yes" if you have a key from another HSM partition with a Partition Owner ID already imprinted on it, that you wish to share/reuse.
    Respond "No" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an ID that you do not wish to preserve.
  3. The PED requests values for M and N (enter "1" for both, unless you wish to invoke M of N split-secret, multi-person access control; see "About M of N").
  4. The PED then prompts for the black Owner PED key.
    Insert the black HSM Partition Owner PED key (the PED Key is generically black; we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting) and press [Enter]. A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition.
  5. The PED might continue by asking whether this key is to be a group PED Key.
    Decide whether this should be a group PED Key (see "What is a Shared or Group PED Key?"), enter [YES] or [NO] on the PED touchpad, and press [Enter].
  6. Next, you are asked to provide a PED PIN (optional; see "What is a PED PIN?"). A PED PIN can be 4 to 48 digits, or no digits at all if a PED PIN is not desired.
    You must press [Enter] to inform the PED that you are finished entering PED PIN digits, or that you have decided not to use a PED PIN (no digits entered).
    When you provide a PED PIN – even if it is the null PIN (by just pressing [Enter] with no digits) – the PED requests it a second time, to ensure that you entered it correctly.
    Press [ENTER] again.
  7. You are then asked whether you want to create a duplicate of the PED Key (see "What is a duplicate PED Key?").
    If you respond "No", the PED imprints just the one black HSM Admin PED Key and goes on to the next step in creation of the HSM Partition.
    If you respond "Yes", the PED imprints the first black key and then asks for more black PED Keys, until you have imprinted (duplicated) as many as you wish.
  8. At the command-line session, the next part of the sequence is displayed

    Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key. 

    and control once again goes to the Luna PED.
  9. The PED inquires if you intend to reuse a pre-existing imprinted red Domain PED Key.
    Respond "Yes" if you have a key from another HSM partition with a cloning domain ID already imprinted on it, that you wish to share/reuse.
    Respond "No" if you have a fresh, never-imprinted key, or if you have a key previously imprinted with an ID that you do not wish to preserve.
  10. As it did for the black key, the PED now requests values for M and N. Again, enter 1 for each unless you wish to invoke M of N splitting.
  11. The PED then prompts for a red Domain PED key.
    Insert the red HSM Partition Domain PED key (the PED Key is generically black; we suggest that you apply the appropriate color sticker either immediately before or immediately after imprinting) and press [Enter]. A unique Partition Owner PIN is to be imprinted on both the PED key and the HSM Partition.
  12. The PED goes through the same prompts as for the black PED Key. Respond as appropriate.
  13. Luna PED presents the generated partition challenge secret (password), which you must record.
    We suggest that you record the presented string using a text editor; in our experience, the greatest proportion of errors with the partition challenge secret involve misreading of hand-written text. The dashes (hyphens) are displayed only to enhance human readability of the string; they are not part of the 16-character partition challenge secret or partition password.

  14. Control returns to luna shell with:
    'partition create' successful. 

    Command Result : 0 (Success) 
    [myLuna] lunash:>

We recommend that you have at least one backup set of imprinted PED Keys, stored in a safe place, in case of loss or damage to the primary keys.

 

Partition creation audit log entry

Each time a partition is created, an entry is added to the audit log. Any subsequent actions logged against the partition are identified by the partition serial number that was generated when the partition was created.

Determining the serial number of a created partition from the audit log

An audit log entry similar to the following is generated when a partition is created on the HSM:

5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))

It is not obvious from this entry what the serial number is for the created partition. This information, however, can be derived from the log entry, since the partition serial number is simply a concatenation of the HSM serial number (the "S/N" field) and the partition container number (the "container=" field), both of which appear in the log entry.

In the example above, the HSM serial number is 150718 and the partition container number is 20. Note that the partition container number is a three-digit number with leading zeros suppressed, so that the actual partition container number is 020. To determine the partition serial number concatenate the two numbers as follows:

150718020

Use this number to identify the partition in subsequent audit log entries.
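The derivation above, carried out over audit log lines, as an added example (not part of the original manual or the product's tooling): it pulls the HSM serial number and container number out of each LUNA_CREATE_CONTAINER entry, zero-pads the container number to three digits, and concatenates the two. The regular expression is assumed from the single entry format shown on this page, and the second and third sample lines are constructed, not real Luna output.

```python
import re

# Sample audit log: the first line is the page's own example; the second and
# third are constructed here (the third uses a made-up, non-OK return code to
# show that failed creates are skipped).
SAMPLE_AUDIT_LOG = """\
5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
5,12/12/17 16:20:02,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=7 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
5,12/12/17 16:25:40,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_PLACEHOLDER_ERROR(0x00000001) container=8 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
"""

# Assumed entry layout: "... S/N <hsm_sn> ... LUNA_CREATE_CONTAINER returned
# <rc>(<hex>) container=<n> ...". Only the fields named here are relied upon.
CREATE_RE = re.compile(
    r"S/N\s+(?P<hsm_sn>\d+)\s.*?LUNA_CREATE_CONTAINER\s+returned\s+"
    r"(?P<rc>RC_\w+\(0x[0-9A-Fa-f]{8}\)).*?container=(?P<container>\d+)"
)


def partition_serial(hsm_sn: str, container: str) -> str:
    """HSM serial number followed by the container number padded to three digits
    (the log suppresses the leading zeros; the serial number keeps them)."""
    return f"{hsm_sn}{int(container):03d}"


def created_partitions(log_text: str) -> list:
    """Return one record per successful LUNA_CREATE_CONTAINER entry in the log."""
    records = []
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if m is None:
            continue  # not a partition-create entry
        if not m.group("rc").startswith("RC_OK"):
            continue  # the create failed, so no partition (and no serial) exists
        hsm_sn, container = m.group("hsm_sn"), m.group("container")
        records.append({
            "hsm_sn": hsm_sn,
            "container": container,
            "partition_serial": partition_serial(hsm_sn, container),
            "raw": line,
        })
    return records


if __name__ == "__main__":
    for rec in created_partitions(SAMPLE_AUDIT_LOG):
        print(f"HSM {rec['hsm_sn']} container {rec['container']:>3} -> partition {rec['partition_serial']}")
```

Once you have the derived serial numbers, grep the rest of the audit log for them to collect every later entry that concerns a given partition.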


Next steps

Go to the next step, "Record Partition Client Password (TP)".