Use hsm-init to Initialize a Password Authenticated HSM
Initialize the HSM (required before you can create Partitions and use the HSM) to set up the necessary identities, ownership and authentication at the HSM Server level.
Start the Initialization Process
The hsm init command takes several options:

lunash:> hsm init
Usage: hsm -init -label <hsmlabel> [-domain <hsmdomain>] [-alwaysaskmofn]
       [-force] [-mofn] [-mval <mvalue>] [-nval <nvalue>] [-sopw <hsmadminpassword>]

Name (short)          Description
-----------------------------------
-domain (-d)          HSM cloning domain (Password Authentication model only)
-alwaysaskmofn (-a)   Prompt M of N at every SO login
-force (-f)           Force initialization without prompts (useful for scripting)
-label (-l)           HSM label; a text label for your convenience
-mofn (-mo)           Use the optional M of N feature (for Trusted Path Authentication model only)
-mval (-mv)           Value for M; up to N, but usually less than N (for Trusted Path only)
-nval (-n)            Value for N; total number of shares in the optional split-knowledge secret, up to 16 (for Trusted Path only)
-sopw (-s)            SO PIN (Password Authentication model only)
For an HSM with Password Authentication, three of the values are required (the HSM label, the HSM Password, and the cloning domain), but the only one that you should type at the command line is a label for the HSM. The password and the cloning domain can be typed at the command line, but this makes them visible to anyone who can see the computer screen, or to anyone who later scrolls back in your console or ssh session buffer. If you omit the password and the cloning domain, lunash prompts you for them, and hides your input with "*" characters. This is preferable from a security standpoint. Additionally, you are prompted to re-enter each string, thus helping to ensure that the string you type is the one you intended to type.

Label: This can be any string of up to 32 characters that identifies this HSM unit uniquely. A labeling convention that conveys some information relating to business, departmental or network function of the individual HSM is commonly used.

Password: This is a password for the HSM, within the HSM appliance. For proper security, it should be different than the appliance admin password, and it should employ standard password-security characteristics:
- at least 8 characters,
- not easily guessable (therefore, no words that occur in any dictionary, no dates like birthdays or anniversaries, no proper names),
- should include miXEd-CAse letters, numbers, and special (non-alphanumeric) characters such as -_!@#$%&*...

Cloning domain: A domain is a shared identifier that makes cloning possible among a group of HSMs. Cloning is required for backup or for HA. Cloning cannot take place between HSMs that do not share a common domain. A domain is created (new) or is imprinted (from an existing domain) when you initialize the HSM.

Cloning: The duplication or copying of token contents to other tokens. Cloning copies objects (certificates, keys, data), in a secure manner, from the user space on one HSM or token to an equivalent space on a second HSM or token. Contents are securely wrapped for cloning, and can be unwrapped only directly onto another HSM or token that shares the same cloning domain. That is, cloning is a hardware-to-hardware secure transfer, with no exposure of material in software.
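The following is an added example, not part of the Luna documentation and not a lunash command: a POSIX shell pre-flight check that an operator could run on the administration workstation before opening the ssh session. It applies the label limit (up to 32 characters) and the password characteristics listed above, and it builds the hsm init argument string with only the label, so that the SO password and cloning domain are never placed on the command line and lunash prompts for them instead. The function names are assumptions; the dictionary-word and date checks from the policy are not implemented here and remain a manual check.

```shell
#!/bin/sh
# Added example (not from the Luna documentation). Function names are assumed.

# HSM label: the page states a maximum of 32 characters; an empty label is rejected.
check_hsm_label() {
    label=$1
    len=${#label}
    [ "$len" -ge 1 ] && [ "$len" -le 32 ]
}

# SO password characteristics listed on the page: at least 8 characters,
# mixed-case letters, numbers and at least one non-alphanumeric character.
# Dictionary words, dates and proper names are not checked here.
check_hsm_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[a-z]'         || return 1
    printf '%s' "$pw" | grep -q '[A-Z]'         || return 1
    printf '%s' "$pw" | grep -q '[0-9]'         || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]'  || return 1
    return 0
}

# The command string to type at the lunash prompt. Only the label is passed;
# -sopw and -domain are deliberately omitted so lunash prompts for them with
# hidden input rather than leaving the secrets in the ssh scrollback buffer.
hsm_init_args() {
    printf '%s' "hsm -init -label $1"
}

# Usage: read the candidate password without echo, check it, then print the
# command to type. The password itself is never printed or passed as an argument.
preflight() {
    label=$1
    check_hsm_label "$label" || { echo "label must be 1..32 characters" >&2; return 1; }
    stty -echo 2>/dev/null
    printf 'Proposed SO password (not echoed): ' >&2
    read -r candidate
    stty echo 2>/dev/null
    echo >&2
    check_hsm_password "$candidate" || { echo "password does not meet the stated policy" >&2; return 1; }
    unset candidate
    echo "Type at the lunash prompt: $(hsm_init_args "$label")"
}

# Uncomment to run interactively:
# preflight myLuna
```

The check deliberately reads the candidate password from the terminal with echo disabled and discards it afterwards; it is only there to confirm the value meets the policy before it is entered at the lunash prompt.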
Initialize a Password Authenticated HSM
Type the hsm init command at the lunash prompt, supplying a text label for the new HSM.
lunash:> hsm -init -label myLuna
> Please enter a password for the security officer
> ********
Please re-enter password to confirm:
> ********
Please enter the cloning domain to use for initializing this
HSM (press <enter> to use the default domain):
> ********
Please re-enter domain to confirm:
> ********
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit' to quit now.
>proceed
‘hsm - init’ successful.
When activity is complete, lunash displays a “success” message.
You have initialized the HSM and created an HSM Admin identity, which is an additional capability set, overlaid on the HSM appliance administrator identity.
- Appliance “admin” alone can use lunash to perform some administrator operations on the HSM server, such as network configuration, but cannot access the HSM without additional authentication.
- HSM Admin (equivalent to the Cryptoki “Security Officer” or “SO”) can administer the HSM, but requires that the system “admin” be logged in first (same ssh session), before HSM Admin can login.
In order to perform all possible administrative functions on the HSM appliance, you must have both the “admin” password for lunash and the HSM Admin authentication.
You are ready to adjust HSM Policies (if desired) and begin creating HSM Partitions for your Client's applications to use.
Next: "Set HSM Policies (Password Authentication)"