
lunash hsm Commands



hsm init Command

NAME

hsm init  - Initialize the HSM

SYNOPSIS

lunash:> hsm init -label <hsmlabel> [-domain <hsmdomain>] [-password <hsmadminpassword>] [-authtimeconfig] [-force]

DESCRIPTION

The hsm init command initializes the HSM (K6 key card) in the Luna HSM Server. Initialization assigns an HSM label, creates or associates Security Officer (SO) or HSM Admin authentication for the HSM, creates or associates a Cloning Domain (with authentication) for the HSM, and applies other settings that make the HSM available for use.

Initializing the HSM erases all existing data on the key card, including all HSM Partitions and their data. HSM Partitions then must be recreated with the partition create command.

Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line.

Invoking the hsm init command results in the HSM Admin being logged out, and all partitions being deactivated. These preparatory actions take place before the warning prompt appears, with its request for you to type "Proceed" or "Quit".

That is, if you invoke hsm init and then type "quit" at the prompt, initialization does not take place (meaning that you do not lose existing token/HSM contents), but any current login or activation state is closed, whether you abort the command or not.

For more detail see the topic "What is initialization? (PED-authentication)" in the Administration Manual.

OPTIONS

(Option)             Parameter      Description
-label -l            <hsmlabel>     HSM Label
-domain -d           <hsmdomain>    HSM Domain Name
-password -p         <password>     HSM Admin Password
-authtimeconfig -a   .              Require SO login to config time
-force -f            .              Force Action

-label label    [mandatory] The label to assign to the HSM. The label has a maximum length of 32 characters; any input beyond 32 characters is truncated.

-password password    [mandatory in Luna HSM with Password Authentication; ignored in Luna HSM with PED (Trusted Path) Authentication] The password to be used as login credential by the HSM Admin. For PED-authenticated HSMs, the Luna PED is used for the HSM Admin PIN/password, and data input for this value is ignored.

The value is mandatory (for Password Authentication) in the sense that the operation requires it, but you do not need to include it in the command; if you omit it, you are prompted for it. Waiting for the prompt is the more secure option, because the prompted input is masked by asterisk characters "*".

 

-domain domain    [optional in Luna HSM with Password Authentication; ignored in Luna HSM with Trusted Path Authentication] The string to be used as key cloning domain for the HSM. If no value is given for a Luna HSM with Password Authentication, the user is prompted interactively and has the choice of using the default domain. If not using the default domain, the user must confirm the domain by typing it a second time. The HSM must support cloning, or this value is ignored; it is not requested if it is not supplied. Using the default domain implies that the HSM can be used in cloning operations (such as backup and restore) with any other HSM in the world that retains the default domain. Allowing the HSM to retain the default domain is not recommended.

 

-authtimeconfig    [optional] Require SO login to configure the time.

-force   [optional] If this option is included in the list, the HSM will be zeroized without prompting the user for a confirmation of this destructive command.
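
A pre-flight check for runbooks or automation that contain hsm init lines, applying the option rules described above. This is an added example, not part of the Luna documentation: the helper lint_hsm_init and its password_auth parameter are hypothetical, and the sample command lines are constructed.

```python
import shlex

# Long and short option forms, as listed in the OPTIONS table on this page.
ALIASES = {"-l": "-label", "-d": "-domain", "-p": "-password",
           "-a": "-authtimeconfig", "-f": "-force"}
TAKES_VALUE = {"-label", "-domain", "-password"}
SWITCHES = {"-authtimeconfig", "-force"}
MAX_LABEL = 32  # input beyond 32 characters is truncated


def lint_hsm_init(command, password_auth=True):
    """Return review findings for one 'hsm init' line (hypothetical helper)."""
    tokens = shlex.split(command)
    if tokens[:1] == ["lunash:>"]:  # tolerate a pasted prompt
        tokens = tokens[1:]
    if tokens[:2] != ["hsm", "init"]:
        return ["not an hsm init command"]
    opts, findings, i = {}, [], 2
    while i < len(tokens):
        name = ALIASES.get(tokens[i], tokens[i])
        if name in TAKES_VALUE:
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            if value is None:
                findings.append(f"{name}: no value given")
            opts[name] = value
            i += 2
        elif name in SWITCHES:
            opts[name] = True
            i += 1
        else:
            findings.append(f"unknown option: {tokens[i]}")
            i += 1
    label = opts.get("-label")
    if "-label" not in opts:
        findings.append("-label: mandatory option is missing")
    elif label and len(label) > MAX_LABEL:
        findings.append(f"-label: {len(label)} characters, truncated to {label[:MAX_LABEL]!r}")
    if opts.get("-password"):
        findings.append("-password: value typed in clear text; omit it and use the masked prompt")
    if password_auth and "-domain" not in opts:
        findings.append("-domain: not supplied; do not accept the default domain at the prompt")
    if opts.get("-force"):
        findings.append("-force: initialization proceeds with no Proceed/Quit confirmation")
    return findings


if __name__ == "__main__":
    # Constructed sample line, not taken from a real appliance.
    for finding in lint_hsm_init("lunash:> hsm init -l myLunaHSM -p constructedPw -f"):
        print(finding)
```

Set password_auth=False when reviewing commands for a PED (Trusted Path) HSM, where the page states the -domain value is ignored.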

SAMPLE OUTPUT

The initialization procedure differs slightly for Luna HSMs that use Password Authentication versus Luna HSMs that require Trusted Path Authentication (click the link that applies to your Luna HSM, below).