partition create - Creates an HSM Partition on the HSM
lunash:> partition create -partition <name> [-password <password>] [-domain <domain>] [-size <size>] [-allfreestorage] [-force]
The partition create command creates and initializes a new HSM Partition
on the HSM. To use the HSM partition create command you must be logged
in to the HSM as HSM Admin (a.k.a. the SO).
By default, no clients are granted access to a new HSM Partition. The
Luna appliance “admin” can run the client assignPartition command to give
a registered client access to created HSM Partitions.
For an HSM appliance with Password Authentication, if the password is not provided via the command line, the user is interactively prompted for it. Input is echoed as asterisks, and user is asked for password confirmation.
For an HSM appliance with Trusted Path Authentication, PED action is required, and a Partition Owner PED Key (black) is imprinted. Any password provided at the command line is ignored.
When creating partitions on the HSM, a check is performed to ensure that the new partition's name is unique (on that HSM). However, this check does not extend to any token HSMs that might be inserted in a connected card-reader slots. Therefore, with the introduction of PKI bundles functionality (beginning with Luna SA release 4.4.0), it became possible to create a partition on the main, onboard HSM that has the same name as a PKI token in one of the reader slots.
Avoid this by running the command token pki listDeployed, and checking the output, before launching the partition create command.
When labeling HSMs or partitions, never use a numeral as the first, or only, character in the name/label. Token backup commands allow slot-number OR label as identifier which can lead to confusion if the label is a string version of a slot number.
For example, if the token is initialized with the label "1" then the user cannot use the label to identify the target for purposes of backup, because VTL parses "1" as signifying the numeric ID of the first slot rather than as a text label for the target in whatever slot it really occupies (the target is unlikely to be in the first slot), so backup fails.
Cloning is a repeating atomic action
When you call for a cloning operation (such as backup or restore), the source HSM transfers a single object, encrypted with the source domain. The target HSM then decrypts and verifies the received blob.
If the verification is successful, the object is stored at its destination – the domains are a match. If the verification fails, then the blob is discarded and the target HSM reports the failure. Most likely the domain string or the domain PED Key, that you used when creating the target partition, did not match the domain of the source HSM partition. The source HSM moves to the next item in the object list and attempts to clone again, until the end of the list is reached.
This means that if you issue a backup command for a source partition containing several objects, but have a mismatch of domains between your source HSM partition and the backup HSM partition, then you will see a separate error message for every object on the source partition as it individually fails verification at the target HSM.
Domain Matching and the Default Domain
If you do not specify a domain in the command line when creating a partition (partition create command),then you are prompted for it.
If you type a character string at the prompt, that string becomes the domain for the partition.
If you simply press [ Enter ] without typing any characters, the system applies, to your partition, the
When you run the partition backup command, you are again prompted for a domain for the target partition on the backup HSM. You can specify a string at the command line, or omit the parameter at the command line and specify a string when prompted. Otherwise press [ Enter ] with no string at the prompt to apply the default domain. The domain that you apply to a backup HSM must match the domain on your source HSM partition.
See also Luna SA Configuration "About Creating a Partition (Password Authentication)" or "About Creating a Partition (PED authenticated)" , and "Partition Creation - Notes" for supplemental information.
| (Option) | Parameter | Description |
|---|---|---|
| -partition | -par <name> | Partition name |
| -password | -pas <password> | Partition password |
| -domain | -d <domain> | Partition Cloning Domain Name |
| -size | -s <size> | Storage Size in Bytes |
| -allfreestorage | -a . | Use All Free Storage Space |
| -force | -f . | Force the action with no prompting |
-partition name [mandatory] The name to assign to the HSM Partition. The name must be unique among all HSM Partitions on the HSM.
-password password [mandatory ] The password to be used as login credential by the HSM Partition's Owner or Client. If you omit the password from the command, for a Password authenticated Luna SA, you are prompted for it. For PED authenticated Luna SA, the password is not needed as input - one is generated and presented to you by the PED.
-domain domain [mandatory ] The cloning domain to be used when this partition needs to clone objects to/from another HSM, such as during backup/restore, or if the partition is included as a member of an HA group. For PED authenticated Luna SA, the domain is either generated on the HSM and imprinted on a red PED Key, or is accepted from an existing domain PED Key and imprinted on the HSM (for this partition).
-size <size> [optional] Specifies the size, in bytes, to allocate to the partition, from the remaining storage available on the HSM. If you specify a size, the HSM attempts to use it after calculating overhead requirements. If you do not specify a size, the HSM creates the partition with the default size, as determined by your purchased options for number of partitions and total storage on the HSM.
-allfreestorage [optional] Tells the HSM to create this partition using all the remaining, unused storage space on the HSM. After creating a partition with this option, you cannot create another without first deleting or resizing partitions to regain some space.
-force [optional] Force the partition creation with no prompting - you are still prompted by Luna PED, if yours is a PED authenticated HSM.
lunash:> partition -create -name alreadyused
Error: 'partition
-create' failed. (1006)
Error: The
name you provided for the new partition is not unique. Partitions must
have unique names.
Use 'partition -list' for a list of existing partition names.
lunash:> partition -create -name b1
Please enter password
Please enter domain
Please enter size
'partition -create' successful.