|
Home > |
Administration Guide > Slot Numbering
|
|---|
Administrative partitions and application partitions are identified as PKCS#11 cryptographic slots in Luna utilities, such as LunaCM and multitoken, and for applications that use the Luna library.
A host computer with LunaClient software and Luna libraries installed can have Luna HSMs connected in any of three ways:
•PCI-e embedded/inserted Luna PCI-E HSM card (one or multiple HSMs installed - administrative partitions and application partitions are shown separately if HSM firmware is version 6.22.0 or newer)
•USB-connected Luna G5 HSMs (one or multiple - administrative partitions and application partitions are shown separately if HSM firmware is version 6.22.0 or newer)
•Luna SA application partitions(*), registered and connected via NTLS or via STC.
Any connected HSM partitions are shown as numbered slots. Slots are numbered from zero or from one, depending on configuration settings (see "Settings Affecting Slot Order", below), and on the firmware version of the HSM(s).
(*One or multiple application partitions. Administrative partitions on Luna SA HSMs are not visible via lunacm and other client-side tools. Only registered, connected application partitions are visible, of which multiple-per-HSM, up to 100, can exist. That is, a remote Luna SA might support 100 application partitions, but your application and lunacm might see only one or two or fifteen of them if those were the only ones that had established certificate-exchange NTLS links with the current Client computer.)
In lunacm, a slot list would normally show:
•Luna SA application partitions for which NTLS links are established with the current host, followed by
•Luna PCI-E cards, followed by
•Luna G5 HSMs
For Luna SA, as seen from a client (via NTLS), only application partitions are visible. The HSM administrative partition of a remote Luna SA HSM is never seen by a LunaClient. The Luna SA slots are listed in the order they are polled, dictated by the entries in the [Luna SA] section of the Crystoki.ini / chrystoki.conf file, like this:
ServerName00=192.20.17.200 ServerPort00=1792 ServerHtl00=0 ServerName01=192.20.17.220 ServerPort01=1793 ServerHtl01=
For Luna PCI-E and Luna G5, if you have multiple of either HSM type connected on a single host, then the order in which they appear is the hardware slot number, as discovered by the host computer.
For Luna PCI-E and Luna G5, the HSM administrative slot always appears immediately after the application partition. If no application partition has yet been created, a space is reserved for it, in the slot numbering.
Settings in the [Presentation] section of the configuration file (Chrystoki.conf for UNIX/Linux, crystoki.ini for Windows) can affect the numbering that the API presents to Luna tools (like lunacm) or to your application.
[Presentation]
ShowUserSlots=<slot>(<serialnumber>)
•Sets starting slot for the identified partition.
•Default, when ShowUserSlots is not specified, is that all available partitions are visible and appear in default order.
•Can be applied, individually, to multiple partitions, by a single entry containing a comma-separated list like:
ShowUserSlots=1(351970018022),2(351970018021),3(351970018020),....
•Affects only PPSO partitions (f/w 6.22.0 or newer)
•If multiple partitions on the same HSM are connected to the LunaClient host computer, redirecting one of those partitions with ShowUserSlots= causes all the others to disappear from the slot list, unless they are also explicitly re-ordered by the same configuration setting.
ShowAdminTokens=yes
•Default is yes. Admin partitions of local HSMs are visible in a slot listing.
•Remotely connected partitions (Luna SA) are not affected by this setting, because NTLS connects only application partitions, not HSM SO (Admin) partitions to clients, so a Luna SA HSM SO administrative partition would never be visible in a client-side slot list, regardless.
ShowEmptySlots=1
•Controls how C_GetSlotList - as used by lunacm slot list command, or ckdemo command 14, and by your PKCS#11 application - displays, or does not display unused potential slots, when the number of partitions on an HSM is not at the limit.
OneBaseSlotId=1
•Causes basic slot list to start at slot number 1 (one) instead of default 0 (zero).
(Any submitted number other than zero is treated as "1". Any letter or other non-numeric character is treated as "0".)
Say, for example, you have multiple HSMs connected to your host computer (or installed inside), with any combination of firmware 6.22.0 (and newer) or pre-6.22.0 firmware, and no explicit entries exist for slot order in the config file. The defaults prevail and the slot list would start at zero.
If you set OneBaseSlotId=1 in the configuration file, then the slot list starts at "1" instead of at "0". You could set this for personal preference, or according to how your application might expect slot numbering to occur (or if you have existing scripted solutions that depend on slot numbering starting at zero or starting at one). OneBaseSlotId affects the starting number for all slots, regardless of firmware.
If you set ShowUserSlots=20(17923506), then the identified token or HSM or application partition would appear at slot 20, regardless of the locations of other HSMs and partitions, but only if the indicated partition is firmware 6.22.0 or newer and is a PPSO partition.
Note: Slots retain login state when current-slot focus changes.
For HSMs with firmware earlier than version 6.22.0, when you used slot set to move the focus from an HSM partition or slot with logged in session(s), to another partition or slot, any sessions on the original slot were automatically closed (thus logged out).
For HSMs with firmware version 6.22.0 of newer, you can use slot set to repeatedly shift focus among slots, and whatever login state was in force when you were previously focused on a slot is still in effect when you return to that slot.