|
Home > |
|---|
The HSM is able to support multiple partitions [See Note * below], each with its own cloning domain, if desired, as well as partition authentication for administrative users (black User PED Key for PED-authenticated HSMs, etc.) and for clients/applications (the partition challenge secret). It is possible to force all partitions on the HSM to use the same cloning domain as the administrative partition (the SO space), by setting the "Force Single Domain" policy to "Yes". This would normally be decided before any user partitions have been created on the HSM, because it is a destructive policy change, meaning that any existing HSM contents and partitions are destroyed when this policy changes. This is a convenience feature. It does not affect other authentication secrets that apply to individual partitions on the HSM.
•If the policy is set to "No" - not in force - then whenever a new partition is created, the SO is prompted to create a new cloning domain for that partition, or to imprint the partition with an existing domain. By re-using existing domain secrets, you can cause partitions to share domains, if desired, but that is optional and not forced while the policy is set to "No".
•If the policy is set to "Yes" - in force - then that prompt is skipped and each new partition is automatically assigned the cloning domain that is already in use for the HSM SO / administrative partition.
•If the policy is set to yes, then the Domain PED Key cannot have a PED PIN
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.
Description Value Code Destructive
=========== ===== ==== ===========
Allow masking On 6 Yes
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
SO can reset partition PIN On 15 Yes
Allow network replication On 16 No
Allow Remote Authentication On 20 Yes
Allow offboard storage On 22 Yes
Allow partition groups On 23 No
Allow remote PED usage On 25 No
Allow Acceleration On 29 Yes
Allow unmasking On 30 Yes
Allow FW5 compatibility mode Off 31 No
Force Single Domain On 35 Yes
Allow Unified PED Key On 36 No
The HSM is NOT in FIPS 140-2 approved operation mode.
Command Result : 0 (Success)
[local_host] lush:>
Note: For SafeNet USB HSM and SafeNet PCI-E HSM, two partitions can exist, the HSM Security Officer/adminstrative partition (as long as the HSM has been initialized), and a single User/Application partition (once that has been created).
For SafeNet Network HSM, up to 101 partitions can exist, the HSM Security Officer/adminstrative partition (as long as the HSM has been initialized), and up to 100 User/Application partitions depending on purchased-or-upgraded configuration (once those are created).