Home >

Administration Guide > Domains > Single Domain Policy

Single Domain Policy

The HSM is able to support multiple partitions [See Note * below], each with its own cloning domain, if desired, as well as partition authentication for administrative users (black User PED Key for PED-authenticated HSMs, etc.) and for clients/applications (the partition challenge secret). It is possible to force all partitions on the HSM to use the same cloning domain as the administrative partition (the SO space), by setting the "Force Single Domain" policy to "Yes". This would normally be decided before any user partitions have been created on the HSM, because it is a destructive policy change, meaning that any existing HSM contents and partitions are destroyed when this policy changes. This is a convenience feature. It does not affect other authentication secrets that apply to individual partitions on the HSM.

If the policy is set to "No" - not in force - then whenever a new partition is created, the SO is prompted to create a new cloning domain for that partition, or to imprint the partition with an existing domain. By re-using existing domain secrets, you can cause partitions to share domains, if desired, but that is optional and not forced while the policy is set to "No".

If the policy is set to "Yes" - in force - then that prompt is skipped and each new partition is automatically assigned the cloning domain that is already in use for the HSM SO / administrative partition.

If the policy is set to yes, then the Domain PED Key cannot have a PED PIN

Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.

Description                              Value        Code      Destructive
===========                              =====        ====      ===========
Allow masking                            On           6         Yes
Allow cloning                            On           7         Yes
Allow non-FIPS algorithms                On           12        Yes
SO can reset partition PIN               On           15        Yes
Allow network replication                On           16        No
Allow Remote Authentication              On           20        Yes
Allow offboard storage                   On           22        Yes
Allow partition groups                   On           23        No
Allow remote PED usage                   On           25        No
Allow Acceleration                       On           29        Yes
Allow unmasking                          On           30        Yes
Allow FW5 compatibility mode             Off          31        No
Force Single Domain                      On           35        Yes 
Allow Unified PED Key                    On           36        No

The HSM is NOT in FIPS 140-2 approved operation mode.

Command Result : 0 (Success)
[local_host] lush:>    

 

Note:  For SafeNet USB HSM and SafeNet PCI-E HSM, two partitions can exist, the HSM Security Officer/adminstrative partition (as long as the HSM has been initialized), and a single User/Application partition (once that has been created).
For SafeNet Network HSM, up to 101 partitions can exist, the HSM Security Officer/adminstrative partition (as long as the HSM has been initialized), and up to 100 User/Application partitions depending on purchased-or-upgraded configuration (once those are created).