|
Home > |
Administration Guide > Slot Numbering
|
|---|
Administrative partitions and application partitions are identified as PKCS#11 cryptographic slots in SafeNet utilities, such as LunaCM and multitoken, and for applications that use the SafeNet library.
A host computer with SafeNet HSM Client software and SafeNet libraries installed can have SafeNet HSMs connected in any of three ways:
•PCI-e embedded/inserted SafeNet PCI-E HSM card (one or multiple HSMs installed - administrative partitions and application partitions are shown separately if HSM firmware is version 6.22.0 or newer)
•USB-connected SafeNet USB HSMs (one or multiple - administrative partitions and application partitions are shown separately if HSM firmware is version 6.22.0 or newer)
•SafeNet Network HSM application partitions(*), registered and connected via NTLS or via STC.
Any connected HSM partitions are shown as numbered slots. Slots are numbered from zero or from one, depending on configuration settings (see Settings Affecting Slot Order, below), and on the firmware version of the HSM(s).
(*One or multiple application partitions. Administrative partitions on SafeNet Enterprise HSMs are not visible via lunacm and other client-side tools. Only registered, connected application partitions are visible, of which multiple-per-HSM, up to 100, can exist. That is, a remote SafeNet Network HSM might support 100 application partitions, but your application and lunacm might see only one or two or fifteen of them if those were the only ones that had established certificate-exchange NTLS links with the current Client computer.)
In lunacm, a slot list would normally show:
•SafeNet Network HSM application partitions for which NTLS links are established with the current host, followed by
•SafeNet PCI-E HSM cards, followed by
•SafeNet USB HSMs
For SafeNet Network HSM, as seen from a client (via NTLS), only application partitions are visible. The HSM administrative partition of a remote SafeNet Network HSM is never seen by a SafeNet HSM Client. The SafeNet Network HSM slots are listed in the order they are polled, dictated by the entries in the [SafeNet Network HSM] section of the Crystoki.ini / chrystoki.conf file, like this:
ServerName00=192.20.17.200 ServerPort00=1792 ServerHtl00=0 ServerName01=192.20.17.220 ServerPort01=1793 ServerHtl01=
For SafeNet PCI-E HSM and SafeNet USB HSM, if you have multiple of either HSM type connected on a single host, then the order in which they appear is the hardware slot number, as discovered by the host computer.
For SafeNet PCI-E HSM and SafeNet USB HSM, the HSM administrative slot always appears immediately after the application partition. If no application partition has yet been created, a space is reserved for it, in the slot numbering.
Settings in the [Presentation] section of the configuration file (Chrystoki.conf for UNIX/Linux, crystoki.ini for Windows) can affect the numbering that the API presents to SafeNet tools (like lunacm) or to your application.
[Presentation]
ShowUserSlots=<slot>(<serialnumber>)
•Sets starting slot for the identified partition.
•Default, when ShowUserSlots is not specified, is that all available partitions are visible and appear in default order.
•Can be applied, individually, to multiple partitions, by a single entry containing a comma-separated list like:
ShowUserSlots=1(351970018022),2(351970018021),3(351970018020),....
•Affects only PPSO partitions (f/w 6.22.0 or newer)
•If multiple partitions on the same HSM are connected to the SafeNet HSM Client host computer, redirecting one of those partitions with ShowUserSlots= causes all the others to disappear from the slot list, unless they are also explicitly re-ordered by the same configuration setting.
ShowAdminTokens=yes
•Default is yes. Admin partitions of local HSMs are visible in a slot listing.
•Remotely connected partitions (SafeNet Network HSM) are not affected by this setting, because NTLS connects only application partitions, not HSM SO (Admin) partitions to clients, so a SafeNet Network HSM SO administrative partition would never be visible in a client-side slot list, regardless.
ShowEmptySlots=1
•Controls how C_GetSlotList - as used by lunacm slot list command, or ckdemo command 14, and by your PKCS#11 application - displays, or does not display unused potential slots, when the number of partitions on an HSM is not at the limit.
OneBaseSlotId=1
•Causes basic slot list to start at slot number 1 (one) instead of default 0 (zero).
(Any submitted number other than zero is treated as "1". Any letter or other non-numeric character is treated as "0".)
Say, for example, you have multiple HSMs connected to your host computer (or installed inside), with any combination of firmware 6.22.0 (and newer) or pre-6.22.0 firmware, and no explicit entries exist for slot order in the config file. The defaults prevail and the slot list would start at zero.
If you set OneBaseSlotId=1 in the configuration file, then the slot list starts at "1" instead of at "0". You could set this for personal preference, or according to how your application might expect slot numbering to occur (or if you have existing scripted solutions that depend on slot numbering starting at zero or starting at one). OneBaseSlotId affects the starting number for all slots, regardless of firmware.
If you set ShowUserSlots=20(17923506), then the identified token or HSM or application partition would appear at slot 20, regardless of the locations of other HSMs and partitions, but only if the indicated partition is firmware 6.22.0 or newer and is a PPSO partition.
Note: Slots retain login state when current-slot focus changes.
For HSMs with firmware earlier than version 6.22.0, when you used slot set to move the focus from an HSM partition or slot with logged in session(s), to another partition or slot, any sessions on the original slot were automatically closed (thus logged out).
For HSMs with firmware version 6.22.0 of newer, you can use slot set to repeatedly shift focus among slots, and whatever login state was in force when you were previously focused on a slot is still in effect when you return to that slot.