
Create a Legacy Password-authenticated Application Partition

This section describes HSM Partition setup for a SafeNet HSM with Password Authentication. The activities in this section are required in two circumstances:

if you just prepared the SafeNet HSM for the first time and must now create your first application Partition, or

if you have deleted or zeroized an HSM Partition and wish to create a new one to replace it.

About HSM Partitions on the Initialized HSM

At this point, SafeNet HSM should already have its Security Officer assigned by Initializing a Password Authenticated HSM.  

Within the HSM, a separate cryptographic workspace must be created. A workspace, or Partition, and all its contents are protected by encryption derived (in part) from its authentication. Only a User who presents the proper authentication is allowed to see the Partition and to work with its contents. That User and authentication can be separate from the Security Officer identity.

In this section, you will:

Create an HSM Partition

Set HSM Partition Policies (Optional)

First, Login as HSM Security Officer

1. To create HSM Partitions, you must log in to the SafeNet HSM as Security Officer.

For an HSM with firmware older than version 6.22.0, at the lunacm:> prompt, type:

lunacm:> hsm login -password <your_password>

 

For an HSM with firmware at version 6.22.0 or newer, at the lunacm:> prompt, type:

lunacm:> role login -name SO -password <your_password>

 

Authenticate as Security Officer by supplying the appropriate SO password. The password must be exactly as the HSM expects it, including proper use of uppercase/lowercase.

CAUTION:  If you fail three consecutive login attempts as Security Officer, the HSM is zeroized and cannot be used as-is — it must be re-initialized.  Zeroizing renders all key material unrecoverable.  

Please note that the SafeNet HSM must actually receive some information before it logs a failed attempt, so if you just press [Enter] without typing a password, that is not logged as a failed attempt. Also, when you successfully log in, the counter is reset to zero.

If you are not sure that you are currently logged in as Security Officer, type the command ‘hsm showinfo’.
For HSMs with older firmware, the item "SO Status ->" will say either "Logged in" or "Not logged in".
For HSMs with firmware 6.22.0 or newer, the item "Role status -->" will say "none logged in", or "SO logged in".

Second, Create the Partition

2. At the lunacm:> prompt, type:

lunacm:> partition create
        Option -password was not supplied.  It is required.
        Enter the password: ********
        Re-enter the password: ********
        Option -domain was not specified.  It is required.
        Enter the domain name: ********
        Re-enter the domain name: ********
Command Result : No Error

lunacm:> partition login
        Option -password was not supplied.  It is required.
        Enter the password: ********
Command Result : No Error

lunacm:>

If an error occurs, perhaps you have requested a too-short password. The password must be at least eight characters in length unless the SO sets a different minimum.

Alternate partition dialog

When you first create a partition on a newly initialized HSM, the HSM goes immediately to the partition setup, as requested.

However, if you have previously created a partition on this HSM, and have not initialized it since then, the HSM detects that a valid partition is present and warns you that the 'partition create' operation is about to destroy/overwrite that existing partition. It gives you the opportunity to back out of the operation and investigate, in case you are unsure of the status.

lunacm:> partition create
        Option -password was not supplied.  It is required.
        Enter the password: ********
        Re-enter the password: ********
        Option -domain was not specified.  It is required.
        Enter the domain name: ********
        Re-enter the domain name: ********

        The existing Partition will be destroyed.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error

lunacm:>

Third, Set/Change Partition Policies [Optional]

3. View the partition information, including Capabilities and Policies, to see if you need to change anything. Type:

lunacm:> partition showpolicies
        Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
        Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
lunacm:> 
 

As an example of a change, you could type:

lunacm:> partition changePolicy -policy 16 -value 0
 

This would have the effect of switching on RSA blinding.
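As an added example (not part of the SafeNet documentation), the following Python script parses the 'partition showpolicies' listing format shown above and reports any policy that differs from a hypothetical hardening baseline, decoding the inverted "Minimum pin length" value along the way. The baseline values, and the assumption that policy 25 is set with the same inverted (255 - min) encoding it is displayed in, are mine, not the product's.

```python
import re

# Constructed sample of 'partition showpolicies' output, abridged from this page's listing.
SAMPLE_OUTPUT = """\
        Partition Capabilities
16: Enable operation without RSA blinding : 1
25: Minimum pin length (inverted: 255 - min) : 248
        Partition Policies
0: Allow private key cloning : 0
16: Operate without RSA blinding : 1
20: Max failed user logins allowed : 10
25: Minimum pin length (inverted: 255 - min) : 248
30: Allow Remote Authentication : 0
Command Result : No Error
"""

# "<id>: <description> : <value>"; the description itself may contain a colon.
LINE_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_showpolicies(text):
    """Return {'capabilities': {id: (desc, value)}, 'policies': {id: (desc, value)}}."""
    sections = {"capabilities": {}, "policies": {}}
    current = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "Partition Capabilities":
            current = "capabilities"
        elif heading == "Partition Policies":
            current = "policies"
        else:
            m = LINE_RE.match(line)
            if m and current is not None:
                sections[current][int(m.group(1))] = (m.group(2), int(m.group(3)))
    return sections

def min_pin_length(policies):
    """Policy 25 is displayed inverted (255 - min), as its own label says."""
    return 255 - policies[25][1]

# Hypothetical hardening baseline (my assumption): policy id -> (wanted value, lunacm fix).
BASELINE = {
    0: (0, "partition changePolicy -policy 0 -value 0"),    # no private key cloning
    16: (0, "partition changePolicy -policy 16 -value 0"),  # keep RSA blinding on
    30: (0, "partition changePolicy -policy 30 -value 0"),  # no remote authentication
}

def audit(text, min_password=8):
    """Return [(policy id, description, actual value, remediation command)] for deviations."""
    policies = parse_showpolicies(text)["policies"]
    findings = [(pid, policies[pid][0], policies[pid][1], fix)
                for pid, (wanted, fix) in BASELINE.items()
                if pid in policies and policies[pid][1] != wanted]
    if 25 in policies and min_pin_length(policies) < min_password:
        findings.append((25, "Minimum pin length", min_pin_length(policies),
                         "partition changePolicy -policy 25 -value %d" % (255 - min_password)))
    return findings
```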

Where to go next?

Having set up your SafeNet HSM, you want to use it.

Either you have created an application of your own that can make use of an HSM, or you are using existing third-party software. Examples might be Microsoft server applications like Certificate Services, IIS, ISA, RMS or others, which can perform their cryptographic functions in software, using local computer resources (CPU, memory, and hard disk) with their inherent security issues, or which can be configured to make use of an HSM.

If you are using one of the indicated Microsoft products, you will need to install the SafeNet CSP software and then install the server application, or else re-configure an existing installation to make use of SafeNet CSP (which provides the bridge between the application and the SafeNet HSM).

On 64-bit Windows systems, you have the option to use Microsoft's CNG (replaces CAPI), and to use our KSP provider instead of CSP.

Another option is a Java-based application, in which case you should install the SafeNet JSP, which comes with Javadocs and sample code.