
Initializing a Password Authenticated HSM

Initialize the HSM to set up the necessary identities, ownership and authentication on the HSM. This is required before you can create Partitions and use the HSM.

Start the Initialization Process

The hsm init command takes several options.

See hsm init in the Lunacm Command Reference.

For an HSM with Password Authentication, you need to provide a label, password, and cloning domain. The only one that you should type at the command line is the label. The password and cloning domain can be typed at the command line, but this makes them visible to anyone who can see the computer screen, or to anyone who later scrolls back in your console or ssh session buffer.

If you omit the password and the domain, the system prompts you for them, and hides your input with "*" characters. This is preferable from a security standpoint. Additionally, you are prompted to re-enter each string, thus helping to ensure that the string you type is the one you intended to type.

Label

The label is a string of up to 32 characters that identifies this HSM unit uniquely. A labeling convention that conveys some information relating to business, departmental or network function of the individual HSM is commonly used.

HSM password

The HSM password is a password for the HSM Security Officer (SO).

It should employ standard password-security characteristics:

at least 8 characters,

not easily guessable (therefore, no words that occur in any dictionary)

no dates like birthdays or anniversaries, no proper names

should include miXEd-CAse letters, numbers, and special (non-alphanumeric) characters such as -_!@#$%&*

Cloning domain

The cloning domain is a shared identifier that makes cloning possible among a group of HSMs. Cloning is required for backup or for HA. Cloning cannot take place between HSMs that do not share a common domain.

Always specify a cloning domain when you initialize a Password Authenticated SafeNet HSM in a production environment. The HSM allows you to specify "defaultdomain", the factory-default domain, at initialization. This is deprecated, as it is insecure: anyone could clone objects to or from such an HSM. The default domain is provided, for the time being, for the benefit of customers who have previously used the default domain. When you prepare a SafeNet HSM to go into service in a real "production" environment, always specify a proper, secure domain string when you initialize.
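The following pre-flight check, added here as an illustration and not part of the SafeNet/Thales documentation or tooling, applies the constraints this page states (32-character label, 8+ character SO password with mixed case, digits and special characters, no dictionary words or dates, and never the factory-default cloning domain) before anyone types hsm init. The word list and the year-pattern date heuristic are constructed assumptions; a real deployment would substitute an organisational wordlist.

```python
import re
import string

# Limits stated on this page.
LABEL_MAX = 32
PASSWORD_MIN = 8
DEFAULT_DOMAIN = "defaultdomain"   # deprecated factory default, never for production
# Constructed stand-in for a real dictionary/wordlist (assumption, not from the page).
SAMPLE_WORDLIST = {"password", "luna", "safenet", "welcome", "admin"}


def check_label(label):
    """Label must be non-empty and at most 32 characters."""
    problems = []
    if not label:
        problems.append("label is empty")
    if len(label) > LABEL_MAX:
        problems.append(f"label exceeds {LABEL_MAX} characters")
    return problems


def check_so_password(password, wordlist=SAMPLE_WORDLIST):
    """Apply the SO password characteristics listed under 'HSM password'."""
    problems = []
    if len(password) < PASSWORD_MIN:
        problems.append(f"password shorter than {PASSWORD_MIN} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("password lacks mixed-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("password lacks a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("password lacks a special (non-alphanumeric) character")
    lowered = password.lower()
    if any(word in lowered for word in wordlist):
        problems.append("password contains a dictionary word")
    # Heuristic (assumption): a four-digit year suggests a birthday/anniversary.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("password appears to contain a year or date")
    return problems


def check_domain(domain):
    """Cloning domain must be present and must not be the factory default."""
    if not domain or domain.lower() == DEFAULT_DOMAIN:
        return ["cloning domain is missing or is the deprecated factory default"]
    return []


def validate_init_params(label, password, domain):
    """Return every problem found; an empty list means the parameters are acceptable."""
    return check_label(label) + check_so_password(password) + check_domain(domain)
```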

Initialize a Password Authenticated HSM

Type the hsm init command at the prompt, supplying a text label for the new HSM.

lunacm:> hsm init -label myluna1

Option -password was not supplied.  It is required.
Enter the password: *********
Re-enter the password: *********

Option -domain not specified.
If you proceed, the default domain will be used.
You will not be creating a new domain. Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error
lunacm:>

When the operation completes, the system displays a “success” message. Note that the transcript above accepts the default domain, which is deprecated for production use; in a production environment, supply a proper domain string as described under Cloning domain.

You have initialized the HSM and created an HSM SO identity to perform global administrator activities on the HSM, including creating other identities for special roles and purposes.

You are ready to adjust HSM Policies (if desired) and begin creating HSM Partitions for your Client's applications to use.
