|
Home > |
Configuration Guide > Creating an Application Partition (SO, Crypto Officer, and Domain) > About Configuring an Application Partition with Its Own SO
|
|---|
When you are ready to create and configure an application partition, it is assumed that you have already initialized and configured the HSM that is to contain the application partition.
SafeNet HSMs have two types of partition spaces:
•HSM administrative partition - where HSM-wide policies are set and changed, application partitions are created/destroyed, HSM firmware and capabilities are updated, etc.
•Application partition - where cryptographic operations are performed by your applications
Starting with SafeNet HSM firmware version 6.22.0, the ability to have an independent Security Officer per partition was implemented, which results in some changes from previous handling. To distinguish the different styles of partition we will call them "legacy" and "PPSO" application partitions. The options, when running SafeNet HSM Client software at the most current release are:
| HSM firmware version |
PPSO Capability applied? | Ownership/oversight of partition (type) | Commands visible in lunacm when this HSM partition is the currently selected slot |
|---|---|---|---|
| <6.22.0 | cannot |
legacy (see note 1) - •HSM SO has full ownership |
All commands are as they were before SafeNet HSM release 6.0 and firmware 6.22.0 |
| >=6.22 | no |
legacy option (see note 2) - •HSM SO has full ownership |
lunacm HSM and partition login commands and others are replaced by "role" commands; some other commands have new options/parameters |
| >=6.22 | yes |
PPSO option (see note 2) - •an application partition has its own SO •the HSM SO can create or delete the |
lunacm HSM and partition login commands, and others, are replaced by "role" commands; some other commands have new options/parameters |
| Note 1 - No choice. With older firmware, only legacy-style partition management is available. | |||
| Note 2 - With firmware 6.22.0 and newer, you can choose to create a partition to be owned/controlled by the HSM SO (legacy), or you can choose to create a partition to be owned and managed by its own SO (the PPSO option, invoked when you specify "slot" while creating a partition in lunacm, or when you specify "haspso" while creating a partition in lunash). | |||
To summarize, until firmware 6.22 (or newer) version of SafeNet HSM receives FIPS validation, and becomes the default version shipping from the factory, you could have a new SafeNet HSM, or one that you already owned, at a firmware version older than 6.22.0. If you install newer SafeNet HSM Client, the included lunacm utility version is capable of supporting both the older command set or the newer command set, depending on the HSM firmware of the currently selected slot. That is, if you have multiple SafeNet HSMs in, or connected to, your SafeNet HSM Client host, which could include:
•internally installed SafeNet PCI-E HSM,
•USB-connected SafeNet USB HSM, or
•network (NTLS- or STC-connected) SafeNet Network HSM partitions,
you could see different available command sets as you switch slots in lunacm, depending on the firmware version in the currently selected slot.
The high-level steps are summarized below, to go from a new or factory reset HSM to having a configured application partition, ready for keys and objects and cryptographic operations. Normally, each set of actions would be performed by a different person with different responsibilities.
1.Select/set the slot (if you have more than one HSM slot on your host).
2.Initialize the HSM; create the SO role and the cloning domain for the HSM's administrative partition (see HSM Initialization and Zeroization).
3.Log into the administrative partition, as SO.
4.Create the empty application partition.
5.Select/set the slot to the newly created application partition.
6.Initialize the SO role and the cloning domain for the application partition.
7.Log into the application partition as SO.
8.Initialize the Crypto Officer role.
9.Log out.
10.Select/set the slot to the application partition.
11.Log into the application partition as Crypto Officer.
12.Initialize the Crypto User role.
Note: Before you begin configuring and initializing a PED-authenticated SafeNet HSM, we strongly urge that you familiarize yourself with the pages at PED Authentication.
Your responses to PED prompts are required during many of the steps. Most of the PED-prompt sequences require decisions that have serious implications for ongoing use of your HSM. PED operations are subject to timeout restrictions for security reasons, meaning that, if your selections and actions are not prompt, the PED will quit the current sequence. In the event of a timeout, you must reissue the HSM command that called the PED.
For PED-authenticated SafeNet USB HSM and SafeNet PCI-E HSM, the first step is to initialize the partition; see HSM SO Configures PED-authenticated Partition with SO, Local to Client.
For Password-authenticated SafeNet USB HSM and SafeNet PCI-E HSM, the first step is to initialize the partition; see HSM SO Configures Password-authenticated Partition with SO, Local to Client.