
Create (Initialize) a Password Authenticated Legacy-style Application Partition  

Having logged in, you can now use the ‘partition’ command.

When you issue the partition create command to create an HSM Partition, you must supply a label (name) for the new Partition.

Note:  Choose a partition name that is meaningful, in the context of your operations.  
Partition names must be unique in the HSM. You are not permitted to create two partitions with the same label on one HSM. This will be the label seen by PKCS #11 applications.

Note:  A partition name or a partition label can include any of the following characters:

!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
No question marks, no double quotation marks within the string.  
Minimum name or label length is 1 character. Maximum is 32 characters.

Valid characters that can be used in a password or in a cloning domain, when entered via LunaSH [1], are:

   !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains, are:
"&';<>\`|()

Valid characters that can be used in a password or in a cloning domain, when entered via lunacm, are:

 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

(the first character in that list is the space character)

Minimum password length is 7 characters; maximum is 255 characters, in lunash or lunacm.

Minimum domain string length is 1 character; maximum domain length is 128 characters via lunash.  No arbitrary maximum domain string length is enforced for domain strings entered via lunacm, and we have successfully input domain strings longer than 1000 characters in testing.  

[1] LunaSH on the SafeNet Network HSM has a few input-character restrictions that are not present in LunaCM, run from a client host. It is unlikely that you would ever be able to access via LunaSH a partition that received a password or domain via LunaCM, but the conservative approach would be to avoid the few "invalid or problematic characters" generally.

When labeling HSMs or partitions, never use a numeral as the first, or only, character in the name/label. Token backup commands allow slot-number OR label as identifier which can lead to confusion if the label is a string version of a slot number.

For example, if the token is initialized with the label "1" then the user cannot use the label to identify the target for purposes of backup, because VTL parses "1" as signifying the numeric ID of the first slot rather than as a text label for the target in whatever slot it really occupies (the target is unlikely to be in the first slot), so backup fails.

CAUTION:  
Tips for using strong passwords:

– use at least eight characters (a Partition policy controls the minimum length)
– mix the case of alphabetic characters
– include at least one numeral
– include at least one punctuation character or special character such as @#$%&, etc.
– avoid words that can be found in the dictionary (any language)
– avoid proper names (especially family and pets)
– avoid birthdays and other easily identifiable dates.

For password-auth HSMs, valid characters that can be used in passwords are:
!#$%'()*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
(the first character in that list is the space character)
Invalid characters, not to be used in passwords, are "&';<>\`|.
Minimum password length is 7 characters. Maximum is 255 characters.  
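The label and password rules above can be checked before a partition is provisioned. The following checker is an added example, not part of the SafeNet documentation or tooling; it encodes the partition-label character set, the 1 to 32 character label length, the leading-numeral caveat for backup commands, the password-auth HSM password character set and 7 to 255 length, the reserved "PASSWORD" default, and the strong-password tips as warnings. The function names and the `policy_min_length` parameter are assumptions for the example.

```python
import string

# Allowed character sets copied from the page's rules (constructed constants for this example).
# The label set contains no space; the password set does (the space is its first character).
LABEL_CHARS = set("!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~")
PASSWORD_CHARS = set(" !#$%'()*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~")
PASSWORD_PUNCT = set(string.punctuation)


def check_partition_label(label):
    """Return the rule violations for a proposed partition label (an empty list means acceptable)."""
    problems = []
    if not 1 <= len(label) <= 32:
        problems.append("length must be between 1 and 32 characters")
    bad = sorted(set(label) - LABEL_CHARS - {" "})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if " " in label:
        problems.append("contains spaces, so it must be double-quoted every time it is used")
    if label[:1].isdigit():
        problems.append("starts with a numeral, which backup commands can mistake for a slot number")
    return problems


def check_partition_password(password, policy_min_length=7):
    """Return hard violations and 'weak:' warnings for a password-auth partition password.

    policy_min_length is an assumed parameter standing in for the Partition policy minimum.
    """
    problems = []
    if password == "PASSWORD":
        problems.append('"PASSWORD" is the reserved creation-time default')
    if not policy_min_length <= len(password) <= 255:
        problems.append("length must be between %d and 255 characters" % policy_min_length)
    bad = sorted(set(password) - PASSWORD_CHARS)
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # The strong-password tips from the page, reported as warnings rather than hard failures.
    if len(password) < 8:
        problems.append("weak: fewer than eight characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("weak: does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("weak: no numeral")
    if not any(c in PASSWORD_PUNCT for c in password):
        problems.append("weak: no punctuation or special character")
    return problems
```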


1. Create and name an HSM Partition. At the lunash prompt, for a legacy partition (no partition SO), type:

lunash:> partition create -partition myPartition1

For a partition with its own SO, type:

lunash:> partition create -partition myPartition1 -haspso

2. For a legacy partition (owned by the HSM SO), continue at step 3, below.
For a partition with its own SO, go to About Configuring an Application Partition with Its Own SO.

3. Supply the appropriate new HSM Partition password when you are prompted (that is, don't supply the password as a command option — waiting to be prompted is generally preferable to typing the password on the command line, because a password that is typed in response to the prompt is hidden from view by “*” characters).
NOTE: You may not set the Password to be "PASSWORD", which is reserved as the partition creation-time default, only, and is too easy to guess for a real, operational password.

4. Write down the application Partition password. This is the password that will be used:
a) to authenticate the administrator performing Partition management tasks via lunash
b) to authenticate Client applications that wish to use the SafeNet HSM.

Repeat the above actions for each HSM Partition that you wish to create (to the limits of your SafeNet system's configuration).  

Partition creation audit log entry

Each time a partition is created, an entry is added to the audit log. Any subsequent actions logged against the partition are identified by the partition serial number that was generated when the partition was created.

Determining the serial number of a created partition from the audit log

An audit log entry similar to the following is generated when a partition is created on the HSM:

5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))

It is not obvious from this entry what the serial number is for the created partition. This information, however, can be derived from the log entry, since the partition serial number is simply a concatenation of the HSM serial number and the partition container number, both of which appear in the log entry (the S/N value and the container= value):

5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))

In the example above, the HSM serial number is 150718 and the partition container number is 20. Note that the partition container number is a three-digit number with leading zeros suppressed, so that the actual partition container number is 020. To determine the partition serial number concatenate the two numbers as follows:

150718020

Use this number to identify the partition in subsequent audit log entries.
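The derivation above (HSM serial number followed by the container number padded to three digits, taken only from successful LUNA_CREATE_CONTAINER entries) can be automated when reviewing audit logs. This is an added example, not SafeNet's own tooling; the sample log is constructed from the page's entry plus two made-up lines, and the failure return code in the third line is a placeholder, not a real Luna return value.

```python
import re

# Fields the page says identify a created partition: the HSM S/N, the return code and container=.
CREATE_ENTRY = re.compile(
    r"S/N (?P<hsm_sn>\d+) .*?LUNA_CREATE_CONTAINER returned (?P<rc>RC_\w+\(0x[0-9A-Fa-f]+\)) "
    r"container=(?P<container>\d+)"
)


def partition_serial_from_entry(entry):
    """Derive the partition serial number from a LUNA_CREATE_CONTAINER audit entry.

    Returns None when the line is not a successful (RC_OK) container creation.
    """
    m = CREATE_ENTRY.search(entry)
    if m is None or not m.group("rc").startswith("RC_OK"):
        return None
    # Partition serial = HSM serial + container number with leading zeros restored to three digits.
    return m.group("hsm_sn") + m.group("container").zfill(3)


def index_partition_serials(log_lines):
    """Map each derived partition serial number to the audit entry that created it."""
    result = {}
    for line in log_lines:
        serial = partition_serial_from_entry(line)
        if serial is not None:
            result[serial] = line.strip()
    return result


# Constructed sample log: the page's entry, a second creation (container 3), and a failed creation
# whose RC_FAILED_EXAMPLE code is a placeholder, not a real Luna return value.
SAMPLE_LOG = """\
5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
5,12/12/17 16:20:02,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=3 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
5,12/12/17 16:25:40,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_FAILED_EXAMPLE(0x00000001) container=0 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
"""

if __name__ == "__main__":
    for serial, line in index_partition_serials(SAMPLE_LOG.splitlines()).items():
        print(serial, "<-", line[:60])
```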

Next steps

If you have been following the instructions on these pages as part of setting up a new SafeNet appliance, then the next step is to adjust the Partition Policy settings for the new Partition that you just configured.

You might wish to adjust the partition policies; see Set the Partition Policies for Legacy Partitions (Optional).

Otherwise, go to Creating an NTL Link Between a Client and a Partition.