|
Home > |
Configuration Guide > Creating an Application Partition (SO, Crypto Officer, and Domain) > PED-Authenticated Partition > HSM SO Configures PED-authenticated Partition with SO, Local to Client
|
|---|
An application owner/user has requested an application partition on the HSM, on which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM SO. These instructions assume a PED-authenticated SafeNet HSM supporting the creation of a partition with its own Security Officer. These instructions assume a SafeNet HSM installed locally to the host computer, where SafeNet HSM Client software is installed, and where administrative access to the HSM is carried out via the lunacm utility.
You will need:
•An HSM that has firmware 6.22.0, or later, and the Per-Partition SO capability installed.
•SafeNet PED and PED Keys with labels. These instructions assume that your SafeNet PED is locally connected. These instructions assume that you have already made your decisions whether to use all-new, blank PED Keys, or to re-use any existing, imprinted PED Keys for any of the steps.
Note: If you have an existing legacy partition that shares the HSM SO as its administrator, it cannot be directly turned into a partition that has its own SO. You will need to back up any contents, delete the partition, and re-create with an application partition SO.
These instructions assume that the HSM is new, or has undergone factory reset and is in zeroized state with no HSM SO or Administrator role set. This can be verified by running the lunacm command hsm showinfo while the HSM is the selected cryptographic slot. For example:
lunacm:> slot list
Slot Id -> 0
Tunnel Slot Id -> 1
Label ->
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 2
HSM Label -> myG5
HSM Serial Number -> 701312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> SafeNet USB HSM (PED) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 0
Command Result : No Error
lunacm:>
The output shows that the host computer contains a SafeNet PCI-E HSM at the desired firmware version, as slot 0, and a SafeNet USB HSM with legacy firmware as slot 2 . Both are PED-authenticated. The current slot is the SafeNet PCI-E HSM, so all commands are directed to that HSM.
lunacm:> hsm showinfo
Partition Label ->
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 150022
Partition Status -> Zeroized
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
Slot Id -> 0
Tunnel Slot Id -> 1
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
Token Flags ->
Partition OUID: Not Available
Partition Storage:
Total Storage Space: 0
Used Storage Space: 0
Free Storage Space: 0
Object Count: 0
Overhead: 2156
Firmware Version -> 6.22.0
Rollback Firmware Version -> 6.21.0
RPV Initialized -> Not Available / Not Supported
HSM Storage:
Total Storage Space: 2097152
Used Storage Space: 0
Free Storage Space: 2097152
Allowed Partitions: 0
Number of Partitions: 0
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
License Count -> 8
1. 621000026-000 K6 base configuration
1. 620127-000 Elliptic curve cryptography
1. 620114-001 Key backup via cloning protocol
1. 620109-000 PIN entry device (PED) enabled
1. 621010358-001 Enable a split of the master tamper key to be stored externally
1. 621010089-001 Enable remote PED capability
1. 621000021-001 Performance level 15
1. 621000079-001 Enable Small Form Factor Backup
Command Result : No Error
lunacm:>
The HSM in the current slot is zeroized and ready to be configured.
Have PED Keys and labels ready and have a SafeNet PED connected to the HSM, and set to Local Mode.
1.Initialize the HSM.
Type hsm init -label <a label>
lunacm:> hsm init -label mylunapci
You are about to initialize the HSM.
All contents of the HSM will be destroyed.
All roles will be destroyed.
The domain will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
Respond to SafeNet PED prompts...
Command Result : No Error lunacm:>
Note: PKCS slot numbering starts at zero.
At least a slot zero (0) always exists, as a placeholder for partitions to be created.
For consistency in operation, the HSM administrative partition must always be the highest-numbered slot on that HSM. Before the admin partition is initialized, the placeholder is at slot 0. After the admin partition is initialized, it takes a higher slot number and leaves the placeholder for a future partition.
SafeNet HSMs and libraries uphold PKCS standards, which require that the slot number must not change during the current session. Therefore, in order for the HSM administrative slot to become slot 1 in this example, and leave room at slot 0 for creation of an application partition, you must exit lunacm (which closes the session) after initializing the HSM administrative partition and then relaunch lunacm, which starts a new session with the slots renumbered.
Also, be aware that it is possible to override the default numbering and force the starting slot number.
2.Exit and re-launch lunacm.
lunacm:> exit
C:\Program Files\SafeNet\LunaClient>lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSMs:
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mylunapci
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5
HSM Serial Number -> 701312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> SafeNet USB HSM (PED) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
lunacm:>
3.Log in as the HSM Administrator:
Type role login -name Administrator
lunacm:> role login -name Administrator
Please attend to the PED.
Respond to SafeNet PED prompts...
Command Result : No Error lunacm:>
4.Create an application partition, intended to have its own SO, by specifying the "-slot" parameter. Note that the HSM administrative partition is always the highest numbered slot, therefore it becomes slot 1, leaving slot 0 available for the application partition that you are creating.
Type partition create -slot <slot number>
lunacm:> par create -slot 0 Command Result : No Error lunacm:> slot list
5.Verify the slot occupied by the new, empty, application partition, and check the currently active slot.
Type slot list
lunacm:> slot list
Slot Id -> 0
Tunnel Slot Id -> 2
Label ->
Serial Number -> 349297122738
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mylunapci
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5
HSM Serial Number -> 701312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> SafeNet USB HSM (PED) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
6.The HSM SO now informs the intended application partition SO
a. the newly created, empty application partition is ready,
b.how to access it.
This concludes the HSM SO's actions for a partition with its own SO. Further action in the new partition must be initiated by the partition SO who takes over responsibility as the chief authority of that partition. The HSM SO has no visibility into the new partition. Go to "Partition SO Configures PED-authenticated PPSO Application Partition" on page 1.