|
Home > |
Appliance Administration Guide > Configuration without One-step NTLS > [Step 3] Initialize the HSM > Use hsm-init to Initialize a Password-Authenticated HSM
|
|---|
Initialize the HSM to set up the necessary identities, ownership and authentication on the HSM. This is required before you can create Partitions and use the HSM.
The hsm init command takes several options.
See hsm init in the Lunash Command Reference.
For an HSM with Password Authentication, you need to provide a label, password, and cloning domain. The only one that you should type at the command line is the label. The password and cloning domain can be typed at the command line, but this makes them visible to anyone who can see the computer screen, or to anyone who later scrolls back in your console or ssh session buffer.
If you omit the password and the domain, the system prompts you for them, and hides your input with "*" characters. This is preferable from a security standpoint. Additionally, you are prompted to re-enter each string, thus helping to ensure that the string you type is the one you intended to type.
The label is a string of up to 32 characters that identifies this HSM unit uniquely. A labeling convention that conveys some information relating to business, departmental or network function of the individual HSM is commonly used.
The HSM password is a password for the HSM Security Officer (SO).
For proper security, it should be different from the appliance admin password.
It should employ standard password-security characteristics:
•at least 8 characters,
•not easily guessable (therefore, no words that occur in any dictionary)
•no dates like birthdays or anniversaries, no proper names
•should include miXEd-CAse letters, numbers, special (non-alphanumeric, -_!@#$%&*...).
The cloning domain is a shared identifier that makes cloning possible among a group of HSMs. Cloning is required for backup or for HA. Cloning cannot take place between HSMs that do not share a common domain.
Always specify a cloning domain when you initialize a Password Authenticated SafeNet HSM in a production environment. The HSM allows you to specify "defaultdomain" at initialization, the 'factory-default' domain. This is deprecated, as it is insecure. Anyone could clone objects to or from such an HSM. The default domain is provided, for the time being, for benefit of customers who have previously used the default domain. When you prepare a SafeNet HSM to go into service in a real "production" environment, always specify a proper, secure domain string when you initialize.
Type the hsm init command at the prompt, supplying a text label for the new HSM.
lunash:> hsm -init -label myLuna
> Please enter a password for the security officer
> ********
Please re-enter password to confirm:
> ********
Please enter the cloning domain to use for initializing this
HSM :
> ********
Please re-enter domain to confirm:
> ********
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit'
to quit now.
>proceed
‘hsm - init’ successful.
When activity is complete, the system displays a “success” message.
You have initialized the HSM and created an HSM SO identity, which is an additional capability set, overlaid on the HSM appliance administrator identity.
•Appliance “admin” alone can use lunash to perform some administrator operations on the HSM server, such as network configuration, but cannot access the HSM without additional authentication
•HSM SO (equivalent to the Cryptoki “Security Officer” or “SO”) can administer the HSM, but requires that the system “admin” be logged in first (same ssh session), before HSM Admin can login.
In order to perform all possible administrative functions on the HSM appliance, you must have both the “admin” password for lunash and the HSM Admin authentication.
You are ready to adjust HSM Policies (if desired) and begin creating HSM Partitions for your Client's applications to use.