Password-authenticated HSM Planning

Planning for configuration of a password-authenticated SafeNet HSM is straightforward.

Determine whether the HSM authentication secrets should fall under your organization's rules for password change cycles.

Decide whether application partitions should be owned and administered by the HSM SO (the legacy model, for firmware before 6.22.0) or by a partition SO (with firmware 6.22.0 or newer and the Per-Partition SO CUF installed).

Determine HSM and partition labels, in keeping with your organization's requirements.

Determine passwords for each role:

the SO of the HSM,

the SO of each application partition (optional),

the Crypto Officer and Crypto User,

and the Auditor (optional).

Determine the cloning domain for each partition.

HSM Initialization

When you initialize, you are creating an SO (security officer) identity and attaching it to the Admin partition on the HSM. This is an administrative position and the only keys or objects that are ever stored there are system keys, not user keys. The SO sets policy for the overall HSM, and creates partitions.

When creating an access secret for the SO, you are creating a secret for an administrator who sets up the HSM and is rarely needed thereafter. You might have a single person who has the job of overseeing several HSMs, in which case you could re-use the HSM SO password.

In the legacy model, the HSM SO is also the SO of an application partition that is created on the HSM. That means the SO can see application partition contents.

In the new, Per-Partition SO (PPSO) model, the SO of the partition is a completely separate role from the HSM SO. As long as they do not use the same secret, the HSM SO is completely excluded from the application partition. This separation of roles is important in some organizations.

HSM Cloning Domain

Like all secrets for a Password-authenticated SafeNet HSM, the cloning domain is a simple text string. It governs whether an HSM can clone its contents to another HSM (for backup, or for HA). Unlike a role password, which can be reset or changed when desired, there is no provision to change the cloning domain without re-initializing the HSM.

You have the option to use the same cloning domain for the HSM as for an application partition on that HSM, or different domain secrets, if desired.

Application Partition Owner or Crypto-Officer/Crypto-User

SafeNet HSM application partitions can have a single "Owner" role that has unrestricted administrative and cryptographic access to the partition, or you can choose to divide the access into an unrestricted Crypto Officer and restricted Crypto User role.

A Password-authenticated HSM's application partition has a single text string for Owner or Crypto Officer that grants both administrative access and application access to the partition. It has a single text string for Crypto User that grants both restricted administrative access and restricted application access to the partition. This contrasts with a PED-authenticated application partition, where a black PED Key allows administrative access as Owner/Crypto Officer, while a separate challenge secret is used by unrestricted client applications, and a black PED Key allows administrative access as Crypto User, while a separate challenge secret is used by restricted client applications.

Application Partition Cloning Domain

The application partition requires a cloning domain, which must match the cloning domain of any other application partition (on any HSM) to which it should be able to clone objects. The domain is required to match for backup or for HA group creation and operation.

See Domain Planning.
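The planning rules from the PPSO and cloning-domain sections above can be checked before anything is initialized. The following is an added example, not tooling from the Administration Guide: it encodes those rules (one secret per role, a partition SO only on firmware 6.22.0 or newer with the PPSO CUF, a partition SO secret that differs from the HSM SO secret, and a shared cloning domain across partitions that will back up to or form an HA group with each other) as checks over a constructed plan; the Hsm and Partition classes, and all labels and secrets in the sample, are assumptions for illustration.

```python
"""Planning checker for password-authenticated SafeNet HSMs: added example,
not the guide's own tooling. Plan objects below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Partition:
    label: str
    domain: str                          # cloning domain, fixed at initialization
    co_password: str                     # Owner / Crypto Officer secret
    cu_password: Optional[str] = None    # Crypto User secret (optional)
    ppso_password: Optional[str] = None  # partition SO secret; None = legacy (HSM SO owns it)

@dataclass
class Hsm:
    label: str
    firmware: tuple                      # e.g. (6, 22, 0)
    ppso_cuf_installed: bool
    so_password: str
    domain: str
    partitions: List[Partition]

def check_plan(hsms: List[Hsm], ha_groups: List[List[str]]) -> List[str]:
    """Return planning issues; an empty list means the plan is consistent."""
    issues, by_label = [], {}
    for h in hsms:
        ppso_ok = tuple(h.firmware) >= (6, 22, 0) and h.ppso_cuf_installed
        for p in h.partitions:
            by_label[p.label] = p
            if p.ppso_password is not None and not ppso_ok:
                issues.append(f"{p.label}: partition SO needs firmware 6.22.0+ and the PPSO CUF")
            if p.ppso_password is not None and p.ppso_password == h.so_password:
                issues.append(f"{p.label}: partition SO secret equals HSM SO secret, so the HSM SO is not excluded")
            secrets = [s for s in (p.ppso_password, p.co_password, p.cu_password) if s]
            if len(set(secrets)) != len(secrets):
                issues.append(f"{p.label}: two partition roles share one secret")
    for group in ha_groups:
        domains = {by_label[name].domain for name in group if name in by_label}
        if len(domains) > 1:
            issues.append(f"HA group {group}: cloning domains differ; members cannot clone to each other")
    return issues

def sample_issues() -> List[str]:
    """Constructed two-HSM plan with deliberate mistakes that the checks should catch."""
    a = Hsm("hsmA", (6, 22, 0), True, "so-secret", "domA", [
        Partition("par1", "domA", "co1", "cu1", ppso_password="so-secret"),
        Partition("par2", "domX", "co2", "co2")])
    b = Hsm("hsmB", (6, 21, 0), False, "so-b", "domB", [
        Partition("par3", "domA", "co3", ppso_password="pso3")])
    return check_plan([a, b], [["par1", "par3"], ["par2", "par3"]])
```

Running sample_issues() reports four findings: par1 reuses the HSM SO secret for its partition SO, par2 gives the Crypto Officer and Crypto User the same secret, par3 asks for a partition SO on an HSM that cannot support one, and the par2/par3 HA group mixes cloning domains.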

Auditor

The Audit role is completely separate from other roles on the HSM. It is optional for operation of the HSM, but might be mandatory according to your security regime. The Audit role can be created at any time, and does not require that the HSM already be initialized.