Home >

Appliance Administration Guide > Configuration without One-step NTLS > [Step 5] Create Application Partitions > About Configuring an Application Partition with Its Own SO  

About Configuring an Application Partition with Its Own SO  

When you are ready to create and configure an application partition, it is assumed that you have already initialized and configured the HSM that is to contain the application partition.

SafeNet HSMs have two types of partition spaces:

HSM administrative partition  - where HSM-wide policies are set and changed, application partitions are created/destroyed, HSM firmware and capabilities are updated, etc.

Application partition - where cryptographic operations are performed by your applications

Starting with SafeNet HSM firmware version 6.22.0, the ability to have an independent Security Officer per partition was implemented, which results in some changes from previous handling. To distinguish the different styles of partition we will call them "legacy" and "PPSO" application partitions. The options, when running SafeNet HSM Client software at the most current release are:

 

HSM firmware
version  
PPSO Capability applied?   Ownership/oversight of partition (type)   Commands visible in lunacm when this HSM partition is the currently selected slot  
<6.22.0 cannot  

legacy (see note 1) -

HSM SO has full ownership
of application partition and
controls the application
throughout its life  

All commands are as they were
before SafeNet HSM release 6.0
and firmware 6.22.0  
>=6.22 no  

legacy option (see note 2) -

HSM SO has full ownership
of application partition and
controls the application
throughout its life  

lunacm HSM and partition login
commands and others are replaced
by "role" commands; some other
commands have new
options/parameters  
>=6.22 yes  

PPSO option (see note 2) -

an application partition has its own SO
(which is the optional newer way to
configure a new application partition)  

the HSM SO can create or delete the
partition, but has no visibility or control
in the partition through its life;
complete separation of roles  

lunacm HSM and partition login
commands, and others, are replaced
by "role" commands; some other
commands have new
options/parameters  
Note 1 - No choice. With older firmware, only legacy-style partition management is available.
Note 2 - With firmware 6.22.0 and newer, you can choose to create a partition to be owned/controlled by the HSM SO (legacy), or you can choose to create a partition to be owned and managed by its own SO (the PPSO option, invoked when you specify "slot" while creating a partition in lunacm, or when you specify "haspso" while creating a partition in lunash).

 

To summarize, until firmware 6.22 (or newer) version of SafeNet HSM receives FIPS validation, and becomes the default version shipping from the factory, you could have a new SafeNet HSM, or one that you already owned, at a firmware version older than 6.22.0. If you install newer SafeNet HSM Client, the included lunacm utility version is capable of supporting both the older command set or the newer command set, depending on the HSM firmware of the currently selected slot. That is, if you have multiple SafeNet HSMs in, or connected to, your SafeNet HSM Client host, which could include:

internally installed SafeNet PCIe HSM,

USB-connected SafeNet USB HSM, or

network (NTLS- or STC-connected) SafeNet Network HSM partitions,

you could see different available command sets as you switch slots in lunacm, depending on the firmware version in the currently selected slot.

The high-level steps are summarized below, to go from a new or factory reset HSM to having a configured application partition, ready for keys and objects and cryptographic operations. Normally, each set of actions would be performed by a different person with different responsibilities.

As the HSM Administrator or SO

1.Complete the certificate exchanges and registrations necessary to create the secure link between Client and application partitions on the appliance.

2.Initialize the HSM; create the SO role and the cloning domain for the HSM's administrative partition (see HSM Initialization and Zeroization in the Administration Guide).  

3.Log into the administrative partition, as SO.  

4.Create the empty application partition.

As the application partition Security Officer  

5.Select/set the slot to the newly created application partition.  

6.Initialize the SO role and the cloning domain for the application partition.  

7.Log into the application partition as SO.  

8.Initialize the Crypto Officer role.  

9.Log out.

As the application partition Crypto Officer

10.Select/set the slot to the application partition.  

11.Log into the application partition as Crypto Officer.  

12.Initialize the Crypto User role.

Next step

Note:  Before you begin configuring and initializing a PED-authenticated SafeNet HSM, we strongly urge that you familiarize yourself with the pages at PED Authentication.

Your responses to PED prompts are required during many of the steps. Most of the PED-prompt sequences require decisions that have serious implications for ongoing use of your HSM. PED operations are subject to timeout restrictions for security reasons, meaning that, if your selections and actions are not prompt, the PED will quit the current sequence. In the event of a timeout, you must reissue the HSM command that called the PED.

For PED-authenticated SafeNet Network HSM, the first step is to initialize the HSM; see HSM SO Configures PED-authenticated SafeNet Network HSM Partition with SO .     

For Password-authenticated SafeNet Network HSM, the first step is to initialize the HSM; see HSM SO Configures SafeNet Network HSM Password-authenticated Partition with SO .