
HSM SO Configures SafeNet Network HSM Password-authenticated Partition with SO

An application owner/user has requested an application partition on the HSM, in which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM Security Officer or SO. These instructions assume a Password-authenticated SafeNet HSM supporting the creation of a partition with its own Security Officer.

These instructions assume a SafeNet Network HSM. The partition is first created over SSH using LunaSH (lunash:>). After the PPSO partition is created, administrative access to that partition moves to a host computer where the SafeNet HSM Client software is installed, and administrative actions are carried out through a Network Trust Link (NTL) using the lunacm tool.

You will need:

The HSM has firmware 6.22.0 or newer, and the Per-Partition SO (PPSO) capability is installed.

The appliance is configured for network operation, and a server certificate has been created.

The SafeNet Network HSM and your application host computer have exchanged certificates.

The HSM is in the initialized state.

Note:  If you have an existing legacy partition that shares the HSM Administrator (SO) as its SO, and you prefer that it have its own SO, it cannot be directly turned into a partition that has its own SO. You will need to back up any contents, delete the partition, and re-create with an application partition SO.

You can create either type of partition. They can co-exist without conflict on the HSM.

Note:  Updating from pre-6.22.0 firmware to firmware version 6.22.0 or newer is necessary to support the PPSO capability, but does not, itself, confer the capability. To enable creation of application partitions with their own Per-Partition Security Officers, you must acquire and install the PPSO capability upgrade.

The PPSO capability upgrade is destructive: all partitions and their contents are destroyed by the upgrade. Therefore, you must back up any existing application partition on your HSM before performing the upgrade. After the upgrade is complete, you can create new partitions with Per-Partition SOs, legacy-style partitions where the HSM SO retains ownership, or a mix of both, and then restore the pre-existing content to your new partitions from backup.

Create the PPSO Partition

1. Log in to the HSM as the HSM SO, if not already logged in.

[mylunasa] lunash:>hsm login

'hsm login' successful.

Command Result : 0 (Success)
[mylunasa] lunash:>


2. Run the partition create command, specifying a partition name and including the "-haspso" parameter.

[mylunasa] lunash:>partition create -haspso -partition mypsopar1 


Please ensure that you have purchased licenses for at least this number of partitions: 1


          Type 'proceed' to create the uninitialized partition, or
          'quit' to quit now.
          > proceed
'partition create' successful.


Command Result : 0 (Success)
[mylunasa] lunash:>


Note:  The partition create command also accepts a "-label" option. It is not used when creating PPSO partitions; if you include it, an error message appears and the "-label" value is ignored.

The "-partition <name>" parameter is required.

3. Verify that the partition has been created.

[mylunasa] lunash:>hsm show


   Appliance Details:
   ==================
   Software Version:                6.0.0-22

   HSM Details:
   ============
   HSM Label:                          mysahsm
   Serial #:                           7000022
   Firmware:                           6.22.0
   Hardware Model:                     Luna K6
   Authentication Method:              Password
   HSM Admin login status:             Logged In
   HSM Admin login attempts left:      3 before HSM zeroization!
   RPV Initialized:                    Yes
   Audit Role Initialized:             No
   Remote Login Initialized:           No
   Manually Zeroized:                  No

   Partitions created on HSM (1):
   ==============================
   Partition:       16298193222733, Name: mypsopar1

   FIPS 140-2 Operation:
   =====================
   The HSM is NOT in FIPS 140-2 approved operation mode.

   HSM Storage Information:
   ========================
   Maximum HSM Storage Space (Bytes):   2097152
   Space In Use (Bytes):                20971
   Free Space Left (Bytes):             2076181


Command Result : 0 (Success)
[mylunasa] lunash:>
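The three steps above are usually scripted when several appliances or partitions are provisioned. The following script is an added example (not part of this guide or the SafeNet product) that checks the preconditions and the result of the procedure from the output of hsm show: firmware at least 6.22.0, HSM SO logged in, and the requested partition present. The sample hsm show text is constructed from the transcript above; the fetch_hsm_show function assumes the appliance accepts a lunash command as an SSH argument for the admin user, which is an assumption about your appliance and is only used with the --live flag.

```shell
#!/bin/sh
# Added example: post-check for a PPSO partition created with
# "partition create -haspso -partition <name>" on a SafeNet Network HSM.

# Constructed sample of 'hsm show' output (abridged from the page transcript).
SAMPLE_HSM_SHOW='   HSM Details:
   ============
   HSM Label:                          mysahsm
   Firmware:                           6.22.0
   Authentication Method:              Password
   HSM Admin login status:             Logged In

   Partitions created on HSM (1):
   ==============================
   Partition:       16298193222733, Name: mypsopar1
'

# fetch_hsm_show <appliance>: run "hsm show" over SSH as the admin user.
# ASSUMPTION: the appliance runs the lunash command given as the ssh argument.
fetch_hsm_show() {
    ssh "admin@$1" "hsm show"
}

# version_ge <a> <b>: succeed if dotted version a is >= b (numeric fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# partition_serial <name>: read hsm show text on stdin and print the serial
# of the named partition; fail if no such partition is listed.
partition_serial() {
    awk -v want="$1" '
        /^ *Partition:/ {
            # Line format: "Partition:       <serial>, Name: <name>"
            serial = $2; sub(/,$/, "", serial)
            n = $0; sub(/.*Name: */, "", n)
            if (n == want) { print serial; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_ppso_ready <hsm_show_text> <partition>: print the partition serial and
# succeed only if firmware >= 6.22.0, the HSM SO is logged in, and the
# partition exists. Each failure is reported on stderr.
check_ppso_ready() {
    text="$1"; part="$2"
    fw=$(printf '%s\n' "$text" | awk '/^ *Firmware:/ { print $2; exit }')
    version_ge "$fw" "6.22.0" || {
        echo "firmware $fw is older than 6.22.0; PPSO needs 6.22.0+" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'HSM Admin login status: *Logged In' || {
        echo "HSM SO is not logged in (run 'hsm login')" >&2; return 1; }
    serial=$(printf '%s\n' "$text" | partition_serial "$part") || {
        echo "partition '$part' not found on the HSM" >&2; return 1; }
    echo "$serial"
}

# Usage: sh check_ppso.sh --live mylunasa mypsopar1   (queries a real appliance)
if [ "${1:-}" = "--live" ]; then
    check_ppso_ready "$(fetch_hsm_show "$2")" "$3"
fi
```

The check is deliberately strict about the firmware floor and the SO login state, because both are silent failure modes of the procedure: on older firmware the -haspso parameter is meaningless, and partition create cannot run without the HSM SO logged in.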


The PPSO partition now exists, and all future configuration and management of that partition will be handed over to the person who is to become the SO of the new partition. The HSM SO can delete the partition via lunash command, but cannot reach inside the new partition to perform any further administrative actions. This is an important difference from legacy-style partitions, where the HSM SO remains the administrative owner of the application partition and can perform any desired administrative function by means of lunash commands.

In a PPSO partition, the partition SO (and any additional roles that are created for the partition) performs all configuration and management actions via a client connection using LunaCM.

The next step is [Step 7] Create a Network Trust Link Between the Client and the Appliance.