Appliance Administration Guide > Configuration without One-step NTLS > [Step 5] Create Application Partitions > Prepare to Create a Partition (PED Authenticated)

Prepare to Create a Partition (PED Authenticated)

This section covers application partition setup for PED-authenticated HSMs. The activities in this section are required in these circumstances:

- if you just initialized the HSM for the first time and must now create your first application Partition, or

- if you have purchased a SafeNet HSM capable of supporting multiple HSM Partitions and you wish to create those additional partitions (this procedure creates one HSM Partition at a time, and you would need to repeat it once for each Partition, up to the number supported by your SafeNet HSM), or

- if you have deleted an HSM Partition and wish to create a new one to replace it.

About HSM Partitions on the Initialized HSM

At this point, the HSM should already:

- have its network settings configured (see Configuring the SafeNet Appliance Network Settings)

- have appliance and client-side certificates exchanged and registered (see [Step 7] Create a Network Trust Link Between the Client and the Appliance)

- have its HSM SO and its Cloning Domain assigned (see About Initializing a PED-Authenticated HSM).

Within the HSM, separate cryptographic workspaces must be initialized and designated for client operations. A workspace, or Partition, and all its contents are protected by encryption derived (in part) from its authentication. Only a Client that presents the proper authentication is allowed to see the Partition and to work with its contents.

In this section, you will:

- Decide the type of application partition to create

- Create an HSM application partition

Establish a Connection to your HSM Appliance

1. If you do not already have a connection open, connect your administration computer to the serial Console port of the HSM appliance and open a Terminal session, or use ssh to connect via the network (for Windows, we provide PuTTY; for UNIX/Linux, your operating system provides the ssh client, either as part of the distribution or as a separately downloadable utility).

Note: Use of older PuTTY versions, and related tools, can result in the appliance refusing to accept a connection. This can happen if a security update imposes restrictions on connections from older versions. To ensure compatibility, always use the versions of the executable files included with the current client installer.

Login as HSM SO

1. To create HSM Partitions, you must log in to the HSM as HSM Security Officer (SO).
Ensure that the PED is connected to the PED port on your HSM host, and that the PED is powered on and shows "Awaiting command...".

Or, ensure that you have set up a Remote PED connection, and the PED is ready (see Installing and Configuring a SafeNet Remote PED of the Installation Guide and Configuring Remote PED of the Administration Guide).

2. At the command prompt, type the login command.

lunash:> hsm login

3. Authenticate as HSM SO:
The PED prompts for the blue PED Key.

PED MESSAGE: SO LOGIN... Insert a SO / HSM Admin PED Key.  Press ENTER

Provide the blue HSM Admin PED Key that has been imprinted (initialized) for this HSM.

If you set a PED PIN when the key was imprinted, you are prompted for that as well.

4. At this point, you are about to create an application partition. The options are:

a. a legacy-style partition (old firmware)

- HSMs with firmware earlier than 6.22.0 (only legacy partitions possible),

- the HSM SO owns and administers the partition

- the remaining partition configuration steps are carried out at the command line, as you have been doing to this point; go to Create a PED Authenticated Legacy-style Application Partition (f/w pre-6.22.0)

b. a legacy-style partition (newer firmware)

- HSMs with f/w 6.22.0 or newer without the PPSO capability installed (only legacy partitions possible), or HSMs with f/w 6.22.0 or newer with the PPSO capability installed, where you choose to create a legacy partition rather than a PPSO partition

- the HSM SO owns and administers the partition

- the remaining partition configuration steps are carried out at the command line, as you have been doing to this point; go to Create a PED Authenticated Legacy-style Application Partition (f/w 6.22.0 or newer)

c. a PPSO or Per-Partition SO partition
(optional in HSMs with firmware 6.22.0 or newer and with the PPSO capability installed)

- each partition has its own SO, and the HSM SO has no access other than to delete the application partition

- the creation of an empty partition is performed next at the LunaSH command line, but subsequent steps are performed at a registered SafeNet HSM Client computer, over an NTL or STC link

- go to HSM SO Configures PED-authenticated SafeNet Network HSM Partition with SO

If you don't remember whether you are logged in as HSM SO, you can use the hsm show command to find out:

[mylunasa6] lunash:>hsm show


   Appliance Details:
   ==================
   Software Version:                6.0.0-33

   HSM Details:
   ============
   HSM Label:                          mysa6
   Serial #:                           7000022
   Firmware:                           6.22.0
   HSM Model:                          K6 Base
   Authentication Method:              PED keys
   HSM Admin login status:             Not Logged In      (alternatively could show "Logged in")
   HSM Admin login attempts left:      3 before HSM zeroization!
   RPV Initialized:                    Yes
   Audit Role Initialized:             Yes
   Remote Login Initialized:           No
   Manually Zeroized:                  No

   Partitions created on HSM:
   ==============================
   Partition:       16298193222733, Name: mypsopar1
   Partition:       16298193222735, Name: mylegacypar1

   Number of partitions allowed:        100
   Number of partitions created:        2

   FIPS 140-2 Operation:
   =====================
   The HSM is NOT in FIPS 140-2 approved operation mode.

   HSM Storage Information:
   ========================
   Maximum HSM Storage Space (Bytes):   16252928
   Space In Use (Bytes):                325058
   Free Space Left (Bytes):             15927870


Command Result : 0 (Success)
[mylunasa6] lunash:>
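The `hsm show` output above carries the three facts this section depends on: whether the HSM SO is logged in, whether the firmware is at or past 6.22.0 (which decides between option a and options b/c), and how many SO login attempts remain before the HSM zeroizes. The following Python script is an added example, not SafeNet or Luna tooling; it parses output captured from a lunash session (for instance over ssh) and reports those facts. The PPSO capability is not shown by `hsm show`, so the script can only narrow the choice to option a versus options b/c.

```python
import re

# Excerpt of the `hsm show` session shown above, embedded as sample input
# (the page's values, minus the author's "(alternatively ...)" annotation).
SAMPLE_HSM_SHOW = """\
   HSM Label:                          mysa6
   Serial #:                           7000022
   Firmware:                           6.22.0
   Authentication Method:              PED keys
   HSM Admin login status:             Not Logged In
   HSM Admin login attempts left:      3 before HSM zeroization!
   Partition:       16298193222733, Name: mypsopar1
   Partition:       16298193222735, Name: mylegacypar1
   Number of partitions allowed:        100
   Number of partitions created:        2
"""

# Maximum consecutive failed HSM SO logins before zeroization, as stated in the output.
MAX_SO_ATTEMPTS = 3


def parse_hsm_show(text):
    """Map each 'Key:   value' line to a dict; 'Partition:' lines are collected in a list."""
    fields, partitions = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(.*\S)\s*$", line)
        if not m:
            continue  # section headers, separators and sentences without a value
        key, value = m.groups()
        if key == "Partition":
            pid, name = re.match(r"(\d+), Name: (\S+)", value).groups()
            partitions.append((pid, name))
        else:
            fields[key] = value
    fields["partitions"] = partitions
    return fields


def firmware_tuple(version):
    """'6.22.0' -> (6, 22, 0), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in version.split("."))


def partition_readiness(text):
    """Summarize what the operator needs to know before step 4 of this procedure."""
    f = parse_hsm_show(text)
    attempts = int(f["HSM Admin login attempts left"].split()[0])
    legacy_only = firmware_tuple(f["Firmware"]) < (6, 22, 0)
    return {
        "so_logged_in": f["HSM Admin login status"].lower() == "logged in",
        "so_attempts_left": attempts,
        # Fewer than the maximum means a failed SO login already happened: investigate before retrying.
        "so_attempts_warning": attempts < MAX_SO_ATTEMPTS,
        "partition_option": "a (legacy, f/w pre-6.22.0)" if legacy_only else "b or c (f/w 6.22.0 or newer)",
        "free_partition_slots": int(f["Number of partitions allowed"]) - int(f["Number of partitions created"]),
        "existing_partitions": [name for _, name in f["partitions"]],
    }
```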