Create an application partition on a locally installed or USB-connected HSM.
The command is run from the HSM administrative partition. The HSM SO must be logged in.
partition create [-password <string>] [-label <string>] [-slot <number>] [-size <number>] [-domain <string>] [-defaultdomain] [-policyTemplate <template name>] [-force]
Parameter | Shortcut | Description |
---|---|---|
-defaultdomain | -def | use default domain instead of a private, secure domain (deprecated; not recommended) |
-domain | -d | domain for cloning (Password-auth) |
-force | -f | force the action (useful when scripting commands) |
-label | -l | label of the partition (declares a legacy partition - not used if "-slot" is specified) |
-password | -p | user role password (Password-auth) |
-policyTemplate | -tn | policy template file to apply to the partition; useful for repetitive provisioning and deployment (see partition policytemplate and Partition Creation with Policy Template Using LunaCM) |
-size | -si | storage size of partition (used only for HSMs supporting multiple application partitions, to specify a size other than the calculated default size - depends on HSM memory, existing application partitions, and their specifications) |
-slot | -sl | slot where the new partition is to be created. If "-slot" is specified, the new partition will have its own Security Officer (PSO); the PSO must initialize the partition (including assigning a label), adjust policies, and initialize user roles. Specify a slot number that is not already in use, usually below the number of the HSM administrative slot from which you are running the command. Not used if "-label" is specified. |
For HSMs with firmware 6.22.0 or newer, the partition creation does not overwrite an existing partition. If the HSM supports just a single application partition, and one already exists, the partition create command stops and throws the error "Error in execution : CKR_LICENSE_CAPACITY_EXCEEDED." To create a new application partition, delete the existing one first, with partition delete, then re-issue partition create.
The partition create command help shows the "-slot" option, and the "-label" option, which are mutually exclusive.
The "-label" option creates a legacy-style application partition that is "owned"/administered by the HSM SO.
The "-slot" option attempts to create a partition with its own Security Officer (a separate entity from the HSM SO), but if your HSM does not contain the PSO Capability Update, then the attempt fails, and you can create only a legacy-style application partition.
In general, PSO partitions are advantageous for Network HSMs that support multiple application partitions, and confer no advantage for a PCIe HSM or USB HSM that support only a single application partition, locally administered.
A partition name or a partition label can include any of the following characters:
!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
No question marks, no double quotation marks within the string.
Minimum name or label length is 1 character. Maximum is 32 characters.
Valid characters that can be used in a password or in a cloning domain, when entered via LunaSH [1], are:
!#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains, are:
"&';<>\`|()
Valid characters that can be used in a password or in a cloning domain, when entered via lunacm, are:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(the first character in that list is the space character)
Minimum password length is 7 characters; maximum is 255 characters in lunash or lunacm.
Minimum domain string length is 1 character; maximum domain length is 128 characters via lunash. No arbitrary maximum domain string length is enforced for domain strings entered via lunacm, and we have successfully input domain strings longer than 1000 characters in testing.
[1] LunaSH on the SafeNet Network HSM has a few input-character restrictions that are not present in LunaCM, run from a client host. It is unlikely that you would ever be able to access, via LunaSH, a partition that received a password or domain via LunaCM, but the conservative approach would be to avoid the few "invalid or problematic characters" generally.
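The character and length rules above are easy to get wrong in a provisioning script, and a rejected `partition create` is cheaper to catch before the PED or SO is involved. The following validator is an added example, not part of the vendor documentation; it encodes the label, password and domain rules exactly as quoted above, with `interface` being `"lunash"` or `"lunacm"`, and its conservative mode follows footnote [1] by rejecting the LunaSH-problematic characters on lunacm as well.

```python
# Added example, not from the vendor page: pre-validate the strings a
# provisioning script will pass to `partition create`, using the character
# sets and length limits quoted above. interface is "lunash" or "lunacm".
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}   # lunacm accepts space .. '~'
LABEL_CHARS = set("!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "[]^_abcdefghijklmnopqrstuvwxyz{}~")
LUNASH_CHARS = set(" !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_abcdefghijklmnopqrstuvwxyz{}~")
# "Invalid or problematic" via LunaSH. The page's LunaSH valid list and this
# set disagree on the apostrophe, so conservative mode rejects it as well.
PROBLEMATIC = set('"&\';<>\\`|()')


def check_label(label: str) -> list:
    """Partition name/label: 1..32 characters from LABEL_CHARS, no spaces."""
    issues = []
    if not 1 <= len(label) <= 32:
        issues.append(f"label length {len(label)} is outside 1..32")
    if " " in label:
        issues.append("label contains spaces; it must be double-quoted on every use")
    bad = sorted(set(label) - LABEL_CHARS - {" "})
    if bad:
        issues.append("label has disallowed characters: " + "".join(bad))
    return issues


def check_secret(value: str, kind: str, interface: str, conservative: bool = True) -> list:
    """kind: "password" (7..255) or "domain" (1..128 via LunaSH, uncapped via lunacm).
    conservative=True also rejects PROBLEMATIC characters on lunacm, per footnote [1]."""
    if kind == "password":
        lo, hi = 7, 255
    else:
        lo, hi = 1, (128 if interface == "lunash" else None)
    issues = []
    if len(value) < lo or (hi is not None and len(value) > hi):
        issues.append(f"{kind} length {len(value)} is outside the {interface} limits")
    allowed = LUNASH_CHARS if interface == "lunash" else PRINTABLE
    bad = sorted(set(value) - allowed)
    if bad:
        issues.append(f"{kind} has characters invalid via {interface}: " + "".join(bad))
    if conservative:
        risky = sorted((set(value) & PROBLEMATIC) - set(bad))
        if risky:
            issues.append(f"{kind} has LunaSH-problematic characters: " + "".join(risky))
    return issues
```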
partition create [-password <string>] [-domain <string>] [-defaultdomain] [-force]
Parameter | Shortcut | Description |
---|---|---|
-password | -p | user role password (Password-auth) |
-domain | -d | domain for cloning (Password-auth) |
-defaultdomain | -def | use default domain instead of a private, secure domain (deprecated; not recommended) |
-force | -f | force the action (useful when scripting commands) |
Note: For HSMs with firmware older than version 6.22.0, supporting just a single application partition, partition create overwrites (with a warning) any pre-existing application partition.
Example (firmware 6.22.0): creating a legacy-style partition with "-label"

```
lunacm:> slot list

   Slot Id ->              1
   Tunnel Slot Id ->       2
   Label ->                mypcie6
   Serial Number ->        150022
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->     Admin Token Slot
   HSM Configuration ->    Luna HSM Admin Partition (PED)
   HSM Status ->           OK

   Slot Id ->              3
   HSM Label ->            myG5pw
   HSM Serial Number ->    7001312
   HSM Model ->            G5Base
   HSM Firmware Version -> 6.10.4
   HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
   HSM Status ->           OK

   Current Slot Id: 1

Command Result : No Error

lunacm:> partition create -label mypcielegacypar

   Please attend to the PED.

Command Result : No Error

lunacm:> slot list

   Slot Id ->              0
   Tunnel Slot Id ->       2
   Label ->                mypcielegacypar
   Serial Number ->        349297122735
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
   Slot Description ->     User Token Slot

   Slot Id ->              1
   Tunnel Slot Id ->       2
   Label ->                mypcie6
   Serial Number ->        150022
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->     Admin Token Slot
   HSM Configuration ->    Luna HSM Admin Partition (PED)
   HSM Status ->           OK

   Slot Id ->              3
   HSM Label ->            myG5pw
   HSM Serial Number ->    7001312
   HSM Model ->            G5Base
   HSM Firmware Version -> 6.10.4
   HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
   HSM Status ->           OK

   Current Slot Id: 1

Command Result : No Error

lunacm:>
```
Example (firmware 6.22.0): creating a partition with its own Security Officer (PSO) with "-slot"

```
lunacm:> slot list

   Slot Id ->              1
   Tunnel Slot Id ->       2
   Label ->                mypcie6
   Serial Number ->        150022
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->     Admin Token Slot
   HSM Configuration ->    Luna HSM Admin Partition (PED)
   HSM Status ->           OK

   Slot Id ->              3
   HSM Label ->            myG5pw
   HSM Serial Number ->    7001312
   HSM Model ->            G5Base
   HSM Firmware Version -> 6.10.4
   HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
   HSM Status ->           OK

   Current Slot Id: 1

Command Result : No Error

lunacm:> partition create -slot 0

Command Result : No Error

lunacm:> slot list

   Slot Id ->              0
   Tunnel Slot Id ->       2
   Label ->
   Serial Number ->        349297122736
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
   Slot Description ->     User Token Slot

   Slot Id ->              1
   Tunnel Slot Id ->       2
   Label ->                mypcie6
   Serial Number ->        150022
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->     Admin Token Slot
   HSM Configuration ->    Luna HSM Admin Partition (PED)
   HSM Status ->           OK

   Slot Id ->              3
   HSM Label ->            myG5pw
   HSM Serial Number ->    7001312
   HSM Model ->            G5Base
   HSM Firmware Version -> 6.10.4
   HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
   HSM Status ->           OK

   Current Slot Id: 1

Command Result : No Error

lunacm:>
```
Example (firmware older than 6.22.0, USB HSM): partition showinfo before and after partition create

```
lunacm:> slot list

   Slot Id ->              1
   Tunnel Slot Id ->       2
   Label ->                mypcie6
   Serial Number ->        150022
   Model ->                K6 Base
   Firmware Version ->     6.22.0
   Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
   Slot Description ->     Admin Token Slot
   HSM Configuration ->    Luna HSM Admin Partition (PED)
   HSM Status ->           OK

   Slot Id ->              3
   HSM Label ->            myG5pw
   HSM Serial Number ->    7001312
   HSM Model ->            G5Base
   HSM Firmware Version -> 6.10.4
   HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
   HSM Status ->           OK

   Current Slot Id: 1

Command Result : No Error

lunacm:> partition showinfo

   The User has not been created.

Command Result : No Error

lunacm:> hsm login

   Option -password was not supplied. It is required.
   Enter the password: ********

Command Result : No Error

lunacm:> partition create

   Option -password was not supplied. It is required.
   Enter the password: ********
   Re-enter the password: ********
   Option -domain was not specified. It is required.
   Enter the domain name: ********
   Re-enter the domain name: ********

Command Result : No Error

lunacm:> partition showinfo

   HSM Serial Number ->    7001312
   HSM Status ->           OK
   Token Flags ->          CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED
   RPV Initialized ->      Not Available / Not Supported
   Slot Id ->              3
   Session State ->        CKS_RW_PUBLIC_SESSION
   User Status ->          Not Logged In
   Crypto Officer Failed Logins -> 0
   Crypto User Failed Logins ->    0
   User Flags ->           CONTAINER_KCV_CREATED
   User OUID:              1200000745010000e0d46a00
   User Storage:
      Total Storage Space:  2094996
      Used Storage Space:   0
      Free Storage Space:   2094996
      Object Count:         0

   *** The HSM is NOT in FIPS 140-2 approved operation mode. ***

   License Count -> 4
      1. 621000001-000 G5 base configuration
      1. 620139-000 Elliptic curve cryptography
      1. 620131-000 Key backup via cloning protocol
      1. 621010083-001 Performance level 15

Command Result : No Error

lunacm:>
```
Note: In the examples above, for the newer firmware, slot list, before and after, showed that the application partition had been created.
For the older firmware, the creation of an application partition did not alter the slot list, so instead we show the output of partition showinfo, before the application partition is created, and then again afterward.
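A script that drives lunacm can apply the same before/after reasoning the examples above rely on: parse the slot list, confirm the target slot is free, and predict from the admin partition's firmware whether an existing application partition will cause CKR_LICENSE_CAPACITY_EXCEEDED (6.22.0 or newer) or simply not be visible in the slot list (older firmware). This is an added example, not from the vendor page; the sample output is constructed from the slot list shown above, and `single_partition_hsm` is an assumed parameter because the slot list itself does not say how many application partitions the HSM supports.

```python
import re
# Constructed sample, adapted from the page's slot list output: a PCIe HSM admin
# partition (slot 1, firmware 6.22.0) and a USB G5 HSM (slot 3, firmware 6.10.4).
BEFORE = """\
Slot Id ->              1
Tunnel Slot Id ->       2
Label ->                mypcie6
Firmware Version ->     6.22.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Id ->              3
HSM Label ->            myG5pw
HSM Firmware Version -> 6.10.4
HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
Current Slot Id: 1
"""
# The same HSMs after `partition create -slot 0` on the PCIe (a PSO partition, no label yet).
AFTER = """\
Slot Id ->              0
Tunnel Slot Id ->       2
Label ->
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
""" + BEFORE
FIELD = re.compile(r"^\s*(?:HSM )?(.+?) ->\s*(.*)$")   # "Key -> value"; "HSM " prefix dropped

def parse_slot_list(text):
    # One dict per slot, in the order printed; prompts and other lines are skipped.
    slots, cur = [], None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        if m.group(1) == "Slot Id":
            slots.append(cur := {})
        if cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return slots

def preflight(slots, admin_slot, new_slot, single_partition_hsm=True):
    """Predict what `partition create -slot <new_slot>` does when run from admin_slot."""
    by_id = {int(s["Slot Id"]): s for s in slots}
    admin = by_id.get(admin_slot)
    if admin is None or "Admin Partition" not in admin.get("Configuration", ""):
        return "admin slot not found or not an HSM administrative partition"
    if new_slot in by_id:
        return f"slot {new_slot} is already in use"
    if tuple(int(p) for p in admin["Firmware Version"].split(".")) < (6, 22, 0):
        return "firmware older than 6.22.0: slot list does not reveal partitions; use partition showinfo"
    existing = [s for s in slots if "User Partition" in s.get("Configuration", "")
                and s.get("Tunnel Slot Id") == admin.get("Tunnel Slot Id")]
    if existing and single_partition_hsm:
        return "application partition already exists: expect CKR_LICENSE_CAPACITY_EXCEEDED"
    return "ok"
```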