Create an application partition on a locally installed or USB-connected HSM.
The command is run from the HSM administrative partition. The HSM SO must be logged in.
partition create [-password <string>] [-label <string>] [-slot <number>] [-size <number>] [-domain <string>] [-defaultdomain] [-policyTemplate <template name>] [-force]
| Parameter | Shortcut | Description |
|---|---|---|
| -defaultdomain | -def | use default domain instead of a private, secure domain (deprecated; not recommended) |
| -domain | -d | domain for cloning (Password-auth) |
| -force | -f | force the action (useful when scripting commands) |
| -label | -l | label of the partition (declares a legacy partition - not used if "-slot" is specified) |
| -password | -p | user role password (Password-auth) |
| -policyTemplate | -tn | policy template file to apply to the partition; useful for repetitive provisioning and deployment (see "partition policytemplate" and Partition Creation with Policy Template Using LunaCM) |
| -size | -si | storage size of partition (used only for HSMs supporting multiple application partitions, to specify a size other than the calculated default size - depends on HSM memory, existing application partitions, and their specifications) |
| -slot | -sl | slot where the new partition is to be created. If "-slot" is specified, the new partition will have its own Security Officer (PSO); the PSO must initialize the partition (including assigning a label), adjust policies, and initialize user roles. Specify a slot number that is not already in use, usually below the number of the HSM administrative slot from which you are running the command. Not used if "-label" is specified. |
For HSMs with firmware 6.22.0 or newer, the partition creation does not overwrite an existing partition. If the HSM supports just a single application partition, and one already exists, the partition create command stops and throws the error "Error in execution : CKR_LICENSE_CAPACITY_EXCEEDED." To create a new application partition, delete the existing one first, with partition delete, then re-issue partition create.
The partition create command help shows the "-slot" option, and the "-label" option, which are mutually exclusive.
The "-label" option creates a legacy-style application partition that is "owned"/administered by the HSM SO.
The "-slot" option attempts to create a partition with its own Security Officer (a separate entity from the HSM SO), but if your HSM does not contain the PSO Capability Update, then the attempt fails, and you can create only a legacy-style application partition.
In general, PSO partitions are advantageous for Network HSMs that support multiple application partitions, and confer no advantage for a PCIe HSM or USB HSM that support only a single application partition, locally administered.
A partition name or a partition label can include any of the following characters:
!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
No question marks, no double quotation marks within the string.
Minimum name or label length is 1 character. Maximum is 32 characters.
Valid characters that can be used in a password or in a cloning domain, when entered via LunaSH [1], are:
!#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains, are:
"&';<>\`|()
Valid characters that can be used in a password or in a cloning domain, when entered via lunacm, are:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(the first character in that list is the space character)
Minimum password length is 7 characters; maximum is 255 characters in lunash or lunacm.
Minimum domain string length is 1 character; maximum domain length is 128 characters via lunash. No arbitrary maximum domain string length is enforced for domain strings entered via lunacm, and we have successfully input domain strings longer than 1000 characters in testing.
[1] LunaSH on the SafeNet Network HSM has a few input-character restrictions that are not present in LunaCM, run from a client host. It is unlikely that you would ever be able to access, via LunaSH, a partition that received a password or domain via LunaCM, but the conservative approach would be to avoid the few "invalid or problematic characters" generally.
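The label, password and domain rules above are easy to get wrong in a provisioning script, and a rejected value surfaces only after the HSM SO is already logged in. The following validators are an added example, not SafeNet tooling, that encode exactly the character sets and length limits stated on this page; the function names, the `via` parameter ("lunacm" or "lunash") and the choice to treat the footnote's "problematic" list as forbidden even where it overlaps the LunaSH valid list are this example's own.

```python
"""Validators for the character and length rules this page states for
partition labels, passwords and cloning domains. This is an added
example, not SafeNet tooling; rejecting bad input up front avoids a
failed or half-done provisioning run."""

# Characters accepted in a partition name or label (the page's list).
LABEL_CHARS = frozenset(
    "!#$%'()*+,-./0123456789:=@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_"
    "abcdefghijklmnopqrstuvwxyz{}~"
)
LABEL_MIN, LABEL_MAX = 1, 32

# Password / domain characters accepted via LunaSH; the page's list
# starts with the space character.
LUNASH_VALID = frozenset(
    " !#$%'*+,-./0123456789:=?@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_"
    "abcdefghijklmnopqrstuvwxyz{}~"
)
# Characters the page calls invalid or problematic. Following the
# footnote's conservative advice, they are refused even where one of
# them (the apostrophe) also appears in the valid list above.
PROBLEMATIC = frozenset("\"&';<>\\`|()")
LUNASH_CHARS = LUNASH_VALID - PROBLEMATIC

# Via lunacm the page's list is every printable ASCII character.
LUNACM_CHARS = frozenset(chr(c) for c in range(0x20, 0x7F))

PASSWORD_MIN, PASSWORD_MAX = 7, 255
DOMAIN_MIN, DOMAIN_MAX_LUNASH = 1, 128   # lunacm enforces no maximum


def _check(value, allowed, lo, hi, what):
    """Return a list of problems; an empty list means the value is acceptable."""
    problems = []
    if len(value) < lo:
        problems.append(f"{what} shorter than {lo} character(s)")
    if hi is not None and len(value) > hi:
        problems.append(f"{what} longer than {hi} characters")
    bad = sorted(set(value) - allowed)
    if bad:
        problems.append(f"{what} contains disallowed character(s): {bad!r}")
    return problems


def _allowed(via):
    """Character set for the interface the value will be typed into."""
    if via == "lunacm":
        return LUNACM_CHARS
    if via == "lunash":
        return LUNASH_CHARS
    raise ValueError(f"unknown entry path {via!r}; expected 'lunacm' or 'lunash'")


def validate_label(label):
    """Partition name/label: allowed set, 1..32 characters. A space is
    tolerated because the page permits it when the label is double-quoted;
    see quote_label()."""
    return _check(label, LABEL_CHARS | {" "}, LABEL_MIN, LABEL_MAX, "label")


def quote_label(label):
    """Return the label as it must be typed on the lunacm command line:
    wrapped in double quotes whenever it contains a space. Double quotes
    themselves are never allowed in a label, so no escaping is needed."""
    return f'"{label}"' if " " in label else label


def validate_password(password, via="lunacm"):
    """7..255 characters via either interface; the character set depends
    on whether the password is typed into lunacm or LunaSH."""
    return _check(password, _allowed(via), PASSWORD_MIN, PASSWORD_MAX, "password")


def validate_domain(domain, via="lunacm"):
    """At least 1 character; LunaSH also caps the length at 128."""
    hi = DOMAIN_MAX_LUNASH if via == "lunash" else None
    return _check(domain, _allowed(via), DOMAIN_MIN, hi, "domain")


if __name__ == "__main__":
    for value in ("mypcielegacypar", "my partition", "bad?name"):
        print(quote_label(value), validate_label(value) or "ok")
    print(validate_password("pass&word1", via="lunash") or "ok")
    print(validate_password("pass&word1", via="lunacm") or "ok")
```

Validate with `via="lunash"` whenever the partition might later be administered through LunaSH on a Network HSM; the LunaCM set is a superset, so a value that passes the LunaSH check is accepted everywhere.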
partition create [-password <string>] [-domain <string>] [-defaultdomain] [-force]
| Parameter | Shortcut | Description |
|---|---|---|
| -password | -p | user role password (Password-auth) |
| -domain | -d | domain for cloning (Password-auth) |
| -defaultdomain | -def | use default domain instead of a private, secure domain (deprecated; not recommended) |
| -force | -f | force the action (useful when scripting commands) |
Note: For HSMs with firmware older than version 6.22.0, supporting just a single application partition, partition create overwrites (with a warning) any pre-existing application partition.
lunacm:> slot list
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:> partition create -label mypcielegacypar
Please attend to the PED.
Command Result : No Error
lunacm:> slot list
Slot Id -> 0
Tunnel Slot Id -> 2
Label -> mypcielegacypar
Serial Number -> 349297122735
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> slot list
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> partition create -slot 0
Command Result : No Error
lunacm:> slot list
Slot Id -> 0
Tunnel Slot Id -> 2
Label ->
Serial Number -> 349297122736
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> slot list
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.22.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Model -> G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> partition showinfo
The User has not been created.
Command Result : No Error
lunacm:> hsm login
Option -password was not supplied. It is required.
Enter the password: ********
Command Result : No Error
lunacm:> partition create
Option -password was not supplied. It is required.
Enter the password: ********
Re-enter the password: ********
Option -domain was not specified. It is required.
Enter the domain name: ********
Re-enter the domain name: ********
Command Result : No Error
lunacm:> partition showinfo
HSM Serial Number -> 7001312
HSM Status -> OK
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Available / Not Supported
Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION
User Status-> Not Logged In
Crypto Officer Failed Logins-> 0
Crypto User Failed Logins-> 0
User Flags ->
CONTAINER_KCV_CREATED
User OUID: 1200000745010000e0d46a00
User Storage:
Total Storage Space: 2094996
Used Storage Space: 0
Free Storage Space: 2094996
Object Count: 0
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
License Count -> 4
1. 621000001-000 G5 base configuration
1. 620139-000 Elliptic curve cryptography
1. 620131-000 Key backup via cloning protocol
1. 621010083-001 Performance level 15
Command Result : No Error
lunacm:>
Note: In the examples above, for the newer firmware, the slot list output before and after partition create shows that the application partition was created.
For the older firmware, creating an application partition does not alter the slot list, so instead we show the output of partition showinfo before the application partition is created and again afterward.
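A provisioning script can apply the same before/after check that the note describes, and can recognize the CKR_LICENSE_CAPACITY_EXCEEDED result mentioned earlier for HSMs that already hold their single application partition. The code below is an added example, not part of the Luna toolset: it assumes the `Key -> Value` layout shown in this page's transcripts, works on captured text rather than driving lunacm itself, and the function names are this example's own. The embedded sample is abridged from the page's own slot list output.

```python
"""Interpret lunacm 'slot list' and 'partition create' output for a
provisioning script. Added example, not part of the Luna toolset; it
assumes the 'Key -> Value' layout shown in this page's transcripts and
works on captured text rather than driving lunacm itself."""

import re

# One field per line: "<name> -> <value>"; a slot record starts at "Slot Id".
FIELD_RE = re.compile(r"^\s*(.+?)\s*->\s*(.*?)\s*$")


def parse_slot_list(text):
    """Return one dict per slot. Field names are kept exactly as printed,
    so the USB HSM's 'HSM Label' and the PCIe card's 'Label' stay distinct."""
    slots, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue          # prompts, 'Command Result' and blank lines
        name, value = m.groups()
        if name == "Slot Id":
            current = {}
            slots.append(current)
        if current is not None:
            current[name] = value
    return slots


def application_partitions(slots):
    """Slots whose Configuration names a Luna User Partition. An empty
    Label on such a slot is a PSO partition its own SO has not yet initialized."""
    return [s for s in slots if "User Partition" in s.get("Configuration", "")]


def new_partitions(before, after):
    """Serial numbers present after 'partition create' but not before: the
    before/after comparison the page's note describes for firmware 6.22.0+."""
    seen = {s.get("Serial Number") for s in before}
    return [s for s in after if s.get("Serial Number") not in seen]


def create_outcome(result_text):
    """Classify the text printed by 'partition create'."""
    if "CKR_LICENSE_CAPACITY_EXCEEDED" in result_text:
        return "capacity-exceeded"   # an application partition already exists
    if "Command Result : No Error" in result_text:
        return "created"
    return "unknown"


# Abridged from the page's own transcript (PCIe card, firmware 6.22.0).
BEFORE = """\
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Status -> OK
Slot Id -> 3
HSM Label -> myG5pw
HSM Serial Number -> 7001312
HSM Configuration -> SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
"""

AFTER = """\
Slot Id -> 0
Tunnel Slot Id -> 2
Label -> mypcielegacypar
Serial Number -> 349297122735
Configuration -> Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
""" + BEFORE

if __name__ == "__main__":
    before, after = parse_slot_list(BEFORE), parse_slot_list(AFTER)
    print("application partitions before:", len(application_partitions(before)))
    for slot in new_partitions(before, after):
        print("created slot", slot["Slot Id"], "label", repr(slot["Label"]))
    print(create_outcome("Error in execution : CKR_LICENSE_CAPACITY_EXCEEDED"))
```

On the older-firmware USB HSM the slot list does not change when the application partition is created, so `new_partitions` reports nothing there; for that device the script has to fall back to comparing partition showinfo output, as the note above does.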