partition init
Initialize an application partition. This command is used within the partition being initialized.
For password-authenticated HSMs, if the password is not provided via the command line, the user is interactively prompted for it. Input is echoed as asterisks, and the user is asked to confirm the password. This creates the Crypto Officer role.
For PED-authenticated HSMs, PED action is required, and a partition Crypto Officer PED key (black) is imprinted. Any password provided at the command line is ignored.
CAUTION! When labeling HSMs or partitions, never use a numeral as the first, or only, character in the name/label. Token backup commands allow a slot number OR a label as identifier, which can lead to confusion if the label is a string version of a slot number.
For example, if the token is initialized with the label "1", the user cannot use the label to identify the target for backup purposes, because VTL parses "1" as the numeric ID of the first slot rather than as a text label for the target in the actual occupied slot.
Domain matching and the default domain
If you do not specify a domain in the command line, you are prompted for it.
If you type a character string at the prompt, that string becomes the domain for the partition.
When you run the partition backup command, you are again prompted for a domain for the target partition on the backup HSM. You can specify a string at the command line, or omit the parameter at the command line and specify a string when prompted. Otherwise press Enter with no string at the prompt to apply the default domain. The domain that you apply to a backup HSM must match the domain on your source HSM partition.
Partition name rules
A partition name or a partition label can include any of the following characters:
!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
>No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
>No question marks, no double quotation marks within the string.
>Minimum name or label length is 1 character. Maximum is 32 characters.
Partition password and domain rules
Valid characters that can be used in a password or in a cloning domain are:
!#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains, are "&';<>\`|()
Minimum password length is 7 characters; maximum is 255 characters.
Minimum domain string length is 1 character; maximum domain length is 128 characters.
Names and labels have an additional restriction, in that you should avoid a leading space.
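The rules above are easy to get wrong in a provisioning script, so here is an added pre-flight validator (not part of lunacm or any Thales tooling) that checks a proposed label, password and cloning domain against them before the command is run. It assumes the character lists exactly as printed above; because the apostrophe appears in both the valid and the problematic list, it treats the problematic list as excluding.

```python
from typing import List

# Characters documented as valid in a partition name/label (no space, '?' or '"').
LABEL_CHARS = set(
    "!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~"
)
# Characters documented as valid in a password or cloning domain; the leading
# space in the page's list is itself a valid character.
SECRET_CHARS = set(
    " !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~"
)
# Characters the page calls invalid or problematic for passwords and domains.
# Assumption: this exclusion wins where it overlaps SECRET_CHARS (the apostrophe).
PROBLEM_CHARS = set("\"&';<>\\`|()")


def check_label(label: str) -> List[str]:
    """Return rule violations for a partition name/label (empty list means OK)."""
    issues = []
    if not 1 <= len(label) <= 32:
        issues.append("label length must be 1-32 characters")
    bad = sorted(set(label) - LABEL_CHARS - {" "})
    if bad:
        issues.append("label contains disallowed characters: " + "".join(bad))
    if label[:1].isdigit():
        # Backup commands accept a slot number or a label, so a leading digit is ambiguous.
        issues.append("label must not start with a numeral (confused with a slot number)")
    if label[:1] == " ":
        issues.append("label should not start with a space")
    if " " in label:
        issues.append("label contains spaces and must be double-quoted on every use")
    return issues


def _check_secret(value: str, kind: str, lo: int, hi: int) -> List[str]:
    """Shared length and character-set checks for passwords and cloning domains."""
    issues = []
    if not lo <= len(value) <= hi:
        issues.append(f"{kind} length must be {lo}-{hi} characters")
    bad = sorted(set(value) - SECRET_CHARS)
    if bad:
        issues.append(f"{kind} contains characters outside the valid set: " + "".join(bad))
    problematic = sorted(set(value) & PROBLEM_CHARS)
    if problematic:
        issues.append(f"{kind} contains problematic characters: " + "".join(problematic))
    return issues


def check_password(password: str) -> List[str]:
    return _check_secret(password, "password", 7, 255)


def check_domain(domain: str) -> List[str]:
    return _check_secret(domain, "domain", 1, 128)
```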
Syntax
partition init -label <string> [-password <string>] [-domain <string>] [-applytemplate <filepath/filename>] [-defaultdomain] [-auth] [-force]
Option | Shortcut | Description |
---|---|---|
-applytemplate <filepath/filename> | -at | Apply a policy template located in the specified directory. |
-auth | -a | Log in after the initialization. |
-defaultdomain | -def | Default cloning domain name. Deprecated. Used only on password-authenticated HSMs, and not recommended. Kept for compatibility with previous, existing configurations; will be discontinued in a future release. |
-domain | -d | Partition domain name. Used only on password-authenticated HSMs; ignored for PED-authenticated. |
-force | -f | Force the action (useful for scripting). |
-label | -l | Label for the partition. |
-password | -p | Partition Security Officer Password. |
Example
lunacm:> partition init -label par2
You are about to initialize the partition.
All contents of the partition will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Enter password for Partition SO: ********
Re-enter password for Partition SO: ********
Option -domain was not specified. It is required.
Enter the domain name: ********
Re-enter the domain name: ********
Command Result : No Error