hsm init
Initialize the HSM (key card) in the SafeNet Luna HSM Server. Initialization assigns an HSM label, creates or associates Security Officer (SO) or HSM Admin authentication for the HSM, creates or associates a Cloning Domain (with authentication) for the HSM, and applies other settings that make the HSM available for use.
CAUTION! Initializing the HSM erases all existing data on the key card, including all HSM Partitions and their data. HSM Partitions then must be recreated with the partition create command. Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line. If you invoke hsm init and then type quit at the prompt, initialization does not take place (meaning that you do not lose existing token/HSM contents), but any current login or activation state is closed, whether you abort the command or not.
For more information, see HSM Initialization in the Configuration Guide.
User Privileges
Users with the following privileges can perform this command:
>Admin
Syntax
hsm init -label <hsm_label> [-domain <hsm_domain>] [-password <hsm_admin_password>] [-applytemplate <filename>] [-defaultdomain] [-authtimeconfig] [-force]
Argument(s) | Shortcut | Description
---|---|---
-applytemplate <filename> | -ap | Apply an HSM policy template.
-authtimeconfig | -a | Specifies that the SO role must be logged in to configure the time.
-defaultdomain | -de | This option is deprecated. Current and future HSM versions do not allow you to omit a domain unless you include this "-defaultdomain" option, which is an insecure choice and generally not recommended. It is retained for the benefit of existing customers who previously set the default domain and are constrained to continue with it until they create new objects on an HSM with a properly named domain. The "-defaultdomain" option applies to password-authenticated HSMs only. For PED-authenticated HSMs the PED always prompts for a physical PED Key and either reuses the value on the key that you insert, or generates a new value and imprints it on the PED Key.
-domain <hsm_domain> | -do | Specifies the string to be used as the key cloning domain for the HSM. If no value is given for a SafeNet Luna HSM with Password Authentication, you are prompted interactively. The HSM must support cloning, or this value is ignored. This parameter is considered mandatory on password-authenticated HSMs (except when the discouraged and deprecated -defaultdomain option is specified). The -domain parameter is ignored on PED-authenticated HSMs.
-force | -f | Force the action without prompting.
-label <hsm_label> | -l | Specifies the label to assign to the HSM. The label has a maximum length of 32 characters. Any input over 32 characters is truncated.
-password <hsm_admin_password> | -p | Specifies the password to be used as the login credential by the HSM Admin. For PED-authenticated HSMs, the Luna PED is used for the HSM Admin PIN/password, and input for this value is ignored. This parameter is required on password-authenticated HSMs and ignored on PED-authenticated HSMs.
Example
PED-authenticated HSMs
If the HSM has been factory reset, then a complete "hard" initialization is performed when you invoke the hsm init command.
lunash:> hsm init -label myluna
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit' to quit now.
> proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key
Luna PED operation required to generate cloning domain - use Domain (red) PED Key
'hsm init successful'
Command result : 0 (Success)
lunash:>
If the HSM is NOT in the factory reset condition when you invoke the hsm init command, a "soft" initialization is performed: the partitions and their contents are destroyed, but the Security Officer/HSM Administrator identity and the cloning domain are preserved. The SO must be logged in to the HSM to run hsm init when the HSM is not in the factory reset condition.
lunash:> hsm init -label myluna
Warning: This HSM is not in the factory reset (zeroized) state.
You must present the current HSM Admin login credentials
to clear the HSM contents.
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit'
to quit now.
> proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key
'hsm -init successful'
Command result : 0 (Success)
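The table of arguments above lists several rules that lunash enforces only partially (the label is silently truncated at 32 characters, -defaultdomain is deprecated but accepted, -force skips the 'proceed' confirmation). The following POSIX shell helper is an added example, not part of the Luna documentation or product: it validates the arguments on an admin workstation before the command line is sent to lunash, emitting -domain always and -force never. The restriction of labels to alphanumerics, '_' and '-' is this helper's own assumption, not a documented HSM limit.

```shell
#!/bin/sh
# Constructed helper (not Luna's own code): build a safe "hsm init" command line.
# Usage: build_hsm_init_cmd LABEL DOMAIN [PASSWORD]
# Prints the lunash command on success; returns 1 on a policy violation.
build_hsm_init_cmd() {
  label=$1; domain=$2; password=$3

  # -label is mandatory; the HSM truncates anything beyond 32 characters,
  # so reject longer labels rather than letting the truncation happen silently.
  if [ -z "$label" ]; then
    echo "error: -label is required" >&2; return 1
  fi
  if [ "${#label}" -gt 32 ]; then
    echo "error: label exceeds 32 characters and would be truncated" >&2; return 1
  fi
  # Assumed restriction (not documented by Luna): keep labels to characters
  # that need no quoting in lunash.
  case $label in
    *[!A-Za-z0-9_-]*) echo "error: label must use only A-Z a-z 0-9 _ -" >&2; return 1 ;;
  esac

  # A cloning domain is mandatory on password-authenticated HSMs; the
  # deprecated -defaultdomain shortcut is never emitted by this helper.
  if [ -z "$domain" ]; then
    echo "error: -domain is required (do not fall back to -defaultdomain)" >&2; return 1
  fi

  cmd="hsm init -label $label -domain $domain"
  # -password is optional here: leaving it out keeps the HSM Admin credential
  # out of the caller's shell history and lets lunash prompt for it instead.
  if [ -n "$password" ]; then
    cmd="$cmd -password $password"
  fi
  # -force is deliberately never added: hsm init erases every partition, so the
  # interactive 'proceed' confirmation stays in place.
  printf '%s\n' "$cmd"
}
```

On a PED-authenticated HSM the -domain and -password values are ignored by the HSM, so the helper's output can be used unchanged there.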