Initializing an Application Partition
Before it can be used to store cryptographic objects or perform operations, an application partition must be initialized. Initialization is performed by the Partition Security Officer and sets the authentication credential. There are two scenarios where the Partition SO would initialize the partition:
>Preparing a new partition: On a new partition, initialization sets the Partition SO authentication credential, an identifying label for the partition, and the partition's cloning domain (see Initializing a New Partition).
>Erasing an existing partition: The Partition SO can re-initialize a partition to erase all cryptographic objects and the Crypto Officer/Crypto User roles, and select a new partition label. The Partition SO credential and the cloning domain remain the same (see Re-initializing an Existing Partition).
Initializing a New Partition
Initializing an application partition for the first time establishes you as the Partition SO and sets a cloning domain for the partition. This procedure is performed using LunaCM.
Prerequisites
>The new partition must be created on the HSM and visible in LunaCM (see Creating or Deleting an Application Partition).
>If you want to configure the partition's policies with a policy template, the template file must be available on the client (see Policy Templates).
>PED authentication: A local or remote PED connection must be established (see Local PED Setup or Remote PED Setup). Ensure that you have enough blue (Partition SO) and red (Domain) PED keys for your planned authentication scheme (see Creating PED Keys).
To initialize a new application partition
1.Launch LunaCM on the client workstation.
2.Set the active slot to the partition you want to initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. To initialize the partition using a policy template, specify the path to the template file.
The partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~
Question marks (?
) and double quotation marks ("
) are not allowed.
Spaces are allowed; enclose the label in double quotation marks if it includes spaces.
•Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.
On password-authenticated HSMs, the domain string must be 1-128 characters in length. The following characters are allowed:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~
The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()
Spaces are allowed, as long as the leading character is not a space; to specify a domain string that includes spaces using the -domain option, enclose the string in double quotation marks.
In LunaCM, passwords and challenge secrets must be 7-255 characters in length. The following characters are allowed:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks ("
) are problematic and should not be used in passwords.
Spaces are allowed; to specify a password that includes spaces using the -password option, enclose the password in double quotation marks.
lunacm:> partition init -label <label> [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]
•PED authentication:
lunacm:> partition init -label <label> [-applytemplate <template_file>]
Respond to the Luna PED prompts to create the blue Partition SO key and the red domain key (see Creating PED Keys).
Re-initializing an Existing Partition
The Partition SO can re-initialize an existing partition at any time. Re-initialization erases all cryptographic objects on the partition, and the login credentials for the Crypto Officer and Crypto User roles. The Partition SO login credential and cloning domain are retained.
Prerequisites
>The partition must be already initialized.
>Back up any important cryptographic objects stored on the partition.
>PED authentication: A local or remote PED connection must be established (see Local PED Setup or Remote PED Setup).
To re-initialize an existing application partition
1.Launch LunaCM on the client workstation.
2. Set the active slot to the partition you want to re-initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. You must specify a label for the partition (the same label or a new one). You are prompted for the current Partition SO credential.
lunacm:> partition init -label <label>