HSM SO Creates PED-Authenticated Partition, Local to Client
An application owner/user has requested an application partition on the HSM, on which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM SO. These instructions assume a PED-authenticated SafeNet Luna PCIe HSM.
These instructions assume an HSM installed locally to the host computer, where SafeNet Luna HSM Client software is installed, and where administrative access to the HSM is carried out via the LunaCM utility.
Requirements
You will need:
>A Luna PED, connected locally to the HSM, and labeled PED keys (at minimum a blue HSM SO key and a red Domain key).
Verification
These instructions assume that the HSM is new, or has undergone factory reset and is in zeroized state with no HSM SO or Administrator role set. This can be verified by running the lunacm command hsm showinfo while the HSM is the selected cryptographic slot. For example:
lunacm:>slot list
Slot Id -> 4
Label ->
Serial Number -> 532018
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> L3 Device, Zeroized
Current Slot Id: 103
Command Result : No Error
The output shows that the host computer contains a PED-authenticated SafeNet Luna PCIe HSM at the desired firmware version, whose HSM Status is reported as Zeroized. The admin partition of that HSM is the currently-set slot (Current Slot Id), so all commands are directed to that HSM. When new partitions are created, or other SafeNet Luna HSMs are attached, you will need to select their slots with the LunaCM command slot set to direct commands to them.
lunacm:>hsm showinfo
Partition Label ->
Partition Manufacturer -> SafeNet
Partition Model -> Luna K7
Partition Serial Number -> 532018
Partition Status -> L3 Device, Zeroized
HSM Part Number -> 808-000048-002
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
RPV Initialized -> No
Slot Id -> 4
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
The HSM in the current slot is zeroized and ready to be configured.
Configuration
Have a blue HSM SO PED key and a red Domain PED key ready, and have a Luna PED connected to the HSM, set to Local Mode.
1. Initialize the HSM.
hsm init -label <label>
Respond to Luna PED prompts...
PKCS slot numbering starts at zero. A slot zero (0) always exists, as a placeholder for partitions to be created. For consistency in operation, the HSM administrative partition must always be the highest-numbered slot on that HSM. The admin partition's slot number will depend on the number of possible partitions that can be created on your model of HSM.
2. List the slots to see that the HSM is no longer zeroized.
slot list
lunacm:>slot list
Slot Id -> 4
Label -> myPCIeHSM
Serial Number -> 532018
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> L3 Device
Current Slot Id: 103
Command Result : No Error
3. Log in as the HSM Security Officer.
role login -name SO
Respond to Luna PED prompts...
4. Create an application partition. You can choose the slot number the new partition occupies for the current session with the -slot option; slots are renumbered the next time LunaCM is restarted. Note that the HSM administrative partition is always the highest-numbered slot.
partition create
5. Verify the slot occupied by the new, empty application partition, and check the currently active slot.
slot list
6. The HSM SO now informs the intended Partition SO:
a. The newly created, empty application partition is ready.
b. How to access the partition.
This concludes the HSM SO's actions for a partition. Further action in the new partition must be initiated by the Partition SO, who takes over responsibility as the chief authority of that partition. The HSM SO has no visibility into the new partition.
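The verification steps above (checking that the HSM reports Zeroized before hsm init, and checking after partition create that the admin partition is still the highest-numbered slot and that a new, unlabeled application partition has appeared) can be scripted against the text LunaCM prints. The following is an added example and is not part of this documentation or of the SafeNet Luna HSM Client; it parses the "Key -> Value" layout of slot list output. Both listings embedded in it are constructed to resemble the page's output (the application partition's serial number and "User Token Slot" description are assumed values, not captured from a device).

```python
"""Parse LunaCM "slot list" output and check the HSM states this procedure relies on.

Added example, not part of the Thales/SafeNet documentation or client software.
"""
import re

# Constructed sample: admin partition only, before "hsm init" (HSM is zeroized).
SLOT_LIST_BEFORE = """\
Slot Id ->              4
Label ->
Serial Number ->        532018
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           L3 Device, Zeroized

Current Slot Id: 4
Command Result : No Error
"""

# Constructed sample: after "hsm init" and "partition create". The new application
# partition (assumed serial number) has no label yet because its Partition SO has
# not initialized it; the admin partition remains the highest-numbered slot.
SLOT_LIST_AFTER = """\
Slot Id ->              0
Label ->
Serial Number ->        532018014
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              4
Label ->                myPCIeHSM
Serial Number ->        532018
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           L3 Device

Current Slot Id: 4
Command Result : No Error
"""

# One "Key -> Value" line; the value may be empty (e.g. "Label ->" on a fresh partition).
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*->\s*(?P<value>.*?)\s*$")
CURRENT_RE = re.compile(r"^\s*Current Slot Id:\s*(\d+)")


def parse_slot_list(text):
    """Return (slots, current_slot_id); each slot is a dict of its fields."""
    slots, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            if key == "Slot Id":        # every slot record starts with its Slot Id
                slots.append({})
            if slots:
                slots[-1][key] = value
            continue
        m = CURRENT_RE.match(line)
        if m:
            current = int(m.group(1))
    return slots, current


def is_zeroized(slot):
    """True when the slot's HSM Status reports the zeroized (uninitialized) state."""
    return "Zeroized" in slot.get("HSM Status", "")


def admin_slot(slots):
    """The HSM administrative partition, identified by its slot description."""
    for s in slots:
        if s.get("Slot Description") == "Admin Token Slot":
            return s
    raise ValueError("no admin partition in slot list")


def admin_is_highest(slots):
    """The page's invariant: the admin partition is the highest-numbered slot."""
    ids = [int(s["Slot Id"]) for s in slots]
    return int(admin_slot(slots)["Slot Id"]) == max(ids)


def new_user_partitions(before, after):
    """Slot Ids of application (User Token) partitions present after but not before."""
    def user_ids(slots):
        return {int(s["Slot Id"]) for s in slots
                if s.get("Slot Description") == "User Token Slot"}
    return sorted(user_ids(after) - user_ids(before))


if __name__ == "__main__":
    before, cur = parse_slot_list(SLOT_LIST_BEFORE)
    print("zeroized before init:", is_zeroized(admin_slot(before)), "current slot:", cur)
    after, cur = parse_slot_list(SLOT_LIST_AFTER)
    print("zeroized after init:", is_zeroized(admin_slot(after)))
    print("admin is highest slot:", admin_is_highest(after))
    print("new application partition slot(s):", new_user_partitions(before, after))
```

In practice, pipe the real slot list output into parse_slot_list and stop the procedure if is_zeroized is False before step 1 (the HSM is not in the expected fresh state) or if admin_is_highest returns False after step 4 (the listing does not match the layout this procedure assumes). The parser keys on field names rather than on slot numbers, since slot numbers change when LunaCM is restarted.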
Go to Initialize the Partition SO and Crypto Officer Roles on a PED-Auth Partition.