HSM SO Creates Password-Authenticated Partition, Local to Client

An application owner/user has requested an application partition on the HSM, on which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM SO. These instructions assume a Password-authenticated SafeNet Luna PCIe HSM.

These instructions assume an HSM installed locally to the host computer, where SafeNet Luna HSM Client software is installed, and where administrative access to the HSM is carried out via the LunaCM tool.

Verification

These instructions assume that the HSM is new, or has undergone factory reset and is in zeroized state with no HSM SO or Administrator role set. This can be verified by running the LunaCM command hsm showinfo while the HSM is the selected cryptographic slot. For example:

lunacm:>slot list

        Slot Id ->              103
        Label ->
        Serial Number ->        66331
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PW)
        HSM Status ->           L3 Device, Zeroized


        Current Slot Id: 4

Command Result : No Error

The output shows that the host computer contains a password-authenticated SafeNet Luna PCIe HSM at the desired firmware version, as slot 103. The SafeNet Luna PCIe HSM admin partition is the currently-set slot, so all commands are directed to that HSM. When new partitions are created, or other SafeNet Luna HSMs are attached, you will need to select their slots using the LunaCM command slot set to direct commands to them.

lunacm:>hsm showinfo

        Partition Label ->
        Partition Manufacturer -> Gemalto
        Partition Model -> Luna K7
        Partition Serial Number -> 66331
        Partition Status -> L3 Device, Zeroized
        HSM Part Number -> 808-000048-002
        Token Flags ->
                CKF_RESTORE_KEY_NOT_NEEDED
        RPV Initialized -> Not Supported
        Slot Id -> 103
        Session State -> CKS_RW_PUBLIC_SESSION
        Role Status ->   none logged in
        Token Flags ->

The HSM in the current slot is zeroized and ready to be configured.

Configuration

1. Initialize the HSM.

hsm init -label <label>

PKCS slot numbering starts at zero. A slot zero (0) always exists, as a placeholder for partitions to be created. For consistency in operation, the HSM administrative partition must always be the highest-numbered slot on that HSM. The admin partition's slot number will depend on the number of possible partitions that can be created on your model of HSM.

2. List the slots to see that the HSM is no longer zeroized.

slot list

lunacm:>slot list

        Slot Id ->              4
        Label ->                myPCIeHSM
        Serial Number ->        66331
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PW)
        HSM Status ->           L3 Device


        Current Slot Id: 4


Command Result : No Error

3. Log in as the HSM Security Officer:

role login -name SO

4. Create an application partition. You can choose the slot number the new partition occupies for the current session with the -slot option; slots are reordered the next time you restart LunaCM. Note that the HSM administrative partition is always the highest-numbered slot.

partition create

5. Verify the slot occupied by the new, empty application partition, and check the currently active slot.

slot list

lunacm:>slot list

        Slot Id ->              3
        Label ->
        Serial Number ->        154438865289
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     User Token Slot


        Slot Id ->              4
        Label ->                myPCIeHSM
        Serial Number ->        66331
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PW)
        HSM Status ->           L3 Device


        Current Slot Id: 4

Command Result : No Error

6. The HSM SO now informs the intended Partition SO:

a. The newly created, empty application partition is ready

b. How to access the partition
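Before and after each step above, the HSM SO reads the slot list output by eye to confirm the HSM state (zeroized or not, password authentication, admin partition in the highest slot, commands directed at the admin slot). The following is an added example, not part of this procedure or of the Luna client software, that parses the slot list format shown in steps 2 and 5 and returns those checks; the sample output is constructed and shortened from the step 5 listing.

```python
import re
# Constructed sample of LunaCM "slot list" output, shortened from the listing in
# step 5 above (one user partition plus the admin partition); not captured output.
SAMPLE_SLOT_LIST = """\
        Slot Id ->              3
        Label ->
        Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              4
        Label ->                myPCIeHSM
        Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PW)
        HSM Status ->           L3 Device

        Current Slot Id: 4
Command Result : No Error
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*->\s*(.*?)\s*$")   # "Key ->   value"
CURRENT = re.compile(r"^\s*Current Slot Id:\s*(\d+)")

def parse_slot_list(text):
    # One dict per slot block (a block starts at "Slot Id ->"), plus the current slot id
    slots, cur_id = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, val = m.groups()
            if key == "Slot Id":
                slots.append({key: int(val)})
            elif slots:
                slots[-1][key] = val
        elif CURRENT.match(line):
            cur_id = int(CURRENT.match(line).group(1))
    return slots, cur_id

def check_hsm_state(text):
    # The checks this procedure relies on: admin slot is highest-numbered, zeroized or not,
    # password-authenticated, and the current slot (where commands go) is the admin slot
    slots, cur_id = parse_slot_list(text)
    admin, = [s for s in slots if s.get("Slot Description") == "Admin Token Slot"]
    return {
        "admin_slot": admin["Slot Id"],
        "admin_is_highest": admin["Slot Id"] == max(s["Slot Id"] for s in slots),
        "zeroized": "Zeroized" in admin.get("HSM Status", ""),
        "password_auth": "(PW)" in admin.get("HSM Configuration", ""),
        "user_partitions": [s["Slot Id"] for s in slots if s.get("Slot Description") == "User Token Slot"],
        "commands_go_to_admin": cur_id == admin["Slot Id"],
    }
```

Run check_hsm_state on the output captured from your own LunaCM session; a "zeroized" result of True before step 1 and False after step 2, with "admin_is_highest" and "commands_go_to_admin" True throughout, matches the listings shown above.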

This concludes the HSM SO's actions for a partition. Further action in the new partition must be initiated by the Partition SO, who takes over responsibility as the chief authority of that partition. The HSM SO has no visibility into the new partition.

Go to Initialize the Partition SO and Crypto Officer Roles on a PW-Auth Partition.