Initializing an Application Partition

Before it can be used to store cryptographic objects or perform operations, an application partition must be initialized. Initialization is performed by the Partition Security Officer and sets the authentication credential. There are two scenarios where the Partition SO would initialize the partition:

>Preparing a new partition: On a new partition, initialization sets the Partition SO authentication credential, an identifying label for the partition, and the partition's cloning domain (see Initializing a New Partition).

>Erasing an existing partition: The Partition SO can re-initialize a partition to erase all cryptographic objects and the Crypto Officer/Crypto User roles, and select a new partition label. The Partition SO credential and the cloning domain remain the same (see Re-initializing an Existing Partition).

Initializing a New Partition

Initializing an application partition for the first time establishes you as the Partition SO and sets a cloning domain for the partition. This procedure can be performed

>from an administrative connection to the network HSM appliance (via SSH) using Luna Shell (lunash) commands (and then use the new PSO credential on that partition to initialize the Crypto Officer role), or

>from a registered client, with an NTLS or STC connection, using LunaCM commands.

The Crypto User role is created from the client side, via lunacm.

Any subsequent re-initialization of an application partition is performed from the client.

Prerequisites

>The new partition must be created on the HSM and visible in LunaCM (see Creating or Deleting an Application Partition).

>If you want to configure the partition's policies with a policy template using lunacm, the template file must be available on the client (see Setting Partition Policies Using a Template).

>If you want to configure the partition's policies with a policy template using lunash on the appliance, the pre-edited template file must be uploaded to the appliance.

>PED authentication: A local or remote PED connection must be established (see Local PED Setup or Remote PED Setup). Ensure that you have enough blue (Partition SO) and red (Domain) PED keys for your planned authentication scheme (see Creating PED Keys).

To initialize a new application partition

1. Launch LunaCM on the client workstation.

2. Set the active slot to the partition you want to initialize.

lunacm:> slot set -slot <slot_number>

3. Initialize the partition by specifying an identifying label. To initialize the partition using a policy template, specify the path to the template file.

The partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~
Question marks (?) and double quotation marks (") are not allowed.
Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.

In LunaCM, passwords and activation challenge secrets must be 7-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks (") are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password option, enclose the password in double quotation marks.

The domain string must be 1-128 characters in length. The following characters are allowed:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~
The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()
Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

lunacm:> partition init -label <label> [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]

PED authentication:

lunacm:> partition init -label <label> [-applytemplate <template_file>]

Respond to the Luna PED prompts to create the blue Partition SO key and the red domain key (see Creating PED Keys).
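The label, password and domain rules in step 3 are easy to get wrong when scripting initialization, so the following validator, added here as an example and not part of the Thales documentation or the lunacm tool, checks a proposed label, Partition SO password and domain string against the limits stated above before they are passed to `partition init`. The character sets are constructed from the lists on this page; the HSM firmware remains the final authority.

```python
import string

_ALNUM = string.ascii_letters + string.digits
# Allowed character sets as listed on this page (constructed from the documented
# lists). Note: '?' is allowed in passwords but not labels; '"' is in neither.
LABEL_CHARS = set(_ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>`~")
PASSWORD_CHARS = set(_ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
DOMAIN_CHARS = set(_ALNUM + " !@#$%^*-_=+[]{}/:',.~")
LABEL_MAX, DOMAIN_MAX = 32, 128
PASSWORD_MIN, PASSWORD_MAX = 7, 255


def _disallowed(value: str, allowed: set) -> list:
    return sorted({c for c in value if c not in allowed})


def check_label(label: str) -> tuple:
    """Return (label as the HSM will store it, issues). Over-long labels are
    truncated to 32 characters rather than rejected, so report what is stored."""
    issues = []
    if not label:
        issues.append("label must be 1-32 characters")
    if bad := _disallowed(label, LABEL_CHARS):
        issues.append(f"label has disallowed characters: {bad}")
    stored = label[:LABEL_MAX]
    if stored != label:
        issues.append(f"label truncated to {LABEL_MAX} characters: {stored!r}")
    return stored, issues


def check_password(secret: str, max_len: int = PASSWORD_MAX) -> list:
    """Partition SO password / challenge secret rules. Pass max_len=16 for an
    activation challenge secret on firmware 7.0.x, 7.3.3 or 7.4.2."""
    issues = []
    if not PASSWORD_MIN <= len(secret) <= max_len:
        issues.append(f"password must be {PASSWORD_MIN}-{max_len} characters")
    if bad := _disallowed(secret, PASSWORD_CHARS):  # also catches '"'
        issues.append(f"password has disallowed characters: {bad}")
    return issues


def check_domain(domain: str) -> list:
    issues = []
    if not 1 <= len(domain) <= DOMAIN_MAX:
        issues.append(f"domain must be 1-{DOMAIN_MAX} characters")
    if domain.startswith(" "):
        issues.append("domain must not begin with a space")
    if bad := _disallowed(domain, DOMAIN_CHARS):
        issues.append(f"domain has invalid characters: {bad}")
    return issues


def quote_arg(value: str) -> str:
    """lunacm requires values containing spaces to be wrapped in double quotes."""
    return f'"{value}"' if " " in value else value
```

Prefer letting lunacm prompt for the password and domain rather than passing them with `-password`/`-domain`, so the secrets do not land in shell history.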

Re-initializing an Existing Partition

The Partition SO can re-initialize an existing partition at any time. Re-initialization erases all cryptographic objects on the partition, and the login credentials for the Crypto Officer, Limited Crypto Officer, and Crypto User roles. The Partition SO login credential and cloning domain are retained.

Prerequisites

>The partition must be already initialized.

>Back up any important cryptographic objects stored on the partition.

>[PED authentication] A local or remote PED connection must be established (see Local PED Setup or Remote PED Setup).

To re-initialize an existing application partition

1. Launch LunaCM on the client workstation.

2. Set the active slot to the partition you want to re-initialize.

lunacm:> slot set -slot <slot_number>

3. Initialize the partition by specifying an identifying label (the same label or a new one). You are prompted for the current Partition SO credential.

lunacm:> partition init -label <label>