Slot Numbering and Behavior

Administrative partitions and application partitions are identified as PKCS#11 cryptographic slots in SafeNet utilities, such as LunaCM and multitoken, and for applications that use the Luna library.

Order of Occurrence for Different Luna HSMs

A host computer with Luna HSM Client software and Luna libraries installed can have Luna HSMs connected in any of three ways:

>PCIe embedded/inserted Luna PCIe HSM card (one or multiple HSMs installed - administrative partitions and application partitions are shown separately)

>USB-connected Luna USB HSMs (one or multiple - administrative partitions and application partitions are shown separately)

>Luna Network HSM application partitions*, registered and connected via NTLS or STC.

Any connected HSM partitions are shown as numbered slots. Slots are numbered from zero or from one, depending on configuration settings (see Settings Affecting Slot Order, below), and on the firmware version of the HSM(s).

* One or multiple application partitions. Administrative partitions on Luna Network HSMs are not visible via LunaCM or other client-side tools. Only registered, connected application partitions are visible. The number of visible partitions (up to 100) depends on your model's capabilities. That is, a remote Luna Network HSM might support 100 application partitions, but your application and LunaCM will only see partitions that have established certificate-exchange NTLS links with the current Client computer.

In LunaCM, a slot list would normally show:

>Luna Network HSM application partitions for which NTLS links are established with the current host, followed by

>Luna PCIe HSM cards, followed by

>Luna USB HSMs

For Luna Network HSM, as seen from a client (via NTLS), only application partitions are visible. The HSM administrative partition of a remote Luna Network HSM is never seen by a Luna HSM Client. The Luna Network HSM slots are listed in the order they are polled, dictated by the entries in the Luna Network HSM section of the Crystoki.ini / chrystoki.conf file, like this:

ServerName00=192.20.17.200
ServerPort00=1792
ServerName01=192.20.17.220
ServerPort01=1793


For Luna PCIe HSM and Luna USB HSM, if you have multiple of either HSM type connected on a single host, then the order in which they appear is the hardware slot number, as discovered by the host computer.

For Luna PCIe HSM and Luna USB HSM, the HSM administrative slot always appears immediately after the application partition. If no application partition has yet been created, a space is reserved for it, in the slot numbering.

Settings Affecting Slot Order

Settings in the Presentation section of the configuration file (Chrystoki.conf for UNIX/Linux, crystoki.ini for Windows) can affect the numbering that the API presents to Luna tools (like LunaCM) or to your application.

[Presentation]
ShowUserSlots=<slot>(<serialnumber>)

>Sets starting slot for the identified partition.

>Default, when ShowUserSlots is not specified, is that all available partitions are visible and appear in default order.

>Can be applied, individually, to multiple partitions, by a single entry containing a comma-separated list (with partition serial numbers in brackets):
ShowUserSlots=1(351970018022), 2(351970018021), 3(351970018020),....

>If multiple partitions on the same HSM are connected to the Luna HSM Client host computer, redirecting one of those partitions with ShowUserSlots= causes all the others to disappear from the slot list, unless they are also explicitly re-ordered by the same configuration setting.

ShowAdminTokens=yes

>Default is yes. Admin partitions of local HSMs are visible in a slot listing.

>Remotely connected partitions (Luna Network HSM) are not affected by this setting, because NTLS connects only application partitions, not HSM SO (Admin) partitions to clients, so a Luna Network HSM SO administrative partition would never be visible in a client-side slot list, regardless.

ShowEmptySlots=1

>Controls how C_GetSlotList - as used by lunacm slot list command, or ckdemo command 14, and by your PKCS#11 application - displays, or does not display unused potential slots, when the number of partitions on an HSM is not at the limit.

OneBaseSlotId=1

>Causes basic slot list to start at slot number 1 (one) instead of default 0 (zero).
(Any submitted number other than zero is treated as "1". Any letter or other non-numeric character is treated as "0".)

Effects of Settings on Slot List

Say, for example, you have multiple HSMs connected to your host computer (or installed inside), with any combination of firmware 6.22.0 (and newer) or pre-6.22.0 firmware, and no explicit entries exist for slot order in the config file. The defaults prevail and the slot list would start at zero.

If you set OneBaseSlotId=1 in the configuration file, then the slot list starts at "1" instead of at "0". You could set this for personal preference, or according to how your application might expect slot numbering to occur (or if you have existing scripted solutions that depend on slot numbering starting at zero or starting at one). OneBaseSlotId affects the starting number for all slots, regardless of firmware.

If you set ShowUserSlots=20(17923506), then the identified token or HSM or application partition would appear at slot 20, regardless of the locations of other HSMs and partitions.

Effects of New Firmware on Slot Login State

Slots retain login state when current-slot focus changes. You can use the LunaCM command slot set to shift focus among slots, and whatever login state existed when you were previously focused on a slot is still in effect when you return to that slot.