partition init

NOTE   This command is available for Network HSM software at version 7.7.1 or newer.

Initialize an application partition.

>This command might be preferred in situations where management of the appliance and HSM, and of client configuration, are owned by the same person or organization.

>For situations where the ownership, configuration, and use of application partitions are expected to be held by a separate person or organization, you might prefer to initialize the partition over a client connection with lunacm commands; see the lunacm partition init and role commands instead.

For password-authenticated HSMs, if the password is not provided on the command line, the user is prompted for it interactively. Input is echoed as asterisks, and the user is asked to confirm the password. This creates the Partition Security Officer role.

For PED-authenticated HSMs, PED action is required, and a Partition SO PED key (blue) is imprinted. Any password provided at the command line is ignored.

With the partition init command, you create the Partition Security Officer (PSO) credential. That credential is then needed by the person who:

>creates the CO role, if you do that on the appliance in lunash, or

>creates the CO role and performs other administrative actions from a registered client in lunacm.

Domain matching and the default domain

If you do not specify a domain in the command line (password-authenticated HSMs), you are prompted for it.

If you type a character string at the prompt, that string becomes the domain for the partition. This applies to password-authenticated HSMs only. For PED-authenticated HSMs, the string is not needed and is ignored, because the HSM creates and/or imprints a PED-key domain.

Thereafter, for any action that involves cloning, the domain on source and target will need to match (this includes backup and restore operations, HA synchronization operations, or partition clone commands via the client).

Partition init via lunash is first time only

You can initialize a partition only one time via this command. Any subsequent re-initialization must be done from the client (using lunacm commands).

After initializing a partition with this command (partition init),

>you can initialize the Crypto Officer role from the appliance side with the lunash command partition init co, or

>you can do it from a registered client using lunacm role commands,

>in either case, you will need the PSO credentials.

Syntax

partition init -partition <name> [-label <label>] [-password <string>] [-domain <string>] [-pptfile <filepath/filename>] [-defaultdomain] [-auth] [-force]

Argument(s)   Shortcut   Description

-domain <string>   -d

Partition domain name. Used only on password-authenticated HSMs; ignored for PED-authenticated HSMs.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

-force   -f

Force the action (useful for scripting).

-label <label>   -l

Label for the partition. This is how the partition is seen when viewed from the client side (for example, in lunacm slot list). If an explicit label value is not entered, the value provided for the partition name is also used for the label.

The partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it is automatically truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~

Question marks (?) and double quotation marks (") are not allowed.

Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

-partition <partition name>   -par

This is the name by which the partition appears to the HSM administrator / SO in lunash. This name is meaningful to the appliance HSM administrator, and does not need to reflect how the partition is eventually used by applications (see -label, which can match the partition name or be completely different, as desired).

-password <string>   -pas

Partition Security Officer password. Used only on password-authenticated HSMs; ignored for PED-authenticated HSMs.

In LunaSH, the SO or CO password must be 7-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

The following characters are invalid or problematic and must not be used in the HSM SO password: "&;<>\`|

Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.

-pptfile <filepath/filename>   -pp

Apply a policy template located in the specified directory. See Version Dependencies by Feature for more information.

NOTE   If there is a mismatch between template policies and the default values of newer or dependent policies, the attempt to apply the old policy fails with CKR_FAILED_DEPENDENCIES.

You have the option to edit a policy file before applying it, to add newer policies.

LunaSH does not include provision for editing template files. You can edit a Partition Policy Template file externally, before uploading it, if needed.
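Because -force suppresses prompting, a scripted initialization benefits from checking values before they reach the appliance. The following Python preflight check is an added example, not Thales code: it applies the length and character rules from the argument table to -domain, -label and -password (password-authenticated HSMs) and assembles the quoted command line; the partition name has no documented rules here, so it is assumed to pass through unchecked.

```python
import string

# Character classes transcribed from the argument table above (password-authenticated HSMs).
_ALNUM = string.ascii_letters + string.digits
DOMAIN_ALLOWED = set(_ALNUM + " !@#$%^*-_=+[]{}/:',.~")
LABEL_ALLOWED = set(_ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>`~")
PASSWORD_ALLOWED = set(_ALNUM + " !@#$%^*()-_=+[]{}/:',.~")

def _check(kind, value, allowed, lo, hi):
    """Length and character-set check shared by all three values; returns problem strings."""
    problems = []
    if not lo <= len(value) <= hi:
        problems.append(f"{kind} must be {lo}-{hi} characters")
    bad = "".join(sorted(set(value) - allowed))
    if bad:
        problems.append(f"{kind} has disallowed characters: {bad}")
    return problems

def check_domain(domain):
    """Problems with a -domain value; an empty list means the string is acceptable."""
    problems = _check("domain", domain, DOMAIN_ALLOWED, 1, 128)
    if domain.startswith(" "):
        problems.append("domain must not begin with a space")
    return problems

def check_label(label):
    """Return (label as the HSM will store it, problems); over-long labels are truncated, not rejected."""
    problems = [p for p in _check("label", label, LABEL_ALLOWED, 1, 32) if not p.startswith("label must")]
    if not label:
        problems.append("label must be at least 1 character")
    return label[:32], problems

def check_password(password):
    """Problems with the Partition SO -password value."""
    return _check("password", password, PASSWORD_ALLOWED, 7, 255)

def build_init_command(partition, label, password, domain):
    """Assemble the lunash command line, double-quoting values that contain spaces (safe, since
    '"' is disallowed in all three). Raises ValueError listing every problem found, so a
    half-valid command is never sent. Partition name is passed through unchecked (assumption)."""
    stored_label, problems = check_label(label)
    problems += check_domain(domain) + check_password(password)
    if problems:
        raise ValueError("; ".join(problems))

    def q(s):
        return f'"{s}"' if " " in s else s

    return (f"partition init -partition {partition} -label {q(stored_label)}"
            f" -password {q(password)} -domain {q(domain)}")
```

Since double quotation marks are disallowed in all three values, quoting with them cannot be broken by the value itself; the returned string is what you would type at the lunash:> prompt.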

Example without Partition Policy Template

lunash:>par init -par part1 -l my_pw_partition -pas Some!Pa55w0rd -d domain



Command Result : 0 (Success)
lunash:> 

lunash:>par show -p part1


   Partition Name:                                      part1
   Partition SN:                                1552202447876
   Partition Label:                           my_pw_partition
   Partition Version:                                       0
   Partition SO PIN To Be Changed:                         no
   Partition SO Zeroized:                                  no
   Partition SO Login Attempts Left:                       10
   Partition SO Change Password Attempts Left:             10
   Crypto Officer is not initialized.
   Crypto User is not initialized.
   Legacy Domain Has Been Set:                             no
   Partition Storage Information (Bytes):
                Total=6628214
                Used=0
                Free=6628214
   Partition Object Count:                                  0
   Partition SMK OUIDs:
		SMK-FW4: Not Initialized
		SMK-FW6: Not Initialized
		SMK-FW7-FM: Not Initialized
		SMK-FW7-Rollover: Not Initialized
		SMK-FW7-Primary: Not Initialized


Command Result : 0 (Success)
lunash:>

Example with Partition Policy Template

lunash:>par init -par part1 -l part1_pw -pas default -d domain -pp part1_pw.ppt

    ID  Value   off-to-on Destructive   on-to-off Destructive
   -----------------------------------------------------------
    41      1                       0                       1

   Above Partition policy template values will be applied.
          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed


Command Result : 0 (Success)
lunash:>

lunash:>c as -c 10.124.79.145 -p part1


'client assignPartition' successful.


Command Result : 0 (Success)