Assigning or Revoking NTLS Client Access to a Partition

Once an NTLS connection is established between the appliance and a client, an appliance admin must decide which application partitions that client is allowed to access. Usually the HSM Security Officer does this right after creating the partition, but any admin-level appliance user can assign existing partitions to registered NTLS clients, or revoke them. A partition can be assigned to more than one client at a time.

After you assign a partition to a client, the client sees the partition as a slot in LunaCM and can initialize it and use it for cryptographic applications. Assignment only makes the partition reachable from that client; the partition's own role credentials are still required to log in to it and use it.

Prerequisites

>An NTLS connection must be established between the appliance and the client (see Client-Partition Connections)

>The HSM SO must create the application partition on the HSM (see Creating or Deleting an Application Partition)

To assign a partition to a client

1.Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin, or a custom user with an admin role (see Logging In to LunaSH).

2.[Optional] Display a list of available partitions.

lunash:> partition list

3.[Optional] Display a list of available registered clients.

lunash:> client list

4.Assign a partition to a registered client.

lunash:> client assignPartition -client <client_name> -partition <partition_name>

5.[Optional] Verify that the partition is assigned to the client.

lunash:> client show -client <client_name>

6.If you registered the client by hostname, the appliance uses a DNS server to resolve that hostname to the client's IP address. To keep the client reachable if DNS fails, map the client hostname to its IP address and store the mapping locally on the appliance.

lunash:> client hostip map -client <client_name> -ip <client_IP>

7.Notify the client administrator that they can now access the partition and initialize it using LunaCM (see Initializing an Application Partition).

To revoke partition access from a client

1.Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin, or a custom user with an admin role (see Logging In to LunaSH).

2.[Optional] Display a list of partitions currently assigned to the client.

lunash:> client show -client <client_name>

3.Revoke the client's access to the partition.

lunash:> client revokePartition -client <client_name> -partition <partition_name>
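Both procedures above come down to keeping a client's set of assigned partitions equal to what its application actually needs. The script below is an added example, not part of the Thales documentation or of LunaSH itself: it parses the text of client show -client <client_name> and emits the client assignPartition and client revokePartition commands that reconcile the current set with a desired one, so a client that was once granted a partition it no longer needs has that access revoked instead of quietly keeping it. Two things are assumptions of the example and must be checked against your appliance: the layout of the client show output (a Partitions: line listing quoted, comma-separated names) and that the emitted commands are delivered to the appliance non-interactively over SSH as ssh admin@<appliance> "<command>". The sample client show text, the client name appsrv01 and the partition names are constructed.

```shell
#!/bin/sh
# Added example, not Thales code: reconcile a registered NTLS client's
# assigned partitions against a desired list and print the LunaSH commands
# that bring the appliance into line. LunaSH is not a POSIX shell, so the
# printed commands are meant to be sent to the appliance, for example as
#   ssh admin@<appliance> "client assignPartition -client X -partition Y"
# (non-interactive execution over SSH is an assumption of this example).

# Extract the partitions currently assigned to a client from the text of
# "client show -client <name>". ASSUMPTION: the output has a line of the
# form 'Partitions:  "par1", "par2"'; adjust the awk pattern if your
# appliance firmware prints a different layout. Output is one name per
# line, sorted, with duplicates removed.
current_partitions() {
    printf '%s\n' "$1" | awk -F: '/^Partitions:/ { print $2 }' \
        | tr ',' '\n' | tr -d ' "' | sed '/^$/d' | sort -u
}

# Print the commands that move client $1 from its current partition set
# ($2, newline-separated) to the desired set ($3, newline-separated).
# Anything assigned but not desired is revoked: the client should hold
# access to exactly the partitions it needs and nothing more.
reconcile() {
    for p in $3; do
        printf '%s\n' "$2" | grep -qxF "$p" \
            || echo "client assignPartition -client $1 -partition $p"
    done
    for p in $2; do
        printf '%s\n' "$3" | grep -qxF "$p" \
            || echo "client revokePartition -client $1 -partition $p"
    done
}

# Constructed sample of "client show" output for a client that currently
# holds "payments" and "legacy"; the application only needs "payments"
# and "signing".
SAMPLE_SHOW='ClientID:    appsrv01
Hostname:    appsrv01.example.com
HostIP:      10.0.0.25
Partitions:  "payments", "legacy"'

DESIRED=$(printf 'payments\nsigning\n')

# Stand-alone run: prints one assignPartition (signing) and one
# revokePartition (legacy) command for appsrv01.
reconcile appsrv01 "$(current_partitions "$SAMPLE_SHOW")" "$DESIRED"
```

Feed the script the real output of client show for each registered client, review the printed commands, and only then run them on the appliance; afterwards, client show -client <client_name> should list exactly the desired partitions. Because the reconciliation revokes as well as assigns, a typo in the desired list removes access, which is the safe direction to fail in but still worth a review step.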