Assigning or Revoking NTLS Client Access to a Partition
Once an NTLS connection is established between the appliance and a client, the appliance admin must determine which application partitions the client can access. Usually this is done by the HSM Security Officer after they create the partition, but any admin-level appliance user can assign existing partitions to, or revoke them from, registered NTLS clients. You can assign a partition to more than one client at a time.
After you assign a partition to a client, the client can see the partition as a slot in LunaCM, initialize it, and use it for cryptographic applications.
Prerequisites
- An NTLS connection must be established between the appliance and the client (see Client-Partition Connections)
- The HSM SO must create the application partition on the HSM (see Creating or Deleting an Application Partition)
To assign a partition to a client
1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin, or a custom user with an admin role (see Logging In to LunaSH).
2. [Optional] Display a list of available partitions.
lunash:> partition list
3. [Optional] Display a list of available registered clients.
lunash:> client list
4. Assign a partition to a registered client.
lunash:> client assignPartition -client <client_name> -partition <partition_name>
5. [Optional] Verify that the partition is assigned to the client.
lunash:> client show -client <client_name>
6. If you registered the client by hostname, the appliance uses a DNS server to look up the device IP address. To ensure that the client is reachable in the event of a DNS failure, map the client hostname to its IP address, and save the mapping locally on the appliance.
lunash:> client hostip map -client <client_name> -ip <client_IP>
7. Notify the client administrator that they can now access the partition and initialize it using LunaCM (see Initializing an Application Partition).
To revoke partition access from a client
1. Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin, or a custom user with an admin role (see Logging In to LunaSH).
2. [Optional] Display a list of partitions currently assigned to the client.
lunash:> client show -client <client_name>
3. Revoke the client's access to the partition.
lunash:> client revokePartition -client <client_name> -partition <partition_name>
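Both procedures above are one-off LunaSH commands; an admin who manages several clients will want to check the actual client-to-partition assignments against an approved list and find out which assignPartition and revokePartition commands are needed. The following is an added example, not part of this documentation or of LunaSH. It assumes the current assignments have already been collected (for instance by reading the output of client show for each registered client) into a plain dictionary, and that the set of existing partitions comes from partition list; the client and partition names are constructed sample values.

```python
"""Plan the LunaSH assign/revoke commands that bring the actual NTLS
client-partition assignments in line with an approved (desired) list.
Added example; the input dictionaries are constructed, not LunaSH output."""
from typing import Dict, List, Set


def unknown_partitions(desired: Dict[str, Set[str]], known: Set[str]) -> Set[str]:
    """Partitions named in the approved list that do not exist on the HSM
    (they would have to be created by the HSM SO before being assigned)."""
    wanted = set().union(*desired.values()) if desired else set()
    return wanted - known


def plan_changes(desired: Dict[str, Set[str]], actual: Dict[str, Set[str]],
                 known: Set[str]) -> List[str]:
    """Return the LunaSH commands needed to move 'actual' to 'desired'.

    A client that holds a partition not in its approved set gets that
    partition revoked, and a client absent from the approved list loses
    all of its partitions, so the plan enforces least privilege rather
    than only adding access."""
    missing = unknown_partitions(desired, known)
    if missing:
        raise ValueError(f"approved list references unknown partitions: {sorted(missing)}")
    commands: List[str] = []
    for client in sorted(set(desired) | set(actual)):
        want = desired.get(client, set())
        have = actual.get(client, set())
        for partition in sorted(want - have):
            commands.append(f"client assignPartition -client {client} -partition {partition}")
        for partition in sorted(have - want):
            commands.append(f"client revokePartition -client {client} -partition {partition}")
    return commands


# Constructed sample data: what partition list and client show would have told us.
KNOWN_PARTITIONS = {"par-payments", "par-tokens"}
ACTUAL = {"app-server-01": {"par-payments", "par-tokens"},
          "app-server-03": {"par-payments"}}
APPROVED = {"app-server-01": {"par-payments"},
            "app-server-02": {"par-payments", "par-tokens"}}

if __name__ == "__main__":
    for cmd in plan_changes(APPROVED, ACTUAL, KNOWN_PARTITIONS):
        print("lunash:>", cmd)
```

The printed commands are a review list for the admin to run in LunaSH, not something the script executes itself.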