Initializing an Application Partition
Before it can be used to store cryptographic objects or perform operations, an application partition must be initialized. Initialization is performed by the Partition Security Officer and sets the authentication credential. There are two scenarios where the Partition SO would initialize the partition:
>Preparing a new partition: On a new partition, initialization sets the Partition SO authentication credential, an identifying label for the partition, and the partition's cloning domain (see Initializing a New Partition).
>Erasing an existing partition: The Partition SO can re-initialize a partition to erase all cryptographic objects and the Crypto Officer/Crypto User roles, and select a new partition label. The Partition SO credential and the cloning domain remain the same (see Re-initializing an Existing Partition).
Initializing a New Partition
Initializing an application partition for the first time establishes you as the Partition SO and sets a cloning domain for the partition. This procedure can be performed
>from an administrative connection to the network HSM appliance (via SSH) using Luna Shell (LunaSH) commands:
•using Luna Appliance Software 7.7.1 or newer, the administrator (HSM SO) can initialize the newly created partition, creating the PSO role,
•and then use the new PSO credential on that partition to initialize the Crypto Officer role; or
>from a registered client, with an NTLS or STC connection, using LunaCM commands.
Any subsequent re-initialization of an application partition is performed from the client.
The following attributes are set during a new partition initialization:
Partition Label
The label is a string that uniquely identifies this partition. In LunaSH, the partition label created during initialization must be 1-32 characters in length. The following characters are allowed:
Spaces are allowed; enclose the label in double quotation marks if it includes spaces. In LunaCM, the partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it is automatically truncated to 32 characters. The following characters are allowed:
Spaces are allowed; enclose the label in double quotation marks if it includes spaces. For more information, refer to Name, Label, and Password Requirements.
Partition SO credentials
For multifactor quorum-authenticated HSMs, create a new Partition SO (blue) PED key(set) or re-use an existing PED key(set) from a partition you want to share credentials with. If you are using multifactor quorum authentication, ensure that you have an authentication strategy before beginning. See Multifactor Quorum Authentication.
For password-authenticated HSMs, specify the Partition SO password. In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:
The following characters are invalid or problematic and must not be used within passwords:
Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks. In LunaCM, passwords
Double quotation marks (
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
Cloning domain for the partition
The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. The domain secret allows for two layers of cloning security:
>The Partition SO determines which partitions can clone objects to each other by setting the same domain on the source and destination partitions.
>The Crypto Officer for the partition must authorize the cloning operation.
See Domain Planning for more information. For multifactor quorum-authenticated HSMs, create a new Domain (red) PED key(set) or re-use an existing PED key(set) from another partition that this partition will clone objects with. For password-authenticated HSMs, create a new domain string or re-use an existing string from another partition that this partition will clone objects with. The domain string must be 1-128 characters in length. The following characters are allowed:
The following characters are problematic or invalid and must not be used in a domain string:
Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks. For password-authenticated HSMs, the domain string should match the complexity of the partition password.
Prerequisites
>The new partition must be created and visible in LunaSH if it is to be initialized on the Luna Network HSM 7 appliance (Luna Appliance Software 7.7.1 and newer; see partition init).
>The new partition must be assigned to the client and visible in LunaCM if it is to be initialized from that client (see Client-Partition Connections).
>If you want to configure the partition's policies with a policy template
>If you want to configure the partition's policies with a policy template using LunaSH on the appliance, the pre-edited template file must be uploaded to the appliance.
>Multifactor Quorum authentication: A local or remote Luna PED connection must be established (see Local PED Setup or About Remote PED). Ensure that you have enough blue (Partition SO) and red (Domain) PED keys for your planned authentication scheme (see Creating PED keys).
To initialize a new application partition in LunaSH on the Luna Network HSM 7 appliance
The following steps assume that the Luna Network HSM 7 admin has created the partition (partition create).
CAUTION! This command requires Luna Appliance Software 7.8.1 or newer. Do not attempt to use it to initialize an STC partition, or assigned clients will lose contact with the partition. The Partition SO must use LunaCM at the client for partition management.
1.In LunaSH, log in to the HSM as SO if you are not already logged in.
lunash:> hsm login
2.Create the partition, if it has not already been created.
lunash:> partition create -partition <partition name>
Partition names created in LunaSH must be 1-32 characters in length. The following characters are allowed: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789!@#$%^*()-_=+{}[]:',./~
Spaces are allowed; enclose the partition name in double quotes if it includes spaces.
The following characters are not allowed: &\|;<>`"?
No two partitions can have the same name.
3.Initialize the partition by specifying its partition name. You can specify an optional label for the initialized partition; if this is not specified, the label assigned will be the same as the partition name. To initialize the partition using a policy template, specify the template filename.
•Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.
lunash:> partition init -partition <name> [-label <label>] [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]
•Multifactor Quorum authentication:
lunash:> partition init -partition <name> [-label <label>] [-applytemplate <template_file>]
Respond to the Luna PED prompts to create the blue Partition SO key and the red domain key (see Creating PED keys).
4.After the partition is initialized and the PSO created, you can create the Crypto Officer role via LunaSH on the appliance or with LunaCM on a registered client (see Initializing Crypto Officer and Crypto User Roles for an Application Partition).
To initialize a new application partition using LunaCM on the Client
1.Launch LunaCM on the client workstation.
2.Set the active slot to the partition you want to initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. To initialize the partition using a policy template, specify the path to the template file.
•Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.
lunacm:> partition init -label <label> [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]
•Multifactor Quorum authentication:
lunacm:> partition init -label <label> [-applytemplate <template_file>]
Respond to the Luna PED prompts to create the blue Partition SO key and the red domain key (see Creating PED keys).
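Both procedures above (LunaSH in step 3 of the appliance procedure, LunaCM in step 3 here) end with a `partition init` line whose values have documented limits: partition names 1-32 characters from the listed set with &\|;<>`"? forbidden, labels 1-32 characters (LunaSH rejects longer labels, LunaCM truncates them to 32), Partition SO passwords 8-255 characters, domain strings 1-128 characters with no leading space, and anything containing spaces enclosed in double quotes. The following Python script is an added example, not Thales documentation or product code: it checks candidate values against only those constraints and renders the command line so that a rejected or silently truncated value is caught before it is typed into the HSM shell. The per-character rules for labels, passwords and domain strings are not reproduced here (see Name, Label, and Password Requirements), so for those only length and the space rules are checked; the function names and sample values are constructed for this example.

```python
"""Pre-flight checks for the values passed to LunaSH/LunaCM `partition init`.

Added example, not Thales documentation or product code. Encodes only the
constraints stated on the page: partition names 1-32 characters from the listed
set, with &\\|;<>`"? forbidden; labels 1-32 characters (LunaCM truncates longer
labels to 32, LunaSH rejects them); Partition SO passwords 8-255 characters;
domain strings 1-128 characters with no leading space. Values containing spaces
are wrapped in double quotation marks, as the -password/-domain options require.
"""
from typing import List, Optional, Tuple

# Allowed set for partition names, as listed under `partition create`.
PARTITION_NAME_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ "
    "0123456789!@#$%^*()-_=+{}[]:',./~"
)
# Characters the page explicitly lists as not allowed in partition names.
PARTITION_NAME_FORBIDDEN = set('&\\|;<>`"?')


def check_length(value: str, low: int, high: int) -> List[str]:
    """Return a problem description if len(value) is outside [low, high]."""
    if low <= len(value) <= high:
        return []
    return [f"length {len(value)} not in {low}-{high}"]


def check_partition_name(name: str) -> List[str]:
    """Partition names: 1-32 characters, only the documented character set."""
    problems = check_length(name, 1, 32)
    explicit = sorted(set(name) & PARTITION_NAME_FORBIDDEN)
    other = sorted(set(name) - PARTITION_NAME_ALLOWED - PARTITION_NAME_FORBIDDEN)
    if explicit:
        problems.append("forbidden characters: " + "".join(explicit))
    if other:  # e.g. non-ASCII letters, which are outside the listed set
        problems.append("characters outside the allowed set: " + "".join(other))
    return problems


def check_password(password: str) -> List[str]:
    """Partition SO password: 8-255 characters (character rules not checked here)."""
    return check_length(password, 8, 255)


def check_domain(domain: str) -> List[str]:
    """Domain string: 1-128 characters, and the leading character must not be a space."""
    problems = check_length(domain, 1, 128)
    if domain.startswith(" "):
        problems.append("leading character is a space")
    return problems


def quote_if_spaces(value: str) -> str:
    """Both shells need a value containing spaces enclosed in double quotation marks."""
    return f'"{value}"' if " " in value else value


def build_init_command(tool: str, *, name: Optional[str] = None, label: Optional[str] = None,
                       template: Optional[str] = None, password: Optional[str] = None,
                       domain: Optional[str] = None) -> Tuple[str, List[str]]:
    """Render the `partition init` line for 'lunash' (needs -partition) or
    'lunacm' (needs -label) after validating every value.

    Returns (command, warnings). Raises ValueError listing every constraint
    violation so that a rejected value is never sent to the HSM.
    """
    problems: List[str] = []
    warnings: List[str] = []
    parts = ["partition init"]

    if tool == "lunash":
        if name is None:
            raise ValueError("LunaSH partition init requires -partition <name>")
        problems += [f"partition name: {p}" for p in check_partition_name(name)]
        parts += ["-partition", quote_if_spaces(name)]
    elif tool == "lunacm":
        if label is None:
            raise ValueError("LunaCM partition init requires -label <label>")
    else:
        raise ValueError(f"unknown tool {tool!r}; expected 'lunash' or 'lunacm'")

    if label is not None:
        if tool == "lunacm" and len(label) > 32:
            # Documented LunaCM behaviour: a longer label is silently truncated.
            warnings.append(f"label truncated from {len(label)} to 32 characters")
            label = label[:32]
        problems += [f"label: {p}" for p in check_length(label, 1, 32)]
        parts += ["-label", quote_if_spaces(label)]
    if template is not None:
        parts += ["-applytemplate", quote_if_spaces(template)]
    if password is not None:
        problems += [f"password: {p}" for p in check_password(password)]
        parts += ["-password", quote_if_spaces(password)]
    if domain is not None:
        problems += [f"domain: {p}" for p in check_domain(domain)]
        parts += ["-domain", quote_if_spaces(domain)]

    if problems:
        raise ValueError("; ".join(problems))
    return " ".join(parts), warnings


if __name__ == "__main__":
    # Constructed sample values for illustration, not real credentials.
    cmd, notes = build_init_command("lunash", name="payments hsm", label="payments-prod",
                                    password="example pass phrase", domain="shared-domain-1")
    print("lunash:> " + cmd)
    for note in notes:
        print("note: " + note)
```

Run it as a script to see the rendered LunaSH line for the sample values; in your own pre-flight tooling, call `build_init_command` with the real values and treat a `ValueError` as a stop, and any returned warning (LunaCM label truncation) as something to confirm before running the command, since the label you typed is not the label the partition will carry.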
Re-initializing an Existing Partition
The Partition SO can re-initialize an existing partition at any time. Re-initialization erases all cryptographic objects on the partition, and the login credentials for the Crypto Officer, Limited Crypto Officer, and Crypto User roles. The Partition SO login credential and cloning domain are retained.
Prerequisites
>The partition must be already initialized.
>Back up any important cryptographic objects stored on the partition.
>[Multifactor Quorum authentication] A local or remote PED connection must be established (see Local PED Setup or About Remote PED).
To re-initialize an existing application partition
1.Launch LunaCM on the client workstation.
2.Set the active slot to the partition you want to re-initialize.
lunacm:> slot set -slot <slot_number>
3.Re-initialize the partition by specifying an identifying label, either the same label or a new one. You are prompted for the current Partition SO credential.
lunacm:> partition init -label <label>