Slot Numbering and Behavior

Administrative partitions and application partitions are identified as PKCS#11 cryptographic slots in Thales utilities, such as LunaCM and multitoken, and for applications that use the Luna library.

Order of Occurrence for Different Luna HSMs

A host computer with Luna HSM Client software and Luna libraries installed can have Luna HSMs connected in any of three ways:

>PCIe embedded/inserted Luna PCIe HSM 7 card (one or multiple HSMs installed - administrative partitions and application partitions are shown separately)

>USB-connected Luna USB HSM 7s (one or multiple - administrative partitions and application partitions are shown separately)

>Luna Network HSM 7 application partitions*, registered and connected via NTLS or STC.

Any connected HSM partitions are shown as numbered slots. Slots are numbered from zero or from one, depending on configuration settings (see Settings Affecting Slot Order, below), and on the firmware version of the HSM(s).

* One or multiple application partitions. Administrative partitions on Luna Network HSM 7s are not visible via LunaCM or other client-side tools. Only registered, connected application partitions are visible. The number of visible partitions (up to 100) depends on your model's capabilities. That is, a remote Luna Network HSM 7 might support 100 application partitions, but your application and LunaCM will see only partitions that have established certificate-exchange NTLS links or STC links with the current Client computer.

In LunaCM, a slot list would normally show:

>Luna Network HSM 7 application partitions for which NTLS links or STC links are established with the current host, followed by

>Luna PCIe HSM 7 cards, followed by

>Luna USB HSM 7s

For Luna Network HSM 7, as seen from a client (via NTLS), only application partitions are visible. The HSM administrative partition of a remote Luna Network HSM 7 is never seen by a Luna HSM Client. The Luna Network HSM 7 slots are listed in the order they are polled, dictated by the entries in the Luna Network HSM section of the crystoki.ini / Chrystoki.conf file, like this:

ServerName00=192.20.17.200
ServerPort00=1792
ServerName01=192.20.17.220
ServerPort01=1793


For Luna PCIe HSM 7 and Luna USB HSM 7, if more than one HSM of a given type is connected to a single host, they appear in the order of their hardware slot numbers, as discovered by the host computer.

For Luna PCIe HSM 7 and Luna USB HSM 7, the HSM administrative slot always appears immediately after the application partition. If no application partition has yet been created, a slot number is still reserved for it.

Settings Affecting Slot Order

Settings in the Presentation section of the configuration file (Chrystoki.conf for UNIX/Linux, crystoki.ini for Windows) can affect the numbering that the API presents to Luna tools (like LunaCM) or to your application.

[Presentation]
ShowUserSlots=<slot>(<serialnumber>)

>Sets starting slot for the identified partition.

>Default, when ShowUserSlots is not specified, is that all available partitions are visible and appear in default order.

>Can be applied, individually, to multiple partitions, by a single entry containing a comma-separated list (with each partition's serial number in parentheses):
ShowUserSlots=1(351970018022), 2(351970018021), 3(351970018020),....

>If multiple partitions on the same HSM are connected to the Luna HSM Client host computer, redirecting one of those partitions with ShowUserSlots= causes all the others to disappear from the slot list, unless they are also explicitly re-ordered by the same configuration setting.

ShowAdminTokens=yes

>Default is yes. Admin partitions of local HSMs are visible in a slot listing.

>Remotely connected partitions (Luna Network HSM 7) are not affected by this setting, because NTLS connects only application partitions, not HSM SO (Admin) partitions to clients, so a Luna Network HSM SO administrative partition would never be visible in a client-side slot list, regardless.

ShowEmptySlots=1

>Controls whether C_GetSlotList (as used by the LunaCM slot list command, by ckdemo command 14, and by your PKCS#11 application) includes unused potential slots when the number of partitions on an HSM is below its limit.

OneBaseSlotId=1

>Causes basic slot list to start at slot number 1 (one) instead of default 0 (zero).
(Any submitted number other than zero is treated as "1". Any letter or other non-numeric character is treated as "0".)

Effects of Settings on Slot List

Say, for example, you have multiple HSMs connected to your host computer (or installed inside), with any combination of Luna HSM Firmware 7.0.1 and newer, and no explicit entries exist for slot order in the config file. The defaults prevail and the slot list would start at zero.

If you set OneBaseSlotId=1 in the configuration file, then the slot list starts at "1" instead of at "0". You might set this for personal preference, because your application expects slot numbering to start at one, or because existing scripts depend on a particular starting number. OneBaseSlotId affects the starting number for all slots, including the HA virtual slot, regardless of firmware.

TIP   VISIBILITY OF PARTITION SLOTS

Slot numbering is affected by the LunaCM command hagroup haonly (recommended). With HA Only set, only the virtual slot of an HA group is visible to your applications (see the note below about LunaCM visibility). This is important if your application relies on stable slot numbers to access partitions or services. HA Only locks the virtual slot number, so that it remains fixed when other slots are added or removed (including the primary member of a group).

In situations where you have multiple HA groups configured on a client, and hagroup haonly is applied, each of the several resulting virtual slots remains in its number/position as members of any group are added/removed/dropped/restored. However the numbering would change if you explicitly deleted an entire group from the client. In that case, the assumption is that it's a planned activity and you are prepared for movement of other slot number assignments.

If HAonly is not set, then removing or adding a physical slot causes slots to renumber, including the HA virtual slot, which might not be what you want.

Individual partition slots remain visible in LunaCM when HA Only mode is enabled. They are hidden only from client applications. Use CKdemo (Option 11) to see the slot numbers to use with client applications.

If you set ShowUserSlots=20(17923506), then the identified token or HSM or application partition would appear at slot 20, regardless of the locations of other HSMs and partitions.
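The settings above are easy to get subtly wrong: ShowUserSlots hides the un-redirected sibling partitions of the same HSM, and OneBaseSlotId silently treats a non-numeric value such as "yes" as 0. The following is an added example, not Thales code, that parses the Presentation section from either file layout (the [Section] / Key=Value form of crystoki.ini shown on this page, and the Section = { Key = Value; } block form of Chrystoki.conf) and applies exactly the rules this page states. The configuration text and the partition-to-HSM inventory are constructed samples; the client configuration file does not record which partitions share an HSM, so the caller must supply that mapping.

```python
"""Lint the [Presentation] settings of a Luna HSM Client configuration file.

Added example (not Thales code). Checks implement the rules on this page:
ShowUserSlots pins partitions (by serial) to slot numbers and hides any
sibling partition of the same HSM that is not pinned too; OneBaseSlotId
treats any non-zero number as 1 and any non-numeric value as 0.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the crystoki.ini layout shown on this page. It
# contains the two mistakes the checks below report.
SAMPLE_INI = """
[Presentation]
ShowUserSlots=1(351970018022), 2(351970018021)
ShowAdminTokens=yes
ShowEmptySlots=1
OneBaseSlotId=yes
"""

# Constructed inventory: which application partitions live on which HSM.
SAMPLE_PARTITIONS_BY_HSM = {
    "netHSM-A": ["351970018022", "351970018021", "351970018020"],
    "netHSM-B": ["351970019001"],
}


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[Section]' + 'Key=Value' (crystoki.ini) or 'Section = {' ... '}'
    + 'Key = Value;' (Chrystoki.conf) into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line) or re.match(r"^([^=]+?)\s*=\s*\{$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().rstrip(";").strip()
    return sections


def parse_show_user_slots(value: str) -> List[Tuple[int, str]]:
    """Parse 'slot(serial), slot(serial), ...'; reject malformed entries and
    duplicate slot numbers or serials."""
    pairs: List[Tuple[int, str]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)\s*\(\s*(\d+)\s*\)", item)
        if not m:
            raise ValueError(f"malformed ShowUserSlots entry: {item!r}")
        pairs.append((int(m.group(1)), m.group(2)))
    slots = [s for s, _ in pairs]
    serials = [sn for _, sn in pairs]
    if len(set(slots)) != len(slots):
        raise ValueError("ShowUserSlots assigns one slot number twice")
    if len(set(serials)) != len(serials):
        raise ValueError("ShowUserSlots lists one serial number twice")
    return pairs


def one_base_slot_id(value: str) -> int:
    """Rule from this page: any number other than zero acts as 1; anything
    non-numeric acts as 0, which is also the default."""
    try:
        return 1 if int(value.strip()) != 0 else 0
    except ValueError:
        return 0


def hidden_siblings(pinned: List[Tuple[int, str]],
                    partitions_by_hsm: Dict[str, List[str]]) -> List[str]:
    """Serials that drop out of the slot list: partitions on the same HSM as
    a redirected partition that are not redirected themselves."""
    pinned_serials = {serial for _, serial in pinned}
    hidden: List[str] = []
    for serials in partitions_by_hsm.values():
        if pinned_serials.intersection(serials):
            hidden.extend(s for s in serials if s not in pinned_serials)
    return hidden


def lint_presentation(text: str,
                      partitions_by_hsm: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for the Presentation section."""
    pres = parse_config(text).get("Presentation", {})
    findings: List[str] = []
    if "ShowUserSlots" in pres:
        pinned = parse_show_user_slots(pres["ShowUserSlots"])
        for serial in hidden_siblings(pinned, partitions_by_hsm):
            findings.append(f"partition {serial} will disappear from the slot "
                            f"list; add it to ShowUserSlots or drop the setting")
    raw = pres.get("OneBaseSlotId")
    if raw is not None:
        try:
            int(raw.strip())
        except ValueError:
            findings.append(f"OneBaseSlotId={raw} is not numeric and acts as 0 "
                            f"(slot list stays zero-based)")
    return findings


if __name__ == "__main__":
    for finding in lint_presentation(SAMPLE_INI, SAMPLE_PARTITIONS_BY_HSM):
        print(finding)
```

Run against the sample, the linter reports that partition 351970018020 will vanish (its two siblings on netHSM-A are pinned, it is not) and that OneBaseSlotId=yes leaves the list zero-based. Feeding it the real file plus the partition inventory from your Network HSM appliances before a client rollout catches both problems before an application starts opening the wrong slot.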

Options for an application to access a partition

Review the other sections on this page, while considering the requirements of your application, to decide how your application will access a partition.

>Identify a partition by reference to the partition label
For example, the Java keytool utility references by label when using the “tokenlabel:” option in the keystore file [ Keytool Usage and Examples ]

Advantage: unaffected by changes to slot numbering.

Drawback: partitions might inadvertently be given the same label, so a label lookup is not guaranteed to be unique.

>Identify a partition by referring to its slot number
For example, the Java keytool utility references by slot number when using the “slot:” option in the keystore file [ Keytool Usage and Examples ]

Advantage: a reliable identifier while slot numbers are stable. If HA is in use, the hagroup haonly command removes physical slots from your application's view and locks the slot number of the virtual partition.

Drawback: slot numbering can change if physical partitions are exposed and a partition is added to, or removed from, the slot list.

>Identify a partition by its serial number (see Note below)

Advantage: always a unique identifier, and unaffected by changes to slot numbering.

Drawback: your application might not include that ability (for example, an integration that uses KSP or EKM).

NOTE   For developers, C_GetTokenInfo returns a partition's serial number in the serialNumber field of CK_TOKEN_INFO.
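The note above is the basis for the most robust of the three options: enumerate the slots with C_GetSlotList, read each token's CK_TOKEN_INFO, and pick the slot whose serialNumber matches, so the application never hard-codes a slot number. The following is an added example, not Thales code, written in Python with ctypes against the standard PKCS#11 v2.x entry points. The library path is the usual Linux location for the 64-bit Luna client library and is an assumption for your installation; CK_ULONG is modelled as the C unsigned long of a 64-bit Linux build (on Windows it is 32 bits). The selection functions are pure and are shown running on constructed token records, including the duplicate-label case that makes label-based selection ambiguous.

```python
"""Select a Luna partition by serial number instead of slot number.

Added example (not Thales code). enumerate_tokens() needs the Luna client
library; select_slot_by_serial() and select_slot_by_label() are pure and
work on any list of Token records.
"""
import ctypes
from dataclasses import dataclass
from typing import List, Optional

CKR_OK = 0
CK_ULONG = ctypes.c_ulong  # assumption: 64-bit Linux build of the library
CK_RV = CK_ULONG
DEFAULT_LIB = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"  # assumed path


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    """PKCS#11 v2.x layout; text fields are space padded, not NUL terminated."""
    _fields_ = [
        ("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
        ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
        ("flags", CK_ULONG),
    ] + [(name, CK_ULONG) for name in (
        "ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
        "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
        "ulTotalPublicMemory", "ulFreePublicMemory",
        "ulTotalPrivateMemory", "ulFreePrivateMemory")
    ] + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
         ("utcTime", ctypes.c_ubyte * 16)]


@dataclass(frozen=True)
class Token:
    slot: int
    label: str
    serial: str


def _text(field) -> str:
    """Decode a space-padded PKCS#11 text field."""
    return bytes(field).decode("ascii", "replace").rstrip(" \x00")


def enumerate_tokens(lib_path: str = DEFAULT_LIB) -> List[Token]:
    """Return one Token per slot that currently has a token present."""
    lib = ctypes.CDLL(lib_path)
    for name in ("C_Initialize", "C_Finalize", "C_GetSlotList", "C_GetTokenInfo"):
        getattr(lib, name).restype = CK_RV
    rv = lib.C_Initialize(None)
    if rv != CKR_OK:
        raise RuntimeError(f"C_Initialize failed: 0x{rv:08X}")
    try:
        count = CK_ULONG(0)
        rv = lib.C_GetSlotList(ctypes.c_ubyte(1), None, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError(f"C_GetSlotList failed: 0x{rv:08X}")
        slots = (CK_ULONG * count.value)()
        rv = lib.C_GetSlotList(ctypes.c_ubyte(1), slots, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError(f"C_GetSlotList failed: 0x{rv:08X}")
        tokens: List[Token] = []
        for slot in list(slots)[:count.value]:  # count may shrink between calls
            info = CK_TOKEN_INFO()
            if lib.C_GetTokenInfo(CK_ULONG(slot), ctypes.byref(info)) != CKR_OK:
                continue  # slot disappeared between enumeration and query
            tokens.append(Token(slot, _text(info.label), _text(info.serialNumber)))
        return tokens
    finally:
        lib.C_Finalize(None)


def select_slot_by_serial(tokens: List[Token], serial: str) -> Optional[int]:
    """Slot holding the partition with this serial, or None. Serials are
    unique, so the result is correct even after slots renumber."""
    matches = [t.slot for t in tokens if t.serial == serial]
    if len(matches) > 1:
        raise RuntimeError(f"serial {serial} reported by slots {matches}")
    return matches[0] if matches else None


def select_slot_by_label(tokens: List[Token], label: str) -> Optional[int]:
    """Label lookup that refuses to guess when two partitions share a label."""
    matches = [t.slot for t in tokens if t.label == label]
    if len(matches) > 1:
        raise ValueError(f"label {label!r} is not unique: slots {matches}")
    return matches[0] if matches else None


# Constructed records standing in for C_GetTokenInfo results; the repeated
# label is the failure mode of label-based selection described above.
SAMPLE_TOKENS = [
    Token(0, "par-app1", "351970018022"),
    Token(1, "par-app1", "351970018021"),
    Token(2, "par-app2", "351970018020"),
]

if __name__ == "__main__":
    import sys
    wanted = sys.argv[1] if len(sys.argv) > 1 else "351970018022"
    print(select_slot_by_serial(enumerate_tokens(), wanted))
```

Because the slot number is re-resolved from the serial on every start, the program keeps working when a partition is added or removed and the remaining slots renumber, which is exactly the case slot-number configuration does not survive. The OneBaseSlotId and ShowUserSlots settings still apply: whatever numbers the library presents are the numbers C_GetSlotList returns, so the resolved slot can be passed straight to C_OpenSession.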


Effects of New Firmware on Slot Login State

Slots retain login state when current-slot focus changes. You can use the LunaCM command slot set to shift focus among slots, and whatever login state existed when you were previously focused on a slot is still in effect when you return to that slot.