partition domainadd
Add a cloning domain to the partition. Partitions are assigned their original/own domain when initialized, and in that default state can perform cloning/HA operations only with other partitions sharing that single domain.
Which domain is primary and how to change - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary, instead, using the partition domainadd and partition domainchangelabel commands, by invoking their -primary option.
The partition domainadd command is meant to add a domain so that the partition can clone objects with partitions that have the new/added domain, as well as with partitions that have the same domain as originally assigned to the current partition during initialization.
>A maximum of two additional domains can be added to the original partition domain; they can be either password-authenticated or multifactor quorum-authenticated.
•If you are adding a text domain for some other password-authenticated partition, then
–do include the -domain option with the domain string from that other partition and
–do not include the -domainped option).
•If you are adding a domain PED key secret for some other multifactor quorum-authenticated partition, then
–do not include the -domain option, and
–do include the -domainped option causing the HSM to look for a connected PED with red PED key, to retrieve that key's content as the domain to add to the current partition.
>If you have more than one domain in your partition, the system assumes that you want to be able to tell them apart, so include the -domainlabel option each time you add a domain (the label is a string between 1 and 32 characters).
>The -domainlabel is added as an option with Luna HSM Firmware 7.8.0. Pre-existing partitions (created prior to firmware 7.8.0) can continue to have no label for continuity of established procedures and processes. However if you create or import a domain, the system ensures that no two can have the same label.
• a label is necessary when adding a domain if an existing domain is not labeled.
CAUTION! Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.
>Use partition domainchangelabel to change label for a domain,
•including applying a label to a domain that did not already have one.
Primary domain - On pre-firmware 7.8.0 HSM partitions the single possible domain is effectively the primary domain. For firmware 7.8.0 and newer, partitions can have as many as three domains. Of the three possible, one domain is always primary, but the status of primary can be moved to another domain if needed. "Primary" in this context means "the one that is tried first". If there is no match for the primary domain on the source partition, the systems goes on to try for other matching domains.
[Summary]
When cloning from a partition of an HSM with firmware version lower than 7.8.0 to a version 7.8.0 or higher with multiple domains, the primary domain is used.
[Explanation]
On firmware version 7.8.0-or-newer HSM partitions, the partition always has at least one domain, and can have as many as three, any of which can be a password-style text domain, or a multi-factor quorum type (PED key-secret domain. One of the three possible domains is designated primary, and is the first one looked at when a cloning/migration operation is attempted.
If a firmware version 7.8.0-or-newer target is already a member of the same domain as a pre-7.8.0 firmware source partition, and that domain is primary on the v7.8.0-or-newer partition, then cloning/migration can proceed straightaway.
If the target HSM partition is at firmware 7.8.0 or newer, then if its partition initially has a different domain from the source partition, the target partition can:
•use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support and
•make the domain that was obtained from the source become the primary domain on the target by using the -primary option when adding a domain with partition domainadd, and
•cloning/migration can proceed (includes backup, HA, etc.).
NOTE This extended domain management command requires minimum Luna HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 (command not visible for HSMs with prior firmware versions).
Partition PO role login is required, to create or change a domain (after the first domain created by partition initialization). Use of command requires partition policy 44 to be set to ON.
Syntax
partition domainadd {-domain <string> | [-domainped} [-domainlabel <string>] [-primary]
Argument(s) | Shortcut | Description |
---|---|---|
-domain <domain> | -d |
Partition domain string for password-authenticated partitions. If this is omitted, then a connected PED with a domain on a PED key is expected. |
-domainlabel <label> | -dl |
Partition domain label - to distinguish among domains when a partition has more than one, and to match with domains on other partitions. |
-domainped | -dped |
Partition domain from a PED key. |
-primary | -p |
Mark this domain as primary (always used for the older cloning protocols, prior to CPv4) |
Example with password authentication
lunacm:> partition domainadd -domain seconddomain -domainlabel brotherdaryl Command Result : No Error
Example with multifactor quorum authentication
lunacm:>par domainadd -domainped -domainlabel NewPEDDomain Please attend to the PED. Command Result : No Error lunacm:>par domainlist Domain List Domain Label[0]: PrimaryPED - primary KCV Domain Label[1]: Label not set Domain Label[2]: NewPEDDomain Command Result : No Error
Example - add an unlabeled domain while existing domain does not have a label
lunacm:>par domainlist Domain List Domain Label[0]: PrimaryPED - primary KCV Domain Label[1]: Label not set Domain Label[2]: Domain not created Command Result : No Error lunacm:>par domainadd -domainped Please attend to the PED. Error in execution: CKR_DATA_INVALID. Command Result : 0x20 (CKR_DATA_INVALID) lunacm:>
That attempt failed because it would have resulted in two domains with the same label "Label not set".
Example - add a third domain while second does not have a label
lunacm:>par domainlist Domain List Domain Label[0]: PrimaryPED - primary KCV Domain Label[1]: Label not set Domain Label[2]: Domain not created Command Result : No Error lunacm:>par domainadd -domainped -domainlabel NewPEDDomain Please attend to the PED. Command Result : No Error lunacm:>par domainlist Domain List Domain Label[0]: PrimaryPED - primary KCV Domain Label[1]: Label not set Domain Label[2]: NewPEDDomain Command Result : No Error>
This attempt succeeds because the proposed -domainlabel is different from the two existing labels "PrimaryPED" and "Label not set".