partition domainchangelabel
The partition domainchangelabel command changes the domain label of an existing domain.
Which domain is primary and how to change - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary, instead, using the partition domainadd and partition domainchangelabel commands, by invoking their -primary option.
A partition is initialized without a domain label (default to comply with pre-firmware-7.8.0), or optionally with a domain label (1 to 32 characters).
CAUTION! Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.
Where the domain label framework is in effect (Luna HSM Firmware 7.8.0 and newer with Luna HSM Client 10.5.0 and newer):
>pre-firmware-7.8.0 partitions that are updated to Luna HSM Firmware 7.8.0 or newer can have an existing domain that is unlabeled and
•can remain unlabeled with no consequence to your existing applications and processes
•can have a domain label applied with the partition domainchangelabel command
>new partitions created under Luna HSM Firmware 7.8.0 can be initialized
•without a domain label for continuity with your existing applications and processes
•with a domain label that can remain as-is
•can have a label added or changed later with the partition domainchangelabel command
>new partitions created with Luna HSM Firmware 7.8.0 or newer can have up to two additional domains added (typed for password-authenticated, or imported from a red PED key for multifactor quorum-authenticated), and the partition domainchangelabel command can ensure that the labels are applied/adjusted
•to enforce that no two domain labels would be identical (which prevents adding of a new domain label)
•to identify for which other HSM partition each additional label was added (created or imported)
NOTE This extended domain management command requires minimum Luna HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 (command not visible for HSMs with prior firmware versions).
NOTE The partition domainchangelabel command is visible as soon as the partition is created.
You must be logged in as partition SO (po) to run this command, which implies that the partition must first be initialized.
This command does not require partition policy 44 to be set.
Primary domain - On pre-firmware 7.8.0 HSM partitions the single possible domain is effectively the primary domain. For firmware 7.8.0 and newer, partitions can have as many as three domains. Of the three possible, one domain is always primary, but the status of primary can be moved to another domain if needed. "Primary" in this context means "the one that is tried first". If the primary domain has no match on the source partition, the system goes on to try the other domains for a match.
[Summary]
When cloning from a partition of an HSM with firmware version lower than 7.8.0 to a version 7.8.0 or higher with multiple domains, the primary domain is used.
[Explanation]
On firmware version 7.8.0-or-newer HSM partitions, the partition always has at least one domain, and can have as many as three, any of which can be a password-style text domain or a multifactor quorum type (PED key-secret) domain. One of the three possible domains is designated primary, and is the first one looked at when a cloning/migration operation is attempted.
If a firmware version 7.8.0-or-newer target is already a member of the same domain as a pre-7.8.0 firmware source partition, and that domain is primary on the v7.8.0-or-newer partition, then cloning/migration can proceed straightaway.
If the target HSM partition is at firmware 7.8.0 or newer and initially has a different domain from the source partition, the target partition can:
•use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support and
•make the domain that was obtained from the source become the primary domain on the target by using the -primary option when adding a domain with partition domainadd, and
•cloning/migration can proceed (includes backup, HA, etc.).
Syntax
partition domainchangelabel -oldlabel <label> -newlabel <label> -force
Argument(s) | Shortcut | Description
---|---|---
-force | -f | Change the domain label without asking for confirmation.
-newlabel <label> | -nl | The new label to assign to the domain.
-oldlabel <label> | -ol | The old label of the domain you wish to change.
Example - apply a domain label to a partition that was initialized without one
```
lunacm:>par init -label myPEDpar

You are about to initialize the partition.
Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now ->proceed

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Number of supported domains 3

Defined Domain
Domain #1 without label. Defined as primary domain.

Command Result : No Error

lunacm:> partition domainchangelabel

The partition SO must be logged in.

Error in execution: command cancelled.

Command Result : 0xb (User Cancelled Operation)

lunacm:> role login -name po

enter password: ********

Command Result : No Error
```
Now you can rename the first partition's domain label.
```
lunacm:>par domainchangelabel -nl PrimaryPED

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Domain not created
Domain Label[2]: Domain not created

Command Result : No Error
```
Example - change a password-authenticated domain label
```
lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPW

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: MiddledPW
Domain Label[2]: NewPEDDomain

Command Result : No Error
```
Example - change a multifactor quorum-authenticated domain label
```
lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPED

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: MiddledPED
Domain Label[2]: NewPEDDomain

Command Result : No Error
```
The action is the same as for a password-authenticated partition; no PED action is needed for a label change.
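As an added example (not Thales code), the following Python parses the "Domain Label[n]:" form of par domainlist output shown in the examples above and pre-checks a proposed label against the rules stated on this page: 1 to 32 characters, no duplicate of an existing label, and never equal to the domain secret string. The sample output is constructed from the page's examples; the function names are assumptions for illustration.

```python
import re

# Constructed sample of "par domainlist" output, in the format shown on this page.
SAMPLE_DOMAINLIST = """Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created
Command Result : No Error"""

LABEL_RE = re.compile(r"^Domain Label\[(\d+)\]:\s*(.*?)\s*$")
PLACEHOLDERS = {"Label not set", "Domain not created"}


def parse_domainlist(output):
    """Return {slot: (label_or_None, is_primary, exists)} from domainlist output.

    'Domain not created' means the slot has no domain; 'Label not set' means the
    domain exists but is unlabeled. The primary domain is marked ' - primary';
    anything after that marker (KCV in the page's output) is ignored.
    """
    slots = {}
    for line in output.splitlines():
        m = LABEL_RE.match(line.strip())
        if not m:
            continue
        slot, rest = int(m.group(1)), m.group(2)
        if rest == "Domain not created":
            slots[slot] = (None, False, False)
            continue
        is_primary = " - primary" in rest
        label = rest.split(" - primary")[0].strip()
        if label in PLACEHOLDERS:
            label = None
        slots[slot] = (label, is_primary, True)
    return slots


def check_new_label(new_label, slots, domain_secret=None):
    """Return the list of rule violations for a proposed label (empty = acceptable)."""
    problems = []
    if not 1 <= len(new_label) <= 32:
        problems.append("label must be 1 to 32 characters")
    existing = {lbl for lbl, _, _ in slots.values() if lbl}
    if new_label in existing:
        problems.append("label duplicates an existing domain label")
    if domain_secret is not None and new_label == domain_secret:
        problems.append("label must not equal the domain secret string")
    return problems
```

Run check_new_label before issuing par domainchangelabel -nl so that a duplicate or out-of-range label is rejected locally rather than by the HSM.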