audit init

Initialize the Audit role. The audit init command is available only to the audit user of the HSM appliance and initializes the Audit role on the HSM. For password-authenticated HSMs, this command attaches an audit domain and sets a role password; for PED-authenticated HSMs, it creates a white Audit PED key. For PED-authenticated HSMs, audit init also creates an audit domain, or receives an existing domain, so that selected HSMs are able to validate each other's HSM audit log files.

NOTE   Because this command destroys any existing Audit role on the HSM, the user is asked to “proceed” unless the -force switch is provided at the command line.

Audit log and syslog entries are timestamped in UTC format.

User Privileges

Only specialized Audit users can access audit commands.

Syntax

audit init [-serial <serialnum>] [-domain <auditdomain>] [-defaultdomain] [-password <password>] [-force]

Argument(s) / Shortcut / Description

-defaultdomain (shortcut: -de)

    Specifies that the default domain string is to be used as key cloning domain for the HSM. Using the default domain implies that the HSM can be used in HSM Audit Log file validation operations with any other HSM in the world that retains the default domain; retaining the default domain is not recommended. This option is deprecated and will be discontinued in a future release.

    -defaultdomain and -domain are mutually exclusive.

    -defaultdomain is ignored for multifactor quorum-authenticated HSMs.

-domain <auditdomain> (shortcut: -do)

    Specifies the string to be used as key cloning domain for the HSM. If no value is given for a Luna HSM with Password Authentication, you are prompted interactively.

    -defaultdomain and -domain are mutually exclusive.

    -domain is ignored for multifactor quorum-authenticated HSMs.

-force (shortcut: -f)

    Force the action without prompting.

-password <password> (shortcut: -p)

    Specifies the current password for the HSM Audit role. If you do not use this parameter, you are prompted for the password. This parameter applies to password-authenticated HSMs only.

-serial <serialnum> (shortcut: -s)

    Specifies the serial number of the HSM. This option allows the system to distinguish between two connected HSMs, as might occur with a PKI bundle configuration (secondary USB-attached Luna USB HSM 7).

Example

lunash:>audit init

        The AUDIT role will be initialized.

        Are you sure you wish to continue?


        Type proceed to continue, or quit to quit now -> proceed

  Please enter a domain to use for initializing the Audit role:
  > ********

  Please re-enter domain to confirm:
  > ********

  Please enter the password:
  > ********

  Please re-enter password to confirm:
  > ********


Command Result : 0 (Success)

NOTE   For multifactor quorum-authenticated HSMs, after you type "proceed" you are referred to the Luna PED (which must be connected and 'Awaiting command...') which prompts you for domain (red PED key) and Audit authentication (white PED key).