partition init

Initialize an application partition.

CAUTION!   This command requires Luna Appliance Software 7.8.1 or newer. Do not attempt to use it to initialize an STC partition, or assigned clients will lose contact with the partition. The Partition SO must use LunaCM at the client for partition management.

>This command might be preferred in situations where management of the appliance and HSM, and of client configuration, are owned by the same person or organization.

>For situations where the ownership, configuration, and use of application partitions is expected to be held by a separate person or organization, you might prefer to initialize the partition via client connection and LunaCM commands - see the LunaCM partition init and role commands instead.

For password-authenticated HSMs, if the password is not provided via the command line, the user is interactively prompted for it. Input is echoed as asterisks, and the user is asked to confirm the password. This creates the Partition Security Officer role.

For multifactor quorum-authenticated HSMs, Luna PED action is required, and a Partition SO PED key (blue) is imprinted. Any password provided at the command line is ignored.

With the partition init command, you create the Partition Security Officer (PSO) credential. That credential is then needed by the person who creates the Crypto Officer role in LunaSH or LunaCM.

Domain matching and the default domain

If you do not specify a domain in the command line (password-authenticated HSMs), you are prompted for it.

If you type a character string at the prompt, that string becomes the domain for the partition. This applies to password-authenticated HSMs. For multifactor quorum-authenticated HSMs, the string is not needed and is ignored, because the HSM creates and/or imprints a domain PED key.

Thereafter, for any action that involves cloning, the domain on source and target will need to match (this includes backup and restore operations, HA synchronization operations, or partition clone commands via the client).

Partition initialization via LunaSH is first time only

You can initialize a partition only one time via this command. Any subsequent re-initialization must be done from the client (using lunacm commands).

After initializing a partition with this command (partition init),

>you can initialize the Crypto Officer role from the appliance side with the LunaSH command partition init co, or

>you can do it from a registered client using LunaCM role commands.

In either case, you will need the PSO credentials.

User Privileges

Users with the following privileges can use this command:

>admin

>operator

Syntax

partition init -partition <name> [-label <string>] [-password <string>] [-domain <string>] [-pptfile </filename>] [-defaultdomain] [-auth] [-force]

Argument(s) Shortcut Description
-defaultdomain -def

This option is deprecated. It applies to password-authenticated HSMs only. It allows you to set a default domain that is compatible with certain legacy HSMs, instead of specifying a unique domain string with -domain. Using a default domain secret means that key cloning and backup/restore operations are protected by Crypto Officer authentication only.
-domain -d

Partition cloning domain string. Used only on password-authenticated HSMs; ignored for multifactor quorum-authenticated HSMs. The domain secret allows for two layers of cloning security:

>The Partition SO determines which partitions can clone objects to each other by setting the same domain on the source and destination partitions.

>The Crypto Officer for the partition must authorize the cloning operation.

See Domain Planning for more information.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

For password-authenticated HSMs, the domain string should match the complexity of the partition password.

-force -f

Force the action (useful for scripting).

-label <label> -l

Label for the partition. This is how the partition is seen when viewed from the Client side (such as in lunacm slot list). If an explicit label value is not entered, then the value provided for the partition name is also used for the label.

In LunaSH, the partition label created during initialization must be 1-32 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

Spaces are allowed; enclose the label in double quotation marks if it includes spaces.

-partition <partition name> -par

This is the name by which the partition appears to the HSM SO in LunaSH. This name is meaningful to the appliance admin, and does not need to reflect how the partition is eventually used by applications (see -label, which can match or can be completely different if desired).

-password -pas

Partition Security Officer password. Used only on password-authenticated HSMs; ignored for multifactor quorum-authenticated HSMs.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

The following characters are invalid or problematic and must not be used within passwords: "&;<>\`|

Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.

-pptfile <filename> -pp

Apply a policy template located in the user files. This feature requires minimum Luna HSM Firmware 7.1.0.

NOTE   If there is a mismatch between template policies and the default values of newer or dependent policies, then the attempt to apply the old policy would fail with CKR_FAILED_DEPENDENCIES.

You have the option to edit a policy file before applying it, to add newer policies.

LunaSH does not include provision for editing template files. You can edit externally, before uploading a Partition Policy Template file, if needed.
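The domain, label and password rules in the table above are easy to get wrong when partition init is scripted with -force, where there is no interactive prompt to catch a rejected value. The following Python snippet is an added example, not code from the Luna documentation or from Thales: it encodes the documented character sets and length limits, reports every violation rather than the first one, and assembles the LunaSH command line with the double-quoting the table requires for values containing spaces. The function names are assumptions of this example, and the partition name is not validated because the page states no rules for it.

```python
import string

# Character sets transcribed from the partition init argument table:
# the domain set omits parentheses, the label and password sets include them.
_COMMON = string.ascii_letters + string.digits + " !@#$%^*-_=+[]{}/:',.~"
DOMAIN_ALLOWED = frozenset(_COMMON)
LABEL_ALLOWED = frozenset(_COMMON + "()")
PASSWORD_ALLOWED = frozenset(_COMMON + "()")


def _check(value, allowed, min_len, max_len, what):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if not (min_len <= len(value) <= max_len):
        problems.append(f"{what} must be {min_len}-{max_len} characters, got {len(value)}")
    bad = sorted({c for c in value if c not in allowed})
    if bad:
        problems.append(f"{what} contains disallowed characters: {''.join(bad)!r}")
    return problems


def validate_domain(domain):
    # 1-128 characters, domain character set, and the leading character must not be a space.
    problems = _check(domain, DOMAIN_ALLOWED, 1, 128, "domain")
    if domain.startswith(" "):
        problems.append("domain must not begin with a space")
    return problems


def validate_label(label):
    # 1-32 characters from the label character set.
    return _check(label, LABEL_ALLOWED, 1, 32, "label")


def validate_password(password):
    # 8-255 characters from the password character set.
    return _check(password, PASSWORD_ALLOWED, 8, 255, "password")


def _quote(value):
    # Double quotes are never allowed inside any of these values, so wrapping a
    # value in them is unambiguous; the documentation requires it when spaces are present.
    return f'"{value}"' if " " in value else value


def build_partition_init(partition, password, domain, label=None, force=False):
    """Validate the inputs and return the LunaSH command line, or raise ValueError."""
    problems = validate_password(password) + validate_domain(domain)
    if label is not None:
        problems += validate_label(label)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["partition", "init", "-partition", partition,
             "-password", _quote(password), "-domain", _quote(domain)]
    if label is not None:
        parts += ["-label", _quote(label)]
    if force:
        parts.append("-force")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values; the password and domain here are illustrative only.
    print(build_partition_init("part1", "Some!Pa55w0rd", "domain",
                               label="my_pw_partition", force=True))
```

The returned string is what you would type at the lunash:> prompt (or pass over an SSH session to the appliance's admin account). Keeping the rule check separate from command assembly means the same validators can be reused for the LunaCM-side role commands, which accept the same credential strings.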

Example without Partition Policy Template

lunash:>par init -par part1 -l my_pw_partition -pas Some!Pa55w0rd -d domain



Command Result : 0 (Success)
lunash:> 

lunash:>par show -p part1


   Partition Name:                                      part1
   Partition SN:                                1552202447876
   Partition Label:                           my_pw_partition
   Partition Version:                                       0
   Partition SO PIN To Be Changed:                         no
   Partition SO Zeroized:                                  no
   Partition SO Login Attempts Left:                       10
   Partition SO Change Password Attempts Left:             10
   Crypto Officer is not initialized.
   Crypto User is not initialized.
   Legacy Domain Has Been Set:                             no
   Partition Storage Information (Bytes):
                Total=6628214
                Used=0
                Free=6628214
   Partition Object Count:                                  0
   Partition SMK OUIDs:
		SMK-FW4: Not Initialized
		SMK-FW6: Not Initialized
		SMK-FW7-FM: Not Initialized
		SMK-FW7-Rollover: Not Initialized
		SMK-FW7-Primary: Not Initialized


Command Result : 0 (Success)
lunash:>

NOTE   If you are migrating a Secure Master Key (SMK) from a Luna 6 HSM to a Luna 7 HSM, in addition to the SMK-FW6, the SMK-FW4 on the Luna 7 HSM is also overwritten by a new one (even if you have not initialized an SMK-FW4 on the Luna 6 HSM by a prior migration) and this command reports the presence of an SMK-FW4 on the Luna 7 HSM.

Example with Partition Policy Template

lunash:>par init -par part1 -l part1_pw -pas default -d domain -pp part1_pw.ppt

    ID  Value   off-to-on Destructive   on-to-off Destructive
   -----------------------------------------------------------
    41      1                       0                       1

   Above Partition policy template values will be applied.
          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed


Command Result : 0 (Success)
lunash:>

lunash:>c as -c 10.124.79.145 -p part1


'client assignPartition' successful.


Command Result : 0 (Success)