partition init co
NOTE This command is available using Luna Appliance Software 7.7.1 or newer.
Initialize the Crypto Officer (CO) role on an application partition where the partition has already been created (partition create) and the Partition Security Officer (PSO) role has already been initialized (partition init). To initialize the CO role on a partition, you need the PSO credentials for that partition.
>This command (partition init co) might be preferred in situations where management of the appliance and HSM, and of client configuration, are owned by the same person or organization.
>For situations where the ownership, configuration, and use of application partitions are expected to be held by a separate person or organization, you might prefer to initialize the partition Crypto Officer role via client connection and LunaCM commands - see role commands instead.
For password-authenticated HSMs, if the password is not provided via the command line, the user is interactively prompted for it. Input is echoed as asterisks, and the user is asked for password confirmation. This creates the Partition Security Officer role.
For multifactor quorum-authenticated HSMs, Luna PED action is required, and a Partition SO PED key (blue) is imprinted. Any password provided at the command line is ignored.
First password is temporary
Initialization of the Crypto Officer role sets the initial password; that password must be changed via lunacm commands on the client before crypto operations are permitted by the CO role user. The person undertaking the CO role on the client must be given the CO password, because
>all subsequent role password changes on CO and
>all CO activities (administrative or crypto) can be done only from the client (LunaCM).
Initialization of Crypto User and other roles is done only at the client.
Syntax
```
partition init co -partition <name> [-psopin <password>] [-copin <password>] [-force]
```
Argument(s) | Shortcut | Description
---|---|---
-copin | -c | Partition Crypto Officer password, being assigned to the CO role that is being created by this command. Used only on password-authenticated HSMs; ignored for multifactor quorum-authenticated HSMs. In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed: The following characters are invalid or problematic and must not be used within passwords: Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.
-force | -f | Force the action (useful for scripting).
-partition <partition name> | -pa | This is the name by which the partition appears to the HSM SO in LunaSH.
-psopin | -ps | Partition Security Officer password.
Example with all required arguments on password-authenticated HSM
```
lunash:>par init co -pa part1 -ps PSOs!Pa55w0rd -c Some!Pa55w0rd

Command Result : 0 (Success)
lunash:>

lunash:>par show -p part1

        Partition Name:                             part1
        Partition SN:                               1552202447883
        Partition Label:                            part1_pw
        Partition Version:                          0
        Partition SO PIN To Be Changed:             no
        Partition SO Zeroized:                      no
        Partition SO Login Attempts Left:           10
        Partition SO Change Password Attempts Left: 10
        Crypto Officer PIN To Be Changed:           yes
        Crypto Officer Locked Out:                  no
        Crypto Officer Login Attempts Left:         10
        Crypto Officer Change Password Attempts Left: 10
        Crypto User is not initialized.
        Legacy Domain Has Been Set:                 no
        Partition Storage Information (Bytes):      Total=6628214 Used=0 Free=6628214
        Partition Object Count:                     0
        Partition SMK OUIDs:
                SMK-FW4:                            Not Initialized
                SMK-FW6:                            Not Initialized
                SMK-FW7-FM:                         Not Initialized
                SMK-FW7-Rollover:                   Not Initialized
                SMK-FW7-Primary:                    Not Initialized

Command Result : 0 (Success)
```
NOTE If you are migrating a Secure Master Key (SMK) from a Luna 6 HSM to a Luna 7 HSM, in addition to the SMK-FW6, the SMK-FW4 on the Luna 7 HSM is also overwritten by a new one (even if you have not initialized an SMK-FW4 on the Luna 6 HSM by a prior migration) and this command reports the presence of an SMK-FW4 on the Luna 7 HSM.
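The "Crypto Officer PIN To Be Changed: yes" line in the output above is the flag that tells you the CO role is still on the temporary password set by this command and cannot yet be used for crypto. The following script is an added example, not part of the Luna documentation: it parses partition show output (a sample constructed from the example above; lunash itself is not called) and classifies the CO role state. The rule that a missing "Crypto Officer" field means the role is uninitialized is an assumption, not documented behaviour.

```shell
#!/bin/sh
# Added example (not Luna documentation code): classify the Crypto Officer
# role from "partition show" output after "partition init co".

# Constructed sample, taken from the page's "par show -p part1" example.
SAMPLE_PAR_SHOW='Partition Name: part1
Partition SN: 1552202447883
Partition SO PIN To Be Changed: no
Crypto Officer PIN To Be Changed: yes
Crypto Officer Locked Out: no
Crypto Officer Login Attempts Left: 10
Crypto Officer Change Password Attempts Left: 10
Crypto User is not initialized.'

# Print the value of one "Key: value" line ($2) from par show output ($1).
par_show_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# Classify the CO role from par show output:
#   uninitialized      - no Crypto Officer fields present (assumed layout)
#   locked             - Crypto Officer Locked Out: yes
#   temporary-password - initialized, but the initial password set by
#                        "partition init co" has not been changed from the
#                        client yet, so the CO cannot perform crypto
#   ready              - password changed; the role can be used for crypto
co_role_state() {
    to_change=$(par_show_field "$1" "Crypto Officer PIN To Be Changed")
    locked=$(par_show_field "$1" "Crypto Officer Locked Out")
    if [ -z "$to_change" ]; then
        echo uninitialized
    elif [ "$locked" = yes ]; then
        echo locked
    elif [ "$to_change" = yes ]; then
        echo temporary-password
    else
        echo ready
    fi
}

# Remaining CO login attempts before lockout (0 if the field is absent).
co_login_attempts_left() {
    n=$(par_show_field "$1" "Crypto Officer Login Attempts Left")
    echo "${n:-0}"
}

co_role_state "$SAMPLE_PAR_SHOW"          # prints: temporary-password
co_login_attempts_left "$SAMPLE_PAR_SHOW" # prints: 10
```

In a real deployment the output would come from an ssh session to the appliance rather than the embedded sample.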
Example with neither password provided on password-authenticated HSM
```
lunash:>par init co -pa part1

Please enter the Partition owner's password:
> *******

Please enter the Partition Crypto Officier's initial password:
> *******

Please re-enter the Partition Crypto Officer's initial password:
> *******

Command Result : 0 (Success)
```
Example on multifactor quorum-authenticated HSM
```
lunash:>par init co -pa part1 -c default

Warning: Initial CO password will be ignored on a PED based SA.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed

Luna PED operation required to initialize the CO role. Please attend to the PED.

Command Result : 0 (Success)
```