Updating or rotating cloning domain secrets

From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role or secret due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)

Changing/rotating domains was not possible when each partition was allowed only one cloning domain (prior to HSM firmware 7.8.0), as changing the domain required initializing the partition, which destroyed all data. It also meant that once a partition had a new domain, it could not receive objects restored from backup HSM/partition that had only the old cloning domain.

This changed with the introduction of Extended Domain Management in Luna HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 or newer, where each partition can have up to three different cloning domains, and those domains can be added or deleted as needed.

How to change or rotate the cloning domain

Prerequisites

>The partition must belong to an HSM at firmware 7.8.0 or newer.

>Partition Policy 44: Allow Extended Domain Management must be set to ON (partition showpolicies and partition changepolicy if necessary).

>The partition must have an available space for the new domain

either it currently has just one or two domains (partition domainlist),

or it has three domains (the maximum) but one can be deleted to make room for a new domain (with partition domaindelete) if necessary.

To rotate the cloning domain of an application partition,

1.Create the new domain, assigning it primary status and a label that will be used for that domain in any other partition or backup HSM with which it will need to clone objects.

partition domainadd -domain <string for PW-auth> -domainlabel <unique label for new domain> -primary

(provide a suitable text string as the domain secret

or

partition domainadd-domainped -domainlabel<unique label for new domain> -primary

(attend to the PED with an appropriate iKey [blank if creating a new domain, or else containing an existing domain to be reused here], since you have elected to add a PED-mediated domain secret)

2.If the next partition you are rotating already has three domains (partition domainlist) delete one of them that is no longer needed, to make room for the new domain secret.

partition domaindelete -domainlabel<label of domain to delete>

Otherwise, skip to the next step.

3.Continue to create the same domain, as in step 1, on each other partition/HSM that is expected to participate in cloning with the first partition

(includes any of another partition that needs to contain the same key material, such as

a backup HSM that already contains relevant backed-up material ,

other members of any HA group where the current partition is a member,

etc.)

partition domainadd -domain <string for PW-auth> -domainlabel <same new label as used in step 1, above> -primary

or

partition domainadd-domainped -domainlabel<same new label as used in step 1, above> -primary

4.Delete the old, rotated-out domain from all affected partitions/HSMs, after all other intended cloning partners possess the new domain that is being rotated in

partition domaindelete -domainlabel<label of domain to delete>

5.All the affected partitions should now have the new domain, properly labeled and identified as "primary" and should no longer have the old, superseded domain secret. You have satisfied the rotation requirement (with respect to domain secrets) for the current cycle. Carry on with normal operation.

6.[Optional] If you wish to verify before deleting all copies of the old pre-rotation domain secret, that the new, post-rotation domain is functional, and is now the domain being used for cloning,

a.Delete the old domain secret from all but one of the affected partitions.

b.Leave the old domain on just that one (source) partition (that also has the new domain) for now, so you still have a copy of it.

c.Perform a cloning operation between the partition that has both the old and new domain secrets, and any of the other partitions that have the new domain, but no longer have the old domain. Successful cloning indicates that the new domain secret is being used, as it should be the only domain in common among all the affected partitions/HSMs.

d.Delete the last remaining copy of the old domain.

NOTE   For multi-factor quorum-authenticated partitions when all partitions have been imprinted with new role credentials and new domain secrets, then it no longer matters if any iKeys retain the old secrets, as they can no longer be used to access or clone respectively, and can be re-used/overwritten if desired.