Initializing an Application Partition
Before it can be used to store cryptographic objects or perform operations, an application partition must be initialized. Initialization is performed by the Partition Security Officer and sets the authentication credential. There are two scenarios where the Partition SO would initialize the partition:
>Preparing a new partition: On a new partition, initialization sets the Partition SO authentication credential, an identifying label for the partition, and the partition's cloning domain (see Initializing a New Partition).
>Erasing an existing partition: The Partition SO can re-initialize a partition to erase all cryptographic objects and the Crypto Officer/Crypto User roles, and select a new partition label. The Partition SO credential and the cloning domain remain the same (see Re-initializing an Existing Partition).
Initializing a New Partition
Initializing an application partition for the first time establishes you as the Partition SO and sets a cloning domain for the partition. This procedure can be performed
> from an administrative connection to the network HSM appliance (via SSH) using Luna Shell (LunaSH) commands
• and then use the new PSO credential on that partition to initialize the Crypto Officer role), or
>from a registered client, with an NTLS or STC connection, using LunaCM commands.
Any subsequent re-initialization of an application partition is performed from the client.
The following attributes are set during a new partition initialization:
Partition Label |
The label is a string that uniquely identifies this partition. In LunaCM, the partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:
Spaces are allowed; enclose the label in double quotation marks if it includes spaces. For more information, refer to Name, Label, and Password Requirements. |
Partition SO credentials |
For multifactor quorum-authenticated HSMs, create a new Partition SO (blue) PED key(set) or re-use an existing PED key(set) from a partition you want to share credentials with. If you are using multifactor quorum authentication, ensure that you have an authentication strategy before beginning. See Multifactor Quorum Authentication. For password-authenticated HSMs, specify the Partition SO password. In LunaCM, passwords
Double quotation marks ( Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks. |
Cloning domain for the partition |
The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. The domain secret allows for two layers of cloning security: >The Partition SO determines which partitions can clone objects to each other by setting the same domain on the source and destination partitions. >The Crypto Officer for the partition must authorize the cloning operation. See Domain Planning for more information. For multifactor quorum-authenticated HSMs, create a new Domain (red) PED key(set) or re-use an existing PED key(set) from another partition that this partition will clone objects with. For password-authenticated HSMs, create a new domain string or re-use an existing string from another partition that this partition will clone objects with. The domain string must be 1-128 characters in length. The following characters are allowed:
The following characters are problematic or invalid and must not be used in a domain string: Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks. For password-authenticated HSMs, the domain string should match the complexity of the partition password. |
Prerequisites
>The new partition must be created on the HSM and visible in LunaCM
>If you want to configure the partition's policies with a policy template, the template file must be available on the client (see Setting Partition Policies Using a Template).
>Multifactor Quorum authentication: A local or remote Luna PED connection must be established (see Local PED Setup or About Remote PED). Ensure that you have enough blue (Partition SO) and red (Domain) PED keys for your planned authentication scheme (see Creating PED keys).
To initialize a new application partition
1.Launch LunaCM on the client workstation.
2.Set the active slot to the partition you want to initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. To initialize the partition using a policy template, specify the path to the template file.
•Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.
lunacm:> partition init -label <label> [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]
•Multifactor Quorum authentication:
lunacm:> partition init -label <label> [-applytemplate <template_file>]
Respond to the Luna PED prompts to create the blue Partition SO key and the red domain key (see Creating PED keys).
Re-initializing an Existing Partition
The Partition SO can re-initialize an existing partition at any time. Re-initialization erases all cryptographic objects on the partition, and the login credentials for the Crypto Officer and Limited Crypto Officer and Crypto User roles. The Partition SO login credential and cloning domain are retained.
Prerequisites
>The partition must be already initialized.
>Back up any important cryptographic objects stored on the partition.
>[Multifactor Quorum authentication] A local or remote PED connection must be established (see Local PED Setup or About Remote PED).
To re-initialize an existing application partition
1.Launch LunaCM on the client workstation.
2. Set the active slot to the partition you want to re-initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. You must specify a label for the partition (the same label or a new one). You are prompted for the current Partition SO credential.
lunacm:> partition init -label <label>