Initializing the Application Partition
Before it can be used to store cryptographic objects or perform operations, an application partition must be initialized. Initialization is performed by the Partition Security Officer and sets the authentication credential. There are two scenarios where the Partition SO would initialize the partition:
>Preparing a new partition: On a new partition, initialization sets the Partition SO authentication credential, an identifying label for the partition, and the partition's cloning domain (see Initializing a New Partition).
>Erasing an existing partition: The Partition SO can re-initialize a partition to erase all cryptographic objects and the Crypto Officer/Crypto User roles, and select a new partition label. The Partition SO credential and the cloning domain remain the same (see Re-initializing an Existing Partition).
Initializing a New Partition
Initializing an application partition for the first time establishes you as the Partition SO and sets a cloning domain for the partition. This procedure must be performed from the Luna USB HSM 7 client using LunaCM commands.
Prerequisites
>The new partition must be created on the HSM and visible in LunaCM (see Application Partitions).
>If you want to configure the partition's policies with a policy template using LunaCM, the template file must be available on the client (see Setting Partition Policies Using a Template).
>Multifactor Quorum authentication: Ensure that you have enough blue (Partition SO) and red (Domain) iKeys for your planned authentication scheme (see Creating iKey Using Luna USB HSM 7).
To initialize a new application partition
1.Launch LunaCM on the client workstation.
2.Set the active slot to the partition you want to initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. To initialize the partition using a policy template, specify the path to the template file.
In LunaCM, the partition label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>`~
Spaces are allowed; enclose the label in double quotation marks if it includes spaces.
•Password authentication: You can specify a Partition SO password and/or a domain string with the initialization command, or enter them when prompted.
In LunaCM, passwords abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~
Double quotation marks ("
) are problematic and should not be used within passwords.
Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.
The domain string must be 1-128 characters in length. The following characters are allowed:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~
The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()
Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks. For password-authenticated HSMs, the domain string should match the complexity of the partition password.
lunacm:> partition init -label <label> [-applytemplate <template_file>] [-password <password>] [-domain <domain_string>]
•Multifactor Quorum authentication:
lunacm:> partition init -label <label> [-applytemplate <template_file>]
Respond to the touchscreen (see Creating iKey Using Luna USB HSM 7) prompts to create the blue Partition SO key and the red domain key.
Re-initializing an Existing Partition
The Partition SO can re-initialize an existing partition at any time. Re-initialization erases all cryptographic objects on the partition, and the login credentials for the Crypto Officer and Crypto User roles. The Partition SO login credential and cloning domain are retained.
Prerequisites
>The partition must be already initialized.
>Back up any important cryptographic objects stored on the partition.
To re-initialize an existing application partition
1.Launch LunaCM on the client workstation.
2. Set the active slot to the partition you want to re-initialize.
lunacm:> slot set -slot <slot_number>
3.Initialize the partition by specifying an identifying label. You must specify a label for the partition (the same label or a new one). You are prompted for the current Partition SO credential.
lunacm:> partition init -label <label>