partition domainadd
Add a cloning domain to the partition. Partitions are assigned their original/own domain when initialized, and in that default state can perform cloning/HA operations only with other partitions sharing that single domain.
Which domain is primary and how to change it - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary instead, using the partition domainadd and partition domainchangelabel commands with their -primary option.
The partition domainadd command is meant to add a domain so that the partition can clone objects with partitions that have the new/added domain, as well as with partitions that have the same domain as originally assigned to the current partition during initialization.
A maximum of two additional domains can be added to the original partition domain; they can be either password-authenticated or multifactor quorum-authenticated.
•If you are adding a text domain for some other password-authenticated partition, then
–do include the -domain option with the domain string from that other partition, and
–do not include the -domainped option.
•If you are adding a domain iKey secret for some other multifactor quorum-authenticated partition, then
–do not include the -domain option, and
–do include the -domainped option, which causes the HSM to look for a connected PED with a red iKey and retrieve that key's content as the domain to add to the current partition.
If you have more than one domain in your partition, the system assumes that you want to be able to tell them apart, so include the -domainlabel option each time you add a domain (the label is a string between 1 and 32 characters).
The -domainlabel option is added with Luna USB HSM 7 Firmware 7.9.2. Pre-existing partitions (created prior to firmware
• a label is necessary when adding a domain if an existing domain is not labeled.
CAUTION! Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.
Use partition domainchangelabel to change the label of a domain, including applying a label to a domain that did not already have one.
Primary domain - On pre-firmware
[Summary]
When cloning from a partition of an HSM with a firmware version lower than
[Explanation]
On firmware version
If a firmware version
If the target HSM partition is at firmware
•use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support and
•make the domain that was obtained from the source become the primary domain on the target by using the -primary option when adding a domain with partition domainadd, and
•then cloning/migration can proceed (this includes backup, HA, etc.).
NOTE This extended domain management command requires minimum
Partition PO role login is required to create or change a domain (beyond the first domain, which is created by partition initialization). This command requires that partition policy 44: Allow Extended Domain Management is set to ON.
See also Considerations When Cloning / Copying Between Domains.
Syntax
partition domainadd {-domain <string> | -domainped} [-domainlabel <string>] [-primary]
| Argument(s) | Shortcut | Description |
|---|---|---|
| -domain <domain> | -d | Partition domain string for password-authenticated partitions. If this is omitted, a connected PED with a domain on an iKey is expected. |
| -domainlabel <label> | -dl | Partition domain label, used to distinguish among domains when a partition has more than one, and to match with domains on other partitions. |
| -domainped | -dped | Partition domain from an iKey. |
| -primary | -p | Mark this domain as primary (always used for the older cloning protocols, prior to CPv4). |
Example with password authentication
lunacm:> partition domainadd -domain seconddomain -domainlabel brotherdaryl

Command Result : No Error
Example with multifactor quorum authentication
lunacm:> par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:> par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error
Example - add an unlabeled domain while existing domain does not have a label
lunacm:> par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:> par domainadd -domainped

Please attend to the PED.

Error in execution: CKR_DATA_INVALID.

Command Result : 0x20 (CKR_DATA_INVALID)
lunacm:>
That attempt failed because the partition already holds an unlabeled domain (slot 1); adding another unlabeled domain would have resulted in two domains with the same label "Label not set".
Example - add a third domain while second does not have a label
lunacm:> par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:> par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:> par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error
This attempt succeeds because the proposed -domainlabel is different from the two existing labels "PrimaryPED" and "Label not set".
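The rules above (at most two added domains, a mandatory -domainlabel once any existing domain is unlabeled, a 1-32 character label that must never equal the domain secret) are the checks that bite when scripting partition domainadd, and the CKR_DATA_INVALID failure shown earlier is the typical symptom. The following POSIX sh pre-flight check is an added example, not Thales or lunacm code: it parses captured output of partition domainlist in the format shown on this page (the sample output is constructed from that format), applies those rules, and only then assembles the domainadd command line. It assembles the command as a string rather than invoking lunacm, so it makes no assumption about how lunacm is driven non-interactively.

```shell
#!/bin/sh
# Pre-flight check for `partition domainadd`, driven by `partition domainlist` output.
# Added example, not Thales/Luna code. The only assumption about lunacm is the
# domainlist output format shown on this page; the command line is built, not run.

# Constructed sample of `partition domainlist` output: slot 1 unlabeled, slot 2 free.
SAMPLE_DOMAINLIST='Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created
Command Result : No Error'

# Number of unused domain slots. A partition holds its original domain plus at
# most two added ones, so three slots in total; "Domain not created" marks a free one.
domain_free_slots() {
    printf '%s\n' "$1" | grep -c 'Domain not created' || true
}

# Exit 0 when some existing domain has no label. In that state the HSM rejects an
# unlabeled domainadd with CKR_DATA_INVALID, because two domains would both read
# "Label not set" and could no longer be told apart.
domain_label_required() {
    printf '%s\n' "$1" | grep -q ': Label not set$'
}

# Assemble the domainadd command line, or fail with the reason on stderr.
#   $1 domainlist output     $2 domain secret ("" for a PED/iKey domain)
#   $3 domain label ("" for none)   $4 "primary" to mark the new domain primary
build_domainadd() {
    list=$1; secret=$2; label=$3; primary=$4
    if [ "$(domain_free_slots "$list")" -eq 0 ]; then
        echo "no free domain slot: a partition supports at most three domains" >&2
        return 1
    fi
    if [ -z "$label" ] && domain_label_required "$list"; then
        echo "an existing domain is unlabeled: -domainlabel is mandatory" >&2
        return 1
    fi
    if [ -n "$label" ]; then
        if [ "${#label}" -lt 1 ] || [ "${#label}" -gt 32 ]; then
            echo "domain label must be 1 to 32 characters" >&2
            return 1
        fi
        # The label is not secret; the domain string is as sensitive as a password.
        if [ "$label" = "$secret" ]; then
            echo "label must not equal the domain secret" >&2
            return 1
        fi
    fi
    # Password-authenticated partitions pass the string with -domain; multifactor
    # quorum-authenticated partitions use -domainped and read the red iKey instead.
    if [ -n "$secret" ]; then
        cmd="partition domainadd -domain $secret"
    else
        cmd="partition domainadd -domainped"
    fi
    [ -n "$label" ] && cmd="$cmd -domainlabel $label"
    [ "$primary" = "primary" ] && cmd="$cmd -primary"
    printf '%s\n' "$cmd"
}

# Usage: reproduces the two PED examples above against the sample output.
build_domainadd "$SAMPLE_DOMAINLIST" "" "NewPEDDomain" ""
build_domainadd "$SAMPLE_DOMAINLIST" "" "" "" || echo "refused, as the HSM would refuse it"
```

Capture the real partition domainlist output into the first argument instead of the sample, and pass "primary" as the fourth argument when following the cross-firmware migration steps above, where the source partition's domain must become the target's primary.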