partition domainchangelabel

The partition domainchangelabel command changes the domain label of an existing domain.

Which domain is primary and how to change - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary, instead, using the partition domainadd and partition domainchangelabel commands, by invoking their -primary option.

A partition is initialized without a domain label (default to comply with pre-firmware-7.9.2), or optionally with a domain label (1 to 32 characters).

CAUTION! Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.

Where the domain label framework is in effect (Luna USB HSM 7 Firmware 7.9.2 and newer with Luna HSM Client 10.9.2 and newer):

>pre-firmware-7.9.2 partitions that are updated to Luna USB HSM 7 Firmware 7.9.2 or newer can have an existing domain that is unlabeled and

•can remain unlabeled with no consequence to your existing applications and processes

•can have a domain label applied with the partition domainchangelabel command

>new partitions created under Luna USB HSM 7 Firmware 7.9.2 can be initialized

•without a domain label for continuity with your existing applications and processes

•with a domain label that can remain as-is

•can have a label added or changed later with the partition domainchangelabel command

>new partitions created with Luna USB HSM 7 Firmware 7.9.2 or newer, can have up to two additional domains added (typed for password-authenticated, or imported from a red iKeyy for multifactor quorum-authenticated), and the partition domainchangelabel command can ensure that the labels are applied/adjusted

•to enforce that no two domain labels would be identical (which prevents adding of a new domain label)

•to identify for which other HSM partition each additional label was added (created or imported)

NOTE This extended domain management command requires minimum Luna HSM Client 10.9.2 and Luna USB HSM 7 Firmware 7.9.2 (command not visible for HSMs with prior firmware versions).

NOTE The partition domainchangelabel command is visible as soon as the partition is created.

You must be logged in as partition SO (po) to run this command, which implies that the partition must first be initialized.

This command does not require partition policy 44 to be set.

Primary domain - On pre-firmware 7.9.2 HSM partitions the single possible domain is effectively the primary domain. For firmware 7.9.2 or newer, partitions can have as many as three domains. Of the three possible, one domain is always primary, but the status of primary can be moved to another domain if needed. "Primary" in this context means "the one that is tried first". If there is no match for the primary domain on the source partition, the systems goes on to try for other matching domains.

[Summary]

When cloning from a partition of an HSM with a firmware version lower than 7.9.2 to a version 7.9.2 or higher with multiple domains, the primary domain is used.

[Explanation]

On firmware version 7.9.2-or-newer HSM partitions, the partition always has at least one domain, and can have as many as three, any of which can be a password-style text domain, or a multi-factor quorum type (iKey-secret domain. One of the three possible domains is designated primary, and is the first one looked at when a cloning/migration operation is attempted.

If a firmware version 7.9.2-or-newer target is already a member of the same domain as a pre-7.9.2 firmware source partition, and that domain is primary on the v7.9.2-or-newer partition, then cloning/migration can proceed straightaway.

If the target HSM partition is at firmware 7.9.2 or newer, then if its partition initially has a different domain from the source partition, the target partition can:

•use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support and

•make the domain that was obtained from the source become the primary domain on the target by using the -primary option when adding a domain with partition domainadd, and

•cloning/migration can proceed (includes backup, HA, etc.).

Syntax

partition domainchangelabel -oldlabel <label> -newlabel <label> -force

Argument(s)	Shortcut	Description
-force	-f	Change the domain label without asking for confirmation.
-newlabel <label>	-nl	The new label to assign to the domain.
-oldlabel <label>	-ol	The old label of the domain you wish to change.

Example - apply a domain label to a partition that was initialized without one

lunacm:>par init -label myPEDpar 

You are about to initialize the partition.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now ->proceed

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

        Number of supported domains 3
        Defined Domain
                Domain #1 without label. Defined as primary domain.

Command Result : No Error 

lunacm:> partition domainchangelabel

        The partition SO must be logged in.

Error in execution: command cancelled.

Command Result : 0xb (User Cancelled Operation)


lunacm:> role login -name po


        enter password: ********


Command Result : No Error

Now you can rename the first partition's domainlabel.


lunacm:>par domainchangelabel -nl PrimaryPED

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Domain not created
Domain Label[2]: Domain not created

Command Result : No Error

Example - change a password-authenticated domain label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPW
Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: MiddledPW
Domain Label[2]: NewPEDDomain

Command Result : No Error

Example - change a multifactor quorum-authenticated domain label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error

lunacm:>par domainchangelabel -nl MiddledPED

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: MiddledPED
Domain Label[2]: NewPEDDomain

Command Result : No Error

The action is the same as for a password-authenticated partition, no PED action is needed for a label change



	SUPPORT	LEGAL
Luna USB HSM 7 Documentation © Copyright 2001-2026, Thales Group Last Updated: 2026-05-06 12:10:59 GMT-05:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information