Managing HSM Partitions

A partition is a secure, independent, protected area in the HSM where sensitive attributes can be stored (for example, cryptographic keys, certificate strings, or access passwords). Each partition has its own data, access controls, security policies, and separate administration access. The HSM implements a form of firewall between all partitions.

At a minimum, a partition connects to a client machine. In practice, each partition can connect to one or more clients. Each partition is assigned to a Partition Owner who holds an iKey (Black PED Key) that controls access to the partition.

Important: The black iKey must be plugged into the PED device whenever the Partition Owner needs to authenticate through his or her PIN.

Each partition is set with the following:

  • A client password (password generated by the PED device and used by the client application to authenticate against the partition).

  • A black PED key (USB key holding the Partition Owner PIN).

There are two partition types:

  • Physical partitions are also known as standard partitions.

  • Virtual partitions, for High Availability (HA) mode. This partition type does not physically exist in the HSM. It is a partition type that is visible from the client, but it points to a group of physical partitions present in the HSM that comprises this HA group. For details, see About High Availability Mode.

As delivered, Thales SafeNet Network HSMs / Thales TCT Luna SA HSMs can support a number of partitions (1, 2, or more). Each partition can store a high number of data objects (certificates or key-pairs), the exact number depends on the memory configuration. For details, contact your Thales / Thales TCT representative.

Note: Partitions are created using the Thales / Thales TCT client software. They are not created by ActivID KMS.

This option displays information related to the licenses, especially partition licenses. Display the maximum number of partitions that are available in your HSM using the following command (this sample illustrates a two-partition maximum):

Copy 
[ade_luna_sa] lunash:>hsm displayLicenses
This option returns the HSM
HSM CAPABILITY LICENSES
License ID    Description
======     ===========
0, 9768e         K5Base
0, 9765f         ECC
0, 97660         KCDSA
0, 97656         Objects320
0, 97651         Performance1200
0, 97659         2 Partitions
0, 9768d         Offboard Storage KE
0, 9764d         FIPS3
Command Result:  0 (Success)

This operation completely clears up the HSM content. For example, existing partitions, keys, or any data that are recorded in the HSM are deleted.

During this procedure, a SafeNet iKey must be plugged into the PED device and assigned with a blue sticker. This iKey is owned by the HSM administrator. The HSM administrator is prompted to enter his PED key PIN directly on the PED device.

The HSM administrator may be prompted to create a red PED key called a Domain key. The Domain key contains the Key Domain Vector (shared across a group of HSMs) which is used to duplicate partitions in a clone HSM An exact copy of a Principal HSM. The keys stored in the Clone HSM are identical to those stored in the Principal HSM, allowing you to use multiple card issuance servers with the same card issuance master keys. Created with HSM manufacturer tools.. The initialization of the red PED key is optional for use in the ActivID KMS environment.

Note: In most cases, the HSM forces you to present a red key to be able to complete the HSM initialization process.

The following sample illustrates HSM initialization with a new label: ade_luna_sa. After performing the init operation, the administrator must login again.

Copy 
lunash:> hsm init -label ade_luna_sa
[ade_luna_sa] lunash:>hsm init -label ade_luna_sa
CAUTION:      Are you sure you wish to re-initialize this HSM? All partitions and data will be erased.
              Type 'proceed' to initialize the HSM, or 'quit' to quit now.
              > proceed
Luna PED operation required to initialize HSM - use gray and blue PED keys.
Luna PED operation required to login as HSM Administrator - use blue PED key.
Luna PED operation required to generate cloning domain - use red PED key.
'hsm init' successful.
Please wait while the HSM is reset to complete the initialization process.
Command Result: 0 (Success)

Use the following command to display the HSM policies:

Copy 
[ade_luna_sa] lunash:>hsm -showPolicies  
HSM Label:   ade_luna_sa 
Serial #:    950217 
Firmware:    4.6.1  
The following capabilities describe this HSM, and cannot be altered except using firmware or capability updates.
Description                              Value 
===========                   =====
Enable PIN-based authentication          Disallowed 
Enable PED-based authentication          Allowed
Performance level                        9 
Enable M of N                            Allowed 
Enable domestic mechanisms & key sizes   Allowed 
Enable masking                           Allowed 
Enable cloning                           Allowed 
Enable special cloning certificate       Disallowed 
Enable full (non-backup) functionality   Allowed 
Enable ECC mechanisms                    Allowed 
Enable non-FIPS algorithms               Allowed 
Enable MofN auto-activation              Allowed 
Enable SO reset of partition PIN         Allowed 
Enable network replication               Disallowed 
Enable Korean Algorithms                 Allowed 
FIPS evaluated                           Disallowed 
Manufacturing Token                      Disallowed 
Enable Remote Authentication             Allowed 
Enable forcing user PIN change           Allowed 
Enable offboard storage                  Allowed 
Enable partition groups                  Disallowed 
Enable non-FIPS accelerator mode         Disallowed  
The following policies are set due to current configuration of this HSM and cannot be altered directly by the user.
  Description                              Value 
===========                     ===== 
PED-based authentication                 True 
Require M of N                           False
The following policies describe the current configuration of this HSM and maybe changed by the HSM Administrator. Changing policies marked "destructive" will zeroize (erase completely) the entire HSM.
Description                              Value        Code      Destructive ===========                  =====     ====    =========== 
Allow masking                            On           6         Yes 
Allow cloning                            On           7         Yes 
Allow non-FIPS algorithms                On           12        Yes 
Allow M of N auto-activation             On           13        No 
SO can reset partition PIN               On           15        Yes 
Allow Remote Authentication              On           20        Yes 
Force user PIN change after set/reset    Off          21        No 
Allow offboard storage                   On           22        Yes  
Command Result: 0 (Success)
Note: The M of N mechanism enables the authentication of people who must present when the administrator logs in to the HSM. These people are assigned iKeys that are marked with a green sticker. An HSM administrator can set up a policy that forces the authentication of M people among a maximum number N to permit access to the HSM. Throughout this section, the M of N mechanism is not utilized.

This operation physically creates a partition in the HSM that is identified by a partition name. During this process, the user will be asked to plug in an iKey that is assigned to the partition owner. The user must put a black sticker on the iKey, and then enter a PIN code.

In return, the PED displays a password that must be written down (see the following sample). This password is used later by the client application to authenticate to the partition.

Copy 
[luna_sa1] lunash:>par cr -partition luna_sa1_part1
(Do not forget to save the password partition; for example: pTYF-45xG-pXbE-AHs4)
Please ensure that you have purchased licenses for at least this number of partitions:      1
If you have purchased licenses for at least this number of partitions then type 'proceed'; otherwise type 'quit':
> proceed
Proceeding...
Please ensure that you copy the password from the Luna PED and that you keep it in a safe place.
Luna PED operation required to create a partition - use black PED key.
'partition create' successful.
Command Result: 0 (Success)

This operation modifies policies 22 and 23 and allows for activation and auto-activation on partitions. These changes are needed for a HSM with PED. Partition Activation (Policy 22) enables a partition holder to authenticate once to the partition and not require the partition holder to leave his or her black PED key remaining connected to the PED device.

Auto-Activation consists of an automatic re-activation of the partition in cases where short power outages occur (the client application can reconnect and continue using the partition without re-asking the partition owner’s consent). Use the following sample as a guide:

Copy 
[luna_sa1] lunash:>partition changePolicy -partition luna_sa1_part1 -policy 22 -value 1
'partition changePolicy' successful.
Policy "Allow activation" is now set to: 1
[luna_sa1] lunash:>partition changePolicy -partition luna_sa1_part1 -policy 23 -value 1
'partition changePolicy' successful.
Policy "Allow auto-activation" is now set to: 1
Notice:  Auto activation parameters will be stored during next activation. It is recommended you activate this partition now.
Command Result: 0 (Success)

This operation allows any registered client application to activate and use the partition. The client application passes the password returned by the PED device at the time the partition was created. The black PED key from the partition owner is plugged into the PED which requires the partition owner to enter the PIN for the PED key (as shown in the following sample):

Copy 
[luna_sa1] lunash:>partition activate -partition luna_sa1_part1
Please enter the password for the partition: 
> *******************
pTYF-45xG-pXbE-AHs4
Luna PED operation required to activate partition - use black PED key.
'partition activate' successful
Command Result: 0 (Success)

This option can be enabled on each of the partitions. This mode may be used if the High Availability mode is configured. The High Availability (HA) mode of operation is described briefly in this section. For details, see About High Availability Mode. For information about HSM support for HA mode, please refer to Thales / Thales Trusted Cyber Technologies documentation.

You can change the password that is used by the client to authenticate to a partition. Use the following sample as a guide:

Copy 
[luna_sa1] lunash:>partition changePw -partition luna_sa1_part1 -newpw 12365478 -oldpw pTYF-45xG-pXbE-AHs4

There are other options that are not documented in this documentation that you can use to manage (or aid your understanding of) existing partitions in the HSM. For more information, refer to the Thales / Thales Trusted Cyber Technologies documentation for details. For example, to use the Delete Partition option, the Security Officer or HSM administrator must be logged into the HSM (using a PED blue key), in addition to the partition owner using a black PED.

This section explains how to record the client (ActivID CMS/KMS) on the DNS from the network server (using TestLuna as an example). The ActivID CMS server/KMS must be known by the DNS associated with TestLuna. Using the Microsoft Terminal Services Commands and its utility, run the following commands:

Copy 
mstsc.exe in C:\WINDOWS\system32, Connect to client (192.168.xxx.xxx), 
<username>, <password>
Note: mtsct.exe enables you to control a computer remotely from either the network or from the Internet, where client and its IP address 192.168.xxx.xxx correspond to the client system under control using this utility.

  1. Under Administrative Tools, click DNS, and then under TESTLUNA right-click testluna.testval.activecard.com and then click New Host (A). The New Host window is displayed.

  2. Name—Enter the name of the client machine.

  3. IP address—Enter the corresponding IP address using dotted decimal notation.

  4. Click Add Host.