hsm init

Initialize the HSM in the Luna Network HSM 7. Initialization assigns an HSM label, creates an HSM Security Officer (HSM SO), creates or associates a Cloning Domain (with authentication) for the HSM, and applies other settings that make the HSM available for use.

CAUTION!   Initializing the HSM erases all existing data, including application partitions and their contents. Partitions must then be recreated with the partition create command. Because this is a destructive command, you are asked to type "proceed" unless the -force switch is provided at the command line. If you invoke hsm init and then type quit at the prompt, initialization does not take place (you do not lose existing token/HSM contents), but any current login or activation state is closed whether you abort the command or not.

For more information, see Initializing the HSM.

User Privileges

Users with the following privileges can perform this command:

>Admin

Syntax

hsm init -label <hsm_label> [-domain <hsm_domain>] [-password <hsm_so_password>] [-applytemplate <filename>] [-defaultdomain] [-authtimeconfig] [-force]

Argument(s)    Shortcut    Description

-applytemplate <filename>    -ap

Apply an HSM policy template. This feature requires a minimum of Luna HSM Firmware 7.1.0 and Luna Appliance Software 7.1.0.

-authtimeconfig    -a

Specifies that the HSM SO role must be logged in to configure the time.

-defaultdomain    -de

This option is deprecated.

Current and future HSM versions do not allow you to omit the domain unless you include this option. The default domain is a fixed value rather than a secret that you choose, so relying on it is insecure and generally not recommended. The option is retained for the benefit of existing customers who previously set the default domain and must continue with it until they create new objects on an HSM with a properly named domain.

The -defaultdomain option applies to password-authenticated HSMs only.

For multifactor quorum-authenticated HSMs the PED always prompts for a physical PED key and either reuses the value on the key that you insert or generates a new value and imprints it on the PED key.

-domain <hsm_domain>    -do

Specifies the string to be used as the key cloning domain for the HSM. The HSM must support cloning, or this value is ignored. For password-authenticated HSMs this parameter is mandatory (unless the discouraged and deprecated -defaultdomain is specified); if no value is given, you are prompted for it interactively. For multifactor quorum-authenticated HSMs the -domain parameter is ignored, because the domain is held on the red PED key.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.

For password-authenticated HSMs, the domain string should match the complexity of the partition password. Treat it as a secret: the cloning domain is what allows objects to be cloned (backed up or replicated) between HSMs, so any HSM or backup device initialized with the same domain string can receive this HSM's keys.

-force    -f

Force the action without prompting.

-label <hsm_label>    -l

Specifies the label to assign to the HSM.

The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it is automatically truncated to 32 characters. Only alphanumeric characters and the underscore are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_

-password <hsm_so_password>    -p

Specifies the password to be used as the login credential by the HSM SO. This parameter is required for password-authenticated HSMs. For multifactor quorum-authenticated HSMs the HSM SO credential is held on the blue PED key presented to the Luna PED, and any value supplied here is ignored.

In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~

The following characters are invalid or problematic and must not be used in passwords: "&;<>\`|

Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.
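The character and length rules above are easy to get wrong by hand, and a rejected or silently truncated value costs a second destructive initialization. The following POSIX shell script is an added example for the administrator's workstation; it is not part of LunaSH or the Thales documentation. It checks a label, cloning domain and HSM SO password against exactly the rules listed in this table and prints the LunaSH command line for a password-authenticated HSM. The function names, the choice to reject rather than truncate an over-long label, and the omission of -force (so the operator still has to type "proceed" on the appliance) are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the LunaSH "hsm init" credentials, written against the
# character and length rules in the hsm init argument table. Added example for
# an admin workstation; not LunaSH code and not from the Thales documentation.
# Assumption: the HSM is password-authenticated, so -domain and -password are
# both required and must be double-quoted if they contain spaces.

# has_only <string> <complement-bracket-expression>
# Succeeds when no character of <string> matches the complement set.
# LC_ALL=C keeps the A-Z ranges byte-based regardless of the workstation locale,
# which also rejects any non-ASCII byte (the documented sets are ASCII only).
has_only() {
  ! printf '%s' "$1" | LC_ALL=C grep -q "$2"
}

# HSM label: 1-32 characters, alphanumeric and underscore only. The HSM would
# silently truncate a longer label; this check refuses it instead (example's
# own choice) so the name the operator records matches what the HSM stores.
valid_label() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
  has_only "$1" '[^A-Za-z0-9_]'
}

# Cloning domain: 1-128 characters, no leading space, allowed set taken from
# the -domain description. Everything outside that set, including the
# documented problem characters "&;<>\`|(), is therefore rejected.
valid_domain() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 128 ] || return 1
  case $1 in " "*) return 1 ;; esac
  has_only "$1" '[^]A-Za-z0-9 !@#$%^*_=+[{}/:'"'"',.~-]'
}

# HSM SO password: 8-255 characters; same set as the domain plus ( and ).
valid_password() {
  [ "${#1}" -ge 8 ] && [ "${#1}" -le 255 ] || return 1
  has_only "$1" '[^]A-Za-z0-9 !@#$%^*()_=+[{}/:'"'"',.~-]'
}

# hsm_init_cmd <label> <domain> <password>
# Prints the lunash command line, double-quoting the values that may contain
# spaces as the page instructs. Prints nothing and returns non-zero if any
# value fails validation, so a bad value never reaches the appliance.
# -force is deliberately omitted: the operator confirms with "proceed".
hsm_init_cmd() {
  valid_label "$1"    || { echo "hsm_init_cmd: invalid HSM label" >&2; return 1; }
  valid_domain "$2"   || { echo "hsm_init_cmd: invalid cloning domain" >&2; return 1; }
  valid_password "$3" || { echo "hsm_init_cmd: invalid HSM SO password" >&2; return 1; }
  printf 'hsm init -label %s -domain "%s" -password "%s"\n' "$1" "$2" "$3"
}

# Usage: hsm_init_cmd myluna "prod domain 1" "SOpass (2024)!"
```

The generated line is meant to be pasted into a lunash session (or passed to an ssh invocation of the appliance); because the validators reject every character the page lists as invalid, including the backslash and backtick, nothing in the output needs further escaping for LunaSH's double quotes.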

Example

Multifactor Quorum-authenticated HSMs

If the HSM has been factory reset, then a complete "hard" initialization is performed when you invoke the hsm init command.

lunash:> hsm init -label myluna 

CAUTION:  Are you sure you wish to re-initialize this HSM?
  All partitions and data will be erased.   Type 'proceed' to initialize the HSM, or 'quit' to quit now.
 > proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key
Luna PED operation required to generate cloning domain - use Domain (red) PED Key

'hsm init successful'

Command result : 0 (Success)

If the HSM is NOT in the factory reset condition when you invoke the hsm init command, a "soft" initialization is performed: the partitions and their contents are destroyed, but the HSM Security Officer (HSM Administrator) identity and the cloning domain are preserved. The HSM SO must be logged in to the HSM to run hsm init when the HSM is not in the factory reset condition.

lunash:> hsm init -label myluna

Warning: This HSM is not in the factory reset (zeroized) state.
You must present the current HSM Admin login credentials to clear the HSM contents.

CAUTION:  Are you sure you wish to re-initialize this HSM?
  All partitions and data will be erased.   Type 'proceed' to initialize the HSM, or 'quit' to quit now.
 > proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key

'hsm init successful'

Command result : 0 (Success)