partition domainadd

Add a cloning domain to the partition. Partitions are assigned their original/own domain when initialized, and in that default state can perform cloning/HA operations only with other partitions sharing that single domain.

Which domain is primary and how to change - All partitions, after initialization, have the current or original security/cloning domain marked as the primary, the domain that is chosen by default for cloning. For a partition with more than one domain, either of the others can be designated as primary, instead, using the partition domainadd and partition domainchangelabel commands, by invoking their -primary option.

The partition domainadd command is meant to add a domain so that the partition can clone objects with partitions that have the new/added domain, as well as with partitions that have the same domain as originally assigned to the current partition during initialization.

>A maximum of two additional domains can be added to the original partition domain; they can be either password-authenticated or multifactor quorum-authenticated.

•If you are adding a text domain for some other password-authenticated partition, then

–do include the -domain option with the domain string from that other partition and

–do not include the -domainped option).

•If you are adding a domain PED key secret for some other multifactor quorum-authenticated partition, then

–do not include the -domain option, and

–do include the -domainped option causing the HSM to look for a connected PED with red PED key, to retrieve that key's content as the domain to add to the current partition.

>If you have more than one domain in your partition, the system assumes that you want to be able to tell them apart, so include the -domainlabel option each time you add a domain (the label is a string between 1 and 32 characters).

>The -domainlabel is added as an option with Luna HSM Firmware 7.8.0. Pre-existing partitions (created prior to firmware 7.8.0) can continue to have no label for continuity of established procedures and processes. However if you create or import a domain, the system ensures that no two can have the same label.

• a label is necessary when adding a domain if an existing domain is not labeled.

CAUTION!   Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.

>Use partition domainchangelabel to change label for a domain,

•including applying a label to a domain that did not already have one.

 

Primary domain - On pre-firmware 7.8.0 HSM partitions the single possible domain is effectively the primary domain. For firmware 7.8.0 and newer, partitions can have as many as three domains. Of the three possible, one domain is always primary, but the status of primary can be moved to another domain if needed. "Primary" in this context means "the one that is tried first". If there is no match for the primary domain on the source partition, the systems goes on to try for other matching domains.

[Summary]

When cloning from a partition of an HSM with firmware version lower than 7.8.0 to a version 7.8.0 or higher with multiple domains, the primary domain is used.

[Explanation]

On firmware version 7.8.0-or-newer HSM partitions, the partition always has at least one domain, and can have as many as three, any of which can be a password-style text domain, or a multi-factor quorum type (PED key-secret domain. One of the three possible domains is designated primary, and is the first one looked at when a cloning/migration operation is attempted.

If a firmware version 7.8.0-or-newer target is already a member of the same domain as a pre-7.8.0 firmware source partition, and that domain is primary on the v7.8.0-or-newer partition, then cloning/migration can proceed straightaway.

If the target HSM partition is at firmware 7.8.0 or newer, then if its partition initially has a different domain from the source partition, the target partition can:

•use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support and

•make the domain that was obtained from the source become the primary domain on the target by using the -primary option when adding a domain with partition domainadd, and

•cloning/migration can proceed (includes backup, HA, etc.).

Syntax

partition domainadd {-domain <string> | [-domainped} [-domainlabel <string>] [-primary]

Argument(s)	Shortcut	Description
-domain <domain>	-d	Partition domain string for password-authenticated partitions. If this is omitted, then a connected PED with a domain on a PED key is expected.
-domainlabel <label>	-dl	Partition domain label - to distinguish among domains when a partition has more than one, and to match with domains on other partitions.
-domainped	-dped	Partition domain from a PED key.
-primary	-p	Mark this domain as primary (always used for the older cloning protocols, prior to CPv4)

Example with password authentication

lunacm:> partition domainadd -domain seconddomain -domainlabel brotherdaryl

 Command Result : No Error      

Example with multifactor quorum authentication

lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error 

Example - add an unlabeled domain while existing domain does not have a label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped 

Please attend to the PED.

Error in execution: CKR_DATA_INVALID.

Command Result : 0x20 (CKR_DATA_INVALID)

lunacm:>

That attempt failed because it would have resulted in two domains with the same label "Label not set".

Example - add a third domain while second does not have a label

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error>

This attempt succeeds because the proposed -domainlabel is different from the two existing labels "PrimaryPED" and "Label not set".

Example - add a PED-authentication domain to a partition on a Password-authenticated HSM

 

lunacm:>audit config get

Current Logging Configuration
-----------------------------
event mask : Log failure+success+access+manage+keymanage
rotation interval : infinite
rotation size : never (2097151 KB max file size)
path to log : /root/logging

Command Result : No Error

lunacm:>audit config e f,s,a,m

Command Result : No Error

lunacm:>audit config get

Current Logging Configuration
-----------------------------
event mask : Log failure+success+access+manage
rotation interval : infinite
rotation size : never (2097151 KB max file size)
path to log : /root/logging

Command Result : No Error

Now do a partition clone in or out with any CPV4 cipher enabled (CPV=0, CPV3 disabled)

lunacm:>par clone -o 0 -slot 27 -p userpinco

Logging in to target slot 27

Checking if objects already exist on target slot 27.

Cloning the objects.
Handle 294 on slot 26 is now handle 70 on slot 27
Handle 293 on slot 26 is now handle 75 on slot 27
Handle 290 on slot 26 is now handle 76 on slot 27
Handle 289 on slot 26 is now handle 79 on slot 27
Handle 286 on slot 26 is now handle 101 on slot 27
Handle 285 on slot 26 is now handle 104 on slot 27
Handle 282 on slot 26 is now handle 105 on slot 27
Handle 281 on slot 26 is now handle 313 on slot 27
Handle 278 on slot 26 is now handle 314 on slot 27
Handle 277 on slot 26 is now handle 317 on slot 27
Handle 274 on slot 26 is now handle 318 on slot 27
Handle 273 on slot 26 is now handle 321 on slot 27
Handle 270 on slot 26 is now handle 322 on slot 27
Handle 269 on slot 26 is now handle 325 on slot 27
Handle 266 on slot 26 is now handle 326 on slot 27
Handle 265 on slot 26 is now handle 329 on slot 27
Handle 262 on slot 26 is now handle 330 on slot 27
Handle 261 on slot 26 is now handle 333 on slot 27
Handle 258 on slot 26 is now handle 334 on slot 27
Handle 257 on slot 26 is now handle 337 on slot 27
Handle 254 on slot 26 is now handle 338 on slot 27
Handle 253 on slot 26 is now handle 341 on slot 27
Handle 250 on slot 26 is now handle 342 on slot 27
Handle 249 on slot 26 is now handle 345 on slot 27
Handle 246 on slot 26 is now handle 346 on slot 27
Handle 245 on slot 26 is now handle 349 on slot 27
Handle 242 on slot 26 is now handle 350 on slot 27
Handle 241 on slot 26 is now handle 353 on slot 27
Handle 238 on slot 26 is now handle 354 on slot 27
Handle 237 on slot 26 is now handle 357 on slot 27
Handle 234 on slot 26 is now handle 358 on slot 27
Handle 233 on slot 26 is now handle 361 on slot 27
Handle 230 on slot 26 is now handle 362 on slot 27
Handle 229 on slot 26 is now handle 365 on slot 27
Handle 226 on slot 26 is now handle 366 on slot 27
Handle 225 on slot 26 is now handle 369 on slot 27
Handle 222 on slot 26 is now handle 370 on slot 27
Handle 221 on slot 26 is now handle 373 on slot 27
Handle 218 on slot 26 is now handle 374 on slot 27
Handle 217 on slot 26 is now handle 377 on slot 27
Handle 214 on slot 26 is now handle 378 on slot 27
Handle 213 on slot 26 is now handle 381 on slot 27
Handle 210 on slot 26 is now handle 382 on slot 27
Handle 209 on slot 26 is now handle 385 on slot 27
Handle 206 on slot 26 is now handle 386 on slot 27
Handle 205 on slot 26 is now handle 389 on slot 27
Handle 202 on slot 26 is now handle 390 on slot 27
Handle 201 on slot 26 is now handle 393 on slot 27
Handle 198 on slot 26 is now handle 394 on slot 27
Handle 197 on slot 26 is now handle 397 on slot 27
Handle 194 on slot 26 is now handle 398 on slot 27
Handle 193 on slot 26 is now handle 401 on slot 27
Handle 190 on slot 26 is now handle 402 on slot 27
Handle 189 on slot 26 is now handle 405 on slot 27
Handle 186 on slot 26 is now handle 406 on slot 27
Handle 185 on slot 26 is now handle 409 on slot 27
Handle 182 on slot 26 is now handle 410 on slot 27
Handle 181 on slot 26 is now handle 413 on slot 27
Handle 178 on slot 26 is now handle 414 on slot 27
Handle 177 on slot 26 is now handle 417 on slot 27
Handle 174 on slot 26 is now handle 418 on slot 27
Handle 173 on slot 26 is now handle 421 on slot 27
Handle 170 on slot 26 is now handle 422 on slot 27
Handle 169 on slot 26 is now handle 425 on slot 27
Handle 166 on slot 26 is now handle 426 on slot 27
Handle 165 on slot 26 is now handle 429 on slot 27
Handle 162 on slot 26 is now handle 430 on slot 27
Handle 161 on slot 26 is now handle 433 on slot 27
Handle 158 on slot 26 is now handle 434 on slot 27
Handle 157 on slot 26 is now handle 437 on slot 27
Handle 154 on slot 26 is now handle 438 on slot 27
Handle 153 on slot 26 is now handle 441 on slot 27
Handle 150 on slot 26 is now handle 442 on slot 27
Handle 149 on slot 26 is now handle 445 on slot 27
Handle 146 on slot 26 is now handle 446 on slot 27
Handle 145 on slot 26 is now handle 449 on slot 27
Handle 142 on slot 26 is now handle 450 on slot 27
Handle 141 on slot 26 is now handle 453 on slot 27
Handle 138 on slot 26 is now handle 454 on slot 27
Handle 137 on slot 26 is now handle 457 on slot 27
Handle 134 on slot 26 is now handle 458 on slot 27
Handle 133 on slot 26 is now handle 461 on slot 27
Handle 130 on slot 26 is now handle 462 on slot 27
Handle 129 on slot 26 is now handle 465 on slot 27
Handle 126 on slot 26 is now handle 466 on slot 27
Handle 125 on slot 26 is now handle 469 on slot 27
Handle 122 on slot 26 is now handle 470 on slot 27
Handle 121 on slot 26 is now handle 473 on slot 27
Handle 118 on slot 26 is now handle 474 on slot 27
Handle 117 on slot 26 is now handle 477 on slot 27
Handle 114 on slot 26 is now handle 478 on slot 27
Handle 113 on slot 26 is now handle 481 on slot 27
Handle 110 on slot 26 is now handle 482 on slot 27
Handle 109 on slot 26 is now handle 485 on slot 27
Handle 97 on slot 26 is now handle 486 on slot 27
Handle 85 on slot 26 is now handle 489 on slot 27
Handle 94 on slot 26 is now handle 490 on slot 27
Handle 93 on slot 26 is now handle 493 on slot 27
Handle 89 on slot 26 is now handle 494 on slot 27
Handle 86 on slot 26 is now handle 497 on slot 27

Migrated 100 objects

Command Result : No Error

lunacm:>

scroll back through the last hundred or so lines of Secure Log output- you'll see no mention of migration or insert/extract commands

9925517,22/01/14 20:38:13,S/N 18373207469733 session 5 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 5 ,60DABCE85788BEDFD0C7857D4330034EEDD747DB706547472E6DE707EB986940,8D7397408260240035DFE161000000009B24F87F487D51EBA52E81D8B51000000500000000000000000000000000000000000000
9925518,22/01/14 20:38:13,S/N 18373207469733 session 5 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 5 ,50AEBF8088ADF075AE9455A5112F3AACA09AB5E1CCE1D412D8BF357D31C1B87C,8E7397400260260035DFE161000000009B24F87F487D51EBA52E81D8B51000000500000000000000000000000000000000000000
9925519,22/01/14 20:38:23,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 5 ,49CD7DFC8D0B287E2AA3489D7E187379253AA4D68B82388DC8955810A995DC3B,8F739740826024003FDFE161000000009B24F87F487D51EBA42E81D8B51000000500000000000000000000000000000000000000
9925520,22/01/14 20:38:23,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=6 ,D9659DCEECFCD6052879937A937E4B3A92074E03A823CC93889F191FC66E0655,9073974002600D003FDFE161000000009B24F87F487D51EBA42E81D8B51000000500000006000000070000000000000000000000
9925521,22/01/14 20:39:38,S/N 18373207469732 session 6 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 6 ,4C4F730BB22262F55140F142EB27670F64D3B9393722CE278A95FA6FC3DE1816,91739740826024008ADFE161000000009B24F87F487D51EBA42E81D8B51000000600000000000000000000000000000000000000
9925522,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 7 ,FFB17D3BCFDE980AC91EBB09D62FD415A3341BB9A1211023B0FF4570F0030AA9,92739740826024008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925523,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=63 ,DAC77E99B544B1F9A475106F90B456AB3A1829C1C356AE7B94A7B4E0A346437B,9373974002600D008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000070000000000000000000000
9925524,22/01/14 20:39:38,S/N 18373207469732 session 6 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 6 ,1586983CA033CF8C8AB9A8E638ED971021D1D4B991945F9BB10E59FF15BCF8B2,94739740026026008ADFE161000000009B24F87F487D51EBA42E81D8B51000000600000000000000000000000000000000000000
9925525,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGOUT returned RC_OK(0x00000000) roleID=0 container=63 ,A961ED9AAC4011288D8D9BDB4595FF67C28DF64D7B7D883C0003D523F526E43F,9573974002600E008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000000000000000000000000000
9925526,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 7 ,0284B1730007D473C9FC37DA8221F636592E0B35B351FF5D4E5C16D87F9DE1F4,96739740026026008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925527,22/01/14 20:40:18,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 5 ,8212A73324B5EEC5E2AA7DA2BBBE04F17A5E7F0D0F978B34BB7298A5B4EA0F66,9773974002602600B2DFE161000000009B24F87F487D51EBA42E81D8B51000000500000000000000000000000000000000000000