partition domainadd
Add a cloning domain to the partition. Partitions are assigned their original/own domain when initialized, and in that default state can perform cloning/HA operations only with other partitions sharing that single domain.
Which domain is primary, and how to change it - After initialization, every partition has its current/original security (cloning) domain marked as primary, the domain that is tried by default for cloning. For a partition with more than one domain, either of the others can be designated primary instead, using the -primary option of the partition domainadd or partition domainchangelabel command.
The partition domainadd command is meant to add a domain so that the partition can clone objects with partitions that have the new/added domain, as well as with partitions that have the same domain as originally assigned to the current partition during initialization.
• A maximum of two additional domains can be added to the original partition domain; they can be either password-authenticated or multifactor quorum-authenticated.
  • If you are adding a text domain for some other password-authenticated partition, then
    – do include the -domain option with the domain string from that other partition, and
    – do not include the -domainped option.
  • If you are adding a domain PED key secret for some other multifactor quorum-authenticated partition, then
    – do not include the -domain option, and
    – do include the -domainped option, which causes the HSM to look for a connected PED with a red PED key and retrieve that key's content as the domain to add to the current partition.
• If you have more than one domain in your partition, the system assumes that you want to be able to tell them apart, so include the -domainlabel option each time you add a domain (the label is a string between 1 and 32 characters).
• The -domainlabel option was added with Luna HSM Firmware 7.8.0. Pre-existing partitions (created prior to firmware 7.8.0) can continue to have no label, for continuity of established procedures and processes. However, if you create or import a domain, the system ensures that no two domains can have the same label.
  • A label is necessary when adding a domain if an existing domain is not labeled.
CAUTION! Domain secret strings for password-authenticated HSMs and Luna Cloud HSMs are used to generate the secret key for cloning, and are as cryptographically sensitive as a user password. The domain label associated with a domain string is not sensitive, and is used only to distinguish the domain from others assigned to the same partition. Never use the same string for the domain label and for the domain secret.
• Use partition domainchangelabel to change the label for a domain,
  • including applying a label to a domain that did not already have one.
Primary domain - On pre-firmware 7.8.0 HSM partitions, the single possible domain is effectively the primary domain. For firmware 7.8.0 and newer, partitions can have as many as three domains. Of the three possible, one domain is always primary, but primary status can be moved to another domain if needed. "Primary" in this context means "the one that is tried first". If there is no match for the primary domain on the source partition, the system goes on to try the other domains for a match.
[Summary]
When cloning from a partition of an HSM with firmware version lower than 7.8.0 to a version 7.8.0 or higher with multiple domains, the primary domain is used.
[Explanation]
On firmware version 7.8.0-or-newer HSM partitions, the partition always has at least one domain and can have as many as three, any of which can be a password-style text domain or a multifactor quorum type (PED key secret) domain. One of the three possible domains is designated primary, and is the first one tried when a cloning/migration operation is attempted.
If a firmware version 7.8.0-or-newer target is already a member of the same domain as a pre-7.8.0 firmware source partition, and that domain is primary on the v7.8.0-or-newer partition, then cloning/migration can proceed straightaway.
If the target HSM partition is at firmware 7.8.0 or newer, and initially has a different domain from the source partition, the target partition can:
• use Extended Domain Management to add the source partition's domain as one of the three domains that the target can support, and
• make the domain obtained from the source the primary domain on the target, by using the -primary option when adding the domain with partition domainadd; then
• cloning/migration can proceed (this includes backup, HA, etc.).
NOTE This extended domain management command requires minimum Luna HSM Client 10.5.0 and Luna HSM Firmware 7.8.0 (command not visible for HSMs with prior firmware versions).
Partition PO role login is required to create or change a domain (after the first domain, which is created by partition initialization). This command requires that partition policy 44: Allow Extended Domain Management is set to ON.
Syntax
partition domainadd {-domain <string> | -domainped} [-domainlabel <string>] [-primary]
Argument(s) | Shortcut | Description
---|---|---
-domain <domain> | -d | Partition domain string for password-authenticated partitions. If this is omitted, then a connected PED with a domain on a PED key is expected.
-domainlabel <label> | -dl | Partition domain label, to distinguish among domains when a partition has more than one, and to match with domains on other partitions.
-domainped | -dped | Partition domain from a PED key.
-primary | -p | Mark this domain as primary (always used for the older cloning protocols, prior to CPv4).
Example with password authentication
lunacm:> partition domainadd -domain seconddomain -domainlabel brotherdaryl

Command Result : No Error
Example with multifactor quorum authentication
lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error
Example - add an unlabeled domain while existing domain does not have a label
lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped

Please attend to the PED.

Error in execution: CKR_DATA_INVALID.

Command Result : 0x20 (CKR_DATA_INVALID)

lunacm:>
That attempt failed because it would have resulted in two domains with the same label "Label not set".
Example - add a third domain while second does not have a label
lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: Domain not created

Command Result : No Error

lunacm:>par domainadd -domainped -domainlabel NewPEDDomain

Please attend to the PED.

Command Result : No Error

lunacm:>par domainlist

Domain List
Domain Label[0]: PrimaryPED - primary KCV
Domain Label[1]: Label not set
Domain Label[2]: NewPEDDomain

Command Result : No Error
This attempt succeeds because the proposed -domainlabel is different from the two existing labels "PrimaryPED" and "Label not set".
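The rules behind the examples above (at most two added domains, unique labels with an unlabeled domain counting as "Label not set", the primary domain tried first, and primary-only matching for the older pre-CPv4 cloning protocols) as a small Python model. This is an added example, not Thales code: the secrets and labels are constructed, the status strings other than CKR_DATA_INVALID and No Error are assumptions, and the domain-matching logic is a simplification of what the HSM does.

```python
# Added example (not Thales code): a model of the domain rules this page describes,
# so the label-collision and primary-domain behaviour can be reasoned about offline.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DOMAINS = 3              # the original domain plus at most two added ones
UNLABELED = "Label not set"  # how lunacm displays a domain that has no label


@dataclass
class Domain:
    secret: str                   # password-style string or PED key secret (constructed values)
    label: Optional[str] = None   # 1..32 characters; None for an unlabeled (pre-7.8.0 style) domain


@dataclass
class Partition:
    domains: List[Domain] = field(default_factory=list)
    primary: int = 0              # index of the primary domain; the original domain by default

    def labels(self) -> List[str]:
        return [d.label or UNLABELED for d in self.domains]

    def domain_add(self, secret: str, label: Optional[str] = None,
                   primary: bool = False) -> Tuple[bool, str]:
        """Mirror the checks behind partition domainadd; return (ok, status)."""
        if len(self.domains) >= MAX_DOMAINS:
            return False, "too many domains"          # limit from the page; message is constructed
        if label is not None and not 1 <= len(label) <= 32:
            return False, "label must be 1..32 characters"
        if label == secret:
            return False, "label must not equal the domain secret"   # the CAUTION on this page
        if (label or UNLABELED) in self.labels():
            return False, "CKR_DATA_INVALID"  # duplicate label, including a second unlabeled domain
        self.domains.append(Domain(secret, label))
        if primary:
            self.primary = len(self.domains) - 1
        return True, "No Error"

    def clone_domain(self, target: "Partition", cpv4: bool = True) -> Optional[str]:
        """Secret a clone to `target` would use, or None if no domain matches.

        The primary is tried first, then the others; pre-CPv4 protocols
        compare only the two partitions' primary domains (assumed model)."""
        ours = [self.domains[self.primary]] + [d for i, d in enumerate(self.domains)
                                               if i != self.primary]
        theirs = [target.domains[target.primary]] + target.domains
        if not cpv4:
            ours, theirs = ours[:1], theirs[:1]
        for d in ours:
            if d.secret in {t.secret for t in theirs}:
                return d.secret
        return None
```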
Example - add a PED-authentication domain to a partition on a Password-authenticated HSM
lunacm:>audit config get

Current Logging Configuration
-----------------------------
event mask        : Log failure+success+access+manage+keymanage
rotation interval : infinite
rotation size     : never (2097151 KB max file size)
path to log       : /root/logging

Command Result : No Error

lunacm:>audit config e f,s,a,m

Command Result : No Error

lunacm:>audit config get

Current Logging Configuration
-----------------------------
event mask        : Log failure+success+access+manage
rotation interval : infinite
rotation size     : never (2097151 KB max file size)
path to log       : /root/logging

Command Result : No Error

Now do a partition clone in or out with any CPV4 cipher enabled (CPV=0, CPV3 disabled)

lunacm:>par clone -o 0 -slot 27 -p userpinco

Logging in to target slot 27
Checking if objects already exist on target slot 27.
Cloning the objects.
[... 100 "Handle <n> on slot 26 is now handle <m> on slot 27" mapping lines omitted ...]
Migrated 100 objects

Command Result : No Error

lunacm:>

Scroll back through the last hundred or so lines of Secure Log output; you'll see no mention of migration or insert/extract commands.

[Secure Log records omitted: only LUNA_OPEN_SESSION, LUNA_CLOSE_SESSION, LUNA_LOGIN and LUNA_LOGOUT entries for the two serial numbers appear, each with its hash fields.]