Skip to main content
To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM. Choose one of the following methods to create an application partition:

Excrypt Manager

Perform the following steps to create an application partition by using Excrypt Manager:
1
Go to the Application Partitions menu and select [ Add ].
2
In the Basic Information tab, configure all of the fields as follows:
OptionRequired configuration
Role NameSpecify any name that you would like for this new application partition.
Logins Required Set to 1
If the HSM is in FIPS mode, you must set Logins Required to 2.
PortsSet to Prod.
Connection SourcesSet to Ethernet.
Managed RolesLeave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to.
Use Dual FactorSet to Never.
Upgrade PermissionsLeave unchecked.
3
In the Permissions tab, select the following key permissions:
PermissionDescription
KeysTop-level permission
AuthorizedAllows for keys that require login
Import PKI Allows trusting an external PKI. Generally not recommended, but some applications use this option for PKI symmetric key wrapping.
No Usage Wrap Enables interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.
4
In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.
5
To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:PKCS #11 communication commands:
CommandDescription
ECHOCommunication Test/Retrieve Version
HASHRetrieve device serial
GPKMRetrieve key table information
GPKRGeneral-purpose key settings get (read-only)
GPKSGeneral-purpose key settings get/change
TIMESet Time
Key operations commands:
CommandDescription
GRSAGenerate RSA Private and Public Key
LRSALoad key into RSA Key Table
GPSRGeneral-purpose RSA Operations
Signing command:
CommandDescription
GPSVGeneral purpose data sign and verify

FXCLI

Perform the following steps to create an application partition by using FXCLI:
1
Run the following role FXCLI commands to create the new application partition and enable all needed functions:
FXCLI
  role add --name Role_Name --application --key-range (0,999) --perm "Keys:Authorized" --perm "Keys:Import PKI" --perm "Keys:No Usage Wrap"
FXCLI
  role modify --name [role_name] --add-perm Excrypt:ECHO --add-perm Excrypt:HASH --add-perm Excrypt:GPKM --add-perm Excrypt:GPKS --add-perm Excrypt:GPKR --add-perm Excrypt:TIME --add-perm Excrypt:LRSA --add-perm Excrypt:GRSA --add-perm Excrypt:GPSR --add-perm Excrypt:GPSV