Configure a transaction processing connection and create an application partition

2min
﻿
Create an application partition
To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM. 
Choose one of the following methods to create an application partition:
Excrypt Manager
FXCLI
1
Go to the Application Partitions menu and select [ Add ].
2
In the Basic Information tab, configure all of the fields as follows:
Option
Required configuration
﻿
Role Name
Specify any name that you would like for this new application partition.
﻿
Logins Required 
Set to 1
If the HSM is in FIPS mode, you must set Logins Required to 2.
﻿
Ports
Set to Prod.
﻿
Connection Sources
Set to Ethernet.
﻿
Managed Roles
Leave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to.
﻿
Use Dual Factor
Set to Never.
﻿
Upgrade Permissions
Leave unchecked.
﻿
3
In the Permissions tab, select the following key permissions:
Permission
Description
﻿
Keys
Top-level permission
﻿
Authorized
Allows for keys that require login
﻿
Import PKI 
Allows trusting an external PKI. Generally not recommended, but some applications use this option for PKI symmetric key wrapping.
﻿
No Usage Wrap 
Enables interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys.
﻿
4
In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.
5
To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:
PKCS #11 communication commands:
Command
Description
﻿
ECHO
Communication Test/Retrieve Version
﻿
HASH
Retrieve device serial
﻿
GPKM
Retrieve key table information
﻿
GPKR
General-purpose key settings get (read-only)
﻿
GPKS
General-purpose key settings get/change
﻿
RAND
Generate random data
﻿
TIME
Set Time
﻿
Key operations commands:
Command
Description
﻿
GPCA
General-purpose add certificate to key table
﻿
GPKD
General-purpose key slot delete/clear
﻿
GRSA
Generate RSA Private and Public Key
﻿
LRSA
Load key into RSA Key Table
﻿
Data encryption commands:
Command
Description
﻿
GPSR
General-purpose RSA encrypt/decrypt or sign/verify with recovery
﻿
1
Run the following role FXCLI commands to create the new application partition and enable all needed functions:
FXCLI
role add -–name Role_Name -–application -–key-range (0,999) -–perm "Keys:Authorized" -–perm "Keys:Import PKI" –-perm "Keys:No Usage Wrap"
role add -–name Role_Name -–application -–key-range (0,999) -–perm "Keys:Authorized" -–perm "Keys:Import PKI" –-perm "Keys:No Usage Wrap"
﻿
FXCLI
role modify --name [role_name] --add-perm Excrypt:ECHO --add-perm Excrypt:HASH --add-perm Excrypt:GPKM --add-perm Excrypt:GPKR --add-perm Excrypt:GPKS --add-perm Excrypt:GPCA --add-perm Excrypt:GPKD --add-perm Excrypt:GRSA --add-perm Excrypt:LRSA –-add-perm Excrypt:GPSR –-add-perm Excrypt:RAND –-add-perm Excrypt:TIME
role modify --name [role_name] --add-perm Excrypt:ECHO --add-perm Excrypt:HASH --add-perm Excrypt:GPKM --add-perm Excrypt:GPKR --add-perm Excrypt:GPKS --add-perm Excrypt:GPCA --add-perm Excrypt:GPKD --add-perm Excrypt:GRSA --add-perm Excrypt:LRSA –-add-perm Excrypt:GPSR –-add-perm Excrypt:RAND –-add-perm Excrypt:TIME
﻿
﻿
﻿
Load major keys
Create a new identity and associate it with the new application partition