Certificate management
Configure the Vectera Plus
Create an application partition for Venafi Control Plane
To segregate applications on the HSM, you must create an application partition specifically for your use case. Application partitions segment the permissions and keys between applications on an HSM.

Choose one of the following methods to create an application partition.

Excrypt Manager

Go to the Application Partitions menu and select Add.

In the Basic Information tab, configure all of the fields as follows:

| Option | Required configuration |
| --- | --- |
| Role Name | Specify any name that you would like for this new application partition. |
| Logins Required | Set to 1. If the HSM is in FIPS mode, you must set Logins Required to 2. |
| Ports | Set to Prod. |
| Connection Sources | Set to Ethernet. |
| Managed Roles | Leave blank, because you specify the exact permissions, key slots, and commands that this application partition (role) has access to. |
| Use Dual Factor | Set to Never. |
| Upgrade Permissions | Leave unchecked. |

In the Permissions tab, select the following key permissions:

| Permission | Description |
| --- | --- |
| Keys | Top-level permission. |
| Authorized | Allows for keys that require login. |
| Import PKI | Allows trusting an external PKI. Generally not recommended, but some applications use this. Enable for PKI symmetric key wrapping. |
| No Usage Wrap | Allows for interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys. |

In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.

To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands.

PKCS #11 communication commands

| Command | Description |
| --- | --- |
| ECHO | Communication test / retrieve version |
| PRMD | Retrieve HSM restrictions |
| RAND | Generate random data |
| HASH | Retrieve device serial |
| GPKM | Retrieve key table information |
| GPKR | General purpose key settings get (read only) |
| GPKS | General purpose key settings get/change |
| TIME | Get/set the HSM internal clock |

Key operations commands

| Command | Description |
| --- | --- |
| ASYL | Load asymmetric key into key table |
| GECC | Generate an ECC key pair |
| GPGS | General purpose generate symmetric key |
| GRSA | Generate RSA private and public key |
| LRSA | Load key into RSA key table |
| RSAC | General purpose convert clear DER-encoded RSA key to major key cryptogram |

Interoperable key wrapping commands

| Command | Description |
| --- | --- |
| GPKW | General purpose key wrap (unrestricted) |
| GPWB | General purpose key wrap with key strength bypass |

Data encryption commands

| Command | Description |
| --- | --- |
| GPSD | General purpose symmetric decrypt |
| GPSE | General purpose symmetric encrypt |

Signing commands

| Command | Description |
| --- | --- |
| ASYS | Generate a signature using a PKI private key |
| GPSV | General purpose data sign and verify |

FXCLI

Run the following role FXCLI commands to create the new application partition and enable all necessary functions:

```
fxcli role add --name [role name] --application --key-range (0,999) --perm "Keys:Authorized" --perm "Keys:Import PKI" --perm "Keys:No Usage Wrap"
fxcli role modify --name [role name] --add-perm Excrypt:ECHO --add-perm Excrypt:PRMD --add-perm Excrypt:RAND --add-perm Excrypt:HASH --add-perm Excrypt:GPKM --add-perm Excrypt:GPKR --add-perm Excrypt:GPKS --add-perm Excrypt:TIME --add-perm Excrypt:ASYL --add-perm Excrypt:GECC --add-perm Excrypt:GPGS --add-perm Excrypt:GRSA --add-perm Excrypt:LRSA --add-perm Excrypt:RSAC --add-perm Excrypt:GPKW --add-perm Excrypt:GPWB --add-perm Excrypt:GPSD --add-perm Excrypt:GPSE --add-perm Excrypt:ASYS --add-perm Excrypt:GPSV
```
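The key-slot guidance above (a range of 1000 slots that does not collide with any other application partition) is easy to get wrong when partitions are created by hand. The following POSIX shell script is an added example, not part of the Futurex or Venafi documentation: it checks a proposed range against the ranges already assigned to other partitions, then prints the `fxcli role add` and `fxcli role modify` commands from this section as a dry run instead of executing them. The existing ranges in `EXISTING_RANGES` are constructed sample data; the role name `venafi_control_plane` is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the Futurex/Venafi guide): validate a key-slot range for a new
# application partition and emit the fxcli commands as a dry run.

# Constructed sample: "start,end" slot ranges already used by other partitions on this HSM.
EXISTING_RANGES="0,999 1000,1999"

# Excrypt commands this section enables for Venafi Control Plane, in the section's order.
EXCRYPT_COMMANDS="ECHO PRMD RAND HASH GPKM GPKR GPKS TIME ASYL GECC GPGS GRSA LRSA RSAC GPKW GPWB GPSD GPSE ASYS GPSV"

# ranges_overlap A_START A_END B_START B_END -> exit 0 if the two inclusive ranges share a slot
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# range_size START END -> prints the number of slots in the inclusive range
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# range_is_free START END -> exit 0 if no existing partition range overlaps the proposal
range_is_free() {
    for r in $EXISTING_RANGES; do
        if ranges_overlap "$1" "$2" "${r%,*}" "${r#*,}"; then
            return 1
        fi
    done
    return 0
}

# build_role_commands ROLE START END -> prints the two fxcli invocations without running them.
# The key range is quoted so the parentheses survive if the line is later pasted into a shell.
build_role_commands() {
    printf 'fxcli role add --name %s --application --key-range "(%s,%s)"' "$1" "$2" "$3"
    printf ' --perm "Keys:Authorized" --perm "Keys:Import PKI" --perm "Keys:No Usage Wrap"\n'
    printf 'fxcli role modify --name %s' "$1"
    for c in $EXCRYPT_COMMANDS; do
        printf ' --add-perm Excrypt:%s' "$c"
    done
    printf '\n'
}

# plan_partition ROLE START END -> validates the range (at least 1000 slots, no overlap),
# then prints the commands; returns 2 for a too-small range and 3 for an overlapping one.
plan_partition() {
    if [ "$(range_size "$2" "$3")" -lt 1000 ]; then
        echo "error: range $2-$3 has fewer than the recommended 1000 slots" >&2
        return 2
    fi
    if ! range_is_free "$2" "$3"; then
        echo "error: range $2-$3 overlaps an existing application partition" >&2
        return 3
    fi
    build_role_commands "$1" "$2" "$3"
}

# Assumed placeholder role name; slots 2000-2999 sit above both sample ranges.
plan_partition venafi_control_plane 2000 2999
```

Running the script prints the two commands for the free range; requesting an overlapping range such as 500-1500 prints an error and exits non-zero before any fxcli command is shown, which is the point at which an automation job should stop rather than create a partition that shares slots with another application.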