Configure a transaction processing connection and create an application partition

for this step, you need to log in with an identity that has a role with the following permissions role\ add , role\ assign all permissions , role\ modify , keys\ all slots , and command settings\ excrypt you can use the default administrator role and admin identities this integration guide treats the terms application partition and role as synonymous configure a transaction processing connection before logging in to the hsm with an authenticated user, an application connects through a transaction processing connection to the transaction processing application partition therefore, you must take steps to configure the following items to harden this partition it should not have access to the all slots permissions it should not have access to any key slots enable only the pkcs #11 communication commands choose one of the following methods to configure the transaction processing connection excrypt manager perform the following steps to configure a transaction processing connection on excrypt manager go to the application partitions menu, select the transaction processing application partition, and select \[ modify ] in the permissions tab, leave the top level keys permission checked and uncheck the all slots sub permission in the key slots tab, ensure that the settings do not specify key ranges by default, the transaction processing application partition can access the entire range of key slots on the hsm in the commands tab, make sure to enable only the following pkcs #11 communication commands command description echo communication test/retrieve version prmd retrieve hsm restrictions rand generate random data hash retrieve device serial gpkm retrieve key table information gpks general purpose key settings get/change gpkr general purpose key settings get (read only) fxcli perform the following steps to configure a transaction processing connection on fxcli run the following role modify fxcli commands to remove all permissions and key ranges that are currently assigned to the transaction processing role and enable only the pkcs #11 communication commands because the transaction processing role was previously called the anonymous role, the following commands specify anonymous in the name field fxcli role modify name anonymous clear perms clear key ranges fxcli role modify name anonymous add perm "keys" add perm excrypt\ echo add perm excrypt\ prmd add perm excrypt\ rand add perm excrypt\ hash add perm excrypt\ gpkm add perm excrypt\ gpks add perm excrypt\ gpkr create an application partition to segregate applications on the hsm, you must create an application partition specifically for your use case application partitions segment the permissions and keys between applications on an hsm the following steps outline creating and configuring a new application partition choose one of the following methods to create an application partition go to the application partitions menu and select \[ add ] in the basic information tab, configure all of the fields as follows option required configuration role name specify any name that you would like for this new application partition logins required set to 1 if the hsm is in fips mode, you must set logins required to 2 ports set to prod connection sources set to ethernet managed roles leave blank because you specify the exact permissions , key slots , and commands for this application partition or role to have access to use dual factor set to never upgrade permissions leave unchecked in the permissions tab, select the following key permissions permission description keys top level permission authorized allows for keys that require login import pki allows trusting an external pki generally not recommended, but some applications use this option for pki symmetric key wrapping no usage wrap enables interoperable key wrapping without defining key usage as part of the wrapped key use this only if you want to exchange keys with external entities or use the hsm to wrap externally used keys in the key slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition within the specified range, you should have ranges for both symmetric and asymmetric keys if the application requires more keys, configure it accordingly to use the hsm functionality, you must enable particular functions on the application partition based on application requirements enable the following commands under commands pkcs #11 communication commands command description echo communication test/retrieve version hash retrieve device serial gpkm retrieve key table information gpkr general purpose key settings get (read only) gpks general purpose key settings get/change rand generate random data prmd retrieve hsm permissions key operations commands command description apfp generate pki public key from private key asyl load asymmetric key into the key table gecc generate an ecc key pair gpca general purpose add certificate to key table gpgs general purpose generate symmetric key gpka general purpose key add gpkd general purpose key slot delete/clear grsa generate rsa private and public key lrsa load key into the rsa key table rpfp get public components from the rsa private key interoperable key wrapping command description gpku general purpose key unwrap (unrestricted) gpuk general purpose key unwrap (preserves key usage) gpkw general purpose key wrap (unrestricted) gpwk general purpose key wrap (preserves key usage) data encryption commands command description adpk pki decrypt trusted public key ghsh generate a hash (message digest) starting in firmware version 7 x, this function is enabled by default and does not need to be specified gpse general purpose symmetric encrypt gpsd general purpose symmetric decrypt gpgc general purpose generate cryptogram from key slot gpmc general purpose mac (message authentication code) gpsr general purpose rsa encrypt/decrypt or sign/verify with recovery hmac generate a hash based message authentication code rdpk get clear public key from cryptogram signing commands command description asys generate a signature using a private key asyv verify a signature using a public key gpsv general purpose data sign and verify rsas generate a signature using a private key run the following role fxcli commands to create the new application partition and enable all needed functions fxcli role add –name role name –application –key range (0,999) –perm "keys\ authorized" –perm "keys\ import pki" – perm "keys\ no usage wrap" fxcli role modify name \[role name] add perm excrypt\ echo add perm excrypt\ prmd add perm excrypt\ rand add perm excrypt\ hash add perm excrypt\ gpkm add perm excrypt\ gpks add perm excrypt\ gpkr – add perm excrypt\ apfp –add perm excrypt\ asyl – add perm excrypt\ gecc – add perm excrypt\ gpca – add perm excrypt\ gpgs –add perm excrypt\ gpka – add perm excrypt\ gpkd – add perm excrypt\ grsa – add perm excrypt\ lrsa –add perm excrypt\ rpfp – add perm excrypt\ gpku – add perm excrypt\ gpuk –add perm excrypt\ gpkw – add perm excrypt\ gpwk – add perm excrypt\ adpk – add perm excrypt\ ghsh – add perm excrypt\ gped – add perm excrypt\ gpgc –add perm excrypt\ gpmc – add perm excrypt\ gpsr – add perm excrypt\ hmac –add perm excrypt\ rdpk – add perm excrypt\ asys –add perm excrypt\ asyv –add perm excrypt\ gpsv – add perm excrypt\ rsas