Partition Authorization
Allows you to change the status of partitions configured for M of N authentication.
The status of the partitions can be changed to associate them with a set of cards and also to authorize an already associated partition.
Cryptographic keys can be created while the partition is in an unauthorized state and can be used effectively when authorization is granted.
After entering the ID of the partition (this is the same as the user ID), a screen appears showing the current state of the partition, the permissions currently configured, and the options that allow you to change the state.
The actions possible with the partition keys are defined according to the permissions enabled and the status. For example, the Key Export permission may be enabled, but an (exportable) partition key can only be exported when it is in Authorized status. The table below shows the possible actions depending on the status and permissions.
To change the state, you must present the cards from the partition's M of N set and enter the partition's password credential.
Info
If the HSM is part of a Replication Domain, the state change in the partition will be replicated to the other nodes.
As of firmware version 5.3.0.0, the state can be changed online, using one of the HSM consoles or via API. The user's workstation must have the HSM client software installed and a certified smart card reader plugged in (see Remote Management), and the partition card custodians must be present. In remote operation there is a state that applies only to the specific session in which the user is connected to the HSM: Session Authorized. A change to this state is not reflected in the other sessions or in the local state of the partition in the HSM. The Authorized state can be set online if the corresponding policy is enabled.
The service must be running during the change of state.
The possible permissions for the partition are:
- Key Read: implicit, cannot be changed;
- Key Export: allows keys to be exported, provided they have the exportable attribute;
- Key Destroy: allows keys to be destroyed;
- Key Block: allows keys to be blocked, preventing them from being used, even when authorized;
- Partition Remove: allows the complete removal of the partition and destruction of all the keys on it, and includes the Key Destroy permission.
The actions allowed and authorized for the keys are executed via API or remote console.
The figure below illustrates the state transitions.
```mermaid
---
title: State transitions in partition authorization via API
---
%%{ init: { 'flowchart': { 'curve': 'basis' } } }%%
stateDiagram-v2
state "Initial" as initial
state "Associated" as associated
note left of associated
Set Permissions
end note
state "Authorized" as authorized
note left of authorized
Set Permissions
end note
note right of authorized
Set online if Policy
end note
state "Session Authorized" as e_auth
note left of e_auth
Online only
end note
classDef KeyUsage fill:darkgreen
classDef KeyBlocked fill:darkred
classDef movement font-style:italic
classDef badBadEvent fill:#f00,color:white,font-weight:bold,stroke-width:2px,stroke:yellow
%% the trailing spaces are needed, do not delete them.
initial --> associated: 
associated --> authorized: 
%associated --> associated: Set permissions
associated --> initial: reset
associated --> e_auth: 
authorized --> initial: reset
%authorized --> authorized: Set permissions
authorized --> associated: 
authorized --> e_auth: 
e_auth --> associated: 
e_auth --> authorized: 
e_auth --> initial: reset
class e_auth KeyUsage
class authorized KeyUsage
class initial KeyBlocked
class associated KeyBlocked
```
The table below shows the possible actions and the necessary conditions (status and permissions) for them to be carried out successfully.
Warning
The state of the partition is maintained between reboots of the HSM.
Action | Partition status | Necessary permission enabled |
---|---|---|
Key generation | Initial or Associated | - |
Locking keys | Associated | Key Block |
Key destruction | Associated | Key Destroy |
Complete partition removal | Associated | Partition Remove (destroy all keys) |
Key export | Authorized | Key Export |
Use of keys (cryptography) | Authorized | - |
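
The state diagram and the action table above can be read together as a small policy model. The following is an added example, not Dinamo code or its API: the class, method and action names and the session ids are hypothetical, and it assumes a Session Authorized session is treated as Authorized for that session only.

```python
# Model of this page's state diagram and action table; not the HSM's API.
TRANSITIONS = {"Initial": {"Associated"},  # local state -> reachable states
               "Associated": {"Authorized", "Initial"},
               "Authorized": {"Associated", "Initial"}}
RULES = {  # action -> (states in which it succeeds, permission required)
    "generate": ({"Initial", "Associated"}, None),
    "block": ({"Associated"}, "Key Block"),
    "destroy": ({"Associated"}, "Key Destroy"),
    "remove_partition": ({"Associated"}, "Partition Remove"),
    "export": ({"Authorized"}, "Key Export"),
    "use": ({"Authorized"}, None),
}

class Partition:
    def __init__(self, permissions=()):
        self.state = "Initial"
        self.permissions = set(permissions) | {"Key Read"}  # Key Read is implicit
        if "Partition Remove" in self.permissions:
            self.permissions.add("Key Destroy")  # Partition Remove includes it
        self.authorized_sessions = set()
    def set_state(self, new):
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"no transition {self.state} -> {new}")
        self.state = new
        if new == "Initial":  # reset also leaves Session Authorized
            self.authorized_sessions.clear()
    def authorize_session(self, sid):
        if self.state == "Initial":  # diagram has no Initial -> Session Authorized edge
            raise ValueError("partition must be Associated or Authorized first")
        self.authorized_sessions.add(sid)  # other sessions and local state unchanged
    def check(self, action, sid=None):
        # Assumption: a Session Authorized session is treated as Authorized.
        state = "Authorized" if sid in self.authorized_sessions else self.state
        states, perm = RULES[action]
        if state not in states:
            return False, f"state {state}"
        if perm and perm not in self.permissions:
            return False, f"missing {perm}"
        return True, "ok"

def demo():
    p = Partition({"Key Export"})
    results = [p.check("generate"), p.check("use")]  # still Initial
    p.set_state("Associated")
    p.authorize_session("s1")  # constructed session id
    results += [p.check("use", "s1"), p.check("use", "s2"), p.check("destroy")]
    p.set_state("Authorized")
    results += [p.check("export"), p.check("block")]
    return results
```

In `demo()`, session `s1` can use keys while `s2` and the local partition state remain Associated, and key blocking is refused once the partition is Authorized.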
```
Dinamo - Local Management Console
┌───────────────────┤ nsauth ├────────────────────┐
│                                                 │
│                                                 │
│   State: Initial                                │
│                                                 │
│   [ ] - Key Read                                │
│   [ ] - Key Export                              │
│   [ ] - Key Destroy                             │
│   [ ] - Key Block                               │
│   [ ] - Partition Remove (destroy all keys)     │
│                                                 │
│                                                 │
│   ┌─────────────┐  ┌─────────────┐  ┌───────┐   │
│   │  Associate  │  │  Authorize  │  │ Close │   │
│   └─────────────┘  └─────────────┘  └───────┘   │
│                                                 │
└─────────────────────────────────────────────────┘
Service running... Replication Domain: <none>
```