I have initialized the HSM on the default domain on my XI52. I have imported keys successfully into that HSM.
Q: Can I create another HSM repository on a different domain on the same device? Or is only 1 HSM allowed per device?
HSM keys - Importing into other local domains
Updated on 2012-11-28T20:29:42Z by SystemAdmin
Re: HSM keys - Importing into other local domains 2012-11-27T23:46:21Z
Link: http://www-01.ibm.com/support/docview.wss?uid=swg21412060
Question: Can I export HSM private keys from one domain and import them into another domain?
Answer: No. Once an HSM key is generated, it has an immutable label attribute that determines its domain. Since this label cannot be changed, the key cannot be moved to another domain.
inestlerode 270001CUTT 166 Posts
Re: HSM keys - Importing into other local domains 2012-11-28T17:23:19Z
- SystemAdmin 110000D4XK
I'm not sure what you mean by "create another HSM repository". You should only run hsm-reinit one time for the entire device; you do not rerun it once per domain. Whether the HSM is initialized is a device-wide state.
However, the keys stored inside of the HSM are a per-domain state. Each domain has a different, domain-specific view of which keys are inside of the HSM for that domain. This is automatic. Once the HSM is initialized one time (for the whole device) you can generate and import private keys in the HSM separately in each domain.
Re: HSM keys - Importing into other local domains 2012-11-28T20:29:42Z
- inestlerode 270001CUTT