Partitions Tab
Root SO (Security officer, the UKC partition administrator role) ˃ Partitions
→ presents the following:
- Create New Partition button.
- Table of Partitions.
Table of Partitions
Each row of the table presents the following attributes:
- Name of the partition.
- FIPS (Federal Information Processing Standards: standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) - if the system operates in FIPS mode (the UKC system mode that allows processing FIPS-certified and not-certified keys), specifies the Partition Policy in FIPS Mode.
- Inherited - the check-mark indicates that the partition is inherited. See Part-inherit.
- Created and Last changed dates.
- [ ] - see Commands.
Create New Partition
To create a new partition, proceed as follows:
Root SO ˃ Partitions ˃ Create
→ The New Partition dialog appears.
This dialog is divided into two parts:
Creating a partition also creates its first client. The client's certificate file <partition name>-<client name>.pfx is downloaded to the browser's default folder.
Note
To run EP UCL (Unbound Command Language) commands targeting a partition created using the UI, register the EP as the partition's client. See Registered Clients.
Partition's Bootstrapping Settings
This section of the dialog configures the minimum set of partition settings. Some of these settings are permanent. The rest of the settings are initialized to default values that may be modified by the partition's SO. See Partition Settings in UI.
The settings include:
- Partition name - permanent setting.
- SO password - must comply with the complex password default requirements. See Password Mandatory Special Characters.
- Inherit settings from the root partition - this option allows the Root SO to operate in this partition. See Part-inherit.
- Allow certificate propagation - allows a partition user to access the partition from a client appliance that possesses only the root partition's certificate. See Cert-propagation.
- FIPS - see Partition Policy in FIPS Mode.
  This prompt appears if the system is operating in FIPS mode and the "Allow external keystores" setting of the partition is disabled.
- Allow external keystores - permanent setting. It allows the partition's SO to register with external keystores. See Keystores Tab.
Note
If the system is operating in FIPS mode, all key material in such a partition will be processed in non-FIPS mode (the UKC system advanced execution mode that hasn't yet received the FIPS certification).
The First Client Setting
Note
This group of settings may be filled with dummy data if the partition's SO can manage the partition without its certificate or the partition is tagged inherited. See Partition Create Tips.
This section of the dialog creates the first partition client and its certificate.
- Client name - We recommend using the designated client's appliance hostname as the Client name.
- Client alternative names - An optional field. It allows specifying additional IP addresses and host names in the Subject Alternative Names setting of the certificate.
- Client Certificate Options:
  - Default - use this option to create a certificate that is used internally by the CORE client software. The created certificate is protected by the secret password known to the CORE Client software.
    Note
    The client IP is assigned to the Subject alternative names setting during the client registration.
  - Password - use the explicit password option to create a certificate for applications that require explicit certificate import.
Important
It is mandatory to provide the designated client's IP address in this field if
(a) you are creating the certificate with an explicit password, and
(b) you are planning to enable the check-ip feature on this partition.
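An added example, not taken from the UKC documentation: a shell check that an explicit-password client certificate lists the designated client's IPv4 address in Subject Alternative Names, which the note above requires before check-ip is enabled. It assumes the downloaded .pfx is a PKCS#12 file readable by the openssl CLI; the function names, the PFX_PASS variable and the demo certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for check-ip.
# Confirms that an explicit-password client .pfx lists the client's IP as an
# exact Subject Alternative Names entry. Needs the openssl CLI, 1.1.1 or later.
# The PFX password is read from the PFX_PASS environment variable, so it is
# not passed as a command-line argument.

# san_entries FILE: print one SAN entry per line, e.g. "IP Address:10.0.0.5".
san_entries() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null |
        sed -e '1d' | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//'
}

# pfx_has_ip_san FILE IP: succeed only if IP is a SAN entry of the certificate.
# Whole-line fixed-string matching keeps 10.0.0.5 from matching 10.0.0.50.
pfx_has_ip_san() {
    san_entries "$1" | grep -Fxq "IP Address:$2"
}

# make_demo_pfx FILE: write a constructed, self-signed stand-in for a downloaded
# <partition name>-<client name>.pfx (hypothetical helper, demo data only).
make_demo_pfx() {
    demo_dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
        -addext "subjectAltName=DNS:demo-client,IP:10.0.0.5" \
        -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$demo_dir/key.pem" -in "$demo_dir/cert.pem" \
            -out "$1" -passout env:PFX_PASS
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

# Usage (with PFX_PASS exported): sh check_san.sh FILE.pfx CLIENT_IP
if [ "$#" -eq 2 ]; then
    if pfx_has_ip_san "$1" "$2"; then
        echo "OK: $2 is in Subject Alternative Names"
    else
        echo "MISSING: $2 is not in Subject Alternative Names" >&2
        exit 1
    fi
fi
```

The check applies only to certificates created with the Password option, since the Default option protects the file with a password known only to the CORE client software.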
Partition Create Advanced Topics
UI and CLI Differences
Creating a partition using the web console differs from using the ucl partition create command.
- In the UI case:
  - The appliance running the browser does not become its certified client.
  - In addition to the partition creation, you are prompted to specify its first client and the required certificate type.
- In the CLI (Command Line Interface) case:
  - The appliance executing the command becomes its first certified CORE client (named by the appliance's hostname).
Partition Create Tips
The Root SO can create an initial set of the partition's clients, users, and key material, and customize the partition's settings. To follow this approach:
- Create the partition as an inherited one.
- Navigate to the new partition by performing these steps:
  - Click the button in the Top pane.
    → The list of the inherited partitions appears.
  - Click the name tag of the required partition.
    → The user is redirected to the partition's management page.
  - Click Config Tab ˃ Partition Settings.
    → The partition's settings page appears.
- Modify and add:
  - The required partition properties
  - Add users.
  - Add clients.
Note
If needed, to un-inherit a partition, sign in as the partition SO and deselect the Inherited partition check-box.
Commands
Root SO ˃ Partitions ˃ select a partition ˃ [ ]
→ The list of commands appears.
Reset SO Password
To reset the selected partition's SO password, click the Reset button.
→ The Password Reset dialog appears.
Note
To reset the password of any SO of any partition, see Rescue Tab.
Recover Partition
This action addresses an unlikely case when:
- A partition has key material
- None of the partition clients (including the EP) have the partition certificate
To recover access to a partition, click the Recover button.
→ The Recover Partition dialog appears.
The dialog presents a subset of the Create New Partition dialog.
The recovery does not change the partition settings. However:
- It deletes all the partition's clients (since they already lost their certificates).
- It creates a new client and stores its certificate in the default download folder of your browser.
Delete Partition
The system deletes the selected partition if all the following conditions are met:
- The partition has no clients.
- The partition has no key material.
- The partition has no users apart from the default SO and USER.