Setting HSM Policies Using a Template

An HSM policy template is a file containing a set of preferred HSM policy settings, used to initialize HSMs with those settings. You can use the same file to initialize multiple HSMs, rather than changing policies manually after initialization. This can save time and effort when initializing multiple HSMs that are to function together (such as in an HA group), or must comply with your company's overall security strategy. Templates enable scalable policy management and simplify future audit and compliance requirements.

See also Setting Partition Policies Using a Template.

NOTE   This feature has software and/or firmware dependencies. See Version Dependencies by Feature for more information.

You can create a policy template file from an initialized or uninitialized HSM, and edit it using a standard text editor.

HSM policy templates cannot be used to alter settings for an initialized HSM. Once an HSM has been initialized, the SO must change individual policy values manually (see Setting HSM Policies Manually).

To zeroize the HSM and revert policies to their default values, see Resetting to Factory Condition.

To zeroize the HSM and keep the existing policy settings, use the following command:

lunash:> hsm zeroize

This section provides instructions for the following procedures, and some general guidelines and restrictions:

>Creating an HSM Policy Template

>Editing an HSM Policy Template

>Applying an HSM Policy Template

Creating an HSM Policy Template

The following procedures describe how to generate an HSM policy template from the HSM. This can be done optionally at two points in the HSM setup process:

>before the HSM is initialized: this produces a template file containing the default policy settings, which can then be edited

>after initializing and setting the HSM policies manually: this produces a template file with the current HSM policy settings, which can then be used to initialize other HSMs with the same settings. The HSM SO must complete the procedure.

To create an HSM policy template

1. Log in to LunaSH as admin. If you are creating a template from an initialized HSM, you must also log in as HSM SO:

lunash:> hsm login

2. Create the HSM policy template file with an original filename. No file extension is required. If a template file with the same name already exists, it is overwritten.

lunash:> hsm showpolicies -exporttemplate <filename>

3. On a client workstation, use scp/pscp to transfer the template file from the source appliance (see SCP and PSCP).

4. Customize the template file with a standard text editor (see Editing an HSM Policy Template).

Editing an HSM Policy Template

Use a standard text editor to manually edit HSM policy templates for custom configurations. This section provides template examples and customization guidelines.

HSM Policy Template Example

This example shows the contents of an HSM policy template created using the factory default policy settings. Use a standard text editor to change the policy values (0=OFF, 1=ON, or the desired value 0-255). You cannot edit the destructiveness of HSM policies. See HSM Capabilities and Policies for more information.

If you export a policy template from an uninitialized HSM, the Sourced from HSM header field remains blank. This field is informational and you can still apply the template.

The Policy Description field is included in the template for user readability only. Policies are verified by the number in the Policy ID field.

# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value
# Sourced from HSM: myLunaHSM, SN: 66331
6:"Allow masking":0
7:"Allow cloning":1
12:"Allow non-FIPS algorithms":1
15:"SO can reset partition PIN":0
16:"Allow network replication":1
21:"Force user PIN change after set/reset":1
22:"Allow offboard storage":1
23:"Allow partition groups":0
25:"Allow remote PED usage":0
30:"Allow unmasking":1
33:"Current maximum number of partitions":100
35:"Force Single Domain":0
36:"Allow Unified PED Key":0
37:"Allow MofN":0
38:"Allow small form factor backup/restore":0
39:"Allow Secure Trusted Channel":0
40:"Decommission on tamper":0
42:"Allow partition re-initialize":0
43:"Allow low level math acceleration":0
46:"Disable Decommission":1
47:"Allow Tunnel Slot":0
48:"Do Controlled Tamper Recovery":1

Editing Guidelines and Restrictions

When creating or editing policy templates:

>You can remove a policy from the template by adding # at the beginning of the line or deleting the line entirely. When you apply the template, the HSM will use the default value for that policy.

>You may not use invalid policy values (outside the acceptable range), or values that conflict with your HSM's capabilities. For example, HSM capability 6: Enable Masking is always Disallowed, so you cannot set the corresponding HSM policy to 1. If you attempt to initialize an HSM with a template containing invalid policy values, an error is returned and initialization fails.
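As an added illustration, not part of the Thales documentation or of any Luna tool, the following Python script applies these guidelines to a template file before it is copied to the appliance: it parses the ID:"Description":Value lines, treats # lines as removed policies that will take their default values, rejects values outside 0-255, and flags a non-zero value for policy 6, which the page notes conflicts with the always-Disallowed masking capability. The sample template texts, the DISALLOWED_CAPABILITIES table and the expected policy ID set are constructed assumptions; the real capabilities and policy list come from hsm showpolicies on your HSM. It also diffs two exported templates, which is a quick way to confirm that HSMs meant to work together (for example HA group members) carry identical settings.

```python
import re
from dataclasses import dataclass

# Constructed sample template, modelled on the factory-default example above.
# Policy 15 is commented out, so the HSM would use its default for it.
SAMPLE_TEMPLATE = """\
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value
# Sourced from HSM: myLunaHSM, SN: 66331

6:"Allow masking":0
7:"Allow cloning":1
12:"Allow non-FIPS algorithms":1
# 15:"SO can reset partition PIN":0
33:"Current maximum number of partitions":100
"""

# Constructed template with three defects: policy 6 set to 1, a value above 255,
# and a line that does not follow the ID:"Description":Value format.
BAD_TEMPLATE = """\
6:"Allow masking":1
7:"Allow cloning":300
not a policy line
"""

# One policy entry per line: integer ID, quoted description, value.
LINE_RE = re.compile(r'^(\d+):"([^"]*)":(\S+)$')

# Assumed capability constraints keyed by policy ID. The page states that
# capability 6 (Enable Masking) is always Disallowed, so policy 6 must stay 0.
# Populate this from `hsm showpolicies` for your own HSM model.
DISALLOWED_CAPABILITIES = {6}


@dataclass
class PolicyEntry:
    policy_id: int
    description: str
    value: int


def parse_template(text):
    """Return (entries, errors). Blank lines and lines starting with '#' are
    skipped: commenting a policy out removes it from the template."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry {raw!r}")
            continue
        pid, desc, val = m.groups()
        if not val.isdigit() or not 0 <= int(val) <= 255:
            errors.append(f"line {lineno}: policy {pid} value {val!r} not in 0-255")
            continue
        entries.append(PolicyEntry(int(pid), desc, int(val)))
    return entries, errors


def validate(entries, disallowed=DISALLOWED_CAPABILITIES):
    """Flag duplicate IDs and values that conflict with HSM capabilities."""
    errors, seen = [], set()
    for e in entries:
        if e.policy_id in seen:
            errors.append(f"policy {e.policy_id} listed more than once")
        seen.add(e.policy_id)
        if e.policy_id in disallowed and e.value != 0:
            errors.append(f"policy {e.policy_id} ({e.description}) must be 0: "
                          "capability is Disallowed")
    return errors


def check_template(text, expected_ids=None):
    """Parse and validate a template; also list which of the expected policy
    IDs are absent and will therefore fall back to their default values."""
    entries, errors = parse_template(text)
    errors += validate(entries)
    present = {e.policy_id for e in entries}
    defaulted = sorted(set(expected_ids or ()) - present)
    return {"entries": entries, "errors": errors, "defaulted": defaulted}


def diff_templates(text_a, text_b):
    """Policies whose values differ between two exported templates."""
    a = {e.policy_id: e.value for e in parse_template(text_a)[0]}
    b = {e.policy_id: e.value for e in parse_template(text_b)[0]}
    return {pid: (a.get(pid), b.get(pid))
            for pid in sorted(set(a) | set(b)) if a.get(pid) != b.get(pid)}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_TEMPLATE), ("bad", BAD_TEMPLATE)):
        report = check_template(text, expected_ids={6, 7, 12, 15, 33})
        print(f"{name}: {len(report['entries'])} entries, "
              f"defaulted={report['defaulted']}")
        for err in report["errors"]:
            print("  ERROR:", err)
```

Run it against a template before transferring it, since an invalid value is only reported by the appliance at hsm init time, when initialization fails outright.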

Applying an HSM Policy Template

The following procedure describes how to initialize the HSM using a policy template.

To apply a policy template to a new HSM

1. From a client workstation, use scp/pscp to transfer the template file to the admin user on the destination appliance (see SCP and PSCP).

2. Log in to LunaSH as admin on the destination appliance, and initialize the HSM using the policy template file.

lunash:> hsm init -label <label> -applytemplate <filename>

3. Verify that the template has been applied correctly by checking the HSM's policy settings.

lunash:> hsm showpolicies