Setting HSM Policies Manually

The HSM SO can change available policies to customize HSM functionality. Some policies apply to all partitions on the HSM; others enable the Partition SO to customize functionality at the partition level. Refer to HSM Capabilities and Policies for a complete list of HSM policies and their effects.

In most cases, HSM policies are either enabled (1) or disabled (0), but some allow a range of values.

To change multiple policy settings during HSM initialization, see Setting HSM Policies Using a Template.

Prerequisites

- The HSM must be initialized (see Initializing the HSM).

- If you are changing a destructive policy and partitions already exist on the HSM, back up any important cryptographic objects (see Backup and Restore Using a G5-Based Backup HSM or Backup and Restore Using a G7-Based Backup HSM).

To manually set or change an HSM policy

1. Launch LunaCM and set the active slot to the HSM Admin partition.

lunacm:> slot set -slot <slotnum>

2. [Optional] Display the existing HSM policy settings.

lunacm:> hsm showpolicies

3. Log in as HSM SO (see Logging In as HSM Security Officer).

lunacm:> role login -name so

4. Change the policy setting by specifying the policy number and the desired value (0, 1, or a number in the accepted range for that policy).

lunacm:> hsm changehsmpolicy -policy <policy_ID> -value <value>

If you are changing a destructive policy, you are prompted to enter "proceed" to continue the operation.