At this point, you should have initialized the HSM and created an HSM Partition. You may need to set the policies that constrain the use of the HSM Partition by clients. Capabilities are factory settings (see "Capabilities and Policies"). Policies are the means of modifying the adjustable capabilities.
First, display the current (default) policies of the HSM Partition you created.
You do not need to be logged in to the HSM Partition to run the partition showPolicies command.
However, to change the policies of either the HSM or an individual Partition, you must log in as HSM Administrator.
lunash:> partition showPolicies -partition mypartition
Partition Name: mypartition
Partition Num: 65038002
The following capabilities describe this partition and can never be changed.

Description                                 Value
===========                                 =====
Enable private key cloning                  Allowed
Enable private key wrapping                 Disallowed
Enable private key unwrapping               Allowed
Enable private key masking                  Disallowed
Enable secret key cloning                   Allowed
Enable secret key wrapping                  Allowed
Enable secret key unwrapping                Allowed
Enable secret key masking                   Disallowed
Enable multipurpose keys                    Allowed
Enable changing key attributes              Allowed
Enable PED use without challenge            Allowed
Allow failed challenge responses            Allowed
Enable operation without RSA blinding       Allowed
Enable signing with non-local keys          Allowed
Enable raw RSA operations                   Allowed
Max failed user logins allowed              10
Enable high availability recovery           Allowed
Enable activation                           Allowed
Enable auto-activation                      Allowed
Minimum pin length (inverted: 255 - min)    248
Maximum pin length                          255
Enable Key Management Functions             Allowed
Enable RSA signing without confirmation     Allowed
Enable Remote Authentication                Allowed
Enable private key unmasking                Allowed
Enable secret key unmasking                 Allowed
Enable RSA PKCS mechanism                   Allowed
Enable CBC-PAD (un)wrap keys of any size    Allowed

The following policies are set due to current configuration of this partition and may not be altered directly by the user.

Description                                 Value
===========                                 =====
Challenge for authentication not needed     False

The following policies describe the current configuration of this partition and may be changed by the HSM Administrator.

Description                                 Value   Code
===========                                 =====   ====
Allow private key cloning                   On      0
Allow private key unwrapping                On      2
Allow secret key cloning                    On      4
Allow secret key wrapping                   On      5
Allow secret key unwrapping                 On      6
Allow multipurpose keys                     On      10
Allow changing key attributes               On      11
Ignore failed challenge responses           On      15
Operate without RSA blinding                On      16
Allow signing with non-local keys           On      17
Allow raw RSA operations                    On      18
Max failed user logins allowed              10      20
Allow high availability recovery            On      21
Allow activation                            Off     22
Allow auto-activation                       Off     23
Minimum pin length (inverted: 255 - min)    248     25
Maximum pin length                          255     26
Allow Key Management Functions              On      28
Perform RSA signing without confirmation    On      29
Allow Remote Authentication                 On      30
Allow private key unmasking                 On      31
Allow secret key unmasking                  On      32
Allow RSA PKCS mechanism                    On      33
Allow CBC-PAD (un)wrap keys of any size     On      34
Command Result : 0 (Success)
[myluna] lunash:>
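As an added example (not part of the Luna documentation or lunash itself), the following Python script parses the administrator-changeable section of the partition showPolicies output, keyed by policy code, and reports where the partition deviates from an expected baseline. The output excerpt and the baseline values are constructed for illustration; a real check would feed it the captured lunash output and the baseline your deployment has decided on.

```python
import re

# Constructed excerpt of "partition showPolicies" output; only the section that
# the HSM Administrator can change is needed for this check.
SAMPLE_OUTPUT = """\
The following policies describe the current configuration of this partition and may be changed by the HSM Administrator.
Description                                 Value   Code
===========                                 =====   ====
Allow private key cloning                   On      0
Allow private key unwrapping                On      2
Operate without RSA blinding                On      16
Allow raw RSA operations                    On      18
Max failed user logins allowed              10      20
Allow activation                            Off     22
Command Result : 0 (Success)
"""

# A policy row is: description, then On/Off or a number, then the numeric code.
POLICY_LINE = re.compile(r"^(?P<desc>.+?)\s+(?P<value>On|Off|\d+)\s+(?P<code>\d+)$")

def parse_policies(text):
    """Return {code: (description, value)} for the changeable-policy section."""
    policies = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if "may be changed by the HSM Administrator" in line:
            in_section = True          # rows of interest start after this sentence
            continue
        if not in_section or line.startswith(("Description", "====")):
            continue                   # skip the column header and rule lines
        m = POLICY_LINE.match(line)
        if m:
            policies[int(m["code"])] = (m["desc"], m["value"])
    return policies

# Constructed baseline (hypothetical deployment expectations), keyed by policy code.
BASELINE = {0: "Off", 16: "Off", 18: "Off", 20: "10", 22: "On"}

def policy_drift(policies, baseline):
    """List findings where a policy is missing or differs from the baseline value."""
    findings = []
    for code, expected in sorted(baseline.items()):
        if code not in policies:
            findings.append(f"code {code}: not reported")
        elif policies[code][1] != expected:
            desc, actual = policies[code]
            findings.append(f"code {code} ({desc}): {actual}, expected {expected}")
    return findings

if __name__ == "__main__":
    for finding in policy_drift(parse_policies(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```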
(Next, change any of the policies that you wish to change; see "Set Partition Policy".)