Set any of the alterable policies that are to apply to the HSM.
Capability vs Policy Interaction
Capabilities identify the purchased features of the product and are set
at time of manufacture.
Policies represent the HSM Admin’s enabling (or restriction) of those features.
lunash:> hsm showPolicies
[myluna] lunash:>hsm showPolicies
HSM Label: myhsm
Serial #: 700022
Firmware: 6.2.1.
The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.
| Description | Value |
|---|---|
| ============ | ===== |
| Enable PIN-based authentication | Allowed |
| Enable PED-based authentication | Disallowed |
| Performance level | 15 |
| Enable domestic mechanisms & key sizes | Allowed |
| Enable masking | Allowed |
| Enable cloning | Allowed |
| Enable special cloning certificate | Disallowed |
| Enable full (non-backup) functionality | Allowed |
| Enable ECC mechanisms | Allowed |
| Enable non-FIPS algorithms | Allowed |
| Enable SO reset of partition PIN | Allowed |
| Enable network replication | Allowed |
| Enable Korean Algorithms | Disallowed |
| FIPS evaluated | Disallowed |
| Manufacturing Token | Disallowed |
| Enable Remote Authentication | Allowed |
| Enable forcing user PIN change | Allowed |
| Enable portable masking key | Allowed |
| Enable partition groups | Disallowed |
| Enable Remote PED usage | Disallowed |
| Enable external storage of MTK split | Disallowed |
| HSM non-volatile storage space | 2097152 |
| Enable HA mode CGX | Disallowed |
| Enable Acceleration | Allowed |
| Enable unmasking | Disallowed |
The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.
| Description | Value |
|---|---|
| PIN-based authentication | True |
The following policies describe the current configuration of
this HSM and may by changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.
| Description =========== |
Value ===== |
Code ==== |
Destructive =========== |
| Allow masking | On | 6 | Yes |
| Allow cloning | On | 7 | Yes |
| Allow non-FIPS algorithms | On | 12 | Yes |
| SO can reset partition PIN | On | 15 | Yes |
| Allow network replication | On | 16 | No |
| Allow Remote Authentication | On | 20 | Yes |
| Force user PIN change after set/reset | Off | 21 | No |
| Allow off-board storage | On | 22 | Yes |
| Allow acceleration | On | 29 | Yes |
| Allow unmasking | On | 30 | Yes |
Command Result : 0 (Success)
[myluna] lunash:>
According to the above example, the fixed capabilities require that this HSM be protected with HSM Password Authentication, meaning that the PED and PED Keys are not used for authentication, and instead values are typed from a keyboard.
The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.
The FIPS 140-2 standard mandates a set of
security factors that specify a restricted suite of cryptographic algorithms.
The SafeNet HSM is designed to the standard, but can permit activation
of additional non-FIPS-validated algorithms if your application requires
them.
The example listing above indicates that non-validated algorithms
have been activated. The HSM is just as safe and secure as it is with the additional algorithms switched off. The only difference is that an auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.
lunash:> hsm changePolicy -policy 15 -value 0
That command assigns a value of zero (0) to the policy for “HSM Admin can reset partition PIN”, turning it off.
Refer to the Reference section for a description of all "Capabilities and Policies" and their meanings.
If you have been following the instructions on this page as part of setting up a new HSM system, then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured. "About Creating a Partition (Password Authentication)"