Set Policies for the HSM
Set any of the alterable policies that are to apply to the HSM.
Capability vs Policy Interaction
Capabilities identify the purchased features of the product and are set
at time of manufacture.
Policies represent the HSM Admin’s enabling (or restriction) of those features.
lunash:> hsm showPolicies
HSM Label: mysa5hsm
Serial #: 700022
Firmware: 6.2.1
The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.
Description | Value |
=========== | ===== |
Enable PIN-based authentication | Disallowed |
Enable PED-based authentication | Allowed |
Performance level | 15 |
Enable domestic mechanisms & key sizes | Allowed |
Enable masking | Allowed |
Enable cloning | Allowed |
Enable special cloning certificate | Disallowed |
Enable full (non-backup) functionality | Allowed |
Enable ECC mechanisms | Allowed |
Enable non-FIPS algorithms | Allowed |
Enable SO reset of partition PIN | Allowed |
Enable network replication | Allowed |
Enable Korean Algorithms | Allowed |
FIPS evaluated | Disallowed |
Manufacturing Token | Disallowed |
Enable Remote Authentication | Allowed |
Enable forcing user PIN change | Allowed |
Enable portable masking key | Allowed |
Enable partition groups | Disallowed |
Enable Remote PED usage | Allowed |
Enable external storage of MTK split | Allowed |
HSM non-volatile storage space | 2097152 |
Enable HA mode CGX | Disallowed |
Enable Acceleration | Allowed |
Enable unmasking | Allowed |
The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.
Description | Value |
=========== | ===== |
PED-based authentication | True |
Store MTK split externally | False |
The following policies describe the current configuration of
this HSM and may by changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.
Description | Value | Code | Destructive |
=========== | ===== | ==== | =========== |
Allow masking | On | 6 | Yes |
Allow cloning | On | 7 | Yes |
Allow non-FIPS algorithms | On | 12 | Yes |
SO can reset partition PIN | On | 15 | Yes |
Allow network replication | On | 16 | No |
Allow Remote Authentication | On | 20 | Yes |
Force user PIN change after set/reset | Off | 21 | No |
Allow off-board storage | On | 22 | Yes |
Allow remote PED usage | On | 25 | No |
Allow acceleration | On | 29 | Yes |
Allow unmasking | On | 30 | Yes |
Command Result : 0 (Success)
[myluna] lunash:>
According to the above example, the fixed capabilities require that this HSM be protected at FIPS 140-2 level 3, meaning that the PED and PED Keys are required for authentication, and values typed from a keyboard are ignored.
The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.
The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. The HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them.
The example listing above indicates that non-validated algorithms have been activated ("Allow non-FIPS algorithms" is On). The HSM is just as safe and secure with the additional algorithms switched on as it is with them switched off. The only difference is that an auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.
Example – Change of HSM Policy
lunash:> hsm changePolicy -policy 15 -value 0
That command assigns a value of zero (0) to the “HSM Admin can reset partition PIN” policy (shown in the listing as “SO can reset partition PIN”, code 15), turning it off.
The above example is a change to a destructive policy, meaning that, if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm that this is what you really wish to do, and afterwards you must re-initialize the HSM.
While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your HSM system has been in a “live” or “production” environment and the HSM contains useful or important data, keys, or certificates.
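As an added example (not part of the Luna documentation and not a lunash feature), the following Python parses the alterable-policy table from `hsm showPolicies` output, builds the `hsm changePolicy` command for a given policy code, reports whether that policy is marked destructive (and so would zeroize the HSM) and whether the change is a no-op, and lists any non-FIPS algorithm policy that is still On for an audit check. The sample listing and its column alignment are constructed to match the output above, and the function names are my own.

```python
import re

# Constructed sample of the alterable-policy section of `hsm showPolicies`,
# typed to match the listing above; the whitespace-aligned columns are an
# assumption, not output captured from a live appliance.
SAMPLE = """\
Allow masking                            On    6     Yes
Allow cloning                            On    7     Yes
Allow non-FIPS algorithms                On    12    Yes
SO can reset partition PIN               On    15    Yes
Allow network replication                On    16    No
Force user PIN change after set/reset    Off   21    No
Allow remote PED usage                   On    25    No
"""

# One policy row: description, On/Off value, numeric code, Yes/No destructive.
ROW = re.compile(
    r"^(?P<desc>.+?)\s{2,}(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$"
)


def parse_policies(text):
    """Map policy code -> {desc, on, destructive} from showPolicies output."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policies[int(m["code"])] = {
                "desc": m["desc"].strip(),
                "on": m["value"] == "On",
                "destructive": m["destr"] == "Yes",
            }
    return policies


def plan_change(policies, code, value):
    """Return (lunash command, policy is destructive, change is a no-op).
    A destructive policy change zeroizes the HSM, so check before applying."""
    p = policies[code]
    cmd = f"hsm changePolicy -policy {code} -value {value}"
    unchanged = p["on"] == bool(value)
    return cmd, p["destructive"], unchanged


def non_fips_enabled(policies):
    """Policies an auditor would flag: non-FIPS algorithms switched On."""
    return [p["desc"] for p in policies.values()
            if "non-FIPS" in p["desc"] and p["on"]]
```

Feed it the real listing (for example saved from an SSH session to the appliance) and call `plan_change(parse_policies(text), 15, 0)` to see the command and its zeroization flag before typing it into lunash.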
Refer to the Reference section for a description of all HSM Policies and their meanings.
If you have been following the instructions on this page as part of setting up a new HSM system, then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured. Click the following link: Create Partition (Trusted Path Authentication)
Luna SA 5 does not currently have a secure identity management (SIM) configuration. Certain HSM policy settings exist to enable migration from Luna SA 4.x to Luna SA 5.x, specifically the “Enable masking” and “Enable portable masking key” values.