
Set HSM Policies - PED (Trusted Path) Authentication

Set Policies for the HSM

Set any of the alterable policies that are to apply to the HSM.

Capability vs Policy Interaction
Capabilities identify the purchased features of the product and are set at time of manufacture.

Policies represent the HSM Admin’s enabling (or restriction) of those features.

 

  1. Type the hsm showPolicies command to display the current policy set for the HSM.

lunash:> hsm showPolicies

HSM Label: mysa5hsm
Serial #: 700022
Firmware: 6.2.1

The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.
Description                              Value
===========                              =====
Enable PIN-based authentication          Disallowed
Enable PED-based authentication          Allowed
Performance level                        15
Enable domestic mechanisms & key sizes   Allowed
Enable masking                           Allowed
Enable cloning                           Allowed
Enable special cloning certificate       Disallowed
Enable full (non-backup) functionality   Allowed
Enable ECC mechanisms                    Allowed
Enable non-FIPS algorithms               Allowed
Enable SO reset of partition PIN         Allowed
Enable network replication               Allowed
Enable Korean Algorithms                 Allowed
FIPS evaluated                           Disallowed
Manufacturing Token                      Disallowed
Enable Remote Authentication             Allowed
Enable forcing user PIN change           Allowed
Enable portable masking key              Allowed
Enable partition groups                  Disallowed
Enable Remote PED usage                  Allowed
Enable external storage of MTK split     Allowed
HSM non-volatile storage space           2097152
Enable HA mode CGX                       Disallowed
Enable Acceleration                      Allowed
Enable unmasking                         Allowed

The following policies are set due to current configuration of 
this HSM and cannot be altered directly by the user.

Description                              Value
===========                              =====
PED-based authentication                 True
Store MTK split externally               False

The following policies describe the current configuration of 
this HSM and may by changed by the HSM Administrator.

Changing policies marked "destructive" will zeroize (erase 
completely) the entire HSM.

Description                              Value  Code  Destructive
===========                              =====  ====  ===========
Allow masking                            On     6     Yes
Allow cloning                            On     7     Yes
Allow non-FIPS algorithms                On     12    Yes
SO can reset partition PIN               On     15    Yes
Allow network replication                On     16    No
Allow Remote Authentication              On     20    Yes
Force user PIN change after set/reset    Off    21    No
Allow off-board storage                  On     22    Yes
Allow remote PED usage                   On     25    No
Allow acceleration                       On     29    Yes
Allow unmasking                          On     30    Yes

Command Result : 0 (Success)
[myluna] lunash:>

According to the above example, the fixed capabilities require that this HSM be protected at FIPS 140-2 level 3, meaning that the PED and PED Keys are required for authentication, and values typed from a keyboard are ignored.

The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.

The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms.  

The HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them.    

The example listing above indicates that non-validated algorithms have been activated. The HSM is just as safe and secure as it is with the additional algorithms switched off. The only difference is that an auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.

  1. To change HSM policies, the HSM Administrator must first log in.
    lunash:> hsm login

    (If you are not logged in, the above command begins the login process, directing you to the PED. If you are already logged in, the Luna SA tells you so with an error message, which you can ignore.)
    Control is passed to the PED, which prompts you for the blue PED Key.
    Insert the appropriate PED Key for this HSM, and press [ENT] on the PED keypad.
  2. If you need to modify a policy setting to comply with your operational requirements, type:
    lunash:> hsm changePolicy -policy <policyCode> -value <policyValue>


    As an example, change code 15 from a value of 1 (On) to 0 (Off).

Example – Change of HSM Policy

lunash:> hsm changePolicy -policy 15 -value 0

That command assigns a value of zero (0) to the “HSM Admin can reset partition PIN” policy (code 15, listed above as “SO can reset partition PIN”), turning it off.

The above example is a change to a destructive policy, meaning that, if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm that this is what you really wish to do. After the change is applied, you must re-initialize the HSM.

While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your HSM system has been in a “live” or “production” environment and the HSM contains useful or important data, keys, or certificates.

Refer to the Reference section for a description of all HSM Policies and their meanings.
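
A pre-change check for the procedure above, as an added example (not Luna SA or vendor code): it parses saved `hsm showPolicies` output and reports whether a planned `hsm changePolicy` would zeroize the HSM, and whether non-FIPS algorithms are enabled. The function names are assumptions of this example, and the sample text is constructed from the listing on this page.

```python
import re
from typing import NamedTuple

# Constructed sample: the alterable-policy rows from the listing above,
# as they would appear in a saved `hsm showPolicies` session.
SAMPLE = """\
Allow masking On 6 Yes
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12  Yes
SO can reset partition PIN On 15 Yes
Allow network replication On 16 No
Allow Remote Authentication On 20 Yes
Force user PIN change after set/reset  Off 21 No
Allow off-board storage On 22 Yes
Allow remote PED usage  On 25 No
Allow acceleration On 29 Yes
Allow unmasking On 30 Yes
"""

class Policy(NamedTuple):
    name: str
    value: str          # "On" or "Off", as printed
    destructive: bool   # True when the Destructive column says "Yes"

# An alterable row ends in "<On|Off> <code> <Yes|No>"; capability rows and
# headers lack that tail, so they never match and are skipped.
ROW = re.compile(r"^\s*(.+?)\s+(On|Off)\s+(\d+)\s+(Yes|No)\s*$")

def parse_policies(text):
    """Return {code: Policy} for every alterable policy row in the output."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            found[int(m.group(3))] = Policy(m.group(1), m.group(2), m.group(4) == "Yes")
    return found

def review_change(policies, code, new_value):
    """Classify a planned `hsm changePolicy -policy code -value new_value`."""
    if code not in policies:
        return "unknown"        # not an alterable policy in this listing
    p = policies[code]
    if p.value == ("On" if new_value else "Off"):
        return "no-op"          # already at the requested value
    return "zeroizes" if p.destructive else "safe"

def non_fips_enabled(policies):
    """True when policy 12 (Allow non-FIPS algorithms) is On."""
    return 12 in policies and policies[12].value == "On"
```

Run `review_change` against a fresh capture before typing the command on a production HSM; a result of "zeroizes" means the HSM must be backed up first and re-initialized afterwards.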

If you have been following the instructions on this page as part of setting up a new HSM system, then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured; see Create Partition (Trusted Path Authentication).

 

Luna SA 5 does not currently have a secure identity management (SIM) configuration.  Certain HSM policy settings exist to enable migration from Luna SA 4.x to Luna SA 5.x, specifically the “Enable masking” and “Enable portable masking key” values.
