
lunacm hsm Commands

lunacm hsm showpolicies Command

This command, and all the lunacm hsm commands, appear only when the current slot selected in lunacm is for a local HSM, like an installed Luna PCI-E.

HSM commands do not appear in the lunacm command menu when lunacm is directed at a slot corresponding to a remote Luna SA - lunacm has a client-only connection to a remote HSM and therefore cannot log in as SO to a remote HSM.

For Luna SA, the HSM commands are available via the Luna appliance's Luna Shell (lunash:>), which can be accessed via ssh if you have the required authentication.

NAME

hsm showpolicies - show HSM info

SYNOPSIS

lunacm:> hsm showpolicies

DESCRIPTION

Displays the HSM-level Capability and Policy settings for HSM and SO.

OPTIONS

None

SAMPLE OUTPUT

lunacm:> hsm showpolicies

        HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
2: Performance level : 9
3: Enable M of N : 0
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 0
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
11: Enable ECC mechanisms : 0
12: Enable non-FIPS algorithms : 1
13: Enable MofN auto-activation : 0
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 0
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
20: Enable Remote Authentication : 1
21: Enable forcing user PIN change : 0
22: Enable offboard storage : 1
23: Enable partition groups : 0

        HSM Policies
0: PIN-based authentication : 1
1: PED-based authentication : 0
3: Require M of N : 0
6: Allow masking : 0
7: Allow cloning : 0
12: Allow non-FIPS algorithms : 1
13: Allow MofN auto-activation : 0
15: SO can reset partition PIN : 1
16: Allow network replication : 0
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
22: Allow offboard storage : 1
23: Allow partition groups : 0

        SO Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1

        SO Policies
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1

Command Result : No Error

lunacm:>

Note also HSM Capability 17, indicating a set of algorithms that does not come as a standard feature of your Luna HSM, but which can be purchased from SafeNet, if required.

Some mechanisms (such as KCDSA) are not enabled unless you have purchased and installed the required Secure Capability Update package. If you require a particular mechanism, and do not see it listed when you generate a Mechanism List for your Luna HSM, contact SafeNet Support.
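The following Python is an added example, not part of the SafeNet documentation: it parses captured hsm showpolicies output in the format shown under SAMPLE OUTPUT, decodes the inverted minimum PIN length in row 25, and reports settings that differ from an expected baseline. The function names, the constructed excerpt and the baseline values are assumptions made for illustration.

```python
import re

# Constructed excerpt that reuses rows from the sample output above.
SAMPLE = """\
lunacm:> hsm showpolicies

        HSM Policies
12: Allow non-FIPS algorithms : 1
20: Allow Remote Authentication : 1

        SO Policies
20: Max failed user logins allowed : 3
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255

Command Result : No Error
"""

HEADING = re.compile(r"^\s*((?:HSM|SO) (?:Capabilities|Policies))\s*$")
# The description may itself contain ':' (row 25), so anchor the value at end of line.
ROW = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_showpolicies(text):
    """Return {section: {code: (description, value)}}."""
    sections, current = {}, None
    for line in text.splitlines():
        heading = HEADING.match(line)
        if heading:
            current = sections.setdefault(heading.group(1), {})
            continue
        row = ROW.match(line)
        if row and current is not None:
            current[int(row.group(1))] = (row.group(2), int(row.group(3)))
    return sections

def min_pin_length(sections, section="SO Policies"):
    """Row 25 is stored inverted (255 - min), as its label states."""
    return 255 - sections[section][25][1]

def drift(sections, baseline):
    """Return (section, code, description, actual, expected) for each mismatch."""
    findings = []
    for (section, code), expected in sorted(baseline.items()):
        description, actual = sections[section][code]
        if actual != expected:
            findings.append((section, code, description, actual, expected))
    return findings

# Hypothetical site baseline, not a vendor recommendation.
BASELINE = {("HSM Policies", 12): 0, ("SO Policies", 20): 3}

if __name__ == "__main__":
    parsed = parse_showpolicies(SAMPLE)
    print("minimum PIN length:", min_pin_length(parsed))
    for finding in drift(parsed, BASELINE):
        print("drift:", finding)
```

Saving the output of each run and comparing it against the same baseline makes an unexpected policy change visible between audits.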