Destructive | Modifiable | Description |
Enable PIN-based authentication (HSM_CONFIG_ENABLE | Allow PIN-based authentication | - | no | If allowed, use keyboard for entering passwords. (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.) |
Enable PED-based authentication (HSM_CONFIG_ENABLE_PED | Allow PED-based authentication | - | no | If allowed, use the Luna PED (as well as the keyboard) for entering passwords (via PED Keys). (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.) |
Performance level (HSM_CONFIG_PERFORMANCE_LEVEL) | - | - | - | Indicates the performance level of this HSM. The HSM Admin may never modify this capability - it has no corresponding policy. Possible levels are |
Enable domestic mechanisms & key sizes (HSM_CONFIG_DOMESTIC) | - | - | - | If allowed, this Luna HSM is capable of full strength cryptography (i.e. no US export restrictions) |
Enable masking (HSM_CONFIG_MASKING) | Allow masking | yes | yes | If allowed, the Luna HSM is capable of SIM, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of SIM, and there is no way for the HSM Admin to change this. |
Enable cloning (HSM_CONFIG_CLONING) | Allow cloning | yes | yes | If allowed, the Luna HSM is capable of backup to Backup tokens, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of backup and there is no way for the HSM Admin to change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature. |
Enable special cloning certificate (HSM_CONFIG_SPECIAL_CLONING) | - | - | - | If allowed, this Luna HSM can have a vendor-specific cloning certificate loaded on to it. (This policy is always set to not allowed on current Luna HSMs.) |
Enable full (non-backup) functionality (HSM_CONFIG_NONBACKUP_TOKEN) | - | - | - | If allowed, this Luna HSM can perform cryptographic functions. (This policy is always set to allowed on Luna HSMs.) |
Enable ECC mechanisms (HSM_CONFIG_ECC | - | - | - | If allowed, new changes to existing licenses may be done in the field. (This policy is always set to not allowed on Luna HSMs.) |
Enable non-FIPS algorithms (HSM_CONFIG_NONFIPS | Allow non-FIPS algorithms | yes | yes | If allowed, the Luna HSM permits use of cryptographic algorithms that are not sanctioned by the FIPS 140-2 standard; the HSM Admin can select whether to permit use of those algorithms or to adhere to strict FIPS 140-2 regulations. If not allowed, the Luna HSM will only operate with FIPS 140-2 approved algorithms, and there is no way for the HSM Admin to change this. |
Enable SO reset of partition PIN (HSM_CONFIG_SO_CAN_RESET_PIN) | SO can reset partition PIN | yes | yes | If allowed, the Luna HSM has the ability to either lock out users or erase them upon X consecutive bad login attempts. If the HSM Admin sets the corresponding HSM policy to “on”, users will be locked out and the HSM Admin can reset their password; if the HSM Admin sets the policy to “off”, users will be erased after X consecutive bad login attempts. If this capability is not allowed, the Luna HSM will always erase users after X consecutive bad login attempts, and the HSM Admin may not change this. |
Enable network replication (HSM_CONFIG_NETWORK | Allow network replication | no | yes | If allowed, the Luna HSM may use the SafeNet high availability feature, and the HSM Admin may turn this feature on or off. If not allowed, the Luna HSM is not capable of automatic network replication for high availability. Partition backup or partition network replication is allowed for the SafeNet high availability feature. (Does not apply to Luna PCI.) |
Enable Korean Algorithms (HSM_CONFIG_KOREAN | | no | yes | If allowed, the Luna HSM may use the Korean algorithm set. |
FIPS evaluated (HSM_FIPS | HSM has been evaluated and validated to FIPS 140-2 (or 3) | no | no | Deprecated - no longer used |
Enable Remote Authentication (*) | Allow Remote Authentication | yes | yes | If allowed, the Luna SA can be configured to act as a source or a target of Remote Authentication. The PED Key data required for administering a distant (target) Luna SA can be presented at a local, Administration (source) Luna SA. The source appliance has NTLS disabled and so cannot be used by Clients. (Does not apply to Luna PCI.) (* Deprecated - Remote Admin and Remote Authentication no longer supported.) |
Enable forcing user PIN change | Force user PIN change after set/reset | no | yes | If allowed, forces the Partition User to perform a partition changePw operation whenever the SO resets the User password (or creates the User Partition). That is, the User cannot perform any other actions on the Partition until the password change is completed. The purpose is to maintain the separation of roles between the SO/HSM Admin and the Partition User/Owner. |
Enable offboard storage | Allow off-board storage | no | yes | Allows or disallows the use of the portable SIM key. |
Enable partition groups | Allow partition groups | no | no | Deprecated - not supported. |
Enable Remote PED usage | Allow remote PED usage | no | yes | Allow authentication via remotely located Luna PED 2 (Remote Capable) and pedServer. |
Enable external storage of MTK split | Not directly modifiable by user | - | - | Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lunash command "hsm srk enable" is run. If that command is never run, or if the HSM is a password-authenticated version, then both MTK splits remain inside the HSM and recovery from tamper is automatic after restart. |
HSM non-volatile storage space | Not directly modifiable by user | - | - | Shows the factory-set amount of non-volatile storage that is available on the HSM. |
Enable HA mode CGX | Not directly modifiable by user | - | - | This capability determines how "random" numbers are generated for use in the HSM. The default (disabled) mode uses an AES-based method that takes a seed from the onboard hardware RNG to produce a high-quality pseudo-random number. With HA mode enabled, the entire number is generated within the hardware RNG (no seeding), which yields results nearer to true randomness, but which can take an indeterminate (long) amount of time for the required random events to occur. |
Enable Acceleration | Allow acceleration | yes | yes | This capability controls the mechanisms available within the HSM for key generation (RSA, DSA, KCDSA), and HAM. With the "Allow acceleration" policy switched ON, your application can choose from the full range of mechanisms supported by the HSM, for optimum performance with your application. |
Enable Unmasking | Allow unmasking | yes | yes | If you “ALLOW” masking & unmasking on the HSM module(s) and the partition(s) “Private & Secret” keys, you can securely migrate keys within a single appliance where partition cloning domains match. |
Enable FW5 compatibility mode | Permits migration of key material from earlier-model HSMs (firmware 5.x) to current-model HSMs (firmware 6.x) |