Luna Reference

HSM Capabilities & Policies

HSM Capability Name

HSM Policy Name

 Destructive

Modifiable

Description

Enable PIN-based authentication (HSM_CONFIG_ENABLE_PIN_AUTHENTICATION)

Allow PIN-based authentication  

-

no

If allowed, use keyboard for entering passwords. (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.)

Enable PED-based authentication (HSM_CONFIG_ENABLE_PED_AUTHENTICATION)

Allow PED-based authentication

 -

no

If allowed, use the Luna PED (as well as the keyboard) for entering passwords (via PED Keys). (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.)

Performance level (HSM_CONFIG_PERFORMANCE_LEVEL)

-

-

-

Indicates the performance level of this HSM. The HSM Admin may never modify this capability; it has no corresponding policy. Possible levels are:
15: maximum performance, ~7000 1024-bit RSA signatures per second
4: ~1700 1024-bit RSA signatures per second

Enable domestic mechanisms & key sizes (HSM_CONFIG_DOMESTIC)

-

 -

 -

If allowed, this Luna HSM is capable of full strength cryptography (i.e. no US export restrictions)

Enable masking (HSM_CONFIG_MASKING)

Allow masking

yes

yes

If allowed, the Luna HSM is capable of SIM, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of SIM, and there is no way for the HSM Admin to change this.

Enable cloning (HSM_CONFIG_CLONING)

Allow cloning

yes

yes

If allowed, the Luna HSM is capable of backup to Backup tokens, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of backup and there is no way for the HSM Admin to change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Enable special cloning certificate   (HSM_CONFIG_SPECIAL_CLONING)

-

-

-

If allowed, this Luna HSM can have a vendor-specific cloning certificate loaded on to it. (This policy is always set to not allowed on current Luna HSMs.)

Enable full (non-backup) functionality  (HSM_CONFIG_NONBACKUP_TOKEN)

-

-

-

If allowed, this Luna HSM can perform cryptographic functions. (This policy is always set to allowed on Luna HSMs.)

Enable ECC mechanisms (HSM_CONFIG_ECC_MECH)

-

-

-

If allowed, new changes to existing licenses may be done in the field. (This policy is always set to not allowed on Luna HSMs.)

Enable non-FIPS algorithms (HSM_CONFIG_NONFIPS_ALGORITHMS)

Allow non-FIPS algorithms  

yes

yes

If allowed, the Luna HSM permits use of cryptographic algorithms that are not sanctioned by the FIPS 140-2 standard; the HSM Admin can select whether to permit use of those algorithms or to adhere to strict FIPS 140-2 regulations. If not allowed, the Luna HSM will only operate with FIPS 140-2 approved algorithms, and there is no way for the HSM Admin to change this.

Enable SO reset of partition PIN   (HSM_CONFIG_SO_CAN_RESET_PIN)

SO can reset partition PIN

yes

 

yes

 

If allowed, the Luna HSM has the ability to either lock out users or erase them upon X consecutive bad login attempts. If the HSM Admin sets the corresponding HSM policy to “on”, users will be locked out and the HSM Admin can reset their password; if the HSM Admin sets the policy to “off”, users will be erased after X consecutive bad login attempts. If this capability is not allowed, the Luna HSM will always erase users after X consecutive bad login attempts, and the HSM Admin may not change this.

Enable network replication (HSM_CONFIG_NETWORK_REPLICATION)

Allow network replication   

no

 

yes

 

If allowed, the Luna HSM may use the SafeNet high availability feature, and the HSM Admin may turn this feature on or off. If not allowed, the Luna HSM is not capable of automatic network replication for high availability. Partition backup or partition network replication is allowed for the SafeNet high availability feature. (Does not apply to Luna PCI.)

Enable Korean Algorithms (HSM_CONFIG_KOREAN_ALGORITHMS)

  

no

 

yes

 

If allowed, the Luna HSM may use the Korean algorithm set.

FIPS evaluated (HSM_FIPS_EVALUATED)

HSM has been evaluated and validated to FIPS 140-2 (or 3)

no

 

no

 

Deprecated - no longer used

Enable Remote Authentication (*)

Allow Remote Authentication

yes

yes

If allowed, the Luna SA can be configured to act as a source or a target of Remote Authentication. The PED Key data required for administering a distant (target) Luna SA can be presented at a local, Administration (source) Luna SA. The source appliance has NTLS disabled and so cannot be used by Clients. (Does not apply to Luna PCI.) (* Deprecated - Remote Admin and Remote Authentication no longer supported.)

Enable forcing user PIN change (HSM_CONFIG_FORCE_USER_PIN_CHANGE)

Force user PIN change after set/reset

no

 

yes

If allowed, forces the Partition User to perform a partition changePw operation whenever the SO resets the User password (or creates the User Partition). That is, the User cannot perform any other actions on the Partition until the password change is completed. The purpose is to maintain the separation of roles between the SO/HSM Admin and the Partition User/Owner.

Enable offboard storage (HSM_CONFIG_OFFBOARD_STORAGE)

Allow off-board storage

no

 

yes

Allows or disallows the use of the portable SIM key.

Enable partition groups (HSM_CONFIG_PARTITION_GROUPS)

Allow partition groups

no

 

no

Deprecated - not supported.

Enable Remote PED usage (HSM_CONFIG_REMOTE_PED)

Allow remote PED usage

no

 

yes

Allow authentication via remotely located Luna PED 2 (Remote Capable) and pedServer.

Enable external storage of MTK split (HSM_CONFIG_REMOTE_PED)

Not directly modifiable by user

-

 

-

Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lunash command "hsm srk enable" is run. If that command is never run, or if the HSM is a password-authenticated version, then both MTK splits remain inside the HSM and recovery from tamper is automatic after restart.

HSM non-volatile storage space

Not directly modifiable by user

-

-

Shows the factory-set amount of non-volatile storage that is available on the HSM.

Enable HA mode CGX (HSM_CONFIG_HA)

Not directly modifiable by user

-

 

-

This capability determines how "random" numbers are generated for use in the HSM. The default (disabled) mode uses an AES-based method that takes a seed from the onboard hardware RNG to produce a high-quality pseudo-random number. With HA mode enabled, the entire number is generated within the hardware RNG (no seeding), which yields results nearer to true randomness, but which can take an indeterminate (long) amount of time for the required random events to occur.

Enable Acceleration (HSM_CONFIG_ACCEL)

Allow acceleration

yes

 

yes

This capability controls the mechanisms available within the HSM for key generation (RSA, DSA, KCDSA), and HAM. With the "Allow acceleration" policy switched ON, your application can choose from the full range of mechanisms supported by the HSM, for optimum performance with your application.

Enable Unmasking (HSM_CONFIG_UNMASKING)

Allow unmasking

yes

 

yes

If you “ALLOW” masking & unmasking on the HSM module(s) and the partition(s) “Private & Secret” keys, you can securely migrate keys within a single appliance where partition cloning domains match.
If you “ALLOW” cloning on multiple appliances that also have masking & unmasking “ALLOWED” on the HSM(s) and partition(s) “Private & Secret” keys, then you can securely migrate keys with multiple appliances on the same domain.

Enable FW5 compatibility mode

Permits migration of key material from earlier-model HSMs (firmware 5.x) to current-model HSMs (firmware 6.x).