Setting Luna G5 HSM Policies [Optional]

HSM Capabilities represent the underlying factory configurations of the HSM. HSM Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can change a Capability from off to on (disabled to enabled). If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.

In most cases, Configurations and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some involve a range of values.

In this example, we show the initial values of the HSM Capabilities and their corresponding Policies, then we change one Policy, and show the values again.

1. First, for this example, display the basic HSM information.

lunacm:> hsm showinfo
HSM Label -> myLunaG5
HSM Manufacturer -> SafeNet, Inc.
HSM Model -> K4Base
HSM Serial Number -> 8000001
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Firmware Version -> 4.5.2
Slot Id -> 1
Session State -> CKS_RW_PUBLIC_SESSION
SO Status: Not Logged In
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
Command Result : No Error
lunacm:>
 

Note the message at the end, stating that the HSM is not in FIPS 140-2 approved operation mode. This is a condition that we are about to change for the purpose of providing an example; you do not need to make this particular change unless your organization's security policy calls for it.

2. Now display the controlling policies as they currently exist on the HSM.

lunacm:> hsm showpolicies
        HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
2: Performance level : 9
3: Enable M of N : 0
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 1
7: Enable cloning : 0
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
11: Enable ECC mechanisms : 0
12: Enable non-FIPS algorithms : 1
13: Enable MofN auto-activation : 0
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 0
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
20: Enable Remote Authentication : 1
21: Enable forcing user PIN change : 0
22: Enable offboard storage : 1
23: Enable partition groups : 0       
         HSM Policies
0: PIN-based authentication : 0
1: PED-based authentication : 1
3: Require M of N : 0
6: Allow masking : 0
7: Allow cloning : 0
12: Allow non-FIPS algorithms : 1
13: Allow MofN auto-activation : 0
15: SO can reset partition PIN : 1
16: Allow network replication : 0
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
22: Allow offboard storage : 1
23: Allow partition groups : 0
        SO Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 1
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 1
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
        SO Policies
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
Command Result : No Error
lunacm:>
 

To change an HSM Policy setting, you must provide the number that identifies the Policy and then the value for the desired state. First log in to the HSM (using the Luna PED if this is a PED-authenticated HSM; the Luna PED must be connected and ready before you log in), then type the hsm changeHSMPolicy or the hsm changeSOPolicy command:

lunacm:> hsm login
Please attend to the PED

Note:  At this time, you must respond to the prompts on the Luna PED screen.

Command Result : No Error
lunacm:> hsm changeHSMPolicy -policy 12 -value 0
Command Result : No Error

lunacm:> hsm showpolicies
        HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
2: Performance level : 9
3: Enable M of N : 0
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 0
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
11: Enable ECC mechanisms : 0
12: Enable non-FIPS algorithms : 1
13: Enable MofN auto-activation : 0
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 0
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
20: Enable Remote Authentication : 1
21: Enable forcing user PIN change : 0       
         HSM Policies
0: PIN-based authentication : 1
1: PED-based authentication : 0
3: Require M of N : 0
6: Allow masking : 0
7: Allow cloning : 0
12: Allow non-FIPS algorithms :  0     <--
13: Allow MofN auto-activation : 0
15: SO can reset partition PIN : 1
16: Allow network replication : 0
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
        SO Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
        SO Policies
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
Command Result : No Error
lunacm:>
lunacm:> hsm showinfo
HSM Label -> myLunaG5
HSM Manufacturer -> SafeNet, Inc.
HSM Model -> K4Base
HSM Serial Number -> 8000001
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Firmware Version -> 4.5.2
Slot Id -> 1
Session State -> CKS_RW_PUBLIC_SESSION
SO Status: Not Logged In
*** The HSM is in FIPS 140-2 approved operation mode. ***
Command Result : No Error
lunacm:>

Note:  In the above example, HSM Capability "12: Enable non-FIPS algorithms : 1" still has a value of 1 (meaning that it remains enabled), but the associated Policy "12: Allow non-FIPS algorithms : 0" now has a value of 0 (meaning that the SO has disallowed it). Note also that the message in the hsm showinfo output now says "*** The HSM is in FIPS 140-2 approved operation mode. ***" because the HSM is now restricted to using only FIPS-approved algorithms.
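The capability-versus-policy rule at the top of this page, and the FIPS-mode condition it ends with, can be checked mechanically on saved hsm showpolicies output. The following Python parser is an added example (not SafeNet code); it runs on a constructed excerpt in the layout shown above and assumes item numbers line up between a Capabilities section and its Policies section, as they do on this page.

```python
import re

# Constructed excerpt in the layout of this page's `hsm showpolicies` output
# (not a capture from a real Luna G5; item 0 is deliberately inconsistent).
SAMPLE = """\
lunacm:> hsm showpolicies
        HSM Capabilities
0: Enable PIN-based authentication : 0
6: Enable masking : 1
12: Enable non-FIPS algorithms : 1
         HSM Policies
0: PIN-based authentication : 1
6: Allow masking : 0
12: Allow non-FIPS algorithms :  0     <--
        SO Capabilities
25: Minimum pin length (inverted: 255 - min) : 248
        SO Policies
25: Minimum pin length (inverted: 255 - min) : 248
Command Result : No Error
"""

# "<number>: <label> : <value>"; the label itself may contain a colon.
ENTRY = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)$")

def parse_showpolicies(text):
    """Return {section heading: {item number: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.replace("<--", "").rstrip()   # drop the page's marker
        head = line.strip()
        if head.endswith(("Capabilities", "Policies")):
            current = head
            sections[current] = {}
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            sections[current][int(m.group(1))] = int(m.group(3))
    return sections

def policy_exceeds_capability(sections, cap="HSM Capabilities",
                              pol="HSM Policies"):
    """Item numbers where a Policy is 1 but its Capability is 0. A Policy
    may only restrict, so any hit means the saved output needs review."""
    caps, pols = sections[cap], sections[pol]
    return sorted(n for n, v in pols.items() if v == 1 and caps.get(n) == 0)

def in_fips_mode(sections):
    """HSM Policy 12 (Allow non-FIPS algorithms) must be 0."""
    return sections["HSM Policies"].get(12) == 0
```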