Setting Luna G5 Partition Policies [Optional]

Partition Capabilities represent the underlying factory configurations that are in force when a Partition is created. Partition Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can change a Capability from off to on (disabled to enabled). If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.

For example, if a Capability setting requires that the minimum length of a Partition Password must be (say) seven characters, then the SO can use a Policy change to require a minimum password length of eight, nine, ten, or more characters (up to 255). A requirement for a longer password is considered to be a more restrictive security setting. The SO cannot use a Policy change to set the minimum password length to six or fewer characters, because that would be less restrictive than the original Capability which demands at least seven characters.

In most cases, Capabilities and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some take a range of values, as in the example below.

In this example, we show the initial values of the Partition Capabilities and their corresponding Policies, then we change one Policy, and show the values again.

lunacm:> partition showPolicies
        HSM Serial Number -> 65130
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_EXCLUSIVE_EXISTS
        Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION
        M of N Status ->
M of N Not Generated
 *** The HSM is NOT in FIPS 140-2 approved operation mode. ***
        Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
27: Enable RA-type wrapping : 0
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
 Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10  <--
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) :  248
26: Maximum pin length : 255
27: Allow RA-type wrapping : 0
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
lunacm:>
lunacm:> hsm login -password mySOpa55word!
Command Result : No Error
lunacm:> partition changePolicy -policy 20 -value 9
Command Result : No Error
lunacm:>

Note:  In the example above, we change the maximum number of consecutive failed login attempts that is permitted on the Partition. The default maximum is 10. You can change the maximum to fewer than 10, but not to more than 10.

lunacm:> partition showPolicies
        HSM Serial Number -> 65130
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_EXCLUSIVE_EXISTS
        Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION
        M of N Status ->
M of N Not Generated
 *** The HSM is NOT in FIPS 140-2 approved operation mode. ***
        Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
27: Enable RA-type wrapping : 0
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
 Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 9   <--
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
27: Allow RA-type wrapping : 0
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
lunacm:>

Note:  In the example above, the Partition Capability "20: Max failed user logins allowed : 10" still has a value of 10 (meaning that 10 is the largest number of failed Partition login attempts that can ever be permitted), but the associated Policy "20: Max failed user logins allowed : 9" now has a value of 9 (meaning that the SO has decided that 10 bad login attempts on the Partition was too many). The SO has used the Policy to impose a greater restriction than the Capability requires.
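The following is an added example, written for this guide and not SafeNet/Luna code. It parses the "Partition Capabilities" and "Partition Policies" sections of a partition showPolicies listing and checks a proposed partition changePolicy against the rule stated above: a Policy may be as restrictive as, or more restrictive than, its Capability, never less. Policy numbers, names and values are taken from the listing on this page. Assumptions of mine: for policies 20 and 25 a lower stored value is the more restrictive one (fewer failed logins; policy 25 stores 255 minus the minimum PIN length, so 248 means 7), every other policy is treated as on/off, and changePolicy is assumed to take the stored (inverted) value for policy 25. The sample listing embedded in the code is a constructed, abridged copy of the output shown above.

```python
"""Added example, not Luna code: parse 'partition showPolicies' output and
check a proposed 'partition changePolicy' against the rule that a Policy can
only be as restrictive as, or more restrictive than, its Capability.
Assumptions: policies 20 and 25 are ranged with lower stored value = more
restrictive (policy 25 stores 255 - min PIN length); all other policies are
on/off; changePolicy takes the stored (inverted) value for policy 25."""
import re

# Constructed, abridged excerpt of the showPolicies listing shown on this page.
SAMPLE_OUTPUT = """\
        Partition Capabilities
0: Enable private key cloning : 0
2: Enable private key unwrapping : 1
20: Max failed user logins allowed : 10
25: Minimum pin length (inverted: 255 - min) : 248
30: Enable Remote Authentication : 1
 Partition Policies
0: Allow private key cloning : 0
2: Allow private key unwrapping : 1
20: Max failed user logins allowed : 9   <--
25: Minimum pin length (inverted: 255 - min) :  248
30: Allow Remote Authentication : 0
Command Result : No Error
"""

# "<number>: <name> : <value>", optionally followed by the "<--" marker.
LINE_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*(?:<--)?\s*$")

# Ranged policies where a LOWER stored value is MORE restrictive (assumption).
RANGED_LOWER_IS_STRICTER = {20, 25}


def parse_show_policies(text):
    """Return (capabilities, policies) as {policy_number: value} dicts."""
    caps, pols, current = {}, {}, None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "Partition Capabilities":
            current = caps
            continue
        if heading == "Partition Policies":
            current = pols
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = int(m.group(3))
    return caps, pols


def min_pin_length(stored):
    """Decode policy 25: the HSM stores 255 - minimum length (248 -> 7)."""
    return 255 - stored


def encode_min_pin_length(min_len):
    """Encode a desired minimum PIN length as the policy 25 stored value."""
    if not 1 <= min_len <= 255:
        raise ValueError("minimum PIN length must be between 1 and 255")
    return 255 - min_len


def check_policy_change(policy, new_value, capabilities):
    """Return (allowed, reason) for 'partition changePolicy -policy N -value V'."""
    if policy not in capabilities:
        return False, f"policy {policy} is not in the capability list"
    cap = capabilities[policy]
    if policy in RANGED_LOWER_IS_STRICTER:
        if new_value < 0:
            return False, "value must not be negative"
        if new_value > cap:
            return False, f"{new_value} is less restrictive than capability {cap}"
        return True, f"{new_value} is at least as restrictive as capability {cap}"
    if new_value not in (0, 1):
        return False, "on/off policy takes 0 or 1"
    if cap == 0 and new_value == 1:
        return False, "capability is disabled; a policy cannot enable it"
    return True, "on/off policy may be kept or disabled"


def lunacm_command(policy, new_value):
    """Build the lunacm command line for a change that passed the check."""
    return f"partition changePolicy -policy {policy} -value {new_value}"


def tightened_policies(caps, pols):
    """Policies the SO has already set stricter than their capability."""
    out = {}
    for n, cap in caps.items():
        pol = pols.get(n)
        if pol is None:
            continue
        stricter = pol < cap if n in RANGED_LOWER_IS_STRICTER else (cap == 1 and pol == 0)
        if stricter:
            out[n] = (cap, pol)
    return out


if __name__ == "__main__":
    caps, pols = parse_show_policies(SAMPLE_OUTPUT)
    print("already tightened:", tightened_policies(caps, pols))
    for policy, value in [(20, 9), (20, 11), (25, encode_min_pin_length(8)),
                          (25, encode_min_pin_length(6)), (0, 1), (30, 0)]:
        ok, why = check_policy_change(policy, value, caps)
        print("OK  " if ok else "DENY", lunacm_command(policy, value), "-", why)
```

Running the script prints which policies in the sample are already tighter than their capabilities (20 and 30) and then accepts or denies each candidate change, mirroring the login-limit change from 10 to 9 shown above and showing why a change back to 11, or a shorter minimum PIN than the capability demands, would be refused.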