
Setting SafeNet PCI-E HSM Partition Policies [Optional]

Partition Capabilities represent the underlying factory configurations that are in force when a Partition is created. Partition Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can change a Capability from off to on (disabled to enabled). If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.

For example, if a Capability setting requires that the minimum length of a Partition Password must be (say) seven characters, then the SO can use a Policy change to require a minimum password length of eight, nine, ten, or more characters (up to 255). A requirement for a longer password is considered to be a more restrictive security setting. The SO cannot use a Policy change to set the minimum password length to six or fewer characters, because that would be less restrictive than the original Capability which demands at least seven characters.

In most cases, Capabilities and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some take a range of values, as in the example below.

Example policy change procedure

In this example, we show the initial values of the Partition Capabilities and their corresponding Policies, then we change one Policy, and show the values again.

lunacm:> partition showinfo

        HSM Serial Number -> 456278
        Token Flags ->
                CKF_RNG
                CKF_LOGIN_REQUIRED
                CKF_USER_PIN_INITIALIZED
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_PROTECTED_AUTHENTICATION_PATH
                CKF_TOKEN_INITIALIZED
        Slot Id -> 1
        Tunnel Slot Id -> 2
        Session State -> CKS_RW_PUBLIC_SESSION

        User Status->                  Not Logged In
        Crypto Officer Failed Logins-> 0
        Crypto User Failed Logins->    0
        User Flags ->
                CONTAINER_KCV_CREATED
        User OUID: 6e000000e400000056f60600

        User Storage:
                Total Storage Space:  2094996
                Used Storage Space:   0
                Free Storage Space:   2094996
                Object Count:         0

        *** The HSM is NOT in FIPS 140-2 approved operation mode. ***


        License Count -> 9
                1. 0009-020 Test K6 Base Config - 9-20
                2. 620109-000 Test K3 FIPS3 Update - 620109
                3. 0009-030 Test K3 HSM Cloning Update - 000009-030
                4. 620127-000 Test K3 ECC Update - 620127
                5. 0009-025 Test K3 External MTK Update 2 - 000009-025
                6. 620111-000 Test K3 Performance 600 Update - 620111
                7. 0009-015 Test K3 Remote Ped Update - 000009-015
                8. 620124-000 Test K3 Partitions 20 Update - 620124
                9. 620114-000 Test K3 Cloning Update - 620114

Command Result : No Error
lunacm:> 


lunacm:> partition showpolicies

        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                14: Enable PED use without challenge : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1

        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                14: Challenge for authentication not needed : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed :10   <--
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1


Command Result : No Error
lunacm:>

In this example, we change the maximum number of consecutive failed login attempts that is permitted on the Partition (Policy 20).
The default maximum is 10. You can change the maximum to less than 10, but not to more than 10.
Setting it to less than ten makes the partition more secure than the default, and is allowed.
Setting it to more than ten would make the partition less secure than the default, and is not allowed.

lunacm:> partition showpolicies

        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                14: Enable PED use without challenge : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1

        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                14: Challenge for authentication not needed : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed :9   <--
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1


Command Result : No Error
lunacm:>

Note in the example above that Partition Capability "20: Max failed user logins allowed : 10" still has a value of 10 (meaning that 10 is the largest number of failed Partition login attempts that can be permitted), but the associated Policy "20: Max failed user logins allowed : 9" now has a value of 9, meaning that the SO has decided that 10 bad login attempts on the Partition was too many. The SO has used the Policy to impose a greater restriction than the Capability requires; that is, the SO has increased the security of the partition.
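The rule illustrated above (a Policy may only make its Capability more restrictive, never less) can be checked outside the HSM before a change is submitted, for example in a change-review or audit script that works from a captured listing. The following Python is an added example written for this page; it is not SafeNet/Thales code, does not talk to lunacm, and does not replace the enforcement the HSM itself performs. It parses a constructed, abbreviated copy of the `partition showpolicies` listing shown above and evaluates a proposed policy value against the matching Capability. It treats "the policy value may not exceed the capability value" as the single rule for every entry in the listing, which is how the inverted `255 - min` encoding of policy 25 turns a longer minimum PIN into a smaller number; that uniform reading is the editor's inference from the listed values, not a statement taken from the page.

```python
"""Check a proposed SafeNet partition Policy change against its Capability.

Added example for this page; not SafeNet/Thales code. It works only on text
captured from `partition showpolicies` and never contacts an HSM.
"""
import re
from typing import Dict, Tuple

# Constructed sample: an abbreviated copy of the listing shown on the page.
SAMPLE_SHOWPOLICIES = """\
        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                20: Max failed user logins allowed : 10
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255

        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                20: Max failed user logins allowed :10   <--
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
"""

Entry = Tuple[str, int]      # (label, value)
Table = Dict[int, Entry]     # keyed by the policy/capability number

# "<number>: <label> : <value>" with an optional trailing "<--" marker.
# The label itself may contain a colon, as in "(inverted: 255 - min)".
_LINE_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*(?:<--)?\s*$")

INVERTED_MIN_PIN = 25        # stored as 255 - minimum length, per the listing


def parse_showpolicies(text: str) -> Tuple[Table, Table]:
    """Split a showpolicies listing into (capabilities, policies)."""
    caps: Table = {}
    pols: Table = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Partition Capabilities":
            current = caps
            continue
        if stripped == "Partition Policies":
            current = pols
            continue
        m = _LINE_RE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return caps, pols


def min_pin_from_inverted(value: int) -> int:
    """Decode policy 25: the listing stores 255 - minimum PIN length."""
    return 255 - value


def check_policy_change(caps: Table, policy_id: int, new_value: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for setting policy_id to new_value.

    Rule from the page: a Policy can only make its Capability more restrictive.
    With the listing's encodings, "more restrictive" is always a value less
    than or equal to the Capability value (editor's reading of the encodings).
    """
    if policy_id not in caps:
        return False, f"policy {policy_id}: no matching capability in listing"
    label, cap_value = caps[policy_id]
    if new_value < 0:
        return False, f"policy {policy_id} ({label}): value must be non-negative"
    if cap_value == 0 and new_value != 0:
        # A disabled Capability cannot be switched on by a Policy.
        return False, f"policy {policy_id} ({label}): capability is disabled"
    if new_value > cap_value:
        detail = ""
        if policy_id == INVERTED_MIN_PIN:
            detail = (f" (minimum PIN {min_pin_from_inverted(new_value)} would be shorter"
                      f" than the capability's {min_pin_from_inverted(cap_value)})")
        return False, (f"policy {policy_id} ({label}): {new_value} exceeds "
                       f"capability {cap_value}{detail}")
    return True, f"policy {policy_id} ({label}): {new_value} <= capability {cap_value}, allowed"


def audit_policies(caps: Table, pols: Table) -> Dict[int, str]:
    """Flag any policy in a captured listing that is looser than its capability."""
    findings: Dict[int, str] = {}
    for pid, (_label, value) in pols.items():
        ok, reason = check_policy_change(caps, pid, value)
        if not ok:
            findings[pid] = reason
    return findings


if __name__ == "__main__":
    caps, pols = parse_showpolicies(SAMPLE_SHOWPOLICIES)
    print("current minimum PIN length:", min_pin_from_inverted(pols[INVERTED_MIN_PIN][1]))
    # 20 -> 9 is the change made on the page; the others probe the boundaries.
    for pid, value in [(20, 9), (20, 11), (25, 247), (25, 249), (1, 1), (0, 0)]:
        ok, reason = check_policy_change(caps, pid, value)
        print("ALLOW " if ok else "REJECT", reason)
    print("audit findings:", audit_policies(caps, pols) or "none")
```

Run against a listing captured after a change (the second `partition showpolicies` output above), `audit_policies` returns no findings, because every Policy is at or below its Capability; a listing where a Policy exceeds its Capability would indicate a capture or transcription error, since the HSM does not accept such a setting.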