Setting SafeNet PCI-E HSM Policies, PED-authenticated [Optional]
HSM Capabilities represent the underlying factory configurations of the HSM. HSM Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can change a Capability from off to on (disabled to enabled). If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.
In most cases, Configurations and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some involve a range of values.
In this example, we show the initial values of the HSM Capabilities and their corresponding Policies, then we change one Policy, and show the values again. The settings you would see for a Password-Authenticated HSM and a PED-Authenticated HSM might differ slightly, but the general principle and the operation of a policy change are the same.
1. First, for this example, display the basic HSM information.
lunacm:> hsm showinfo

        HSM Label -> no label
        HSM Manufacturer -> Safenet, Inc.
        HSM Model -> K6 Base
        HSM Serial Number -> 456278
        Token Flags ->
                CKF_RNG
                CKF_LOGIN_REQUIRED
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_PROTECTED_AUTHENTICATION_PATH
        Firmware Version -> 6.1.3
        Rollback Firmware Version -> 6.1.0
        Slot Id -> 1
        Tunnel Slot Id -> 2
        Session State -> CKS_RW_PUBLIC_SESSION
        SO Status-> Not Logged In
        SO information is not available (HSM has not been initialized)
        HSM Storage:
                Total Storage Space: 2097152
                Used Storage Space: 0
                Free Storage Space: 2097152
                Allowed Partitions: 20
                Number of Partitions: 0
        SO Storage:
                Total Storage Space: 262144
                Used Storage Space: 0
                Free Storage Space: 262144
                Object Count: 0

        *** The HSM is NOT in FIPS 140-2 approved operation mode. ***

        License Count -> 7
                1. 621000026-000 621-000026-000 K6 BASE CONFIGURATION FILE,HSM UNMASKING
                2. 620127-000 ECC
                3. 620114-001 Cloning
                4. 620127-000 Test K3 ECC Update - 620127
                5. 621010358-001 621-010358-001 External MTK - STM disabled
                6. 621010089-001 621-010089-001 Remote Ped
                7. 621000021-001 SCU K5/K6 Performance 15

Command Result : No Error
lunacm:>
Note the message near the end, stating that the HSM is not in FIPS 140-2 approved operation mode. This is a condition that we are about to change for the purpose of providing an example; you do not need to make this particular change unless your organization's security policy calls for it.
2. Now display the controlling policies as they currently exist on the HSM.
lunacm:> hsm showpolicies

        HSM Capabilities
                0: Enable PIN-based authentication : 0
                1: Enable PED-based authentication : 1
                2: Performance level : 5
                4: Enable domestic mechanisms & key sizes : 1
                6: Enable masking : 1
                7: Enable cloning : 1
                8: Enable special cloning certificate : 0
                9: Enable full (non-backup) functionality : 1
                11: Enable ECC mechanisms : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                20: Enable Remote Authentication : 1
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 1
                26: Enable External Storage of MTK Split : 1
                27: HSM non-volatile storage space : 2097152
                28: Enable HA mode CGX : 0
                29: Enable Acceleration : 1
                30: Enable unmasking : 1

        HSM Policies
                0: PIN-based authentication : 0
                1: PED-based authentication : 1
                6: Allow masking : 1
                7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 1
                16: Allow network replication : 1
                20: Allow Remote Authentication : 1
                21: Force user PIN change after set/reset : 0
                22: Allow offboard storage : 1
                23: Allow partition groups : 0
                25: Allow remote PED usage : 1
                26: Store MTK Split Externally : 1
                29: Allow Acceleration : 1
                30: Allow unmasking : 1

        SO Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                14: Enable PED use without challenge : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1

        SO Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                14: Challenge for authentication not needed : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1

Command Result : No Error
lunacm:>
3. For this example, to change an HSM Policy setting, you must provide the number that identifies the Policy and then the value for the desired state. First log in to the HSM using the SafeNet PED (the SafeNet PED must be connected and ready before you log in; for a password-authenticated HSM the password is needed and no PED is involved), then type the hsm changeHSMPolicy or the hsm changeSOPolicy command:
lunacm:> hsm login
Please attend to the PED
Note: At this time, you must respond to the prompts on the SafeNet PED screen.
command Result : No error
lunacm:> hsm changeHSMPolicy -policy 12 -value 0
command Result : No error
lunacm:>
lunacm:> hsm showpolicies

        HSM Capabilities
                0: Enable PIN-based authentication : 0
                1: Enable PED-based authentication : 1
                2: Performance level : 5
                4: Enable domestic mechanisms & key sizes : 1
                6: Enable masking : 1
                7: Enable cloning : 1
                8: Enable special cloning certificate : 0
                9: Enable full (non-backup) functionality : 1
                11: Enable ECC mechanisms : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                20: Enable Remote Authentication : 1
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 1
                26: Enable External Storage of MTK Split : 1
                27: HSM non-volatile storage space : 2097152
                28: Enable HA mode CGX : 0
                29: Enable Acceleration : 1
                30: Enable unmasking : 1

        HSM Policies
                0: PIN-based authentication : 0
                1: PED-based authentication : 1
                6: Allow masking : 1
                7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 0
                15: SO can reset partition PIN : 1
                16: Allow network replication : 1
                20: Allow Remote Authentication : 1
                21: Force user PIN change after set/reset : 0
                22: Allow offboard storage : 1
                23: Allow partition groups : 0
                25: Allow remote PED usage : 1
                26: Store MTK Split Externally : 1
                29: Allow Acceleration : 1
                30: Allow unmasking : 1

        SO Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                14: Enable PED use without challenge : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1

        SO Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                14: Challenge for authentication not needed : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1

Command Result : No Error
lunacm:>
lunacm:> hsm showinfo

        HSM Label -> no label
        HSM Manufacturer -> Safenet, Inc.
        HSM Model -> K6 Base
        HSM Serial Number -> 456278
        Token Flags ->
                CKF_RNG
                CKF_LOGIN_REQUIRED
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_PROTECTED_AUTHENTICATION_PATH
        Firmware Version -> 6.1.3
        Rollback Firmware Version -> 6.1.0
        Slot Id -> 1
        Tunnel Slot Id -> 2
        Session State -> CKS_RW_PUBLIC_SESSION
        SO Status-> Not Logged In
        SO information is not available (HSM has not been initialized)
        HSM Storage:
                Total Storage Space: 2097152
                Used Storage Space: 0
                Free Storage Space: 2097152
                Allowed Partitions: 20
                Number of Partitions: 0
        SO Storage:
                Total Storage Space: 262144
                Used Storage Space: 0
                Free Storage Space: 262144
                Object Count: 0

        *** The HSM is in FIPS 140-2 approved operation mode. ***

        License Count -> 7
                1. 621000026-000 621-000026-000 K6 BASE CONFIGURATION FILE,HSM UNMASKING
                2. 620127-000 ECC
                3. 620114-001 Cloning
                4. 620127-000 Test K3 ECC Update - 620127
                5. 621010358-001 621-010358-001 External MTK - STM disabled
                6. 621010089-001 621-010089-001 Remote Ped
                7. 621000021-001 SCU K5/K6 Performance 15

Command Result : No Error
lunacm:>
Note in the above example that HSM Capability "12: Enable non-FIPS algorithms : 1" still has a value of 1 (meaning that it remains enabled), but the associated Policy "12: Allow non-FIPS algorithms : 0" now has a value of 0 (meaning that it has been disallowed by the SO). Note also that the message in the middle of the "show" information now says "*** The HSM is in FIPS 140-2 approved operation mode. ***" because the HSM is now restricted to using only FIPS-approved algorithms.
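As an added example (not code from the SafeNet documentation or the lunacm tool), the following Python parses a constructed, abbreviated copy of the hsm showpolicies output above and models the rule this page describes: a Policy can only be changed while its Capability is enabled, and only towards a more restrictive value. The sample text, the function names and the "lower value is more restrictive" rule are assumptions of this example; the inverted minimum-PIN-length decoding follows the label shown in the output.

```python
import re

# Constructed sample, abbreviated from the "hsm showpolicies" output shown on this page.
SAMPLE = """\
HSM Capabilities
        12: Enable non-FIPS algorithms : 1
        15: Enable SO reset of partition PIN : 1
        18: FIPS evaluated : 0
        23: Enable partition groups : 0
HSM Policies
        12: Allow non-FIPS algorithms : 1
        15: SO can reset partition PIN : 1
        23: Allow partition groups : 0
SO Policies
        20: Max failed user logins allowed : 3
        25: Minimum pin length (inverted: 255 - min) : 248
"""

LINE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")  # "<n>: <description> : <value>"

def parse_showpolicies(text):
    """Return {section: {number: (description, value)}} from 'hsm showpolicies' output."""
    sections, current = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if m and current is not None:
            sections[current][int(m.group(1))] = (m.group(2), int(m.group(3)))
        elif line.strip():
            current = line.strip()           # section header, e.g. "HSM Policies"
            sections.setdefault(current, {})
    return sections

def is_allowed_change(sections, cap_section, pol_section, number, new_value):
    """Model the page's rule: a Policy may be changed only if its Capability is
    enabled (non-zero) and only to a more restrictive setting. Assumption: for the
    encodings shown (0/1 flags, counters, the inverted PIN length) lower is stricter."""
    cap = sections.get(cap_section, {}).get(number)
    pol = sections.get(pol_section, {}).get(number)
    if cap is None or pol is None or cap[1] == 0:
        return False
    return new_value < pol[1]

def min_pin_length(sections):
    # SO Policy 25 stores the minimum PIN length inverted: value = 255 - min.
    return 255 - sections["SO Policies"][25][1]

def fips_policy_ok(sections):
    # On this page, FIPS 140-2 approved mode follows from HSM Policy 12 being 0.
    return sections["HSM Policies"][12][1] == 0
```

Run against a saved copy of the real output, the parser gives a baseline you can diff after every SO policy change, and is_allowed_change flags requests (such as re-enabling a Policy, or touching one whose Capability is off) that the HSM would not accept anyway.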
lunacm:> hsm changeHSMPolicy -policy 15 -value 0
That command assigns a value of zero (0) to the “Enable SO reset of partition PIN” policy, turning it off.
The above example is a change to a destructive policy, meaning that, if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm that this is what you really wish to do. You must then re-initialize the HSM. While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your SafeNet HSM has been in a "live" or "production" environment and contains useful or important data, keys, or certificates.
The work-around is to back up any important HSM or partition contents before making any destructive policy change, and then restore from backup after the HSM is re-initialized and the partition re-created.