
Set HSM Policies (Password Authentication)

Set any of the alterable policies that are to apply to the HSM.

Note:  Capability vs Policy Interaction
Capabilities identify the purchased features of the product and are set at time of manufacture. Policies represent the HSM Admin’s enabling (or restriction) of those features.

1. Type the hsm showPolicies command to display the current policy set for the HSM.

[myluna] lunash:>hsm showPolicies
HSM Label: myhsm
Serial #:    700022
Firmware:    6.21.0.
The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.

Description                              Value
===========                              =====
Enable PIN-based authentication          Allowed
Enable PED-based authentication          Disallowed
Performance level                        15
Enable domestic mechanisms & key sizes   Allowed
Enable masking                           Allowed
Enable cloning                           Allowed
Enable special cloning certificate       Disallowed
Enable full (non-backup) functionality   Allowed
Enable ECC mechanisms                    Allowed
Enable non-FIPS algorithms               Allowed
Enable SO reset of partition PIN         Allowed
Enable network replication               Allowed
Enable Korean Algorithms                 Disallowed
FIPS evaluated                           Disallowed
Manufacturing Token                      Disallowed
Enable Remote Authentication             Allowed
Enable forcing user PIN change           Allowed
Enable portable masking key              Allowed
Enable partition groups                  Disallowed
Enable Remote PED usage                  Disallowed
Enable external storage of MTK split     Disallowed
HSM non-volatile storage space           2097152
Enable HA mode CGX                       Disallowed
Enable Acceleration                      Allowed
Enable unmasking                         Disallowed

The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.

Description                Value
PIN-based authentication   True

The following policies describe the current configuration of
this HSM and may by changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.

Description                             Value  Code  Destructive
===========                             =====  ====  ===========
Allow masking                           On     6     Yes
Allow cloning                           On     7     Yes
Allow non-FIPS algorithms               On     12    Yes
SO can reset partition PIN              On     15    Yes
Allow network replication               On     16    No
Allow Remote Authentication             On     20    Yes
Force user PIN change after set/reset   Off    21    No
Allow off-board storage                 On     22    Yes
Allow acceleration                      On     29    Yes
Allow unmasking                         On     30    Yes

Command Result : 0 (Success)
[myluna] lunash:>

 

According to the above example, the fixed capabilities require that this HSM be protected with HSM Password Authentication, meaning that the PED and PED Keys are not used for authentication, and instead values are typed from a keyboard.

The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.

Note:  The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. 

The SafeNet HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them.   

The example listing above indicates that non-validated algorithms have been activated. The HSM is as secure with the additional algorithms switched on as it is with them switched off. The only difference is that an auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.

2. Before you can change HSM policies, the HSM SO must log in:

lunash:> hsm login


(If you are not logged in, the above command logs you in, prompting for the HSM Admin password. If you are already logged in, the HSM tells you so, with an error message, that you can ignore.)

3. If you need to modify a policy setting to comply with your operational requirements, type:

lunash:> hsm changePolicy -policy <policyCode> -value <policyValue>


As an example, change code 15 from a value of 1 (On) to 0 (Off).

Example – Change of HSM Policy

lunash:> hsm changePolicy -policy 15 -value 0

That command assigns a value of zero (0) to policy code 15, "SO can reset partition PIN" (the HSM Admin's ability to reset a partition PIN), turning it off. Note that the listing above marks this policy as destructive, so changing it zeroizes the entire HSM.

Refer to the Reference section for a description of all policies and their meanings.
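Because several of the alterable policies are destructive, it is worth comparing a captured hsm showPolicies listing against an intended baseline before typing any hsm changePolicy command, and seeing in advance which corrections would zeroize the HSM. The following Python script is an added example (not SafeNet code and not part of this page): it parses the alterable-policy table shown above (the sample listing below is a constructed copy of that table), compares it with a hypothetical baseline that requires "Allow non-FIPS algorithms" (code 12) to be off, as the FIPS note above discusses, and "Force user PIN change after set/reset" (code 21) to be on, and prints the hsm changePolicy commands that would bring the HSM into line, flagged by whether each change is destructive. The baseline values and the plan_changes helper are assumptions for illustration.

```python
"""Parse an `hsm showPolicies` listing and plan hsm changePolicy commands.

Added example, not SafeNet/Luna code. It assumes the alterable-policy table
has been captured from `lunash:>hsm showPolicies` and pasted into
SAMPLE_LISTING (a constructed copy of the page's example output).
"""
import re

# Constructed sample: the alterable-policy table from the example listing.
SAMPLE_LISTING = """\
Description                             Value  Code  Destructive
===========                             =====  ====  ===========
Allow masking                           On     6     Yes
Allow cloning                           On     7     Yes
Allow non-FIPS algorithms               On     12    Yes
SO can reset partition PIN              On     15    Yes
Allow network replication               On     16    No
Allow Remote Authentication             On     20    Yes
Force user PIN change after set/reset   Off    21    No
Allow off-board storage                 On     22    Yes
Allow acceleration                      On     29    Yes
Allow unmasking                         On     30    Yes
"""

# One policy row: description, On/Off, numeric code, Yes/No destructive flag.
# Tabs or spaces may separate the columns, so \s+ is used throughout.
POLICY_ROW = re.compile(
    r"^(?P<desc>.+?)\s+(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destructive>Yes|No)\s*$"
)

# Hypothetical baseline for this example, keyed by policy code:
#   12 (Allow non-FIPS algorithms) must be Off for a FIPS-restricted setup,
#   21 (Force user PIN change after set/reset) must be On.
BASELINE = {12: False, 21: True}


def parse_policies(text):
    """Return {code: {"description", "on", "destructive"}} for each policy row.

    Header, separator and capability lines do not match POLICY_ROW and are
    skipped, so the whole showPolicies output can be passed in unchanged.
    """
    policies = {}
    for line in text.splitlines():
        m = POLICY_ROW.match(line.strip())
        if not m:
            continue
        policies[int(m["code"])] = {
            "description": m["desc"].strip(),
            "on": m["value"] == "On",
            "destructive": m["destructive"] == "Yes",
        }
    return policies


def plan_changes(policies, baseline=BASELINE):
    """Compare the parsed listing with the baseline.

    Returns one entry per deviation: the lunash command that would correct it
    (value 1 = On, 0 = Off, as on the page) and whether that policy is marked
    destructive, i.e. whether applying it zeroizes the entire HSM.
    """
    plan = []
    for code, want_on in sorted(baseline.items()):
        current = policies.get(code)
        if current is None:
            raise KeyError(f"policy code {code} not present in listing")
        if current["on"] == want_on:
            continue
        plan.append({
            "code": code,
            "description": current["description"],
            "command": f"hsm changePolicy -policy {code} -value {1 if want_on else 0}",
            "destructive": current["destructive"],
        })
    return plan


def destructive_changes(plan):
    """Subset of a plan whose commands would zeroize the HSM."""
    return [p for p in plan if p["destructive"]]


if __name__ == "__main__":
    plan = plan_changes(parse_policies(SAMPLE_LISTING))
    for p in plan:
        flag = "DESTRUCTIVE (zeroizes HSM)" if p["destructive"] else "non-destructive"
        print(f"{p['command']:42} # {p['description']} [{flag}]")
    if destructive_changes(plan):
        print("Back up partitions before applying the destructive changes above.")
```

Run against the sample, the script proposes turning code 12 off (destructive) and code 21 on (non-destructive); the destructive entry is the one to schedule around a backup, since the listing states that changing a destructive policy erases the entire HSM.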

If you have been following the instructions on this page as part of setting up a new HSM system, then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured.  Prepare to Create a Legacy Partition (Password Authenticated)