
Partition Creation with Policy Template Using LunaCM

Partition Policy Templates enable administrators to replicate configured application partitions, speeding the provisioning process and ensuring consistent policy assignments across partitions with similar security requirements. The Partition Policy Template feature enables scalable policy management across tens and hundreds of partitions while also simplifying future audit and compliance requirements.

Administrators can specify the initial value for each policy, as well as whether changes to the policy AFTER the partition is created will be destructive to existing user objects on the partition. This destructive or non-destructive behavior can be specified independently for the on-to-off and off-to-on transitions of the policy. Once the combined initial values and destructiveness of each partition policy are configured as desired, they can be saved as a named policy template. Multiple such policy templates can be saved on the appliance, or exported and imported between appliances.

An administrator creating an application partition can optionally specify a previously saved policy template in order to create the partition with policy settings as configured in the template. If no policy template is specified during partition creation, the HSM uses built-in default partition policy values.

Partition policy templates cannot be used to alter settings for an existing application partition. Once a partition has been created, with or without the use of a policy template, the administrator continues to use the partition changePolicy command to make changes to individual policy values.

Note: Policy destructiveness settings cannot be altered on an existing application partition, as these can be specified only at the time the partition is created.

The examples on this page apply to manipulating application partitions via lunacm. (For partition policy template examples using lunash, see Partition Creation with Policy Template Using Lunash.)

Process for a New Template

The general procedure is as follows:

Create (and load for editing) a new, unnamed partition policy template. The possible policy codes, along with their default settings, are displayed.

Make changes to those default values, one at a time, until you are satisfied. Each change is echoed back.

Save the new partition policy template, applying a name that is unique and easily recognized, and also applying additional descriptive text to help you and future users recall the purpose of this specific template among any others you might create.

Create an application partition, specifying a particular partition policy template by name. This creates the partition with policies applied to it, conforming to the selected template, different from the default set for the HSM.

Create and apply a new partition policy template

For this example, before starting, here are the policy values for a default partition that was created without using a template:

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 0
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                35: Enable private key SFF backup/restore : 1
                36: Enable secret key SFF backup/restore : 1
                37: Enable Secure Trusted Channel : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                 7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                35: Allow private key SFF backup/restore : 1
                36: Allow secret key SFF backup/restore : 1
                37: Force Secure Trusted Channel : 0


Command Result : No Error


Now, create a partition policy template and then create a new application partition using the new template.

Note: You must be in the administrative (HSM SO) slot in order to create a partition policy template.

1. Use the command partition policyTemplateCreate to create a new partition policy template:

lunacm:> partition policytemplatecreate

                                                            Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  0   Allow private key cloning                      On      Yes       No
  1   Allow private key wrapping                     Off     Yes       No
  2   Allow private key unwrapping                   On      No        No
  3   Allow private key masking                      Off     Yes       No
  4   Allow secret key cloning                       On      Yes       No
  5   Allow secret key wrapping                      On      Yes       No
  6   Allow secret key unwrapping                    On      No        No
  7   Allow secret key masking                       Off     Yes       No
  10  Allow multipurpose keys                        On      Yes       No
  11  Allow changing key attributes                  On      Yes       No
  15  Ignore failed challenge responses              On      Yes       No
  16  Operate without RSA blinding                   On      Yes       No
  17  Allow signing with non-local keys              On      No        No
  18  Allow raw RSA operations                       On      Yes       No
  20  Max failed user logins allowed                 10      N/A       N/A
  21  Allow high availability recovery               On      No        No
  22  Allow activation                               On      No        No
  23  Allow auto-activation                          On      No        No
  24  Allow indirect login                           Off     No        No
  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
  26  Maximum pin length                             255     N/A       N/A
  28  Allow Key Management Functions                 On      Yes       No
  29  Perform RSA signing without confirmation       On      Yes       No
  30  Allow Remote Authentication                    On      No        No
  31  Allow private key unmasking                    On      No        No
  32  Allow secret key unmasking                     On      No        No
  33  Allow RSA PKCS mechanism                       On      Yes       No
  34  Allow CBC-PAD (un)wrap keys of any size        On      Yes       No
  35  Allow private key SFF backup/restore           Off     Yes       No
  36  Allow secret key SFF backup/restore            Off     Yes       No
  37  Force Secure Trusted Channel                   Off     No        Yes

          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed

Successfully created and loaded the new partition policy template.

Use 'partition policyTemplateChange' to edit the template and
'partition policyTemplateSave' to save the template once you have applied all necessary
changes.

Command Result : No Error

2. Use the command partition policyTemplateChange to change some policy values in the new partition policy template:

lunacm:> partition policyTemplateChange -policy 25 -value 246

                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
 ______________________________________________________________________________

  25  Minimum pin length (inverted: 255 - min)       246     N/A       N/A

Command Result : No Error

lunacm:> partition policyTemplateChange -policy 20 -value 9

                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
 ______________________________________________________________________________

  20  Max failed user logins allowed                  9      N/A       N/A

Command Result : No Error

lunacm:> partition policyTemplateChange -policy 7 -on non-destructive

                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
 ______________________________________________________________________________

  7   Allow secret key masking                       Off     No        No

Command Result : No Error

3. Use the command partition policyTemplateSave to save the new partition policy template with its modified policy values:

lunacm:> partition policyTemplateSave -name sample01

sample01 successfully saved.

Command Result : No Error

lunacm:> partition policyTemplateList

 Name                        Description
 _______________________________________________________________

 sample01

No partition policy template is currently loaded.

Command Result : No Error

4. Use the command partition create with the -policyTemplate option to create a new application partition, using the partition policy template that you previously created:

lunacm:> partition create -label parfortemplate -policyTemplate sample01

        Please attend to the PED.

Command Result : No Error

lunacm:> slot set slot 0

        Current Slot Id:    0     (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 0
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                35: Enable private key SFF backup/restore : 1
                36: Enable secret key SFF backup/restore : 1
                37: Enable Secure Trusted Channel : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                 7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 9
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 246
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                35: Allow private key SFF backup/restore : 1
                36: Allow secret key SFF backup/restore : 1
                37: Force Secure Trusted Channel : 0


Command Result : No Error  

Modify a partition template, then apply the modified partition template

For this example, we create an application partition using a partition template that has only one policy modified, then change the template to modify an additional policy, and create yet another partition to which we apply the modified template:

Note: You must be in the administrative (HSM SO) slot in order to create, load, and modify a partition policy template.

1. Create and save partition policy template Sample02 with policy 22 set to On, but policy 23 not set (see the previous example for the steps).

2. Use the command partition create with the -policyTemplate option to create a new application partition, using partition policy template Sample02 created previously:

lunacm:> partition create -label parfortemplateagain -policyTemplate Sample02

        Please attend to the PED.

Command Result : No Error 

3. Change to the slot of the newly created partition and use the command partition showpolicies to show the policies of the new partition:

lunacm:> slot set slot 0

        Current Slot Id:    0     (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 0
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                35: Enable private key SFF backup/restore : 1
                36: Enable secret key SFF backup/restore : 1
                37: Enable Secure Trusted Channel : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                 7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                22: Allow activation : 1
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                35: Allow private key SFF backup/restore : 1
                36: Allow secret key SFF backup/restore : 1
                37: Force Secure Trusted Channel : 0


Command Result : No Error 

Observe that policy 22 is on and policy 23 is off: this is the result of creating the partition with partition policy template Sample02 as it exists at this moment.

4. Use the command partition policyTemplateList to show the available partition policy templates:

lunacm:> partition policyTemplateList

 Name                        Description
_______________________________________________________________

 Sample02                    Another template
 sample01                    Sample partition policyTemplate

No partition policy template is currently loaded.

Command Result : No Error 

5. Go back to the administrative slot if necessary, and use the command partition policyTemplateLoad to load template Sample02 for modification:

lunacm:> partition policyTemplateLoad -name Sample02

Successfully loaded Sample02 partition policy template for editing.

Command Result : No Error 

6. Use the command partition policyTemplateChange to change policy 23 in the loaded (for editing) partition policy template:

lunacm:> partition policyTemplateChange -policy 23 -value on

                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
 ______________________________________________________________________________

  23  Allow auto-activation                          On      No        No

Command Result : No Error 

Observe that the text strings "On" and "Off" can be used interchangeably with the numeric settings "1" and "0" to set a policy; both forms are accepted.

7. Use the command partition policyTemplateSave to save the newly modified partition policy template with its modified policy value. Do not provide a name; the loaded template already has one (in this case, "Sample02"):

lunacm:> partition policyTemplateSave

        Saving the modified settings will overwrite the existing template "Sample02".

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Sample02 successfully saved.

Command Result : No Error 

8. Delete the previously created demonstration partition, if necessary to make room. Then use the command partition create with the -policyTemplate option to create another new application partition, using partition policy template Sample02, created previously and just now modified:

lunacm:> partition create -label parfortemplateyetagain -policyTemplate Sample02

        Please attend to the PED.

Command Result : No Error 

9. Change to the slot of the new partition and use the command partition showpolicies to show its policies:

lunacm:> slot set slot 0

        Current Slot Id:    0     (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 0
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                35: Enable private key SFF backup/restore : 1
                36: Enable secret key SFF backup/restore : 1
                37: Enable Secure Trusted Channel : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                 7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                22: Allow activation : 1
                23: Allow auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                35: Allow private key SFF backup/restore : 1
                36: Allow secret key SFF backup/restore : 1
                37: Force Secure Trusted Channel : 0


Command Result : No Error

Observe that both policy 22 and policy 23 are on (value = 1) as soon as the partition parfortemplateyetagain is created using the recently modified partition policy template "Sample02". For more information about those frequently used policies, see About Activation and Auto-Activation.

Note: The chosen partition policy template affects the policies of a partition only at the moment the partition is created.

In the examples on this page, partition parfortemplateagain was created when policy template Sample02 modified only partition policy 22. Therefore, partition parfortemplateagain does not have partition policy 23 set. A change to the policy template does not affect a partition that already exists; it takes effect only for partitions created with that template after the template was modified.

Partition parfortemplateyetagain was created with the template after that modification, so it shows both policies changed.

You can change a policy on an existing partition manually, using the partition changePolicy command.
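As an added example (not part of the Luna documentation or the lunacm tool), the following Python script parses a policy template table and a partition showpolicies listing in the formats shown on this page and reports every policy where a partition differs from the template, which is how the drift described above (parfortemplateagain lacking policy 23) would surface in an audit. The sample inputs are constructed from this page's values and the function names are my own.

```python
import re

# Constructed sample input in the table format lunacm prints for
# "partition policyTemplateCreate" (a subset of the policy codes).
TEMPLATE_TEXT = """\
                                                            Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  20  Max failed user logins allowed                 10      N/A       N/A
  22  Allow activation                               On      No        No
  23  Allow auto-activation                          On      No        No
  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
  37  Force Secure Trusted Channel                   Off     No        Yes
"""

# Constructed sample input in the format of "partition showpolicies", for a
# partition that was created before policy 23 was turned on in the template.
SHOWPOLICIES_TEXT = """\
        Partition Capabilities
                22: Enable activation : 1
                23: Enable auto-activation : 1
        Partition Policies
                20: Max failed user logins allowed : 10
                22: Allow activation : 1
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                37: Force Secure Trusted Channel : 0
"""

# One template row: code, description, value, Off-To-On, On-To-Off.
TEMPLATE_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s{2,}(\S+)\s+(\S+)\s+(\S+)\s*$")
# One showpolicies row: "code: description : value".
POLICY_ROW = re.compile(r"^\s*(\d+):\s+(.+?)\s+:\s+(\S+)\s*$")


def normalize(value):
    """lunacm accepts On/Off and 1/0 interchangeably; compare everything as int."""
    v = value.strip().lower()
    if v == "on":
        return 1
    if v == "off":
        return 0
    return int(v)


def parse_template(text):
    """Return {code: {desc, value, off_to_on, on_to_off}} from a template table."""
    policies = {}
    for line in text.splitlines():
        m = TEMPLATE_ROW.match(line)
        if m:
            code, desc, value, off_on, on_off = m.groups()
            policies[int(code)] = {"desc": desc.strip(), "value": normalize(value),
                                   "off_to_on": off_on, "on_to_off": on_off}
    return policies


def parse_showpolicies(text):
    """Return {code: value} from the 'Partition Policies' section only; the
    'Partition Capabilities' section lists what the HSM permits, not what is set."""
    in_policies = False
    policies = {}
    for line in text.splitlines():
        heading = line.strip()
        if heading in ("Partition Policies", "Partition Capabilities"):
            in_policies = heading == "Partition Policies"
            continue
        m = POLICY_ROW.match(line)
        if in_policies and m:
            policies[int(m.group(1))] = normalize(m.group(3))
    return policies


def min_pin_length(policy25_value):
    """Policy 25 is stored inverted: the real minimum PIN length is 255 - value."""
    return 255 - policy25_value


def audit(template, partition):
    """Return (code, description, template_value, partition_value) for every
    template policy whose value on the partition differs or is missing."""
    drift = []
    for code, spec in sorted(template.items()):
        actual = partition.get(code)
        if actual != spec["value"]:
            drift.append((code, spec["desc"], spec["value"], actual))
    return drift


if __name__ == "__main__":
    partition = parse_showpolicies(SHOWPOLICIES_TEXT)
    for code, desc, want, got in audit(parse_template(TEMPLATE_TEXT), partition):
        print(f"policy {code} ({desc}): template={want} partition={got}")
    print("minimum PIN length:", min_pin_length(partition[25]))
```

Run it against the real output of partition policyTemplateLoad plus policyTemplateChange and partition showpolicies from each partition that claims to follow a template; an empty drift list is the compliance evidence.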

Delete a partition policy template

If a partition policy template is no longer useful, use the command partition policyTemplateDelete to remove that template from the list.

Note: You must be in the administrative (HSM SO) slot in order to delete a partition policy template.

lunacm:> slot list

        Slot Id ->              0
        Tunnel Slot Id ->       2
        Label ->
        Serial Number ->        349297122742
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Current Slot Id: 1


Command Result : No Error

lunacm:> slot set slot 1

        Current Slot Id:    1     (Luna Admin Slot 6.24.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:> partition policyTemplateList

 Name                        Description
 _______________________________________________________________

 Sample02                    Another template
 sample01


No partition policy template is currently loaded.

Command Result : No Error

lunacm:> partition policyTemplateDelete -name sample01

        Are you sure you wish to delete partition policy template: sample01

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Successfully deleted partition policy template: sample01

Command Result : No Error

lunacm:> slot set slot 1

        Current Slot Id:    1     (Luna Admin Slot 6.24.0 (PED) Signing With Cloning Mode)

Command Result : No Error

lunacm:> partition policyTemplateList

 Name                        Description
 _______________________________________________________________

 Sample02                    Another template

No partition policy template is currently loaded.

Command Result : No Error