
Partition Creation with Policy Template Using Lunash

Partition Policy Templates enable administrators to replicate configured application partitions, speeding the provisioning process and ensuring consistent policy assignments across partitions with similar security requirements. The Partition Policy Template feature enables scalable policy management across tens or hundreds of partitions while also simplifying future audit and compliance requirements.

Administrators can specify the initial value for each policy, as well as whether changes to the policy after the partition is created will be destructive to existing user objects on the partition. This destructive or non-destructive behavior can be specified independently for the off-to-on and on-to-off transitions of the policy. Once the combined initial values and destructiveness of each partition policy are configured as desired, they can be saved as a named policy template. Multiple such policy templates can be saved on the appliance, or exported and imported between appliances.

An administrator creating an application partition can optionally specify a previously saved policy template in order to create the partition with policy settings as configured in the template. If no policy template is specified during partition creation, the HSM uses built-in default partition policy values.

Partition policy templates cannot be used to alter settings for an existing application partition. Once a partition has been created, with or without the use of a policy template, the administrator continues to use the partition changePolicy command to make changes to individual policy values.

Note:  Policy destructiveness settings cannot be altered on an existing application partition; they can be specified only at the time the partition is created.

The examples on this page apply to manipulating application partitions via lunash. (For partition policy template examples using lunacm, see Partition Creation with Policy Template Using LunaCM.)

Process for a New Template

The general procedure is as follows:

Create (and load for editing) a new, unnamed partition policy template. The possible policy codes, along with their default settings, are displayed.

Make changes to those default values, one at a time, until you are satisfied. Each change is echoed back.

Save the new partition policy template, applying a name that is unique and easily recognized, and also applying additional descriptive text to assist yourself and future users to recall the purpose of this specific template among any others you might create.

Create an application partition, specifying a particular partition policy template by name. This creates the partition with policies applied to it, conforming to the selected template, different from the default set for the HSM.

Create and apply a new partition policy template

For this example, before starting, here are the policy values for a default partition that was created without using a template:

 lunash:>partition showPolicies -partition mylegacypar1

   Partition Name:                            mylegacypar1
   Partition SN:                              16298193222735
   Partition Label:                           mylegacypar1
   The following capabilities describe this partition and can
   never be changed.

   Description                              Value
   ===========                              =====
   Enable private key cloning               Allowed
   Enable private key wrapping              Disallowed
   Enable private key unwrapping            Allowed
   Enable private key masking               Disallowed
   Enable secret key cloning                Allowed
   Enable secret key wrapping               Allowed
   Enable secret key unwrapping             Allowed
   Enable secret key masking                Disallowed
   Enable multipurpose keys                 Allowed
   Enable changing key attributes           Allowed
   Allow failed challenge responses         Allowed
   Enable operation without RSA blinding    Allowed
   Enable signing with non-local keys       Allowed
   Enable raw RSA operations                Allowed
   Max failed user logins allowed           10
   Enable high availability recovery        Allowed
   Enable activation                        Allowed
   Enable auto-activation                   Allowed
   Minimum pin length (inverted: 255 - min) 248
   Maximum pin length                       255
   Enable Key Management Functions          Allowed
   Enable RSA signing without confirmation  Allowed
   Enable Remote Authentication             Allowed
   Enable private key unmasking             Allowed
   Enable secret key unmasking              Allowed
   Enable RSA PKCS mechanism                Allowed
   Enable CBC-PAD (un)wrap keys of any size Allowed
   Enable private key SFF backup/restore    Disallowed
   Enable secret key SFF backup/restore     Disallowed
   Enable Secure Trusted Channel            Allowed


   The following policies describe the current configuration
   of this partition and may be changed by the HSM Administrator.

   Description                              Value        Code
   ===========                              =====        ====
   Allow private key cloning                On           0
   Allow private key unwrapping             On           2
   Allow secret key cloning                 On           4
   Allow secret key wrapping                On           5
   Allow secret key unwrapping              On           6
   Allow multipurpose keys                  On           10
   Allow changing key attributes            On           11
   Ignore failed challenge responses        On           15
   Operate without RSA blinding             On           16
   Allow signing with non-local keys        On           17
   Allow raw RSA operations                 On           18
   Max failed user logins allowed           10           20
   Allow high availability recovery         On           21
   Allow activation                         Off          22
   Allow auto-activation                    Off          23
   Minimum pin length (inverted: 255 - min) 248          25
   Maximum pin length                       255          26
   Allow Key Management Functions           On           28
   Perform RSA signing without confirmation On           29
   Allow Remote Authentication              On           30
   Allow private key unmasking              On           31
   Allow secret key unmasking               On           32
   Allow RSA PKCS mechanism                 On           33
   Allow CBC-PAD (un)wrap keys of any size  On           34
   Force Secure Trusted Channel             Off          37

Command Result : 0 (Success)

To create a partition policy template and apply it

Create a partition policy template and then create a new application partition using the new template.

1. Use the command partition policyTemplate create to create a new partition policy template:

lunash:>partition policytemplate create -partition legacyfortemplate01

                                                            Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  0   Allow private key cloning                      On      Yes       No
  1   Allow private key wrapping                     Off     Yes       No
  2   Allow private key unwrapping                   On      No        No
  3   Allow private key masking                      Off     Yes       No
  4   Allow secret key cloning                       On      Yes       No
  5   Allow secret key wrapping                      On      Yes       No
  6   Allow secret key unwrapping                    On      No        No
  7   Allow secret key masking                       Off     Yes       No
  10  Allow multipurpose keys                        On      Yes       No
  11  Allow changing key attributes                  On      Yes       No
  15  Ignore failed challenge responses              On      Yes       No
  16  Operate without RSA blinding                   On      Yes       No
  17  Allow signing with non-local keys              On      No        No
  18  Allow raw RSA operations                       On      Yes       No
  20  Max failed user logins allowed                 10      N/A       N/A
  21  Allow high availability recovery               On      No        No
  22  Allow activation                               On      No        No
  23  Allow auto-activation                          On      No        No
  24  Allow indirect login                           Off     No        No
  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
  26  Maximum pin length                             255     N/A       N/A
  28  Allow Key Management Functions                 On      Yes       No
  29  Perform RSA signing without confirmation       On      Yes       No
  30  Allow Remote Authentication                    On      No        No
  31  Allow private key unmasking                    On      No        No
  32  Allow secret key unmasking                     On      No        No
  33  Allow RSA PKCS mechanism                       On      Yes       No
  34  Allow CBC-PAD (un)wrap keys of any size        On      Yes       No
  35  Allow private key SFF backup/restore           Off     Yes       No
  36  Allow secret key SFF backup/restore            Off     Yes       No
  37  Force Secure Trusted Channel                   Off     No        Yes

          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed

Successfully created and loaded the new partition policy template.

Use 'partition policyTemplate change' to edit the template and
'partition policyTemplate save' to save the template once you have applied all necessary
changes.

Command Result : 0 (Success)

 

2. Use the command partition policyTemplate change to change some policy values in the new partition policy template:

 lunash:>partition policytemplate change -policy 25 -value 246


                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  25  Minimum pin length (inverted: 255 - min)       246     N/A       N/A

Command Result : 0 (Success)
lunash:>partition policytemplate change -policy 20 -value 9


                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  20  Max failed user logins allowed                  9      N/A       N/A

Command Result : 0 (Success)
lunash:>partition policytemplate change -policy 7 -on non-destructive


                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  7   Allow secret key masking                       Off     No        No

Command Result : 0 (Success)

 

3. Use the command partition policyTemplate save to save the new partition policy template with its modified policy values:

[mylunasa6] lunash:>partition policytemplate save -filename sample01 -description "some text meaningful to you"


sample01 successfully saved.

Command Result : 0 (Success)
lunash:>partition policyTemplate list


 Name                        Description
_______________________________________________________________

 sample01                    Sample partition policyTemplate



No partition policy template is currently loaded.

Command Result : 0 (Success)

 

4. If you are not already logged in as the HSM SO, log in now.

lunash:>hsm login

5. Use the command partition create with the -policyTemplate option to create a new application partition, using the partition policy template that you previously created:

lunash:>partition create -partition legacyfortemplate02 -label legacyfortemplate02 -policyTemplate sample01


On completion, you will have this number of partitions: 4

          Type 'proceed' to create the initialized partition, or
          'quit' to quit now.
          > proceed
Please ensure that you copy the password from the Luna PED and
that you keep it in a safe place.

Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.

Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.

'partition create' successful.


Command Result : 0 (Success)
lunash:>partition show

   Partition Name:                            legacyfortemplate02
   Partition SN:                              16298193222737
   Partition Label:                           legacyfortemplate02
   Crypto Officer   PIN To Be Changed:        no
   Crypto Officer   Challenge To Be Changed:  no
   Crypto Officer   Locked Out:               no
   Crypto Officer   Login Attempts Left:      9
   Crypto Officer   is activated:             no
   Crypto User      is not initialized.
   Legacy Domain Has Been Set:                no
   Partition Storage Information (Bytes):     Total=153209, Used=0, Free=153209
   Partition Object Count:                    0

   Partition Name:                            legacyfortemplate01
   Partition SN:                              16298193222736
   Partition Label:                           legacyfortemplate01
   Crypto Officer   PIN To Be Changed:        no
   Crypto Officer   Challenge To Be Changed:  no
   Crypto Officer   Locked Out:               no
   Crypto Officer   Login Attempts Left:      10
   Crypto Officer   is activated:             yes
   Crypto User      is not initialized.
   Legacy Domain Has Been Set:                no
   Partition Storage Information (Bytes):     Total=153209, Used=0, Free=153209
   Partition Object Count:                    0

   Partition Name:                            mylegacypar1
   Partition SN:                              16298193222735
   Partition Label:                           mylegacypar1
   Crypto Officer   PIN To Be Changed:        no
   Crypto Officer   Challenge To Be Changed:  no
   Crypto Officer   Locked Out:               no
   Crypto Officer   Login Attempts Left:      9
   Crypto Officer   is activated:             no
   Crypto User      is not initialized.
   Legacy Domain Has Been Set:                no
   Partition Storage Information (Bytes):     Total=153209, Used=0, Free=153209
   Partition Object Count:                    0

   Partition Name:                            mypsopar1
   Partition SN:                              16298193222734
   Partition Label:                           mysapsopar1
   Partition SO     PIN To Be Changed:        no
   Partition SO     Challenge To Be Changed:  no
   Partition SO     Zeroized:                 no
   Partition SO     Login Attempts Left:      10
   Crypto Officer   PIN To Be Changed:        no
   Crypto Officer   Challenge To Be Changed:  no
   Crypto Officer   Locked Out:               no
   Crypto Officer   Login Attempts Left:      10
   Crypto User      is not initialized.
   Legacy Domain Has Been Set:                no
   Partition Storage Information (Bytes):     Total=153209, Used=0, Free=153209
   Partition Object Count:                    0

Command Result : 0 (Success)

 

Modify a partition template, then apply the modified partition template

For this example, we create an application partition using a policy template in which only one policy has been modified, then change the template to modify a second policy, and create another partition to which we apply the modified template:

1. Partition policy template Sample02 has policy 22 set to On, but policy 23 has not been set. Use the command partition create with the -policyTemplate option to create a new application partition, using the previously created partition policy template Sample02:

lunash:>partition create -partition legacyfortemplate03 -label legacyfortempate03 -policyTemplate Sample02


On completion, you will have this number of partitions: 5

          Type 'proceed' to create the initialized partition, or
          'quit' to quit now.
          > proceed
Please ensure that you copy the password from the Luna PED and
that you keep it in a safe place.

Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.

Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.

'partition create' successful.


Command Result : 0 (Success)

 

2. Use the command partition showPolicies to show the policies of the new partition:

lunash:>partition showpolicies -partition legacyfortemplate03

   Partition Name:                            legacyfortemplate03
   Partition SN:                              16298193222739
   Partition Label:                           legacyfortempate03
   The following capabilities describe this partition and can
   never be changed.

   Description                              Value
   ===========                              =====
   Enable private key cloning               Allowed
   Enable private key wrapping              Disallowed
   Enable private key unwrapping            Allowed
   Enable private key masking               Disallowed
   Enable secret key cloning                Allowed
   Enable secret key wrapping               Allowed
   Enable secret key unwrapping             Allowed
   Enable secret key masking                Disallowed
   Enable multipurpose keys                 Allowed
   Enable changing key attributes           Allowed
   Allow failed challenge responses         Allowed
   Enable operation without RSA blinding    Allowed
   Enable signing with non-local keys       Allowed
   Enable raw RSA operations                Allowed
   Max failed user logins allowed           10
   Enable high availability recovery        Allowed
   Enable activation                        Allowed
   Enable auto-activation                   Allowed
   Minimum pin length (inverted: 255 - min) 248
   Maximum pin length                       255
   Enable Key Management Functions          Allowed
   Enable RSA signing without confirmation  Allowed
   Enable Remote Authentication             Allowed
   Enable private key unmasking             Allowed
   Enable secret key unmasking              Allowed
   Enable RSA PKCS mechanism                Allowed
   Enable CBC-PAD (un)wrap keys of any size Allowed
   Enable private key SFF backup/restore    Disallowed
   Enable secret key SFF backup/restore     Disallowed
   Enable Secure Trusted Channel            Allowed


   The following policies describe the current configuration
   of this partition and may be changed by the HSM Administrator.

   Description                              Value        Code
   ===========                              =====        ====
   Allow private key cloning                On           0
   Allow private key unwrapping             On           2
   Allow secret key cloning                 On           4
   Allow secret key wrapping                On           5
   Allow secret key unwrapping              On           6
   Allow multipurpose keys                  On           10
   Allow changing key attributes            On           11
   Ignore failed challenge responses        On           15
   Operate without RSA blinding             On           16
   Allow signing with non-local keys        On           17
   Allow raw RSA operations                 On           18
   Max failed user logins allowed           10           20
   Allow high availability recovery         On           21
   Allow activation                         On           22
   Allow auto-activation                    Off          23
   Minimum pin length (inverted: 255 - min) 248          25
   Maximum pin length                       255          26
   Allow Key Management Functions           On           28
   Perform RSA signing without confirmation On           29
   Allow Remote Authentication              On           30
   Allow private key unmasking              On           31
   Allow secret key unmasking               On           32
   Allow RSA PKCS mechanism                 On           33
   Allow CBC-PAD (un)wrap keys of any size  On           34
   Force Secure Trusted Channel             Off          37

Command Result : 0 (Success)

 

Observe that policy 22 is On and policy 23 is Off: this is the result of creating the partition with partition policy template Sample02 as it exists at this moment.

3. Use the command partition policyTemplate list to show the available partition policy templates:

lunash:>partition policyTemplate list

 Name                        Description
_______________________________________________________________

 Sample02                    Another template
 sample01                    Sample partition policyTemplate

No partition policy template is currently loaded.

Command Result : 0 (Success)

 

4. Use the command partition policyTemplate load to load template Sample02 for modification:

lunash:>partition policyTemplate load -name Sample02


Successfully loaded Sample02 partition policy template for editing.

Command Result : 0 (Success)

 

5. Use the command partition policyTemplate change to change policy 23 in the loaded (for editing) partition policy template:

lunash:>partition policyTemplate change -policy 23 -value on

                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  23  Allow auto-activation                          On      No        No

Command Result : 0 (Success)

 

Observe that the text strings "On" and "Off" are interchangeable with the numeric values "1" and "0" when setting a boolean policy; either form is accepted.

6. Use the command partition policyTemplate save to save the newly modified partition policy template with its modified policy value. Do not provide a name; the loaded template already has one (in this case, "Sample02"):

lunash:>partition policyTemplate save

Saving the modified settings will overwrite the existing template "Sample02".

          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed

Sample02 successfully saved.

Command Result : 0 (Success)

 

7. Use the command partition create with the -policyTemplate option to create another new application partition, using partition policy template Sample02, previously created and just now modified:

lunash:>partition create -partition legacyfortemplate04 -label legacyfortempate04 -policyTemplate Sample02

On completion, you will have this number of partitions: 6

          Type 'proceed' to create the initialized partition, or
          'quit' to quit now.
          > proceed
Please ensure that you copy the password from the Luna PED and
that you keep it in a safe place.

Luna PED operation required to create a partition - use User or Partition Owner (black) PED key.

Luna PED operation required to generate cloning domain on the partition - use Domain (red) PED key.

'partition create' successful.

Command Result : 0 (Success)

 

8. Use the command partition showPolicies to show the policies of the new partition:

lunash:>partition showpolicies -partition legacyfortemplate04

   Partition Name:                            legacyfortemplate04
   Partition SN:                              16298193222740
   Partition Label:                           legacyfortempate04
   The following capabilities describe this partition and can
   never be changed.

   Description                              Value
   ===========                              =====
   Enable private key cloning               Allowed
   Enable private key wrapping              Disallowed
   Enable private key unwrapping            Allowed
   Enable private key masking               Disallowed
   Enable secret key cloning                Allowed
   Enable secret key wrapping               Allowed
   Enable secret key unwrapping             Allowed
   Enable secret key masking                Disallowed
   Enable multipurpose keys                 Allowed
   Enable changing key attributes           Allowed
   Allow failed challenge responses         Allowed
   Enable operation without RSA blinding    Allowed
   Enable signing with non-local keys       Allowed
   Enable raw RSA operations                Allowed
   Max failed user logins allowed           10
   Enable high availability recovery        Allowed
   Enable activation                        Allowed
   Enable auto-activation                   Allowed
   Minimum pin length (inverted: 255 - min) 248
   Maximum pin length                       255
   Enable Key Management Functions          Allowed
   Enable RSA signing without confirmation  Allowed
   Enable Remote Authentication             Allowed
   Enable private key unmasking             Allowed
   Enable secret key unmasking              Allowed
   Enable RSA PKCS mechanism                Allowed
   Enable CBC-PAD (un)wrap keys of any size Allowed
   Enable private key SFF backup/restore    Disallowed
   Enable secret key SFF backup/restore     Disallowed
   Enable Secure Trusted Channel            Allowed


   The following policies describe the current configuration
   of this partition and may be changed by the HSM Administrator.

   Description                              Value        Code
   ===========                              =====        ====
   Allow private key cloning                On           0
   Allow private key unwrapping             On           2
   Allow secret key cloning                 On           4
   Allow secret key wrapping                On           5
   Allow secret key unwrapping              On           6
   Allow multipurpose keys                  On           10
   Allow changing key attributes            On           11
   Ignore failed challenge responses        On           15
   Operate without RSA blinding             On           16
   Allow signing with non-local keys        On           17
   Allow raw RSA operations                 On           18
   Max failed user logins allowed           10           20
   Allow high availability recovery         On           21
   Allow activation                         On           22
   Allow auto-activation                    On           23
   Minimum pin length (inverted: 255 - min) 248          25
   Maximum pin length                       255          26
   Allow Key Management Functions           On           28
   Perform RSA signing without confirmation On           29
   Allow Remote Authentication              On           30
   Allow private key unmasking              On           31
   Allow secret key unmasking               On           32
   Allow RSA PKCS mechanism                 On           33
   Allow CBC-PAD (un)wrap keys of any size  On           34
   Force Secure Trusted Channel             Off          37

Command Result : 0 (Success)

 

Observe that both policy 22 and policy 23 are On on partition legacyfortemplate04 from the moment it is created, because it was created with the recently modified partition policy template "Sample02". For more information about those frequently-used policies, see About Activation and Auto-Activation.

Note:  The chosen partition policy template affects the policies of a partition only at the moment that partition is created.

In the examples on this page, partition legacyfortemplate03 was created when policy template Sample02 was set to modify only partition policy 22. Therefore, partition legacyfortemplate03 does not have partition policy 23 set. The change to the policy template does not affect a partition that was already in existence. It has effect only for partitions that are created with that template after the template was modified.

Partition legacyfortemplate04 was created with the template after that modification, so it shows both policies changed.

You can change a policy on an existing partition manually, using the partition changePolicy command, subject to the destructiveness settings that were fixed when that partition was created.
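The drift observed above (policy 23 Off on legacyfortemplate03 but On on legacyfortemplate04, both nominally created from "Sample02") is the kind of discrepancy that the audit and compliance use case at the top of this page needs to detect mechanically across many partitions. The following Python script is an added example and is not part of the Luna documentation or of the appliance software. It parses the policy table printed by partition policyTemplate create/change and the changeable-policy table printed by partition showPolicies (both formats copied from the listings on this page), reports every policy whose value on the partition differs from the template, decodes the inverted minimum PIN length carried by policy 25, and uses the template's destructiveness columns to flag which corrections via partition changePolicy would destroy existing objects. The sample text embedded in the script is constructed from this page's output; the destructiveness flags are meaningful only for a partition that really was created from the compared template, since destructiveness is fixed at creation time.

```python
import re

# Constructed sample (rows copied from the listings on this page): a
# 'partition policyTemplate create'/'change' listing. Columns are
# Code, Description, Value, Destructive Off-To-On, Destructive On-To-Off.
TEMPLATE_LISTING = """\
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  0   Allow private key cloning                      On      Yes       No
  20  Max failed user logins allowed                 9       N/A       N/A
  22  Allow activation                               On      No        No
  23  Allow auto-activation                          On      No        No
  25  Minimum pin length (inverted: 255 - min)       246     N/A       N/A
  37  Force Secure Trusted Channel                   Off     No        Yes
"""

# Constructed sample: the changeable-policy section of 'partition showPolicies'
# for a partition created before policies 20, 23 and 25 were changed in the template.
PARTITION_POLICIES = """\
   Description                              Value        Code
   ===========                              =====        ====
   Allow private key cloning                On           0
   Max failed user logins allowed           10           20
   Allow activation                         On           22
   Allow auto-activation                    Off          23
   Minimum pin length (inverted: 255 - min) 248          25
   Force Secure Trusted Channel             Off          37
"""

TEMPLATE_ROW = re.compile(
    r"^\s*(\d+)\s+(.+?)\s+(On|Off|\d+)\s+(Yes|No|N/A)\s+(Yes|No|N/A)\s*$")
POLICY_ROW = re.compile(r"^\s*(.+?)\s+(On|Off|\d+)\s+(\d+)\s*$")
MIN_PIN_CODE = 25


def normalize(value):
    """On/Off and 1/0 are interchangeable for boolean policies; numbers stay numbers."""
    if value == "On":
        return 1
    if value == "Off":
        return 0
    return int(value)


def parse_template(listing):
    """Map policy code -> {desc, value, off_to_on, on_to_off} from a template listing."""
    policies = {}
    for line in listing.splitlines():
        m = TEMPLATE_ROW.match(line)
        if m:
            code, desc, value, off_to_on, on_to_off = m.groups()
            policies[int(code)] = {"desc": desc, "value": normalize(value),
                                   "off_to_on": off_to_on, "on_to_off": on_to_off}
    return policies


def parse_partition(output):
    """Map policy code -> {desc, value} from 'partition showPolicies' output.
    Capability lines have no trailing code column and therefore never match."""
    policies = {}
    for line in output.splitlines():
        m = POLICY_ROW.match(line)
        if m:
            desc, value, code = m.groups()
            policies[int(code)] = {"desc": desc, "value": normalize(value)}
    return policies


def min_pin_length(inverted):
    """Policy 25 stores 255 - minimum PIN length: 248 -> 7, 246 -> 9."""
    return 255 - inverted


def transition_destructive(template, code, actual, expected):
    """Whether moving a boolean policy from 'actual' to 'expected' is flagged
    destructive in the template. Only meaningful for a partition created from
    this same template, because destructiveness is fixed at creation time.
    Numeric policies carry N/A in the listing and are reported as False."""
    entry = template[code]
    if (actual, expected) == (0, 1):
        return entry["off_to_on"] == "Yes"
    if (actual, expected) == (1, 0):
        return entry["on_to_off"] == "Yes"
    return False


def audit(template, partition):
    """Return (code, desc, expected, actual, destructive) for each policy whose
    value on the partition differs from the template. Codes the partition does
    not expose (its capability is Disallowed) are skipped, not reported."""
    findings = []
    for code in sorted(set(template) & set(partition)):
        expected, actual = template[code]["value"], partition[code]["value"]
        if expected != actual:
            findings.append((code, template[code]["desc"], expected, actual,
                             transition_destructive(template, code, actual, expected)))
    return findings


def report(findings):
    """Human-readable lines, decoding policy 25 into the real minimum PIN length."""
    lines = []
    for code, desc, expected, actual, destructive in findings:
        note = " (changePolicy would be DESTRUCTIVE)" if destructive else ""
        if code == MIN_PIN_CODE:
            desc = f"{desc} [min PIN {min_pin_length(actual)} -> {min_pin_length(expected)}]"
        lines.append(f"policy {code:>2} {desc}: partition={actual} template={expected}{note}")
    return lines


if __name__ == "__main__":
    drift = audit(parse_template(TEMPLATE_LISTING), parse_partition(PARTITION_POLICIES))
    print("\n".join(report(drift)) or "partition matches template")
```

The full output of partition showPolicies can be fed to parse_partition unchanged: the capability rows and the header lines lack the trailing Code column and are ignored. Policies whose capability is Disallowed on the partition (for example code 1, private key wrapping, on the partitions shown above) never appear in showPolicies, so they are left out of the comparison rather than reported as drift.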

Delete a partition policy template

If a partition policy template is no longer useful, use command partition policyTemplate delete to remove that template from the list.

lunash:>partition policyTemplate list

 Name                        Description
_______________________________________________________________

 Sample02                    Another template
 sample01                    Sample partition policyTemplate


No partition policy template is currently loaded.

Command Result : 0 (Success)

lunash:>partition policyTemplate delete -name sample01

Are you sure you wish to delete partition policy template: sample01

          Type 'proceed' to continue, or 'quit'
          to quit now.
          > proceed

Successfully deleted partition policy template: sample01

Command Result : 0 (Success)
lunash:>partition policyTemplate list

 Name                        Description
_______________________________________________________________

 Sample02                    Another template


No partition policy template is currently loaded.

Command Result : 0 (Success)

 

Export and Import partition policy templates

When you have created and saved a partition policy template, you can use it at any time on the current HSM.

You can also export a partition policy template created on the current Network HSM appliance, for use on other SafeNet HSMs. See partition policyTemplate export.

You can also import a partition policy template created on another SafeNet Network HSM appliance and apply it to partitions that you create on the current Network HSM. See partition policyTemplate import.

This feature can be useful in large-scale deployment and provisioning scenarios.