Set HSM Policies - PED (Trusted Path) Authentication
Set any of the alterable policies that are to apply to the HSM.
Note: Capability vs Policy Interaction
Capabilities identify the purchased features of the product and are set at time of manufacture. Policies represent the HSM Admin’s enabling (or restriction) of those features.
1. Type the hsm showPolicies command to display the current policy set for the HSM.

```
lunash:> hsm showPolicies

   HSM Label: mysahsm
   Serial #: 7000022
   Firmware: 6.22.0

   The following capabilities describe this HSM, and cannot be altered
   except via firmware or capability updates.

   Description                              Value
   ===========                              =====
   Enable PIN-based authentication          Disallowed
   Enable PED-based authentication          Allowed
   Performance level                        15
   Enable domestic mechanisms & key sizes   Allowed
   Enable masking                           Disallowed
   Enable cloning                           Allowed
   Enable special cloning certificate       Disallowed
   Enable full (non-backup) functionality   Allowed
   Enable non-FIPS algorithms               Allowed
   Enable SO reset of partition PIN         Allowed
   Enable network replication               Allowed
   Enable Korean Algorithms                 Allowed
   FIPS evaluated                           Disallowed
   Manufacturing Token                      Disallowed
   Enable Remote Authentication             Allowed
   Enable forcing user PIN change           Allowed
   Enable portable masking key              Allowed
   Enable partition groups                  Disallowed
   Enable remote PED usage                  Allowed
   Enable External Storage of MTK Split     Allowed
   HSM non-volatile storage space           16252928
   Enable Acceleration                      Allowed
   Enable unmasking                         Allowed
   Enable FW5 compatibility mode            Disallowed
   Maximum number of partitions             100
   Enable ECIES support                     Disallowed
   Enable Single Domain                     Allowed
   Enable Unified PED Key                   Allowed
   Enable MofN                              Allowed
   Enable small form factor backup/restore  Disallowed
   Enable Secure Trusted Channel            Allowed
   Enable decommission on tamper            Disallowed
   Enable Per-Partition SO                  Allowed
   Enable partition re-initialize           Allowed

   The following policies are set due to current configuration of
   this HSM and cannot be altered directly by the user.

   Description                              Value
   ===========                              =====
   PED-based authentication                 True
   Store MTK Split Externally               False

   The following policies describe the current configuration of
   this HSM and may be changed by the HSM Administrator.

   Changing policies marked "destructive" will zeroize (erase
   completely) the entire HSM.

   Description                              Value      Code      Destructive
   ===========                              =====      ====      ===========
   Allow cloning                            On         7         Yes
   Allow non-FIPS algorithms                On         12        Yes
   SO can reset partition PIN               On         15        Yes
   Allow network replication                On         16        No
   Allow Remote Authentication              On         20        Yes
   Force user PIN change after set/reset    Off        21        No
   Allow offboard storage                   On         22        Yes
   Allow remote PED usage                   On         25        No
   Allow Acceleration                       On         29        Yes
   Allow unmasking                          On         30        Yes
   Current maximum number of partitions     100        33        No
   Force Single Domain                      Off        35        Yes
   Allow Unified PED Key                    Off        36        No
   Allow MofN                               On         37        No
   Allow Secure Trusted Channel             Off        39        No
   Allow partition re-initialize            Off        42        No

Command Result : 0 (Success)
```
According to the above example, the fixed capabilities require that this HSM be protected at FIPS 140-2 level 3, meaning that the PED and PED Keys are required for authentication, and values typed from a keyboard are ignored.
The alterable policies have numeric codes. You can alter a policy with the hsm changePolicy command, giving the code for the policy that is to change, followed by the new value.
Note: The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. The HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them. The example listing above indicates that non-validated algorithms have been activated. The HSM is just as safe and secure as it is with the additional algorithms switched off. The only difference is that an auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.
2. In order to change HSM policies, the HSM SO must first log in.
lunash:> hsm login
(If you are not logged in, the above command begins the login process, directing you to the PED. If you are already logged in, the SafeNet Network HSM tells you so with an error message that you can ignore.)
Control is passed to the PED, which prompts you for the blue PED Key.
Insert the appropriate PED Key for this HSM, and press [ENT] on the PED keypad.
3. If you need to modify a policy setting to comply with your operational requirements, type:
lunash:> hsm changePolicy -policy <policyCode> -value <policyValue>
As an example, change code 15 from a value of 1 (On) to 0 (Off).
lunash:> hsm changePolicy -policy 15 -value 0
That command assigns a value of zero (0) to the “HSM Admin can reset partition PIN” policy, turning it off.
WARNING! The above example is a change to a destructive policy, meaning that, if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm that this is what you really wish to do. You must now re-initialize the HSM.
While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your HSM system has been in a “live” or “production” environment and the HSM contains useful or important data, keys, or certificates.
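A pre-flight check for the warning above, as an added example that is not part of the SafeNet guide: this Python code parses the alterable-policy table from captured hsm showPolicies output and reports which planned hsm changePolicy codes are marked destructive. The function names and the abbreviated sample listing (rows copied from the example output on this page) are assumptions, as is treating any value change to a row marked Destructive "Yes" as zeroizing, which follows the listing's own statement.

```python
import re
from typing import NamedTuple

# Abbreviated listing constructed from the example output on this page.
SAMPLE = """\
Description                              Value      Code      Destructive
===========                              =====      ====      ===========
Allow cloning                            On         7         Yes
SO can reset partition PIN               On         15        Yes
Allow network replication                On         16        No
Force user PIN change after set/reset    Off        21        No
Current maximum number of partitions     100        33        No
Force Single Domain                      Off        35        Yes
Command Result : 0 (Success)
"""

class Policy(NamedTuple):
    description: str
    value: int          # On/Off mapped to 1/0, numeric values kept as-is
    destructive: bool

# description, value, numeric code, Yes/No: only alterable-policy rows match.
ROW = re.compile(r"^\s*(.+?)\s+(\S+)\s+(\d+)\s+(Yes|No)\s*$")
ON_OFF = {"On": 1, "Off": 0}

def parse_alterable_policies(text):
    """Return {code: Policy} for every alterable-policy row in the listing."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            desc, raw, code, destr = m.groups()
            value = ON_OFF[raw] if raw in ON_OFF else int(raw)
            policies[int(code)] = Policy(desc, value, destr == "Yes")
    return policies

def destructive_changes(policies, planned):
    """Codes in planned ({code: new_value}) that change a destructive policy."""
    unknown = sorted(set(planned) - set(policies))
    if unknown:
        raise KeyError(f"policy codes not in listing: {unknown}")
    return sorted(code for code, new in planned.items()
                  if policies[code].destructive and policies[code].value != new)

if __name__ == "__main__":
    current = parse_alterable_policies(SAMPLE)
    for code in destructive_changes(current, {15: 0, 16: 0, 21: 1}):
        print(f"policy {code} ({current[code].description}): change zeroizes the HSM")
```

Header, separator, capability and "Command Result" lines do not match the row pattern, so the full showPolicies output can be passed in unchanged.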
If you have been following the instructions on this page as part of setting up a new HSM system, then the next step is to create virtual HSMs or HSM Partitions on the HSM that you just configured. To do this, see Prepare to Create a Partition (PED Authenticated).
SafeNet Network HSM 6 does not currently have a Scalable Key Storage (formerly SIM) configuration. Certain HSM policy settings exist to enable migration from SafeNet Network HSM 4.x to SafeNet Network HSM 5.x or 6.x, specifically the “Enable masking” and “Enable portable masking key” values.