[Step 10] Set the Partition Policies for PPSO Partitions
At this point, you should have initialized the partition and created the Crypto Officer role and, optionally, the Crypto User role. Before deploying the partitions, review and set the policies that constrain the use of the HSM Partition by clients, as described in the following sections:
• Displaying the Current Partition Policy Settings
• Changing the Partition Policy Settings
Note: This section applies to application partitions that are owned and administered by the HSM SO. If the application partition was created with its own Partition SO, then you cannot use LunaSH to administer the partition. All administration of a PPSO partition is carried out by the Partition SO, via LunaCM, from a registered client computer.
First, display the default policies of the legacy-style application Partition you created. You do not need to be logged in to the HSM Partition to run the partition showPolicies command. However, to change policies of either the HSM or an individual Partition, you must log in as HSM SO.
1. Open a LunaCM session.
2. Enter the following command to display current partition capability and policy settings. Capabilities are factory settings. Policies are the means of modifying the adjustable capabilities:
partition showpolicies -partition <partition_name>
For example:
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
Having viewed the Policy settings, you can now modify a Partition Policy for a given Partition, if required.
1. Open a LunaCM session.
2. Enter the following command to change a Partition Policy:
partition changepolicy -policy <policy_id> -value <policy_value>
Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.
The Partition Security Officer can turn this feature on or off.
If RSA blinding is enabled in Capabilities and allowed in Policies, the partition will always run in RSA blinding mode; performance will be lower than SafeNet published performance figures. This is because the deliberate introduction of random elements causes the average signature to take longer to complete.
For maximum performance, you can switch RSA blinding mode off, at the cost of slight additional risk of so-called timing attacks on your keys. It is your decision whether your network and other security measures are sufficiently rigorous that blinding is not needed.
SafeNet HSMs are normally shipped with the Capability set to allow switching blinding on or off, and with the Policy set to not use blinding, by default.
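The following Python example is added here and is not SafeNet code. It parses saved `partition showpolicies` output, compares the policies with a site baseline, and returns the `partition changepolicy` command for each value that differs. The sample text is an excerpt of the output shown above; `BASELINE`, `parse_showpolicies` and `audit` are hypothetical names, and the baseline values are an assumption, not vendor guidance.

```python
import re

# Excerpt of the `partition showpolicies` output shown on this page.
SAMPLE = """\
Partition Capabilities
16: Enable operation without RSA blinding : 1
25: Minimum pin length (inverted: 255 - min) : 248
Partition Policies
16: Operate without RSA blinding : 1
25: Minimum pin length (inverted: 255 - min) : 248
30: Allow Remote Authentication : 0
Command Result : No Error
"""

# Hypothetical site baseline (assumption): 16 = 0 keeps blinding in use, 30 = 0 keeps remote auth off.
BASELINE = {16: 0, 30: 0}

# "<id>: <description> : <value>"; the description may itself contain colons (see id 25).
ROW = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_showpolicies(text):
    """Split the output into {'capabilities': {id: (desc, value)}, 'policies': {...}}."""
    sections, current = {"capabilities": {}, "policies": {}}, None
    for line in text.splitlines():
        heading = line.strip().lower()
        if heading == "partition capabilities":
            current = "capabilities"
        elif heading == "partition policies":
            current = "policies"
        elif current and (m := ROW.match(line)):
            sections[current][int(m.group(1))] = (m.group(2), int(m.group(3)))
    return sections

def audit(text, baseline):
    """Return one finding per baseline policy whose current value differs or is absent."""
    parsed = parse_showpolicies(text)
    findings = []
    for pid, wanted in sorted(baseline.items()):
        desc, current = parsed["policies"].get(pid, ("<not reported>", None))
        if current != wanted:
            findings.append({
                "policy": pid, "description": desc, "current": current, "wanted": wanted,
                "capability": parsed["capabilities"].get(pid, (None, None))[1],
                "command": f"partition changepolicy -policy {pid} -value {wanted}",
            })
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, BASELINE))
```

Each finding also carries the capability value for the same id, so the reviewer can see the factory setting next to the policy before changing anything.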