[Step 6] Set the Partition Policies for Legacy Partitions
At this point, you should have initialized the HSM and created one or more HSM Partitions. Before deploying the partitions, review and set the policies that constrain the use of the HSM Partition by clients, as described in the following sections:
• Displaying the Current Partition Policy Settings
• Changing the Partition Policy Settings
Note: This section applies to application partitions that are owned and administered by the HSM SO. If the application partition was created with its own Partition SO, then you cannot use LunaSH (lunash) to administer the partition. All administration of a PPSO partition is carried out by the Partition SO, via LunaCM, from a registered client computer.
If you want to use a Secure Trusted Channel (STC) to provide the network link between the partition and authorized clients, you must enable Policy 37: Force Secure Trusted Channel. See Enabling or Disabling STC on a Partition in the Administration Guide for more information.
First, display the default policies of the newly created legacy-style application Partition. You do not need to be logged in to the HSM Partition to run the partition showPolicies command. However, to change policies of either the HSM or an individual Partition, you must log in as HSM SO.
1. Open a LunaSH session on the appliance.
2. Enter the following command to display current partition capability and policy settings. Capabilities are factory settings. Policies are the means of modifying the adjustable capabilities:
partition showPolicies -partition <partition_name>
For example:
lunash:> partition showPolicies -partition mypartition
Partition Name: mypartition
Partition Num: 65038002
The following capabilities describe this partition and can never be changed.

Description                                Value
===========                                =====
Enable private key cloning                 Allowed
Enable private key wrapping                Disallowed
Enable private key unwrapping              Allowed
Enable private key masking                 Disallowed
Enable secret key cloning                  Allowed
Enable secret key wrapping                 Allowed
Enable secret key unwrapping               Allowed
Enable secret key masking                  Disallowed
Enable multipurpose keys                   Allowed
Enable changing key attributes             Allowed
Enable PED use without challenge           Allowed
Allow failed challenge responses           Allowed
Enable operation without RSA blinding      Allowed
Enable signing with non-local keys         Allowed
Enable raw RSA operations                  Allowed
Max failed user logins allowed             10
Enable high availability recovery          Allowed
Enable activation                          Allowed
Enable auto-activation                     Allowed
Minimum pin length (inverted: 255 - min)   248
Maximum pin length                         255
Enable Key Management Functions            Allowed
Enable RSA signing without confirmation    Allowed
Enable Remote Authentication               Allowed
Enable private key unmasking               Allowed
Enable secret key unmasking                Allowed
Enable RSA PKCS mechanism                  Allowed
Enable CBC-PAD (un)wrap keys of any size   Allowed
Enable private key SFF backup/restore      Disallowed
Enable secret key SFF backup/restore       Disallowed
Enable Secure Trusted Channel              Allowed

The following policies are set due to current configuration of this partition and may not be altered directly by the user.

Description                                Value
===========                                =====
Challenge for authentication not needed    False

The following policies describe the current configuration of this partition and may be changed by the HSM Administrator.

Description                                Value   Code
===========                                =====   ====
Allow private key cloning                  On      0
Allow private key unwrapping               On      2
Allow secret key cloning                   On      4
Allow secret key wrapping                  On      5
Allow secret key unwrapping                On      6
Allow multipurpose keys                    On      10
Allow changing key attributes              On      11
Ignore failed challenge responses          On      15
Operate without RSA blinding               On      16
Allow signing with non-local keys          On      17
Allow raw RSA operations                   On      18
Max failed user logins allowed             10      20
Allow high availability recovery           On      21
Allow activation                           Off     22
Allow auto-activation                      Off     23
Minimum pin length (inverted: 255 - min)   248     25
Maximum pin length                         255     26
Allow Key Management Functions             On      28
Perform RSA signing without confirmation   On      29
Allow Remote Authentication                On      30
Allow private key unmasking                On      31
Allow secret key unmasking                 On      32
Allow RSA PKCS mechanism                   On      33
Allow CBC-PAD (un)wrap keys of any size    On      34
Force Secure Trusted Channel               Off     37
Command Result : 0 (Success)
[myluna] lunash:>
Having viewed the Policy settings, you can now modify a Partition Policy for a given Partition, if required.
1. Open a LunaSH session on the appliance.
2. Enter the following command to change a Partition Policy:
partition changePolicy -partition <name of HSM Partition> -policy <policy_code> -value <new_policy_value>
3. Refer to the example below that is applicable to your SafeNet appliance's HSM type.
The default minimum password length is 7 characters (which the SafeNet HSM calculates as 255 minus 248, where 255 is the maximum length and 248 is the number that can be subtracted from the maximum to yield the minimum length). We want the minimum Partition password length to be larger than 7 characters – for example, nine. To do that, we would need to change the number that is subtracted from 255 to be 246, instead of the current 248.
1. Login Before Changing Policies
2. Change the selected policy for a Partition labeled "myPartition1". Type:
lunash:> partition changePolicy -partition myPartition1 -policy 25 -value 246
'partition changePolicy' successful.
Policy "Minimum pin length (inverted: 255 - min)" is now set to: 246
lunash:>
3. Log out of the HSM whenever you finish operations that require HSM login.
lunash:> hsm logout
lunash:>
This is just an example. You do not need to change this particular policy, or any other, except to configure the HSM Partition more appropriately for your use.
1. Login Before Changing Policies
2. Change a selected policy for a Partition labeled "myPartition1". Type:
lunash:> partition changePolicy -partition myPartition1 -policy 22 -value 1
(allows Activation mode to be on)
partition changePolicy successful
Policy allow Activation is now set to: 1
3. And change the other policy for the same Partition.
lunash:> partition changePolicy -partition myPartition1 -policy 23 -value 1
(allows autoActivation mode to be on)
partition changePolicy successful
Policy allow autoActivation is now set to: 1
4. Log out of the HSM whenever you finish operations that require HSM login.
lunash:> hsm logout
lunash:>
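The review-then-change procedure above can be checked offline against saved `partition showPolicies` output. The following Python sketch is an added example, not SafeNet code: it parses the policy rows, applies the inverted minimum-length rule for policy 25, and lists the `partition changePolicy` commands needed to reach a baseline. The function names, the sample rows and the baseline are hypothetical, and it assumes On/Off policies are written as 1/0 (the page shows 1 for on).

```python
import re

# Constructed sample: a few policy rows in the "Description / Value / Code"
# layout printed by `partition showPolicies` (values as in the listing above).
SAMPLE = """\
Description                                Value   Code
===========                                =====   ====
Operate without RSA blinding               On      16
Max failed user logins allowed             10      20
Allow activation                           Off     22
Minimum pin length (inverted: 255 - min)   248     25
Maximum pin length                         255     26
Force Secure Trusted Channel               Off     37
"""

# A policy row ends with a value (On, Off or a number) and a numeric code.
ROW = re.compile(r"^(?P<desc>.+?)\s+(?P<value>On|Off|\d+)\s+(?P<code>\d+)\s*$")

def parse_policies(text):
    """Return {code: (description, value)}, mapping On/Off to 1/0 (assumed)."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            raw = m["value"]
            value = {"On": 1, "Off": 0}[raw] if raw in ("On", "Off") else int(raw)
            policies[int(m["code"])] = (m["desc"].strip(), value)
    return policies

def min_pin_policy_value(min_len, max_len=255):
    """Policy 25 stores (max_len - minimum length), not the length itself."""
    if not 1 <= min_len <= max_len:
        raise ValueError("minimum length out of range")
    return max_len - min_len

def plan_changes(text, partition, baseline):
    """Return the changePolicy commands needed to reach baseline {code: value}."""
    current = parse_policies(text)
    commands = []
    for code, want in sorted(baseline.items()):
        if code not in current:
            raise KeyError(f"policy {code} not found in showPolicies output")
        if current[code][1] != want:
            commands.append(f"partition changePolicy -partition {partition} "
                            f"-policy {code} -value {want}")
    return commands

# Hypothetical baseline: 9-character minimum password, STC forced on.
BASELINE = {25: min_pin_policy_value(9), 26: 255, 37: 1}
```

Calling `plan_changes(SAMPLE, "myPartition1", BASELINE)` returns the two commands for policies 25 and 37; policy 26 already matches and is skipped.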
Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.
The HSM Admin or Security Officer can turn this feature on or off.
If RSA blinding is enabled in Capabilities and allowed in Policies, the partition will always run in RSA blinding mode; performance will be lower than SafeNet published performance figures. This is because the deliberate introduction of random elements causes the average signature to take longer to complete.
For maximum performance, you can switch RSA blinding mode off, at the cost of a slight additional risk of so-called timing attacks on your keys. It is your decision whether your network and other security measures are sufficiently rigorous that blinding is not needed.
SafeNet HSMs are normally shipped with the Capability set to allow switching blinding on or off, and with the Policy set to not use blinding, by default.
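To make the blinding description above concrete, the following Python sketch (an added illustration, not the HSM's implementation) performs a textbook RSA private-key operation with and without blinding. The toy key, the message value and the function names are constructed for the example. The private exponentiation operates on a randomized value, so its timing no longer tracks the caller's input, and the extra blind and unblind steps are the performance cost the text mentions.

```python
import secrets
from math import gcd

# Constructed toy RSA key (far too small for real use): n = 61 * 53.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

def sign_plain(m):
    """Textbook private-key operation: the exponentiation runs directly on m."""
    return pow(m, D, N)

def sign_blinded(m, r=None):
    """Return (signature, blinded input); the exponentiation never sees m."""
    # Pick a fresh random blinding factor r that is invertible mod n.
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = (m * pow(r, E, N)) % N      # blind:   m' = m * r^e mod n
    s_blind = pow(blinded, D, N)          # sign:    s' = (m')^d = m^d * r mod n
    sig = (s_blind * pow(r, -1, N)) % N   # unblind: s  = s' * r^-1 mod n
    return sig, blinded
```

Both functions return the same signature for a given message, while the value fed to the private exponentiation changes with every random `r`.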