Partition Policy Templates enable administrators to replicate configured application partitions, speeding the provisioning process and ensuring consistent policy assignments across partitions with similar security requirements. The Partition Policy Template feature enables scalable policy management across tens and hundreds of partitions while also simplifying future audit and compliance requirements.
Administrators can specify the initial value for each policy, as well as whether changes to the policy AFTER the partition is created will be destructive to existing user objects on the partition. This destructive or non-destructive behavior can be specified independently for the on-to-off and off-to-on transitions of the policy. Once the combined initial values and destructiveness of each partition policy are configured as desired, they can be saved as a named policy template. Multiple such policy templates can be saved on the appliance, or exported and imported between appliances.
An administrator creating an application partition can optionally specify a previously saved policy template in order to create the partition with policy settings as configured in the template. If no policy template is specified during partition creation, the HSM uses built-in default partition policy values.
Partition policy templates cannot be used to alter settings for an existing application partition. Once a partition has been created, with or without the use of a policy template, the administrator continues to use the partition changePolicy command to make changes to individual policy values.
Note: Policy destructiveness settings cannot be altered on an existing application partition, as they can be specified only at the time the partition is created.
The examples on this page apply to manipulating application partitions via lunacm.
The general procedure is as follows:
• Create (and load for editing) a new, unnamed partition policy template. The possible policy codes, along with their default settings, are displayed.
• Make changes to those default values, one at a time, until you are satisfied. Each change is echoed back.
• Save the new partition policy template, applying a name that is unique and easily recognized, and also applying additional descriptive text to help you and future users recall the purpose of this specific template among any others you might create.
• Create an application partition, specifying a particular partition policy template by name. This creates the partition with policies applied to it that conform to the selected template, rather than the default set for the HSM.
For this example, before starting, here are the policy values for a default partition that was created without using a template:
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
35: Enable private key SFF backup/restore : 1
36: Enable secret key SFF backup/restore : 1
37: Enable Secure Trusted Channel : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
35: Allow private key SFF backup/restore : 1
36: Allow secret key SFF backup/restore : 1
37: Force Secure Trusted Channel : 0
Command Result : No Error
Now, create a partition policy template and then create a new application partition using the new template.
Note: You must be in the administrative (HSM SO) slot in order to create a partition policy template.
1. Use command partition policyTemplateCreate to create a new partition policy template:
lunacm:> partition policytemplatecreate
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
2 Allow private key unwrapping On No No
3 Allow private key masking Off Yes No
4 Allow secret key cloning On Yes No
5 Allow secret key wrapping On Yes No
6 Allow secret key unwrapping On No No
7 Allow secret key masking Off Yes No
10 Allow multipurpose keys On Yes No
11 Allow changing key attributes On Yes No
15 Ignore failed challenge responses On Yes No
16 Operate without RSA blinding On Yes No
17 Allow signing with non-local keys On No No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
21 Allow high availability recovery On No No
22 Allow activation On No No
23 Allow auto-activation On No No
24 Allow indirect login Off No No
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
26 Maximum pin length 255 N/A N/A
28 Allow Key Management Functions On Yes No
29 Perform RSA signing without confirmation On Yes No
30 Allow Remote Authentication On No No
31 Allow private key unmasking On No No
32 Allow secret key unmasking On No No
33 Allow RSA PKCS mechanism On Yes No
34 Allow CBC-PAD (un)wrap keys of any size On Yes No
35 Allow private key SFF backup/restore Off Yes No
36 Allow secret key SFF backup/restore Off Yes No
37 Force Secure Trusted Channel Off No Yes
Type 'proceed' to continue, or 'quit'
to quit now.
> proceed
Successfully created and loaded the new partition policy template.
Use 'partition policyTemplateChange' to edit the template and
'partition policyTemplateSave' to save the template once you have applied all necessary
changes.
Command Result : No Error
2. Use command partition policyTemplateChange to change some policy values in the new partition policy template:
lunacm:> partition policyTemplateChange -policy 25 -value 246
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
25 Minimum pin length (inverted: 255 - min) 246 N/A N/A
Command Result : No Error
lunacm:> partition policyTemplateChange -policy 20 -value 9
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
20 Max failed user logins allowed 9 N/A N/A
Command Result : No Error
lunacm:> partition policyTemplateChange -policy 7 -on non-destructive
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
7 Allow secret key masking Off No No
Command Result : No Error
3. Use command partition policyTemplateSave to save the new partition policy template with its modified policy values:
lunacm:> partition policyTemplateSave -name sample01
sample01 successfully saved.
Command Result : No Error
lunacm:> partition policyTemplateList
Name Description
_______________________________________________________________
sample01
No partition policy template is currently loaded.
Command Result : No Error
4. Use command partition create with the -policytemplate option to create a new application partition, using the partition policy template that you previously created:
lunacm:> partition create -label parfortemplate -policyTemplate sample01
Please attend to the PED.
Command Result : No Error
lunacm:> slot set slot 0
Current Slot Id: 0 (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
35: Enable private key SFF backup/restore : 1
36: Enable secret key SFF backup/restore : 1
37: Enable Secure Trusted Channel : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 9
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 246
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
35: Allow private key SFF backup/restore : 1
36: Allow secret key SFF backup/restore : 1
37: Force Secure Trusted Channel : 0
Command Result : No Error
For this example, we create an application partition using a partition policy template that has only one policy modified, then change the template to modify an additional policy, and create another partition to which we apply the modified template:
Note: You must be in the administrative (HSM SO) slot in order to create, load, and modify a partition policy template.
1. Create and save partition policy template Sample02 with policy 22 set to On, but policy 23 not set (see the previous example for the steps).
2. Use command partition create with the -policytemplate option to create a new application partition, using partition policy template Sample02 created previously:
lunacm:> partition create -label parfortemplateagain -policyTemplate Sample02
Please attend to the PED.
Command Result : No Error
3. Change to the slot of the newly created partition and use command partition showpolicies to show the policies of the new partition:
lunacm:> slot set slot 0
Current Slot Id: 0 (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
35: Enable private key SFF backup/restore : 1
36: Enable secret key SFF backup/restore : 1
37: Enable Secure Trusted Channel : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 1
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
35: Allow private key SFF backup/restore : 1
36: Allow secret key SFF backup/restore : 1
37: Force Secure Trusted Channel : 0
Command Result : No Error
Observe that policy 22 is on and policy 23 is off, the result of creating the partition with partition policy template Sample02 as it existed at that moment.
4. Use command partition policyTemplateList to show the available partition policy templates:
lunacm:> partition policyTemplateList
Name Description
_______________________________________________________________
Sample02 Another template
sample01 Sample partition policyTemplate
No partition policy template is currently loaded.
Command Result : No Error
5. Go back to the administrative slot if necessary, and use command partition policyTemplateLoad to load template Sample02 for modification:
lunacm:> partition policyTemplateLoad -name Sample02
Successfully loaded Sample02 partition policy template for editing.
Command Result : No Error
6. Use command partition policyTemplateChange to change policy 23 in the partition policy template that is loaded for editing:
lunacm:> partition policyTemplateChange -policy 23 -value on
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
23 Allow auto-activation On No No
Command Result : No Error
Observe that we can use the text string "On" or "Off" interchangeably with the numeric setting "1" or "0" to set a policy; both options are acceptable.
7. Use command partition policyTemplateSave to save the newly modified partition policy template with its modified policy value. Do not provide a name; the loaded template already has one (in this case, "Sample02"):
lunacm:> partition policyTemplateSave
Saving the modified settings will overwrite the existing template "Sample02".
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Sample02 successfully saved.
Command Result : No Error
8. Delete the previously created demonstration partition, if necessary to make room. Then use command partition create with the -policytemplate option to create another new application partition, using partition policy template Sample02, created previously and just now modified:
lunacm:> partition create -label parfortemplateyetagain -policyTemplate Sample02
Please attend to the PED.
Command Result : No Error
9. Use command partition showpolicies to show the policies of the new partition:
lunacm:> slot set slot 0
Current Slot Id: 0 (Luna User Slot 6.24.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
35: Enable private key SFF backup/restore : 1
36: Enable secret key SFF backup/restore : 1
37: Enable Secure Trusted Channel : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 1
23: Allow auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
35: Allow private key SFF backup/restore : 1
36: Allow secret key SFF backup/restore : 1
37: Force Secure Trusted Channel : 0
Command Result : No Error
Observe that both policy 22 and policy 23 are on (value = 1) as soon as the partition parfortemplateyetagain is created using the recently modified partition policy template "Sample02". For more information about those frequently used policies, see About Activation and Auto-Activation.
Note: The chosen partition policy template affects the policies of a partition only at the time the partition is created.
In the examples on this page, partition parfortemplateagain was created when policy template Sample02 was set to modify only partition policy 22. Therefore, partition parfortemplateagain does not have partition policy 23 set. The change to the policy template does not affect a partition that already exists. It takes effect only for partitions that are created with that template after the template was modified.
Partition parfortemplateyetagain was created with the template after that modification, so it shows both policies changed.
You can change a policy on an existing partition manually, using the partition changepolicy command.
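Because a template change never reaches partitions that already exist, partitions created from the same template can drift apart over time, and the only way to see that is to compare each partition's partition showpolicies listing against the template. The following Python script is an added example, not code from this page or from the lunacm tool: it parses the two text layouts shown above (the table printed by partition policyTemplateCreate / policyTemplateChange, and the Partition Policies section of partition showpolicies), lists the policies on a partition that differ from the template, decodes the inverted policy 25 value into the real minimum PIN length, and uses the template's destructiveness columns to say whether bringing a drifted policy back into line with partition changepolicy would be destructive to the objects already on the partition. Both sample texts are constructed from the listings on this page; in practice you would paste in output captured from lunacm.

```python
"""Audit a Luna application partition's policies against a saved policy template.

Added example (not lunacm code). Input formats are the text layouts that
lunacm prints on this page; the sample strings below are constructed from them.
"""
import re

# Constructed sample: rows in the layout printed by 'partition policyTemplateCreate',
# reflecting the template after the first example's edits (25 -> 246, 20 -> 9,
# policy 7 made non-destructive, policies 22 and 23 on).
TEMPLATE_TEXT = """\
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
7 Allow secret key masking Off No No
20 Max failed user logins allowed 9 N/A N/A
22 Allow activation On No No
23 Allow auto-activation On No No
25 Minimum pin length (inverted: 255 - min) 246 N/A N/A
37 Force Secure Trusted Channel Off No Yes
"""

# Constructed sample: 'partition showpolicies' output (relevant rows only) for a
# partition created before the template was changed. The Capabilities section
# uses the same row layout and must be ignored by the parser.
PARTITION_TEXT = """\
Partition Capabilities
22: Enable activation : 1
23: Enable auto-activation : 1
Partition Policies
7: Allow secret key masking : 0
20: Max failed user logins allowed : 10
22: Allow activation : 1
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
37: Force Secure Trusted Channel : 0
Command Result : No Error
"""

TEMPLATE_ROW = re.compile(r"^(\d+)\s+(.*?)\s+(On|Off|\d+)\s+(Yes|No|N/A)\s+(Yes|No|N/A)$")
POLICY_ROW = re.compile(r"^(\d+):\s+(.*?)\s+:\s+(\d+)$")


def normalize(value):
    """lunacm accepts On/Off and 1/0 interchangeably; map both to an int."""
    v = str(value).strip().lower()
    if v == "on":
        return 1
    if v == "off":
        return 0
    return int(v)


def parse_template(text):
    """Return {code: (description, value, destructive_off_to_on, destructive_on_to_off)}."""
    rows = {}
    for line in text.splitlines():
        m = TEMPLATE_ROW.match(line.strip())
        if m:
            code, desc, val, d_on, d_off = m.groups()
            rows[int(code)] = (desc, normalize(val), d_on == "Yes", d_off == "Yes")
    return rows


def parse_partition_policies(text):
    """Return {code: value} from the 'Partition Policies' section only."""
    policies, in_section = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s == "Partition Policies":
            in_section = True
            continue
        if s == "Partition Capabilities" or s.startswith("Command Result"):
            in_section = False
            continue
        m = POLICY_ROW.match(s) if in_section else None
        if m:
            policies[int(m.group(1))] = int(m.group(3))
    return policies


def min_pin_length(policy25_value):
    """Policy 25 is stored inverted: value = 255 - minimum PIN length."""
    return 255 - policy25_value


def drift(template, partition):
    """{code: (partition_value, template_value)} for every policy that differs."""
    return {code: (partition[code], row[1]) for code, row in template.items()
            if code in partition and partition[code] != row[1]}


def is_destructive(template, code, current_value, new_value):
    """Would changing this policy on an existing partition destroy its objects?
    Uses the template's Off-To-On / On-To-Off columns; numeric policies carry N/A."""
    _, _, d_off_to_on, d_on_to_off = template[code]
    cur, new = normalize(current_value), normalize(new_value)
    if cur == 0 and new == 1:
        return d_off_to_on
    if cur == 1 and new == 0:
        return d_on_to_off
    return False  # unchanged, or a numeric policy with no on/off transition


def report(template, partition):
    """One line per drifted policy, flagging destructive realignments."""
    lines = []
    for code, (live, wanted) in sorted(drift(template, partition).items()):
        desc = template[code][0]
        note = ""
        if code == 25:
            note = " (min PIN length %d -> %d)" % (min_pin_length(live), min_pin_length(wanted))
        elif is_destructive(template, code, live, wanted):
            note = " DESTRUCTIVE to existing objects"
        lines.append("policy %d %s: partition=%d template=%d%s" % (code, desc, live, wanted, note))
    return lines


if __name__ == "__main__":
    for line in report(parse_template(TEMPLATE_TEXT), parse_partition_policies(PARTITION_TEXT)):
        print(line)
```

Run against the constructed sample, the report lists policies 20, 23 and 25 as drifted (the partition was created before those template edits), shows policy 25 as a minimum PIN length of 7 on the partition versus 9 in the template, and flags nothing as destructive, because the template's Off-To-On column is No for policy 23. Capturing the real showpolicies output for each partition into a file and running this comparison on a schedule gives the audit evidence the introduction refers to.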
If a partition policy template is no longer useful, use command partition policyTemplateDelete to remove that template from the list.
Note: You must be in the administrative (HSM SO) slot in order to delete a partition policy template.
lunacm:> slot list
Slot Id -> 0
Tunnel Slot Id -> 2
Label ->
Serial Number -> 349297122742
Model -> K6 Base
Firmware Version -> 6.24.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 1
Tunnel Slot Id -> 2
Label -> mypcie6
Serial Number -> 150022
Model -> K6 Base
Firmware Version -> 6.24.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> OK
Current Slot Id: 1
Command Result : No Error
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna Admin Slot 6.24.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition policyTemplateList
Name Description
_______________________________________________________________
Sample02 Another template
sample01
No partition policy template is currently loaded.
Command Result : No Error
lunacm:> partition policyTemplateDelete -name sample01
Are you sure you wish to delete partition policy template: sample01
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Successfully deleted partition policy template: sample01
Command Result : No Error
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna Admin Slot 6.24.0 (PED) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition policyTemplateList
Name Description
_______________________________________________________________
Sample02 Another template
No partition policy template is currently loaded.
Command Result : No Error