Displays the HSM-level capability and policy settings for the HSM (and, on older firmware, for the SO; that part of the output is deprecated, see the notes below).
Note: Some mechanisms (such as KCDSA) are not enabled unless you have purchased and installed the required Secure Capability Update package. If you require a particular mechanism, and do not see it listed when you generate a mechanism list for your SafeNet HSM, contact SafeNet Support.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM appliance, you must use the Luna Shell (lunash).
Note: The output of this command differs considerably, depending on the firmware version of the HSM in the current slot. See the examples and discussion below.
hsm showpolicies
Example output for HSM firmware earlier than 6.22.0 (the SO Capabilities and SO Policies sections are still present):

lunacm:>hsm sp

        HSM Capabilities
                0: Enable PIN-based authentication : 1
                1: Enable PED-based authentication : 0
                2: Performance level : 15
                4: Enable domestic mechanisms & key sizes : 1
                6: Enable masking : 1
                7: Enable cloning : 1
                8: Enable special cloning certificate : 0
                9: Enable full (non-backup) functionality : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                20: Enable Remote Authentication : 1
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 0
                26: Enable External Storage of MTK Split : 0
                27: HSM non-volatile storage space : 2097152
                28: Enable HA mode CGX : 0
                29: Enable Acceleration : 1
                30: Enable unmasking : 0
                31: Enable FW5 compatibility mode : 0
                34: Enable ECIES support : 0
                35: Enable Single Domain : 0
                36: Enable Unified PED Key : 0
                37: Enable MofN : 0
                38: Enable small form factor backup/restore : 0

        HSM Policies
                0: PIN-based authentication : 1
                1: PED-based authentication : 0
                6: Allow masking : 1
                7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 1
                16: Allow network replication : 1
                20: Allow Remote Authentication : 1
                21: Force user PIN change after set/reset : 0
                22: Allow offboard storage : 1
                23: Allow partition groups : 0
                25: Allow remote PED usage : 0
                26: Store MTK Split Externally : 0
                29: Allow Acceleration : 1
                30: Allow unmasking : 0
                31: Allow FW5 compatibility mode : 0
                34: Allow ECIES support : 0
                35: Force Single Domain : 0
                36: Allow Unified PED Key : 0
                37: Allow MofN : 0
                38: Allow small form factor backup/restore : 0

        SO Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                14: Enable PED use without challenge : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                30: Enable Remote Authentication : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 0
                34: Enable CBC-PAD (un)wrap keys of any size : 0
                35: Enable private key SFF backup/restore : 0
                36: Enable secret key SFF backup/restore : 0

        SO Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                14: Challenge for authentication not needed : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 3
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                30: Allow Remote Authentication : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 0
                34: Allow CBC-PAD (un)wrap keys of any size : 0
                35: Allow private key SFF backup/restore : 0
                36: Allow secret key SFF backup/restore : 0

Command Result : No Error
Example output for HSM firmware 6.22.0 or later (the SO sections are gone; new HSM-level items such as Secure Trusted Channel and Per-Partition SO appear):

lunacm:>hsm sp

        HSM Capabilities
                0: Enable PIN-based authentication : 1
                1: Enable PED-based authentication : 0
                2: Performance level : 15
                4: Enable domestic mechanisms & key sizes : 1
                6: Enable masking : 1
                7: Enable cloning : 1
                8: Enable special cloning certificate : 0
                9: Enable full (non-backup) functionality : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                20: Enable Remote Authentication : 1
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 0
                26: Enable External Storage of MTK Split : 0
                27: HSM non-volatile storage space : 2097152
                29: Enable Acceleration : 1
                30: Enable unmasking : 0
                31: Enable FW5 compatibility mode : 0
                33: Maximum number of partitions : 20
                34: Enable ECIES support : 0
                35: Enable Single Domain : 1
                36: Enable Unified PED Key : 1
                37: Enable MofN : 1
                38: Enable small form factor backup/restore : 0
                39: Enable Secure Trusted Channel : 1
                40: Enable decommission on tamper : 0
                41: Enable Per-Partition SO : 1
                42: Enable partition re-initialize : 1

        HSM Policies
                0: PIN-based authentication : 1
                1: PED-based authentication : 0
                6: Allow masking : 1
                7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 1
                16: Allow network replication : 1
                20: Allow Remote Authentication : 1
                21: Force user PIN change after set/reset : 0
                22: Allow offboard storage : 1
                23: Allow partition groups : 0
                25: Allow remote PED usage : 0
                26: Store MTK Split Externally : 0
                29: Allow Acceleration : 1
                30: Allow unmasking : 0
                31: Allow FW5 compatibility mode : 0
                33: Current maximum number of partitions : 20
                34: Allow ECIES support : 0
                35: Force Single Domain : 0
                36: Allow Unified PED Key : 0
                37: Allow MofN : 1
                38: Allow small form factor backup/restore : 0
                39: Allow Secure Trusted Channel : 0
                40: Allow decommission on tamper : 0
                42: Allow partition re-initialize : 0

Command Result : No Error
Notice that, as of HSM firmware 6.22.0, "SO Capabilities" and "SO Policies" are no longer part of the hsm showpolicies output. They have been moved to the output of command partition showpolicies, when the current slot is the HSM admin partition. If the current slot is an application partition, then command partition showpolicies shows capabilities and policies under the control of a partition SO (for PPSO partitions) or the HSM SO (for legacy partitions).
So, for example, if you were looking for "Max failed user logins allowed", you would now look at partition showpolicies.
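Because the output is a fixed "index: name : value" list whose sections vary by firmware, it is worth parsing rather than eyeballing when you review an HSM's configuration. The following Python script is an added example written for this page; it is not SafeNet code and not part of the lunacm documentation. It parses the showpolicies text into tables keyed by policy index, joins each capability to its policy, decodes the inverted minimum PIN length ("255 - min") shown above, and reports a few settings a reviewer would want to look at. The two sample outputs are constructed excerpts in the page's format, one with and one without the SO sections; the indices used in the review (HSM policies 12 and 21, SO policies 20 and 25) are taken from the outputs above, while the idea of flagging them is this example's own assumption, not SafeNet guidance.

```python
"""Parse lunacm 'hsm showpolicies' output and review a few security-relevant settings.

Added example for this page; not SafeNet code. Sample outputs below are constructed
excerpts in the same format as the page's examples, not captures from a real HSM.
"""
import re

# Constructed excerpt: firmware earlier than 6.22.0, SO sections present.
SAMPLE_PRE_622 = """\
lunacm:>hsm sp
        HSM Capabilities
                0: Enable PIN-based authentication : 1
                12: Enable non-FIPS algorithms : 1
                21: Enable forcing user PIN change : 1
        HSM Policies
                0: PIN-based authentication : 1
                12: Allow non-FIPS algorithms : 1
                21: Force user PIN change after set/reset : 0
        SO Capabilities
                20: Max failed user logins allowed : 3
                25: Minimum pin length (inverted: 255 - min) : 248
        SO Policies
                20: Max failed user logins allowed : 3
                25: Minimum pin length (inverted: 255 - min) : 248
Command Result : No Error
"""

# Constructed excerpt: firmware 6.22.0 or later, no SO sections.
SAMPLE_622_PLUS = """\
lunacm:>hsm sp
        HSM Capabilities
                12: Enable non-FIPS algorithms : 1
                21: Enable forcing user PIN change : 1
                39: Enable Secure Trusted Channel : 1
        HSM Policies
                12: Allow non-FIPS algorithms : 0
                21: Force user PIN change after set/reset : 1
                39: Allow Secure Trusted Channel : 0
Command Result : No Error
"""

SECTION_RE = re.compile(r"^(HSM|SO) (Capabilities|Policies)$")
# Lazy name group so a name containing ':' (e.g. "(inverted: 255 - min)") still parses.
ITEM_RE = re.compile(r"^(\d+):\s*(.*?)\s*:\s*(\d+)$")

# Policy indices quoted from the page's output tables (assumed stable across the shown versions).
HSM_NONFIPS_ALLOWED = 12
HSM_FORCE_PIN_CHANGE = 21
SO_MAX_FAILED_LOGINS = 20
SO_MIN_PIN_INVERTED = 25      # stored as 255 - minimum length


def parse_showpolicies(text):
    """Return {owner: {kind: {index: (name, value)}}}, e.g. parsed["HSM"]["Policies"][12].
    Sections missing from the output (the SO sections on firmware 6.22.0+) are simply absent."""
    parsed, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("lunacm:>") or line.startswith("Command Result"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            owner, kind = sec.groups()
            current = parsed.setdefault(owner, {}).setdefault(kind, {})
            continue
        item = ITEM_RE.match(line)
        if item and current is not None:
            idx, name, value = item.groups()
            current[int(idx)] = (name, int(value))
    return parsed


def pair_by_index(parsed, owner="HSM"):
    """Join one owner's capability and policy tables by index.
    Returns {index: (cap_name, cap_value, policy_name, policy_value)}; None where a side is missing."""
    caps = parsed.get(owner, {}).get("Capabilities", {})
    pols = parsed.get(owner, {}).get("Policies", {})
    return {idx: caps.get(idx, (None, None)) + pols.get(idx, (None, None))
            for idx in sorted(set(caps) | set(pols))}


def effective_min_pin_length(parsed):
    """Decode the inverted SO policy 25 into the real minimum PIN length, or None if not present."""
    _, inv = parsed.get("SO", {}).get("Policies", {}).get(SO_MIN_PIN_INVERTED, (None, None))
    return None if inv is None else 255 - inv


def review(parsed):
    """Return (severity, message) findings. What to flag is this example's assumption."""
    findings = []
    hsm_pol = parsed.get("HSM", {}).get("Policies", {})
    name, val = hsm_pol.get(HSM_NONFIPS_ALLOWED, ("policy 12", None))
    if val == 1:
        findings.append(("warn", f"HSM policy {HSM_NONFIPS_ALLOWED} '{name}' is on"))
    name, val = hsm_pol.get(HSM_FORCE_PIN_CHANGE, ("policy 21", None))
    if val == 0:
        findings.append(("warn", f"HSM policy {HSM_FORCE_PIN_CHANGE} '{name}' is off"))
    if "SO" not in parsed:
        findings.append(("info", "no SO sections (firmware 6.22.0+): run 'partition showpolicies' "
                                 "with the HSM admin partition as the current slot"))
        return findings
    findings.append(("info", f"effective minimum PIN length is {effective_min_pin_length(parsed)}"))
    _, tries = parsed["SO"]["Policies"].get(SO_MAX_FAILED_LOGINS, (None, None))
    findings.append(("info", f"{tries} failed user logins allowed before lockout"))
    return findings


if __name__ == "__main__":
    for label, sample in (("pre-6.22.0", SAMPLE_PRE_622), ("6.22.0+", SAMPLE_622_PLUS)):
        print(label)
        for severity, msg in review(parse_showpolicies(sample)):
            print(f"  [{severity}] {msg}")
```

To use it against a real HSM, paste the full `hsm showpolicies` output into a file and pass its contents to `parse_showpolicies`; the parser ignores the prompt line, blank lines and the "Command Result" trailer, and the absent SO sections on newer firmware produce the pointer to `partition showpolicies` rather than an error.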