Policy Templates
A policy template is a file containing a set of preferred HSM or partition policy settings, used to initialize HSMs/partitions with those settings. You can use the same file to initialize multiple HSMs or partitions, rather than changing policies manually after initialization. This can save time and effort when initializing HSMs or partitions that are to function as an HA group, or must comply with your company's overall security strategy. Templates enable scalable policy management and simplify future audit and compliance requirements.
You can create a policy template file from an initialized or uninitialized HSM/partition, and edit it using a standard text editor. Partition policy templates have further customization options.
Policy templates cannot be used to alter settings for an initialized HSM or partition. Once an HSM or partition has been initialized, the SO must use hsm changepolicy in LunaSH or partition changepolicy in LunaCM to change individual policy values. To zeroize the HSM and reset the policies to their default values, use hsm factoryreset in LunaSH.
To zeroize the HSM and keep the current policy settings, use hsm zeroize in LunaSH.
This section provides instructions for the following procedures, and some general guidelines and restrictions:
>Creating a Policy Template
>Editing a Policy Template
>Guidelines and Restrictions
>Applying a Policy Template
Creating a Policy Template
The following procedures describe how to create a policy template for an HSM or partition.
To create an HSM policy template:
1.Log in to LunaSH as admin. If you are creating a template from an initialized HSM, you must also log in as HSM SO.
lunash:>hsm login
2.Create the HSM policy template file with an original filename. No file extension is required. If a template file with the same name exists, it is overwritten.
lunash:>hsm showpolicies -exporttemplate <filename>
lunash:>hsm showpolicies -exporttemplate HSMPT
HSM policies successfully written.
Use 'scp' from a client machine to get file named:
HSMPT
Command Result : 0 (Success)
3.On a client workstation, use scp/pscp to transfer the template file from the source appliance to the workstation.
4.Customize the template file with a standard text editor (see Editing a Policy Template).
To create a partition policy template:
1.Launch LunaCM and set the active slot to the partition. If you are creating a template from an initialized partition, you must log in as Partition SO.
lunacm:>slot set slot <slotnum>
lunacm:>role login -name po
2.Create the partition policy template file. Specify an existing save directory and the desired filename. No file extension is required. If a template file with the same name exists in the specified directory, it is overwritten.
lunacm:>partition showpolicies -exporttemplate <filepath/filename>
lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT
Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT
Command Result : No Error
Editing a Policy Template
Use a standard text editor to manually edit policy templates for custom configurations. This section provides template examples and customization guidelines.
HSM Policy Template Example
This example shows the contents of an HSM policy template created using the factory default policy settings. Use a standard text editor to change the policy values (0=OFF, 1=ON, or the desired value 0-255). You cannot edit the destructiveness of HSM policies. See HSM Capabilities and Policies for more information.
If you export a policy template from an uninitialized HSM, the Sourced from HSM header field remains blank. This field is informational and you can still apply the template.
The Policy Description field is included in the template for user readability only. Policies are verified by the number in the Policy ID field.
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value
# Sourced from HSM: myLunaHSM, SN: 66331
6:"Allow masking":0
7:"Allow cloning":1
12:"Allow non-FIPS algorithms":1
15:"SO can reset partition PIN":0
16:"Allow network replication":1
21:"Force user PIN change after set/reset":1
22:"Allow offboard storage":1
23:"Allow partition groups":0
25:"Allow remote PED usage":0
30:"Allow unmasking":1
33:"Current maximum number of partitions":100
35:"Force Single Domain":0
36:"Allow Unified PED Key":0
37:"Allow MofN":0
38:"Allow small form factor backup/restore":0
39:"Allow Secure Trusted Channel":0
40:"Decommission on tamper":0
42:"Allow partition re-initialize":0
43:"Allow low level math acceleration":0
46:"Disable Decommission":1
47:"Allow Tunnel Slot":0
48:"Do Controlled Tamper Recovery":1
Partition Policy Template Example
This example shows the contents of a partition policy template created using the factory default policy settings. Use a standard text editor to change the policy and/or destructiveness values (0=OFF, 1=ON, or the desired value 0-255).
Partition policy template entries have two additional fields: Off to on destructive and On to off destructive (see example below). Change these values to 0 or 1 to determine whether cryptographic objects on the partition should be deleted when this policy is changed in the future. Policies that lower the security level of the objects stored on the partition are normally destructive, but it may be useful to customize this behavior for your own security strategy. See Partition Capabilities and Policies for more information.
CAUTION! Setting policy destructiveness to 0 (OFF) makes partitions less secure. Use this feature only if your security strategy demands it.
If you export a policy template from an uninitialized partition, the Sourced from partition header field remains blank. This field is informational and you can still apply the template.
The Policy Description field is included in the template for user readability only. Policies are verified by the number in the Policy ID field.
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value:Off to on destructive:On to off destructive
# Sourced from partition: myPartition1, SN: 154438865290
0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":0:1:0
2:"Allow private key unwrapping":1:0:0
3:"Allow private key masking":0:1:0
4:"Allow secret key cloning":1:1:0
5:"Allow secret key wrapping":1:1:0
6:"Allow secret key unwrapping":1:0:0
7:"Allow secret key masking":0:1:0
10:"Allow multipurpose keys":1:1:0
11:"Allow changing key attributes":1:1:0
15:"Ignore failed challenge responses":1:1:0
16:"Operate without RSA blinding":1:1:0
17:"Allow signing with non-local keys":1:0:0
18:"Allow raw RSA operations":1:1:0
20:"Max failed user logins allowed":10:0:0
21:"Allow high availability recovery":1:0:0
22:"Allow activation":0:0:0
23:"Allow auto-activation":0:0:0
25:"Minimum pin length (inverted 255 - min)":248:0:0
26:"Maximum pin length":255:0:0
28:"Allow Key Management Functions":1:1:0
29:"Perform RSA signing without confirmation":1:1:0
31:"Allow private key unmasking":1:0:0
32:"Allow secret key unmasking":1:0:0
33:"Allow RSA PKCS mechanism":1:1:0
34:"Allow CBC-PAD (un)wrap keys of any size":1:1:0
39:"Allow Start/End Date Attributes":0:1:0
Guidelines and Restrictions
When creating, applying, or editing policy templates:
>You can remove a policy from the template by adding # at the beginning of the line or deleting the line entirely. When you apply the template, the HSM or partition uses its default value for that policy.
>Partition policy templates from older Luna versions (6.x or earlier) cannot be applied to Luna 7.x partitions.
>This version of the partition policy template feature is available on Luna 7.x user partitions only. When the active slot is set to a Luna 6.x partition, the -exporttemplate option is not available.
>If you are using Secure Trusted Channel (STC) client connections, you cannot use partition policy templates.
>The following restrictions apply when configuring partitions for Cloning or Key Export (see Keys In Hardware vs. Private Key Export for more information):
•Partition policy 0: Allow private key cloning and partition policy 1: Allow private key wrapping can never be set to 1 (ON) at the same time. Initialization fails if the template contains a value of 1 for both policies.
•Partition policy 1: Allow private key wrapping must always have Off-to-on destructiveness set to 1 (ON). Initialization fails if the template contains a value of 0 in this field.
>You may not use invalid policy values (outside the acceptable range), or values that conflict with your HSM or partition's capabilities. For example, HSM capability 6: Enable Masking is always Disallowed, so you cannot set the corresponding HSM policy to 1. If you attempt to initialize an HSM or partition with a template containing invalid policy values, an error is returned and initialization fails:
lunacm:>hsm init -label myPartition1 -force -applytemplate ParPTbadvalue
The following values from the PPT are not compatible with the current hsm capabilities:
3: Allow private key masking: 1 (Capability: 0)
7: Allow secret key masking: 1 (Capability: 0)
23: Allow auto-activation: 1 (Capability: 0)
36: Allow Fast-Path: 1 (Capability: 0)
No initialization was performed.
Error: 'hsm init' failed. (C0000102 : RC_DATA_INVALID)
Command Result : 65535 (Luna Shell execution)
>If you include policies that the current HSM firmware does not support, initialization fails:
lunacm:>partition init -label myPartition2 -force -applytemplate ParPTunsupported
The following policies are not supported. Unsupported values will be ignored.
9: Unsupported policy
Error: 'hsm init' failed. (C0000102 : RC_DATA_INVALID)
Command Result : 65535 (Luna Shell execution)
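The template format shown in the HSM and partition examples above, together with the restrictions in this section, can be checked on the workstation before a file is handed to hsm init or partition init. The following linter is an added example written for this page, not Thales code and not part of the Luna client: it parses the Policy ID:"Description":Value[:Off-to-on:On-to-off] lines, skips # lines the way the HSM does, and flags the two private key cloning/wrapping rules, out-of-range values, and malformed destructiveness fields. The sample template embedded in it is constructed in the page's format (it is not a real export), and set_policy and min_pin_length are helper names chosen here; the only firmware facts it relies on are the ones stated on this page (values 0-255, destructiveness 0 or 1, policy 25 stored as 255 minus the minimum PIN length).

```python
"""Offline linter for Luna policy template files (HSM or partition).

Added example, not Thales code. It applies the format and restriction rules
from this page to a template before 'hsm init' or 'partition init
-applytemplate' sees it, so a bad file fails on the workstation instead of
with RC_DATA_INVALID on the HSM.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the page's partition template format (not a real export).
SAMPLE_PARTITION_TEMPLATE = """\
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value:Off to on destructive:On to off destructive
# Sourced from partition: myPartition1, SN: 154438865290
0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":0:1:0
2:"Allow private key unwrapping":1:0:0
20:"Max failed user logins allowed":10:0:0
25:"Minimum pin length (inverted 255 - min)":248:0:0
"""

# ID:"Description":Value with optional :OffToOnDestructive:OnToOffDestructive
ENTRY_RE = re.compile(r'^(\d+):"([^"]*)":(\d+)(?::(\d+):(\d+))?$')


@dataclass
class PolicyEntry:
    policy_id: int
    description: str          # informational only; the HSM matches on policy_id
    value: int
    off_to_on_destructive: Optional[int] = None   # partition templates only
    on_to_off_destructive: Optional[int] = None


def parse_template(text: str) -> Tuple[Dict[int, PolicyEntry], List[str]]:
    """Parse a template; returns entries keyed by policy ID plus format errors.

    Blank and '#' lines are skipped: a commented-out policy is simply absent,
    and the HSM or partition falls back to its default for that policy.
    """
    entries: Dict[int, PolicyEntry] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            errors.append(f"line {lineno}: unparseable entry {line!r}")
            continue
        pid, desc, val, d_on, d_off = m.groups()
        entry = PolicyEntry(int(pid), desc, int(val),
                            None if d_on is None else int(d_on),
                            None if d_off is None else int(d_off))
        if entry.policy_id in entries:
            errors.append(f"line {lineno}: duplicate policy ID {entry.policy_id}")
        entries[entry.policy_id] = entry
    return entries, errors


def lint_partition_template(entries: Dict[int, PolicyEntry]) -> List[str]:
    """Apply the page's partition-template rules; an empty list means clean."""
    problems: List[str] = []
    for e in entries.values():
        if not 0 <= e.value <= 255:
            problems.append(f"policy {e.policy_id}: value {e.value} outside 0-255")
        if e.off_to_on_destructive is None or e.on_to_off_destructive is None:
            problems.append(f"policy {e.policy_id}: missing destructiveness fields")
        elif {e.off_to_on_destructive, e.on_to_off_destructive} - {0, 1}:
            problems.append(f"policy {e.policy_id}: destructiveness must be 0 or 1")
    p0, p1 = entries.get(0), entries.get(1)
    if p0 and p1 and p0.value == 1 and p1.value == 1:
        problems.append("policy 0 (private key cloning) and policy 1 "
                        "(private key wrapping) cannot both be ON")
    if p1 and p1.off_to_on_destructive == 0:
        problems.append("policy 1 (private key wrapping) must have "
                        "Off-to-on destructive set to 1")
    return problems


def set_policy(text: str, policy_id: int, value: Optional[int] = None,
               off_to_on: Optional[int] = None,
               on_to_off: Optional[int] = None) -> str:
    """Return the template with one entry's fields changed; all other lines kept."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and int(m.group(1)) == policy_id:
            pid, desc, val, d_on, d_off = m.groups()
            fields = [pid, f'"{desc}"', str(val if value is None else value)]
            if d_on is not None:   # partition template: keep destructiveness fields
                fields += [str(d_on if off_to_on is None else off_to_on),
                           str(d_off if on_to_off is None else on_to_off)]
            raw = ":".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


def min_pin_length(entries: Dict[int, PolicyEntry]) -> Optional[int]:
    """Policy 25 is stored inverted: real minimum PIN length = 255 - value."""
    e = entries.get(25)
    return None if e is None else 255 - e.value


if __name__ == "__main__":
    entries, errors = parse_template(SAMPLE_PARTITION_TEMPLATE)
    print("format errors:", errors)
    print("lint:", lint_partition_template(entries))
    print("minimum PIN length:", min_pin_length(entries))
```

Run it against an exported file (read the file into parse_template) before copying the template to the appliance or client; the linter checks only the rules this page states, so a template that passes can still be rejected for capability or firmware mismatches that only the HSM itself knows about.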
Applying a Policy Template
The following procedures describe how to apply HSM and partition policy templates.
To apply a policy template to a new HSM:
1.From a client workstation, use scp/pscp to transfer the template file to the destination appliance.
2.Log in to LunaSH as admin on the destination appliance, and initialize the HSM using the policy template file.
lunash:>hsm init -label <label> -applytemplate <filename>
3.Verify that the template has been applied correctly by checking the HSM's policy settings.
lunash:>hsm showpolicies
To apply a policy template to a new partition:
1.Ensure that the template file is saved on the client workstation.
2.Launch LunaCM, set the active slot to the new partition, and initialize the partition using the policy template file. If the template file is not in the same directory as LunaCM, include the correct filepath.
lunacm:>slot set slot <slotnum>
lunacm:>partition init -label <label> -applytemplate <filepath/filename>
3.Verify that the template has been applied correctly by checking the partition's policy settings.
lunacm:>partition showpolicies -verbose