hsm showpolicies
Display the current settings for all HSM capabilities and policies, or optionally restrict the listing to only the policies that are configurable. Include the -exporttemplate option to export the current state of all policies to a template file.
Certain HSM policy settings exist to enable migration from SafeNet Luna Network HSM 4.x to SafeNet Luna Network HSM 5.x or 6.x, specifically the “Enable masking” and “Enable portable masking key” values.
User Privileges
Users with the following privileges can perform this command:
- Admin
- Operator
- Monitor
Syntax
hsm showpolicies [-configonly] [-exporttemplate <filename>]
Argument(s) | Shortcut | Description |
---|---|---|
-configonly | -c | Restrict the list to configurable policies only. |
-exporttemplate <filename> | -e | Export the current state of all HSM policies to a template file. |
Example
lunash:>hsm showpolicies
HSM Label: sa7pw
Serial #: 66331
Firmware: 7.0.1
The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.
Description                               Value
===========                               =====
Enable PIN-based authentication           Allowed
Enable PED-based authentication           Disallowed
Performance level                         15
Enable domestic mechanisms & key sizes    Allowed
Enable masking                            Disallowed
Enable cloning                            Allowed
Enable full (non-backup) functionality    Allowed
Enable non-FIPS algorithms                Allowed
Enable SO reset of partition PIN          Allowed
Enable network replication                Allowed
Enable Korean Algorithms                  Disallowed
FIPS evaluated                            Disallowed
Manufacturing Token                       Disallowed
Enable forcing user PIN change            Allowed
Enable portable masking key               Allowed
Enable partition groups                   Disallowed
Enable remote PED usage                   Disallowed
HSM non-volatile storage space            33554432
Enable unmasking                          Allowed
Maximum number of partitions              100
Enable Single Domain                      Disallowed
Enable Unified PED Key                    Disallowed
Enable MofN                               Disallowed
Enable small form factor backup/restore   Disallowed
Enable Secure Trusted Channel             Allowed
Enable decommission on tamper             Disallowed
Enable partition re-initialize            Disallowed
Enable low level math acceleration        Allowed
Enable Fast-Path                          Disallowed
Allow Disabling Decommission              Allowed
Enable Tunnel Slot                        Disallowed
Enable Controlled Tamper Recovery         Disallowed
The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.
Description                               Value
===========                               =====
PIN-based authentication                  True
The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase
completely) the entire HSM.
Description                               Value   Code  Destructive
===========                               =====   ====  ===========
Allow cloning                             On      7     Yes
Allow non-FIPS algorithms                 On      12    Yes
SO can reset partition PIN                Off     15    Yes
Allow network replication                 On      16    No
Force user PIN change after set/reset     Off     21    No
Allow offboard storage                    On      22    Yes
Allow unmasking                           On      30    No
Current maximum number of partitions      100     33    No
Allow Secure Trusted Channel              On      39    No
Allow low level math acceleration         On      43    No
Disable Decommission                      Off     46    Yes
Command Result : 0 (Success)
lunash:>hsm showpolicies -exporttemplate HSMPT
HSM policies successfully written.
Use 'scp' from a client machine to get file named:
HSMPT
Command Result : 0 (Success)
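The configurable-policy table in the output above can be checked against a site baseline by parsing its Description/Value/Code/Destructive rows. The following is an added example, not part of the original documentation; the baseline values and the function names are hypothetical assumptions, and the sample rows are copied from the example output.

```python
import re

# Constructed sample: configurable-policy rows taken from the example output above.
SAMPLE = """\
Description Value Code Destructive
=========== ===== ==== ===========
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
SO can reset partition PIN Off 15 Yes
Force user PIN change after set/reset Off 21 No
Current maximum number of partitions 100 33 No
Disable Decommission Off 46 Yes
"""

# Hypothetical organisational baseline keyed by policy code (an assumption,
# not vendor guidance): code -> value the site expects.
BASELINE = {12: "Off", 15: "Off", 21: "On", 46: "Off"}

ROW = re.compile(r"^(?P<desc>.+?)\s+(?P<value>\S+)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$")

def parse_policies(text):
    """Return {code: {...}} for rows of the configurable-policy table only."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headers, capability rows and prompts do not match
            policies[int(m["code"])] = {
                "description": m["desc"],
                "value": m["value"],
                "destructive": m["destr"] == "Yes",
            }
    return policies

def audit(text, baseline=BASELINE):
    """List deviations from the baseline, including codes absent from the output."""
    policies = parse_policies(text)
    findings = []
    for code, expected in sorted(baseline.items()):
        p = policies.get(code)
        if p is None:
            findings.append((code, "<not reported>", None, expected, None))
        elif p["value"] != expected:
            findings.append((code, p["description"], p["value"], expected, p["destructive"]))
    return findings

if __name__ == "__main__":
    for code, desc, actual, expected, destructive in audit(SAMPLE):
        note = " (changing it zeroizes the HSM)" if destructive else ""
        print(f"policy {code} {desc!r}: is {actual}, baseline {expected}{note}")
```

The destructive flag is carried into each finding because, as the output states, changing a policy marked destructive zeroizes the entire HSM, so such a deviation has to be planned rather than simply corrected.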