hsm showpolicies

Display the current settings for all HSM capabilities and policies, or optionally restrict the listing to only the policies that are configurable. Include the -exporttemplate option to export the current state of all policies to a template file.

Certain HSM policy settings exist to enable migration from SafeNet Luna Network HSM 4.x to SafeNet Luna Network HSM 5.x or 6.x, specifically the “Enable masking” and “Enable portable masking key” values.

User Privileges

Users with the following privileges can perform this command:

- Admin
- Operator
- Monitor

Syntax

hsm showpolicies [-configonly] [-exporttemplate <filename>]

Argument(s)                  Shortcut   Description
-configonly                  -c         Restrict the list to configurable policies only.
-exporttemplate <filename>   -e         Export the current state of all HSM policies to a template file.

Example

lunash:>hsm showpolicies
 
   HSM Label:   sa7pw
   Serial #:    66331
   Firmware:    7.0.1
 
   The following capabilities describe this HSM, and cannot be altered
   except via firmware or capability updates.
 
   Description                              Value
   ===========                              =====
   Enable PIN-based authentication          Allowed
   Enable PED-based authentication          Disallowed
   Performance level                        15
   Enable domestic mechanisms & key sizes   Allowed
   Enable masking                           Disallowed
   Enable cloning                           Allowed
   Enable full (non-backup) functionality   Allowed
   Enable non-FIPS algorithms               Allowed
   Enable SO reset of partition PIN         Allowed
   Enable network replication               Allowed
   Enable Korean Algorithms                 Disallowed
   FIPS evaluated                           Disallowed
   Manufacturing Token                      Disallowed
   Enable forcing user PIN change           Allowed
   Enable portable masking key              Allowed
   Enable partition groups                  Disallowed
   Enable remote PED usage                  Disallowed
   HSM non-volatile storage space           33554432
   Enable unmasking                         Allowed
   Maximum number of partitions             100
   Enable Single Domain                     Disallowed
   Enable Unified PED Key                   Disallowed
   Enable MofN                              Disallowed
   Enable small form factor backup/restore  Disallowed
   Enable Secure Trusted Channel            Allowed
   Enable decommission on tamper            Disallowed
   Enable partition re-initialize           Disallowed
   Enable low level math acceleration       Allowed
   Enable Fast-Path                         Disallowed
   Allow Disabling Decommission             Allowed
   Enable Tunnel Slot                       Disallowed
   Enable Controlled Tamper Recovery        Disallowed
 
   The following policies are set due to current configuration of
   this HSM and cannot be altered directly by the user.
 
   Description                              Value
   ===========                              =====
   PIN-based authentication                 True
 
   The following policies describe the current configuration of
   this HSM and may be changed by the HSM Administrator.
 
   Changing policies marked "destructive" will zeroize (erase
   completely) the entire HSM.
 
   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Allow network replication                On           16        No
   Force user PIN change after set/reset    Off          21        No
   Allow offboard storage                   On           22        Yes
   Allow unmasking                          On           30        No
   Current maximum number of partitions     100          33        No
   Allow Secure Trusted Channel             On           39        No
   Allow low level math acceleration        On           43        No
   Disable Decommission                     Off          46        Yes
 
 
Command Result : 0 (Success)
 
lunash:>hsm showpolicies -exporttemplate HSMPT
 
HSM policies successfully written.
 
Use 'scp' from a client machine to get file named:
HSMPT
 
Command Result : 0 (Success)
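
The following added example, which is not part of the vendor documentation, parses the configurable-policy table in the format shown above and compares it with a baseline so that policy drift can be reviewed. The function names and the baseline values are assumptions made for illustration; policy 39 is left out of the abridged sample on purpose to exercise the missing-row case.

```python
import re

# Abridged copy of the configurable-policy table from the example output above.
SAMPLE = """\
   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Current maximum number of partitions     100          33        No
   Disable Decommission                     Off          46        Yes
"""

# Row shape: description, value, numeric code, Yes/No, separated by 2+ spaces.
# Header, underline and two-column capability rows do not match and are skipped.
ROW = re.compile(
    r"^\s*(?P<desc>\S.*?)\s{2,}(?P<value>\S+)\s{2,}"
    r"(?P<code>\d+)\s{2,}(?P<destructive>Yes|No)\s*$")

def parse_policies(text):
    """Return {code: {"desc", "value", "destructive"}} for configurable policies."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policies[int(m["code"])] = {
                "desc": m["desc"],
                "value": m["value"],
                "destructive": m["destructive"] == "Yes",
            }
    return policies

def drift(policies, baseline):
    """Compare against {code: expected_value}; report mismatches and missing codes."""
    findings = []
    for code, expected in sorted(baseline.items()):
        actual = policies.get(code)
        if actual is None:
            findings.append((code, "<missing>", expected, None))
        elif actual["value"] != expected:
            findings.append((code, actual["value"], expected, actual["destructive"]))
    return findings

# Hypothetical site baseline (constructed for this example, not vendor guidance).
BASELINE = {7: "On", 12: "Off", 15: "Off", 33: "100", 39: "On"}

if __name__ == "__main__":
    for code, actual, expected, destructive in drift(parse_policies(SAMPLE), BASELINE):
        note = " (changing it zeroizes the HSM)" if destructive else ""
        print(f"policy {code}: is {actual}, baseline {expected}{note}")
```

The destructive flag is carried through to each finding because, as the output states, changing a policy marked "destructive" zeroizes the entire HSM, so such drift needs a planned remediation rather than an immediate policy change.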