Set HSM Policies - PED Authentication
Set any of the alterable policies that are to apply to the HSM.
NOTE Capabilities identify the purchased features of the product and are set at time of manufacture. Policies represent the HSM Admin’s enabling (or restriction) of those features.
1. Type the hsm showpolicies command to display the current policy set for the HSM.
lunash:>hsm showpolicies
HSM Label: myLunaHSM
Serial #: 532018
Firmware: 7.0.1
The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.
Description Value
=========== =====
Enable PIN-based authentication Disallowed
Enable PED-based authentication Allowed
Performance level 15
Enable domestic mechanisms & key sizes Allowed
Enable masking Disallowed
Enable cloning Allowed
Enable full (non-backup) functionality Allowed
Enable non-FIPS algorithms Allowed
Enable SO reset of partition PIN Allowed
Enable network replication Allowed
Enable Korean Algorithms Disallowed
FIPS evaluated Disallowed
Manufacturing Token Disallowed
Enable forcing user PIN change Allowed
Enable portable masking key Allowed
Enable partition groups Disallowed
Enable remote PED usage Allowed
HSM non-volatile storage space 33554432
Enable unmasking Allowed
Maximum number of partitions 100
Enable Single Domain Disallowed
Enable Unified PED Key Disallowed
Enable MofN Allowed
Enable small form factor backup/restore Disallowed
Enable Secure Trusted Channel Allowed
Enable decommission on tamper Allowed
Enable partition re-initialize Disallowed
Enable low level math acceleration Allowed
Enable Fast-Path Disallowed
Allow Disabling Decommission Allowed
Enable Tunnel Slot Disallowed
Enable Controlled Tamper Recovery Allowed
The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.
Description Value
=========== =====
PED-based authentication True
The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will erase all HSM partitions
on the HSM.
IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase
all partitions AND zeroize your HSM.
Description Value Code Destructive
=========== ===== ==== ===========
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
SO can reset partition PIN Off 15 Yes
Allow network replication On 16 No
Force user PIN change after set/reset On 21 No
Allow offboard storage On 22 Yes
Allow remote PED usage On 25 No
Allow unmasking On 30 No
Current maximum number of partitions 100 33 No
Allow MofN On 37 No
Allow Secure Trusted Channel Off 39 No
Decommission on tamper Off 40 Yes
Allow low level math acceleration On 43 No
Disable Decommission Off 46 Yes
Do Controlled Tamper Recovery On 48 No
Command Result : 0 (Success)
According to the above example, the fixed capabilities require that this HSM be protected at FIPS 140-2 level 3, meaning that the PED and PED keys are required for authentication, and values typed from a keyboard are ignored.
The alterable policies have numeric codes. You can alter a policy with the hsm changepolicy command, giving the code for the policy that is to change, followed by the new value.
NOTE The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms. The HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them. An auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.
2. To change HSM policies, the HSM SO must first log in with the hsm login command.
Control is passed to the PED, which prompts you for the blue PED key. Input the appropriate PED key for this HSM, and press Enter on the PED keypad.
3. To modify a policy setting, type the hsm changepolicy command:
**WARNING** This example is a change to a destructive policy, meaning that if you apply this policy, the HSM is zeroized and all contents are lost. This is not an issue when you have just initialized an HSM.
lunash:>hsm changepolicy -policy 12 -value 0
Changing this policy will result in erasing all partitions
on the HSM.
Type 'proceed' to erase all partitions or 'quit' to quit now.
>proceed
'hsm changePolicy' successful.
Policy Allow non-FIPS algorithms is now set to value: 0
Command Result : 0 (Success)
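The following script is an added example, not SafeNet/Thales code: it parses the alterable-policies table of the hsm showpolicies output (the sample rows are constructed from the output above), builds the hsm changepolicy command for a planned change, and reports whether that policy is marked destructive so that a backup is taken before partitions are erased. The function names and the assumption that the table is space separated with Value, Code and Destructive as the last three columns are mine.

```python
from dataclasses import dataclass

# Constructed sample: subset of the alterable-policies table shown above.
SAMPLE_OUTPUT = """\
Description Value Code Destructive
=========== ===== ==== ===========
Allow cloning On 7 Yes
Allow non-FIPS algorithms On 12 Yes
SO can reset partition PIN Off 15 Yes
Allow network replication On 16 No
Current maximum number of partitions 100 33 No
Disable Decommission Off 46 Yes
Command Result : 0 (Success)
"""

@dataclass
class Policy:
    description: str
    value: str        # "On", "Off" or a number, kept as text
    code: int
    destructive: bool

def parse_policies(text: str) -> dict:
    """Return alterable policies keyed by code. Rows are split from the right
    (Destructive, Code, Value) because descriptions contain spaces."""
    policies, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Description Value Code Destructive"):
            in_table = True
            continue
        if line.startswith("Command Result"):
            break
        parts = line.split()
        if not in_table or len(parts) < 4 or parts[-1] not in ("Yes", "No"):
            continue
        code = int(parts[-2])
        policies[code] = Policy(" ".join(parts[:-3]), parts[-3], code, parts[-1] == "Yes")
    return policies

def plan_change(policies: dict, code: int, value: int) -> tuple:
    """Build the lunash command for a policy change and report whether it is
    destructive (erases all partitions), so a backup can be taken first."""
    cmd = f"hsm changepolicy -policy {code} -value {value}"
    return cmd, policies[code].destructive

def fips_algorithms_restricted(policies: dict) -> bool:
    """True when policy 12 (Allow non-FIPS algorithms) is Off, i.e. only the
    FIPS-approved algorithm subset is available (the state an auditor expects)."""
    return policies[12].value == "Off"
```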
Destructive Change of HSM Policy
The above example is a change to a destructive policy. This means that if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm if that is what you really wish to do. You must now re-initialize the HSM.
While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your SafeNet Luna HSM has been in a “live” or “production” environment and contains useful or important data, keys, or certificates.
Back up any important HSM or partition contents before making any destructive policy change, and then restore from backup after the HSM is re-initialized and the partition re-created.
Refer to Capabilities and Policies in the HSM Administration Guide for a description of all policies and their meanings.