partition showpolicies
Displays the partition-level capability and policy settings for the indicated user/application partition. With the -verbose option, the output also shows whether each policy is destructive when it is enabled or disabled (a destructive policy change zeroizes the partition's contents). Include the -exporttemplate option to export the current state of all partition policies to a partition policy template (PPT).
Policy template export is supported for application partitions only
The partition showpolicies -exporttemplate function is not supported for HSM admin partitions.
To export HSM-wide policies from HSMs connected locally to the HSM host, use the command hsm showpolicies with the -exporttemplate option.
Multiple sessions and policy changes
If you are running more than one LunaCM session against the same partition and change a partition policy in one of them, the change is reflected in that session only. You must exit and restart the other LunaCM sessions before partition showpolicies displays the changed policy settings in them.
Syntax
partition showpolicies [-slot <slot>] [-verbose] [-exporttemplate <filepath/filename>]
Argument(s) | Short | Description |
---|---|---|
-exporttemplate <filepath/filename> | -et | Export the current state of all partition policies to a policy template in the specified location. |
-slot <slot> | -s | Specifies the slot number for which to display partition policy settings. If no slot is specified, the policies for the currently-active slot are displayed. |
-verbose | -v | Include information that specifies whether the policy is destructive when enabled/disabled. |
Example
With -exporttemplate specified
lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT
Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT
Command Result : No Error
Normal mode
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
37: Force Secure Trusted Channel : 0
39: Allow Start/End Date Attributes : 0
Command Result : No Error
Verbose mode
lunacm:> partition showpolicies -verbose
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
Partition Policies
Code Description Value Destructive Off-To-On Destructive On-To-Off
______________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
2 Allow private key unwrapping On No No
3 Allow private key masking Off Yes No
4 Allow secret key cloning On Yes No
5 Allow secret key wrapping On Yes No
6 Allow secret key unwrapping On No No
7 Allow secret key masking Off Yes No
10 Allow multipurpose keys On Yes No
11 Allow changing key attributes On Yes No
15 Ignore failed challenge responses On Yes No
16 Operate without RSA blinding On Yes No
17 Allow signing with non-local keys On No No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
21 Allow high availability recovery On No No
22 Allow activation Off No No
23 Allow auto-activation Off No No
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
26 Maximum pin length 255 N/A N/A
28 Allow Key Management Functions On Yes No
29 Perform RSA signing without confirmation On Yes No
31 Allow private key unmasking On No No
32 Allow secret key unmasking On No No
33 Allow RSA PKCS mechanism On Yes No
34 Allow CBC-PAD (un)wrap keys of any size On Yes No
37 Force Secure Trusted Channel Off No Yes
39 Allow Start/End Date Attributes Off No Yes
Command Result : No Error
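The following is an added example, not code from the LunaCM documentation or from Thales. It parses the two output formats shown above (normal mode and -verbose mode) and audits the policy values against a baseline. The trimmed copies of the page's output used as sample input, the function names, and the BASELINE values (private key wrapping off, RSA blinding in use, raw RSA off, STC forced) are assumptions made for illustration; which policies a deployment should require is an operational decision that this page does not specify. The destructive check reads the Off-To-On and On-To-Off columns of the verbose table to tell, before a policy is changed, whether moving it to the baseline value would zeroize the partition.

```python
"""Audit Luna partition policies from `partition showpolicies` output.

Added example (not LunaCM or Thales code): parses the normal and -verbose
output formats shown on this page and compares them with an assumed baseline.
"""
import re

# Trimmed copy of the normal-mode output on this page (constructed sample).
NORMAL_OUTPUT = """\
Partition Capabilities
1: Enable private key wrapping : 1
37: Enable Secure Trusted Channel : 1
Partition Policies
1: Allow private key wrapping : 0
16: Operate without RSA blinding : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
25: Minimum pin length (inverted: 255 - min) : 248
37: Force Secure Trusted Channel : 0
Command Result : No Error
"""

# Trimmed copy of the -verbose policy table on this page (constructed sample).
VERBOSE_OUTPUT = """\
Partition Policies
Code Description Value Destructive Off-To-On Destructive On-To-Off
______________________________________________________________________________
1 Allow private key wrapping Off Yes No
16 Operate without RSA blinding On Yes No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
37 Force Secure Trusted Channel Off No Yes
Command Result : No Error
"""

# "<code>: <description> : <value>"; the description may itself contain ": ".
NORMAL_RE = re.compile(r"^\s*(\d+):\s+(.+?)\s+:\s+(\d+)\s*$")
# "<code> <description> <On|Off|number> <Yes|No|N/A> <Yes|No|N/A>"
VERBOSE_RE = re.compile(
    r"^\s*(\d+)\s+(.+?)\s+(On|Off|\d+)\s+(Yes|No|N/A)\s+(Yes|No|N/A)\s*$")

# Assumed baseline for a signing-only partition (illustration, not a vendor
# recommendation): policy code -> required value.
BASELINE = {
    1: 0,   # Allow private key wrapping: off, private keys cannot be wrapped out
    16: 0,  # Operate without RSA blinding: off, so RSA blinding stays in use
    18: 0,  # Allow raw RSA operations: off, no unpadded RSA
    37: 1,  # Force Secure Trusted Channel: on
}


def parse_normal(text):
    """Return {section: {code: (description, value)}} from normal-mode output."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("Partition Capabilities", "Partition Policies"):
            current = line.strip()
            sections[current] = {}
            continue
        m = NORMAL_RE.match(line)
        if m and current is not None:
            sections[current][int(m.group(1))] = (m.group(2), int(m.group(3)))
    return sections


def parse_verbose(text):
    """Return {code: (description, value, destructive_off_to_on, destructive_on_to_off)}."""
    rows = {}
    for line in text.splitlines():
        m = VERBOSE_RE.match(line)
        if m:
            code, desc, val, d_on, d_off = m.groups()
            value = 1 if val == "On" else 0 if val == "Off" else int(val)
            rows[int(code)] = (desc, value, d_on == "Yes", d_off == "Yes")
    return rows


def audit(policies, baseline=BASELINE):
    """Return [(code, description, current, required)] for each policy whose
    value differs from the baseline; `policies` is the normal-mode policy map."""
    findings = []
    for code, required in sorted(baseline.items()):
        if code in policies and policies[code][1] != required:
            findings.append((code, policies[code][0], policies[code][1], required))
    return findings


def destructive_changes(rows, baseline=BASELINE):
    """Return the codes whose move to the baseline value is a destructive change,
    judged from the Off-To-On / On-To-Off columns of the verbose output."""
    codes = []
    for code in sorted(rows):
        _desc, current, d_off_to_on, d_on_to_off = rows[code]
        required = baseline.get(code)
        if required is None or current == required:
            continue
        if (required == 1 and d_off_to_on) or (required == 0 and d_on_to_off):
            codes.append(code)
    return codes


if __name__ == "__main__":
    policies = parse_normal(NORMAL_OUTPUT)["Partition Policies"]
    for code, desc, current, required in audit(policies):
        print(f"policy {code} ({desc}): is {current}, baseline requires {required}")
    print("destructive changes:", destructive_changes(parse_verbose(VERBOSE_OUTPUT)))
```

For the sample above the audit reports policies 16, 18 and 37 as off-baseline, and none of those three changes is destructive: the verbose table shows On-To-Off = No for 16 and 18 and Off-To-On = No for 37. By contrast, turning policy 1 (Allow private key wrapping) from Off to On is marked Yes in the Off-To-On column, so a baseline that required it would be flagged. Because a policy change made in one LunaCM session is not visible in another session that is already open, feed this script output captured from a freshly started session rather than from a long-running one.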