Set HSM Policies - PED Authentication

Set any of the alterable policies that are to apply to the HSM.

NOTE   Capabilities identify the purchased features of the product and are set at time of manufacture. Policies represent the HSM Admin’s enabling (or restriction) of those features.

1. Type the hsm showpolicies command to display the current policy set for the HSM.

The alterable policies have numeric codes. You can alter a policy with the hsm changepolicy command, giving the code for the policy that is to change, followed by the new value.

NOTE   The FIPS 140-2 standard mandates a set of security factors that specify a restricted suite of cryptographic algorithms.  The HSM is designed to the standard, but can permit activation of additional non-FIPS-validated algorithms if your application requires them. An auditor would not validate your configuration unless the set of available algorithms is restricted to the approved subset.

2. To change HSM policies, the HSM SO must first log in with hsm login.

Control is passed to the PED, which prompts you for the blue PED key. Input the appropriate PED key for this HSM, and press Enter on the PED keypad.

3. To modify a policy setting, type the hsm changepolicy command:

CAUTION!   This example is a change to a destructive policy, meaning that if you apply this policy, the HSM is zeroized and all contents are lost. This is not an issue when you have just initialized an HSM.

lunash:>hsm changepolicy -policy 12 -value 0

        Changing this policy will result in erasing all partitions
        on the HSM.

        Type 'proceed' to erase all partitions or 'quit' to quit now.
        >proceed
'hsm changePolicy' successful.

Policy Allow non-FIPS algorithms is now set to value: 0

Command Result : 0 (Success)

Destructive Change of HSM Policy

The above example is a change to a destructive policy. This means that if you apply this policy, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm if that is what you really wish to do. You must now re-initialize the HSM.

While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your SafeNet Luna HSM has been in a “live” or “production” environment and contains useful or important data, keys, or certificates.

Back up any important HSM or partition contents before making any destructive policy change, and then restore from backup after the HSM is re-initialized and the partition re-created.
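For change records or audit evidence, a captured lunash session can be checked mechanically to confirm which policy was changed, whether the change was destructive, and whether the HSM reported success. The Python below is an added example, not part of the SafeNet documentation or tooling; it assumes the output format is exactly that of the step 3 transcript on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the lunash session from step 3 on this page, as captured text.
SESSION = """\
lunash:>hsm changepolicy -policy 12 -value 0

        Changing this policy will result in erasing all partitions
        on the HSM.

        Type 'proceed' to erase all partitions or 'quit' to quit now.
        >proceed
'hsm changePolicy' successful.

Policy Allow non-FIPS algorithms is now set to value: 0

Command Result : 0 (Success)
"""

CMD = re.compile(r"lunash:>\s*hsm changepolicy\s+-policy\s+(\d+)\s+-value\s+(\d+)$", re.I)
APPLIED = re.compile(r"Policy (.+) is now set to value: (\d+)$")
RESULT = re.compile(r"Command Result : (\d+) \(.*\)$")

def parse_policy_changes(transcript):
    """Return one record per 'hsm changepolicy' command in the transcript."""
    changes, cur = [], None
    for line in (raw.strip() for raw in transcript.splitlines()):
        if m := CMD.match(line):
            cur = {"code": int(m[1]), "requested": int(m[2]), "name": None, "applied": None,
                   "result": None, "destructive": False, "confirmed": False}
            changes.append(cur)
        elif cur is None:
            continue                      # output that belongs to some other command
        elif "erasing all partitions" in line:
            cur["destructive"] = True     # HSM warned that the change zeroizes it
        elif line == ">proceed":
            cur["confirmed"] = True       # operator accepted the erase
        elif m := APPLIED.match(line):
            cur["name"], cur["applied"] = m[1], int(m[2])
        elif m := RESULT.match(line):
            cur["result"] = int(m[1])
            cur = None                    # the result line ends this command's output
    return changes

def took_effect(change):
    """True only if the HSM reported success and echoed the requested value."""
    return change["result"] == 0 and change["applied"] == change["requested"]

def needs_reinit(change):
    """A confirmed, successful destructive change leaves the HSM zeroized."""
    return change["destructive"] and change["confirmed"] and took_effect(change)
```

A record for which needs_reinit is true marks a session after which the HSM must be re-initialized and its partitions restored from backup.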

Refer to Capabilities and Policies in the HSM Administration Guide for a description of all policies and their meanings.