Set Partition Policies

At this point, you should have initialized the partition and created the Crypto Officer role. All administration of an initialized partition is carried out by the Partition SO, via LunaCM, from a registered client computer. Before deploying the partitions, review and set the policies constraining the use of the partition by clients, as described in the following sections:

>Displaying the Current Partition Policy Settings

>Changing the Partition Policy Settings

>RSA Blinding Mode

Displaying the Current Partition Policy Settings

First, display the current (default) policies of the application partition. You can run the partition showpolicies command without logging in; the Partition SO must be logged in to change partition policy settings.

To display the current partition policy settings:

1. Open a LunaCM session.

2. Enter the following command to display current partition capability and policy settings. Capabilities are factory settings. Policies are the means of modifying the adjustable capabilities:

lunacm:>partition showpolicies [-slot <slotnum>]

Changing the Partition Policy Settings

Having viewed the Policy settings, you can now modify a Partition Policy for a given partition.

To change a partition policy:

1. Open a LunaCM session, select the partition slot, and log in as Partition SO.

lunacm:>slot set slot <slotnum>

lunacm:>role login -name po

2. Enter the following command to change a Partition Policy:

lunacm:>partition changepolicy -policy <policy_ID> -value <policy_value>

RSA Blinding Mode

Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.

The Partition Security Officer can turn this feature on or off.

If RSA blinding is enabled in Capabilities and allowed in Policies, the partition always runs in RSA blinding mode, and performance will be lower than SafeNet's published performance figures. This is because the deliberate introduction of random elements causes the average signature to take longer to complete.

For maximum performance, you can switch RSA blinding mode off, at the cost of additional risk of timing attacks on your keys. It is your decision whether your network and other security measures are sufficiently rigorous that blinding is not needed.

SafeNet Luna HSMs are normally shipped with the Capability set to allow switching blinding on or off, and with the Policy set to not use blinding, by default.
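The following added example (not part of the Luna documentation or the HSM firmware) shows the blinding technique described above on a constructed toy RSA key: the private exponent is applied to a randomised value rather than to the caller's input, yet the final signature is identical to the unblinded one and still verifies.

```python
import secrets
from math import gcd

# Constructed toy RSA key for illustration only (real HSM keys are 2048+ bits).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent, d = e^-1 mod phi(n)


def sign_unblinded(m, d=D, n=N):
    # Plain RSA private operation: d is applied directly to the caller-chosen m,
    # so the work done (and its timing) is a function of m.
    return pow(m, d, n)


def sign_blinded(m, d=D, e=E, n=N):
    # RSA blinding: pick a fresh random r coprime to n, multiply the input by
    # r^e, exponentiate the blinded value, then remove the factor r.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n           # attacker cannot predict this operand
    s_blinded = pow(blinded, d, n)             # = m^d * r^(ed) = m^d * r  (mod n)
    signature = (s_blinded * pow(r, -1, n)) % n
    # Return the blinded operand too, so the caller can see it differs per call.
    return signature, blinded


def verify(m, s, e=E, n=N):
    # Standard RSA verification: s^e must recover m.
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    msg = 123456789  # constructed message representative (already hashed/padded in practice)
    s_plain = sign_unblinded(msg)
    s_blind, operand = sign_blinded(msg)
    print("same signature:", s_plain == s_blind, "verifies:", verify(msg, s_blind))
    print("blinded operand differs from message:", operand != msg)
```

Each call to sign_blinded exponentiates a different operand, which is why the average signature takes longer and why the private key's timing profile no longer tracks the input.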