Setting SafeNet Luna PCIe HSM Policies, PW-authenticated
HSM Capabilities represent the underlying factory configurations of the HSM. HSM Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can enable a Capability. If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.
In most cases, Capabilities and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some involve a range of values (for example, Performance level or HSM non-volatile storage space in the listing below).
Example Policy Change Procedure
In this example, we show the initial values of the HSM Capabilities and their corresponding Policies, then we change one Policy, and show the values again. The settings you would see for a password-authenticated HSM and a PED-authenticated HSM might differ slightly, but the general principle and the operation of policy change are the same.
1.First, for this example, display the basic HSM information.
lunacm:> hsm showinfo
Partition Label -> myPCIe7hsm
Partition Manufacturer -> SafeNet
Partition Model -> Luna K7
Partition Serial Number -> 528499
Partition Status -> L3 Device
HSM Certificates -> *** Test Certs ***
HSM Part Number -> 808-000048-002
Token Flags ->
CKF_RNG
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Supported
Slot Id -> 104
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 000000000000000073100800
Partition Storage:
Total Storage Space: 393216
Used Storage Space: 0
Free Storage Space: 393216
Object Count: 0
Overhead: 9848
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
FM HW Status -> FM
Firmware Version -> 7.4.0
Rollback Firmware Version -> Not Available
Environmental:
Fan 1 Status : active
Fan 2 Status : failed
Battery Voltage : 3.093 V
Battery Warning Threshold Voltage : 2.750 V
System Temp : 40 deg. C
System Temperature Warning Threshold : 75 deg. C
HSM Storage:
Total Storage Space: 33554432
Used Storage Space: 335544
Free Storage Space: 33218888
Allowed Partitions: 1
Number of Partitions: 1
License Count -> 9
1. 621000068-000 Test Cert : K7 Base
2. 621010185-003 Key backup via cloning protocol
3. 621000046-002 Maximum 100 partitions
4. 621000134-002 Enable 32 megabytes of object storage
5. 621000135-002 Enable allow decommissioning
6. 621000021-002 Maximum performance
7. 621000138-001 Controlled tamper recovery
8. 621000154-001 Enable decommission on tamper with policy off
9. 621000074-001 Test Cert : Enable Functionality Modules w Policy Off
Command Result : No Error
Note the message stating that the HSM is not in FIPS 140-2 approved operation mode. This is a condition that we are about to change for the purpose of providing an example; you do not need to make this particular change unless your organization's security policy calls for it.
2.Now display the controlling policies as they currently exist on the HSM.
lunacm:> hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 1
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 0
27: HSM non-volatile storage space : 33554432
30: Enable unmasking : 1
33: Maximum number of partitions : 1
35: Enable Single Domain : 0
36: Enable Unified PED Key : 0
37: Enable MofN : 0
38: Enable small form factor backup/restore : 0
39: Enable Secure Trusted Channel : 1
40: Enable decommission on tamper : 1
42: Enable partition re-initialize : 0
43: Enable low level math acceleration : 1
46: Allow Disabling Decommission : 1
47: Enable Tunnel Slot : 0
48: Enable Controlled Tamper Recovery : 1
49: Enable Partition Utilization Metrics : 1
50: Enable Functionality Modules : 1
51: Enable SMFS Auto Activation : 1
52: Enable Disabling FM Privilege Level : 1
53: Enable FM Cipher Engine Key Encryption : 1
HSM Policies
0: PIN-based authentication : 1
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 0
16: Allow network replication : 1
21: Force user PIN change after set/reset : 1
22: Allow offboard storage : 1
30: Allow unmasking : 1
33: Current maximum number of partitions : 1
39: Allow Secure Trusted Channel : 0
40: Decommission on tamper : 0
43: Allow low level math acceleration : 1
46: Disable Decommission : 0
48: Do Controlled Tamper Recovery : 1
49: Allow Partition Utilization Metrics : 1
50: Allow Functionality Modules : 1
51: Allow SMFS Auto Activation : 0
52: Disable FM Privilege Level : 0
53: Do FM Cipher Engine Key Encryption : 0
Command Result : No Error
3.To change an HSM Policy setting, you must provide the number that identifies the Policy and the value for the desired state. First log in to the HSM as the HSM SO. On a password-authenticated HSM, as in this example, the SO password is entered at the prompt and no PED is involved; on a PED-authenticated HSM the Luna PED must be connected and ready before you log in, and the login is completed on the PED. Then type the hsm changehsmpolicy command:
lunacm:>role login -name so
enter password: ********
Command Result : No Error
lunacm:>hsm changehsmpolicy -policy 12 -value 0
You are about to change a destructive HSM policy.
All partitions of the HSM will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Command Result : No Error
LunaCM v7.4.0. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 103
Label -> myPCIeHSM
Serial Number -> 123456
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PW) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PW)
HSM Status -> L3 Device
Current Slot Id: 103
4.Display the Capabilities and Policies again, and then the HSM information, to confirm the change.
lunacm:> hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 1
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 0
27: HSM non-volatile storage space : 33554432
30: Enable unmasking : 1
33: Maximum number of partitions : 1
35: Enable Single Domain : 0
36: Enable Unified PED Key : 0
37: Enable MofN : 0
38: Enable small form factor backup/restore : 0
39: Enable Secure Trusted Channel : 1
40: Enable decommission on tamper : 1
42: Enable partition re-initialize : 0
43: Enable low level math acceleration : 1
46: Allow Disabling Decommission : 1
47: Enable Tunnel Slot : 0
48: Enable Controlled Tamper Recovery : 1
49: Enable Partition Utilization Metrics : 1
50: Enable Functionality Modules : 1
51: Enable SMFS Auto Activation : 1
52: Enable Disabling FM Privilege Level : 1
53: Enable FM Cipher Engine Key Encryption : 1
HSM Policies
0: PIN-based authentication : 1
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 0
15: SO can reset partition PIN : 0
16: Allow network replication : 1
21: Force user PIN change after set/reset : 1
22: Allow offboard storage : 1
30: Allow unmasking : 1
33: Current maximum number of partitions : 1
39: Allow Secure Trusted Channel : 0
40: Decommission on tamper : 0
43: Allow low level math acceleration : 1
46: Disable Decommission : 0
48: Do Controlled Tamper Recovery : 1
49: Allow Partition Utilization Metrics : 1
50: Allow Functionality Modules : 1
51: Allow SMFS Auto Activation : 0
52: Disable FM Privilege Level : 0
53: Do FM Cipher Engine Key Encryption : 0
Command Result : No Error
lunacm:>hsm showinfo
Partition Label -> myPCIeHSM
Partition Manufacturer -> Gemalto
Partition Model -> Luna K7
Partition Serial Number -> 123456
Partition Status -> L3 Device
HSM Part Number -> 808-000048-002
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Supported
Slot Id -> 103
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 00000000000000001b030100
Partition Storage:
Total Storage Space: 393216
Used Storage Space: 0
Free Storage Space: 393216
Object Count: 4
Overhead: 9640
*** The HSM is in FIPS 140-2 approved operation mode. ***
Note in the above example that HSM Capability "12: Enable non-FIPS algorithms : 1" still has a value of 1 (meaning that it remains enabled), but the associated Policy "12: Allow non-FIPS algorithms : 0" now has a value of 0 (meaning that it has been disallowed by the SO). Note also that the message in the middle of the "show" information now says "*** The HSM is in FIPS 140-2 approved operation mode. ***" because the HSM is now restricted to using only FIPS-approved algorithms.
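As an added example (this is not part of the Luna documentation or of lunacm itself), the following Python script parses captured `hsm showpolicies` and `hsm showinfo` output and applies the rule stated at the top of this page: a Policy can only be set to 1 when its underlying Capability is 1. It lets you pre-flight an `hsm changehsmpolicy` request before anyone types 'proceed', diff a before/after snapshot to confirm that only the intended Policy changed, and read the FIPS mode line. The embedded text is a constructed subset of the listings above, and all function names are assumptions of this example.

```python
"""Parse and sanity-check lunacm 'hsm showpolicies' / 'hsm showinfo' output.

Added example, not SafeNet/Thales code. In practice, paste the captured
output of the lunacm commands into these functions.
"""
import re
from typing import Dict, Tuple

# Constructed sample: an abbreviated 'hsm showpolicies' listing before the change.
BEFORE = """HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
27: HSM non-volatile storage space : 33554432
39: Enable Secure Trusted Channel : 1
HSM Policies
0: PIN-based authentication : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 0
39: Allow Secure Trusted Channel : 0
Command Result : No Error
"""

# The same sample after 'hsm changehsmpolicy -policy 12 -value 0'.
AFTER = BEFORE.replace("12: Allow non-FIPS algorithms : 1",
                       "12: Allow non-FIPS algorithms : 0")

# "<number>: <name> : <value>" lines; the value may be a range value, not just 0/1.
LINE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+:\s+(\d+)\s*$")

Table = Dict[int, Tuple[str, int]]


def parse_showpolicies(text: str) -> Tuple[Table, Table]:
    """Return ({cap_num: (name, value)}, {pol_num: (name, value)})."""
    caps: Table = {}
    pols: Table = {}
    target = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "HSM Capabilities":
            target = caps
        elif stripped == "HSM Policies":
            target = pols
        else:
            m = LINE_RE.match(line)
            if m and target is not None:
                target[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return caps, pols


def check_policy_change(caps: Table, pols: Table, policy: int, value: int) -> str:
    """Pre-flight 'hsm changehsmpolicy -policy N -value V'.

    Encodes the rule from the text: the policy must exist, and a policy can
    only be enabled (1) if its capability is enabled. It does not know which
    policies are destructive; lunacm prompts for that itself.
    """
    if policy not in pols:
        return f"policy {policy} does not exist on this HSM"
    name, current = pols[policy]
    cap_value = caps.get(policy, (None, 0))[1]
    if value == 1 and cap_value == 0:
        return f"policy {policy} ({name}) cannot be enabled: capability is off"
    if current == value:
        return f"policy {policy} ({name}) is already {value}"
    return "ok"


def diff_policies(before: str, after: str) -> Dict[int, Tuple[int, int]]:
    """Return {policy_num: (old, new)} for every policy whose value changed."""
    _, p0 = parse_showpolicies(before)
    _, p1 = parse_showpolicies(after)
    return {n: (p0[n][1], p1[n][1]) for n in p0 if n in p1 and p0[n][1] != p1[n][1]}


def fips_mode(showinfo: str) -> bool:
    """True if 'hsm showinfo' output reports FIPS 140-2 approved operation mode."""
    return "The HSM is in FIPS 140-2 approved operation mode" in showinfo


if __name__ == "__main__":
    caps, pols = parse_showpolicies(BEFORE)
    print(check_policy_change(caps, pols, 12, 0))   # the change made on this page
    print(check_policy_change(caps, pols, 1, 1))    # no policy 1 exists
    print(diff_policies(BEFORE, AFTER))             # only policy 12 should differ
```

Run the pre-flight against a fresh `hsm showpolicies` capture before the destructive change, and the diff against captures taken before and after it; a diff that reports anything other than the one Policy you intended to change is a sign that the wrong policy number was typed.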
Destructive Change of HSM Policy
The above example is a change to a destructive policy: applying it zeroizes the HSM, so all partitions and their contents are lost. For this reason, lunacm prompts you to type 'proceed' before it applies the change, and afterwards you must re-initialize the HSM.
While this is not an issue when you have just initialized an HSM, it is a very important consideration if your SafeNet Luna HSM has been in a "live" or "production" environment and contains useful or important data, keys, or certificates.
Back up any important HSM or partition contents before making any destructive policy change, and then restore from backup after the HSM is re-initialized and the partition re-created.
Refer to Capabilities and Policies in the HSM Administration Guide for a description of all policies and their meanings.