Setting SafeNet Luna PCIe HSM Partition Policies

Partition Capabilities represent the underlying factory configurations that are in force when a Partition is created. Partition Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can change a Capability from off to on (disabled to enabled). If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.

For example, if a Capability setting requires that the minimum length of a Partition Password must be (say) seven characters, then the SO can use a Policy change to require a minimum password length of eight, nine, ten, or more characters (up to 255). A requirement for a longer password is considered to be a more restrictive security setting. The SO cannot use a Policy change to set the minimum password length to six or fewer characters, because that would be less restrictive than the original Capability, which demands at least seven characters.

In most cases, Capabilities and Policies are either off or on (disabled or enabled, where 0 [zero] means off/disabled and 1 [one] means on/enabled), but some take a range of values, as in the example below.

In this example, we will change the maximum number of consecutive failed login attempts that is permitted on the Partition before it is zeroized. The default maximum is 10. You can change the maximum to less than 10, but not to more than 10. Setting it to fewer than 10 makes the partition more secure than the default and is allowed; setting it to more than 10 would make the partition less secure than the default and is not allowed.

To change a partition policy:

1. View the current Partition Capabilities and their corresponding Policies.

slot set slot <slotnum>

partition showpolicies

lunacm:>partition showpolicies
        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 0
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 0
               10: Enable multipurpose keys : 1
               11: Enable changing key attributes : 1
               15: Allow failed challenge responses : 1
               16: Enable operation without RSA blinding : 1
               17: Enable signing with non-local keys : 1
               18: Enable raw RSA operations : 1
               20: Max failed user logins allowed : 10
               21: Enable high availability recovery : 1
               22: Enable activation : 0
               23: Enable auto-activation : 0
               25: Minimum pin length (inverted: 255 - min) : 248
               26: Maximum pin length : 255
               28: Enable Key Management Functions : 1
               29: Enable RSA signing without confirmation : 1
               31: Enable private key unmasking : 1
               32: Enable secret key unmasking : 1
               33: Enable RSA PKCS mechanism : 1
               34: Enable CBC-PAD (un)wrap keys of any size : 1
               35: Enable private key SFF backup/restore : 0
               36: Enable secret key SFF backup/restore : 0
               37: Enable Secure Trusted Channel : 1
               38: Enable  Fast-Path : 0
               39: Enable  Start/End Date Attributes : 1
 
        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
               10: Allow multipurpose keys : 1
               11: Allow changing key attributes : 1
               15: Ignore failed challenge responses : 1
               16: Operate without RSA blinding : 1
               17: Allow signing with non-local keys : 1
               18: Allow raw RSA operations : 1
               20: Max failed user logins allowed : 10
               21: Allow high availability recovery : 1
               22: Allow activation : 0
               23: Allow auto-activation : 0
               25: Minimum pin length (inverted: 255 - min) : 248
               26: Maximum pin length : 255
               28: Allow Key Management Functions : 1
               29: Perform RSA signing without confirmation : 1
               31: Allow private key unmasking : 1
               32: Allow secret key unmasking : 1
               33: Allow RSA PKCS mechanism : 1
               34: Allow CBC-PAD (un)wrap keys of any size : 1
               35: Allow private key SFF backup/restore : 0
               36: Allow secret key SFF backup/restore : 0
               37: Force Secure Trusted Channel : 0
               38: Allow Fast-Path : 0
               39: Allow Start/End Date Attributes : 0
 
 
Command Result : No Error
 

2. Log in as Partition SO.

role login -name po

3. Use the following command to change partition policy 20's value to 5:

partition changepolicy -policy 20 -value 5

lunacm:>partition changepolicy -policy 20 -value 5
 
Command Result : No Error
 

4. View the partition policies again to see the change.

partition showpolicies

lunacm:>partition showpolicies
        Partition Capabilities
                ...
                20: Max failed user logins allowed : 10
                ...
        Partition Policies
                ...
                20: Max failed user logins allowed : 5
                ...
 
 
Command Result : No Error
 

Note that Partition Capability 20: Max failed user logins allowed still has a value of 10, but the associated Policy 20: Max failed user logins allowed now has a value of 5, meaning that the Partition SO has decided that 10 bad login attempts on the partition were too many. The SO has used the Policy to impose a greater restriction than the Capability requires, increasing security on the partition.
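As an added example (not part of the original article and not Thales/SafeNet tooling), the following Python script parses a lunacm "partition showpolicies" listing and applies the rule described above before a change request is submitted: an on/off Policy can be enabled only if its Capability is enabled, and a range-valued Policy may only be lowered, never raised above the Capability value. It also decodes Policy 25, which the HSM stores inverted as 255 - min (248 in the listing above, i.e. a seven-character minimum, matching the password example earlier). The embedded listing is a constructed, abbreviated copy of the output shown in this article. Treating policy 26 (maximum PIN length) as "lower is stricter" is an assumption; the article only explains policies 20 and 25.

```python
"""Parse lunacm `partition showpolicies` output and check that a proposed
Policy change only tightens the partition relative to its Capabilities.

Added example, not SafeNet/Thales code. The sample listing below is a
constructed excerpt modelled on the output in the article."""
import re

# Constructed sample: abbreviated `partition showpolicies` output.
SAMPLE_OUTPUT = """\
lunacm:>partition showpolicies
        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 0
               20: Max failed user logins allowed : 10
               25: Minimum pin length (inverted: 255 - min) : 248
               26: Maximum pin length : 255
               37: Enable Secure Trusted Channel : 1
               39: Enable  Start/End Date Attributes : 1

        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
               20: Max failed user logins allowed : 5
               25: Minimum pin length (inverted: 255 - min) : 248
               26: Maximum pin length : 255
               37: Force Secure Trusted Channel : 0
               39: Allow Start/End Date Attributes : 0

Command Result : No Error
"""

# "<id>: <label> : <value>"; the lazy label group plus the end anchor lets a
# label that itself contains a colon (policy 25) parse correctly.
LINE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s*:\s*(\d+)\s*$")

# Range-valued policies where a lower stored value is more restrictive:
#   20: fewer failed logins tolerated before the partition is zeroized
#   25: stored as 255 - min, so a longer minimum PIN gives a smaller number
#   26: maximum PIN length (direction assumed here; not stated by the article)
LOWER_IS_STRICTER = {20, 25, 26}


def parse_showpolicies(text):
    """Return (capabilities, policies), each a dict {id: (label, value)}."""
    caps, pols = {}, {}
    target = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Partition Capabilities":
            target = caps
            continue
        if stripped == "Partition Policies":
            target = pols
            continue
        m = LINE_RE.match(line)
        if m and target is not None:
            target[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return caps, pols


def min_pin_length(policies):
    """Decode policy 25, which the HSM stores inverted as 255 - min."""
    return 255 - policies[25][1]


def change_allowed(policy_id, new_value, capabilities):
    """Apply the article's rule: a Policy can only be as or more restrictive
    than its Capability. Returns (allowed, reason)."""
    if policy_id not in capabilities:
        return False, "unknown policy id %d" % policy_id
    label, cap_value = capabilities[policy_id]
    if policy_id in LOWER_IS_STRICTER:
        if 0 <= new_value <= cap_value:
            return True, "%s: %d is within the Capability limit of %d" % (label, new_value, cap_value)
        return False, "%s: %d would exceed the Capability limit of %d" % (label, new_value, cap_value)
    # On/off policies: a disabled Capability cannot be switched on by Policy.
    if new_value not in (0, 1):
        return False, "%s: on/off policy takes 0 or 1" % label
    if cap_value == 0 and new_value == 1:
        return False, "%s: Capability is disabled, Policy cannot enable it" % label
    return True, "%s: permitted (Capability is %d)" % (label, cap_value)


def policy_overrides(capabilities, policies):
    """Policy ids whose current value departs from the factory Capability,
    i.e. where the Partition SO has applied a Policy change."""
    return sorted(pid for pid, (_, val) in policies.items()
                  if pid in capabilities and val != capabilities[pid][1])


if __name__ == "__main__":
    caps, pols = parse_showpolicies(SAMPLE_OUTPUT)
    print("minimum PIN length:", min_pin_length(pols))
    print("policies changed from Capability:", policy_overrides(caps, pols))
    for pid, val in ((20, 5), (20, 15), (1, 1), (25, 247), (25, 249)):
        print("policy %d -> %d:" % (pid, val), change_allowed(pid, val, caps))
```

Run the script against the real output of "partition showpolicies" (saved to a file and passed to parse_showpolicies) to audit which Policies differ from the Capabilities and to vet a planned "partition changepolicy" value before logging in as Partition SO.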