hsm showpolicies

Display the current settings for all HSM capabilities and policies, or optionally restrict the listing to only the policies that are configurable. Include the -exporttemplate option to export the current state of all policies to a template file.

User Privileges

Users with the following privileges can perform this command:

- Admin
- Operator
- Monitor

Syntax

hsm showpolicies [-configonly] [-exporttemplate <filename>]

Argument(s)                  Shortcut   Description
-configonly                  -c         Restrict the list to configurable policies only.
-exporttemplate <filename>   -e         Export the current state of all HSM policies to a template file. This feature requires minimum firmware version 7.1.0 and appliance software 7.1. See Version Dependencies by Feature for more information.

Example

lunash:>hsm showpolicies


   HSM Label:   myLunaHSM
   Serial #:    66331
   Firmware:    7.4.0

   The following capabilities describe this HSM, and cannot be altered
   except via firmware or capability updates.

   Description                              Value
   ===========                              =====
   Enable PIN-based authentication          Allowed
   Enable PED-based authentication          Disallowed
   Performance level                        15
   Enable domestic mechanisms & key sizes   Allowed
   Enable masking                           Disallowed
   Enable cloning                           Allowed
   Enable full (non-backup) functionality   Allowed
   Enable non-FIPS algorithms               Allowed
   Enable SO reset of partition PIN         Allowed
   Enable network replication               Allowed
   Enable Korean Algorithms                 Allowed
   FIPS evaluated                           Disallowed
   Manufacturing Token                      Disallowed
   Enable forcing user PIN change           Allowed
   Enable portable masking key              Allowed
   Enable partition groups                  Disallowed
   Enable remote PED usage                  Disallowed
   HSM non-volatile storage space           33554432
   Enable unmasking                         Allowed
   Maximum number of partitions             100
   Enable Single Domain                     Disallowed
   Enable Unified PED Key                   Disallowed
   Enable MofN                              Disallowed
   Enable small form factor backup/restore  Disallowed
   Enable Secure Trusted Channel            Allowed
   Enable decommission on tamper            Allowed
   Enable partition re-initialize           Disallowed
   Enable low level math acceleration       Allowed
   Enable Fast-Path                         Disallowed
   Allow Disabling Decommission             Allowed
   Enable Tunnel Slot                       Disallowed
   Enable Controlled Tamper Recovery        Allowed
   Enable Partition Utilization Metrics     Allowed
   Enable Functionality Modules             Allowed
   Enable SMFS Auto Activation              Allowed
   Allow Restricting FM Privilege Level     Allowed
   Allow encrypting of keys from FM to HSM  Allowed


   The following policies are set due to current configuration of
   this HSM and cannot be altered directly by the user.

   Description                              Value
   ===========                              =====
   PIN-based authentication                 True


   The following policies describe the current configuration of
   this HSM and may be changed by the HSM Administrator.

   Changing policies marked "destructive" will erase all HSM partitions
   on the HSM.

   IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase
   all partitions AND zeroize your HSM.

   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Allow network replication                On           16        No
   Force user PIN change after set/reset    On           21        No
   Allow offboard storage                   On           22        Yes
   Allow unmasking                          On           30        No
   Current maximum number of partitions     100          33        No
   Allow Secure Trusted Channel             Off          39        No
   Decommission on tamper                   Off          40        Yes
   Allow low level math acceleration        On           43        No
   Disable Decommission                     Off          46        Yes
   Do Controlled Tamper Recovery            On           48        No
   Allow Partition Utilization Metrics      Off          49        No
   Allow Functionality Modules              Off          50        Yes
   Allow SMFS Auto Activation               Off          51        Yes
   Restrict FM Privilege Level              Off          52        Yes
   Encrypt keys passing from FM to HSM      Off          53        Yes



Command Result : 0 (Success)

Example with HSM firmware >= 7.7

[sa7pwd78] lunash:>hsm showpolicies


   HSM Label:   myLunaPWD
   Serial #:    66331
   Firmware:    7.7.0

   The following capabilities describe this HSM, and cannot be altered
   except via firmware or capability updates.

   Description                              Value
   ===========                              =====
   Enable PIN-based authentication          Allowed
   Enable PED-based authentication          Disallowed
   Performance level                        15
   Enable domestic mechanisms & key sizes   Allowed
   Enable masking                           Allowed
   Enable cloning                           Allowed
   Enable full (non-backup) functionality   Allowed
   Enable non-FIPS algorithms               Allowed
   Enable SO reset of partition PIN         Allowed
   Enable network replication               Allowed
   Enable Korean Algorithms                 Disallowed
   FIPS evaluated                           Disallowed
   Manufacturing Token                      Disallowed
   Enable forcing user PIN change           Allowed
   Enable portable masking key              Allowed
   Enable partition groups                  Disallowed
   Enable remote PED usage                  Disallowed
   HSM non-volatile storage space           58720256
   Enable unmasking                         Allowed
   Maximum number of partitions             10
   Enable Single Domain                     Disallowed
   Enable Unified PED Key                   Disallowed
   Enable MofN                              Disallowed
   Enable small form factor backup/restore  Disallowed
   Enable decommission on tamper            Allowed
   Enable partition re-initialize           Disallowed
   Enable low level math acceleration       Allowed
   Enable Fast-Path                         Disallowed
   Allow Disabling Decommission             Allowed
   Enable Controlled Tamper Recovery        Allowed
   Enable Partition Utilization Metrics     Allowed
   Enable Functionality Modules             Allowed
   Enable SMFS Auto Activation              Allowed
   Allow Restricting FM Privilege Level     Allowed
   Allow encrypting of keys from FM to HSM  Allowed


   The following policies are set due to current configuration of
   this HSM and cannot be altered directly by the user.

   Description                              Value
   ===========                              =====
   PIN-based authentication                 True


   The following policies describe the current configuration of
   this HSM and may be changed by the HSM Administrator.

   Changing policies marked "destructive" will erase all HSM partitions
   on the HSM.

   IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase
   all partitions AND zeroize your HSM.

   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow masking                            On           6         Yes
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Allow network replication                On           16        No
   Force user PIN change after set/reset    On           21        No
   Allow offboard storage                   On           22        Yes
   Allow unmasking                          On           30        No
   Current maximum number of partitions     10           33        No
   Decommission on tamper                   Off          40        Yes
   Allow low level math acceleration        On           43        No
   Disable Decommission                     Off          46        Yes
   Do Controlled Tamper Recovery            On           48        No
   Allow Partition Utilization Metrics      Off          49        No
   Allow Functionality Module               Off          50        Yes
   Allow SMFS Auto Activation               Off          51        Yes
   Restrict FM Privilege Level              Off          52        Yes
   Encrypt keys passing from FM to HSM      Off          53        Yes



Command Result : 0 (Success)

NOTE   Observe that Secure Trusted Channel capability is no longer listed.

STC is enabled by default for any HSM at firmware version 7.7 or newer.

At the partition level, STC is now optional unless partition policy 37 is set to make it mandatory.
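The policy table in the output above is the natural input for a configuration-drift check: parse each row of the "may be changed by the HSM Administrator" table into its code, value and Destructive flag, compare it with a hardening baseline, and report whether correcting a drifted policy would erase the partitions. The following Python is an added example, not Thales code; the sample output and the baseline values are constructed in the layout shown on this page, and the baseline deliberately includes policy 39 to show how a policy that is absent on firmware 7.7 and later is reported.

```python
import re

# Constructed excerpt in the layout of the lunash output shown above (not a real capture).
SAMPLE_OUTPUT = """\
   HSM Label:   myLunaPWD
   Firmware:    7.7.0
   Description                              Value        Code      Destructive
   ===========                              =====        ====      ===========
   Allow cloning                            On           7         Yes
   Allow non-FIPS algorithms                On           12        Yes
   SO can reset partition PIN               Off          15        Yes
   Decommission on tamper                   Off          40        Yes
   Disable Decommission                     Off          46        Yes
   Allow Partition Utilization Metrics      Off          49        No
Command Result : 0 (Success)
"""

# One row of the configurable-policy table: description, value,
# numeric policy code and the Yes/No destructive flag.
POLICY_ROW = re.compile(
    r"^\s*(?P<desc>\S.*?)\s{2,}(?P<value>\S+)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$")

def parse_policies(output):
    """Return {code: (description, value, destructive)} for every policy row."""
    policies = {}
    for line in output.splitlines():
        m = POLICY_ROW.match(line)
        if m:
            policies[int(m["code"])] = (m["desc"], m["value"], m["destr"] == "Yes")
    return policies

def policy_drift(output, baseline):
    """Compare current values with a baseline {code: expected value}.
    Each finding is (code, description, current, expected, destructive); a policy
    missing from the output (e.g. 39 on firmware >= 7.7) is reported with None fields."""
    current = parse_policies(output)
    findings = []
    for code, expected in sorted(baseline.items()):
        if code not in current:
            findings.append((code, None, None, expected, None))
        elif current[code][1] != expected:
            desc, value, destructive = current[code]
            findings.append((code, desc, value, expected, destructive))
    return findings

# Hardening baseline (constructed for illustration): non-FIPS algorithms off, STC off,
# decommission on tamper on, decommission not disabled, utilization metrics on.
BASELINE = {12: "Off", 39: "Off", 40: "On", 46: "Off", 49: "On"}
```

Run `policy_drift(SAMPLE_OUTPUT, BASELINE)` against a captured `hsm showpolicies` transcript; every finding whose destructive flag is True needs a backup of the partitions before the policy is changed.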