Setting HSM Policies Using a Template

An HSM policy template is a file containing a set of preferred HSM policy settings, used to initialize HSMs with those settings. You can use the same file to initialize multiple HSMs, rather than changing policies manually after initialization. This can save time and effort when initializing multiple HSMs that are to function together (such as in an HA group), or must comply with your company's overall security strategy. Templates enable scalable policy management and simplify future audit and compliance requirements.

See also Setting Partition Policies Using a Template.

NOTE   This feature requires minimum firmware version 7.1.0. See Version Dependencies by Feature for more information.

You can create a policy template file from an initialized or uninitialized HSM, and edit it using a standard text editor.

HSM policy templates cannot be used to alter settings for an initialized HSM. Once an HSM has been initialized, the SO must change individual policy values manually (see Setting HSM Policies Manually).

To zeroize the HSM and revert policies to their default values, see Resetting the Luna PCIe HSM to Factory Condition.

To zeroize the HSM and keep the existing policy settings, use the following command:

lunacm:> hsm zeroize

This section provides instructions for the following procedures, and some general guidelines and restrictions:

>Creating an HSM Policy Template

>Editing an HSM Policy Template

>Applying an HSM Policy Template

Creating an HSM Policy Template

The following procedures describe how to generate an HSM policy template from the HSM. This can be done optionally at two points in the HSM setup process:

>before the HSM is initialized: this produces a template file containing the default policy settings, which can then be edited

>after initializing and setting the HSM policies manually: this produces a template file with the current HSM policy settings, which can then be used to initialize other HSMs with the same settings. The HSM SO must complete the procedure.

To create an HSM policy template

1. Launch LunaCM and set the active slot to the Admin partition. If you are creating a template from an initialized HSM, you must log in as HSM SO.

lunacm:> slot set slot <admin_slotnum>

lunacm:> role login -name so

2. Create the HSM policy template file with a unique filename. Specify the path to the location where you wish to save the template. No file extension is required. If a template file with the same name already exists in the specified directory, it is overwritten.

lunacm:> hsm showpolicies -exporttemplate <filepath/filename>

lunacm:>hsm showpolicies -templatefile /usr/safenet/lunaclient/templates/HSMPT

HSM policies for HSM: myPCIeHSM written to /usr/safenet/lunaclient/templates/HSMPT

Command Result : No Error

3. Customize the template file with a standard text editor (see Editing an HSM Policy Template).

Editing an HSM Policy Template

Use a standard text editor to manually edit HSM policy templates for custom configurations. This section provides template examples and customization guidelines.

HSM Policy Template Example

This example shows the contents of an HSM policy template created using the factory default policy settings. Use a standard text editor to change the policy values (0=OFF, 1=ON, or the desired value 0-255). You cannot edit the destructiveness of HSM policies. See HSM Capabilities and Policies for more information.

If you export a policy template from an uninitialized HSM, the Sourced from HSM header field remains blank. This field is informational and you can still apply the template.

The Policy Description field is included in the template for user readability only. Policies are verified by the number in the Policy ID field.

# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value
# Sourced from HSM: myLunaHSM, SN: 66331


6:"Allow masking":0
7:"Allow cloning":1
12:"Allow non-FIPS algorithms":1
15:"SO can reset partition PIN":0
16:"Allow network replication":1
21:"Force user PIN change after set/reset":1
22:"Allow offboard storage":1
23:"Allow partition groups":0
25:"Allow remote PED usage":0
30:"Allow unmasking":1
33:"Current maximum number of partitions":100
35:"Force Single Domain":0
36:"Allow Unified PED Key":0
37:"Allow MofN":0
38:"Allow small form factor backup/restore":0
39:"Allow Secure Trusted Channel":0
40:"Decommission on tamper":0
42:"Allow partition re-initialize":0
43:"Allow low level math acceleration":0
46:"Disable Decommission":1
47:"Allow Tunnel Slot":0
48:"Do Controlled Tamper Recovery":1

Editing Guidelines and Restrictions

When creating or editing policy templates:

>You can remove a policy from the template by adding # at the beginning of the line or deleting the line entirely. When you apply the template, the HSM will use the default value for that policy.

>You may not use invalid policy values (outside the acceptable range), or values that conflict with your HSM's capabilities. For example, HSM capability 6: Enable Masking is always Disallowed, so you cannot set the corresponding HSM policy to 1. If you attempt to initialize an HSM with a template containing invalid policy values, an error is returned and initialization fails.
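As an added example that is not part of the Luna documentation, the following Python script parses a template in the Policy ID:Policy Description:Policy Value format shown above and flags the two kinds of invalid edit the guidelines describe (a value outside 0-255, and a policy set to 1 where the corresponding capability is Disallowed) before the file is handed to hsm init. The sample template text and the DISALLOWED_ON set are constructed assumptions, not values read from an HSM.

```python
# Added example (not part of the Luna documentation): parse an HSM policy
# template and check it before applying it with "hsm init -applytemplate".
# Line format from the template header: Policy ID:Policy Description:Policy Value
# Lines starting with "#" are comments; a commented-out policy takes its default.
import re

LINE_RE = re.compile(r'^(\d+):"([^"]*)":(\d+)$')

# Constructed sample: a few factory-default entries, with policy 7 commented out
# and one invalid edit (policy 6 set to 1 although masking is always Disallowed).
SAMPLE = """\
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value
# Sourced from HSM: myLunaHSM, SN: 66331

6:"Allow masking":1
#7:"Allow cloning":1
12:"Allow non-FIPS algorithms":1
33:"Current maximum number of partitions":100
46:"Disable Decommission":1
"""

# Assumed constraint list: policy IDs whose capability is fixed at Disallowed.
DISALLOWED_ON = {6}

def parse_template(text):
    """Return {policy_id: (description, value)} for active (uncommented) lines."""
    policies = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # header, comment, or removed policy
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        policies[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return policies

def find_errors(policies):
    """List problems that would make 'hsm init -applytemplate' fail."""
    errors = []
    for pid, (desc, val) in sorted(policies.items()):
        if not 0 <= val <= 255:
            errors.append(f"policy {pid} ({desc}): value {val} outside 0-255")
        if pid in DISALLOWED_ON and val != 0:
            errors.append(f"policy {pid} ({desc}): capability is Disallowed, must be 0")
    return errors
```

Run find_errors(parse_template(open(path).read())) on an edited template; an empty list means the two checks above passed, though the HSM itself remains the final authority when the template is applied.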

Applying an HSM Policy Template

The following procedure describes how to initialize the HSM using a policy template.

To apply a policy template to a new HSM

1. Ensure that the template file is saved on the workstation hosting the destination HSM.

2. Launch LunaCM and initialize the destination HSM using the policy template file. If the template file is not in the same directory as LunaCM, include the correct filepath.

lunacm:> hsm init -label <label> -applytemplate <filepath/filename>

3. Verify that the template has been applied correctly by checking the HSM's policy settings.

lunacm:> hsm showpolicies