Setting Partition Policies Manually

The Partition Security Officer can change available policies to customize partition functionality. Policy settings apply to all roles/objects on the partition. Refer to Partition Capabilities and Policies for a complete list of partition policies and their effects.

In most cases, partition policies are either enabled (1) or disabled (0), but some allow a range of values.

To change multiple policy settings during partition initialization, see Setting Partition Policies Using a Template.

See also Configuring the Partition for Cloning or Export of Private/Secret Keys.

Prerequisites

> The partition must be initialized (see Initializing an Application Partition).

> If you are changing a destructive policy, back up any important cryptographic objects (see Partition Backup and Restore).

To manually set or change a partition policy using LunaCM on the Luna HSM Client

1. Launch LunaCM and set the active slot to the partition.

lunacm:> slot set -slot <slotnum>

2. [Optional] Display the existing partition policy settings.

lunacm:> partition showpolicies

3. Log in as Partition SO (see Logging In to the Application Partition).

lunacm:> role login -name po

4. Change the policy setting by specifying the policy number and the desired value (0, 1, or a number in the accepted range for that policy). You can specify multiple policy changes in the same command by using comma-separated lists (for example, -policy 33,37,40 -value 0,1,1).

lunacm:> partition changepolicy -policy <policy_ID> -value <value>

If you are changing a destructive policy, you are prompted to enter proceed to continue the operation.

NOTE   If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the new policy setting is visible in that session only (although it is in effect). You must exit and restart the other LunaCM sessions to display the new policy setting.
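The comma-separated form in step 4 pairs the -policy and -value lists by position, so a mismatched or out-of-range entry is easy to introduce when several policies are changed at once. The following added example (not Thales code) assembles and sanity-checks a changepolicy line before it is typed into LunaCM; the policy numbers, value ranges and "destructive" flags in its catalogue are constructed placeholders, not the real Luna policy table.

```python
"""Validate and assemble a LunaCM 'partition changepolicy' line.
Added example, not Thales code. Policy numbers, ranges and destructive
flags below are CONSTRUCTED; take the real ones from your HSM's docs."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySpec:
    max_value: int = 1         # 0/1 for most policies, larger for ranged ones
    destructive: bool = False  # destructive changes destroy partition objects

# Constructed catalogue (assumption), not the real Luna policy table.
CATALOG = {
    33: PolicySpec(),
    37: PolicySpec(),
    40: PolicySpec(destructive=True),
    45: PolicySpec(max_value=255),
}

def validate_changes(changes, catalog=CATALOG):
    """Return sorted (policy, value) pairs or raise ValueError."""
    pairs = []
    for policy, value in changes.items():
        spec = catalog.get(policy)
        if spec is None:
            raise ValueError(f"unknown policy {policy}")
        if not 0 <= value <= spec.max_value:
            raise ValueError(f"policy {policy}: {value} outside 0..{spec.max_value}")
        pairs.append((policy, value))
    return sorted(pairs)

def build_command(changes, backup_done=False, catalog=CATALOG):
    """Emit one changepolicy line; refuse destructive changes without a backup."""
    pairs = validate_changes(changes, catalog)
    if not backup_done and any(catalog[p].destructive for p, _ in pairs):
        raise RuntimeError("destructive policy change: back up the partition first")
    policies = ",".join(str(p) for p, _ in pairs)
    values = ",".join(str(v) for _, v in pairs)
    return f"partition changepolicy -policy {policies} -value {values}"

def parse_changepolicy(line):
    """Parse a changepolicy line into {policy: value}. The -policy and -value
    lists pair by position, so unequal lengths are rejected."""
    tokens = line.split()
    policies = tokens[tokens.index("-policy") + 1].split(",")
    values = tokens[tokens.index("-value") + 1].split(",")
    if len(policies) != len(values):
        raise ValueError("-policy and -value lists must have the same length")
    return {int(p): int(v) for p, v in zip(policies, values)}
```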

To manually set or change a partition policy using LunaSH on the Luna Appliance Software

1. Log in to LunaSH as admin or operator, or a custom user with access to the next command (see Logging In to LunaSH).

2. Change the policy setting by specifying the partition, policy number, the desired value (0, 1, or a number in the accepted range for that policy), and the Partition SO password (for multifactor quorum-authenticated partitions, the Luna PED prompts for the Partition SO credential).

lunash:> partition changePolicy -partition <name> -policy <policy#> -value <value> -psopin <PSO_password>

NOTE   This command requires Luna Appliance Software 7.8.1 or newer. It cannot be used on STC partitions; the Partition SO must use LunaCM at the client for partition management.