hsm showpolicies

Displays the HSM-level capability and policy settings for the HSM. Include the -exporttemplate option to export the current state of all HSM policies to a policy template file. All capabilities are listed; a policy is listed only if the HSM SO can change it, that is, only if the corresponding capability is not set to 0 (a capability that is 0 has no settable policy and is omitted from the HSM Policies list). For a complete list of HSM capabilities and policies, refer to HSM Capabilities and Policies.

NOTE   Some mechanisms (such as KCDSA) are not enabled unless you have purchased and installed the required Secure Capability Update package. If you require a particular mechanism, and do not see it listed when you generate a mechanism list, contact Thales Customer Support.

The hsm commands appear only when LunaCM's active slot is set to the administrative partition on a Luna PCIe HSM 7, a Luna USB HSM 7, or a Luna Backup HSM. To access the HSM-level commands on a Luna Network HSM 7, use LunaSH (see hsm).

Syntax

hsm showpolicies [-exporttemplate <filepath/filename>]

Argument(s)                          Short   Description
-exporttemplate <filepath/filename>  -et     Export the current state of all HSM policies to a policy
                                             template in the specified location. Requires Luna HSM
                                             Firmware 7.1.0 or newer and Luna HSM Client 7.1.0 or newer.

Examples

lunacm:> hsm showpolicies
        HSM Capabilities
                 0: Enable PIN-based authentication : 1
                 1: Enable PED-based authentication : 0
                 2: Performance level : 15
                 4: Enable domestic mechanisms & key sizes : 1
                 6: Enable masking : 0
                 7: Enable cloning : 1
                 9: Enable full (non-backup) functionality : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                18: FIPS evaluated : 0
                19: Manufacturing Token : 0
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 0
                27: HSM non-volatile storage space : 33554432
                30: Enable unmasking : 1
                33: Maximum number of partitions : 100
                35: Enable Single Domain : 0
                36: Enable Unified PED Key : 0
                37: Enable MofN : 0
                38: Enable small form factor backup/restore : 0
                39: Enable Secure Trusted Channel : 1
                40: Enable decommission on tamper : 1
                42: Enable partition re-initialize : 0
                43: Enable low level math acceleration : 1
                46: Allow Disabling Decommission : 1
                47: Enable Tunnel Slot : 0
                48: Enable Controlled Tamper Recovery : 1
                49: Enable Partition Utilization Metrics : 1
                50: Enable Functionality Modules : 1
                51: Enable SMFS Auto Activation : 1
                52: Enable Disabling FM Privilege Level : 1
                53: Enable FM Cipher Engine Key Encryption : 1
                56: Enable User Defined ECC Curves : 1 


        HSM Policies
                 0: PIN-based authentication : 1
                 7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 0
                16: Allow network replication : 1
                21: Force user PIN change after set/reset : 1
                22: Allow offboard storage : 1
                30: Allow unmasking : 1
                33: Current maximum number of partitions : 100
                39: Allow Secure Trusted Channel : 0
                40: Decommission on tamper : 0
                43: Allow low level math acceleration : 1
                46: Disable Decommission : 0
                48: Do Controlled Tamper Recovery : 1
                49: Allow Partition Utilization Metrics : 1
                50: Allow Functionality Modules : 1
                51: Allow SMFS Auto Activation : 0
                52: Disable FM Privilege Level : 0
                53: Do FM Cipher Engine Key Encryption : 0 
                56: Allow User Defined ECC Curves : 1 


Command Result : No Error
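The output above is plain text with a fixed "number: description : value" layout, which makes it easy to capture and audit from a script. The following is an added example (not Thales code and not part of LunaCM): it parses a captured hsm showpolicies listing into the capability and policy tables, compares the policies against a baseline, and reports drift between two captures (for example before and after a firmware update or an SO policy change). The sample text is constructed, abbreviated from the example output above, and the BASELINE values are an assumed organisational policy, not a Thales recommendation; policy 12 is the one whose value 0 places the HSM in FIPS mode.

```python
"""Parse and audit LunaCM `hsm showpolicies` output.

Added example, not Thales code. It post-processes the text LunaCM prints;
it does not talk to the HSM itself.
"""
import re
from typing import Dict, List, Optional, Tuple

# One setting line, e.g. "                12: Allow non-FIPS algorithms : 1"
_LINE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

Settings = Dict[int, Tuple[str, int]]  # number -> (description, value)

# Assumed baseline (illustrative only): policy number -> required value.
BASELINE = {
    12: 0,  # Allow non-FIPS algorithms off => HSM runs in FIPS mode
    15: 0,  # SO can reset partition PIN off
    40: 1,  # Decommission on tamper on
    46: 0,  # Disable Decommission off, i.e. decommission stays available
}

# Constructed sample, abbreviated from the page's first example output.
SAMPLE = """\
lunacm:> hsm showpolicies
        HSM Capabilities
                 0: Enable PIN-based authentication : 1
                 1: Enable PED-based authentication : 0
                 2: Performance level : 15
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                39: Enable Secure Trusted Channel : 1
                40: Enable decommission on tamper : 1
                46: Allow Disabling Decommission : 1

        HSM Policies
                 0: PIN-based authentication : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 0
                39: Allow Secure Trusted Channel : 0
                40: Decommission on tamper : 0
                46: Disable Decommission : 0

Command Result : No Error
"""

# Constructed second capture: same HSM after the SO switched policy 12 off.
SAMPLE_AFTER = SAMPLE.replace("12: Allow non-FIPS algorithms : 1",
                              "12: Allow non-FIPS algorithms : 0")


def parse_showpolicies(text: str) -> Tuple[Settings, Settings]:
    """Return (capabilities, policies) from raw `hsm showpolicies` output.

    Sections are introduced by the "HSM Capabilities" and "HSM Policies"
    headings; the prompt, banner and "Command Result" line are ignored
    because they do not match the setting-line pattern.
    """
    capabilities: Settings = {}
    policies: Settings = {}
    current: Optional[Settings] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "HSM Capabilities":
            current = capabilities
            continue
        if heading == "HSM Policies":
            current = policies
            continue
        m = _LINE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return capabilities, policies


def check_baseline(policies: Settings, baseline=BASELINE) -> List[tuple]:
    """Return (number, description, actual, expected) for every deviation.

    A baseline policy that is absent from the output is reported with
    actual=None: its capability is 0, so the SO cannot set it on this HSM.
    """
    findings = []
    for num, expected in sorted(baseline.items()):
        if num not in policies:
            findings.append((num, "<not settable on this HSM>", None, expected))
        elif policies[num][1] != expected:
            desc, actual = policies[num]
            findings.append((num, desc, actual, expected))
    return findings


def diff_policies(old: Settings, new: Settings) -> Dict[int, tuple]:
    """Return {number: (old_value, new_value)} for policies whose value
    changed or that appeared/disappeared between two captures."""
    changes = {}
    for num in sorted(set(old) | set(new)):
        o = old[num][1] if num in old else None
        n = new[num][1] if num in new else None
        if o != n:
            changes[num] = (o, n)
    return changes


if __name__ == "__main__":
    caps, pols = parse_showpolicies(SAMPLE)
    print(f"{len(caps)} capabilities, {len(pols)} settable policies")
    for num, desc, actual, expected in check_baseline(pols):
        print(f"policy {num} ({desc}): is {actual}, baseline requires {expected}")
    _, after = parse_showpolicies(SAMPLE_AFTER)
    print("drift:", diff_policies(pols, after))
```

In practice the input comes from a captured LunaCM session or from the file written with -exporttemplate, and check_baseline is run as part of change control so that a policy such as 12 being flipped back to 1 is caught rather than discovered at audit time.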

Example with HSM firmware >= 7.7.0 and Client >= 10.3.0

lunacm (64-bit) v10.3.0. Copyright (c) 2020 SafeNet. All rights reserved.

lunacm:>hsm sp
        HSM Capabilities
                 0: Enable PIN-based authentication : 1
                 1: Enable PED-based authentication : 0
                 2: Performance level : 15
                 4: Enable domestic mechanisms & key sizes : 1
                 6: Enable masking : 1
                 7: Enable cloning : 1
                 9: Enable full (non-backup) functionality : 1
                12: Enable non-FIPS algorithms : 1
                15: Enable SO reset of partition PIN : 1
                16: Enable network replication : 1
                17: Enable Korean Algorithms : 0
                19: Manufacturing Token : 0
                21: Enable forcing user PIN change : 1
                22: Enable offboard storage : 1
                23: Enable partition groups : 0
                25: Enable remote PED usage : 0
                27: HSM non-volatile storage space : 67108864
                30: Enable unmasking : 1
                33: Maximum number of partitions : 20
                35: Enable Single Domain : 0
                36: Enable Unified PED Key : 0
                37: Enable MofN : 0
                38: Enable small form factor backup/restore : 0
                40: Enable decommission on tamper : 1
                42: Enable partition re-initialize : 0
                43: Enable low level math acceleration : 1
                46: Allow Disabling Decommission : 1
                48: Enable Controlled Tamper Recovery : 1
                49: Enable Partition Utilization Metrics : 1
                50: Enable Functionality Modules : 0
                51: Enable SMFS Auto Activation : 0
                52: Allow Restricting FM Privilege Level : 0
                53: Allow encrypting of keys from FM to HSM : 0

        HSM Policies
                 0: PIN-based authentication : 1
                 6: Allow masking : 1
                 7: Allow cloning : 1
                12: Allow non-FIPS algorithms : 1
                15: SO can reset partition PIN : 0
                16: Allow network replication : 1
                21: Force user PIN change after set/reset : 1
                22: Allow offboard storage : 1
                30: Allow unmasking : 1
                33: Current maximum number of partitions : 20
                40: Decommission on tamper : 0
                43: Allow low level math acceleration : 1
                46: Disable Decommission : 0
                48: Do Controlled Tamper Recovery : 1
                49: Allow Partition Utilization Metrics : 1


Command Result : No Error