hsm showpolicies
Displays the HSM-level capability and policy settings for the HSM. Include the -exporttemplate option to export the current state of all HSM policies to a policy template. Only policies that the HSM SO can change (the corresponding capability is not set to 0) are included in the output. For a complete list of HSM capabilities and policies, refer to HSM Capabilities and Policies.
NOTE Some mechanisms (such as KCDSA) are not enabled unless you have purchased and installed the required Secure Capability Update package. If you require a particular mechanism, and do not see it listed when you generate a mechanism list, contact Thales Customer Support.
The hsm commands appear only when LunaCM's active slot is set to the administrative partition
Syntax
hsm showpolicies [-exporttemplate <filepath/filename>]
Argument(s) | Short | Description |
---|---|---|
-exporttemplate <filepath/filename> | -et |
Export the current state of all HSM policies to a policy template in the specified location. |
Examples
lunacm:> hsm showpolicies HSM Capabilities 0: Enable PIN-based authentication : 1 1: Enable PED-based authentication : 0 2: Performance level : 15 4: Enable domestic mechanisms & key sizes : 1 6: Enable masking : 0 7: Enable cloning : 1 9: Enable full (non-backup) functionality : 1 12: Enable non-FIPS algorithms : 1 15: Enable SO reset of partition PIN : 1 16: Enable network replication : 1 17: Enable Korean Algorithms : 0 18: FIPS evaluated : 0 19: Manufacturing Token : 0 21: Enable forcing user PIN change : 1 22: Enable offboard storage : 1 23: Enable partition groups : 0 25: Enable remote PED usage : 0 27: HSM non-volatile storage space : 33554432 30: Enable unmasking : 1 33: Maximum number of partitions : 100 35: Enable Single Domain : 0 36: Enable Unified PED Key : 0 37: Enable MofN : 0 38: Enable small form factor backup/restore : 0 39: Enable Secure Trusted Channel : 1 40: Enable decommission on tamper : 1 42: Enable partition re-initialize : 0 43: Enable low level math acceleration : 1 46: Allow Disabling Decommission : 1 47: Enable Tunnel Slot : 0 48: Enable Controlled Tamper Recovery : 1 49: Enable Partition Utilization Metrics : 1 50: Enable Functionality Modules : 1 51: Enable SMFS Auto Activation : 1 52: Enable Disabling FM Privilege Level : 1 53: Enable FM Cipher Engine Key Encryption : 1 56: Enable User Defined ECC Curves : 1 HSM Policies 0: PIN-based authentication : 1 7: Allow cloning : 1 12: Allow non-FIPS algorithms : 1 15: SO can reset partition PIN : 0 16: Allow network replication : 1 21: Force user PIN change after set/reset : 1 22: Allow offboard storage : 1 30: Allow unmasking : 1 33: Current maximum number of partitions : 100 39: Allow Secure Trusted Channel : 0 40: Decommission on tamper : 0 43: Allow low level math acceleration : 1 46: Disable Decommission : 0 48: Do Controlled Tamper Recovery : 1 49: Allow Partition Utilization Metrics : 1 50: Allow Functionality Modules : 1 51: Allow SMFS Auto Activation : 0 52: Disable FM Privilege Level : 0 53: Do FM Cipher Engine Key Encryption : 0 56: Allow User Defined ECC Curves : 1 Command Result : No Error
Example with HSM firmware >= 7.7.0 and Client >= 10.3.0
lunacm (64-bit) v10.3.0. Copyright (c) 2020 SafeNet. All rights reserved. lunacm:>hsm sp HSM Capabilities 0: Enable PIN-based authentication : 1 1: Enable PED-based authentication : 0 2: Performance level : 15 4: Enable domestic mechanisms & key sizes : 1 6: Enable masking : 1 7: Enable cloning : 1 9: Enable full (non-backup) functionality : 1 12: Enable non-FIPS algorithms : 1 15: Enable SO reset of partition PIN : 1 16: Enable network replication : 1 17: Enable Korean Algorithms : 0 19: Manufacturing Token : 0 21: Enable forcing user PIN change : 1 22: Enable offboard storage : 1 23: Enable partition groups : 0 25: Enable remote PED usage : 0 27: HSM non-volatile storage space : 67108864 30: Enable unmasking : 1 33: Maximum number of partitions : 20 35: Enable Single Domain : 0 36: Enable Unified PED Key : 0 37: Enable MofN : 0 38: Enable small form factor backup/restore : 0 40: Enable decommission on tamper : 1 42: Enable partition re-initialize : 0 43: Enable low level math acceleration : 1 46: Allow Disabling Decommission : 1 48: Enable Controlled Tamper Recovery : 1 49: Enable Partition Utilization Metrics : 1 50: Enable Functionality Modules : 0 51: Enable SMFS Auto Activation : 0 52: Allow Restricting FM Privilege Level : 0 53: Allow encrypting of keys from FM to HSM : 0 HSM Policies 0: PIN-based authentication : 1 6: Allow masking : 1 7: Allow cloning : 1 12: Allow non-FIPS algorithms : 1 15: SO can reset partition PIN : 0 16: Allow network replication : 1 21: Force user PIN change after set/reset : 1 22: Allow offboard storage : 1 30: Allow unmasking : 1 33: Current maximum number of partitions : 20 40: Decommission on tamper : 0 43: Allow low level math acceleration : 1 46: Disable Decommission : 0 48: Do Controlled Tamper Recovery : 1 49: Allow Partition Utilization Metrics : 1 Command Result : No Error