partition showpolicies
Displays the partition-level capability and policy settings for the indicated user/application partition, including whether the policy is destructive when it is enabled or disabled (verbose mode). Only policies that the Partition SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to export the current state of all partition policies to a partition policy template (PPT).
To export HSM-wide policies from network-connected HSMs, use the LunaSH command hsm showPolicies with the -exporttemplate option.
Multiple sessions and policy changes
If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change is reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.
Syntax
partition showpolicies [-slot <slot>] [-verbose] [-exporttemplate <filepath/filename>]
Argument(s) | Short | Description |
---|---|---|
-exporttemplate <filepath/filename> | -et |
Export the current state of all partition policies to a policy template in the specified location. NOTE If there is a mismatch between template policies and the default values of newer or dependent policies, then the attempt to apply the old policy would fail with CKR_FAILED_DEPENDENCIES. You have the option to edit a policy file before applying it, to add newer policies. |
-slot <slot> |
-s | Specifies the slot number for which to display partition policy settings. If no slot is specified, the policies for the currently-active slot are displayed. |
-verbose | -v | Include information that specifies whether the policy is destructive when enabled/disabled. |
Examples
With -exporttemplate specified
lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT Command Result : No Error
Normal mode (pre-firmware 7.7.0)
lunacm:> partition showpolicies Partition Capabilities 0: Enable private key cloning : 1 1: Enable private key wrapping : 1 2: Enable private key unwrapping : 1 3: Enable private key masking : 0 4: Enable secret key cloning : 1 5: Enable secret key wrapping : 1 6: Enable secret key unwrapping : 1 7: Enable secret key masking : 0 10: Enable multipurpose keys : 1 11: Enable changing key attributes : 1 15: Allow failed challenge responses : 1 16: Enable operation without RSA blinding : 1 17: Enable signing with non-local keys : 1 18: Enable raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Enable high availability recovery : 1 22: Enable activation : 1 23: Enable auto-activation : 1 25: Minimum pin length (inverted: 255 - min) : 248 26: Maximum pin length : 255 28: Enable Key Management Functions : 1 29: Enable RSA signing without confirmation : 1 31: Enable private key unmasking : 1 32: Enable secret key unmasking : 1 33: Enable RSA PKCS mechanism : 1 34: Enable CBC-PAD (un)wrap keys of any size : 1 37: Enable Secure Trusted Channel : 1 39: Enable Start/End Date Attributes : 1 Partition Policies 0: Allow private key cloning : 1 1: Allow private key wrapping : 0 2: Allow private key unwrapping : 1 4: Allow secret key cloning : 1 5: Allow secret key wrapping : 1 6: Allow secret key unwrapping : 1 10: Allow multipurpose keys : 1 11: Allow changing key attributes : 1 15: Ignore failed challenge responses : 1 16: Operate without RSA blinding : 1 17: Allow signing with non-local keys : 1 18: Allow raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Allow high availability recovery : 1 22: Allow activation : 0 23: Allow auto-activation : 0 25: Minimum pin length (inverted: 255 - min) : 248 26: Maximum pin length : 255 28: Allow Key Management Functions : 1 29: Perform RSA signing without confirmation : 1 31: Allow private key unmasking : 1 32: Allow secret key unmasking : 1 33: Allow RSA PKCS mechanism : 1 34: Allow CBC-PAD (un)wrap keys of any size : 1 37: Force Secure Trusted Channel : 0 39: Allow Start/End Date Attributes : 0 Command Result : No Error
For Luna HSM Firmware 7.7.0 and newer, when viewed from an up-to-date Client, the command shows the newer Capabilities and Policies as well as the status of pre-existing policies that have new default settings like policies 3, 7, 31, and 32 for example, regardless of partition V0 or V1 status. However, older clients cannot see newer policies to display them. Newer clients show capabilities and policies for firmware <7.7.0 partitions as the older firmware presents them.
Verbose mode (pre-firmware 7.7.0)
lunacm:> partition showpolicies -verbose Partition Capabilities 0: Enable private key cloning : 1 1: Enable private key wrapping : 1 2: Enable private key unwrapping : 1 3: Enable private key masking : 0 4: Enable secret key cloning : 1 5: Enable secret key wrapping : 1 6: Enable secret key unwrapping : 1 7: Enable secret key masking : 0 10: Enable multipurpose keys : 1 11: Enable changing key attributes : 1 15: Allow failed challenge responses : 1 16: Enable operation without RSA blinding : 1 17: Enable signing with non-local keys : 1 18: Enable raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Enable high availability recovery : 1 22: Enable activation : 1 23: Enable auto-activation : 1 25: Minimum pin length (inverted: 255 - min) : 248 26: Maximum pin length : 255 28: Enable Key Management Functions : 1 29: Enable RSA signing without confirmation : 1 31: Enable private key unmasking : 1 32: Enable secret key unmasking : 1 33: Enable RSA PKCS mechanism : 1 34: Enable CBC-PAD (un)wrap keys of any size : 1 37: Enable Secure Trusted Channel : 1 39: Enable Start/End Date Attributes : 1 Partition Policies Destructive Code Description Value Off-To-On On-To-Off ______________________________________________________________________________ 0 Allow private key cloning On Yes No 1 Allow private key wrapping Off Yes No 2 Allow private key unwrapping On No No 4 Allow secret key cloning On Yes No 5 Allow secret key wrapping On Yes No 6 Allow secret key unwrapping On No No 10 Allow multipurpose keys On Yes No 11 Allow changing key attributes On Yes No 15 Ignore failed challenge responses On Yes No 16 Operate without RSA blinding On Yes No 17 Allow signing with non-local keys On No No 18 Allow raw RSA operations On Yes No 20 Max failed user logins allowed 10 N/A N/A 21 Allow high availability recovery On No No 22 Allow activation Off No No 23 Allow auto-activation Off No No 25 Minimum pin length (inverted: 255 - min) 248 N/A N/A 26 Maximum pin length 255 N/A N/A 28 Allow Key Management Functions On Yes No 29 Perform RSA signing without confirmation On Yes No 31 Allow private key unmasking On No No 32 Allow secret key unmasking On No No 33 Allow RSA PKCS mechanism On Yes No 34 Allow CBC-PAD (un)wrap keys of any size On Yes No 37 Force Secure Trusted Channel Off No Yes 39 Allow Start/End Date Attributes Off No Yes Command Result : No Error
V0 Partition Example
lunacm:> partition showpolicies -verbose Partition Capabilities 0: Enable private key cloning : 1 1: Enable private key wrapping : 1 2: Enable private key unwrapping : 1 3: Enable private key masking : 1 4: Enable secret key cloning : 1 5: Enable secret key wrapping : 1 6: Enable secret key unwrapping : 1 7: Enable secret key masking : 1 9: Enable DigestKey : 1 10: Enable multipurpose keys : 1 11: Enable changing key attributes : 1 15: Allow failed challenge responses : 1 16: Enable operation without RSA blinding : 1 17: Enable signing with non-local keys : 1 18: Enable raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Enable high availability recovery : 1 22: Enable activation : 0 23: Enable auto-activation : 0 25: Minimum pin length (inverted: 255 - min) : 248 26: Maximum pin length : 255 28: Enable Key Management Functions : 1 29: Enable RSA signing without confirmation : 1 31: Enable private key unmasking : 1 32: Enable secret key unmasking : 1 33: Enable RSA PKCS mechanism : 1 34: Enable CBC-PAD (un)wrap keys of any size : 1 37: Enable enforcing Secure Trusted Channel : 1 39: Enable Start/End Date Attributes : 1 40: Enable Per-Key Authorization Data : 1 41: Enable Partition Version : 1 Partition Policies Destructive Code Description Value Off-To-On On-To-Off _____________________________________________________________________________ 0 Allow private key cloning On Yes No 1 Allow private key wrapping Off Yes No 2 Allow private key unwrapping On No No 3 Allow private key masking Off Yes No 4 Allow secret key cloning On Yes No 5 Allow secret key wrapping On Yes No 6 Allow secret key unwrapping On No No 7 Allow secret key masking Off Yes No 9 Allow DigestKey Off Yes No 10 Allow multipurpose keys On Yes No 11 Allow changing key attributes On Yes No 15 Ignore failed challenge responses On Yes No 16 Operate without RSA blinding On Yes No 17 Allow signing with non-local keys On No No 18 Allow raw RSA operations On Yes No 20 Max failed user logins allowed 10 N/A N/A 21 Allow high availability recovery On No No 25 Minimum pin length (inverted: 255 - min) 248 N/A N/A 26 Maximum pin length 255 N/A N/A 28 Allow Key Management Functions On Yes No 29 Perform RSA signing without confirmation On Yes No 31 Allow private key unmasking Off No No 32 Allow secret key unmasking Off No No 33 Allow RSA PKCS mechanism On Yes No 34 Allow CBC-PAD (un)wrap keys of any size On Yes No 37 Force Secure Trusted Channel Off No Yes 39 Allow Start/End Date Attributes Off No Yes 40 Require Per-Key Authorization Data Off Yes Yes 41 Partition Version 0 No Yes Command Result : No Error
V1 Partition Example
lunacm:> partition showpolicies -verbose Partition Capabilities 0: Enable private key cloning : 1 1: Enable private key wrapping : 1 2: Enable private key unwrapping : 1 3: Enable private key masking : 1 4: Enable secret key cloning : 1 5: Enable secret key wrapping : 1 6: Enable secret key unwrapping : 1 7: Enable secret key masking : 1 10: Enable multipurpose keys : 1 11: Enable changing key attributes : 1 15: Allow failed challenge responses : 1 16: Enable operation without RSA blinding : 1 17: Enable signing with non-local keys : 1 18: Enable raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Enable high availability recovery : 1 22: Enable activation : 0 23: Enable auto-activation : 0 25: Minimum pin length (inverted: 255 - min) : 247 26: Maximum pin length : 255 28: Enable Key Management Functions : 1 29: Enable RSA signing without confirmation : 1 31: Enable private key unmasking : 1 32: Enable secret key unmasking : 1 33: Enable RSA PKCS mechanism : 1 34: Enable CBC-PAD (un)wrap keys of any size : 1 37: Enable enforcing Secure Trusted Channel : 1 39: Enable Start/End Date Attributes : 1 40: Enable Per-Key Authorization Data : 1 41: Enable Partition Version : 1 42: Enable CPv1 : 1 43: Enable non-FIPS algorithms : 1 Partition Policies Destructive Code Description Value Off-To-On On-To-Off _____________________________________________________________________________ 0 Allow private key cloning On Yes No 1 Allow private key wrapping Off Yes No 2 Allow private key unwrapping On No No 3 Allow private key masking On Yes No 4 Allow secret key cloning On Yes No 5 Allow secret key wrapping On Yes No 6 Allow secret key unwrapping On No No 7 Allow secret key masking On Yes No 10 Allow multipurpose keys On Yes No 11 Allow changing key attributes On Yes No 15 Ignore failed challenge responses On Yes No 16 Operate without RSA blinding On Yes No 17 Allow signing with non-local keys On No No 18 Allow raw RSA operations On Yes No 20 Max failed user logins allowed 10 N/A N/A 21 Allow high availability recovery On No No 25 Minimum pin length (inverted: 255 - min) 248 N/A N/A 26 Maximum pin length 255 N/A N/A 28 Allow Key Management Functions On Yes No 29 Perform RSA signing without confirmation On Yes No 31 Allow private key unmasking On No No 32 Allow secret key unmasking On No No 33 Allow RSA PKCS mechanism On Yes No 34 Allow CBC-PAD (un)wrap keys of any size On Yes No 37 Force Secure Trusted Channel Off No Yes 39 Allow Start/End Date Attributes Off No Yes 40 Require Per-Key Authorization Data On Yes Yes 41 Partition Version 1 No Yes 42: Allow CPv1 1 Yes No 43: Allow non-FIPS algorithms : 1 Yes No Command Result : No Error
Firmware 7.8.0
lunacm:> partition showpolicies Partition Capabilities 0: Enable private key cloning : 1 1: Enable private key wrapping : 1 2: Enable private key unwrapping : 1 3: Enable private key masking : 1 4: Enable secret key cloning : 1 5: Enable secret key wrapping : 1 6: Enable secret key unwrapping : 1 7: Enable secret key masking : 1 10: Enable multipurpose keys : 1 11: Enable changing key attributes : 1 15: Allow failed challenge responses : 1 16: Enable operation without RSA blinding : 1 17: Enable signing with non-local keys : 1 18: Enable raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Enable high availability recovery : 1 22: Enable activation : 0 23: Enable auto-activation : 0 25: Minimum pin length (inverted: 255 - min) : 247 26: Maximum pin length : 255 28: Enable Key Management Functions : 1 29: Enable RSA signing without confirmation : 1 31: Enable private key unmasking : 1 32: Enable secret key unmasking : 1 33: Enable RSA PKCS mechanism : 1 34: Enable CBC-PAD (un)wrap keys of any size : 1 37: Enable enforcing Secure Trusted Channel : 1 39: Enable Start/End Date Attributes : 1 40: Enable Per-Key Authorization Data : 1 41: Enable Partition Version : 1 42: Enable CPv1 : 1 43: Enable non-FIPS algorithms : 1 44: Enable Extended Domain Management : 1 Partition Policies 0: Allow private key cloning : 1 1: Allow private key wrapping : 0 2: Allow private key unwrapping : 1 3: Allow private key masking : 0 4: Allow secret key cloning : 1 5: Allow secret key wrapping : 1 6: Allow secret key unwrapping : 1 7: Allow secret key masking : 0 10: Allow multipurpose keys : 1 11: Allow changing key attributes : 1 15: Ignore failed challenge responses : 1 16: Operate without RSA blinding : 1 17: Allow signing with non-local keys : 1 18: Allow raw RSA operations : 1 20: Max failed user logins allowed : 10 21: Allow high availability recovery : 1 25: Minimum pin length (inverted: 255 - min) : 247 26: Maximum pin length : 255 28: Allow Key Management Functions : 1 29: Perform RSA signing without confirmation : 1 31: Allow private key unmasking : 0 32: Allow secret key unmasking : 0 33: Allow RSA PKCS mechanism : 1 34: Allow CBC-PAD (un)wrap keys of any size : 1 37: Force Secure Trusted Channel : 0 39: Allow Start/End Date Attributes : 0 40: Require Per-Key Authorization Data : 0 41: Partition Version : 0 42: Allow CPv1 : 1 43: Allow non-FIPS algorithms : 1 44: Allow Extended Domain Management : 0 Command Result : No Error