Setting HSM Policies Manually

The HSM SO can change available policies to customize HSM functionality. Some policies apply to all partitions on the HSM; others enable the Partition SO to customize functionality at the partition level. Refer to HSM Capabilities and Policies for a complete list of HSM policies and their effects.

In most cases, HSM policies are either enabled (1) or disabled (0), but some allow a range of values.

To change multiple policy settings during HSM initialization, see Setting HSM Policies Using a Template.

Prerequisites

- The HSM must be initialized (see Initializing the Luna USB HSM 7).

- If you are changing a destructive policy and partitions exist on the HSM, back up any important cryptographic objects (see Partition Backup and Restore).

To manually set or change an HSM policy

1. Launch LunaCM and set the active slot to the HSM Admin partition.

lunacm:> slot set -slot <slotnum>

2. [Optional] Display the existing HSM policy settings.

lunacm:> hsm showpolicies

3. Log in as HSM SO (see Logging In as HSM Security Officer).

lunacm:> role login -name so

4. Change the policy setting by specifying the policy number and the desired value (0, 1, or a number in the accepted range for that policy).

lunacm:> hsm changehsmpolicy -policy <policy_ID> -value <value>

If you are changing a destructive policy, you are prompted to enter "proceed" to continue the operation.
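The following added example (not part of the original page and not Thales code) compares saved `hsm showpolicies` output against an approved baseline and lists the `hsm changehsmpolicy` commands the HSM SO would need to run. The output layout, the section headers, the policy IDs and descriptions, and the baseline values are all assumptions or constructed placeholders.

```python
import re

# Assumed line layout "<id>: <description> : <value>"; adjust to your output.
POLICY_LINE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

# Constructed sample; IDs and descriptions are placeholders, not real policies.
SAMPLE_OUTPUT = """\
HSM Capabilities
    101: Placeholder capability A : 1
HSM Policies
    101: Placeholder policy A : 1
    102: Placeholder policy B : 0
    103: Placeholder policy C (ranged) : 10
"""

# Hypothetical approved baseline: policy ID -> required value.
BASELINE = {101: 0, 102: 0, 103: 10, 104: 1}


def parse_policies(text):
    """Return {policy_id: value} from the 'HSM Policies' section only."""
    policies, in_policies = {}, False
    for line in text.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith("hsm "):
            # Assumed section headers: ignore everything outside "HSM Policies".
            in_policies = stripped == "hsm policies"
            continue
        match = POLICY_LINE.match(line)
        if in_policies and match:
            policies[int(match.group(1))] = int(match.group(3))
    return policies


def plan_changes(current, baseline):
    """Return (commands, missing): commands to fix drift, IDs not reported."""
    commands, missing = [], []
    for policy_id, wanted in sorted(baseline.items()):
        if policy_id not in current:
            missing.append(policy_id)
        elif current[policy_id] != wanted:
            commands.append(
                f"hsm changehsmpolicy -policy {policy_id} -value {wanted}")
    return commands, missing


if __name__ == "__main__":
    commands, missing = plan_changes(parse_policies(SAMPLE_OUTPUT), BASELINE)
    for command in commands:
        print("lunacm:>", command)
    for policy_id in missing:
        print(f"policy {policy_id} not reported by this HSM; review baseline")
```

Treat the printed commands as a plan for review rather than something to run unattended, because a destructive policy change prompts for confirmation and requires the backup described in the prerequisites.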