partition showpolicies

Displays the partition-level capability and policy settings for the indicated user/application partition, including whether the policy is destructive when it is enabled or disabled (verbose mode). Only policies that the Partition SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to export the current state of all partition policies to a partition policy template (PPT).

Policy template export is supported for application partitions only

The partition showpolicies -exporttemplate function is not supported for HSM admin partitions.

To export HSM-wide policies from HSMs connected locally to the HSM host, use the command hsm showpolicies with the -exporttemplate option.

Multiple sessions and policy changes

If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change is reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.

Syntax

partition showpolicies [-slot <slot>] [-verbose] [-exporttemplate <filepath/filename>]

Argument(s) Short Description
-exporttemplate <filepath/filename> -et

Export the current state of all partition policies to a policy template in the specified location.

NOTE   If there is a mismatch between template policies and the default values of newer or dependent policies, then the attempt to apply the old policy would fail with CKR_FAILED_DEPENDENCIES.

You have the option to edit a policy file before applying it, to add newer policies.

-slot <slot>

-s Specifies the slot number for which to display partition policy settings. If no slot is specified, the policies for the currently-active slot are displayed.
-verbose -v Include information that specifies whether the policy is destructive when enabled/disabled.

Examples

With -exporttemplate specified

lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT

Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT

Command Result : No Error

Normal mode (pre-firmware 7.7.0)

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable Secure Trusted Channel : 1
                39: Enable  Start/End Date Attributes : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                22: Allow activation : 0
                23: Allow auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                31: Allow private key unmasking : 1
                32: Allow secret key unmasking : 1
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                37: Force Secure Trusted Channel : 0
                39: Allow Start/End Date Attributes : 0

Command Result : No Error

For Luna HSM Firmware 7.7.0 and newer, when viewed from an up-to-date Client, the command shows the newer Capabilities and Policies as well as the status of pre-existing policies that have new default settings like policies 3, 7, 31, and 32 for example, regardless of partition V0 or V1 status. However, older clients cannot see newer policies to display them. Newer clients show capabilities and policies for firmware <7.7.0 partitions as the older firmware presents them.

Verbose mode (pre-firmware 7.7.0)

lunacm:> partition showpolicies -verbose
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 0
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 0
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 1
                23: Enable auto-activation : 1
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable Secure Trusted Channel : 1
                39: Enable  Start/End Date Attributes : 1

Partition Policies
                                                              Destructive
 Code Description                                   Value Off-To-On On-To-Off
______________________________________________________________________________

  0   Allow private key cloning                      On      Yes       No
  1   Allow private key wrapping                     Off     Yes       No
  2   Allow private key unwrapping                   On      No        No
  4   Allow secret key cloning                       On      Yes       No
  5   Allow secret key wrapping                      On      Yes       No
  6   Allow secret key unwrapping                    On      No        No
  10  Allow multipurpose keys                        On      Yes       No
  11  Allow changing key attributes                  On      Yes       No
  15  Ignore failed challenge responses              On      Yes       No
  16  Operate without RSA blinding                   On      Yes       No
  17  Allow signing with non-local keys              On      No        No
  18  Allow raw RSA operations                       On      Yes       No
  20  Max failed user logins allowed                 10      N/A       N/A
  21  Allow high availability recovery               On      No        No
  22  Allow activation                               Off     No        No
  23  Allow auto-activation                          Off     No        No
  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
  26  Maximum pin length                             255     N/A       N/A
  28  Allow Key Management Functions                 On      Yes       No
  29  Perform RSA signing without confirmation       On      Yes       No
  31  Allow private key unmasking                    On      No        No
  32  Allow secret key unmasking                     On      No        No
  33  Allow RSA PKCS mechanism                       On      Yes       No
  34  Allow CBC-PAD (un)wrap keys of any size        On      Yes       No
  37  Force Secure Trusted Channel                   Off     No        Yes
  39  Allow Start/End Date Attributes                Off     No        Yes

Command Result : No Error

V0 Partition Example

lunacm:> partition showpolicies -verbose
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 1
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 1
                 9: Enable DigestKey : 1 
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 248
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable enforcing Secure Trusted Channel : 1
                39: Enable Start/End Date Attributes : 1
                40: Enable Per-Key Authorization Data : 1
                41: Enable Partition Version : 1


        Partition Policies
                                                                              Destructive
                 Code Description                                   Value Off-To-On On-To-Off
                _____________________________________________________________________________

                  0   Allow private key cloning                      On      Yes       No
                  1   Allow private key wrapping                     Off     Yes       No
                  2   Allow private key unwrapping                   On      No        No
                  3   Allow private key masking                      Off     Yes       No
                  4   Allow secret key cloning                       On      Yes       No
                  5   Allow secret key wrapping                      On      Yes       No
                  6   Allow secret key unwrapping                    On      No        No
                  7   Allow secret key masking                       Off     Yes       No
                  9   Allow DigestKey                                Off     Yes       No 
                  10  Allow multipurpose keys                        On      Yes       No
                  11  Allow changing key attributes                  On      Yes       No
                  15  Ignore failed challenge responses              On      Yes       No
                  16  Operate without RSA blinding                   On      Yes       No
                  17  Allow signing with non-local keys              On      No        No
                  18  Allow raw RSA operations                       On      Yes       No
                  20  Max failed user logins allowed                 10      N/A       N/A
                  21  Allow high availability recovery               On      No        No
                  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
                  26  Maximum pin length                             255     N/A       N/A
                  28  Allow Key Management Functions                 On      Yes       No
                  29  Perform RSA signing without confirmation       On      Yes       No
                  31  Allow private key unmasking                    Off     No        No
                  32  Allow secret key unmasking                     Off     No        No
                  33  Allow RSA PKCS mechanism                       On      Yes       No
                  34  Allow CBC-PAD (un)wrap keys of any size        On      Yes       No
                  37  Force Secure Trusted Channel                   Off     No        Yes
                  39  Allow Start/End Date Attributes                Off     No        Yes
                  40  Require Per-Key Authorization Data             Off     Yes       Yes
                  41  Partition Version                               0      No        Yes






Command Result : No Error

V1 Partition Example



lunacm:> partition showpolicies -verbose
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 1
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 1
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 247
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable enforcing Secure Trusted Channel : 1
                39: Enable Start/End Date Attributes : 1
                40: Enable Per-Key Authorization Data : 1
                41: Enable Partition Version : 1
                42: Enable CPv1 : 1
                43: Enable non-FIPS algorithms : 1


        Partition Policies
                                                                              Destructive
                 Code Description                                   Value Off-To-On On-To-Off
                _____________________________________________________________________________

                  0   Allow private key cloning                      On      Yes       No
                  1   Allow private key wrapping                     Off     Yes       No
                  2   Allow private key unwrapping                   On      No        No
                  3   Allow private key masking                      On      Yes       No
                  4   Allow secret key cloning                       On      Yes       No
                  5   Allow secret key wrapping                      On      Yes       No
                  6   Allow secret key unwrapping                    On      No        No
                  7   Allow secret key masking                       On      Yes       No
                  10  Allow multipurpose keys                        On      Yes       No
                  11  Allow changing key attributes                  On      Yes       No
                  15  Ignore failed challenge responses              On      Yes       No
                  16  Operate without RSA blinding                   On      Yes       No
                  17  Allow signing with non-local keys              On      No        No
                  18  Allow raw RSA operations                       On      Yes       No
                  20  Max failed user logins allowed                 10      N/A       N/A
                  21  Allow high availability recovery               On      No        No
                  25  Minimum pin length (inverted: 255 - min)       248     N/A       N/A
                  26  Maximum pin length                             255     N/A       N/A
                  28  Allow Key Management Functions                 On      Yes       No
                  29  Perform RSA signing without confirmation       On      Yes       No
                  31  Allow private key unmasking                    On      No        No
                  32  Allow secret key unmasking                     On      No        No
                  33  Allow RSA PKCS mechanism                       On      Yes       No
                  34  Allow CBC-PAD (un)wrap keys of any size        On      Yes       No
                  37  Force Secure Trusted Channel                   Off     No        Yes
                  39  Allow Start/End Date Attributes                Off     No        Yes
                  40  Require Per-Key Authorization Data             On      Yes       Yes
                  41  Partition Version                               1      No        Yes
                  42: Allow CPv1                                      1      Yes       No
                  43: Allow non-FIPS algorithms :                     1      Yes       No





Command Result : No Error

Firmware 7.8.0

lunacm:> partition showpolicies
        Partition Capabilities
                 0: Enable private key cloning : 1
                 1: Enable private key wrapping : 1
                 2: Enable private key unwrapping : 1
                 3: Enable private key masking : 1
                 4: Enable secret key cloning : 1
                 5: Enable secret key wrapping : 1
                 6: Enable secret key unwrapping : 1
                 7: Enable secret key masking : 1
                10: Enable multipurpose keys : 1
                11: Enable changing key attributes : 1
                15: Allow failed challenge responses : 1
                16: Enable operation without RSA blinding : 1
                17: Enable signing with non-local keys : 1
                18: Enable raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Enable high availability recovery : 1
                22: Enable activation : 0
                23: Enable auto-activation : 0
                25: Minimum pin length (inverted: 255 - min) : 247
                26: Maximum pin length : 255
                28: Enable Key Management Functions : 1
                29: Enable RSA signing without confirmation : 1
                31: Enable private key unmasking : 1
                32: Enable secret key unmasking : 1
                33: Enable RSA PKCS mechanism : 1
                34: Enable CBC-PAD (un)wrap keys of any size : 1
                37: Enable enforcing Secure Trusted Channel : 1
                39: Enable Start/End Date Attributes : 1
                40: Enable Per-Key Authorization Data : 1
                41: Enable Partition Version : 1
                42: Enable CPv1 : 1
                43: Enable non-FIPS algorithms : 1
                44: Enable Extended Domain Management : 1

        Partition Policies
                 0: Allow private key cloning : 1
                 1: Allow private key wrapping : 0
                 2: Allow private key unwrapping : 1
                 3: Allow private key masking : 0
                 4: Allow secret key cloning : 1
                 5: Allow secret key wrapping : 1
                 6: Allow secret key unwrapping : 1
                 7: Allow secret key masking : 0
                10: Allow multipurpose keys : 1
                11: Allow changing key attributes : 1
                15: Ignore failed challenge responses : 1
                16: Operate without RSA blinding : 1
                17: Allow signing with non-local keys : 1
                18: Allow raw RSA operations : 1
                20: Max failed user logins allowed : 10
                21: Allow high availability recovery : 1
                25: Minimum pin length (inverted: 255 - min) : 247
                26: Maximum pin length : 255
                28: Allow Key Management Functions : 1
                29: Perform RSA signing without confirmation : 1
                31: Allow private key unmasking : 0
                32: Allow secret key unmasking : 0
                33: Allow RSA PKCS mechanism : 1
                34: Allow CBC-PAD (un)wrap keys of any size : 1
                37: Force Secure Trusted Channel : 0
                39: Allow Start/End Date Attributes : 0
                40: Require Per-Key Authorization Data : 0
                41: Partition Version : 0
                42: Allow CPv1 : 1
                43: Allow non-FIPS algorithms : 1
                44: Allow Extended Domain Management : 0


Command Result : No Error