
Partition Policies

At this point, you should have initialized the HSM and created an HSM Partition. You may need to set the policies that constrain how clients use the HSM Partition. Capabilities are fixed factory settings; policies are the means of adjusting those capabilities that are adjustable.

First, display the default policies of the HSM Partition you created.

You do not need to be logged in to the HSM Partition to run the partition showPolicies command.

However, to change the policies of either the HSM or an individual Partition, you must log in as HSM Administrator.

  1. View the Partition policies. At the lunash prompt, type the command

     [myLuna] lunash:> partition showPolicies -partition myPartition1

        Partition Name: myPartition1
        Partition Num:  332211001

        The following capabilities describe this partition and can never be changed.

        Description                                   Value
        ===========                                   =====
        Enable private key cloning                    Allowed
        Enable private key wrapping                   Disallowed
        Enable private key unwrapping                 Allowed
        Enable private key masking                    Disallowed
        Enable secret key cloning                     Allowed
        Enable secret key wrapping                    Allowed
        Enable secret key unwrapping                  Allowed
        Enable secret key masking                     Disallowed
        Enable multipurpose keys                      Allowed
        Enable changing key attributes                Allowed
        Enable PED use without challenge              Allowed
        Allow failed challenge responses              Allowed
        Enable operation without RSA blinding         Allowed
        Enable signing with non-local keys            Allowed
        Enable raw RSA operations                     Allowed
        Max failed user logins allowed                10
        Enable high availability recovery             Allowed
        Enable activation                             Allowed
        Enable auto-activation                        Allowed
        Minimum pin length (inverted: 255 - min)      248
        Maximum pin length                            255
        Enable Key Management Functions               Allowed
        Enable RSA signing without confirmation       Allowed
        Enable Remote Authentication                  Allowed
        Enable private key unmasking                  Allowed
        Enable secret key unmasking                   Allowed

        The following policies are set due to current configuration
        of this partition and may not be altered directly by the user.

        Description                                   Value
        ===========                                   =====
        Challenge for authentication not needed       True

        The following policies describe the current configuration of this
        partition and may be changed by the HSM Security Officer.

        Description                                   Value      Code
        ===========                                   =====      ====
        Allow private key cloning                     On         0
        Allow private key unwrapping                  On         2
        Allow secret key cloning                      On         4
        Allow secret key wrapping                     On         5
        Allow secret key unwrapping                   On         6
        Allow multipurpose keys                       On         10
        Allow changing key attributes                 On         11
        Ignore failed challenge responses             On         15
        Operate without RSA blinding                  On         16
        Allow signing with non-local keys             On         17
        Allow raw RSA operations                      On         18
        Max failed user logins allowed                10         20
        Allow high availability recovery              On         21
        Allow activation                              Off        22
        Allow auto-activation                         Off        23
        Minimum pin length (inverted: 255 - min)      248        25
        Maximum pin length                            255        26
        Allow Key Management Functions                On         28
        Perform RSA signing without confirmation      On         29
        Allow Remote Authentication                   On         30
        Allow private key unmasking                   On         31
        Allow secret key unmasking                    On         32


(Next, change any of the policies that you wish to change.)
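
Before changing anything, it helps to review the third table against a written baseline. The following is an added example, not part of the Luna documentation or the lunash tool: it parses rows of the "Description / Value / Code" table shown above (the sample text is constructed from that output, not a live capture), decodes the inverted minimum PIN length of policy 25, and flags rows that deviate from a reviewer's baseline. The baseline itself (policies 16 and 18 Off, minimum PIN of 8) is an assumption of this example, not a vendor recommendation.

```python
import re

# Constructed sample, not a capture: a few rows from the third table of
# "partition showPolicies" (the policies the HSM Security Officer may change).
SAMPLE_OUTPUT = """\
        Description                               Value      Code
        ===========                               =====      ====
        Allow private key cloning                 On         0
        Ignore failed challenge responses         On         15
        Operate without RSA blinding              On         16
        Allow raw RSA operations                  On         18
        Max failed user logins allowed            10         20
        Allow activation                          Off        22
        Minimum pin length (inverted: 255 - min)  248        25
        Maximum pin length                        255        26
"""

# A policy row is: description, a value (On/Off/True/False or a number), a code.
# Header and "=====" rows do not end in a numeric code and are skipped.
ROW_RE = re.compile(r"^\s*(.+?)\s+(On|Off|True|False|\d+)\s+(\d+)\s*$")

def parse_policies(text):
    """Return {code: (description, value)} for every policy row in the output."""
    policies = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            policies[int(m.group(3))] = (m.group(1), m.group(2))
    return policies

def min_pin_length(policies):
    """Decode policy 25, which the HSM reports inverted as 255 - minimum."""
    return 255 - int(policies[25][1])

# Review baseline used by this example (an assumption, not a vendor setting):
# code -> (expected value, reason). Both rows are "On" in the output above.
BASELINE = {
    16: ("Off", "RSA blinding mitigates timing side channels on private-key ops"),
    18: ("Off", "raw RSA applies no padding, leaving that to the client"),
}

def audit(policies, baseline=BASELINE, min_pin=8):
    """List policies that deviate from the baseline, plus a too-short PIN minimum."""
    findings = []
    for code, (expected, reason) in baseline.items():
        if code in policies and policies[code][1] != expected:
            desc, actual = policies[code]
            findings.append(f"[{code}] {desc}: {actual}, expected {expected} ({reason})")
    if min_pin_length(policies) < min_pin:
        findings.append(f"[25] minimum PIN length is {min_pin_length(policies)}, want >= {min_pin}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE_OUTPUT)):
        print(finding)
```

On a real appliance, feed the function the captured output of partition showPolicies instead of the constructed sample; the three findings it reports for the sample are the two RSA policies and the 7-character minimum PIN.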

Luna SA 5 does not currently have a secure identity management (SIM) configuration.  Certain HSM policy settings exist to enable migration from Luna SA 4.x to Luna SA 5.x, specifically the “Enable masking” and “Enable portable masking key” values.
