You are here: D - Reference > Capabilities and Policies > HSM Capabilities & Policies

Luna Reference

HSM Capabilities & Policies

HSM Capability Name

HSM Policy Name

 Destructive

Modifiable

Description

Enable PIN-based authentication (HSM_CONFIG_ENABLE
_PIN_AUTHENTICATION)

Allow PIN-based authentication  

-

no

If allowed, use keyboard for entering passwords. (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.)

Enable PED-based authentication   (HSM_CONFIG_ENABLE_PED
_AUTHENTICATION)

Allow PED-based authentication

 -

no

If allowed, use the Luna PED (as well as the keyboard) for entering passwords (via PED Keys). (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.)

Performance level (HSM_CONFIG_PERFORMANCE_LEVEL)

-

-

-

Indicates the performance level of this HSM. The HSM Admin may never modify this capability - it has no corresponding policy. Possible levels are
15: max performance ~7000 1024-bit RSA sigs/sec
4: ~ 1700 1024-bit RSA signatures per second

Enable domestic mechanisms & key sizes (HSM_CONFIG_DOMESTIC)

-

 -

 -

If allowed, this Luna HSM is capable of full strength cryptography (i.e. no US export restrictions)

Enable masking (HSM_CONFIG_MASKING)

Allow masking

yes

yes

If allowed, the Luna HSM is capable of SIM, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of SIM, and there is no way to for the HSM Admin to change this.

Enable cloning (HSM_CONFIG_CLONING)

Allow cloning

yes

yes

If allowed, the Luna HSM is capable of backup to Backup tokens, and this feature can be turned on or off by the HSM Admin. If not allowed, the Luna HSM is not capable of backup and there is no way for the HSM Admin to change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Enable special cloning certificate   (HSM_CONFIG_SPECIAL_CLONING)

-

-

-

If allowed, this Luna HSM can have a vendor-specific cloning certificate loaded on to it. (This policy is always set to not allowed on current Luna HSMs.)

Enable full (non-backup) functionality  (HSM_CONFIG_NONBACKUP_TOKEN)

-

-

-

If allowed, this Luna HSM can perform cryptographic functions. (This policy is always set to allowed on Luna HSMs.)

Enable ECC mechanisms  (HSM_CONFIG_ECC
_MECH)

-

-

-

If allowed, new changes to existing licenses may be done in the field. (This policy is always set to not allowed on Luna HSMs.)

Enable non-FIPS algorithms (HSM_CONFIG_NONFIPS
_ALGORITHMS)

Allow non-FIPS algorithms  

yes

yes

If allowed, the Luna HSM permits use of cryptographic algorithms that are not sanctioned by the FIPS 140-2 standard, the HSM Admin can select whether to permit use of those algorithms or to adhere to strict FIPS 140-2 regulations. If not allowed, the Luna HSM will only operate with FIPS 140-2 approved algorithms, there is no way for the HSM Admin to change this.

Enable SO reset of partition PIN   (HSM_CONFIG_SO_CAN_RESET_PIN)

SO can reset partition PIN

yes

 

yes

 

If allowed, the Luna HSM has the ability to either lock out users or erase them upon X consecutive bad login attempts, if the HSM Admin sets the corresponding HSM policy to “on”, users will be locked out and the HSM Admin can reset their password, if the HSM Admin sets the policy to “off”, users will be erased after X consecutive bad login attempts. If this capability is not allowed, the Luna HSM will always erase users after X consecutive bad login attempts, the HSM Admin may not change this.

Enable network replication   (HSM_CONFIG_NETWORK
_REPLICATION)

Allow network replication   

no

 

yes

 

If allowed, the Luna HSM may use the SafeNet high availability feature, and the HSM Admin may turn this feature on or off. If not allowed, the Luna HSM is not capable of automatic network replication for high availability. Partition backup or partition network replication is allowed for the SafeNet high availability feature. (Does not apply to Luna PCI.)

Enable Korean Algorithms  (HSM_CONFIG_KOREAN
_ALGORITHMS)

  

no

 

yes

 

If allowed, the Luna HSM may use the Korean algorithm set.)

FIPS evaluated (HSM_FIPS
_EVALUATED)

HSM has been evaluated and validated to FIPS 140 -2 (or 3)

no

 

no

 

Deprecated - no longer used

Enable Remote Authentication (*)

Allow Remote Authentication

yes

yes

If allowed, the Luna SA can be configured to act as a source or a target of Remote Authentication. The PED Key data required for administrating a distant (target) Luna SA can be presented at a local, Administration (source) Luna SA. The source appliance has NTLS disabled and so cannot be used by Clients. (Does not apply to Luna PCI.) (* Deprecated - Remote Admin and Remote Authentication no longer supported.)

Enable forcing user PIN change
(HSM_CONFIG_FORCE_USER
_PIN_CHANGE)

Force user PIN change after set/reset

no

 

yes

If allowed, forces the Partition User to perform a partition changePw operation whenever the SO resets the User password (or creates the User Partition). That is, the User cannot perform any other actions on the Partition until the password change is completed. The purpose is to maintain the separation of roles between the SO/HSM Admin and the Partition User/Owner.

Enable offboard storage
HSM_CONFIG_OFFBOARD_STORAGE)

Allow offboard storage

no

 

yes

Allows or disallows the use of the portable SIM key..

Enable partition groups
(HSM_CONFIG_PARTITION_GROUPS)

Allow partition groups

no

 

no

Deprecated - not supported.

Enable Remote PED usage
HSM_CONFIG_REMOTE_PED)

Allow remote PED usage

no

 

yes

Allow authentication via remotely located Luna PED 2 (Remote Capable) and pedServer.

Enable external storage of MTK split
HSM_CONFIG_REMOTE_PED)

Not directly modifiable by user

-

 

-

Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lunash command "hsm srk enable" is run. If that command is never run, or if the HSM is a password-authenticated version, then both MTK splits remain inside the HSM and recovery from tamper is automatic after restart.

HSM non-volatile storage space Not directly modifiable by user - - Shows the factory-set amount of non-volatile storage that is available on the HSM.

Enable HA mode CGX
HSM_CONFIG_HA)

Not directly modifiable by user

-

 

-

This capability determines how "random" numbers are generated for use in the HSM. The default (disabled) mode uses an AES-based method that takes a seed from the onboard hardware RNG to produce a high-quality pseudo-random number. With HA mode enabled, the entire number is generated within the hardware RNG (no seeding), which yields results nearer to true randomness, but which can take an indeterminate (long) amount of time for the required random events to occur.

Enable Acceleration
HSM_CONFIG_ACCEL)

Allow acceleration

yes

 

yes

This capability controls the mechanisms available within the HSM for key generation (RSA, DSA, KCDSA), and HAM. With the "Allow acceleration" policy switched ON, your application can choose from the full range of mechanisms supported by the HSM, for optimum performance with your application.