partition showpolicies
Displays the partition-level capability and policy settings for the indicated user/application partition, including whether the policy is destructive when it is enabled or disabled (verbose mode). Only policies that the Partition SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to export the current state of all partition policies to a partition policy template (PPT).
Policy template export is supported for application partitions only
The partition showpolicies -exporttemplate function is not supported for HSM admin partitions.
To export HSM-wide policies from HSMs connected locally to the HSM host, use the command hsm showpolicies with the -exporttemplate option.
Multiple sessions and policy changes
If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change is reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.
Syntax
partition showpolicies [-slot <slot>] [-verbose] [-exporttemplate <filepath/filename>]
| Argument(s) | Short | Description |
|---|---|---|
| -exporttemplate <filepath/filename> | -et | Export the current state of all partition policies to a policy template in the specified location. NOTE: If there is a mismatch between the template policies and the default values of newer or dependent policies, an attempt to apply the old policy template fails with CKR_FAILED_DEPENDENCIES. You can edit a policy template file before applying it, to add newer policies. |
| -slot <slot> | -s | Specifies the slot number for which to display partition policy settings. If no slot is specified, the policies for the currently-active slot are displayed. |
| -verbose | -v | Include information that specifies whether the policy is destructive when enabled/disabled. |
Example
With -exporttemplate specified
lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT
Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT
Command Result : No Error
Normal mode (pre-firmware 7.7.0)
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
37: Force Secure Trusted Channel : 0
39: Allow Start/End Date Attributes : 0
Command Result : No Error
Verbose mode (pre-firmware 7.7.0)
lunacm:> partition showpolicies -verbose
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 1
23: Enable auto-activation : 1
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
Partition Policies
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
2 Allow private key unwrapping On No No
4 Allow secret key cloning On Yes No
5 Allow secret key wrapping On Yes No
6 Allow secret key unwrapping On No No
10 Allow multipurpose keys On Yes No
11 Allow changing key attributes On Yes No
15 Ignore failed challenge responses On Yes No
16 Operate without RSA blinding On Yes No
17 Allow signing with non-local keys On No No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
21 Allow high availability recovery On No No
22 Allow activation Off No No
23 Allow auto-activation Off No No
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
26 Maximum pin length 255 N/A N/A
28 Allow Key Management Functions On Yes No
29 Perform RSA signing without confirmation On Yes No
31 Allow private key unmasking On No No
32 Allow secret key unmasking On No No
33 Allow RSA PKCS mechanism On Yes No
34 Allow CBC-PAD (un)wrap keys of any size On Yes No
37 Force Secure Trusted Channel Off No Yes
39 Allow Start/End Date Attributes Off No Yes
Command Result : No Error
For firmware 7.7.0 and later, when viewed from an up-to-date Client, the command shows the newer Capabilities and Policies, as well as the status of pre-existing policies that have new default settings (for example, policies 3, 7, 31, and 32), regardless of whether the partition is V0 or V1. Older clients cannot display the newer policies. Newer clients show capabilities and policies for firmware <7.7.0 partitions as the older firmware presents them.
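The verbose table's Off-To-On and On-To-Off columns are what a Partition SO consults before changing a policy, and the firmware note above means a policy code in a desired set may simply be absent from an older partition's output. The following helper is an added example, not part of the Luna documentation or of LunaCM: it parses the verbose Partition Policies table into a dictionary and, given the desired settings, reports which changes are destructive and which codes the partition does not report at all. The sample text is a constructed excerpt in the output format shown on this page; the function names are this example's own.

```python
import re
# Constructed excerpt in the verbose "Partition Policies" table format shown on this page.
SAMPLE_VERBOSE = """\
Partition Policies
Destructive
Code Description Value Off-To-On On-To-Off
______________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
20 Max failed user logins allowed 10 N/A N/A
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
37 Force Secure Trusted Channel Off No Yes
Command Result : No Error
"""
# One table row: code, description, value (On/Off or a number), then the two destructive flags.
ROW = re.compile(r"^(\d+)\s+(.+?)\s+(On|Off|\d+)\s+(Yes|No|N/A)\s+(Yes|No|N/A)$")


def parse_policies(text):
    """Map policy code -> dict(desc, value, off_to_on, on_to_off) from verbose output."""
    policies, in_table = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Partition Policies":       # the Capabilities list above it is skipped
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m:
            code, desc, value, off_on, on_off = m.groups()
            policies[int(code)] = {"desc": desc, "value": value,
                                   "off_to_on": off_on == "Yes",
                                   "on_to_off": on_off == "Yes"}
    return policies


def plan_changes(current, desired):
    """desired maps code -> "On", "Off" or a number. Returns (changes, destructive, unknown)."""
    changes, destructive, unknown = [], [], []
    for code, want in desired.items():
        if code not in current:                # policy not reported by this firmware/client
            unknown.append(code)
            continue
        flags, have = current[code], current[code]["value"]
        if str(want) == have:
            continue                           # already in the desired state
        changes.append(code)
        if (have, want) == ("Off", "On") and flags["off_to_on"]:
            destructive.append(code)
        elif (have, want) == ("On", "Off") and flags["on_to_off"]:
            destructive.append(code)
    return changes, destructive, unknown
```

Feed it the real `partition showpolicies -verbose` output of a partition and the desired settings to see which changes would be destructive before running `partition changepolicy`.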
V0 Partition Example
lunacm:> partition showpolicies -verbose
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 1
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 1
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable enforcing Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
40: Enable Per-Key Authorization Data : 1
41: Enable Partition Version : 1
Partition Policies
Destructive
Code Description Value Off-To-On On-To-Off
_____________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
2 Allow private key unwrapping On No No
3 Allow private key masking Off Yes No
4 Allow secret key cloning On Yes No
5 Allow secret key wrapping On Yes No
6 Allow secret key unwrapping On No No
7 Allow secret key masking Off Yes No
10 Allow multipurpose keys On Yes No
11 Allow changing key attributes On Yes No
15 Ignore failed challenge responses On Yes No
16 Operate without RSA blinding On Yes No
17 Allow signing with non-local keys On No No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
21 Allow high availability recovery On No No
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
26 Maximum pin length 255 N/A N/A
28 Allow Key Management Functions On Yes No
29 Perform RSA signing without confirmation On Yes No
31 Allow private key unmasking Off No No
32 Allow secret key unmasking Off No No
33 Allow RSA PKCS mechanism On Yes No
34 Allow CBC-PAD (un)wrap keys of any size On Yes No
37 Force Secure Trusted Channel Off No Yes
39 Allow Start/End Date Attributes Off No Yes
40 Require Per-Key Authorization Data Off Yes Yes
41 Partition Version 0 No Yes
Command Result : No Error
V1 Partition Example
lunacm:> partition showpolicies -verbose
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 1
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 1
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 247
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable enforcing Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
40: Enable Per-Key Authorization Data : 1
41: Enable Partition Version : 1
42: Enable CPv1 : 1
43: Enable non-FIPS algorithms : 1
Partition Policies
Destructive
Code Description Value Off-To-On On-To-Off
_____________________________________________________________________________
0 Allow private key cloning On Yes No
1 Allow private key wrapping Off Yes No
2 Allow private key unwrapping On No No
3 Allow private key masking On Yes No
4 Allow secret key cloning On Yes No
5 Allow secret key wrapping On Yes No
6 Allow secret key unwrapping On No No
7 Allow secret key masking On Yes No
10 Allow multipurpose keys On Yes No
11 Allow changing key attributes On Yes No
15 Ignore failed challenge responses On Yes No
16 Operate without RSA blinding On Yes No
17 Allow signing with non-local keys On No No
18 Allow raw RSA operations On Yes No
20 Max failed user logins allowed 10 N/A N/A
21 Allow high availability recovery On No No
25 Minimum pin length (inverted: 255 - min) 248 N/A N/A
26 Maximum pin length 255 N/A N/A
28 Allow Key Management Functions On Yes No
29 Perform RSA signing without confirmation On Yes No
31 Allow private key unmasking On No No
32 Allow secret key unmasking On No No
33 Allow RSA PKCS mechanism On Yes No
34 Allow CBC-PAD (un)wrap keys of any size On Yes No
37 Force Secure Trusted Channel Off No Yes
39 Allow Start/End Date Attributes Off No Yes
40 Require Per-Key Authorization Data On Yes Yes
41 Partition Version 1 No Yes
42 Allow CPv1 1 Yes No
43 Allow non-FIPS algorithms 1 Yes No
Command Result : No Error
lunacm:>