Capabilities and Policies

HSMs, and partitions within them, are characterized by capabilities that are set at the factory, or added by means of capability updates, and that are adjusted by means of settable policies that correspond to some of the capabilities. HSM capabilities, and the HSM policies that derive from them, apply HSM-wide. Application partition capabilities, and the application partition policies that derive from them, can be inherited from the HSM, or control characteristics that make sense only at the application partition level. Capability and Policy Inheritance illustrates an example of how capabilities and policies can be inherited from the HSM-level to the partition-level on a Luna HSM.

Figure 1: Capability and Policy Inheritance

All policies have an equivalent capability, but not all capabilities are matched by a policy that allows adjustment of the capability. The HSM Security Officer is responsible for setting up the HSM with capabilities, but it is up to the Partition SO to enable their corresponding policies.

Some policy settings are numerical values that can be increased or decreased. Most policy settings are simply OFF/ON switches. Policy setting requires that the SO be logged in. For HSM-wide policies, that is the HSM SO. For partition-level policies, that is the Partition SO.

Set Policies

Set policies with the hsm changePolicy command or the partition changepolicy command, as appropriate. The command requires that you identify the policy number that is to change, and the new value it is to hold. For OFF/ON policies, the value is set as zero or one, respectively.

Example: Cloning

The cloning operation allows you to duplicate or copy the contents of your HSM or partition to other HSMs or partitions that share a cloning domain. The HSM capability that controls cloning on your HSM is Enable Cloning. The equivalent HSM Policy, Allow Cloning, is the modifiable switch that turns cloning on or off for your specific HSM.

NOTE Turning cloning ON or OFF is destructive, and resets your HSM. Ensure that you decide early on in your configuration whether or not you will be using this capability.

Cloning Capability Inheritance shows how the cloning capability is inherited by partitions within your HSM, depending on whether you turn it on or off when you set its policy value.

Figure 2: Cloning Capability Inheritance

If cloning is not allowed HSM-wide, then no partition on the HSM will be able to use cloning.

If cloning is allowed HSM-wide, then each partition inherits that capability and can independently decide whether it wants to enable it.



	SUPPORT	LEGAL
Luna Network HSM 7 Documentation © Copyright 2001-2024, Thales Group Last Updated: 2024-04-15 13:18:27 GMT-04:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information