Setting Partition Policies Using a Template
A partition policy template is a file containing a set of preferred partition policy settings, used to initialize partitions with those settings. You can use the same file to initialize multiple partitions, rather than changing policies manually after initialization. This can save time and effort when initializing partitions that are to function as an HA group, or must comply with your company's overall security strategy. Templates enable scalable policy management and simplify future audit and compliance requirements.
See also Setting HSM Policies Using a Template.
NOTE This feature requires minimum Luna HSM Firmware 7.1.0 and Luna HSM Client 7.1.0.
You can create a partition policy template file from an initialized or uninitialized partition, and edit it using a standard text editor. Partition policy templates have additional customization options.
Policy templates cannot be used to alter settings for an initialized partition. Once a partition has been initialized, the Partition SO must change individual policies manually (see Setting Partition Policies Manually).
This section provides instructions for the following procedures, and some general guidelines and restrictions:
>Creating a Partition Policy Template
>Editing a Partition Policy Template
>Applying a Partition Policy Template
Creating a Partition Policy Template
The following procedure describes how to create a policy template for a partition. This can be done optionally at two points in the partition setup process:
>before the partition is initialized: this produces a template file containing the default policy settings, which can then be edited
>after initializing and setting the partition policies manually: this produces a template file with the current policy settings, which can then be used to initialize other partitions with the same settings. The Partition SO must complete the procedure.
To create a partition policy template
1.Launch LunaCM and set the active slot to the partition. If you are creating a template from an initialized partition, you must log in as Partition SO.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name po
2.Create the partition policy template file. Specify an existing save directory and original filename. No file extension is required. If a template file with the same name exists in the specified directory, it is overwritten.
lunacm:> partition showpolicies -exporttemplate <filepath/filename>
lunacm:> partition showpolicies -exporttemplate /usr/safenet/lunaclient/templates/ParPT
Partition policies for Partition: myPartition1 written to /usr/safenet/lunaclient/templates/ParPT
Command Result : No Error
Editing a Partition Policy Template
Use a standard text editor to manually edit policy templates for custom configurations. This section provides template examples and customization guidelines.
Partition Policy Template Example
This example shows the contents of a partition policy template created using the factory default policy settings. Use a standard text editor to change the policy and/or destructiveness values (0=OFF, 1=ON, or the desired value 0-255).
Partition policy template entries have two additional fields: Off to on destructive and On to off destructive (see example below). Change these values to 0 or 1 to determine whether cryptographic objects on the partition should be deleted when this policy is changed in the future. Policies that lower the security level of the objects stored on the partition are normally destructive, but it may be useful to customize this behavior for your own security strategy. See Partition Capabilities and Policies for more information.
CAUTION! Setting policy destructiveness to 0 (OFF) makes partitions less secure. Use this feature only if your security strategy demands it.
If you export a policy template from an uninitialized partition, the Sourced from partition header field remains blank. This field is informational and you can still apply the template.
The Policy Description field is included in the template for user readability only. Policies are verified by the number in the Policy ID field.
# Policy template FW Version 7.1.0
# Field format - Policy ID:Policy Description:Policy Value:Off to on destructive:On to off destructive
# Sourced from partition: myPartition1, SN: 154438865290
0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":0:1:0
2:"Allow private key unwrapping":1:0:0
3:"Allow private key masking":0:1:0
4:"Allow secret key cloning":1:1:0
5:"Allow secret key wrapping":1:1:0
6:"Allow secret key unwrapping":1:0:0
7:"Allow secret key masking":0:1:0
9:"Allow DigestKey":0:1:0
10:"Allow multipurpose keys":1:1:0
11:"Allow changing key attributes":1:1:0
15:"Ignore failed challenge responses":1:1:0
16:"Operate without RSA blinding":1:1:0
17:"Allow signing with non-local keys":1:0:0
18:"Allow raw RSA operations":1:1:0
20:"Max failed user logins allowed":10:0:0
21:"Allow high availability recovery":1:0:0
22:"Allow activation":0:0:0
23:"Allow auto-activation":0:0:0
25:"Minimum pin length (inverted 255 - min)":248:0:0
26:"Maximum pin length":255:0:0
28:"Allow Key Management Functions":1:1:0
29:"Perform RSA signing without confirmation":1:1:0
31:"Allow private key unmasking":1:0:0
32:"Allow secret key unmasking":1:0:0
33:"Allow RSA PKCS mechanism":1:1:0
34:"Allow CBC-PAD (un)wrap keys of any size":1:1:0
39:"Allow Start/End Date Attributes":0:1:0
40:"Require Per-Key Authorization Data":0:1:0
41:"Partition Version":0:0:1
Editing Guidelines and Restrictions
When creating or editing partition policy templates:
>You can remove a policy from the template by adding # at the beginning of the line or deleting the line entirely. When you apply the template, the partition will use the default values for that policy.
>Partition policy templates from older Luna versions (6.x or earlier) cannot be applied to Luna 7.x partitions.
>This version of the partition policy template feature is available on Luna 7.x application partitions only. When the active slot is set to a Luna 6.x partition, the -exporttemplate option is not available.
>You cannot set partition policy 37: Force Secure Trusted Channel to 1 using a policy template.
>The following restrictions apply when configuring partitions for Cloning or Key Export:
•Partition policy 0: Allow private key cloning and partition policy 1: Allow private key wrapping can never be set to 1 (ON) at the same time. Initialization fails if the template contains a value of 1 for both policies.
•Partition policy 1: Allow private key wrapping must always have Off-to-on destructiveness set to 1 (ON). Initialization fails if the template contains a value of 0 in this field.
>You may not use invalid policy values (outside the acceptable range), or values that conflict with your HSM or partition's capabilities. For example, Partition capability 3: Enable private key masking is always 0, so you cannot set the corresponding partition policy to 1. If you attempt to initialize a partition with a template containing invalid policy values, an error is returned and initialization fails.
If there is a mismatch between the policies in the template and the default values of newer or dependent policies, the attempt to apply the older template fails with CKR_FAILED_DEPENDENCIES.
You can edit a policy template file before applying it, to add the newer policies.
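The following pre-flight linter is an added example, not Thales or Luna code: it parses a template in the field format shown above and reports the restrictions listed in this section (conflicting policies 0 and 1, policy 1 destructiveness, policy 37, capability 3, out-of-range values) before the file is handed to partition init -applytemplate. The sample templates are constructed from the default template on this page, and the check list covers only the restrictions the page states.

```python
import re
# Field format, from the template header on this page:
# Policy ID:Policy Description:Policy Value:Off to on destructive:On to off destructive
LINE_RE = re.compile(r'^(\d+):"([^"]*)":(\d+):([01]):([01])$')

def parse_template(text: str) -> dict:
    """Map policy ID -> (description, value, off_to_on, on_to_off); '#' lines are skipped (default kept)."""
    policies = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {n}: expected ID:"Description":Value:OffOn:OnOff')
        pid, desc, val, off_on, on_off = m.groups()
        policies[int(pid)] = (desc, int(val), int(off_on), int(on_off))
    return policies

def lint_template(text: str) -> list:
    """Return the problems that would make 'partition init -applytemplate' fail."""
    p = parse_template(text)
    value = lambda pid: p[pid][1] if pid in p else 0  # absent policy keeps its default (0 here)
    problems = []
    for pid, (desc, val, _, _) in p.items():
        if val > 255:  # the regex already rejects negative values
            problems.append(f"policy {pid} ({desc}): value {val} is outside 0-255")
    if value(0) == 1 and value(1) == 1:
        problems.append("policies 0 and 1 (private key cloning/wrapping) cannot both be 1")
    if 1 in p and p[1][2] != 1:
        problems.append("policy 1 (Allow private key wrapping): off-to-on destructive must be 1")
    if value(37) == 1:
        problems.append("policy 37 (Force Secure Trusted Channel) cannot be set to 1 by template")
    if value(3) == 1:
        problems.append("policy 3 (Allow private key masking): capability 3 is always 0")
    return problems

# Constructed samples (not exported from a real HSM): a valid edit of the default
# template, and one that turns on policy 1 beside policy 0 and tries to force policy 37.
GOOD_TEMPLATE = """# Policy template FW Version 7.1.0
0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":0:1:0
# 3:"Allow private key masking":0:1:0
20:"Max failed user logins allowed":10:0:0
"""
BAD_TEMPLATE = """0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":1:0:0
37:"Force Secure Trusted Channel":1:0:0
"""
```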
Applying a Partition Policy Template
The following procedure describes how to initialize a partition using a policy template.
To apply a policy template to a new partition
1.Ensure that the template file is saved on the client workstation.
2.Launch LunaCM and set the active slot to the new partition.
lunacm:> slot set -slot <slotnum>
3.Initialize the partition, specifying a label and the policy template file. If the template file is not in the same directory as LunaCM, include the correct filepath.
lunacm:> partition init -label <label> -applytemplate <filepath/filename>
4.[Optional] Verify that the template has been applied correctly by checking the partition's policy settings. Include the -verbose option to view the destructiveness settings.
lunacm:> partition showpolicies [-verbose]