hsm changePolicy

Change the HSM Admin-modifiable elements of the HSM policy set. Use this command to turn a policy on or off, or to set a numerical policy to a specific value. Only certain portions of the policy set are user-modifiable. Use the hsm showpolicies command to display these policies and their current values. After a successful policy change with hsm changepolicy, hsm showpolicies displays the new policy value.

NOTE   This command must be executed by the HSM Admin. If the HSM Admin is not authenticated, a “user not logged in” error message is returned.

If the policy is destructive, you are given the choice to proceed or quit. This means that you cannot inadvertently destroy the contents of your HSM: you must acknowledge that you know this will happen before you proceed. The exception is the -force option, which changes the policy without prompting. Once a policy is changed, the program reports back the new value of the policy.

User Privileges

Users with the following privileges can perform this command:

Syntax

hsm changePolicy -policy <hsm_policy_number> -value <hsm_policy_value> [-force]

Options

Argument(s)                   Shortcut   Description
-force                        -f         Force the action without prompting. If this option is included for a destructive policy change, the policy is changed without prompting the user to confirm zeroizing the HSM.
-policy <hsm_policy_number>   -p         Specifies the policy code of the policy to alter. Policy descriptions and codes are obtained with the hsm showpolicies command.
-value <hsm_policy_value>     -v         Specifies the value to assign to the specified policy. When specifying values for an on/off type policy, use '1' for on and '0' for off.

Example

lunash:>hsm changePolicy -policy 39 -value 1

    Enabling STC will terminate all existing NTLS connections.

    Type 'proceed' to enable STC on HSM, or 'quit'
    to quit now. > proceed

'hsm changePolicy' successful.

Policy Allow Secure Trusted Channel is now set to value: 1

Restarting NTLS and STC services... Done

Command Result : 0 (Success)

lunash:>hsm changepolicy -policy 6 -value 0

CAUTION:  Are you sure you wish to change the destructive
          policy named:

            Allow masking

          Changing this policy will result in erasing all partitions
          on the HSM! (HSM Admin, Domain, and M of N (where applicable)
          will not be modified.)

          Type 'proceed' to zeroize your HSM and change the policy,
          or 'quit' to quit now.
          > proceed
'hsm changePolicy' successful.

Policy Allow masking is now set to value: 0

Command Result : 0 (Success)
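
The following is an added example, not part of the original documentation or the vendor's tooling: a Python parser that audits a captured lunash session transcript for hsm changePolicy invocations and flags the ones that were destructive or used -force. It assumes the session was saved as plain text; the transcript is constructed from the output lines shown above, and its third session (short options with -f) is an assumed one.

```python
import re

# Constructed transcript: the first two sessions are abridged from this page; the
# third (short options plus -f) is an assumed session reusing the same output lines.
TRANSCRIPT = """\
lunash:>hsm changePolicy -policy 39 -value 1
    Enabling STC will terminate all existing NTLS connections.
Policy Allow Secure Trusted Channel is now set to value: 1
Command Result : 0 (Success)
lunash:>hsm changepolicy -policy 6 -value 0
CAUTION:  Are you sure you wish to change the destructive
          Type 'proceed' to zeroize your HSM and change the policy,
          > proceed
Policy Allow masking is now set to value: 0
Command Result : 0 (Success)
lunash:>hsm changePolicy -p 6 -v 1 -f
Policy Allow masking is now set to value: 1
Command Result : 0 (Success)
"""

CMD = re.compile(r"^lunash:>\s*(hsm\s+changepolicy\b.*)$", re.I)
OPT = re.compile(r"(?<!\S)-(policy|p|value|v)\s+(\S+)", re.I)
FORCE = re.compile(r"(?<!\S)-(force|f)(?!\S)", re.I)
NEW_VALUE = re.compile(r"^Policy (.+) is now set to value: (\d+)$")
RESULT = re.compile(r"^Command Result : (\d+)")

def parse_policy_changes(text):
    """Return one dict per 'hsm changePolicy' invocation found in a transcript."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("lunash:>"):   # any new prompt closes the previous command
            cur, m = None, CMD.match(line)
            if m:
                opts = {k[0].lower(): v for k, v in OPT.findall(m.group(1))}
                cur = {"policy": opts.get("p"), "value": opts.get("v"),
                       "forced": bool(FORCE.search(m.group(1))),
                       "destructive": False, "name": None, "result": None}
                events.append(cur)
        elif cur is not None:
            if "destructive" in line or "zeroize" in line:
                cur["destructive"] = True   # confirmation prompt for a destructive policy
            elif m := NEW_VALUE.match(line):
                cur["name"] = m.group(1)
            elif m := RESULT.match(line):
                cur["result"] = int(m.group(1))
    return events

def needs_review(event):
    """-force suppresses the prompt, so a forced change may be destructive unseen."""
    return event["destructive"] or event["forced"]
```

Because -force removes the confirmation text from the transcript, a forced change cannot be classified as destructive from the output alone, which is why it is flagged for review on its own.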