partition changepolicy
Change a user policy on the partition.
NOTE If you are running more than one LunaCM session against the same partition and change a partition policy in one of them, the change is reflected only in that session. Exit and restart the other LunaCM sessions to display the changed policy settings.
Syntax
partition changepolicy -policy <policy_id> -value <policy_value> [-slot <slot_number>] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
-force | -f | Force action without prompting for confirmation. |
-policy <policy_id> | -p | Specifies the ID of the policy you want to change. Change multiple policies by specifying a comma-separated list for -policy and -value (for example, -policy 33,37,40 -value 0,1,1). |
-slot <slot_number> | -s | Specifies the slot where the partition is located. |
-value <policy_value> | -v | Specifies the new value for the specified policy. Change multiple policies by specifying a comma-separated list for -policy and -value (for example, -policy 33,37,40 -value 0,1,1). |
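The -policy and -value lists are paired positionally, so a miscount or a wrong ID silently targets the wrong policy. The following pre-flight check is an added example written for this page; it is not Thales code and not part of LunaCM. It parses the text that `partition showpolicies` prints (layout as shown on this page), pairs up the comma-separated lists, and reports what each requested change would do before anyone runs it on a live HSM. Assumed, not stated by the page: a 1 under "Partition Capabilities" means the HSM permits the matching policy to be switched on, and policies 20, 25 and 26 take integers rather than 0/1. The only follow-on effect it knows about is the one this page documents for policy 44.

```python
"""Pre-flight check for `partition changepolicy` arguments.

Added example; not Thales code and not part of the Luna documentation.
Assumptions: capability value 1 means the policy may be enabled; policies
20, 25 and 26 are integer-valued; every other policy is 0/1.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abridged copy of the showpolicies output from the
# session on this page. A real listing contains every policy.
SAMPLE_SHOWPOLICIES = """\
Partition Capabilities
        0: Enable private key cloning : 1
        1: Enable private key wrapping : 1
       20: Max failed user logins allowed : 10
       22: Enable activation : 0
       25: Minimum pin length (inverted: 255 - min) : 247
       26: Maximum pin length : 255
       33: Enable RSA PKCS mechanism : 1
       37: Enable enforcing Secure Trusted Channel : 1
       40: Enable Per-Key Authorization Data : 1
       44: Enable Extended Domain Management : 1
Partition Policies
        0: Allow private key cloning : 1
        1: Allow private key wrapping : 0
       20: Max failed user logins allowed : 10
       25: Minimum pin length (inverted: 255 - min) : 247
       26: Maximum pin length : 255
       33: Allow RSA PKCS mechanism : 1
       37: Force Secure Trusted Channel : 0
       40: Require Per-Key Authorization Data : 0
       44: Allow Extended Domain Management : 1
Command Result : No Error
"""

NUMERIC_POLICIES = {20, 25, 26}  # integer-valued; everything else is 0/1
# Follow-on effects documented on this page, keyed by (policy id, new value).
FOLLOW_ON = {(44, 0): "ON to OFF discards all non-primary domains (check partition domainlist)"}
# "<id>: <description> : <value>"; the description may itself contain a colon
# (policy 25), so the value is the last " : <digits>" on the line.
LINE_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")


def parse_showpolicies(text):
    """Return (capabilities, policies); each maps id -> (description, value)."""
    caps, pols, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Partition Capabilities":
            current = caps
        elif stripped == "Partition Policies":
            current = pols
        elif current is not None:
            m = LINE_RE.match(line)
            if m:
                current[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return caps, pols


def min_pin_length(pols):
    """Policy 25 is stored inverted: the listing shows 255 - min, not min."""
    return 255 - pols[25][1]


def pair_lists(policy_arg, value_arg):
    """Pair '-policy 33,37,40' with '-value 0,1,1' positionally; refuse a miscount."""
    ids = [int(x) for x in policy_arg.split(",")]
    vals = [int(x) for x in value_arg.split(",")]
    if len(ids) != len(vals):
        raise ValueError(f"{len(ids)} policy ids but {len(vals)} values")
    return list(zip(ids, vals))


@dataclass
class Change:
    policy_id: int
    description: str
    old: Optional[int]
    new: int
    problems: list = field(default_factory=list)  # empty means acceptable
    note: str = ""  # documented follow-on effect, if any


def plan_changes(caps, pols, policy_arg, value_arg):
    """Describe each requested change and flag the ones that cannot or need not run."""
    plan = []
    for pid, new in pair_lists(policy_arg, value_arg):
        if pid not in pols:
            plan.append(Change(pid, "<unknown>", None, new, ["not listed under Partition Policies"]))
            continue
        desc, old = pols[pid]
        chg = Change(pid, desc, old, new, note=FOLLOW_ON.get((pid, new), ""))
        if pid not in NUMERIC_POLICIES and new not in (0, 1):
            chg.problems.append("on/off policy: value must be 0 or 1")
        cap = caps.get(pid)
        if pid not in NUMERIC_POLICIES and new == 1 and cap is not None and cap[1] == 0:
            chg.problems.append("capability is 0: the HSM does not permit enabling this")
        if old == new:
            chg.problems.append("no-op: already set to that value")
        plan.append(chg)
    return plan


def render(plan):
    """One human-readable line per requested change."""
    lines = []
    for c in plan:
        status = "OK" if not c.problems else "SKIP (" + "; ".join(c.problems) + ")"
        tail = f"  NOTE {c.note}" if c.note else ""
        lines.append(f"policy {c.policy_id} {c.description}: {c.old} -> {c.new}  {status}{tail}")
    return lines


if __name__ == "__main__":
    caps, pols = parse_showpolicies(SAMPLE_SHOWPOLICIES)
    print("minimum PIN length:", min_pin_length(pols))
    for line in render(plan_changes(caps, pols, "33,37,40,22,44", "0,1,1,1,0")):
        print(line)
```

Run it against the real output of `partition showpolicies` (and `-verbose`, which this script does not parse) before issuing the change; anything marked SKIP would either be rejected, do nothing, or hit a policy you did not mean to touch.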
Example
The output will vary depending on the specific policy being changed and whether or not the change is destructive. Use the command partition showpolicies with the -verbose option to see which policy changes are destructive and, if destructive, in which direction (on-to-off, off-to-on, or both).
```
C:\Program Files\SafeNet\LunaClient>lunacm.exe
lunacm.exe (64-bit) v10.6.0-431. Copyright (c) 2023 Thales Group. All rights reserved.

        Available HSMs:

        Slot Id ->              0
        Label ->                par
        Serial Number ->        1578912775566
        Model ->                LunaSA 7.8.3
        Firmware Version ->     7.9.0
        Bootloader Version ->   1.1.5
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
        FM HW Status ->         FM Ready

        Current Slot Id: 0

lunacm:> role login -n po -p userpin1

Command Result : No Error

lunacm:> partition showpolicies

        Partition Capabilities
                0: Enable private key cloning : 1
                1: Enable private key wrapping : 1
                2: Enable private key unwrapping : 1
                3: Enable private key masking : 1
                4: Enable secret key cloning : 1
                5: Enable secret key wrapping : 1
                6: Enable secret key unwrapping : 1
                7: Enable secret key masking : 1
                9: Enable digest key : 1
               10: Enable multipurpose keys : 1
               11: Enable changing key attributes : 1
               15: Allow failed challenge responses : 1
               16: Enable operation without RSA blinding : 1
               17: Enable signing with non-local keys : 1
               18: Enable raw RSA operations : 1
               20: Max failed user logins allowed : 10
               21: Enable high availability recovery : 1
               22: Enable activation : 0
               23: Enable auto-activation : 0
               25: Minimum pin length (inverted: 255 - min) : 247
               26: Maximum pin length : 255
               28: Enable Key Management Functions : 1
               29: Enable RSA signing without confirmation : 1
               31: Enable private key unmasking : 1
               32: Enable secret key unmasking : 1
               33: Enable RSA PKCS mechanism : 1
               34: Enable CBC-PAD (un)wrap keys of any size : 1
               37: Enable enforcing Secure Trusted Channel : 1
               39: Enable Start/End Date Attributes : 1
               40: Enable Per-Key Authorization Data : 1
               41: Enable Partition Version : 1
               42: Enable CPv1 : 1
               43: Enable non-FIPS algorithms : 1
               44: Enable Extended Domain Management : 1

        Partition Policies
                0: Allow private key cloning : 1
                1: Allow private key wrapping : 0
                2: Allow private key unwrapping : 1
                3: Allow private key masking : 0
                4: Allow secret key cloning : 1
                5: Allow secret key wrapping : 1
                6: Allow secret key unwrapping : 1
                7: Allow secret key masking : 0
                9: Allow digest key : 0
               10: Allow multipurpose keys : 1
               11: Allow changing key attributes : 1
               15: Ignore failed challenge responses : 1
               16: Operate without RSA blinding : 1
               17: Allow signing with non-local keys : 1
               18: Allow raw RSA operations : 1
               20: Max failed user logins allowed : 10
               21: Allow high availability recovery : 1
               25: Minimum pin length (inverted: 255 - min) : 247
               26: Maximum pin length : 255
               28: Allow Key Management Functions : 1
               29: Perform RSA signing without confirmation : 1
               31: Allow private key unmasking : 0
               32: Allow secret key unmasking : 0
               33: Allow RSA PKCS mechanism : 1
               34: Allow CBC-PAD (un)wrap keys of any size : 1
               37: Force Secure Trusted Channel : 0
               39: Allow Start/End Date Attributes : 0
               40: Require Per-Key Authorization Data : 0
               41: Partition Version : 0
               42: Allow CPv1 : 0
               43: Allow non-FIPS algorithms : 0
               44: Allow Extended Domain Management : 1

Command Result : No Error

lunacm:> partition domainlist

        Number of supported domains 3

        Defined Domains
        Domain #1 without label. Defined as primary domain.
        Domain #2 with label "domain".
        Domain #3 with label "domain%".

Command Result : No Error

lunacm:> partition changepolicy -v 0 -p 44 -f

Command Result : No Error

lunacm:> partition domainlist

        Number of supported domains 3

        Defined Domain
        Domain #1 without label. Defined as primary domain.

Command Result : No Error

lunacm:>
```
NOTE In the example above, switching Policy 44 (Allow Extended Domain Management) from ON to OFF on a partition with multiple domains retains the primary domain but discards the non-primary domains, as the second partition domainlist shows.
Other policy changes can have other important follow-on effects, and should be considered carefully on any HSM that is already deployed.