Modify Luna Partition Policies

Beginning with Gateway version 10.0 CR 2, Layer7 allows Luna SafeNet HSM users to turn on or off a select number of Luna partition policies to suit their enterprise security requirements while connected to the API Gateway.
Gateway supports the default partition policy settings preconfigured with the Luna HSM. In addition to this default profile, the Gateway can also support a specific combination of partition policies (i.e., profile) turned OFF.
  • As of Gateway version 10.0 CR 4, Broadcom Layer 7 supports a profile with the following partition policies turned OFF: #2, 5, 6, 17, and 33.
  • As of Gateway version 10.0 CR 3, Broadcom Layer 7 supports a profile with the following partition policies turned OFF: #2, 5, and 17.
    Organizations planning to upgrade to Gateway version 10.0 CR 3 MUST upgrade their Luna HSM client to version 10.2 as described here.
  • As of Gateway version 10.0 CR 2, Broadcom Layer 7 supports a profile with the following partition policies turned OFF: #2.
Users are advised to modify partition policies only if they have the required background knowledge of the operations of the SafeNet Luna HSM. It's strongly recommended that users contact Thales support prior to making any partition policy changes.

Effects from Turning Partition Policies #2, 5, 6, 17 and 33 OFF

Before turning the following Luna partition policies off for your Gateway configuration, understand what each policy controls:
  • Policy 2: Enable Private Key Unwrapping
    If turned OFF, private key unwrapping is not available. Default: ON
  • Policy 5: Allow Secret Key Wrapping
    If turned OFF, the partition does not support secret key wrapping. Default: ON
  • Policy 6: Allow Secret Key Unwrapping
    If turned OFF, the partition does not support secret key unwrapping. Default: ON
  • Policy 17: Allow Signing with Non-Local Keys
    If turned OFF, only keys with CKA_LOCAL=1 can be used to sign data on the HSM. Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Default: ON
  • Policy 33: Allow RSA PKCS Mechanism
    If turned OFF, the RSA PKCS mechanism is not allowed. Default: ON
The following effects must be taken into account:
  • The Gateway cannot import a private key.
  • The Gateway cannot support the creation of EC private keys.
  • JWE decryption with private key will no longer work.
  • RSA key creation, Certificate Signing Request, and signing certificate requests will no longer work due to restrictions for the RSASSA-PKCS1-v1_5 signature algorithm.
    As an alternative, use the SafeNet Certificate Management Utility (CMU) to create a default SSL key. To set a CMU-generated private key as the default SSL key, add the following line to system.properties:
    com.l7tech.server.keyStore.defaultSsl.alias=-1:<CMU created private key label>

Additional Configurations Required for Luna HSM Partition Policy Modifications

The following describes some of the additional configurations required for a partition policy that has policies #2, 5, 6, 17, and 33 turned OFF.
Edit the Chrystoki.conf File
To ensure that the Gateway can continue to route and secure API traffic, the following configuration changes must be made to a Luna HSM that is running in FIPS mode:
  1. Open the /etc/Chrystoki.conf configuration file.
  2. Add the line
     RSAKeyGenMechRemap=1;
     to the 'Misc' section. For example:
     Misc = {
        PE1746Enabled = 0;
        ToolsDir = /usr/safenet/lunaclient/bin;
        PartitionPolicyTemplatePath = /usr/safenet/lunaclient/data/partition_policy_templates;
        ProtectedAuthenticationPathFlagStatus = 0;
        RSAKeyGenMechRemap=1;
     }
Modify Java Security Settings
Ensure that the following configuration is made to the java.security file:
  1. Open the following file in a text editor: /opt/SecureSpan/Gateway/runtime/etc/java.security
  2. Ensure the following lines are in the java.security file:
     security.provider.1=sun.security.provider.Sun
     security.provider.2=sun.security.ec.SunEC
     security.provider.3=com.sun.net.ssl.internal.ssl.Provider
     security.provider.4=com.sun.crypto.provider.SunJCE
     security.provider.5=sun.security.jgss.SunProvider
     security.provider.6=com.sun.security.sasl.Provider
     security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
     security.provider.8=sun.security.smartcardio.SunPCSC
     security.provider.9=com.safenetinc.luna.provider.LunaProvider
     security.provider.10=sun.security.rsa.SunRsaSign
  3. Ensure that the following two lines are NOT included in the java.security file:
     com.safenetinc.luna.provider.createExtractablePrivateKeys=true
     com.safenetinc.luna.provider.createExtractableSecretKeys=true
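The two edits above (the RSAKeyGenMechRemap line in the Misc section of Chrystoki.conf, and the provider list and absent createExtractable settings in java.security) are easy to get subtly wrong, for instance by placing the key in the wrong section or leaving a duplicate security.provider.N entry. The following POSIX shell script is an added example, not part of the Layer7 documentation or the Luna client: it checks both files for exactly what this page requires and can insert the missing Chrystoki.conf line idempotently. It assumes the file paths shown on this page (override them by passing a different path), that the Misc section's closing brace is on its own line as in the page's example, and it builds its own constructed sample files so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not Layer7/Broadcom or Thales code): verify the Gateway-side
# edits required when Luna partition policies #2, 5, 6, 17 and 33 are OFF.

# The java.security provider order given on the page, one property per line.
EXPECTED_PROVIDERS='security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.ec.SunEC
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=com.safenetinc.luna.provider.LunaProvider
security.provider.10=sun.security.rsa.SunRsaSign'

# Returns 0 when the file lists exactly the ten expected providers and does
# not enable extractable Luna keys; returns 1 otherwise.
check_java_security() {
    file="$1"
    # Every expected property must be present verbatim; the index fixes order.
    printf '%s\n' "$EXPECTED_PROVIDERS" | while IFS= read -r line; do
        grep -Fxq "$line" "$file" || exit 1
    done || return 1
    # No extra or duplicate provider entries: a second provider.N line would
    # silently change the order the JVM builds.
    count=$(grep -Ec '^security\.provider\.[0-9]+=' "$file" || true)
    [ "$count" -eq 10 ] || return 1
    # The two createExtractable*Keys=true settings must be absent.
    if grep -Eq '^com\.safenetinc\.luna\.provider\.createExtractable(Private|Secret)Keys[[:space:]]*=[[:space:]]*true' "$file"; then
        return 1
    fi
    return 0
}

# Returns 0 when "RSAKeyGenMechRemap=1;" appears inside the Misc = { ... }
# section of a Chrystoki.conf file (the same key in another section does not
# count); returns 1 otherwise.
check_chrystoki_misc() {
    awk '
        /^[[:space:]]*Misc[[:space:]]*=[[:space:]]*\{/ { in_misc = 1 }
        in_misc && /RSAKeyGenMechRemap[[:space:]]*=[[:space:]]*1[[:space:]]*;/ { found = 1 }
        in_misc && /\}/ { in_misc = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Inserts "RSAKeyGenMechRemap=1;" as the first line of the Misc section if it
# is not already there. Idempotent; assumes the closing brace of Misc is on
# its own line, as in the page's example. Rewrites the file via a temp copy.
add_rsa_remap() {
    file="$1"
    if check_chrystoki_misc "$file"; then
        return 0
    fi
    awk '
        { print }
        /^[[:space:]]*Misc[[:space:]]*=[[:space:]]*\{/ { print "    RSAKeyGenMechRemap=1;" }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample files (not real Gateway files) exercising the checks.
WORK=$(mktemp -d)
GOOD_JS="$WORK/java.security.good"
BAD_JS="$WORK/java.security.bad"
CONF="$WORK/Chrystoki.conf"

printf '%s\n' "$EXPECTED_PROVIDERS" > "$GOOD_JS"
# Same providers, but with the forbidden extractable-key settings enabled.
{ printf '%s\n' "$EXPECTED_PROVIDERS"
  echo 'com.safenetinc.luna.provider.createExtractablePrivateKeys=true'
  echo 'com.safenetinc.luna.provider.createExtractableSecretKeys=true'
} > "$BAD_JS"
# A Misc section without the remap line, using only keys shown on the page.
cat > "$CONF" <<'EOF'
Misc = {
   PE1746Enabled = 0;
   ToolsDir = /usr/safenet/lunaclient/bin;
}
EOF

# Stand-alone run: report on the constructed files (or on the real paths
# from the page if you pass them as arguments to the check functions).
if check_java_security "$GOOD_JS"; then echo "good java.security: OK"; fi
if check_java_security "$BAD_JS"; then echo "bad java.security: unexpectedly OK"; else echo "bad java.security: rejected"; fi
if check_chrystoki_misc "$CONF"; then echo "Chrystoki.conf before edit: unexpectedly OK"; else echo "Chrystoki.conf before edit: remap line missing"; fi
add_rsa_remap "$CONF"
if check_chrystoki_misc "$CONF"; then echo "Chrystoki.conf after edit: OK"; fi
```

On a real appliance, call `check_java_security /opt/SecureSpan/Gateway/runtime/etc/java.security` and `check_chrystoki_misc /etc/Chrystoki.conf` after the edits; both functions exit non-zero on any deviation, so they can gate a deployment step. The Misc-section check deliberately ignores the key anywhere outside that section, because Chrystoki.conf settings are scoped to the section they sit in.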