Modify Luna Partition Policies

Broadcom Layer7 allows Luna SafeNet HSM users to turn a select number of Luna partition policies OFF to suit their enterprise security requirements while connected to the API Gateway.
The Gateway supports the default partition policy settings preconfigured with the Luna HSM. In addition to this default profile, the Gateway also supports a profile with the following policies turned OFF.
  • As of Gateway version 10.1, Broadcom Layer 7 supports a profile with the following partition policies turned OFF: #2, 5, 6, 17, and 33.
While the effects of turning these policies off are described in this topic, users are advised to modify partition policies only if they have the required background knowledge of the operations of the SafeNet Luna HSM. It's strongly recommended that users contact Thales support prior to making any partition policy changes.
To learn about the default partition policies, see Configure the SafeNet Luna HSM Client v10.2.

Effects from Turning Partition Policies #2, 5, 6, 17 and 33 OFF

Before turning the following Luna partition policies OFF for your Gateway configuration, note what each policy controls:
  • Policy 2: Enable Private Key Unwrapping
    If turned OFF, private key unwrapping is not available. Default: ON
  • Policy 5: Allow Secret Key Wrapping
    If turned OFF, the partition does not support secret key wrapping. Default: ON
  • Policy 6: Allow Secret Key Unwrapping
    If turned OFF, the partition does not support secret key unwrapping. Default: ON
  • Policy 17: Allow Signing with Non-Local Keys
    If turned OFF, only keys with CKA_LOCAL=1 can be used to sign data on the HSM. Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Default: ON
  • Policy 33: Allow RSA PKCS Mechanism
    If turned OFF, the RSA PKCS mechanism is not allowed. Default: ON
The following effects must be taken into account:
  • The Gateway cannot import a private key.
  • The Gateway cannot support the creation of EC private keys.
  • JWE decryption with a private key will no longer work.
  • RSA key creation, Certificate Signing Request, and signing certificate requests will not work unless the RSASSA-PSS signature algorithm is selected.

Additional Configurations Required for Luna HSM Partition Policy Modifications

The following describes some of the additional configurations required for a partition policy that has policies #2, 5, 6, 17, and 33 turned OFF.
Edit the Chrystoki.conf File
To ensure that the Gateway can continue to route and secure API traffic, the following configuration changes must be made to a Luna HSM that is running in FIPS mode:
  1. Open the /etc/Chrystoki.conf configuration file.
  2. Add the line RSAKeyGenMechRemap=1; to the 'Misc' section. For example:
     Misc = {
        PE1746Enabled = 0;
        ToolsDir = /usr/safenet/lunaclient/bin;
        PartitionPolicyTemplatePath = /usr/safenet/lunaclient/data/partition_policy_templates;
        ProtectedAuthenticationPathFlagStatus = 0;
        RSAKeyGenMechRemap=1;
     }
Modify Java Security Settings
The ssg.security file allows you to override current settings in the java.security file.
Ensure that the following configuration is made to the ssg.security file:
  1. Open the following file in a text editor:
    /opt/SecureSpan/Gateway/runtime/etc/ssg.security
  2. Ensure the following lines are in the ssg.security file:
     security.provider.1=SUN
     security.provider.2=SunEC
     security.provider.3=SunJCE
     security.provider.4=SunJGSS
     security.provider.5=SunSASL
     security.provider.6=XMLDSig
     security.provider.7=SunPCSC
     security.provider.8=JdkLDAP
     security.provider.9=JdkSASL
     security.provider.10=SunPKCS11
     security.provider.11=com.safenetinc.luna.provider.LunaProvider
     security.provider.12=SunRsaSign
     security.provider.13=SunJSSE
  3. Ensure that the following two lines are NOT included in the ssg.security file:
     com.safenetinc.luna.provider.createExtractablePrivateKeys=true
     com.safenetinc.luna.provider.createExtractableSecretKeys=true
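The two edits above (the Misc section of Chrystoki.conf and the ssg.security overrides) are easy to get subtly wrong, so a post-change check is worth scripting. The following is an added example, not Broadcom or Thales code: a small Python checker that parses both files and reports any deviation from the settings listed on this page. The file contents are constructed samples, and the check for LunaProvider at position 11 assumes the provider order shown above is the one you want to enforce.

```python
import re
# Constructed sample of the Misc section of /etc/Chrystoki.conf
SAMPLE_CHRYSTOKI = """Misc = {
   PE1746Enabled = 0;
   RSAKeyGenMechRemap=1;
}"""
# Constructed sample of ssg.security that still carries a line this page says to remove
SAMPLE_SSG_SECURITY = """security.provider.1=SUN
security.provider.11=com.safenetinc.luna.provider.LunaProvider
com.safenetinc.luna.provider.createExtractablePrivateKeys=true
"""
SECTION_RE = re.compile(r"(\w+)\s*=\s*\{(.*?)\}", re.S)
FORBIDDEN = ("com.safenetinc.luna.provider.createExtractablePrivateKeys",
             "com.safenetinc.luna.provider.createExtractableSecretKeys")
LUNA_PROVIDER = "com.safenetinc.luna.provider.LunaProvider"

def parse_chrystoki(text):
    """Parse 'Name = { key = value; ... }' sections into {section: {key: value}}."""
    conf = {}
    for name, body in SECTION_RE.findall(text):
        entries = {}
        for stmt in body.split(";"):
            if "=" in stmt:
                k, v = stmt.split("=", 1)
                entries[k.strip()] = v.strip()
        conf[name] = entries
    return conf

def parse_properties(text):
    """Parse key=value lines (Java properties style), skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props

def check_policy_profile(chrystoki_text, ssg_security_text):
    """Return findings; an empty list means both files match the requirements above."""
    findings = []
    misc = parse_chrystoki(chrystoki_text).get("Misc", {})
    if misc.get("RSAKeyGenMechRemap") != "1":
        findings.append("Chrystoki.conf: Misc section lacks RSAKeyGenMechRemap=1")
    props = parse_properties(ssg_security_text)
    if props.get("security.provider.11") != LUNA_PROVIDER:
        findings.append("ssg.security: security.provider.11 is not LunaProvider")
    for key in FORBIDDEN:
        if props.get(key, "").lower() == "true":
            findings.append(f"ssg.security: remove {key}=true")
    return findings
```

Run it against the real files by passing open("/etc/Chrystoki.conf").read() and open("/opt/SecureSpan/Gateway/runtime/etc/ssg.security").read(); a non-empty result lists exactly what still needs fixing.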