LunaCM Command Reference Guide

User Manual:

Open the PDF directly: View PDF .
Page Count: 252

Download
Open PDF In Browser	View PDF

SafeNet Network HSM 6.2.2
LunaCM Command Reference Guide

Document Information
Product Version

Document Part Number

01 December 2016

Revision History
Revision

01 December 2016

Initial release.

Trademarks, Copyrights, and Third-Party Software
Copyright 2001-2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether
registered or not in specific countries, are the property of their respective owners.

Acknowledgements
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org)
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the University of California, Berkeley and its contributors.
This product uses Brian Gladman’s AES implementation.
Refer to the End User License Agreement for more information.

Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal, and personal use only provided that:
•

The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies.

This document shall not be posted on any publicly accessible network computer or broadcast in any media, and no
modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

SafeNet Network HSM LunaCM Command Reference Guide
Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications
data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all
implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall
Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any
damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or
customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and
disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the
date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security
and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third
party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto
products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential
damages that result from any use of its products. It is further stressed that independent testing and verification by the
person using the product is particularly encouraged, especially in any application in which defective, incorrect or
insecure functioning could result in damage to persons or property, denial of service, or loss of privacy.

Acknowledgements
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org)
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the University of California, Berkeley and its contributors.
This product uses Brian Gladman’s AES implementation.
Refer to the End User License Agreement for more information.

Regulatory Compliance
This product complies with the following regulatory regulations. To ensure compliancy, ensure that you install the
products as specified in the installation instructions and use only SafeNet-supplied or approved accessories.

USA, FCC
This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and
(2) This device must accept any interference received, including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a “Class B” digital device, pursuant to part 15 of
the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following
measures:
•

Reorient or relocate the receiving antenna

SafeNet Network HSM LunaCM Command Reference Guide
Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Increase the separation between the equipment and receiver

Connect the equipment into an outlet on a circuit different from that to which the receiver is connected

Consult the dealer or an experienced radio/TV technician for help

Changes or modifications not expressly approved by SafeNet could void the user’s authority to operate the
equipment.

Canada
This class B digital apparatus meets all requirements of the Canadian interference- causing equipment regulations.

Europe
This product is in conformity with the protection requirements of EC Council Directive 2004/108/EC. Conformity is
declared to the following applicable standards for electro-magnetic compatibility immunity and susceptibility; CISPR22
and IEC801. This product satisfies the CLASS B limits of EN 55022.

SafeNet Network HSM LunaCM Command Reference Guide
Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

CONTENTS
PREFACE

About the LunaCM Command Reference Guide

Customer Release Notes
Gemalto Rebranding
Audience
Document Conventions
Notes
Cautions
Warnings
Command Syntax and Typeface Conventions
Support Contacts

Accessing LunaCM
LunaCM Features
Case Insensitivity
Quotation Marks
Operation

LunaCM commands

appid
appid close
appid info
appid open
appid set
audit
audit changepw
audit config
audit export
audit import
audit init
audit login
audit logmsg
audit logout
audit status
audit time
audit verify
clientconfig
clientconfig deleteServer
clientconfig deploy
clientconfig listservers
clientconfig restart
clientconfig verify
file display

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

10
10
10
11
11
11
11
12
12
12

14
14
15
15
16
16

17
21
22
23
24
25
26
28
29
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

hagroup
hagroup addmember
hagroup addstandby
hagroup creategroup
hagroup deletegroup
hagroup halog
hagroup haonly
hagroup listgroups
Example for HA Group
hagroup recover
hagroup recoverymode
hagroup removemember
hagroup removestandby
hagroup retry
hagroup interval
hagroup synchronize
hsm
hsm changehsmpolicy
hsm changepw
hsm changesopolicy
hsm clear
hsm clone
hsm contents
hsm factoryreset
hsm init
hsm login
hsm logout
hsm migratepedkey
hsm monitor
hsm recoveryinit
hsm recoverylogin
hsm reset
hsm restart
hsm restoreuser
hsm restoresim2
hsm rollbackfw
hsm setlagacydomain
hsm showinfo
hsm showmechanism
Example of Information about One Mechanism
hsm showpolicies
hsm smkclone
hsm updatecap
hsm updatefw
partition
partition activate
Partition Policy settings needed
partition archive
partition archive backup

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

47
49
50
51
52
53
54
55
55
57
58
59
60
61
62
63
64
67
68
69
70
71
72
73
74
77
79
80
81
83
84
85
86
87
88
89
91
92
94
95
96
101
102
103
104
110
110
112
114

Example Backup an Object to an SFF eToken
Example: Backup All Objects to an SFF eToken
partition archive contents
Example: Objects found
partition archive delete
Example: Delete all Objects from an SFF eToken
Example: Attempt to Delete Objects from an Empty SFF eToken
partition archive list
partition archive restore
Example: Restore One or All Objects from an SFF eToken
Example: Restore All objects from an SFF eToken
Example: Restore Objects from an SFF eToken, where some already exist on target
partition changepolicy
partition changepw
partition clear
partition clone
partition contents
partition create
partition createchallenge
partition createuser
partition deactivate
partition delete
partition init
partition login
partition logout
partition recoveryinit
partition recoverylogin
partition resetpw
partition resize
partition restoresim2
partition restoresim3
partition setlegacydomain
partition showinfo
partition showmechanism
partition policyTemplateChange
partition policyTemplatecreate
partition policyTemplateDelete
partition policyTemplateList
partition policytemplateload
partition policyTemplateSave
partition policyTemplateShow
partition showpolicies
partition smkclone
ped
ped connect
ped disconnect
ped get
ped set
ped show

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

115
116
117
118
119
120
120
121
122
123
123
123
125
126
128
129
130
131
138
139
140
140
142
143
144
145
146
147
147
151
152
153
154
156
158
160
162
164
165
166
167
169
171
172
173
175
176
177
179

ped vector
remotebackup start
role
role changepw
role createChallenge
role deactivate
role init
role list
role login
role logout
role recoveryinit
role recoverylogin
role resetpw
role setdomain
role show
slot
slot configset
slot configshow
slot list
slot partitionlist
slot set
srk
srk disable
srk enable
srk generate
srk recover
srk show
srk transport
stc
stc disable
stc enable
stc identitycreate
stc identitydelete
stc identityexport
stc identityshow
stc partitionderegister
stc partitionregister
stc status
stc tokeninit
stc tokenlist
stcconfig
stcconfig activationtimeoutset
stcconfig activationtimeoutshow
stcconfig cipherdisable
stcconfig cipherenable
stcconfig ciphershow
stcconfig clientderegister
stcconfig clientlist
stcconfig clientregister

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

180
181
182
183
186
187
188
190
192
195
196
197
198
199
201
202
203
205
206
208
209
210
211
212
213
214
215
216
217
219
220
221
222
223
224
225
226
227
228
229
230
232
233
234
236
238
239
240
241

stcconfig hmacdisable
stcconfig hmacenable
stcconfig hmacshow
stcconfig partitionidexport
stcconfig partitionidshow
stcconfig rekeythresholdset
stcconfig rekeythresholdshow
stcconfig replaywindowset
stcconfig replaywindowshow

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

242
244
246
247
248
249
250
251
252

PREFACE
About the LunaCM Command Reference
Guide

This document describes how to do something (insert a brief description). It contains the following chapters:
•

"Using LunaCM" on page 14

"LunaCM commands" on page 17

This preface also includes the following information about this document:
•

"Customer Release Notes" below

"Gemalto Rebranding" below

"Audience" on the next page

"Document Conventions" on the next page

"Support Contacts" on page 12

For information regarding the document status and revision history, see "Document Information" on page 2

Customer Release Notes
The customer release notes (CRN) provide important information about this release that is not included in the customer
documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and
known issues for this release. You can view or download the latest version of the CRN for this release at the following
location:
•

http://www.securedbysafenet.com/releasenotes/luna/crn_luna_hsm_6-2-2.pdf

Gemalto Rebranding
In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product
portfolios between the two organizations, the Luna name has been removed from the SafeNet HSM product line, with
the SafeNet name being retained. As a result, the product names for SafeNet HSMs have changed as follows:
Old product name

New product name

SafeNet Network HSM

SafeNet PCIe HSM

SafeNet USB HSM

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

About the LunaCM Command Reference Guide

Old product name

New product name

SafeNet HSM Client

Luna Backup HSM

SafeNet Backup HSM

Note: These branding changes apply to the documentation only. The SafeNet HSM software
and utilities continue to use the old names.

Audience
This document is intended for personnel responsible for maintaining your organization's security infrastructure. This
includes SafeNet HSM users and security officers, key manager administrators, and network administrators.
All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained by
personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them.
The information, processes, and procedures contained in this document are intended for use by trained and qualified
personnel only.
It is assumed that the users of this document are proficient with security concepts.

Document Conventions
This document uses standard conventions for describing the user interface and for alerting you to important information.

Notes
Notes are used to alert you to important or helpful information. They use the following format:
Note: Take note. Contains important or helpful information.

Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use
the following format:
CAUTION: Exercise caution. Contains important information that may help prevent
unexpected results or data loss.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

About the LunaCM Command Reference Guide

Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following
format:
WARNING! Be extremely careful and obey all safety and security measures. In this
situation you might do something that could result in catastrophic data loss or
personal injury.

Command Syntax and Typeface Conventions
Format

The bold attribute is used to indicate the following:
•

Command-line commands and options (Type dir /p.)

Button names (Click Save As.)

Check box and radio button names (Select the Print Duplex check box.)

Dialog box titles (On the Protect Document dialog box, click Yes.)

Field names (User Name: Enter the name of the user.)

Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)

User input (In the Date box, type April 1.)

In type, the italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)

In command descriptions, angle brackets represent variables. You must substitute a value for
command line arguments that are enclosed in angle brackets.

Represent optional keywords or in a command line description. Optionally enter the
keyword or that is enclosed in square brackets, if it is necessary or desirable to
complete the task.

Represent required alternate keywords or in a command line description. You must
choose one command line argument enclosed within the braces. Choices are separated by vertical
(OR) bars.

Represent optional alternate keywords or variables in a command line description. Choose one
command line argument enclosed within the braces, if desired. Choices are separated by vertical
(OR) bars.

Support Contacts
Contact method
Address

Contact
Gemalto
4690 Millennium Drive
Belcamp, Maryland 21017
USA

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Contact method
Phone

About the LunaCM Command Reference Guide

+1 410-931-7520

(86) 10 8851 9191

000.800.100.4290

www.safenet-inc.com

Support and Downloads

www.safenet-inc.com/support
Provides access to the Gemalto Knowledge Base and quick downloads for
various products.

Technical Support Customer
Portal

https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in
to manage incidents, get the latest software upgrades, and access the Gemalto
Knowledge Base.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

This chapter describes how to access and use the LunaCM utility. It contains the following topics:
•

"Accessing LunaCM" below

"LunaCM Features" on the next page

Accessing LunaCM
The LunaCM utility (lunacm) is the client-side administrative command interface for SafeNet HSMs.
From a client/host computer, LunaCM can interact with, and perform operations on any, or all, of the following:
•

internally installed SafeNet PCIe HSM 6.x HSMs (K6 HSM card)

locally USB-connected SafeNet USB HSMs

remotely located SafeNet Network HSM application partitions, made available by a NTLS or STC network link
between the distant HSM appliance and partition(s) and the local client computer.

To access LunaCM
1. Open a Command Prompt or console window.
2. Go to the SafeNet HSM Client software directory and start the LunaCM utility:
Windows

C:\> cd c:\Program Files\SafeNet\LunaClient
C:\Program Files\SafeNet\LunaClient\> lunacm

> cd /usr/safenet/lunaclient/bin
> ./lunacm

> cd /opt/safenet/lunaclient/bin
> ./lunacm

Some preliminary status information is displayed, followed by the lunacm:> command-line prompt.
3. You can now issue any lunacm utility command to manage your SafeNet HSM. For a summary, type "help" and
press [Enter].
Note: For SafeNet PCIe HSM and SafeNet USB HSM, LunaCM is used to administer both the
HSM as HSM SO, and the application partition, as HSM SO for HSMs with firmware older than
6.22.0, or as Partition SO for HSMs with firmware 6.22.0 and newer.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Note: For SafeNet Network HSM, LunaCM is used to manage application partitions (assuming
an NTLS or STC link between your SafeNet HSM Client computer and the SafeNet Network
HSM appliance). LunaCM is not used to perform HSM-wide administration by the HSM SO on
SafeNet Network HSM - for that you must log into a LunaSH (lunash) session via SSH.
LunaCM depends on the availability of HSM partitions in order to be useful. If no application partition has been created,
then only the local HSM SO (administrative) partition is available, against which to run commands.
If the Chrystoki.conf / Crystoki.ini configuration file [Presentation] setting "ShowAdminTokens=" is set to no, then the
HSM administrative partition/slot is also unavailable, and LunaCM is not usable. If you know you have a working
SafeNet PCIe HSM or SafeNet USB HSM attached to your Client computer and LunaCM shows no usable commands,
then verify in your Chrystoki.conf or Crystoki.ini file that "ShowAdminTokens" is not set to "no".

LunaCM Features
•

Command history is supported, using up/down arrows, [Home], [End], [Page Up], [Page Down].

Non-ambiguous command shortnames are supported. You must type the exact shortname that is listed in the
syntax help, or else type the full command with no abbreviations.
Additionally, for syntax help, the alias “?” is available.

Commands and options are case-insensitive.

Limited scripting is possible

However, handling of return codes is not fully supported at this time. The utility is not a full-featured shell, so features
like command-completion or parsing of partial commands are not supported.

Case Insensitivity
Commands and options entered by the user are not sensitive to case. If a user accidentally leaves the Caps-Lock key
on, or by habit capitalizes some commands or options, they should not have to re-enter or edit the command line.
Command parameters, however, are passed to command executables with the same case as entered on the command
line. Command executables must deal with case issues as appropriate for the command.
For example, you can type:
lunacm:> partition login -password mYpa55word!
or
lunacm:> partition LOGIN -PASSWorD mYpa55word!
and successfully login to your Partition. Note that the command and sub-commands can be any combination of
uppercase and lowercase letters. The command parser interprets it correctly. However, the password string itself is
passed on to the access-control handler, which is very particular about lettercase. Therefore, an item like a password
must be typed letter-perfect with the appropriate case applied.
Note: The above example is for Password Authenticated SafeNet HSMs. For Trusted Path
Authenticated HSM, do not type the password - you are directed to the SafeNet PED, which
prompts for the required PED Key.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Quotation Marks
It might happen that a command parameter consists of two or more parts, separated by spaces. This can be
misconstrued by the command parser as two (or more) additional parameters. To ensure that a multi-part parameter is
parsed as a single entity, enclose it in quotation marks " ".

Operation
LunaCM's cache can become unsynchronized if you access an HSM in more than one application session and make
administrative changes.
For example, you might attempt a role login against a connected SafeNet Network HSM application partition, in a
lunacm instance that had been open for a while, and you (or someone else) had just made a partition policy change in
lunash, such as changing max bad login attempts from default 10 down to (say) 3. The policy change comes into effect
immediately, though any other open sessions might be unaware of the change. A failed attempt in the open lunacm
instance might state that you still had nine unsuccessful attempts remaining, when in fact you had only two, because
the lunacm instance was not up-to-date with the change made via lunash.
Relaunching lunacm, or using "clientconfig restart" updates the cache and fixes the mismatch.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

2
LunaCM commands

This chapter describes the commands available in LunaCM. The commands are described in alphabetical order and
provide:
•

a brief description of the command function

the command syntax and parameter descriptions

Lunacm opens with a slot list, showing brief descriptions of the HSM administrative or application partitions that are
visible to the library, in the order that they are detected. Those include:
•

SafeNet Network HSM application partitions (if any), network-connected to the host computer via NTLS or STC
channels,

SafeNet PCIe HSMs (if any) installed within the host computer,

SafeNet USB HSMs (if any) connected via USB to the host computer.

By default, Lunacm shows the lowest-numbered slot first. Local HSMs (SafeNet PCIe HSM or SafeNet USB HSM)
might have an HSM administrative slot (for the HSM SO) or an application partition slot, or both, so lunacm leaves gaps
in the slot numbering to allow for the possible slots on a given HSM.

Where did my command go?
The question mark (or any incorrect command) shows the lunacm commands available to be used in the current slot.
The availability of lunacm commands changes according to four possible scenarios:
•

the current slot is the HSM administrative partition for an HSM with firmware version 6.22.0 or newer

the current slot is an application partition that has its own SO (a PPSO partition), on an HSM with firmware version
6.22.0 or newer

the current slot is a separate-but-not-independent application partition that is administered by the HSM SO, and
does not have its own separate SO (a legacy-style partition) on an HSM with firmware version 6.22.0 or newer

the current slot is the HSM administrative partition and application partition for an HSM with firmware older than
version 6.22.0 (a true legacy partition).

No single partition type has access to all the possible commands within lunacm.
Note: Persistence of login state
For HSMs with firmware 6.22.0 or newer, login state of a slot is preserved until explicitly ended
(such as with "logout" or "deactivate" or closing the application). Therefore, login state persists
when you switch slots in lunacm. That is, if you were logged into the partition in slot 1, then set
current slot to slot 2, then came back to slot 1, the login state for the partition in slot 1 would still
be in force, with no need to reinstate it.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

For HSMs with older firmware, changing to a different slot terminates the login state in the
original slot, as was always the case.

Lunacm command list on HSM admin partition, f/w 6.22.0
(These are the commands that you see if the current-slot partition is the initialized HSM's administrative partition, while
the HSM is at firmware version 6.22.0 or newer. Some of these commands act on the current-slot partition; some have
a -slot option to direct their action to another partition/slot.)
Select a link to display the command syntax or to help you to navigate to the sub-command you need:
appid
audit
file
clientconfig
hagroup
hsm
partition
ped
remoteBackup
role
slot
srk
stc
stcconfig

> Manage Application Ids. See "appid" on page 21 .

Audit commands. See "audit" on page 26

Client configuration. See "clientconfig" on page 40 .

File commands. See "file display" on page 46 .

High Availability Group commands. See "hagroup" on page 47 .

HSM commands. See "hsm" on page 64 .

Partition commands. See "partition" on page 104 .

Remote PED commands. See "ped" on page 172 .

Manage Remote Backup server. See "remotebackup start" on page 181 .

Role management commands. See "role" on page 182 .

Slot management commands. See "slot" on page 202 .

Secure Recovery commands. See "srk" on page 210 .

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Secure Trusted Channel commands. See "stc" on page 217 .

Secure Trusted Channel configuration commands. See "stcconfig" on
page 230 .

Lunacm command list on application partition, f/w 6.22.0
(These are the commands that you see if the current-slot partition is the initialized HSM's administrative partition, while
the HSM is at firmware version 6.22.0 or newer. Some of these commands act on the current-slot partition; some have
a -slot option to direct their action to another partition/slot.)
Select a link to display the command syntax or to help you to navigate to the sub-command you need:
appid
file
clientconfig
hagroup
partition
ped
remoteBackup
role
slot
stc
stcconfig

> Manage Application Ids. See "appid" on page 1 .

File commands. See "file display" on page 1 .

Client configuration. See "clientconfig" .

High Availability Group commands. See "hagroup" on page 1 .

Partition commands. See "partition" on page 1.

Remote PED commands. See "ped" on page 1 .

Manage Remote Backup server. See "remotebackup start" on page 1 .

Role management commands. See "role" .

Slot management commands. See "slot" on page 1 .

Secure Trusted Channel commands. See "stc" on page 217 .

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Secure Trusted Channel configuration commands. See "stcconfig" on
page 230 .

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

appid
Access the appid-level commands to manage application IDs on the HSM.

Syntax
appid
open
close
set
info
Parameter

Open a previously set access ID. See "appid open" on page 24

Close a previously set access ID. See "appid close" on the next page

Set an access ID. See "appid set" on page 25

Display information for the access IDs. See "appid info" on page 23

Example
lunacm:> help appid
The following sub commands are available:
Command
Short
Description
-----------------------------------open
o
Open an Application Id for the User
close
c
Close an Application Id for the User
set
s
Set the Application Id
info
i
Display current Application Id information
Syntax: appid _{Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

appid close
Close an application access ID on the HSM to prevent your applications from using it to access the HSM. Application
IDs are assigned as a way of sharing login state among multiple processes. AppIDs require two 4-byte/32-bit unsigned
integers, one designated "major" and the other designated "minor".
Note: If you are concerned that an unauthorized process might be able to take over a login
state, then you can use large, difficult-to-guess numbers for the major and minor appids. If this
is not a concern, or for use in a development lab, you can use any arbitrary, conveniently small
integers.

Syntax
appid close -major -minor
Parameter

The major appid.

The minor appid.

Example
lunacm:> appid close -major 1 -minor 40
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

appid info
Display the currently set application IDs. This list includes all set application IDs, regardless of whether they are open
or closed.

Syntax
appid info

Example
lunacm:>appid info
Using user defined Application ID:
Application ID Major: 307
Application ID Minor: 207
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

appid open
Open an application access ID on the HSM to allow your applications to use it to access the HSM. Application IDs are
assigned as a way of sharing login state among multiple processes. AppIDs require two 4-byte/32-bit unsigned
integers, one designated "major" and the other designated "minor".
Note: If you are concerned that an unauthorized process might be able to take over a login
state, then you can use large, difficult-to-guess numbers for the major and minor appids. If this
is not a concern, or for use in a development lab, you can use any arbitrary, conveniently small
integers.

Syntax
appid open -major -minor
Parameter

The major appid.

The minor appid.

Example
lunacm:> appid open -major 1 -minor 40
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

appid set
Set an application access ID on the HSM. Application IDs are assigned as a way of sharing login state among multiple
processes. AppIDs require two 4-byte/32-bit unsigned integers, one designated "major" and the other designated
"minor". After setting an appid, you must open it using appid open to allow your applications to use it to access the
HSM. Once you set an appid you can open and close it, as required, to allow or deny application access to the HSM
using the appid.
Note: If you are concerned that an unauthorized process might be able to take over a login
state, then you can use large, difficult-to-guess numbers for the major and minor appids. If this
is not a concern, or for use in a development lab, you can use any arbitrary, conveniently small
integers.

Syntax
appid open -major -minor
Parameter

The major appid.

The minor appid.

Example
lunacm:> appid set -major 1 -minor 40
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit
Access the audit-level commands. Audit commands control HSM audit logging, and can be used only by the properly
authenticated HSM Audit role, once that role has been initialized.
The lunacm "hsm" commands available to the "audit" user are restricted to "hsm show", and all "hsm ped" commands,
except "hsm ped vector" commands. The "audit" appliance user is allowed to connect and disconnect remote PED
connections, adjust timeout, and view connection information, but is not allowed to create (init) or erase a remote PED
vector.
Note: The list on this page is all the "audit" commands that are available to you when the
current slot is an HSM with firmware older than version 6.22.0.
Where the HSM in the current slot has firmware version 6.22.0 or newer :
- application partition slots do not show the audit commands at all (as those commands are
applicable only to an HSM administrative slot)
- HSM administrative slots with newer firmware show only some of the "audit" commands; the
authentication-related functions are taken over by "role" commands instead.

Syntax for firmware older than version 6.22.0
audit
changepw
config
export
import
init
login
logmsg
logout
status
time
verify
Parameter

Change the Audit user password or PED key. [Older firmware only] See
"audit changepw" on page 28.

Configure the audit parameters. See "audit config" on page 29.

Read the wrapped log secret from the HSM. See "audit export" on page 31.

Import the wrapped log secret to the HSM. See "audit import" on page 32.

Initialize the HSM Audit user. [Older firmware only] See "audit init" on
page 33.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Login to the HSM as the Audit user. [Older firmware only] See "audit
login" on page 34.

Write a message to the HSM's log. See "audit logmsg" on page 35.

Logout from the HSM as the Audit user. [Older firmware only] See "audit
logout" on page 36.

Show the status of the logging subsystem. See "audit status" on page 37.

Synchronize the HSM time to the host, or get the HSM time. See "audit
time" on page 38.

Verify a block of log messages. See "audit verify" on page 39.

Syntax for firmware version 6.22.0 or newer
audit
config
export
import
logmsg
status
time
verify
Parameter

Configure the audit parameters. See "audit config" on page 29.

Read the wrapped log secret from the HSM. See "audit export" on page 31.

Import the wrapped log secret to the HSM. See "audit import" on page 32.

Write a message to the HSM's log. See "audit logmsg" on page 35.

Show the status of the logging subsystem. See "audit status" on page 37.

Synchronize the HSM time to the host, or get the HSM time. See "audit
time" on page 38.

Verify a block of log messages. See "audit verify" on page 39.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit changepw
Change the password or PED Key contents for the HSM Audit role. Both the old and the new PED Key are required for
SafeNet HSM with PED Authentication. In the case of multiple HSMs in the host computer, the command works on the
current slot.
Note: This command applies to slots with HSMs having older firmware only.
If the HSM in the current slot has firmware 6.22.0 or newer, then this command is replaced by
"role changepw" on page 183.

Syntax
audit changepw

Example
lunacm:>audit changePw
Please enter the old password:
> *******
Please enter the new password:
> ********
Please re-enter the new password:
> ********
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit config
Set the audit logging configuration parameters. This command allows you to configure the following:
•

which events are captured in the log.

the log rotation interval.

Syntax
audit config -parameter -value -serial
Parameter

The value you want to configure for the specified parameter.
Valid values for the event parameter
Enter a comma-separated list of events to log. In addition to specifying an
event category, you must also specify the conditions under which those
events are to be logged - either 'f' for failures, or 's' for successes, or both.
Any or all of the following may be specified:
•

[f]ailure: log command failures

[s]uccess: log command successes

[a]ccess: log access attempts (logins)

[m]anage: log HSM management (init/reset/etc)

[k]eymanage: key management events (key create/delete)

[u]sage: key usage (enc/dec/sig/ver)

fi[r]st: first key usage only (enc/dec/sig/ver)

e[x]ternal: log messages from CA_LogExternal

lo[g]manage: log events relating to log configuration

a[l]l: log everything (user will be warned)

[n]one: turn logging off

Note: When specifying an event class to log, you must specify whether
successful or failed events are to be logged. For example, to log all key
management events you would use the command "audit config e t,s,f".
get

get (show) the current configuration

Valid values for the rotation interval parameter
Enter one of the following options for the log rotation interval:
•

daily [@hour:min]

weekly [@day:hour:min]

monthly [@date:hour:min]

path on the HOST to which logs will be written

size limit of a log, to trigger rotation
Valid values for the size parameter

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Description
Enter one of the following options for the log rotation interval:
•

s : an integer string followed by 'k' for KB (default) or 'm' for MB
(so 's 8192' or 's 8192k' or 's 8m' all specify rotation when log size
reaches 8MB)

n: never rotate based on size

Example
audit config e s
audit config e f
audit config e u,f,s
audit config n

audit
audit
audit
audit

config
config
config
config

/usr/lunapci/log
daily@12:05
4096
n

audit all command successes
audit all command failures
audit all key usage requests,
both success and failure
log nothing

set path
rotate logs daily at 12:05
rotate logs when 4MB is exceeded
never rotate based on size

lunacm:> audit config e l,f,s
You have chosen to log all successful key usage events. This can result in
an extremely high volume of log messages, which will significantly degrade
the overall performance of the HSM.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> audit config get
Current Logging Configuration
----------------------------event mask
: Log everything
rotation interval : daily@0:00
rotation size (KB): never rotate
path to log
:

Command Result : No Error
lunacm:>

Note: In the above example of output from 'audit config get', the configuration rotates the logs
daily; the "never rotate" merely says "do not rotate due to size". So, from that specified
configuration, you get one log each day, regardless of how big it might become.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit export
Export the audit logging secret to the user local directory for import to another HSM. The audit Export command reads
the log secret from the HSM, wrapped with the KCV which was used when the audit container was initialized. The blob
of data is then stored in a file on the HOST. The audit officer then imports this wrapped secret into another HSM in the
same domain, where it is unwrapped. This allows one HSM to verify logs that have been generated on another.

Syntax
audit export [[file [] [overwrite]] [list]
Parameter

Enter this parameter followed by an optional filename for the file to receive
wrapped log secret. If a file name is not specified, the file will be given a
default name with the following structure:
LogSecret_YYMMDDhhmmss_N.bin
where
YYMMDD = year/month/date
hhmmss = hours/mins/secs
N = HSM serial number
This file will be written to the subdirectory which was set by a previous
'audit config p [path]' command. If this path does not exist, or the
configuration was not set for any reason, an error will be returned.
If name was specified, it is examined to see if it contains subdirectories. If
it does, then the path is treated as a fully qualified path name. If not the file
is stored in the default log path.

Overwrite the file if it already exists.

List the files which reside in the log path.

Example
lunacm:>audit export file 2013-04-01nextlog.bin overwrite
Now that you have exported your log secret, if you wish to verify your logs
on another HSM see the 'audit import' command.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit import
Import an audit log secret that was exported using the audit export command. The Import command reads a wrapped
log secret from a file, and sends it to the HSM where it will be unwrapped using that HSM's KCV If the second HSM is
in the same domain, it can then be used to verify logs that were generated on the first one.

Syntax
audit import [file ] [list]
Parameter

Name of file containing the wrapped log secret.
If a file name is not specified, the user will be given a list of files in the
directory which was set by a previous 'audit config p [path]' If this path
does not exist, or the configuration was not set for any reason, an error will
be returned.
If name was specified, it is examined to see if it contains subdirectories. If
it does, then the path is treated as a fully qualified path name. If not the file
is retrieved from the default log path.

Display a list of the files which reside in the log path.

Example
lunacm:>audit import file 150718.lws
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit init
Initialize the Audit role on the HSM. This command attaches an audit domain and a role password for Passwordauthenticated HSMs, and creates a white Audit PED key for PED-authenticated HSMs. For PED-authenticated HSMs
audit init also creates an audit domain, or receives an existing domain, so that selected HSMs are able to validate
each others' HSM Audit Log files.
Because this command destroys any existing Audit role on the HSM, you are asked to “proceed” unless the -force
switch is provided at the command line.
Note: This command is used for HSMs with firmware older than version 6.22.0. Expect an
entry 'LUNA_CREATE_AUDIT_CONTAINER' in the audit log, when auditing is initialized.
For HSMs with firmware 6.22.0 or newer, use "role init" on page 188, and specify the -name
Auditor parameter.

Syntax
audit init [-auth] [-force]
Parameter

This option starts a login after the initialization completes.

If this option is included in the list, the audit role initialization action is
forced without prompting for confirmation.

Example
lunacm:>audit init
The AUDIT role will be initialized.
Are you sure you wish to continue?
Type proceed to continue, or quit to quit now -> proceed
Please enter the domain to use for initializing the
Audit role:
> myauditdomain
Please enter the password:
> *******
Please re-enter password to confirm:
> *******
Command Result : No Error

Note: For PED-authenticated HSMs, after you type "proceed" you are referred to the PED
(which must be connected and 'Awaiting command...') which prompts you for domain (red PED
Key) and Audit authentication (white PED Key).

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit login
Login to the HSM as the Audit role.
Note: This command applies to slots with HSMs having older firmware only.
If the HSM in the current slot has firmware 6.22.0 or newer, then this command is replaced by
"role login" on page 192 .

Syntax
audit login [-serial ] [-password ]
Parameter

HSM Serial Number - identifies which HSM is to accept the login, if you
have a multiple SafeNet PCIe HSM modules installed, or a Backup
HSM or a SafeNet USB HSM locally connected to your host.

The password of the HSM you are logging into.
Used for Password-authenticated HSMs. If you prefer not to write the
password, in the clear, on the command line, leave it out and you are
prompted for it.
Ignored for PED-authenticated HSMs.
If the audit log area in the HSM becomes full, the HSM stops accepting
most commands, and does not prompt for password when login is
requested. In that case, provide the password with the command, and
the login is accepted.
Audit log full does not affect login for PED-auth HSMs.

Example
PED-authenticated HSM
lunacm:>audit login
Luna PED operation required to login as HSM Auditor - use Audit user (white) PED key.
'audit
Command Result : No Error
[myluna] lunacm:>

Password-authenticated HSM
[myluna]lunacm:>audit login
Please enter the password:
> ********
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit logmsg
Logs a message to the audit log file. The message text must be enclosed in double quotes. If the quotation marks are
not provided, the text is interpreted as arguments (to a command that takes no arguments) and is rejected with an error
message.

Syntax
audit logmsg ""

Example
lunacm:>audit logmsg "Sample log message"
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit logout
Logout the the HSM Audit user.
Note: This command applies to slots with HSMs having older firmware only.
If the HSM in the current slot has firmware 6.22.0 or newer, then this command is replaced by
"role logout" on page 195 .

Syntax
audit logout

Example
lunacm:>audit logout
'audit logout' successful.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit status
Displays the Audit logging info for the indicated HSM.

Syntax
audit status [-serial ]
Parameter

Specifies the serial number of the HSM for which you want to display the
HSM Audit configuration. This can be the appliance's onboard HSM, or a
USB-connected SafeNet USB HSM or SafeNet Backup HSM.

Example
audit status
HSM Logging Status:
HSM found logging daemon
Logging has been configured
HSM is currently storing 0 log records.
HSM Audit Role: logged in
HSM Time : Mon Dec 17 17:50:35 2012
HOST Time : Mon Dec 17 17:51:07 2012
Current Logging Configuration
----------------------------event mask
: Log everything
rotation interval : daily
Command Result : 0 (Success)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit time
Synchronize the HSM time to the host time. Use this command to have the HSM adjust its time to match that of the
host computer. This is especially useful when the host computer is synchronized by NTP, or by local drift correction.
Among other benefits, this ensures that the log times of HSM events coincide with file creation and update events in the
host file system.

Syntax
audit time [sync | get]
Parameter

Synchronize the HSM time to the host time.

Display the current HSM time.

Example
lunacm:> audit time sync

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

audit verify
Verify the audit log records. This command displays details for the indicated file, or verifies records in the specified
range from the named file.
Note: If the log file is archived (tar or tgz) it must be untarred/unzipped before audit verify can
work on records in that log. You cannot verify a ".tgz" file directly.
The audit verify command is not able to verify a log that was in-progress when it was archived.
Only logs from the ready_for_archive folder, logs that have been completed and closed, can be
verified. This usually means that if you cannot verify the most recent log entry in an archive,
then that same entry is probably the first log entry in the next archive, where it was properly
closed and can be verified.

Syntax
audit verify [start ] [end ] file
Parameter

The index of the first record in file to verify. If this parameter is omitted, the
first record in file is assumed.

The index of the last record in file to verify. If this parameter is omitted, the
last record in file is assumed.

The fully-qualified name of file containing data to verify. This is the only
mandatory parameter.

Show details for file. This includes the first and last timestamps, first and
last record sequence numbers, and total number of records in the file.

Example
lunacm:>audit verify f test.log s 21 e 56
Verified messages 21 to 56
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig
Access the clientconfig-level commands to configure your client.

Syntax
clientconfig
deleteserver
deploy
listservers
restart
verify
Parameter

Delete SafeNet Network HSM appliance from the list ( "clientconfig
deleteServer" on the next page )

Create aNetwork Trust Link. ( "clientconfig deploy" on page 42 )

List the SafeNet Network HSM appliances that are registered to the client.
( "clientconfig listservers" on page 43 )

Restart LunaCM. ( "clientconfig restart" on page 44 )

Verify the SafeNet Network HSM slots / partitions that are visible from the
client. ( "clientconfig verify" on page 45 )

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig deleteServer
Delete an existing SafeNet Network HSM server from the trusted list.

Syntax
clientconfig deleteServer -server

Example
lunacm:> ccfg deleteServer -server mysa30
Server deleted mysa30
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig deploy
Delete an existing SafeNet Network HSM server from the trusted list.

Syntax
clientconfig deploy -server -client -partition [password ] [-user ] [-regen] [-force] [-verbose]
Option

SafeNet Network HSM server hostname or IP address
(mandatory).

Client hostname or IP address (mandatory).

Partition name to assign to the client (mandatory).

Appliance admin role user's password.

Appliance admin role user's name, (default is admin).

Regenerate new and replace existing client's certificate.

Force the action, no prompts.

Show verbose logs.

Example
lunacm:> ccfg deploy -server mysa30
Server deleted mysa30
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig listservers
List the SafeNet Network HSM appliances that are registered to the client.

Syntax
clientconfig listservers

Example
lunacm:> clientconfig listservers
Server ID
0
1

Server
124.54.98.2
124.54.98.6

Channel
STC
NTLS

HTL Required
no
yes

Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig restart
Restart LunaCM. This command refreshes the LunaCM display to show any changes, such as new STC links.

Syntax
clientconfig restart

Example
lunacm:> ccfg rest
You are about to restart this application.
All current login sessions and remote PED connections will be terminated.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
...

...
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

clientconfig verify
Verify SafeNet Network HSM slots / partitions that are visible.

Syntax
clientconfig verify

Example
lunacm:> ccfg verify
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

file display
Display the contents of a backup file.

Syntax
file display -filename
Parameter

Specify the name of the backup file to display. Enter this keyword followed
by the name of an existing backup file..

Example
lunacm:> > file display -filename somepartfile
File Name:
File Version:
SIM Form:
Object Count:
Source Serial Number:

somepartfile
0
CKA_SIM_PORTABLE_NO_AUTHORIZATION
3
321312 (0x4e720)

Object: 1
Attribute Count: 23
CKA_CLASS: CKO_SECRET_KEY
CKA_TOKEN: True
CKA_PRIVATE: True
CKA_LABEL:
47 65 6E 65 72 61 74 65 64 20 44 45 53 33 20 4B
65 79
CKA_KEY_TYPE: CKK_DES3
CKA_SENSITIVE: True
CKA_ENCRYPT: True
CKA_DECRYPT: True
CKA_WRAP: True
CKA_UNWRAP: True
CKA_SIGN: True
CKA_VERIFY: True
CKA_DERIVE: True
CKA_LOCAL: True
CKA_MODIFIABLE: True
CKA_EXTRACTABLE: True
CKA_ALWAYS_SENSITIVE: True
CKA_NEVER_EXTRACTABLE: False
CKA_CCM_PRIVATE: False
CKA_FINGERPRINT_SHA1:
E2 EB 1B 86 58 BB 6C EF 07 87 4C 59 D4 06 73 7D
5E 4D 3A 65

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup
Access the hagroup-level commands. The hagroup commands are used to manage and administer HA (high
availability) groups of SafeNet HSMs for redundancy and load balancing.

Syntax
hagroup
addmember
addstandby
creategroup
deletegroup
halog
haonly
interval
listgroups
recover
recoveryMode
removemember
removestandby
retry
synchronize
Parameter

Add a member to an HA group. See "hagroup addmember" on page 49.

Add a standby member to an HA group. See "hagroup addstandby" on
page 50.

Create an HA group. See "hagroup creategroup" on page 51.

Delete an HA group . See "hagroup deletegroup" on page 52.

Configure the HA log file. See "hagroup halog" on page 53.

Enable "HA Only" mode. See "hagroup haonly" on page 54.

Set the HA recover retry interval. See "hagroup interval" on page 62

List the currently-configured HA groups. See "hagroup listgroups" on page
55.

Recover a failed HA member. See "hagroup recover" on page 57.

Set HA recovery mode to "active" or "passive". See "hagroup
recoverymode " on page 58.

Remove a member from an HA group. See "hagroup removemember" on
page 59.

Remove a standby member from an HA group. See "hagroup

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Description
removestandby" on page 60.

Set the HA recover retry count. See "hagroup retry" on page 61

Synchronize an HA group. See "hagroup synchronize" on page 63

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup addmember
Add a member to an HA group. Use the "-slot" option or the "-serialNumber" option to specify which HSM to add to the
group.
All password authenticated HA group members must have the same password.
All PED authenticated HA group members must have a challenge created, and activation turned on, and all challenges
must be the same.
If you intend to add a standby member to the group, you must first use this command to add the member to the group,
then use the lunacm hagroup addstandby command to convert the member to standby status.

Syntax
haGroup addMember
-serialNumber -l -p [-force]
-slot -l -p [-force]
Parameter

Serial number of primary member. This parameter is mandatory if slotnumber is not used. the serial number that identifies the HSM being
added to the HA group.

Slot number of primary member - [mandatory if -serialnumber not used] a
slot number to identify the HSM being added to the HA group.

Label for the group being joined - [mandatory] a label for the HA group being
created.

Password for the HSM to add - [mandatory if Passwordauthenticated/ignored if PED] The password or challenge secret shared by
group members.

Force the action - no prompting (useful for scripting).

Example
lunacm:> hagroup addmember -serialnumber 12345679 -label mygroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup addstandby
Add a standby member to an HA group. Use the "-slot" option or the "-serialNumber" option to specify which HSM to
add to the group. All PED authenticated HA group members must have a challenge created, and activation turned on,
and all challenges must be the same.

Syntax
hagroup addstandby -serialnumber -group
Parameter

Serial number of new standby member - the serial number that identifies the standby
HSM being added to the HA group.

Label for the group being joined - a label for the HA group being created.

Example
lunacm:> hagroup addstandby -serialnumber 12345679 -group mygroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup creategroup
Create an HA group. Use the -slot or -serialNumber options to specify the primary member for the group.
All password authenticated HA group members must have the same password. All PED authenticated HA group
members must have a challenge created, and activation turned on, and all challenges must be the same.

Syntax
hagroup creategroup
-serialNumber -l -p
-slot -l -p
Parameter

Serial number of primary member - [mandatory if -slotnumber not used] the serial
number that identifies the primary member of the HA group.

Slot number of primary member - [mandatory if -serialnumber not used] a slot number
to identify the primary member of the HA group.

Label for the new group - [mandatory] a label for the HA group being created.

Password for the primary member. The password is the text password and is
mandatory for Password authenticated HSMs, or is the challenge secret for
PED authenticated HSMs, shared by group members. If an HSM is intended to join an
existing HA group, that HSM's password or challenge secret must be changed to
match the password or secret used by the group, before the new member is added.

Example
lunacm:> hagroup createGroup -serialnumber 12345678 -label mygroup -password some-obscure-string
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup deletegroup
Delete an HA group. Use the "-label" option to specify the group to be deleted.

Syntax
hagroup deletegroup -l
Command

Label for the group being deleted - [mandatory] a label for the HA group being deleted.

Example
lunacm:> hagroup deleteGroup -label mygroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup halog
Configure the HA log.

Syntax
haGroup halog
-disable
-enable
-maxlength
-path
-show
Parameter

Disable HA logging.

Enable HA logging.

Set the maximum length for the HA log file The default and minimum size
is 256000.

Set the location for the HA log file. You must enclose the path specification
in quotes if it contains spaces.

Display the HA log configuration

Example
lunacm:> haGroup halog -maxlength 2560000
HA Log maximum file size was successfully set to 2560000.
Command Result : No Error
lunacm:> hagroup halog -path "c:\Program Files\SafeNet\LunaClient\halog"
HA Log path successfully set to c:\Program Files\SafeNet\LunaClient\halog.
Command Result : No Error
lunacm:> haGroup halog -enable
HA Log was successfully enabled.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup haonly
Enable, disable, or display the HA-only mode configuration for the group.
Note: This command acts on your applications, either allowing (default) or disallowing (hagroup
haonly -enable) the application to see individual HSM partition slots or just the HA group virtual
slot, respectively. The command has no effect on administrative tools like lunacm, where a
"slot list" returns all slots, both actual and virtual.

Syntax
hagroup haonly {-enable | -disable | -show}
Command

Enable HA Only mode for the current group.

Disable HA Only mode for the current group.

Show the status of HA Only mode for the current group.

Example
lunacm:> haGroup HAOnly -enable
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup listgroups
List all configured HA groups and all of their members, and show their synchronization status.

Syntax
hagroup listgroups

Example If No HA Group
lunacm:>hagroup listgroups
HA auto recovery: disabled
HA recovery mode: activeBasic
Maximum auto recovery retry: 0
Auto recovery poll interval: 60 seconds
HA logging: disabled
Only Show HA Slots: no

Command Result : No Error

Example for HA Group
LunaCM v6.2.2-4 - Copyright (c) 2006-2016 SafeNet, Inc.

Available HSMs:
Slot Id -> 0
Label -> MyPartition
Serial Number -> 364882803566
Model -> LunaSA
Firmware Version -> 6.23.0
Configuration -> Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> MyPartition
Serial Number -> 352691792984
Model -> LunaSA
Firmware Version -> 6.23.0
Configuration -> Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 5
HSM Label -> myHAgroup
HSM Serial Number -> 1364882803566
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.23.0
HSM Configuration -> Luna Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Current Slot Id: 0
lunacm:>hagroup listgroups
If you would like to see synchronization data for group myHAgroup,
please enter the password for the group members. Sync info
not available in HA Only mode.
Enter the password: *******

HA auto recovery: enabled
HA recovery mode: activeBasic
Maximum auto recovery retry: infinite
Auto recovery poll interval: 65 seconds
HA logging: enabled
HA log _file: /luna_ha_temp/haErrorLog.txt
Maximum HA log file length: 300000 bytes
Only Show HA Slots: no

HA Group Label: myHAgroup
HA Group Number: 1364882803566
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 364882803566, 352691792984
Needs sync: no
Standby Members:

Slot # Member S/N
====== ==========
0
364882803566
1
352691792984

Member Label
============
MyPartition
MyPartition

Status
======
alive
alive

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup recover
Recover any failed members of an HA group. Use the -group option to specify which HA Group to recover.

Syntax
hagroup recover -group
Command

Specifies the label for the group to recover.

Example
lunacm:> hagroup recover -group myHAgroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup recoverymode
Set HA recovery mode to actively reconnect a client to an HA group, with manual login or with auto login.

Syntax
hagroup recoverymode -mode {activeBasic | }
Option

Specifies whether HA automatic recovery
"activeBasic" - actively uses a separate Active Recovery Thread to perform
background checks of HA member presence and runs synchronization if a
member fails/leaves and then returns to availability; attempts to reconnect
with the members if all members were simultaneously unavailable. Network
HSM appliances do not have to restart, login is manual.
"activeEnhanced" - works like activeBasic, but additionally restores all
sessions and their login states

Example
lunacm:> hagroup recoveryMode -mode activeEnhanced
HA Auto Recovery Mode has been set to activeEnhanced mode.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup removemember
Remove an HSM member from an existing HA group. Use the -slot option or the -serialNumber option to specify
which HSM to remove from the group specified by the -group option.

Syntax
haGroup removeMember
-serialNumber -slot [-group]
Parameter

Shortcut Description

Serial number of primary member - [mandatory if -slotnumber not used] the serial
number that identifies the primary member of the HA group.

Slot number of primary member - [mandatory if -serialnumber not used] a slot
number to identify the primary member of the HA group.

Label for the new group - [mandatory] a label for the HA group being created.

Example 1
lunacm:> hagroup removemember -serialnumber 12345679 -group myHAgroup
Command Result : No Error

Example 2
lunacm:> hagroup removemember -slot 6 -group myHAgroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup removestandby
Remove a standby member from an HA group. Use the -serialnumber option to specify which HSM to remove from
the group specified by the -group option.

Syntax
hagroup removestandby -serialnumber -g
Parameter

Serial number of HSM to remove - [mandatory if -slotnumber not used] the serial
number that identifies the standby member to remove from the named HA group.

Label for the group - [mandatory] a label for the HA group being modified.

Example
lunacm:> hagroup removestandby -serialnumber 12345679 -group mygroup
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup retry
Modify the HA Recover retry count.
For HA recovery attempts:
•

The default retry interval is 60 seconds.

The default number of retries is effectively infinite.

The HA configuration section in the Chrystoki.conf/crystoki.ini file is created and populated when either the interval
or the number of retries is specified in the lunacm hagroup retry commands.

Syntax
hagroup retry -count <-1 or 0 or positive integer>
Command

Sets the number of times the HA controller attempts to recover a member
that fails. Enter a value of -1 to specify unlimited retries. Enter a value of 0 to
disable automatic recovery for HA.
Default: 0
Range: 1 to 500

Example
lunacm:> hagroup retry -count -1
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup interval
Modify the HA Recover retry interval.
For HA recovery attempts:
•

The default retry interval is 60 seconds.

The default number of retries is effectively infinite.

The HA configuration section in the Chrystoki.conf/crystoki.ini file is created and populated when either the interval
or the number of retries is specified in the lunacm hagroup retry commands.

Syntax
haGroup interval -interval <-1 or 0 or positive integer>
Command

Sets the number of seconds between attempts to recover a failed HA group
member. Enter a value of -1 to specify unlimited retries.
Default: 60 seconds
Range: 60 to 1200 seconds

Example
lunacm:> hagroup interval -i 120
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hagroup synchronize
Synchronize an HA group or enable/disable key synchronization for key export applications.

Syntax
hagroup synchronize -p -group [-enable | -disable]
Parameter

Disable synchronization for this HA group. This option allows you to disable
synchronization on HA groups that use HSMs configured for key export (KE)
to wrap asymmetric private RSA keys. In this model, you create your
symmetric wrapping keys, which are synchronized to each member of the HA
group. After synchronizing the symmetric wrapping keys, you disable
synchronization and begin creating your asymmetric RSA keys. If one of the
HA members fails, the remaining members are still able to generate and wrap
asymmetric private RSA keys using the synchronized symmetric wrapping
key.

Enable synchronization for this HA group. Synchronization is enabled by
default. You require this setting only if you wish to re-enable synchronization
on an HA group where synchronization was previously disabled. For
example, to create and synchronize a new symmetric wrapping key.

Label or serial number for the HA group being synchronized.

Password for the group.

Example
lunacm:> hagroup synchronize -group

mygroup -password 1F331$ecur3N0w

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm
Access the hsm-level commands.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm
changehsmpolicy
changepw
changesopolicy
clear
clone
contents
factoryreset
init
login
logout
migratepedkey
monitor
recoveryinit
recoverylogin
reset
restart
restoresim2
restoreuser
rollbackfw
setlegacydomain
showinfo
showmechanism
showpolicies
smkclone
updatefw
Parameter

changehsmpolicy

Change the HSM Policy value. See "hsm changehsmpolicy" on page 67.

Change the HSM SO password. See "hsm changepw" on page 68.

Change the SO Policy value. See "hsm changesopolicy" on page 69.

Delete all of the SO's token objects. See "hsm clear" on page 70.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Clone SO objects. See "hsm clone" on page 71.

Show the contents of the SO partition. See "hsm contents" on page 72.

Factory reset the HSM. See "hsm factoryreset" on page 73.

Initialize the HSM. See "hsm init" on page 74.

Login to the HSM as SO. See "hsm login" on page 77.

Logout from the HSM as SO. See "hsm logout" on page 79.

Migrate a PED Key from a legacy HSM. See "hsm migratepedkey" on
page 80.

Get HSM utilization information. See "hsm monitor" on page 81.

High Availability Initialize HSM (not related to load balancing). See "hsm
recoveryinit" on page 83.

High Availability Login (not related to load balancing) . See "hsm
recoverylogin" on page 84.

Restart the HSM. See "hsm reset" on page 85.

Restart the HSM. See "hsm restart" on page 86.

Restore SO objects (using Scalable Key Storage2). See "hsm
restoresim2" on page 88.

Restore a user. See "hsm restoreuser" on page 87.

Rollback the HSM firmware. See "hsm rollbackfw" on page 89.

setlegacydomain

Set the legacy domain. See "hsm setlagacydomain" on page 91.

Get HSM information. See "hsm showinfo" on page 92.

Show all mechanisms. See "hsm showmechanism" on page 94.

Get HSM policy information. See "hsm showpolicies" on page 96.

Clone the SMK object. See "hsm smkclone" on page 101.

Update the HSM capabilities. See "hsm updatecap" on page 102.

Update the HSM firmware. See "hsm updatefw" on page 103.

Note: If the current slot is an HSM administrative slot (SO) for an HSM with firmware older
than version 6.22.0, then the list of available "hsm" commands appears as:
init
recoveryinit
recoverylogin

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

login
logout
showinfo
showpolicies
changeHSMPolicy
changeSOPolicy
changePw
contents
clear
updateFW
rollbackFW
updateCap
reset
factoryReset
restoreSIM2
restoreUser
clone
smkClone
setLegacyDomain
showmechanism
monitor

Note: If the current slot is an HSM administrative slot (SO) for an HSM with firmware version
6.22.0 or newer, then the list of available "hsm" commands appears as:
showinfo
factoryReset
zeroize
restart
init
showpolicies
changeHSMPolicy
updateCap
updateFW
rollbackfw
migratePedKey
showmechanism
monitor
Some options that were previously "hsm" commands have become "role" commands.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm changehsmpolicy
Change HSM-level policies. This command changes the specified HSM Policy from the current value to the new,
specified value, if the corresponding HSM capability setting permits the change.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm changeHSMPolicy - policy -value [-force]
Parameter

The number identifying the HSM policy that you want to change. Use the
hsm show command to find the number of the policy you want to change.

The new setting to be applied to the indicated HSM policy. Use the hsm
show command to find the current setting of the policy you want to
change.

Force the change without further prompting.

Example
lunacm:> hsm changeHSMPolicy -policy 12 -value 1
You are about to implement a destructive policy change which will zeroize the HSM.
The User will be deleted and all data will be erased.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm changepw
Change HSM Security Officer password. Use this command to change the password that authenticates the HSM
Security Officer (SO) to the HSM.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm changePw -newpw -oldpw
Parameter

The new SO password.

The old SO password.

Example
lunacm:> hsm changePw -newpw NewPa$$w0rd -oldpw 0ldPa$$w0rd
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm changesopolicy
Change the Security Officer policies. Use this command to change the specified SO Policy from the current value to
the new, specified value, if the corresponding SO Capability setting permits the change.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).
You can use command hsm showpolicies before and after command hsm changesopolicy to verify that the change
has occurred.
If you attempt to change a destructive policy, you are warned first, and asked to confirm before proceeding, so that you
can never inadvertently destroy the contents of your HSM.

Syntax
hsm changesopolicy - policy -value
Parameter

The number identifying the SO policy that you want to change. Use the
hsm show command to find the number of the policy you want to change.

The new setting to be applied to the indicated SO policy. Use the hsm
show command to find the current setting of the policy you want to
change.

Force the change without further prompting.

Example
lunacm:> hsm changeSOPolicy -policy 25 -value 246
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm clear
Delete contents of the SO space. If the SO is logged in, this command deletes all token objects in the SO partition.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm clear

Example
lunacm:> hsm clear
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm clone
Clone HSM SO objects. Use this command to clone SO objects from the HSM into another HSM installed in the same
computer.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm clone -objects [-force] -password -slot
Parameter

The object handles to extract

The target slot.

The target slot password.

Force the action without prompting.

Example
lunacm:> hsm clone -objects 0 -slot 2
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm contents
Show the contents of the SO space. If the SO is logged in, this command displays the contents of the SO space
(exclusive of user partition contents). If the SO is not logged in, this command displays all SO objects that are available
from a public session.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm contents

Example
lunacm:> hsm contents
You are not logged in. Looking for objects in a public session.
No objects are currently viewable from a public session.
Command Result : No Error
lunacm:>
lunacm:> hsm login
If you are not activated, please attend to the PED.
Command Result : No Error
lunacm:> hsm contents
The SO is currently logged in. Looking for objects in the SO's partition.
No objects are currently viewable.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm factoryreset
Reset the HSM to its factory configuration. Use this command to set the HSM back to factory default settings, clearing
all contents (puts HSM in zeroized state). Because this is a destructive command, the user is asked to “proceed”
unless the -force switch is provided at the command line. This command can be performed only at the local serial
console.
Note: This command resets settings and configuration, but does not perform firmware rollback
and does not uninstall Capability Updates that have been installed since the HSM came from
the factory.

Syntax
hsm factoryReset [-force]
Parameter

Force the action without prompts. If this option is included in the list, the
HSM will be zeroized without prompting the user for a confirmation of this
destructive command.

Example
lunacm:>hsm factoryReset
CAUTION: Are you sure you wish to reset this HSM to factory
default settings? All partitions and data will be erased
and HSM policies will be reverted to factory settings.
Type 'proceed' to return the HSM to factory default, or
'quit' to quit now.
> proceed
Command Result : 0 (success)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm init
Initialize the HSM. Initializing the HSM erases all existing data on the key card, including any HSM Partition and its
data. HSM Partition then must be recreated with the partition create command. Because this is a destructive
command, the user is asked to “proceed” unless the -force switch is provided at the command line.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm init -label -password [-force]
Parameter

Initialize a Backup Device with PED-Auth. This option is supported only
when initializing a Backup Device that is in a zeroized state. This option is
mutually exclusive with the -initwithpwd option.

Initialize a Backup Device with PWD-Auth. This option is supported only
when initializing a Backup Device that is in a zeroized state. This option is
mutually exclusive with the -initwithped option.

The HSM label. Required.

HSM Domain Name. This option is mutually exclusive with the defaultdomain option. This option is required for a password authenticated
HSM. If you do not provide the domain string in the command, you are
prompted for it, and the characters that you type are obscured by asterisks
(*). This option is ignored for PED-authenticated HSMs.

HSM Default Domain Name. This option is mutually exclusive with the domain option. Deprecated. The -defaultdomain is not secure, and should
not be used in a production environment. This option is ignored for PEDauthenticated HSMs.

HSM SO password. This option is required for a password authenticated
HSM. If you do not provide the password string in the command, you are
prompted for it, and the characters that you type are obscured by asterisks
(*). This option is ignored for PED-authenticated HSMs.

Log in after the initialization.

Force the action - no prompts. Useful for scripting.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Example
"Soft" init (no factory reset)
lunacm:> hsm init -label myLuna
You are about to initialize the HSM that is NOT in the
factory reset (zeroized) state.
All objects will be destroyed.
The User will be destroyed.
You are required to provide the current SO PED key.
The domain will NOT be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:>

"Hard" init (with factory reset first)
lunacm:> hsm factoryReset
You
All
The
The
The

are about to factory reset the HSM.
contents of the HSM will be destroyed.
user will be destroyed.
SO will be destroyed.
domain will be destroyed.

Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Resetting HSM
Command Result : No Error
lunacm:>
lunacm:> hsm init -label myLuna
You are about to initialize the HSM that is in the
factory reset (zeroized) state.
All objects will be destroyed.
The User will be destroyed.
You are required to provide the current SO PED key.
The domain will NOT be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error

HSM init on SafeNet Backup HSM
lunacm:>hsm init -label mybackuphsm -password s0mepw -domain s0med0ma1n -force -auth -initwithpwd
Initialization was successful and "-auth" was specified.
Performing an SO login.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

lunacm:>hsm si
HSM Label -> mybackupHSM Manufacturer -> Safenet, Inc.
HSM Model -> G5Backup
HSM Serial Number -> 7000013
HSM Status -> OK
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
Firmware Version -> 6.10.1
Rollback Firmware Version -> Not Available
......[output snipped for space]....
License Count -> 4
1. 621000028-000
1. 621000048-001
2. 621000006-001
2. 621000008-001

SafeNet Remote Backup HSM base configuration
621-000048-001SCU,G5,BU,Partitions100
Enabled for 15.5 megabytes of object storage
Enable remote PED capability

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm login
Login to the HSM as the security officer (SO).
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm login [-password ] [-ped ]
Parameter

Applies to Password-authenticated HSMs; ignored for PED-authenticated
HSMs.
Specifies the HSM Admin password. The password to be used as login
credential by the Security Officer (SO). As shown, you can supply the
password at the command line (useful for scripting). Normally, however,
you should leave out the password when issuing the command. If the
password is not provided, you are prompted for it, and your response is
obscured by asterisk (****) symbols. This a more secure method of
providing the password.

Applies to PED-authenticated HSMs, only. This option is a temporary way
to override PED ID settings or default.
The PED Id parameter is optional. (0=local,1...65535=remote)
If '0' is specified, the locally attached PED is used. If a value between 1
and 65535 is specified, the remote PED corresponding to that PED Id is
used.
If nothing is specified, then the value stored in the library for this slot is
used. Unless the value stored in the library has been changed by using the
'ped set' command, or the 'PEDId' parameter in the 'Luna' section of
cryptoki.ini, the value in the library is '0'.
NOTE: The '-ped' option asserts for the duration of this login command,
only. After the login completes, any PED ID that was set by the '-ped'
option then reverts to whatever value was in effect before "hsm login -ped
".

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Example
HSM login using the -password option (not recommended)
lunacm:> hsm login -password SOpa55word!
Command Result : No Error

HSM login without the -password option
lunacm:> hsm login
Option -password was not supplied. It is required.
Enter the password: ***********
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm logout
Logout the security officer (SO) from the HSM.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm logout

Example
lunacm:> hsm logout
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm migratepedkey
Migrate the PED key contents. use this command to copy the contents of a Version 1.x SafeNet PED Key (looks like a
colorful toy key) to a Version 2.x SafeNet PED USB iKey. This operation requires both a version 1.14 SafeNet PED (no
earlier version will work - contact SafeNet Customer Support) and a Version 2.x SafeNet PED. A G4/K5 HSM or token
with firmware 4.6.1 must be connected, in order to run this command.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm migratepedkey

Example
lunacm:> hsm migratepedkey
Make sure a Version 1 PED is connected.
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
Make sure a Version 2 PED is connected.
Please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm monitor
Query the HSM for performance monitoring statistics, such as HSM up time, command counts, and utilization. You can
display the information or save it to a file.
Note: This command requires HSM firmware version 6.20.0 or newer. If you run the command
against a slot with older firmware, expect an error CKR_FUNCTION_NOT_SUPPORTED.

Syntax
hsm monitor -slot [-interval ] [-rounds ] [-noheader] [-file ]
Parameter

Save the output to the specified file. The output is also displayed to the
terminal window.

Specifies the polling interval, in seconds.
Default: 5
Range: 5 to 999

Omit the header and footer from the output. This option is typically used in
conjunction with the -file parameter.

Specifies the number of samples to collect during the HSM polling. The
default is a single round, which includes a first sample at the time the
command is launched, followed by the interval (either the default 5
seconds, or the interval that you specified), followed by a second sample
which is compared with the first, to complete the round.
The command exits after the specified number of rounds are displayed.
Default: 1
Range: 1 to 65535

The target slot.

Example
Without arguments
lunacm:>hsm monitor
-------------------|---------------------------------|--------------------------------|
HSM Command Counts
|
HSM Utilization (%)
HSM Uptime (Secs) |-----------------|---------------|-----------------|--------------| Since HSM Reset | Last
5 Secs | Since HSM Reset | Last
5 Secs
-------------------|-----------------|---------------|-----------------|--------------1,115,399 |
57,468,854 |
30 |
1.27 |
0.21
-------------------|-----------------|---------------|-----------------|--------------Average HSM Utilization In This Period :
HSM Last Reset (+/-5 Secs Error Margin) :

0.21%
Fri May 31 14:59:47 2013

Command Result : 0 (Success)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

With arguments
lunacm:>hsm monitor -interval 6 -rounds 6
-------------------|---------------------------------|--------------------------------|
HSM Command Counts
|
HSM Utilization (%)
HSM Uptime (Secs) |-----------------|---------------|-----------------|--------------| Since HSM Reset | Last
6 Secs | Since HSM Reset | Last
6 Secs
-------------------|-----------------|---------------|-----------------|--------------1,116,668 |
57,470,863 |
1 |
1.27 |
0.00
1,116,674 |
57,470,864 |
1 |
1.27 |
0.00
1,116,680 |
57,470,894 |
30 |
1.27 |
0.18
1,116,686 |
57,470,895 |
1 |
1.27 |
0.00
1,116,692 |
57,470,896 |
1 |
1.27 |
0.00
1,116,698 |
57,470,926 |
30 |
1.27 |
0.18
-------------------|-----------------|---------------|-----------------|--------------Average HSM Utilization In This Period :
HSM Last Reset (+/-5 Secs Error Margin) :

0.06%
Fri May 31 14:59:46 2013

Command Result : 0 (Success)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm recoveryinit
Rerforms a recovery (formerly High Availability) initialization on the current active session.

Syntax
hsm recoveryinit [-plabel -rlabel -keyhandle ] [force] -password
Parameter

RSA Public key label.

RSA Private key label.

RSA Private Key handle (optional).

Force the action (no prompts).

Note: Labels are required only to create custom-named RecoveryInit RSA key pair, which is
the default action if [keyhandle] is not supplied.

Example
lunacm:> hsm recoveryinit
Generating RSA Key pair for Recovery Init...
No label were supplied for the RSA key pair. Default labels
will be used.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : Success

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm recoverylogin
Perform a High Availability login on the current active session.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm recoverylogin

Example
lunacm:> hsm recoverylogin
Command Result : Success

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm reset
Reset the SafeNet HSM. Use this command to reset the SafeNet HSM if it has stopped responding, but your computer
is still responsive. This command closes out any login status and open sessions.
If you are a developer, trace what you were doing at the time the problem occurred and try to find another way to
program the task that does not put the module in an unresponsive state. If that is not possible, then contact SafeNet
Support with details of the problem and how to reproduce it.
If you are an end-user customer, using an application developed by a supplier other than SafeNet, contact that
company for a resolution of the problem. They know how their application is programmed to accomplish tasks that use
the SafeNet HSM, and they can determine possible workarounds or fixes. If the third-party supplier determines that
there is an actual implementation fault with the HSM, they will contact SafeNet after gathering the relevant information.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Note: The hsm reset command is available when the currently selected slot is an HSM
administrative slot on a local HSM with firmware older than version 6.22.0. HSMs with firmware
6.22.0 or newer have the command hsm restart, instead, which is more descriptive of what the
command does.

Syntax
hsm reset

Example
lunacm:> hsm reset
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm restart
Restart the SafeNet HSM. Use this command to restart the SafeNet HSM if it has stopped responding, but your
computer is still responsive. This command closes out any login status and open sessions.
If you are a developer, trace what you were doing at the time the problem occurred and try to find another way to
program the task that does not put the module in an unresponsive state. If that is not possible, then contact SafeNet
Support with details of the problem and how to reproduce it.
If you are an end-user customer, using an application developed by a supplier other than SafeNet, contact that
company for a resolution of the problem. They know how their application is programmed to accomplish tasks that use
the SafeNet HSM, and they can determine possible workarounds or fixes. If the third-party supplier determines that
there is an actual implementation fault with the Luna, they will contact SafeNet after gathering the relevant information.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Note: The hsm reset command is available when the currently selected slot is an HSM
administrative slot on a local HSM with firmware older than version 6.22.0.
HSMs with firmware 6.22.0 or newer have the command hsm restart, instead, which is more
descriptive of what the command does.
Command hsm reset did not have a "proceed" option, and went directly to execution.
Command hsm restart asks you to verify that you wish to proceed, unless you use the -force
option.

Syntax
hsm restart [-force]
Parameter

Force the action (useful when scripting)

Example
lunacm:> hsm restart
You are about to restart the HSM. You will lose all volatile data.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm restoreuser
Insert a backed-up user partition into the HSM.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm restoreuser -filename
Parameter

The name of the file (SIM2-portable blob) to be imported.

Force the action without prompting.

Example
lunacm:> hsm restoreuser -filename mypartitionblob
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm restoresim2
Insert backed-up SO objects into the HSM. When a Scalable Key Storage2-portable blob is created, the options to
protect it are:
•

an authentication text string.

Therefore, this restore/import operation offers the option to supply an unlocking/authentication text string in case one
was used to secure the blob.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm restoresim2 [-auth ] -filename -partition
Parameter

The authorization password. If "-auth" is specified, the CKA_SIM_
PORTABLE_PASSWORD SIM Form will be used. Otherwise the CKA_
SIM_PORTABLE_NO_AUTHORIZATION SIM Form will be used. The
same Scalable Key Storage Form that was used for the backup command
must be used for the restore command.

The input file name. This is the name of the file (SIM2-portable blob) to be
imported.

Partition into which objects are restored.

Example
lunacm:> hsm restoreSIM2 -auth someauthenticationsecret -filename mySIM2portableblob
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm rollbackfw
Rollback the HSM firmware to the previously installed version. Only the previously installed version is available for
rollback. Rollback allows you to try a new firmware version (hsm updatefw) without permanently committing to the
new version.
Note: For PED-authenticated HSMs, you must disable SRK before you can update the
firmware. Use the srk show command to determine whether SRK is enabled on your HSM. If it
is, the first line of the output of the srk show command reads Secure Transport Functionality is
supported and enabled. If this is the case, run the srk disable command to disable SRK on the
HSM. You must have the appropriate purple PED Key to disable SRK. If you attempt to update
the firmware update while SRK is enabled, the system responds with an error: 0x80000030
(CKR_OPERATION_NOT_ALLOWED).

Note: LunaCM performs an automatic restart following a firmware rollback.

Note: You must re-initialize the HSM after rolling back the firmware rollback. since reinitialization is a destructive action, ensure that you back up any important materials before
running this command.

Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm rollbackfw

Example
lunacm:> hsm login
Please attend to the PED.
Command Result : No Error
lunacm:> hsm rollbackFW
You are about to rollback the firmware.
The HSM will be reset.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Rolling back firmware. This may take several minutes.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Firmware rollback passed. Resetting HSM
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm setlagacydomain
Set the legacy cloning domain on the HSM. You must set the legacy cloning domain to migrate the contents of a legacy
SafeNet HSM to a release 6.x SafeNet HSM.
•

The legacy cloning domain for password-authenticated HSM partitions is the text string that was used as a cloning
domain on the legacy token HSM or SafeNet PCI HSM or SafeNet Network HSM whose contents are to be
migrated to the SafeNet 6.x HSM SO space (a separate command, partition setlegacydomain is used for
partitions).

The legacy cloning domain for PED-authenticated HSMs is the cloning domain secret on the red PED key for the
legacy PED authenticated HSM whose contents are to be migrated to the SafeNet 6.x HSM SO space.

You cannot migrate objects from a password-authenticated token/HSM to a PED authenticated SafeNet 6.x HSM, and
you cannot migrate objects from a PED authenticated token/HSM to a password-authenticated SafeNet 6.x HSM.
Your target SafeNet 6.x HSM has, and retains, whatever modern HSM cloning domain was imprinted (on a red PED
Key) when the HSM was initialized. The hsm setlegacydomain command takes the domain value from your legacy
HSM's red PED Key and associates that with the modern-format domain of the new HSM, to allow the HSM's SO
space to be the cloning (restore...) recipient of objects from the legacy (token) HSM.
Once the first legacy domain has been associated with your new SafeNet HSM, that legacy domain is attached until
the HSM is reinitialized.
The ability to set the legacy cloning domain does not allow you to defeat the security provision that prevents cloning of
objects across different domains.
See "Legacy Domains and Migration" for a description and summary of the possible combinations of source (legacy)
tokens/HSMs and target (modern) HSMs and the disposition of token objects from one to the other.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm setLegacyDomain [-domain ]
Parameter

The HSM password.

The name of the legacy cloning domain.

Example
lunacm:> hsm setLegacyDomain

The PED prompts for the legacy red domain PED Key (notice mention of "raw data" in the PED message).
Command result: Success!

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm showinfo
Display HSM-level information.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm showinfo

Example
lunacm:> hsm showinfo

lunacm:> hsm showinfo

Partition Label -> mypcie6
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 150022
Partition Status -> OK
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
RPV Initialized -> Yes
Slot Id -> 1
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
Role Status ->
none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 0000000000000000064a0200
Partition Storage:
Total Storage Space:
Used Storage Space:
Free Storage Space:
Object Count:
Overhead:

262144
0
262144
0
9280

*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
Firmware Version -> 6.22.0
Rollback Firmware Version -> 6.21.0
HSM Storage:
Total Storage Space: 2097152
Used Storage Space:
174288
Free Storage Space:
1922864
Allowed Partitions:
1

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Number of Partitions: 1
License Count -> 9
1. 621000026-000 K6 base configuration
1. 620127-000 Elliptic curve cryptography
1. 620114-001 Key backup via cloning protocol
1. 620109-000 PIN entry device (PED) enabled
1. 621010358-001 Enable a split of the master tamper key to be s
tored externally
1. 621010089-001 Enable remote PED capability
1. 621000021-001 Performance level 15
1. 621000079-001 Enable Small Form Factor Backup
1. 621000099-001 Enable per-partition Security Officer
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm showmechanism
Displays a list of the cryptographic mechanisms supported on the HSM.
Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm showmechanism[-m ]

With no arguments/options, lists all available mechanisms

Show expanded information for the indicated mechanism (optional).
Include just the number, without the "Ox" prefix.

Example of List
lunacm:> hsm showmechanism
Mechanisms Supported:
0x00000000
0x00000001
0x00000003
0x00000006
0x00000009
0x0000000a
0x0000000c
0x0000000d
0x0000000e
0x00000010
0x00000011
0x00000012
.
.
.
0x80000140
0x80000141
0x80000a02
0x80000a03

CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS
CKM_RSA_X_509
CKM_SHA1_RSA_PKCS
CKM_RSA_PKCS_OAEP
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_SHA1_RSA_X9_31
CKM_RSA_PKCS_PSS
CKM_SHA1_RSA_PKCS_PSS
CKM_DSA_KEY_PAIR_GEN
CKM_DSA
CKM_DSA_SHA1

CKM_DSA_SHA224
CKM_DSA_SHA256
CKM_NIST_PRF_KDF
CKM_PRF_KDF

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Example of Information about One Mechanism
lunacm:> hsm showmechanism -m 8000001b
(0x8000001b - -2147483621) CKM_XOR_BASE_AND_KEY
Min Key Size 8
Max Key Size 4096
Flags 0x80001
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm showpolicies
Displays the HSM-level capability and policy settings for the HSM [and for the SO - deprecated; see notes below].
Note: Some mechanisms (such as KCDSA) are not enabled unless you have purchased and
installed the required Secure Capability Update package. If you require a particular mechanism,
and do not see it listed when you generate a mechanism list for your SafeNet HSM, contact
SafeNet Support.

Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Note: The output of this command differs considerably, depending on the firmware version of
the HSM in the current slot. See the examples and discussion below.

Syntax
hsm showpolicies

Examples
Example with HSM firmware older than 6.22.0
lunacm:>hsm sp
HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 1
7: Enable cloning : 1
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
20: Enable Remote Authentication : 1
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 0
26: Enable External Storage of MTK Split : 0

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

27:
28:
29:
30:
31:
34:
35:
36:
37:
38:

HSM non-volatile storage
Enable HA mode CGX : 0
Enable Acceleration : 1
Enable unmasking : 0
Enable FW5 compatibility
Enable ECIES support : 0
Enable Single Domain : 0
Enable Unified PED Key :
Enable MofN : 0
Enable small form factor

LunaCM commands

space : 2097152

0
backup/restore : 0

HSM Policies
0: PIN-based authentication : 1
1: PED-based authentication : 0
6: Allow masking : 1
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 1
16: Allow network replication : 1
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
22: Allow offboard storage : 1
23: Allow partition groups : 0
25: Allow remote PED usage : 0
26: Store MTK Split Externally : 0
29: Allow Acceleration : 1
30: Allow unmasking : 0
31: Allow FW5 compatibility mode : 0
34: Allow ECIES support : 0
35: Force Single Domain : 0
36: Allow Unified PED Key : 0
37: Allow MofN : 0
38: Allow small form factor backup/restore : 0
SO Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 3
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

29:
30:
31:
32:
33:
34:
35:
36:

Enable
Enable
Enable
Enable
Enable
Enable
Enable
Enable

LunaCM commands

RSA signing without confirmation : 1
Remote Authentication : 1
private key unmasking : 1
secret key unmasking : 1
RSA PKCS mechanism : 0
CBC-PAD (un)wrap keys of any size : 0
private key SFF backup/restore : 0
secret key SFF backup/restore : 0

SO Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 3
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 0
34: Allow CBC-PAD (un)wrap keys of any size : 0
35: Allow private key SFF backup/restore : 0
36: Allow secret key SFF backup/restore : 0

Command Result : No Error

Example with HSM firmware 6.22.0 or newer
llunacm:>hsm sp
HSM Capabilities
0: Enable PIN-based authentication : 1
1: Enable PED-based authentication : 0
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 1
7: Enable cloning : 1
8: Enable special cloning certificate : 0
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

15:
16:
17:
18:
19:
20:
21:
22:
23:
25:
26:
27:
29:
30:
31:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:

LunaCM commands

Enable SO reset of partition PIN : 1
Enable network replication : 1
Enable Korean Algorithms : 0
FIPS evaluated : 0
Manufacturing Token : 0
Enable Remote Authentication : 1
Enable forcing user PIN change : 1
Enable offboard storage : 1
Enable partition groups : 0
Enable remote PED usage : 0
Enable External Storage of MTK Split : 0
HSM non-volatile storage space : 2097152
Enable Acceleration : 1
Enable unmasking : 0
Enable FW5 compatibility mode : 0
Maximum number of partitions : 20
Enable ECIES support : 0
Enable Single Domain : 1
Enable Unified PED Key : 1
Enable MofN : 1
Enable small form factor backup/restore : 0
Enable Secure Trusted Channel : 1
Enable decommission on tamper : 0
Enable Per-Partition SO : 1
Enable partition re-initialize : 1

HSM Policies
0: PIN-based authentication : 1
1: PED-based authentication : 0
6: Allow masking : 1
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 1
16: Allow network replication : 1
20: Allow Remote Authentication : 1
21: Force user PIN change after set/reset : 0
22: Allow offboard storage : 1
23: Allow partition groups : 0
25: Allow remote PED usage : 0
26: Store MTK Split Externally : 0
29: Allow Acceleration : 1
30: Allow unmasking : 0
31: Allow FW5 compatibility mode : 0
33: Current maximum number of partitions : 20
34: Allow ECIES support : 0
35: Force Single Domain : 0
36: Allow Unified PED Key : 0
37: Allow MofN : 1
38: Allow small form factor backup/restore : 0
39: Allow Secure Trusted Channel : 0
40: Allow decommission on tamper : 0
42: Allow partition re-initialize : 0

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Notice that, as of HSM firmware 6.22.0, "SO Capabilities" and "SO Policies" are no longer part of the hsm
showpolicies output. They have been moved to the output of command "partition showpolicies" on page 169, when the
current slot is the HSM admin partition. If the current slot is an application partition, then command partition
showpolicies shows capabilities and policies under the control of a partition SO (for PPSO partitions) or the HSM SO
(for legacy partitions).
So, for example, if you were looking for "Max failed user logins allowed", you would now look at partition
showpolicies.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm smkclone
Clone the Scalable Key Storage Masking Key (SMK) from the current slot to the target slot.
CAUTION: This command overwrites the SMK of the target slot.

Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Syntax
hsm smkClone -slot [-force] -password
Parameter

The target slot.

The password for the target slot.

Force the action without prompting.

Example
lunacm:> hsm smkclone -slot 2 -password $ome-Pa55word
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm updatecap
Perform an update of the HSM capabilities on the SafeNet HSM. When updatable features and capabilities are made
available from SafeNet, from time to time, this command is the means to implement such features on your existing
SafeNet HSM. That is, if you purchase an advanced capability upgrade, this is the command to update the HSM
capability from the standard factory version.
This command, and all the lunacm hsm commands, appear only when the current slot selected in lunacm is for a local
HSM, like an installed SafeNet PCIe HSM.
HSM commands do not appear in the lunacm command menu when lunacm is directed at a slot corresponding to a
remote SafeNet Network HSM - lunacm has a client-only connection to a remote HSM and therefore cannot log in as
SO to a remote HSM.
For SafeNet Network HSM, the HSM commands are available via LunaSH, which can be accessed via ssh if you have
the required authentication.

Syntax
hsm updatecap -cuf -authcode [-force]
Parameter

Specifies the capability update file that you want to apply.

Specifies the file containing the authorization code for the capability update.

Force the action without prompting.

Example
lunacm:> hsm uc -cuf 621-000100-001_RC4_G5PPSO.CUF -a G5PPSO-RC6.txt
You are about to apply a destructive update.
All contents of the HSM will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->
Command Result : No Error

Note: The filenames that are shown above are just examples, for purposes of illustration.
Yours will differ.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

hsm updatefw
Update the firmware on the SafeNet HSM.
Note: LunaCM performs an automatic restart following a firmware update.

Note: The lunacm hsm commands appear only when the current slot selected in lunacm is for
a locally-installed HSM, such as a SafeNet PCIe HSM or SafeNet USB HSM. When lunacm is
directed at a slot corresponding to a remote SafeNet Network HSM, the HSM-level commands
do not appear, since lunacm has a client-only connection to a remote HSM and therefore cannot
log in as SO to a remote HSM. To access HSM commands on the SafeNet Network HSM
appliance, you must use the Luna Shell (lunash).

Note: For PED-authenticated HSMs, you must disable SRK before you can update the
firmware. Use the srk show command to determine whether SRK is enabled on your HSM. If it
is, the first line of the output of the srk show command reads Secure Transport Functionality
is supported and enabled. If this is the case, run the srk disablecommand to disable SRK on
the HSM. You must have the appropriate purple PED Key to disable SRK. If you attempt to
update the firmware update while SRK is enabled, the system responds with an error:
0x80000030 (CKR_OPERATION_NOT_ALLOWED).

Syntax
hsm updateFW -fuf -authcode
Parameter

Specifies the firmware update file.

Specifies the file containing the authorization code for the firmware update.

Force the action without prompting.

Example
lunacm:>
You
The
Are

hsm
are
HSM
you

updateFW -fuf fwupdateK6_6.1.3_RC7_w_BB_1.3.FUF -authcode authcodeK6_6.1.3_RC7.txt
about to update the firmware.
will be reset.
sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed
Updating firmware. This may take several minutes.
Firmware update passed. Resetting HSM
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition
Access the partition-level commands.
Note: The partition command with no options shows the partition commands available to be
used in the current slot.
The availability of partition commands changes according to four possible scenarios:
- the current slot is the HSM administrative partition for an HSM with firmware version 6.22.0 or
newer
- the current slot is an application partition that has its own SO (a PPSO partition), on an HSM
with firmware version 6.22.0 or newer
- the current slot is a separate-but-not-independent application partition that is administered by
the HSM SO, and does not have its own separate SO (meaning, this is a legacy-style partition)
on an HSM with firmware version 6.22.0 or newer
- the current slot is the HSM administrative partition and application partition for an HSM with
firmware older than version 6.22.0 (meaning, this is a true legacy partition).
No single partition type has access to all the possible partition commands within lunacm.

Syntax of partition command on HSM admin partition, f/w 6.22.0
(These are the commands that you see if the current-slot partition is the initialized HSM's administrative partition, while
the HSM is at firmware version 6.22.0 or newer. Some of these commands act on the current-slot partition; some have
a -slot option to direct their action to another partition/slot.)
partition
archive
changePolicy
clear
clone
contents
create
createchallenge
delete
policyTemplateChange
policyTemplateCreate
policyTemplateDelete
policyTemplateList
policyTemplateLoad
policyTemplateSave
policyTemplateShow
resetpw
resize
restoresim3file
setlegacydomain

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

showinfo
showmechanism
showpolicies

> Partition archive management commands. See "partition archive" on
page 112.

Change the Partition Policy value. See "partition changepolicy" on page
125

Delete all of the user's token objects. See "partition clear" on page 128.

Clone user objects. See "partition clone" on page 129.

Show the contents of the application partition. See "partition
contents" on page 130.

Create the application partition. See "partition create" on page 131.

createchallenge

Create the user challenge. See "partition createchallenge" on page 138.

Delete an application partition. See "partition delete" on page 140.

policyTemplateChange

Modify policy settings. See "partition policyTemplateChange " on page
158.

policyTemplateCreate

Create partition policy template . See "partition policyTemplatecreate
" on page 160.

policyTemplateDelete

Delete partition policy template . See "partition policyTemplateDelete
" on page 162.

policyTemplateList

List partition policy templates . See "partition policyTemplateList" on
page 164.

policyTemplateLoad

Load partition policy template . See "partition policytemplateload " on
page 165.

policyTemplateSave

Save partition policy template . See "partition policyTemplateSave " on
page 166.

policyTemplateShow

Show partition policy template . See "partition policyTemplateShow
" on page 167.

Reset the partition password. See "partition resetpw" on page 147.

Re-size an application partition. See "partition resize" on page 147.

Restore user objects (using Scalable Key Storage3). See "partition
restoresim3" on page 152.

setlegacydomain

Set the legacy domain. "partition setlegacydomain" on page 153.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Display partition information. See "partition showinfo" on page 154.

Show all available mechanisms. See "partition showmechanism " on
page 156.

Get partition policy information. See "partition showpolicies" on page
169.

Syntax of partition command on PPSO application partition (f/w 6.22.0 or
newer)
(Same as for legacy-style partition, later on this page, except that this version of the partition command set does
include an init command for the PPSO application partition. These are the commands that you see if the current-slot
application partition was created using the "-slot" option while the HSM was at firmware version 6.22.0 or newer.)
partition
archive
changepolicy
clear
clone
contents
init
restoresim3
setlegacydomain
showinfo
showmechanism
showpolicies

> Partition archive management commands.See "partition archive" on
page 112.

Change the Partition Policy value. See "partition changepolicy" on page
125

Delete all of the user's token objects. See "partition clear" on page 128.

Clone user objects. See "partition clone" on page 129.

Show the contents of the user partition. See "partition contents" on page
130.

Initialize an application partition. See "partition init" on page 142.

Restore user objects (using Scalable Key Storage3). See "partition
restoresim3" on page 152.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

setlegacydomain

Set the legacy domain. "partition setlegacydomain" on page 153.

Display partition information. See "partition showinfo" on page 154.

Show all available mechanisms. See "partition showmechanism " on page
156.

Get partition policy information. See "partition showpolicies" on page 169.

Syntax of partition command on legacy application partition (f/w 6.22.0 or
newer)
(Same as for PPSO partition, above, except there is no partition init command for the legacy application partition. These
are the commands that you see if the current-slot application partition was created using the "-label" option while the
HSM was at firmware version 6.22.0 or newer.)
partition
archive
changepolicy
clear
clone
contents
createchallenge
restoresim3
setlegacydomain
showinfo
showmechanism
showpolicies

> Partition archive management commands. See "partition archive" on
page 112.

Change the Partition Policy value. See "partition changepolicy" on page
125

Delete all of the user's token objects. See "partition clear" on page 128.

Clone user objects. See "partition clone" on page 129.

Show the contents of the user partition. See "partition contents" on page
130.

createchallenge

Restore user objects (using Scalable Key Storage3). See "partition

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Description
restoresim3" on page 152.

setlegacydomain

Set the legacy domain. "partition setlegacydomain" on page 153.

Display partition information. See "partition showinfo" on page 154.

Show all available mechanisms. See "partition showmechanism " on page
156.

Get partition policy information. See "partition showpolicies" on page 169.

Syntax of partition command on HSM admin and application partition (f/w pre6.22.0)
(These are the commands that you see if the current-slot partition is the initialized HSM's administrative partition, while
the HSM is at firmware version older than 6.22.0. )
partition
archive
changepolicy
changepw
clear
clone
contents
create
login
logout
recoveryinit
recoverylogin
resetpw
restoreSIM2
restoreSIM3
setlegacydomain
showinfo
showmechanism
showpolicies

> Partition archive management commands. See "partition archive" on
page 112.

Change the Partition Policy value. See "partition changepolicy" on page
125

Change the partition password. See "partition changepw" on page 126.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Delete all of the user's token objects. See "partition clear" on page 128.

Clones user objects. See "partition clone" on page 129.

Show the contents of the user partition. See "partition contents" on page
130.

Create the user partition. See "partition create" on page 131.

Login to the HSM as user. See "partition login" on page 143.

Logout from the HSM as user. See "partition logout" on page 144.

Setup/configure User for "Recovery Login" (formerly "HA Init", not related
to load balancing). See "partition recoveryinit" on page 145.

Login as the User using "Recovery Login" (formerly "HA Login", not related
to load balancing). See "partition recoverylogin" on page 146.

Reset the partition password. See "partition resetpw" on page 147.

Restore user objects (using Scalable Key Storage2). See "partition
restoresim2" on page 151.

Restore user objects (using Scalable Key Storage3). See "partition
restoresim3" on page 152.

setlegacydomain

Set the legacy domain. "partition setlegacydomain" on page 153.

Display partition information. See "partition showinfo" on page 154.

Show all available mechanisms. See "partition showmechanism " on page
156.

Get partition policy information. See "partition showpolicies" on page 169.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition activate
Cache Partition PED Key data [SafeNet PCIe HSM with PED (Trusted Path) Authentication only]. Use this command
to cache a Partition's PED Key data. Clients can then connect, authenticate with their Partition password (challenge
secret), and perform operations with Partition objects, without need for hands-on PED operations each time.
Activation/caching endures until explicitly terminated with "partition deactivate" or host computer power off. If a
Partition has not been activated, then each access attempt by a Client causes a login call which initiates a SafeNet
PED operation (requiring the appropriate black PED Key). Partition activation makes unattended operation possible.

Partition Policy settings needed
Partition policies must be set before you can activate.

Note: Activate only
If you wish to activate a Partition, then Partition policy number 22 "Allow activation" must be set to "On" for the named
partition. Use partition showPolicies to view the current settings and use partition changePolicy to change the
setting. The policy shows as "Off" or "On", but to change the policy you must give a numeric value of "0" or "1".

Note: Activate and Autoactivate
If you wish to activate a Partition, then Partition policy number 23 "Allow auto-activation" can be set to "On" for the
partition. Use partition showPolicies to view the current settings and use partition changePolicy to change the
setting.
The policy shows as "Off" or "On", but to change the policy you must give a numeric value of "0" or "1".
Autoactivation caches the activation authentication data in battery-backed memory so that activation can persist or
recover following a shutdown/restart or a power outage up to 2 hours duration.
If Partition Policy 23 is set, then partition activation includes autoactivation. If Partition Policy 23 is not set, then
partition activation persists only while the host computer is powered on, and requires your intervention to reinstate
activation following a shutdown or power outage, no matter how brief.
Note: This partition activate command is used for "legacy" or "legacy-style" partitions,
application partitions that are administratively owned by the HSM Security Officer (SO), either
because the HSM firmware is older than version 6.22.0 or because the application partition has
been declared without a Partition Security Officer (even though the firmware version might
support PSO).
If the application partition has its own SO, then the policies must be set, as discussed above,
but simply logging in as Crypto Officer or Crypto User activates the partition for client access.

Syntax
partition activate -password
Parameter

The password to be used as login credential by the Partition User. As
shown, you can supply the password at the command line (useful for

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Description
scripting). Normally, however, you should leave out the password when
issuing the command.
If the password is not provided, you are prompted for it, and your response
is obscured by asterisk (****) symbols. This a more secure method of
providing the password.
NOT USED for PED-authenticated HSMs, which need the data from the
black PED Key instead, however the challenge-secret/password is still
needed by the client application.

Selects to perform the login as Crypto-User, which has a limited subset of
"User". Use this option only if your security scheme makes use of the
Crypto-Officer/Crypto-User distinction.

This parameter is optional. If it is not specified, then the value of the
"PEDId" parameter in the "Luna" section of Chrystoki.conf (cryptoki.ini) is
used. Otherwise the default is "0" or local PED.

Example
Password-authentication
lunacm:> partition activate -password Userpa55word!
Command Result : No Error

PED-authentication
lunacm:> partition activate
Option -password was not supplied. It is required.
Enter the password: ****************
User is not activated, please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive
Access the partition archive commands.
An archive (backup) device can be one of the following:
•

an HSM in another slot in the current system.

a backup HSM connected to a remote workstation.

a USB-attached HSM connected directly to a SafeNet PCIe HSM.

a SFF backup token (SafeNet iKey e7300) USB device connected to a SafeNet PED. The SafeNet PED can be
locally or remotely connected (via PedServer) to the HSM you want to backup.

Device configuraton
In each scenario, the HSM that is being used as a backup device should be configured as a backup device; the HSM
capability Enable full (non-backup) functionality (9) is disabled.
If the HSM is not configured as a backup device then you will not be able to create new backup partitions on the HSM.
You will only be able to backup/restore to/from any existing partitions.
Note: If the domains of your source and target HSMs do not match or the policy settings do not
permit backup, the partition archive backup command fails. No objects are cloned to the target
HSM but the command creates an empty backup partition. In this circumstance, you must
manually delete the empty backup partition.

Specifying the backup device
To specify a backup device in another slot in the current system, use the -s option and give the actual slot number (for
example, -s 4).
To specify a backup device in a remote work station, use the -s option and include the keyword remote (for example, -s
remote). When specifying a remote device, you must also provide a hostname and port number using the -hostname
and -port options. (The -hostname option also accepts an IP address.)
To specify a USB attached backup device directly connected to the HSM in the current slot, use the -s option and
include the keyword direct (for example, -s direct). If you know the slot number that contains the USB attached HSM,
you can specify that slot number explicitly (for example, -s 5).
To specify a SFF backup (eToken 7300) inserted into a SafeNet PED connected to the local HSM or connected by
USB to a host computer running PedServer, use the -s option and include the keyword etoken.

Password-authenticated SafeNet Remote Backup HSM
When using a password-authenticated SafeNet Remote Backup HSM, the SO password, partition password, and
domain values cannot be specified with the command. This is because the network connection is not secured and the
passwords should not be transferred across the network in the clear. If these values are required, they are prompted on
the remote workstation console.

Device initialization
Before a backup HSM can be used, it must be initialized. To initialize a backup HSM, you must set your backup HSM
as your current slot and use the hsm init command. If your backup HSM is in a remote workstation, then you must
initialize it locally at that workstation, or remotely using remote PED if it is supported.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Appending objects to an existing backup partition
When backing up, the append option can be used to add objects to the existing backup partition. If the specified
partition does not exist, then this option cannot be used. If the partition does exist and this option is not used, the
existing partition is deleted and a new partition is created. If the append option is not used and the specified partition
does not exist, it is created. If the partition must be created or resized, the SO password for the backup HSM is
required.

Remote backups
To perform remote backup (-s remote), a remote backup server must be running on the remote work station. To start a
remote backup server, run LunaCM on the remote workstation, select the slot you wish to use as a remote backup
HSM, and use the command remotebackup start. The remote backup server will accept commands and execute them
against the current slot.

Syntax
partition archive
backup
contents
delete
list
restore
Parameter

Backup objects from the current slot to a backup partition in a backup
device in a specified slot. See "partition archive backup" on the next page.

List the contents of a backup partition in a backup device in a specified
slot. See "partition archive contents" on page 117.

Delete the specified backup partition in a backup device in a specified slot.
See "partition archive delete" on page 119.

List the backup partitions on a backup device in a specified slot. See
"partition archive list" on page 121.

Restore objects from the specified backup partition in a backup device in a
specified slot to the current user partition. See "partition archive
restore" on page 122.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive backup
Backup partition objects. Use this command to backup objects from the current user partition to a partition on a backup
device.
Note: If the domains of your source and target HSMs do not match or the policy settings do not
permit backup, the partition archive backup command fails. No objects are cloned to the target
HSM but the command creates an empty backup partition. In this circumstance, you must
manually delete the empty backup partition.

Syntax
partition archive backup -slot -pas -par
Parameter

Append the objects to the existing partition.

-commandtimeout

The command timeout for network communication. The default timeout is
10 seconds. The maximum timeout is 3600. This option can be used to
adjust the timeout value to account for network latency.

Turn on additional error information. (optional)

Domain for the specified partition.

Force action with no prompting.

Host name of remote workstation running remote backup server. (required
when -s remote is used)

Partition on the backup device. (maximum length of 64 characters)

Password for the specified partition.

Port number for remote backup server on remote workstation. (required
when -s remote is used)

Allow objects with same OUID on backup device to be deleted and
replaced.

Target slot containing the backup device. It can be specified by any of the
following:
•

, if the backup slot is in the current system.

remote -hostname -port if the backup
device is in a remote work station.

direct to specify a USB attached backup device. If you know the slot
number that contains the USB attached HSM, you can specify that
slot number explicitly (for example, -s 5)

etoken to specify a SFF backup (eToken 7300) inserted into a
SafeNet PED connected to the local HSM or connected by USB to a

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Description
host computer running PedServer.

SO password for the backup device.

Example
lunacm:> par ar b -s 7 -par P2SA2nonppsoBK
Logging in as the SO on slot 7.
Please attend to the PED.
Creating partition P2SA2nonppsoBK on slot 7.
Please attend to the PED.
Logging into the container P2SA2nonppsoBK on slot 7 as the user.
Please attend to the PED.
Creating Domain for the partition P2SA2nonppsoBK on slot 7.
Please attend to the PED.
Verifying that all objects can be backed up...
3 objects will be backed up.
Backing up objects...
Cloned object 73 to partition P2SA2nonppsoBK (new handle 16).
Cloned object 100 to partition P2SA2nonppsoBK (new handle 17).
Cloned object 99 to partition P2SA2nonppsoBK (new handle 18).
Backup Complete.
3 objects have been backed up to partition P2SA2nonppsoBK
on slot 7.
Command Result : No Error
lunacm:>

Example Backup an Object to an SFF eToken
lunacm:>partition archive backup -s eToken -l SFFbackup -o 30
WARNING: continuing the backup operation will wipe out all keys on the backup token!
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Operation in progress, please wait.
(1/1)

Backing up object with handle 30... Success!

Backup Complete.
1 objects have been backed up to token with label localSFFuserPCI
on the backup device

Command Result : No Error

Example: Backup All Objects to an SFF eToken
lunacm:>partition archive backup -s eToken -l SFFbackup
WARNING: continuing the backup operation will wipe out all keys on the backup token!
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Operation in progress, please wait.
(1/5):
(2/5):
(3/5):
(4/5):
(5/5):

Backing
Backing
Backing
Backing
Backing

object
object
object
object
object

with
with
with
with
with

handle
handle
handle
handle
handle

30...
26...
57...
58...
29...

Success!
Success!
Success!
Success!
Success!

Backup Complete.
5 objects have been backed up to token with label SFFbackup
on the backup device

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive contents
Display the contents of a specified backup partition on the backup device in the specified slot.
Note: If you want to use this command to view the contents of an SFF token, you must be
logged into an HSM partition that has the SFF capability enabled. You can be logged into any
SFF-enabled partition – it is not necessary to log into the partition the backup was made
against. However, SFF token and target partition must share the same cloning domain.

Note: For full, detailed enumeration of SFF token content, the objects must be decrypted and
enumerated within the secure boundary of the HSM. To run partition archive contents,, free
space must be available within the target partition, equivalent to the size of the largest object on
the SFF token.

Syntax
partition archive c -s -par -pas
Parameter

-commandtimeout

The command timeout for network communication. The default timeout is
10 seconds. The maximum timeout is 3600. This option can be used to
adjust the timeout value to account for network latency. (optional)

Turn on additional error information. (optional)

Host name of remote workstation running remote backup server (required
when -s remote is used)

Partition on the backup device. (maximum length of 64 characters) .

User password for the specified partition.

Port number for remote backup server on remote workstation (required
when -s remote is used)

Target slot containing the backup device. It can be specified by any of the
following:
•

, if the backup slot is in the current system.

remote -hostname -port if the backup
device is in a remote work station.

direct to specify a USB attached backup device. If you know the slot
number that contains the USB attached HSM, you can specify that
slot number explicitly (for example, -s 5)

etoken to specify a SFF backup (eToken 7300) inserted into a
SafeNet PED connected to the local HSM or connected by USB to a
host computer running PedServer.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Example: No objects
lunacm:>par ar c -s eToken
Listing all objects...
Found 0 backup objects:
Command Result : No Error

Example: Objects found
lunacm:> lunacm:> partition archive contents -slot eToken
Listing all objects...
Found 5 backup objects:
Partition:
Object Type:
Object UID:

SFFbackup
Partition
6a0300004800000620420700

Label:
Index:
Object Type:
Object UID:
Fingerprint:

Generated DES3 Key
1
Symmetric Key
7a0300004800000620420700
9f63f36d7cddf5e870c8fb533d6568cc95b619141961690a76da1ac83934a18c

Label:
Index:
Object Type:
Object UID:
Fingerprint:

Created data object
2
Data
7b0300004800000620420700
ef3c747fe4bacd1d8fd6acf8a2fffdf3d75c147979e92e3613b62a249f852167

Label:
Index:
Object Type:
Object UID:
Fingerprint:

Generated RSA Public Key
3
Public Key
7c0300004800000620420700
f592724ccadac362a1b220061fd6da5f6d4dbadd45c2fd87bff2b2889aed6bee

Label:
Index:
Object Type:
Object UID:
Fingerprint:

Generated RSA Private Key
4
Private Key
7d0300004800000620420700
a8ec49a3bc319e22f6772b19c2970c161078757b0d9ec78f2427232946c8e97f

Label:
Index:
Object Type:
Object UID:
Fingerprint:

Created certificate object
5
Certificate
7e0300004800000620420700
48516c4a0bafe2bf2cca190ed816224f00484b73bff659441f84ef79e71a647a

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive delete
Delete the specified partition on the backup device in the specified slot.

Syntax
partition archive d -s -par -pas
Parameter

-commandtimeout

The command timeout for network communication. The default timeout is
10 seconds. The maximum timeout is 3600. This option can be used to
adjust the timeout value to account for network latency. (optional)

Turn on additional error information. (optional)

Host name of remote workstation running remote backup server. (required
when -s remote is used)

Partition to delete on the backup device. (maximum length of 64
characters) .

User password for the specified partition.

Port number for remote backup server on remote workstation. (required
when -s remote is used)

Target slot containing the backup device. It can be specified by any of the
following:
•

, if the backup slot is in the current system.

remote -hostname -port if the backup
device is in a remote work station.

direct to specify a USB attached backup device. If you know the slot
number that contains the USB attached HSM, you can specify that
slot number explicitly (for example, -s 5)

etoken to specify a SFF backup (eToken 7300) inserted into a
SafeNet PED connected to the local HSM or connected by USB to a
host computer running PedServer.

Example
Note: The partition archive delete command cannot be issued while the currently selected
slot is the SafeNet Backup HSM. Set your lunacm slot to any other slot, to allow partition
archive delete to work.
lunacm:> slot set -s 1
Current Slot Id: 1 (Luna User Slot 6.22.0 (PW) Signing With Cloning Mode)
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

lunacm:> par ar delete -slot 6 -partition JRLegacyPPSOK6 -password userpin
Logging in as the SO on slot 6.
Partition JRLegacyPPSOK6 was successfully deleted on slot 6.
Command Result : No Error
lunacm:>

Example: Delete all Objects from an SFF eToken
lunacm:>partition archive delete -slot eToken
WARNING: continuing the backup operation will wipe out all keys on the backup token!
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Operation in progress, please wait.
Command Result : No Error

Example: Attempt to Delete Objects from an Empty SFF eToken
lunacm:>partition archive delete -slot eToken
WARNING: continuing the backup operation will wipe out all keys on the backup token!
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Operation in progress, please wait.
Command Result : 0x20 (CKR_DATA_INVALID)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive list
Display a list of the backup partitions on a backup device in a specified slot.
Note: If you want to use this command to list the partition on an SFF token, you must be
logged into a partition that has the SFF capability enabled. You can be logged into any SFFenabled partition – it is not necessary to log into the partition the backup was made against.

Syntax
partition archive list -slot
Parameter

-commandtimeout

The command timeout for network communication. The default timeout is
10 seconds. The maximum timeout is 3600. This option can be used to
adjust the timeout value to account for network latency. (optional)

Turn on additional error information. (optional)

Host name of remote workstation running remote backup server. (required
when -s remote is used)

Port number for remote backup server on remote workstation. (required
when -s remote is used)

Target slot containing the backup device. It can be specified by any of the
following:
•

, if the backup slot is in the current system.

remote -hostname -port if the backup
device is in a remote work station.

direct to specify a USB attached backup device. If you know the slot
number that contains the USB attached HSM, you can specify that
slot number explicitly (for example, -s 5)

etoken to specify a SFF backup (eToken 7300) inserted into a
SafeNet PED connected to the local HSM or connected by USB to a
host computer running PedServer.

Example
lunacm:>partition archive list -slot eToken
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition archive restore
Restore partition objects from a backup. Use this command to restore objects from the specified backup partition, in a
backup HSM, in a specified slot, to the current user partition.

Syntax
partition archive restore -slot -pas -par
Parameter

-commandtimeout

The command timeout for network communication. The default timeout is
10 seconds. The maximum timeout is 3600. This option can be used to
adjust the timeout value to account for network latency. (optional)

Turn on additional error information. (optional)

Host name of remote workstation running remote backup server. (required
when -s remote is used)

Partition on the backup device. (maximum length of 64 characters) .

User password for the specified partition.

Port number for remote backup server on remote workstation. (required
when -s remote is used)

Target slot containing the backup device. It can be specified by any of the
following:
•

, if the backup slot is in the current system.

remote -hostname -port if the backup
device is in a remote work station.

direct to specify a USB attached backup device. If you know the slot
number that contains the USB attached HSM, you can specify that
slot number explicitly (for example, -s 5)

etoken to specify a SFF backup (eToken 7300) inserted into a
SafeNet PED connected to the local HSM or connected by USB to a
host computer running PedServer.

Example
lunacm:> partition archive restore -slot 6 -password -partition mybackupPar
Logging in to partition mybackupPar on slot 6 as the user.
Verifying that all objects can be restored...
1 object will be restored.
Restoring objects...
Cloned object 50 from partition mybackupPar (new handle 39).
Restore Complete.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

1 objects have been restored from partition mybackupPar on slot 6.
Command Result : No Error

Example: Restore One or All Objects from an SFF eToken
lunacm:>partition archive restore -slot eToken -o 1
Restoring objects...
(1/1) Restoring object 00-7a0300004800000620420700-9f63f36d7cddf5e870c8fb533d6568cc95b619141961690a76da1ac83934a18c...Success - Handle 26
Command Result : No Error

Example: Restore All objects from an SFF eToken
lunacm:>partition archive restore -slot eToken
Restoring objects...
(1/5) Restoring object 00-7a0300004800000620420700-9f63f36d7cddf5e870c8fb533d6568cc95b619141961690a76da1ac83934a18c...Success - Handle 26
(2/5) Restoring object 00-7b0300004800000620420700-ef3c747fe4bacd1d8fd6acf8a2fffdf3d75c147979e92e3613b62a249f852167...Success - Handle 29
(3/5) Restoring object 00-7c0300004800000620420700-f592724ccadac362a1b220061fd6da5f6d4dbadd45c2fd87bff2b2889aed6bee...Success - Handle 30
(4/5) Restoring object 00-7d0300004800000620420700-a8ec49a3bc319e22f6772b19c2970c161078757b0d9ec78f2427232946c8e97f...Success - Handle 33
(5/5) Restoring object 00-7e0300004800000620420700-48516c4a0bafe2bf2cca190ed816224f00484b73bff659441f84ef79e71a647a...Success - Handle 41

Command Result : No Error

Example: Restore Objects from an SFF eToken, where some already exist on
target
lunacm:>partition archive restore -slot eToken
Restoring objects...
(1/5) Restoring object 00-7a0300004800000620420700-9f63f36d7cddf5e870c8fb533d6568cc95b619141961690a76da1ac83934a18c...Failure (CKR_CANCEL)
(2/5) Restoring object 00-7b0300004800000620420700-ef3c747fe4bacd1d8fd6acf8a2fffdf3d75c147979e92e3613b62a249f852167...Success - Handle 30
(3/5) Restoring object 00-7c0300004800000620420700-f592724ccadac362a1b220061fd6da5f6d4dbadd45c2fd87bff2b2889aed6bee...Failure (CKR_CANCEL)
(4/5) Restoring object 00-7d0300004800000620420700-

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

a8ec49a3bc319e22f6772b19c2970c161078757b0d9ec78f2427232946c8e97f...Success - Handle 33
(5/5) Restoring object 00-7e0300004800000620420700-48516c4a0bafe2bf2cca190ed816224f00484b73bff659441f84ef79e71a647a...Success - Handle 41
WARNING: Errors occurred during the restore process.
Command Result : 0x1 (CKR_CANCEL)

Note: Objects that also exist on the target HSM fail to be restored from the SFF eToken.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition changepolicy
Change a user policy on the partition.

Syntax
partition changepolicy -policy -value
Parameter

Specifies the ID of the policy you want to change.

Specifies the new value for the specified policy.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition changepw
Change Partition User password. Use this command to change the password that authenticates the Crypto Officer or
Crypto User and/or the client to the application partition. You, as User (or Crypto Officer), need to know the current
password in order to change it.
Contrast this command with the partition resetpw command, used by the SO, where the SO does not need to know
the current partition User/Crypto Officer password in order to reset it.

Password authentication
For Password authenticated SafeNet HSM, the partition password needed by the administrator (Partition Owner/User)
is also the challenge secret needed by the client.

PED authentication
For PED authenticated SafeNet HSM, the data on the black PED Key is the administrative authentication (used by the
Partition Owner/User or Crypto Officer to log in or to activate the partition), and the challenge secret is a separate text
secret used by the client before performing cryptographic operations.
If you run the partition changPw command without additional arguments, the HSM offers to change only the black
PED Key secret.
To change the challenge secret, you must run the command with the -newpw and -oldpw options - OR use the -p option
instead, which tells the HSM to prompt for old and new challenge secrets.

Syntax
partition changepw [- newpw -oldpw ] [-prompt]
Parameter

The new password for the partition User.

The old partition User password that is being replaced.

The system prompts for old and new passwords (for passwordauthenticated HSM) or challenge secrets (for PED-authenticated HSM)
and obscures your typing with asterisks, so an unauthorized person cannot
see the passwords onscreen, and the scroll-back log of your terminal
would not show what you had typed.

Example
Password-authenticated HSM partition, with the passwords typed visibly at the command line.
lunacm:> partition changePw -newpw -oldpw
Command Result : No Error

PED-authenticated HSM partition with the challenge typed visibly at the command line.
lunacm:> partition changePw -newpw -oldpw
User is not activated, please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Password-authenticated HSM partition, with the passwords prompted by the HSM and obscured
by asterisks.
lunacm:> partition changepw -p
Option -oldpw was not supplied. It is required.
Enter the old password: ***********
Option -newpw was not supplied. It is required.
Enter the new password: ***********
Re-enter the new password: ***********
Command Result : No Error

PED-authenticated HSM partition with the passwords prompted by the HSM and obscured by
asterisks.
lunacm:> partition changePw -p
Option -oldpw was not supplied. It is required.
Enter the old challenge: ***********
Option -newpw was not supplied. It is required.
Enter the new challenge: ***********
Re-enter the new password: ***********
User is not activated, please attend to the PED.
Command Result : No Error

Changing the black key secret on a PED-authenticated HSM partition without changing the
challenge secret.
lunacm:> partition changePw
User is not activated, please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition clear
Delete User Partition objects. You must be logged in as the user to delete User partition objects. The partition structure
remains in place.
CAUTION: The objects are deleted as soon as the command is executed, without requesting
confirmation.

Syntax
partition clear

Example
lunacm:> partition clear
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition clone
Clone User partition objects from the HSM into another HSM installed in the same computer.

Syntax
partition clone -objects [-force] -password -slot
Parameter

Force the action without prompting.

Specifies the object handles to extract. You can specify the object handles
to clone using any of the following methods:
•

a single object handle

zero, to indicate that all objects are to be extracted

a list of handles, separated by commas. For example: -objects 3,4,6

The target slot password. This option does not apply to PED-authenticated
HSMs/tokens.

The target slot.

Example
lunacm:> partition clone -objects 0 -slot 2
Verifying that the specified objects can be cloned.
All objects will be cloned.
Logging in to target slot 2.
Type 'proceed' to continue, or 'quit' to quit now -> proceed
The cloned objects have been written to the token in slot 2.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition contents
Display a list of the objects on the partition. If the User is logged in, this command will display the contents of the
User's partition. If the User is not logged in, this command will display all of the objects that are available from a public
session. The partition name, serial number and total object count is displayed. For each object that is found, the label
and object type are displayed.

Syntax
partition contents

Example
lunacm:> partition contents
The User is currently logged in.
User's partition.
Number objects: 2
Handle: 7
Label:
Handle: 8
Label:

Looking for objects in the

Known
Generated DES3 Key

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition create
Create an application partition on a locally installed or USB-connected HSM.
The command is run from the HSM administrative partition. The HSM SO must be logged in.

Syntax for command in HSM with firmware 6.22.0 or newer
partition create [-password ] [-label ] [-size ] [-slot ] [-domain ] [defaultdomain] [-force]
Parameter

user role password (Password-auth)

label of the partition (declares a legacy partition - not used if "-slot" is
specified)

storage size of partition (used only for HSMs supporting multiple
application partitions, to specify a size other than the calculated default
size - depends on HSM memory, existing application partitions, and their
specifications)

slot where the new partition is to be created (declares a PPSO partition not used if "-label" is specified)

domain for cloning (Password-auth)

use default domain instead of a private, secure domain (deprecated; not
recommended)

force the action (useful when scripting commands)

Note: For HSMs with firmware 6.22.0 or newer, the partition creation does not overwrite an
existing partition. If the HSM supports just a single application partition, and one already exists,
the partition create command stops and throws the error "Error in execution : CKR_
LICENSE_CAPACITY_EXCEEDED." To create a new application partition, delete the
existing one first, with partition delete, then re-issue partition create.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Rules for names and passwords
A partition name or a partition label can include any of the following characters :
!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
No question marks, no double quotation marks within the string.
Minimum name or label length is 1 character. Maximum is 32 characters.
Valid characters that can be used in a password or in a cloning domain, when entered via LunaSH [1]), are:
!#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~
(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains are
"&';<>\`|()
Valid characters that can be used in a password or in a cloning domain, when entered via lunacm, are:
!"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(the first character in that list is the space character)
Minimum password length is 7 characters; maximum is 255 characters in lunash or lunacm.
Minimum domain string length is 1 character; maximum domain length is 128 characters via lunash. No arbitrary
maximum domain string length is enforced for domain strings entered via lunacm, and we have successfully input
domain strings longer than 1000 characters in testing.
[1] LunaSH on the SafeNet Network HSM has a few input-character restrictions that are not present in LunaCM, run
from a client host. It is unlikely that you would ever be able to access, via LunaSH, a partition that received a password
or domain via LunaCM, but the conservative approach would be to avoid the few "invalid or problematic characters"
generally.

Syntax for command in HSM with firmware older than 6.22.0
partition create [-password ] [-domain ] [-defaultdomain] [-force]
Parameter

user role password (Password-auth)

domain for cloning (Password-auth)

use default domain instead of a private, secure domain (deprecated; not
recommended)

force the action (useful when scripting commands)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Note: For HSMs with firmware older than version 6.22.0, supporting just a single application
partition, partition create overwrites (with a warning) any pre-existing application partition.

Example creating a legacy partition (PED-auth f/w 6.22.0)
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error
lunacm:> partition create -label mypcielegacypar
Please attend to the PED.
Command Result : No Error
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->

0
2
mypcielegacypar
349297122735
K6 Base
6.22.0
Luna User Partition, No SO (PED) Signing With Cloning Mode
User Token Slot

Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

HSM Configuration ->
HSM Status ->

LunaCM commands

Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error
lunacm:>

Example creating a PPSO partition (PED-auth f/w 6.22.0)
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> partition create -slot 0
Command Result : No Error
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->

0
2
349297122736
K6 Base

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Firmware Version ->
Configuration ->
Slot Description ->

6.22.0
Luna User Partition With SO (PED) Signing With Cloning Mode
User Token Slot

Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error
lunacm:>

Example creating a legacy partition (PW-auth f/w 6.10.4)
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

lunacm:>
lunacm:> partition showinfo
The User has not been created.
Command Result : No Error
lunacm:> hsm login
Option -password was not supplied.

It is required.

Enter the password: ********
Command Result : No Error
lunacm:> partition create
Option -password was not supplied.

It is required.

Enter the password: ********
Re-enter the password: ********
Option -domain was not specified.

It is required.

Enter the domain name: ********
Re-enter the domain name: ********
Command Result : No Error
lunacm:> partition showinfo
HSM Serial Number -> 7001312
HSM Status -> OK
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Available / Not Supported
Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION
User Status-> Not Logged In
Crypto Officer Failed Logins-> 0
Crypto User Failed Logins->
0
User Flags ->
CONTAINER_KCV_CREATED
User OUID: 1200000745010000e0d46a00
User Storage:
Total Storage Space:
Used Storage Space:

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Free Storage Space:
Object Count:

LunaCM commands

*** The HSM is NOT in FIPS 140-2 approved operation mode. ***

License Count -> 4
1. 621000001-000 G5 base configuration
1. 620139-000 Elliptic curve cryptography
1. 620131-000 Key backup via cloning protocol
1. 621010083-001 Performance level 15
Command Result : No Error
lunacm:>

Note: In the examples above, for the newer firmware, slot list, before and after, showed that
the application partition had been created.
For the older firmware, the creation of an application partition did not alter the slot list, so
instead we show the output of partition showinfo, before the application partition is created,
and then again afterward.

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition createchallenge
Create the legacy application partition's Crypto Officer challenge for a PED-authenticated SafeNet USB HSM or
SafeNet PCIe HSM.
In the HSM's administrative partition, log in first, as the HSM SO.
Run the partition createchallenge command after you run the partition createuser command.
If HSM firmware is version 6.22.0 or newer, then a legacy application partition is separate from the HSM administrative
partition. Run the partition createchallenge command from the HSM's administrative partition, specifying the slot
number corresponding to the target application partition.
If HSM firmware is older than version 6.22.0, then a legacy application partition is not separate from the HSM
administrative partition. Run the partition createchallenge command from the HSM's administrative partition, and do
not specify a slot.
Record the 16-character text string displayed by the PED, using a text editor to avoid transcription errors that
sometimes occur with handwriting.
The equivalent of this command for a PPSO partition is the role createchallenge command, which is run within the
application partition, and which is run by the partition SO.

Syntax
partition createChallenge -slot [-defchallenge]

Slot where creating user challenge (for legacy partition)

Use Default Challenge Password . [Optional] This is intended as a
convenience when provisioning or integrating. The challenge must be
changed before you can perform cryptographic operations.

Example
lunacm:> partition createChallenge -slot 0
Please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition createuser
Create the Crypto-User challenge for the current partition. The command partition createchallenge must have already
been run for this partition. If partition createuser is run (creating the Crypto-User and giving that user its own
challenge), then the challenge created for the partition User becomes the challenge for Crypto-Officer.

Syntax
partition createuser

Example
lunacm:> partition createUser
Please attend to the PED.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition deactivate
De-cache partition PED-key data. This command applies to SafeNet PCIe HSM with PED (trusted path) authentication
only.

Syntax
partition deactivate

Example
lunacm:> partition deactivate
Command Result : No Error

partition delete
Delete an application partition.This command must be invoked from the HSM administrative partition, and operates
against the application partition at the indicated slot.

Syntax
partition resize-slot [-size]

Slot number of partition to be deleted.

force the action (useful for scripting)

Example of partition delete command, showing slot list before and after
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->

0
2
pcieppsopar
349297122733
K6 Base
6.22.0
Luna User Partition With SO (PED) Signing With Cloning Mode
User Token Slot

Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->

1
2
mypcie6
150022
K6 Base
6.22.0

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

LunaCM commands

Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK

Current Slot Id: 1

Command Result : No Error
lunacm:> partition delete -slot 0
You are about to delete partition.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK

Current Slot Id: 1

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition init
Initialize an application partition. This command is used within the partition being initialized.

Syntax
partition init-label [-password] [-domain] [-defaultdomain] [-auth] [-force]

Log in after the initialization.

Default cloning domain name. Deprecated. Used only on passwordauthenticated HSMs, and not recommended. Kept for compatibility with
previous, existing configurations; will be discontinued in a future release.

Partition domain name. Used only on password-authenticated HSMs;
ignored for PED-authenticated.

Force the action (useful for scripting).

Label for the partition.

Partition Security Officer Password. Used only on password-authenticated
HSMs; ignored for PED-authenticated.

Example
lunacm:> partition init -label pcieppsopar
You
All
All
The

are about to initialize the partition.
partition objects will be destroyed.
partition roles will be destroyed.
domain will be destroyed.

Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Please attend to the PED.
Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition login
Login to the partition.

Syntax
partition login [-password ] [-cu] [-ped ]
Parameter

Applies to Password-authenticated HSMs; ignored for PED-authenticated
HSMs.
Specifies the Partition Owner or Crypto Officer password, to be used as
login credential. As shown, you can supply the password at the command
line (useful for scripting). Normally, however, you should leave out the
password when issuing the command. If the password is not provided, you
are prompted for it, and your response is obscured by asterisk (****)
symbols. This a more secure method of providing the password.

Perform the operation as Crypto User.

Applies to PED-authenticated HSMs, only. This option is a temporary way
to override PED ID settings or default.
The PED Id parameter is optional. (0=local,1...65535=remote)
If '0' is specified, the locally attached PED is used. If a value between 1
and 65535 is specified, the remote PED corresponding to that PED Id is
used.
If nothing is specified, then the value stored in the library for this slot is
used. Unless the value stored in the library has been changed by using the
'ped set' command, or the 'PEDId' parameter in the 'Luna' section of
cryptoki.ini, the value in the library is '0'.
NOTE: The '-ped' option asserts for the duration of this login command,
only. After the login completes, any PED ID that was set by the '-ped'
option then reverts to whatever value was in effect before "partition login ped ".

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition logout
Logout of the partition.

Syntax
partition logout

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition recoveryinit
Performs a High Availability Initialization of the current active session.
This lunacm command is provided as a demonstration of an operation that you would actually perform within your own
application. Consider this command along with lunacm partition -halogin command, and the material in the SDK
"High Availability Indirect Login Functions" .

Syntax
partition hainit -plabel -rlabel [-keyhandle ]
Parameter

If this option is included then the HA function is initialized with an already
existing RSA keypair, indicated by the handle that you provide.

Specifies a label for the RSA Public Key. Must be supplied if you do not
provide a keyhandle pointing to an existing RSA Private Key.

Specifies a label for the RSA Private Key. Must be supplied if you do not
provide a keyhandle pointing to an existing RSA Private Key.

Example
Creating a new RSA keypair to HA initialize the partition
lunacm:> partition hai -plabel myrsapub -rlabel myrsapriv
Generating RSA Key pair for HAInit...
User in slot 1 has been HA Initialised
with key handle 11.
Command Result : No Error

Initializing the partition when a suitable RSA keypair already exists
lunacm:> partition hai -keyhandle 11
User in slot 1 has been HA Initialised
with key handle 11.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition recoverylogin
Perform a Recovery Login on the target slot. This command is provided as a demonstration of an operation that you
would actually perform within your own application. Consider this command along with the partition -recoveryinit
command, and the material in the SDK "High Availability Indirect Login Functions".

Syntax
command parameter [optional_parameter ]
Parameter

RSA Private Key handle to use on the current token (as specified by the
slot number).

Specifies the slot number assigned to the token/HSM Partition.

An integer that specifies the user type. The user type can be one of the
following:
•

0 - Security Officer

1 - Crypto Officer

Example
lunacm:> partition recoverylogin -user 1 -slot 1 -keyhandle 11
This command will perform a Recovery Login
on the specified target slot.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition resetpw
Reset the partition password.
Used with older firmware. The HSM SO must be logged in.
For firmware 6.22.0 and newer, use role resetPW, instead.

Syntax
partition resetPw [-password ]
Parameter

New partition password. If you do not provide it at the command
line, you are prompted for it.

Example
lunacm:> partition resetPw
Option -password was not supplied.

It is required.

Enter the new password: ********
Re-enter the new password: ********
Command Result : No Error
lunacm:>

partition resize
Re-size an application partition.
You must be HSM SO, in the HSM administrative partition/slot in order to re-size an application partition. If the slot that
currently has focus is an application partition, this command is not visible.

Syntax
partition resize-slot [-size]

Slot number of partition to be re-sized.

New storage size of target partition (bytes).

force the action (useful for scripting)

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Example of partition resize, showing before and after
The partition showinfo command is run from the partition/slot about which you wish to see the current information,
such as, in this case, the current storage space allocated to that partition.
The partition resize command is run from the HSM's administrative partition.
For this example, the HSM SO has previously logged in.
lunacm:> slot list
Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->

0
2
pcieppsopar
349297122733
K6 Base
6.22.0
Luna User Partition With SO (PED) Signing With Cloning Mode
User Token Slot

Slot Id ->
Tunnel Slot Id ->
Label ->
Serial Number ->
Model ->
Firmware Version ->
Configuration ->
Slot Description ->
HSM Configuration ->
HSM Status ->

1
2
mypcie6
150022
K6 Base
6.22.0
Luna HSM Admin Partition (PED) Signing With Cloning Mode
Admin Token Slot
Luna HSM Admin Partition (PED)
OK

Slot Id ->
3
HSM Label ->
myG5pw
HSM Serial Number ->
7001312
HSM Model ->
G5Base
HSM Firmware Version -> 6.10.4
HSM Configuration ->
SafeNet USB HSM (PW) Signing With Cloning Mode
HSM Status ->
OK
Current Slot Id: 1
Command Result : No Error
lunacm:>
lunacm:> slot set slot 0
Current Slot Id:

(Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)

Command Result : No Error
lunacm:> partition showinfo
Partition Label -> pcieppsopar
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 349297122733
Partition Status -> OK
Token Flags ->
CKF_LOGIN_REQUIRED

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Slot Id -> 0
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
Role Status ->
none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 7202000072000001064a0200
Partition Storage:
Total Storage Space:
Used Storage Space:
Free Storage Space:
Object Count:
Overhead:

1200000
0
1200000
0
9288

Command Result : No Error
lunacm:> slot set slot 1
Current Slot Id:

(Luna Admin Slot 6.22.0 (PED) Signing With Cloning Mode)

Command Result : No Error
lunacm:> partition resize -slot 0 -size 1000000
You are about to resize partition.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> slot set slot 0
Current Slot Id:

(Luna User Slot 6.22.0 (PED) Signing With Cloning Mode)

Command Result : No Error
lunacm:> partition showinfo
Partition Label -> pcieppsopar
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 349297122733
Partition Status -> OK
Token Flags ->
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Slot Id -> 0
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
Role Status ->
none logged in
Token Flags ->
TOKEN_KCV_CREATED

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Partition OUID: 7202000072000001064a0200
Partition Storage:
Total Storage Space:
Used Storage Space:
Free Storage Space:
Object Count:
Overhead:

1000000
0
1000000
0
9288

Command Result : No Error
lunacm:>

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition restoresim2
Restore/insert HSM information from a Scalable Key Storage2 backup file. All objects in the file are restored to the
HSM.

Syntax
partition restoreSIM2 [-auth ] -filename
Parameter

The password that was used to protect the generated file, and now unlocks
that file for restoring onto the partition. This parameter is required if the file
is locked.

The name of the backup file on your computer, from which the restore
operation is performed.

Example
partition restoresim2 -filename somepartfile -auth $omePa55word
Restored Objects:
Object Handle: 14 (0xe)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES3
Label: Generated DES3 Key
Object Handle: 20 (0x14)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES3
Label: Generated DES3 Key
Object Handle: 30 (0x1e)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES2
Label: Generated DES2 Key
Object Handle: 31 (0x1f)
Object Class: CKO_SECRET_KEY
Key Type: CKK_AES
Label: Generated AES Key
Object Handle: 32 (0x20)
Object Class: CKO_PRIVATE_KEY
Key Type: CKK_RSA
Label: Generated RSA Private Key
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition restoresim3
Restore/insert HSM information from a Scalable Key Storage3 backup file. All objects in the file are restored to the
HSM.

Syntax
partition restoresim3 [-auth ] -filename
Parameter

The password that was used to protect the generated file, and now unlocks
that file for restoring onto the partition. This parameter is required if the file
is locked.

The name of the backup file on your computer, from which the restore
operation is performed.

Example
partition restoresim3 -filename somepartfile -auth $omePa55word
Restored Objects:
Object Handle: 14 (0xe)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES3
Label: Generated DES3 Key
Object Handle: 20 (0x14)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES3
Label: Generated DES3 Key
Object Handle: 30 (0x1e)
Object Class: CKO_SECRET_KEY
Key Type: CKK_DES2
Label: Generated DES2 Key
Object Handle: 31 (0x1f)
Object Class: CKO_SECRET_KEY
Key Type: CKK_AES
Label: Generated AES Key
Object Handle: 32 (0x20)
Object Class: CKO_PRIVATE_KEY
Key Type: CKK_RSA
Label: Generated RSA Private Key
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition setlegacydomain
Set the legacy cloning domain on a partition.
The legacy cloning domain for password-authenticated HSM partitions is the text string that was used as a cloning
domain on the legacy token HSM or SafeNet PCI HSM whose contents are to be migrated to the SafeNet PCI 5.x HSM
partition.
The legacy cloning domain for PED-authenticated HSM partitions is the cloning domain secret on the red PED key for
the legacy PED authenticated HSM whose contents are to be migrated to the SafeNet PCI 5.x HSM partition.
Your target HSM partition has, and retains, whatever modern partition cloning domain was imprinted (on a red PED
Key) when the partition was created. This command takes the domain value from your legacy HSM's red PED Key and
associates that with the modern-format domain of the partition, to allow the partition to be the cloning (restore...)
recipient of objects from the legacy (token) HSM.
You cannot migrate objects from a password-authenticated token/HSM to a PED-authenticated HSM partition, and you
cannot migrate objects from a PED authenticated token/HSM to a Password authenticated HSM partition. Again, this
is a security provision.
See "Legacy Domains and Migration" on page 1 in the Administration Guide for a description and summary of the
possible combinations of source (legacy) tokens/HSMs and target (modern) HSM partitions and the disposition of token
objects from one to the other.
Note: You can use this command repeatedly to associate different legacy domains to the
current partition's cloning domain. This allows you to consolidate content from multiple legacy
HSMs onto a single partition of a modern HSM.

Syntax
partition setLegacyDomain [-legacydomain ] [-force]
Parameter

Force action without prompting.

Legacy cloning domain string. This parameter must be specified for
password-authenticated HSMs. It is optional for PED authenticated
HSMs. If not specified, the domain is obtained using the PED.

Example
lunacm:> partition setLegacyDomain -partition
Existing Legacy Cloning Domain will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed

The PED prompts for the legacy red domain PED Key (notice mention of "raw data" in the PED message).
Command result: No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition showinfo
Display partition-level information for the current slot.
The output from this command varies, depending on the type of partition in the current slot, and on the HSM firmware
version.

Syntax
partition showinfo

Examples
Partition Info for an HSM admin partition (f/w 6.22.0 or newer)
lunacm:> partition showinfo
Partition Label -> mypcie6
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 150022
Partition Status -> OK
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Slot Id -> 1
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
Role Status ->
none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 0000000000000000064a0200
Partition Storage:
Total Storage Space: 262144
Used Storage Space:
0
Free Storage Space:
262144
Object Count:
0
Overhead:
9280
Firmware Version -> 6.22.0
Rollback Firmware Version -> 6.21.0
RPV Initialized -> Yes
HSM Storage:
Total Storage Space: 2097152
Used Storage Space:
2097152
Free Storage Space:
0
Allowed Partitions:
1
Number of Partitions: 1
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
License Count -> 9
1. 621000026-000 K6 base configuration
1. 620127-000 Elliptic curve cryptography
1. 620114-001 Key backup via cloning protocol

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

1.
1.
1.
1.
1.
1.

LunaCM commands

620109-000 PIN entry device (PED) enabled
621010358-001 Enable a split of the master tamper key to be stored externally
621010089-001 Enable remote PED capability
621000021-001 Performance level 15
621000079-001 Enable Small Form Factor Backup
621000099-001 Enable per-partition Security Officer

Command Result : No Error

Partition Info for a PPSO application partition (f/w 6.22.0 or newer)
lunacm:> partition showinfo
Partition Label -> mypciepsopar
Partition Manufacturer -> Safenet, Inc.
Partition Model -> K6 Base
Partition Serial Number -> 349297122736
Partition Status -> OK
Token Flags ->
CKF_LOGIN_REQUIRED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Slot Id -> 0
Tunnel Slot Id -> 2
Session State -> CKS_RW_PUBLIC_SESSION
Role Status ->
none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 6d02000074000001064a0200
Partition Storage:
Total Storage Space:
Used Storage Space:
Free Storage Space:
Object Count:
Overhead:

2087864
0
2087864
0
9288

Command Result : No Error

Partition Info for a Legacy application partition (f/w older than 6.22.0)
lunacm:> partition showinfo
HSM Serial Number -> 7001312
HSM Status -> OK
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Available / Not Supported
Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

User Status-> Not Logged In
Crypto Officer Failed Logins-> 0
Crypto User Failed Logins->
0
User Flags ->
CONTAINER_KCV_CREATED
User OUID: 1200000745010000e0d46a00
User Storage:
Total Storage Space:
Used Storage Space:
Free Storage Space:
Object Count:

2094996
3116
2091880
2

*** The HSM is NOT in FIPS 140-2 approved operation mode. ***

License Count -> 4
1. 621000001-000 G5 base configuration
1. 620139-000 Elliptic curve cryptography
1. 620131-000 Key backup via cloning protocol
1. 621010083-001 Performance level 15
Command Result : No Error

partition showmechanism
Lists the supported mechanisms, or shows some detail about a named mechanism.

Syntax
partition showmechanism [-m ]
Option

Lists all available mechanisms.

Shows expanded information for the indicated mechanism (optional).

Example
List all mechanisms available to the partition
lunacm:> partition showmechanism

Mechanisms Supported:
0x00000000 - CKM_RSA_PKCS_KEY_PAIR_GEN
0x00000001 - CKM_RSA_PKCS
0x00000003 - CKM_RSA_X_509
0x00000006 - CKM_SHA1_RSA_PKCS
0x00000009 - CKM_RSA_PKCS_OAEP
0x0000000a - CKM_RSA_X9_31_KEY_PAIR_GEN

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

0x80000142
0x80000143
0x0000000b
0x0000000c
0x80000135
0x80000136
0x80000137
0x80000138
0x8000013e
0x80000139
0x8000013a
0x8000013b
0x8000013c
0x8000013d
0x0000000d
0x0000000e
:
:
0x00000365
0x00000391
0x00000390
0x00000392
0x00000350
0x00000371
0x00000372
0x00000380
0x00000381
0x00000221
0x00000222
0x00000211
0x00000212
0x00000370
0x80000140
0x80000141
0x80000a02
0x80000a03
Command Result : No

LunaCM commands

CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
CKM_RSA_X9_31
CKM_SHA1_RSA_X9_31
CKM_SHA224_RSA_X9_31
CKM_SHA256_RSA_X9_31
CKM_SHA384_RSA_X9_31
CKM_SHA512_RSA_X9_31
CKM_RSA_X9_31_NON_FIPS
CKM_SHA1_RSA_X9_31_NON_FIPS
CKM_SHA224_RSA_X9_31_NON_FIPS
CKM_SHA256_RSA_X9_31_NON_FIPS
CKM_SHA384_RSA_X9_31_NON_FIPS
CKM_SHA512_RSA_X9_31_NON_FIPS
CKM_RSA_PKCS_PSS
CKM_SHA1_RSA_PKCS_PSS

- CKM_EXTRACT_KEY_FROM_KEY
- CKM_MD2_KEY_DERIVATION
- CKM_MD5_KEY_DERIVATION
- CKM_SHA1_KEY_DERIVATION
- CKM_GENERIC_SECRET_KEY_GEN
- CKM_SSL3_MASTER_KEY_DERIVE
- CKM_SSL3_KEY_AND_MAC_DERIVE
- CKM_SSL3_MD5_MAC
- CKM_SSL3_SHA1_MAC
- CKM_SHA_1_HMAC
- CKM_SHA_1_HMAC_GENERAL
- CKM_MD5_HMAC
- CKM_MD5_HMAC_GENERAL
- CKM_SSL3_PRE_MASTER_KEY_GEN
- CKM_DSA_SHA224
- CKM_DSA_SHA256
- CKM_NIST_PRF_KDF
- CKM_PRF_KDF
Error

Show information about a particular mechanism
lunacm:> partition showmechanism -m 80000142
(0x80000142 - -2147483326) CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
Min Key Size 1024
Max Key Size 3072
Flags 0x10001
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition policyTemplateChange
Modify a policy's initial value and destructive settings within the partition policy template currently being edited. This
change is done independently of any partition when the edit is performed. The change becomes accessible when the
template is saved. The change becomes active if the template is applied to an application partition.

Syntax
partition policyTemplateChange -policy [-value ] [-on{destructive | non-destructive}] [-off
{destructive | non-destructive}]
Option

Specifies whether the action of switching the
policy off shall be destructive.

Specifies whether the action of switching the
policy on shall be destructive.

Specifies the policy code identifying the policy to
alter. Policy descriptions and codes are obtained
with the partition showpolicies command.

Specifies the value that should be assigned to the
specified policy. When specifying values for an
on/off type policy, use '1' for on and '0' for off, or
just type the text "on" or "off". Either is
acceptable.

Example
lunacm:> partition policyTemplateChange -policy 23 -value on
Destructive
Code Description
Value Off-To-On On-To-Off
______________________________________________________________________________
23

Allow auto-activation

Command Result : No Error

lunacm:> partition policyTemplateChange -policy 25 -value 246
Destructive
Code Description
Value Off-To-On On-To-Off
______________________________________________________________________________
25

Minimum pin length (inverted: 255 - min)

Command Result : No Error
lunacm:> partition policyTemplateChange -policy 20 -value 9

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

Destructive
Code Description
Value Off-To-On On-To-Off
______________________________________________________________________________
20

Max failed user logins allowed

Command Result : No Error
lunacm:> partition policyTemplateChange -policy 7 -on non-destructive
Destructive
Code Description
Value Off-To-On On-To-Off
______________________________________________________________________________
7

Allow secret key masking

Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition policyTemplatecreate
Create an application partition policy template in memory (for editing). To preserve the template, it must be saved
separately by the partition policyTemplatesave command.

Partition policy template naming
A policy template must have a unique name, which can be a character string.
Acceptable characters are:
-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz
Minimum length is a single character.
Maximum length is 20 characters.

Syntax
partition create -policyTemplateCreate[-force]

Force the partition creation with no prompting
- you are still prompted by SafeNet PED, if
yours is a PED authenticated HSM.

Example
lunacm:> partition policytemplatecreate
Destructive
Code Description
Value Off-To-On On-To-Off
______________________________________________________________________________
0
1
2
3
4
5
6
7
10
11
15
16
17
18
20
21
22
23
24
25
26

Allow private key cloning
Allow private key wrapping
Allow private key unwrapping
Allow private key masking
Allow secret key cloning
Allow secret key wrapping
Allow secret key unwrapping
Allow secret key masking
Allow multipurpose keys
Allow changing key attributes
Ignore failed challenge responses
Operate without RSA blinding
Allow signing with non-local keys
Allow raw RSA operations
Max failed user logins allowed
Allow high availability recovery
Allow activation
Allow auto-activation
Allow indirect login
Minimum pin length (inverted: 255 - min)
Maximum pin length

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

On
Off
On
Off
On
On
On
Off
On
On
On
On
On
On
10
On
On
On
Off
248
255

Yes
Yes
No
Yes
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
No
Yes
N/A
No
No
No
No
N/A
N/A

No
No
No
No
No
No
No
No
No
No
No
No
No
No
N/A
No
No
No
No
N/A
N/A

28
29
30
31
32
33
34
35
36
37

Allow Key Management Functions
Perform RSA signing without confirmation
Allow Remote Authentication
Allow private key unmasking
Allow secret key unmasking
Allow RSA PKCS mechanism
Allow CBC-PAD (un)wrap keys of any size
Allow private key SFF backup/restore
Allow secret key SFF backup/restore
Force Secure Trusted Channel

On
On
On
On
On
On
On
Off
Off
Off

Yes
Yes
No
No
No
Yes
Yes
Yes
Yes
No

LunaCM commands

No
No
No
No
No
No
No
No
No
Yes

Type 'proceed' to continue, or 'quit'
to quit now.
> proceed
Success: Created and loaded the new partition policy template.
Use 'partition policyTemplateChange' to edit the template and
'partition policyTemplateSave' to save the template once you have applied all necessary
changes.
Command Result : No Error

SafeNet Network HSM LunaCM Command Reference Guide
Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved.

LunaCM commands

partition policyTemplateDelete
Delete partition policy template.

Syntax
partition policyTemplateDelete [-all] [-name] [-force]
Option

Delete all templates