Utilities Reference Guide
User Manual:
Open the PDF directly: View PDF .
Page Count: 146
Download | |
Open PDF In Browser | View PDF |
SafeNet Network HSM 6.2.2 Utilities Reference Guide Document Information Product Version 6.2.2 Document Part Number 007-011136-012 Release Date 01 December 2016 Revision History Revision Date Reason A 01 December 2016 Initial release. Trademarks, Copyrights, and Third-Party Software Copyright 2001-2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. Acknowledgements This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org) This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This product includes software developed by the University of California, Berkeley and its contributors. This product uses Brian Gladman’s AES implementation. Refer to the End User License Agreement for more information. Disclaimer All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information. This document can be used for informational, non-commercial, internal, and personal use only provided that: • The copyright notice, the confidentiality and proprietary legend and this full warning notice appear in all copies. • This document shall not be posted on any publicly accessible network computer or broadcast in any media, and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. SafeNet Network HSM Utilities Reference Guide Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 2 The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service, or loss of privacy. Regulatory Compliance This product complies with the following regulatory regulations. To ensure compliancy, ensure that you install the products as specified in the installation instructions and use only Gemalto-supplied or approved accessories. USA, FCC This device complies with Part 15 of the FCC rules. Operation is subject to the following conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operation. Note: This equipment has been tested and found to comply with the limits for a “Class B” digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: • Reorient or relocate the receiving antenna • Increase the separation between the equipment and receiver • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected • Consult the dealer or an experienced radio/TV technician for help Changes or modifications not expressly approved by Gemalto could void the user’s authority to operate the equipment. Canada This class B digital apparatus meets all requirements of the Canadian interference- causing equipment regulations. SafeNet Network HSM Utilities Reference Guide Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 3 Europe This product is in conformity with the protection requirements of EC Council Directive 2004/108/EC. Conformity is declared to the following applicable standards for electro-magnetic compatibility immunity and susceptibility; CISPR22 and IEC801. This product satisfies the CLASS B limits of EN 55022. SafeNet Network HSM Utilities Reference Guide Rellease 6.2.2 007-011136-012 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 4 CONTENTS PREFACE About the Utilities Reference Guide Customer Release Notes Gemalto Rebranding Audience Document Conventions Notes Cautions Warnings Command Syntax and Typeface Conventions Support Contacts 1 Certificate Management Utility (CMU) About the CMU Functions Authentication cmu certify cmu delete cmu export cmu generatekeypair cmu getattribute cmu getpkc cmu import cmu importkey cmu list cmu requestcertificate cmu selfsigncertificate cmu setattribute cmu verifypkc 2 CKdemo Accessing the ckdemo Utility Using the ckdemo Menu Executing a Menu Function The AUDIT/LOG Menu Functions (130) Get Config (131) Set Config (132) Verify Logs (133) Get Time (134) Set Time (135) Import Secret (136) Export Secret (137) Init Audit (138) Get Status (139) Log External SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 11 11 12 12 12 12 13 13 13 14 16 16 16 17 19 20 21 25 26 27 28 30 32 35 38 40 41 41 42 43 44 44 44 44 44 44 44 44 44 44 45 5 The CA Menu Functions (70) Set Domain (71) Clone Key (72) Set MofN (73) Generate MofN (74) Activate MofN (75) Generate Token Keys (76) Get Token Cert (77) Sign Token Cert (78) Generate CertCo Cert (79) Modify MofN (86) Dup. MofN Keys (87) Deactivate MofN (88) Get Token Certificates (112) Set Legacy Cloning Domain The CLUSTER EXECUTION Menu Functions (111) Get Cluster State The HIGH AVAILABILITY RECOVERY Menu Functions (50) HA Init (51) HA Login (52) HA Status The KEY Menu Functions 60) Wrap Key 61) Unwrap Key 62) Generate Random Number 63) Derive Key 64) PBE Key Generation 65) Create Known Keys 66) Seed RNG 67) EC User Defined Curves The OBJECT MANAGEMENT Menu Functions (20) Create Object (21) Copy Object (22) Destroy Object (23) Object Size (24) Get Attribute (25) Set Attribute (26) Find Objects (27) Display Object (30) Modify Usage Count (31) Destroy Multiple Objects (32) Extract Public Key The OFFBOARD KEY STORAGE Menu Functions (101) Extract Masked Object (102) Insert Masked Object (103) Multisign With Value (104) Clone Object (105) SIMExtract (106) SIMInsert SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 45 45 45 45 45 45 45 46 46 46 46 46 46 46 46 46 47 47 47 47 47 47 47 47 47 48 48 48 48 48 48 48 48 49 49 49 49 49 49 49 49 49 50 50 50 50 50 50 50 6 (107) SimMultiSign (118) Extract Object (119) Insert Object The OTHERS Menu Functions 90) Self Test 94) Open Access 95) Close Access 97) Set App ID 98) Options 100) LKM Commands The PED INFO menu functions 120) Set PED Info 121) Get PED Info 122) Init RPV 123) Delete RPV The SCRIPT EXECUTION Menu Functions (108) Execute Script (109) Execute Asynchronous Script (110) Execute Single Part Script The SECURITY Menu Functions (40) Encrypt File (41) Decrypt File (42) Sign (43) Verify (44) Hash (45) Simple Generate Key (46) Digest Key The SRK Menu Functions (200) SRK Get State (201) SRK Restore (202) SRK Resplit (203) SRK Zeroize (204) SRK Enable/Disable The TOKEN Menu Functions ( 1) Open Session ( 2) Close Session ( 3) Login ( 4) Logout ( 5) Change PIN ( 6) Init Token ( 7) Init PIN ( 8) Mechanism List ( 9) Mechanism Info (10) Get Info 11) Slot Info 12) Token Info 13) Session Info 14) Get Slot List 15) Wait for Slot Event SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 50 50 50 50 51 51 51 51 51 52 52 52 52 52 53 53 53 53 53 53 53 53 53 54 54 54 54 54 54 54 54 54 54 55 55 55 55 55 55 55 56 56 56 56 56 56 56 57 57 7 18) Factory Reset 19) Clone MofN CKlog cklog Utility Windows Example UNIX Example Selective Logging 3 Lunadiag Lunadiag Utility Using Lunadiag Verify Successful Installation 4 Multitoken Accessing Multitoken Using Multitoken Operating Modes Named and User-defined Curves 5 57 57 58 58 58 59 59 61 61 61 63 64 64 64 66 70 Pedserver and Pedclient 73 Overview The pedserver Utility The pedclient Utility The pedclient Command General Syntax PedClient on SafeNet Network HSM The pedserver Command Syntax Sample Outputs 73 73 73 74 74 77 77 77 79 6 Remote Backup Service (RBS) RBS Overview rbs rbs config rbs daemon rbs genkey rbs nopassword 7 SAlogin Using the salogin Utility The salogin Command Examples Other options 8 SCP and PSCP Using the scp and pscp Utilities SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 81 81 82 83 84 85 86 87 87 87 88 88 89 89 8 9 Ureset Utility ureset Example 10 Vreset Utility vreset Example 11 VTL VTL Overview vtl addServer vtl backup vtl backup append vtl backup delete vtl backup restore vtl backup token vtl backup token factoryreset vtl backup token init vtl backup token resize vtl backup token show vtl backup token show licenses vtl backup token update vtl cklogsupport vtl createCert vtl deleteServer vtl examineCert vtl fingerprint vtl haAdmin vtl haAdmin addMember vtl haAdmin autoRecovery vtl haAdmin deleteGroup vtl haAdmin haLog vtl haAdmin HAOnly Client vtl haAdmin HAOnly disable vtl haAdmin HAOnly enable vtl haAdmin HAOnly show vtl haAdmin newGroup vtl haAdmin recover group vtl haAdmin removeMember vtl haAdmin show vtl haAdmin standbyMembers vtl haAdmin standbyMembers -remove vtl haAdmin standbyMembers -set vtl haAdmin synchronize vtl listServers vtl listSlots vtl logging configure vtl logging show SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 91 91 91 93 93 93 95 96 98 99 101 103 104 105 106 107 108 109 110 111 112 113 115 116 118 119 120 122 123 125 127 128 129 130 131 133 134 135 136 137 138 139 140 141 142 143 9 vtl replaceserver vtl supportInfo vtl verify SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 144 145 146 10 PREFACE About the Utilities Reference Guide PREFACE About the Utilities Reference Guide This document describes how to use the various utilities included with the SafeNet HSM client. It contains the following chapters: • "Certificate Management Utility (CMU)" on page 16 • "CKdemo" on page 41 • "CKlog" on page 58 • "Lunadiag" on page 61 • "Multitoken" on page 64 • "Pedserver and Pedclient" on page 73 • "Remote Backup Service (RBS)" on page 81 • "SAlogin" on page 87 • "SCP and PSCP" on page 89 • "Ureset Utility" on page 91 • "Vreset Utility" on page 93 • "VTL" on page 95 This preface also includes the following information about this document: • "Customer Release Notes" below • "Gemalto Rebranding" on the next page • "Audience" on the next page • "Document Conventions" on the next page • "Support Contacts" on page 14 For information regarding the document status and revision history, see "Document Information" on page 2. Customer Release Notes The customer release notes (CRN) provide important information about this release that is not included in the customer documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and known issues for this release. You can view or download the latest version of the CRN for this release at the following location: • http://www.securedbysafenet.com/releasenotes/luna/crn_luna_hsm_6-2-2.pdf SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 11 PREFACE About the Utilities Reference Guide Gemalto Rebranding In early 2015, Gemalto completed its acquisition of SafeNet, Inc. As part of the process of rationalizing the product portfolios between the two organizations, the Luna name has been removed from the SafeNet HSM product line, with the SafeNet name being retained. As a result, the product names for SafeNet HSMs have changed as follows: Old product name New product name Luna SA HSM SafeNet Network HSM Luna PCI-E HSM SafeNet PCIe HSM Luna G5 HSM SafeNet USB HSM Luna PED SafeNet PED Luna Client SafeNet HSM Client Luna Dock SafeNet Dock Luna Backup HSM SafeNet Backup HSM Luna CSP SafeNet CSP Luna JSP SafeNet JSP Luna KSP SafeNet KSP Note: These branding changes apply to the documentation only. The SafeNet HSM software and utilities continue to use the old names. Audience This document is intended for personnel responsible for maintaining your organization's security infrastructure. This includes SafeNet HSM users and security officers, key manager administrators, and network administrators. All products manufactured and distributed by Gemalto are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only. It is assumed that the users of this document are proficient with security concepts. Document Conventions This document uses standard conventions for describing the user interface and for alerting you to important information. Notes Notes are used to alert you to important or helpful information. They use the following format: SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 12 PREFACE About the Utilities Reference Guide Note: Take note. Contains important or helpful information. Cautions Cautions are used to alert you to important information that may help prevent unexpected results or data loss. They use the following format: CAUTION: Exercise caution. Contains important information that may help prevent unexpected results or data loss. Warnings Warnings are used to alert you to the potential for catastrophic data loss or personal injury. They use the following format: WARNING! Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury. Command Syntax and Typeface Conventions Format Convention bold The bold attribute is used to indicate the following: • Command-line commands and options (Type dir /p.) • Button names (Click Save As.) • Check box and radio button names (Select the Print Duplex check box.) • Dialog box titles (On the Protect Document dialog box, click Yes.) • Field names (User Name: Enter the name of the user.) • Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.) • User input (In the Date box, type April 1.) italics In type, the italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets. [optional] [ ] Represent optional keywords or in a command line description. Optionally enter the keyword or that is enclosed in square brackets, if it is necessary or desirable to complete the task. {a|b|c} {|| } Represent required alternate keywords or in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 13 PREFACE About the Utilities Reference Guide Format Convention [a|b|c] [|| ] Represent optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the braces, if desired. Choices are separated by vertical (OR) bars. Support Contacts Contact method Address Contact Gemalto 4690 Millennium Drive Belcamp, Maryland 21017 USA Phone Global +1 410-931-7520 Australia 1800.020.183 China (86) 10 8851 9191 France 0825 341000 Germany 01803 7246269 India 000.800.100.4290 Netherlands 0800.022.2996 New Zealand 0800.440.359 Portugal 800.1302.029 Singapore 800.863.499 Spain 900.938.717 Sweden 020.791.028 Switzerland 0800.564.849 United Kingdom 0800.056.3158 United States (800) 545-6608 Web www.safenet-inc.com Support and Downloads www.safenet-inc.com/support Provides access to the Gemalto Knowledge Base and quick downloads for various products. Technical Support Customer Portal https://serviceportal.safenet-inc.com Existing customers with a Technical Support Customer Portal account can log in SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 14 PREFACE Contact method About the Utilities Reference Guide Contact to manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 15 1 Certificate Management Utility (CMU) This chapter provides a detailed description of each of the functions available in the SafeNet Certificate Management Utility. It contains the following topics: • "About the CMU Functions" below • "cmu certify" on the next page • "cmu delete" on page 19 • "cmu export" on page 20 • "cmu generatekeypair" on page 21 • "cmu getattribute" on page 25 • "cmu getpkc" on page 26 • "cmu import" on page 27 • "cmu importkey" on page 28 • "cmu list" on page 30 • "cmu requestcertificate" on page 32 • "cmu selfsigncertificate" on page 35 • "cmu setattribute" on page 38 • "cmu verifypkc" on page 40 About the CMU Functions This section provides a detailed description of each function available in the Certificate Management Utility. The command function is the first parameter on the command line that invokes the CMU application. It does not require a leading dash character. All options follow the command function and do employ leading dashes. Only a single command function can be specified with each invocation of the CMU application. cmu <-parameter_name[=parameter_value]> Most functions take parameters, some of which may be mandatory, and some optional. Parameters may, in turn, take values. If a parameter takes a value, then the general syntax is to write the command "cmu", followed by a space, followed by a function name, followed by a space, followed by a leading dash "-" and parameter name and an equal sign "=" and a value, with no spaces from the dash to the end of the parameter value. Multiple parameters are separated by spaces. Authentication Where an operation requires authentication, you must provide the appropriate Password (for a Password Authenticated HSM) or the appropriate PED Key (via SafeNet PED, for a Trusted Path HSM). SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 16 1 Certificate Management Utility (CMU) cmu certify This function creates an X.509 V3 certificate from a PKCS #10 certificate request. The parent certificate and corresponding private key must already exist on the token or HSM. The private key is located on the token using the public key info inside the parent certificate. Syntax cmu certify Mandatory Parameters Parameter Description -handle= This is a mandatory parameter that defines the handle to parent certificate. If this parameter is omitted and there is only one certificate on the HSM, that certificate is automatically selected. If this parameter is omitted and there are multiple certificates on the HSM, the user is asked to select the certificate. -inputfile This parameter defines the name of the file that contains the PKCS #10 certificate request. -startDate This parameter defines the validity start of the certificate, in the format YYYYMMDD. -endDate This parameter defines the validity end of the certificate, in the format YYYYMMDD. -serialNumber This parameter defines the serial number of the certificate, in big-endian hexadecimal form. Optional Parameters Parameter Description -keyusage This is an optional parameter that defines the key usage extension for the certificate. It can be set to any of the following: digitalsignature, nonrepudiation, keyencipherment, dataencipherment, keyagreement, keycertsign, crlsign, encipheronly, decipheronly. This parameter may appear more than once in the parameter set to define multiple usages, or it can be used once with a comma separated list of usage types. -md5WithRsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa. -sha1WithRsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. -label This is an optional parameter that defines the label attribute for the certificate object that gets created on the HSM. If omitted, the common name of the subject DN is used instead. -sha224withrsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA224withRSAEncryption. The default is to use sha1WithRsa. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 17 1 Certificate Management Utility (CMU) Parameter Description -sha256withrsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA256withRSAEncryption. The default is to use sha1WithRsa. -sha384withrsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA384withRSAEncryption. The default is to use sha1WithRsa. -sha512withrsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA512withRSAEncryption. The default is to use sha1WithRsa. -sha1withdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withDSAEncryption. The default is to use sha1WithRsa. -sha1withecdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA1withECDSAEncryption. The default is to use sha1WithRsa. - sha224withecdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA224withECDSAEncryption. The default is to use sha1WithRsa. -sha256withecdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA256withECDSAEncryption. The default is to use sha1WithRsa. -sha384withecdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA384withECDSAEncryption. The default is to use sha1WithRsa. - sha512withecdsa This is an optional parameter that defines the signature algorithm for the certificate to be pkcs-1-SHA512withECDSAEncryption. The default is to use sha1WithRsa. -id This optional parameter defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead. -certificatepolicy This optional parameter defines the certificate policy to be used. -keyids This optional parameter indicates to use a subject key identifier from the parent. Set to True or False (or 1 or 0). Example cmu certify -input=testCert.req -h=8 - create and sign a new certificate using certificate 8 as the parent. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 18 1 Certificate Management Utility (CMU) cmu delete This function deletes a key, certificate, or generic data object on the token. A confirmation message is presented to the user, describing the class and label of the object about to be deleted. Syntax cmu delete Required Parameters Parameter Description -handle= The handle of the object to be deleted. The parameter "-handle" is followed by an equal sign "=", followed by the handle of the object (no spaces). Optional Parameters Parameter Description -force This optional parameter can be used to suppress the user confirmation step. Example The following command deletes the key or certificate referenced by object handle 14 without a request for confirmation of the delete operation: cmu delete -handle=14 -force The following command queries the user for a handle of an object to delete. The user is asked to confirm the deletion operation: cmu delete SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 19 1 Certificate Management Utility (CMU) cmu export This function exports an X.509 certificate from the token or HSM to a file. The supported formats are Raw (binary) and PEM (base 64 encoding). Syntax cmu export Required Parameters Parameter Description -handle= The handle to the X.509 certificate to be exported from the HSM to a file. The parameter "-handle" is followed by an equal sign "=", followed by the handle of the object (no spaces). -outputfile This mandatory parameter defines the name of the file that receives the certificate. Optional Parameters Parameter Description -binary This is an optional parameter that defines the exported certificate format to be raw binary instead of the default PEM (base64) encoding. Example The following command outputs the certificate with handle 7 to file test.cer in PEM format: cmu export -handle=7 -output=test.cer SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 20 1 Certificate Management Utility (CMU) cmu generatekeypair This function generates an asymmetric key pair on the token or HSM. An optional input filename can be used to specify a file from which mandatory and optional attributes are to be read. For DSA key generation, the domain parameters (Prime, Subprime, and Base) are required, and must be provided either as part of the command, or as responses to interactive prompting. If one is provided at the command line, then all three must be provided in that manner. If none are provided at the command line, then all three are prompted for interactive entry. You may not provide only one or two of the parameters at the command line. Providing just one or two domain parameters is considered an error, and the command halts with an error message. Syntax cmu generatekeypair Required Parameters Parameter Description -modulusBits This mandatory parameter defines the length in bits of the modulus value for the generation of RSA key pairs. It must be set to a value between 1024 and 4096 that is a multiple of 64 bits. If the HSM policy 12 "Allow non-FIPS algorithms" is set to "No", then RSA key size is limited to 2048 bits or 3072 bits. -publicExponent This mandatory parameter defines the public exponent value to use in the generation of RSA key pairs. It must be set to a value of 3, 17 or 65537. Optional Parameters Parameter Description -binary This is an optional parameter that defines the exported certificate format to be raw binary instead of the default PEM (base64) encoding. -inputFile This optional parameter defines the name of a file from which to obtain additional parameter settings, one per line, of the form name=value. -keyType This optional parameter defines the type of asymmetric keys to generate. This parameter is not required if the key type can be established by the presence of other parameters. (e.g. If modulusBits and/or publicExponent parameters are present, then keyType=RSA is redundant). Currently, only RSA key pairs are supported. -label This optional parameter defines a label to be applied to both of the newly generated keys. If a multiple word label is required, the label value must be enclosed within quotation marks. -labelPublic This optional parameter defines a label to apply to the public key from the newly generated key pair. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 21 1 Certificate Management Utility (CMU) Parameter Description -labelPrivate This optional parameter defines a label to apply to the private key from the newly generated key pair. -modifiable This optional parameter defines the modifiable setting for each of the keys in the key pair. It must be set to True or False (or 1 or 0). -id This optional parameter defines the Id field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. -startDate This optional parameter defines the startDate field for the newly generated keys. The format for the value is YYYYMMDD. -endDate This optional parameter defines the endDate field for the newly generated keys. The format for the value is YYYYMMDD. -subject This optional parameter defines the subject field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. The subject field is typically set to the DER encoding of the subject distinguished name for the key. -encrypt This optional parameter defines the encrypt setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the decrypt setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if encrypt is set True, then wrap and verify need to be False. -decrypt This optional parameter defines the decrypt setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the encrypt setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if decrypt is set True, then unwrap and sign need to be False. -sign This optional parameter defines the sign setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the verify setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if sign is set True, then unwrap and decrypt need to be False. -verify This optional parameter defines the verify setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the sign setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if verify is set True, then encrypt and wrap need to be False. -wrap This optional parameter defines the wrap setting for the public key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the unwrap setting for the private key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if wrap is set True, then encrypt and verify need to be False. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 22 1 Certificate Management Utility (CMU) Parameter Description -unwrap This optional parameter defines the unwrap setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. If this parameter is set to True, then the wrap setting for the public key should also be set to True. Note that an HSM is often configured such that no key can have multiple functions. Thus if unwrap is set True, then decrypt and sign need to be False. -extractable This optional parameter defines the extractable setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. -curvetype This optional parameter defines the name of a curve type for ECDSA keys. Enter values 1-5 (1-NISTP 192 / 2-NISTP 224 / 3-NISTP 256 / 4-NISTP 384 / 5-NISTP 521). -prime This optional parameter defines a prime length for DSA key generation. -subprime This optional parameter defines a subprime bits length for DSA key generation. -base This optional parameter defines a base length for DSA key generation. Example RSA C:\Program Files\SafeNet\LunaClient>cmu gen -modulusBits=2048 -publicExp=65537 -sign=T -verify=T Select token [1] Token Label: myPartition1 [2] Token Label: myPartition1 Enter choice: 2 Please enter password for token in slot 2 : ******************* C:\Program Files\SafeNet\LunaClient>cmu list Select token [1] Token Label: myPartition1 [2] Token Label: myPartition1 Enter choice: 2 Please enter password for token in slot 2 : ******************* handle=14 label=NewPublicVerifyingKey handle=15 label=NewPrivateSigningKey C:\Program Files\SafeNet\LunaClient> DSA - Domain Parameters at Command Line cmu generatekeypair -keytype DSA -slot 6 -prime 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d756921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c2448 -subprime 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61 -base 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e51 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 23 1 Certificate Management Utility (CMU) DSA - Domain Parameters Entered Interactively cmu generatekeypair -keytype DSA -slot 6 The prime, subprime and base values must be entered as a HEX byte array. For example, to enter a 1024-bit prime value, enter a 128-byte HEX byte array using this format: 0xa0383ee692f8... The prime value can be a 1024-bit, 2048-bit or 3072-bit value. Enter a prime value: 0xfcec6182eb206b43c03e36c0eadabff56a0c2e79def44bc8f2e53699096d1ff270f159785d7 56921dbff9773ae08483b662fc07df7512ff68b2e5565fd7982e20c244832aba121cc0799cc09f2d5414d5f3966211365f 51b83e9ffcccb3d88cdf238f7c2739131ca7aadff662fec1fb0e1d311a404260376fd011fe00d0204c3 Enter a 160 bit subprime value: 0xd3807353b51c5f71b22ac3d0c7e394148fcedc61 Enter a 1024-bit base value: 0x42e3778e6ec31b0db07a6b370d7fb6fb4a0bca6deaac371f6adbcbeba38ddf76a47 c3c3d79276a0e579ce4e347180fd9b4ad461d6cf0eac51fb08cf452f624570051e518a75a5bb9c3578a14fd4f27f795b22 acea62b1fdf1032c1266da081c7fb99c4266626587093fd381617238ee1578fc325548dc1c08e5f9322c3b1205e SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 24 1 Certificate Management Utility (CMU) cmu getattribute This function outputs any viewable attributes for an object. An optional output filename can be used to direct the output to a file. Syntax cmu getAttribute Required Parameters Parameter Description -handle= The handle to the object. The parameter "-handle" is followed by an equal sign "=", followed by the handle of the object (no spaces). If this parameter is omitted and there is only one object on the HSM, that object is automatically selected. If this parameter is omitted and there are multiple objects on the HSM, you are prompted to select the object. Optional Parameters Parameter Description -attributes This optional parameter lists the attributes to be displayed for the object as a comma separated list. Multiple instances of this option can also be used to define multiple attributes. If this parameter is omitted, all viewable attributes are displayed. -outputFile This optional parameter defines the filename to which the attribute set is written. If this parameter is omitted, the attribute set is written to the display. Example The following command outputs all of the viewable attributes for the object with handle 46 cmu getAttribute -handle=46 The following command outputs the label, public exponent and modulus of key 9 to file keydata.txt. cmu getAttribute -handle=9 -attribute=label,publicExponent,modulus -outputFile=keydata.txt SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 25 1 Certificate Management Utility (CMU) cmu getpkc Retrieve a Public Key Confirmation from the HSM. Syntax cmu getpkc Optional Parameters Parameter Description -handle= The handle to the corresponding private key for the PKC. The parameter "-handle" is followed by an equal sign "=", followed by the handle of the object (no spaces). -outputfile This mandatory parameter defines the name of the file that receives the PKC. -pkctype This mandatory parameter defines the PKC type (1 - TC-TrustCenter, 2 - Chrysalis-ITS). -verify This optional parameter sets a flag to verify the PKC against the certificate that signed the PKC. It must be set to True or False (or 1 or 0), with False being the default. Example cmu getpkc –handle=5 –pkctype=1 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 26 1 Certificate Management Utility (CMU) cmu import This function imports X.509 certificates from a file to the token or HSM. The file may include a single DER encoded binary certificate or a CMSS PKCS #7 certificate or certificate set. Either type of certificate can be binary or PEM (base 64) encoded. An optional label can be defined as a function parameter. If omitted, the common name of the certificate subject is chosen as the label. Syntax cmu import Required Parameters Parameter Description -inputFile This parameter defines the name of the file containing the certificate to import. Optional Parameters Parameter Description -label This parameter defines a label to apply to the imported certificate. If no label is defined, the Common Name portion of the certificate Subject distinguished name is used instead. Example The following example inputs the certificate in test.cer SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 27 1 Certificate Management Utility (CMU) cmu importkey This function unwraps an RSA, DSA , or ECDSA private key onto the selected token or HSM. The key file may be in any of the following formats: • PKCS #12(PFX) RSA in a DER-encoded format (.pfx file) • PKCS #8(Unencrypted PrivatekeyInfo) in RSA or DSA in base 64 PEM, or binary DER format • PKCS #1 (RSA in base64 PEM, or binary DER) format. Syntax cmu importkey Required Parameters Parameter Description -in (Filename) This parameter defines the full path to the file containing the key to import. -keyarg (DSA|RSA|ECDSA) Specifies the key's algorithm. Optional Parameters Parameter Description -PKCS8 Indicates that the key to import is formatted according to the PKCS#8 standard. -PKCS12 Indicates that the key to import is formatted according to the PKCS#12 standard. *Note that only the private key portion is unwrapped onto the token. Any certificates in this file are simply ignored. It is assumed that you properly export a PKCS #12 key from Windows keystore (or other source, as appropriate). -wrapkey (handle) The handle of the existing key that is to be used as the wrapping key. *Note that this key must have the CKA_WRAP attribute set to true. If this flag is not specified the default behaviour is to autogenerate a 3DES key for the sole purpose of unwrapping the key onto the HSM. -setkeyattr Allows the user to manually enter the imported key’s attributes. Modifiable key attributes are CKA_DECRYPT, CKA_SIGN, CKA_EXTRACTABLE, and CKA_UNWRAP. The defaults are always 1=true. Example cmu importkey -in rawrsa1028.pem –keyalg RSA -wrapkey 11 –setkeyattr cmu importkey –pkcs8 –in pk8privkey.pem –keyalg DSA–keyalg DSA cmu importkey –in rsakey.pem –keyalg RSA –wrapkey 11 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 28 1 Certificate Management Utility (CMU) cmu importkey –in rsakey.pem –keyalg RSA cmu importkey –PKCS12 –in p12.pfx –keyalg RSA Notes 1. Ideally the private key should be in PKCS#8 format (privatekeyinfo) and not encrypted. To convert a private key of either RSA or DSA type: (see PKCS#1 for RSA and PKCS#11 (11.9) for DSA) into a PKCS#8 structure, use the following openssl command: openssl pkcs8 -in key.pem -topk8 –nocrypt -out noenckey.pem 2. In the option to the command, the "PKCS" should be in all uppercase letters, as "cmu importkey -PKCS8" or "cmu importkey -PKCS12". 3. If the PKCS#8 structure is already encrypted according to the PKCS#5-PBE standard, then to import via CMU, use the following command: openssl pkcs8 -in pk8.pem -out key.pem *You will be prompted for the password to decrypt the PrivateKeyInfo. 4. You can export the PrivatekeyInfo contents of a .pfx file by using the following openssl command: openssl pkcs12 –in p12.pfx –out pk12_privkey.pem –nocerts –nodes *You will be prompted for the password to decrypt the PrivateKeyInfo. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 29 1 Certificate Management Utility (CMU) cmu list This function lists all objects (keys, certificates and other general data objects) on the HSM that match an optional set of search criteria and that are accessible given the authentication state of the HSM. Search criteria can include many of the object attributes that are available for searching via the PKCS #11 API. If no search criteria are defined, all accessible objects are returned. The content of the entries in the returned list is definable and can include the object handle and/or any combination of viewable object attributes. The default is to include the handle and the label (CKA_ LABEL). Syntax cmu list Required Parameters None Optional Parameters Parameter Description -display This is a comma-separated list of attributes to be displayed for each returned object in the list. Multiple attributes can also be specified by repeated use of the display option instead of using the comma-separated list. The attributes supported with the display option are index, handle, class, keyType, label and value. If this parameter is omitted, only the handle and the label are displayed. -class This option defines the class of object to list. It can be set to any of data, certificate, public, private and secret. -keyType This option specifies the type of keys to list. It can be set to any of rsa, dsa, dh, des, 2des, 3des, rc2, rc4, rc5, cast3, cast5 and generic. -certificateType This option specifies the type of certificate to list. It can only be set to x.509 if used. -label This option specifies the label that objects must match in order to be listed. -application This option specifies the application attribute that objects must match in order to be listed. -value This option specifies the value that objects must match in order to be listed. -issuer This option specifies the issuer that objects must match in order to be listed. -serialNumber This option specifies the serial number that objects must match in order to be listed. -subject This option specifies the subject that objects must match in order to be listed. -id This option specifies the id that objects must match in order to be listed. -token This option specifies whether permanent or temporary objects are to be listed. It can be set to True or 1 for permanent objects and False or 0 for temporary objects. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 30 1 Certificate Management Utility (CMU) Parameter Description -private Set to True or False (or 1 or 0). -sensitive Set to True or False (or 1 or 0). -alwaysSensitive Set to True or False (or 1 or 0). -extractable Set to True or False (or 1 or 0). -neverExtractable Set to True or False (or 1 or 0). -local Set to True or False (or 1 or 0). -encrypt Set to True or False (or 1 or 0). -decrypt Set to True or False (or 1 or 0). -sign Set to True or False (or 1 or 0). -verify Set to True or False (or 1 or 0). -wrap Set to True or False (or 1 or 0). -unwrap Set to True or False (or 1 or 0). -derive Set to True or False (or 1 or 0). startDate This option specifies the start date that objects must match in order to be listed. endDate This option specifies the end date that objects must match in order to be listed. modulusBits This option specifies the modulus size that RSA keys must match in order to be listed. publicExponent This option specifies the public exponent value that RSA keys must match in order to be listed. It can only be set to 3, 17 or 65537. - modifiable Set to True or False (or 1 or 0). Example The following example displays the handle and label of each certificate that is accessible on the HSM: cmu list -class=certificate The following example displays the handles of all locally generated RSA private signing keys on the HSM: cmu list -keyType=rsa -local=True -sign=True -display=handle The following example displays the class, type and label of all signing keys on the HSM: cmu list -display=class,keyType,label -sign=True SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 31 1 Certificate Management Utility (CMU) cmu requestcertificate This function creates a PKCS #10 certificate request for an RSA/DSA/ECDSA key pair on the token or HSM. It must be provided with the handle either to the public key or to the corresponding private key (all of the public key components are contained within the private key). The private key must have Signing capability because it is used to sign the certificate request structure. The signature is done using any of the mechanisms listed below. The subject name is defined by a series of optional RDN components. If none of these components are provided on the command line, the CKA_SUBJECT of the private key is used as the subject of the certificate request. If the private key does not have its CKA_SUBJECT attribute set, the user will be queried for each of the RDN components. The Subject DN should contain at least the country, organization and common name components. The signed certificate request is output to the specified file. Syntax cmu requestCertificate Required Parameters Parameter Description publichandle= This is a mandatory parameter that defines the handle to the public key from an RSA key pair to be certified. If this parameter is omitted and there is only one public signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple public signing keys on the HSM, the user is asked to select the public signing key. privatehandle = This is a mandatory parameter that defines the handle to the private key from an RSA key pair to be certified. If this parameter is omitted and there is only one private signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple private signing keys on the HSM, the user is asked to select the private signing key. -outputFile This mandatory parameter defines the file that receives the certificate request. Optional Parameters Parameter Description -binary This is an optional parameter that defines the certificate request format to be raw binary instead of the default PEM (base64) encoding. -sha1WithRsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. - sha224withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha224withRSAEncryption. The default is to use sha1WithRsa. - sha256withrsa This is an optional parameter that defines the signature algorithm for the certificate SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 32 1 Parameter Certificate Management Utility (CMU) Description request to be pkcs-1-sha256withRSAEncryption. The default is to use sha1WithRsa. - sha384withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha384withRSAEncryption. The default is to use sha1WithRsa. - sha512withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha512withRSAEncryption. The default is to use sha1WithRsa. - sha1withdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha1withDSAEncryption. The default is to use sha1WithRsa. - sha1withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha1withECDSAEncryption. The default is to use sha1WithRsa. - sha224withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha224withECDSAEncryption. The default is to use sha1WithRsa. - sha256withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha256withECDSAEncryption. The default is to use sha1WithRsa. - sha384withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha384withECDSAEncryption. The default is to use sha1WithRsa. - sha512withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha512withECDSAEncryption. The default is to use sha1WithRsa. -C This optional parameter defines the two-letter country name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. -S This optional parameter defines the state or province name for the subject distinguished name of the certificate request. This parameter may be present in the Subject DN. -L This optional parameter defines the locality (typically the city) for the subject distinguished name of the certificate request. This parameter may be present in the Subject DN. -O This optional parameter defines the organization name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. -OU This optional parameter defines the organization unit name for the subject distinguished name (DN) of the certificate request. This parameter may be present in the subject DN -CN This optional parameter defines the common name for the subject distinguished name (DN) of the certificate request. This parameter should be present in the subject DN. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 33 1 Certificate Management Utility (CMU) Example The following example creates a PEM encoded PKCS #10 certificate request for key 6: cmu requestCert -publichandle=6 –privatehandle=7 -C=CA -L=Ottawa -O="Rainbow-Chrysalis" CN="Test Certificate" -outputFile=testCert.req SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 34 1 Certificate Management Utility (CMU) cmu selfsigncertificate This function creates a self-signed X.509 certificate for an RSA, DSA, or ECDSA key pair on the token or HSM. It must be provided with the handles to both the public key and the corresponding private key (all of the public key components are contained within the private key). The private key must have Signing capability since it is used to sign the certificate request structure. The signature is done with any of the mechanisms listed below. The subject name is defined by a series of optional RDN components. If none of these components are provided on the command line, the CKA_SUBJECT of the private key is used as the subject of the certificate. If the private key does not have its CKA_SUBJECT attribute set, the user will be queried for each of the RDN components. The Subject DN should contain at least the country, organization and common name components. The certificate will, by default, have a keyUsage setting of keycertsign. The certificate is stored as a PKCS #11 certificate object on the token. The CKA_ID attribute of the certificate is defined by an optional parameter. If this parameter is omitted, the CKA_ID of the private key is used. Syntax cmu selfSignCertificate Required Parameters Parameter Description publichandle= This is a mandatory parameter that defines the handle to the public key from an RSA key pair to be certified. If this parameter is omitted and there is only one public signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple public signing keys on the HSM, the user is asked to select the public signing key. privatehandle = This is a mandatory parameter that defines the handle to the private key from an RSA key pair to be certified. If this parameter is omitted and there is only one private signing key on the HSM, that key is automatically selected. If this parameter is omitted and there are multiple private signing keys on the HSM, the user is asked to select the private signing key. -startDate This parameter defines the validity start of the certificate, in the format YYYYMMDD. -endDate This parameter defines the validity end of the certificate, in the format YYYYMMDD. -serialNumber This parameter defines the serial number of the certificate, in big-endian hexadecimal form. Optional Parameters Parameter Description -keyusage This is an optional parameter that defines the key usage extension for the certificate. It can be set to any of the following: digitalsignature, nonrepudiation, keyencipherment, SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 35 1 Parameter Certificate Management Utility (CMU) Description dataencipherment, keyagreement, keycertsign, crlsign, encipheronly, decipheronly. This parameter may appear more than once in the parameter set to define multiple usages, or it can be used once with a comma separated list of usage types. If no key usage is specified, a default setting of keycertsign is used. -label This is an optional parameter that defines the CKA_LABEL attribute for the certificate object that gets created on the HSM. If omitted, the common name of the issuer and subject DN is used instead. -id This is an optional parameter that defines the CKA_ID attribute for the certificate object that gets created on the HSM. If omitted, the CKA_ID attribute of the private key is used instead. -md5WithRsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-MD5withRSAEncryption. The default is to use sha1WithRsa. -sha1WithRsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-SHA1withRSAEncryption. The default is to use sha1WithRsa. - sha224withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha224withRSAEncryption. The default is to use sha1WithRsa. - sha256withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha256withRSAEncryption. The default is to use sha1WithRsa. - sha384withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha384withRSAEncryption. The default is to use sha1WithRsa. - sha512withrsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha512withRSAEncryption. The default is to use sha1WithRsa. - sha1withdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha1withDSAEncryption. The default is to use sha1WithRsa. - sha1withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha1withECDSAEncryption. The default is to use sha1WithRsa. - sha224withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha224withECDSAEncryption. The default is to use sha1WithRsa. - sha256withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha256withECDSAEncryption. The default is to use sha1WithRsa. - sha384withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha384withECDSAEncryption. The default is to use sha1WithRsa. - sha512withecdsa This is an optional parameter that defines the signature algorithm for the certificate request to be pkcs-1-sha512withECDSAEncryption. The default is to use SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 36 1 Parameter Certificate Management Utility (CMU) Description sha1WithRsa. -C This optional parameter defines the two-letter country name for the subject distinguished name (DN) and issuer Distinguished Name of the certificate. This parameter should be present in each DN. -S This optional parameter defines the state or province name for the subject DN and issuer DN of the certificate. This parameter may be present in each DN. -L This optional parameter defines the locality (typically the city) for the subject DN and issuer DN of the certificate. This parameter MAY be present in each DN. -O This optional parameter defines the organization name for the subject DN and issuer DN of the certificate. This parameter SHOULD be present in each DN. -OU This optional parameter defines the organization unit name for the subject DN and issuer DN of the certificate. This parameter MAY be present in each DN. -CN This optional parameter defines the common name for the subject DN and issuer DN of the certificate. This parameter SHOULD be present in each DN. Example The following example creates a self-signed certificate for RSA key 4: cmu selfSign -publichandle=4 –privatehandle=5 -C=CA -O=Rainbow-Chrysalis -CN="Test Root Certificate" -startDate=20120101 -endDate=20151231 -serialNum=0133337f SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 37 1 Certificate Management Utility (CMU) cmu setattribute This function sets any modifiable attributes for an object. An optional input filename can be used to specify a file from which the new attribute values are to be read. Syntax cmu setAttribute Required Parameters Parameter Description -handle= This is a mandatory parameter that defines the handle to the object on the HSM. If this parameter is omitted and there is only one object on the HSM, that object is automatically selected. If this parameter is omitted and there are multiple objects on the HSM, the user is asked to select the object Optional Parameters Parameter Description -inputFile This optional parameter names a file from which to obtain additional attribute settings. The settings in this file shall be one per line and of the form: attributeName=attributeValue. -label This optional parameter defines a new value for the label of an object on the HSM. -application This optional parameter defines a new value for the application attribute of a data object on the HSM. -value This optional parameter defines a new value attribute for an object on the HSM. It must be set to a big-endian hexadecimal integer value. Note that the value attribute can be changed only for data objects, not for certificates or keys. -issuer This optional parameter defines a new issuer attribute for a certificate on the HSM. It must be set to a big-endian hexadecimal integer value. Note that this field is informational, typically set to the DER encoding of the issuer field within the certificate, and changing it does not affect the actual issuer field within the certificate itself. -serialNumber This optional parameter defines a new serial number attribute for a certificate on the HSM. It must be set to a big-endian hexadecimal integer value. Note that this field is informational, typically set to the DER encoding of the serial number of the certificate, and changing it does not affect the actual serial number field within the certificate itself. -subject This optional parameter defines a new subject field for an object on the HSM. It must be set to a big-endian hexadecimal integer value. The subject field is typically set to the DER encoding of the subject distinguished name for the key or certificate. Note that the subject is not modifiable for certificate objects once they are created. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 38 1 Certificate Management Utility (CMU) Parameter Description -id This optional parameter defines a new ID field for a key or certificate on the HSM. It must be set to a big-endian hexadecimal integer value. -extractable This optional parameter defines a new extractable setting for a private key on the HSM. This setting can only be changed from True to False (or from 1 to 0). -encrypt Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -decrypt Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -sign Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -verify Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -wrap Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -unwrap Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -derive Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. -startDate This optional parameter defines a new startDate field for a key on the HSM. The format for the value is YYYYMMDD. -endDate This optional parameter defines a new endDate field for a key on the HSM. The format for the value is YYYYMMDD. -sensitive Set to True or False (or 1 or 0). Note that an HSM is typically configured such that functional key attributes cannot be changed, so attempting to change this attribute will be rejected by the HSM. Example The following example changes the key with handle 43 to be unextractable: cmu setAttribute -handle=43 -extractable=False SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 39 1 Certificate Management Utility (CMU) cmu verifypkc Verify a Public Key Confirmation from the HSM. Syntax cmu verifypkc Required Parameters Parameter Description -inputFile This parameter defines the name of the file that contains the PKC. -pkctype This parameter defines the PKC type (1 - TC-TrustCenter, 2 - Chrysalis-ITS). Optional Parameters None. Example cmu verifypkc –inputFile=test.pkc –pkctype=1 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 40 2 CKdemo This chapter describes how to access and use the ckdemo demonstration utility. The ckdemo utility is a simple console-based tool that provides a menu of functions that perform operations based on the PKCS#11 API. The ckdemo utility is included with the SafeNet HSM client and can be used with any SafeNet HSM. This chapter contains the following sections: • "Accessing the ckdemo Utility" below • "Using the ckdemo Menu" on the next page • "The TOKEN Menu Functions" on page 55 • "The OBJECT MANAGEMENT Menu Functions" on page 48 • "The SECURITY Menu Functions" on page 53 • "The TOKEN Menu Functions" on page 55 • "The HIGH AVAILABILITY RECOVERY Menu Functions" on page 47 • "The KEY Menu Functions" on page 47 • "The CA Menu Functions" on page 45 • "The OTHERS Menu Functions" on page 50 • "The OFFBOARD KEY STORAGE Menu Functions" on page 50 • "The SCRIPT EXECUTION Menu Functions" on page 53 • "The CLUSTER EXECUTION Menu Functions" on page 46 • "The PED INFO menu functions" on page 52 • "The AUDIT/LOG Menu Functions" on page 44 • "The SRK Menu Functions" on page 54 Accessing the ckdemo Utility The ckdemo utility is included with the SafeNet HSM client. How you access it depends on whether you are using Windows or Linux/UNIX. To access ckdemo from a Linux client 1. Go to the SafeNet HSM client binary directory. cd /usr/safenet/lunaclient/bin 2. Launch the ckdemo utility ./ckdemo The ckdemo main menu is displayed. See "Using the ckdemo Menu" on the next page. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 41 2 CKdemo To access ckdemo from a Windows client 1. Navigate to the SafeNet HSM client installation folder (C:\Program Files\SafeNet\LunaClient) 2. Double-click on ckdemo to open a console window with the ckdemo interface. The ckdemo main menu is displayed. See "Using the ckdemo Menu" on page 1. Using the ckdemo Menu When you launch the ckdemo utility, the ckdemo menu is displayed. The ckdemo menu provides access to numerous functions in several categories, as illustrated below: Figure 1: The ckdemo menu TOKEN: ( 1) Open Session ( 2) Close Session ( 3) Login ( 4) Logout ( 5) Change PIN ( 6) Init Token ( 7) Init Pin ( 8) Mechanism List ( 9) Mechanism Info (10) Get Info (11) Slot Info (12) Token Info (13) Session Info (14) Get Slot List (15) Wait for Slot Event (16) Token Status (18) Factory Reset (19) CloneMofN (33) Token Insert (34) Token Delete (36) Show Roles (37) Show Role Configuration Policies (38) Show Role State (39) Get OUID (58) HSM Zeroize (59) Token Zeroize OBJECT MANAGEMENT: (20) Create object (21) Copy object (22) Destroy object (23) Object size (24) Get attribute (25) Set attribute (26) Find object (27) Display Object (30) Modify Usage Count (31) Destroy Multiple Objects (32) Extract Public Key SECURITY: (40) Encrypt file (41) Decrypt file (42) Sign (43) Verify (44) Hash file (45) Simple Generate Key (46) Digest Key HIGH AVAILABILITY RECOVERY: (50) HA Init (51) HA Login (52) HA Status KEY: (60) Wrap key (61) Unwrap key (62) Generate random number (63) Derive Key (64) PBE Key Gen (65) Create known keys (66) Seed RNG (67) EC User Defined Curves CA: (70) Set Domain (71) Clone Key (72) Set MofN (73) Generate MofN (74) Activate MofN (75) Generate Token Keys (76) Get Token Cert Info (77) Sign Token Cert (78) Generate CertCo Cert (79) Modify MofN (86) Dup. MofN Keys (87) Deactivate MofN (88) Get Token Certificates (112) Set Legacy Cloning Domain OTHERS: (90) Self Test (94) Open Access (95) Close Access (97) Set App ID (98) Options (100) LKM Commands OFFBOARD KEY STORAGE: (101) Extract Masked Object (102) Insert Masked Object (103) Multisign With Value (104) Clone Object (105) SIMExtract (106) SIMInsert (107) SimMultiSign (118) Extract Object SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 42 2 CKdemo (119) Insert Object SCRIPT EXECUTION: (108) Execute Script (109) Execute Asynchronous Script (110) Execute Single Part Script CLUSTER EXECUTION: (111) Get Cluster State (113) Lock Clustered Slot (114) Unlock Clustered Slot PED INFO: (120) Set Ped Info (121) Get Ped Info (122) Init RPV (123) Delete RPV AUDIT/LOG: (130) Get Config (131) Set Config (132) Verify logs (133) Get Time (134) Set Time (135) Import Secret (136) Export Secret (137) Init Audit (138) Get Status (139) Log External SRK: (200) SRK Get State (201) SRK Restore (202) SRK Resplit (203) SRK Zeroize (204) SRK Enable/Disable POLICY: (53) Show Partition Policies (54) Set Partition Policies (55) Show HSM Policies (56) Set HSM Policies (57) Set Destructive HSM Policies (TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit Enter your choice : Executing a Menu Function To execute one of the functions listed in the menu, type the number of the function and press Enter. In general, if parameters or options are required, you are prompted to provide the additional information. Because most of the commands represent separate functions on an HSM, you may need to use more than one command to accomplish a task. For example, many of the commands require that you open a session on a token slot or HSM partition. Other commands require that you first login to the HSM or partition. Functions that involve authentication or initialization of the HSM invoke the SafeNet PED for Trusted Path appliances. If the SafeNet PED is not connected and ready when a command is issued, the command eventually times out. If the SafeNet PED is connected and ready, it displays a prompt requesting the appropriate action. If you do not provide the requested PED Key or keypad press, the SafeNet PED eventually times out and returns an error to the calling application (in this case, ckdemo). The individual ckdemo functions are described in detail in the following sections: • "The AUDIT/LOG Menu Functions" on the next page • "The CA Menu Functions" on page 45 • "The CLUSTER EXECUTION Menu Functions" on page 46 • "The HIGH AVAILABILITY RECOVERY Menu Functions" on page 47 • "The KEY Menu Functions" on page 47 • "The OBJECT MANAGEMENT Menu Functions" on page 48 • "The OFFBOARD KEY STORAGE Menu Functions" on page 50 • "The OTHERS Menu Functions" on page 50 • "The PED INFO menu functions" on page 52 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 43 2 • "The SCRIPT EXECUTION Menu Functions" on page 53 • "The SECURITY Menu Functions" on page 53 • "The SRK Menu Functions" on page 54 • "The TOKEN Menu Functions" on page 55 CKdemo The AUDIT/LOG Menu Functions The AUDIT/LOG menu provides the following functions: (130) Get Config (131) Set Config (132) Verify Logs (133) Get Time (134) Set Time (135) Import Secret (136) Export Secret (137) Init Audit (138) Get Status SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 44 2 CKdemo (139) Log External The CA Menu Functions The CA menu provides the following functions: (70) Set Domain (Not for SafeNet Network HSM) This option prompts for a text string and sets the token cloning domain name to that value. To clone a key between two SafeNet CA3 tokens, both tokens must share the same red PED Key. (71) Clone Key (Not for SafeNet Network HSM) This option allows you to clone a key from one SafeNet RA token to another (or one SafeNet CA3 token to another). Both tokens must have the same cloning domain name (or red PED Key). Both tokens must have an open and logged on session active. (72) Set MofN (Not for SafeNet Network HSM) If you have a SafeNet CA3 token (which supports MofN authentication), this option allows you to turn on the MofN token feature. This option alone does nothing to the token, but instead sets a flag specifying that the next token to be initialized should have its MofN feature turned on (assuming, of course, that the token supports it). (73) Generate MofN (Not for SafeNet Network HSM) This option allows you to generate MofN authentication splits, or secret shares. You can generate up to 16 shares (N), and you can specify how many of these shares are needed (M) in order to activate the token (up to 16). (74) Activate MofN (Not for SafeNet Network HSM) This option allows you to authenticate yourself to the token using MofN secret shares generated by option #73 (Generate MofN). You must activate MofN on a token on which MofN has been generated, or you are unable to perform any cryptographic operations with the token. (75) Generate Token Keys (Not for SafeNet Network HSM) Some tokens have the ability to support customer loaded certificates used for key cloning. If your token supports this feature, and you wish to use you own key cloning certificates (rather than the default certificates provided by SafeNet), the first step is to Generate token keys. Note: If you do this, you are not able to clone to any other SafeNet CA tokens except those containing your own certificate. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 45 2 CKdemo (76) Get Token Cert (Not for SafeNet Network HSM) This option is the next step in loading your own key cloning certificate onto the token. This action is done after #75 (Generate Token Keys). (77) Sign Token Cert (Not for SafeNet Network HSM) This option is the final step to load a customer key cloning certificate to the token. This step is done after Steps 75 and 76. (78) Generate CertCo Cert (Not for SafeNet Network HSM) Generate a special-purpose certificate for CertCo application. (79) Modify MofN (Not for SafeNet Network HSM) Modifies the secret splitting vector on a token. (86) Dup. MofN Keys (Not for SafeNet Network HSM) Create duplicates (copies) of all MofN secret splits. (87) Deactivate MofN Decache the MofN data. (88) Get Token Certificates Extract one of the following certificates from the HSM. You must supply the type and filename of the certificate you want to extract: • Root certificate • Hardware origin certificate • ECC hardware origin certificate • TWC (token wrapping certificate) version 1, 2, or 3. • TCTrust device authentication certificate • CITS device authentication certificate (112) Set Legacy Cloning Domain This option sets the legacy Cloning Domain, from a legacy token, into association with the modern cloning domain attached to a current-model SafeNet HSM, to allow migration of token objects from legacy HSMs. The CLUSTER EXECUTION Menu Functions The CLUSTER EXECUTION menu provides the following functions: SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 46 2 CKdemo (111) Get Cluster State The HIGH AVAILABILITY RECOVERY Menu Functions The HIGH AVAILABILITY RECOVERY menu provides the following functions: (50) HA Init (Not for SafeNet Network HSM) Requires that an RSA keypair have been previously created, and the private key cloned to User space of the affected tokens. This option requires the handle to the session (of the User that owns the key pair) and the handle to the login private key itself. (51) HA Login (Not for SafeNet Network HSM) This option initiates several functions (including creation of a TWC [Token Wrapping Certificate] blob and HA Login Challenge (secondary token in the current HA domain) and Acceptance (primary token), as described in the document Extensions to PKCS#11, Cryptographic Token Interface Standard. (52) HA Status Display the current status for a specified HA slot. The KEY Menu Functions The KEY menu provides the following functions: 60) Wrap Key This option allows you to encrypt a key. You must provide the encryption mechanism type, the handle of the wrapping key (used to encrypt the key), and the handle of the key to be wrapped (the one that is going to be encrypted). Currently, the wrapping of private asymmetric keys is not supported. 61) Unwrap Key This option allows you to import a wrapped (encrypted) key into the token. You are asked for the mechanism to be used for the unwrapping operation as well as what type of key is being unwrapped. Depending on the type of key being unwrapped, you are asked for some information about the key. Then you must provide a key handle of the token key to be used in the unwrapping (decryption) operation, and finally, give the name of the file containing the wrapped key. If the unwrapping key has an associated CKA_UNWRAP_TEMPLATE attribute, this affects the results of the operation. Note that if you are generating a key in CKDemo, the option to attach an unwrap template is disabled by default. You can enable this option in the OTHERS menu. 62) Generate Random Number This option generates a specified amount of random data. You are asked how many bytes of random data to generatanthen are presented with the random value. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 47 2 CKdemo 63) Derive Key This option allows you to use a key derivation mechanism to derive a key on the token. There are several key derivation mechanisms to choose from, and you are presented with a menu of the choices. Depending on the key derivation mechanism, you are asked for some information about the key. If the base key used for generation includes a CKA_ DERIVE_TEMPLATE attribute, the information you provide is added with the attributes in the derive template. If your information contradicts the attributes in the derive template, the derive operation fails. Note that if you are generating a key in CKDemo, the option to attach a derive template is disabled by default. You can enable this option in the OTHERS menu. 64) PBE Key Generation This option allows you to perform a "Password Based Encryption" key generation. This option is useful because it allows you to put the same key on multiple tokens without ever knowing the key value itself. 65) Create Known Keys This option attempts to load a known key onto the token. However, due to policy setting on most tokens, this option is not allowed. As an alternative, it is possible to encrypt a known key and then unwrap it onto the token. See the Unwrap Key sample code on the SDK distribution CD. 66) Seed RNG Provide a seed value to the HSM's Random Number Generator. 67) EC User Defined Curves Set the desired attributes and point to a file containing Elliptical Curve parameters for generating EC keys. The OBJECT MANAGEMENT Menu Functions The OBJECT MANAGEMENT menu provides the following functions: (20) Create Object This option allows you to create objects on the token. You can use this option to create data or certificate objects on the token. You are presented with a default template for your new object that you can change or choose to accept as default. Note: Key generation is not done with this option, instead you should use option #45 - Generate Key (21) Copy Object This option allows you to make a copy of a token object and allows you to add/remove/change attributes of the object as you copy it. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 48 2 CKdemo (22) Destroy Object This option allows you to permanently delete a token object from the token. (23) Object Size This option asks you for an object handle and returns the total size of the object (how much memory it is occupying on the token). (24) Get Attribute This option asks you for an object handle and returns the attributes of that object. (25) Set Attribute This option allows you to change the value of an attribute on an object that already exists on the token. (26) Find Objects This option searches the token for objects that are available to you as the User or the SO (depending on which identity you used to log in). You specify a type (such as Data Objects, various Key objects, Certificate Objects, etc.). Option (#6) shows all the objects on the token. (27) Display Object This option shows all the attributes and associated values for an object on the token (if that object is available to you). Note: If a key is sensitive, it contains an attribute called CKA_VALUE but this attribute is not displayed because the token does not allow this information to be exported. (30) Modify Usage Count This option allows you to increment the current value, or specify a new value, for an object's usage counter. You are prompted for the object handle and whether you want to increment or reset the usage counter for the specified object. (31) Destroy Multiple Objects This option allows you to permanently delete multiple token objects from the selected token. (32) Extract Public Key This option allows you to specify a public key to extract from the HSM. The key is saved as publickey.bin in the current directory, overwriting any existing publickey.bin file. Note: The Extractable attribute must be set to 1 (on) in order for a public key to be extracted from the HSM. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 49 2 CKdemo The OFFBOARD KEY STORAGE Menu Functions The OFFBOARD KEY STORAGE menu provides the following functions: (101) Extract Masked Object Extracts a key off the SafeNet Network HSM in a masked format, into a file “masked.key”. You can rename the resulting file if you are testing with multiple extractions. (102) Insert Masked Object Inserts an extracted, masked blob (file) back onto the SafeNet Network HSM. You are prompted for the name of the file, which must have been extracted from a SafeNet Network HSM using the same masking key (i.e., the same SafeNet Network HSM or a clone of it). (103) Multisign With Value Performs the multisign function, after prompting you for the mechanism to use, the number of datablobs to be signed (limited to 5 for this demonstration command), and the data or filenames to be signed. (104) Clone Object (Reserved for SafeNet use) (105) SIMExtract (106) SIMInsert (107) SimMultiSign (118) Extract Object (119) Insert Object The OTHERS Menu Functions The OTHERS menu provides the following functions: SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 50 2 CKdemo 90) Self Test Not currently supported. 94) Open Access Creates a token access ID that is independent of any sessions so that the login state can be maintained even when your application exits. Used to allow the same application to return repeatedly for access without requiring a separate login each time. Remains active until Closed (command 95, below) or until the token is removed. 95) Close Access Kills the ID generated by command 94, above. 97) Set App ID You are prompted to type in an explicit application ID (in two parts, Major and Minor), rather than having it generated by Chrystoki. Doing so effectively causes all processes (using that Major/Minor application ID) on the machine to be recognized as the same application. Refer to the PKCS#11 Extensions document. 98) Options This item allows you to change some default options of the CKDemo program. You can turn off help (which prevents the entire menu from being displayed after each command), or select the type of session you wish the Open Session command to use. Use option #0 to exit this menu and return to the CKDemo main menu. Use option 16 if HSM firmware is newer than version 6.22.0 and you wish to use CKR_TEMPLATE_INCONSISTENT Option Description (Default) Alternate 1 - Open Session Type Always R/W and Serial User selectable. 2 - Display Help Always On demand 3 - PIN path User supplied ASCII password Selectable 4 - Echo input Disabled On all commands and data 5 - Sleep for n seconds Sleep for n seconds after writing special instructions to stderr Enter a number of seconds to sleep. Then enter the desired instructions. Finish entering instructions with a period ( . ) alone on a line. 6 - KCV Default User supplied KCV Domain Selectable 7 - MofN path User supplied MofN path Selectable 8 - Show Response Code SHOW_RESPONSE_BEFORE_MENU SHOW_RESPONSE_ BEFORE_AND_AFTER_ MENU SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 51 2 CKdemo Option Description (Default) Alternate 9 - Input data for sign/derive Input from keyboard Input from file 10 - Object Usage Counters Disabled Selectable 11 - GCM IV Source External Internal 12 - ECIES Parameters Use default (XOR with HMAC_SHA1) Selectable 13 - X9.31 Signatures Allow X9.31 generated keys only Allow non-X9.31 generated keys 14 - Multipart enc/dec/sig/ver Use single part operations Use multi-part operations 15 - Use Old Enc/Dec Menu Use old Encrypt/Decrypt menu Use new Encrypt/Decrypt menu 16 - Role Support Enhanced roles - use with roles as they are implemented with PSO-capable firmware (f/w 6.22.0 and newer) Use HSM with legacy SafeNet roles ( as found with f/w previous to v6.22.0) 17 - OAEP Hash Params Use default (SHA1 Digest and MGF1) Selectable 18 - Array Template Attributes Do not use array template attributes Use array template attributes 0 - Finished 100) LKM Commands The PED INFO menu functions The PED INFO menu provides the following functions: 120) Set PED Info Specify the PED (local or remote) that is associated with the HSM in a specific slot. 121) Get PED Info Display information describing the PED that is associated with the HSM in a specific slot. 122) Init RPV Create a Remote PED Vector, and imprint it onto an orange Remote PED Key (RPK), to allow PED functions with a remotely located SafeNet HSM (which must also have the same RPV). SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 52 2 CKdemo 123) Delete RPV Remove the Remote PED Vector from the current HSM. Disallows Remote PED operation for this HSM until (if) a new RPV is created or an existing RPV is acquired from an imprinted RPK. The SCRIPT EXECUTION Menu Functions The SCRIPT EXECUTION menu provides the following functions: (108) Execute Script (109) Execute Asynchronous Script (110) Execute Single Part Script The SECURITY Menu Functions The SECURITY menu provides the following functions: (40) Encrypt File This option allows you to encrypt a file. You are asked which encryption mechanism you wish to use, then the filename of the file to be encrypted, and finally the key handle of the key to be used in the encryption operation. (41) Decrypt File This option allows you to decrypt an encrypted file. You are asked for the encryption mechanism to use to decrypt the file, name of the file to be decrypted, and the handle of the key to be used for the decryption. (42) Sign This option signs a string of data using a token signing mechanism. You are prompted for the signing mechanism that you wish to use, the data to be signed, and the key handle of the signing key (private key when using a Private/Public key pair). Note: This option takes in a string of data to be signed from the keyboard, rather than a filename of a file containing the data (like encryption does). The signature is saved to a file called SIGN.BIN SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 53 2 CKdemo (43) Verify This option verifies a signature against a string of data. You are prompted for the mechanism to be used for verification, the data to be verified and the key handle of the verification key. The signature is read from the file SIGN.BIN that is generated during the sign operation. (44) Hash File This option prompts for the hashing mechanism to be used, and the name of the file to be hashed. The hash value is saved to a file called DIGEST.HSH at the end of the operation. (45) Simple Generate Key This option performs key generation on the token. You are presented with a menu of possible key types. Depending on the key type being generated, you are asked a list of question about the attributes of the key(s). If the option to use array attributes is enabled through the OTHERS menu, you are presented with the option to use and edit a CKA_UNWRAP_ TEMPLATE or CKA_DERIVE_TEMPLATE. These templates affect the Unwrap Key and Derive Key functions. (46) Digest Key This option prompts for a digest mechanism and a key handle. The key value is digested using the selected mechanism. The SRK Menu Functions The SRK menu provides the following functions: (200) SRK Get State Shows the current state of the Master Tamper Key. (201) SRK Restore Gets the external split (SRK) of the Secure Recovery Vector from a connected SafeNet PED, combines it with the internally-stored split, to regenerate the SRV, and re-validates the MTK (202) SRK Resplit Performs a new split of the Secure Recovery Vector and places the external portion of the split onto a PED Key (purplelabeled key called the Secure Recovery Key or SRK). (203) SRK Zeroize Zeroize the SRK. This action simulates a hardware tamper. (204) SRK Enable/Disable Enable splitting of the Secure Recovery Vector into an internal (to the HSM) portion and an external portion (stored on a purple PED Key). Or, disables that function by bringing the external split back into the HSM (requires SafeNet PED and SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 54 2 CKdemo the purple PED Key with the correct SRV split on it - that purple key then becomes invalid). The TOKEN Menu Functions The TOKEN menu provides the following functions: ( 1) Open Session Before you can manipulate objects or perform cryptographic operations on a token, you must have an open session on that token. This command prompts you for the number of the slot on which to open the new session. By default, an exclusive, Read/Write session is opened. If you would like to open a read only or non-exclusive session, you must use the (98) Options function and specify that you want to be prompted for session types. See ( 2) Close Session Session Once you are finished using a session, the session should be closed. The Close Session option allows you to close a single session, or to close all the sessions on a specific token. ( 3) Login Once a session is opened, you usually log on to the token. You have a choice between logging on as a User (where you do most of your work with the token) or as Security Officer "SO" (Where you can set up the user PIN and do any token administration operations). ( 4) Logout When you are finished with the token, you should first log out, then close the session. ( 5) Change PIN (Not for SafeNet Network HSM) This option lets you change the logon password (the PIN) of the currently logged in user. You must supply both the old PIN and the new PIN to complete the operation. ( 6) Init Token (Not for SafeNet Network HSM) This option allows you to reset a token to its initial state. You are prompted for the following: • the slot containing the token to be initialized • the token label (which is simply a text string that you can use for Token Identification) • a new password for the Security Officer. Token initialization performs the following actions: • wipes out any token objects (Keys, certificates, etc) • clears the user PIN (so that it must be reset by the Security Officer) • sets the SO PIN to the value that you have specified. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 55 2 CKdemo ( 7) Init PIN (Not for SafeNet Network HSM) This command is used to create a user (and thus overwrites an existing user) and is run when you are logged in as the Security Officer. ( 8) Mechanism List This option gives a list of all the encryption/authentication/hashing/key-generation mechanisms supported by the token. If you want to know if the token supports a specific type of encryption, you can check for it in the mechanism list. ( 9) Mechanism Info This option allows you to query a specific mechanism (option #8 - Mechanism List presents a list of them) to find such information as supported key sizes. You are asked for the Mechanism type, which is a numeric value representing the mechanism (these numeric values are given when you request a mechanism list). (10) Get Info This option returns basic information on the Dynamic Library that is being used to talk to the token. None of this information is token specific, and it can be viewed even if there is no token present. 11) Slot Info This option gives specific information on a card slot. The slot description and slot ID are given, as well as some flags to represent if a token is present. 12) Token Info This option gives information on a token in a specific slot, including the following: • Token Label • Token Manufacturer • Token Model • Token Flags • Session Count • Min and Max PIN Lengths • Private memory size/free • Public memory size/free 13) Session Info This option gives information on an open session. You must have at least one session opened to query session information. For a particular session you can find the session handle, the slot ID, the session state, and any associated session flags. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 56 2 CKdemo 14) Get Slot List This option returns a list of card slots available on the system. You are given the option to view all slots, or just the slots which contain tokens. 15) Wait for Slot Event Runs CK_WaitforSlotEvent (from PKCS#11 Extensions) 18) Factory Reset This option resets the HSM to its factory settings. 19) Clone MofN (Not for SafeNet Network HSM) Copy a clonable secret-splitting vector from one token to another. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 57 CKlog CKlog This chapter describes how to use the cklog utility. It contains the following sections: • "Lunadiag Utility" on page 61 cklog Utility SafeNet Software Development Kit can record all interactions between an application and our PKCS#11-compliant library, allowing a developer to debug an application by viewing what the library receives. The tool is the Cryptoki Logging Facility or cklog. In function, cklog is a library that displaces our PKCS#11 library. When it receives a call it does not service the request but, instead, logs the call to a file and passes the request to the originally intended library. For cklog to function properly, perform these two steps: 1. Direct the application to use the cklog library instead of the regular Chrystoki library. 2. Instruct the cklog library where to access the regular library. Achieve the first step by modifying the configuration files to instruct CkBridge to load the Cklog library. This redirection is described in the next sub-section. The second step involves different blocks in the configuration file. Here are descriptions of entries that might be applicable: • LibNT - references to a Cryptoki library for Windows 2008 and Windows 2012. • LibUNIX - references to a Cryptoki library for UNIX (meaning Solaris, Linus and AIX). • LibHPUX - references to a Cryptoki library specific to HP-UX. • Enabled - 0 or 1. Allows turning the logging facility off or on. • File - references the file to which the requests should be logged. • Error - references a file where the logging facility can record fatal errors. • NewFormat - 0 or 1 disables/enables a more compact output format, which is the format preferred by SafeNet Customer Support. Windows Example The following example shows a typical initialization file under Windows where cklog is in use: [Chrystoki2] LibNT=c:\Program Files\SafeNet\LunaClient\cklog201.dll [CkLog2] LibNT=c:\Program Files\SafeNet\LunaClient\cryptoki.dll Enabled=1 File=c:\Program Files\SafeNet\LunaClient\cklog2.txt Error=c:\Program Files\SafeNet\LunaClient\error2.txt NewFormat=1 LoggingMask=ALL_FUNC SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 58 CKlog UNIX Example The following example shows a typical configuration file under UNIX where cklog is in use: Chrystoki2 = { LibUNIX=/usr/lib/libcklog2.so; } CkLog2 = { LibUNIX=/usr/lib/libCryptoki2.so; Enabled=1; File=/tmp/cklog.txt; Error=/tmp/error.txt; NewFormat=1; LoggingMask=ALL_FUNC; } Selective Logging When logging is turned on, all functions are logged, by default. If you wish to restrict logging to particular functions of interest only, you can edit the “LoggingMask=” parameter in the crystoki.ini [Windows] or Chrystoki.conf [UNIX] file to include flags for the desired logging. LoggingMask= Flags Here is the list of possible flags for cklog: Flag Description GEN_FUNCS General Functions SLOT_TOKEN_FUNC Slot/Token related functions SESSION_FUNC Session related functions OBJ_MNGMNT_FUNC Object Management functions ENC_DEC_FUNC Encrypt/Decrypt related functions DIGEST_FUNC Digest Related functions SIGN_VERIFY_FUNC Signing/Verifying related functions KEY_MNGMNT_FUNC Key Management related functions MISC_FUNC Misc functions CHRYSALIS_FUNC SafeNet Extensions functions ALL_FUNC All functions logged; You can mix and match any or all of the flags, using the “|” operator. For example, the following: LoggingMask=GEN_FUNC | SLOT_TOKEN_FUNC | ENC_DEC_FUNC | SIGN_VERIFY_FUNC; would be valid. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 59 CKlog Note: You can use the flags in any order. Using the ALL_FUNC flag overrides any other flag. If you have the “LoggingMask=” parameter, with NO flags set, then nothing is logged. If logging capability is enabled (cklog), but there is no “LoggingMask=” line, then default behavior prevails and everything is logged. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 60 3 Lunadiag This chapter describes how to use the lunadiag utility. It contains the following sections: • "Lunadiag Utility" below Lunadiag Utility Lunadiag is a diagnostic tool for SafeNet card products. In general, you may never need to use it, other than to confirm a successful SafeNet installation. If you experience problems with a SafeNet product and need to contact Customer Support, you may be asked to perform additional tests with Lunadiag, as part of the troubleshooting process. In that circumstance, the support representative will instruct you. Several menu items are self-explanatory. The more obscure items are of interest only to Technical Support in very specific circumstances. However, if you are an application developer, you may wish to use Lunadiag during your software-development. You have the option to run Lunadiag from the command line of a console window. From the command line, the syntax for Lunadiag is: lunadiag [-s=num] [-o=num] [-c=num] <[options]> Where -s=num Number of slots to test at once. (Range: 1.. N; default: 1 where N is the number of slots available to the client) -o=num Offset into slots to begin testing (Range: 0.. N-1; default: 0) -c=num Command to run (Range: 1..16) for example, lunadiag -s=1 -o=1 -c=11 The spaces are required. The following additional options can be executed, and exit immediately without user prompt. -CHRYSTOKI Perform the Chrystoki Library configuration test. -DUALPORT Dump dualport. -FIPS Test for FIPS setting for one token. Exit code 1 implies FIPS enabled. Using Lunadiag Run lunadiag with no arguments, to get a list of slots that it can see. C:\Program Files\SafeNet\LunaClient>lunadiag lunadiag version 8.0 Date: Feb 13 2015 Time: 14:21:44 Detecting Luna devices ... Detection complete. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 61 3 Slots available: Slot #0 - Present Slot #1 - Present Slot #2 - Present Slot #3 - Present Slot #4 - Not present Slot #5 - Present Slot #6 - Not present Slot #7 - Not present Enter slot to test: - Lunadiag LunaNet Slot LunaNet Slot LunaNet Slot Viper PCI Card Luna UHD Tunnel Slot Luna UHD Slot Luna UHD Slot Luna UHD Slot In the slot list, above, slots 0, 1, and 2 are listed as "LunaNet Slot", and correspond to SafeNet Network HSM application partitions that are registered with this client/host. Slot 3, "Viper PCI Card", is a locally contained SafeNet PCIe HSM physical slot. While LunaCM shows a separate HSM administrative slot and application partition slot (if HSM firmware is version 6.22.0 or newer), lunadiag shows a single physical slot. Similarly, Slot 5, "Present - Luna UHD Slot", is a SafeNet USB HSM physical slot. Slot 4 "Not present - Luna UHD Tunnel Slot", is reserved for a USB HSM Device (UHD) like a SafeNet Backup HSM that could be directly connected to the SafeNet PCIe HSM card. The slots listed as "Not Present - Luna UHD Slot" are placeholders for other possible devices that could be USBconnected, but currently are not. Lunadiag displays a menu of commands, once you have selected a slot to work on. C:\Program Files\SafeNet\LunaClient>lunadiag lunadiag version 8.0 Date: Feb 13 2015 Time: 14:21:44 Detecting Luna devices ... Detection complete. Slots available: Slot #0 - Present Slot #1 - Present Slot #2 - Present Slot #3 - Present Slot #4 - Not present Slot #5 - Present Slot #6 - Not present Slot #7 - Not present Enter slot to test: - LunaNet Slot LunaNet Slot LunaNet Slot Viper PCI Card Luna UHD Tunnel Slot Luna UHD Slot Luna UHD Slot Luna UHD Slot In order to see the lunadiag menu of commands, first select a slot on which to act: Enter slot to test: 0 ---------------------------------------lunadiag version 8.0 Date: Feb 13 2015 Time: 14:21:44 Main Menu 1 2 3 4 5 Select slot to test Driver Test Communication Test Read Firmware Level Read Protocol Level SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 62 3 6 7 8 9 10 11 12 16 Lunadiag Read Capabilities Read Token Policies Read TSV Read Dualport Read Dualport Command Token Info Test Mechanism Info Test Read Debug/Trace Information 0 Exit ---------------------------------------- Command 9 is a complete dual-port dump of a SafeNet PCIe HSM, which includes any debug/trace information at the end. This command does not work for SafeNet USB HSM because that HSM is not built around dual-port architecture. Command 10 attempts to present information from the current command. Command 16 provides just the debug/trace information for either a SafeNet USB HSM or a SafeNet PCIe HSM. For SafeNet PCIe HSM, this is a much more compact output than is available from command 9. For SafeNet USB HSM, this is all the information available, since there is no dual-port to expose. The "missing" commands, 13, 14, and 15 appear only in special circumstances. The example that might have some general relevance is where Microsoft IIS is in use, and settings "AppIdMajor=1" and "AppIdMinor=42" are present in the Crystoki.ini file; this causes menu item 15 to appear. Generally, if a menu number does not appear, you do not need it. If in doubt, contact Technical Support. Verify Successful Installation If you can run tests 2 3 Driver Test Communication Test and 4 Read Firmware Level successfully (if they do not return error messages) then the installation was successful. If there is a problem, check the connections to your HSM. If there is still a problem, remove and re-install the SafeNet HSM Client software. If problems persist, contact SafeNet/Gemalto Technical Support. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 63 4 Multitoken This chapter describes how to access and use Multitoken, a simple demonstration tool that allows you to perform basic cryptographic functions on a SafeNet HSM. It contains the following topics: • "Accessing Multitoken" below • "Using Multitoken" below Accessing Multitoken The multitoken utility is a command line utility included with the SafeNet Client software. To access the multitoken utility 1. Open a console window. 2. Go to the SafeNet Client installation folder/directory: Windows C:\Program Files\SafeNet\LunaClient Linux/Unix /usr/safenet/lunaclient/bin 3. Launch the multitoken utility: ./multitoken Using Multitoken The multitoken utility allows you to specify an operation, and one or more “slots” or HSM Partitions on which to perform that operation. The multitoken utility runs the operations and returns a summary, or progress report, of the results. CAUTION: To achieve maximum performance with SafeNet Network HSM 5.x and 6.x, client applications must spawn 30+ threads. The 10 threads indicated for legacy SafeNet Network HSM 4.x is not sufficient to stress the current product. Syntax multitoken -mode -slots [-nodestroy] [-key ] [-curve ] [-blob ] [-packet ] [-logfile ] [-force] [-help] [-symm] [-password ] [-timed ] [-nodec] [-parmfile ] [-noverifyr] [-multipartsignatures] [-subprime ] [noverify] [-nslots] [-keychoice ] [-kdfchoice ] [-kdfscnt [counter index>] [-sharefile ] [-noenc] [-nosign] [-verbose] [-alarm ] [-template] SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 64 4 Multitoken Parameter Shortcut Description -alarm -al Sound periodic alarm (every seconds) if error occurs. -blob -b Number of data blobs to be signed during each multisign operation. -curv -crv ID number of ECC curve. If user-defined (99), then must specify -parmfile. -force -f Avoid prompts for responses. -ped -ped Specify ped id (-ped 0 for local, -ped 1 for remote). This applies only to the first HSM slot to be specified using the '-s' option. -help -h Display help information only. -key -k Size of key: asymmetric in bits (default = 1024 for RSA, 2048 for DSA). symmetric in bytes (i.e. 16, 24, 32 for AES/ARIA). -keychoice -kc Select key type to derive/generate - specify choice list index. -kdfchoice -kdf Select key derivation function - specify choice list index. -kdfscnt -kds Select key derivation session counter type - specify choice list index. -usage -u Number of times a key is allowed to be used. -logfile -l File for results logging. -mode -m Operating mode. See mode values available below. -multipartsig -msig Use multipart signatures. -nodec -nod Decryption operation will not be performed. Only symmetric and asymmetric encryption will be performed and measured. -nodestroy -n Leaves created objects on the HSM after test completes. -noenc -noe Perform only one encryption operation. Only symmetric and asymmetric decryption will be performed and measured. -nosign -nos Perform only one sign operation. Only verify will be performed and measured. -noverify -nov Verify operation will not be performed. Only sign will be performed and measured. -noverifyr -nvr Do not verify decryption results. -packet -p Size of packet used in operation. -parmfile -prm File for EC curve parameters or OAEP source data (0 = none for OAEP). -password -pwd Specify password to use for token. -prftype -prf Specify the type of PRF to use for PRF based key derivation. -sharefile -shf Shared data file used for operation. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 65 4 Multitoken Parameter Shortcut Description -slots -s List of of slots to use (slot numbers separated by commas). -subprime -sub Size of the sub-prime in bits. -symm -sym Select symmetric key mechanism for symderive/pbegen or key choice for symgen (can also use -kc). -timed -t Fixed amount of time to run (seconds). -nslots -ns Slots and threads to be specified as slot number times (x or X) number of threads, then comma for next pair. Ex. -ns 1x5,2X10 This will create 5 threads on slot 1 and 10 threads on slot 2. -verbose -v Show all thread performances. Default is only first and last threads. -template -tp Attaches a generic unwrap template or derive template for the wrapunwrap or symderive mode respectively. Operating Modes The following table lists the available operating modes for the multitoken utility. The operating mode is specified using the -mode parameter. Mode Description rsakeygen RSA key generation rsax931keygen RSA X9.31 key generation rsasigver RSA sign sha1rsasigver SHA1 with RSA sign sha224rsasigver SHA224 with RSA sign sha256rsasigver SHA256 with RSA sign sha384rsasigver SHA384 with RSA sign sha512rsasigver SHA512 with RSA sign rsax931sigver X9.31 RSA sign sha1rsax931sigver SHA1 X9.31 RSA sign sha224rsax931sigver SHA224 X9.31 RSA sign sha256rsax931sigver SHA256 X9.31 RSA sign sha384rsax931sigver SHA384 X9.31 RSA sign sha512rsax931sigver SHA512 X9.31 RSA sign SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 66 4 Mode Description sha1rsapsssigver SHA1 RSA PSS sign rsaenc RSA encrypt rsaoaepenc RSA OAEP encrypt dsakeygen DSA Key Generation dsasigver DSA bare sign sha1dsasigver SHA1 DSA sign sha224dsasigver SHA224 DSA sign sha256dsasigver SHA256 DSA sign ecdsakeygen ECDSA Key Generation ecdsasigver ECDSA sign ecdsasha1sigver SHA1 ECDSA sign ecdsasha224sigver SHA224 ECDSA sign ecdsasha256sigver SHA256 ECDSA sign ecdsasha384sigver SHA384 ECDSA sign ecdsasha512sigver SHA512 ECDSA sign kcdsakeygen KCDSA Key Generation kcdsasigver HAS160 KCDSA 1024-bit sign kcdsasha1sigver SHA51 KCDSA sign kcdsasha224sigver SHA224 KCDSA sign kcdsasha256sigver SHA256 KCDSA sign kcdsasha384sigver SHA384 KCDSA sign kcdsasha512sigver SHA512 KCDSA sign pbegen PBE key generation symgen Symmetric key generation symderive Symmetric key derivation rc4enc RC4 encrypt des3enc DES3 ECB encrypt SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. Multitoken 67 4 Mode Description des3enccbc DES3 CBC encrypt des3enccfb8 DES3 CFB8 encrypt des3enccfb64 DES3 CFB64 encrypt des3encofb DES3 OFB encrypt desmac DES3 MAC sign descmac DES3 CMAC sign aesenc AES ECB encrypt aesenccbc AES CBC encrypt aesencfb8 AES CFB8 encrypt aesenccfb128 AES CFB128 encrypt aesencofb AES OFB encrypt aesencgcm AES GCM encrypt aesmac AES MAC sign aescmac AES CMAC sign ariaenc ARIA ECB encrypt ariaenccbc ARIA CBC encrypt ariaenccfb8 ARIA CFB8 encrypt ariaenccfb128 ARIA CFB128 encrypt ariacencofb ARIA OFB sign ariamac ARIA MAC sign ariacmac ARIA CMAC sign seedenc SEED ECB encrypt seedmac SEED MAC sign seedcmac SEED CMAC sign extractinsert Extract Insert masked objects multisignvalue Multisign w/ masked key simextractinsert SIMExtract Insert masked objects SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. Multitoken 68 4 Mode Description simmultisign SIMMultisign w/ masked key sim3extractinsert SIM3 Extract Insert masked objects md5 MD5 Hashing sha1 SHA-1 Hashing sha224 SHA-224 Hashing sha256 SHA-256 Hashing sha384 SHA-384 Hashing sha512 SHA-512 Hashing sha1hmac SHA1 HMAC sign sha224hmac SHA224 HMAC sign sha256hmac SHA256 HMAC sign sha384hmac SHA384 HMAC sign sha512hmac SHA512 HMAC sign ecdhderive ECDH derive key ecdhcderive ECDH Cofactor derive key eciesxorhmacsha1 ECIES XOR enc/dec with HMAC SHA1 eciesxorhmacsha1shared ECIES XOR enc/dec with HMAC SHA1 and shared data eciesdes3hmacsha224 ECIES DES3 enc/dec with HMAC SHA224 eciesdes3hmacsha224shared ECIES DES3 enc/dec with HMAC SHA224 and shared data eciesaes128hmacsha256 ECIES AES-128 enc/dec with HMAC SHA256 eciesaes128hmacsha256shared ECIES AES-128 enc/dec with HMAC SHA256 and shared data eciesaes192hmacsha384 ECIES AES-192 enc/dec with HMAC SHA384 eciesaes192hmacsha384shared ECIES AES-192 enc/dec with HMAC SHA384 and shared data eciesaes256hmacsha512 ECIES AES-256 enc/dec with HMAC SHA512 eciesaes256hmacsha512shared ECIES AES-256 enc/dec with HMAC SHA512 and shared data wrapunwrap Wrap/unwrap operations randgen Random number generation SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. Multitoken 69 4 Multitoken Notes 1. If you are performing RSA operations, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. For example: multitoken -mode rsasigver -key 512 -slots 1 2. If you are performing wrapunwrap operation, it will perform the following operations: – Generate RSA key pair and a symmetric DES key. – Wrap DES key with RSA public key. – Unwrap wrapped key above with RSA private key. – Verify the unwrapped key. 3. If you are performing a Multisign operation, you have the option of specifying a key size (512, 1024, 2048, 4096, 8192). If no key size is specified, the default key size of 1024 will be used. You must also specify a blob count, indicating the number of data blobs to be signed during each multisign operation. For example: multitoken -mode multisignvalue -key 512 -blob 10 -s 1,1,2,2,2 multitoken -mode multisignvalue -blob 10 -s 1,1,2,2,2,2 4. A thread will be spawned to perform tests on each slot specified. A slot can be specified multiple times, in which case multiple threads will be created for the slot. 5. Options for the followiong modes can be used with the default 1024 bit key size only: – sha256rsasign - SHA256 with RSA – sha384rsasign - SHA384 with RSA – sha512rsasign - SHA512 with RSA If you specify a keysize on the command line (any of 1024, 2048 or 4096), the result is the 1024 bit benchmark speed, and a file called "1024" or "2048" or "4096" is created - that is the keysize parameter is parsed as a filename to which results are saved. Named and User-defined Curves The SafeNet HSMs employ named and user-defined curves.Multitoken supports this option, as illustrated in the following example: C:\Program Files\SafeNet\LunaClient>multitoken -mode ecdsasigver -s 1,1,1,1,1,1,1,1 Prime field curves: [0]secp112r1 [1]secp112r2 [2]secp128r1 [3]secp128r2 [4]secp160k1 [5]secp160r1 [6]secp160r2 [7]secp192k1 [8]secp224k1 [9]secp224r1 [10]secp256k1 [11]secp384r1 [12]secp521r1 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 70 4 Multitoken [13]X9_62_prime192v1 [14]X9_62_prime192v2 [15]X9_62_prime192v3 [16]X9_62_prime239v1 [17]X9_62_prime239v2 [18]X9_62_prime239v3 [19]X9_62_prime256v1 Characteristic two field curves: [20]sect113r1 [21]sect113r2 [22]sect131r1 [23]sect131r2 [24]sect163k1 [25]sect163r1 [26]sect163r2 [27]sect193r1 [28]sect193r2 [29]sect233k1 [30]sect233r1 [31]sect239k1 [32]sect283k1 [33]sect283r1 [34]sect409k1 [35]sect409r1 [36]sect571k1 [37]sect571r1 [38]X9_62_c2pnb163v1 [39]X9_62_c2pnb163v2 [40]X9_62_c2pnb163v3 [41]X9_62_c2pnb176v1 [42]X9_62_c2tnb191v1 [43]X9_62_c2tnb191v2 [44]X9_62_c2tnb191v3 [45]X9_62_c2pnb208w1 [46]X9_62_c2tnb239v1 [47]X9_62_c2tnb239v2 [48]X9_62_c2tnb239v3 [49]X9_62_c2pnb272w1 [50]X9_62_c2pnb304w1 [51]X9_62_c2tnb359v1 [52]X9_62_c2pnb368w1 [53]X9_62_c2tnb431r1 [54]Brainpool_P160r1 [55]Brainpool_P160t1 [56]Brainpool_P192r1 [57]Brainpool_P192t1 [58]Brainpool_P224r1 [59]Brainpool_P224t1 [60]Brainpool_P256r1 [61]Brainpool_P256t1 [62]Brainpool_P320r1 [63]Brainpool_P320t1 [64]Brainpool_P384r1 [65]Brainpool_P384t1 [66]Brainpool_P512r1 SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 71 4 Multitoken [67]Brainpool_P512t1 Please pick a curve (0-67) or enter (99) for a user defined curve:99 Please enter the filename for the EC parameters: Here, you would provide the filepath to the file specifying the Elliptical Curve parameters. The format and content of the parameter file follow industry standards, and are discussed in more detail in "Named Curves and User-Defined Parameters" on page 1 in the SDK Reference Guide. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 72 5 Pedserver and Pedclient This chapter describes how to use the pedserver and pedcient utilities to manage your remote PED devices. It contains the following topics: • "Overview" below • " The pedserver Command" on page 77 • " The pedClient Command" on page 1 Overview You can use the pedserver and pedclient utilities to manage your remote PED devices. The pedserver Utility The pedserver utility has one function. It resides on a computer with an attached SafeNet PED [Remote], and it serves PED operations to an instance of pedClient that operates on behalf of an HSM. The HSM could be local to the computer that has pedServer running, or it could be on another HSM host computer at some distant location. See " The pedserver Command" on page 77. The pedclient Utility The pedserver utility performs the following functions: • It mediates between the HSM where it is installed and the SafeNet PED [Remote] where pedServer is installed, to provide PED services to the requesting HSM(s). • It resides on a computer with RBS and an attached SafeNet Remote Backup HSM, and it connects with another instance of pedClient on a distant host of an HSM, to provide the link component for Remote Backup Service. Thus, in the case where (say) an administrative workstation or laptop has both a Remote PED and a Remote Backup HSM attached, pedClient would perform double duty. It would link with a locally-running instance of pedServer, to convey HSM requests from the locally-connected Backup HSM to the locally-connected PED, and return the PED responses, As well, it would link a locally-running instance of RBS and a distant pedClient instance to mediate Remote Backup function for that distant HSM's partitions. See " The pedclient Command" on the next page. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 73 5 Pedserver and Pedclient The pedclient Command General Syntax This is the syntax of the pedClient command, which includes starting and stopping of the service, and an assortment of configuration options. Specify "pedClient" at the command line, plus one of the modes, plus any option applicable to that mode. [root@lunaclient101360 bin]# ./pedClient Ped Client Version 2.0.0 (20000) Error: You must specify a mode. Usage: pedClient [mode] [options...] Explanation of the modes: To query if a Ped Client is currently running, and to get details about the Ped Client, use this command: pedClient -m show [ options... ] To shut down an existing Ped Client, use this command: pedClient -m stop [ options... ] To start the Ped Client, use this command: pedClient -m start [ options... ] To start the Ped Client for Windows service, use this command: pedClient -m start -winservice [ options... ] To create a PED ID mapping, use this command: pedClient -m setid [ options... ] To test a PED ID mapping, use this command: pedClient -m testid [ options... ] To delete a PED ID mapping, use this command: pedClient -m deleteid [ options... ] To assign a PED ID mapping to an HSM, use this command: pedClient -m assignid [ options... ] To release a PED ID mapping from an HSM, use this command: pedClient -m releaseid [ options... ] To show the existing configuration file settings, use this command: pedClient -m config -show To restore the internal default configuration file settings, use this command: pedClient -m config -create To modify the existing configuration file settings, use this command: pedClient -m config -set [ options... ] To view a more detailed description of the Ped Client, use this command: pedClient -m desc SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 74 5 Pedserver and Pedclient Explanation of the options: Any options that are not specified on the command line will be read from the config file. If the config file cannot be found, internal default settings will be used. Invalid options do not generate an error and are ignored. -mode -> Specifies the mode that the Ped Server will be executed in. The supported modes are "start", "stop", "show", "setid", "testid", "deleteid", "assignid", "releaseid" and "config". -id -> Specifies the PED ID (larger then 0, less then 65535). Applicable to the "setid", "testid", "deleteid", "assignid" and"releaseid" modes. -id_ip -> Specifies the IP or hostname for the PED Server to be linked to the specified PED ID. Applicable to the "setid" mode. -id_port -> Specifies the port for the PED Server to be linked to the specified PED ID. Applicable to the "setid" mode. -id_serialnumber -> Specifies the serial number of the HSM to be linked to the specified PED ID. Applicable to the "assignid" mode. -eadmin <0 or 1> -> Specifies if the administration port is on "localhost" or listening on the external host name. Applicable to "start", "stop", "show" and "config set" modes. -admin -> Specifies the administration port number. Applicable to "show" and "config set" modes. -set -> When used with "-config", specifies that the configuration file should be updated with values of the other supplied options. Applicable to "config" mode. -show -> When used with "-config", specifies that the contents of the configuration file should be displayed. Applicable to "config" mode. -idletimeout -> Specifies the idle connection timeout in seconds. Applicable to "start", "assignid" and "config set" modes. -ignoreidletimeout -> Specifies that the idle connection timeout should not apply to the connection established for the specified PED ID to HSM assignement. Applicable to "assignid" and "config set" modes. -socketreadtimeout -> Specifies the socket read timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes. -socketwritetimeout -> Specifies the socket write timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes. -shutdowntimeout -> Specifies the shutdown timeout in seconds for internal services. Applicable to "start", "stop" and "config set" modes. -pstartuptimeout -> Specifies the startup timeout for the detached SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 75 5 -pshutdowntimeout -> -loginfo <0 or 1> -> -logwarning <0 or 1> -> -logerror <0 or 1> -> -logtrace <0 or 1> -> -logfilename -> -maxlogfilesize -> -locallogger -> Pedserver and Pedclient process. Applicable to "start", "stop" and "config set" modes. Specifies the shutdown timeout for the detached process. Applicable to "start", "stop" and "config set" modes. Specifies if the logger should log "info" messages. Applicable to all modes. Specifies if the logger should log "warning" messages. Applicable to all modes. Specifies if the logger should log "error" messages. Applicable to all modes. Specifies if the logger should log "trace" messages. Applicable to all modes. Specifies the log file name. Applicable to all modes. Specifies the maximum log file size in KB Applicable to all modes. Specifies that the Remote Ped logger should be used, not the IS logging system. Applicable to all modes. [admin@myluna bin]# pedClient must run on any host of an HSM that needs to be served by a Remote PED. pedClient must run on any host of a Remote Backup HSM that will be serving remote primary HSMs*. * A distant HSM that appears as a crypto slot at the host of the Backup HSM is not considered "remote" in this sense, and so the Backup HSM's host does not need RBS. This would be the case for (say) a SafeNet Network HSM partition where the Remote Backup workstation is a registered client of the partition, and therefore has a Network Trust Link (NTL) with the SafeNet Network HSM appliance. In that case, a lunacm session on the Backup workstation sees the SafeNet Network HSM's partition as just another "local" slot. A slot-to-slot backup operation launched by lunacm at the Backup workstation is a local operation, as is a restore operation. That client relationship implies that the Backup workstation's administrator is entrusted with the partition authentication (black PED Key, challenge secret, red PED Key) for the partition on that distant SafeNet Network HSM. In many cases, that is a perfectly legitimate assumption. The partition is registered with two "clients" - one is the working, or production client that uses the partition for cryptographic operations; the other is the Backup workstation that connects with the partition only when it is time to perform backup or restore activity. If, instead, the administrator of the Remote Backup HSM was not entrusted with the authentication secrets of the distant HSM partition, then the administrator could still perform a backup, but it would proceed differently. The backup administrator could connect by SSH or RDP session to a legitimate client computer and use lunacm at that client to launch the backup. The client, already authenticated to the activated SafeNet Network HSM partition would see the partition as a local slot, but would see the backup HSM and its attached SafeNet Remote Backup HSM only through the intermediary Remote Backup Service (rbs) running on that Backup workstation and conversing with the distant client computer by means of pedClient instances at each end. This is one version of the method used when the organization (or its customer) prefers a strict separation of roles. A variant of the RBS method might work from the other direction, with the owner of the client computer doing the work, and the owner of the administrative/backup workstation simply allowing the client to take over the admin/backup workstation for the duration of the backup-or-restore operation. In either case, RBS must reside on the computer with the SafeNet Remote Backup HSM attached, and pedClient must run on both. The various methods have their place, depending on your organization's structure and security protocols. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 76 5 Pedserver and Pedclient See "Remote Application Partition Backup and Restore Using the Backup HSM" on page 1 in the Administration Guide for more information. PedClient on SafeNet Network HSM PedClient exists on the SafeNet Network HSM appliance, but is not directly exposed. Instead, the relevant features are accessed via lunash hsm ped commands. The pedserver Command Syntax This is the syntax of the pedServer command, which includes starting and stopping of the service, and an assortment of configuration options. Specify "pedserver" at the command line, plus one of the modes, plus any option applicable to that mode. pedServer.exe –mode {start | stop | connect | disconnect | show | config } -ip [-port ] [-force] pedServer –appliance register –name -certificate -ip [-port ] Note: The -name parameter must be alphanumeric only: 0 through 9 or a through z or A through Z No punctuation or special characters are permitted. pedServer –appliance deregister –name [-force] pedServer –appliance list pedServer –regenCert [-force] Note: When registering, the default port 9697 is assumed. However in the special case where another application already uses port 9697, port forwarding in a router could remap a different incoming port number (that you provide in the -appliance register command) to 9697 when forwarded to the SafeNet Network HSM. C:\Program Files\SafeNet\LunaClient>pedserver Ped Server Version 1.0.5 (10005) SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 77 5 Pedserver and Pedclient Error: You must specify a mode. Usage: pedServer [mode] [options...] Explanation of the modes: To query if a Ped Server is currently running, and to get details about the Ped Server, use this command: pedServer -mode show [ options... ] To shut down an existing Ped Server, use this command: pedServer -mode stop [ options... ] To start the Ped Server, use this command: pedServer -mode start [ options... ] To start the Ped Server, use this command: pedServer -mode start [ options... ] To show the existing configuration file settings, use this command: pedServer -mode config -show To restore the internal default configuration file settings, use this command: pedServer -mode config -create [ options... ] To modify the existing configuration file settings, use this command: pedServer -mode config -set [ options... ] To view a more detailed description of the Ped Server, use this command: pedServer -mode desc Explanation of the options: Any options that are not specified on the command line will be read from the config file. If the config file cannot be found, internal default settings will be used. Invalid options do not generate an error and are ignored. -mode -configfile -name -eserverport <0 or 1> -port -eadmin <0 or 1> -> Specifies the mode that the Ped Server will be executed in. The supported modes are "start", "stop", "connect", "disconnect", "show" and "config". -> Specifies the config file to use. Applicable to all modes. -> Specifies the config file to use. Applicable to "connect" mode. -> Specifies if the server port is on "localhost" or listening on the external host name. Applicable to "start" and "config set" modes. -> Specifies the server port number. Applicable to "start" and "config set" modes. -> Specifies if the administration port is on "localhost" or listening on the external host name. Applicable to "start" and "config set" modes. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 78 5 Pedserver and Pedclient -admin -> Specifies the administration port number. Applicable to "start", "stop", and "show" modes. -force -> When used with "-start", specifies that any existing Ped Server currently running should be shutdown and a new Ped Server started. Applicable to "start" mode. -set -> When used with "-config", specifies that the configuration file should be updated with values of the other supplied options. Applicable to "config" -show -> When used with "-config", specifies that the contents of the configuration file should be displayed. Applicable to "config" mode. -idletimeout -> Specifies the idle connection timeout in seconds. Applicable to "start" and "config set" modes. -socketreadtimeout -> Specifies the socket read timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes. -socketwritetimeout -> Specifies the socket write timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes. -internalshutdowntimeout -> Specifies the shutdown timeout in seconds for internal services. Applicable to "start", "stop" and "config set" modes. -bgprocessstartuptimeout -> Specifies the startup timeout for the detached process. Applicable to "start", "stop" and "config set" modes. -bgprocessshutdowntimeout -> Specifies the shutdown timeout for the detached process. Applicable to "start", "stop" and "config set" modes. -loginfo <0 or 1> -> Specifies if the logger should log "info" messages. Applicable to all modes. -logwarning <0 or 1> -> Specifies if the logger should log "warning" messages. Applicable to all modes. -logerror <0 or 1> -> Specifies if the logger should log "error" messages. Applicable to all modes. -logtrace <0 or 1> -> Specifies if the logger should log "trace" messages. Applicable to all modes. -logfilename -> Specifies the log file name. Applicable to all modes. -maxlogfilesize -> Specifies the maximum log file size in KB Applicable to all modes. -pinginterval -> Specifies the interval in seconds for ping commands. Applicable to "start" and "config set" modes. -pongtimeout -> Specifies timeout in seconds for the ping response. Applicable to "start" and "config set" modes C:\Program Files\SafeNet\LunaClient> Sample Outputs Commands you are likely to use most often are PedServer mode start, to launch the service, when working in Client/Server mode, and PedServer mode show, to display its current status. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 79 5 Pedserver and Pedclient C:\Program Files\Safenet\LunaClient>PedServer.exe mode start Ped Server Version 1.0.5 (10005) Failed to load configuration file. Using default settings. Ped Server launched in startup mode. Starting background process Background process started Ped Server Process created, exiting this process. C:\Program Files\Safenet\LunaClient> C:\Program Files\Safenet\LunaClient>PedServer.exe mode show Ped Server Version 1.0.5 (10005) Failed to load configuration file. Using default settings. Ped Server launched in status mode. Server Information: Hostname: OTT1-202311 IP: 172.20.10.190 Firmware Version: 2.5.0-1 PedII Protocol Version: 1.0.1-0 Software Version: 1.0.5 (10005) Ped2 Connection Status: Connected Ped2 RPK Count 1 Ped2 RPK Serial Numbers (5b420100834a2301) Client Information: Not Available Operating Information: Server Port: 1503 External Server Interface: Yes Admin Port: 1502 External Admin Interface: No Server Up Time: 8 (secs) Server Idle Time: 8 (secs) (100%) Idle Timeout Value: 1800 (secs) Current Connection Time: 0 (secs) Current Connection Idle Time: 0 (secs) Current Connection Total Idle Time: 0 (secs) (100%) Total Connection Time: 0 (secs) Total Connection Idle Time: 0 (secs) (100%) Show command passed. C:\Program Files\Safenet\LunaClient> PedServer is required to run on any computer that has a SafeNet Remote PED attached, and is providing PED services. PedServer always works with an instance of PedClient. PedClient could be running on a distant HSM host computer, or it could be running on the same computer that has the Remote PED attached and PedServer running. This would normally be the case where a SafeNet Remote Backup HSM or other HSM is also attached or embedded. In other words, the one computer could be carrying on both halves of the PedClient/PedServer conversation over two ports in its own memory. PedServer can also run in peer-to-peer mode, where the server initiates the connection to the Client. This is needed when the Client (usually SafeNet Network HSM) is behind a firewall that forbids outgoing initiation of connections. See "Remote Application Partition Backup and Restore Using the Backup HSM" on page 1 in the Administration Guide for more information. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 80 6 Remote Backup Service (RBS) This chapter describes how to use the RBS utility to remotely back up your HSMs. It contains the following topics: • "RBS Overview" below • "rbs" on the next page • "rbs config" on page 83 • "rbs daemon" on page 84 • "rbs genkey" on page 85 • "rbs nopassword" on page 86 RBS Overview RBS implements the Remote Backup Service. RBS is run on a workstation with a SafeNet Remote Backup HSM connected. RBS requires pedClient to be running both on the RBS computer and on the host of the SafeNet HSM primary (the HSM being backed-up from, or being restored-to). PedClient enables the communication link over which RBS works. PedClient is also used in conjunction with pedServer to enable Remote PED, and in the case where both the Backup HSM and the Remote PED are connected to the same administrative workstation, you might legitimately have all three of RBS, pedServer, and pedClient running on the one system. See "Pedserver and Pedclient" on page 73 for more information. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 81 6 Remote Backup Service (RBS) rbs Access the RBS commands. Syntax rbs [-daemon] [-genkey] [-nopassword] [-config] [-help] Parameter Shortcut Description -config -c Runs RBS to select devices to support for Remote Backup. See "rbs config" on the next page. -daemon -d Runs RBS in daemon (background) mode. See "rbs daemon" on page 84. -genkey -g Runs RBS to generate private key/certificate for Remote Backup. See "rbs genkey" on page 85. -help -h Displays help information for the rbs command. -nopassword -n Require no password for encoded keys. See "rbs nopassword" on page 86. Example [admin@myluna bin] # ./rbs --h Supported Options: --help --daemon --genkey --nopassword --config help run as daemon generate private key/certificate no password for encoded keys select devices to support [optional] - default [optional] [optional] - password [optional] NOT daemon required [admin@myluna bin]# SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 82 6 Remote Backup Service (RBS) rbs config Runs rbs to select devices to support for Remote Backup. Syntax rbs --config Options None. "config" is an option of the rbs command. Example [admin@myluna bin] # ./rbs --config [admin@myluna bin]# SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 83 6 Remote Backup Service (RBS) rbs daemon Runs RBSin daemon (background) mode. RBS is required for Remote Backup. Syntax rbs --daemon Options None. "daemon" is an option of the rbs command. Default for rbs is non-daemon mode. Example [admin@myluna bin] # ../rbs/bin/rbs --daemon Enter password : ******** [admin@myluna bin]# SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 84 6 Remote Backup Service (RBS) rbs genkey Runs RBS to generate private key/certificate for Remote Backup. Syntax rbs --genkey Options None. "genkey" is an option of the rbs command. . Example [admin@myluna bin] # ./rbs --genkey Enter password : ******** Verify password: ******** [admin@myluna bin]# SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 85 6 Remote Backup Service (RBS) rbs nopassword Require no password for encoded keys. Default is password required. Syntax rbs --nopassword Options None. "nopassword" is an option of the rbs command. . Example [admin@myluna bin] # ./rbs --nopassword [admin@myluna bin]# SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 86 7 SAlogin This chapter describes how to use the salogin utility to allow applications that do not provide a native login interface to an HSM to login to a SafeNet Network HSM. It contains the following topics: • "Using the salogin Utility" below Using the salogin Utility Cryptographic applications that are not specifically adapted to use an HSM Server can nevertheless be run using SafeNet Enterprise HSMs, with the aid of the salogin utility. This section provides the settings required for some widely-used applications. An example of a situation where you might use salogin is where you wish to use a SafeNet HSM appliance with openssl, which can be used with HSMs, but which has no inherent ability to provide credentials to the HSM. The salogin Command The salogin client-side utility is provided to assist clients that do not include the requisite HSM login and logout capability within the client application. Run the utility from a shell or command prompt, or include it in scripts. The salogin utility has a single command, with several arguments, as follows: >salogin -h Luna Login Utility 1.0 Arguments: o open application access c close application access i hi:lo application id; high and low component s slot token slot id number (default = 1) u specifies that login should be performed as the Crypto-User if no user type is supplied, the Crypto-Officer will be used p pswd challenge password - if not included, login will not be performed r server IP remote ped server ip v verbose h this help SafeNet Network HSM Utilities Reference Guide Release 6.2.2 007-011136-012Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 87 7 SAlogin Examples salogin -o -s 1 -i 1:1 # open a persistent application connection # on slot 1 with app id 1:1 salogin -o -s 1 -i 1:1 -p HT7bHTHPRp/4/Cdb # open a persistent application connection # and login with Luna HSM challenge salogin -c -s 1 -i 1:1 # close persistent application connection 1:1 # on slot 1 Note: The applications in the integrations documents have been explicitly integrated by SafeNet, to work with your SafeNet HSM product. Contact your SafeNet representative. If you are a developer, you might prefer to create or modify your own application to include support for the HSM or appliance. Refer to the Software Development Kit and the Extensions sections of this document set. Other options For java applications you could consider the KeyStore interface. It is internally consistent with the service provider interface defined by SUN/Oracle and does not require any proprietary code or applications. If you are using an integration that does not refer to a KeyStore then the salogin method might be required. You are then limited to working with 1 partition. The type of HSM doesn’t matter, as long as it is SafeNet and visible by the client at the time that the library is initialized. SafeNet Network HSM Utilities Reference Guide Release 6.2.2 Rev. A December 2016 Copyright 2001-2016 Gemalto All rights reserved. 88 8 SCP and PSCP This chapter describes how to use the scp (Linux/UNIX) or pscp (Windows) utilities to transfer files between a SafeNet HSM client computer and a SafeNet Network HSM appliance. It contains the following sections: • "Using the scp and pscp Utilities" below Using the scp and pscp Utilities Use the scp (Linux/Unix) or pscp (Windows) command to securely move updates and certificates and other files from a source computer onto the SafeNet appliance, or to move appliance certificates or log files out to a client computer. All packages from SafeNet are signed and encrypted and come with an authorization code (authcode) that must be provided to decrypt and use the package. Note: In Windows, use PSCP.exe (provided with SafeNet HSM Client software) to transfer certificates, software updates, capability updates, logs, etc. The command syntax is similar to scp. PuTTY and PSCP have their own help. Syntax Client to appliance scp [options] [ @] :
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Page Count : 146 Page Mode : UseOutlines Language : en-us Producer : madbuild Create Date : 2016:12:01 23:26:25-05:00 Modify Date : 2016:12:01 23:26:25-05:00 Title : Utilities Reference Guide Author : SafeNet Subject :EXIF Metadata provided by EXIF.tools