apps hsm-group
Use the apps hsm-group command to configure an HSM group.
The apps hsm-group command has the following syntax (sub-commands are shown indented under the keyword they belong to):

apps hsm-group alias <alias>
    type luna-hsm/ncipher-hsm
    comment <comment>
    fetch key-handler <URL for HSM group key handler file>
    hsm-alias
        add <HSM alias>
        delete <HSM alias>
    hsm-set
        rfs-sync
            ipv4-addr <rfs-server-IP>
            auto <time-period>
            fetch-now
        keymap
            add server-ip <address> [server-port <port>] [[key-name <name>] | [key-token <name>]]
            delete [all | rule-id <id>]
        fetch keymap <URL>
The arguments for the apps hsm-group command are described below:

alias <alias>
    Specifies an alias for the HSM group. For example:
        (config) # apps hsm-group alias hsm-set
    Note: Only one HSM group can be configured.

type luna-hsm/ncipher-hsm
    Specifies the HSM vendor type: either Entrust nCipher HSM or Thales Luna HSM.

comment <comment>
    Adds a comment to the HSM group. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks. For example:
        (config) # apps hsm-group alias hsm-set comment "HSM group1"

fetch key-handler <URL for HSM group key handler file>
    Fetches an HSM group key handler file. These are Entrust nShield World and Module binary files, which can be fetched from the Entrust nShield HSM RFS. A World file is a metadata file used by the Entrust nShield client. One World file is needed per HSM group, and one Module file is required for each HSM in the group; so if there are two HSMs in the group, you need to fetch one World file and two Module files. Examples:
        (config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/world
        (config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_12EE-4B24-2FCE
        (config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_FBC5-F777-2A93

hsm-alias add <HSM alias>
hsm-alias delete <HSM alias>
    Adds an HSM to the group, or deletes it from the group, by its HSM alias. Examples:
        (config) # apps hsm-group alias hsm-set hsm-alias add hsm1
        (config) # apps hsm-group alias hsm-set hsm-alias add hsm2
        (config) # apps hsm-group alias hsm-set hsm-alias delete hsm1

hsm-set rfs-sync ipv4-addr <rfs-server-IP>
    Enables Remote File System (RFS) synchronization on the GigaVUE‑OS device with the RFS server at the given IP address. RFS is a component of the HSM deployment that stores and manages encrypted keys and automates the key distribution process. Example:
        (config) # apps hsm-group alias hsm-set rfs-sync ipv4-addr 20.1.1.1
    Note: The configuration example above is only applicable to Entrust nCipher HSM.

hsm-set rfs-sync auto <time-period>
    Synchronizes the RFS server with the GigaVUE‑OS device automatically, so that the device fetches the encrypted keys stored on the RFS server at the configured interval. The valid values for the time period are 0–100 hours. The value 0 turns off automatic synchronization of the RFS server with the GigaVUE‑OS device. The default value is 24 hours. Example:
        (config) # apps hsm-group alias hsm-set rfs-sync auto 24

hsm-set rfs-sync fetch-now
    Manually fetches all the encrypted keys from the RFS server to the GigaVUE‑OS device. Example:
        (config) # apps hsm-group alias hsm-set rfs-sync fetch-now

hsm-set keymap add server-ip <address> [server-port <port>] [[key-name <name>] | [key-token <name>]]
    Maps a key token or a key name to a server IP address and, optionally, a server port. Note: Mapping a key token or a key name to a server port is optional. Examples:
        (config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 key-name rsa2048-server1-cert
        (config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 server-port 443 key-name rsa2048-server1-cert
        (config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 key-token pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f
    Note: The configuration examples above are only applicable to Entrust nCipher HSM.

hsm-set fetch keymap <URL>
    Fetches the text file with the key mappings from the specified URL. You must create a text file with the key mappings and upload it to a server, then enter a valid directory path including the text file name. It is recommended to use a secure protocol, such as SCP or HTTPS, to access the URL. Example of the keymap text file format:
        server-ip key-name/key-token
        20.1.1.1 rsa2048-server1-cert
        20.1.1.2 key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d
        20.1.1.3 433 rsa2048-server1-cert
        20.1.1.4 433 key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d
    Example:
        (config) # apps hsm-group alias hsm-set fetch keymap scp://user@10.10.10.10/keymap.txt
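A keymap file that is rejected or half-applied on the device is hard to debug from the CLI, so it is worth validating it before uploading it. The following is an added example validator, not Gigamon code; it assumes (the page does not say) that each line is either "<server-ip> <key>" or "<server-ip> <port> <key>", that a key containing "pkcs11_" is a key token and anything else a key name, and that the HSM group alias is hsm-set.

```python
"""Validate a GigaVUE-OS HSM keymap text file before it is fetched with
'apps hsm-group alias <group> fetch keymap <URL>'. Added example, not Gigamon
code. Assumed (the page does not say): a line is "<server-ip> <key>" or
"<server-ip> <port> <key>"; a key containing "pkcs11_" is a key token."""
import ipaddress

def parse_keymap(text):
    """Return (entries, errors); an entry is (ip, port_or_None, key, is_token)."""
    entries, errors, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0] == "server-ip":
            continue  # blank line or the header row
        if len(fields) not in (2, 3):
            errors.append(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
            continue
        try:
            ipaddress.IPv4Address(fields[0])
        except ValueError:
            errors.append(f"line {lineno}: invalid IPv4 address {fields[0]!r}")
            continue
        port = int(fields[1]) if len(fields) == 3 and fields[1].isdigit() else None
        if len(fields) == 3 and not (port and 1 <= port <= 65535):
            errors.append(f"line {lineno}: invalid port {fields[1]!r}")
            continue
        key = fields[-1]
        if seen.get((fields[0], port), key) != key:  # same target, other key
            errors.append(f"line {lineno}: {fields[0]} port {port} already mapped")
            continue
        seen[(fields[0], port)] = key
        entries.append((fields[0], port, key, "pkcs11_" in key))
    return entries, errors

def to_cli(entries, group="hsm-set"):
    """Render entries as the equivalent 'keymap add' commands from this page."""
    out = []
    for ip, port, key, is_token in entries:
        cmd = f"(config) # apps hsm-group alias {group} keymap add server-ip {ip}"
        cmd += f" server-port {port}" if port is not None else ""
        out.append(cmd + f" {'key-token' if is_token else 'key-name'} {key}")
    return out

# Constructed sample: two lines from the page's example plus two bad lines.
SAMPLE = """server-ip key-name/key-token
20.1.1.1 rsa2048-server1-cert
20.1.1.3 433 key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d
20.1.1.300 rsa2048-server1-cert
20.1.1.3 433 other-cert
"""
```

Running parse_keymap(SAMPLE) accepts the first two rows and reports the bad address and the conflicting second mapping for 20.1.1.3 port 433; to_cli() shows the per-line CLI equivalent you would otherwise type by hand.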
Related Commands
The following table summarizes other commands related to the apps hsm-group command:
Task | Command
---|---
Displays the ESN for a given IP address. | # show apps hsm-group anonkneti
Displays enquiry data from the module. | # show apps hsm-group enquiry
Displays the result of a hardserver connection attempt. | # show apps hsm-group chkserv
Displays PKCS11 information. | # show apps hsm-group ckinfo
Displays HSM key information. | # show apps hsm-group key
Displays Security World information. | # show apps hsm-group world
Displays Security World configuration information. | # show apps hsm-group config
Displays Security World module information. | # show apps hsm-group module
Displays SSL session statistics. | # show apps hsm-group session-stats
Displays HSM buffer statistics. | # show apps hsm-group buffer-stats
Displays all statistics. | # show apps hsm-group all
Displays operational status. | # show apps hsm-group status
Displays the details of the RFS server, such as the IP address, synchronization period, last sync time, next sync time, and the number of keys stored and managed on the RFS server. | # show apps hsm-group rfs-sync
Displays all the configured key mappings and the RFS match for the key names or key tokens. | # show apps hsm-group keymap
Deletes a specified HSM group. | (config) # no apps hsm-group alias hsm-set
Deletes all HSM groups. | (config) # no apps hsm-group all
Verifies that the Luna Network HSM slots/partitions are visible to the client. | # show apps hsm-group stats verify
Verifies that the Luna HSM appliances are reachable by ping. | # show apps hsm-group stats ping-result
Displays the HA statistics of the Luna HSM appliances. | # show apps hsm-group status ha