apps hsm

Use the apps hsm command to configure a Hardware Security Module (HSM) appliance.

The apps hsm command has the following syntax:

apps hsm <alias <alias>>
   hsm-ip <HSM server IP address> hsm-port <port number> type ncipher-hsm esn <HSM ESN string> kneti <HSM KNETI>

   hsm-ip <HSM server IP address> hsm-port <port number> type luna-hsm server-username <name> server-password <*****> partition-label <name> partition-password <*****>

The following table describes the arguments for the apps hsm command:

Argument

Description

alias <alias>
hsm-ip <HSM server IP address> hsm-port <port number> type ncipher-hsm esn <HSM ESN string> kneti <HSM KNETI>

Configures an Entrust nShield HSM appliance as follows:

alias—Specifies an alias of the HSM.
hsm-ip—Specifies the IP address of the HSM server. Only IPv4 addresses are supported.
hsm-port—Specifies the HSM port number.
type ncipher-hsm—Specifies the HSM type, which is Entrust nShield.
esn—Specifies the HSM Electronic Serial Number (ESN) for a given IP address.
kneti—Specifies the HSM KNETI key for a given IP address. KNETI is a key hash exposed by each Entrust nShield HSM.

Examples:

(config) # apps hsm alias hsm1 hsm-ip 10.115.176.5 hsm-port 9004 esn FBC5-F777-2A93 kneti 30eab672d888d22eab811755d5938981ca5c8f18

(config) # apps hsm alias hsm2 hsm-ip 10.115.176.6 hsm-port 9004 esn 12EE-4B24-2FCE kneti cf9ad964faa9acdcbf0e725a76e77e212fd8345b

Note:  Obtain the ESN and KNETI values from an HSM administrator. The following output is from an HSM Remote File System (RFS):

$ anonkneti 10.115.176.5
FBC5-F777-2A93 30eab672d888d22eab811755d5938981ca5c8f18
$ anonkneti 10.115.176.6
12EE-4B24-2FCE cf9ad964faa9acdcbf0e725a76e77e212fd8345b

alias <alias>
hsm-ip <HSM server IP address> hsm-port <port number> type luna-hsm server-username <name> server-password <*****> partition-label <name> partition-password <*****>

Configures a Thales-Luna HSM appliance as follows:

alias—Specifies an alias of the HSM.
hsm-ip—Specifies the IP address of the HSM server. Only IPv4 addresses are supported.
hsm-port—Specifies the HSM port number.
type luna-hsm—Specifies the HSM type, which is Thales-Luna.
server-username—Specifies the HSM server's administration username.
server-password—Specifies the HSM server's administration password.
partition-label—Specifies the user partition label configured by the administrator.
partition-password—Specifies the user partition password configured by the administrator.

Examples:

(config) # apps hsm alias hsm1 hsm-ip 10.115.72.15 hsm-port 1792 type luna-hsm server-username admin server-password ******* partition-label partition1 partition-password *******

(config) # apps hsm alias hsm2 hsm-ip 10.115.74.36 hsm-port 1792 type luna-hsm server-username admin server-password ******* partition-label partition1 partition-password *******

Note:  The server-password and partition-password should be encrypted using the keychain password in the keystore.
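
The ESN and KNETI in the nShield examples above identify the HSM, so the values reported by anonkneti should be compared with the values supplied by the HSM administrator before they are configured. The following Python check is an added example, not part of the product documentation; the function names and the field patterns (inferred from the sample values on this page) are assumptions, and the emitted line follows the syntax given at the top of this page.

```python
import ipaddress
import re

# Field formats inferred from the sample values on this page (assumption).
ESN_RE = re.compile(r"[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}")
KNETI_RE = re.compile(r"[0-9a-f]{40}")


def parse_anonkneti(line):
    """Split one 'ESN KNETI' line and validate both fields."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError(f"expected 'ESN KNETI', got {line!r}")
    esn, kneti = fields[0].upper(), fields[1].lower()
    if not ESN_RE.fullmatch(esn):
        raise ValueError(f"malformed ESN: {esn!r}")
    if not KNETI_RE.fullmatch(kneti):
        raise ValueError(f"malformed KNETI: {kneti!r}")
    return esn, kneti


def build_ncipher_command(alias, hsm_ip, hsm_port, reported, trusted):
    """Return the apps hsm line only if the reported identity is the trusted one.

    reported: the line printed by anonkneti for hsm_ip
    trusted:  the 'ESN KNETI' pair supplied by the HSM administrator
    """
    if not alias or any(ch.isspace() for ch in alias):
        raise ValueError("alias must be a single word")
    # The page states that only IPv4 addresses are supported.
    if ipaddress.ip_address(hsm_ip).version != 4:
        raise ValueError("hsm-ip must be an IPv4 address")
    if not 1 <= int(hsm_port) <= 65535:
        raise ValueError("hsm-port out of range")
    esn, kneti = parse_anonkneti(reported)
    if (esn, kneti) != parse_anonkneti(trusted):
        raise ValueError(f"ESN/KNETI reported for {hsm_ip} does not match "
                         "the administrator's record")
    return (f"apps hsm alias {alias} hsm-ip {hsm_ip} hsm-port {hsm_port} "
            f"type ncipher-hsm esn {esn} kneti {kneti}")


if __name__ == "__main__":
    # Values taken from the examples on this page.
    line = "FBC5-F777-2A93 30eab672d888d22eab811755d5938981ca5c8f18"
    print(build_ncipher_command("hsm1", "10.115.176.5", 9004, line, line))
```

A mismatch raises ValueError instead of producing a command, so a changed or unexpected KNETI is caught before it reaches the configuration.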

Related Commands

The following table summarizes other commands related to the apps hsm command:

Task                        Command

Displays a specified HSM.   # show apps hsm alias hsm1
Displays all HSMs.          # show apps hsm all
Deletes a specified HSM.    (config) # no apps hsm alias hsm1
Deletes all HSMs.           (config) # no apps hsm all