apps hsm-group

Use the apps hsm-group command to configure an HSM group.

The apps hsm-group command has the following syntax:

apps hsm-group alias <alias>
    type luna-hsm/ncipher-hsm
    comment <comment>
    fetch key-handler <URL for HSM group key handler file>
    hsm-alias
        add <HSM alias>
        delete <HSM alias>
    hsm-set
    rfs-sync
        ipv4-addr <rfs-server-IP>
        auto <time-period>
        fetch-now
    keymap
        add server-ip <address> [server-port <port>] [[key-name <name>] | [key-token <name>]]
        delete [all | rule-id <id>]
    fetch keymap <URL>

The following table describes the arguments for the apps hsm-group command:

Argument

Description

alias <alias>

Specifies an alias of the HSM group.

For example:

(config) # apps hsm-group alias hsm-set

Note:  Only one HSM group can be configured.

type luna-hsm/ncipher-hsm

Specifies the HSM vendor type: luna-hsm for a Thales Luna HSM or ncipher-hsm for an Entrust nShield HSM.

comment <comment>

Adds a comment to an HSM group. Comments can be up to 128 characters. Comments longer than one word must be enclosed in double quotation marks.

For example:

(config) # apps hsm-group alias hsm-set comment "HSM group1"

fetch key-handler <URL for HSM group key handler file>

Fetches an HSM group key handler. Key handlers are the Entrust nShield World and Module binary files, and they can be fetched from the Entrust nShield HSM RFS.

Note:  Configuring a key handler is not applicable for a Thales Luna HSM group.

A World file is a metadata file used by the Entrust nShield client. One World file is needed for an HSM group. One Module file is required for each HSM in a group. So if there are two HSMs in the group, you need to fetch one World file and two Module files.

Examples:

(config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/world

(config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_12EE-4B24-2FCE

(config) # apps hsm-group alias hsm-set fetch key-handler http://10.115.0.100/tftpboot/temp/hsm/module_FBC5-F777-2A93

hsm-alias   add <HSM alias>   delete <HSM alias>

Specifies the HSM alias to add or delete as follows:

add—Adds an HSM to an HSM group. Multiple HSMs can be added to a group. Multiple HSMs might be needed for load balancing, failover, or redundancy.
delete—Deletes an HSM from an HSM group.

Examples:

(config) # apps hsm-group alias hsm-set hsm-alias add hsm1

(config) # apps hsm-group alias hsm-set hsm-alias add hsm2

(config) # apps hsm-group alias hsm-set hsm-alias delete hsm1

hsm-set rfs-sync ipv4-addr <rfs-server-IP>

Enables Remote File System (RFS) synchronization on the GigaVUE‑OS device. RFS is a component of the Entrust nShield HSM deployment that stores and manages encrypted keys, and it helps automate the key distribution process.

Example:

(config) # apps hsm-group alias hsm-set rfs-sync ipv4-addr 20.1.1.1

Note:  The configuration example above is only applicable for Entrust nShield HSM.

hsm-set rfs-sync auto <time-period>

Synchronizes the RFS server with the GigaVUE‑OS device automatically at the specified interval, so that the device periodically fetches the encrypted keys stored on the RFS server.

The valid values for the time period are 0–100 hours. The value 0 turns off the automatic synchronization of the RFS server with the GigaVUE‑OS device.

The default value is 24 hours.

Example:

(config) # apps hsm-group alias hsm-set rfs-sync auto 24

hsm-set rfs-sync fetch-now

Fetches all the encrypted keys from the RFS server to the GigaVUE‑OS device manually.

Example:

(config) # apps hsm-group alias hsm-set rfs-sync fetch-now

hsm-set keymap add server-ip <address> [server-port <port> ] [[key-name <name>] | [key-token <name>]]

Maps a key token or a key name with the server IP address and the server port.

Note:  Mapping a key token or a key name to a server port is optional.

Examples:

(config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 key-name rsa2048-server1-cert

(config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 server-port 443 key-name rsa2048-server1-cert

(config) # apps hsm-group alias hsm-set keymap add server-ip 20.1.1.1 key-token pkcs11_ua88af6e573c9c6c39b245a15edfc3ebcbebbdae4f

Note:  The configuration examples above are only applicable for Entrust nShield HSM.

hsm-set fetch keymap <URL>

Fetches the text file with the key mappings from the specified URL.

You must create a text file with the key mappings and upload it to a server. Enter a valid directory path including the text file name. It is recommended to use a secure protocol, such as SCP or HTTPS, to access the URL.

Example of the keymap text file format. Each line holds a server IP address, an optional server port, and a key name or key token:

server-ip    [server-port]    key-name/key-token

20.1.1.1             rsa2048-server1-cert

20.1.1.2             key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d

20.1.1.3             433 rsa2048-server1-cert

20.1.1.4             433 key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d

Example:

(config) # apps hsm-group alias hsm-set fetch keymap scp://user@10.10.10.10/keymap.txt
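Because the keymap is a hand-written text file that the device fetches over SCP or HTTPS, it is worth validating it before uploading. The following Python script is an added example, not part of the Gigamon documentation or of GigaVUE-OS. It parses the file layout shown above (server IP, optional server port, key name or key token), checks IPv4 addresses and port ranges, flags duplicate server-ip/port entries, and renders each mapping as the equivalent keymap add command from the command syntax so the two can be compared side by side. The sample file contents are constructed. Two things are this example's own assumptions rather than anything the reference states: a field beginning with pkcs11_ or key_pkcs11_ is treated as a key token and anything else as a key name, and two mappings for the same server-ip/port pair are reported as an error.

```python
"""Pre-upload validator for a GigaVUE-OS HSM keymap text file.

Added example, not part of the Gigamon documentation or of GigaVUE-OS.
Layout follows the reference's format example: one mapping per line,
"server-ip [server-port] key-name|key-token", with an optional header
line that starts with "server-ip".
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample file, modelled on the format example in the reference.
SAMPLE_KEYMAP = """\
server-ip    key-name/key-token
20.1.1.1             rsa2048-server1-cert
20.1.1.2             key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d
20.1.1.3             443 rsa2048-server1-cert
20.1.1.4             443 key_pkcs11_uad6963c0f0c30037c707e22ed6ccf8e12014a237d
"""

# Assumption for this example: key tokens carry a pkcs11 prefix, anything
# else is treated as a key name (the reference does not define the rule).
TOKEN_PREFIXES = ("pkcs11_", "key_pkcs11_")


class KeymapError(ValueError):
    """A line in the keymap file is malformed."""


@dataclass(frozen=True)
class KeymapRule:
    server_ip: str
    server_port: Optional[int]   # None when the optional port column is absent
    key_ref: str                 # key name or key token exactly as written in the file
    is_token: bool


def parse_line(line: str, lineno: int) -> KeymapRule:
    """Parse one data line: 'ip key' or 'ip port key'."""
    fields = line.split()
    if len(fields) == 2:
        ip, port, key = fields[0], None, fields[1]
    elif len(fields) == 3:
        ip, port, key = fields
    else:
        raise KeymapError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
    try:
        # The CLI form takes an IPv4 address (server-ip <address>); require the same here.
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        raise KeymapError(f"line {lineno}: invalid IPv4 address {ip!r}") from None
    port_num = None
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise KeymapError(f"line {lineno}: invalid server port {port!r}")
        port_num = int(port)
    return KeymapRule(ip, port_num, key, key.startswith(TOKEN_PREFIXES))


def _data_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, line) for mapping lines; skip blanks, '#' comments and the header."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0].lower() == "server-ip":
            continue
        yield lineno, line


def check_keymap(text: str) -> List[str]:
    """Return every problem found, one message per offending line (empty list if clean)."""
    errors: List[str] = []
    seen = set()
    for lineno, line in _data_lines(text):
        try:
            rule = parse_line(line, lineno)
        except KeymapError as exc:
            errors.append(str(exc))
            continue
        # Assumption: two rules for the same ip/port pair would be ambiguous, so reject them.
        endpoint = (rule.server_ip, rule.server_port)
        if endpoint in seen:
            errors.append(f"line {lineno}: duplicate mapping for {rule.server_ip}:{rule.server_port}")
        seen.add(endpoint)
    return errors


def parse_keymap(text: str) -> List[KeymapRule]:
    """Parse the whole file, raising KeymapError if any line fails validation."""
    errors = check_keymap(text)
    if errors:
        raise KeymapError("; ".join(errors))
    return [parse_line(line, lineno) for lineno, line in _data_lines(text)]


def to_cli(rule: KeymapRule, group_alias: str) -> str:
    """Render a rule as the equivalent 'keymap add' command from the reference syntax."""
    parts = ["apps hsm-group alias", group_alias, "keymap add server-ip", rule.server_ip]
    if rule.server_port is not None:
        parts += ["server-port", str(rule.server_port)]
    parts += ["key-token" if rule.is_token else "key-name", rule.key_ref]
    return " ".join(parts)


if __name__ == "__main__":
    problems = check_keymap(SAMPLE_KEYMAP)
    if problems:
        raise SystemExit("\n".join(problems))
    for rule in parse_keymap(SAMPLE_KEYMAP):
        print(to_cli(rule, "hsm-set"))
```

Running the script on the constructed sample prints four keymap add commands; swap SAMPLE_KEYMAP for the contents of your own file to check it before the fetch keymap step.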

Related Commands

The following table summarizes other commands related to the apps hsm-group command:

Task

Command

Displays the ESN for a given IP address.

# show apps hsm-group anonkneti

Displays enquiry data from the module.

# show apps hsm-group enquiry

Displays the result of a hardserver connection attempt.

# show apps hsm-group chkserv

Displays PKCS11 information.

# show apps hsm-group ckinfo

Displays HSM key information.

# show apps hsm-group key

Displays Security World information.

# show apps hsm-group world

Displays Security World configuration information.

# show apps hsm-group config

Displays Security World module information.

# show apps hsm-group module

Displays SSL session statistics that are handled by HSM servers.

# show apps hsm-group session-stats

Displays HSM buffer statistics.

# show apps hsm-group buffer-stats

Displays all statistics along with their operation state.

# show apps hsm-group all

Displays the operational status of the HSM group and its operation state. The operational states are as follows:

RegisterInProgress - The registration of the HSM-LUNA client on the HSM-LUNA server is in progress.
RegisterPending - The Luna client registration on the HSM-LUNA server is pending.

Note:  To register your client on the Luna server, refer to Client Register - Luna Command Reference for more details.

VerifyInProgress - Verification has begun after the Luna client registration.
HAConfig - The prerequisite configurations for HA verification are complete and HA verification is in progress.
YES - HA verification completed successfully and the HSM configuration is functional.
NO - The HSM configuration is not functional.
INIT - The HSM server configuration has been initialized on the GigaSMART node. This state also checks the communication between the GigaSMART node and the HSM server.
Unknown - The HSM group was configured before the Inline SSL or Passive SSL application was configured.

# show apps hsm-group status

Displays the details of the RFS server, such as the IP address, synchronization period, last sync time, next sync time, and the number of keys stored and managed in the RFS server.

# show apps hsm-group rfs-sync

Displays all the key mappings configured and the RFS matches for the key names or key tokens.

# show apps hsm-group keymap

Displays the list of key labels available in the Thales Luna HSM group.

# show apps hsm-group keylabels

Deletes a specified HSM group.

(config) # no apps hsm-group alias hsm-set

Deletes all HSM groups.

(config) # no apps hsm-group all

Verifies whether the Luna Network HSM slots/partitions are visible to the client.

# show apps hsm-group verify

Verifies whether the Luna HSM appliances are pingable.

# show apps hsm-group ping-result

Displays the HA statistics of the Luna HSM appliances.

# show apps hsm-group ha