TOKEN Menu Functions
The TOKEN menu provides the following functions:
| # | Function | Description |
|---|---|---|
| (1) | Open Session | Before you can manipulate objects or perform cryptographic operations on a token, you must have an open session on that token. This command prompts you for the number of the slot on which to open the new session. By default, an exclusive Read/Write session is opened. To open a read-only or non-exclusive session, use the (98) Options function and specify that you want to be prompted for session types. |
| (2) | Close Session | Once you are finished using a session, the session should be closed. The (2) Close Session function allows you to close a single session, or to close all the sessions on a specific token. |
| (3) | Login | Once a session is opened, you usually log on to the token. You can log on as one of the following roles: Partition SO (PO), which initializes the other roles, performs partition administration operations and unblocks blocked PKA keys; Crypto Officer (CO), created by the SO, which can perform crypto operations including creating, deleting and backing up keys; Limited Crypto Officer (LCO), created by the CO, which can generate and delete keys, SIMExtract/SIMInsert, derive and wrap/unwrap (part of Per Key Authorization), but cannot unblock; Crypto User (CU), created by the CO, which is limited to read-only crypto operations. |
| (4) | Logout | When you are finished with the token, you should first log out, then close the session. |
| (5) | Change PIN | This option lets you change the logon password (the PIN) of the currently logged-in user. You must supply both the old PIN and the new PIN to complete the operation. |
| (6) | Init Token | This option allows you to reset a token to its initial state. You are prompted for the slot containing the token to be initialized, the token label (simply a text string that you can use for token identification) and a new password for the Partition SO. Token initialization wipes out any token objects (keys, certificates, etc.), clears the user PIN (so that it must be reset by the Partition SO) and sets the SO PIN to the value that you have specified. |
| (7) | Init PIN | This command is used to create a user (and thus overwrites an existing user). It is run when you are logged in as the Partition SO. |
| (8) | Mechanism List | This option gives a list of all the encryption/authentication/hashing/key-generation mechanisms supported by the token. If you want to know whether the token supports a specific type of encryption, check for it in the mechanism list. |
| (9) | Mechanism Info | This option allows you to query a specific mechanism to find such information as supported key sizes. You are asked for the mechanism type, which is a numeric value representing the mechanism (these numeric values are given when you request a mechanism list). |
| (10) | Get Info | This option returns basic information on the dynamic library that is being used to talk to the token. None of this information is token-specific, and it can be viewed even if no token is present. |
| (11) | Slot Info | This option gives specific information on a card slot. The slot description and slot ID are given, as well as flags indicating whether a token is present. |
| (12) | Token Info | This option gives information on a token in a specific slot, including the token label, token manufacturer, token model, token flags, session count, minimum and maximum PIN lengths, and private and public memory size/free. |
| (13) | Session Info | This option gives information on an open session. You must have at least one session open to query session information. For a particular session you can find the session handle, the slot ID, the session state, and any associated session flags. |
| (14) | Get Slot List | This option returns a list of card slots available on the system. You are given the option to view all slots, or just the slots which contain tokens. |
| (15) | Wait for Slot Event | Runs CK_WaitforSlotEvent (from PKCS#11 Extensions). |
| (18) | Factory Reset | This option resets the HSM to its factory settings. |
| (19) | Clone MofN | Copies a clonable secret-splitting vector from one token to another. |
| (33) | Token Insert | This option signals the HSM or local workstation that a token will be inserted. Insert the token to begin performing operations with it. |
| (34) | Token Delete | This option deletes the token in a specific slot. |
| (36) | Show Roles | This option lists the roles currently configured on the token in a specific slot. |
| (37) | Show Role Configuration Policies | This option lists the role configuration policies currently in effect for the named role on the token in a specific slot. |
| (38) | Show Role State | This option shows the state of the named role, including the primary authentication type, secondary authentication type, failed login attempts before lockout, failed change-password attempts before lockout, and init status. |
| (39) | Get OUID | This option retrieves the OUID (Object Unique Identifier) of a token in a specific slot. |
| (58) | HSM Zeroize | This option zeroizes the HSM, removing all partitions and keys. |
| (59) | Token Zeroize | This option zeroizes the token in a specific slot, removing all keys and objects. |
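The menu items above are an interactive front end to the PKCS#11 C API, and it helps to see the calls underneath: (1) Open Session is C_OpenSession, (3) Login is C_Login, (4) Logout and (2) Close Session are C_Logout and C_CloseSession, and (8)/(9) Mechanism List and Mechanism Info are C_GetMechanismList and C_GetMechanismInfo. The script below is an added example written for this page, not ckdemo's own code or any vendor library; it drives those calls through Python's ctypes against whatever PKCS#11 module is named in the environment variable PKCS11_MODULE, with the slot and PIN taken from PKCS11_SLOT and PKCS11_PIN (variable names chosen for this example). It declares only the leading part of CK_FUNCTION_LIST, in specification order, and models only the standard CKU_SO and CKU_USER user types; the vendor-specific role types behind the CO, LCO and CU choices, and the exclusive/non-exclusive session option, are not modelled.

```python
"""Added example (not ckdemo's code): the PKCS#11 calls behind the TOKEN menu items
(1) Open Session, (3) Login, (4) Logout, (2) Close Session, (8) Mechanism List and
(9) Mechanism Info, driven through ctypes. Module path, slot and PIN are read from
the environment variables PKCS11_MODULE, PKCS11_SLOT and PKCS11_PIN (names assumed)."""
import contextlib
import ctypes
import os
import sys

# PKCS#11 v2.x constants (values as defined in the specification headers)
CKF_RW_SESSION, CKF_SERIAL_SESSION = 0x0002, 0x0004
CKU_SO, CKU_USER = 0, 1        # standard roles only; vendor CO/LCO/CU types not modelled
CKR_OK = 0x00
CKR_NAMES = {                  # return codes most often met around session/login
    0x03: "CKR_SLOT_ID_INVALID", 0xA0: "CKR_PIN_INCORRECT", 0xA4: "CKR_PIN_LOCKED",
    0xB3: "CKR_SESSION_HANDLE_INVALID", 0xB5: "CKR_SESSION_READ_ONLY",
    0xE0: "CKR_TOKEN_NOT_PRESENT", 0x100: "CKR_USER_ALREADY_LOGGED_IN",
    0x101: "CKR_USER_NOT_LOGGED_IN", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
}
MECH_FLAG_NAMES = {            # CK_MECHANISM_INFO.flags bits shown by (9) Mechanism Info
    0x1: "CKF_HW", 0x100: "CKF_ENCRYPT", 0x200: "CKF_DECRYPT", 0x400: "CKF_DIGEST",
    0x800: "CKF_SIGN", 0x2000: "CKF_VERIFY", 0x8000: "CKF_GENERATE",
    0x10000: "CKF_GENERATE_KEY_PAIR", 0x20000: "CKF_WRAP", 0x40000: "CKF_UNWRAP",
    0x80000: "CKF_DERIVE",
}

CK_ULONG = ctypes.c_ulong      # CK_ULONG is the platform's unsigned long
CK_RV = CK_ULONG
VOID_P = ctypes.c_void_p
ULONG_P = ctypes.POINTER(CK_ULONG)


class CK_MECHANISM_INFO(ctypes.Structure):
    _fields_ = [("ulMinKeySize", CK_ULONG), ("ulMaxKeySize", CK_ULONG), ("flags", CK_ULONG)]


class CK_FUNCTION_LIST_PREFIX(ctypes.Structure):
    """Leading entries of CK_FUNCTION_LIST in specification order. Only the calls used
    here get a prototype; a prefix is enough because the module's own table is never
    copied, only read through a pointer."""
    if sys.platform == "win32":
        _pack_ = 1             # cryptoki.h packs structures on Windows
    _fields_ = [
        ("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte),
        ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, VOID_P)),
        ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, VOID_P)),
        ("C_GetInfo", VOID_P), ("C_GetFunctionList", VOID_P),
        ("C_GetSlotList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte, ULONG_P, ULONG_P)),
        ("C_GetSlotInfo", VOID_P), ("C_GetTokenInfo", VOID_P),
        ("C_GetMechanismList", ctypes.CFUNCTYPE(CK_RV, CK_ULONG, ULONG_P, ULONG_P)),
        ("C_GetMechanismInfo", ctypes.CFUNCTYPE(CK_RV, CK_ULONG, CK_ULONG,
                                                ctypes.POINTER(CK_MECHANISM_INFO))),
        ("C_InitToken", VOID_P), ("C_InitPIN", VOID_P), ("C_SetPIN", VOID_P),
        ("C_OpenSession", ctypes.CFUNCTYPE(CK_RV, CK_ULONG, CK_ULONG, VOID_P, VOID_P, ULONG_P)),
        ("C_CloseSession", ctypes.CFUNCTYPE(CK_RV, CK_ULONG)),
        ("C_CloseAllSessions", VOID_P), ("C_GetSessionInfo", VOID_P),
        ("C_GetOperationState", VOID_P), ("C_SetOperationState", VOID_P),
        ("C_Login", ctypes.CFUNCTYPE(CK_RV, CK_ULONG, CK_ULONG, ctypes.c_char_p, CK_ULONG)),
        ("C_Logout", ctypes.CFUNCTYPE(CK_RV, CK_ULONG)),
    ]


class Pkcs11Error(RuntimeError):
    pass


def check(rv, call):
    """Turn a non-CKR_OK return value into an exception naming the call and the code."""
    if rv != CKR_OK:
        raise Pkcs11Error(f"{call} failed: {CKR_NAMES.get(rv, '0x%08X' % rv)}")


def session_flags(read_only=False):
    """Flags for C_OpenSession: CKF_SERIAL_SESSION is mandatory in PKCS#11 v2.x, and
    the menu's default (1) Open Session is Read/Write, so CKF_RW_SESSION is added."""
    return CKF_SERIAL_SESSION | (0 if read_only else CKF_RW_SESSION)


def mechanism_flag_names(flags):
    """Decode CK_MECHANISM_INFO.flags into symbolic names, lowest bit first."""
    return [name for bit, name in sorted(MECH_FLAG_NAMES.items()) if flags & bit]


def load_module(path):
    """Load the PKCS#11 module, fetch its function table and initialize the library."""
    lib = ctypes.CDLL(path)                      # raises OSError if the module is missing
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_PREFIX))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_PREFIX)()
    check(lib.C_GetFunctionList(ctypes.byref(fl)), "C_GetFunctionList")
    check(fl.contents.C_Initialize(None), "C_Initialize")
    return fl.contents


def list_mechanisms(fl, slot):
    """(8) Mechanism List: PKCS#11's two-call pattern, size query then buffer fill."""
    count = CK_ULONG(0)
    check(fl.C_GetMechanismList(slot, None, ctypes.byref(count)), "C_GetMechanismList")
    buf = (CK_ULONG * count.value)()
    check(fl.C_GetMechanismList(slot, buf, ctypes.byref(count)), "C_GetMechanismList")
    return list(buf[:count.value])


def mechanism_info(fl, slot, mech):
    """(9) Mechanism Info: (min key size, max key size, flag names) for one mechanism number."""
    info = CK_MECHANISM_INFO()
    check(fl.C_GetMechanismInfo(slot, mech, ctypes.byref(info)), "C_GetMechanismInfo")
    return info.ulMinKeySize, info.ulMaxKeySize, mechanism_flag_names(info.flags)


@contextlib.contextmanager
def logged_in_session(fl, slot, pin, user_type=CKU_USER, read_only=False):
    """(1) open, (3) login, work, (4) logout, (2) close, in the order the menu documents;
    logout and close still run if the body raises, so no session is left open."""
    handle = CK_ULONG(0)
    check(fl.C_OpenSession(slot, session_flags(read_only), None, None, ctypes.byref(handle)),
          "C_OpenSession")
    try:
        check(fl.C_Login(handle.value, user_type, pin, len(pin)), "C_Login")
        try:
            yield handle.value
        finally:
            fl.C_Logout(handle.value)
    finally:
        fl.C_CloseSession(handle.value)


if __name__ == "__main__":
    fl = load_module(os.environ["PKCS11_MODULE"])
    slot = int(os.environ["PKCS11_SLOT"])
    for mech in list_mechanisms(fl, slot)[:10]:
        print(f"0x{mech:08X}", mechanism_info(fl, slot, mech))
    with logged_in_session(fl, slot, os.environ["PKCS11_PIN"].encode()) as session:
        print("logged in; session handle", session)
    fl.C_Finalize(None)
```

The context manager enforces the ordering the (4) Logout row gives, logout before close, even when the work inside the session fails, and the two-call pattern in list_mechanisms is the same size-query-then-fill idiom the (8) Mechanism List entry hides from the user.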