vtl
The vtl (Virtual Token Library) command-line utility is installed with the HSM Client software. It is used to manage the relationship between your Client computer and one or more Luna appliances.
NOTE Many vtl functions have been moved to LunaCM. Thales recommends using LunaCM for client configuration wherever possible. See lunacm:> clientconfig for details.
Open a command prompt window or console, cd to the directory where you installed your client software, and run the vtl command. Use the -h option to see the available sub-commands.
These are the commands that you can use to manage the relationship between your HSM Client computer and one or more Luna appliances (either Luna Network HSM 7s, or Luna Backup HSM configured for remote backup). You must have Administrator privileges on the client computer. If you do not also have authority on the Luna Network HSM 7 appliance(s), then you need the co-operation of the person who holds that authority.
admin@mycomputer:~>vtl
usage: (select command -h for additional information)
NOTE You need to be Administrator (or equivalent) when running vtl commands that need to access /etc and /user (and the equivalents in Windows).
Subcommands
Subcommand | Description |
---|---|
addCA | Add a Certificate Authority root chain certificate to the list of CAs registered on the client. See vtl addCA. |
addServer | Adds the specified server to the client's list of trusted servers. See vtl addServer. |
addServerNoCert | Add an HSM server's IP/hostname to the client's list of Luna Network HSM 7 servers. See vtl addServerNoCert. |
cklogsupport | Enable or disable CKLOG support. See vtl cklogsupport. |
createCert | Create (or re-create) the client's certificate and private key used for NTLS (Network Trust Link Service). See vtl createCert. (See note below this table.) |
createCSR | Create a Certificate Signing Request (CSR)—a private key and unsigned client certificate. See vtl createCSR. |
deleteCA | Delete a Certificate Authority root chain certificate from the truststore on the client. See vtl deleteCA. |
deleteServer | Remove a server/host from the client's list of trusted HSM servers. See vtl deleteServer. |
deleteServerNoCert | Delete the IP/hostname of a Luna Network HSM 7 server from the list of servers, without deleting the certificate associated with that server. See vtl deleteServerNoCert. |
examineCert | Display details of a specified certificate. See vtl examineCert. |
fingerprint | Display the fingerprint of a specified certificate. See vtl fingerprint. |
listCAs | Display a list of the Certificate Authority root chain certificates registered on the client. See vtl listCAs. |
listServers | Display a list of HSM servers trusted by this client. See vtl listServers. |
listSlots | List all PKCS#11 cryptographic device slots that can be seen at this time. See vtl listSlots. |
logging | Configure logging for Windows computers. See vtl logging. |
replaceServer | Replace a named server/host from the client's list of trusted HSM servers with a new named server/host. See vtl replaceServer. |
supportInfo | Create a support information file, when one is requested by Thales Customer Support. See vtl supportInfo. |
verify | Verify the visible HSM slots or partitions. See vtl verify. |
NOTE Client software version 10.7.0 upgrades the algorithm used in client keypair creation from TDES/DES3 to AES-256-CBC. You can verify that the newer algorithm was used by viewing the cert file and checking the DEK-Info section. Requires HSM Client version 10.7.0 onward.
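One way to script the DEK-Info check from the note above, as an added example that is not part of the Thales documentation. It assumes the file is PEM with the usual `DEK-Info: <cipher>,<IV>` header and that TDES appears under its OpenSSL name `DES-EDE3-CBC`; the function names, sample files and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the cipher named in a PEM file's DEK-Info header.

# dek_cipher FILE: print the cipher from the first DEK-Info header, or nothing.
dek_cipher() {
    # Header form: "DEK-Info: <cipher>,<hex IV>"; keep only <cipher>.
    sed -n 's/^DEK-Info:[[:space:]]*\([^,]*\),.*/\1/p' "$1" | head -n 1
}

# classify_dek FILE: print ok | legacy | unknown:<cipher> | no-dek-info
classify_dek() {
    cipher=$(dek_cipher "$1")
    case "$cipher" in
        AES-256-CBC)          echo "ok" ;;               # algorithm used from 10.7.0
        DES-EDE3-CBC|DES-CBC) echo "legacy" ;;           # TDES/DES: re-create the keypair
        "")                   echo "no-dek-info" ;;      # header absent: inspect by hand
        *)                    echo "unknown:$cipher" ;;
    esac
}

# make_sample FILE CIPHER: write a constructed PEM (placeholder body, no real key).
make_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        "DEK-Info: $2,00112233445566778899AABBCCDDEEFF" '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1"
}

# Demo on constructed samples; point classify_dek at your own file instead.
tmp=$(mktemp -d)
make_sample "$tmp/new.pem" AES-256-CBC
make_sample "$tmp/old.pem" DES-EDE3-CBC
for f in "$tmp"/*.pem; do
    echo "$(basename "$f"): $(classify_dek "$f")"
done
rm -rf "$tmp"
```

A `legacy` or `no-dek-info` result means the file does not show the AES-256-CBC protection described in the note and should be examined further.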