token pki

Access the token pki commands. These commands allow you to operate token HSMs (with Luna G5 HSM connected to the Luna SA via USB) when used in PKI mode.

Note:  The PKI Bundle feature is supported with PED-authenticated Luna SA, and the connected Luna G5 HSM must also be PED-authenticated.

PKI bundling with password-authenticated Luna SA or Luna G5 is not supported.  

Note:  The Luna SA PKI Bundle option does not support Per-Partition Security Officer (PPSO). That is, a Luna G5 HSM that is USB-connected to a Luna SA appliance can be configured with any compatible firmware, including firmware version 6.22.0 (or newer), but cannot have the PPSO capability applied.

Note:  The Luna SA PKI Bundle option does not support the use of Luna DOCK2 and removable PCMCIA token HSMs (Luna CA4).

An external Luna HSM can be USB-connected to a Luna SA appliance for:

local backup/restore operations (Luna Backup HSM)

PKI bundle operations (Luna G5 HSM)

Luna SA does not pass PED operations and data through to an externally connected Luna HSM from a Luna PED that is connected locally to the Luna SA.

If the external HSM is PED-authenticated, then the options for Luna PED connection are:

local PED connection, directly to the affected HSM, when needed, or

Remote PED connection, passed through the Luna SA  

Note:  Support for PKI Bundles with Remote PED begins at firmware version 6.10.1 in the external HSM.

Note:  Support for locally connected Backup HSM with Remote PED begins at firmware version 6.10.1 in the external HSM.

Note:  To use Remote PED with an external device, first set up the connection with the commands
hsm ped vector init -serial <serial#_of_external_HSM>
and
hsm ped connect -serial <serial#_of_external_HSM>
before using token pki or token backup commands.

 

Syntax

token pki

activate
changepin
clone
deploy
factoryreset
listall
listdeployed
predeploy
resetpin
undeploy
update

Parameter      Shortcut   Description
activate       a          Activate PKI Token for use with your application. See "token pki activate".
changepin      ch         Change PKI Token PIN. See "token pki changepin".
clone          cl         Clone PKI Token contents. See "token pki clone".
deploy         d          Deploy PKI Token. See "token pki deploy".
factoryreset   fr         Factory Reset PKI Token. See "token pki factoryreset".
listall        lista      List All PKI Tokens. See "token pki listall".
listdeployed   listd      List All Deployed Tokens. See "token pki listdeployed".
predeploy      p          Pre-deploy PKI Token. See "token pki predeploy".
resetpin       r          Reset PKI Token PIN. See "token pki resetpin".
undeploy       un         Undeploy PKI Token. See "token pki undeploy".
update         up         Access the token pki update commands. See "token pki update".

 

Note:  The above commands prepare an HSM, externally connected to a Luna SA appliance, for operation in the PKI use-case. However, once the external HSM has been deployed for PKI bundle, it must be assigned to the remote client, by means of the command "client assignpartition".