Accessing LunaCM

The LunaCM utility (LunaCM) is the client-side administrative command interface for SafeNet HSMs.

From a client/host computer, LunaCM can interact with, and perform operations on, any or all of the following:

>Internally installed SafeNet Luna PCIe HSMs (HSM card)

>Locally USB-connected SafeNet Luna USB HSMs

>Remotely located SafeNet Luna Network HSM application partitions, made available by an NTLS or STC network link between the distant HSM appliance and partition(s) and the local client computer.

To access LunaCM:

1. Open a Command Prompt or console window.

2. Go to the SafeNet Luna HSM Client software directory and start the LunaCM utility:

Windows

C:\> cd c:\Program Files\SafeNet\LunaClient

C:\Program Files\SafeNet\LunaClient\> lunacm

Linux/AIX

> cd /usr/safenet/lunaclient/bin

> ./lunacm

Solaris

> cd /opt/safenet/lunaclient/bin

> ./lunacm

Some preliminary status information is displayed, followed by the lunacm:> command-line prompt.

3. You can now issue any LunaCM utility command to manage your SafeNet HSM. For a summary, type "help" and press Enter.

NOTE   For SafeNet Luna PCIe HSM and SafeNet Luna USB HSM, LunaCM is used to administer both the HSM as HSM SO, and the application partition. For SafeNet Luna Network HSM, LunaCM is used to manage application partitions (assuming an NTLS or STC link between your SafeNet Luna HSM Client computer and the SafeNet Luna Network HSM appliance). LunaCM is not used to perform HSM-wide administration by the HSM SO on SafeNet Luna Network HSM - for that you must log into a LunaSH session via SSH.

LunaCM depends on the availability of HSM partitions in order to be useful. If no application partition has been created, then only the HSM SO (administrative) partition is available, against which to run commands.

If the Chrystoki.conf / Crystoki.ini configuration file [Presentation] setting "ShowAdminTokens=" is set to no, then the HSM administrative partition/slot is also unavailable, and LunaCM is not usable. If you know you have a working SafeNet Luna PCIe HSM or SafeNet Luna USB HSM attached to your Client computer and LunaCM shows no usable commands, then verify in your Chrystoki.conf or Crystoki.ini file that "ShowAdminTokens" is not set to no.
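The check described above can be automated before troubleshooting LunaCM itself. The following is an added example, not code from the SafeNet documentation or client software; the function names are hypothetical, and the two file layouts it accepts (a brace-delimited "Presentation = { ... }" block and an INI-style "[Presentation]" section) and the comment markers are assumptions about the configuration file syntax.

```python
import re

# Section headers: "[Presentation]" (crystoki.ini style) or "Presentation = {"
# (Chrystoki.conf style). Both layouts are assumptions about the file syntax.
SECTION = re.compile(r"^(?:\[(?P<ini>[^\]]+)\]|(?P<conf>\w+)\s*=\s*\{)$")
# "Key = value" with an optional trailing ";" as used in the brace layout.
SETTING = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>[^;]*?)\s*;?$")

def read_setting(text, section, key):
    """Return the last value of `key` inside `section`, or None if unset."""
    current, found = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment (assumed markers)
            continue
        header = SECTION.match(line)
        if header:
            current = (header.group("ini") or header.group("conf")).strip().lower()
        elif line.startswith("}"):
            current = None                    # end of a brace-style section
        elif current == section.lower():
            entry = SETTING.match(line)
            if entry and entry.group("key").lower() == key.lower():
                found = entry.group("value").strip()
    return found

def admin_slot_hidden(text):
    """True when [Presentation] ShowAdminTokens is explicitly set to "no"."""
    value = read_setting(text, "Presentation", "ShowAdminTokens")
    return value is not None and value.lower() == "no"

# Constructed sample files, not taken from a real client installation.
CONF_HIDDEN = """\
Luna = {
   DefaultTimeOut = 500000;
}
Presentation = {
   ShowAdminTokens = no;
}
"""
INI_VISIBLE = """\
[Luna]
DefaultTimeOut=500000
[Presentation]
ShowAdminTokens=yes
"""

if __name__ == "__main__":
    for name, text in (("CONF_HIDDEN", CONF_HIDDEN), ("INI_VISIBLE", INI_VISIBLE)):
        state = "hidden" if admin_slot_hidden(text) else "available"
        print(f"{name}: HSM administrative slot {state}")
```

To check a real client, pass the contents of your Chrystoki.conf or Crystoki.ini file to admin_slot_hidden() in place of the sample strings.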

Scripted Use

This document generally describes LunaCM being used via its own persistent interface or shell, where the tool is launched and remains open for administrative users to issue commands at their convenience. However, for headless operation and other administrative scenarios, it is possible to launch LunaCM from a Windows or UNIX/Linux command prompt to execute a single command and immediately close. Similarly, it is possible to invoke LunaCM by referring it to a file that contains a list of commands to execute. Some command-line launch-time flags are provided.

lunacm [-c <command>] [-q <command>] [-s <slot id> <command>] [-e <script filename>] [-f <script filename>]

Option                        Description

Non-repeating, single-instance commands

. <command>                   If no option is specified, LunaCM launches its full, persistent shell interface.
-c <command>                  This option displays the banner and runs a single instance of a LunaCM command, and then returns to the operating system command prompt.
-q <command>                  This option runs a single instance of a LunaCM command, and then returns to the operating system command prompt. The banner is suppressed.
-s <slot number> <command>    This option runs a single instance of a LunaCM command against the specified slot, and then returns to the operating system command prompt. The banner is suppressed.

Scripting options

-e <script filename>          Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option halts when the first error is encountered. Use this option when debugging your scripts.
-f <script filename>          Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option continues after any command that results in an error (as long as the command concludes by returning control).

NOTE   When preparing a script file, any commands with a -force option should include that option to suppress prompts (like "Type 'proceed'...") that could halt the progression of scripted commands. If a command requires inputs (like passwords, domains, etc.), those parameters must be provided as part of the command.