Before you can manipulate objects or perform cryptographic operations on a token, you must have an open session on that token. This command prompts you for the number of the slot on which to open the new session. By default, an exclusive, Read/Write session is opened. If you would like to open a read only or non-exclusive session, you must use the (98) Options function and specify that you want to be prompted for session types.

Once you are finished using a session, the session should be closed. The (2) Close Session function allows you to close a single session, or to close all the sessions on a specific token.

Once a session is opened, you usually log on to the token. You have a choice between logging on as:

> Partition SO (PO) - initialize other roles and do partition administration operations, unblock blocked PKA keys

>Crypto Officer (CO) - created by SO, can perform crypto operations including creating/deleting/ backing up keys

>Limited Crypto Officer (LCO) - created by CO, can generate/delete keys, SIMExtract/SIMInsert, derive and wrap/unwrap (part of Per Key Authorization), cannot unblock  

>Crypto User (CU) - created by CO, read-only crypto operations

When you are finished with the token, you should first log out, then close the session.

(Not for Luna Network HSM) This option lets you change the logon password (the PIN) of the currently logged in user. You must supply both the old PIN and the new PIN to complete the operation.

>The slot containing the token to be initialized

>The token label (which is simply a text string that you can use for Token Identification)

>A new password for the Partition SO

Token initialization performs the following actions:

>Wipes out any token objects (Keys, certificates, etc)

>Clears the user PIN (so that it must be reset by the Partition SO)

>Sets the SO PIN to the value that you have specified

(Not for Luna Network HSM) This command is used to create a user (and thus overwrites an existing user) and is run when you are logged in as the Partition SO.

This option gives a list of all the encryption/authentication/hashing/key-generation mechanisms supported by the token. If you want to know if the token supports a specific type of encryption, you can check for it in the mechanism list.

This option allows you to query a specific mechanism to find such information as supported key sizes. You are asked for the Mechanism type, which is a numeric value representing the mechanism (these numeric values are given when you request a mechanism list).

This option returns basic information on the Dynamic Library that is being used to talk to the token. None of this information is token specific, and it can be viewed even if there is no token present.

This option gives specific information on a card slot. The slot description and slot ID are given, as well as some flags to represent if a token is present.

This option gives information on a token in a specific slot, including the following:

>Token Label

>Token Manufacturer

>Token Model

>Token Flags

> Session Count

>Min and Max PIN Lengths

>Private memory size/free

>Public memory size/free

This option gives information on an open session. You must have at least one session opened to query session information. For a particular session you can find the session handle, the slot ID, the session state, and any associated session flags.

This option returns a list of card slots available on the system. You are given the option to view all slots, or just the slots which contain tokens.

Runs CK_WaitforSlotEvent (from PKCS#11 Extensions).

This option resets the HSM to its factory settings.

(Not for Luna Network HSM) Copy a clonable secret-splitting vector from one token to another.

(For Luna USB HSM) This option signals the HSM or local workstation that a token will be inserted. Insert the token to begin performing operations with it.

(For Luna USB HSM) This option deletes the token in a specific slot.

This option lists the roles currently configured on the token in a specific slot.

This option lists the role configuration policies currently in effect for the named role on the token in a specific slot.

This option shows the state of the named role. Information given includes:

>Primary authentication type

>Secondary authentication type

>Failed login attempts before lockout

>Init status

This option retrieves the OUID (Object Unique Identifier) of a token in a specific slot.

This option zeroizes the HSM, removing all partitions and keys. HSM zeroization does not destroy the RPV or Auditor role.