Accessing LunaCM
The LunaCM utility (LunaCM) is the client-side administrative command interface for
From a client/host computer, LunaCM can interact with, and perform operations on any, or all, of the following:
>Internally installed Luna PCIe HSMs (HSM card)
>Locally USB-connected Luna USB HSMs
>Remotely located Luna Network HSM application partitions, made available by an NTLS or STC network link between the distant HSM appliance and partition(s) and the local client computer.
To access LunaCM:
1. Open a Command Prompt or console window.
2. Go to the Luna HSM Client software directory and start the LunaCM utility:
Operating system | Commands |
---|---|
Windows | C:\> cd c:\Program Files\SafeNet\LunaClient |
 | C:\Program Files\SafeNet\LunaClient\> lunacm |
Linux/AIX | > cd /usr/safenet/lunaclient/bin |
 | > ./lunacm |
Solaris | > cd /opt/safenet/lunaclient/bin |
 | > ./lunacm |
Some preliminary status information is displayed, followed by the lunacm:> command-line prompt.
3. You can now issue any LunaCM utility command to manage your
NOTE For Luna PCIe HSM and Luna USB HSM, LunaCM is used to administer both the HSM as HSM SO, and the application partition. For Luna Network HSM, LunaCM is used to manage application partitions (assuming an NTLS or STC link between your Luna HSM Client computer and the Luna Network HSM appliance). LunaCM is not used to perform HSM-wide administration by the HSM SO on Luna Network HSM - for that you must log into a LunaSH session via SSH.
LunaCM is useful only when HSM partitions are available. If no application partition has been created, then only the HSM SO (administrative) partition is available to run commands against.
CAUTION! If the Chrystoki.conf / Crystoki.ini configuration file [Presentation] setting "ShowAdminTokens=" is set to no, then the HSM administrative partition/slot for any attached HSM is not available. If you also have not created any application partitions, LunaCM is not usable. If you know you have a working Luna PCIe HSM attached to your Client computer and LunaCM shows no usable commands, or you cannot see the Admin slots, then verify in your Chrystoki.conf or Crystoki.ini file that "ShowAdminTokens" is not set to no. See Configuration File Summary for more information.
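One way to run the check described in the CAUTION above, as an added example that is not part of the Luna documentation: it reads ShowAdminTokens from the Presentation section of either configuration file. The brace-block layout for Chrystoki.conf and the INI layout for Crystoki.ini are assumptions, the sample contents are constructed, and the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Constructed samples; both layouts are assumptions, not taken from the page.
SAMPLE_CONF = """\
Presentation = {
   ShowAdminTokens = no;
}
"""
SAMPLE_INI = """\
[OtherSection]
ShowAdminTokens=no
[Presentation]
ShowAdminTokens = Yes
"""

SECTION_INI = re.compile(r"^\[\s*([^\]]+?)\s*\]$")   # [Presentation]
SECTION_CONF = re.compile(r"^(\w+)\s*=\s*\{$")       # Presentation = {
KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*;?$")  # key = value;

def read_setting(text, section, key):
    """Return key's value inside section (either layout), or None if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_INI.match(line) or SECTION_CONF.match(line)
        if header:
            current = header.group(1).lower()
        elif line == "}":
            current = None  # end of a brace block
        elif current == section.lower():
            pair = KEY_VALUE.match(line)
            if pair and pair.group(1).lower() == key.lower():
                return pair.group(2)
    return None

def admin_slots_status(text):
    """Classify the [Presentation] ShowAdminTokens setting."""
    value = read_setting(text, "Presentation", "ShowAdminTokens")
    if value is None:
        return "unset"  # the page does not state the default, so none is assumed
    return "hidden" if value.lower() == "no" else "visible"

if __name__ == "__main__":  # optional argument: path to your own config file
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    print(admin_slots_status(text))
```

A result of "hidden" on a client with no application partitions matches the situation the CAUTION describes, where LunaCM shows no usable slots.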
Scripted Use
This document generally describes LunaCM being used via its own persistent interface or shell, where the tool is launched and remains open for administrative users to issue commands at their convenience. However, for headless operation and other administrative scenarios, it is possible to launch LunaCM from a Windows or UNIX/Linux command prompt to execute a single command and immediately close. Similarly, it is possible to invoke LunaCM by referring it to a file that contains a list of commands to execute. Some command-line launch-time flags are provided.
lunacm [-c <command>] [-q <command>] [-s <slot id> <command>] [-e <script filename>] [-f <script filename>]
Option | Description |
---|---|
Non-repeating, single-instance commands | |
. <command> | If no option is specified, LunaCM launches its full, persistent shell interface. |
-c <command> | This option displays the banner and runs a single instance of a LunaCM command, and then returns to the operating system command prompt. |
-q <command> | This option runs a single instance of a LunaCM command, and then returns to the operating system command prompt. The banner is suppressed. |
-s <slot number> <command> | This option runs a single instance of a LunaCM command against the specified slot, and then returns to the operating system command prompt. The banner is suppressed. |
Scripting options | |
-e <script filename> | Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option halts when the first error is encountered. Use this option when debugging your scripts. |
-f <script filename> | Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option continues after any command that results in an error (as long as the command concludes by returning control). |
NOTE When preparing a script file, any commands with a -force option should include that option to suppress prompts (like "Type 'proceed'...") that could halt the progression of scripted commands. If a command requires inputs (like passwords, domains, etc), those parameters must be provided as part of the command.