Using PSESH

The PSESH shell command line tool provides access to the ProtectServer Network HSM shell for performing basic appliance configuration tasks such as network configuration and appliance software package updates and management.

PSESH commands are not case sensitive.

Access to PSESH is via SSH or the local console.

This chapter contains the following sections:

Users

Features

Accessing PSESH

Admin Account Lockout and Recovery

Users

The following users can access PSESH:

User Description
admin

The admin user is responsible for managing the appliance.

The admin user is able to execute all of the PSESH commands available to the pseoperator, as well as commands used to perform package upgrades/installations, troubleshooting, viewing log files, and extracting log files. The admin user is also able to reset the password for the audit and pseoperator users.

audit

The audit user is responsible for managing logging on the appliance.

The audit user is able to execute the PSESH commands used to manage audit logging configuration, log rotation scheduling, and settings for the audit user role.

pseoperator

The pseoperator user is responsible for configuring the appliance for client access.

The pseoperator user is able to execute the PSESH commands used to configure the appliance network parameters, such as IP addresses, iptables, and routes, as well as appliance settings such as the date/time and SNMP configuration.

Features

PSESH provides the following features:

Feature   Description
Command history   You can scroll through the commands you have entered on the PSESH command line using the up/down arrow keys.
Console history   You can scroll up to see the console history with SHIFT+PageUp.
Command shortcuts   You must type sufficient letters of a command or sub-command to make the input unique in the current syntax. For example, you could invoke system syntax help with help, hel, he, but not just h (because there is also an hsm command and typing just "h" is not sufficient to indicate whether you want help or hsm).
Command completion   You can use the TAB key to automatically complete partially typed commands. This allows you to type only enough characters to uniquely identify the command, and then press TAB to automatically fill in the rest of the characters for the command.
Command syntax help   To display help information for a command, type help <command_name>, or ? <command_name>.

Accessing PSESH

You can access PSESH by connecting a keyboard and monitor to the appliance, using a serial connection, or using an SSH client (such as PuTTY in Windows or the ssh command in Linux) after the network settings have been configured.

To access PSESH

1. Connect to the appliance (monitor and keyboard, serial connection, or SSH).

When a successful connection is made, a terminal window opens and the prompt login as: appears.

You can log in as admin, pseoperator, or audit (see Users for details on these roles).

2. You are prompted for the password. If this is the first time you have signed in as this user, the default password is password. You will be prompted to enter a new password.

Once you have logged in, the system presents the psesh:> prompt, which includes the hostname you assigned to the appliance:

[myPSE] psesh:>

NOTE   After three failed SSH login attempts, the account will be locked out for 10 minutes.

You can now issue any PSESH command. For a summary, type ? or help and press Enter.

Admin Account Lockout and Recovery

As a security measure, the admin account is locked out after 10 consecutive failed login attempts using the console (serial port or keyboard and monitor). Further login attempts will produce a message like the following:

Your admin account is locked due to 11 failed logins.
You will need to tamper the HSM and reboot the system to reset the admin password.

CAUTION!   Tampering the HSM will destroy all tokens and stored objects. Back up any important cryptographic objects using the ProtectToolkit client software before you proceed.

To recover the admin account

1. Tamper the HSM by turning the tamper lock key or pressing the tamper switch. See Tampering or Decommissioning the HSM.

2. Reboot the appliance using one of the following methods:

Log in to PSESH as pseoperator and run sysconf appliance reboot.

Hard reboot

ProtectServer External 2

Press the recessed reset button on the appliance's front panel. See Reset button.

ProtectServer External 2 Plus

Press the start/stop switch on the appliance's rear panel. See ProtectServer External 2 Plus rear panel.

Wait at least 15 seconds, and press the start/stop switch again to restart the system.

After a successful reboot, the following message is displayed, followed by the login prompt:

Protect Server External II v5.9.1

Warning: This is a password recovery process.
         The HSM is tampered and rebooted after max password retry failures.
         The admin password is reset to factory default now.
         You are required to change the password at the first login.

myPSE login:

3. Log in to the unlocked admin account using the default password ("password"). You are prompted to set a new password for the admin account.

4. Set a new admin password.

5. The password recovery process halts the SSH service on the appliance. Restart the SSH service with the following command:

psesh:>service restart ssh
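
The two lockout rules on this page (three failed SSH logins lock an account for 10 minutes; ten consecutive failed console logins lock admin until the HSM is tampered) can be tracked from login records, so that operators are alerted before the console limit is reached and a tamper becomes necessary. This is an added example, not Thales code or PSESH output. The record format, the sample lines, the treatment of SSH failures as a consecutive run, and the rule that SSH counting starts over once a lock expires are all assumptions.

```python
import re
from datetime import datetime, timedelta

CONSOLE_LIMIT = 10                # page: consecutive failed console logins (admin)
SSH_LIMIT = 3                     # page: failed SSH logins before lockout
SSH_LOCK = timedelta(minutes=10)  # page: SSH lockout duration
# Constructed record format (assumption): "<ISO time> <console|ssh> <ok|failed> user=<name>"
LINE_RE = re.compile(r"^(\S+) (console|ssh) (ok|failed) user=(\w+)$")
# Constructed sample records, not real appliance output.
SAMPLE = """\
2024-05-01T08:50:00 console ok user=admin
2024-05-01T08:58:00 console failed user=admin
2024-05-01T08:58:30 console failed user=admin
2024-05-01T09:00:00 ssh failed user=pseoperator
2024-05-01T09:00:10 ssh failed user=pseoperator
2024-05-01T09:00:20 ssh failed user=pseoperator
2024-05-01T09:01:00 ssh failed user=audit
""".splitlines()

def streaks(lines):
    """Map (channel, user) -> (consecutive failures, time of the latest failure)."""
    state = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        ts, channel, result, user = m.groups()
        when = datetime.fromisoformat(ts)
        count, last = state.get((channel, user), (0, None))
        if channel == "ssh" and count >= SSH_LIMIT and when - last >= SSH_LOCK:
            count = 0  # assumed: counting starts over once a 10-minute lock expires
        state[(channel, user)] = (0, None) if result == "ok" else (count + 1, when)
    return state

def assess(lines, now):
    """Return {(channel, user): status} as of the datetime `now`."""
    report = {}
    for (channel, user), (count, last) in streaks(lines).items():
        if (channel, user) == ("console", "admin"):
            left = CONSOLE_LIMIT - count
            status = f"{left} console attempts left" if left > 0 else "locked: tamper required"
        elif channel == "ssh" and count >= SSH_LIMIT and now - last < SSH_LOCK:
            status = "locked until " + (last + SSH_LOCK).isoformat()
        else:
            status = "ok"
        report[(channel, user)] = status
    return report
```

Calling assess(SAMPLE, now) with a datetime for the current time returns one status per account and channel. The page documents a console lockout only for admin, so other console accounts are reported as "ok".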