ctconf
Configuration utility for the ProtectToolkit-C environment.
The ctconf utility is used to configure the operating parameters for ProtectToolkit-C.
By default, ctconf will report configurable settings for the first device found. Some options are only applicable to either the hardware or software implementation of ProtectToolkit-C.
NOTE When operating in WLD/HA mode, this utility should only be used to view the configuration. Any changes to the configuration should be made in NORMAL mode. See Operation in WLD Mode and Operation in HA Mode for more information about these operating modes.
Syntax
ctconf [-a<device>] [-b<name>] [-c<slots>] [-d<slot>] [-e] [-f<flags>] [-g<file>] [-h] [-i<file>] [-j<file>] [-k<file>] [-l] [-m<mode>] [-n<slot>] [-p] [-q] [-r<slot>] [-s] [-t] [-v] [-x] [--rtc-adj-access-control-rule=<secs>:<count>:<days>] [--rtc-adj-access-control=<0 | 1>]
| Option | Description |
|---|---|
| `-a<device>` | `--device-number=<device>` Use the admin token on the specified device. |
| `-b<name>` | `--fm-cert=<name>` Specifies the certificate used to validate an FM specified with `-k<FM_file>`. |
| `-c<slots>` | `--create-slots=<slots>` Create `<slots>` new User slots. |
| `-d<slot>` | `--delete-slot=<slot>` Delete and remove the User slot with ID `<slot>`. (You cannot delete the admin slot.) |
| `-e` | `--event-log` Prints the event log on stdout. |
| `-f<flags>` | Configures security flags. Security flags are used to implement security policies. Multiple flags may be set simultaneously. For example, the command `ctconf -ftu` would set both the t and the u flags. When flags are set, any flags set previously are cleared. Setting `ctconf -f0` clears all the flags and places the device in SafeNet Default Mode (no flags set). This security policy is described in the "Typical Security Policies" section Default Mode. Use other flag values to set flags as follows: Each of these flags is fully described in Security Flag Descriptions. |
| `-g<file>` | `--upgrade-fw=<file>` Upgrade firmware with `<file>`. |
| `-h` | `--help` Display usage information. |
| `-i<file>` | `--integrity-fw=<file>` Verify the authenticity/integrity of a firmware file by specifying its filename. |
| `-j<file>` | `--download-fm=<file>` Download the FM module file. |
| `-k<FM_file>` | `--validate-fm=<file>` Validate the FM module file. You must also specify the certificate used to validate the FM (`-b<name>`). |
| `-l<fmID>` | `--delete-fm` `--disable-fm` `--fmid=<fmid>` Disable/delete an FM module, specifying the FM ID in hex format. |
| `-m<n>` | `--mode=<n>` Set the transport mode for the HSM. The following transport modes can be set with `<n>`: |
| `-n<slot>` | `--init-token=<slot>` Initialize the token in the specified slot. |
| `-p` | `--purge-log` Purge the event log. Note that a purge cannot be done until the event log is full. |
| `-q` | `--query` Query peripheral devices. Check all available serial ports, and attempt to activate drivers for the connected devices. |
| `-r<slot>` | `--reset-token=<slot>` Reset the existing token in the specified slot. |
| `-s` | `--fm-info` Display FM module information. |
| `-t` | `--time-set` Synchronizes the HSM's internal clock with the host system. This command is only valid when the RTC Status is either HSMADM_RTC_UNINITIALIZED or HSMADM_RTC_STAND_ALONE. For more information about RTC status values, see HSMADM_SetRtcStatus. |
| `-v` | `--verbose` Display extended status information. |
| `-x` | `--tamper` This will cause the Key Store memory on the HSM to be erased (as if tampered) and made ready for re-initialization. The `-x` option is only available on hardware-based ProtectToolkit-C implementations. |
| `--rtc-adj-access-control-rule=<secs>:<count>:<days>` | This option sets the rule for RTC Adjustment Access Control. The RTC Adjustment Access Control Rule specifies the guard parameters that control RTC modification. If modification of the RTC is attempted outside of these guard parameters, it will fail. `secs`: total amount of deviation (in seconds) within a guard duration. `count`: total number of adjustments that can be made within the guard duration. `days`: the guard duration in number of days. The separator ‘:’ is a compulsory argument. However, the values for `<secs>`, `<count>` and `<days>` can be NULL. A NULL equates to no modification. For example: Use `ctconf -v` to display the current settings for the RTC Adjustment Access Control Rule. |
| `--rtc-adj-access-control=0\|1` | RTC Adjustment Access Control can be enabled once the RTC Adjustment Access Control Rule has been set. When RTC Adjustment Access Control is enabled, the functions provided by the HSMAdmin API (see hsmadmin.h Library Reference) are governed by the RTC Adjustment Access Control Rule. By disabling RTC Adjustment Access Control, unlimited adjustments to the RTC may be performed. `ctconf` may be specified with both the `--rtc-adj-access-control-rule` and `--rtc-adj-access-control` command line parameters simultaneously. The RTC Adjustment Access Control Rule is given precedence over RTC Adjustment Access Control. Use `ctconf -v` to display the current settings for the RTC Adjustment Access Control Rule. |
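
The following is an added illustration, not SafeNet code and not the HSM's implementation: a small Python model of how a `<secs>:<count>:<days>` rule constrains RTC adjustments once access control is enabled. Assumptions: the guard duration is treated as a sliding window, deviation is counted as the cumulative absolute adjustment, an empty (NULL) field is read as "leave that parameter unchanged", and the names `RtcGuard`, `update_rule` and `try_adjust` are hypothetical; the rule values are constructed.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class RtcGuard:
    secs: int   # total deviation (seconds) allowed within a guard duration
    count: int  # total number of adjustments allowed within a guard duration
    days: int   # guard duration in days
    history: list = field(default_factory=list)  # accepted (time, delta) pairs

    def update_rule(self, rule: str) -> None:
        """Apply '<secs>:<count>:<days>'; an empty field keeps the current value."""
        parts = rule.split(":")
        if len(parts) != 3:
            raise ValueError("the ':' separators are compulsory")
        new = {}
        for name, text in zip(("secs", "count", "days"), parts):
            if text == "":
                continue  # NULL field: no modification
            if not (text.isascii() and text.isdigit()):
                raise ValueError(f"{name} must be a non-negative integer")
            new[name] = int(text)
        for name, value in new.items():  # apply only after all fields validate
            setattr(self, name, value)

    def try_adjust(self, now: int, delta: int) -> bool:
        """Accept an RTC change of `delta` seconds only inside the guard parameters."""
        start = now - self.days * DAY
        recent = [d for t, d in self.history if t > start]
        used = sum(abs(d) for d in recent)  # assumption: cumulative |delta|
        if len(recent) + 1 > self.count or used + abs(delta) > self.secs:
            return False
        self.history.append((now, delta))
        return True

def demo() -> list:
    guard = RtcGuard(secs=0, count=0, days=0)
    guard.update_rule("120:2:30")  # constructed values
    results = [
        guard.try_adjust(0 * DAY, 50),   # accepted
        guard.try_adjust(1 * DAY, -60),  # accepted: 110 s used, 2 adjustments
        guard.try_adjust(2 * DAY, 5),    # rejected: count exhausted
    ]
    guard.update_rule(":5:")  # change count only; secs and days stay as set
    results.append(guard.try_adjust(3 * DAY, 20))    # rejected: 130 s > 120 s
    results.append(guard.try_adjust(3 * DAY, 10))    # accepted: exactly 120 s
    results.append(guard.try_adjust(32 * DAY, 100))  # accepted: days 0 and 1 aged out
    return results

if __name__ == "__main__":
    print(demo())
```

A tight rule limits how far an operator with admin access can move the HSM clock, which matters wherever certificate validity or key usage periods are checked against the RTC.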