ctconf

Configuration utility for the ProtectToolkit-C environment.

The ctconf utility is used to configure the operating parameters for ProtectToolkit-C.

By default, ctconf will report configurable settings for the first device found. Some options are only applicable to either the hardware or software implementation of ProtectToolkit-C.

NOTE   When operating in WLD/HA mode, this utility should only be used to view the configuration. Any changes to the configuration should be made in NORMAL mode. See Operation in WLD Mode and Operation in HA Mode for more information about these operating modes.

Syntax

ctconf [-a<device>] [-b<name>] [-c<slots>] [-d<slot>] [-e] [-f<flags>] [-g<file>] [-h] [-i<file>] [-j<file>] [-k<file>] [-l] [-m<mode>] [-n<slot>] [-p] [-q] [-r<slot>] [-s] [-t] [-v] [-x] [--rtc-adj-access-control-rule=<secs>:<count>:<days>] [--rtc-adj-access-control=<0 | 1>]

Option

Description

-a<device>

--device-number=<device>

Use the admin token on the specified device

-b<name>

--fm-cert=<name>

Specifies the certificate used to validate an FM specified with -k<FM_file>.

-c<slots>

--create-slots=<slots>

Create slots new User slots

-d<slot>

--delete-slot=<slot>

Delete and remove User slot with ID slot (You cannot delete the admin slot).

-e

--event-log

Prints the event log on stdout

-f<flags>

Configures security flags. Security flags are used to implement security policies.

Multiple flags may be set simultaneously. For example the command: ctconf -ftu would set both the t and the u flags.

When flags are set, any flags set previously are cleared.

Setting ctconf -f0 clears all the flags and places the device in SafeNet Default Mode (no flags set). This security policy is described in the "Typical Security Policies" section Default Mode.

Use other flags values to set flags as follows:

a FIPS Algorithms Only
b Enable PCI Audit Logs
c No Public Crypto
d DES Keys Even Parity Allowed
e Entrust Ready
F FIPS Mode (equivalent to -faclntu)
i Increased Security Level
I Mode Locked
n No Clear PINs
N Full Secure Messaging Encryption
p Pure PKCS11
t Tamper Before Upgrade
u Auth Protection
U Full Secure Messaging Signing
E User Specified EC Parameters allowed
w Weak PKCS#11 Mechanisms

Each of these flags is fully described in Security Flag Descriptions.

-g<file>

--upgrade-fw=<file>

Upgrade firmware with file

-h

--help

Display usage information

-i<file>

--integrity-fw=<file>

Verify the authenticity/integrity of a firmware file by specifying its filename.

-j<file>

--download-fm=<file>

Download FM module file

-k<FM_file>

--validate-fm=<file>

Validate FM module file. You must also specify the certificate used to validate the FM (-b<name>).

-l<fmID>

--delete-fm

--disable-fm

--fmid=<fmid>

Disable/delete an FM module, specifying the FM ID in hex format.

-m<n>

--mode=<n>

Set the transport mode for the HSM. The following transport modes can be set with <n>:

0 No Transport Mode (Default) - to be applied when HSM is installed and configured. This mode will tamper the HSM if it is removed from the PCI bus, the tamper key is turned to the tamper position, or the tamper button is pressed.
1 Single Transport Mode - HSM will not be tampered after removal from the PCI bus, or when the tamper key is turned to the tamper position, or the tamper button is pressed. HSM will automatically change to No Transport Mode the next time the HSM is reset or power is removed and restored.
2 Continuous Transport Mode - HSM will not be tampered by removal from the PCI bus, or when the tamper key is turned to the tamper position, or the tamper button is pressed.

See Using Transport Mode to Avoid a Board Removal Tamper.

-n<slot>

--init-token=<slot>

Initialize the token in the specified slot

-p

--purge-log

Purge event log. Note that a purge cannot be done until the event log is full.

-q

--query

Query peripheral devices. Check all available serial ports, and attempt to activate drivers for the connected devices.

-r<slot>

--reset-token=<slot>

Reset existing token in specified slot

-s

--fm-info

Display FM module information

-t

--time-set

Synchronizes the HSM's internal clock with the host system. This command is only valid when the RTC Status is either HSMADM_RTC_UNINITIALIZED or HSMADM_RTC_STAND_ALONE.

For more information about RTC status values, see HSMADM_SetRtcStatus.

-v

--verbose

Display extended status information

-x

--tamper

This will cause the Key Store memory on the HSM to be erased (as if tampered) and made ready for re-initialization.

The -x option is only available on hardware-based ProtectToolkit-C implementations.

--rtc-adj-access-control-rule=
<secs>:<count>:<days>

This option sets the rule for RTC Adjustment Access Control. The RTC Adjustment Access Control Rule specifies the guard parameters that control RTC modification.

If modification of the RTC is attempted outside of these guard parameters, it will fail. 

secstotal: amount of deviation (in seconds) within a guard duration.
Range: 1-120

counttotal number of adjustment that can be made within the guard duration.
Range: 0-no maximum. 0 denotes that unlimited adjustments can be made.

days: the guard duration in number of days.
Range 1-12.

The separator ‘:’ is a compulsory argument. However, the values for <secs>, <count> and <days> can be NULL. A NULL equates to no modification.

For example:
ctconf --rtc-adj-access-control-rule=12:0:1
ctconf --rtc-adj-access-control-rule=12::
ctconf --rtc-adj-access-control-rule=::4

Use ctconf -v to display the current settings for the RTC Adjustment Access Control Rule.

--rtc-adj-access-control=0|1

RTC Adjustment Access Control can be enabled once the RTC Adjustment Access Control Rule has been set.

When RTC Adjustment Access Control is enabled, the functions provided by the HSMAdmin API (seehsmadmin.h Library Reference) are governed by the RTC Adjustment Access Control Rule.

By disabling RTC Adjustment Access Control, unlimited adjustments to the RTC may be performed.

ctconf may be specified with both the --rtc-adj-access-control-rule and --rtc-adj-access-control command line parameters simultaneously.

The RTC Adjustment Access Control Rule is given precedence over RTC Adjustment Access Control. Use ctconf -v to display the current settings for the RTC Adjustment Access Control Rule.