cmu verifyhsm
This command verifies that the client is connected to a genuine Luna HSM: it generates a temporary key pair in the HSM and verifies the confirmation certificate chain issued for that key against the root certificate. It also includes a proof of possession: the HSM is asked to sign a user-entered challenge string, proving that the private key of the temporary pair is present inside the target HSM.
The root certificate is not included in the client package. Download the Luna Cloud HSM Certificate and copy it to your client directory before running cmu verifyhsm.
Refer also to Verifying HSM Authenticity or Key Attestation.
NOTE This confirmation procedure is currently not supported on FM-enabled HSMs. Refer to FM Deployment Constraints for details.
Syntax
cmu verifyhsm -challenge="<string>" [-rootcert=<filename>]
| Argument(s) | Description |
|---|---|
| -challenge=<string> | Defines a user-entered string for the HSM to sign. |
| -rootcert=<filename> | Defines the name of the .pem file that contains the root certificate. |
Common CMU Options
Some options are commonly available to all cmu commands. They are described below.
| Argument(s) | Description |
|---|---|
| -cu | Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -lco | Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. |
| -password=<password> / -pin=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
| -ped=<PED_ID> | Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication. |
| -slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
| -so | Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. |
Example
```
./cmu verifyhsm -challenge "1234567890" -rootcert root_device_prod.crt
Select token
 [0] Token Label: mypartition-1
 [1] Token Label: mypartition-2
Enter choice: 0
Please enter password for token in slot 0 : *******
Reading rootcert from file "root_device_prod.crt"... ok.
Generating temporary RSA keypair in HSM... ok.
Extracting PKC bundle from HSM... ok.
Verifying PKC certificate... ok.
Verifying DAC certificate... ok.
Verifying HOC certificate... ok.
Verifying MIC certificate... ok.
Verifying MIC against rootcert... ok.
Signing and verifying challenge... ok.
Verifying HSM serial number... ok.
Overall status: Success.
```
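To make the check usable from an automated pre-deployment test rather than by reading the session by eye, here is an added example (Python; not Thales code and not part of the cmu documentation) that runs the command with a fresh random challenge and accepts the result only if every step shown in the session above reports ok, rather than trusting the Overall status line alone. It assumes the output format shown above is stable, that the slot and role password are supplied on the command line so cmu does not prompt (the password from a LUNA_ROLE_PASSWORD environment variable, an assumption of this script), and the failing sample session is constructed.

```python
"""Drive `cmu verifyhsm` and turn its step-by-step output into a machine-checkable
verdict.  Added example, not Thales code.  Assumptions: the step names are taken
from the example session on the page, and the output format ("<step>... ok." per
line, then "Overall status: <text>.") is assumed to be stable."""
import os
import secrets
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Verification steps in the order the example session prints them.  Every one of
# them must report "ok"; a missing step counts as a failure.
EXPECTED_STEPS = [
    "Reading rootcert from file",
    "Generating temporary RSA keypair in HSM",
    "Extracting PKC bundle from HSM",
    "Verifying PKC certificate",
    "Verifying DAC certificate",
    "Verifying HOC certificate",
    "Verifying MIC certificate",
    "Verifying MIC against rootcert",
    "Signing and verifying challenge",
    "Verifying HSM serial number",
]


@dataclass
class VerifyResult:
    steps: Dict[str, str] = field(default_factory=dict)  # step name -> outcome text
    overall: Optional[str] = None                        # text after "Overall status:"

    def failures(self) -> List[str]:
        """Steps that did not report ok, including steps absent from the output."""
        return [s for s in EXPECTED_STEPS if self.steps.get(s) != "ok"]

    @property
    def passed(self) -> bool:
        return self.overall == "Success" and not self.failures()


def parse_verifyhsm_output(text: str) -> VerifyResult:
    """Parse cmu verifyhsm output; prompts and the token list are ignored."""
    result = VerifyResult()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Overall status:"):
            result.overall = line.split(":", 1)[1].strip().rstrip(".")
            continue
        if "... " not in line:
            continue
        step_text, outcome = line.rsplit("... ", 1)
        outcome = outcome.strip().rstrip(".")
        # Prefix match so the quoted filename in the rootcert line is tolerated.
        for step in EXPECTED_STEPS:
            if step_text.startswith(step):
                result.steps[step] = outcome
                break
    return result


def run_verifyhsm(rootcert: str, slot: int, cmu: str = "./cmu") -> VerifyResult:
    """Run the command with a fresh random challenge, so a signature recorded from an
    earlier run cannot satisfy this one.  Output is captured for parsing, so cmu must
    not need to prompt: -slot is always given and the role password is taken from
    LUNA_ROLE_PASSWORD (this script's assumption) and passed with -password=, which
    makes it visible in the process's argv for the duration of the run."""
    challenge = secrets.token_hex(16)
    cmd = [cmu, "verifyhsm", f"-challenge={challenge}",
           f"-rootcert={rootcert}", f"-slot={slot}"]
    password = os.environ.get("LUNA_ROLE_PASSWORD")
    if password:
        cmd.append(f"-password={password}")
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return parse_verifyhsm_output(proc.stdout)


# Constructed samples: the page's example session, and a second session in which
# the chain check fails (the failure wording is invented for illustration only).
SAMPLE_OK = """Reading rootcert from file "root_device_prod.crt"... ok.
Generating temporary RSA keypair in HSM... ok.
Extracting PKC bundle from HSM... ok.
Verifying PKC certificate... ok.
Verifying DAC certificate... ok.
Verifying HOC certificate... ok.
Verifying MIC certificate... ok.
Verifying MIC against rootcert... ok.
Signing and verifying challenge... ok.
Verifying HSM serial number... ok.
Overall status: Success.
"""
SAMPLE_BAD = SAMPLE_OK.replace("Verifying MIC against rootcert... ok.",
                               "Verifying MIC against rootcert... failed.") \
                      .replace("Overall status: Success.", "Overall status: Failure.")

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        r = parse_verifyhsm_output(sample)
        print(f"{label}: passed={r.passed} failures={r.failures()}")
```

Requiring every individual step, not just the final line, means a truncated or partially captured session is reported as a failure rather than silently passing, and the random challenge ensures each run proves possession of the key at that moment.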