Accessing LunaCM
The LunaCM utility (LunaCM) is the client-side administrative command interface for Luna Network HSM 7s.
From a client/host computer, LunaCM can interact with, and perform operations on any, or all, of the following:
>Internally installed Luna PCIe HSM 7s (HSM card)
>Locally USB-connected Luna USB HSM 7s
>Remotely located Luna Network HSM 7 application partitions, made available by an NTLS or STC network link between the distant HSM appliance and partition(s) and the local client computer.
To access LunaCM
1.Open a Command Prompt or console window.
2.Go to the Luna HSM Client software directory and start the LunaCM utility:
| Windows |
C:\> cd c:\Program Files\SafeNet\LunaClient C:\Program Files\SafeNet\LunaClient\> lunacm |
| Linux
|
> cd /usr/safenet/lunaclient/bin > ./lunacm |
| Solaris |
> cd /opt/safenet/lunaclient/bin > ./lunacm |
Some preliminary status information is displayed, followed by the lunacm:> command-line prompt.
3.You can now issue any LunaCM utility command to manage your Luna Network HSM 7s. For a summary, type "help" and press Enter.
NOTE For Luna PCIe HSM 7 andLuna USB HSM 7, LunaCM is used to administer both the HSM as HSM SO, and the application partition. For Luna Network HSM 7, LunaCM is used to manage application partitions (assuming an NTLS or STC link between your Luna HSM Client computer and the Luna Network HSM 7 appliance). LunaCM is not used to perform HSM-wide administration by the HSM SO on Luna Network HSM 7 - for that you must log into a LunaSH session via SSH.
LunaCM depends on the availability of HSM partitions in order to be useful. If no application partition has been created, then only the HSM SO (administrative) partition is available, against which to run commands.
CAUTION! If the Chrystoki.conf / Crystoki.ini configuration file [Presentation] setting "ShowAdminTokens=" is set to no, then the HSM administrative partition/slot for any attached HSMs are not available. If you also have not created any application partitions, LunaCM is not usable. If you know you have a working Luna PCIe HSM 7 attached to your Client computer and LunaCM shows no usable commands, or you cannot see the Admin slots, then verify in your Chrystoki.conf or Crystoki.ini file that "ShowAdminTokens" is not set to no. See Configuration File Summary for more information.
Scripted Use
This document generally describes LunaCM being used via its own persistent interface or shell, where the tool is launched and remains open for administrative users to issue commands at their convenience. However, for headless operation and other administrative scenarios, it is possible to launch LunaCM from a Windows or UNIX/Linux command prompt to execute a single command and immediately close. Similarly, it is possible to invoke LunaCM by referring it to a file that contains a list of commands to execute. Some command-line launch-time flags are provided.
lunacm [-c <command>] [-q <command>] [-s <slot id> <command>] [-e <script filename>] [-f <script filename>]
| Option | Description |
|---|---|
| Non-repeating, single-instance commands | |
| . <command> | If no option is specified, LunaCM launches its full, persistent shell interface. |
| -c <command> | This option displays the banner and runs a single instance of a LunaCM command, and then returns to the operating system command prompt. |
| -q <command> | This option runs a single instance of a LunaCM command, and then returns to the operating system command prompt. The banner is suppressed. |
| -s <slot number> <command> | This option runs a single instance of a LunaCM command against the specified slot, and then returns to the operating system command prompt. The banner is suppressed. |
| Scripting options | |
| -e <script filename> | Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option halts when the first error is encountered. Use this option when debugging your scripts. |
| -f <script filename> |
Launch LunaCM with this option followed by the name of a file containing a list of LunaCM commands, with one command per line. This option continues after any command that results in an error (as long as the command concludes by returning control). |
NOTE When preparing a script file, any commands with a -force option should include that option to suppress prompts (like "Type 'proceed'...") that could halt the progression of scripted commands. If a command requires inputs (like passwords, domains, etc), those parameters must be provided as part of the command.
TIP Change in scripted operation from Luna HSM 6.x to Luna HSM 7.x
When scripting multi-step operations, a common way to provide responses to interactive commands (example, the lunacm hagroup creategroup command needs a response of "copy", or "remove", or "quit") is to use "echo" to pipe the response text into the command within your script.
This worked well for Luna 5.x/6.x, in the below example presenting "copy" to resolve the interim prompt.
“echo copy | lunacm -q hagroup creategroup -serialNumber <serialNumber> -label <HAgroupName> -password <partitionPass>"
To accomplish the same result with Luna 7.x.x, do the following:
1.Create a file, in this example, “copy.txt” that contains only the word “copy” as its content.
2.Run the “lunacm” commands as below to create the HA group, and to add a member to the HA group, while inputting the “copy” prompt:
•In cmd (for .bat script):
type copy.txt | lunacm -c hagroup creategroup -label HA -slot 0 -p ********
type copy.txt | lunacm -c hagroup addmember -group HA -slot 1 -p ********
•In Powershell (for powershell script) :
Get-Content .\copy.txt | .\lunacm.exe -c hagroup creategroup -label HA -slot 0 -p ********
Get-Content .\copy.txt | .\lunacm.exe -c hagroup addmember -group HA -slot 1 -p ********
Use the same technique in similar situations.
