hsm stm recover
Recover the HSM from Secure Transport Mode (STM). If the HSM is in initialized state, you must be logged in as HSM SO to recover from STM; if the HSM is zeroized, no login is required.
When you enter this command, enter the random user string that was generated when the HSM was put into STM. A verification string will be displayed:
>If the verification string generated matches the string that was displayed when the HSM was put into STM (see hsm stm transport), the HSM was not interfered with or tampered while in STM.
>If the verification string generated does not match the verification string generated when you placed the HSM in STM, this might indicate that the HSM has been interfered with or tampered while in STM, or that an incorrect random user string has been entered.
NOTE The random user string is for verification purposes only. Entering a different string will not prevent you from recovering the HSM from STM.
If you are confident the HSM has not been tampered with, you can still enter "proceed" to recover from STM. See Secure Transport Mode for more information.
CAUTION! Use the LunaCM command role deactivate from a connected client, to deactivate each role, by name, for each partition on the HSM, before issuing command hsm stm transport.
Failure to do so can result in mismatch when the generated strings are later compared during Secure Transport Mode recovery.
User Privileges
Users with the following privileges can perform this command:
>Admin
>Operator
Syntax
hsm stm recover -randomuserstring <string>
| Argument(s) | Shortcut | Description |
|---|---|---|
| -randomuserstring <string> | -r |
To confirm that the HSM was not tampered with while in STM, enter the random user string generated when it was placed in STM, in the format XXXX-XXXX-XXXX-XXXX. |
Example
lunash:>hsm stm recover -randomuserstring 4CEd-4HX7-J/YW-pCX6
Attempting to recover from Secure Transport Mode...
Calculating the verification string (may take a few seconds)...
Verification String: 59bt-3CXF-7/Tt-qKTx
CAUTION: You are attempting to recover the HSM from Secure Transport Mode. If the Verification
string does not match the one you were provided out-of-band, there may be an issue
with the HSM. Type 'quit' at the prompt to remain in Secure Transport Mode.
If the verification strings match, or if you wish to bypass this check,
type 'proceed' to recover from Secure Transport Mode.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Successfully recovered from Secure Transport Mode.
Command Result : 0 (Success)
