Supplied utilities
This appendix describes the executable command‑line utilities (utilities) that you can use for performing various configuration and administrative tasks related to your module.
These utilities exist in the bin subdirectory of your Security World Software installation.
Unless noted, all utilities have the following standard help options:
- -h|--help displays help for the utility.
- -v|--version displays the version number of the utility.
- -u|--usage displays a brief usage summary for the utility.
Utilities for general operations
Use the utilities described in this section to:
- Check the module configuration and verify that it functions as expected.
- Obtain statistics for checking the performance of the module.
| Utility | Enables you to… |
|---|---|
|  | Obtain information about the hardserver (Security World Software server) and the modules connected to it. Use this utility to: See Testing the installation for more information. |
|  | Check modulo exponentiations performed on the module against the test data located in the |
|  | Create a default client configuration file for the hardserver configuration sections. |
|  | Load the hardserver configuration from the configuration file. |
|  | To view the status of features, run the tool without a smart card. If a FEM card is not present, or if any of the features are not enabled successfully, the utility prompts you to indicate what to do next. For more information, see Enabling features with a smart card. |
|  | View, set, and update the time on a module’s real-time clock. |
|  | Obtain and verify the versions of the Security World Software components that are installed. This utility lists the following information: |
|  | Obtain information about the module and the host on which it is installed. This diagnostic utility can save information to either a  For more information, see nfdiag: diagnostics utility. |
|  | Clear an HSM, put an HSM into the error state, retry a failed HSM, or change the HSM mode. |
|  | Copy files between a module’s NVRAM and a smart card, allowing files to be backed up and restored. |
|  | View and modify information about NVRAM areas. |
|  | Obtain information about the public key from a certificate or certificate request (in a Base-64 encoded PEM file). |
|  | Run a universal statistical test on random numbers returned by the module. |
|  | View and set the module’s real‑time clock. |
|  |  |
|  | Obtain system, module, connection and software information from the SNMP agent. For more information, see Using the SNMP command-line utilities. |
|  | Obtain statistics gathered by the Security World Software server and modules. For more information, see stattree: information utility. |
|  | Archive the existing hardserver log from  When run with no arguments, it will automatically archive the existing log to  Optionally, a single argument can be provided with the full file name to archive the existing hardserver log to. This script must be run as root. |
Hardware utilities
Use the following utilities to manage the firmware installed on an nShield HSM.
| Utility | Enables you to… |
|---|---|
|  | Verify the firmware installed on a module. |
|  | Upgrade the module monitor and firmware of nShield Edge and nShield Solo modules. |
Test analysis tools
Use the following utilities to test the cryptographic operational behavior of a module.
All the listed utilities, except the floodtest utility, are supported only on FIPS 140‑2 Level 2 Security Worlds.
| Utility | Enables you to… |
|---|---|
|  | Test all defined symmetric cryptographic mechanisms. |
|  | Perform DES known‑answer tests. This utility indicates if any of them fail. |
|  | Perform hardware speed‑testing by using modular exponentiation. |
|  | Test the consistency of encryption and decryption, or of signature and verification, with the RSA and DSA algorithms. |
|  | Stress test modules and test nCore API concurrent connection support. |
|  | Run various tests to measure the cryptographic performance of a module. For more information, see perfcheck: performance measurement checking tool. |
|  | Measure module speed using RSA or DSA signatures or signature verifications. |
|  | Test the performance of various crypto commands using attached nShield hardware. Available since v12.10 it contains all the functionality in |
Security World utilities
Use the utilities described in this section to:
- Set up and manage Security Worlds.
- Create and manage card sets and pass phrases.
- Generate keys and transfer keys between Security Worlds.
| Utility | Enables you to… |
|---|---|
|  | Erase multiple smart cards including Administrator Cards, Operator Cards, and FEM activation cards, in the same session. |
|  | Change, verify, and recover a pass phrase of an Operator Card. For more information, see: |
|  | Create and erase an OCS. For more information, see: |
|  | Initialize an nShield module. For more information, see Erasing a module with initunit. |
|  | Generate, import, or retarget keys. This utility is included in the |
|  | Obtain key management information from a Security World’s key management data file. |
|  | Migrate existing keys to a destination Security World. For more information, see Security World migration. |
|  | Generate non-standard cryptographic keys that can be used to perform specific functions, for example, to wrap keys and derive mechanisms. This utility includes options that are not available with the |
|  | Create and manage Security Worlds on nShield modules. |
|  | Check Security World data for consistency. |
|  | Obtain information about a Security World and its associated cards and keys. For more information, see: |
|  | Perform Security World verification. For more information, see Verifying Key Generation Certificates with nfkmverify. |
|  | Transfer PKCS #11 keys to a new card set in the new Security World. When transferring keys by using either the |
|  | For more information, see: |
|  | Load keys into a module before an application is run in another session. |
|  | Create a new ACS to replace an existing ACS. For more information, see Replacing an Administrator Card Set with racs. |
|  | For more information, see: |
CodeSafe utilities
Use the following helper utilities to develop and sign SEE machines. For more information about these utilities, see the CodeSafe Developer Guide.
| Utility | Enables you to… |
|---|---|
|  | Convert ELF format executables into a format suitable for loading as an SEE machine. |
|  | Load an SEE machine into each module that is configured to receive one, then publish a newly created SEE World, if appropriate. |
|  | Set up the configuration of auto‑loaded SEE machines. |
|  | View the signed module state. |
|  | Activate or enable standard IO and socket connections for SEE machines using the |
|  | Sign, pack, and encrypt file archives so that they can be loaded onto an SEE‑ready nShield module. |
PKCS #11
Use the following utilities to manage the interfaces between the PKCS #11 library and the module.
| Utility | Enables you to… |
|---|---|
|  | Import a certificate as a PKCS #11 |
|  | Verify the installation of the nShield PKCS #11 libraries. For more information, see Checking the installation of the nCipher PKCS #11 library. |
|  | Generate keys for use with PKCS #11 applications. When you run the |
|  | View values of attributes of PKCS #11 objects. |
|  | Perform a PKCS #11 test for vendor‑defined |
|  | Measure module signing or encryption speed when used with nShield PKCS #11 library calls. |
If you have installed Cipher Tools, you can use the following additional PKCS #11 utilities.
For more information about these utilities, see the Cryptographic API Integration Guide.
| Utility | Enables you to… |
|---|---|
|  | View PKCS #11 library, slot, and token information. Use this utility to verify that the library is functioning correctly. |
|  | View details of objects on all slots. If invoked with a PIN argument, the utility lists public and private objects. If invoked with the  This utility does not output any potentially sensitive attributes, even if the object has |
|  | View details of the supported PKCS #11 mechanisms provided by the module. |
|  | Test RSA key generation. You can use specific PKCS #11 attributes for generating RSA keys. |
|  | Create a PKCS #11 Security Officer role, and manage its PIN. |
nShield Connect utilities
The utilities described in this section are used with nShield Connect only. Use these utilities to:
- Create and manage client configuration files.
- Enroll nTokens with an nShield Connect.
- Set up a Remote File System (RFS) and synchronize Security World data between an nShield Connect and the RFS.
- Administer an nShield Connect remotely.
- Configure NTP.
| Utility | Enables you to… |
|---|---|
|  | View the ESN and  For more information, see Configuring the remote file system (RFS). |
|  | Copy a specified configuration file from a remote file system to the file system on a specified module. For more information, see: |
|  | Configure time synchronisation on the nShield Connect, using NTP. For more information, see Configuring NTP in the nShield Connect. |
|  | Edit the  For more information, see: |
|  | Administer an nShield Connect remotely. Options include:  The IP address to identify the Connect could be:  For more information, see: |
|  | Edit the local hardserver configuration file to add the specified nShield Connect unit. As an alternative to hand‑editing a client’s configuration file, you can run this utility on a client to configure it to access an nShield Connect. For more information, see: |
|  | Enroll a locally attached nToken with an nShield Connect unit. This utility installs the Electronic Serial Number (ESN) of the nToken within the client configuration file and displays the module’s ESN and the hash of the key to be used in nToken authentication. For more information, see Configuring the unit to use the client. |
|  | Create a default RFS hardserver configuration on the client. Run this utility when you first configure a client. For more information, see: |
|  | For more information, see: |
Developer-specific utilities
Use the following utilities to ensure that the HSMs are functioning as expected and to test the cryptographic functionality at the nCore level.
| Utility | Enables you to… |
|---|---|
|  | Obtain information about state changes. The functionality of this test utility depends on whether the server or an HSM supports nCore API poll commands. |
|  | Test the nCore API commands. You can use this utility interactively or from a script file. |