Supplied utilities
This appendix describes the executable command-line utilities (utilities) that you can use for performing various configuration and administrative tasks related to your module.
These utilities exist in the bin subdirectory of your Security World Software installation.
Unless noted, all utilities have the following standard help options:
- -h|--help displays help for the utility.
- -v|--version displays the version number of the utility.
- -u|--usage displays a brief usage summary for the utility.
Utilities for general operations
Use the utilities described in this section to:
- Check the module configuration and verify that it functions as expected.
- Obtain statistics for checking the performance of the module.
enquiry
Obtain information about the hardserver (Security World Software server) and the modules connected to it.
- Check if the software has been installed correctly
- Check the firmware version
- Check if the Remote Operator feature is enabled
- Check the hardware status of nShield PCIe HSMs
See the Installation Guide for more information.
checkmod
Check modulo exponentiations performed on the module against the test data located in the %NFAST_HOME%\testdata directory.
cfg-remoteslots
Configures Remote Operator slot imports and exports. See Remote Operator.
fet
- Activate features on an nShield module connected to the host
- View the status of features on a connected module
- Verify that a feature has been successfully enabled on a connected module
To view the status of features, run the tool without a smart card. If a FEM card is not present, or if any of the features are not enabled successfully, the utility prompts you to indicate what to do next.
| To enable features, and view the status of or verify features on an nShield HSM, use the front panel rather than the fet utility. |
For more information, see Enabling optional features.
ncversions
Obtain and verify the versions of the Security World Software components that are installed. This utility lists the following information:
- Versions of all components, irrespective of whether they are installed individually or as part of a component bundle
- Version of each component bundle
nfdiag
Obtain information about the module and the host on which it is installed.
This diagnostic utility can save information to either a ZIP file or a text file.
For more information, see nfdiag: diagnostics utility.
| Run this utility only if requested to do so by Support. | 
nfwarrant
Ensure that a suitable warrant is available to allow a Security World to be dynamically managed using an nShield PCIe or USB-attached HSM.
- Identify modules that have the appropriate firmware/KLF2 key
- Identify modules that need their KLF2 key to be warranted by Entrust
- Generate a warrant upgrade request for a specific module, as required
- Install an upgraded warrant
- List KLF2 warrants
See Warrant Management for Solo and Edge for more information.
nopclearfail
Clear an HSM, put an HSM into the error state, retry a failed HSM, or change the HSM mode.
You must use a privileged connection to use this utility with the following parameters:
- Change the mode of the HSM (nopclearfail -I/M/O)
- Clear the module (nopclearfail -c)
For information about changing the nShield HSM mode, see Checking and changing the mode on an nShield Edge.
randchk
Run a universal statistical test on random numbers returned by the module.
rtc
View and set the module’s real-time clock.
By default, rtc reads the real-time clock of module 1.
- --adjust: The module uses the difference between its idea of the current time and the new time, together with how long it’s been since the clock was last set, to compute how much its clock is drifting.
- --set-clock: The module’s clock is set to either TIME, if it is provided as a list of six integers separated by non-digit characters, or to the host’s current time.
snmpbulkwalk snmpget snmpgetnext snmptable snmpset snmptest snmptranslate snmpwalk
Obtain system, module, connection and software information from the SNMP agent.
For more information, see Using the SNMP command-line utilities.
stattree
Obtain statistics gathered by the Security World Software server and modules.
For more information, see stattree: information utility.
nshieldeventlog
Extract Windows event log entries and output them to the console or a text file.
As required, specify:
- -s|--source: The event log source. The default is the nCipher log.
- -c|--count: The number of records read from the event log. The default is 10000.
- -f|--file: The output filename.
Hardware utilities
Use the following utilities to manage the firmware installed on an nShield HSM.
loadrom
- Upgrade the module firmware
- Obtain information about the firmware installed on a module
To determine the version security number of the firmware in a file and for more information, see Firmware on the installation media.
| The loadrom command is intended to update nShield PCIe and USB-attached HSMs; it is not intended to be used to update an nShield network-attached HSM firmware image. |
nfloadmon
Upgrade the module monitor and firmware of nShield PCIe and network-attached HSMs.
For more information, see Upgrading firmware.
Test analysis tools
Use the following utilities to test the cryptographic operational behavior of a module.
| All the listed utilities, except the floodtest utility, are supported only on FIPS 140 Level 2 Security Worlds. |

| Utility | Enables you to… |
|---|---|
| | Test all defined symmetric cryptographic mechanisms. |
| | Perform DES known-answer tests. This utility indicates if any of them fail. |
| | Perform hardware speed-testing by using modular exponentiation. |
| | Test the consistency of encryption and decryption, or of signature and verification, with the RSA and DSA algorithms. |
| | Stress test modules and test nCore API concurrent connection support. |
| | Run various tests to measure the cryptographic performance of a module. For more information, see perfcheck: performance measurement checking tool. |
| | Measure module speed using RSA or DSA signatures or signature verifications. |
| | Test the performance of various crypto commands using attached nShield hardware. Available since v12.10 it contains all the functionality in |
Security World utilities
Use the utilities described in this section to:
- Set up and manage Security Worlds.
- Create and manage card sets and passphrases.
- Generate keys and transfer keys between Security Worlds.
| Utility | Enables you to… |
|---|---|
| | Erase multiple smart cards including Administrator Cards, Operator Cards, and FEM activation cards, in the same session. |
| | Change, verify, and recover a passphrase of an Operator Card. For more information, see: |
| | Create and erase an OCS. For more information, see: |
| | Initialize an nShield module. For more information, see Erasing a module with initunit. |
| | Generate, import, or retarget keys. This utility is included in the |
| | Obtain key management information from a Security World’s key management data file. |
| | Migrate existing keys to a destination Security World. For more information, see Security World migration. |
| | Generate non-standard cryptographic keys that can be used to perform specific functions, for example, to wrap keys and derive mechanisms. This utility includes options that are not available with the |
| | Create and manage Security Worlds on nShield modules. You must use a privileged connection to use this utility with the following parameter: For more information, see: |
| | Check Security World data for consistency. |
| | Obtain information about a Security World and its associated cards and keys. For more information, see: |
| | Perform Security World verification. For more information, see Verifying Key Generation Certificates with nfkmverify. |
| | Transfer PKCS #11 keys to a new card set in the new Security World. When transferring keys by using either the |
| | For more information, see: |
| | Load keys into a module before an application is run in another session. |
| | Create a new ACS to replace an existing ACS. For more information, see Replacing an Administrator Card Set using racs. |
| | For more information, see: |
CodeSafe utilities
Use the following helper utilities to develop and sign SEE machines. For more information about these utilities, see the CodeSafe Developer Guide.
| Utility | Enables you to… |
|---|---|
| | Convert ELF format executables into a format suitable for loading as an SEE machine. |
| | Load an SEE machine into each module that is configured to receive one, then publishes a newly created SEE World, if appropriate. |
| | Set up the configuration of auto-loaded SEE machines. |
| | View the signed module state. |
| | Activate or enable standard IO and socket connections for SEE machines using the |
| | Sign, pack, and encrypt file archives so that they can be loaded onto an SEE-ready nShield module. |
PKCS #11
Use the following utilities to manage the interfaces between the PKCS #11 library and the module.
| Utility | Enables you to… |
|---|---|
| | Import a certificate as a PKCS #11 |
| | Verify the installation of the nShield PKCS #11 libraries. For more information, see Checking the installation of the nCipher PKCS #11 library. |
| | Generate keys for use with PKCS #11 applications. When you run the |
| | View values of attributes of PKCS #11 objects. |
| | Perform a PKCS #11 test for vendor-defined |
| | Measure module signing or encryption speed when used with nShield PKCS #11 library calls. |
The Security World software enables you to use the following additional PKCS #11 utilities. For more information about these utilities, see the Cryptographic API Integration Guide.
| Utility | Enables you to… |
|---|---|
| | View PKCS #11 library, slot, and token information. Use this utility to verify that the library is functioning correctly. |
| | View details of objects on all slots. If invoked with a PIN argument, the utility lists public and private objects. If invoked with the  This utility does not output any potentially sensitive attributes, even if the object has |
| | View details of the supported PKCS #11 mechanisms provided by the module. |
| | Test RSA key generation. You can use specific PKCS #11 attributes for generating RSA keys. |
| | Create a PKCS #11 Security Officer role, and manage its PIN. |
MSCAPI utilities
Use the following utilities to migrate from Windows registry-based CSP container storage to the new CSP formats. These utilities also enable you to manage the interfaces between the MSCAPI library and the module.
For more information about these utilities, see Utilities for the CAPI CSP.
| Utility names that end with 64 run only on 64-bit versions of Microsoft Windows.
All other utilities run on both 32-bit and 64-bit versions of Microsoft Windows. |
| Utility | Enables you to… |
|---|---|
| | Check that CSP container files and keys in the |
| | Insert keys manually into existing CSP containers. For more information, see Installing the CAPI CSP. |
| | Move CSP container information for an existing Security World from the registry into the Security World. |
| | Regenerate the NVRAM key counter area for a specified nShield CSP key. |
| | Test the installed Cryptographic Service Providers. |
| | Obtain detailed information about CSP containers. |
| | Create, test, and display information about keys and CSP key containers. |
| | Configure HSM Pool mode for the nShield CAPI CSP. |
CNG
Use the following helper utilities to manage keys and the interfaces between the CNG library and the HSM. For a list of utilities specific to the nShield CNG CSP, see Utilities for the CAPI CSP.
| Utility names that end with 64 run only on 64-bit versions of Microsoft Windows.
All other utilities run on both 32-bit and 64-bit versions of Microsoft Windows. |
| Utility | Enables you to… |
|---|---|
| | Migrate Security World, CAPI and CNG keys to the Security World Key Storage Provider. For more information, see: |
| (nShield CNG provider installer utility) | Remove or reinstall the provider DLLs and associated registry entries manually. For more information, see cnginstall. |
| | View information about CNG providers. For more information, see: |
| | Unregister and re-register the nShield providers manually. For more information, see: |
| (nShield CNG soak tool) | Evaluate the performance of signing, key exchange, and key generation by using a user-defined number of threads. For more information, see cngsoak. |
| | Configure service-based applications such as Microsoft Certificate Services and IIS to use the nShield CNG CSP. Use this tool to add the nFast Server to the dependency list of such services. For more information, see: |
| | Configure HSM Pool mode for the nShield CNG CSP. For more information, see configure-csp-poolmode. |
Developer-specific utilities
Use the following utilities to ensure that the HSMs are functioning as expected and to test the cryptographic functionality at the nCore level.
| Utility | Enables you to… |
|---|---|
| | Obtain information about state changes. The functionality of this test utility depends on whether the server or an HSM supports nCore API poll commands. |
| | Test the nCore API commands. You can use this utility interactively or from a script file. |
Utilities that require a privileged connection
You must be a privileged user, that is, use a privileged connection to the HSM, to run certain utilities with certain parameters.
| Utility | Use case |
|---|---|
| | Change the mode of the HSM |
| | Clear the module |
| | Initialize the HSM |