View cards and softcards
It is often necessary to obtain information from card sets, usually because for security reasons they are left without any identifying markings.
To view details of all the Operator Cards in a Security World or details of an individual Operator Card, you can use:
- the front panel (only on network-attached HSMs)
- KeySafe
To check which passphrase is associated with a card, you can use:
- the front panel (only on network-attached HSMs)
To list all softcards in a Security World or to show details of an individual softcard, you can use the ppmk or nfkminfo command-line utilities.
To check which passphrase is associated with a softcard, you can use the ppmk command-line utility.
View card sets using an nShield network-attached HSM front panel
You can use the unit front panel to view details of all the Operator Cards in a Security World or to view details of an individual Operator Card.
To view a list of all the card sets in the Security World, from the front panel select Security World mgmt > Cardset operations > List cardsets.
To view details of a single card using the unit front panel:
- Insert the card into the unit.
- From the main menu, select Security World mgmt > Card operations > Card details.
- The type of the card (Administrator or Operator) is displayed with the number of the card in the card set.
View card sets with KeySafe
You can use KeySafe to view details of all the Operator Cards in a Security World, details of individual OCSs or details of an individual Operator Card.
Examine card
To view information about individual cards with KeySafe, follow these steps:
- Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)
- Click the Card Sets menu button, or select the Card sets menu item from the Manage menu. KeySafe takes you to the List Operator Card Sets panel.
- Click Examine/Change Card to open the Examine/Change Card panel.
- Insert a card into the appropriate smart card slot. KeySafe displays information about the smart card currently in the slot. If there is no smart card in the slot, KeySafe displays the message "Card slot empty - please insert the card that you want to examine."
From the Examine/Change Card panel, you can also:
- Change a card's passphrase (if it has one)
- Give a passphrase to a card that does not already have one
- Remove a passphrase from a card that currently has one
- Erase the card.
List an Operator Card Set
To view information about whole OCSs with KeySafe, follow these steps:
- Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)
- Click the Card Sets menu button, or select the Card sets menu item from the Manage menu. KeySafe takes you to the List Operator Card Sets panel, which displays information about all OCSs in the current Security World.
From the List Operator Card Sets panel, you can also:
- Examine / change a card (see Examine card)
- Create a new card set (see [CreatingOSCKeySafe])
- Replace an Operator Card Set (see [ReplacingOCSKeySafe])
- PCIe and USB HSMs: Replace an Administrator Card Set (see [ReplaceACSKeySafe])
- Discard a card set (see [ErasingCardKeySafe]).
View card sets using the command line
You can use the nfkminfo command-line utility to view details of either all the Operator Cards in a Security World or of an individual Operator Card.
To list the OCSs in the current Security World from the command line, open a command window, and give the command:
nfkminfo --cardset-list
In this command, --cardset-list specifies that you want to list the operator card sets in the current Security World.
nfkminfo displays output information similar to the following:
Cardset summary - 1 cardsets: (in timeout, P=persistent, N=not)
Operator logical token hash k/n timeout name
hash 1/1 none-N name
To list information for a specific card, use the command:
nfkminfo <TOKENHASH>
In this command, <TOKENHASH> is the Operator logical token hash of the card (as listed when the command nfkminfo --cardset-list is run).
This command displays output information similar to the following:
name "name"
k-out-of-n 1/1
flags NotPersistent
timeout none
card names ""
hkltu 794ada39038fa8c4e9ea46a24136bbb2b8b337f2
Not all software can give names to individual cards.
View softcards
To view softcards, use KeySafe or the command line. The command line provides several options for viewing softcard information.
View softcards with KeySafe
To view a softcard with KeySafe, follow these steps:
- Start KeySafe.
- Click the Softcards menu button. KeySafe takes you to the Softcard Operations panel.
- Click the List Softcards navigation button. KeySafe takes you to the List Softcards panel, which displays information about all softcards in the current Security World.
From the List Softcards panel, you can also choose to remove a softcard from the Security World. For more information about this procedure, see [ErasingCards].
View softcards with nfkminfo
To list the softcards in the current Security World using the nfkminfo command-line utility, give the command:
nfkminfo --softcard-list
In this command, --softcard-list specifies that you want to list the softcards in the current Security World.
To show information for a specific softcard using the nfkminfo command-line utility, give the command:
nfkminfo --softcard-list <IDENT>
In this command, <IDENT> is the softcard's logical token hash (as given by running the command nfkminfo --softcard-list).
This command displays output information similar to the following:
SoftCard
name "mysoftcard"
hkltu 7fb95888ea2850d4e3ffcc8f0c22100937344308
Keys protected by softcard 7fb95888ea2850d4e3ffcc8f0c22100937344308:
AppName simple Ident mykey
AppName simple Ident myotherkey
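The two detail listings above (nfkminfo <TOKENHASH> for a card set and nfkminfo --softcard-list <IDENT> for a softcard) can be parsed into records for an inventory of unmarked tokens and the keys that depend on them. The following Python is an added example, not part of the nShield software or this guide; parse_token_details is a hypothetical name, and the field labels and line layout are assumed from the sample output shown on this page.

```python
import re

# Field labels as they appear in the sample outputs on this page (assumed stable).
FIELDS = ("name", "k-out-of-n", "flags", "timeout", "card names", "hkltu")
KEY_LINE = re.compile(r"AppName\s+(\S+)\s+Ident\s+(\S+)")
KEYS_HEADER = re.compile(r"Keys protected by softcard\s+([0-9a-f]+):")
HKLTU = re.compile(r"[0-9a-f]{40}")

# Sample values copied from this page; the line layout is constructed.
CARDSET_SAMPLE = '''name "name"
k-out-of-n 1/1
flags NotPersistent
timeout none
card names ""
hkltu 794ada39038fa8c4e9ea46a24136bbb2b8b337f2
'''
SOFTCARD_SAMPLE = '''SoftCard
  name "mysoftcard"
  hkltu 7fb95888ea2850d4e3ffcc8f0c22100937344308
Keys protected by softcard 7fb95888ea2850d4e3ffcc8f0c22100937344308:
  AppName simple Ident mykey
  AppName simple Ident myotherkey
'''


def parse_token_details(text):
    """Turn one card set or softcard detail listing into a dict."""
    record, header_hash = {"keys": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, header = KEY_LINE.fullmatch(line), KEYS_HEADER.fullmatch(line)
        if key:
            record["keys"].append(key.groups())  # (AppName, Ident)
        elif header:
            header_hash = header.group(1)
        else:
            for field in FIELDS:
                if line.startswith(field + " "):
                    record[field] = line[len(field):].strip().strip('"')
    # Reject truncated output and key lists that name another softcard.
    if not HKLTU.fullmatch(record.get("hkltu", "")):
        raise ValueError("no 40-hex-character hkltu found; output truncated?")
    if header_hash not in (None, record["hkltu"]):
        raise ValueError("key list belongs to a different softcard hash")
    if "k-out-of-n" in record:
        k, n = record.pop("k-out-of-n").split("/")
        record["quorum"] = (int(k), int(n))
    return record
```

Pass it the captured text of either command. A ValueError means the capture was incomplete or the key list header does not match the softcard's hkltu.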
View softcards with ppmk
To list the softcards in the current Security World using the ppmk command-line utility, use the command:
ppmk --list
In this command, --list specifies that you want to list the softcards in the current Security World.
To view the details of a particular softcard using the ppmk command-line utility, give the command:
ppmk --info <NAME>|<IDENT>
In this command, you can identify the softcard whose details you want to view either by its name (<NAME>) or by its logical token hash (as given by running the command nfkminfo --softcard-list).