anonkneti

anonkneti [OPTIONS] <ADDRESS>

Anonymous kNETI request command that polls an HSM for its connection details. It returns the ESN and HKNETI key hash from the HSM identified by its IP address.

For more information, see Configuring the remote file system (RFS).

Option Description

<ip-address>

If your network is secure and you know the IP address of the HSM, you can obtain the ESN and hash of the KNETI key by running anonkneti on the client computer. A manual double-check is recommended for security. For guidance on network security, see the nShield Security Manual.
<ip-address> is the IP address of the HSM, which could be one of the following:

  • an IPv4 address

  • an IPv6 address, including a link-local IPv6 address

  • a hostname

The command returns output in the following form:

A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f

In this example output, A285-4F5A-7500 is the ESN and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key.

-p, --port=PORT

Confirms connectivity to an HSM that you expect to be listening on port <port-number>. The output format is the same as without the port number: the ESN and the hash of the KNETI key.

anonkneti -p 9004 <ip-address>

Default: 9004.

nethsmenroll uses -P, with upper-case P, for port numbers. anonkneti uses -p, with lower-case p.

Module selection

-m, --module=MODULE

Specifies the ID number of the module to use.
If you only have one module, MODULE is 1.
If module 0 is specified, anonkneti displays the hash of the software key generated by the remote server.
If you do not specify a module ID, anonkneti uses all modules by default.

Help options

-h, --help

Displays help for anonkneti.

-u, --usage

Displays a brief usage summary for anonkneti.

-v, --version

Displays the version number of the Security World Software that deploys anonkneti.

anonkneti examples

Example 1: Run anonkneti against an HSM to check availability

anonkneti <ip-address>

If anonkneti can’t reach the HSM, it displays an error: no route to host/destination unreachable.

If the remote device is not an HSM, anonkneti also returns an error.

Example 2: Run anonkneti against localhost to obtain the softkneti hash

anonkneti -m 0 127.0.0.1

anonkneti polls the local hardserver for its softkneti hash. You can then provide the softkneti hash to the HSM alongside, or instead of, the IP address when configuring client connections for stronger authentication.

Example 3: Compare the IP address of a network-attached HSM from the front panel and the anonkneti response

anonkneti <network-attached-hsm-ip-address>
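
The double-check recommended for the `<ip-address>` argument can be scripted. The following is an added example, not part of the original documentation and not vendor code: it compares one line of anonkneti output with an ESN and KNETI hash recorded out-of-band (for instance, from the front panel). The helper name check_kneti, its return codes, and the field patterns are assumptions inferred from the sample output on this page.

```shell
#!/bin/sh
# Added example, not vendor code. Checks one line of anonkneti output against
# an ESN and KNETI hash recorded out-of-band (e.g. from the HSM front panel).
# Assumed format, inferred from the sample output on this page:
#   XXXX-XXXX-XXXX <40 hex digits>

# check_kneti LINE EXPECTED_ESN EXPECTED_HASH   (hypothetical helper)
# Returns 0 = match, 2 = unexpected output, 3 = ESN mismatch, 4 = hash mismatch.
check_kneti() {
    line=$1 want_esn=$2 want_hash=$3

    # Reject multi-line output so a second module's line is never ignored.
    case $line in *"
"*) return 2 ;; esac

    # Exactly two whitespace-separated fields are expected.
    read -r got_esn got_hash extra <<EOF
$line
EOF
    [ -n "$got_hash" ] && [ -z "$extra" ] || return 2

    # Validate the shape of both fields before comparing anything.
    printf '%s\n' "$got_esn" | grep -Eq '^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$' || return 2
    printf '%s\n' "$got_hash" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 2

    # Hex case is not significant for the hash; the ESN is compared as printed.
    got_hash=$(printf '%s' "$got_hash" | tr 'A-F' 'a-f')
    want_hash=$(printf '%s' "$want_hash" | tr 'A-F' 'a-f')

    [ "$got_esn" = "$want_esn" ] || return 3
    [ "$got_hash" = "$want_hash" ] || return 4
    return 0
}

# Usage: sh check_kneti.sh <hsm-address> <expected-esn> <expected-hash>
if [ "$#" -eq 3 ]; then
    out=$(anonkneti "$1") || { echo "anonkneti failed for $1" >&2; exit 1; }
    if check_kneti "$out" "$2" "$3"; then
        echo "OK: ESN and KNETI hash match the recorded values"
    else
        rc=$?
        echo "MISMATCH (code $rc): stop and investigate before enrolling" >&2
        exit "$rc"
    fi
fi
```

An error message from anonkneti, or output covering more than one module, is reported as unexpected output (code 2) rather than being partially matched.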