createocs

createocs -m MODULE -Q K/N -N NAME [-MpPRqe] [-T TIME]
createocs -m MODULE -e [-e]

Creates operator cardsets or erases cards. When createocs has obtained the authorization from a valid card or if no authorization is required, it prompts you to insert a card.

Without -e, creates a new operator cardset. You must specify at least the module (with --module), the quorum (with --ocs-quorum) and the new cardset name (with --name).

By default when a new operator cardset is created:

  • The cardset will NOT be persistent. Thus keys protected by it will only be usable while the last card remains inserted. Use the --persist option to change this.

  • Passphrase recovery is enabled. Use the --no-pp-recovery option to make passphrase recovery impossible. This will make keys inaccessible if more than N-K passphrases are forgotten.

  • The cardset is not remotely readable. Use the --remotely-readable option to allow the cardset to be used in remote slots. Remotely readable cardsets are always persistent.

For more information, see:

Options

-e, --erase

Erases a card (instead of creating a card set).
This option cannot be used in conjunction with any of the 'New cardset properties' options.

--ee

Erases several cards.
This option cannot be used in conjunction with any of the 'New cardset properties' options.

-M, --name-cards

Names individual cards within the card set. You can only use this option after the card set has been named by using the --name=<NAME> option. createocs prompts for the names of the cards as they are created. Not all applications can display individual card names.

-N, --name=<NAME>

Specifies a name for the card set. The card set must be named with this option before individual cards can be named using the -M/--name-cards option.

-p, --persist

Creates a persistent card set.

-P, --no-persist

Creates a non-persistent card set.

-q, --remotely-readable

Allows this card set to be read remotely. For information on configuring Remote OCSs, see Remote Operator.

Not required for Remote Administration.

-Q, --ocs-quorum=<K>/<N>

<K> is the minimum required number of cards. If you do not specify the value <K>, the default is 1.
Some applications do not have mechanisms for requesting that cards be inserted. Therefore any OCSs that you create for use with these applications must have <K>=1.
<N> is the total number of cards. If you do not specify the value <N>, the default is 1.

-R, --no-pp-recovery

Specifies that passphrase replacement for this OCS is disabled. Setting this option overrides the default setting, which is that the card passphrases are replaceable. To enable passphrase replacement explicitly, set the --pp-recovery option.

-T, --timeout=<TIME>

Sets the time-out for the card set.
Use the suffix s to specify seconds, m for minutes, h for hours, and d for days. If the time-out is set to 0, the OCS never times out. Otherwise, the hardware security module automatically unloads the OCS when the amount of time specified by TIME has passed since the OCS was loaded.
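As an added example that is not part of the createocs documentation, the following POSIX shell wrapper checks a K/N quorum and a TIME value against the rules described for --ocs-quorum and --timeout before composing the createocs command line. The function names and the cardset name are constructed for illustration, and the command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the createocs documentation.
# Validates quorum and timeout arguments and composes (but does not run)
# a createocs invocation for a persistent cardset.

# valid_quorum K/N: both parts are non-empty digit strings, K >= 1, N >= K.
valid_quorum() {
    k=${1%%/*}; n=${1#*/}
    [ "$k/$n" = "$1" ] || return 1                  # exactly one slash
    case "$k$n" in ''|*[!0-9]*) return 1 ;; esac    # digits only
    [ -n "$k" ] && [ -n "$n" ] || return 1          # neither part empty
    [ "$k" -ge 1 ] && [ "$n" -ge "$k" ]
}

# valid_timeout TIME: "0" (never times out) or digits with suffix s, m, h or d.
valid_timeout() {
    [ "$1" = 0 ] && return 0
    t=${1%[smhd]}
    [ "$t" != "$1" ] || return 1                    # unit suffix required
    case "$t" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# build_createocs_cmd MODULE K/N NAME TIME
# Prints the command for a persistent OCS with the default passphrase
# recovery kept enabled (no -R), so up to N-K forgotten passphrases can
# still be replaced. Fails with a message if an argument is malformed.
build_createocs_cmd() {
    module=$1 quorum=$2 name=$3 timeout=$4
    valid_quorum "$quorum"   || { echo "bad quorum: $quorum" >&2; return 1; }
    valid_timeout "$timeout" || { echo "bad timeout: $timeout" >&2; return 1; }
    echo "createocs -m $module -Q $quorum -N $name -p -T $timeout"
}

# Constructed sample invocation: a 2-of-3 persistent cardset that unloads after 1h.
build_createocs_cmd 1 2/3 ops-ocs 1h
```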

Module selection

-m, --module=MODULE

Specifies the module ID number to use.
If you only have one module, MODULE is 1.
If you do not specify a module ID, createocs uses all modules by default.

Help options

-h, --help

Displays help for createocs.

-u, --usage

Displays a brief usage summary for createocs.

-v, --version

Displays the version number of the Security World Software that deploys createocs.

Restrictions on using createocs

With Security World Software v11.72 and later, passphrases are limited to a maximum length of 254 characters when using createocs. See Maximum passphrase length.

If you have created a FIPS 140 Level 3 compliant Security World, you must provide authorization to create new Operator Cards; createocs prompts you to insert a card that contains this authorization. Insert any card from the Administrator Card Set or any Operator Card from the current Security World.