enquiry

enquiry [-m MODULE]

Obtain information about the hardserver (Security World Software server) and the modules connected to it.

Check if the software has been installed correctly
Check the firmware version
Check if the Remote Operator feature is enabled
On a network-attached HSM: Check if the Serial Console feature is available

On a PCIe or USB-attached HSM: Check the hardware status of the HSM
On a network-attached HSM: Check the hardware status of internal security modules

See:

network-attached HSM: Testing the installation
PCIe or USB-attached HSM: Checking the installation

Option Description

Option	Description
Connection options
`--pool`	Views the pool of HSMs as a single resource.
Option to address HSMs
`-m`, `--module=MODULE`	Specifies the number of the module to perform the tests on. If you only have one module, `<MODULE>` is `1`. If you specify module `0`, `enquiry` prints data from only the hardserver. If you do not specify a module number, the utility uses all modules by default.
Help options
`-h`, `--help`	Displays help for `enquiry`.
`-u`, `--usage`	Displays a brief usage summary for `enquiry`.
`-v`, `--version`	Displays the version number of the Security World Software that deploys `enquiry`.

Connection options

--pool

Views the pool of HSMs as a single resource.

Option to address HSMs

-m, --module=MODULE

Specifies the number of the module to perform the tests on.
If you only have one module, <MODULE> is 1.
If you specify module 0, enquiry prints data from only the hardserver.
If you do not specify a module number, the utility uses all modules by default.

Help options

-h, --help

Displays help for enquiry.

-u, --usage

Displays a brief usage summary for enquiry.

-v, --version

Displays the version number of the Security World Software that deploys enquiry.

enquiry output info

enquiry displays information similar to that shown in the following example:

The output for remote modules contains the connection status and connection info fields. These fields are absent for local modules.

Server:
 enquiry reply flags    none
 enquiry reply level    Six
 serial number          A815-03E0-D947
 mode                   operational
 version                12.81.2
 speed index            478
 rec. queue             374..574
 level one flags        Hardware HasTokens SupportsCommandState
 version string         12.81.2-393-7b3f83e, 13.3.1-210-bfe23daa, Bootloader: 1.2.3, Security Processor: 13.3.1 , 13.4.3-349-5a0b72d8
 checked in             00000000623c858f Thu Mar 24 10:51:59 2022
 level two flags        none
 max. write size        8192
 level three flags      KeyStorage
 level four flags       OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx AlwaysUseStrongPrimes Type3Smartcard HasKLF2
 module type code       0
 product name           nFast server
 device name
 EnquirySix version     8
 impath kx groups
 feature ctrl flags     none
 features enabled       none
 version serial         0
 level six flags        none
 remote port (IPv4)     9004
 kneti hash             5e2ade32b47dde562a4b3f6a9c11eb75b0f40b47
 rec. LongJobs queue    0
 SEE machine type       None
 supported KML types
 active modes           none
 remote port (IPv6)     9004

Module #1:
 enquiry reply flags    none
 enquiry reply level    Six
 serial number          A815-03E0-D947
 mode                   operational
 version                13.3.1
 speed index            478
 rec. queue             43..152
 level one flags        Hardware HasTokens SupportsCommandState SupportsHotReset
 version string         13.3.1-210-bfe23daa, Bootloader: 1.2.3, Security Processor: 13.3.1 , 13.4.3-349-5a0b72d8
 checked in             0000000063b6f493 Thu Jan 5 11:02:27 2023
 level two flags        none
 max. write size        8192
 level three flags      KeyStorage
 level four flags       OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx AlwaysUseStrongPrimes Type3Smartcard HasKLF2
 module type code       12
 product name           nC3025E/nC4035E/nC4335N
 device name            Rt1
 EnquirySix version     7
 impath kx groups       DHPrime1024 DHPrime3072 DHPrime3072Ex DHPrimeMODP3072
 feature ctrl flags     LongTerm
 features enabled       RemoteShare GeneralSEE StandardKM EllipticCurve ECCMQV AcceleratedECC HSMBaseSpeed
 version serial         37
 connection status      OK
 connection info        esn = A815-03E0-D947; addr = INET/192.168.156.32/9004; ku hash = 3a75d883a3bca6e3d277ea3ca0f9179b31ed40c3, mech = Any
 image version          13.4.3-294-5a0b72d8
 level six flags        SerialConsoleAvailable
 max exported modules   4100
 rec. LongJobs queue    42
 SEE machine type       PowerPCELF
 supported KML types    DSAp1024s160 DSAp3072s256
 using impath kx grp    DHPrimeMODP3072
 active modes           UseFIPSApprovedInternalMechanisms AlwaysUseStrongPrimes  FIPSLevel3Enforcedv2
 hardware status        OK

Flag explanations

Level one flags

Flag Explanation

Flag	Explanation
`Hardware`	Set if this is a hardware module.
`HasTokens`	Set if the module has a hardware token interface, such as a smart card reader.
`MaintenanceMode`	The module is in maintenance mode.
`InitialisationMode`	The module is in initialisation mode.
`PreMaintInitMode`	The module is in pre-maintenance or pre-initialisation mode.
`Uninitialised`	Firmware versions earlier than 13.5: The module enters this state following a firmware upgrade. When in this state it cannot be used, it can only be changed into the pre-maintenance or pre-initialisation states to load new firmware or be initialised. Firmware versions 13.5 and later: This flag is never set. The module enters pre-initialisation mode following a firmware upgrade.
`SupportsCommandState`	The firmware supports the `state` field in `Command` (for HSM Pool Mode).
`SupportsHotReset`	The firmware supports hot reset (for `nopclearfail -S` with Solo XC).

Hardware

Set if this is a hardware module.

HasTokens

Set if the module has a hardware token interface, such as a smart card reader.

MaintenanceMode

The module is in maintenance mode.

InitialisationMode

The module is in initialisation mode.

PreMaintInitMode

The module is in pre-maintenance or pre-initialisation mode.

Uninitialised

Firmware versions earlier than 13.5:

The module enters this state following a firmware upgrade. When in this state it cannot be used, it can only be changed into the pre-maintenance or pre-initialisation states to load new firmware or be initialised.

Firmware versions 13.5 and later:

This flag is never set. The module enters pre-initialisation mode following a firmware upgrade.

SupportsCommandState

The firmware supports the state field in Command (for HSM Pool Mode).

SupportsHotReset

The firmware supports hot reset (for nopclearfail -S with Solo XC).

Level two flags

These flags are not used in practise. The Level two flags value will always be none.

Level three flags

Flag Explanation

Flag	Explanation
`KeyStorage`	The module is capable of key management functions.

KeyStorage

The module is capable of key management functions.

Level four flags

Flag Explanation

Flag	Explanation
`OrderlyClearUnit`	The module supports `Cmd_ClearUnit`. If this flag is set, the server will clear the module whenever the server is started.
`HasRTC`	The module has an onboard real-time clock.
`HasNVRAM`	The module has onboard nonvolatile memory.
`HasNSOPermsCmd`	The module supports the `SetNSOPermsCmd` command.
`ServerHasPollCmds`	The server supports the `PollModuleState` and `PollSlotList` commands.
`FastPollSlotList`	The module issues asynchronous notifications to the server when tokens are inserted, removed, or modified.
`HasSEE`	The module supports the Secure Execution Engine (SEE).
`HasKLF`	The module has a KLF long-term fixed signing key.
`HasShareACL`	The module supports setting ACLs on logical token shares, the `impath` commands, and the `Send` and `Receive` commands.
`HasFeatureEnable`	The module supports feature-enabled functions.
`HasFileOp`	The module supports operations using nonvolatile memory, and the `FileCopy`, `FileCreate`, `FileErase`, `FileOp`, `LoadBlob` and `MakeBlob` commands.
`HasPCIPush`	The module supports the PCI push interface. This increases the speed of commands on the PCI bus, improving performance for certain channel commands.
`HasKernelInterface`	The module has a separate logical interface capable of receiving jobs from, for instance, the OS kernel. This facility requires support from the driver.
`HasLongJobs`	The module supports the command flag `Command_flags_LongJob` and will not time out commands with this flag set.
`ServerHasLongJobs`	The hardserver understands the command flag `Command_flag_LongJobs` and will correctly wait for the module to complete commands that have this flag set. Clients must only set the `Command_flag_LongJobs` flag if the server supports it; otherwise the server may declare the module to have failed. For a job to be processed as a LongJob, the module and all servers handling the job must support long jobs.
`AESModuleKeys`	The module supports AES module keys.
`NTokenCmds`	The module is an nToken.
`JobFragmentation`	The module supports fragmentation of large commands and replies to and from the host.
`LongJobsPreferred`	The module is happy to receive all commands as LongJobs, that is jobs with no timeout.
`Type2Smartcard`	The module supports type 2 (Payflex) smartcards.
`ServerHasCreateClient`	The server can accept the `CreateClient` command in place of `NewClient`, and store information about the process for associating connections with applications.
`HasInitialiseUnitEx`	The module supports the `Cmd_InitialiseUnitEx` command.
`AlwaysUseStrongPrimes`	The module is behaving as if the `UseStrongPrimes` flag was present for all RSA key generations.
`Type3Smartcard`	The module supports type 3 smartcards (original Remote Administration Ready Athena Javacards supported v12.0 onwards).
`HasKLF2`	The module has a KLF2 long-term fixed signing key.
`DisablePKCS1Padding`	All cryptographic mechanisms which use PKCS #1 v1.5 padding are disabled. If this is enabled, raw RSA encryption/decryption is still supported by the RSA OAEP mechanisms.
`HasPCIPushPull`	The module supports the PCI push pull interface. This increases the speed of commands on the PCI bus in both directions, improving performance for certain channel commands.

OrderlyClearUnit

The module supports Cmd_ClearUnit. If this flag is set, the server will clear the module whenever the server is started.

HasRTC

The module has an onboard real-time clock.

HasNVRAM

The module has onboard nonvolatile memory.

HasNSOPermsCmd

The module supports the SetNSOPermsCmd command.

ServerHasPollCmds

The server supports the PollModuleState and PollSlotList commands.

FastPollSlotList

The module issues asynchronous notifications to the server when tokens are inserted, removed, or modified.

HasSEE

The module supports the Secure Execution Engine (SEE).

HasKLF

The module has a KLF long-term fixed signing key.

HasShareACL

The module supports setting ACLs on logical token shares, the impath commands, and the Send and Receive commands.

HasFeatureEnable

The module supports feature-enabled functions.

HasFileOp

The module supports operations using nonvolatile memory, and the FileCopy, FileCreate, FileErase, FileOp, LoadBlob and MakeBlob commands.

HasPCIPush

The module supports the PCI push interface. This increases the speed of commands on the PCI bus, improving performance for certain channel commands.

HasKernelInterface

The module has a separate logical interface capable of receiving jobs from, for instance, the OS kernel. This facility requires support from the driver.

HasLongJobs

The module supports the command flag Command_flags_LongJob and will not time out commands with this flag set.

ServerHasLongJobs

The hardserver understands the command flag Command_flag_LongJobs and will correctly wait for the module to complete commands that have this flag set. Clients must only set the Command_flag_LongJobs flag if the server supports it; otherwise the server may declare the module to have failed. For a job to be processed as a LongJob, the module and all servers handling the job must support long jobs.

AESModuleKeys

The module supports AES module keys.

NTokenCmds

The module is an nToken.

JobFragmentation

The module supports fragmentation of large commands and replies to and from the host.

LongJobsPreferred

The module is happy to receive all commands as LongJobs, that is jobs with no timeout.

Type2Smartcard

The module supports type 2 (Payflex) smartcards.

ServerHasCreateClient

The server can accept the CreateClient command in place of NewClient, and store information about the process for associating connections with applications.

HasInitialiseUnitEx

The module supports the Cmd_InitialiseUnitEx command.

AlwaysUseStrongPrimes

The module is behaving as if the UseStrongPrimes flag was present for all RSA key generations.

Type3Smartcard

The module supports type 3 smartcards (original Remote Administration Ready Athena Javacards supported v12.0 onwards).

HasKLF2

The module has a KLF2 long-term fixed signing key.

DisablePKCS1Padding

All cryptographic mechanisms which use PKCS #1 v1.5 padding are disabled. If this is enabled, raw RSA encryption/decryption is still supported by the RSA OAEP mechanisms.

HasPCIPushPull

The module supports the PCI push pull interface. This increases the speed of commands on the PCI bus in both directions, improving performance for certain channel commands.

Level six flags

Flag Explanation

Flag	Explanation
`SerialConsoleAvailable`	This is a remote module with a serial console.
`Type3SmartcardRevB`	The module supports type 3 revision B smartcards (NXP JCOP Javacards, second generation of Remote Administration Ready).

SerialConsoleAvailable

This is a remote module with a serial console.

Type3SmartcardRevB

The module supports type 3 revision B smartcards (NXP JCOP Javacards, second generation of Remote Administration Ready).