CLI console

Remote operation refers to administration functions such as user management, log extraction, real-time event monitoring and others.

The HSM administrator or Security Officer must have an operator profile in the HSM.

The Dinamo remote management console is the CLI (Command Line Interface) application used to perform the HSM's administrative functions, such as user management, log recovery, backup and restore, basic HSM operation tests, operation statistics and firmware updates, among others.

The console is installed together with the HSM client software. See the Client software topic for more details on uses and procedures.

Some features of the remote management console program:

  1. Command line interface;
  2. Each session can manage one HSM at a time;
  3. The connection is not affected by the load balancing configuration (the console always connects directly to the HSM indicated on the command line);
  4. Every session must be authenticated; no functionality is exposed to anonymous sessions;
  5. The menus only display the options that the logged-in/authenticated user is allowed to execute;
  6. Operations that fail indicate the error code and an explanatory text about the cause of the problem.

The remote management console program is part of the Dinamo package. To run the program, open a command line window and run the hsmcon command from the prompt. The program works synchronously: it always shows a menu of options and, after sending the corresponding request to Dinamo, waits for the response and shows it to the user. There is no set limit to the number of simultaneous client sessions that can be opened on Dinamo. The HSM will accept new sessions as long as there are physical resources available.

Attention

The HSM will disconnect the client after 20 (twenty) minutes of inactivity. Any operation attempted after the inactivity period has expired will result in an error.

Always use the version of the library recommended by the program. To check the version of the library, run the program without arguments: it displays the current version of the library and, if applicable, the minimum recommended version. If in doubt, contact your supplier about how to get the recommended version.

Console version
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

Library tacndlib version 4.7.12.3. # (1)!
.
.
.
  1. Console version.

Running the program without arguments displays a help screen:

Console help screen
Dinamo - Remote Management Console v. 4.13.0.156 2018 (c) Dinamo Networks

Library tacndlib version  4.13.0.156.
Usage: hsmcon [<hsm_ip_address> <id_user> | --cm <hsm_ip_address/target>] [-e/-c] [-p <port>] [-o]
  <hsm_ip_address>       ip address of the HSM
  <id_user>              name of the user to open a session to the HSM
  -e                     open session encrypted (use TLS) - default option
  -c                     open session in clear text (do not use TLS)
  -p <port>              service port of the HSM to open a session - default 4433
  -o                     authentication with an OTP value (2nd factor)
  -3                     enable option to use exponent 3 for RSA keys
  -l                     enable legacy options
  -sip                   search for the nearby HSMs to connect
  -g <cert path>         get the HSM's TLS cert and write it to <cert_path>
                         in PEM format
  -pri <key path>        private key used in mutual authentication, MUST be in
                         PEM format. -pri_cert and -hsm_cert MUST be provided
  -pri_cer <cert path>   private key's certificate used in mutual
                         authentication, in PEM/DER format. -pri and -hsm_cert
                         MUST be provided
  -hsm_cer <hsm path>    HSM's certificate used in mutual authentication, in
                         PEM/DER format. -pri and -pri_cert MUST be provided
  --cm <ip/target>       connect to the HSM using the Windows Credential Manager
                         target name. Target name must be the address of the HSM
  -h                     display this help and exit

Example:
       hsmcon 10.10.1.1 master -c
       hsmcon 10.10.1.1 master -e -p 4433
       hsmcon --cm 10.10.1.1
       hsmcon 10.10.1.1 master -o

To connect the remote management console to Dinamo, enter the IP address of Dinamo and the user id. You will then be asked for the password. Optionally, you can also enter the type of session (open or encrypted) and the port. If these arguments are not entered, the session will be encrypted and the port will be 4433 (TCP).
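Because the session type and the mutual-authentication files are chosen on the command line, hsmcon invocations kept in administration scripts can be checked before use. The following is an added example, not part of the Dinamo package: `lint_hsmcon` and the sample command lines are hypothetical, and the flag names are taken from the left column of the help screen above.

```python
import shlex

# Flag names are taken from the left column of the hsmcon help screen above.
VALUE_FLAGS = {"-p", "-g", "-pri", "-pri_cer", "-hsm_cer", "--cm"}
MUTUAL_AUTH = ("-pri", "-pri_cer", "-hsm_cer")
REVIEW = {  # flags worth a review when found in a stored command line
    "-c": "session opened in clear text (no TLS)",
    "-3": "exponent 3 enabled for RSA keys",
    "-l": "legacy options enabled",
}

def lint_hsmcon(command_line):
    """Return findings for one hsmcon command line (hypothetical helper)."""
    # posix=False keeps Windows paths such as C:\keys\op.pem intact.
    tokens = shlex.split(command_line, posix=False)
    flags, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_FLAGS:
            if i + 1 >= len(tokens):
                return [f"{tok}: missing value"]
            flags[tok] = tokens[i + 1]
            i += 2
        else:
            if tok.startswith("-"):
                flags[tok] = True
            i += 1
    findings = [f"{f}: {why}" for f, why in REVIEW.items() if f in flags]
    if "-c" in flags and "-e" in flags:
        findings.append("-c and -e are both given; conflicting channel options")
    given = [f for f in MUTUAL_AUTH if f in flags]
    missing = [f for f in MUTUAL_AUTH if f not in flags]
    if given and missing:
        # The help screen requires the three mutual-authentication files together.
        findings.append("mutual authentication incomplete, missing: " + ", ".join(missing))
    return findings

# Constructed sample command lines, e.g. collected from admin scripts.
SAMPLES = [
    "hsmcon 10.10.1.1 master -e -p 4433",
    "hsmcon 10.10.1.1 master -c",
    r"hsmcon 10.10.1.1 master -pri C:\keys\op.pem -3",
    "hsmcon --cm 10.10.1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", lint_hsmcon(line) or "ok")
```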

Connection prompt
C:\>hsmcon 127.0.0.1 master
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

Library tacndlib version  4.7.12.3.

HSM Dinamo IP : 127.0.0.1 # (1)!
HSM User ID : master # (2)!
HSM User Password : ************ # (3)!
  1. HSM IP address
  2. Name of partition or user
  3. Password credential

Info

To connect with the remote management console, make sure that the Dinamo service is started and that the network parameters are correctly configured.

If the arguments are entered correctly, the connection to the HSM service is established and a menu with the available options is displayed. The following example screens will always show the full menus for a user with full permissions. If the session is opened by a user who does not have full permissions, some menus will have fewer options.

Console Main Menu
Dinamo - Remote Management Console v. 4.7.16.15 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

Main Menu

Keys/Objects              Users                        HSM

 1 - Create...            17 - Create                  33 - Info
 2 - Remove               18 - Remove                  34 - Logs...
 3 - Attributes           19 - List                    35 - Backup...
 4 - Import...            20 - Attributes              36 - Monitoring...
 5 - Export...            21 - Trust Relations         37 - Firmware Update
 6 - List                 22 - Password Policy         38 - Replication...
 7 - Permissions...       23 - My Password             39 - SPB...
 8 - Key Backup...                                     40 - EFT...
                                                       41 - IP Filter...
                                                       42 - Tests...
                                                       43 - Dinamo Services...
                                                       44 - Tools...




 0 - Exit

Option: #(1)!
  1. Indicate one of the menu options

The first line shows a title bar with the program's version. The next line identifies the HSM being managed: the IP address, the communication channel (e for TLS-protected channel and c for open channel), the model and software version of the HSM, the serial number of the HSM and the user who is maintaining the session. The main menu and submenus are shown below it.

The administration tasks of the HSM are divided into three groups: Keys and objects, users and operation of the HSM. Options marked with ... indicate that a submenu with new options will be displayed to complete the task.

To exit the console program choose option 0 (zero) in the main menu.

Credential Manager

In the Windows version, you can create an entry in the Windows Credential Manager and just enter the name of this entry to use the console. Retrieval of the username and password is done implicitly for HSM authentication.

Windows Credential Manager

To create the entry [1], enter:

  • in Network or Internet address the IP address of the HSM (DNS name or IP number);
  • in User name the name of the HSM user;
  • in Password the HSM user's password.

Creating a new credential

To use the entry, enter the IP address of the HSM in the command line with the --cm option. The configured credentials will be used for authentication with the HSM.

Use with Windows Credential Manager input
C:\>hsmcon --cm 127.0.0.1 #(1)!
  1. Enter the IP address of the HSM configured in the Credential Manager.

[1] You can run the Credential Manager from the prompt with control.exe keymgr.dll or by searching in the Windows search box.