P11NG-CLI

EIDAS This is an EJBCA eIDAS feature.

The EJBCA P11NG-CLI tool enables a set of commands and is built as a stand-alone package, which can be put on any machine and run independently of EJBCA.

The P11NG-CLI provides commands to manage keys on CP5-specific HSMs.

Build and Use P11NG-CLI

The following provides information on building and using the P11NG-CLI tool.

Building P11NG-CLI

To build P11NG-CLI with ant, run the following:

ant p11ng-cli

The directory ./dist/p11ng-cli is created and can be moved to any location.

To use any of the commands, call p11ng-cli.sh in this directory or put the directory in your PATH and run p11ng-cli.sh to call it from any location.

Providing Help

Run the main command to provide help for available commands and options.

List Valid Arguments

Call the p11ng-cli.sh script without arguments to list valid arguments for sub commands to use:

p11ng-cli.sh

Help on Specific Sub Command

Call the p11ng-cli.sh script with an argument to provide help on the specified sub command, for example backupobject:

./p11ng-cli.sh authorizekey

The following displays the output from the above command:

ERROR: Incorrect parameter usage.
    The following mandatory arguments are missing or poorly formed, use --help for more information:
        --lib-file              Shared library path
	--slot-ref 		Slot reference type. One of the following: 'SLOT_INDEX', 'SLOT_NUMBER', 'SLOT_LABEL'
        --slot                  Slot reference value. Slot index, number or label
        --alias                 Alias of the key pair on the HSM.
        --kak-file-path         The path which will be used to save the KAK file to and later for authorization the KAK will be
                                read from it.
        --user                  This option is used to provide user credential for running the CP5 command.
        --padding-scheme        This option is used to provide padding scheme used for signing the hash sent back from HSM
                                (valid values are PSS and PKCS1).

Run command with "--help" to see full manual page.

List All Arguments and Help

To list all arguments and their help, enter the command with the --help argument:

./p11ng-cli.sh authorizekey --help

The following displays the output:

AUTHORIZEKEY            P11NG CLI Commands Manual            AUTHORIZEKEY

NAME
    authorizekey - Authorizes a key before it can be used. CP5 specific operation.

SYNOPSIS
    authorizekey --lib-file <LIBRARY_FILE> --slot <HSM_SLOT> --alias <ALIAS> --kak-file-path <KAK_FILE_PATH> --user <USER_NAME_> --padding-scheme <PADDING_SCHEME_> [OPTIONAL PARAMETERS]

DESCRIPTION
    Authorizes a key before it can be used. CP5 specific operation.

PARAMETERS
    Mandatory parameters:
        --alias <ALIAS>
            Alias of the key pair on the HSM.
        --kak-file-path <KAK_FILE_PATH>
            The path which will be used to save the KAK file to and later for authorization
            the KAK will be read from it.
        --lib-file <LIBRARY_FILE>
            Shared library path
        --padding-scheme <PADDING_SCHEME_>
            This option is used to provide padding scheme used for signing the hash sent
            back from HSM (valid values are PSS and PKCS1).
        --slot-ref <PKCS#11_SLOT_REFERENCE_TYPE>
            Slot reference type. One of the following: 'SLOT_INDEX', 'SLOT_NUMBER', 'SLOT_LABEL'
        --slot <HSM_SLOT>
            Slot reference value. Slot index, number or label
        --user <USER_NAME_>
            This option is used to provide user cridential for running the CP5 command.

    Optional parameters:
        --max-operations-count <MAX_OPERATIONS_COUNT_>
            Maximum number of operations a key can perform on the HSM.
        --password <PASSWORD_>
            Slot Password. If not set then it will be prompted for.
        --verbose
            Set this value for verbose output of parameter values.

List All Available Sub Commands

The following lists all available sub command for the P11NG-CLI tool:

    authorizekey                    Authorizes a key before it can be used. CP5 specific operation.
    backupobject                    Backs up a key from the HSM on the backup file. CP5 specific operation.
    deleteobject                    Deletes objects.
    generatekey                     Generates symmetric key on the HSM
    generatekeypair                 Generates a key pair
    initializekey                   Initializes a key prior to authorization. CP5 specific operation.
    listobjects                     List objects available on the slot.
    listslots                       Lists slots available on the HSM
    onetimeperformancetest          Runs a one time performance test.
    restoreobject                   Restores a backed up key from file into the HSM. CP5 specific operation.
    showinfo                        Shows information about HSM.
    showslotinfo                    Prints information about the slot.
    showtokeninfo                   Prints information about token.
    signperformancetest             Runs a signing performance test.
    unblockkey                      Unblocks a key previously blocked. CP5 specific operation.