Troubleshooting

To display specific configuration information you may need, use the hsm showinfo command. This command displays the following types of information:

• HSM label, manufacturer, model, and serial number

• Token flags in use

• Firmware version

• Slot ID

• Session state

• SO status

To display a screen that displays such HSM-specific information, complete the following steps:

1. Go to the lunacm command prompt.

2. Enter the following command (which displays the following screen):

   Copy

   hsm showinfo

To display specific partition capability and policy information you may need, use the partition showpolicies command. For example, this command displays the following types of partition capability or policy information (refer to the screen example for a complete listing):

• State of the following partition capabilities:

  • Private key cloning

  • Private key wrapping/unwrapping

  • Private key masking

  • Secret key cloning

  • Secret key wrapping/unwrapping

  • Secret key masking

  • Max non-volatile storage space

  • Max failed user logins allowed
    
    

• State of the following partition policies:

  • Private key cloning

  • Private key wrapping/unwrapping

  • Private key masking

  • Secret key cloning

  • Secret key wrapping/unwrapping

  • Secret key masking

  • Multipurpose keys

  • Changing key attributes

To display a screen that displays such HSM-specific information, complete the following steps:

1. Go to the lunacm command prompt.

2. Enter the following command (which displays the following screen):

   Copy

   partition showpolicies

To reset the HSM content in an HSM to its original manufacturing state, use the hsm factoryreset command and restart the HSM. However, you must be aware that resetting the HSM content to its original manufacturing state erases all of the existing content and it will be unrecoverable once reset.

To perform a reset of HSM content and display a screen with the corresponding prompts, complete the following steps:

1. Go to the lunacm command prompt.

2. Enter the following command (which displays the following screen):

   Copy

   hsm factoryreset

After completing the reset operation, the HSM is fully re-initialized (with its content having been cleared including its partitions). The HSM has been reset back to its original manufacturing state (for example, the SO PIN is again set to default). In addition, all of the previous keys have been irreversibly destroyed during this operation.

To gather the most current configuration information (appliance details, HSM details, partition details, and FIPS Federal Information Processing Standard 140-2 status), run the following command:

[ade_luna_sa] lunash:>hsm show
 
   Appliance Details:
   ==================
   Software Version:                4.3.2-21
 
   HSM Details:
   ============
   HSM Label:                       ade_luna_sa     
   Serial #:                        950217
   Firmware:                        4.6.1
   Hardware Model:                  Luna K5
   Authentication Method:           PED keys
   
   HSM Admin login status:          Logged In
   HSM Admin login attempts left:   3 before HSM zeroization!
   MofN activation status:          M of N not used
 
   Partitions created on HSM:
   ==========================
   Partition: 902514001,     Name: ade_partition
  
      FIPS 140-2 Operation:
   =====================
   The HSM is NOT in FIPS 140-2 approved operation mode.
   Command Result: 0 (Success)

Generating an HSM Log File

You can generate an HSM log file that contains the current support information using the ctp utility. The file can be shared with either the HID Global or Thales / Thales TCT Support staff. Use the following sample as a guide:

Copy

[cmslunasa] lunash:>hsm -su
'hsm supportInfo' successful.
Use 'ctp' from a client machine to get file named:
supportInfo.txt
Command Result: 0 (Success)