The hsm_mgmt_tool command line tool helps crypto officers (COs) manage HSM instances and HSM users. It also allows crypto users (CUs) to share keys and to obtain and set key attributes.
Before you run an hsm_mgmt_tool command, you must start hsm_mgmt_tool and log on to the HSM instance. Make sure that you log on as a user that has permission to run the commands you want to use. For more information, see Permissions of HSM users.
Download and install the package
Download the HSM Instance Management Tool.
CentOS
Method 2: Run the following command to download the HSM management tool. This operation requires the ECS instance to be connected to the Internet.
wget -O hsm-client-v2.03.15.10-1.x86_64.rpm 'https://yundun-hsm4.oss-ap-southeast-1.aliyuncs.com/hsm-client-v2.03.15.10-1.x86_64.rpm'
Method 3: On the Instances page, find the master HSM and click the icon in the Specifications column.
Method 4: On the Activate Cluster page, click Download HSM Management Tool.
Debian
Visit hsm-client-2.03.15.10-20240710_1.x86_64.deb to download the HSM management tool.
Run the following command to install the program and client configuration file in the /opt/hsm directory:
CentOS
sudo yum install -y hsm-client-v2.03.15.10-1.x86_64.rpm
Debian
sudo dpkg -i hsm-client-2.03.15.10-20240710_1.x86_64.deb
Modify the client configuration file
Modify the configuration items in servers in the /opt/hsm/etc/hsm_mgmt_tool.cfg file.
Replace name and hostname with the private IP address of the master HSM on the Instances page.
Replace owner_cert_path with the path to the issuerCA.crt file.
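A pre-flight check for the edited servers section, as an added example (not part of the tool or the original page). It assumes the .cfg file is JSON with a servers list and that issuerCA.crt is PEM-encoded; the sample values and the check_mgmt_cfg and is_pem_cert helpers are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, not a real deployment. The JSON layout is an assumption;
# only "servers", "name", "hostname" and "owner_cert_path" come from the page.
SAMPLE_CFG = """
{"servers": [
  {"name": "172.16.0.10", "hostname": "172.16.0.10",
   "owner_cert_path": "/path/to/issuerCA.crt"},
  {"name": "hsm1", "hostname": "8.8.8.8", "owner_cert_path": ""}
]}
"""

def is_pem_cert(path):
    """True if path is a readable file that starts with a PEM certificate header."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read(64).lstrip().startswith("-----BEGIN CERTIFICATE-----")
    except OSError:
        return False

def check_mgmt_cfg(text, cert_ok=is_pem_cert):
    """Return a list of problems in the 'servers' section of the config text."""
    servers = json.loads(text).get("servers")
    if not isinstance(servers, list) or not servers:
        return ["no entries under 'servers'"]
    problems = []
    for i, srv in enumerate(servers):
        tag = f"servers[{i}]"
        host = srv.get("hostname", "")
        try:
            ip = ipaddress.ip_address(host)
            if not ip.is_private or ip.is_loopback or ip.is_link_local:
                problems.append(f"{tag}: hostname {host} is not a private address")
        except ValueError:
            problems.append(f"{tag}: hostname {host!r} is not an IP address")
        # The page sets name and hostname to the same private IP of the master HSM.
        if srv.get("name") != host:
            problems.append(f"{tag}: name and hostname differ")
        # owner_cert_path must point at the issuerCA.crt file (PEM assumed here).
        cert = srv.get("owner_cert_path", "")
        if not cert or not cert_ok(cert):
            problems.append(f"{tag}: owner_cert_path {cert!r} is not a PEM certificate")
    return problems

if __name__ == "__main__":
    for line in check_mgmt_cfg(SAMPLE_CFG) or ["servers section looks consistent"]:
        print(line)
```

To check the real file, pass the contents of /opt/hsm/etc/hsm_mgmt_tool.cfg to check_mgmt_cfg before starting the tool.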
Run and Exit the Tool
Run the following command to start the hsm_mgmt_tool command line utility:
/opt/hsm/bin/hsm_mgmt_tool /opt/hsm/etc/hsm_mgmt_tool.cfg
Run the following command to end your hsm_mgmt_tool session:
cloudmgmt> quit
Obtain Help
Run the following command to list all hsm_mgmt_tool commands:
cloudmgmt> help
Run the following command to obtain the syntax for an hsm_mgmt_tool command:
cloudmgmt> help <command-name>
Command References
The following table describes the hsm_mgmt_tool commands.
Command | Description | User Type |
changePswd | Changes the passwords of users on an HSM instance. All users can change their own password. COs can change the passwords of all users. | CO |
createUser | Creates users of all types on an HSM instance. | CO |
deleteUser | Deletes users of all types from an HSM instance. | CO |
findAllKeys | Obtains the keys that a user owns or shares. Obtains a hash of the key ownership and data for all the keys on each HSM instance. | CO, AU |
getAttribute | Obtains an attribute value for an HSM key and writes it to a file or standard output (stdout). | CU |
getCert | Obtains the certificate of a particular HSM instance and saves it in a specified format. | All |
getCertReq | Obtains the certificate request of a particular HSM instance and saves it in a specified format. | All |
getHSMInfo | Obtains information about the device on which an HSM instance runs. | All. Logon is not required. |
getKeyInfo | Obtains owners, shared users, and the quorum authentication status of a key. | CU |
info | Obtains information about an HSM instance, including the IP address, hostname, port, and current user. | All. Logon is not required. |
listAttributes | Lists the attributes of an HSM key and the constants that represent them. | All. Logon is not required. |
listUsers | Obtains the users in each of the HSM instances, their user types and IDs, and other attributes. | All. Logon is not required. |
loginHSM and logoutHSM | Logs on to and logs off from an HSM instance. | All |
server | Enters and exits the server mode of an HSM instance. | All |
setAttribute | Changes the values of the label, encrypt, decrypt, wrap, and unwrap attributes of an existing key. | CU |
quit | Quits hsm_mgmt_tool. | All. Logon is not required. |
shareKey | Shares an existing key with other users. | CU |
storeCert | Stores an HSM owner certificate and owner signed certificate. | PRECO or CO |