X-ROAD 6 SIGNER CONSOLE USER GUIDE



Similar documents
webmethods Certificate Toolkit

Use Enterprise SSO as the Credential Server for Protected Sites

Using LDAP Authentication in a PowerCenter Domain

Displaying SSL Certificate and Key Pair Information

GoldKey and Cisco AnyConnect

Privilege Manager for Unix How To

Go to Policy/Global Properties/SmartDashboard Customization, click Configure. In Certificates and PKI properties, change host_certs_key_size to 2048

PaaS Operation Manual

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

Displaying SSL Certificate and Key Pair Information

WebSphere Application Server security auditing

PRiSM Security. Configuration and considerations

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

DIGIPASS CertiID. Getting Started 3.1.0

User and Programmer Guide for the FI- STAR Monitoring Service SE

Router CLI Overview. CradlePoint, Inc.

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

Install an SSL Certificate onto SilverStream. Sender Recipient Attached FIles Pages Date. Development Internal/External None 5 6/16/08

EJBCA with GemSAFE Toolbox Part2 Sign. and Encrypt

Using RADIUS Agent for Transparent User Identification

WebLogic Server 6.1: How to configure SSL for PeopleSoft Application

TeamViewer 9 Manual Management Console

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Microsoft Windows Server 2008 Active Directory, Configuring

Generating an Apple Enterprise MDM Certificate

Clearswift Information Governance

Configure Single Sign on Between Domino and WPS

User Management Guide

RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware

McAfee Cloud Identity Manager

Monitoring App V eg Enterprise v6

Title: Documentation for the Pi-UPS-Monitor-App

UFTP AUTHENTICATION SERVICE

CRYPTOLogon Agent. for Windows Domain Logon Authentication. Deployment Guide. Copyright , CRYPTOCard Corporation, All Rights Reserved.

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

INFORMATION TECHNOLOGY CONTROLS

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Unicenter Workload Control Center r1 SP4. Server Status Troubleshooting Guide

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

Advanced Administration

Configuring Microsoft Active Directory for Oracle Net Naming. An Oracle White Paper April 2014

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Creating an ESS instance on the Amazon Cloud

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

Microsoft IAS and NPS Agent Configuration Guide

Document Management Getting Started Guide

Server Account Management

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Flight Workflow User's Guide. Release

Yubico PIV Management Tools

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Digital Signatures on iqmis User Access Request Form

Policy and Profile Reference Guide

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

WHMCS LUXCLOUD MODULE

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

English ETERNUS CS800 S3. Backup Exec OST Guide

SafeNet KMIP and Google Cloud Storage Integration Guide

OneLogin Integration User Guide

UM8000 Voic System Administration Guide

CA Nimsoft Monitor. Probe Guide for NT Event Log Monitor. ntevl v3.8 series

MBAM Self-Help Portals

Enterprise Content Management System Monitor 5.1 Security Considerations Revision CENIT AG Brandner, Marc

Remote Administration

IBM WebSphere Application Server Version 7.0

User Management Tool 1.6

CAPIX Job Scheduler User Guide

Powershell Management for Defender

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date Version V1.0

Resco Mobile CRM Security

FIGURE Selecting properties for the event log.

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Marriott Enrollment Server for Web User Guide V1.4

ITA Mail Archive Setup Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Certificates for computers, Web servers, and Web browser users

Command Line Interface User Guide for Intel Server Management Software

Configuring Logging. Information About Logging CHAPTER

HP LeftHand SAN Solutions

Certificate technology on Pulse Secure Access

etrust Audit Using the Recorder for Check Point FireWall-1 1.5

Source Code Management for Continuous Integration and Deployment. Version 1.0 DO NOT DISTRIBUTE

Configuring Sponsor Authentication

Lieberman Software. RSA SecurID Ready Implementation Guide. Account Reset Console. Partner Information. Last Modified: March 20 th, 2012

Upgrading Software Using the Online Installer

Certificate technology on Junos Pulse Secure Access

Documentum Developer Program

Junos Pulse. Windows In-Box Junos Pulse Client Quick Start Guide. Published: Copyright 2013, Juniper Networks, Inc.

ESM s management across multi-platforms eliminates the need for various account managers.

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Application Setup help topics for printing

Guide to Your Telephone Service

Preface. Limitations. Disclaimers. Technical Support. Luna SA and IBM HTTP Server/IBM Web Sphere Application Server Integration Guide

The Impact of 21 CFR Part 11 on Product Development

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Transcription:

X-ROAD 6 SIGNER CONSOLE USER GUIDE 2.2

Signer Console User Guide Page 2 VERSION HISTORY Date Version Description 20.11.2014 0.1 First draft 20.11.2014 0.2 Some improvements done 1.12.2014 1.0 Minor corrections done 19.01.2015 1.1 License information added 02.04.2015 1.2 sdsb changed to xroad 30.06.2015 1.3 Minor corrections done 09.09.2015 2.0 Editorial changes made 14.09.2015 2.1 Audit log added 20.09.2015 2.2 Editorial changes made

Signer Console User Guide Page 3 TABLE OF CONTENTS 1 Introduction... 4 1.1 References... 4 2 Using the Signer Console... 5 2.1 Signer Console Options... 5 2.2 Starting as Interactive Shell... 5 2.3 Executing Single Commands... 5 2.4 Available Commands... 6 2.4.1 list-tokens... 6 2.4.2 list-keys... 6 2.4.3 list-certs... 6 2.4.4 set-token-friendly-name... 6 2.4.5 set-key-friendly-name... 6 2.4.6 get-member-certs... 7 2.4.7 activate-certificate... 7 2.4.8 deactivate-certificate... 7 2.4.9 delete-key... 7 2.4.10 delete-certificate... 7 2.4.11 delete-certificate-request... 7 2.4.12 import-certificate... 8 2.4.13 login-token... 8 2.4.14 logout-token... 8 2.4.15 init-software-token... 8 2.4.16 sign... 8 2.4.17 generate-key... 8 2.4.18 generate-cert-request... 9 3 Example: Certificate Import... 10 4 Audit Log... 11

Signer Console User Guide Page 4 1 INTRODUCTION The purpose of this document is to explain how to manage keys and certificates in signer from the command line using the signer console utility. Signer is an X-Road component whose primary purpose is to process signing requests and produce signatures. Signer manages software and hardware (smart cards, HSMs) tokens and their keys and handles certificates associated with the keys. Signer console is a command line utility for interacting with Signer. The utility provides commands for various operations and can execute a single command or be started as an interactive text-based shell. 1.1 REFERENCES 1. [SPEC-AL] X-Road: Audit log events. Cybernetica AS. 2. [JSON] Introducing JSON, http://json.org/

Signer Console User Guide Page 5 2 USING THE SIGNER CONSOLE 2.1 SIGNER CONSOLE OPTIONS Signer console accepts the following options: -h or -help displays list of supported commands -v or -verbose displays more detailed execution output 2.2 STARTING AS INTERACTIVE SHELL To start the signer console as an interactive shell, type sudo -u xroad -i signer-console [<options>] 2.3 EXECUTING SINGLE COMMANDS To execute a single command, type sudo -u xroad -i signer-console [<options>] <command> [<command arguments>]

Signer Console User Guide Page 6 2.4 AVAILABLE COMMANDS This section gives an overview of all available commands in signer console. A command may have one or more arguments, and may or may not produce any output. If command has arguments, they are always mandatory. 2.4.1 list-tokens Description: Lists all tokens. (none) Output: List of all tokens, each line representing the following token information: <id> (<status>, <read only writable>, <available unavailable>, <active inactive>) 2.4.2 list-keys Description: Lists all keys on all tokens. (none) Output: List of keys on all tokens, each line representing the following key information: <id> (<usage>, <available unavailable>) 2.4.3 list-certs Description: Lists all certificates and certificate requests on all keys. (none) Output: List of certificates and certificate requests on all keys, each line representing the following information: <id> (<status>, <client id>) 2.4.4 set-token-friendly-name Description: Sets friendly name to the specified token. token id: the identifier of the token. Use list-tokens to look up token id-s. friendly name: the name to set. 2.4.5 set-key-friendly-name Description: Sets friendly name to the specified key. key id: the identifier of the key. Use list-keys to look up key id-s. friendly name: the name to set.

Signer Console User Guide Page 7 2.4.6 get-member-certs Description: Returns certificates of a member. member id: the identifier of the member, entered as \ <instance> <class> <code>\. Output: List of certificates of the specified member. 2.4.7 activate-certificate Description: Activates the specified certificate. certificate id: the identifier of the certificate. Use list-certs to look up certificate identifiers. 2.4.8 deactivate-certificate Description: Deactivates the specified certificate. certificate id: the identifier of the certificate. Use list-certs to look up certificate identifiers. 2.4.9 delete-key Description: Deletes the specified key and all associated certificates and certificate requests. key id: the identifier of the key. Use list-keys to look up key id-s. 2.4.10 delete-certificate Description: Deletes the specified certificate from Signer. certificate id: the identifier of the certificate. Use list-certs to look up certificate identifiers. 2.4.11 delete-certificate-request Description: Deletes the specified certificate request from Signer. certificate request id: the identifier of the certificate. Use list-certs to look up certificate request identifiers.

Signer Console User Guide Page 8 2.4.12 import-certificate Description: Imports a certificate from the specified file to a key. The certificate is imported to the key pair whose public key matches that of the certificate. file: the relative or absolute file name of the certificate in PEM or DER format. member id: the identifier of the member constructed from the C, O, CN fields of the certificates DN, entered as: \ <instance> <class> <code>\. If the certificate is an authentication certificate, the member id is not used. Output: Identifier of the key to which the certificate was imported. 2.4.13 login-token Description: Log in to the specified token. token id: the identifier of the token. Use list-tokens to look up token identifiers. 2.4.14 logout-token Description: Log out of the specified token token id: the identifier of the token. Use list-tokens to look up token identifiers. 2.4.15 init-software-token Description: Initialize the software token. A PIN is prompted that is used to log in to this token. (none) 2.4.16 sign Description: Sign the specified character data using the specified key. key id: the identifier of the key. Use list-keys to look up key identifiers. data: character data to be signed as string Output: signature byte array 2.4.17 generate-key Description: Generates a key on the specified token.

Signer Console User Guide Page 9 token id: the identifier of the token. Use list-tokens to look up token identifiers. Output: The id of the generated key. 2.4.18 generate-cert-request Description: Generates a certificate request under the specified key in Signer and saves it to a CSR file in current directory. key id: the identifier of the key. Use list-keys to look up key identifiers. member id: the identifier of the member that matches the subject name, entered as: \ <instance> <class> <code>\. usage: key usage either s (sign) or a (authentication) subject name: the subject distinguished name, entered as: C=<instance>, O=<class>, CN=<code> Output: Name of the file where the certificate request was saved.

Signer Console User Guide Page 10 3 EXAMPLE: CERTIFICATE IMPORT The following usage example shows how to initialize a software token and import a certificate to signer. 1. Initialize the software token: signer-console init-software-token A PIN is prompted, this will be used to log in to the software token afterwards. 2. Log in to the software token: signer-console login-token 0 Note, that the identifier of software token is always 0. 3. Generate a new key on the software token: Output is key id: signer-console generate-key 0 F30D41B745FC072028956A3E9695416247248595 4. Create a certificate request: signer-console generate-cert-request F30D41B745FC072028956A3E9695416247248595 \ FOO BAR BAZ\ s C=FOO,O=BAR,CN=BAZ Output: Saved to file F30D41B745FC072028956A3E9695416247248595.csr 5. Send the CSR to the Certificate Authority and get the certificate. 6. Import the new certificate to signer: signer-console import-certificate <PEM file> SAVED \ FOO BAR BAZ\

Signer Console User Guide Page 11 4 AUDIT LOG User actions events that are made by the signer-console utility and that change the system state or configuration are logged to the audit log. The actions are logged regardless of whether the outcome was a success or a failure. The complete list of the audit log events is described in [SPEC-AL]. An audit log record contains the description of the user action, the date and time of the event, the user name of the user performing the action, and the data related to the event. For example, logging in to the token produces the following log record: 2015-09-14T17:41:28+03:00 my-server-host INFO [X-Road Signer Console] 2015-09-14 17:41:28+0300 - {"event":"log into the token","user":"xroad","data":{"tokenid":"0"}} The event is present in JSON [JSON] format, in order to ensure machine processability. The fieldevent represents the description of the event, the fielduser represents the user name of the performer, and the fielddata represents data related with the event. The failed action event record contains an additional fieldreason for the error message. For example: 2015-09-14T17:43:07+03:00 my-server-host INFO [X-Road Signer Console] 2015-09-14 17:43:07+0300 - {"event":"log into the token failed","user":"xroad","reason":"signer.pinincorrect: PIN incorrect","data":{"tokenid":"0"}} By default, in the X-Road security server and central server, audit log is located in the file /var/log/xroad/audit.log

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information