SMConsole Version 1.01 User Guide
Contents
1. Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxActiveKey
     PUBLIC_KEY  ID 3    DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 100  DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 3    DSA  LABEL NmxNotActive
   Generate KeyPair
     DSA parameters file (optional):
     Key ID (0 for auto): 0
     Key Pair with ID 2 generated
   List Keys
     Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxActiveKey
     PUBLIC_KEY  ID 2    DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 100  DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 2    DSA  LABEL NmxNotActive
   Typically, after generating a new key pair you would set the key pair to active.
   Table 3-4 Workstation User commands (continued)
   Command: Set ActiveKey
   Description: Specify the key pair to be used for signing data and emails. For example (commands are summarized):
   List Keys
     Keys found on the Token: (listing continues in item 2)
2. Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxActiveKey
     PUBLIC_KEY  ID 2    DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 100  DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 2    DSA  LABEL NmxNotActive
   Generate KeyPair
     DSA parameters file (optional):
     Key ID (0 for auto): 0
     Key Pair with ID 3 generated
   List Keys
     Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxActiveKey
     PUBLIC_KEY  ID 3    DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 100  DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 3    DSA  LABEL NmxNotActive
   Set ActiveKey
     Key ID: 3
     Key Pair with ID 3 set to Active
   List Keys
     Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxNotActive
     PUBLIC_KEY  ID 3    DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 100  DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 3    DSA  LABEL NmxActiveKey
3. Appendix A  Overview of Menus
   A.3 User Authorization menus
   Figure A-3 User authorization management menus
   Main Menu
     1 Digitizers          Manage the digitizer keypairs
     2 Workstation         Manage information on the workstation token
     3 User Authorization  Manage user access permissions
     0 Exit
   User Authorization
     1 Display User   Display the details of a user
     2 Update User    Add/remove a user's roles
     3 Add User       Add new user
     4 Delete User    Delete an existing user
     5 Display Role   Display the details of a role
     6 Update Role    Add/remove a role's permissions
     7 Load Defaults  Load the default authorization values
     8 Save Changes   Save changes made to authorization values
     0 Exit           Exit this menu and discard the changes
   Update User (operator)
     1 Add the SecurityAdministrator role
     2 Add the SecurityUser role
     3 Remove the Operator role
     4 Remove the User role
     0 Exit
   Update Role (Operator)
     1 Add the GenerateKeypair pe…
4. Digitizers: Manage the digitiser key pairs.
   Workstation: Manage key pairs and other information on the workstation token.
   User Authorization: Manage user access permissions.
   3.1 Levels of access to menus and commands
   The SMConsole menus and commands that are available depend on your level of access. For example, the User Authorization section of SMConsole is visible only to users with the MaintainAuthorizationModel permission, which defaults to the nmx user ID only. The default role and permission mappings are shown in Appendix B, Access Level Defaults. See also Section 3.3.3, Managing user access and permissions, on page 12.
   3.2 Starting and stopping SMConsole
   To start SMConsole, enter smconsole in any terminal window. To stop SMConsole, enter 0 as required from each sub-menu until you have exited from the Main menu.
   3.3 Using the SMConsole run-time commands
   This section provides a summary of initial token configuration and the command options for each of the management functions: digitiser keys, workstation keys and token information, and the authorization model. To run a command, enter the number for the corresponding menu option and then, for some commands, enter parameter values as prompted. All SMConsole menus have an Exit or Logout option (0). To exit or log out from the current menu, enter 0; this opens the menu that is one level higher in the hierarchy. To exit from SMConsole, …
5. Appendix A  Overview of Menus
   A.2 Workstation menus
   Figure A-2 Workstation token management menus
   Main Menu
     1 Digitizers          Manage the digitizer keypairs
     2 Workstation         Manage information on the workstation token
     3 User Authorization  Manage user access permissions
     0 Exit
   Workstation Token
     1 Get TokenInfo  Get information about the Token
     2 Login SO       Log into the Token as a Security Officer
     3 Login User     Log into the Token as a User
     0 Exit
   Token Information (via Get TokenInfo)
     1 Get Version        Get the token version information
     2 Get MechanismList  Get a list of encryption mechanisms on a token
     3 Get SlotInfo       Get information about a slot on this workstation
     4 Get TokenInfo      Get detailed information about the token
     5 Get SlotList       Get a list of the slots on this workstation
     0 Exit
   Security Officer Options (via Login SO)
     1 Change PIN          Change the PIN for this account
     2 Initialize Token    Initialize the Token (clears existing data)
     3 Initialize UserPIN  Change the …
6. …Active Key Id: 5414
   Change KeyID
     Key ID to change: 5414
     New Key ID: 414
   Get KeyList
     Number of Keypairs: 2
     Key IDs: 5414 414
     Active Key Id: 414
   Get KeyList: Retrieve the list of all key pair IDs currently defined and show which is active.
   Set ActiveKey: Set the key to be used for data authentication to the specified key pair. For example (commands are summarized):
   Get KeyList
     Number of Keypairs: 2
     Key IDs: 414 5414
     Active Key Id: 414
   Set ActiveKey
     Key ID: 5414
   Get KeyList
     Number of Keypairs: 2
     Key IDs: 414 5414
     Active Key Id: 5414
   Delete KeyPair: Delete the specified non-active key pair…
7. Table 3-4 Workstation User commands (continued)
   Command: Change KeyID
   Description: Change the ID of either of the 2 key pairs to any valid ID (any integer from 1 to 4294967295). If you change a key pair ID to the ID of an existing key pair, the ID of the other key pair is automatically assigned an available default value. For example (commands are summarized):
   List Keys
     Keys found on the Token:
     PUBLIC_KEY  ID 2    DSA  LABEL NmxNotActive
     PUBLIC_KEY  ID 100  DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 2    DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 100  DSA  LABEL NmxActiveKey
   Change KeyID
     Key ID: 2
     New Key ID: 100
     Key Pair ID changed to 100
   List Keys
     Keys found on the Token:
     PUBLIC_KEY  ID 100  DSA  LABEL NmxNotActive
     PUBLIC_KEY  ID 3    DSA  LABEL NmxActiveKey
     PRIVATE_KEY ID 100  DSA  LABEL NmxNotActive
     PRIVATE_KEY ID 3    DSA  LABEL NmxActiveKey
8. Update User: Add/remove a user's roles. The sub-menu Update User (user name) lists the options to add or remove roles as applicable to the current user configuration. See Appendix B for the default role and permission values.
   Add User: Add a new user. You can then use Update User to assign roles to the new user, granting them the appropriate permissions. When adding a new AutoDRM user, their user name must be the Subject Distinguished Name of the certificate used to sign their emails.
   Delete User: Delete an existing user. You will be prompted for confirmation before the user is deleted.
   Display Role: Display the role name and the assigned permissions. See Appendix B for the default values.
   Update Role: Add/remove a role's permissions. The sub-menu Update Role (role name) lists the options to add or remove permissions as applicable to the current configuration. All permissions except MaintainAuthorizationModel are for email (AutoDRM) requests. Permissions include:
     CenterMass: Can send mass centre commands
     GenerateKeypair: Can generate key pairs and store them on the digitiser token
     MaintainAuthorizationModel: Can change the user authorization model, such as adding a user and changing the user roles
     StartCalibration: Can send calibration commands
     StartContinuous: Can set the CD 1.1 sender to continuous on
     StartKeypair: Can set a digitiser key pair to active
     StopConti…
9. …UpdateCRL: Can update the certificate revocation list
   Appendix B  Access Level Defaults
   Table B-1 Default role and permission mappings (continued)
   Role: SecurityUser
     CenterMass: Can send mass centre commands
     GenerateKeypair: Can generate key pairs and store them on the token
     StartCalibration: Can send calibration commands
     StartContinuous: Can set the CD 1.1 sender to continuous on
     StartKeypair: Can set a digitiser key pair to active
     StopContinuous: Can set the CD 1.1 sender to continuous off
   User: unsigned; Role: User
     RequestData: Can request data such as waveform data
   All permissions except MaintainAuthorizationModel are for email (AutoDRM) requests.
10. …Get KeyList
      Number of Keypairs: 2
      Key IDs: 414 5414
      Active Key Id: 414
    Typically, after generating a new key pair you would set the key pair to active and set the active key ID to the instrument serial number. Use Set ActiveKey to make the new key pair active. Use Change KeyID to set the new active key pair ID to the instrument serial number.
    Get PublicKey: Retrieve the DSA public key value, along with its parameters, for the key specified by the key ID. Specify the filename for the stored key information (there is no default filename). For example:
      Key ID: 5414
      Destination key information file: getKeyPair
    Table 3-1 Digitiser key management commands (continued)
    Command: Change KeyID
    Description: Change the ID of either of the 2 key pairs. A key pair ID can be changed to the ID of an existing key pair; the ID of the other key pair is then assigned an available default value. For example (commands are summarized):
    Get KeyList
      Number of Keypairs: 2
      Key IDs: 414 5414
      Active…
11. SMConsole Version 1.01 User Guide
    © 2004-2005 Nanometrics Inc. All Rights Reserved.
    The information in this document has been carefully reviewed and is believed to be reliable for Version 1.01.xx. Nanometrics Inc. reserves the right to make changes at any time without notice to improve the reliability and function of the product. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Nanometrics Inc.
    Nanometrics Inc., 250 Herzberg Road, Kanata, Ontario, Canada K2K 2A1. Tel: (613) 592-6776. Fax: (613) 592-5929. Email: info@nanometrics.ca
    Part number 15160R2. Release date 2005-10-28.
    Contents
      Figures ... iii
      Tables ... v
      1 SMConsole ... 1
        1.1 About SMConsole ... 1
          1.1.1 Typical operation ... 1
        1.2 Summary of inputs and outputs ... 2
          1.2.1 Inputs ... 2
          1.2.2 Outputs ... 2
      2 Installing SMConsole ... 2
        2.1 Dependencies ... 2
        2.2 Install SMConsole ... 3
      3 Using SMConsole ... 3
        3.1 Levels of access to menus and commands ... 3
        3.2 Starting and stopping SMConsole ... 3
        3.3 Using th…
12. …Set up a workstation token
    1 Insert the token into the card reader.
    2 Launch SMConsole.
    3 Choose Workstation > Initialize Token. A confirmation prompt will display; enter y to initialize the token.
    4 Set all PINs to a password and leave the token label blank.
    5 Choose Login User and enter the PIN.
    6 Choose Generate KeyPair and then set the key pair to active (Set ActiveKey). The system will use the private key to sign data in NmxToCD11 or email in AutoDRM. Data receivers will use the public key to verify the signature.
    7 Export the public key as a certificate request:
      a Choose Generate CertReq. Use the following guidelines for the parameters in the certificate request:
        Subject Name (CN): CF-nn-mm, the computer name, where nn denotes the Central Facility number and mm denotes the workstation number; for example, CF-01-02 for ws02 in the first central facility of a station.
        Organization (O): CTBTO
        Organization Unit (OU): IMS
        Locality (L): station code, for example JMIC
        Country (C): not used; press Enter
      b Save the file in /nmx/user/<computer name>.crq.
      c Obtain a certificate containing this public key by sending the certificate request to an appropriate certificate authority (CA). For example, email this file to CTBTO, requesting in return the workstation certificate as well as the certificate of the Certificate Authority (CA) that issued the workstation certificate. When the certificates are r…
13. …after prompting for confirmation.
    Generate CertReq: Create a certificate request for the specified key and store it in a file. Encoding options include DER (default filename is certreq.crq) and PEM (default filename is certreq.txt). Specify the public key ID for which the certificate is requested, enter the distinguished name information, and select the storage format.
    Change RSAKey: Change the key that is used to encrypt protected commands. Use this function when you suspect the current key may have been compromised.
    Table 3-1 Digitiser key management commands (continued)
    Command: Initialize Token
    Description: Clear (reinitialize) the digitiser token. This deletes all keys, certificates and other data that are currently stored on the token. Initialization will automatically create a single key pair and make it active, with the instrument serial number as the key pair ID. It may take a minute or two for the action to complete.
    3.3.2 Managing workstation tokens
    Workstation tokens are used to provide S/MIME email signing and verification services using X.509 certificates, and can be used to store and export CRLs. These tokens may also be used by NmxToCD11 for signing data. The authorization model for assigning permissions to users (for example, to send commands via email) is stored on workstation tokens.
    3.3.2.1 Set up…
14. …all encryption mechanisms (or algorithms) supported for the token in the specified slot.
    Get SlotInfo: Get information about a slot on this workstation.
    Get TokenInfo: Get detailed information about a token.
    Get SlotList: Get a list of the slots on this workstation, either all slots or only those slots that have a token.
    Login SO: Log in to the token with Security Officer (SO) access. See Table 3-3 for SO-level token management options.
    Login User: Log in to the token with User access. See Table 3-4 for User-level token management options.
    Table 3-3 Workstation Security Officer commands
    Change PIN: Change the login PIN for this Security Officer account.
    Initialize Token: Clear (reinitialize) the workstation token. This deletes all keys, certificates and other data that are currently stored on the token. After initializing the token you must set the Security Officer (SO) PIN, the token label, and the User PIN.
    Initialize UserPIN: Initialize the User PIN for this token. This command will delete all User data from the token, including keys and certificates, as it initializes the User area of the token.
    Table 3-4 Workstation User commands
    Get SessionInfo: Get information about this…
15. Load Certificate: Load an X.509 certificate from file and store it on the token. Specify the relative or absolute filename for the certificate. The certificate may be DER or PEM encoded. If the certificate is self-signed, a warning will display; choose whether or not to trust and store the certificate. If the certificate is not self-signed, the program will search the token for the issuer's self-signed certificate and verify the new certificate using the issuer's public key. If the new certificate can be verified it will be stored automatically on the token; otherwise it will not be stored. Unverified certificates will not be stored on the token. Each certificate stored on the token will be given an object ID. If the public key contained in a certificate matches a public key on the token, the certificate will get the same ID number as the key.
    Export Certificate: Export an X.509 certificate from the token and store it as a file. You must specify the object ID for the certificate to export and a format in which to store the certificate. Encoding options include DER (default filename is cert.cer) and PEM (default filename is cert.txt). You can specify different filenames.
    Load CRL: Load a certificate revocation list in X.509 format onto this token. The self-signed certificate that issued the CRL must be present. The CRL is stored with the cert…
16. …Using the SMConsole run-time commands ... 3
          3.3.1 Managing digitiser tokens ... 3
            3.3.1.1 Set up a digitiser token ... 4
            3.3.1.2 Digitiser management commands ... 4
          3.3.2 Managing workstation tokens ... 7
            3.3.2.1 Set up a workstation token ... 7
            3.3.2.2 Workstation management commands ... 8
          3.3.3 Managing user access and permissions ... 12
            3.3.3.1 Authorization model management commands ... 12
        3.4 Updating the token configuration for AutoDRM ... 13
        3.5 Monitoring SMConsole operation ... 13
      Appendix A Overview of Menus ... 15
        A.1 Digitiser menus ... 15
        A.2 Workstation menus ... 16
        A.3 User Authorization menus ... 17
      Appendix B Access Level Defaults ... 19
    Figures
      A-1 Digitiser key management menus
      A-2 Workstation token management menus
      A-3 User authorization management menus
    Tables
      3-1 Digitiser key management commands
      3-2 Workstation token menu commands
      3-3 Workstation Security Officer commands
      3-4 Workstation User commands
      3-5 User authorization commands
      B-1 Default role and permission mappings
    1 SMConsole
    1.1 About SMConsole
    Security Management Console (SMConsole) provides command-line options for managing PKCS11-compliant cryptographic tokens on both digitisers and workstations. Tokens ca…
17. …SMConsole provides functions for using a token with the NmxToCD1, NmxToCD11 and AutoDRM programs. The required management function determines how you should configure the token initially; see Section 3.3.1, Managing digitiser tokens, and Section 3.3.2, Managing workstation tokens, for token setup by function. See also the documentation for PKCS11 Cryptography Token Version 2.01.
    1.2 Summary of inputs and outputs
    1.2.1 Inputs
    Solaris or Linux program files: smconsole, smconsole.jar, bcprov-jdk14-122.jar, libcrystoki2.so, libpkcs11nmx.so
    Windows program files: smconsole.jar, SMConsole.bat, bcprov-jdk14-122.jar, cryst201.dll, pkcs11nmx.dll
    Digitiser token: DSA parameters file. The program accepts both Windows and Unix path names. The file specified must adhere to the Java Properties file syntax and contain the p, q and g DSA parameters. The parameters are hex representations of Big Integers and can be up to a maximum size of 256, 40 and 256 hex characters respectively for p, q and g. The parameter identifiers in the file are case sensitive.
    Workstation token: Certificate files in PEM format; CRL files in PEM format; DSA parameters file with the characteristics described above.
    The appropriate Luna card drivers for your operating system and card reader. The appropriate security token access…
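As an added example (not part of the Nanometrics guide), the following Python script checks a digitiser DSA parameters file against the constraints stated above before it is handed to Generate KeyPair: Java Properties syntax, case-sensitive identifiers p, q and g, and hex values of at most 256, 40 and 256 characters. It goes a step beyond the guide by also checking the basic DSA domain-parameter relations (p and q prime, q divides p-1, 1 < g < p, g^q = 1 mod p) that a corrupt or tampered file would violate. The file contents and the toy-sized parameter values are constructed for the example; the function names are the example's own.

```python
"""Validate a digitiser DSA parameters file before handing it to Generate KeyPair.

Added example, not part of the SMConsole guide. Checks the rules the guide
states for the parameters file (Java Properties syntax, case-sensitive keys
p, q, g, hex values of at most 256, 40 and 256 characters) and, beyond the
guide, the DSA domain-parameter relations. Sample file contents below are
constructed, toy-sized values (p=23, q=11, g=4), not real 1024-bit parameters.
"""
import re

MAX_HEX = {"p": 256, "q": 40, "g": 256}   # limits stated in the guide
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_KV = re.compile(r"([^=:\s]+)\s*[=:\s]?\s*(.*)")


def parse_properties(text):
    """Parse the subset of Java Properties syntax the parameters file uses.

    Handles '#'/'!' comment lines, blank lines, '=', ':' or whitespace as the
    key/value separator, and backslash line continuation. Keys are returned
    exactly as written, so 'P' is not 'p' (case sensitive, as in the guide).
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # logical line continues on the next line
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        m = _KV.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _is_probable_prime(n):
    """Miller-Rabin with fixed small bases; exact for the toy sizes used here,
    probabilistic (but adequate as a sanity check) for 1024-bit values."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dsa_parameters(text):
    """Return (ok, problems) for the content of a DSA parameters file."""
    props = parse_properties(text)
    problems, values = [], {}
    for key, limit in MAX_HEX.items():
        val = props.get(key)
        if val is None:
            problems.append(f"missing parameter '{key}' (identifiers are case sensitive)")
        elif not _HEX.match(val):
            problems.append(f"'{key}' is not a hex string")
        elif len(val) > limit:
            problems.append(f"'{key}' has {len(val)} hex characters, limit is {limit}")
        else:
            values[key] = int(val, 16)
    if len(values) != 3:
        return False, problems            # format errors: skip the number-theory checks
    p, q, g = values["p"], values["q"], values["g"]
    if not _is_probable_prime(p):
        problems.append("p is not prime")
    if not _is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g is not in the range 1 < g < p")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q modulo p")   # tampered/corrupt generator
    return not problems, problems


# Constructed sample files: a valid one and one with the wrong-case key 'P'.
GOOD_FILE = "# constructed toy DSA parameters (p=23, q=11, g=4)\np = 17\nq : b\ng 4\n"
BAD_FILE = "P=17\nq=b\ng=4\n"

if __name__ == "__main__":
    for name, content in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        ok, problems = validate_dsa_parameters(content)
        print(name, "OK" if ok else problems)
```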
18. …received, log in again as User.
    10 Choose Load Certificate.
    11 Load the CA certificate (it will probably be called cacert.pem).
    12 If a CRL is available for the CA certificate, choose Load CRL and then load the CRL.
    13 Choose Load Certificate.
    14 Load the workstation certificate (it will probably be called <computer name>.pem).
    15 (Optional) Store other trusted certificates on the token using the Load Certificate option. These certificates are used to identify users authorized to request data via AutoDRM.
    16 Log out.
    3.3.2.2 Workstation management commands
    Note: Commands used to alter data on the workstation token (commands in the Workstation and User Authorization sections) will update the first token that is found on the workstation.
    The Workstation menu provides access to sub-menus for token, encryption key, certificate and CRL management (see Table 3-2, Table 3-3 and Table 3-4). The menus and options available depend on whether you are logged in as a Security Officer or as a User (see also Section A.2, Workstation menus, on page 16).
    Table 3-2 Workstation token menu commands
    Get TokenInfo: Get information about the token through the options in the Token Information menu.
    Get Version: Get the token version information, such as manufacturer and library version.
    Get MechanismList: Get a list of…
19. …enter 0 from the Main menu.
    3.3.1 Managing digitiser tokens
    Digitiser tokens are only used to sign CD 1.0 and CD 1.1 sub-frames. The digitiser token can store up to 2 key pairs.
    3.3.1.1 Set up a digitiser token
    Note: When a digitiser is rebooted and there are no key pairs on the token, the digitiser will automatically create a key pair and make it active. It will not clear any other existing data off the token.
    1 Choose the digitiser via Digitizers > <digitiser number>, and then choose Initialize Token. When the digitiser initializes a new token it clears any existing data off the token, then creates a new key pair and makes it active.
    2 Choose Get KeyList to see which Key ID was assigned to the key pair (the default value is the instrument serial number).
    3 Create a certificate request with this Key ID:
      a Choose Generate CertReq and then enter the distinguished name parameters appropriate for the certificate request: Subject Name, Organization, Organization Unit, Locality and Country.
      b Save the file in /nmx/user/<digitiserID>.crq.
    4 Email the certificate request to the CTBTO officer in charge of the system.
    The digitiser will use the private key to sign data in NmxToCD1 and NmxToCD11. Data receivers will use the public key to verify the digitiser signature.
    3.3.1.2 Digitiser management commands
    SMConsole provides the encryption key ma…
20. …file. The logs are stored in the directory /nmx/log/SMConsole (Linux and Solaris) or C:\nmx\log\SMConsole (Windows). If SMConsole encounters an error, the console window will display an error message to help with solving the problem.
    Appendix A  Overview of Menus
    This section provides a graphic overview of the SMConsole menus by task area: digitiser token management, workstation token management, and authorization model.
    A.1 Digitiser menus
    Figure A-1 Digitiser key management menus
    Available Digitizers
      1 Europa101
      2 Europa421
      3 Europa429
      4 Europa433
      0 Exit
    Digitizer Europa101
      1 Generate KeyPair   Creates a new keypair and returns its public key
      2 Get PublicKey      Returns the public key for the specified keypair
      3 Change KeyID       Re-labels a keypair
      4 Get KeyList        Returns a list of keypair IDs
      5 Set ActiveKey      Sets the active key to the specified keypair
      6 Delete KeyPair     Deletes the specified non-active keypair
      7 Generate CertReq   Creates a certificate request and stores it in a file
      8 Change RSAKey      Changes the key used to encrypt protected commands
      9 Initialize Token   Reinitializes (clears) the digitizer token
      0 Exit
21. …certificate, and is deleted automatically when the certificate is deleted.
    Export CRL: Export a certificate revocation list in X.509 format from this token. Encoding options include DER (default filename is crlst.crl) and PEM (default filename is crlst.txt). You can specify different filenames.
    Table 3-4 Workstation User commands (continued)
    Generate CertReq: Generate a certificate request for a key pair. This exports a public key in a standard format as a PKCS10 Certificate Request. Specify the public key ID for which the certificate is requested, and the country, organization, organization unit and subject for the certificate. The program will save the certificate request in either DER or PEM encoding. Default filenames are certreq.crq for DER and certreq.txt for PEM. You can specify different filenames.
    3.3.3 Managing user access and permissions
    Note: The User Authorization section is visible only to users with the MaintainAuthorizationModel permission, which defaults to be only the nmx user ID.
    Users are assigned roles, and roles are assigned permissions. The stored mapping of users, their roles and the role permissions is the authorization model. This determines both the level of access to menus and commands for using and managing tokens, and the permissions for sending requests via email using AutoDRM. User level…
22. …User level is determined when you log on to the workstation.
    Users can be added and deleted. One or more roles can be mapped to a user; for example, a system administrator might be assigned the role SecurityAdministrator. In the current release the list of possible roles is fixed.
    Different permissions can be mapped to a role; for example, a SecurityAdministrator has permission to add or remove users, to modify other users' roles, and to send various requests, whereas a User has permission to request data. In the current release the list of possible permissions is fixed. See Appendix B for a list of the default roles and permissions.
    3.3.3.1 Authorization model management commands
    The User Authorization menu provides the authorization model management functions (Table 3-5). Updating of users and roles is managed through the sub-menus.
    Notes:
    1 Commands that are used to alter data on the workstation token (commands in the Workstation and User Authorization sections) will update the first token that is found on the workstation.
    2 Authorization model changes will not be seen by AutoDRM until the changes are saved and AutoDRM is restarted.
    Table 3-5 User authorization commands
    Display User: View the user name and the assigned role(s) for that user.
23. …access libraries for your operating system.
    1.2.2 Outputs
    SMConsole_yyyymmdd.log: The log file contains timestamped messages for every user action or attempted action that can cause a change to the system, for example changing the mapping of a user to a role.
    Digitiser token: Certificate requests, in PEM or DER format.
    Workstation token: Certificate and CRL files, and certificate requests, in PEM or DER format.
    2 Installing SMConsole
    2.1 Dependencies
    SMConsole must be run from the same directory as NaqsServer. It will look in the working directory for the naqsaddr.ini file created by NaqsServer.
    For the workstation and authorization model functions, it must be installed on the same machine as the workstation token, with that token in the first slot if more than one is installed. It must be run from the same directory as AutoDRM. It uses AutoDRM.ini to get the workstation token PIN, so that the authorization model can be retrieved from the token without requiring the user to log in first.
    For the digitiser functions, the Comms Controller firmware must be version 5.81.01 or higher.
    2.2 Install SMConsole
    See the installation instructions for the acquisition system workstation.
    3 Using SMConsole
    SMConsole commands are accessible through a hierarchy of menus (see Appendix A for an overview). These are divided into three general task areas:
24. …can be managed locally and remotely via SSH. For workstation tokens, SMConsole also provides commands to manage certificates, certificate revocation lists (CRLs) and the AutoDRM access control list, or authorization model.
    1.1.1 Typical operation
    Tokens on Europa digitisers are used to sign CD 1.0 and CD 1.1 frames. Workstation tokens are used to sign CD 1.1 frames, to provide S/MIME email signing and verification services using X.509 certificates, and to check command request authorization using the stored authorization model.
    Objects such as keys, certificates and CRLs may be stored on a token. Keys are used primarily for signing data and email. Certificates are used for email verification at the workstation token, for example by the AutoDRM program, which requires that a valid certificate be included in any signed received message and which includes a certificate in outgoing signed emails. CRLs are used for verifying certificates.
    Many objects may be stored on the token. Each stored object is assigned an ID number. The object type and ID number are used to specify a particular object on the token, for example to specify which private key should be used for signing data. Related objects will have the same object ID. For example, if you generate a public/private key pair, then obtain and store a certificate containing the public key, all three objects (both of the keys and the certificate) will have the same object ID. SMConsol…
25. …management functions listed in Table 3-1. To choose a digitiser from the list of all Europa digitisers connected to the system, enter the corresponding menu number from the list of digitisers: Main Menu > Digitizers > Available Digitizers > <digitiser menu number>.
    Table 3-1 Digitiser key management commands
    Command: Generate KeyPair
    Description: Generate a new DSA key pair on the security token using the specified DSA parameters and either an automatically generated or a specified unique key ID. The key ID must be an integer from 1 to 4294967295 (unsigned 4-byte integer value). The default key ID is the instrument serial number if that ID is not currently in use by either of the key pairs; otherwise some other default value will be assigned. A maximum of 2 key pairs can be stored on the token. A previously inactive key pair will be removed if required to accommodate the new key pair. For example (commands are summarized):
    Get KeyList
      Number of Keypairs: 1
      Key IDs: 414
      Active Key Id: 414
    Generate KeyPair
      DSA parameters file: getKeyPair
      Key ID (0 for auto): 0
      Destination key information file: generateKeyPair
    Get Key…
StopContinuous
    Can set the CD-1.1 sender to continuous off.
UpdateCRL
    Can update the certificate revocation list.
Load Defaults
    Load the default authorization values (Appendix B). This will overwrite all changes made to the authorization model subsequent to the initial system configuration. If you want to keep the changes (either the default values, or any changes you have since made to the values that were loaded from default), use Save Changes before exiting to the Main menu.
Save Changes
    Save changes made to authorization values before exiting the User Authorization menu. Exit without saving will discard all of the changes.

3.4 Updating the token configuration for AutoDRM

AutoDRM caches certificates and CRLs for 10 minutes, and access control lists are cached indefinitely. Any changes to these items made using SMConsole will not be seen by AutoDRM for that period of time unless AutoDRM is restarted. Restart AutoDRM after making changes to certificates, CRLs or the access control list (authorization model) to ensure that the cache reflects the current token configuration.

3.5 Monitoring SMConsole operation

Log messages generated by SMConsole list all user actions and attempted actions that can change the state of the system. A new log file is created each day, with the name SMConsole_yyyymmdd.log; all applicable session messages are appended to this
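The caching rule in 3.4 has a security consequence worth seeing end to end: a certificate revoked by loading a new CRL is still accepted by AutoDRM for up to 10 minutes, and a change to the access control list is never seen until AutoDRM restarts. The following is an added example (not AutoDRM or SMConsole code) that models only what the section states. The token contents (a CRL as a set of revoked certificate serials, an ACL as a user-to-permissions map), the class and function names, and the injected clock are all constructed for the example.

```python
"""Model of the AutoDRM caching behaviour stated in section 3.4: certificates
and CRLs are cached for 10 minutes, the access control list indefinitely,
and only a restart clears the cache.

Added example, not AutoDRM or SMConsole code. Token contents and all class
and function names are constructed for this example; the clock is injected
so the 10-minute window can be stepped through without waiting.
"""
CERT_CRL_TTL_SECONDS = 10 * 60   # "10 minutes" per section 3.4


class Token:
    """The token side, as edited by SMConsole (Load CRL, User Authorization)."""

    def __init__(self):
        self.crl = set()                               # revoked certificate serials
        self.acl = {"operator": {"StartCalibration"}}  # constructed sample ACL


class AutoDRM:
    """The consumer side, reading token objects through its cache."""

    def __init__(self, token, clock):
        self.token = token
        self.clock = clock           # callable returning a time in seconds
        self.restart()

    def restart(self):
        """Restarting AutoDRM drops both caches."""
        self._crl = None
        self._crl_fetched_at = None
        self._acl = None

    def _cached_crl(self):
        now = self.clock()
        if self._crl is None or now - self._crl_fetched_at >= CERT_CRL_TTL_SECONDS:
            self._crl = set(self.token.crl)          # refresh a copy from the token
            self._crl_fetched_at = now
        return self._crl

    def _cached_acl(self):
        if self._acl is None:                        # fetched once, never refreshed
            self._acl = {u: set(p) for u, p in self.token.acl.items()}
        return self._acl

    def accepts_request(self, user, cert_serial, permission):
        """A signed command request is honoured only if the signer's certificate
        is not on the (cached) CRL and the user holds the (cached) permission."""
        if cert_serial in self._cached_crl():
            return False
        return permission in self._cached_acl().get(user, set())
```

Stepping the clock shows the exposure window: after the CRL on the token is updated, `accepts_request` keeps honouring the revoked certificate until 600 seconds have passed since the last fetch, and a permission added to the token's ACL is ignored for any length of time until `restart()` is called.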
    ... permission
    2 Add the MaintainAuthorizationModel permission
    3 Add the StartKeypair permission
    4 Add the UpdateCRL permission
    5 Remove the CenterMass permission
    6 Remove the StartCalibration permission
    7 Remove the StartContinuous permission
    8 Remove the StopContinuous permission
    0 Exit

Appendix A Overview of Menus

Appendix B Access Level Defaults

Table B.1 shows the default role and permission mappings for the authorization model.

Table B.1 Default role and permission mappings

User: operator    Role: Operator
    CenterMass                  Can send mass centre commands
    StartCalibration            Can send calibration commands
    StartContinuous             Can set the CD-1.1 sender to continuous on
    StopContinuous              Can set the CD-1.1 sender to continuous off

User: nmx    Role: SecurityAdministrator
    CenterMass                  Can send mass centre commands
    GenerateKeypair             Can generate key pairs and store them on the token
    MaintainAuthorizationModel  Can change the user authorization model, such as adding a user and changing the user roles
    StartCalibration            Can send calibration commands
    StartContinuous             Can set the CD-1.1 sender to continuous on
    StartKeypair                Can set a digitiser key pair to active
    StopContinuous              Can set the CD-1.1 sender to continuous off
    UpdateCRL                   Can
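The default mappings in Table B.1, the per-role add/remove permission edits of the User Authorization menu, and the Load Defaults / Save Changes / exit-without-saving semantics described with that menu, as one runnable model. This is an added example, not SMConsole or AutoDRM code: the user, role and permission names are those of Table B.1, while the class and method names and the "working copy versus saved model" representation of unsaved edits are assumptions made for the example.

```python
"""Model of the SMConsole authorization model: Table B.1 defaults, role edits
from the User Authorization menu, Load Defaults, Save Changes and Exit
without saving.

Added example, not SMConsole or AutoDRM code. Names from Table B.1 are used
as-is; the class/method names and the working-copy representation of
unsaved edits are assumptions made for this example.
"""
from copy import deepcopy

# Default role -> permissions mappings from Table B.1.
DEFAULT_ROLES = {
    "Operator": {
        "CenterMass", "StartCalibration", "StartContinuous", "StopContinuous",
    },
    "SecurityAdministrator": {
        "CenterMass", "GenerateKeypair", "MaintainAuthorizationModel",
        "StartCalibration", "StartContinuous", "StartKeypair",
        "StopContinuous", "UpdateCRL",
    },
}
# Default user -> role mappings from Table B.1.
DEFAULT_USERS = {"operator": "Operator", "nmx": "SecurityAdministrator"}


class AuthorizationModel:
    """Saved model (what authorization checks use) plus an editable working copy."""

    def __init__(self):
        self._saved = {"roles": deepcopy(DEFAULT_ROLES), "users": dict(DEFAULT_USERS)}
        self._working = deepcopy(self._saved)

    def is_authorized(self, user, permission):
        """Command-request check against the saved model; unknown users are denied."""
        role = self._saved["users"].get(user)
        return role is not None and permission in self._saved["roles"].get(role, set())

    def role_permissions(self, role):
        return sorted(self._saved["roles"].get(role, set()))

    # Menu edits change only the working copy until Save Changes.
    def add_permission(self, role, permission):
        self._working["roles"].setdefault(role, set()).add(permission)

    def remove_permission(self, role, permission):
        self._working["roles"].get(role, set()).discard(permission)

    def add_user(self, user, role):
        if role not in self._working["roles"]:
            raise ValueError(f"unknown role {role}")
        self._working["users"][user] = role

    def load_defaults(self):
        """Load Defaults: overwrites every change made since initial configuration."""
        self._working = {"roles": deepcopy(DEFAULT_ROLES), "users": dict(DEFAULT_USERS)}

    def save_changes(self):
        """Save Changes: the working copy becomes the stored model."""
        self._saved = deepcopy(self._working)

    def exit_without_saving(self):
        """Leaving the menu without saving discards all pending edits."""
        self._working = deepcopy(self._saved)
```

The check to keep in mind when reading the menu table: `is_authorized` always consults the saved model, so a permission added in the menu has no effect until `save_changes()` is called, and `load_defaults()` followed by `save_changes()` silently removes every user or permission added after initial configuration.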
    ... session.
Change PIN
    Change the login PIN for this User account. It prompts for the current User PIN and new User PIN. If the current PIN is entered correctly, the User PIN will be set to the new value.
Delete Object
    Delete a user object (for example a key pair) from the token. It prompts for the Object ID and lists the types if multiple objects have the same ID. The Object properties will be shown and you will be prompted to confirm the deletion.
List Objects
    View summary information for all objects stored on the token. The List Objects sub-menu provides options to display keys, certificates or all objects.
Display Object
    View detailed information for a single object on the token. It prompts for the Object ID and lists the types if multiple objects have the same ID.
Generate KeyPair
    Generate a DSA private/public key pair for data and email signing and verification. You can use either default or specified DSA parameters and either an automatically generated or a specified unique key ID. The key ID must be an integer from 1 to 4294967295 (unsigned 4-byte integer value). The key labels are generated automatically. A maximum of 2 key pairs can be stored on the token. An inactive key pair will be removed if required to accommodate the new key pair.

    For example (commands are summarized):

        List Keys
        ****************************************
    ... user PIN for this token
    0 Logout

User Options
    1 Get SessionInfo       Get information about this session
    2 Change PIN            Change the PIN for this account
    3 Delete Object         Delete an object from this token
    4 List Objects          List the objects on this token
    5 Display Object        Display the details of an object on this token
    6 Generate KeyPair      Generate a new keypair on this token
    7 Set ActiveKey         Sets the active key to the specified keypair
    8 Change KeyId          Changes the ID of the specified keypair
    9 Load Certificate      Load certificate onto this token
    10 Export Certificate   Export certificate from this token
    11 Load CRL             Load certificate revocation list onto this token
    12 Export CRL           Export a certificate revocation list from this token
    13 Generate CertReq     Generate a certificate request for a keypair
    0 Logout

List Objects
    1 List Keys             List all of the keypairs on this token
    2 List Certificates     List all of the certificates on this token
    3 List All              List all of the objects on this token
    0 Exit