Chapter 26. tpsclient (Debugging the TPS)
The tpsclient tool can be used for debugging or testing the TPS. The tpsclient imitates the Enterprise Security Client and can give debug output or emulate enrolling and formatting tokens without having to use tokens.

The tpsclient tool is launched by running the command tpsclient. The tool has no options. Running this opens a shell which allows specific commands to be directed toward the tpsclient.

tpsclient and the TPS need to agree on a set of symmetric keys to establish a secure channel. They are both configured with a mutual default token, which has the default key set (version 1) containing three keys: authentication key, MAC key, and key encryption key (KEK). The TPS subsystem understands and accepts the default key set. The default key values for each are set to 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4a 0x4b 0x4c 0x4d 0x4e 0x4f, 16 bytes. The default configuration is shown by running the token_status option within the tpsclient command shell.

If the TPS is configured to use a new master key, then the tpsclient must also be reconfigured, or it cannot establish its connection to the TPS.
- Get the new key set data to input into tpsclient. The default key set must be stored in the TKS, and the master key must be added. Do this by editing the TKS mapping parameter in the TKS CS.cfg file:

  ```
  tks.mk_mappings.#02#01=nethsm1:masterkey
  ```

  This configuration instructs the TKS to map the master key named masterkey on the nethsm1 token to the #02#01 key.

- Enable key upgrade in the TPS by editing the update symmetric keys parameters in the TPS CS.cfg file:

  ```
  op.format.tokenKey.update.symmetricKeys.enable=true
  op.format.tokenKey.update.symmetricKeys.requiredVersion=2
  ```

  This setting instructs the TPS to upgrade the token from version 1 to version 2 during the tpsclient format operation.

- Format the token using tpsclient. The CUID can be any 10-byte string; it affects how the TKS computes the new key set for tpsclient.

  Note

  Because it can be tedious to type each operation and parameter through the command line, it is possible to create an input file and then point the tpsclient command to the file. For example:

  ```
  tpsclient < /tmp/input.txt
  ```

  Example 26.1, “Example tpsclient Enrollment Input File” and Example 26.2, “Example tpsclient Format Input File” both list examples for an input file. The command prompt will return any output given by tpsclient during the operation and the final result of the command.

- After running the format operation, tpsclient prints the new key set in the standard output. Save the new values in a new tpsclient input file. The input file can then be used with a production TPS server.
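The following POSIX shell script is an added example and is not part of the Red Hat documentation. It checks the two configuration points of the procedure above from a defender's side: that the TPS CS.cfg enables symmetric key upgrade with a requiredVersion of at least 2 (so tokens are moved off the publicly documented version 1 default key set), and that the TKS CS.cfg maps the #02#01 key to a master key in token:keyname form. The CS.cfg fragments it reads are constructed inline; the file paths, sample directory and function names (cfg_value, check_tps_key_upgrade, check_tks_mapping) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Checks that a TPS
# deployment has moved past the default key set (version 1):
#   - TPS CS.cfg must enable symmetric key upgrade with requiredVersion >= 2
#   - TKS CS.cfg must map the #02#01 key to a master key (token:keyname)
# The configuration fragments below are constructed for this example; a real
# check reads the actual CS.cfg files of the TPS and TKS instances.

SAMPLE_DIR=$(mktemp -d)

# Constructed TPS CS.cfg fragment with key upgrade enabled (the corrected setting).
TPS_CFG="$SAMPLE_DIR/tps-CS.cfg"
cat > "$TPS_CFG" <<'EOF'
# constructed sample; comment lines start with '#'
op.format.tokenKey.update.symmetricKeys.enable=true
op.format.tokenKey.update.symmetricKeys.requiredVersion=2
EOF

# Constructed TPS CS.cfg fragment that still accepts the default key set (the weak setting).
TPS_DEFAULT_CFG="$SAMPLE_DIR/tps-default-CS.cfg"
cat > "$TPS_DEFAULT_CFG" <<'EOF'
op.format.tokenKey.update.symmetricKeys.enable=false
op.format.tokenKey.update.symmetricKeys.requiredVersion=1
EOF

# Constructed TKS CS.cfg fragment with the master key mapping from the procedure.
TKS_CFG="$SAMPLE_DIR/tks-CS.cfg"
cat > "$TKS_CFG" <<'EOF'
tks.mk_mappings.#02#01=nethsm1:masterkey
EOF

# cfg_value FILE KEY: print the value of KEY from a CS.cfg-style name=value file.
# The key is compared as a whole string, so '#' and '.' inside it are literal.
cfg_value() {
    awk -F= -v key="$2" '$1 == key { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_tps_key_upgrade TPS_CS_CFG: succeed only if key upgrade is enabled and
# the required key set version is an integer of at least 2.
check_tps_key_upgrade() {
    enable=$(cfg_value "$1" op.format.tokenKey.update.symmetricKeys.enable)
    version=$(cfg_value "$1" op.format.tokenKey.update.symmetricKeys.requiredVersion)
    [ "$enable" = "true" ] || return 1
    case "$version" in
        ''|*[!0-9]*) return 1 ;;   # missing, or not a plain integer
    esac
    [ "$version" -ge 2 ]
}

# check_tks_mapping TKS_CS_CFG: succeed only if the #02#01 key is mapped to a
# master key in token:keyname form.
check_tks_mapping() {
    mapping=$(cfg_value "$1" 'tks.mk_mappings.#02#01')
    case "$mapping" in
        ?*:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the constructed samples.
for cfg in "$TPS_CFG" "$TPS_DEFAULT_CFG"; do
    if check_tps_key_upgrade "$cfg"; then
        echo "$cfg: key upgrade required (version $(cfg_value "$cfg" op.format.tokenKey.update.symmetricKeys.requiredVersion))"
    else
        echo "$cfg: still accepts the default key set"
    fi
done
if check_tks_mapping "$TKS_CFG"; then
    echo "$TKS_CFG: #02#01 -> $(cfg_value "$TKS_CFG" 'tks.mk_mappings.#02#01')"
else
    echo "$TKS_CFG: no master key mapping for #02#01"
fi
```

Pointing TPS_CFG and TKS_CFG at the real CS.cfg files of an instance turns this into a quick post-change check; cfg_value compares the whole key so the # characters in tks.mk_mappings.#02#01 are not mistaken for comment markers.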
tpsclient can be used for formatting operations or for enrollment operations. The sample input file for an enrollment operation is shown in Example 26.1, “Example tpsclient Enrollment Input File”.

Example 26.1. Example tpsclient Enrollment Input File

The sample input file for a format operation is shown in Example 26.2, “Example tpsclient Format Input File”.

Example 26.2. Example tpsclient Format Input File
Note
The host value can be an IPv4 address or an IPv6 address, if one is configured for the host.
26.1. Syntax

The tpsclient tool has the following syntax:

```
tpsclient op=operation options
```
Operation | Description | Options |
---|---|---|
op=help | Brings up the help page, which lists all usage and options for the tpsclient tool. | N/A |
op=debug filename=filename | Enables debugging. | filename sets the debug file. |
op=ra_enroll | Tests certificate enrollments. | |
op=ra_reset_pin | Resets the token PIN. | |
op=ra_update | Updates the applet. | |
op=token_set | Sets the token value. | The usage with this operation is name=value, which sets the token name and description. |
op=token_status | Returns the current token status. | N/A |
op=var_get | Gets the current value of the variable. | This has the usage name=name, where name is the variable being checked. |
op=var_list | Lists all possible variables. | N/A |
op=var_set | Sets variable values. | |