.. hsm2-verify-tools-software-install.rst

.. _hsm2-verify-tools-software-install-label:

=====================================================
Verifying the Default Configuration of the YubiHSM 2
=====================================================

Verify the results of the YubiHSM Setup program using the YubiHSM Shell program. Log in using the application authentication key.

The YubiHSM 2 device comes with a single factory-installed authentication key whose default password is ``password``. As part of the configuration in this guide, this default authentication key will be destroyed. If the YubiHSM 2 is reset to its default configuration, any non-factory-installed objects stored on it are also destroyed. Reset instructions can be found in :ref:`hsm2-reset-to-factory-label`.

We reiterate that you will need two YubiHSM 2 devices to complete all steps of this guide, because you will be deploying the first device and creating a backup of all key material on the second device. These steps also verify that neither of the YubiHSM 2 devices has been tampered with.

To verify that the YubiHSM 2 devices still have the default configuration, follow the steps below:

:Step 1: Verify the YubiHSM 2 setup. In your Command Prompt, run the following command:

   .. code-block:: bash

      $ yubihsm-shell

   Do one of the following:

   * If the application that calls the YubiHSM Connector is **running on a local host**, start the Connector with the command ``yubihsm-connector`` without additional parameters. In Windows Server 2012 SP2 or higher, ``yubihsm-connector.exe`` is located in ``C:\Program Files\YubiHSM Connector\``.

   * If the application is **running on a VM or a different server**, start the YubiHSM Connector on the host operating system in networking mode. For example, if the host machine's IP address is ``192.168.100.252``, launch the Connector on the host OS with the command ``yubihsm-connector -l 192.168.100.252:12345``.

   .. tip:: For testing or debugging the YubiHSM Connector, the flag ``-d`` can be set.

:Step 2: To gain shell access to the YubiHSM 2, launch the YubiHSM Shell program:

   a. Open a Command Prompt.
   b. Run the command ``yubihsm-shell``.
   c. If a networked Connector is used, set the parameter ``--connector``.

   If the YubiHSM Connector is running on a host machine to which the YubiHSM 2 is physically connected, start the YubiHSM Shell program in networked mode:

   .. code-block:: bash

      $ yubihsm-shell --connector http://192.168.100.252:12345

   where ``192.168.100.252`` is the host server's IP address.

   .. tip:: For testing or debugging the YubiHSM Shell, the flag ``-d`` can be set.

:Step 3: To connect to the YubiHSM 2, at the ``yubihsm`` command line, type ``connect``. A message saying that you have a successful connection is displayed.

:Step 4: To open a session with the YubiHSM 2, type ``session open 1`` (where ``1`` is the ID of the default authentication key pre-installed on the device).

:Step 5: Type in the default password: ``password``. A message confirming that the session has been set up successfully is displayed.

:Step 6: You now have an administrative connection to the YubiHSM 2 and you can list the objects available by typing ``list objects 0`` and pressing **Enter**. Your results should be similar to the following:

   .. code-block:: bash

      Found 3 object(s)
      id: 0x0002, type: wrap-key, sequence: 0
      id: 0x0003, type: authentication-key, sequence: 0
      id: 0x0004, type: authentication-key, sequence: 0

   As you can see by looking at their IDs, these objects correspond to the wrap key, the application authentication key and the audit key that were just created.

:Step 7: To obtain more information about any of the objects and its capabilities (for example, the application authentication key, object ID 3), run the ``objectinfo`` command with the appropriate ID format, for example:

   .. code-block:: bash

      yubihsm> get objectinfo 0 3 authentication-key

   The response you receive should look similar to the following:

   .. code-block:: bash

      id: 0x0003, type: authentication-key, algorithm: aes128-yubico-authentication,
      label: "Application auth key", length: 40, domains: 1, sequence: 0,
      origin: imported, capabilities: exportable-under-wrap:generate-asymmetric-key:
      sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa,
      delegated_capabilities:exportable-under-wrap:
      generate-asymmetric-key:sign-attestation-certificate:sign-pkcs:
      sign-pss:sign-ecdsa

:Step 8: Review the responses to confirm that the YubiHSM 2 has now been configured to:

   * Generate asymmetric objects
   * Compute signatures using RSA-PKCS1v1.5
   * Compute signatures using RSA-PSS
   * Export other objects under wrap
   * Import wrapped objects
   * Mark an object as exportable under wrap

   In addition, this object (the application authentication key, object ID 3) also has delegated capabilities that can be bestowed on other objects that it creates. For more information on delegated capabilities, see :ref:`hsm2-concepts-capability-label`.

:Step 9: To exit, type ``quit``.
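The checks in Steps 6 through 8 are easy to misread by eye, so the following script, added here as an example and not part of the Yubico guide or the YubiHSM tools, turns them into a repeatable test. It parses a captured ``list objects 0`` listing and a captured ``get objectinfo`` line and confirms that exactly the three expected objects are present (so a leftover factory authentication key would be flagged) and that the application authentication key carries every required capability. The transcripts embedded below are constructed to mirror the output shown in the guide; on a real device, capture the session with ``yubihsm-shell --connector http://192.168.100.252:12345 | tee session.txt`` and feed the relevant lines to the same functions.

```shell
#!/bin/sh
# Added example (not from the Yubico guide): verify a captured YubiHSM Shell
# transcript against the objects and capabilities Steps 6-8 expect.
# Both samples below are constructed to match the guide's sample output.

# Constructed sample of what "list objects 0" prints after the setup program ran.
SAMPLE_LISTING='Found 3 object(s)
id: 0x0002, type: wrap-key, sequence: 0
id: 0x0003, type: authentication-key, sequence: 0
id: 0x0004, type: authentication-key, sequence: 0'

# Constructed sample of "get objectinfo 0 3 authentication-key", wrapped across
# lines the way the guide shows it; field() joins the lines before parsing.
SAMPLE_INFO='id: 0x0003, type: authentication-key, algorithm: aes128-yubico-authentication,
label: "Application auth key", length: 40, domains: 1, sequence: 0,
origin: imported, capabilities: exportable-under-wrap:generate-asymmetric-key:
sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa,
delegated_capabilities:exportable-under-wrap:
generate-asymmetric-key:sign-attestation-certificate:sign-pkcs:
sign-pss:sign-ecdsa'

# has_object LISTING ID TYPE -> 0 if a line "id: ID, type: TYPE" is present.
has_object() {
    printf '%s\n' "$1" | grep -q "^id: $2, type: $3,"
}

# check_listing LISTING -> 0 only if the listing holds exactly the wrap key
# (0x0002) and the two authentication keys (0x0003, 0x0004) and nothing else.
check_listing() {
    listing=$1
    count=$(printf '%s\n' "$listing" | grep -c '^id: ')
    [ "$count" -eq 3 ] || return 1
    has_object "$listing" 0x0002 wrap-key || return 1
    has_object "$listing" 0x0003 authentication-key || return 1
    has_object "$listing" 0x0004 authentication-key || return 1
    return 0
}

# field INFO NAME -> prints the value of "NAME: value" from an objectinfo
# response. The leading ", " keeps "capabilities" from matching inside
# "delegated_capabilities".
field() {
    printf ', %s\n' "$(printf '%s' "$1" | tr '\n' ' ')" \
        | sed -n "s/.*, $2: *\([^,]*\).*/\1/p"
}

# check_capabilities INFO CAP... -> 0 only if every named capability appears
# in the colon-separated "capabilities" field (delegated ones do not count).
check_capabilities() {
    info=$1; shift
    caps=$(field "$info" capabilities | tr -d ' ')
    for want in "$@"; do
        case ":$caps:" in
            *":$want:"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run the checks on the constructed samples; swap in captured text for a real device.
if check_listing "$SAMPLE_LISTING" \
   && check_capabilities "$SAMPLE_INFO" generate-asymmetric-key sign-pkcs sign-pss \
                         exportable-under-wrap sign-attestation-certificate sign-ecdsa; then
    echo "objects and capabilities match the expected configuration"
else
    echo "unexpected configuration: compare the transcript against Steps 6-8" >&2
fi
```

Note that ``check_capabilities`` deliberately reads only the ``capabilities`` field: a capability that appears solely under ``delegated_capabilities`` can be granted to objects this key creates, but does not authorize the key itself, so counting it would pass a key that cannot actually perform the operation.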