Verifying the Default Configuration of the YubiHSM 2

Verify the results of the YubiHSM Setup program using the YubiHSM Shell program. Log in using the application authentication key.

The YubiHSM 2 device comes with a single factory-installed authentication key whose default password is password. As part of the configuration in this guide, this default authentication key will be destroyed. If the YubiHSM 2 is reset to its default configuration, any non factory-installed objects stored on it are also destroyed. Reset instructions can be found in Resetting Device to Factory Settings.

We reiterate that you will need two YubiHSM 2 devices to complete all steps of this guide, because you will be deploying the first device and creating a backup of all key material on the second device.

These steps also verify that neither of the YubiHSM 2 devices have been tampered with.

To verify that YubiHSM 2 devices still have the default configuration by following the steps below:

Step 1:

Verify the YubiHSM 2 setup, in your Command Prompt, run the following command:

$ yubihsm-shell

Do one of the following:

  • If the application that calls the YubiHSM Connector is running on a local host, start the Connector with the command yubihsm-connector without additional parameters. In Windows Server 2012 SP2 or higher, yubihsm-connector.exe is located in C:\Program Files\YubiHSM Connector\.
  • If the application is running on a VM or a different server, start the YubiHSM Connector on the host operating system in networking mode. For example, if the host machine’s IP address is 192.168.100.252, launch the Connector on the host OS with the command yubihsm-connector -l 192.168.100.252:12345

Tip

For testing or debugging the YubiHSM Connector, the flag -d can be set.
Step 2:

To gain shell access to the YubiHSM 2, launch the YubiHSM Shell program:

  1. Open a Command Prompt.

  2. Run the command yubihsm-shell.

  3. If a networked Connector is used, set the parameter --connect <connector URL>.

    If the YubiHSM Connector is running on a host machine to which the YubiHSM 2 is physically connected, start the YubiHSM Shell program in networked mode.

    $ yubihsm-shell --connector http://192.168.100.252:12345

where –

The host server’s IP address is 192.168.100.252

Tip

For testing or debugging the YubiHSM Shell, the flag -d can be set.
Step 3:

To connect to the YubiHSM 2, at the yubihsm command line, type connect. A message saying that you have a successful connection is displayed.
Step 4:

To open a session with the YubiHSM 2, type session open 1 (where 1 is the ID of the default authentication key pre-installed on the device).
Step 5:

Type in the default password: password. A message confirming that the session has been set up successfully is displayed.
Step 6:

You now have an administrative connection to the YubiHSM 2 and you can list the objects available by typing list objects 0 and pressing Enter. Your results should be similar to the following:

Found 3 object(s)
id: 0x0002, type: wrap-key, sequence: 0
id: 0x0003, type: authentication-key, sequence: 0
id: 0x0004, type: authentication-key, sequence: 0

As you can see by looking at their IDs, these objects correspond to the wrap key, the application authentication key and the audit key that were just created.
Step 7:

To obtain more information about any of the objects and its capabilities — for example, the application authentication key (object ID 3) — run the objectinfo command with the appropriate ID format, for example:

yubihsm> get objectinfo 0 3 authentication-key

The response you receive should look similar to the following:

id: 0x0003, type: authentication-key, algorithm:
aes128-yubico-authentication, label: "Application auth key",
length: 40, domains: 1, sequence: 0, origin: imported,
capabilities: exportable-under-wrap:generate-asymmetric-key:
sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa,
delegated_capabilities:exportable-under-wrap:
generate-asymmetric-key:sign-attestation-certificate:sign-pkcs:
sign-pss:sign-ecdsa
Step 8:

Review the responses to confirm that YubiHSM 2 has now been configured to:

  • Generate asymmetric objects
  • Compute signatures using RSA-PKCS1v1.5
  • Compute signatures using RSA-PSS
  • Export other objects under wrap
  • Import wrapped objects
  • Mark an object as exportable under wrap

In addition, this object (the application authentication key, object ID 3) also has delegated capabilities that can be bestowed on other objects that it creates. For more information on delegated capabilities, see Capability.
Step 7:

To exit, type quit.