Verifying the Default Configuration of the YubiHSM 2
Verify the results of the YubiHSM Setup program using the YubiHSM Shell program. Log in using the application authentication key.
The YubiHSM 2 device comes with a single factory-installed authentication key whose default password is password
. As part of the configuration in this guide, this default authentication key will be destroyed. If the YubiHSM 2 is reset to its default configuration, any non factory-installed objects stored on it are also destroyed. Reset instructions can be found in Resetting Device to Factory Settings.
We reiterate that you will need two YubiHSM 2 devices to complete all steps of this guide, because you will be deploying the first device and creating a backup of all key material on the second device.
These steps also verify that neither of the YubiHSM 2 devices have been tampered with.
To verify that YubiHSM 2 devices still have the default configuration by following the steps below:
Verify the YubiHSM 2 setup, in your Command Prompt, run the following command:
$ yubihsm-shell
Do one of the following:
- If the application that calls the YubiHSM Connector is running on a local host, start the Connector with the command
yubihsm-connector
without additional parameters. In Windows Server 2012 SP2 or higher,yubihsm-connector.exe
is located inC:\Program Files\YubiHSM Connector\
. - If the application is running on a VM or a different server, start the YubiHSM Connector on the host operating system in networking mode. For example, if the host machine’s IP address is
192.168.100.252
, launch the Connector on the host OS with the commandyubihsm-connector -l 192.168.100.252:12345
Tip
For testing or debugging the YubiHSM Connector, the flag
-d
can be set.- If the application that calls the YubiHSM Connector is running on a local host, start the Connector with the command
To gain shell access to the YubiHSM 2, launch the YubiHSM Shell program:
Open a Command Prompt.
Run the command
yubihsm-shell
.If a networked Connector is used, set the parameter
--connect <connector URL>
.If the YubiHSM Connector is running on a host machine to which the YubiHSM 2 is physically connected, start the YubiHSM Shell program in networked mode.
$ yubihsm-shell --connector http://192.168.100.252:12345
where –
The host server’s IP address is 192.168.100.252
Tip
For testing or debugging the YubiHSM Shell, the flag
-d
can be set.To connect to the YubiHSM 2, at the
yubihsm
command line, typeconnect
. A message saying that you have a successful connection is displayed.To open a session with the YubiHSM 2, type
session open 1
(where1
is the ID of the default authentication key pre-installed on the device).Type in the default password:
password
. A message confirming that the session has been set up successfully is displayed.You now have an administrative connection to the YubiHSM 2 and you can list the objects available by typing
list objects 0
and pressing Enter. Your results should be similar to the following:Found 3 object(s) id: 0x0002, type: wrap-key, sequence: 0 id: 0x0003, type: authentication-key, sequence: 0 id: 0x0004, type: authentication-key, sequence: 0
As you can see by looking at their IDs, these objects correspond to the wrap key, the application authentication key and the audit key that were just created.
To obtain more information about any of the objects and its capabilities — for example, the application authentication key (object ID 3) — run the
objectinfo
command with the appropriate ID format, for example:yubihsm> get objectinfo 0 3 authentication-key
The response you receive should look similar to the following:
id: 0x0003, type: authentication-key, algorithm: aes128-yubico-authentication, label: "Application auth key", length: 40, domains: 1, sequence: 0, origin: imported, capabilities: exportable-under-wrap:generate-asymmetric-key: sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa, delegated_capabilities:exportable-under-wrap: generate-asymmetric-key:sign-attestation-certificate:sign-pkcs: sign-pss:sign-ecdsa
Review the responses to confirm that YubiHSM 2 has now been configured to:
- Generate asymmetric objects
- Compute signatures using RSA-PKCS1v1.5
- Compute signatures using RSA-PSS
- Export other objects under wrap
- Import wrapped objects
- Mark an object as exportable under wrap
In addition, this object (the application authentication key, object ID 3) also has delegated capabilities that can be bestowed on other objects that it creates. For more information on delegated capabilities, see Capability.
To exit, type
quit
.