Verifying the Default Configuration of the YubiHSM 2
Verify the results of the YubiHSM Setup program using the YubiHSM Shell program. Log in using the application authentication key.
The YubiHSM 2 device comes with a single factory-installed authentication key whose default password is
password. As part of the configuration in this guide, this default authentication key will be destroyed. If the YubiHSM 2 is reset to its default configuration, any non factory-installed objects stored on it are also destroyed. Reset instructions can be found in Resetting Device to Factory Settings.
We reiterate that you will need two YubiHSM 2 devices to complete all steps of this guide, because you will be deploying the first device and creating a backup of all key material on the second device.
These steps also verify that neither of the YubiHSM 2 devices have been tampered with.
To verify that YubiHSM 2 devices still have the default configuration by following the steps below:
Verify the YubiHSM 2 setup, in your Command Prompt, run the following command:
Do one of the following:
- If the application that calls the YubiHSM Connector is running on a local host, start the Connector with the command
yubihsm-connectorwithout additional parameters. In Windows Server 2012 SP2 or higher,
yubihsm-connector.exeis located in
C:\Program Files\YubiHSM Connector\.
- If the application is running on a VM or a different server, start the YubiHSM Connector on the host operating system in networking mode. For example, if the host machine’s IP address is
192.168.100.252, launch the Connector on the host OS with the command
yubihsm-connector -l 192.168.100.252:12345
For testing or debugging the YubiHSM Connector, the flag
-dcan be set.
To gain shell access to the YubiHSM 2, launch the YubiHSM Shell program:
For testing or debugging the YubiHSM Shell, the flag
To connect to the YubiHSM 2, at the
To open a session with the YubiHSM 2, type
Type in the default password:
You now have an administrative connection to the YubiHSM 2 and you can list the objects available by typing
Found 3 object(s) id: 0x0002, type: wrap-key, sequence: 0 id: 0x0003, type: authentication-key, sequence: 0 id: 0x0004, type: authentication-key, sequence: 0
As you can see by looking at their IDs, these objects correspond to the wrap key, the application authentication key and the audit key that were just created.
To obtain more information about any of the objects and its capabilities — for example, the application authentication key (object ID 3) — run the
yubihsm> get objectinfo 0 3 authentication-key
The response you receive should look similar to the following:
id: 0x0003, type: authentication-key, algorithm: aes128-yubico-authentication, label: "Application auth key", length: 40, domains: 1, sequence: 0, origin: imported, capabilities: exportable-under-wrap:generate-asymmetric-key: sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa, delegated_capabilities:exportable-under-wrap: generate-asymmetric-key:sign-attestation-certificate:sign-pkcs: sign-pss:sign-ecdsa
Review the responses to confirm that YubiHSM 2 has now been configured to:
In addition, this object (the application authentication key, object ID 3) also has delegated capabilities that can be bestowed on other objects that it creates. For more information on delegated capabilities, see Capability.
To exit, type