Batch commands
Batch commands provide command line access to the PKCS #11 tools.
The following batch commands are available in the PKCS #11 Key Management tool (p11km).
- Create and edit a batch file as described in Batch processing.
- Create new p11km_cmd sections that contain the attributes for the batch commands that you want to use.
- List available PKCS #11 tokens
- Generates a report and displays token and slot information for
the available PKCS #11 tokens.
- Required attributes
action_name = "LIST_TOKENS"
- Optional attributes
start_gui = "<boolean>"
Where <boolean> is either TRUE or FALSE.
- Example
[p11km_cmd_list_tokens]
action_name = "LIST_TOKENS"
- List available PKCS#11 mechanisms
- Generates a report and displays available PKCS #11 mechanisms
that are supported by a specific PKCS #11 token (matched by specifying
the driver and slot attribute values).
- Required attributes
action_name = "LIST_MECHANISMS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
Where <slot number> is a positive integer value, and <driver name> is one of the following values:
Value           Description
AIX             AIX® OS Cryptographic Framework
IBM_4758_4960   IBM® 4758/4960 Cryptographic Hardware Adapters
IBM_4764        IBM 4764 Cryptographic Hardware Adapter
Other           If you specify OTHER, you must also specify the p11_driver_path attribute.
- Optional attributes
start_gui = "<boolean>"
- Supplemental attributes
p11_driver_path = "<path to PKCS#11 driver>"
Where <path to PKCS#11 driver> is the full UNIX path and filename of the PKCS #11 library that is used for the command. This attribute can be specified only when the p11_driver attribute is set to OTHER.
- Example
[p11km_cmd_list_4764_slot_0_mechs]
action_name = "LIST_MECHANISMS"
p11_driver = "IBM_4764"
p11_slot = "0"
start_gui = "TRUE"
- List available PKCS #11 objects
- Generates a report and displays available PKCS #11 objects that
are supported by a PKCS #11 token (matched by specifying the driver
and slot attribute values).
- Required attributes
action_name = "LIST_OBJECTS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
p11_login = "<boolean>"
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
start_gui = "<boolean>"
Where <PKCS#11 Object Class> is one of the following values as defined in the PKCS #11 specification from RSA:
CKO_DATA
CKO_CERTIFICATE
CKO_PUBLIC_KEY
CKO_PRIVATE_KEY
CKO_SECRET_KEY
CKO_HW_FEATURE
CKO_DOMAIN_PARAMETERS
CKO_MECHANISM
CKO_VENDOR_DEFINED
- Example
[p11km_cmd_list_private_objs]
action_name = "LIST_OBJECTS"
p11_login = "TRUE"
p11_private = "TRUE"
p11_driver = "AIX"
p11_slot = "5"
- Change PKCS #11 token user's PIN
- Changes a PKCS #11 token user's PIN that is used when logging
into the token.
- Required attributes
action_name = "CHANGE_USER_PIN"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
start_gui = "<boolean>"
- Example
[p11km_cmd_change_my_pin]
action_name = "CHANGE_USER_PIN"
p11_slot = "1337"
p11_driver = "IBM_4764"
- Delete PKCS #11 Objects
- Deletes PKCS #11 objects. Objects are deleted based on the numbered list of the objects that result from running a LIST_OBJECTS command and using the same template with the following attributes:
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
p11_login = "<boolean>"
Attention: Because the token state and consistency are not maintained between batch processes, objects can be inadvertently deleted. The listed order of the objects changes if objects are added or deleted by other processes that are running against the same token between the time that an object is originally listed and the time that it is deleted.
- Required attributes
action_name = "DELETE_OBJECTS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_objects = "<CSV>"
Where <CSV> is either the word ALL (all of the token objects) or a comma-separated list of positive integer values that corresponds to the objects in numbered order of appearance by using the following optional attributes.
- Optional attributes
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
p11_login = "<boolean>"
start_gui = "<boolean>"
- Example
[p11km_cmd_delete_seven_objects]
action_name = "DELETE_OBJECTS"
p11_slot = "0"
p11_driver = "AIX"
p11_objects = "1,5,10,11,12,27,33"
p11_login = "TRUE"
- Move PKCS #11 objects
- Moves PKCS #11 objects. Objects are moved based on the numbered list of the objects that result from running a LIST_OBJECTS command and using the same template.
Attention: Because the token state and consistency are not maintained between batch processes, objects can be inadvertently moved. The listed order of the objects changes if objects are added or deleted by other processes that are running against the same token between the time that an object is originally listed and the time that it is moved.
- Required attributes
action_name = "MOVE_OBJECTS"
############################################
###### Source Token Identification: ######
p11_driver = "<driver name>"
p11_slot = "<slot number>"
############################################
###### Target Token Identification: ######
p11_driver_target = "<driver name>"
p11_slot_target = "<slot number>"
############################################
###### Objects being moved to target: ######
p11_objects = "<CSV>"
- Optional attributes
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
p11_login = "<boolean>"
start_gui = "<boolean>"
- Example
[p11km_cmd_move_three_objects]
action_name = "MOVE_OBJECTS"
p11_slot = "0"
p11_slot_target = "1"
p11_driver = "AIX"
p11_driver_target = "AIX"
p11_objects = "15,20,60"
p11_login = "FALSE"
- Copy PKCS #11 objects
- Copies PKCS #11 objects. Objects are copied based on the numbered list of the objects that result from running a LIST_OBJECTS command and using the same template.
Attention: Because the token state and consistency are not maintained between batch processes, objects can be inadvertently copied. The listed order of the objects changes if objects are added or deleted by other processes that are running against the same token between the time that an object is originally listed and the time that it is copied.
- Required attributes
action_name = "COPY_OBJECTS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_driver_target = "<driver name>"
p11_slot_target = "<slot number>"
p11_objects = "<CSV>"
- Optional attributes
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
p11_login = "<boolean>"
start_gui = "<boolean>"
- Example
[p11km_cmd_copy_one_private_object]
action_name = "COPY_OBJECTS"
p11_slot = "0"
p11_slot_target = "1"
p11_driver = "AIX"
p11_driver_target = "AIX"
p11_objects = "3"
p11_login = "TRUE" ## REQUIRED FOR PRIVATE OBJECT MGT.
- Export and backup PKCS #11 objects to a file
- Exports and backs up PKCS #11 objects. Objects are exported and backed up based on the numbered list of the objects that result from running a LIST_OBJECTS command and using the same template.
Attention: Because the token state and consistency are not maintained between batch processes, objects can be inadvertently exported. The listed order of the objects changes if objects are added or deleted by other processes that are running against the same token between the time that an object is originally listed and the time that it is exported.
- Required attributes
action_name = "EXPORT_OBJECTS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_object_file = "<file name>"
p11_objects = "<CSV>"
- Optional attributes
p11_label = "<string>"
p11_class = "<PKCS#11 Object Class>"
p11_private = "<boolean>"
p11_trusted = "<boolean>"
p11_sensitive = "<boolean>"
p11_login = "<boolean>"
start_gui = "<boolean>"
- Example
[p11km_cmd_backup_objects]
action_name = "EXPORT_OBJECTS"
p11_slot = "0"
p11_driver = "AIX"
p11_objects = "ALL"
p11_login = "TRUE"
p11_object_file = "/home/user1/p11km.backup"
- Import PKCS #11 objects from a file
- Imports the PKCS #11 objects that were created from a PKCS #11
export file.
- Required attributes
action_name = "IMPORT_OBJECTS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_object_file = "<file name>"
- Optional attributes
p11_login = "<boolean>" # REQUIRED TO IMPORT ANY PRIVATE OBJECTS
start_gui = "<boolean>"
- Example
[p11km_cmd_import_my_backed_up_objects]
action_name = "IMPORT_OBJECTS"
p11_slot = "0"
p11_driver = "AIX"
p11_login = "TRUE"
p11_object_file = "/home/user1/p11km.backup"
- Create a self-signed certificate
- Creates a self-signed X.509 certificate and the associated PKCS
#11 objects on a PKCS #11 token.
- Required attributes
action_name = "CREATE_SSC"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_login = "TRUE"
p11_ssc_label = "<string>"
p11_ssc_config = "<openssl configuration file>"
Where <openssl configuration file> is the full UNIX path and filename of an OpenSSL configuration file that is populated with values that are used in creating the self-signed certificate.
- Optional attributes
start_gui = "<boolean>"
- Example
[p11km_cmd_self_signed_certificate]
action_name = "CREATE_SSC"
p11_slot = "0"
p11_driver = "AIX"
p11_login = "TRUE"
p11_ssc_label = "Lab RADIUS Server"
p11_ssc_config = "/etc/radius/EAP-TLS/openssl.cnf"
- Create a PKCS #10 certificate signing request
- Creates a PKCS #10 certification request or certificate signing
request (CSR).
- Required attributes
action_name = "CREATE_CSR"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_login = "TRUE"
p11_csr_label = "<string>"
p11_csr_file = "<path to CSR output file>"
p11_csr_type = "<DER or Base64>"
p11_csr_config = "<openssl configuration file>"
Where <DER or Base64> either generates an ASN.1 (DER) encoded CSR output file or a Base64-encoded CSR output file and <path to CSR output file> refers to the full UNIX path and filename to the CSR output.
- Optional attributes
start_gui = "<boolean>"
- Example
[p11km_cmd_my_pkcs10_base64]
action_name = "CREATE_CSR"
p11_slot = "0"
p11_driver = "AIX"
p11_login = "TRUE"
p11_csr_label = "Lab RADIUS Server"
p11_csr_type = "Base64"
p11_csr_file = "/etc/radius/EAP-TLS/certreq.b64"
p11_csr_config = "/etc/radius/EAP-TLS/openssl.cnf"
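A pre-flight check for the index-selected p11km commands above (DELETE_OBJECTS, MOVE_OBJECTS, COPY_OBJECTS, EXPORT_OBJECTS), added here as an example and not part of the product documentation: it checks the required attributes listed on this page, validates p11_objects, and flags any section whose template has no matching LIST_OBJECTS section in the same file. The batch-file layout ([section] headers, key = "value" lines, # comments), the parse and lint function names, and the practice of keeping the review listing in the same file are assumptions.

```python
import re

# Template and required attributes, transcribed from the p11km list on this page.
TEMPLATE = ("p11_driver", "p11_slot", "p11_label", "p11_class",
            "p11_private", "p11_trusted", "p11_sensitive", "p11_login")
SRC, DST = {"p11_driver", "p11_slot", "p11_objects"}, {"p11_driver_target", "p11_slot_target"}
REQUIRED = {"DELETE_OBJECTS": SRC, "MOVE_OBJECTS": SRC | DST,
            "COPY_OBJECTS": SRC | DST, "EXPORT_OBJECTS": SRC | {"p11_object_file"}}

def parse(text):
    """Assumed layout: [section] headers, key = "value" lines, '#' comments."""
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            cur = sections.setdefault(m.group(1), {})
        elif cur is not None and (m := re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"\s*(#.*)?', line)):
            cur[m.group(1)] = m.group(2)
    return sections

def lint(text):
    # Returns (section, problem) pairs for the index-selected actions.
    sections = parse(text)
    template = lambda s: tuple(s.get(k) for k in TEMPLATE)
    listed = {template(s) for s in sections.values() if s.get("action_name") == "LIST_OBJECTS"}
    findings = []
    for name, s in sections.items():
        need = REQUIRED.get(s.get("action_name"))
        if need is None:
            continue
        findings += [(name, f"missing {k}") for k in sorted(need - set(s))]
        objs = s.get("p11_objects")
        if objs and objs != "ALL" and not re.fullmatch(r"[1-9]\d*(,[1-9]\d*)*", objs):
            findings.append((name, "p11_objects is not ALL or positive integers"))
        if template(s) not in listed:
            findings.append((name, "no LIST_OBJECTS section uses the same template"))
    return findings

# Constructed sample batch file (not from the product documentation).
SAMPLE = '''[list_keys]
action_name = "LIST_OBJECTS"
p11_driver = "AIX"
p11_slot = "0"
p11_class = "CKO_PRIVATE_KEY"
[delete_bad]
action_name = "DELETE_OBJECTS"
p11_slot = "0"
p11_objects = "0,x"'''

if __name__ == "__main__":
    print(lint(SAMPLE))
```

A clean result only confirms that the indexes were taken against the same template; the listed order can still change between the listing and the operation, as the Attention notes state.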
The following batch commands are available in the PKCS #11 Administration tool (p11admin).
- Create and edit a batch file as described in Batch processing.
- Create new p11km_cmd sections that contain the attributes for the batch commands that you want to use.
- List available PKCS #11 tokens
- Generates a report and displays the token and slot information
for the available PKCS #11 tokens.
- Required attributes
action_name = "ADM_LIST_TOKENS"
- Optional attributes
start_gui = "<boolean>"
Where <boolean> is either TRUE or FALSE.
- Example
[p11admin_cmd_list_tokens]
action_name = "ADM_LIST_TOKENS"
- List available PKCS #11 mechanisms
- Generates a report and displays the available PKCS #11 mechanisms
that are supported by a PKCS #11 token (matched by specifying the
driver and slot attribute values).
- Required attributes
action_name = "ADM_LIST_MECHANISMS"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
Where <slot number> is a positive integer value, and <driver name> is one of the following values:
Value           Description
AIX             AIX OS Cryptographic Framework
IBM_4758_4960   IBM 4758/4960 Cryptographic Hardware Adapters
IBM_4764        IBM 4764 Cryptographic Hardware Adapter
Other           If you specify OTHER, you must also specify the p11_driver_path attribute.
- Optional attributes
start_gui = "<boolean>"
- Supplemental attributes
p11_driver_path = "<path to PKCS#11 driver>"
Where <path to PKCS#11 driver> is the full UNIX path and filename of the PKCS #11 library that is used for the command. This attribute can be specified only when the p11_driver attribute is set to OTHER.
- Example
[p11admin_cmd_list_4764_slot_0_mechs]
action_name = "ADM_LIST_MECHANISMS"
p11_driver = "IBM_4764"
p11_slot = "0"
start_gui = "TRUE"
- Display information for a PKCS #11 token
- Displays the PKCS #11 token and slot information for a PKCS #11
token.
- Required attributes
action_name = "ADM_SHOW_TOKEN_INFO"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd]
action_name = "ADM_SHOW_TOKEN_INFO"
p11_slot = "411"
p11_driver = "IBM_4764"
- Initialize a PKCS #11 token
- Initializes a PKCS #11 token. Initialization resets the token, erases all of the stored PKCS #11 objects and data, and allows the token to be relabeled.
Attention: Because all of the PKCS #11 objects and data are erased during the initialization process, ensure that you do not need the objects and data before you initialize a PKCS #11 token.
- Required attributes
action_name = "ADM_INIT_TOKEN"
p11_driver = "<driver name>"
p11_slot = "<slot number>" ## SAME AS 'p11_init_slot'
p11_init_slot = "<slot number>" ## SAME AS 'p11_slot'
p11_init_label = "<string>" ## NEW TOKEN LABEL
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd]
action_name = "ADM_INIT_TOKEN"
p11_slot = "1"
p11_driver = "IBM_4764"
p11_init_slot = "1"
p11_init_label = "ABC Token"
- View the clock for a PKCS #11 token
- Displays the hardware clock for a PKCS #11 token if that token
has a clock.
- Required attributes
action_name = "ADM_CLOCK_VIEW"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd]
action_name = "ADM_CLOCK_VIEW"
p11_slot = "1"
p11_driver = "IBM_4764"
- Set the clock for a PKCS #11 token
- Sets the hardware clock for a PKCS #11 token if that token has
a clock.
- Required attributes
action_name = "ADM_CLOCK_SET"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
p11_clock_set = "<clock data>"
Where <clock data> is the current UTC date and time with the following format: HH:MM:SS mm-dd-YYYY.
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd]
action_name = "ADM_CLOCK_SET"
p11_slot = "1"
p11_driver = "IBM_4764"
p11_clock_set = "23:59:59 12-31-1999"
- Reset the PIN for a PKCS #11 token user
- Resets the PIN for a PKCS #11 token user.
- Required attributes
action_name = "ADM_RESET_USER_PIN"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd_change_so_pin]
action_name = "ADM_RESET_USER_PIN"
p11_driver = "AIX"
p11_slot = "0"
- Change the PIN for PKCS #11 token security officer
- Changes the PIN for a PKCS #11 token security officer. This PIN
is used when token administration is performed.
- Required attributes
action_name = "ADM_CHANGE_SO_PIN"
p11_driver = "<driver name>"
p11_slot = "<slot number>"
- Optional attributes
start_gui = "<boolean>"
- Example
[p11admin_cmd_change_so_pin]
action_name = "ADM_CHANGE_SO_PIN"
p11_slot = "888"
p11_driver = "IBM_4764"