Debugs all the components of the EVA deployment.

evactl check all [-c <tls_ca_path>] [-i <cert_id>] [-l <level>] [-p <pin>] [-v <vendor>] [-t <token>]

For example:

$ sudo ./evactl check all
Starting PKCS #11 Manager... Done
===============================================
CHECKING HSM
===============================================
 
Slot Id -> 0
Label -> pking203
Serial Number -> 1433959427612
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
 
Slot Id -> 1
Label -> pking202
Serial Number -> 1433964084224
Model -> LunaSA 7.2.0
Firmware Version -> 7.0.3
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description -> Net Token Slot
FM HW Status -> FM Ready
 
 
Current Slot Id: 0
 
Passing HSM checks... Done
 
===============================================
CHECKING DB
===============================================
Starting Configurator... Done
Checking DB user privileges... Done
Checking DB tables... Done
 
===============================================
CHECKING CAGW
===============================================
 
CAID: intminions~subordinate
Checking CAGW is reachable... Done
Checking configured CA... Done
 
===============================================
 
Tests passed successfully

See below for a description of each parameter.

-c <tls_ca_path>

Validate the TLS server certificate of CA Gateway with <tls_ca_path>. Where <tls_ca_path> is the path of a CA file in PEM format.

Mandatory: No. When omitting this option, the command uses the CA configured in TLS CA certificate.

-i <cert_id>

Authenticate in CA Gateway with the <cert_id> certificate, where <cert_id> is a certificate identifier.

Run the evactl list-certs command to list the available certificate identifiers.

Mandatory: No. This optional parameter defaults to the latest client certificate imported as explained in Importing the CA Gateway client certificate

Run the evactl list-certs to command to check the latest imported certificate.

-l <level>

Debug the nShield HSM with the <level> level, where <level> is a CKNFAST_DEBUG variable level. When not using a nShield HSM, the command ignores this option.

See the nShield documentation for details on the CKNFAST_DEBUG configuration parameter.

Mandatory: No. This optional parameter defaults to 0.

-p <pin>

Authenticate in the HSM with the <pin> PIN.

Mandatory: No. When omitting this option, the command looks for the PIN in the application secrets. If not found, prompts the user for the PIN.

-v <vendor>

Use the <vendor> security module. See the following table for the supported values.

Vendor

Security module

​none

Built-in software PKCS #11 module.

nshield

nShield HSM. See HSM requirements for the supported models.

thales

Thales HSM. See HSM requirements for the supported models.

It is recommended to select a Hardware Security Module (HSM).

Mandatory: No. When omitting this option, the command assumes the value of the Vendor configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.

-t <token>

Select the HSM token with the <token> label.

Mandatory: No. When omitting this option, the command uses the value of the Token label configuration parameter.

The command will raise an error if you omit this option and the configuration is not loaded.