cns4 csfc - niap-ccevs

CNS4 CSfC

Common Airborne Recorder

CSfC Encrypted Data StorageUser Guide

Part Number: DDOC0108-000-A2

This Page Intentionally Left Blank

User Guide DDOC0108-000-A2

CNS4 CSfC i

Front Matter

Revisions

NOTEThe content revision level remains unchanged for chapters / appendices impacted only by nomen-clature change (implemented by revision A2).The Curtiss-Wright CNS4 CSfC DDOC0108-000-A2 User Guide is made up of the following individual chapters / appendices:

Changes to content are shown through the use of change bars placed in the left margin next to the changed material.

Document Number Media Revision Date Description PCN

DDOC0108-000 PDF A0 02/12/19 NIAP Review NA

DDOC0108-000 PDF A0.1 02/12/19 Incorporate Gossamer comments NA

DDOC0108-000 PDF A1 03/06/19 Initial Release 0319-0001

DDOC0108-000 PDF A2 03/20/19 Change nomenclature to CNS4 CSfC 0319-0002

Chapter / Appendix Topic Content Revision

1.0 Introduction 0.0

2.0 Overview 1.0

3.0 Controls and Indicators 0.0

4.0 Installation 1.0

5.0 Quick Start 1.0

6.0 Operation 1.0

7.0 System Configuration 0.0

8.0 Troubleshooting 0.0

9.0 Simple Network Management Protocol 0.0

10.0 Remove / Replace 2.0

11.0 Command Line Interface 0.0

A Specifications 0.0

B Cables / Connectors 0.0

C Ordering Information 1.0


CNS4 CSfC ii

Safety

WARNINGHAZARD. A potential hazard that could result in serious injury or death.Information contained in WARNINGS applies to dangers and hazards that may result in injury and / or death to personnel. The actual hazard is provided in CAPITALIZED letters and the information that mitigates the danger is provided in sentence case. This information typically precedes procedural steps. It also may be present in narrative text to warn operators or maintenance personnel of dangers present in the equipment.

CAUTIONHAZARD. A potential hazard that could result in equipment damage or improper operation.Information contained in CAUTIONS applies to dangers and hazards that may result in damage to equipment or improper operation. The actual hazard is provided in CAPITALIZED letters and the information that mitigates the danger is provided in sentence case. This information typically precedes procedural steps. It also may be present in narrative text to warn operators or maintenance personnel of dangers present in the equipment.

NOTEAmplifying information that helps in making a task of procedure more easily understood.NOTES are used to supply amplifying information that will result in ease of testing or be beneficial to personnel. This information typically precedes procedural steps. It also may be present in narrative text as well.

Style and Conventions

This user guide uses the following typographical conventions.

This style Refers to

Ready Text the software displays.

go Anything you type, exactly as it appears, whether referenced in text or at a prompt.

ENTER Special keys on the keyboard, such as enter, alt, and spacebar.

Save Software command buttons and sections of dialog boxes, such as group boxes, text boxes, and text fields.

File Open A menu and a specific menu command.

ALT+F1 Pressing more than one key at the same time.

ALT, TAB Pressing more than one key in sequence.

xx,yy Variable in error messages and text.

jobfile.dat File names.

Denotes the result of an action or procedure.

xyz Hyperlink.

STOP Controls on equipment.

CNS4 CSfC User GuideTable of Contents

DD0C0108-000-A2 iii

Table of Contents

Introduction1.1 Purpose ..................................................................................................................................................... 1-11.2 Scope ........................................................................................................................................................ 1-11.3 Quality Assurances.................................................................................................................................... 1-21.4 Related Information ................................................................................................................................... 1-21.5 Technical Support...................................................................................................................................... 1-21.6 Ordering Process....................................................................................................................................... 1-3

Overview2.1 Description................................................................................................................................................. 2-1

2.1.1 Chassis ........................................................................................................................................... 2-12.1.2 FSM-C Module ................................................................................................................................ 2-32.1.3 ILE Module ...................................................................................................................................... 2-4

2.2 CNS4 Features.......................................................................................................................................... 2-62.3 Protocols.................................................................................................................................................... 2-72.4 CSfC Encryption ........................................................................................................................................ 2-7

2.4.1 Hardware Layer Encryption ............................................................................................................. 2-72.4.1.1 Hardware Layer Account Creation ........................................................................................ 2-72.4.1.2 Hardware Layer Account Log In ............................................................................................ 2-8

2.4.2 Software Layer Encryption .............................................................................................................. 2-9Controls and Indicators

3.1 CNS4 Chassis Controls / Indicators .......................................................................................................... 3-13.1.1 Chassis LED Brightness ................................................................................................................. 3-1

3.2 ILE Module Controls / Indicators ............................................................................................................... 3-13.3 FSM-C Module Controls / Indicators ......................................................................................................... 3-2

Installation4.1 Package..................................................................................................................................................... 4-14.2 Inspection .................................................................................................................................................. 4-14.3 Mounting.................................................................................................................................................... 4-2

4.3.1 Mounting - User Defined ................................................................................................................. 4-24.3.2 Mounting - ARINC Tray ................................................................................................................... 4-2

4.4 CNS4 Install / Remove .............................................................................................................................. 4-24.4.1 Install (User Defined Mount) ........................................................................................................... 4-24.4.2 Install (ARINC Tray) ........................................................................................................................ 4-34.4.3 Remove (User Defined Mount) ....................................................................................................... 4-34.4.4 Remove (ARINC Tray) .................................................................................................................... 4-3

4.5 Cables ....................................................................................................................................................... 4-44.5.1 Power / RS-232 Cable .................................................................................................................... 4-54.5.2 Ethernet Cable ................................................................................................................................ 4-5

Quick Start5.1 Connections and Controls ......................................................................................................................... 5-15.2 Communications Setup ............................................................................................................................. 5-15.3 Login.......................................................................................................................................................... 5-1


DD0C0108-000-A2 iv

5.3.1 CNS4 ............................................................................................................................................... 5-15.4 Hardware Layer ......................................................................................................................................... 5-15.5 Software Layer .......................................................................................................................................... 5-15.6 Partition Disks............................................................................................................................................ 5-1

5.6.1 Erase All Partitions / All Slots .......................................................................................................... 5-15.6.2 Check Drive Status ......................................................................................................................... 5-15.6.3 Create Single Partition on FSM0 ..................................................................................................... 5-25.6.4 Create Single Partition on FSM1 ..................................................................................................... 5-25.6.5 Create Single Partition on FSM2 ..................................................................................................... 5-35.6.6 Create Single Partition on FSM3 ..................................................................................................... 5-45.6.7 Create NAS Partitions on FSM0 - 3 ................................................................................................ 5-4

5.7 Create Software Encryption Containers on FSM2 and FSM3 ................................................................... 5-55.8 Open Software Encryption Containers on FSM2 and FSM3 ..................................................................... 5-6

5.8.0.1 Method 1 ................................................................................................................................ 5-65.8.0.2 Method 2 ................................................................................................................................ 5-7

5.9 Format / Mount NAS Partitions.................................................................................................................. 5-85.10 Unformat NAS Partitions ......................................................................................................................... 5-95.11 Close Software Encryption Containers.................................................................................................... 5-95.12 Erase Software Encryption Containers.................................................................................................. 5-105.13 ILE Account Logout ............................................................................................................................... 5-115.14 Access from Windows as NAS Device .................................................................................................. 5-115.15 Access from Linux as NAS Device ........................................................................................................ 5-125.16 External Key Passing Example ............................................................................................................. 5-12

Operation6.1 Lab Setup / Connections ........................................................................................................................... 6-16.2 Basic Operation ......................................................................................................................................... 6-2

6.2.1 Initial Configuration ......................................................................................................................... 6-26.2.1.1 Time ....................................................................................................................................... 6-26.2.1.2 Passwords ............................................................................................................................. 6-2

6.2.2 Communications ............................................................................................................................. 6-26.2.2.1 Terminal Emulation ................................................................................................................ 6-36.2.2.2 Ethernet ................................................................................................................................. 6-4

6.2.3 Account Management ..................................................................................................................... 6-56.2.4 Storage Media ................................................................................................................................. 6-5

6.2.4.1 Preparation ............................................................................................................................ 6-56.2.4.2 Assigning Services to Partitions ............................................................................................ 6-56.2.4.3 Preparation ............................................................................................................................ 6-56.2.4.4 Creating a RAID .................................................................................................................... 6-66.2.4.5 Partitioning ............................................................................................................................. 6-66.2.4.6 Assign NAS Service .............................................................................................................. 6-66.2.4.7 Format Partitions ................................................................................................................... 6-76.2.4.8 Mounting NAS Partition ......................................................................................................... 6-76.2.4.9 Verification ............................................................................................................................. 6-7

6.2.5 Health .............................................................................................................................................. 6-76.2.6 Built-In Test ..................................................................................................................................... 6-8

6.2.6.1 CBIT (Continuous Built-In Test) ............................................................................................. 6-86.2.6.2 IBIT (Initiated Built-In Test) .................................................................................................... 6-86.2.6.3 PBIT (Power-On Built In Test ................................................................................................ 6-9


DD0C0108-000-A2 v

6.3 Update ....................................................................................................................................................... 6-96.3.1 CNS4 Operating System Update .................................................................................................... 6-96.3.2 ILE Module Firmware .................................................................................................................... 6-10

6.4 Encryption................................................................................................................................................ 6-116.4.1 Zeroize .......................................................................................................................................... 6-116.4.2 Hardware Encryption Layer ........................................................................................................... 6-12

6.4.2.1 LE Account - Internal / External Key Storage ...................................................................... 6-126.4.2.2 Internal Security Mode ......................................................................................................... 6-136.4.2.3 External Security Mode ....................................................................................................... 6-136.4.2.4 ILE Account Creation ........................................................................................................... 6-136.4.2.5 ILE Login ............................................................................................................................. 6-146.4.2.6 Key Transfer ........................................................................................................................ 6-14

6.4.3 Software Encryption ...................................................................................................................... 6-156.4.3.1 Software Encryption Container ............................................................................................ 6-15

System Configuration7.1 add............................................................................................................................................................. 7-27.2 all ............................................................................................................................................................... 7-27.3 file .............................................................................................................................................................. 7-37.4 format ........................................................................................................................................................ 7-37.5 free ............................................................................................................................................................ 7-47.6 fsck ............................................................................................................................................................ 7-47.7 fsep............................................................................................................................................................ 7-57.8 getDevName.............................................................................................................................................. 7-57.9 getFreeDisks ............................................................................................................................................. 7-57.10 getNfsOpt ................................................................................................................................................ 7-57.11 help.......................................................................................................................................................... 7-67.12 hide.......................................................................................................................................................... 7-67.13 iscsi0, 1, 2, 3............................................................................................................................................ 7-67.14 isMounted ................................................................................................................................................ 7-77.15 mount....................................................................................................................................................... 7-77.16 multi ......................................................................................................................................................... 7-87.17 nas........................................................................................................................................................... 7-87.18 numFreeDisks ......................................................................................................................................... 7-97.19 numFsmDisks.......................................................................................................................................... 7-97.20 numPartitions........................................................................................................................................... 7-97.21 part .......................................................................................................................................................... 7-97.22 raid......................................................................................................................................................... 7-107.23 raidStatus .............................................................................................................................................. 7-107.24 remove................................................................................................................................................... 7-117.25 rescan.................................................................................................................................................... 7-117.26 scan ....................................................................................................................................................... 7-117.27 setNfsOpt............................................................................................................................................... 7-127.28 status ..................................................................................................................................................... 7-127.29 sw .......................................................................................................................................................... 7-137.30 trim......................................................................................................................................................... 7-137.31 umount................................................................................................................................................... 7-147.32 verb........................................................................................................................................................ 7-147.33 version ................................................................................................................................................... 7-14


DD0C0108-000-A2 vi

7.34 wipe ....................................................................................................................................................... 7-147.35 wrap....................................................................................................................................................... 7-157.36 writecfg .................................................................................................................................................. 7-15

Troubleshooting8.1 LED Indicators ........................................................................................................................................... 8-18.2 Error Codes ............................................................................................................................................... 8-1

Simple Network Management Protocol9.1 SNMP MIB................................................................................................................................................. 9-3

Remove / Replace10.1 ILE Module - Install / Remove ............................................................................................................... 10-1

10.1.1 Remove ....................................................................................................................................... 10-110.1.2 Install ........................................................................................................................................... 10-1

10.2 FSM-C Module - Install / Remove ......................................................................................................... 10-210.2.1 Remove ....................................................................................................................................... 10-210.2.2 Install ........................................................................................................................................... 10-3

10.3 Chassis Battery Replacement ............................................................................................................... 10-310.3.1 Remove ....................................................................................................................................... 10-310.3.2 Install ........................................................................................................................................... 10-4

10.4 ILE Module Battery Replacement.......................................................................................................... 10-410.4.1 Remove ....................................................................................................................................... 10-410.4.2 Install ........................................................................................................................................... 10-4

Command Line Interface11.1 CLI Commands...................................................................................................................................... 11-1

11.1.1 CNS4 Commands ....................................................................................................................... 11-111.1.2 FSM-C Module Commands ......................................................................................................... 11-111.1.3 ILE Commands ........................................................................................................................... 11-1

11.2 Commands ............................................................................................................................................ 11-1Specifications

A.1 Envelope / Mounting Dimensions..............................................................................................................A-1A.2 Physical Dimensions / Weight...................................................................................................................A-3A.3 Power Dissipation .....................................................................................................................................A-3A.4 Electrical Requirements ............................................................................................................................A-3A.5 Mean Time Between Failure .....................................................................................................................A-3A.6 Environment ..............................................................................................................................................A-3

A.6.1 Temperature ...................................................................................................................................A-3A.6.2 Humidity ..........................................................................................................................................A-3A.6.3 Vibration, Operating ........................................................................................................................A-3

A.7 EMI............................................................................................................................................................A-3Cables / Connectors

B.1 Power / RS-232.........................................................................................................................................B-1B.2 Ethernet.....................................................................................................................................................B-2

Ordering Information

CNS4 CSfC User GuideList of Figures

DDOC0108-000-A2 vii

List of Figures

Figure 1.1 CNS4 CSfC CAR LRU..................................................................................................................... 1 - 1Figure 2.1 CNS4 Assembly............................................................................................................................... 2 - 2Figure 2.2 FSM-C Module Block Diagram ........................................................................................................ 2 - 3Figure 2.3 FSM-C Module................................................................................................................................. 2 - 4Figure 2.4 ILE Module Block Diagram .............................................................................................................. 2 - 5Figure 2.5 ILE Module....................................................................................................................................... 2 - 5Figure 2.6 Hardware Layer Account Creation................................................................................................... 2 - 8Figure 2.7 Hardware Layer Account Log In ...................................................................................................... 2 - 8Figure 3.1 CNS4 Chassis Indicators................................................................................................................. 3 - 1Figure 3.2 ILE Module Controls / Indicators...................................................................................................... 3 - 2Figure 3.3 FSM-C Module Controls / Indicators................................................................................................ 3 - 2Figure 4.1 Anti-Tamper Label Locations........................................................................................................... 4 - 1Figure 4.2 Required Door Clearance ................................................................................................................ 4 - 2Figure 4.3 CNS4 Mounting - ARINC Tray......................................................................................................... 4 - 3Figure 4.4 CNS4 Installed on ARINC Tray ....................................................................................................... 4 - 4Figure 4.5 CNS4 Connectors............................................................................................................................ 4 - 4Figure 4.6 Power / RS-232 Lab Cable .............................................................................................................. 4 - 5Figure 4.7 Ethernet Lab Cable.......................................................................................................................... 4 - 5Figure 6.1 CNS4 Test Setup............................................................................................................................. 6 - 1Figure 6.2 PuTTY Terminal Emulator ............................................................................................................... 6 - 3Figure 6.3 PuTTY Terminal Emulator (SSH) .................................................................................................... 6 - 4Figure 6.4 CNS Update Utility......................................................................................................................... 6 - 10Figure 6.5 ILE Firmware Update..................................................................................................................... 6 - 11Figure 9.1 OID Tree .......................................................................................................................................... 9 - 1Figure 10.1 ILE Module Replacement .............................................................................................................. 10 - 1Figure 10.2 FSM-C Module Replacement ........................................................................................................ 10 - 2Figure 10.3 Chassis Battery Replacement ....................................................................................................... 10 - 3Figure 10.4 ILE Module Battery Replacement .................................................................................................. 10 - 5Figure A.1 CNS4 Envelope/ Mounting Dimensions........................................................................................... A - 1Figure B.1 Power / RS-232 Lab Cable .............................................................................................................. B - 1Figure B.2 CNS4 Bulkhead Power Connector .................................................................................................. B - 1Figure B.3 Ethernet Lab Cable.......................................................................................................................... B - 2Figure B.4 CNS4 Bulkhead Ethernet Connectors ............................................................................................. B - 2

CNS4 CSfC User GuideList of Tables

DDOC0108-000-A2 viii

List of Tables

Table 6.1 Ethernet Interfaces ................................................................................................................................ 6-3Table 6.2 Security Modes.................................................................................................................................... 6-12Table 7.1 Sysconfig Flags and Options................................................................................................................. 7-1Table 8.1 LED Indicators ....................................................................................................................................... 8-1Table 8.2 Error Code List ...................................................................................................................................... 8-1Table B.1 Power / RS-232 Lab Cable Pinout ........................................................................................................ B-1Table B.2 Ethernet Lab Cable Pinout .................................................................................................................... B-2Table C.1 Ordering Information ............................................................................................................................. C-1


CNS4 CSfC 1 - 1 IntroductionRevision 0.0

Introduction1.1 Purpose

The purpose of this manual is to describe the Curtiss-Wright CNS4 CSfC Common Airborne Recorder (CAR) Line Replaceable Unit (LRU) and to guide users through the process of unpacking, installing, configuring, and using the unit. The CNS4 CSfC (Figure 1.1) requires the use of multiple Flash Storage Modules-Carriers (FSM-C) and an In-Line Encryptor (ILE) to operate. From this point forward, the product will be referred to as the CNS4; the associated storage modules as FSM-C modules; and the associated encryptor module as the ILE module.

Figure 1.1 CNS4 CSfC CAR LRU

1.2 ScopeThe information in this user guide is intended for information systems personnel, systems coordinators, or highly skilled network users. This manual contains the following information:• An overview of the CNS4.• Unpacking, installation, and setup information.• User interface connections.• User input.• Configuration options.• Product specifications.• Operation requirements.• Environmental restrictions.• Connector pinout and specifications.• Ordering information for related products and parts

DDOC0108-0001

FSM-C Modules

ILE Module

CNS4 Chassis



1.3 Quality AssurancesCurtiss-Wright Controls, Inc., Electronic Systems is committed to leveraging our technology leadership to deliver products and services that meet or exceed customer requirements. In addition to the physical product, the company provides documentation, sales and marketing support, hardware and software technical support, and timely product delivery. Our quality commitment begins with product concept and continues after receipt of the purchased product.Curtiss-Wright Controls, Inc., Electronic Systems' Quality Management System is accredited to the latest revision of the aerospace standard, AS9100 Quality Management Systems - Requirements for Aviation, Space, and Defense Organizations.Our Quality System addresses the following basic objectives:• Achieve, maintain, and continually improve the quality of our products and service through

established design, test, production and service procedures.• Improve the quality of our operations to meet the needs of our customers, suppliers, and other

stakeholders.• Provide our employees with the tools and overall work environment to fulfill, maintain, and

improve product and service quality.• Ensure our customer and other stakeholders that only the highest quality product or service

will be delivered.Eagle Registrations Inc. assessed Curtiss-Wright's Quality Management System and confirmed conformance to AS9100D including ISO 9001:2015 with Certificate No. 5819. The scope of the registration is as follows: "Design, manufacture, test and repair of board level products, electronic sub-systems, related software and services for commercial, aerospace and military applications.”Customer feedback is integral to our quality and reliability program. We encourage customers to contact us with questions, suggestions, or comments regarding any of our products or services. We guarantee professional and quick responses to your questions, comments, or problems.

1.4 Related Information• AES (Advanced Encryption Standard). https://csrc.nist.gov/publications/fips/fips197/ fips-

197.pdf• EIA-232 RS-232 electrical characteristics single-ended voltage digital interface circuit.

http://www.eia.org/• VITA 46, 47, 48, and 58. http://www.vita.com/vso-stds.html• FIPS 140-2. https://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf• EMI Mil-Std-461• NAS, http://www.pdl.cmu.edu/PDL-FTP/NASD/hotnet99.pdf• Ruggedization, Curtiss-Wright, http://www.cwcelectronicsystems.com• Curtiss-Wright Defense Solutions http://www.cwcdefense.com• PuTTy User Manual (client program for SSH, Telnet, and Rolgin network protocols)• Technical Note 8004 CNS4 CSfC Software and Firmware History• NSA CSfC Program https://www.iad.gov/iad/programs/iad-initiatives/commercialsolutionsfor-

classified.cfm

1.5 Technical SupportTechnical documentation is provided with all of our products. This documentation describes the technology, its performance characteristics, and includes some typical applications. It also includes comprehensive support information, designed to answer any technical questions that might arise concerning the use of this product. We also publish and distribute technical briefs and application notes that cover a wide assortment of topics. Although we try to tailor the applications to real scenarios, not all possible circumstances are covered.



While we have attempted to make this document comprehensive, you may have specific problems or issues this document does not satisfactorily cover. Our goal is to offer a combination of products and services that provide complete, easy-to-use solutions for your application.If you have any technical or non-technical questions or comments, contact us. Hours of operation are from 8:00 a.m. to 5:00 p.m. Eastern Standard/Daylight Time.• Phone: (937) 252-5601 or (800) 252-5601• E-mail: [email protected]• Fax: (937) 252-1465• World Wide Web address: www.cwcdefense.com

1.6 Ordering ProcessTo learn more about Curtiss-Wright Defense Solutions' products or to place an order, please use the following contact information.• E-mail: [email protected]• World Wide Web address: http://www.cwcdefense.com/To contact a local Curtiss-Wright sales representative go to: http://www.cwcdefense.com/sales.html, point to your location on the map presented, then click on the pop-up with the sales representative's name.


CNS4 CSfC 2 - 1 OverviewRevision 1.0

Overview2.1 Description

The CNS4 is a high-performance multimedia data acquisition and encrypting network file storage device. The CNS4 is protocol flexible, providing CIFS, NFS, FTP, HTTP, DHCP, SNMP, and iSCSI file access protocols, making it ideal for sharing critical data in a harsh environment. The CNS4 is a modular design, consisting of• CNS4 chassis• ILE module• One to four FSM-C module(s)The ILE module and FSM-C module(s) plug into a high-insertion rate backplane in the CNS4 chassis. The unit has four 1-Gbps Ethernet ports accessed via front panel connectors.

2.1.1 ChassisThe CNS4 chassis (Figure 2.1) is made up of the following major subassemblies:• Backplane Subassembly

• Storage Backplane• ILE Backplane

• Holdup Subassembly• Power Supply Subassembly• USB Flash Module• COM Express PCB / Memory Module• Main Carrier SubassemblyIt also contains one AA battery to supply power to the Real Time Clock (RTC) and two external trigger monitoring circuits.The backplane is used to provide a means of interconnecting the FSM-C modules and the ILE module to the main carrier subassembly. The backplane is made of two joined components that have multiple low-force insertion sockets. Both backplane components plug into the main carrier.The main carrier subassembly provides overall system interconnection. As a result, the power supply and hold up sub-assemblies are connected to it as well. In addition, it supports external communications through the four Ethernet connectors and power / RS-232 connector that are installed on it. The Ethernet connectors (GBE0 through GBE3 support 0, 100, and 1000 Base-T Ethernet. They support Ethernet IEEE 802.3ab standard over copper in full duplex.Refer to Cables / Connectors section for additional information regarding the interface connectors and associated cables. The subassembly also has a set of utility connectors used for manufacturing and service activities. Contact Curtiss-Wright for more information about end-user utilization of these connectors.The COM Express PCB contains the main CPU and RAM memory for the unit. The USB flash module contains the BIOS and operating system. The power supply assembly takes the 28 VDC input power, cleans and conditions it, and then distribute it to the entire system. The holdup subassembly consists of a series of capacitors and a power monitoring circuit. It ensures the unit can power down in an orderly fashion if the 28 VDC input power is suddenly removed.The chassis has four status LEDs. Refer to paragraph 3.1 CNS4 Chassis Controls / Indicators for information regarding the LEDs.Control of CNS4 chassis functions is established through the Command Line Interface (CLI). Refer to Command Line Interface section for additional information regarding applicable CLI commands. Multiple CNS4 chassis functions are monitored to ensure proper operation. Refer to paragraph 6.2.5 Health for additional information.



Figure 2.1 CNS4 Assembly

DDOC0108-0002

Power Supply Subassembly

Main Carrier Subassembly

Holdup Subassembly

Storage Backplane

ILE Backplane

ILE Module

Ethernet Connectors

Power/ RS-232 Connector

Power Supply Subassembly

Main Carrier SubassemblyBattery

COM Express Module

Memory ModuleUtility Connectors

eUSB Flash Module



2.1.2 FSM-C Module

CAUTIONEQUIPMENT DAMAGE. Do not remove / install a FSM-C module with power applied or damage to the FSM-C module and / or CNS4 will occur.

CAUTIONEQUIPMENT DAMAGE. Use ESD precautions when handling a FSM-C module. Failure to properly handle FSM-C modules can result in damage.

CAUTIONEQUIPMENT DAMAGE. Ensure wedge-lock levers are in closed position when FSM-C module is installed in CNS4 chassis. The levers are thermally conductive and must be closed to provide proper heat dissipation for the FSM-C module. Failure to close levers will result in improper operation / failure of the FSM-C module.Up to four FSM-C modules can be installed in the CNS4 chassis. Each FSM-C module is a 2.0 TB storage module that uses EMLC type memory. The FSM-C modules are installed behind an access door located on the front of the CNS4 chassis. Each FSM-C module has three status LEDs and a removal request button. Refer to paragraph 3.3 FSM-C Module Controls / Indicators for information regarding the LEDs and button. Refer to Figure 2.2 for a block diagram of the FSM-C module.Figure 2.2 FSM-C Module Block Diagram

The FSM-C module design supports dynamic and static data wear-leveling enforcing an even distribution of erase/write cycles. This prevents excessive writes to the same flash locations extending the life cycle of the memory. An ECC engine is present to provide bit error detection and correction in the physical NAND memory. In addition, a Bad Block Management (BBM) algorithm is included to replace bad-blocks. Wear-leveling, ECC, and BBM techniques provide an extended endurance rating for the FSM-C module storage. The FSM-C supports Serial Advanced Technology Attachment (SATA I/II) interface bus. It is capable of data transfer rates of 1.5 Gbps and 3.0 Gbps (SATA I and SATA II respectively).The FSM-C model (Figure 2.3) enclosure is constructed of two custom-machined anodized aluminum covers fastened together with screws. The internal structure is designed to dissipate component heat and provide rigidity. This closed structure makes the FSM-C module less susceptible to problems due to adverse environments and provides silent vibration-free operation.The FSM-C module uses conduction cooling. Its internal structure transfers heat to a physically connected aluminum enclosure, which in turn conducts the heat through the wedgelock guide rails to the CNS4 chassis. The interconnect plug is keyed to ensure the FSM-C module is inserted correctly into the CNS4 chassis.The FSM-C module is NOT hot-swappable, the CNS4 MUST be powered down prior to removal or installation of any modules. The module is removed by grasping a pair of wedgelock levers and pulling them away from the module's body. An additional eject lever is provided to assist with removing the module. After removal, the FSM-C module can be transported in an ESD-safe carrying case.

RemovalRequestButton

Status LED

Fault LED

Power LED

SATA PORT

POWER

DDOC0108-0010

I2C Register EPROMTemperature Sensor

Voltage SensorSYSTEM

MANAGEMENT

2.5 SATASolid State Drive



Figure 2.3 FSM-C Module

Control of FSM-C module functions is established through the Command Line Interface (CLI). Refer to Command Line Interface section for additional information regarding applicable CLI commands. Several FSM-C functions are monitored to ensure proper operation. Refer to paragraph 6.2.5 Health for additional information. Refer to Ordering Information section for the FSM-C module part number. Refer to paragraph 10.2 FSM-C Module - Install / Remove for instruction on installing or removing the FSM-C module.

2.1.3 ILE Module

CAUTIONEQUIPMENT DAMAGE. Do not remove / install a ILE module with power applied or damage to the ILE module and / or CNS4 will occur.

CAUTIONEQUIPMENT DAMAGE. Use ESD precautions when handling a ILE module. Failure to properly handle ILE modules can result in damage.The CNS4 uses the Curtiss-Wright FIPS 140-2 certifiable ILE module for hardware encryption. For CSfC, the ILE module works in conjunction with software encryption present on each FSM-C module. The FSM-C module(s) accepts the cipher text written from the ILE module and retains it until read and decoded by the ILE module. The ILE module has two encryption modes:• Internally generated Date Encryption Key (DEK).• Externally provided DEK.The ILE module uses the Advanced Encryption Standard (AES) and a 256-bit encryption key. As a result, sensitive data can be protected when processed through the ILE module. Refer to Figure 2.4 for a block diagram of the ILE module.

WedgelockLever

WedgelockLever

Eject Lever

Power LED Status LEDFault LED

DDOC0108-0009

Removal RequestButton

DETAIL AStandard Keying

See DETAIL A



Figure 2.4 ILE Module Block Diagram

The ILE module (Figure 2.5) is NOT hot-swappable, the CNS4 MUST be powered down prior to removal or installation of the module. The module is removed by rotating a pair of Allen screws to lower the wedge locks. The unit is removed by grasping the eject lever and pulling the module from the chassis. After removal, the ILE module can be transported in an ESD-safe carrying case.Figure 2.5 ILE Module

A single ILE module contains four encryptors which performs the data encryption for all installed FSM-C modules. The four encryptors are labeled A through D, with encryptor A assigned to FSM-C module 0, B to 1, C to 2, and D to 3. As a result a single DEK can be assigned to all installed FSM-C modules or a separate DEK can be assigned to each FSM-C module.

RS-232 (Optional)

I2C

StatusKey Purge

RS-232 (Reserve Keep Alive)

ZeroizeButton

Power LED

Key LED

Fault LED

5V

AES256-bitEncryption




SRAMBattery Backup

AES KEYStorage

Admin / Use LoginDefault Settings

DC-DCPower

µController

SATA PortsTo FSM-CModules

DDOC0108-0014

ZEROIZE

ILE P F S DDOC0108-0015


Eject Lever

Wedge Locks

Allen Screw

Zeroize Button



The ILE module is located behind a front panel access cover labeled FIPS CRYPTO. The ILE module has three status LEDs and a zeroize button. Refer to paragraph 3.2 ILE Module Controls / Indicators for information regarding the LEDs and button.The ILE module encryption key(s) can be zeroized (removed) by one of the three methods:• Pressing the zeroize button on the ILE.• Applying an external trigger via a signal applied through the Power / RS-232 connector / cable.• Sending a software command via the Command Line Interface (CLI).Refer to paragraph 6.4.1 Zeroize for more information regarding removing the encryption key from the CNS4 / ILE module.

NOTEThe 1st account created on the ILE is always the crypto officer account (had admin privileges). Four additional user accounts can be created as well.Control of ILE module functions is established through the CLI. Refer to Command Line Interface section for additional information regarding applicable CLI commands.Several ILE functions are monitored to ensure proper operation. Refer to paragraph 6.2.5 Healthfor additional information. Refer to paragraph Figure 10.1 ILE Module Replacement for instruction on installing or removing the ILE module. The ILE requires use of an account to access data. Refer to paragraph 6.4.1 Zeroizet for additional information.

2.2 CNS4 Features• Built-In-Test

• Power-On (PBIT)• Initiated (IBIT)• Continuous (CBIT)

• Command Line Interface• Encryptor Features

• CSfC Associated Encryption• Hardware Encryption Layer• Software Encryption Layer

• Local Zeroization• Remote Zeroization

• Five-second Power Hold Up• Four 1 Gigabit Ethernet Ports• Health Monitor (with Front Panel Indicator)• Indicator Brightness Control• Multiple Protocols

• Common Internet File System (CIFS)• Dynamic Host Configuration Protocol (DHCP)• File Transfer Protocol (FTP)• HyperText Transfer Protocol (HTTP)• Internet Small Computer System Interface, (iSCSI)• Network File System (NFS)• Secure Shell Protocol (SSH)• Simple Network Management Protocol (SNMP)

• Power / RS-232 Port• Solid-state Storage• Thermal Overtemp Sensors



2.3 ProtocolsThe CNS4 supported protocols include CIFS, NFS, FTP, HTTP, DHCP, SNMP, and iSCSI in addition to its RS-232 console port. These protocols are disabled by default. The unit also supports SSH, which is always enabled. The user can enable the desired protocols to support their application. Refer to paragraph 11.2.23 serv for additional information.The FDEEEcPP20 and FDEAAcPP20 Protection Profiles did not consider, nor did they include networking protocols as part of the security functional requirements, and as a result, did not include any requirements for addressing those protocols. Therefore, as per the FDEEEcPP20 and FDEAAcPP20, the protocols have not been examined as part of the required assurance activities and consequently the evaluation can make no claims about the CNS4’s networking protocols. It is suggested that a customer using the product consider the impact of utilizing remote administration via SSH across the network (rather than through the console) based upon their specific use case. The customer should factor into their risk management decision the environment in which the CNS4 operates (dedicated, segregated, private network versus residing in a Demilitarized Zone [DMZ] accessible to the Internet), and the value of data to be protected.

2.4 CSfC EncryptionCommercial Solutions for Classified (CSfC) encryption is based on a National Security Agency (NSA) specification. The CSfC program requires multi-layered security. Hardware data encryption is used for the first security layer. The second security layer is software data encryption. The hardware encryption is performed in the ILE module, the software encryption is performed on the FSM-C module(s) loaded in the CNS4 chassis.Proper encryption / decryption is dependent on the use of keys and passphrases. The key resides in hardware layer on the ILE module. As a result, if an ILE module is changed, unless the exact same key is loaded on the second module, the FSM-C modules will not be accessible. The passphrase resides in the software layer on the FSM-C module. So if a FSM-C module is swapped, unless the second FSM-C has been encrypted with the same passphrase, its stored data will not be accessible.

2.4.1 Hardware Layer Encryption

CAUTIONIMPROPER OPERATION / LOST DATA. If the specific user token key is lost, the user account will be rendered unusable.

NOTERefer to paragraph 6.4.2 Hardware Encryption Layer for information regarding the actual commands and procedures used to create and log into the hardware layer.

2.4.1.1 Hardware Layer Account Creation

Before use, an account must be created () on the hardware layer. To start the account creation, the user logs into the CNS4 / ILE module via the Command Line Interface (CLI). Once logged in, additional commands are entered to create an account on the ILE hardware layer. The hardware layer contains a Pre-Shared Key (PSK) which is generated at initial equipment power-on at the manufacturer and provided separately by Curtiss-Wright. The PSK cannot be read out of the ILE module. When the account is created, a user token key is internally generated by the hardware layer. The layer then keywraps the user token key using the PSK and supplies it to the end user through the CLI. The keywrapped user token key is validated on a third-party system by comparing the ILE-generated HMAC and the third party-generated HMAC. If both match, the user token is unwrapped using the PSK. The unwrapped user token key is then used in subsequent log ins as the specific-user token.



Figure 2.6 Hardware Layer Account Creation

2.4.1.2 Hardware Layer Account Log In

Any subsequent use of the equipment requires logging in (Figure 2.7) to the hardware layer before data storage and/or transfer can begin. The user enters their user name and password into the ILE module. The hardware layer checks the information against its accounts. If the user name and password are recognized, a random one-time 64-byte key (also referred to as a nonce) is generated. The nonce is sent to the end-user via the CLI. The user then enters the nonce and their specific-user token key (generated when the account was created) into a third-party HMAC-SHA256 generator using the user token as the key. The CLI then sends this data as a user-generated HMAC to the hardware layer. The layer compares the user HMAC and the hardware layer HMAC. If they are the same, the user is logged in. If they do not compare, the user is denied access.Figure 2.7 Hardware Layer Account Log In

TERMINAL / PC

CNS4CLI HARDWARE LAYER(ILE MODULE)

Internally Generate32-byte User Token Key

PSK Keywraps User TokenKey (AES256 Keywrap)

PSK

Generate HMAC (User Token Key and PSK)

Send Encrypted User Token Key and HMAC

Login / CreateAccount onHardware

Crypto Layer

Validate HMAC (Use PSK and Encrypted

User Token Key)

User Token Key is Now a Specific-UserToken Key Tied to

Account

Decrypt User TokenKey (Use PSK )

DDOC0108-0011

TERMINAL / PC

CNS4CLI HARDWARE LAYER (ILE MODULE)

Check / Verify End-UserName / Password

Against Account Information

Generate Random One-Time Use 64-byte Key (Nonce)

Send Nonce

Generate HMAC (Nonce and Specific-User

Token Key)

Compare User HMACand Hardware Crypto

Layer HMAC

Log IntoPreviously

CreatedAccount

Send User-Generated

HMAC

User GeneratesHMAC via 3rd-Party

Software (Use SpecificUser Token Key

and Nonce)

If Comparison Passes,User is Logged InIf Comparison Fails,User is Denied AccessDDOC0108-0012



2.4.2 Software Layer Encryption

CAUTIONIMPROPER OPERATION / LOST DATA. If the software encryption key / passphrase is lost, the associated FSM-C module(s) will be rendered unusable.

NOTERefer to paragraph 6.4.3 Software Encryption for information regarding the actual commands and procedures used to create and log into the hardware layer.To create the software layer encryption, the user must first log into the hardware layer. If the CNS4 / ILE module is connected to the same terminal or PC that was used to create the hardware layer account, the ILE module will automatically validate the account and allow access to the FSM-C (if installed). If the CNS4 / ILE module is connected to a different terminal or PC, the user will be required to enter the specific user token key via the CLI. After that procedure has been accomplished, creation of the software layer encryption can begin.Software encryption is performed after the FSM-C module is formatted and mounted. Multiple modules can be encrypted using the same or different encryption key / passphrase. In addition, FSM-C can be partitioned and have each partition use the same or different encryption key / passphrase. Before attempting to encrypt the FSM-C module, its status should be checked. If the status is not correct, creation of the software encryption layer will fail.Subsequent use of the FSM-C module is dependent upon the proper encryption key / passphrase being entered using the Command Line Interface (CLI). Failure to enter the proper information will result in the FSM-C module being inaccessible for data storage or use.


CNS4 CSfC 3 - 1 Controls and IndicatorsRevision 0.0

Controls and Indicators3.1 CNS4 Chassis Controls / Indicators

NOTERefer to paragraph 3.1.1 Chassis LED Brightness for information regarding how to set chassis LED illumination levels.The CNS4 chassis (Figure 3.1) has four LED status indicators on the bottom of the front panel: S0, S1, S2, and S3. During normal operation, S1, S2, and S3 will be ON; S0 will be off. The illumination level of the LEDs is user programmable from 0 (off) to 100%. The function of these indicators is as follows.• S0 (RED). This LED is the health alert indicator. It turns ON when any monitored parameter is

outside of specified tolerance. It turns OFF when the parameter returns to normal. It also turns on when: • Internal communications cease for a period of 40 seconds.• Shutdown command is issued.

• S1 (YELLOW). This LED turns ON whenever 28VDC is applied to the CNS4 power supply.• S2 (GREEN). This LED turns ON after the CNS4 has booted up and is ready for operation.• S3 (GREEN). This LED turns ON when the storage function (via the FSM-C modules) is ready

for read/writer operations.There are no controls associated with CNS4 chassis.Figure 3.1 CNS4 Chassis Indicators

3.1.1 Chassis LED BrightnessThe brightness of the chassis LEDs can be independently set from 0 to 100% brightness. This accomplished by changing the duty cycle of the power applied to the individual LEDs. The command line interface (CLI) ledcntrl command is used in association with -s option to select the individual LED and -d option to select its duty cycle. See paragraph 11.2.18 ledctrl for detailed information.

3.2 ILE Module Controls / IndicatorsThe ILE module (Figure 3.2) has three LED status indicators: P, F, and S. During normal operation, P and S will be ON; F will be off. The illumination level of the LEDs is preset and non-adjustable.

S0 S1 S2 S3

POWER GBE2GBE0 GBE1 GBE3

DDOC0108-0026


CNS4 CSfC 3 - 2 Controls and IndicatorsRevision 0.0

The function of the ILE module indicators is as follows.• P (GREEN). This LED turns ON whenever 28VDC is applied to the ILE module.• F (RED). This LED turns ON whenever the ILE module has a fault condition.• S (YELLOW). This LED turns ON whenever the encryption key(s) are loaded into the ILE

module.The ZEROIZE button is used to zeroize (delete) the encryption keys loaded in the ILE module.Figure 3.2 ILE Module Controls / Indicators

3.3 FSM-C Module Controls / Indicators

NOTEThe F (RED) LED turns on until after the CNS4 has booted up, started communicating, and loaded encryption keys into the FSM-C module.The FSM-C module (Figure 3.3) has three LED status indicators: P, F, and S. During normal operation, P and S will be ON; F will be off. The illumination level of the LEDs is preset and non-adjustable. The function of these indicators is as follows.• P (GREEN). This LED turns ON when 28VDC is applied and FSM-C module initialization has

occurred.• F (RED). This LED turns ON whenever there is a Built-In Test (BIT) failure or operational

problem related to the FSM-C module. If the problem is also related to the CNS4, the S0 will turn ON.

• S (GREEN). This LED turns ON whenever the FSM-C module is active (reading / writing data).The REMOVAL REQUEST button is disabled in this configuration.Figure 3.3 FSM-C Module Controls / Indicators

ZEROIZE

ILE P F SDDOC0108-0028


Zeroize Button


DDOC0108-0027

Removal RequestButton


CNS4 CSfC 4 - 1 InstallationRevision 1.0

Installation4.1 Package

The CNS4 package contents are listed below:• CNS4 Chassis• ILE Module• Product Documentation CDOptional Items. Refer to Ordering Information section for PN information. Refer to paragraph 1.6 Ordering Process for information on how to order the item(s).• FSM-C Modules• Power / RS-232 Lab Cable• Ethernet Lab Cables• ATR Tray / Shock Mounts

4.2 InspectionThe CNS4 is a multi-part data storage system that consists of a CNS4 chassis, up to four FSM-C modules and an ILE module. Additional accessories may be included (if ordered). All received items should be inspected for damage. Inspect all units as follows:• All screws should be tight.• All anti-tamper labels (Figure 4.1) should be unbroken.• All components should be free from any dents, cracks, or damage.• All connectors pins should be present, straight, and undamaged.Figure 4.1 Anti-Tamper Label Locations

DDOC0108-0017

FP

S

FSM-C Module ILE Module

Tamper-ProofSeal Locations



If either the CNS4 chassis or associated modules were damaged in shipping or the enclosure was breached, immediately notify Curtiss-Wright Defense Solutions or your supplier.

4.3 MountingMounting environment considerations should include operating temperature limits, humidity, and vibration limits. Other considerations should include clearance for mounting hardware, cables, and safe installation or removal of the CNS4 from its mounting structure. Precautions should be taken when cables are routed around structures that could cause excessive abrasion, such as around the corner of vibrating equipment.Installation of the CNS4 can put an increased demand on cooling systems by raising ambient air temperatures. Evaluate changes in airflow obstructions and temperatures around equipment and possible detrimental surface temperatures due to conducted heat. See Appendix A for thermal limit specifications.If installation and / or removal of FSM-C modules is desired while the CNS4 remains mounted, be sure to allow clearance (4.4) for the door to open and the FSM-C module(s) to be positioned in front of the CNS4.Figure 4.2 Required Door Clearance

4.3.1 Mounting - User DefinedThe CNS4 can be mounted directly to a mounting surface. The unit provides holes in the rear for interfacing with mounting pins. The front provides J-hooks to secure the unit in place. Refer to Specifications section, Figure A.1 for dimensional information.

4.3.2 Mounting - ARINC TrayMechanical mounting of the CNS4 can be accomplished using a ARINC 404 1 ATR short tray. The tray has the mounting components in place and offers options for use of shock isolators. Contact Curtiss-Wright Defense Solutions for information on the ARINC tray.

4.4 CNS4 Install / Remove4.4.1 Install (User Defined Mount)

1. Slide CNS4 back so mounting pins engage chassis holes.2. Pivot mounting knobs up so they capture J-hooks.3. Rotate mounting knobs to secure CNS4 to mounting surface.4. Connect Ethernet cables to front panel connectors GBE0 through GBE3.5. Connect power / RS-232 cable to front panel power connector.

DDOC0108-0018

150°6.75 In.(171.4 mm)



4.4.2 Install (ARINC Tray)1. Place CNS4 (Figure 4.3) on ARINC tray.Figure 4.3 CNS4 Mounting - ARINC Tray

2. Slide CNS4 back so mounting pins engage chassis holes.3. Pivot mounting knobs up so they capture J-hooks.4. Rotate mounting knobs (Figure 4.4) to secureCNS4 to tray.5. Connect Ethernet cables to front panel connectors GBE0 through GBE3.6. Connect power / RS-232 cable to front panel power connector.

4.4.3 Remove (User Defined Mount)1. If applicable, turn 28VDC power supply OFF.2. Disconnect power / RS-232 cable from front panel power connector.3. Disconnect Ethernet cables from front panel connectors GBE0 through GBE3.4. Rotate mounting knobs to release CNS4 from mounting surface.5. Pivot mounting knobs down / away from J-hooks.6. Slide CNS4 forward so mounting pins disengage chassis holes.7. Remove CNS4 from mounting surface

4.4.4 Remove (ARINC Tray)1. If applicable, turn 28VDC power supply OFF.2. Disconnect power / RS-232 cable from front panel power connector.3. Disconnect Ethernet cables from front panel connectors GBE0 through GBE3.4. Rotate mounting knobs to release CNS4 from ARINC tray.

DDOC0108-0006

Mounting Pin

TrayMounting Knob



Figure 4.4 CNS4 Installed on ARINC Tray

5. Pivot mounting knobs down / away from J-hooks (Figure 3-4).6. Slide CNS4 forward so mounting pins disengage chassis holes.7. Remove CNS4 from ARINC tray

4.5 CablesCAUTION

Make sure the 28VDC power supply is OFF when connecting the power / RS-232 cable to the unit or damage may occur.

NOTEThe CNS4 typically does not have an Ethernet cable attached to GBE3.All connections to the CS4 are on the front panel (Figure 4.5). Be sure the external 28VDC power supply is off when making connections.Figure 4.5 CNS4 Connectors

DDOC0108-0007

MountingKnob

J-HookEthernetConnectors

Power / RS-232Connector

DDOC0108-0021

Power / RS-232Connector Ethernet

Connectors



4.5.1 Power / RS-232 CableThe CNS4 Power / RS-232 Lab Cable (Figure 4.6) is used to make power and serial data connections to the CNS4. The CNS4 requires an input power of +28 volts and ground. The serial data portion of the cable is used to interface the Command Line Interface (CLI) terminal to the unit. Refer to paragraph B.1 Power / RS-232 for connector pin signal information.Connections:• The 13-pin connector (P1) mates to CNS4 power connector.• The red plug connects to 28 VDC.• The black plug connects to 28 VDC return.• The RS-232 connector connects to the terminal RS-232 port.Figure 4.6 Power / RS-232 Lab Cable

4.5.2 Ethernet CableThe Ethernet lab cables (Figure 4.7) are used to make network connections to the CNS4. Refer to paragraph B.2 Ethernet for connector pin signal information. Each Ethernet connector is keyed to the respective CNS4 connector.

NOTEThe CNS4 typically does not have an Ethernet cable attached to GBE3.• GBE0 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SA• GBE1 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SB• GBE2 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SCConnections• The 10-pin connector (P1) mates to CNS4 GBE0 through GBE2.• The RJ-45 port (P2) accepts a normal Ethernet cable RJ-45 plug.Figure 4.7 Ethernet Lab Cable

DDOC0108-0020

RS-232 Connector

Power / RE-232Connector 28 VDC (+)

28 VDCRTN (-)

DDOC0108-0019

RJ-45 Port

EthernetConnector


CNS4 CSfC 5 - 1 Quick StartRevision 1.0

Quick StartThe quick start section provides easy to access commands and examples.

5.1 Connections and Controls1. Refer to paragraph 6.1 Lab Setup / Connections for connection information.2. Refer to Controls and Indicators section for information about indicators and controls.

5.2 Communications SetupRefer to paragraph 6.2.2 Communications for information.

5.3 LoginTo access the FSMs, the user must be logged into CNS4 and hardware encryption layer. However, once the software encryption layer has been activated, the user must be logged into the software layer as well.

5.3.1 CNS4NOTE

The administrator can configure the unit using the Command Line Interface (CLI).Administrator• Username: admin• Password: istrator

NOTEThe user can access the drives configured as network storage. The user cannot access the CLI.User• Username: user• Password: password

5.4 Hardware LayerRefer to paragraph 6.4.2 Hardware Encryption Layer for information.

NOTEThe unit is shipped with a default ILE account• Username: user• Password: Password1

5.5 Software LayerRefer to paragraph 6.4.3 Software Encryption for information.

5.6 Partition Disks5.6.1 Erase All Partitions / All Slots

Commands:sysconfig –esysconfig --wipe

5.6.2 Check Drive StatusCommand: sysconfig

Example:cns> sysconfigsysconfig]

DiskConfig



Unconfigured_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB

Raid_disks: numDisk=0Raid_volumes: numDisk=0

Partitions: numPartitions=0--- Device Partitions ---[!sysconfig] OK

Check Software Encryption (SWE) Status:swcrypt

Example:cns> swcrypt[swcrypt]Partitions: 0[!swcrypt] OK

5.6.3 Create Single Partition on FSM0Command: sysconfig --part fsm0-d0 1 100% -w

Example:cns> sysconfig --part fsm0-d0 1 100% -w[sysconfig]

Partition_disk: status=OK[!sysconfig] OKCheck Status:cns> sysconfig

[sysconfig]DiskConfig:Unconfigured_disks: numDisk=3

Disk0: name=fsm1-d0 size=2000GBDisk1: name=fsm2-d0 size=2000GBDisk2: name=fsm3-d0 size=2000GB

Individual_disks: numDisk=1Disk0: name=fsm0-d0 size=2000GB


Partitions: numPartitions=1Part0: name=fsm0-d0 size=2000246MB pSize=100.00% dp=1 numServ=1

sName=Unconfigured swe=no--- Device Partitions ---[!sysconfig] OKCheck SWE Status:cns> swcrypt[swcrypt]Partitions: 1Part0: name=fsm0-d01 swe=no

[!swcrypt] OK



Partition_disk: status=OK[!sysconfig] OK



Check Status:cns> sysconfig

[sysconfig]DiskConfig:

Unconfigured_disks: numDisk=2Disk0: name=fsm2-d0 size=2000GBDisk1: name=fsm3-d0 size=2000GB

Individual_disks: numDisk=2Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GB



sName=Unconfigured swe=noPart1: name=fsm1-d0 size=2000246MB pSize=100.00% dp=1 numServ=1

sName=Unconfigured swe=no-- Device Partitions ---[!sysconfig] OKCheck SWE Status:cns> swcrypt[swcrypt]Partitions: 2Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=no

[!swcrypt] OK





Unconfigured_disks: numDisk=1Disk0: name=fsm3-d0 size=2000GB

Individual_disks: numDisk=3Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GB





sName=Unconfigured swe=no-- Device Partitions ---[!sysconfig] OK



Check SWE Status:cns> swcrypt[swcrypt]Partitions: 3Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=no

[!swcrypt] OK





Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm4-d0 size=2000GB






sName=Unconfigured swe=no-- Device Partitions ---[!sysconfig] OKCheck SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=noPart3: name=fsm2-d01 swe=no

[!swcrypt] OK

5.6.7 Create NAS Partitions on FSM0 - 3

NOTEThe first # in the command is the # partitions to assign as NAS drives. The subsequent #s are the partitions #'s, in a list…Command: sysconfig --nas 4 0 1 2 3



Example:cns> sysconfig --nas 4 0 1 2 3


Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB


Partitions: numPartitions=4Part0: name=fsm0-d0 size=2000246MB pSize=100.00% dp=1 numServ=1 sName=fsm_nas0

fmt=no mnt=0 enb=0 swe=noPart1: name=fsm1-d0 size=2000246MB pSize=100.00% dp=1 numServ=1 sName=fsm_nas1



fmt=no mnt=0 enb=0 swe=no--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OKCheck SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=noPart3: name=fsm3-d01 swe=no

[!swcrypt] OK

5.7 Create Software Encryption Containers on FSM2 and FSM3Create Passphrase (Linux)echo Cns4:istratorFsm3 > keyfile3.txtscp keyfile3.txt [email protected]:/keyfilesCreate Passphrase (Windows)1. Create a passphrase for FSM2 as follows:

a. Use a text editor to create file containing “Cns4:istratorFsm2”.b. Save file on PC as keyfile2.txt.

2. Create a passphrase for FSM3 as follows:a. Use a text editor to create file containing “Cns4:istratorFsm3”.b. Save file on PC as keyfile3.txt.

3. On a PC with Linux OS, type scp keyfile2.txt [email protected]:/keyfiles/ to move keyfile3 to CNS4 keyfile director.

4. On a PC with Linux OS, type scp keyfile3.txt [email protected]:/keyfiles/ to move keyfile3 to CNS4 keyfile director.

Create ContainersFSM2cns> swcrypt --init 2 --key-file /keyfiles/keyfile2.txt[swcrypt]cmd=init Part=2 status=OK

[!swcrypt] OK



FSM3cns> swcrypt --init 3 --key-file /keyfiles/keyfile3.txt[swcrypt]cmd=init Part=3 status=OK

[!swcrypt] OK

Check Status:cns> sysconfig[sysconfig]

DiskConfig:Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB



sName=fsm_nas0 fmt=no mnt=0 enb=0 swe=noPart1: name=fsm1-d0 size=2000246MB pSize=100.00% dp=1 numServ=1


sName=fsm_nas2 fmt=na mnt=0 enb=0 swe=closedPart3: name=fsm3-d0 size=2000246MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=na mnt=0 enb=0 swe=closed--- Device Partitions ---NAS on partition 0 1 2 3

Check SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=closedPart3: name=fsm3-d01 swe=closed

[!swcrypt] OK

5.8 Open Software Encryption Containers on FSM2 and FSM35.8.0.1 Method 1

1. Open FSM2 as follows:

NOTEEnter password 'Cns4:PasswordFsm2' when prompted.Commandswcrypt --open 2 --pass

Examplecns> swcrypt --open 2 --pass[swcrypt]

cmd=open Part=2 Enter passphrase for /dev/sdb1:Verify passphrase:

status=OK[!swcrypt] OK

Check Statuscns> sysconfig[sysconfig]DiskConfig:Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GB



Disk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB





sName=fsm_nas2 fmt=no mnt=0 enb=0 swe=openPart3: name=fsm3-d0 size=2000246MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=na mnt=0 enb=0 swe=closed--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK

Check SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=openPart3: name=fsm3-d01 swe=closed

[!swcrypt] OK

2. Repeat paragraph 5.8.0.1 Method 1 step 1 above substituting 3 for 2 to open FSM3.5.8.0.2 Method 2

1. Open FSM2 as follows:Commandswcrypt --open 2 --key-file /keyfiles/keyfile2.txt

Examplecns> swcrypt --open 2 --key-file /keyfiles/keyfile2.txt[swcrypt]cmd=open Part=3 status=OK

[!swcrypt] OK

Check Statuscns> sysconfig[sysconfig]DiskConfig:Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB





sName=fsm_nas2 fmt=no mnt=0 enb=0 swe=openPart3: name=fsm3-d0 size=2000244MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=no mnt=0 enb=0 swe=open



--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK

Check SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=openPart3: name=fsm3-d01 swe=open

[!swcrypt] OK

2. Repeat paragraph 5.8.0.2 Method 2 step 1 above substituting 3 for 2 to open FSM3.

5.9 Format / Mount NAS PartitionsNOTE

Paragraphs 5.7 and 5.8 created and opened SWE containers for partitions 2 and 3. If desired, create and open containers on partitions 0 and / or 1 as well.Commandsysconfig -f all -m all

Examplecns> sysconfig -f all -m all[sysconfig]FSM_NAS0: cmd=Formatting status=OKFSM_NAS1: cmd=Formatting status=OKFSM_NAS2: cmd=Formatting status=OKFSM_NAS3: cmd=Formatting status=OKFSM_NAS0: mounted=1 status=OKFSM_NAS1: mounted=1 status=OKFSM_NAS2: mounted=1 status=OKFSM_NAS3: mounted=1 status=OK

[!sysconfig] OK

Check Statuscns> sysconfig[sysconfig]DiskConfig: Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBDisk1: name=fsm1-d0 size=2000GBDisk2: name=fsm2-d0 size=2000GBDisk3: name=fsm3-d0 size=2000GB



sName=fsm_nas0 fmt=ext4 mnt=1 enb=0 swe=noPart1: name=fsm1-d0 size=2000244MB pSize=100.00% dp=1 numServ=1


sName=fsm_nas2 fmt=ext4 mnt=1 enb=0 swe=openPart3: name=fsm3-d0 size=2000244MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=ext4 mnt=1 enb=0 swe=open--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK




[!swcrypt] OK

5.10 Unformat NAS PartitionsCommandsysconfig -u all

Examplecns> sysconfig -u all[sysconfig]FSM_NAS0: mounted=0 status=OKFSM_NAS1: mounted=0 status=OKFSM_NAS2: mounted=0 status=OKFSM_NAS3: mounted=0 status=OK

[!sysconfig] OK

Check Statuscns> sysconfig[sysconfig]






sName=fsm_nas2 fmt=ext4 mnt=0 enb=0 swe=openPart3: name=fsm3-d0 size=2000244MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=ext4 mnt=0 enb=0 swe=open--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK


[!swcrypt] OK

5.11 Close Software Encryption ContainersCommandswcrypt --close all



Examplecns> swcrypt --close all[swcrypt]cmd=close Part=2 status=OKcmd=close Part=3 status=OK

[!swcrypt] OK







sName=fsm_nas2 fmt=na mnt=0 enb=0 swe=closedPart3: name=fsm3-d0 size=2000246MB pSize=100.00% dp=1 numServ=1

sName=fsm_nas3 fmt=na mnt=0 enb=0 swe=closed--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK

Check SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=closedPart3: name=fsm3-d01 swe=closed

[!swcrypt] OK

5.12 Erase Software Encryption ContainersCommandswcrypt --erase all

Examplecns> swcrypt --erase allcmd=erase Part=2 status=OKcmd=erase Part=3 status=OK

[!swcrypt] OK




Partitions: numPartitions=4



Part0: name=fsm0-d0 size=2000246MB pSize=100.00% dp=1 numServ=1 sName=fsm_nas0 fmt=ext4 mnt=0 enb=0 swe=noPart1: name=fsm1-d0 size=2000246MB pSize=100.00% dp=1 numServ=1



sName=fsm_nas3 fmt=no mnt=0 enb=0 swe=no--- Device Partitions ---NAS on partition 0 1 2 3[!sysconfig] OK

Check SWE Status:cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=noPart3: name=fsm3-d01 swe=no

[!swcrypt] OK

5.13 ILE Account LogoutCommandcm_login -o

Examplecns> cm_login -o[cm_login]status=OK[!cm_login]

5.14 Access from Windows as NAS DeviceNOTE

When the partitions are formatted and mounted, they can be accessed from a PC running Windows.

NOTEThis procedure is performed via Ethernet connected to CNS4 port GBE0.1. Open a terminal window.2. Type ssh [email protected]. Press ENTER key.4. Type istrator for password.5. Press ENTER key.6. Type serv and press ENTER key to see if NFS and CIFS is enabled.

NFS enabled: nfs=1 status ok NFS disabled: nfs=0 status ok CIFS enabled: cifs=1 status ok CIFS disabled: cifs=0 status ok

7. If NFS is disabled type serv --nfs 1.8. If CIFS is disabled type serv --cifs 1.9. Open a File Explorer window.10. Enter the IP address of the CNS4 / NAS partition In the address bar.



Example\\192.168.0.1\fsm_nas0Where 192.168.0.1 is the IP address and fsm nas 0 is the partition.11. Login as user:

a. Type user at user name prompt.b. Type password at password prompt.

5.15 Access from Linux as NAS DeviceNOTE

When the partitions are formatted and mounted, they can be accessed from a PC running Linux.

NOTEThis procedure is performed via Ethernet connected to CNS4 port GBE0.1. Open a terminal window2. Type ssh [email protected]. Press ENTER key.4. Type istrator for password.5. Press ENTER key.6. Type serv and press ENTER key to see if NFS is enabled.

NFS enabled: nfs=1 status ok

NFS disabled: nfs=0

7. If NFS is disabled type serv --nfs 1.8. In the terminal window on the Linux PC:

a. Create a mount point.b. Mount to the storage device.

Examplemkdir /fsm0mount -t nfs 192.168.0.1:/fsm_shares/fsm_nas0 /fsm0

5.16 External Key Passing Example

NOTEExternal key passing requires the use of the Curtiss-Wright supplied PSK.1. Zeroize the ILE.cns> cm_key -z[cm_key]status=OK[!cm_key]

2. Create Account on ILE.cns> cm_create_account -u user -p Password1 -m e -k e[cm_create_account]user_token=0x49db8e13c3cd7461bace801e06d9152b0cf283d6bd42fa8082115a7b86705aff8acde8bf27b58faatoken_hmac=0xd07babac2eb88c883b3ed0c27ed317676a35bd5f5247d4fec38df4fd67531d8dstatus=OK[!cm_create_account]



3. Verify HMAC.cns> cm_crypto -t 49db8e13c3cd7461bace801e06d9152b0cf283d6bd42fa8082115a7b86705aff8acde8bf27b58faa -k e7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321[cm_crypto]text=0x49db8e13c3cd7461bace801e06d9152b0cf283d6bd42fa8082115a7b86705aff8acde8bf27b58faakey=0xe7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321hmac_output=0xd07babac2eb88c883b3ed0c27ed317676a35bd5f5247d4fec38df4fd67531d8d[!cm_crypto]

4. Decrypt User Token.cns> cm_crypto -c 49db8e13c3cd7461bace801e06d9152b0cf283d6bd42fa8082115a7b86705aff8acde8bf27b58faa -k e7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321[cm_crypto]ciphertext=0x49db8e13c3cd7461bace801e06d9152b0cf283d6bd42fa8082115a7b86705aff8acde8bf27b58faakey=0xe7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321keyunwrap_output=0x7b4398e2f5d89257b54656101d9d0ed335f54a74e8121ae48dc7775f785707d4[!cm_crypto]

5. Login.cns> cm_login -u user -p Password1[cm_login]challenge_nonce=0x57a1d98f7a6ada0a60d04c87194fe3a0ae334a73ad6a00a70f2abebd2452dfe53a51d68d1a3282b10051e8fb05e36de9b738b8f4e142b59f2f081cd1fd73f9b0status=OK[!cm_login]

6. Generate User Authentication Token (UAT).cns> cm_crypto -t 57a1d98f7a6ada0a60d04c87194fe3a0ae334a73ad6a00a70f2abebd2452dfe53a51d68d1a3282b10051e8fb05e36de9b738b8f4e142b59f2f081cd1fd73f9b0 -k 7b4398e2f5d89257b54656101d9d0ed335f54a74e8121ae48dc7775f785707d4[cm_crypto]text=0x57a1d98f7a6ada0a60d04c87194fe3a0ae334a73ad6a00a70f2abebd2452dfe53a51d68d1a3282b10051e8fb05e36de9b738b8f4e142b59f2f081cd1fd73f9b0key=0x7b4398e2f5d89257b54656101d9d0ed335f54a74e8121ae48dc7775f785707d4hmac_output=0xd6dac2ae685ce4adb776e0a27a69a0632ffe0ba8461c1d29b51388ae7b69937a[!cm_crypto]

7. Login using the UAT.cns> cm_login --hmac d6dac2ae685ce4adb776e0a27a69a0632ffe0ba8461c1d29b51388ae7b69937a[cm_login]challenge_hmac=0xd6dac2ae685ce4adb776e0a27a69a0632ffe0ba8461c1d29b51388ae7b69937astatus=OK[!cm_login]



8. Verify State.cns> cm_state[cm_state]ile_firmware_version=0.1ile_id_number=666ile_state=logged_incurrent_user=userkey_location=eepromkey_gen_method=externalprivilege_level=crypto_officer[!cm_state]

9. Generate a KEK.cns> cm_key --kek[cm_key]e_kek=0xa062009e59d3623dd9f1059ea61deb3e9bbd1c6c9e8e62d85c710a461018db633937c95585110bb8kek_mac=0x6c67356ee62c190b7e96343191bf37ebf689ce4b3d5870c4eed69cf577a8da77status=OK[!cm_key]

10. Verify HMAC.cns> cm_crypto -t a062009e59d3623dd9f1059ea61deb3e9bbd1c6c9e8e62d85c710a461018db633937c95585110bb8 -k e7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321[cm_crypto]text=0xa062009e59d3623dd9f1059ea61deb3e9bbd1c6c9e8e62d85c710a461018db633937c95585110bb8key=0xe7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321hmac_output=0x6c67356ee62c190b7e96343191bf37ebf689ce4b3d5870c4eed69cf577a8da77[!cm_crypto]

11. Decrypt KEK using PSK (or previous plaintext KEK).cns> cm_crypto -c a062009e59d3623dd9f1059ea61deb3e9bbd1c6c9e8e62d85c710a461018db633937c95585110bb8 -k e7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321[cm_crypto]ciphertext=0xa062009e59d3623dd9f1059ea61deb3e9bbd1c6c9e8e62d85c710a461018db633937c95585110bb8key=0xe7f1d995bf53556836490b5dea45ec1261a5d1a2e515f003286152fada7c2321keyunwrap_output=0x04170bc4b683ce47a6bbd473d3514a9f9f25cf3dcf0afe1b9a72d35f71405837[!cm_crypto]

12. Send KEK Acknowledge after successful HMAC verification and decryption of KEK.cns> cm_key -a[cm_key]status=OK[!cm_key]



13. Encrypt KEK using the plaintext KEK.cns> cm_crypto -p 3705708cb8a3616f7a0019b81699c7b1131a776de8ed601a1fdcee95c6d25223 -k 04170bc4b683ce47a6bbd473d3514a9f9f25cf3dcf0afe1b9a72d35f71405837[cm_crypto]plaintext=0x3705708cb8a3616f7a0019b81699c7b1131a776de8ed601a1fdcee95c6d25223key=0x04170bc4b683ce47a6bbd473d3514a9f9f25cf3dcf0afe1b9a72d35f71405837keywrap_output=0x38c69b9a3d1f84e5bdc86500b5454ea390405c12a6249edc387167e43ce62acac4813c33b69f8893[!cm_crypto]

14. Generate HMAC using the plaintext KEK as the key and the encrypted DEK as the text.cns> cm_crypto -t 38c69b9a3d1f84e5bdc86500b5454ea390405c12a6249edc387167e43ce62acac4813c33b69f8893 -k 04170bc4b683ce47a6bbd473d3514a9f9f25cf3dcf0afe1b9a72d35f71405837[cm_crypto]text=0x38c69b9a3d1f84e5bdc86500b5454ea390405c12a6249edc387167e43ce62acac4813c33b69f8893key=0x04170bc4b683ce47a6bbd473d3514a9f9f25cf3dcf0afe1b9a72d35f71405837hmac_output=0xa257cc5fd5bc0132e9fdf36ecf5da5a5d99ce3df0c470dc97c189bae7e3cb5ea[!cm_crypto]

15. Send to the ILE.cns> cm_key -e 38c69b9a3d1f84e5bdc86500b5454ea390405c12a6249edc387167e43ce62acac4813c33b69f8893 -m a257cc5fd5bc0132e9fdf36ecf5da5a5d99ce3df0c470dc97c189bae7e3cb5ea -s 0[cm_key]encrypted_dek=0x38c69b9a3d1f84e5bdc86500b5454ea390405c12a6249edc387167e43ce62acac4813c33b69f8893generated_mac=0xa257cc5fd5bc0132e9fdf36ecf5da5a5d99ce3df0c470dc97c189bae7e3cb5eastatus=OK[!cm_key]

16. Confirm state.cns> cm_state[cm_state]ile_firmware_version=0.1ile_id_number=666ile_state=keys_loadedencryptors_loaded=0current_user=userkey_location=eepromkey_gen_method=externalprivilege_level=crypto_officer[!cm_state]


CNS4 CSfC 6 - 1 OperationRevision 1.0

Operation6.1 Lab Setup / Connections

NOTEIf the optional lab cables are not used, the user must construct a connection method for their test set up. Refer to paragraph B.1 Power / RS-232 and paragraph B.2 Ethernetfor connector and signal information.

NOTEThe CNS4 is powered by a user-supplied 28 VDC power supply and does not have a power switch of its own. The CNS4 is powered up by turning on the 28 VDC supply.

NOTEAnytime the CNS4 is powered off, the user must wait at least 30 seconds to re-apply power. This gives the internal 5 second holdup capacitor circuit time to discharge properly.1. If not previously accomplished, connect the following cables to the CNS4 front panel

connectors (Figure 6.1).• Power / RS-232 lab cable: Power• Ethernet lab cable (keyed for GBE0): GBE0• Ethernet lab cable (keyed for GBE1): GBE1• Ethernet lab cable (keyed for GBE2): GBE2• Ethernet lab cable (keyed for GBE3): GBE3

Figure 6.1 CNS4 Test Setup

Power Supply

CNS4

POWER / RS-232

GBE0

GBE1

GBE2

GBE3

ZeroizeChassisGND

Reserved

5

21

DDOC0108-0025

Test PC

123456789

10111213

123456789

10111213

123456789

10

123456789

10

28 VDC

28 VDC RTN

Similar to GBE0

Similar to GBE0

Keyed for GBE1

Keyed for GBE2

Not Used

Keyed for GBE0

Ethernet Patch Cable



SerialDataPort

EthernetPortsAA+

AA-

AB+

AB-

AC+

AC-

AD+

AD-



2. If not previously accomplished, connect the following cables to the test PC.• Power / RS-232 cable DB-9 connector: serial data port• GBE0 Ethernet lab cable: Ethernet port*• GBE1 Ethernet lab cable: Ethernet port*• GBE2 Ethernet lab cable: Ethernet port*• GBE3 Ethernet lab cable: Ethernet port*

* Use Ethernet patch cable between Ethernet lab cable port and test PC Ethernet port3. If not previously accomplished, connect the following cables to the 28VDC power supply.

• Power / RS-232 lab cable red banana plug: 28 VDC power supply positive (+) output.• Power / RS-232 lab cable black banana plug: 28 VDC power supply return (-) output

4. Turn on 28 VDC power supply.

6.2 Basic Operation6.2.1 Initial Configuration

Initial configuration must be performed through the user's admin account.6.2.1.1 Time

The time and date appear in some status displays and messages. To display the current date and time, type:

NOTEIn the example shown below, -d option xx/xx/xx is the desired date and -t option is desired timeIf the date or time needs to be corrected, type:

6.2.1.2 Passwords

NOTEThe admin account has configuration privileges while the user account has access to only network storage functionality.To change admin account password, type

To change user account password, type

The CNS4 software will prompt for the new password when -p command is used.

6.2.2 CommunicationsThe RS-232 serial port link is provided via the CNS4 power connector. A terminal emulation program (putty, minicom, hyperterminal) is used to communicate with the Command Line Interface (CLI) using the RS-232 port. Serial port accesses is recommended for initial configuration of the CNS4. The terminal emulation program should be set to 115200 bps, 8 bits, no parity, one stop bit, and no flow control.

cns> sysdate

cns> sysdate -d xx/xx/xx -t xx:xx;xx

cns> password -u admin -p [desired password]

cns> password -u user -p [desired password]



The CLI is also accessible via Ethernet using Secure Shell (SSH). The default IP addresses are shown in Table 6.1.

Simple Network Management Protocol (SNMP) is also available to communicate with the CNS4. See Simple Network Management Protocol section for details.

6.2.2.1 Terminal Emulation

A copy of the PuTTY terminal emulator can be obtained from https://www.putty.org/.This section explains setting up communications using serial communication (RS-232) and a PuTTY terminal emulator. 1. If not previously accomplished, download a copy of the PuTTY terminal emulator and install on

computer.2. Open PuTTY terminal emulator (Figure 6.2).Figure 6.2 PuTTY Terminal Emulator

3. Configure PuTTY as follows:• Serial line: COM1• Speed: 115200• Connection type: Serial

4. Click Open button. A terminal screen should activate.

Table 6.1 Ethernet Interfaces

Connector Port Interface IP Address Subnet Mask

GBE0 Port 0 eth0 192.168.0.1 255.255.255.0

GBE1 Port 1 eth1 192.168.1.1 255.255.255.0

GBE2 Port 2 eth2 192.168.2.1 255.255.255.0

GBE3 Port 3 eth3 192.168.3.1 255.255.255.0

DDOC0108-0032



5. Click Enter button. A login prompt should activate.

6. Log into the CLI as follows:a. At the cns login prompt type admin.b. At the password prompt type istrator.

6.2.2.2 Ethernet

This section explains setting up communications using secure shell (SSH) and a PuTTY terminal emulator. 1. If not previously accomplished, download a copy of PuTTY terminal emulator and install on

computer.2. Open PuTTY terminal emulator (Figure 6.3).Figure 6.3 PuTTY Terminal Emulator (SSH)

3. Configure PuTTY as follows:• Connection Type: SSH• Port: • Host Name (or IP Address): see Table 6.1

4. Click Open button. A terminal screen should activate.

5. Click Enter button. A login prompt should activate.

6. Log into CLI as follows:a. At the login prompt type admin.b. At the password prompt type istrator.

DDOC0108-0045



6.2.3 Account ManagementThe CNS4 has two accounts:• admin (default password is istrator)• user (default password is password)The admin account is used to setup and configure the unit via the CLI. The user account can only access the drives and cannot change or update any operational parameters.The hardware encryption layer can have up to five accounts as follows:• crypto officer (one account)• user (up to four accounts)These accounts are independent of the CNS4 / software encryption accounts. Refer to paragraph 6.4.2 Hardware Encryption Layer for additional information.The software encryption layer has one account. Refer to paragraph 6.4.3 Software Encryption for additional information.

6.2.4 Storage MediaThe CNS4 provides a versatile user-configurable storage system. This section provides some examples of different configurations. The FSM-C modules are configured through the CLI using the sysconfig command. The user should determine the following configuration attributes.• Will there be a RAID configuration.• Which FSM-C modules to use for a RAID.• How many and what size partitions to configure.• What services (iSCSI, NAS) to assign to which partitions.

6.2.4.1 Preparation

Before any attempt to configure or reconfigure the storage system be sure the NAS services are stopped and unmounted. • Use CLI command serv --nas 0 to stop NAS service.• Use CLI command sysconfig -u to unmount drives.

6.2.4.2 Assigning Services to PartitionsThe list below shows the Network Attached Storage (NAS) services available with the CNS4.• Common Internet File System (CIFS)• Dynamic Host Configuration Protocol (DHCP)• File Transfer Protocol (FTP)• HyperText Transfer Protocol (HTTP)• Internet Small Computer System Interface, (iSCSI)• Network File System (NFS)• Secure Shell Protocol (SSH)• Simple Network Management Protocol (SNMP)Only SSH is enabled by default. All other services are disabled. See paragraph 11.2.23 serv for how to enable other service.

6.2.4.3 PreparationBefore any attempt to configure or reconfigure the storage system be sure the NAS services are stopped and unmounted.• Use CLI command serv --nas 0 to stop NAS service.• Use CLI command sysconfig -u all to unmount drives.



6.2.4.4 Creating a RAID

The CNS4 supports RAID configurations. Once the initial RAID is configured, it is labeled as fsm_raida. If a second RAID is configured, it will be labeled fsm_raidb. Assigning services to partitions of a RAID is done in the same manner shown in the previous examples, shown here as two 50% partitions for NAS over both FSM-C within the RAID1.

6.2.4.5 Partitioning

NOTEPartitioning is based on user-accessible capacity (referenced as 100%). The actual capacity avail-able is approximately 90% of the stated drive size. A 2 TB dive will have approximately 1862GB available for user access /storage.The command shown below is an example of creating two partitions on FSM0, each containing 50% of the drive capacity. For additional information on partitioning, refer toparagraph 7.21 part.

6.2.4.6 Assign NAS Service

To assign NAS services the command sysconfig --nas is applied. Option are used to select partitions to command / flag is applied to. The options are:• <#parts> Number of partitions to use with the device.• <part #> Partition number (can have multiple partitions).• --all All partitions used with deviceIn the example below, the NAS is assigned to partition 0.

Example.

cns> sysconfig --raid1 fsm0-d1 fsm0-d2 2 50% 50% -W[sysconfig]Create_raid: status=OKPartition_disk: status=OK

[!sysconfig] OK

cns> sysconfig --part fsm0 2 50% 50% -w[sysconfig]Partitions: numPartitions:2Partition 0:FSM0 fsm0-d0 Part:1 of 2 Size 50% 1000GB UnconfiguredPartition 1:FSM0 fsm0-d0 Part:2 of 2 Size 50% 1000GB Unconfigured

[!sysconfig] OK

cns> sysconfig --nas 1 0[sysconfig]DiskConfig:

Individual_disks: numDisk=4Disk0: name=fsm0-d0 size=2000GBRaid_disks: numDisk=0Raid_volumes: numDisk=0Partitions: numPartitions=1Part0: name=fsm0-d0 size=2000246MB pSize=100.00% dp=1 numServ=1 sName=fsm_nas0 fmt=no mnt=0 enb=0 swe=no--- Device Partitions ---NAS on partition 0

[!sysconfig] OK



6.2.4.7 Format Partitions

Once the storage media configuration task is done, the sysconfig -F command is issued to activate the configuration. The example below shows the command to use to format all NAS partitions by using the --all flag. A specific partition number can be entered if desired.

6.2.4.8 Mounting NAS Partition

Once formatting is completed, all partitions that were formatted can be mounted with the sysconfig -M command. Any configured partitions not formatted will result in an error report, while all formatted partitions will be mounted.

6.2.4.9 Verification

To verify the CNS4 configuration, type sysconfig --status. The response will show the current configuration.

6.2.5 HealthThe CNS4 has internal sensors to monitor critical environmental and operational parameters. When activated, the health command displays health information for the CNS unit. FSM-C status, system status and network status can be displayed depending on the chosen suffix / attribute. See paragraph 11.2.13 health for additional information.

NOTEThe CNS4 S0 LED will turn on if any of the values exceed the listed limits.Temperature and voltage values will be displayed. The following tolerances are applicable:1.8 VDC NominalLow Limit: 1.60 VDCHigh Limit: 2.00 VDC3.3 VDC NominalLow Limit: 2.70 VDCHigh Limit: 3.60 VDC5.0 VDC NominalLow Limit: 4.60 VDCHigh Limit: 5.50 VDC12 VDC NominalLow Limit: 11.0 VDCHigh Limit: 13.0 VDCTemperatureNormal: 35 to 60 ºCHigh: 90 ºCLow: -40 ºC

cns> sysconfig --format --all[sysconfig]FSM_NAS0: cmd=format status=OKFSM_NAS1: cmd=format status=OK

[!sysconfig] OK

cns> sysconfig --mount --all[sysconfig]FSM_NAS0: mounted=1 status=OKFSM_NAS1: mounted=1 status=OK

[!sysconfig] OK



The ILE status is shown at the bottom of the text box above. The value for each of the ILE status items will have a value of 1 or 0.• Zero = 1, the ILE is currently zeroizing. Will get reset back to 0 when zeroization is complete.• Key = 1, the key is present on the ILE. Key= 0, key is absent.• Tamper = 1, the ILE has lost the key. Tamper=0, all is well.• Alarm = 1, the ILE is in an error state, run the cm_log command to determine the problem.While the ILE is in the error state, the user will be locked out of the ILE account. Depending on the reason of the hard error state, the only way to overcome the lockout is to power cycle or zeroize the ILE.

6.2.6 Built-In TestThe built-in tests monitor CNS4 health. If any of the monitored items listed below fails, a description of the failure is written to a log file. See paragraph 11.2.19 log for additional information.

6.2.6.1 CBIT (Continuous Built-In Test)

The following items are monitored by the CBIT. The CBIT runs in the background and cannot be initiated by the user. If any item is outside of tolerance range, the CNS4 S0 LED will illuminate. See log paragraph 11.2.19 log for information on how to determine the error.• Main Carrier Temperature.• Power Supply Temperature.• FSM-C Voltage Levels (5V & 3.3V rails).• Super I/O Voltage (3.3V & 12V rails, plus two Marvell controller voltage levels).• Processor (CPU Voltage, 12V & 5V rails, plus the AA sized battery voltage).

6.2.6.2 IBIT (Initiated Built-In Test)

The following items are monitored by the IBIT. The IBIT must be initiated by the user using the ibit command. If any item is outside of tolerance range, the CNS4 S0 LED will illuminate. In addition, the ibit report will show the error. Refer to paragraph 11.2.19 log and paragraph 11.2.15 ibit for more information.

[health]SYSTEM: Date=04/01/2018 Time=00:00:01 Firmware Ver=1.1 CNSVer=2.42-carPower Supply Temp 1 = 46 C Temp 2 = 38 CMain Board Temp Bot 1 = 38 C Temp Bot 2 = 39 CMain Board Temp Top 1 = 36 C Temp Top 2 = 40 Cflash=rw Boot Flash=rw FSM EEPROM=rw pbit_status=OK|----------------------- FSM Status ----------------------|| | Temp | 5V | 3.3V | Fault LED | Status LED ||--------|------|-------|-------|---------- |-------------|| FSM0 | 35 C | 4.87V | 3.29V | OFF | OFF || FSM1 | 34 C | 4.87V | 3.31V | OFF | OFF || FSM2 | 35 C | 4.89V | 3.29V | OFF | OFF || FSM3 | 35 C | 4.87V | 3.30V | OFF | OFF ||---------------------------------------------------------|ETH_0: ip=192.168.0.1 link=1000Mb/s status=OKETH_1: ip=192.168.1.1 link=1000Mb/s status=OKETH_2: ip=192.168.2.1 link=1000Mb/s status=OKETH_3: ip=192.168.3.1 link=1000Mb/s status=OK|----------------------- ILE Status-----------------------|| Voltages | Status ||------|--------------------|-----------------------------||Temps | 5V | 3.3V | 1.8V | Zero | Key | Tamper | Alarm ||------|------|------|------|------|-----|--------|-------||38,40 | 4.94V| 3.31V| 1.81V| 0 | 1 | 0 | 0 ||---------------------------------------------------------|[!health] OK



The ibit:• Checks all I2C components.• Reports all FSM-C voltages (5V & 3.3V rails).• Reports Super I/O.• Reported processor sensors.• Runs S.M.A.R.T. monitor test on each FSM-C module.• Checks for Ethernet devices (eth0/1/2/3).

6.2.6.3 PBIT (Power-On Built In Test

The following items are monitored by the PBIT. The PBIT runs only at initial power ON and cannot be initiated by the user. If any item is outside of tolerance range, the CNS4 S0 LED will illuminate. See paragraph 11.2.19 log for information on how to determine the error.• Tests 10MB of system memory• Attempt to communicate with processor• Check if Ethernet Devices are present• Check for SATA controller device presence

6.3 UpdateThe CNS4 operating system and the ILE firmware can be updated. Contact Curtiss-Wright for information regarding available / applicable update files before performing any updates.

6.3.1 CNS4 Operating System UpdateThe following files are required to update the CNS4 operating system:

NOTEContact Curtiss-Wright to obtain any available / applicable update files The files below refer to Curtiss-Wright provided files for performing operating system update. The year, month, day, and ver_#_## are variables that will reflect the update file date and version.• cnsf_csfc-image_year_month_day-ver_#_##.bin• cnsf_csfc-image_year_month_day-ver_#_##.gz• cnsf_csfc-image_year_month_day-ver_#_##.hdr• cnsf_csfc-image_yyear_month_day-ver_#_##.md5The fupdate command boots the CNS4 system into a RAM disk image where the user can install a new CNS4 disk image onto the system. By default the new image file should be copied to fsm0 partition 0 location. Upon logging into the new RAM disk image, a menu of operations to restore and verify the restoration of a new disk image activates. The disk image is loaded onto must be configured so it will be able to accept the files (e.g., not configured as a RAID).1. Reconfigure FSM0 module as follows:

a. Type sysconfig -E. This command will erase the current configuration.b. Type sysconfig --part fsm0 1 100% -W. This will create a partition on fsm0. One

partition will be created and it will use 100% of the drive.c. Type sysconfig --nas 1 0. This assigns NAS service to partition 0.d. Type sysconfig -F --all -m --all. This formats and mounts all NAS partitions.e. Type serv --nas 1. This starts NAS services and gives the ability to access the storage

from a remote machine. See serv for additional information.2. Create a folder called firmware within the /fsm_shares/fsm_nas0 folder.3. Copy update file (e.g., cns4_image_ver2_31.gz) into /fsm_shares/fsm_nas0 folder.

NOTEThe fupdate command loads an image into memory to allow the user to update the boot image on the unit.4. Type fupdate and press ENTER key.

The update utility will start.



Figure 6.4 CNS Update Utility

5. Typically, the update file name should appear above the displayed menu (e.g.,cns4_csfc_image__year_month_day-ver_#_##.gz).

6. Select 2) Verify digital signature, image mdsum and program image into flash and press ENTEr key.

7. The update process will begin and continue for approximately 25 minutes. When the update is complete, ([!fupdate] OK) will be shown.

8. Cycle the power to store the new image.

6.3.2 ILE Module FirmwareThe following files are required to update the ILE firmware:

NOTEContact Curtiss-Wright to obtain any available / applicable update files The files below refer to Curtiss-Wright provided files for performing ILE firmware update. The ver_# is a variable that will reflect the update file version.• ile_csfc_ver_#.bin• signature_ile_csfc_ver_#.bin

NOTEThe disk the firmware update is loaded onto must be configured so it will be able to accept the files (e.g., not configured as a RAID).1. Reconfigure FSM-C module as follows:

a. Type sysconfig -E. This command will erase the current configuration.b. Type sysconfig --part fsm0 1 100% -W. This will create a partition on fsm0. One

partition will be created and it will use 100% of the drive.c. Type sysconfig --nas 1 0. This assigns NAS service to partition 0.d. Type sysconfig -F --all -m --all. This formats and mounts all NAS partitions.e. Type serv --nas 1. This starts NAS services and gives the ability to access the storage

from a remote machine. See serv for additional information.2. Create a folder called firmware within the /fsm_shares/fsm_nas0 folder.

DDOC0108-0043



3. On the host Linux PC:a. Type mkdir -p /tmp/nas_tmp/.b. Type mount.nfs 192.168.0.1:/fsm_shares/fsm_nas0/ /tmp/nas_tmp/

NOTEThe files below refer to Curtiss-Wright provided files. The year, month, day, and ver_#_## are variables that will reflect the update file date and version.4. Type cp ile_csfc_ver_#.bin signature_ile_csfc_ver_#.bin /tmp/nas_tmp/5. Type umount /tmp/nas_tmp/

NOTE The cm_field_update command loads an image into memory to allow the user to update the firmware on the ILE.6. Type cm_field_update -f ile_csfc_ver_#.bin -s

signature_ile_csfc_ver_#.bin and press ENTER key. The update utility will start.

Figure 6.5 ILE Firmware Update

7. The update process will begin and continue for approximately 10 minutes. When the update is complete, status=OK will be shown.

8. Cycle the power to store the new firmware.

6.4 EncryptionNOTE

Three failed attempts at logging into an encryption layer will block any further attempts until a power cycle or zeroization is initiated.The CNS4 uses two methods of encryption:• Hardware Encryption Layer• Software Encryption LayerThe zeroize function removes the encryption keys from both layers.

6.4.1 Zeroize

CAUTIONLOSS OF STORED DATA. Pushing the ILE Zeroize button will zeroize the ILE (erase the DEK). This action will occur even with power off. Data stored on the FSM-C modules will not be recoverable without using the same exact key as it was encrypted with.

NOTEThe zeroize button is located behind the FIPS CRYPTO cover to ensure it is not accidentally pressed.

NOTEThe ILE must be zeroized to change the hardware layer password.The goal of zeroization is to destroy the DEK loaded in the ILE beyond recovery by any means. Once a zeroize action is initiated, the process will erase the DEK. The zeroization process is accomplished by one of the following:• Pushing the ILE zeroize button.• Issuing a cm_key -z command via the CLI.• Connecting CNS4 power / RS-232 connector pin 13 to ground for a minimum of 300 mS.

DDOC0108-0044



Zeroization affects only the ILE. The data on the FSM-C modules is still accessible:• If the FSM-C module can be placed in another CNS4 with the same DEK loaded in its ILE.• If the DEK can be restored / reloaded.Data stored on the CNS4 will be encrypted using the ILE module and software encryption on the FSM-C modules. In addition, data on the FSM-C module can be secured by:• Physically separating (removing) the FSM-C module from the ILE which holds the encryption

key,• Zeroizing (erasing) the encryption key (zeroizing the ILE).In both cases, the encrypted data remains on the FSM-C module, but is unintelligible and inaccessible. To destroy the data on the FSM-C module, the FSM purge command must be used. This action actually overwrites all the data on the FSM-C modules. Refer to paragraph 11.2.11 fsmpurge for additional information.

6.4.2 Hardware Encryption Layer6.4.2.1 LE Account - Internal / External Key Storage

NOTEDEKs are created in two ways, depending on which Security Mode is selected at login.The ILE has two security modes (Internal and External). Each mode will define how the Data Encryption Key (DEK) management is performed. Table 6.2 describes the security modes. The user may change the security modes as needed.

* Requires the selection of NOT STORED storage option along with a host to generate and retain the DEK.

• ILE Mode: security mode type. The security mode must be selected by user via user interface on initial power up.

• User Authentication: ILE user authentication is required to access available ILE services.• Authorized Services: ILE security modes restrict access to services until the user is identified

and granted access to perform requested service (identity based authorization).• DEK Generation: method used to create the encryption key. The DEK may be created by the

ILE (Internal Mode) or by the host and sent to the ILE (External Mode).• DEK Transport: is how the DEK is moved from the user's storage place to the ILE. If DEK

management is handled by the ILE host (External Mode) then the DEK must be passed to the ILE via RS-232 or I2C. This DEK is passed in an encrypted form and may then be stored on the ILE. When the ILE controls DEK management, the DEK is created by the ILE (Internal Mode) and stored on the ILE. Therefore, the DEK never passes outside the ILE unit.

• DEK Storage Location: is how and where the DEK is stored. The user selects one of three storage options for the DEK (Not stored, SRAM, or EEPROM) when using the Internal or External Mode.

Table 6.2 Security Modes

FeatureInternal Mode

External Mode

User Authentication Required x x

User Composed Key x

ILE Generated Key x

DEK is Internal to the ILE and is Not Accessible to the User x

Data Recovery after Power cycle x x

Data Recovery after Zeroization* x

Selectable Storage Location x x

User Must Execute a Key Transfer Procedure* x



6.4.2.2 Internal Security Mode

The DEK is generated by the ILE's RNG to create a 256-bit DEK. It is stored in the ILE EEPROM, SRAM, or not stored per the user's selection at login. The not stored selection requires a new DEK be generated at each power-on cycle.Advantages:• Requires less effort on the user's part.• Creates a DEK known and stored exclusively by the ILE.Disadvantages:• Stored data lost if ILE is zeroized.

6.4.2.3 External Security Mode

In the External Security Mode the user is required to use their host computer to create four DEKs, along with their corresponding Message Authentication Code (MAC). It is recommended that the user utilize software that allows the entry or generation of DEKs (32 bytes long, plus an 8-byte Initialization Vector, terminated with pressing ENTER key) using an AES-ECB-256 key wrap encryption algorithm and generates the corresponding MAC (32 bytes) using an HMACSHA-256 algorithm. The software should also handle the transmission of each of the four required DEK packages (DEK of 64 ASCII hex characters, plus an Initialization Vector of 16 ASCII hex characters, terminated with pressing ENTER key). The initialization vector provides the required information to unwrap the package and extract the KEK. The DEKs are stored in the EEPROM or SRAM, or None (not stored on the ILE) per the user's selection at login. The None selection retains the DEK on the host.Advantages:• Stored data retained / accessible if ILE is zeroized (as long as DEK has been retained).• Creates a custom DEK created and known by the user.Disadvantages:• Requires more effort on the user's part.

6.4.2.4 ILE Account Creation

NOTEThe ILE must be zeroized to change the hardware layer password.

NOTEThe first account created on the ILE is always the administrator / crypto officer account. Four additional user accounts can be created as well.After the CNS4 has been initially configured, the administrator / crypto officer may create up to four additional user accounts using the cm_create_account command. The accounts must comply with the following considerations.• User name

• Composed by the user• Must be 16 characters maximum, 8 characters minimum.

• Password• Composed by the user• Must be 8 to 64 character• Must contain at least one number• Must have one upper and one lower case letter• Cannot contain symbols.

• Mode. The mode will be either internal or external. See Security Mode above.• Transfer. If external mode is selected, the DEK can be either plain text or encrypted using

another key (referred to as Key Encryption Key [KEK]). Use of a KEK provides extra security when the DEK is transferred.

• Storage. Where the key will be stored; None (not stored), EEPROM or SRAM.



ExamplesCreate a crypto officer account with username john, password aBcDeFg1, with internal key generation stored on the SRAM

Create a crypto officer account with username john, password aBcDeFg1, with external key generation stored on the EEPROM

Create a user account with username marty, password gHpErCf7

6.4.2.5 ILE Login

The login process is a two-step process where a username and password must first be provided to login. The second step is to decrypt the user token and use that decrypted user token along with the provided nonce to generate an HMAC-SHA256 to complete the challenge. Refer to paragraph 11.2.6 cm_login for additional information.

Login with username user, password Password1

Complete the login process by submitting the HMAC-SHA256

6.4.2.6 Key Transfer

NOTEKey transfer is applicable only if external mode has been selected.The command example below transfers the PSK and DEK:• from the user's equipment to CNS4 ILE 0 (0=first encryptor of four within the ILE).• in plain text (non-encrypted transfer).

cns> cm_create_account -u john -p aBcDeFg1 -m i -k s[cm_create_account]user_token=0xab491feccdd158654adab4bb10ddfffe3948571fddeee43f6b7c9a0cc0013693token_hmac=0xce6256b4220638eefb3bb3c428ddd853353bc9ce3f436062ab59d9fcd9f93642status=OK

[!cm_create_Account]

cns> cm_create_account -u john -p aBcDeFg1 -m e -k e[cm_create_account]user_token=0xc9ed6c3bbc3de43110d4e5b67da39ea4d1d79d1fb269d25759b38a25db0a8552c72158ebc19e7e60token_hmac=0x8ba8729d3a22bc6787b404a13f7cbec190ce5f64fc0e770c8710f60318274259status=OK

[!cm_create_account]

cns> cm_create_account -u marty -p gHpErCf7[cm_create_account]user_token=0xa77650375de646873a61d4c18954d2c4aaf35cd2af59bd9f0646b5a55223011atoken_hmac=0xbd7147c5119728ffea5aa2d517c3c747242ab8ad2e3259561a59d9dbe8e43248status=OK


cns> cm_login -u user -p Password1[cm_login]challenge_nonce=0xf9ccab6b0838c5ab2c1d51085df7cb3a2b9d11b7f7264b39b20116085f628255d5c72906af864026f18a7e39e7da5afe2666b839f258a37eb90386a6493726b2status=OK

[!cm_login]

cns> cm_login --hmac 30fc2e0ced04edb0942b8cae01dc0692e61bfedf172404da45edbaab72fb0791[cm_login]challenge_hmac=0x30fc2e0ced04edb0942b8cae01dc0692e61bfedf172404da45edbaab72fb0791status=OK

[!cm_login]



This command assumes that the external mode was selected in the cm_create_account command.The following explanation pertains to both the plain text key and encrypted key transfers. In the plain text transfer, the user sends the DEK and PSK over the serial or Ethernet user interface. The encryption process takes place over the backplane between the ILE and its FSM-C modules. In the encrypted transfer, the user is involved in the encryption of the transfer from their equipment over the serial or Ethernet interface to the ILE.When encrypted transfers are required, the transfer package that carries the DEK itself must be encrypted. Therefore, an encryption key for the transfer package is needed. This encryption key is referred to as the Key Encryption Key (KEK). This is not a permanent key; it is regenerated each time a KEK is called for by the cm_key command.After a zeroization, or on a new ILE, a common encryption key is needed to encrypt and decrypt the first KEK to the user's equipment from the ILE. This common key is called the PreShared Key (PSK); it is always available on the ILE. The PSK is used to encrypt all initial transfers to establish unique encryption keys for subsequent encrypted transfers of keys and their MACs (Message Authentication Code).When the ILE receives a KEK command, the KEK is generated and packaged for transfer. This package is encrypted using the previous KEK (referred to as an old or retired KEK; the PSK is used if it is the first KEK cmd. for the unit) and sent to the user's equipment. The corresponding MAC is generated in the same manner and sent to the user's equipment. The user's equipment has the old KEK and the PSK and uses the appropriate key to decrypt the KEK package and the MAC, which is used to verify that the KEK is correct. The KEK is only used once per DEK transfer session and then retired. Once this process is completed, a KEK is available to encrypt the DEK and send it to the ILE. Refer to paragraph 5.16 External Key Passing Example or a step-by-step example.

6.4.3 Software EncryptionNOTE

The passphrase can be any ASCII printable character

NOTEChanging the SWE passphrase renders the data in SWE container useless.

6.4.3.1 Software Encryption ContainerThe swcrypt command allows the user to view and alter the CNS disk encryption options. Software Encryption (SWE) uses containers to hold the data. Creation of a container requires the use of a passphrase. The passphrase must include the conditions listed below:• Minimum characters: 15.• Minimum numbers: 1.• Minimum lowercase characters: 1.• Minimum uppercase characters: 1.• Minimum special characters: 1.• Maximum consecutive repeating characters: 2.• Maximum consecutive repeating characters of the same class: 4.• Minimum number of different characters: 8.• Minimum days for passphrase change: 1.• Maximum days for password change: 60.• Dictionary words are not valid or accepted.• The last seven passphrases cannot be reused.

NOTEKeyfiles should not be used in high threat environments.After the passphrase has been decided upon, it can be:• typed in when prompted.• saved a keyfile.



To generate the keyfile, the passphrase is enter as a text file and then saved to the CNS4 keyfile directory. After the keyfile is saved to the CNS4, a SWE container must be created using the --init flag before it can be opened, closed or erased. The --flag is applied to partitions. The example shown below is creating a SWE container on partition 2.

Example

After the SWE container has been created, the following command and flags are used;• swcrypt --open will open a SWE container.• swcrypt --close will close a SWE container.• swcrypt --erase will erase a SWE container.These commands / flags typically have an option included with them. The option is used to select partitions to command / flag is applied to. The options are:• # - single NAS disk volume number• # # - <# #> two or more NAS disk volumes• all - all NAS disk volumesThe example below opens a SWE container on partition 2 by manually entering the passphrase.

Example

The example below opens a SWE container on partition 2 using a keyfile.Example

The status of the SWE container can be checked by using the swcrypt command without any associated flags. The example show below shows no SWE containers on partitions 1 and 2. The container on partition 3 is open while the container on partition 4 is closed.

Example

Additional information regarding command associated with the software encryption layer is available in paragraph 11.2.25 swcrypt and the Quick Start section

cns> swcrypt --init 2 --key-file /keyfiles/keyfile2.txt[swcrypt]cmd=init Part=2 status=OK

[!swcrypt] OK

cns> swcrypt --open 2 --pass[swcrypt]

cmd=open Part=2 Enter passphrase for /dev/sdb1:Verify passphrase:

status=OK[!swcrypt] OK

cns> swcrypt --open 2 --key-file /keyfiles/keyfile2.txt[swcrypt]cmd=open Part=3 status=OK

[!swcrypt] OK

cns> swcrypt[swcrypt]Partitions: 4Part0: name=fsm0-d01 swe=noPart1: name=fsm1-d01 swe=noPart2: name=fsm2-d01 swe=openPart3: name=fsm3-d01 swe=closed

[!swcrypt] OK


CNS4 CSfC 7 - 1 System ConfigurationRevision 0.0

System ConfigurationThe system configuration command (sysconfig) is used to either:• View the system configuration• Create or modify the system configurationRefer to Table 7.1 for a list of flags and options associated with the sysconfig command.

Table 7.1 Sysconfig Flags and Options Flag Modifier Action

--add <options> Add spare / replace disk in RAID-A --all Show all fields even empty ones

--file <options> Allocate a target image file on a mounted NAS volume-F --format <#|# #|all> Format NAS partition(s)

--free <options> Free partition not used for service-K --fsck <#|# #|all> File system check one or more NAS partitions

--fsep "char" Specify field separation character for single line machine output--getDevName <str> Get device name of specified NAS volume--getFreeDisks Get list of unconfigured disks--getNfsOpt Get current NFS export flags

-h --help Show sysconfig help file-L --hide Hide most of the field labels

--iscsi0 <options> iSCSI on assigned partition using GBE0--iscsi1 <options> iSCSI on assigned partition using GBE1--iscsi2 <options> iSCSI on assigned partition using GBE2--iscsi3 <options> iSCSI on assigned partition using GBE3--isMounted <VID> Check to see if NAS volume is mounted

-M --mount <#|# #|all> Mount partition(s) as NAS --multi Used with assign services flag to allow multiple services to use the same

partition--nas <options> Network attached storage--numFreeDisks Get number of free disks--numFsmDisks Get total number of disks--numPartitions Get total number of partitions--part <options> Create partition(s) on specified FSMs--raid <L> <options> Create RAID across specified FSMs--raidStatus Display status of each RAID in the system--remove <options> Remove spare defective disk from a raid--rescan Rescan SATA hosts for FSM connections--scan Delete and then scan for FSM connections--setNfsOpt <options> Set NFS export flags

-S --status Show disk, partition, and service configuration--sw Generate single line machine output

-T --trim <#|# #|all> Trim one or more mounted NAS partitions-U --umount <#|# #|all> Unmount NAS partition(s)

--verb Generate verbose output--version Show software version

-E --wipe Wipe RAID and partition data from all disks--wrap <1, 0> Word wrap text to screen

-W --writecfg Write system configuration to disks



7.1 addPurposeAdd spare disk / replace disk in RAIDCommandsysconfig --add fsm_raid<c> fsm<slot>-d<pos>

Flag Modifiers Explanation<c> - Raid disk identifier (a,b,c,d,etc)<slot> - FSM slot number<pos> - Disk in specified position in FSM

Example

7.2 allPurposeShow all fields, even empty ones. Typically used as a modifier to the stats command.Commandsysconfig --status --all

Flag Modifiers ExplanationNot Applicable

Example

cns> sysconfig --add fsm_raida fsm0-d3[sysconfig]Add_spare: raid=/dev/md/fsm_raida disk=/dev/fsm0-d3 status=OK

[!sysconfig] OK

cns> sysconfig --status --all[sysconfig]DiskConfig:Unconfigured_disks: numDisk=0Individual_disks: numDisk=0Raid_disks: numDisk=4Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=480GBDisk3: name=fsm0-d3 size=512GB

Raid_volumes: numDisk=1Raid0: name=fsm_raida level=0 size=2016GB numDisk=4 disk=fsm0-d0 \disk=fsm0-d1 disk=fsm0-d2 disk=fsm0-d3

Partitions: numPartitions=6Part0: name=fsm_raida size=322629MB pSize=16.00% dp=1 numServ=1 \sName=fsm_nas0 fmt=ext4 mnt=1 enb=0Part1: name=fsm_raida size=322630MB pSize=16.00% dp=2 numServ=1 \sName=fsm_nas1 fmt=ext4 mnt=0 enb=0Part2: name=fsm_raida size=342794MB pSize=17.00% dp=3 numServ=1 \sName=FC0_L0 enb=0Part3: name=fsm_raida size=342794MB pSize=17.00% dp=4 numServ=1 \sName=FC1_L0 enb=0Part4: name=fsm_raida size=342794MB pSize=17.00% dp=5 numServ=1 \sName=iSCSI0_L0 enb=0Part5: name=fsm_raida size=342794MB pSize=17.00% dp=6 numServ=1 \sName=iSCSI1_L0 enb=0

Device_partitions: numServ=5NAS: num_part=2 part=0 part=1FC0: num_part=1 part=2FC1: num_part=1 part=3iSCSI0: num_part=1 part=4iSCSI1: num_part=1 part=5

Image_files:[!sysconfig] OK



7.3 filePurposeAllocate a target image file on a mounted NAS volumeCommandsysconfig --file <nas volume #> <image file name> <image size>

Flag Modifiers Explanation<NAS volume #> - NAS volume number. 0 to n<image file name> - Name of target image file on NAS volume.<image size> - Image size specified in MiB, MB, GiB, GB, TiB or TB.

Example

7.4 formatPurposeFormat NAS partition(s)Commandsysconfig --format <# | ## | all>

Flag Modifiers Explanation# - single NAS disk volume number# # - <# #> two or more NAS disk volumesall - all NAS disk volumes

Example

cns> sysconfig --file 0 file1.img 10GiB[sysconfig]DiskConfig:Raid_disks: numDisk=4Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=480GBDisk3: name=fsm0-d3 size=512GBRaid_volumes: numDisk=1

Raid0: name=fsm_raida level=0 size=2016GB numDisk=4 disk=fsm0-d0 \disk=fsm0-d1 disk=fsm0-d2 disk=fsm0-d3

Partitions: numPartitions=6Part0: name=fsm_raida size=322629MB pSize=16.00% dp=1 numServ=1 \sName=fsm_nas0 fmt=ext4 mnt=1 enb=0Part1: name=fsm_raida size=322630MB pSize=16.00% dp=2 numServ=1 \sName=fsm_nas1 fmt=ext4 mnt=1 enb=0Part2: name=fsm_raida size=342794MB pSize=17.00% dp=3 numServ=1 \sName=UnconfiguredPart3: name=fsm_raida size=342794MB pSize=17.00% dp=4 numServ=1 \sName=UnconfiguredPart4: name=fsm_raida size=342794MB pSize=17.00% dp=5 numServ=1 \sName=iSCSI0_L0 enb=0Part5: name=fsm_raida size=342794MB pSize=17.00% dp=6 numServ=1 \sName=iSCSI1_L0 enb=0

Device_partitions: numServ=3NAS: num_part=2 part=0 part=1iSCSI0: num_part=1 part=4iSCSI1: num_part=1 part=5

Image_files:Vol0: numFiles=1 name=file1.img size=10737MB[sysconfig] OK

cns> sysconfig --format all[sysconfig]FSM_NAS0: cmd=format status=OKFSM_NAS1: cmd=format status=OK

[!sysconfig] OK



7.5 free PurposeFree partition not used for serviceCommandsysconfig --free <# parts (0-n)> <part #>Flag Modifiers Explanation<#parts> Number of partitions to use with the device.<part #> Partition number (can have multiple partitions)

Example

7.6 fsckPurposeFile system check one or more NAS partitionsCommandsysconfig --fsck <# | ## | all>

Explanation# - single NAS disk volume number# # - <# #> two or more NAS disk volumesall - all NAS disk volumes

Example

cns> sysconfig --free 2 2 3[sysconfig]DiskConfig:Raid_disks: numDisk=4Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=480GBDisk3: name=fsm0-d3 size=512GB


Partitions: numPartitions=6Part0: name=fsm_raida size=322629MB pSize=16.00% dp=1 numServ=1 \sName=fsm_nas0 fmt=ext4 mnt=1 enb=0Part1: name=fsm_raida size=322630MB pSize=16.00% dp=2 numServ=1 \sName=fsm_nas1 fmt=ext4 mnt=1 enb=0Part2: name=fsm_raida size=342794MB pSize=17.00% dp=3 numServ=1 \sName=UnconfiguredPart3: name=fsm_raida size=342794MB pSize=17.00% dp=4 numServ=1 \sName=UnconfiguredPart4: name=fsm_raida size=342794MB pSize=17.00% dp=5 numServ=1 \sName=iSCSI0_L0 enb=0Part5: name=fsm_raida size=342794MB pSize=17.00% dp=6 numServ=1 \sName=iSCSI1_L0 enb=0


Image_files:[!sysconfig] OK

cns> sysconfig --fsck all[sysconfigFSM_NAS0: cmd=fsck status=OKFSM_NAS1: cmd=fsck status=OK

[!sysconfig] OK



7.7 fsepPurposeSpecify field separation character for single line machine outputCommandsysconfig --fsep “char”

Flag Modifiers Explanation“char” - designates a character to act as a separator between fields.

7.8 getDevNamePurposeGet device name of specified NAS volumeCommandsysconfig --getDevName <str>

Flag Modifiers Explanation<str> - System name of the NAS volume specified (ie. /dev/fsm0-d0p0 /dev/fsm_raida1)

[Example

7.9 getFreeDisksPurposeGet list of unconfigured disksCommandsysconfig --getFreeDisks


Example

7.10 getNfsOptPurposeGet current NFS export flagsCommandsysconfig --getNfsOpt


Example

cns> sysconfig --getDevName 0[sysconfig]/dev/fsm0-d0p1

[!sysconfig] OK

cns> sysconfig --getFreeDisks[sysconfig]/dev/fsm0-d0 /dev/fsm0-d1 /dev/fsm0-d2 /dev/fsm0-d3

[!sysconfig] OK

cns> sysconfig --getNfsOpt[sysconfig]nfs_export_flags=rw,sync,no_root_squash,anonuid=1000,anongid=1000 status=OK

[!sysconfig] OK



7.11 helpPurposeShow sysconfig help fileCommandsysconfig --help


7.12 hidePurposeHide most of the field labelsCommandsysconfig --status --hide


Example

7.13 iscsi0, 1, 2, 3PurposeAssign a service to a specific partitionCommandsysconfig --iscsiX <# parts> <part #>

Flag Modifiers Explanation<#parts> Number of partitions to use with the device.<part #> Partition number (can have multiple partitions)

cns> sysconfig --hide[sysconfig]DiskConfig:Unconfigured disks: 1Disk0: fsm0-d2 480GB

Individual disks: 1Disk0: fsm0-d3 512GB

Raid disks: 2Disk0: fsm0-d0 512GBDisk1: fsm0-d1 512GB

Raid volumes: 1Raid0: fsm_raida level=0 1024GB numDisk=2 fsm0-d0 fsm0-d1

Partitions: 6Part0: fsm0-d3 128027MB 25.00% dp=1 fsm_nas0 fmt=ext4 mnt=1 enb=0 FC1_L0 \enb=0Part1: fsm0-d3 128027MB 25.00% dp=2 iSCSI0_L0 enb=0Part2: fsm0-d3 128028MB 25.00% dp=3 fsm_nas1 fmt=ext4 mnt=1 enb=0 iSCSI0_L1 \enb=0 iSCSI0_L2 enb=0Part3: fsm0-d3 128027MB 25.00% dp=4 iSCSI1_L0 enb=0Part4: fsm_raida 512110MB 50.00% dp=1 UnconfiguredPart5: fsm_raida 512110MB 50.00% dp=2 FC0_L0 enb=0

Device_partitions:NAS: 0 2FC0: 5iSCSI0: 1iSCSI1: 3

Image_files:Vol0: file.img 10737MBVol1: file1.img 10737MB file2.img 5368MBFC1: numFiles=1 /fsm_shares/fsm_nas0/file.imgiSCSI0: numFiles=2 /fsm_shares/fsm_nas1/file1.img \ /fsm_shares/fsm_nas1/file2.img

[!sysconfig] OK



Example

7.14 isMountedPurposeCheck to see if NAS volume is mountedCommandsysconfig --isMounted <VID>

Flag Modifiers Explanation[<VID> - NAS volume ID

Example

7.15 mountPurposeMount NAS partition(s)Commandsysconfig --mount <#|# #|all>


cns> sysconfig --nas 2 0 1 --fc0 1 2 --fc1 1 3 --iscsi0 1 4 --iscsi1 1 5sysconfig]DiskConfig:Raid_disks: numDisk=4Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=480GBDisk3: name=fsm0-d3 size=512GB


Partitions: numPartitions=6Part0: name=fsm_raida size=322629MB pSize=16.00% dp=1 numServ=1 \sName=fsm_nas0 fmt=no mnt=0 enb=0Part1: name=fsm_raida size=322630MB pSize=16.00% dp=2 numServ=1 \sName=fsm_nas1 fmt=no mnt=0 enb=0Part2: name=fsm_raida size=342794MB pSize=17.00% dp=3 numServ=1 \sName=FC0_L0 enb=0Part3: name=fsm_raida size=342794MB pSize=17.00% dp=4 numServ=1 \sName=FC1_L0 enb=0Part4: name=fsm_raida size=342794MB pSize=17.00% dp=5 numServ=1 \sName=iSCSI0_L0 enb=0Part5: name=fsm_raida size=342794MB pSize=17.00% dp=6 numServ=1 \sName=iSCSI1_L0 enb=0

Device_partitions: numServ=5NAS: num_part=2 part=0 part=1FC0: num_part=1 part=2FC1: num_part=1 part=3iSCSI0: num_part=1 part=4iSCSI1: num_part=1 part=5

Image_files:Vol0: numFiles=2 file1.img 60927MB file0.img 31875MB[!sysconfig] OK

cns> sysconfig --isMounted 0[sysconfig]FSM_NAS0: mounted=1 status=OK

[!sysconfig] OK



Example

7.16 multiPurposeUsed with assign services flag to allow multiple services to use the same partitionCommandsysconfig --fc0 1 0 --fc1 1 0 --multiFlag Modifiers ExplanationNot Applicable

Example

7.17 nasPurposeAssign a service to a specific partitionCommandsysconfig --nas <# parts> <part #>

Flag Modifiers Explanation<#parts> - Number of partitions to use with the device.<part #> - Partition number (can have multiple partitions).--all - All partitions used with device.

Example

cns> sysconfig --mount all[sysconfig]FSM_NAS0: mounted=1 status=OKFSM_NAS1: mounted=1 status=OK

[!sysconfig] OK

cns> sysconfig --fc0 1 0 --fc1 1 0 --multi

cns> sysconfig --nas 2 0 1 --iscsi0 1 4 --iscsi1 1 5sysconfig]DiskConfig:Raid_disks: numDisk=4Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=480GBDisk3: name=fsm0-d3 size=512GB


Partitions: numPartitions=6Part0: name=fsm_raida size=322629MB pSize=16.00% dp=1 numServ=1 \sName=fsm_nas0 fmt=no mnt=0 enb=0Part1: name=fsm_raida size=322630MB pSize=16.00% dp=2 numServ=1 \sName=fsm_nas1 fmt=no mnt=0 enb=0Part2: name=fsm_raida size=342794MB pSize=17.00% dp=3 numServ=1 \sName=FC0_L0 enb=0Part3: name=fsm_raida size=342794MB pSize=17.00% dp=4 numServ=1 \sName=FC1_L0 enb=0Part4: name=fsm_raida size=342794MB pSize=17.00% dp=5 numServ=1 \sName=iSCSI0_L0 enb=0Part5: name=fsm_raida size=342794MB pSize=17.00% dp=6 numServ=1 \sName=iSCSI1_L0 enb=0


Image_files:Vol0: numFiles=2 file1.img 60927MB file0.img 31875MB[!sysconfig] OK



7.18 numFreeDisksPurposeGet number of free disksCommandsysconfig --numFreeDisks


Example

7.19 numFsmDisksPurposeGet total number of disks seen by the OS in all FSM present with keys loadedCommandsysconfig --numFsmDisks


Example

7.20 numPartitionsPurposeGet total number of partitionsCommandsysconfig --numPartitions


Example

7.21 partPurposeCreate partitionCommandsysconfig --part <device> <num parts (1-n)> <part sizes>

Flag Modifiers Explanation<device> - FSM device name of disk to create partitions on. (fsmX-dY)<num parts> - Number of partitions to create on the disk. (1 to n)<part sizes> - List of partition sizes. Can be specified as percent of disk or sizes in MiB, MB, GiB, GB, TiB or TB.

cns> sysconfig --numFreeDisks[sysconfig]4

[!sysconfig] OK

cns> sysconfig --numFsmDisks[sysconfig]4

[!sysconfig] OK

cns> sysconfig --numPartitions[sysconfig]6

[!sysconfig] OK



Example

7.22 raidPurposeCreate RAIDCommandsysconfig --raid<L> <devices> <num parts> <part sizes>

Flag Modifiers Explanation<L> - Raid level 0, 1 or 10. Raid 0 if not specified.<devices> - FSM device names of disks to create raid and partitions on.<num parts> - Number of partitions to create on the raid.<part sizes> - List of partition sizes. Can be specified as percent of disk or sizes in MiB, MB, GiB, GB, TiB or TB.

Example

Example

7.23 raidStatusWhen a RAID that can operate with a missing disk is built it takes time for the disk to synchronize the disk contents between disks. The command sysconfig --raidstatus can be used to monitor the raid state and check the status of the synchronization progress of each raid in the system. The raid status command reports:• RAID level• RAID size• RAID state• Number of disks• Name of each disk device• Mode of each disk device If the disk is being synchronized it will report the percentage of synchronization completed, the estimated time to finish and the speed at which the data is being synchronized.PurposeDisplay status of each RAID in the systemCommandsysconfig --raidStatus


cns> sysconfig --part fsm0-d0 2 25% 75% -W[sysconfig]Partition_disk: status=OK

[!sysconfig] OK

cns> sysconfig --raid1 fsm0-d1 fsm0-d2 2 50% 50% -W[sysconfig]Create_raid: status=OKPartition_disk: status=OK

[!sysconfig] OK

cns> sysconfig --raid fsm0-d0 fsm0-d1 fsm0-d2 fsm0-d3 6 16% 16% 17% 17% 17% 17% -W[sysconfig]Create_raid: status=OKPartition_disk: status=OK

[!sysconfig] OK



Example

7.24 removePurposeRemove spare defective disk from a raidCommandsysconfig --remove fsm<slot>-d<pos>

Flag Modifiers Explanation<slot> - FSM slot number<pos> - Disk in specified position in FSM

Example

7.25 rescanPurposeRescan SATA hosts for FSM connectionsCommandsysconfig --rescan


Example

7.26 scanPurposeDelete and then scan for FSM connectionsCommandsysconfig --scan


Example

cns> sysconfig --raidStatus[sysconfig]fsm_raida: level=raid1 size=511.98GB state=active,resyncing active_dev=2 \raid_dev=2 dev=fsm0-d0 dstate=active,sync dev=fsm0-d1 dstate=active,sync \resync=1.1% finish=71.5min speed=115080K/sec

[!sysconfig] OK

cns> sysconfig --remove fsm0-d3[sysconfig]Remove_spare: raid=/dev/md/fsm_raida disk=/dev/fsm0-d3 status=OK

[!sysconfig] OK

cns> sysconfig --rescan[sysconfig]cmd=rescan, scanning_for_FSM_disks status=OK

[!sysconfig] OK

cns> sysconfig --scan[sysconfig]cmd=scan, deleting_all_FSM_entries status=OKcmd=scan, scanning_for_FSM_disks status=OK

[!sysconfig] OK



7.27 setNfsOpt PurposeSet NFS export flagsCommandsysconfig --setNfsOpt <flags>

Flag Modifiers Explanation<flags> - comma separated list of export options

Example

7.28 statusPurposeShow disk, partition, and service configurationCommandsysconfig --status

Flag Modifiers ExplanationNot ApplicableThe sysconfig status output has four sections: • DiskConfig• Partitions• Device Partitions• Image FilesDiskConfig describes how the individual FSM disk are used. The FSM disks fall in one of three categories:• Unconfigured disks - unconfigured disks are disks that have no partition table or other

information stored on the disk• Individual disks - Individual disks are comprised of a single FSM disk with one or more

partitions stored on the disk. • Raid disks- Raid disks are disk that are part of a multiple FSM disk software raid. There can be

multiple raids present. The Raid volumes section provides information on the configuration of each software raid.

Partitions describes how each disk partition on the system is configured and used. Each line contains:• Name of the individual disk or raid the partition is located on.• Raw size of each partition.• Individual disk partition (dp) number of the partition on the disk or raid. • Number of device services associated with each partitions and the exported name of the

service.Example: fsm_nas<vol> fmt=<type> enb=<0|1>. The NAS entries are exported as fsm_nas0, fsm_nas1, etc where <vol> is the NAS volume id. The fmt=<type> field indicates if the partition is formatted and what type of file system is present on the partition. If a NAS services such as ftp, tftp, cifs or nfs are active the flag enb will be set to one. If they are all inactive it will be set to zero.For iSCSI target device you should see iSCSIX_LY where X is the Ethernet port used and Y is the device. If the iSCSI device is an active device the enb f lag will be set to one.

cns> sysconfig --setNfsOpt rw,async,all_squash,no_subtree_check,anonuid=1000,anongid=1000[sysconfig]set_nfs_export_flags='rw,async,all_squash,no_subtree_check,anonuid=1000,anongid=1000' status=OK

[!sysconfig] OK



The swe=<str> entry at the end of each line indicates if the partitions is software encrypted. Valid string values are no, open and closed. 'no' indicates there is not an encrypted partition on the partition. 'open' indicates there is an encrypted container present on the partition and the data is accessible to read and write. 'closed' indicates there is an encrypted container present on the partition but the data is not accessible Device_partitions provides a list of partitions used by each possible service type (NAS, ISCSI0, iSCSI1, etc). To use a service it needs to be assigned to one or more partitions from the partition list. This section show which partitions have been assigned to each service.Image file shows a list of files that have been created on a NAS volume for the purpose of being exported as a target device. External hosts see the target iSCSI devices as disks. This section start by listing the volumes containing target files. For each NAS volume the name and size of each file is listed. Then it shows which files have been assigned to each possible service.

Example

7.29 swPurposeGenerate single line machine outputCommandsysconfig --sw


7.30 trim PurposeTrim one or more mounted NAS partitionsCommandsysconfig --trim <# | ## | all>


cns> sysconfig --status[sysconfig]DiskConfig:Individual_disks: numDisk=1Disk0: name=fsm0-d3 size=512GB

Raid_disks: numDisk=3Disk0: name=fsm0-d0 size=512GBDisk1: name=fsm0-d1 size=512GBDisk2: name=fsm0-d2 size=512GB

Raid_volumes: numDisk=1Raid0: name=fsm_raida level=0 size=1536GB numDisk=3 disk=fsm0-d0 disk=fsm0-d1 disk=fsm0-d2

Partitions: numPartitions=6Part0: name=fsm0-d3 size=128027MB pSize=25.00% dp=1 numServ=1 sName=fsm_nas0 fmt=ext4 mnt=1 enb=0 swe=openPart2: name=fsm0-d3 size=128028MB pSize=25.00% dp=3 numServ=1 sName=fsm_nas1 fmt=ext4 mnt=0 enb=0 swe=openPart3: name=fsm0-d3 size=128027MB pSize=25.00% dp=4 numServ=1 sName=Unconfigured swe=openPart4: name=fsm_raida size=768165MB pSize=50.00% dp=1 numServ=1 sName=iSCSI0_L0 enb=0 swe=openPart5: name=fsm_raida size=768165MB pSize=50.00% dp=2 numServ=1 sName=Unconfigured swe=open

Device_partitions: numServ=3NAS: num_part=2 part=0 part=2FC0: num_part=1 part=1iSCSI0: num_part=1 part=4

[!sysconfig] OK



Example

7.31 umountPurposeUnmount NAS partition(s)Commandsysconfig -unmount <# | # # | all>


Example

7.32 verbPurposeGenerate verbose (non-truncated) output. Typically used as a modifier to the --status command to make the text easier to read.Commandsysconfig --status --verb


7.33 versionPurposeShow software versionCommandsysconfig --version


Example

7.34 wipePurposeWipe RAID and partition data from all disksCommandsysconfig --wipe


cns> sysconfig --trim all[sysconfig]FSM_NAS0: cmd=trim status=OKFSM_NAS1: cmd=trim status=OK

[!sysconfig] OK

cns> sysconfig -unmount all[sysconfig]

FSM_NAS0: mounted=0 status=OKFSM_NAS1: mounted=0 status=OK

[!sysconfig] OK

cns> sysconfig --version[sysconfig]VER: cmd=sysconfig version=17 date=01/April/2018 status=OKVER: lib=function version=18 date=01/April/2018 status=OK

[!sysconfig] OK



Example

7.35 wrapPurposeThe flag --wrap adds carriage returns to the output for any line over 80 characters in length. Typically used as a modifier to the --status command to make the text easier to read.Commandsysconfig --status --wrap

Flag Modifiers Explanation1=word wrap 0=no wrap. Default:1

Example

7.36 writecfgPurposeWrite system configuration to disks. Usually used as a modifier to --part or --raid flagCommandsysconfig --part fsm0-d0 2 100Gib 900Gib --writecfg


Example

cns> sysconfig --wipe[sysconfig]cmd=wipe status=OK

[!sysconfig] OK

cns> sysconfig --status --wrap[sysconfig]DiskConfig:Unconfigured_disks: numDisk=1Disk0: name=fsm0-d3 size=512GB

Individual_disks: numDisk=1Disk0: name=fsm0-d0 size=512GB

Raid_disks: numDisk=2Disk0: name=fsm0-d1 size=512GBDisk1: name=fsm0-d2 size=512GB

Raid_volumes: numDisk=1Raid0: name=fsm_raida level=0 size=1024GB numDisk=2 disk=fsm0-d1 disk=fsm0-d2

Partitions: numPartitions=5Part0: name=fsm0-d0 size=128027MB pSize=25.00% dp=1 numServ=1 sName=UnconfiguredPart1: name=fsm0-d0 size=128027MB pSize=25.00% dp=2 numServ=1 sName=UnconfiguredPart2: name=fsm0-d0 size=128028MB pSize=25.00% dp=3 numServ=1 sName=UnconfiguredPart3: name=fsm0-d0 size=128027MB pSize=25.00% dp=4 numServ=1 sName=UnconfiguredPart4: name=fsm_raida size=1024220MB pSize=100.00% dp=1 numServ=1sName=Unconfigured

Device_partitions: numServ=0Image_files:[!sysconfig] OK

cns> sysconfig --raid1 fsm0-d0 fsm0-d1 2 50% 50% --writecfg[sysconfig]Create_raid: status=OKPartition_disk: status=OK

[!sysconfig] OK


CNS4 CSfC 8 - 1 TroubleshootingRevision 0.0

Troubleshooting8.1 LED Indicators

Refer to Table 8.1 for LED status indicator information. Refer to Controls and Indicators section for location information. If any one of the LEDs exhibits the failure status, the CNS4 will not function properly. The remedial action should only be tried one or two times.

8.2 Error CodesThe ILE red Fault LED will turn ON if any of the conditions inTable 8.2 occur. Refer to log for information on CNS4 errors and how to clear them. Refer to cm_log for information on ILE error codes.If any of the errors shown in Table 8.2 appear in the CLI, the unit will be locked. The only course of action for the user is to cycle power or zeroize the ILE. If the error does not clear and normal operation is not restored, contact Curtiss-Wright Customer Support at (800) 252-5601 for assistance or E-mail [email protected].

Table 8.1 LED Indicators

LED Location / Label Color

Failure Condition Meaning Remedial Action

Chassis S0 Red ON See Table 8.2 Enter health, ibit, or log commands via CLI to determine cause

Chassis S1 Yellow OFF No 28VDC input power applied Cycle power

Chassis S2 Green OFF System did not boot / OS did not load

Cycle power

Chassis S3 Green OFF Storage not ready Enter health, ibit, or log commands via CLI to determine cause

FSM P (Power) Green OFF No power applied 1. Enter health, ibit, or log commands via CLI to determine cause

2. Re-seat module

FSM F (Fault) Red ON FSM-C module fault Enter health, ibit, or log commands via CLI to determine cause

FSM C (Status) Yellow OFF FSM-C module fault Enter health, ibit, or log commands via CLI to determine cause

ILE P (Power) Green OFF No power applied 1. Enter health, ibit, or log commands via CLI to determine cause

2. Re-seat module

ILE F (Fault) Red ON ILE module fault Enter health, ibit, or cm_log commands via CLI to determine cause

ILEC (Status) Yellow OFF Encryption keys not loaded Load DEKs

Table 8.2 Error Code List

Error Code Type Meaning

0x0102 AES Memory allocation error

0x0109 AES Known Answer Test (KAT) failed

0x0202 KEY_WRAP Memory allocation error

0x0209 KEY_WRAP Known Answer Test (KAT) failed



0x0210 KEY_WRAP Initialization vector error

0x0302

SHA Memory allocation error0x0303

0x0307

0x0309 SHA Known Answer Test (KAT) failed

0x0402 HMAC Memory allocation error

0x0407 HMAC HMAC vector failed

0x0409 HMAC Known Answer Test (KAT) failed

0x0502DRBG Memory allocation error

0x0503

0x0508 DRBG Invalid state error

0x0509 DRBG Known Answer Test (KAT) failed

0x0510 DRBG Reseed error

0x0602RNG Memory allocation error

0x0603

0x0604 RNG SRAM write error

0x0605 RNG SRAM write error

0x0609 RNG Known Answer Test (KAT) failed

0x0705 TEMP Temperature read error

0x0804 I2C i2c switch write error

0x0809 I2C i2c switch queue error

0x0810 I2C Interrupt handler error

0x080F I2C Checksum failed

0x0910 VOLT 1.8v sensor failure


0x0930 VOLT 5v sensor failure



0x0960 VOLT Low battery warning

0x0A0A ENCRYPTION User has not yet requested kek

0x0A11 ENCRYPTION Encryptor key mode config error

0x0A12 ENCRYPTION Encryptor keyload error

0x0A13 ENCRYPTION Encryptor xwall config error

0x0A14 ENCRYPTION Invalid enova slot

0x0A10 ENCRYPTION Chip_A BIST error

0x0A20 ENCRYPTION Chip_B BIST error





0x0A30 ENCRYPTION Chip_C BIST error

0x0A40 ENCRYPTION Chip_D BIST error

0x0A50 ENCRYPTION Chip_A POST error

0x0A60 ENCRYPTION Chip_B POST error

0x0A70 ENCRYPTION Chip_C POST error

0x0A80 ENCRYPTION Chip_D POST error

0x0B04 SATA SATA write error

0x0B05 SATA SATA read error

0x0D01 SRAM Low battery error

0x0D04 SRAM Write error

0x0D07 SRAM Read error

0x0D08 SRAM SRAM corrupt

0x0E03 NVRAM_1 Memory allocation error

0x0E04 NVRAM_1 Write error

0x0E05 NVRAM_1 Read error

0x0E07 NVRAM_1 NVRAM corrupt

0x0F03 NVRAM_2 Memory allocation error

0x0F04 NVRAM_2 Write error

0x0F05 NVRAM_2 Read error

0x0F07 NVRAM_2 NVRAM corrupt

0x1001 ILE Invalid storage type

0x1002 ILE Invalid credentials

0x1003 ILE Invalid credentials

0x1004 ILE Invalid login

0x1005 ILE Invalid user type

0x1006 ILE Invalid PSK

0x1007 ILE User accounts have exceeded 5

0x1008 ILE Permission denied

0x1009 ILE Invalid key generation method

0x100A ILE Invalid state

0x100B ILE Exceeded ILE login attempts

0x100C ILE EDC check failed

0x100D ILE Duplicate username

0x100E ILE Unrecognized command

x3001 FUPDATE Transfer failed

x3002 FUPDATE Invalid checksum





x3003 FUPDATE Filesave failed

x3004 FUPDATE Invalid signature

x3005 FUPDATE Verification failed

x3006 FUPDATE Program failed

0x0C10 SECURITY Tamper event








0x0009 HOST Communications error

0x0000 Not Applicable Status OK




CNS4 CSfC 9 - 1 Simple Network Management ProtocolRevision 0.0

Simple Network Management ProtocolThe CNS4 supports Simple Network Management Protocol (SNMP). The data provided to the user's SNMP-configured workstation. The user may configure SNMP for a Windows workstation via the Windows Control Panel. The user should consult with their network administrator for details on configuration and utilization of the SNMP traps and other data capture programs. Figure 6-6 shows the OID command hierarchic. Below are examples of making use of the SNMP agent running on the CNS4. Refer to the OID tree and the MIB for objects to query/set. Some objects are read only, write-only, as well as read-write. In these examples, note the cnsSnmp.X.Y format. You can correlate from these examples and the OID tree (Figure 9.1) on how to access different objects. A majority of the objects are STRINGS and we denote that by passing an ‘s’ to the set command.A.Refer to SNMP MIB for the CNS4 MIB for SNMP. The MIB default path is /usr/share/snmp/mibs/ As of the date of this document, the appropriate way to start/stop the SNMP agent via command line is:

serv –-snmp 1 – starts the snmp agentserv –-snmp 0 – stops the snmp agent

NOTETraps may not be included in all installations.

Figure 9.1 OID Tree

Adjust Brightness

Read Only

ETH0 (1)

IP (1)

Gateway (2)

Netmask (3)

DHCP Client ID (4)

Use DHCP (5)

Apply Changes (6)

IP (1)

Gateway (2)

Netmask (3)

DHCP Client ID (4)

Use DHCP (5)

Apply Changes (6)

IP (1)

Gateway (2)

Netmask (3)

DHCP Client ID (4)

Use DHCP (5)

Apply Changes (6)

IP (1)

Gateway (2)

Netmask (3)

DHCP Client ID (4)

Use DHCP (5)

Apply Changes (6)

ETH1 (2) ETH2 (3) ETH3 (4)

DDOC0108-0042

cnsSnmp (1)

HEALTH (1)

IBIT (2)

FSM Disk Status (3)

FSM0 EEPROM (1) FSM1 EEPROM (2) FSM2 EEPROM (3) FSM3 EEPROM (4)

LED Status (4)

S0 (1) S1 (2) S2 (3) S3 (4)

IP Configuration (5)

IP ConfigSystem Config (6)

Start / Stop Services (7)Control Boot Services (8)

CIFS (1)

NFS (2)

FTP (3)

TFTP (4)

HTTP (5)

Telnet (6)

SNMP (7)

All (8)

CIFS (1)

NFS (2)

FTP (3)

TFTP (4)

HTTP (5)

Telnet (6)

SNMP (7)

All (8)

Fibre Channel ON / OFF (9)

System Date (10)

System Time (11)

Reboot (12)

Shutdown (13)



NOTEIf a remote machine is not available to run SNMP functionality, use 127.0.0.1 as the IP.Example 1: CWCDS-CNS-MIB::cnsHealth.0 = STRING: "[health]

Example 2: GET IP ETH1 – cnsSnmp.5.2.1

Example 3: SET LED DUTY CYCLE – cnsSnmp.4.1

Example 4: SET ETH0 IP – cnsSnmp.5.1.1

snmpget -v 2c -c cns -mCWCDS-CNS-MIB [IP.Address.Here]cnsSnmp.1.1.0CWCDS-CNS-MIB::cnsHealth.0 = STRING: [health]SYSTEM: Date=04/02/2015 Time=19:22:09 Firmware Ver=1.0 CNSVer=1.08Power Supply Temp 1 = 34 C Temp 2 = 26 CMain Board Temp Bot 1 = 33 C Temp Bot 2 = 28 CMain Board Temp Top 1 = 24 C Temp Top 2 = 30 Cstatus=OK|----------------------- FSM-C Status --------------------|| | Temp 1 | 5 V | 3.3V | Fault LED | Status LED ||------|---------|-------|-------|-----------|------------|| FSM0 | 21 C | 4.88V | 3.29V | OFF | OFF || FSM1 | 27 C | 4.90V | 3.31V | OFF | OFF || FSM2 | 26 C | 4.91V | 3.29V | OFF | OFF || FSM3 | 25 C | 4.89V | 3.29V | OFF | OFF ||---------------------------------------------------------|ETH_0: ip=192.168.1.22 link=1000Mb/s status=OKETH_1: ip=192.168.2.22 link=1000Mb/s status=OKETH_2: ip=192.168.3.22 link=1000Mb/s status=OKETH_3: ip=192.168.4.22 link=1000Mb/s status=OK|----------------------- DAR Status ----------------------|| | Present | Zero | Yellow | Blue | Tamper | Alarm || | | bit | bit | bit | bit | bit ||--------------------------------------------------------||DAR0 | YES | 1 | 1 | 1 | 1 | 0 ||DAR1 | YES | 1 | 1 | 1 | 1 | 1 ||--------------------------------------------------------|[!health] OK

snmpget -v 2c -c cns -mCWCDS-CNS-MIB 10.19.6.4 cnsSnmp.5.2.1.0CWCDS-CNS-MIB::cnsIpEth1.0 = STRING: [ipconfig]gw=0.0.0.0IF_ETH_1: link=1000 ip=192.168.2.22 netmask=255.255.255.0status=OKCFG_ETH_1: prot=static ip=192.168.2.22 netmask=255.255.255.0status=OK[!ipconfig] OK

snmpset -v 2c -c cns -mCWCDS-CNS-MIB 10.19.6.4 cnsSnmp.4.1.0 s "100"CWCDS-CNS-MIB::cnsS0.0 = STRING: 100

snmpset -v 2c -c cns -mCWCDS-CNS-MIB 10.19.6.4 cnsSnmp.5.1.1.0 s 192.168.1.22CWCDS-CNS-MIB::cnsIpEth0.0 = STRING: 192.168.1.22



9.1 SNMP MIBCWCDS-CNS-MIB DEFINITIONS ::= BEGIN---- MIB for CWCDS CNS.--IMPORTS

MODULE-IDENTITY, MODULE-COMPLIANCE, OBJECT-TYPE, Integer32, enterprises,NOTIFICATION-TYPE FROMSNMPv2-SMIOBJECT-GROUP, NOTIFICATION-GROUP FROMSNMPv2-CONF;cnsSnmp MODULE-IDENTITYLAST-UPDATED "201510200000Z"ORGANIZATION "www.cw controls.com"CONTACT-INFO

"email: [email protected]"DESCRIPTION

"MIB for CWCDS CNS4."REVISION "201505200000Z"DESCRIPTION

"version 1.0"::= { enterprises 27675 }

---- top level structure--

cnsFSMStatus OBJECT IDENTIFIER ::= { cnsSnmp 3 }cnsLED OBJECT IDENTIFIER ::= { cnsSnmp 4 }cnsIPConfig OBJECT IDENTIFIER ::= { cnsSnmp 5 }cnsLiveServices OBJECT IDENTIFIER ::= { cnsSnmp 7 }cnsBootServices OBJECT IDENTIFIER ::= { cnsSnmp 8 }cnsEth0 OBJECT IDENTIFIER ::= { cnsIPConfig 1 }cnsEth1 OBJECT IDENTIFIER ::= { cnsIPConfig 2 }cnsEth2 OBJECT IDENTIFIER ::= { cnsIPConfig 3 }cnsEth3 OBJECT IDENTIFIER ::= { cnsIPConfig 4 }

---- Values--

cnsHealth OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-onlySTATUS currentDESCRIPTION

"Output of command: health"::= { cnsSnmp 1 }

cnsIBIT OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-onlySTATUS currentDESCRIPTION

"Output of command: ibit"::= { cnsSnmp 2 }



cnsSystemConfig OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to display current system configuration."DEFVAL { "" }::= { cnsSnmp 6 }

cnsFibreChannel OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to start and stop fibre channel service."DEFVAL { "" }::= { cnsSnmp 9 }

cnsSystemDate OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to set and get the system date."DEFVAL { "" }::= { cnsSnmp 10 }

cnsSystemTime OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to set and get the system time."DEFVAL { "" }::= { cnsSnmp 11 }

cnsReboot OBJECT-TYPESYNTAX INTEGERMAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to reboot."DEFVAL { "" }::= { cnsSnmp 12 }

cnsShutdow n OBJECT-TYPESYNTAX INTEGERMAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Object that is used to reboot."DEFVAL { "" }::= { cnsSnmp 13 }

cnsFSMDiskStatus OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-onlySTATUS currentDESCRIPTION

"Output of command: fsmdiskstatus"::= { cnsSnmp 3 }



cnsFSM0EEPROMOBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-onlySTATUS currentDESCRIPTION

"Output of command: Contents of FSM0 EEPROM"::= { cnsFSMDiskStatus 1 }







---- LED Objects--

cnsS0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Read LED status. Set S0 duty cycle."DEFVAL { "" }::= { cnsLED 1 }





cnsS2 OBJECT-TYPESYNTAX OCTET STRING (SIZE(1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION




---- ETH0 ITEMS--

cnsIpEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Read eth0 status. Set eth0 IP."DEFVAL { "" }::= { cnsEth0 1 }

cnsGatew ayEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE(1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Read eth0 status. Set eth0 gateway."DEFVAL { "" }::= { cnsEth0 2 }

cnsNetmaskEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Read eth0 status. Set eth0 netmask."DEFVAL { "" }::= { cnsEth0 3 }

cnsDhcpClientIdEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Read eth0 status. Set eth0 DHCPClient ID."DEFVAL { "" }::= { cnsEth0 4 }



cnsUseDhcpEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS current

"Read eth0 status. Enable/Disable DHCP for eth0."DEFVAL { "" }::= { cnsEth0 5 }

cnsApplyChangesEth0 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Write-only; Reading will return eth0 status. Apply changes made to eth0."DEFVAL { "" }::= { cnsEth0 6 }

---- ETH1 ITEMS--



cnsGatew ayEth1 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION





"Read eth1 status. Set eth1 DHCP Client ID."DEFVAL { "" }::= { cnsEth1 4 }



cnsUseDhcpEth1 OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION




---- ETH2 ITEMS--















---- ETH3 ITEMS--














"Write-only; Reading w ill return eth3 status. Apply changes made to eth3."DEFVAL { "" }::= { cnsEth3 6 }

---- CONTROL LIVESERVICES OBJECTS--

cnsCifsLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the CIFS server."DEFVAL { "" }::= { cnsLiveServices 1 }

cnsNfsLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the NFS server."DEFVAL { "" }::= { cnsLiveServices 2 }

cnsFtpLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the FTP server."DEFVAL { "" }::= { cnsLiveServices 3 }

cnsTftpLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the TFTP server."DEFVAL { "" }::= { cnsLiveServices 4 }



cnsHttpLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the HTTP server."DEFVAL { "" }::= { cnsLiveServices 5 }

cnsTelnetLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the Telnet server."DEFVAL { "" }::= { cnsLiveServices 6 }

cnsSnmpLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to ONLY stop (0) SNMP."DEFVAL { "" }::= { cnsLiveServices 7 }

cnsAllLive OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) all the services EXCEPT SNMP."DEFVAL { "" }::= { cnsLiveServices 8 }

---- CONTROL BOOT SERVICES OBJECTS--

cnsCifsBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the CIFS server on boot."DEFVAL { "" }::= { cnsBootServices 1 }

cnsNfsBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the NFS server on boot."DEFVAL { "" }::= { cnsBootServices 2 }



cnsFtpBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the FTP server on boot."DEFVAL { "" }::= { cnsBootServices 3 }

cnsTftpBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the TFTP server on boot."DEFVAL { "" }::= { cnsBootServices 4 }

cnsHttpBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the HTTP server on boot."DEFVAL { "" }::= { cnsBootServices 5 }

cnsTelnetBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) the Telnet server on boot."DEFVAL { "" }::= { cnsBootServices 6 }

cnsSnmpBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) SNMP on boot."DEFVAL { "" }::= { cnsBootServices 7 }

cnsAllBoot OBJECT-TYPESYNTAX OCTET STRING (SIZE (1..4096))MAX-ACCESS read-writeSTATUS currentDESCRIPTION

"Used to start (1) and stop (0) all the services on boot."DEFVAL { "" }::= { cnsBootServices 8 }

END


CNS4 CSfC 10 - 1 Remove / ReplaceRevision 2.0

Remove / Replace10.1 ILE Module - Install / Remove

CAUTIONEQUIPMENT DAMAGE. Do not remove / install an ILE module with power applied or damage to the ILE module and / or CNS4 will occur.

CAUTIONEQUIPMENT DAMAGE. Exercise ESD precautions when installing, removing, or handling the ILE module. Failure to properly handle ILE modules can result in damage

10.1.1 Remove1. If applicable, turn 28VDC power supply OFF.2. Remove four screws and FIPS CRYPTO cover panel.3. Loosen two Allen screws (Figure 10.1) to release wedgelocks.4. Grasp eject lever and carefully pull ILE module from the CHS4 chassis.5. Place ILE module in a static-safe container and close cover.Figure 10.1 ILE Module Replacement

10.1.2 Install1. Remove ILE module from static safe container.2. Align ILE module rails with the chassis slides and carefully push module into chassis. Ensure

module connector fully seats in ILE backplane connector.

EjectLever

Allen Screw

Rail

Slide

DDOC0108-0004



CAUTIONIMPROPER OPERATION, Wedgelock levers must be raised to ensure conductive cooling of ILE module occurs. Failure to close levers tightly may result in improper operation.3. Tighten two Allen screws to raise wedgelocks and secure ILE module in place. Tighten screws

to 8.0 in.-lb (0.9 Nm).4. Clean FIPS CRYPTO cover panel screws with primer (Loctite 7649) to remove old threadlock.5. Coat screw threads with threadlock (Loctite 222).6. Place FIPS CRYPTO cover panel onCNS4 chassis and secure with four screws. Tighten

screws to 8.0 in.-lb (0.9 Nm).7. Install CNS4 anti-tamper label. Refer to paragraph 4.2 Inspection for label location. Refer to

Ordering Information section for tamper label information.

10.2 FSM-C Module - Install / RemoveCAUTION

EQUIPMENT DAMAGE. Do not remove / install a FSM-C module with power applied or damage to the FSM-C module and / or CNS4 will occur.

CAUTIONEQUIPMENT DAMAGE. Exercise ESD precautions when installing, removing, or handling the FSM-C module. Failure to properly handle FSM-C modules can result in damage

10.2.1 Remove1. If applicable, turn 28VDC power supply OFF.2. Loosen two captive screws and open FSM cover panel.3. Extend / pull wedgelock levers (Figure 10.2) away from module body to release wedgelocks.4. Grasp eject lever and carefully pull FSM-C module from CNS4 chassis.5. Place FSM-C module in a static-safe container and close cover.Figure 10.2 FSM-C Module Replacement

Wedgelock LeverEjectLever

DDOC0108-0008

Rail

Slide



10.2.2 Install1. Remove FSM-C module from static safe container.2. Align FSM-C module rails with chassis slides and carefully push module into chassis. Ensure

module connector fully seats in storage backplane connector.

CAUTIONIMPROPER OPERATION, Wedgelock levers must be closed to ensure conductive cooling of FSM-C module occurs. Failure to close levers tightly may result in improper operation.3. Place wedgelock levers in the closed / retracted position to raise wedgelocks and secure

module in place.4. Close FSM cover panel and secure with two captive screws. Tighten screws finger-tight.

10.3 Chassis Battery Replacement

NOTEThe battery should be replaced every five years. Refer to Ordering Information section for part number information.

10.3.1 Remove1. If applicable, turn 28VDC power supply OFF.2. Disconnect cables and remove CNS4 from mounting surface / tray. Refer to paragraph 4.4

CNS4 Install / Remove for additional information.3. Remove six screws, battery cover, and gasket from CNS4 chassis (Figure 4-7).4. Remove battery from battery holder.5. Discard battery.Figure 10.3 Chassis Battery Replacement

DDOC0108-0031

Battery Cover

Battery

1

2

4 5

6 3

Gasket

(+)

(-)

Tightening Sequence



10.3.2 Install1. Place battery in battery holder. Ensure battery polarity is correct (positive towards front of unit).2. Clean screws with primer (Loctite 7649) to remove old threadlock.3. Coat screw threads with threadlock (Loctite 222).4. Place gasket and battery cover on CNS4 chassis and align mounting holes.5. Use six screws to secure battery cover in place. Tighten screws to 8.0 in-lb (0.9 Nm) using

pattern shown in Figure 10.3.6. Install new chassis battery label over old label. Refer to Ordering Information section for part

number information.

NOTEInstall and replacement dates should use MM / YYYY format.7. Use a permanent marker to write Install and Replacement dates on label. 8. Install CNS4 on mounting surface / tray and connect cables. Refer to paragraph 4.4 CNS4

Install / Remove for additional information.

10.4 ILE Module Battery Replacement

CAUTIONEQUIPMENT DAMAGE. Exercise ESD precautions when installing, removing, or handling the ILE module. Failure to properly handle ILE modules can result in damage

NOTEThe batteries should be replaced every five years. Refer to Ordering Information section for part number information.

NOTEReplacement of the batteries will require breaking ILE tamper seal.

NOTEThe ILE module contains two batteries. They should be replaced as a pair.

10.4.1 Remove1. If applicable, turn 28VDC power supply OFF.2. Remove ILE module from CNS4 chassis. Refer to paragraph 10.1 ILE Module - Install /

Remove for additional information.3. Remove ILE tamper label.4. Remove 10 screws and cover from ILE chassis (Figure 10.4).5. Remove batteries from battery holders.6. Discard batteries.

10.4.2 Install1. Place batteries in battery holder.2. Place cover on ILE chassis and align mounting holes.3. Clean screws with primer (Loctite 7649) to remove old threadlock.4. Coat screw threads with threadlock (Loctite 222).5. Use 10 screws to secure battery cover in place. Tighten screws to 8.0 in-lb (0.9 Nm) using

pattern shown in Figure 4-8.6. Install ILE tamper label. Refer to paragraph 4.2 Inspection for label locations. Refer to

Ordering Information section for tamper label information.



Figure 10.4 ILE Module Battery Replacement

NOTEILE Battery Label is located on CNS4 chassis.7. Install new ILE battery label over old label. Refer to Ordering Information section for part

number information.

NOTEInstall and replacement dates should use MM / YYYY format.8. Use a permanent marker to write Install and Replacement dates on label. 9. Install ILE module in CNS4. Refer to paragraph 10.1 ILE Module - Install / Remove for

additional information.

DDOC0108-0040

Cover

Battery

Battery Holder

9

1 7

8

6

4

5

3

10

2TightenPattern


CNS4 CSfC 11 - 1 Command Line InterfaceRevision 0.0

Command Line InterfaceThe Command Line Interface (CLI) is the primary method of communicating with and configuring the CNS4.

11.1 CLI Commands11.1.1 CNS4 Commands

dhcpconfig............................. Configures DHCP services.fupdate ................................... Used to perform field update of CNS4.health...................................... Shows health information for CNS4.help......................................... Shows list of available help topics.ibit ........................................... Starts CNS4 initiated built-in test.ipconfig .................................. Sets / shows IP interface information.istarget ................................... Starts / stops and report iSCSI target server.ledctrl ..................................... Sets / shows CNS4 front panel LED duty cycle.log........................................... Shows / clears CNS4 log files.password ............................... Sets / shows password.reboot ..................................... Stops all services, unmounts storage, and does a soft reboot.serial_config .......................... Sets / shows serial port configuration or gets current configuration.serv......................................... Sets boot configuration and manually starts / stops CNS4 services.shutdown ............................... Stops all services, unmounts storage, and halts CNS4 operating

system.swcrypt................................... Sets / shows disk encryption options.sysconfig ............................... Sets / shows CNS4 disk and system storage.sysdate................................... Sets / shows CNS4 time and date.

11.1.2 FSM-C Module Commandsdiskcfg.................................... Shows information about FSM-C module disk / interface.fsmpurge ................................ Removes all data from FSM-C module.fsmdiskstatus ........................ Shows FSM-C module NAS partition status and usage.

11.1.3 ILE Commandscm_create_account............... Set / show user name and password. Also specifies DEK source

and storage location.cm_crypto .............................. Utility used to perform HMAC-SHA256 generation and AES-256

key wrap / unwrap.cm_field_update .................... Used to perform field update of ILE.cm_key ................................... Sets / shows encryption key management (key creation, usage,

encryption).cm_log.................................... Shows / clears ILE log files.cm_login ................................ Allows users to login / use ILE.cm_state................................. Shows current user / encryption key information.

11.2 Commands



11.2.1 cm_create_accountSyntax:cm_create_account [ -h | --help ] | [ -v | --version ]cm_create_account [ -u <str> ] [ -p <str> ] [ -m i | e ] [ -k e | s | n ]cm_create_account [ -u <str> ] [ -p <str> ]Description:The cm_create_account command provides the user the ability to create accounts. The first account created will always be the crypto officer account and every other account created thereafter will be treated as users. The crypto officer must be logged in to create user accounts. Normal user accounts only have certain privileges where they are not able to choose the DEK nor where the DEK is stored. Every user shares the same DEK as the crypto officer.Options: -h, --help............................. Help -v, --version ........................ Show version information -u <string> .......................... Specify username -p <string> .......................... Specify password (min. 8 characters; max. 64 characters) -m <char>........................... ILE Key Generation Mode. i=Internal, e=External -k <char> ............................ ILE Key Storage Location. e=EEPROM, s=SRAM, n=NONE

Example 1. Create a crypto officer account with username john, password aBcDeFg1, with internal key generation stored on the SRAM

Example 2. Create a crypto officer account with username john, password aBcDeFg1, with external key generation stored on the EEPROM

Example 3. Create a user account with username marty, password gHpErCf7

cns> cm_create_account -u john -p aBcDeFg1 -m i -k s[cm_create_account]user_token=0xab491feccdd158654adab4bb10ddfffe3948571fddeee43f6b7c9a0cc0013693token_hmac=0xce6256b4220638eefb3bb3c428ddd853353bc9ce3f436062ab59d9fcd9f93642status=OK

[!cm_create_Account]

cns> cm_create_account -u john -p aBcDeFg1 -m e -k e[cm_create_account]user_token=0xc9ed6c3bbc3de43110d4e5b67da39ea4d1d79d1fb269d25759b38a25db0a8552c72158ebc19e7e60token_hmac=0x8ba8729d3a22bc6787b404a13f7cbec190ce5f64fc0e770c8710f60318274259status=OK


cns> cm_create_account -u marty -p gHpErCf7[cm_create_account]user_token=0xa77650375de646873a61d4c18954d2c4aaf35cd2af59bd9f0646b5a55223011atoken_hmac=0xbd7147c5119728ffea5aa2d517c3c747242ab8ad2e3259561a59d9dbe8e43248status=OK




11.2.2 cm_cryptoSyntax:cm_crypto [ -h | --help ] | [ -v | --version ]cm_crypto [ -p <hex> | --plaintext <hex>] & [ -k <hex> | --key <hex> ]cm_crypto [ -c <hex> | --ciphertext <hex> ] & [ -k <hex> | --key <hex> ]cm_crypto [ -t <hex> | --text <hex> ] & [ -k <hex> | --key <hex> ]

Description:The cm_crypto command provides the user the ability to perform cryptographic operations on data of their choosing. More specifically the user may use this utility to decrypt KEKs, encrypt DEKS, and generate HMAC-SHA256s.Options:-h, --help.............................. Help-v, --version ......................... Show version information-p, --plaintext <hex> ............ Data to be used to perform AES256 Keywrap on. Must be a 32 byte

value represented by 64 hex characters-c, --ciphertext <hex> .......... Data to be used to perform AES256 KeyUnwrap on. Must be a 40

byte value represented by 80 hex characters-t, --text <hex>..................... Data to be used when calculating HMAC-SHA-256. Must be less than

a 64 byte value represented by 128 hex characters.-k, --key <hex> ................... Key to be used against AES256 Keywrap / KeyUnwrap and HMAC-

SHA-256. Must be a 32 byte value represented by 64 hex charactersExample 1. Perform AES256 KeyUnWrap

Example 2. Perform AES256 KeyWrap

cns> cm_crypto -c aa6db2ebee5438665f49d4b228942a2a53b78552b7f16be37c77508b596bdc5998e5ba844947227f -k 0000000000000000000000000000000000000000000000000000000000001234[cm_crypto]ciphertext=0xaa6db2ebee5438665f49d4b228942a2a53b78552b7f16be37c77508b596bdc5998e5ba844947227fKey=0x0000000000000000000000000000000000000000000000000000000000001234keyunwrap_output=0xb68dc04ac3ade0e9f883eded13a9a90e7b86d7b6a4c22c4d26b7344e8ce2ef9b

[!cm_crypto]

cns> cm_crypto -p c213a1e6d0cc9f61d2e7777d0c1a3b5cb70a3342e70252ae0773cb326cf17da9 -k 0c56d2e4fa740fcf92119502f8ca88378190dbfb63c545909a26d478c6f595d0

[cm_crypto]plaintext=c213a1e6d0cc9f61d2e7777d0c1a3b5cb70a3342e70252ae0773cb326cf17da9key=0c56d2e4fa740fcf92119502f8ca88378190dbfb63c545909a26d478c6f595d0keywrap_output=0xe9ed6d1cd711600f8c7f8eea6f22d9199bf85698b86ac2a5f6bf3a8c5e5359a7b9c79b4d3a1bb39e

[!cm_crypto]



11.2.3 cm_field_updateSyntax:cm_field_update [ -h | --help ] | [ -v | --version ]cm_field_update [ -f <str> ] [ -s <str> ]Description:The cm_field_update command provides the user the ability to update the firmware within the ILE module. The update is a trusted update that requires an update file paired with a signature. This update file and signature will be verified during the transfer and will generate a failure if verification is unsuccessful.

NOTEThe update files must be placed on the root of fsm_nas0 on the CNS4.Refer to paragraph 6.3.2 ILE Module Firmware for more details.

NOTECurtiss-Wright will be the only entity who provides ILE firmware updates. Options:-h, --help.............................. Help-v, --version ......................... Show version information-f .......................................... Filename (ex. file.bin)-s ......................................... Signature (ex. signature.bin)

Example 1. Performing an update with official files supplied by Curtiss-Wright

Example 2. Performing an update with an invalid update file and a valid signature

cns> cm_field_update -f ileTestImage.bin -s ileTestImageSignature.bin[cm_field_update]STATUS: Activity [...................................................................................................................................................] Update Complete. Please wait 5 seconds to power cycle the unit.status=OK

[!cm_field_update]

cns> cm_field_update -f ileTestImageInvalid.bin -s ileTestImageSignature.bin[cm_field_update]STATUS: Activity [.......................................................................................................................................................(0x3005):[FUPDATE] - verification failed

[!cm_field_update]



11.2.4 cm_keySyntax:cm_key [ -h | --help ] | [ -v | --version ]cm_key [ -k | --kek ] | [ -a | --kekAck ] | [ -r | --resetKek ] | [ -z | --zero ] | [ --zero-psk ]cm_key [ -s <int> | --slot <int> ] & [ -e <hex> | --edek <hex> ] & [ -m <hex> | --hmac <hex> ]cm_key [ -s <int> | --slot <int> ] & [ -d <hex> | --dek <hex> ] & [ -p <hex> | --psk <hex> ]cm_key [ --userpsk <hex> ]Description:The cm_key command provides the user the ability to inject DEKs into the ILE, zeroize the DEKs or PSK, and change the PSK. The crypto officer is the only entity that has permission to inject or change a DEK. It is to be noted that only one slot option can be chosen per transaction.Options:-h, --help.............................. Help-v, --version ......................... Show version informationEncrypted Key Operation Options-k, --kek ............................... Generates an encrypted KEK (key encryption key) and an HMAC-a, --kekAck ......................... Sets the key used to encrypt KEK to previously used key. Must be

used after HMAC has been verified and the KEK decrypted-e, --edek <hex>.................. Encrypted DEK (data encryption key) 40 byte value represented by

80 hex characters-m, --hmac <hex>................ MAC (message authentication code) 32 byte value represented by 64

hex charactersPlaintext Operation Options -d, --dek <hex>................... Plaintext DEK (data encryption key) 32 byte value represented by 64

hex characters -p, --psk <hex> ................... Plaintext PSK (pre-shared key) 32 byte value represented by 64 hex

charactersOptions used for both key generation methods-r, --resetKek ....................... Resets key used to encrypt KEK to PSK-s, --slot <int> ...................... Encryptor selector. Select either slot 0,1,2,3, or all. Only one

encryptor can be specified per transaction-z, --zero.............................. Zeroize Crypto Module--zero-psk ............................ Zeroize System Storage. This option will restore the ILE back to a

pre-manufacturing state making it inoperable. Will prompt user prior to performing the erase

--userpsk <hex> .................. Changes current PSK to a user supplied PSK.User must supply current PSK in conjunction (-p option)

Example 1. Using Encrypted Key Operation - Request a Key Encryption Key (for external key passing method only)

Example 2. Send a KEK Acknowledge to the FIPS Encryptor after the HMAC has been verified and KEK has been decrypted

cns> cm_key -k[cm_key]status=OK

[!cm_key]

cns> cm_key -a[cm_key]status=OK

[!cm_key]



Example 3. Load DEK into FSM slot 0 using encrypted external key operation. Must send a KEK Acknowledge prior to executing this command

Example 4. Load DEK into FSM slot 1 Using Plaintext Operation

Example 5. Reset KEK to PSK

Example 6. Load next desired slot (examples uses slot 3)

cns> cm_key -e 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -m fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 -s 0[cm_key]status=OK

[!cm_key]

cns> cm_key -d 1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF -p 098765432109876543210987654321AB098765432109876543210987654321CD -s 1[cm_key]status=OK

[!cm_key]

cns> cm_key -r[cm_key]status=OK

[!cm_key]

cns> cm_key -d 1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF -p 098765432109876543210987654321AB098765432109876543210987654321CD -s 3[cm_key]status=OK

[!cm_key]



11.2.5 cm_logSyntaxcm_log [ -h | --help ] | [ -v | --version ]cm_log [ -c ]DescriptionThe cm_log command provides the user the ability to view and clear the ILE error log. Only the crypto officer has permission to clear the ILE error log.Options-h ......................................... Help--version .............................. Show version information-c ......................................... Clear error log

Example 1

Example 2

Example 3

cns> cm_log[cm_log](0x0c20):[SECURITY] - tamper event: T1(0x0960):[VOLT] - low battery warning(0x080f):[I2C] - checksum failed(0x1009):[ILE] - invalid keygen method(0x100a):[ILE] - invalid state

[!cm_log]

cns> cm_log[cm_log]status=OK

[!cm_log]

cns> cm_log -c[cm_log]status=OK

[!cm_log]



11.2.6 cm_loginSyntaxcm_login [ -h | --help ] | [ -v | --version ]cm_login [ -u <str> ] [ -p <str> ]cm_login [ -m <hex> | --hmac <hex> ]cm_login [ -o ]DescriptionThe cm_login command provides the user the ability to login to a user desired account. The login process is a two-step process where you must first provide a username and password to login. The second step would be to decrypt the user token and use that decrypted user token along with the provided nonce to generate an HMAC-SHA256 to complete the challenge.Options-h, --help.............................. Help-v, --version ......................... Show version information-u <string>........................... Specify username-p <string>........................... Specify password-m, --hmac........................... MAC (message authentication code) 32 byte value represented by 64

hex characters-o ......................................... Log out current user

Example 1. Login with username user, password Password1

Example 2. Complete the login process by submitting the HMAC-SHA256

Example 3. Logout current user

cns> cm_login -u user -p Password1[cm_login]challenge_nonce=0xf9ccab6b0838c5ab2c1d51085df7cb3a2b9d11b7f7264b39b20116085f628255d5c72906af864026f18a7e39e7da5afe2666b839f258a37eb90386a6493726b2status=OK

[!cm_login]

cns> cm_login --hmac 30fc2e0ced04edb0942b8cae01dc0692e61bfedf172404da45edbaab72fb0791[cm_login]challenge_hmac=0x30fc2e0ced04edb0942b8cae01dc0692e61bfedf172404da45edbaab72fb0791status=OK

[!cm_login]

cns> cm_login -o[cm_login]status=OK

[!cm_login]



11.2.7 cm_stateSyntaxcm_state [ -h | --help ] | [ -v | --version ]DescriptionThe cm_state command provides the user the ability to view the current state of the ILE. Only certain information will be displayed depending on the state of the ILE.Options -h, --help............................. Help -v, --version ........................ Show version information

Example 1

Example 2

cns> cm_state[cm_state]ile_firmware_version=0.1ile_id_number=789ile_state=initialized

[!cm_state]

cns> cm_state[cm_state]ile_firmware_version=0.1ile_id_number=789ile_state=keys_loadedencryptors_loaded=0,1,2,3current_user=johnkey_location=eepromkey_gen_method=internalprivledge_level=user

{!cm_state]



11.2.8 dhcpconfigSyntaxdhcpconfig [-h | --help | --version]dhcpconfig -A -s IP NM [-r val val] [-n val] [-g val] [-d val] [-t val]dhcpconfig -D -s IP NMdhcpconfig -A -b NAME [-m val | -c val] [-t val] [-f val] [-n val] [-g val] [-d val] [-t val]dhcpconfig -D -b NAMEDescriptionThe dhcpconfig command allows the user to configure DHCP services on the CNS4 unit.OptionsOptions for subnet and BOOTP declarations:-h, --help............................ Print help message--version ............................ Print program version-A, --add ............................ Add/Update subnet or bootp entry-D, --delete: ....................... Delete subnet or bootp entry.-n, --netmask <ip> ............. Netmask to assign to subnet clients-g, --gateway <ip> ............. Gateway to assign to clients in subnet-i, --domainserver <ip> ...... IP of Domain Name Server to assign to clients-d, --domain <str>.............. Domain Name to assign to clients-o, --offset <str>................. Time offset from UTC in secondsOptions specific to subnet declarations:-s, --subnet <ip> <nm>...... IP and netmask for DHCP Subnet entry (Required)-r, --ange <ip> <ip>............ Low to high range of IP addresses to provideOptions specific to BOOTP declarations:-b, --bootp <str> ................ Name for bootp entry (Required)-m, --mac <str>.................. Ethernet MAC to identify bootp client-c, --clientid <str> .............. Alternative bootp client identifier value-t, --tftpfile <str>................. TFTP file for bootp client to download/boot-f, --fixedip <ip> ................ Fixed IP for bootp client

NOTETo start and stop the DHCP service use serv command

Example. View configuration enumerated

Line IdentifierSUBNET.............................. Reports a DHCP subnet declarationHOST .................................. Reports a BOOTP client declarationFields (only fields defined for the entry are displayed).subnet=<net> ...................... Reports subnet on which to assign addressesrn=<ip>-<ip>........................ Reports range of addresses to assign to clientsgw=<ip> .............................. Reports gateway address passed to clientsdns=<ip> ............................. Reports DNS server address passed to clientsnm=<nm>............................ Reports netmask passed to clientsdmn=<str>........................... Reports domain name passed to clientstoff=<int> ............................. Reports time offset passed to clientshost=<str> ........................... Reports name of BOOTP entry / hostname of clientmac=<mac> ........................ Reports MAC address of BOOTP clientid=<str> ............................... Reports client ID of BOOTP clienttftp=<file> ............................ Reports BOOTP file name

cns> dhcpconfig[dhcpconfig]SUBNET: subnet=<net> rn=<ip>-<ip> gw=<ip> dns=<ip> nm=<nm>dmn=<str>toff=<int> status=<sts>BOOTP: host=<str> mac=<mac> id=<str> tftp=<file> ip=<ip>nm=<nm> gw=<ip>dmn=<str> dns=<ip> toff=<int> status=<sts>

[!dhcpconfig] <summary>



ip=<ip> ................................ Reports IP address to assigned to clientstatus=<sts>........................ Summary status for the given lineEnumerated types<net> ................................... IPv4 dotted-decimal subnet address (Ex: 192.168.1.0)<ip> ..................................... IPv4 dotted-decimal address (Ex: 192.168.1.1)<nm>................................... IPv4 dotted-decimal netmask (Ex: 255.255.255.0)<int> .................................... An integer value (Ex: -28800, 7200)<mac> ................................. MAC address (Ex: 00:11:22:33:44:55)<file> ................................... File name for BOOTP client (Ex: "/rmc0/bootimage")<str> .................................... Text string<sts> ................................... Status message (OK, ERR "<str>")<summary> ......................... Command status summary (OK, ERR)

Example 1. View configuration (sample command output)

Example 2. Add subnet configuration

Example 3. Delete subnet configuration

Example 4. Add BOOTP client

Example 5. Delete BOOTP client

cns> dhcpconfig[dhcpconfig]SUBNET: subnet=192.168.1.0 rn=192.168.1.1-192.168.1.10 gw=192.168.1.1dns=192.168.1.1 nm=255.255.255.0 dmn="CWNAS" toff=-8 status=OKBOOTP: host=target mac=00:1b:ac:70:10:42 tftp="/fsm_shares/fsm_nas0/bootfile" status=OK

[!dhcpconfig] OK

cns> dhcpconfig -A -s 192.168.3.0 255.255.255.0 -g 192.168.3.5 -r 192.168.3.10 192.168.3.20 - i 192.168.3.10 -o -8[dhcpconfig]SUBNET: status=OK

[!dhcpconfig] OK

cns> dhcpconfig -D -s 192.168.3.0 255.255.255.0[dhcpconfig]SUBNET: status=<sts>

[!dhcpconfig] OK

cns> dhcpconfig -A -b mypc -m 20:50:A4:FC:6B:B5 -f 192.168.3.55 -t /fsm_shares/fsm_nas0/bootfile[dhcpconfig]BOOTP: status=<sts>


cns> dhcpconfig -D -b mypc[dhcpconfig]BOOTP: status=<sts>




11.2.9 diskcfgSyntaxdiskcfg [-h|-l|-s|-c|-d|-q|-t|-n|-a|-w|-m] diskcfg [ --scan | --rescan | --version ]DescriptionThe diskcfg command allows the user to display detailed information about the FSM disks and their configuration.Options-h | --help............................. Show command help-l | --label ............................ Generate output with label before each value. If not specified data is

output in table form -s | --serial .......................... Show Serial Number, product name and revision-c | --ctrl ............................... Show SATA controller and ATA port number-d | --dev.............................. Show local /dev/sd? name -q | --queue.......................... Show queue depth and scheduler -t | --temp............................. Show disk die and carrier temperature -n | --nas.............................. Show NAS service name assignments -a | --all ................................ Show all options -w | --wrap ........................... Word wrap output -m ....................................... Minimize space between fields --scan .................................. Delete all existing FSM SATA connections then scan each SATA host

port for disks.--rescan ............................... Scan each SATA host port for disks.--version .............................. Show program versionField label definitions:[dev] .................................... Disk device. D00 to D07 based on position.[osName]............................. Disk name as seen my OS (ex. /dev/sdb).[fsmName]........................... FSM device name (ex. /dev/fsm0-d0).[sz]....................................... Disk size.[link]..................................... SATA link state. (ex. 1.0Gb/s)[mode] ................................ Disk mode. Partition or raid member[ctrl] .................................... SATA controller port used by disk[ata ...................................... SATA host name [qd] ...................................... Disk native command queue depth [sched]................................. Disk command scheduler[dtemp] ................................ Disk on board die temp[ctemp] ................................ FSM carrier temp [sn] ..................................... Disk serial Number[model] ................................ Disk model number[fw]....................................... Disk firmware version[num_serv] .......................... Number of services on disk/raid (only appears in label mode)[serv_name] ........................ Name of service on disk/raid

Example 1cns> diskcfg diskcfg]

FSM name | Size | Link | Mode | ------------------------------------------

/dev/fsm0-d0 | 2000GB | 3.0Gb/s | PART | /dev/fsm1-d0 | 1024GB | 3.0Gb/s | RAIDa | /dev/fsm2-d0 | 1024GB | 3.0Gb/s | RAIDa | /dev/fsm3-d0 | 1000GB | 3.0Gb/s | PART | [!diskcfg] OK



Example 2

Example 3

Example 4

cns> diskcfg -s -n -w [diskcfg] FSM name | Size | Link | Mode | Serial Num | -> | Model | FW | service name | ----------------------------------------------------------------------- /dev/fsm0-d0 | 2000GB | 3.0Gb/s | PART | 201602080001 | -> | SCALAR-2T | NV.R 1201 | fsm_nas0 and iSCSI0_L0 | /dev/fsm1-d0 | 1024GB | 3.0Gb/s | RAIDa | 839F07541E1700000120 | -> | SSD | S8FM | fsm_nas3 and iSCSI0_L2 | /dev/fsm2-d0 | 1024GB | 3.0Gb/s | RAIDa | 14250C5FAB54 | -> | Micron_M550_MTFD | MUN1 | fsm_nas3 and iSCSI0_L2 | /dev/fsm3-d0 | 1000GB | 3.0Gb/s | PART | S1D9NSAF633990D | -> | Samsung SSD 840 | EXT0 | fsm_nas1, fsm_nas2 and iSCSI0_L1 | [!diskcfg] OK

cns> diskcfg -c [diskcfg] FSM name | Size | Link | Mode | Cntlr | Ata | --------------------------------------------------------- /dev/fsm0-d0 | 512GB | 1.5Gb/s | RAIDa | Ctrl_C | ata3 | /dev/fsm0-d1 | 512GB | 1.5Gb/s | RAIDa | Ctrl_D | ata7 | /dev/fsm0-d2 | 512GB | 1.5Gb/s | RAIDa | Ctrl_C | ata4 | /dev/fsm0-d3 | 512GB | 1.5Gb/s | RAIDa | Ctrl_D | ata8 |

[!diskcfg] OK

cns> diskcfg -l [diskcfg]fsm1-d0: fsmName=/dev/fsm1-d0 sz=512GB link=1.5Gb/s type=PARTfsm1-d1: fsmName=/dev/fsm1-d1 sz=512GB link=1.5Gb/s type=RAIDafsm1-d2: fsmName=/dev/fsm1-d2 sz=512GB link=1.5Gb/s type=RAIDafsm1-d3: fsmName=/dev/fsm1-d3 sz=512GB link=1.5Gb/s type=RAIDa

[!diskcfg] OK



11.2.10 fsmdiskstatusSyntaxfsmdiskstatus [-h | --help | --version]fsmdiskstatusDescriptionThe fsmdiskstatus command displays FSM-C NAS partition status and usage.Options-h, --help............................ Print help message.--version ............................ Print program version.ResponsesFSM_X ................................ <status><status> .............................. Status <enum> (NA, NRDY)FSM_NAS ........................... [psize] [mounted] [size] [used] [avail] [used%] <status>FSM_NAS .......................... NAS partition on FSM-C Software RAID[psize].................................. FSM-C NAS partition size <str> (ex. 500G)[mounted] ............................ FSM-C NAS mounted <bool> (0,1)[size].................................... NAS Filesystem size <str> (ex. 50G)[used] .................................. Used Filesystem space <str> (ex. 500M)[avail]................................... Available Filesystem space <str> (ex. 22G)[used%] ............................... Filesystem used percentage <int> (0 to 100)<status> .............................. Status <enum> (OK, ERR "<str>")iSCSIy_Ln ........................... [psize] [is_tgt_en] <status>iSCSIy_Ln ........................... iSCSI target on FSM-C using ethernet port y

(y = CNS Gibabit ethernet port used )(n = lun number. 0 to number of targets on this port)

[psize].................................. iSCSI target partition size <str> (ex. 500G)[is_tgt_en]............................ iSCSI target enabled 1=enable 0=disables<status> ............................. Status <enum> (OK, ERR "<str>")INVALID .............................. <status>INVALID .............................. Command parameter(s) or Unit state invalid<status> .............................. Status <str> (ERR "<str>")ERROR ............................... <status>ERROR ............................... Critical error has occurred<status> .............................. Status <str> (ERR "<str>")

Example 1

Example 2

Example 3

cns> fsmdiskstatus[fsmdiskstatus]FSM_NAS0: psize=1000G mounted=1 size=932G used=2.4G avail=929G used%=1% status=OKFSM_NAS1: psize= 100G mounted=1 size=93G used=251M avail=93G used%=1% status=OKFSM_NAS2: psize= 200G mounted=1 size=187G used=251M avail=186G used%=1% status=OKFSM_NAS3: psize=1024G mounted=1 size=954G used=77M avail=954G used%=1% status=OKiSCSI0_L0: psize=1000G is_tgt_en=0 status=OKiSCSI0_L1: psize= 300G is_tgt_en=0 status=OKiSCSI0_L2: psize=1024G is_tgt_en=0 status=OKiSCSI1_L0: psize= 400G is_tgt_en=0 status=OK

[!fsmdiskstatus] OK

cns> fsmdiskstatus[fsmdiskstatus]FSM_1: status=NRDY

[!fsmdiskstatus] OK

cns> fsmdiskstatus --sw --fsep "#"[fsmdiskstatus] # FSM_NAS0: # psize=2048G # mounted=0 # status=OK #

[!fsmdiskstatus] OK



11.2.11 fsmpurgeSyntaxfsmpurge -f <fsm_name> [ -h | -N | - E | -M | -C | --verb ] fsmpurge --fsm <fsm_name> [ --help | --verb ] fsmpurge --fsm <fsm_name> [ --normal | --enhanced | --military | --cnt DescriptionThis command is used to purge all data bits from the selected FSM-C module. The data is erased from the disk using one of three different methods.

NOTEMilitary erase can take ~3 hours to complete on a 2 TB drive.Options-h, --help............................ Print help message.-f, --fsm <name>................ name of the FSM-C module to erase (e.g., fsm--d0)-N, --normal ....................... Issue ATA Security Erase Command on each FSM-C drive-E, --enhanced: ................. Issue ATA Security Enhanced Erase Command on each FSM-C drive-M, --Mil ............................. Erase data from disk using military algorithm.-C --cnt .............................. Show elapsed time counter.--verb................................. Show verbose output.-p, --pass ........................... Specify password to use to lock drive. Max 32 charResponsesfsmX-dY .............................. [cmd] [type] <status>

fsmX-dY ....................... FSM disk y in slot X[cmd] ............................. Command name.[[type]............................ Disk erase method

Example 1

Example 2

Example 3

Example 4

cns> fsmpurge -f fsm1-d0 -M[fsmpurge]Fsm1-d0: cmd=purge type=nsa_9-12 status=OK

[!fsmpurge] OK

cns> fsmpurge -f fsm0-d0 -N[fsmpurge]fsm0-d0: cmd=purge type=normal_erase status=OK

[!fsmpurge] OK

cns> fsmpurge -f fsm0-d0 -E[fsmpurge] fsm0-d0: cmd=purge type=enhanced_erase status=OK

[!fsmpurge] OK

cns> fsmpurge -f fsm0-d0 -E -C[fsmpurge]fsm0-d0: cmd=purge type=enhanced_erase status=OKElapsed time 00:06:39

[!fsmpurge] OK



Example 5cns> fsmpurge --fsm fsm0-d0 -N --verb [fsmpurge]Device Name: /dev/fsm0-d0 Password: '' Model name: 'TRITON HC' Serial Number: 201602080001 Firmware rev:NV.R1000 Perform normal erase. Start Erase Elapsed time 00:01:53 Erase Complete

[!fsmpurge] OK



11.2.12 fupdateSyntaxfupdate [--version | --help | -h]DescriptionThe fupdate command boots the CNS4 system into a RAM disk image where the user can install a new CNS4 disk image onto the system. By default the new image file to be updated is expected to be copied to the fsm_nas directory. Upon logging into the new RAM disk image, a menu of operations to restore and verify the restoration of a new disk image activates.Use of this command requires the user to first contact Curtiss-Wright Defense Solutions to identify and obtain the needed update files (specific instructions for individual situations may also be provided). The FSM-C modules must be configured or have their configuration verified so they will be able to accept the files (e.g., not configured as a RAID). The user should be aware that if reconfiguration of the FSM-C modules is necessary, data stored on the FSM-C modules may be lost. See paragraph 6.2.1 Initial Configuration and paragraph 6.2.4 Storage Media for configuration information and commands. See paragraph 6.1 Lab Setup / Connections for the required unit communications (keyboard & monitor) connections.Options-h, --help ............................. Print help message.--version ............................ Print program version.ExampleBelow is an example of commands (sysconfig) used (in sequence) to reconfigure and prepare an FSM-C for execution of field update process. If the FSM-C is already configured as a an individual disk, skip to the last item (serv --nas) in the list below and continue.sysconfig -E. This command will (E) erase the current configuration that is shown by ‘sysconfig’ upon entering the command.sysconfig --part fsm0 1 100% -W. This will create partition (part) on (fsm0) FSM-C module 0 (fsm0) with one partition (1) using all (100%) of FSM-C module 0 to which we will write (W) the system configuration.sysconfig --nas 1 0. This assigns one partition (1) as 0 to the system NAS partition. View the partition numbers by typing sysconfig.sysconfig -F all. This formats (F) all (all) of the NAS partitions.sysconfig -M all. This mounts (M) all (all) of the NAS partitions.serv --nas 1. This starts the NAS services and gives the ability to access the storage from a remote machine. See paragraph 11.2.23 serv.Once the user is sure the FSM-C module is in a configuration that will accept the update files, use the fupdate command to complete the Field Update. Create a folder called ‘firmware’ in the root of the NAS and copy the update file (e.g., cns4_image_ver2_31.gz) into the firmware folder just created. If communications with the CNS4 has been established, the update process may continue.Once the file is copied, the user will need to communicate with the CNS4 either via RS232 or keyboard/monitor as stated above. Once this has been done, continue with Fupdate process.fupdate. This command will load an image into memory to allow the user to update the boot image on the unit. A prompted for a user name will appear, enter root and press the ENTER key (no password is required). A menu with procedural options (shown below) will activate.

1) Scan for downloaded image2) Verify downloaded image against checksum3) Program image into Flash4) Verify Flash against image checksum5) Command Line Shellr) Reboots) Select image from list of image files



The update file name should appear above the displayed menu (e.g., cns4_image_ver2_31.gz). If so, then continue with the update process by selecting Program image into Flash, shown as selection number 3 in the example above. If the update file name does not appear, select 1) SCAN FOR DOWNLOADED IMAGE. After the scan is complete, select S) SELECT THE DESIRED IMAGE FROM LIST OF IMAGE FILES. If the file is not found, then the firmware folder does not exist on the NAS volume and reloading the file to the FSM-C should be performed.The update process takes approximately 25 minutes. A notification will be presented upon completion of the field update ([!fupdate] OK). The user may power cycle the unit after completion of the update to store the updated image.



11.2.13 health

NOTEThe CNS4 typically does not have an Ethernet cable attached to GBE3 (ETH3).Syntaxhealth [-h | --help | --version]health [-A] [-S] [-F] [-N] [-O]DescriptionThe health command displays health information for the CNS unit. FSM-C status, system status and network status can be displayed.Options-h, --help.............................. Print help message.--version .............................. Print program version.-A, --all................................. Display all CNS health information. (default)-S, --system......................... Display system specific health information.-F, --fsm............................... Display FSM-C specific health information.-N, --network ....................... Display network specific health information.-E, --en ................................ Display encryptor status.-T, --tf................................... Display temperatures in fahrenheit.ResponsesSYSTEM .............................................. System Health.[date] .................................................... Date <str> (Month/Date/Year).[time] .................................................... Time <str> (Hour:Minute:Second).[cns ver]................................................ CNS Firmware version <str> (ex. 3.1).[firmware ver] ....................................... Micro Controller firmware version <str> (ex.1.0).[power supply temp <int>] ................... CNS Power Supply Temp <int> (-128 to 127).[main board temp <str> <int>] ..............CNS Main Board Temp <int> (1|2) <int> (-128 to 127).[flash] ................................................... Flash Read/Write state <str> (ro, rw).[boot Flash] .......................................... Hardware Read/Write switch state <str> (ro, rw).[FSM EEPROM] ................................... Hardware Read/Write switch state <str> (ro, rw). <status> .............................................. Status <enum> (OK, NA, ERR "<str>").FSMX ................................................... [state] [id] [Temp] [5V pwr] [3V pwr] [FaultLED] [Status

LED] <status>.[FSMX] ................................................. FSM-C unit in slot X (X=slot number).[state] .................................................. <str> ( N/A ) or <int> <int> <int> <str> <str>.[id] ........................................................ Unique id of FSM-C <int> (105).[temp] ................................................... FSM-C temp <int> (-128 to 127).[5V pwr] ................................................ Reading of 5V sensor.[3V pwr] ............................................... Reading of 3.3V sensor.[faultLED] ............................................ <str> (ON, OFF).[statusLED]........................................... <str> (ON, OFF).<status> ............................................... Status <enum> (OK, NA, ERR "<str>").ETH_X.................................................. [ip] [link] <status>.ETH_X.................................................. Ethernet device X (X=device number).[ip] ....................................................... IP address <str> (ex. 192.168.0.1).[link]...................................................... Link status <str> (down, 1000Mb/s, 100Mb/s, 10Mb/s).<status> ............................................... Status <enum> (OK, NA, ERR "<str>").INVALID ............................................... <status>.INVALID ............................................... Command parameter(s) invalid.<status> ............................................. Status <str> (ERR "<str>").ERROR ................................................ <status>.ERROR ................................................ Command parameter(s) invalid.<status> ............................................... Status <str> (ERR "<str>").



Example 1

Example 2

Example 3

cns> health -A[health]SYSTEM: Date=04/29/2015 Time=12:00:24 Firmware Ver=1.0 CNS Ver=1.08Power Supply Temp 1 = 40 C Temp 2 = 27 CMain Board Temp Bot 1 = 32 C Temp Bot 2 = 29 CMain Board Temp Top 1 = 24 C Temp Top 2 = 30 Cflash=rw Boot Flash=rw FSM EEPROM=rw status=OK|----------------------- FSM Status ----------------------|| | Temp 1 | 5 V | 3.3V | Fault LED | Status LED ||------|---------|-------|-------|-----------|------------|| FSM0 | 23 C | 4.94V | 3.30V | OFF | OFF || FSM1 | 25 C | 4.92V | 3.30V | OFF | OFF || FSM2 | 24 C | 4.94V | 3.30V | OFF | OFF || FSM3 | 23 C | 4.95V | 3.30V | OFF | OFF ||---------------------------------------------------------| ETH_0: ip=192.168.1.22 link=1000Mb/s status=OK ETH_1: ip=192.168.2.22 link=1000Mb/s status=OK ETH_2: ip=192.168.3.22 link=1000Mb/s status=OK ETH_3: ip=10.19.6.4 link=1000Mb/s status=OK

[!health] OK

cns> health -F[health]|----------------------- FSM Status ----------------------|| | Temp 1 | 5 V | 3.3V | Fault LED | Status LED ||------|---------|-------|-------|-----------|------------|| FSM0 | 24 C | 4.92V | 3.31V | OFF | OFF || FSM1 | 23 C | 4.92V | 3.30V | OFF | OFF || FSM2 | 23 C | 4.94V | 3.31V | OFF | OFF || FSM3 | 22 C | 4.93V | 3.30V | OFF | OFF ||---------------------------------------------------------|

[!health] OK

cns> health -N -F[health]|----------------------- FSM Status ----------------------|| | Temp 1 | 5 V | 3.3V | Fault LED | Status LED ||------|---------|-------|-------|-----------|------------|| FSM0 | 21 C | 4.94V | 3.31V | OFF | OFF || FSM1 | 25 C | 4.91V | 3.30V | OFF | OFF || FSM2 | 22 C | 4.93V | 3.29V | OFF | OFF || FSM3 | 23 C | 4.92V | 3.30V | OFF | OFF ||---------------------------------------------------------| ETH_0: ip=192.168.1.22 link=1000Mb/s status=OK ETH_1: ip=192.168.2.22 link=1000Mb/s status=OK ETH_2: ip=192.168.3.22 link=1000Mb/s status=OK ETH_3: ip=10.19.6.4 link=1000Mb/s status=OK

[!health] OK



11.2.14 helpSyntax<command> -hhelp <command>DescriptionThe help command will provide a list of available commands as shown in the text box below.

NOTEFor help on a specific command, use help [command] or issue -h to the command. For example: help ipconfig or ipconfig -h

cns> helpcm_create_accountcm_cryptocm_field_updatecm_keycm_logcm_logincm_statedhcpconfigdiskcfgfsmdiskstatusfsmpurgefupdatehealthhelpibitipconfigistargetledcntrllogpasswordrebootserial_configservshutdownswcryptsysconfigsysdate



11.2.15 ibit

NOTEThe CNS4 typically does not have an Ethernet cable attached to GBE3 (ETH3).Syntaxibit [-h | -v]DescriptionThe ibit command performs the CNS4 system wide Initiated Built-In Test (CBIT). When the -v option is omitted a brief summary of system statistics is returned.Options-h, --help.............................. Print help message.-v, --verbose ........................ Verbose mode. Print more info regarding tests.-vf,--verbose on fail ............. Additional output about failures.ResponsesVerbose ............................... System wide [voltage] [temperature] [mfg. component BIT results]

<status><status> .............................. Status <str> (pass, fail "<str>")

NOTEOnly one FSM-C is shown for a concise depiction of repetitive report data. The actual display shows all FSM-Cs and reports errors for those not installed.

Example 1

Line Identifier:IBIT_MON ........................... Results for system monitor subsystem.IBIT_ETH ............................ Results for Ethernet subsystem.IBIT_FSM# .......................... Results for FSM in slot '#'.Fields:mcu=<s> ............................. Result for sysmon microcontrolleri2c=<s> ............................... Result for I2C busvolt=<s> ............................. Result for voltage regulator monitorseth#=<s> ............................. Result for Ethernet device eth# (eth0, eth1, ...)ata=<s> ............................... Result for ATA driver log checksmart=<s> ........................... Result for disk S.M.A.R.T. self assessmentstatus=<sts>........................ Summary status for the line.Enumerated types:<s> ...................................... Subtest status. 1=pass, 0=fail<sts> ................................... Status message (OK, ERR "<str>")<str> .................................... Text string<summary> ......................... Command status summary (OK, ERR)

cns> ibit[ibit]IBIT_MON: mcu=<s> i2c=<s> volt=<s> status=<sts>IBIT_ETH: eth0=<s> eth1=<s> eth2=<s> eth3=<s> status=<sts>IBIT_FSM0: volt=<s> ata=<s> smart=<s> status=<sts>IBIT_FSM1: volt=<s> ata=<s> smart=<s> status=<sts>IBIT_FSM2: volt=<s> ata=<s> smart=<s> status=<sts>IBIT_FSM3: volt=<s> ata=<s> smart=<s> status=<sts>

[!ibit] <summary>



11.2.16 ipconfigSyntaxipconfig [-h | --help | --version]ipconfig [-e device] [-V[ [-S] [-M]ipconfig [-e device] -D [-c cliented] [-F]ipconfig [-e device] [-i address] [-n netmask] [-g gateway] [-F]ipconfig [-e device] [-remove]DescriptionThe ipconfig command allows for configuration of an IP interface. By default, changes takeeffect on the next bootup.Options-h, --help.............................. Print help message. --version ............................. Print program version.-e, --eth <str> ...................... Ethernet device: eth0, eth1, ..., eth[n]. Default is 'all' when viewing

status (see -V), otherwise eth0.-i, --ip <str>.......................... Assign static IP address.-n, --net <str> ...................... Assign static IP netmask. Use '.' to clear.-g, --gate <str> ................... Assign static gateway address. Use '.' to clear.-t, --mtu <int>....................... Assing MTU value.-D, --dhcp ............................ Use DHCP.-O, --onboot......................... Configure interface to come up on boot.-Z, --zone............................. Zone to use when enabling ports in firewall. default:public-F, --force............................. Force reconfiguration without reboot. Note: This will cause

termination of active connections.-V, --view ............................. View interface status and configuration settings. Default action when

other options absent.-M, --mac............................. View MAC addresses.-S......................................... Like -V, but status only.

Example 1. Status/config display

NOTECommand 'ipconfig -S' reports only the STS_ETH_# lines as above.Line IdentifierSTS_ETH_# Current status for Ethernet device eth#.CFG_ETH_#Configuration settings for Ethernet device eth#.Fieldsink=<lnk>............................. Link speed / link down indicatorip=<ip> ................................ IP addressnm=<ip> .............................. Subnet mask (netmask)gw=<ip> .............................. Gateway addressprot=<prot> ......................... Identifies protocol/method of assigning TCP/IP parameters.zone=<zone> ...................... Zone to use when enabling port in firewall. default:publiconBoot=<y/n>...................... Yes or no response indicating interface is started on boot.status=<sts>........................ Summary status for the given line.Enumerated types:<lnk> Link speed (10, 100, 1000, down)<ip> ..................................... IPv4 dotted-decimal address (Ex: 10.19.6.6), netmask (Ex:

255.255.255.0), gateway (Ex: 10.19.0.0), or 'NA' for "Not available"

cns> ipconfig -V[ipconfig]STS_ETH_0: link=<lnk> ip=<ip> nm=<ip> gw=<ip> status=<sts>STS_ETH_1: link=<lnk> ip=<ip> nm=<ip> gw=<ip> status=<sts>CFG_ETH_0: prot=<prot> ip=<ip> nm=<ip> gw=<ip> zone=<zone> onBoot=<y/n> status=<sts>CFG_ETH_1: prot=<prot> ip=<ip> nm=<ip> gw=<ip> zone=<zone> onBoot=<y/n> status=<sts>

[!ipconfig] <summary>



<prot>.................................. "dhcp" for DHCP assignment (ip, nm, gw fields absent) "static" for static assignment (ip, nm, gw fields follow)

<sts> ................................... Status message (OK, ERR "<str>")<str> .................................... Text string<summary> ......................... Command status summary (OK, ERR)

Example 2. MAC display

Line IdentifierMAC_ETH_# ....................... MAC address / current status for Ethernet device eth#.Fieldsmac=<mac> ........................ Interface MAC addressip=<ipnm> .......................... IPv4 dotted-decimal address and netmask lengthlink=<lnk>............................ Link speed / link down indicatorstatus=<sts>........................ Summary status for the given line.Enumerated types (See also above examples):<mac> ................................. MAC address (Ex format: 00:11:22:33:44:55)<ipnm> ................................ IP/netmask length (Ex: 10.19.6.6/20) or "NA" for "Not available"<summary> ......................... Command status summary (OK, ERR)

Example 3. Set static IP and netmask on interface eth1

Example 4. Set DHCP config / force reconfiguration on interface eth1

Example 5. Configure (enable) boot configuration of eth1

Line IdentifierIP......................................... Configuration status lineFieldsstatus=<sts>........................ Summary status for the given line.

cns> ipconfig -M[ipconfig]MAC_ETH_0: mac=<mac> ip=<ipnm> link=<lnk> status=<sts>MAC_ETH_1: mac=<mac> ip=<ipnm> link=<lnk> status=OK


cns> ipconfig -e eth1 -i 192.168.1.5 -n 255.255.255.0[ipconfig]IP: status=<sts>


cns> ipconfig -e eth1 -D -F[ipconfig]IP: status=<sts>


cns> ipconfig -e eth1 -O yes[ipconfig]IP: status=<sts>




11.2.17 istargetSyntaxistarget [ -h | --help | --version]istarget [ --start | --stop | --status | --setTargetName <index> <iqn name>]istarget [ --getTargetName ] [ --blocksize <int> ] [ --getBlockSize <int> ]istarget [ --sw ] | --fsep <char> ]DescriptionThe istarget command starts, stops, and reports the status of the iSCSIi target server.Options-h, --help........................................................ Print help message.--version ........................................................ Print program version.--start............................................................. Start iSCSI Target service.--stop ............................................................. Stop iSCSI Target service.--status .......................................................... Status of iSCSI Target service (default).--setTargetName <index> <iqn name>.......... Set iSCSI qualified name (iqn)<index> ......................................................... Ethernet port number 0,1,2 etc or all <iqn name> .................................................. iSCSI Qualified Name (IQN)--getTargetNames ......................................... Get iSCSI qualified name (iqn} of each Ethernet port --blocksize <int> ............................................ Set target block size--getBlockSize ............................................... Get target block size--sw ............................................................... Generate single line machine output --fsep "<char>" .............................................. Specify field separation char for machine output.

When used --sw or --fsep should be the first argument

NOTEThe IQN format takes the form 'iqn.yyyy-mm.naming-authority:unique name', where: 'yyyy-mm' is the year and month when the naming authority was established. 'naming-authority' is usually reverse syntax of the Internet domain name of the naming authority.

NOTE'unique name' is any name you want to use, for example, the name of your host. The information following the colon must be unique, such as:iqn.2015-05.net.cwnas.iscsi:gbe1iqn.2015-05.net.cwnas.iscsi:gbe2ResponsesISCSI#_L#........................... <idevY> [is_tgt_en] <status>idevY ................................... ISCSI target device iqn.2015-05.net.cwnas.iscsi:gbeY (Y=ISCSI

target disk 0,1,2 or 3)[is_tgt_en] ........................... iSCSI Target Enabled <bool> (0,1)<status> .............................. Status <enum> (OK, ERR "<str>")INVALID .............................. <status>INVALID .............................. Command parameter(s) invalid<status> .............................. Status <str> (ERR "<str>")ERROR ............................... <status>ERROR ............................... Critical error has occurred<status> .............................. Status <str> (ERR "<str>")

Example 1 cns> istarget --start[istarget]iSCSI0_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe0 is_tgt_en=1 status=OKiSCSI1_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe1 is_tgt_en=1 status=OK

[!istarget] OK



Example 2

Example 3

Example 4

Example 5

Example 6

Example 7

cns> istarget --stop[istarget]iSCSI0_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe0 is_tgt_en=0 status=OKiSCSI1_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe1 is_tgt_en=0 status=OK

[!istarget] OK

cns> istarget --status[istarget]iSCSI0_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe0 is_tgt_en=1 status=OKiSCSI1_L0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe1 is_tgt_en=1 status=OK

[!istarget] OK

cns> istarget --getTargetName[istarget]ISCSI0: iqn=iqn.2015-05.net.cwnas.iscsi:gbe0ISCSI1: iqn=iqn.2015-05.net.cwnas.iscsi:gbe1

[!istarget] OK

cns> istarget --blockSize 4096[istarget]Set_target_block_size=4096

[!istarget] OK

cns> istarget --getBlocksize[istarget]WARNING: status=WRN str="Blocksize:4096 != Active Size:512. Need to restart target"Target_block_size=4096

[!istarget] OK

cns> istarget --getBlocksSize[istarget]Target_block_size=512

[!istarget] OK



11.2.18 ledctrlSyntaxledctrl [-h | --help | --version]ledctrl [-l ledNum] [-d dutyCycle]DescriptionThe ledctrl command allows the user to set the duty cycle or get the duty cycle and whetherthe specified LED is ON or OFF for all LEDs (s0, s1, s2, and s3) on the CNS4 unit.Options-h, --help.............................. Print help message.--version .............................. Print program version.-d, --duty <num>.................. Set CNS4 LED duty cycle (0 - 100%)-l, --led <str>........................ LED number ('A' for all CNS4 LEDs: s0, s1, s2, and s3)ResponsesLED ..................................... [s0] [d0] [s1] [d1] [s2] [d2] [s3] [d3] <status>LED ..................................... CNS4 LED settings.[s0] ...................................... LED_0 activity <bool> (0,1)[d0] ...................................... LED_0 duty cycle <int> (0 to 100)[s1] ...................................... LED_1 activity <bool> (0,1)[d1] ...................................... LED_1 duty cycle <int> (0 to 100)[s2] ...................................... LED_2 activity <bool> (0,1)[d2] ...................................... LED_2 duty cycle <int> (0 to 100)[s3] ...................................... LED_3 activity <bool> (0,1)[d3] ...................................... LED_3 duty cycle <int> (0 to 100)<status> .............................. Status <enum> (OK, NA, ERR "<str>")INVALID .............................. status>INVALID .............................. Command parameter(s) invalid<status> .............................. Status <enum> (OK, NA, ERR "<str>")ERROR ............................... <status>ERROR ............................... Command parameter(s) invalid<status> .............................. Status <str> (ERR "<str>")

Example 1

Example 2

Example 3

Example 4

cns> ledctrl -l A[ledctrl]LED: s0=1 d0=25 s1=0 d1=50 s2=0 d2=75 s3=1 d3=0 status=OK

[!ledctrl] OK

cns> ledctrl -l s2[ledctrl]LED: s2=0 d2=75 status=OK

[!ledctrl] OK

cns> ledctrl -l s1 -d 50[ledctrl]LED: status=OK

[!ledctrl] OK

cns> ledctrl -l s6[ledctrl]INVALID: status=ERR str="invalid parameter."

[!ledctrl] ERR



11.2.19 logSyntaxlog [-h | --help | --version]log [-M | -L | -A | -F ] FILENAMElog [ --export ] [ --archive ] [ -p <VolID> ]DescriptionWithout a filename, will list log files that are available for viewing. With filename, will display text of the log file. By default, only the last 100 are shown, but viewing mode can be modified with options.Options-h, --help.............................. Print help message.--version .............................. Print program version.

List log files.-M........................................ Paged using 'more' utility. 'q' to quit.-L ......................................... Paged using 'less' utility. 'q' to quit.-A......................................... All. Unpaged full text dump.-F......................................... Follow output with 'tail -f'. Ctrl-C to quit.--export................................ Export log files to an FSM-C NAS partition selected by -p.--archive .............................. Like --export, but package files in a .tar.gz file.-p <number>........................ Selects FSM-C NAS partition used by --export or --archive.

Example 1. View list of log files

Enumerated Types<filename> ......................... Name of a log file.<summary> ......................... Command status summary (OK, ERR).

NOTEOutput of viewer(s) not formalized.

Example 2. View log file pbit.log using page viewer

Example 3. Export an archive of log files to the fsm_nas1 partition

Line IdentifierLOG..................................... Log export status line.Fieldsstatus=<sts>........................ Summary status for the line.Enumerated Types<sts> ................................... Status message (OK, ERR "<str>").<str> .................................... Text string.<summary> ......................... Command status summary (OK, ERR).

cns> log[log]<filename><filename>...

[!log] <summary>

cns> log -M pbit.log<file contents>

cns> log --archive -p 1[log]LOG: status=<sts>

[!log] <summary>



11.2.20 passwordSyntaxpassword [-h | --help | --version]password [-u userName] [-p userPass]DescriptionThe password command allows the user to change the login password. The -u option can beprovided to change the password for a different login account.Password QualityNew Passwords must be a minimum of 15 characters. Maximum number of allowed same consecutive characters is two. Maximum number of allowed consecutive characters of the same class is four. Password must contain one lowercase character, one upper case character, one digit and one other character.Options-h, --help.............................. Print help message.--version .............................. Print program version.-u, --user <str> .................... Username of account.-p, --pass <str>.................... New password.ResponsesPASS <status>PASS................................... CNS4 login password<status> .............................. Status <enum> (OK, NA, ERR "<str>")INVALID <status>INVALID .............................. Command parameter(s) invalid<status> ............................. Status <str> (ERR "<str>")ERROR <status>ERROR ............................... Critical error has occurred<status> ............................. Status <str> (ERR "<str>")

Example 1

Example 2

cns> password -u admin -p My_Secr_Pass_Word#1[password]PASS: status=OK

[!password] OK

cns> password -u admin[password]INVALID: status=ERR str="invalid parameter."

[!password] ERR



11.2.21 rebootSyntaxreboot [-h | --help | --version]DescriptionThe reboot command stops all services, unmounts the storage, and does a soft reset of thehardware.Options-h, --helpPrint help message.--versionPrint program version.ResponsesREBOOT <status>REBOOT............................. CNS4 reboot<status> .............................. Status <enum> (OK, NA, ERR "<str>")INVALID status>INVALID .............................. Command parameter(s) invalid<status> .............................. Status <str> (ERR "<str>")ERROR <status>ERROR ............................... Critical error has occurred<status> ............................. Status <str> (ERR "<str>")

Examplecns> reboot[reboot]REBOOT: status=OK

[!reboot] OK



11.2.22 serial_configSyntaxserial_config [-h | --help | --version | --info ][ -baud <num> | --xonoff <e|d> | --parity <n|e|o> ]serial_config [ --stop <1|2> | --char <7|8> ]DescriptionThe serial_config command allows the user to changes the serial port configuration.Options-h, --help.............................. Print help message.--baud | -B <num> ............... Set baud rate. 1200, 2400, 4800, 9600, 19200, 38400, 57600 or

115200--xonfoff | -X <e/d> .............. Enable softare (XON/XOFF) flow control e=Enable XON/XOFF,

d=Diable XON/XOFF--parity | -P <neo> ............... Set device parity n=none, o=odd, e=even--stop | -S <12> .................. Set Stop bits 1 or 2--char | -C <78>................... Set charater bits 7 or 8.--info | -i .............................. Show current device settings--version .............................. Show command version string--sw ..................................... Generate single line machine output --fsep "<char>" ................... Specify field separation char for machine output. When used --sw or -

-fsep should be the first argumentExample 1

Example 2

cns> serial_config --baud 115200 [serial_config]Set_config: baud=9600 Char=8 Parity=n Stop=1 XON_XOFF=Disabled

[!serial_config] OK

cns> serial_config -i[serial_config]Baud_rate=9600 Char_size=8 Parity=none Stop_bits=1 XON_XOFF=Disabled

[!serial_config] O



11.2.23 servSyntaxserv [-h | --help | --version]serv [-a val] [-n val] [-w val] [-h val] [-f val] [-d val] [-t val]serv --boot [-a val] [-n val] [-w val] [-h val] ...DescriptionThe serv command allows the user to set the boot configuration for CNS4 services and tomanually start/stop services. When no options are given, the current boot configuration andactive status is displayed for all the services.Options-h, --help.............................. Print help message.--version .............................. Print program version.-B, --boot ............................. Apply the settings to the boot-time configuration.-a, --all <num> .................... All Services--nas <num>........................ All NAS Services. (CIFS, NFS, FTP, HTTP and TFTP)-c, --cifs <num> ................... CIFS Service-n, --nfs <num> ................... NFS Service-f, --ftp <num> ..................... FTP Service-w, --http <num>.................. HTTP Read Service-d, --dhcp <num>................. DHCP Service-s, --snmp <num>................ SNMP Service-i, --iscsi <num> .................. iSCSI Service-m, --mnt <num> ................. Mount NAS partitions--force.................................. Force active services using nas volumes to stop when unmounting (--

mnt 0) nas disk volumes.--wrap <0,1> ....................... Output word wrap. 1=word wrap 0=no wrap. Default:1 --sw ..................................... Generate single line machine output. --fsep "<char>" ................... Specify field separation character for machine output. When used --

sw or --fsep should be the first argument.Enumerated Type<num>................................. Selects server state. 0=Disable, 1=Enable, 2=Use boot setting.Enumerated type:<num>................................. Selects server state. 0=Disable, 1=Enable, 2=Use boot setting

Example 1. Status/configuration display

Line IdentifierBOOTCFG .......................... Reports of service states to be applied at boot-up.LIVECFG............................. Reports the current operation state of each service.

NOTEThe 'status' field appears on the same line as the others. The example output above is line wrapped for clarity.Fieldscifs=<s>............................... Common Internet File System service state (SMB Server Message

Block).nfs=<s> ............................... Network File System service state.ftp=<s> ............................... File Transfer Protocol service state.http=<s> ............................. Hypertext Transfer Protocol service state.dhcp=<s> ............................ Dynamic Host Configuration Protocol service state.snmp=<s> ........................... Simple Network Management Protocol service state.iscsi=<s> ............................. SCSI service state.mnt=<s> .............................. Mount NAS partitions.status=<sts> ....................... Summary status for the line.

cns> serv[serv]BOOTCFG: cifs=<s> nfs=<s> ftp=<s> http=<s> dhcp=<s> tftp=<s> tel=<s> snmp=<s> <iscsi=<s> mnt=<s> status=<sts>LIVECFG: cifs=<s> nfs=<s> ftp=<s> http=<s> dhcp=<s> tftp=<s> tel=<s> snmp=<s> status=<sts>

[!serv] <summary>



Enumerated Types<s> ...................................... Configuration state. 0=Disabled, 1=Enabled, ERR=Unknown.<sts> ................................... Status (OK, NA, ERR "<str>").<str> .................................... Text string.<summary> ......................... Command status summary (OK, ERR).

Example 2. Boot Configuration

Line IdentifierBOOTSET ........................... Indicates boot configuration update performed.Fieldstatus=<sts>........................ Summary status for the line.

Example 3. Mount nas with machine output mode

Example 3. Start / Stop Servers

Line IdentifierLIVESET ............................. Indicates change to operational state of server.Fields<serv>=<s> ......................... Indicator of which server is being started/stopped.status=<sts>........................ Status for action (OK, ERR "<str>").

cns> serv --boot --cifs 1 --nfs 0[serv]BOOTSET: status=<sts>

[!serv] OK

cns> serv --boot --cifs 1 --nfs 0[serv]LIVESET: mnt=1 status=OK

[!serv] OK

cns> serv --cifs 1 --nfs 0 --ftp 1[serv]

LIVESET: cifs=1 status=OKLIVESET: nfs=0 status=OKLIVESET: ftp=1 status=ERR "Failed to start server"

[!serv] ERR



11.2.24 shutdownSyntaxshutdown [-h | --help | --version]DescriptionThe shutdown command stops all services, unmounts the storage, and halts the CNS4operating system.Options-h, --help.............................. Print help message.--version .............................. Print program version.ResponsesSHUTDOWN <status>SHUTDOWN....................... CNS4 shutdown<status> .............................. Status <enum> (OK, NA, ERR "<str>")INVALID <status>INVALID .............................. Command parameter(s) invalid<status> .............................. Status <str> (ERR "<str>")ERROR <status>ERROR ............................... Critcal error has occurred<status> .............................. Status <str> (ERR "<str>")

Examplecns> shutdown[shutdown]SHUTDOWN: status=OK

[!shutdown] OK



11.2.25 swcryptSyntax[ -h [1|2] | --help # | --version | --verb | --wrap ][ --init <#|# #|all> [ --key-file <str> ] ][ --open <#|# #|all> [ --key-file <str> ] ][ --close <#|# #|all> ][ --erase <#|# #|all> ][ --delfile <str> ] [--status ][ --sw | --fsep <char>DescriptionThe swcrypt command allows the user to view and alter the CNS disk encryption options.Options--help | -h............................. Show help.--version .............................. Show software version.--verb................................... Generate verbose output.--status ................................ Show partition status.Password Quality• Minimum characters: 15.• Minimum numbers: 1.• Minimum lowercase characters: 1.• Minimum uppercase characters: 1.• Minimum special characters: 1.• Maximum consecutive repeating characters: 2.• Maximum consecutive repeating characters of the same class: 4.• Minimum number of different characters: 8.• Minimum days for password change: 1.• Maximum days for password change: 60.• Dictionary words are not valid or accepted.• The last seven passwords cannot be reused.Software encryption options

NOTEA SWE container must be initialed using the --init flag before it can be opened, closed or erased.Create a SWE container on specified partition--init <#|# #|all> [ --key-file <filename>]<# | # # | all> ....................... List of one or more partitions or all for all partitions[--key-file <filename> ]......... Use passphrase stored in specified file.[--pass <str> ] ...................... Use password specified on command line as the passphrase. User

will be prompted for a passphrase when --key-file or --pass flag are not present. This is the most secure mode.

WARNINGThe --allow-discard flag can have a negative security impact because it can make filesysem-level operations visible on the physical device. For example, information leaking filesystem type, used i space, etc. may be extractable from the physical device if the discarded blocks can be located later. If in doubt, do not use it.

Open a SWE container on specified partition --open <#|# #|all> [ --pass <passphrase> | --keyFile <filename> ]<# | # # | all> ....................... List of one or more partitions or all for all partitions[--key-file <filename> ]......... Use passphrase stored in specified file.[--pass <str> ] ...................... Use password specified on command line as the passphrase.[--allow-discards ] ................ Allow the use of discard (TRIM) requests for device. User will be

prompted for a passphrase when --key-file or --pass flag are not present. This is the most secure mode.



Close a SWE container on specified partition--close <#|# #|all><# | # # | all> ....................... List of one or more partitions or all for all partitionsErase a SWE container on specified partition--erase <#|# #|all> <# | # # | all> ....................... List of one or more partitions or all for all partitions

NOTEThis option only works with files stored in the /keyfiles folder. Allowing files from other folders to be deleted can lead to security issuesOverwrite and delete the keyfile specified.--delfile <file name><file name> ......................... File name of keyfile to overwite and then delete.

Example 1

Example 2

Example 3

Example 4

Example 5

cns> swcrypt --init 1[swcrypt]cmd=init Part=1Enter passphrase: Verify passphrase:status=OK

[!swcrypt] OK

cns> swcrypt --init 1[swcrypt]cmd=init Part=1 Enter passphrase:Verify passphrase:status=ERR str="Password error: The password contains less than 1 uppercase letters

[!swcrypt] ERR

cns> swcrypt --init all --key-file /keyfiles/keyfile.txt[swcrypt]cmd=init Part=0 status=OKcmd=init Part=1 status=OKcmd=init Part=2 status=OKcmd=init Part=3 status=OK

[!swcrypt] OK

cns> swcrypt --open 1[swcrypt]cmd=open Part=1 Enter passphrase for /dev/md127p2:status=OK

[!swcrypt] OK

cns> swcrypt --close 1[swcrypt]cmd=close Part=1 status=OK

[!swcrypt] OK



Example 6

Example 7

Example 8

cns> swcrypt --erase all[swcrypt]cmd=erase Part=0 status=OKcmd=erase Part=1 status=OKcmd=erase Part=2 status=OKcmd=erase Part=3 status=OK

[!swcrypt] OK

cns> swcrypt --status[swcrypt]Partitions: 4Part0: name=fsm_raida1 swe=closedPart1: name=fsm_raida2 swe=closedPart2: name=fsm_raida3 swe=closedPart3: name=fsm_raida4 swe=closed

[!swcrypt] OK

cns> swcrypt --delfile /keyfiles/pw.txt[swcrypt]cmd=delfile, deleting file=/keyfiles/pw.txt status=OK

[!swcrypt] OK



11.2.26 sysconfig

NOTERefer to System Configuration section for additional information regarding the sysconfig command.Syntax[ -h [1|2] | --help # | --version | --scan | --rescan | --status ][ --numFreeDisks | --numFsmDisks | --numPartitions ] [ --getDevName <vid> | --getFreeDisks | --isMounted <vid> ][ --verb | --all | --hide | --sw | --fsep "char" | --wipe ][ --writecfg | --mount <#|# #|all> | --umount <#|# #|all> ][ --trim <#|# #|all> | --fsck <#|# #|all> | --format <#|# #|all> ][ --setNfsOpt <options> | --getNfsOpt ][ --part <options> | --raid<L> <options> ][ --add <options> | --remove <options> | --raidStatus ][ --nas <options> | --iscsi0 <options> | --iscs1 <options> ][ --iscsi2 <options> | --iscsi3 <options> ][ --free <options> | --multi | --file <options> ]DescriptionThe sysconfig command allows the user to view and alter the CNS disk and system configuration.Options--help, -h [1|2|1 2] ......................Show help. Add 1 and/or 2 for additional help.

1=Additional detail on status and raid config.2=Detailed command and response descriptions.

--version ....................................Show software version. --scan ........................................Delete and then scan for FSM connections. --rescan .....................................Rescan sata hosts for FSM connections. --status, -S.................................Show system status. Default action if no flags. --numFreeDisks.........................Get number of free disks. --numFsmDisks .........................Get total number of disks. --numPartitions..........................Get total number of partitions. --getFreeDisks...........................Get list of unconfigured disks. --getDevName <NAS vol #>......Get device name of specified NAS volume. --isMounted <NAS vol #> ..........Check to see if NAS volume is mounted. <NAS vol #> NAS disk

volume id number 0 to number of fsm_nas? disk volumes. --verb.........................................Generate verbose output. --all, -A.......................................Show all fields even empty ones. --hide, -L....................................Hide most field labels. --wrap [0|1] ................................Word wrap text to screen. 0=no wrap 1=wrap def=0 --sw ...........................................Generate single line machine output. --fsep "<char>" ..........................Specify field separation character for single line machine output.

when used --sw or --fsep should be the first argument. --wipe, -E .................................Wipe raid and partition data from all disks. --writecfg, -W ............................Write system configuration to disks.



11.2.27 sysdateSyntaxsysdate [-h | --help | --version]sysdate [-d M/D/Y] [-t H:M:S]DescriptionThe sysdate command allows for configuration and retrieval of the time and date. When nooptions are given, the current date is printed.Options-h, --help.............................. Print help message.--version .............................. Print program version.-d, --date <str> .................. Set date. (Month/Date/Year)-t, --time <str>.................... Set time. (Hour:Minute:Second)ResponseDATE [date] [time] <status>DATE................................... CNS4 date and time[date] ................................... Date <str> (Month/Date/Year)[time] ................................... Time <str> (Hour:Minute:Second)<status> .............................. Status <enum> (OK, NA, ERR "<str>")INVALID <status>INVALID .............................. Command parameter(s) invalid<status> .............................. Status <str> (ERR "<str>")ERROR <status>ERROR ............................... Critical error has occurred<status> .............................. Status <str> (ERR "<str>")

Example 1

Example 2

cns> sysdate -d 04/01/2018 -t 00:00:01[sysdate]DATE: status=OK

[!sysdate] OK

cns> sysdate[sysdate]DATE: date=04/01/2018 time=00:00:01 status=OK

[!sysdate] OK


CNS4 CSfC A - 1 SpecificationsRevision 0.0

SpecificationsA.1 Envelope / Mounting Dimensions

NOTEDimensions are in inches and (millimeters).

Figure A.1 CNS4 Envelope/ Mounting Dimensions.

(333.1)13.12

(320.4)12.61

(193.5)7.62

(3.18)0.13

(330.2)13.00

(320.5)12.62

(185.55)7.31

(6.35)0.25

DDOC0108-00034

(196.7)7.75

(257.2)10.13

9.37 (238.0)



NOTEDimensions are in inches and (millimeters).

Figure A.1 CNS4 Envelope / Mounting Dimensions (Continued).

0.373 (9.462) 0.373 (9.462)

0.40(10.16)

0.40(10.16)

DDOC0108-0038

13.11(333.0)

13.87(352.3)

2.94(74.55)

4.25(107.95)



A.2 Physical Dimensions / WeightHeight:................................................................................................................ 7.62 in. (193.5 mm)Width: ................................................................................................................ 9.60 in. (243.8 mm)Depth:............................................................................................................... 12.62 in. (320.5 mm)Weight (with Four FSM-C Modules):....................................................................37.8 lbs (16.72 kg)Weight (Chassis / ILE Module Only): ...................................................................31.8 lbs. (14.4 kg)

A.3 Power Dissipation28 VDC input (with ILE/ Four FSM-C Modules): .................................................... 60.0 Watts peak

A.4 Electrical Requirements28 VDC at 2.14 Amps...............................................................................ILE, Four FSM-C ModulesInput Power .................................................................................. 22 - 36 VDC (28 VDC preferred)

A.5 Mean Time Between Failure

NOTEMTBF calculated using MIL-HDBK-217 FN2,Method 1 Case 3 for Airborne Inhabited Cargo (AIC) at 30° C.CNS4 Chassis with FSM-C (Qty 4) and ILE (Qty 1) modules ..................................... 11,875 Hours

A.6 EnvironmentA.6.1 Temperature

Storage:....................................................................................................................... -40° to 71° C*Operation: ................................................................................................................... -40° to 71° C** Ambient at sea level

A.6.2 HumidityStorage:.................................................................................................... 0% to 100% (condensing)Operating: ................................................................................................ 0% to 100% (condensing)

A.6.3 Vibration, Operating0.005 g2/Hz at 20Hz ............................................................................................... X, Y, and Z Axes0.02g2/Hz at 80 to 300Hz ...................................................................................... X, Y, and Z Axes0.003g2/Hz at 2000Hz ............................................................................................ X, Y, and Z Axes

A.7 EMIThe Curtiss-Wright CNS4 was evaluated with respect to MIL-STD-461F electromagnetic interference (EMI) requirements. Testing was performed in accordance with the Standard. The CNS4 has passed and therefore complies with all of the following EMI requirements.CS101 ........................................Conducted Susceptibility, 30kHz to 150kHz Per MIL-STD-461,

CS01CE102 ........................................Conducted Emissions, Power and Signal Leads, 15kHz to 50MHzCS114 ........................................Conducted Susceptibility, Bulk Cable Injection, 10kHz to 200MHzCS115 ........................................Conducted Susceptibility, Bulk Cable Injection, Impulse ExcitationCS116 ........................................Conducted Susceptibility, Damped Sinusoid Transients, Cables

and Power Leads, 10kHz to 100MHz.RE102 ........................................Radiated Emissions, Electric Field, 10kHz to 18 GHzRS103 ........................................Radiated Susceptibility, Electric Field, 2MHz to 40GHz


CNS4 CSfC B - 1 Cables / ConnectorsRevision 0.0

Cables / ConnectorsThe following s provide information regarding cable diagrams and CNS4 connector pinouts

B.1 Power / RS-232Figure B.1 shows the power / RS-232 lab cable wiring diagram. Figure B.2 shows the CNS4 bulkhead power connector pins. Table B.1 shows the power/RS-232 lab cable bulkhead connector pin information. It also shows the cable terminations at the opposite end of the cable.• Power is user-supplied +28 VDC.• Ground is zero voltage reference relative to the user-supplied +28 VDC.• Chassis ground is physically common with the equipment in which the CNS4 is installed.• Signal lines are standard primary RS-232 transmit and receive.• RS-232 ground is the zero voltage reference for the RS-232.Figure B.1 Power / RS-232 Lab Cable

Figure B.2 CNS4 Bulkhead Power Connector

ZeroizeChassisGND

Reserved

4

1 2

3

5

67

89

1011

1213

DDOC0108-0035

28V

GND

DB9

5

234

1

876

9

123456789

10111213

5

2 1

6

4

39

87

1211

1013

DDOC0108-0036

Table B.1 Power / RS-232 Lab Cable Pinout

Description Abbreviation Bulkhead Connector Pin Pigtail Termination

28 VDC 28V 5, 10, 11 Red RCA PlugGround GND 6, 7, 12 Black RCA PlugRS-232 Transmit TxD 4 DB9 connector pin 3RS-232 Receive RxD 8 DB9 connector pin 2RS-232 Ground RS-232 GND 2 DB9 connector pin 5Zeroize Zeroize 13 White WireChassis Ground CH_GND 1 White WireReserved 3 White Wire


CNS4 CSfC B - 2 Cables / ConnectorsRevision 0.0

The zeroize connection is a +5 volt line that when grounded for a minimum of 300ms will zero the encryption key. The CNS4 must be powered on for discrete zeroization to occur. The signal must conform to the following specifications:• Active low• 300ms duration• Connected to CNS4 power connector pin 13.

B.2 EthernetFigure B.3 shows the Ethernet lab cable wiring diagram. Figure B.4 shows the CNS4 bulkhead Ethernet connectors pins. Table B.1 shows the Ethernet lab cable bulkhead connector pin information. It also shows the cable terminations at the opposite end of the cable.Figure B.3 Ethernet Lab Cable

Figure B.4 CNS4 Bulkhead Ethernet Connectors

321

6 754

1098

DDOC0108-0039

AA+

AA-

AB+

AB-

AC+

AC-

AD+

AD-

12345678910Shown Keyed for GBE0

DDOC0108-0037GBE0 GBE1 GBE2 GBE3

3 2 1

67 5 4

10 9 8

3 2 1

67 5 4

10 9 8

3 2 1

67 5 4

10 9 8

3 2 1

67 5 4

10 9 8

Table B.2 Ethernet Lab Cable Pinout

Description Abbreviation Bulkhead Connector Pin Pigtail Termination

BI_DA+ MDI0_P 8 White / OrangeBI_DA- MDI0_M 4 OrangeBI_DB+ MDI1_P 7 White / GreenBI_DB- MDI1_M 3 GreenBI_DC+ MDI2_P 5 White / BlueBI_DC- MDI2_M 1 BlueBI_DD+ MDI3_P 10 White / BrownBI_DD- MDI3_M 1 BrownNot Connected 2 NA


CNS4 CSfC C - 1 Ordering InformationRevision 1.0

Ordering InformationRefer to paragraph 1.6 Ordering Process for information on how to order any of the components and/or assemblies listed in Table C.1.

Table C.1 Ordering Information

Nomenclature Part Number

CNS4-CSfC Chassis (With ILE Module) 3671213E08039-7CNS4-CSfC Chassis 3671213E08039-207CNS4-CSfC Battery Label D800027-R00-LFCNS4-CSfC Tamper Label D800028-R00-LF (or equivalent)FSM-C Storage Module (2 TB) 3671213E08039-405FSM-C Storage Module Tamper Label D800028-R00-LF (or equivalent)ILE Module 3671213E08039-307ILE Module Battery Label D800027-R00-LFILE Module Tamper Label D800028-R00-LF (or equivalent)ILE Battery TLH-5934 (Tadiran)Chassis Battery (Lithium) D700097-000-00 (LS 14500 [Saft])ATR Mounting Tray VS-CNS4Tray-00Power / RS-232 Lab Cable (36-Inch Long) 801-008-16NF8-135AGBE0 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SAGBE1 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SBGBE2 Ethernet Lab Cable (12-Inch Long) 801-008-16NF7-10SCGBE3 Ethernet Lab Cable (12-Inch Long) Not Used

cns4 csfc - niap-ccevs

Documents