StrongKey / fido2

Open-source FIDO server, featuring the FIDO2 standard. https://demo4.strongkey.com/getstarted/#/openapi/fido

Syntax of CP, PP and GP commands of CLI Tool #200

Closed Canopus-B closed 1 year ago

Canopus-B commented 2 years ago

I installed SKFS and the Fidopolicy application and tried to get and edit some policies other than MinimalPolicy (with sid=1 and pid=1) using the CLI tool, but I do not understand how to do it. Here https://docs.strongkey.com/index.php/skfs-home/skfs-administration/skfs-skfsclient-cli/skfs-v3-api-usage/get-policy-gp an example is described for getting MinimalPolicy, but not the syntax. What do Active and False mean in the arguments? I would appreciate it if someone could tell me the syntax of these three commands. And how do I get the ModerateSKFSPolicy-SpecificSecurityKeys policy; what are its sid and pid? Thanks.

pattycakelol commented 2 years ago

Hi @Canopus-B,

When you run the skfsclient.jar with no arguments, a usage will be printed for you that describes these values. The PID (Policy ID) for the ModerateSKFSPolicy-SpecificSecurityKeys policy is 2 by default. The SID (Server ID) should only be 1 if you are using a single machine. If you are using a clustered SKFS environment, then you should have already worked out which SID belongs to which server as per Step 2 in the Clustered Installation steps.

$ skfs01:~> java -jar ~/skfsclient/skfsclient.jar 

Copyright (c) 2001-2022 StrongAuth, Inc. All rights reserved.

Command: R (registration) | A (authentication) | G (getkeysinfo) | U (updatekey) | D (deregister) | P (ping)
| CP (createpolicy) | PP (updatepolicy) | DP (deletepolicy) | GP (getpolicy)
| GC (getconfiguration) | UC (updateconfiguration) | DC (deleteconfiguration)
       java -jar skfsclient.jar R <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <origin> <crossorigin>
       java -jar skfsclient.jar A <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <origin> <authcounter> <crossorigin>
       java -jar skfsclient.jar AZ <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <txid> <txpayload> <origin> <authcounter> <crossorigin> <verify>
       java -jar skfsclient.jar G <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username>
       java -jar skfsclient.jar U <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <random-id> <displayname> <status>
       java -jar skfsclient.jar D <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <random-id>
       java -jar skfsclient.jar P <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ]
       java -jar skfsclient.jar CP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <status> <notes> <policy>
       java -jar skfsclient.jar PP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <sid> <pid> <status> <notes> <policy>
       java -jar skfsclient.jar DP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <sid> <pid>
       java -jar skfsclient.jar GP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <metadataonly> <sid> <pid>
       java -jar skfsclient.jar GC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ]
       java -jar skfsclient.jar UC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <configkey> <configvalue> [<notes>]
       java -jar skfsclient.jar DC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <configkey>
       java -jar skfsclient.jar UU <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <oldusername> <newusername>
       java -jar skfsclient.jar GUK <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <usernames>

Acceptable Values:
         hostport            : host and port to access the fido 
                                 SOAP & REST format : http://<FQDN>:<non-ssl-portnumber> or 
                                                      https://<FQDN>:<ssl-portnumber>
                                 example            : https://fidodemo.strongauth.com:8181
         did                 : Unique domain identifier that belongs to SKCE
         wsprotocol          : Web service protocol; example REST | SOAP
         authtype            : Authorization type; example HMAC | PASSWORD
         accesskey           : Access key for use in identifying a secret key
         secretkey           : Secret key for HMACing a request
         svcusername         : Username used for PASSWORD-based authorization
         svcpassword         : Password used for PASSWORD-based authorization
         username            : Username for registration, authentication, or getting keys info
         command             : R (registration) | A (authentication) | G (getkeysinfo) | U (updatekeyinfo) | D (deregister) | P (ping)
         origin              : Origin to be used by the fido client simulator
         crossorigin         : Boolean that will determine if client data allows crossorigin or not - to be used for the simulator
         authcounter         : Auth counter to be used by the fido client simulator
         txid                : Unique identifier for the transaction (Base64URLSafe String)
         txpayload           : Transaction payload to be used to generate the challenge for transaction authorization (Base64URLSafe String)
         random-id           : String associated to a specific fido key registered to a
                                 specific user. This is needed to perform actions on the key like
                                 de-activate, activate and deregister.
                                 Random-id can be obtained by calling 'G' option.
         good/bad signature  : Optional; boolean value that simulates emitting good/bad signatures
                                 true for good signature | false for bad signature
                                 default is true
         start-date          : Unix Timestamp (in milliseconds) when the policy should take effect
         end-date            : Unix Timestamp (in milliseconds) when the policy should end. Can be "null"
         cert-profile-name   : A human readable name for the policy
         verify              : Verify the authorization once again once we receive the response (Boolean value)
         version             : Version of the policy (currently only value of 1 is accepted)
         status              : Active/Inactive. Status to set the key or policy to.
         notes               : Optional notes to store with the policy or configuration.
         policy              : A JSON object defining the FIDO2 policy.
         sid                 : Server ID: Policy identifier returned by creating a policy.
         pid                 : Policy ID: Policy identifier returned by creating a policy.
         metadataonly        : Boolean. If true, returns only the metadata of the policy. If false, returns the metadata + the policy JSON.
         configkey           : Configuration identifier of server setting.
         configvalue         : Value connected to configuration identifier.
         oldusername         : Existing username for a user.
         newusername         : New username for a user.
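
As an added example (not code from this thread or from the StrongKey project), the following POSIX sh wrapper calls skfsclient.jar with the GP, PP and CP argument order exactly as the usage text above prints it, for the HMAC authorization type. The host, port, domain id and JAR path are assumed placeholders, and the SKFS_* environment variable names, the dry-run switch and the helper names are my own, not part of the tool.

```shell
#!/bin/sh
# Added example; not code from the StrongKey project or from this thread.
# Wraps skfsclient.jar so GP / PP / CP are always called with the argument
# order printed by the usage text (HMAC authorization shown):
#   GP  ... <accesskey> <secretkey> <metadataonly> <sid> <pid>
#   PP  ... <accesskey> <secretkey> <sid> <pid> <status> <notes> <policy>
#   CP  ... <accesskey> <secretkey> <status> <notes> <policy>
# The SKFS_* values below are assumed placeholders, not real deployment data.

SKFS_JAR="${SKFS_JAR:-$HOME/skfsclient/skfsclient.jar}"
SKFS_HOSTPORT="${SKFS_HOSTPORT:-https://skfs01.example.com:8181}"  # assumed FQDN/port
SKFS_DID="${SKFS_DID:-1}"                                          # assumed domain id
SKFS_WSPROTOCOL="${SKFS_WSPROTOCOL:-REST}"
SKFS_AUTHTYPE="${SKFS_AUTHTYPE:-HMAC}"
# SKFS_ACCESSKEY / SKFS_SECRETKEY are taken from the environment on purpose:
# never hard-code them in a script. SKFS_DRYRUN=1 prints the argv instead of
# invoking java, which is how the wrappers can be exercised offline.

skfs_run() {
    if [ -n "${SKFS_DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

skfs_check_creds() {
    if [ -z "${SKFS_ACCESSKEY:-}" ] || [ -z "${SKFS_SECRETKEY:-}" ]; then
        echo "export SKFS_ACCESSKEY and SKFS_SECRETKEY first" >&2
        return 1
    fi
}

# <status> is a fixed vocabulary (Active/Inactive); reject anything else
# locally instead of sending a value the server has to interpret.
skfs_check_status() {
    case "$1" in
        Active|Inactive) return 0 ;;
        *) echo "status must be Active or Inactive, got '$1'" >&2; return 1 ;;
    esac
}

skfs_check_bool() {
    case "$1" in
        true|false) return 0 ;;
        *) echo "expected true or false, got '$1'" >&2; return 1 ;;
    esac
}

# GP: read policy <sid>/<pid>; metadataonly=false also returns the policy JSON.
skfs_get_policy() {  # sid pid [metadataonly]
    metadataonly="${3:-false}"
    skfs_check_creds && skfs_check_bool "$metadataonly" || return 1
    skfs_run java -jar "$SKFS_JAR" GP "$SKFS_HOSTPORT" "$SKFS_DID" \
        "$SKFS_WSPROTOCOL" "$SKFS_AUTHTYPE" "$SKFS_ACCESSKEY" "$SKFS_SECRETKEY" \
        "$metadataonly" "$1" "$2"
}

# PP: replace policy <sid>/<pid>. <policy> is one JSON object and must reach
# java as ONE argument, so it is read from a file instead of typed inline.
skfs_update_policy() {  # sid pid status notes policy-file
    skfs_check_creds && skfs_check_status "$3" || return 1
    [ -s "$5" ] || { echo "policy file '$5' missing or empty" >&2; return 1; }
    policy=$(cat "$5")
    skfs_run java -jar "$SKFS_JAR" PP "$SKFS_HOSTPORT" "$SKFS_DID" \
        "$SKFS_WSPROTOCOL" "$SKFS_AUTHTYPE" "$SKFS_ACCESSKEY" "$SKFS_SECRETKEY" \
        "$1" "$2" "$3" "$4" "$policy"
}

# CP: create a new policy; the sid/pid the server returns is what you then
# pass to GP, PP and DP.
skfs_create_policy() {  # status notes policy-file
    skfs_check_creds && skfs_check_status "$1" || return 1
    [ -s "$3" ] || { echo "policy file '$3' missing or empty" >&2; return 1; }
    policy=$(cat "$3")
    skfs_run java -jar "$SKFS_JAR" CP "$SKFS_HOSTPORT" "$SKFS_DID" \
        "$SKFS_WSPROTOCOL" "$SKFS_AUTHTYPE" "$SKFS_ACCESSKEY" "$SKFS_SECRETKEY" \
        "$1" "$2" "$policy"
}

# Dispatch: `sh skfs-policy.sh skfs_get_policy 1 2 false` fetches the default
# ModerateSKFSPolicy-SpecificSecurityKeys policy (pid 2, sid 1 on a single server).
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

To edit an existing policy, fetch it first with metadataonly=false, save the JSON to a file, change it, and push it back with PP using the same sid and pid; PP takes the whole policy object, not a partial patch. Note that with this CLI the HMAC secret key (or service password) is a command-line argument, so it is visible in process listings and shell history on the machine you run it from; keep the keys in the environment rather than in the script and restrict who can run it.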

push2085 commented 1 year ago

Closing this issue but you can find all the documentation about operations on FIDO policy using the client at https://docs.strongkey.com/index.php/skfs-home/skfs-administration/skfs-skfsclient-cli/skfs-v3-api-usage/admin-operations

There are also new articles added to the "How To" section that might be useful for future reference. https://docs.strongkey.com/index.php/skfs-home/skfs-how-to