Syntax of CP, PP and GP commands of CLI Tool
I installed SKFS and the FidoPolicy application and tried to get and edit some policies other than MinimalPolicy (with sid=1 and pid=1) using the CLI Tool, but I do not understand how to do it. Here an example is described for getting MinimalPolicy, but not the syntax. What do Active and False mean in the arguments? I would appreciate it if someone could tell me the syntax of these three commands. And how do I get the ModerateSKFSPolicy-SpecificSecurityKeys policy; what are the sid and pid for it? Thanks.
Hi @Canopus-B,
When you run the skfsclient.jar with no arguments, a usage will be printed for you that describes these values.
The PID (Policy ID) for the ModerateSKFSPolicy-SpecificSecurityKeys policy is 2 by default.
The SID (Server ID) should only be 1 if you are using a single machine. If you are using a clustered SKFS environment, then you should have already worked out which SID belongs to which server as per Step 2 in the Clustered Installation steps.
$ skfs01:~> java -jar ~/skfsclient/skfsclient.jar
Copyright (c) 2001-2022 StrongAuth, Inc. All rights reserved.
Command: R (registration) | A (authentication) | G (getkeysinfo) | U (updatekey) | D (deregister) | P (ping)
| CP (createpolicy) | PP (updatepolicy) | DP (deletepolicy) | GP (getpolicy)
| GC (getconfiguration) | UC (updateconfiguration) | DC (deleteconfiguration)
java -jar skfsclient.jar R <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <origin> <crossorigin>
java -jar skfsclient.jar A <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <origin> <authcounter> <crossorigin>
java -jar skfsclient.jar AZ <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username> <txid> <txpayload> <origin> <authcounter> <crossorigin> <verify>
java -jar skfsclient.jar G <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <username>
java -jar skfsclient.jar U <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <random-id> <displayname> <status>
java -jar skfsclient.jar D <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <random-id>
java -jar skfsclient.jar P <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ]
java -jar skfsclient.jar CP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <status> <notes> <policy>
java -jar skfsclient.jar PP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <sid> <pid> <status> <notes> <policy>
java -jar skfsclient.jar DP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <sid> <pid>
java -jar skfsclient.jar GP <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <metatdataonly> <sid> <pid>
java -jar skfsclient.jar GC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ]
java -jar skfsclient.jar UC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <configkey> <configvalue> [<notes>]
java -jar skfsclient.jar DC <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <configkey>
java -jar skfsclient.jar UU <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <oldusername> <newusername>
java -jar skfsclient.jar GUK <hostport> <did> <wsprotocol> <authtype> [ <accesskey> <secretkey> | <svcusername> <svcpassword> ] <usernames>
Acceptable Values:
hostport : host and port to access the fido
SOAP & REST format : http://<FQDN>:<non-ssl-portnumber> or
example :
did : Unique domain identifier that belongs to SKCE
wsprotocol : Web service protocol; example REST | SOAP
authtype : Authorization type; example HMAC | PASSWORD
accesskey : Access key for use in identifying a secret key
secretkey : Secret key for HMACing a request
svcusername : Username used for PASSWORD-based authorization
svcpassword : Password used for PASSWORD-based authorization
username : Username for registration, authentication, or getting keys info
command : R (registration) | A (authentication) | G (getkeysinfo) | U (updatekeyinfo) | D (deregister) | P (ping)
origin : Origin to be used by the fido client simulator
crossorigin : Boolean that will determine if client data allows crossorigin or not - to be used for the simulator
authcounter : Auth counter to be used by the fido client simulator
txid : Unique identifier for the transaction (Base64URLSafe Strong)
txpayload : Transaction payload to be used to generate the challenge for transaction authorization (Base64URLSafe Strong)
random-id : String associated to a specific fido key registered to a
specific user. This is needed to perform actions on the key like
de-activate, activate and deregister.
Random-id can be obtained by calling 'G' option.
good/bad signature : Optional; boolean value that simulates emiting good/bad signatures
true for good signature | false for bad signature
default is true
start-date : Unix Timestamp (in milliseconds) when the policy should take effect
end-date : Unix Timestamp (in milliseconds) when the policy should end. Can be "null"
cert-profile-name : A human readable name for the policy
verify : Verify the authorization once again once we receive the response (Boolean value)
version : Version of the policy (currently only value of 1 is accepted)
status : Active/Inactive. Status to set the key or policy to.
notes : Optional notes to store with the policy or configuration.
policy : A JSON object defining the FIDO2 policy.
sid : Server ID: Policy identifier returned by creating a policy.
pid : Policy ID: Policy identifier returned by creating a policy.
metadataonly : Boolean. If true, returns only the metadata of the policy. If false, returns the metadata + the policy JSON.
configkey : Configuration identifier of server setting.
configvalue : Value connected to configuration identifier.
oldusername : Existing username for a user.
newusername : New username for a user.
Closing this issue but you can find all the documentation about operations on FIDO policy using the client at
There are also new articles added to the "How To" section that might be useful for future reference.
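The policy commands from the usage above (GP, CP, PP, DP), as an added POSIX shell wrapper that is not part of StrongKey's skfsclient, SKFS, or this thread. It assembles the argument list in the order the usage shows, rejects values the server would not accept before anything is sent (a status other than Active/Inactive, a non-boolean metadataonly, a non-numeric sid or pid), reads the policy JSON from a file so the shell does not mangle it, and with SKFS_DRY_RUN=1 prints the command with the secret masked instead of running java. The environment variable names, the jar path, and the hostport value are assumptions; the sid=1, pid=2 used in the sample call are the defaults the answer gives for a single-server install and the ModerateSKFSPolicy-SpecificSecurityKeys policy.

```shell
#!/bin/sh
# Added wrapper around skfsclient.jar policy commands. Not StrongKey code.
# Assumed connection settings (override via the environment):
SKFS_JAR="${SKFS_JAR:-$HOME/skfsclient/skfsclient.jar}"
SKFS_HOSTPORT="${SKFS_HOSTPORT:-https://skfs01.example.com:8181}"  # constructed placeholder
SKFS_DID="${SKFS_DID:-1}"
SKFS_WSPROTOCOL="${SKFS_WSPROTOCOL:-REST}"     # REST | SOAP
SKFS_AUTHTYPE="${SKFS_AUTHTYPE:-HMAC}"         # HMAC | PASSWORD
SKFS_CRED1="${SKFS_CRED1:-ACCESSKEY_PLACEHOLDER}"  # HMAC: accesskey / PASSWORD: svcusername
SKFS_CRED2="${SKFS_CRED2:-SECRETKEY_PLACEHOLDER}"  # HMAC: secretkey / PASSWORD: svcpassword
SKFS_DRY_RUN="${SKFS_DRY_RUN:-1}"              # 1 = print the command, 0 = run java

# Validation helpers: fail locally instead of sending a malformed request.
skfs_is_uint()   { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
skfs_is_status() { case "$1" in Active|Inactive) return 0 ;; *) return 1 ;; esac; }
skfs_is_bool()   { case "$1" in true|false) return 0 ;; *) return 1 ;; esac; }

skfs_check_conn() {
  case "$SKFS_WSPROTOCOL" in REST|SOAP) ;; *) echo "wsprotocol must be REST or SOAP" >&2; return 1 ;; esac
  case "$SKFS_AUTHTYPE" in HMAC|PASSWORD) ;; *) echo "authtype must be HMAC or PASSWORD" >&2; return 1 ;; esac
  [ -n "$SKFS_CRED1" ] && [ -n "$SKFS_CRED2" ] || { echo "credentials are not set" >&2; return 1; }
}

# Run the assembled command line; in dry-run mode print it with the secret masked
# so the HMAC secret key or service password never lands in a terminal log.
skfs_run() {
  skfs_check_conn || return 1
  cmd=$1; shift
  if [ "$SKFS_DRY_RUN" = "1" ]; then
    printf 'java -jar %s %s %s %s %s %s %s ****' "$SKFS_JAR" "$cmd" \
      "$SKFS_HOSTPORT" "$SKFS_DID" "$SKFS_WSPROTOCOL" "$SKFS_AUTHTYPE" "$SKFS_CRED1"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
  else
    java -jar "$SKFS_JAR" "$cmd" "$SKFS_HOSTPORT" "$SKFS_DID" "$SKFS_WSPROTOCOL" \
      "$SKFS_AUTHTYPE" "$SKFS_CRED1" "$SKFS_CRED2" "$@"
  fi
}

# GP <metadataonly> <sid> <pid>
# metadataonly=true returns only the policy metadata; false adds the policy JSON.
skfs_getpolicy() {
  skfs_is_bool "$1" && skfs_is_uint "$2" && skfs_is_uint "$3" ||
    { echo "usage: skfs_getpolicy true|false <sid> <pid>" >&2; return 1; }
  skfs_run GP "$1" "$2" "$3"
}

# CP <status> <notes> <policy>   (policy read from a JSON file)
skfs_createpolicy() {
  skfs_is_status "$1" && [ -r "$3" ] ||
    { echo "usage: skfs_createpolicy Active|Inactive <notes> <policy.json>" >&2; return 1; }
  skfs_run CP "$1" "$2" "$(cat "$3")"
}

# PP <sid> <pid> <status> <notes> <policy>   (policy read from a JSON file)
skfs_updatepolicy() {
  skfs_is_uint "$1" && skfs_is_uint "$2" && skfs_is_status "$3" && [ -r "$5" ] ||
    { echo "usage: skfs_updatepolicy <sid> <pid> Active|Inactive <notes> <policy.json>" >&2; return 1; }
  skfs_run PP "$1" "$2" "$3" "$4" "$(cat "$5")"
}

# DP <sid> <pid>
skfs_deletepolicy() {
  skfs_is_uint "$1" && skfs_is_uint "$2" ||
    { echo "usage: skfs_deletepolicy <sid> <pid>" >&2; return 1; }
  skfs_run DP "$1" "$2"
}

# Sample call: fetch the full ModerateSKFSPolicy-SpecificSecurityKeys policy
# (sid=1 on a single server, pid=2 by default) including its JSON.
skfs_getpolicy false 1 2
```

Because skfsclient.jar takes the access key and secret key (or service username and password) on the command line, they are visible in process listings and shell history on the machine running the client; the dry-run masking above only covers what this wrapper prints. A typical edit cycle is `skfs_getpolicy false <sid> <pid>` to read the current JSON, editing the file, then `skfs_updatepolicy <sid> <pid> Active "<notes>" policy.json` with SKFS_DRY_RUN=0.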