mrhsm info

Displays HSM configuration information.

Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.

Use the -config option to display the KMIP configuration.
Use the -file option to display the status of file-based backends.
Use the -kmip option to display the KMIP status.
Use the -slots option to display information on the PKCS#11 slots.

Syntax

mrhsm info

Examples

Viewing the PKCS#11 Slot Configuration

You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:

# mrhsm info -slots
Available slots:
Slot 0
    Slot info:
        Description:          MapRHSM slot ID 0x0                                             
        Manufacturer ID:      HPE MapR-HSM                    
        Token present:        yes
    Token info:
        Manufacturer ID:      HPE MapR-HSM                    
        Model:                MapRHSM         
        Serial number:                        
       Initialized:          no
        User PIN initialized: no
        Label:

After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

# mrhsm info -slots
Available slots:
Slot 1298274617
    Slot info:
        Description:          MapRHSM slot ID 0x4d621939                                      
        Manufacturer ID:      HPE MapR-HSM                    
        Token present:        yes
    Token info:
        Manufacturer ID:      HPE MapR-HSM                    
        Model:                MapRHSM         
       Serial number:        07137a824d621939
        Initialized:          yes
        User PIN initialized: yes
        Label:                Utimaco ESKM

Viewing the KMIP Configuration
You can view the KMIP configuration after initialization. The KMIP configuration constitutes the various configuration settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the Data Fabric HSM integration guides ( (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).
Beginning with release 7.0.0, the mrhsm info command shows a Backend parameter with a value of kmip (the default) or file. These values indicate a KMIP- or file-based backend key store.
The following settings are required to connect to the HSM:
1. The comma-separated list of IP addresses.
2. The KMIP port number, which is 5696 by default.
3. The client private key.
4. The client certificate in PEM format.
5. The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially.
```
# mrhsm info -config 
Displaying information for KMIP token with serial b819261a33fbe5a1 
Backend                : kmip 
IP                     : Not configured 
Port                   : 5696 
KMIP Version           : 1.1 
KMIP Client Key        : Not configured 
KMIP Client Certificate: Not configured 
KMIP CA Certificate    : Not configured 
```
For a file-based backend, the Backend value is file, and no other entries are displayed for the mrhsm info -config option:
```
# mrhsm info -config 
Displaying information for file token with serial b54a261a364fe5a1 
Backend                : file
```
All KMIP configuration settings are stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.

Viewing the KMIP Configuration for an Enabled HSM

Use the -kmip argument to view the KMIP configuration for an enabled HSM:

# mrhsm info -kmip 
Displaying information for KMIP token with serial b819261a33fbe5a1
CLDB Key        : Set
DARE Key        : Not set
Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
Enabled         : Yes

Viewing Information for File-Based Backends

Release 7.0.0 introduced a -file option for displaying the status of file-based backends:

# mrhsm info -file 
Displaying information for file token with serial 9693057db789a262 
Backend                : file 
File Configuration Version 1 
----------------------------- 
CLDB: 
    Encrypted Key   : 95E1DE5CE60E6F6203930223D7CEA090CADF8D444A2E4E0E2A5AC367F4B73A2BC2C55FAAF3CB317A358C06430FD36F8CDC612BE93150DA445015D2D6632D26EB 
    UUID            : 94d33e00-6db3-c308-6f1f-05a952dfe074 
    SHA-256 checksum: 2BF8880892403E993892E7D4BF621EE80E4773A8845CCC7BFB17D258DEF09F3F 
DARE : 
    Encrypted Key   : A4193A186796AF41D80AE61853F53F171ED0679039836BCCD82B2B141B50C5FCC5B80EF5D4E7880064CB390649F728E358E47D35D6DC842C8893D9243A45577C 
    UUID            : 8b545031-123d-29e4-366d-2b77f56dafc7 
    SHA-256 checksum: E01F1D7A6229CC833F3CBF12ED7F6A184901AF1D0D32F5F4A7FD6CDBF27A51AD 
Core KEK : 
    UUID            : bfe8ee8b-816f-c68c-9ead-d15394f353c4 
    SHA-256 checksum: B22C6B9DDB429667DA8887AB552AF1E2F8C15EAD3744CF8F9656A390C1F3F689 
Common KEK : 
    UUID            : 4df7f1d4-884e-f0a6-a7e2-67c84a10c40b 
    SHA-256 checksum: D9D9E0EC1C621314C70AB42524BAA275956BE9CBCED09F604846D0FCEAD3FB8F 
Enabled             : Yes

Using mrhsm info with No Parameters

Using mrhsm info with no parameters automatically detects the store backend and displays the combined output for the -config and -kmip options for the KMIP backend and the -config and -file options for the file backend.

Here is a sample display for a KMIP token that has been enabled:

# mrhsm info 
Displaying information for KMIP token with serial 8ce465dd102da8f6 
Backend                : kmip 
IPs 
    IP  1              : 12.1.78.164 Active 
Port                   : 5696 
KMIP Version           : 1.1 
KMIP Client Key        : Configured 

KMIP Client Certificate: 
    Subject: /C=US/ST=California/L=Santa Clara/O=HPE/OU=MapR/CN=kmipclient/emailAddress=chye-lin.chee@hpe.com 
    Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
    Version: 3 
    Signature Algorithm: ecdsa-with-SHA256 
    Validity: 
        Not before: Jan 13 05:23:00 2020 GMT 
        Not after: Aug  5 05:23:00 2029 GMT 

KMIP CA Certificate: 
    Subject: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
    Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
    Version: 3 
    Signature Algorithm: ecdsa-with-SHA256 
    Validity: 
        Not before: Aug  6 23:49:09 2019 GMT 
        Not after: Aug  4 23:49:09 2029 GMT 
 
KMIP Configuration Version 1 
----------------------------- 
CLDB: 
    Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30 
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8 
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC 
DARE : 
    Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC 
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed 
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF 
Core KEK : 
    UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822 
    SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863 
Common KEK : 
    UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04 
    SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932 
Enabled             : Yes

Here is a sample display for a file-based key store:

# mrhsm info 
Displaying information for file token with serial 8ce465dd102da8f6 
Backend                : file 
 
File Configuration Version 1 
----------------------------- 
CLDB: 
    Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30 
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8 
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC 
DARE : 
    Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC 
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed 
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF 
Core KEK : 
    UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822 
    SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863 
Common KEK : 
    UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04 
    SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932 
Enabled             : Yes

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0