mrhsm info

Displays HSM configuration information.

Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.

  • Use the -config option to display the KMIP configuration.
  • Use the -file option to display the status of file-based backends.
  • Use the -kmip option to display the KMIP status.
  • Use the -slots option to display information on the PKCS#11 slots.

Syntax

mrhsm info [-config | -file | -kmip | -slots]

Examples

  • Viewing the PKCS#11 Slot Configuration

    You can view the PKCS#11 slot configuration both before and after initialization. Immediately after a fresh installation, before mrhsm init has been run, the Token info section shows the token as uninitialized, with no serial number:

    # mrhsm info -slots
    Available slots:
    Slot 0
        Slot info:
            Description:          MapRHSM slot ID 0x0
            Manufacturer ID:      HPE MapR-HSM
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM
            Model:                MapRHSM
            Serial number:
            Initialized:          no
            User PIN initialized: no
            Label:

    After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

    # mrhsm info -slots
    Available slots:
    Slot 1298274617
        Slot info:
            Description:          MapRHSM slot ID 0x4d621939
            Manufacturer ID:      HPE MapR-HSM
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM
            Model:                MapRHSM
            Serial number:        07137a824d621939
            Initialized:          yes
            User PIN initialized: yes
            Label:                Utimaco ESKM

  • Viewing the KMIP Configuration

    You can view the KMIP configuration after initialization. The KMIP configuration consists of the connection settings you obtain from the KMIP-enabled HSM after setting it up as described in the Data Fabric HSM integration guides (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager (now known as Thales CipherTrust Manager) Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).

    Beginning with release 7.0.0, the mrhsm info command shows a Backend parameter with a value of kmip (the default) or file. These values indicate a KMIP- or file-based backend key store.

    The following settings are required to connect to the HSM:

    1. The comma-separated list of IP addresses of the KMIP-enabled HSM.
    2. The KMIP port number, which is 5696 by default.
    3. The client private key.
    4. The client certificate in PEM format.
    5. The CA certificate in PEM format. For a certificate chain containing root and intermediate CA certificates, all certificates in the chain are stored sequentially.

    Until these settings have been supplied, each of them is reported as Not configured:

    # mrhsm info -config
    Displaying information for KMIP token with serial b819261a33fbe5a1
    Backend                : kmip
    IP                     : Not configured
    Port                   : 5696
    KMIP Version           : 1.1
    KMIP Client Key        : Not configured
    KMIP Client Certificate: Not configured
    KMIP CA Certificate    : Not configured

    For a file-based backend, the Backend value is file, and no other entries are displayed for the mrhsm info -config option:

    # mrhsm info -config
    Displaying information for file token with serial b54a261a364fe5a1
    Backend                : file

    All KMIP configuration settings, including the client private key, are stored in encrypted form in /opt/mapr/conf/tokens/mrhsm.conf on each of the CLDB nodes in the cluster.

  • Viewing the KMIP Configuration for an Enabled HSM

    Use the -kmip option to view the key status of an enabled KMIP HSM: whether the CLDB and DARE keys have been set, the UUIDs of the core and common KEKs, and whether the HSM is enabled:

    # mrhsm info -kmip 
    Displaying information for KMIP token with serial b819261a33fbe5a1
    CLDB Key        : Set
    DARE Key        : Not set
    Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
    Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
    Enabled         : Yes

  • Viewing Information for File-Based Backends

    Release 7.0.0 introduced a -file option for displaying the status of file-based backends:

    # mrhsm info -file
    Displaying information for file token with serial 9693057db789a262 
    Backend                : file 
    File Configuration Version 1 
    ----------------------------- 
    CLDB: 
        Encrypted Key   : 95E1DE5CE60E6F6203930223D7CEA090CADF8D444A2E4E0E2A5AC367F4B73A2BC2C55FAAF3CB317A358C06430FD36F8CDC612BE93150DA445015D2D6632D26EB 
        UUID            : 94d33e00-6db3-c308-6f1f-05a952dfe074 
        SHA-256 checksum: 2BF8880892403E993892E7D4BF621EE80E4773A8845CCC7BFB17D258DEF09F3F 
    DARE : 
        Encrypted Key   : A4193A186796AF41D80AE61853F53F171ED0679039836BCCD82B2B141B50C5FCC5B80EF5D4E7880064CB390649F728E358E47D35D6DC842C8893D9243A45577C 
        UUID            : 8b545031-123d-29e4-366d-2b77f56dafc7 
        SHA-256 checksum: E01F1D7A6229CC833F3CBF12ED7F6A184901AF1D0D32F5F4A7FD6CDBF27A51AD 
    Core KEK : 
        UUID            : bfe8ee8b-816f-c68c-9ead-d15394f353c4 
        SHA-256 checksum: B22C6B9DDB429667DA8887AB552AF1E2F8C15EAD3744CF8F9656A390C1F3F689 
    Common KEK : 
        UUID            : 4df7f1d4-884e-f0a6-a7e2-67c84a10c40b 
        SHA-256 checksum: D9D9E0EC1C621314C70AB42524BAA275956BE9CBCED09F604846D0FCEAD3FB8F 
    Enabled             : Yes

  • Using mrhsm info with No Parameters

    Using mrhsm info with no parameters automatically detects the key store backend and displays the combined output: -config plus -kmip for the KMIP backend, or -config plus -file for the file backend.

    Here is a sample display for a KMIP token that has been enabled:

    # mrhsm info
    Displaying information for KMIP token with serial 8ce465dd102da8f6 
    Backend                : kmip 
    IPs 
        IP  1              : 12.1.78.164 Active 
    Port                   : 5696 
    KMIP Version           : 1.1 
    KMIP Client Key        : Configured 
    
    KMIP Client Certificate: 
        Subject: /C=US/ST=California/L=Santa Clara/O=HPE/OU=MapR/CN=kmipclient/emailAddress=chye-lin.chee@hpe.com 
        Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
        Version: 3 
        Signature Algorithm: ecdsa-with-SHA256 
        Validity: 
            Not before: Jan 13 05:23:00 2020 GMT 
            Not after: Aug  5 05:23:00 2029 GMT 
    
    KMIP CA Certificate: 
        Subject: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
        Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com 
        Version: 3 
        Signature Algorithm: ecdsa-with-SHA256 
        Validity: 
            Not before: Aug  6 23:49:09 2019 GMT 
            Not after: Aug  4 23:49:09 2029 GMT 
     
    KMIP Configuration Version 1 
    ----------------------------- 
    CLDB: 
        Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30 
        UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8 
        SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC 
    DARE : 
        Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC 
        UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed 
        SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF 
    Core KEK : 
        UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822 
        SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863 
    Common KEK : 
        UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04 
        SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932 
    Enabled             : Yes

    Here is a sample display for a file-based key store:

    # mrhsm info
    Displaying information for file token with serial 8ce465dd102da8f6 
    Backend                : file 
     
    File Configuration Version 1 
    ----------------------------- 
    CLDB: 
        Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30 
        UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8 
        SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC 
    DARE : 
        Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC 
        UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed 
        SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF 
    Core KEK : 
        UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822 
        SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863 
    Common KEK : 
        UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04 
        SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932 
    Enabled             : Yes
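    The connection settings required under -config, the key status reported by -kmip, and the combined no-parameter output above are written for an operator to read. The following Python script is an added example, not code from mrhsm or the Data Fabric documentation, that parses that output so the same checks can be scripted on every CLDB node: it flags any setting still reported as Not configured, a missing or non-Active KMIP server, an HSM that is not Enabled, and a client or CA certificate that has expired or is about to, and it compares the key-record UUIDs and SHA-256 checksums collected from several CLDB nodes. It assumes the output format shown on this page; the samples embedded in it are abridged copies of the page's own listings, and the expectation that the key records agree on every CLDB node is the example's assumption rather than something the page states.

```python
"""Sanity-check `mrhsm info` output. Added example, not part of the mrhsm tool;
assumes the output format shown on this page. The samples below are abridged
copies of the page's own listings, used as constructed test input."""
import re
from datetime import datetime, timedelta

KMIP_ENABLED_SAMPLE = """\
Displaying information for KMIP token with serial 8ce465dd102da8f6
Backend                : kmip
IPs
    IP  1              : 12.1.78.164 Active
KMIP Client Key        : Configured

KMIP Client Certificate:
    Subject: /C=US/ST=California/L=Santa Clara/O=HPE/OU=MapR/CN=kmipclient
    Validity:
        Not before: Jan 13 05:23:00 2020 GMT
        Not after: Aug  5 05:23:00 2029 GMT

KMIP CA Certificate:
    Validity:
        Not after: Aug  4 23:49:09 2029 GMT

KMIP Configuration Version 1
-----------------------------
CLDB:
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
Enabled             : Yes
"""
UNCONFIGURED_SAMPLE = """\
Displaying information for KMIP token with serial b819261a33fbe5a1
Backend                : kmip
IP                     : Not configured
KMIP Client Key        : Not configured
KMIP Client Certificate: Not configured
KMIP CA Certificate    : Not configured
"""
CERT_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
SERIAL_LINE = re.compile(r"^Displaying information for (\w+) token with serial ([0-9a-f]+)$")
KEY_RECORDS = ("CLDB", "DARE", "Core KEK", "Common KEK")


def parse_info(text):
    """Flatten the output into {"Section/Sub/Key": "value"}; indentation nests."""
    fields, stack = {}, []  # stack holds (indent, section name) for open sections
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or set(line) == {"-"}:
            continue  # blank line, shell prompt, or the ruler under a heading
        if found := SERIAL_LINE.match(line):
            fields["Token type"], fields["Serial"] = found.groups()
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave every section this line is not indented under
        key, sep, value = line.partition(":")
        key, value = " ".join(key.split()), value.strip()  # "IP  1" -> "IP 1"
        path = "/".join([name for _, name in stack] + [key])
        if sep and value:
            fields[path] = value
        else:
            stack.append((indent, key))  # "CLDB:", "Validity:", "IPs" open sections
    return fields


def check_kmip(fields, now, warn_days=30):
    """Problems in parsed no-parameter `mrhsm info` output for a KMIP backend."""
    problems = []
    if fields.get("Backend") != "kmip":
        problems.append(f"backend is {fields.get('Backend')!r}, not kmip")
    problems += [f"{p} is not configured" for p, v in fields.items() if v == "Not configured"]
    servers = [v for p, v in fields.items() if p.startswith("IPs/")]
    if not servers:
        problems.append("no KMIP server address")
    problems += [f"server {v} is not Active" for v in servers if not v.endswith(" Active")]
    if fields.get("Enabled") != "Yes":
        problems.append("HSM is not enabled")
    for cert in ("KMIP Client Certificate", "KMIP CA Certificate"):
        raw = fields.get(f"{cert}/Validity/Not after")
        if raw is None:
            continue  # no validity block when the certificate is Not configured
        not_after = datetime.strptime(" ".join(raw.split()), CERT_DATE_FMT)
        if not_after <= now:
            problems.append(f"{cert} expired {not_after.date()}")
        elif not_after - now < timedelta(days=warn_days):
            problems.append(f"{cert} expires {not_after.date()}")
    return problems


def compare_nodes(per_node):
    """per_node maps CLDB hostname -> parsed fields. Assumption: the key records
    must match on every CLDB node, so return the UUID/checksum paths that differ."""
    mismatched = []
    for record in KEY_RECORDS:
        for leaf in ("UUID", "SHA-256 checksum"):
            path = f"{record}/{leaf}"
            if len({fields.get(path) for fields in per_node.values()}) > 1:
                mismatched.append(path)
    return mismatched
```

    Feed parse_info the text of mrhsm info captured from each CLDB node, run check_kmip on each result and compare_nodes on the whole set, and treat any non-empty list as a reason to stop before relying on the HSM for the CLDB or DARE keys. The parser is indentation-driven, so it also handles the -slots listing (the serial number lands under Slot <id>/Token info/Serial number).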