mrhsm info
Displays HSM configuration information.
Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.
Syntax
mrhsm info
Examples
- Viewing the PKCS#11 Slot Configuration
You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:
    # mrhsm info -slots
    Available slots:
    Slot 0
        Slot info:
            Description:          MapRHSM slot ID 0x0
            Manufacturer ID:      HPE MapR-HSM
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM
            Model:                MapRHSM
            Serial number:
            Initialized:          no
            User PIN initialized: no
            Label:

After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

    # mrhsm info -slots
    Available slots:
    Slot 1298274617
        Slot info:
            Description:          MapRHSM slot ID 0x4d621939
            Manufacturer ID:      HPE MapR-HSM
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM
            Model:                MapRHSM
            Serial number:        07137a824d621939
            Initialized:          yes
            User PIN initialized: yes
            Label:                Utimaco ESKM
- Viewing the KMIP Configuration
You can view the KMIP configuration after initialization. The KMIP configuration constitutes the various configuration settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the Data Fabric HSM integration guides (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager (now known as Thales CipherTrust Manager) Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).
Beginning with release 7.0.0, the mrhsm info command shows a Backend parameter with a value of kmip (the default) or file. These values indicate a KMIP- or file-based backend key store.

The following settings are required to connect to the HSM:
- The comma-separated list of IP addresses.
- The KMIP port number, which is 5696 by default.
- The client private key.
- The client certificate in PEM format.
- The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially.
    # mrhsm info -config
    Displaying information for KMIP token with serial b819261a33fbe5a1
    Backend                : kmip
    IP                     : Not configured
    Port                   : 5696
    KMIP Version           : 1.1
    KMIP Client Key        : Not configured
    KMIP Client Certificate: Not configured
    KMIP CA Certificate    : Not configured

For a file-based backend, the Backend value is file, and no other entries are displayed for the mrhsm info -config option:

    # mrhsm info -config
    Displaying information for file token with serial b54a261a364fe5a1
    Backend : file
All KMIP configuration settings are stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.
- Viewing the KMIP Configuration for an Enabled HSM
Use the -kmip argument to view the KMIP configuration for an enabled HSM:

    # mrhsm info -kmip
    Displaying information for KMIP token with serial b819261a33fbe5a1
    CLDB Key        : Set
    DARE Key        : Not set
    Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
    Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
    Enabled         : Yes
- Viewing Information for File-Based Backends
Release 7.0.0 introduced a -file option for displaying the status of file-based backends:

    # mrhsm info -file
    Displaying information for file token with serial 9693057db789a262
    Backend : file
    File Configuration Version 1
    -----------------------------
    CLDB:
        Encrypted Key   : 95E1DE5CE60E6F6203930223D7CEA090CADF8D444A2E4E0E2A5AC367F4B73A2BC2C55FAAF3CB317A358C06430FD36F8CDC612BE93150DA445015D2D6632D26EB
        UUID            : 94d33e00-6db3-c308-6f1f-05a952dfe074
        SHA-256 checksum: 2BF8880892403E993892E7D4BF621EE80E4773A8845CCC7BFB17D258DEF09F3F
    DARE :
        Encrypted Key   : A4193A186796AF41D80AE61853F53F171ED0679039836BCCD82B2B141B50C5FCC5B80EF5D4E7880064CB390649F728E358E47D35D6DC842C8893D9243A45577C
        UUID            : 8b545031-123d-29e4-366d-2b77f56dafc7
        SHA-256 checksum: E01F1D7A6229CC833F3CBF12ED7F6A184901AF1D0D32F5F4A7FD6CDBF27A51AD
    Core KEK :
        UUID            : bfe8ee8b-816f-c68c-9ead-d15394f353c4
        SHA-256 checksum: B22C6B9DDB429667DA8887AB552AF1E2F8C15EAD3744CF8F9656A390C1F3F689
    Common KEK :
        UUID            : 4df7f1d4-884e-f0a6-a7e2-67c84a10c40b
        SHA-256 checksum: D9D9E0EC1C621314C70AB42524BAA275956BE9CBCED09F604846D0FCEAD3FB8F
    Enabled : Yes
- Using mrhsm info with No Parameters
Using mrhsm info with no parameters automatically detects the store backend and displays the combined output for the -config and -kmip options for the KMIP backend and the -config and -file options for the file backend.

Here is a sample display for a KMIP token that has been enabled:

    # mrhsm info
    Displaying information for KMIP token with serial 8ce465dd102da8f6
    Backend                : kmip
    IPs
        IP 1               : 12.1.78.164 Active
    Port                   : 5696
    KMIP Version           : 1.1
    KMIP Client Key        : Configured
    KMIP Client Certificate:
        Subject: /C=US/ST=California/L=Santa Clara/O=HPE/OU=MapR/CN=kmipclient/emailAddress=chye-lin.chee@hpe.com
        Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com
        Version: 3
        Signature Algorithm: ecdsa-with-SHA256
        Validity:
            Not before: Jan 13 05:23:00 2020 GMT
            Not after: Aug 5 05:23:00 2029 GMT
    KMIP CA Certificate:
        Subject: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com
        Issuer: /C=US/ST=OR/L=Campbell/O=Utimaco/OU=Atalla/CN=LocalCA/emailAddress=support@utimaco.com
        Version: 3
        Signature Algorithm: ecdsa-with-SHA256
        Validity:
            Not before: Aug 6 23:49:09 2019 GMT
            Not after: Aug 4 23:49:09 2029 GMT
    KMIP Configuration Version 1
    -----------------------------
    CLDB:
        Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30
        UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
        SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
    DARE :
        Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC
        UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
        SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
    Core KEK :
        UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822
        SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863
    Common KEK :
        UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04
        SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932
    Enabled : Yes
Here is a sample display for a file-based key store:

    # mrhsm info
    Displaying information for file token with serial 8ce465dd102da8f6
    Backend : file
    File Configuration Version 1
    -----------------------------
    CLDB:
        Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30
        UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
        SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
    DARE :
        Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC
        UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
        SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
    Core KEK :
        UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822
        SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863
    Common KEK :
        UUID            : 22812c6f-44b1-4c6a-ad77-1cc21b255d04
        SHA-256 checksum: 1065ACB3C339AE81ABE43E6D8048795397FE3FD58C4511D63C5C96B2337E4932
    Enabled : Yes
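
The following is an added example, not part of the original documentation or of the mrhsm tool: a small Python check that reads captured mrhsm info output, reports connection settings still shown as Not configured, and flags KMIP certificates whose Not after date is close. The function name, the 90-day threshold and the embedded samples (constructed from the layouts shown above) are assumptions.

```python
from datetime import datetime, timezone

CERT_KEYS = ("KMIP Client Certificate", "KMIP CA Certificate")

def audit_mrhsm_info(output, now, warn_days=90):
    """Return (backend, findings) for text captured from `mrhsm info`."""
    backend, cert, findings = None, None, []
    for raw in output.splitlines():
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "Backend":
            backend = value
        elif value == "Not configured":
            findings.append(f"{key}: not configured")  # connection setting missing
        elif key in CERT_KEYS:
            cert = key  # the validity lines that follow belong to this certificate
        elif key == "Not after" and cert:
            expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            expiry = expiry.replace(tzinfo=timezone.utc)
            days = (expiry - now).days
            if days < warn_days:
                state = "expired" if expiry <= now else f"expires in {days} days"
                findings.append(f"{cert}: {state}")
    return backend, findings

# Constructed samples in the layout shown on this page (not captured from a cluster).
SAMPLE_UNCONFIGURED = """\
Backend : kmip
IP : Not configured
Port : 5696
KMIP Client Key : Not configured
KMIP Client Certificate: Not configured
KMIP CA Certificate : Not configured
"""
SAMPLE_ENABLED = """\
Backend : kmip
KMIP Client Key : Configured
KMIP Client Certificate:
  Validity:
    Not after: Aug 5 05:23:00 2029 GMT
KMIP CA Certificate:
  Validity:
    Not after: Aug 4 23:49:09 2029 GMT
"""
if __name__ == "__main__":
    when = datetime(2029, 6, 1, tzinfo=timezone.utc)  # fixed date for a reproducible result
    print(audit_mrhsm_info(SAMPLE_UNCONFIGURED, when), audit_mrhsm_info(SAMPLE_ENABLED, when))
```

Because the output includes encrypted key material and checksums, feed the function text captured on the CLDB node rather than copying the output into tickets or shared logs.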