mrhsm rekey
Rekeys the common or core Key Encryption Key (KEK).
Use the mrhsm rekey command on a CLDB node to rekey the common or core KEK, and use the core KEK to re-encrypt the CLDB and DARE keys. See External KMIP Keystore Overview for more information on HSM keystores. See KMIP Rekey Process for a discussion of the KMIP rekey process.
Rekeying the Core KEK also involves decrypting the CLDB and DARE keys using the existing Core KEK before generating a new Core KEK, and then re-encrypting the CLDB and DARE keys using the new Core KEK. This command only updates the KMIP configuration on the CLDB node on which it was invoked.
On successful rekeying, copy the contents of the token directory ${MAPR_HOME}/conf/tokens to all CLDB and ZooKeeper nodes in the cluster. Ensure that all files in the ${MAPR_HOME}/conf/tokens directory are owned by the mapr user and group.
Syntax
# mrhsm rekey
-keytype core|common Specifies the key type, which is either core or common
-sopin <so-pin> PIN for SO (Security Officer)
Parameters
keytype
    The type of key to rekey, either common or core.
sopin
    The PIN for the Security Officer. If it is not specified on the command line, you are prompted to enter the SO PIN.
Example
A sample session is as follows. Use mrhsm info -kmip to display the SHA-256 checksums of the various keys before the rekey. After the rekey, use mrhsm info -kmip to display the SHA-256 checksums again. The UUID and SHA-256 checksums for the CLDB and DARE keys should remain the same, since the CLDB and DARE keys themselves are not changed, only re-encrypted with the rekeyed Core KEK; the Encrypted Key values shown for those two keys therefore differ. The UUID and SHA-256 checksum for the Core KEK are now different, since it has been rekeyed.
# mrhsm info -kmip
Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
Encrypted Key : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30
UUID : 260ca605-bb65-4a81-a341-f3fffc8dced8
SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
Encrypted Key : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC
UUID : effc0d14-8d8e-4335-8b03-849a0da46eed
SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
UUID : a6a07015-4fa0-477f-8bc3-8c5fa272d822
SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863
...
# mrhsm rekey -keytype core
Enter SO PIN: ****
SHA-256 checksum for Core KEK is D2834502967ADBE2AC5FBF7312EC459C3FA6497DA60D8FCAC146A68AF616FE54
Successfully rekeyed Core KEK, new UUID 73a72eb1-39b3-4d22-8fcd-083306faa9d5
Copy the entire contents of the KMIP token directory /opt/mapr/conf/tokens to
all CLDB and Zookeeper nodes. All files in /opt/mapr/conf/tokens must be owned
by the mapr user and mapr group.
# mrhsm info -kmip
Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
Encrypted Key : E0A622C133EDD564023BA19CCA8632125BFF7E983387F7B3219C212A8E1DD8CFD4E67207C5B3E0BF0E3AAFC0551B7D17F880831F769EA9A155ABA8E6AD300414
UUID : 260ca605-bb65-4a81-a341-f3fffc8dced8
SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
Encrypted Key : 6FB954C86EC823469FBF2DDEA860138F7004DCA75B9B6BA05DAA20EE374C76BF5AB3BD15E5C5F6CF56E0E4E4EAD3C9893DBA080DFF60EE5A6DF3FE89BEF9A09A
UUID : effc0d14-8d8e-4335-8b03-849a0da46eed
SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
UUID : 73a72eb1-39b3-4d22-8fcd-083306faa9d5
SHA-256 checksum: D2834502967ADBE2AC5FBF7312EC459C3FA6497DA60D8FCAC146A68AF616FE54
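The following is an added example, not MapR code, that models the Core KEK rekey described above and the before/after check from the sample session: the wrapped CLDB and DARE keys are decrypted with the old Core KEK, a new Core KEK is generated, the keys are re-wrapped, and the store is only committed once every key has been re-wrapped. The HSM's actual key-wrapping algorithm is not described on this page, so the wrap/unwrap functions here are a stand-in (HMAC-SHA256 keystream plus an HMAC authentication tag); the class name TokenStore, the function names, and the in-memory dictionary standing in for the token directory are all assumptions made for this example.

```python
"""Toy model of the mrhsm rekey -keytype core flow (added example, not MapR code)."""
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from the KEK with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext_key: bytes) -> bytes:
    """Stand-in for HSM key wrapping: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext_key, _keystream(kek, nonce, len(plaintext_key))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong KEK or corrupted blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong KEK or corrupted encrypted key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def checksum(key: bytes) -> str:
    """SHA-256 checksum of a plaintext key, formatted like the mrhsm info output."""
    return hashlib.sha256(key).hexdigest().upper()


@dataclass
class TokenStore:
    """Assumed in-memory stand-in for the token directory: Core KEK plus wrapped keys."""
    core_kek: bytes
    core_kek_uuid: str
    encrypted: dict  # key name -> (uuid, wrapped blob)

    @classmethod
    def create(cls) -> "TokenStore":
        kek = os.urandom(32)
        store = cls(kek, str(uuid.uuid4()), {})
        for name in ("CLDB", "DARE"):  # constructed sample keys
            store.encrypted[name] = (str(uuid.uuid4()), wrap(kek, os.urandom(32)))
        return store

    def info(self) -> dict:
        """Like mrhsm info -kmip: UUID and SHA-256 checksum of each key."""
        out = {"Core KEK": {"UUID": self.core_kek_uuid, "SHA-256": checksum(self.core_kek)}}
        for name, (kid, blob) in self.encrypted.items():
            out[name] = {"UUID": kid, "SHA-256": checksum(unwrap(self.core_kek, blob)),
                         "Encrypted Key": blob.hex().upper()}
        return out

    def rekey_core(self) -> str:
        """Unwrap every key with the old KEK, generate a new KEK, re-wrap, then commit."""
        plain = {name: unwrap(self.core_kek, blob) for name, (_, blob) in self.encrypted.items()}
        new_kek, new_uuid = os.urandom(32), str(uuid.uuid4())
        rewrapped = {name: (self.encrypted[name][0], wrap(new_kek, plain[name])) for name in plain}
        # Commit only after every key was re-wrapped; a failed unwrap above leaves the store untouched.
        self.core_kek, self.core_kek_uuid, self.encrypted = new_kek, new_uuid, rewrapped
        return new_uuid


def verify_rekey(before: dict, after: dict) -> bool:
    """The check from the sample session: CLDB/DARE UUID and checksum unchanged, ciphertext and Core KEK changed."""
    for name in ("CLDB", "DARE"):
        if before[name]["UUID"] != after[name]["UUID"] or before[name]["SHA-256"] != after[name]["SHA-256"]:
            return False
        if before[name]["Encrypted Key"] == after[name]["Encrypted Key"]:
            return False  # re-encryption under a new KEK must yield new ciphertext
    core_b, core_a = before["Core KEK"], after["Core KEK"]
    return core_b["SHA-256"] != core_a["SHA-256"] and core_b["UUID"] != core_a["UUID"]


if __name__ == "__main__":
    store = TokenStore.create()
    before = store.info()
    print("Successfully rekeyed Core KEK, new UUID", store.rekey_core())
    print("before/after check passed:", verify_rekey(before, store.info()))
```

Running the block prints the new Core KEK UUID and whether the before/after comparison holds. The point of the commit-last structure in rekey_core is the one the page's description implies: all keys are decrypted with the existing KEK before the new KEK replaces it, so a key that fails to unwrap (wrong SO PIN, damaged token) cannot leave the token directory half rekeyed.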