mrhsm set
Sets KMIP parameters.
Use the mrhsm set command to configure KMIP settings. This command is usually run as part of the configure.sh script to configure the system for a fresh install or upgrade. However, you can run this command manually as the superuser (root) to change settings such as client certificates.
Syntax
# mrhsm set
    [ -cacert <ca-cert> ]        Path to KMIP server CA certificate in PEM format
    [ -clientcert <cert> ]       Path to client certificate in PEM format
    [ -clientkey <key> ]         Path to client private key in PEM format
    [ -ip <ip1,ip2,...> ]        Comma-separated list of KMIP server IP addresses
    [ -kmipversion <version> ]   KMIP version: 1.0, 1.1, 1.2, 1.3, or 1.4. Default: 1.1
    [ -storetype file|kmip ]     Store type. Default: kmip
    [ -port <kmip-port> ]        KMIP port number. Default: 5696
    -sopin <so-pin>              PIN for SO (Security Officer)
Run this command ONLY after you have configured the external KMIP server. See the appropriate Data Fabric KMIP Integration Guide (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to configure the external KMIP server and obtain the CA certificate chain, client certificate, and client private key.
Set all the parameters before running the mrhsm enable command, which establishes the connection to the KMIP server and initializes it.
Parameters
- cacert
  The full or relative path name of the CA certificate chain, in PEM format, used to sign the KMIP server certificate. The Data Fabric KMIP client enforces peer validation and requires the CA certificate chain to verify the KMIP server. At a minimum, the root CA certificate is required. If an intermediate CA signed the KMIP server certificate, this file must contain every certificate in the chain, in PEM format, starting from the root CA certificate.
  Refer to the KMIP Integration Guide for the respective KMIP server (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to obtain the CA certificate chain.
- clientcert
  The full or relative path name of the client certificate in PEM format. Pre-configure this certificate in the KMIP server so that the server recognizes and trusts the Data Fabric KMIP client.
  Refer to the KMIP Integration Guide for the respective KMIP server for instructions on how to obtain the client certificate.
- clientkey
  The full or relative path name of the client private key, in PEM format, that was used to generate the client CSR.
  Refer to the KMIP Integration Guide for the respective KMIP server for instructions on how to obtain the client private key.
- ip
  A comma-separated list of host names or IP addresses of KMIP servers. Most KMIP deployments have at least two KMIP servers in the HSM cluster for reliability and high availability. The Data Fabric KMIP client cycles through the servers in the list in round-robin order until it reaches an accessible server.
- kmipversion
  The KMIP version to use when communicating with the external KMIP-enabled key management appliance. Supported values are 1.0, 1.1, 1.2, 1.3, and 1.4. Default: 1.1.
  Refer to the vendor-specific documentation for the KMIP versions each server supports. At present, set this value to 1.1 for SafeNet KeySecure. Utimaco ESKM and Vormetric DSM should work with all KMIP versions that Data Fabric supports.
- storetype
  A descriptor for the type of object store. Beginning with release 7.0.0, the possible values are file and kmip. The file option designates a file-based object store. Default: kmip.
- port
  The listening port number of the KMIP server. All KMIP servers in the HSM cluster must listen on the same port. Port numbers must be from 1 to 65535 inclusive and cannot start with a 0. Default: 5696.
- sopin
  The PIN for the Security Officer (SO). If it is not specified on the command line, the command prompts for the SO PIN.
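The following pre-flight wrapper is an added example, not part of the Data Fabric product or of the mrhsm tool. It checks each value against the constraints listed above (PEM certificate and key files, a well-formed host list, a supported KMIP version and store type, a port from 1 to 65535 with no leading zero) before anything is written, walks the -ip list in the same round-robin order the client uses so that an unreachable cluster is noticed early, and prints the exact mrhsm set command line it would run. The function names, the kmip_probe helper (which assumes nc is installed) and the "run" switch are this example's own inventions; -sopin is deliberately omitted so that mrhsm prompts for the SO PIN rather than the PIN ending up in shell history.

```shell
#!/bin/sh
# Pre-flight wrapper for `mrhsm set` (added example; not part of Data Fabric).
# Checks every value against the constraints documented for the command and
# prints the exact command line it would run, so that a typo is caught before
# it is written into the KMIP configuration. Assumptions: POSIX sh, grep and
# tr; nc(1) for the default probe; the `mrhsm` binary on PATH and root
# privileges only when the last argument is "run".

# Port must be an integer from 1 to 65535 with no leading zero.
valid_port() {
    case "$1" in
        '' | *[!0-9]* | 0*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Versions accepted by -kmipversion.
valid_kmip_version() {
    case "$1" in 1.0 | 1.1 | 1.2 | 1.3 | 1.4) return 0 ;; *) return 1 ;; esac
}

# Values accepted by -storetype.
valid_storetype() {
    case "$1" in file | kmip) return 0 ;; *) return 1 ;; esac
}

# Number of PEM certificate blocks in a file (0 if unreadable). The -cacert
# file needs at least the root CA, plus every intermediate when an
# intermediate CA signed the KMIP server certificate.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# True if the file holds a PEM private key (PKCS#8, RSA or EC header).
is_pem_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null
}

# Reachability probe used by first_reachable; assumes nc(1). Redefine it to
# use another tool, or stub it out in tests.
kmip_probe() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# first_reachable "host1,host2,..." START PORT
# Walks the list round-robin from 0-based index START and prints the first
# host whose port answers, mirroring how the client treats the -ip list.
first_reachable() {
    start=${2:-0}
    port=$3
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ "$#" -gt 0 ] || return 1
    k=$((start % $#))
    while [ "$k" -gt 0 ]; do      # rotate the list left by START positions
        set -- "$@" "$1"
        shift
        k=$((k - 1))
    done
    for host in "$@"; do
        if kmip_probe "$host" "$port"; then
            printf '%s\n' "$host"
            return 0
        fi
    done
    return 1
}

# mrhsm_set_preflight CACERT CLIENTCERT CLIENTKEY IPLIST [VERSION] [STORETYPE] [PORT] [run]
# Validates the arguments, prints the command, and executes it only when the
# last argument is "run". -sopin is left off on purpose so that mrhsm prompts
# for the SO PIN instead of the PIN landing in shell history.
mrhsm_set_preflight() {
    cacert=$1 clientcert=$2 clientkey=$3 ips=$4
    version=${5:-1.1} storetype=${6:-kmip} port=${7:-5696} mode=$8
    [ "$(pem_cert_count "$cacert")" -ge 1 ] || { echo "cacert: no PEM certificate in '$cacert'" >&2; return 1; }
    [ "$(pem_cert_count "$clientcert")" -ge 1 ] || { echo "clientcert: no PEM certificate in '$clientcert'" >&2; return 1; }
    is_pem_private_key "$clientkey" || { echo "clientkey: no PEM private key in '$clientkey'" >&2; return 1; }
    case "$ips" in
        '' | ,* | *, | *,,*) echo "ip: expected a comma-separated host list, got '$ips'" >&2; return 1 ;;
    esac
    valid_kmip_version "$version" || { echo "kmipversion: must be 1.0-1.4, got '$version'" >&2; return 1; }
    valid_storetype "$storetype" || { echo "storetype: must be file or kmip, got '$storetype'" >&2; return 1; }
    valid_port "$port" || { echo "port: must be 1-65535 without a leading 0, got '$port'" >&2; return 1; }
    set -- mrhsm set -cacert "$cacert" -clientcert "$clientcert" -clientkey "$clientkey" \
        -ip "$ips" -kmipversion "$version" -storetype "$storetype" -port "$port"
    printf '%s\n' "$*"
    if [ "$mode" = run ]; then
        "$@"
    fi
}
```

Typical use as root, after the vendor-side setup from the integration guide is done: `mrhsm_set_preflight /etc/kmip/ca-chain.pem /etc/kmip/client.pem /etc/kmip/client.key kms1,kms2` prints the command for review; appending `1.1 kmip 5696 run` executes it, and mrhsm then prompts for the SO PIN. Pair it with `first_reachable kms1,kms2 0 5696` before `mrhsm enable` to confirm that at least one server in the list accepts connections on the configured port.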