HPE Ezmeral Data Fabric 6.2 is In Maintenance and transitions to "End of Maintenance" in June 2024. Please see the latest documentation.

About Release 6.2
This site contains documentation for HPE Ezmeral Data Fabric release 6.2 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
6.2 Installation
This section contains information about installing and upgrading HPE Ezmeral Data Fabric software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a HPE Ezmeral Data Fabric cluster.
6.2 Data Fabric
HPE Ezmeral Data Fabric is the industry-leading data platform for AI and analytics that solves enterprise business needs.
- HPE Ezmeral Data Fabric File Store
  HPE Ezmeral Data Fabric File Store is a distributed file system for data storage, data management, and data protection. File Store supports mounting and cluster access via NFS and FUSE-based POSIX clients (basic, platinum, or PACC) and also supports access and management via HDFS APIs.
- HPE Ezmeral Data Fabric Database
  HPE Ezmeral Data Fabric Database is an enterprise-grade, high-performance, NoSQL database management system that you can use for real-time, operational analytics.
- HPE Ezmeral Data Fabric Streams
  HPE Ezmeral Data Fabric Streams brings integrated publish and subscribe messaging to the Data Fabric Converged Data Platform.
- Kubernetes Interfaces for Data Fabric
  This section describes the Kubernetes Interfaces for Data Fabric, which include the Container Storage Interface (CSI) driver for multiple container-orchestration systems, and the FlexVolume driver for Kubernetes.
- Cluster Management
  Provides a synopsis of the various cluster components and their management.
- Performance
  Describes how to tune system performance, manage RDMA, and optimize CLDB tables.
- Security
  Provides an overview of the data-fabric security features.
  - Authentication in Data Fabric
    Describes types of authentication available with the HPE Ezmeral Data Fabric and how to manage user authentication with the maprlogin utility.
  - Authorization in Data Fabric
    Describes the basics of authorization including Access Control Lists and Access Control Expressions.
  - Encryption in Data Fabric
    Describes encryption types available on the HPE Ezmeral Data Fabric.
  - Prevent Storage of Specified Types of Files
    Provides an overview of how to prevent certain types of files from being stored on certain volumes.
  - Impersonation in Data Fabric
    Describes impersonation in data-fabric, which allows centralized control of access to resources in the file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams.
  - Auditing in Data Fabric
    Data Fabric allows you to log audit records of cluster-administration operations, and operations on directories, files, streams and tables.
  - Policy-Based Security
    Starting in core version 6.2.0 (EEP 7.0.0), HPE Ezmeral Data Fabric supports Policy-Based Security, a feature that administrators can use to classify security controls into a manageable number of security policies.
  - External KMIP Keystore Overview
    Describes the External KMIP Keystore functionality.
    - HSM Functionality Description
      Describes how KMIP Keystores work.
    - KMIP Supported Operations
      Lists the KMIP operations that HSM should support, to use the external KMIP keystore.
    - KMIP Supported Attributes
      Lists the KMIP attributes supported by the data-fabric KMIP client library.
    - KMIP Supported Versions
      Lists the KMIP versions supported by the key management vendors.
    - KMIP Rekey Process
      Describes the rekey process for CLDB and DARE keys.
    - Setting Up the External KMIP Keystore
      Describes how to set up the KMIP keystore and how to enable integration with data-fabric.
    - mrhsm Commands
      This section discusses the mrhsm commands.
      - mrhsm dump
        Dumps the contents of the PKCS#11 KMIP token.
      - mrhsm enable
        Enables external KMIP keystore support.
      - mrhsm get
        Retrieves the contents of the CA and client certificates, and puts them in a file.
      - mrhsm info
        Displays HSM configuration information.
      - mrhsm init
        Creates the KMIP token and initializes the KMIP configuration for first use.
      - mrhsm rekey
        Rekeys the common or core Key Encryption Keys (KEK).
      - mrhsm remove
        Removes specified components of the KMIP configuration.
      - mrhsm set
        Sets KMIP parameters.
      - mrhsm sopin
        Changes the security officer PIN (SO PIN).
      - About the SO PIN
        The Security Officer PIN (SO PIN) is a string of at least four characters that the cluster administrator must supply to perform certain operations that modify the PKCS#11 file or KMIP store.
    - Integration Guides
      This section contains the data-fabric integrations guides with external vendors for KMIP.
    - Frequently Asked Questions
      Answers the frequently asked questions on disaster recovery for KMIP.
  - Security for Ecosystem Components
    Whether you install data-fabric software by using the Installer or by using manual steps, the platform and its ecosystem components are installed with security ON by default.
  - Security Settings for Ecosystem Components
    Lists the security settings for all HPE Ezmeral Data Fabric ecosystem components.
  - Security Exceptions
    "Secure by default" means network-safe authentication and encryption. This page describes areas in which secure-by-default capabilities are not yet implemented for the data-fabric platform or ecosystem components. Included where applicable, are links to more information to help you work around those issues.
- YARN
- Client Connections
  The following sections describe how a client connects to local and remote data-fabric clusters.
6.2 Administration
This section describes how to manage the nodes and services that make up a cluster.
6.2 Development
This section contains information related to application development for Ezmeral ecosystem components and HPE Ezmeral Data Fabric products, including the file system, Database (Key-Value and JSON), and Event Streams.
Other Docs
This section contains release-independent information, including: Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other data-fabric version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

About the SO PIN

The Security Officer PIN (SO PIN) is a string of at least four characters that the cluster administrator must supply to perform certain operations that modify the PKCS#11 file or KMIP store.

How the SO PIN Is Used

In a KMIP environment, the cluster admin must enter the SO PIN to change certain system settings, which can include:

Rekeying the common or core KEK keys.
Setting a new client certificate to replace an expired certificate.
Configuring KMIP IP addresses.

In the file-store environment:

The SO PIN prevents unauthorized configuration changes to the PKCS#11 store.
The cluster admin does not need to use the SO PIN directly, but it is a best practice to change it to something other than the default value.
You must provide the SO PIN only during an mrhsm rekey operation. mrhsm rekey creates a new Core KEK, which is used to encrypt the CLDB key and DARE key.
The SO PIN becomes more useful if the cluster is later reconfigured to use an external KMIP keystore.

Specifying the SO PIN

The SO PIN is configured during the initial invocation of configure.sh after you specify the -hsmsopin <so-pin> parameter. See configure.sh. The PIN you specify can be 4-255 characters. All characters are allowed, including combinations of alphabetic, numeric, and special characters.

Default SO PIN

For a new installation of a release 7.0.0 or later Data Fabric cluster, the default SO PIN is 1234 unless you specify the SO PIN after you use configure.sh.

Changing the SO PIN

To change the SO PIN, use the mrhsm sopin command. The command requires you to specify the old (current) and new SO PIN values. For example:

# mrhsm sopin
Current SO PIN: ****
Enter new SO PIN (4-255 characters): ****
Please reenter new SO PIN: ****
New SO PIN is set successfully

If You Lose the SO PIN

Losing or forgetting the SO PIN does not affect normal cluster operations but prevents certain KMIP configuration changes. See FAQ #2 in Frequently Asked Questions.

Upgrading and the SO PIN

By default, the Data Fabric software initializes mrhsm using the same default hsm label and SO PIN as done during a new release 7.0.0 installation (if mrhsm has not already been initialized). You can change default values by specifying -hsmlabel <label> and -hsmsopin <so-pin> options in configure.sh.