mrhsm enable

Enables external KMIP keystore support.

Use the mrhsm enable command to enable external KMIP keystore support, which is disabled by default. See External KMIP Keystore Overview for more information. This command is usually run as part of the script to configure the system for a fresh install or upgrade. However, you can run this command manually as the superuser (root) to change settings such as client certificates.

Note: Run this command only after you run the mrhsm init and mrhsm set commands to initialize and set the KMIP parameters.


mrhsm enable
  [ -active true|false ] Activate/Deactivate the KMIP configuration. Default: true 
  [ -dare ]              Generate the DARE key. Set for DARE-enabled clusters
  -sopin <PIN>           The PIN for the Security Officer (SO) 



Activates or deactivates the KMIP configuration. If set to true, this command activates (enables) the KMIP feature by creating/retrieving the Core and Common KEKs in the HSM, as well as importing/creating the CLDB and DARE keys. When this is successful, the data-fabric core platform components, including the CLDB and MFS, retrieves the CLDB and DARE keys that are protected by the HSM Core KEK instead of from configuration files.

The KMIP configuration cannot be modified using the mrhsm set command if it is active. To modify any part of the KMIP configuration after activating it, you need to first deactivate the KMIP feature by using mrhsm enable -active false. After the configuration is deactivated, modify the KMIP configuration as needed, and use the mrhsm enable command to activate it again.
Generate the DARE key. This option takes no parameters. Specify this option to generate the DARE key for fresh installations for a DARE-enabled cluster.
The PIN for the Security Officer. If not specified in the command line, a prompt will be displayed to enter the SO PIN.

Once enabled, you cannot disable the external KMIP feature without reconfiguring data-fabric security using the script.


A sample session is as follows:

# mrhsm enable -sopin 12345678
Dare key not found in /opt/mapr/conf/dare.master.key
Found slot ID 1365794501
Obtained cluster name from mapr-clusters.conf
Enabling MapR HSM on cluster
Successfully generated CLDB key, UUID b2cc0c4f-9a7b-4580-8577-a81ac44cc022
Successfully generated Core KEK, UUID bba15392-1ef0-4ea6-8156-1da2e86a2771
Successfully generated Common KEK, UUID efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5