mrhsm info

Displays HSM configuration information.

Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.

  • Use the -slots option to display information on the PKCS#11 slots.
  • Use the -config option to display the KMIP configuration.
  • Use the -kmip option to display the KMIP status.

Syntax

mrhsm info

Examples

  1. Viewing the PKCS#11 Slot Configuration

    You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:

    # mrhsm info -slots
    Available slots:
    Slot 0
        Slot info:
            Description:          MapRHSM slot ID 0x0                                             
            Manufacturer ID:      HPE MapR-HSM                    
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM                    
            Model:                MapRHSM         
            Serial number:                        
           Initialized:          no
            User PIN initialized: no
            Label:            

    After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

    # mrhsm info -slots
    Available slots:
    Slot 1298274617
        Slot info:
            Description:          MapRHSM slot ID 0x4d621939                                      
            Manufacturer ID:      HPE MapR-HSM                    
            Token present:        yes
        Token info:
            Manufacturer ID:      HPE MapR-HSM                    
            Model:                MapRHSM         
           Serial number:        07137a824d621939
            Initialized:          yes
            User PIN initialized: yes
            Label:                Utimaco ESKM             
  2. Viewing the KMIP Configuration

    You can view the KMIP configuration after initialization. The KMIP configuration constitutes the various configuration settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the data-fabric HSM integration guides ( (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).

    The following settings are required to connect to the HSM:

    1. The comma-separated list of IP addresses.
    2. The KMIP port number, which is 5696 by default.
    3. The client private key.
    4. The client certificate in PEM format.
    5. The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially.
    # mrhsm info -config
    Displaying information for KMIP token with serial b819261a33fbe5a1
    IP                     : Not configured
    Port                   : 5696
    KMIP Version           : 1.1
    KMIP Client Key        : Not configured
    KMIP Client Certificate: Not configured
    KMIP CA Certificate    : Not configured         

    All KMIP configuration settings will be stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.

  3. Viewing the KMIP Configuration for an Enabled HSM

    Use the -kmip argument to view the KMIP configuration for an enabled HSM:

    # mrhsm info -kmip 
    Displaying information for KMIP token with serial b819261a33fbe5a1
    CLDB Key        : Set
    DARE Key        : Not set
    Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
    Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
    Enabled         : Yes