mrhsm info

Displays HSM configuration information.

Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.

  • Use the -config option to display the KMIP configuration.
  • Use the -kmip option to display the KMIP status.
  • Use the -slots option to display information on the PKCS#11 slots.

Syntax

mrhsm info

Examples

  • Viewing the PKCS#11 Slot Configuration

    You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:

    # mrhsm info -slots
Available slots:
Slot 0
    Slot info:
        Description:          MapRHSM slot ID 0x0                                             
        Manufacturer ID:      HPE MapR-HSM                    
        Token present:        yes
    Token info:
        Manufacturer ID:      HPE MapR-HSM                    
        Model:                MapRHSM         
        Serial number:                        
       Initialized:          no
        User PIN initialized: no
        Label:

    After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

    # mrhsm info -slots
Available slots:
Slot 1298274617
    Slot info:
        Description:          MapRHSM slot ID 0x4d621939                                      
        Manufacturer ID:      HPE MapR-HSM                    
        Token present:        yes
    Token info:
        Manufacturer ID:      HPE MapR-HSM                    
        Model:                MapRHSM         
       Serial number:        07137a824d621939
        Initialized:          yes
        User PIN initialized: yes
        Label:                Utimaco ESKM
  • Viewing the KMIP Configuration

    You can view the KMIP configuration after initialization. The KMIP configuration constitutes the various configuration settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the Data Fabric HSM integration guides ( (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).

    The following settings are required to connect to the HSM:

    1. The comma-separated list of IP addresses.
    2. The KMIP port number, which is 5696 by default.
    3. The client private key.
    4. The client certificate in PEM format.
    5. The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially. 
    # mrhsm info -config
Displaying information for KMIP token with serial b819261a33fbe5a1
IP                     : Not configured
Port                   : 5696
KMIP Version           : 1.1
KMIP Client Key        : Not configured
KMIP Client Certificate: Not configured
KMIP CA Certificate    : Not configured

    All KMIP configuration settings are stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.

  • Viewing the KMIP Configuration for an Enabled HSM

    Use the -kmip argument to view the KMIP configuration for an enabled HSM:

    # mrhsm info -kmip 
Displaying information for KMIP token with serial b819261a33fbe5a1
CLDB Key        : Set
DARE Key        : Not set
Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
Enabled         : Yes