mrhsm info
Displays HSM configuration information.
Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.
Syntax
mrhsm info
Examples
- Viewing the PKCS#11 Slot Configuration
You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:
    # mrhsm info -slots
    Available slots:
    Slot 0
        Slot info:
            Description: MapRHSM slot ID 0x0
            Manufacturer ID: HPE MapR-HSM
            Token present: yes
        Token info:
            Manufacturer ID: HPE MapR-HSM
            Model: MapRHSM
            Serial number:
            Initialized: no
            User PIN initialized: no
            Label:

After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

    # mrhsm info -slots
    Available slots:
    Slot 1298274617
        Slot info:
            Description: MapRHSM slot ID 0x4d621939
            Manufacturer ID: HPE MapR-HSM
            Token present: yes
        Token info:
            Manufacturer ID: HPE MapR-HSM
            Model: MapRHSM
            Serial number: 07137a824d621939
            Initialized: yes
            User PIN initialized: yes
            Label: Utimaco ESKM
- Viewing the KMIP Configuration
You can view the KMIP configuration after initialization. The KMIP configuration consists of the settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the Data Fabric HSM integration guides (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).
The following settings are required to connect to the HSM:
- The comma-separated list of IP addresses.
- The KMIP port number, which is 5696 by default.
- The client private key.
- The client certificate in PEM format.
- The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially.
    # mrhsm info -config
    Displaying information for KMIP token with serial b819261a33fbe5a1
    IP                     : Not configured
    Port                   : 5696
    KMIP Version           : 1.1
    KMIP Client Key        : Not configured
    KMIP Client Certificate: Not configured
    KMIP CA Certificate    : Not configured
All KMIP configuration settings are stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.
- Viewing the KMIP Configuration for an Enabled HSM
Use the -kmip argument to view the KMIP configuration for an enabled HSM:

    # mrhsm info -kmip
    Displaying information for KMIP token with serial b819261a33fbe5a1
    CLDB Key : Set
    DARE Key : Not set
    Core KEK UUID : bba15392-1ef0-4ea6-8156-1da2e86a2771
    Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
    Enabled : Yes
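
The script below is an added example, not part of the original page or of the product's own tooling. It reads captured mrhsm info output and extracts the serial number of an initialized token, lists the KMIP settings still reported as Not configured, and confirms that the HSM is enabled. The function names are hypothetical, and the parsing assumes the output layout shown in the examples above.

```shell
#!/usr/bin/env bash
# Added example: checks over captured `mrhsm info` output. Field names and the
# "Not configured" marker come from the sample output on this page; the
# function names are hypothetical.

# Print the serial number of the first initialized token found in
# `mrhsm info -slots` output (stdin). Returns 1 if no token is initialized.
token_serial() {
  awk '
    /Serial number:/      { serial = ($NF == "number:") ? "" : $NF }
    /^[ \t]*Initialized:/ { if ($NF == "yes" && serial != "") { print serial; found = 1; exit } }
    END                   { exit !found }
  '
}

# Print each setting that `mrhsm info -config` output (stdin) reports as
# "Not configured", one per line.
unconfigured_settings() {
  awk -F' *: *' '$2 ~ /^Not configured/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# Succeed only if `mrhsm info -kmip` output (stdin) shows "Enabled : Yes".
hsm_enabled() {
  awk -F' *: *' '$1 ~ /Enabled$/ && $2 ~ /^Yes/ { ok = 1 } END { exit !ok }'
}

# Sample text abridged from the output shown on this page.
SLOTS_SAMPLE='Available slots:
Slot 1298274617
    Token info:
        Serial number: 07137a824d621939
        Initialized: yes
        User PIN initialized: yes'
CONFIG_SAMPLE='Displaying information for KMIP token with serial b819261a33fbe5a1
IP                     : Not configured
Port                   : 5696
KMIP Version           : 1.1
KMIP Client Key        : Not configured
KMIP Client Certificate: Not configured
KMIP CA Certificate    : Not configured'

printf '%s\n' "$SLOTS_SAMPLE"  | token_serial
printf '%s\n' "$CONFIG_SAMPLE" | unconfigured_settings
```

On a CLDB node, the same functions can be fed live output, for example by piping mrhsm info -config into unconfigured_settings.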