mrhsm rekey

Rekeys the common or core Key Encryption Key (KEK).

Use the mrhsm rekey command on a CLDB node to rekey the common or core KEK. When the core KEK is rekeyed, the command also re-encrypts the CLDB and DARE keys under the new core KEK. See External KMIP Keystore Overview for more information on HSM keystores. See KMIP Rekey Process for a discussion of the KMIP rekey process.

Rekeying the Core KEK therefore involves three steps: the CLDB and DARE keys are decrypted with the existing Core KEK, a new Core KEK is generated, and the CLDB and DARE keys are re-encrypted with the new Core KEK. The CLDB and DARE keys themselves do not change; only the ciphertext protecting them changes. This command updates the KMIP configuration only on the CLDB node on which it is invoked, which is why the token directory must be copied to the other nodes afterwards.

On successful rekeying, copy the contents of the token directory ${MAPR_HOME}/conf/tokens to all CLDB and ZooKeeper nodes in the cluster. Ensure that all files in the ${MAPR_HOME}/conf/tokens directory on every node are owned by the mapr user and the mapr group.

Syntax

# mrhsm rekey
  -keytype core|common  Specifies the key type, which is either core or common
  -sopin <so-pin>       PIN for SO (Security Officer)

Parameters

keytype
The type of key to rekey, either common or core.
sopin
The PIN for the Security Officer (SO). If it is not specified on the command line, a prompt is displayed to enter the SO PIN.

Example

A sample session is as follows. Use mrhsm info -kmip to display the UUIDs and SHA-256 checksums of the various keys before the rekey. After the rekey, use mrhsm info -kmip to display them again. The UUID and SHA-256 checksum for the CLDB and DARE keys should remain the same, since the CLDB and DARE keys are not changed but only re-encrypted with the rekeyed Core KEK; only their Encrypted Key values differ.

The UUID and SHA-256 checksum for the Core KEK are now different, since it has been rekeyed. The UUID reported by mrhsm rekey should match the Core KEK UUID shown by the second mrhsm info -kmip.

# mrhsm info -kmip 
Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
    Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
    Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
    UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822
    SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863
...
# mrhsm rekey -keytype core
Enter SO PIN: ****
SHA-256 checksum for Core KEK is D2834502967ADBE2AC5FBF7312EC459C3FA6497DA60D8FCAC146A68AF616FE54
Successfully rekeyed Core KEK, new UUID 73a72eb1-39b3-4d22-8fcd-083306faa9d5
Copy the entire contents of the KMIP token directory /opt/mapr/conf/tokens to
all CLDB and Zookeeper nodes. All files in /opt/mapr/conf/tokens must be owned
by the mapr user and mapr group.
# mrhsm info -kmip
Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
    Encrypted Key   : E0A622C133EDD564023BA19CCA8632125BFF7E983387F7B3219C212A8E1DD8CFD4E67207C5B3E0BF0E3AAFC0551B7D17F880831F769EA9A155ABA8E6AD300414
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
    Encrypted Key   : 6FB954C86EC823469FBF2DDEA860138F7004DCA75B9B6BA05DAA20EE374C76BF5AB3BD15E5C5F6CF56E0E4E4EAD3C9893DBA080DFF60EE5A6DF3FE89BEF9A09A
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
    UUID            : 73a72eb1-39b3-4d22-8fcd-083306faa9d5
    SHA-256 checksum: D2834502967ADBE2AC5FBF7312EC459C3FA6497DA60D8FCAC146A68AF616FE54
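The comparison described in the Example section, turned into a script, as an added example that is not part of the mrhsm documentation or the Data Fabric code base. It parses two captures of mrhsm info -kmip (the page's own before and after listings are embedded as constructed sample input so the script runs offline), confirms that the CLDB and DARE keys kept their UUID and SHA-256 checksum while their Encrypted Key values changed, and that the Core KEK's UUID and checksum both changed. It also checks the ownership rule for the token directory and offers a helper to push the directory to the other CLDB and ZooKeeper nodes; that helper assumes ssh and scp access as a user permitted to chown on the target nodes, which is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example: verify the outcome of `mrhsm rekey -keytype core` by comparing
# `mrhsm info -kmip` output captured before and after the rekey.
# In use: before=$(mrhsm info -kmip); mrhsm rekey -keytype core; after=$(mrhsm info -kmip)
# The two listings below are the page's sample output, embedded so this runs offline.

BEFORE='Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
    Encrypted Key   : FA31033A00220EDE67006049FFD98EEFB9D517E3E8BF1EEE35C29726BA11EE34F7118124C17F7C10654AC1D1E5BA16F83FCFAC398F99B392E226C2CE23D29D30
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
    Encrypted Key   : 75E530E5DC12AEDB50AF414B8B7C7B07DCC9532FBE698543EF0A90E58767D03C4BF5B4518ED9F34F8D3379DA87F1C4E467891E22D6404502328D1CC9A69A65EC
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
    UUID            : a6a07015-4fa0-477f-8bc3-8c5fa272d822
    SHA-256 checksum: 3A1F6060408025873AD32EA7D05086C6F6D99530DFD7467B677E8A94978DC863'

AFTER='Displaying information for KMIP token with serial 8ce465dd102da8f6
KMIP Configuration Version 1
-----------------------------
CLDB:
    Encrypted Key   : E0A622C133EDD564023BA19CCA8632125BFF7E983387F7B3219C212A8E1DD8CFD4E67207C5B3E0BF0E3AAFC0551B7D17F880831F769EA9A155ABA8E6AD300414
    UUID            : 260ca605-bb65-4a81-a341-f3fffc8dced8
    SHA-256 checksum: 9C1F76DAE7F9C0EC49153AA91B420DFF07276E896DC858A18F3FD20D551340CC
DARE :
    Encrypted Key   : 6FB954C86EC823469FBF2DDEA860138F7004DCA75B9B6BA05DAA20EE374C76BF5AB3BD15E5C5F6CF56E0E4E4EAD3C9893DBA080DFF60EE5A6DF3FE89BEF9A09A
    UUID            : effc0d14-8d8e-4335-8b03-849a0da46eed
    SHA-256 checksum: D062D60D6D3AFC1906660FA373C12A05BA40EA4CB077195116399B009E3CDDDF
Core KEK :
    UUID            : 73a72eb1-39b3-4d22-8fcd-083306faa9d5
    SHA-256 checksum: D2834502967ADBE2AC5FBF7312EC459C3FA6497DA60D8FCAC146A68AF616FE54'

# key_field <section> <field>: print <field> of <section> from a listing on stdin.
# Section headers are unindented lines ending in ':' ("CLDB:", "Core KEK :");
# fields are the indented "name : value" lines beneath them.
key_field() {
    awk -v sec="$1" -v fld="$2" '
        /^[^ ]/ { cur = $0; sub(/ *: *$/, "", cur); next }
        cur == sec {
            split($0, kv, ":"); key = kv[1]; val = kv[2]
            gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", val)
            if (key == fld) print val
        }'
}

# check_rekey <before> <after>: return 0 when the rekey looks correct, 1 otherwise.
check_rekey() {
    before=$1; after=$2; ok=0
    for sec in CLDB DARE; do
        for fld in UUID "SHA-256 checksum"; do          # wrapped keys: unchanged
            b=$(printf '%s\n' "$before" | key_field "$sec" "$fld")
            a=$(printf '%s\n' "$after"  | key_field "$sec" "$fld")
            [ -n "$a" ] && [ "$a" = "$b" ] || { echo "FAIL: $sec $fld changed" >&2; ok=1; }
        done
        b=$(printf '%s\n' "$before" | key_field "$sec" "Encrypted Key")
        a=$(printf '%s\n' "$after"  | key_field "$sec" "Encrypted Key")   # ciphertext: new
        [ -n "$a" ] && [ "$a" != "$b" ] || { echo "FAIL: $sec not re-encrypted" >&2; ok=1; }
    done
    for fld in UUID "SHA-256 checksum"; do              # Core KEK: both must change
        b=$(printf '%s\n' "$before" | key_field "Core KEK" "$fld")
        a=$(printf '%s\n' "$after"  | key_field "Core KEK" "$fld")
        [ -n "$a" ] && [ "$a" != "$b" ] || { echo "FAIL: Core KEK $fld unchanged" >&2; ok=1; }
    done
    return $ok
}

# check_token_ownership <dir> [user] [group]: fail if any file is not user:group
# (defaults mapr:mapr, the ownership the documentation requires).
check_token_ownership() {
    dir=$1; owner=${2:-mapr}; group=${3:-mapr}
    bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print)
    [ -z "$bad" ] || { printf 'wrong ownership (want %s:%s):\n%s\n' "$owner" "$group" "$bad" >&2; return 1; }
}

# distribute_tokens <node>...: copy the token directory to each CLDB/ZooKeeper node
# and fix ownership there. Assumes ssh/scp access as a user allowed to chown (assumption).
distribute_tokens() {
    dir=${MAPR_HOME:-/opt/mapr}/conf/tokens
    for node in "$@"; do
        scp -rp "$dir/." "$node:$dir/" && ssh "$node" "chown -R mapr:mapr '$dir'" \
            || { echo "token copy failed on $node" >&2; return 1; }
    done
}

check_rekey "$BEFORE" "$AFTER" && echo "core KEK rekey verified"
```

Run the check on the node where mrhsm rekey was executed, then run distribute_tokens with the remaining CLDB and ZooKeeper hostnames and check_token_ownership on each node before relying on the new Core KEK.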