mrhsm set

Sets KMIP parameters.

Use the mrhsm set command to configure KMIP settings. This command is usually run as part of the configure.sh script to configure the system for a fresh install or upgrade. However, you can run this command manually as the superuser (root) to change settings such as client certificates.

Syntax

# mrhsm set
  [ -cacert <ca-cert> ]      Path to KMIP server CA certificate in PEM format
  [ -clientcert <cert> ]     Path to client certificate in PEM format
  [ -clientkey <key> ]       Path to client private key in PEM format
  [ -ip <ip1,ip2,...> ]      Comma-separated list of KMIP server IP addresses
  [ -kmipversion <version> ] KMIP version: 1.0, 1.1, 1.2, 1.3, or 1.4. Default: 1.1
  [ -port <kmip-port> ]      KMIP port number. Default is 5696
  -sopin <so-pin>            PIN for SO (Security Officer)

Run this command ONLY after you have configured the external KMIP server. See the appropriate Data Fabric KMIP Integration Guide (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to configure the external KMIP server and obtain the CA certificate chain, client certificate, and client private key.

Set all the parameters before running the mrhsm enable command to establish a connection to the KMIP server and initialize it.

Parameters

cacert

The full or relative path name of the CA certificate chain in PEM format used to sign the KMIP server certificate. The Data Fabric KMIP client enforces peer validation and requires the CA certificate chain to verify the KMIP server. At the minimum, the root CA certificate is required. If an intermediate CA is used to sign the KMIP server certificate, then this file must contain all the certificates in the chain starting from the root CA certificate in PEM format.

Refer to the KMIP Integration Guide for the respective KMIP server (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to obtain the CA certificate chain.

clientcert

The full or relative path name of the client certificate in PEM format. Pre-configure this certificate in the KMIP server so that the server recognizes and trusts the Data Fabric KMIP client.

Refer to the KMIP Integration Guide for the respective KMIP server (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to obtain the client certificate.

clientkey

The full or relative path name, in PEM format, of the client private key that was used to generate the client CSR.

Refer to the KMIP Integration Guide for the respective KMIP server (Gemalto SafeNet KeySecure Key Manager Integration Guide, Utimaco ESKM Integration Guide, Vormetric Data Security Manager (DSM) Integration Guide, or HashiCorp Vault Integration Guide) for instructions on how to obtain the client private key.

ip

A comma-separated list of host names or IP addresses of KMIP servers. Most KMIP deployments have at least two KMIP servers in the HSM cluster for reliability and high availability. The Data Fabric KMIP client cycles through each KMIP server in the list in a round-robin manner until an accessible server is reached.

kmipversion

The KMIP version to use when communicating with the external KMIP-enabled key management appliance. Supported values are 1.0, 1.1, 1.2, 1.3, and 1.4.

Refer to the vendor-specific documentation for information about the KMIP versions they support. At present, set this value to 1.1 for SafeNet KeySecure. Utimaco ESKM and Vormetric DSM should work with all Data Fabric supported KMIP versions. Default value is 1.1.

port

The listening port number of the KMIP server. All KMIP servers in the HSM cluster must listen on the same port. Port numbers must be from 1 to 65535 inclusive and cannot start with a 0.

Default is 5696.

sopin

The PIN for the Security Officer. If not specified on the command line, a prompt is displayed to enter the SO PIN.
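A pre-flight check for the parameter rules above, as an added example that is not part of the product or its documentation. It assumes POSIX sh and grep, uses openssl only when present to confirm the CA file starts with a self-signed root, and prints the mrhsm set command line rather than running it:

```shell
# Pre-flight checks for the parameters passed to "mrhsm set". Added example,
# not part of the product: it validates inputs against the rules in this
# reference and prints the command it would run instead of calling mrhsm.

# Port: integer in 1-65535, no leading zero.
valid_port() {
  case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# KMIP version must be one of the supported values.
valid_kmip_version() {
  case "$1" in 1.0|1.1|1.2|1.3|1.4) return 0 ;; *) return 1 ;; esac
}

# Number of PEM blocks whose header matches the pattern (0 if file missing).
pem_block_count() {
  n=$(grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null)
  echo "${n:-0}"
}

# CA file: at least one certificate; when openssl is available, the first
# certificate must be self-signed, because the chain must start at the root.
ca_chain_ok() {
  [ "$(pem_block_count "$1" CERTIFICATE)" -ge 1 ] || return 1
  command -v openssl >/dev/null 2>&1 || return 0
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Client cert holds exactly one certificate; key file holds a private key.
client_pair_ok() {
  [ "$(pem_block_count "$1" CERTIFICATE)" -eq 1 ] || return 1
  [ "$(pem_block_count "$2" '.*PRIVATE KEY')" -ge 1 ]
}

# Usage: build_mrhsm_set_cmd CA CERT KEY "ip1,ip2" VERSION PORT
build_mrhsm_set_cmd() {
  case "$4" in ''|,*|*,|*,,*) echo "bad -ip list: $4" >&2; return 1 ;; esac
  valid_kmip_version "$5" || { echo "bad -kmipversion: $5" >&2; return 1; }
  valid_port "$6" || { echo "bad -port: $6" >&2; return 1; }
  ca_chain_ok "$1" || { echo "bad CA chain: $1" >&2; return 1; }
  client_pair_ok "$2" "$3" || { echo "bad client cert/key" >&2; return 1; }
  # -sopin is left out so the PIN is typed at the prompt, not stored in history.
  echo "mrhsm set -cacert $1 -clientcert $2 -clientkey $3 -ip $4 -kmipversion $5 -port $6"
}
```

Run the printed command as root once every check passes; the self-signed test reads only the first certificate in the file, which is exactly the one the reference requires to be the root CA.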