mrhsm enable

Enables external KMIP keystore support.

Use the mrhsm enable command to enable external KMIP keystore support, which is disabled by default. See External KMIP Keystore Overview for more information. This command is usually run as part of the configure.sh script to configure the system for a fresh install or upgrade. However, you can run this command manually as the superuser (root) to change settings such as client certificates.

NOTE Run this command only after you run the mrhsm init and mrhsm set commands to initialize and set the KMIP parameters.
Release 7.0.0 enhanced the mrhsm enable command to generate either the CLDB and DARE master key in the file-based store or the KMIP-based store. The invocation sequence remains the same as in release 6.2.0, but the behavior is different:
  • Enabling a file-based store has the following effect:
    • The Core KEK and Common Root master keys are created in ${MAPR_HOME}/conf/tokens.
    • If the CLDB and/or DARE master keys exist in ${MAPR_HOME}/conf/cldb.key and ${MAPR_HOME}/conf/dare.master.key, they are imported into the mrhsm configuration file. Otherwise, new CLDB and DARE master keys are generated. In both cases, the keys are encrypted using the Core KEK in the file store. Note that importing from the KMIP store into the file store is not supported.
  • Once the file store is enabled, there is no way to disable it, and attempting to do so with the -active false flag yields an error while the storetype is file.
  • The Data Fabric software can enable both the KMIP and File store at the same time. To load the keys, the software first checks the KMIP-based store, then the file-based store. Finally, the software checks the cldb.key/dare.master.key.
  • Enabling a KMIP-based store is similar to release 6.2.0, except in the case when the CLDB and DARE master keys already exist. In this case, the keys are either imported from the file-based store in ${MAPR_HOME}/conf/tokens or the ${MAPR_HOME}/conf/cldb.key and ${MAP_HOME}/conf/dare.master.key. If the file-based store is enabled and the cldb.key and dare.master.key are available, the software checks for consistency between the two. If they are different, the software returns an error on the enable.
  • While there is consistency between any CLDB or DARE keys that are stored, the Core KEK and the Common KEK are different in the KMIP and file stores, yielding different encrypted text.

Syntax

# /opt/mapr/server/mrhsm enable 
enable 
  -sopin <PIN>            The PIN for the Security Officer (SO). 
  [ -dare ]               Generate the DARE key. Set for DARE-enabled clusters 
  [ -active true|false ]  Activate/Deactivate the KMIP configuration. Default: true

Parameters

active

Activates or deactivates the KMIP configuration. If set to true, this command activates (enables) the KMIP feature by creating or retrieving the Core and Common KEKs in the HSM, as well as importing or creating the CLDB and DARE keys. When this is successful, the Data Fabric core platform components, including the CLDB and MFS, retrieve the CLDB and DARE keys that are protected by the HSM Core KEK instead of from configuration files.

The KMIP configuration cannot be modified using the mrhsm set command if it is active. To modify any part of the KMIP configuration after activating it, you need to first deactivate the KMIP feature by using mrhsm enable -active false. After the configuration is deactivated, modify the KMIP configuration as needed, and use the mrhsm enable command to activate it again.
dare
Generate the DARE key. This option takes no parameters. Specify this option to generate the DARE key for fresh installations for a DARE-enabled cluster.
sopin
The PIN for the Security Officer. If not specified in the command line, a prompt will be displayed to enter the SO PIN.

After it is enabled, you cannot disable the external KMIP feature without reconfiguring Data Fabric security using the configure.sh script.

Example

A sample session is as follows:

# mrhsm enable -sopin 12345678
Dare key not found in /opt/mapr/conf/dare.master.key
Found slot ID 1365794501
Obtained cluster name abc.cluster.com from mapr-clusters.conf
Enabling MapR HSM on cluster abc.cluster.com
Successfully generated CLDB key, UUID b2cc0c4f-9a7b-4580-8577-a81ac44cc022
Successfully generated Core KEK, UUID bba15392-1ef0-4ea6-8156-1da2e86a2771
Successfully generated Common KEK, UUID efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5