Enables external KMIP keystore support.
Use the mrhsm enable command to enable external KMIP keystore support,
which is disabled by default. See External KMIP Keystore Overview for
more information. This command is usually run as part of the configure.sh script to configure the system for a fresh
install or upgrade. However, you can run this command manually as the superuser
(root) to change settings such as client certificates.
mrhsm enable
    [ -active true|false ]   Activate/Deactivate the KMIP configuration. Default: true
    [ -dare ]                Generate the DARE key. Set for DARE-enabled clusters
    -sopin <PIN>             The PIN for the Security Officer (SO)
Activates or deactivates the KMIP configuration. If set to
true, this command activates (enables) the KMIP feature by creating/retrieving
the Core and Common KEKs in the HSM, as well as importing/creating the CLDB and
DARE keys. When this is successful, the data-fabric core platform components,
including the CLDB and MFS, retrieve the CLDB and DARE keys that are protected
by the HSM Core KEK instead of from configuration files.
mrhsm enable -active false. After the configuration is deactivated, modify
the KMIP configuration as needed, and use the
mrhsm enable command to activate it again.
Once enabled, you cannot disable the external KMIP feature without reconfiguring data-fabric security using the configure.sh script.
A sample session is as follows:
# mrhsm enable -sopin 12345678
Dare key not found in /opt/mapr/conf/dare.master.key
Found slot ID 1365794501
Obtained cluster name abc.cluster.com from mapr-clusters.conf
Enabling MapR HSM on cluster abc.cluster.com
Successfully generated CLDB key, UUID b2cc0c4f-9a7b-4580-8577-a81ac44cc022
Successfully generated Core KEK, UUID bba15392-1ef0-4ea6-8156-1da2e86a2771
Successfully generated Common KEK, UUID efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
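The following is an added example, not part of the product documentation or the vendor's code: a shell check that reads a saved transcript of the command and confirms that the CLDB key, Core KEK and Common KEK were each reported once with a well-formed UUID. The function names are hypothetical, and the message format is assumed to match the sample session above exactly.

```shell
#!/bin/sh
# Added example (not vendor code): audit a captured `mrhsm enable` transcript.
# Assumption: success lines look exactly like those in the sample session.

UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Constructed input: the output lines of the sample session above.
sample_transcript() {
cat <<'EOF'
Dare key not found in /opt/mapr/conf/dare.master.key
Found slot ID 1365794501
Obtained cluster name abc.cluster.com from mapr-clusters.conf
Enabling MapR HSM on cluster abc.cluster.com
Successfully generated CLDB key, UUID b2cc0c4f-9a7b-4580-8577-a81ac44cc022
Successfully generated Core KEK, UUID bba15392-1ef0-4ea6-8156-1da2e86a2771
Successfully generated Common KEK, UUID efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
EOF
}

# key_uuid NAME: read a transcript on stdin and print the UUID reported for NAME.
# Fails if NAME is absent, reported more than once, or its UUID is malformed.
key_uuid() {
    out=$(sed -n -E "s/^Successfully generated $1, UUID ($UUID_RE)\$/\1/p")
    [ -n "$out" ] && [ "$(printf '%s\n' "$out" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$out"
}

# verify_transcript: read a transcript on stdin, print "name<TAB>uuid" for the
# CLDB key, Core KEK and Common KEK; non-zero if one is missing or UUIDs repeat.
verify_transcript() {
    log=$(cat); rc=0; seen=""
    for name in "CLDB key" "Core KEK" "Common KEK"; do
        if uuid=$(printf '%s\n' "$log" | key_uuid "$name"); then
            printf '%s\t%s\n' "$name" "$uuid"
            case " $seen " in
                *" $uuid "*) echo "duplicate UUID: $uuid" >&2; rc=1 ;;
            esac
            seen="$seen $uuid"
        else
            echo "missing or malformed: $name" >&2; rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run over the constructed sample.
sample_transcript | verify_transcript
```

The DARE key line is not checked because the sample session does not show what a successful DARE key message looks like.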