mrhsm info

Use the mrhsm info command to display HSM configuration information and status. See External KMIP Keystore Overview for more information on HSM keystores.

• Use the -slots option to display information on the PKCS#11 slots.
• Use the -config option to display the KMIP configuration.
• Use the -kmip option to display the KMIP status.

Syntax

mrhsm info

Examples

1. Viewing the PKCS#11 Slot Configuration

   You can view the PKCS#11 slot configuration after initialization. Immediately after a fresh installation, the Token info section will be shown as uninitialized:

   # mrhsm info -slots
   Available slots:
   Slot 0
       Slot info:
           Description:          MapRHSM slot ID 0x0                                             
           Manufacturer ID:      HPE MapR-HSM                    
           Token present:        yes
       Token info:
           Manufacturer ID:      HPE MapR-HSM                    
           Model:                MapRHSM         
           Serial number:                        
          Initialized:          no
           User PIN initialized: no
           Label:            

   After running the mrhsm init command, the Token info section will be shown as initialized, with a serial number assigned. You will need this serial number for various mrhsm configuration tasks:

   # mrhsm info -slots
   Available slots:
   Slot 1298274617
       Slot info:
           Description:          MapRHSM slot ID 0x4d621939                                      
           Manufacturer ID:      HPE MapR-HSM                    
           Token present:        yes
       Token info:
           Manufacturer ID:      HPE MapR-HSM                    
           Model:                MapRHSM         
          Serial number:        07137a824d621939
           Initialized:          yes
           User PIN initialized: yes
           Label:                Utimaco ESKM             

2. Viewing the KMIP Configuration

   You can view the KMIP configuration after initialization. The KMIP configuration constitutes the various configuration settings that you obtain from the KMIP-enabled HSM after setting up the HSM as per the instructions in the data-fabric HSM integration guides ( (Utimaco ESKM Integration Guide, Gemalto SafeNet KeySecure Key Manager Integration Guide, or Vormetric Data Security Manager (DSM) Integration Guide).

   The following settings are required to connect to the HSM:

   1. The comma-separated list of IP addresses.
   2. The KMIP port number, which is 5696 by default.
   3. The client private key.
   4. The client certificate in PEM format.
   5. The CA certificate in PEM format. In the case of a certificate chain containing root and intermediate CA certificates, all certificates will be stored sequentially.

   # mrhsm info -config
   Displaying information for KMIP token with serial b819261a33fbe5a1
   IP                     : Not configured
   Port                   : 5696
   KMIP Version           : 1.1
   KMIP Client Key        : Not configured
   KMIP Client Certificate: Not configured
   KMIP CA Certificate    : Not configured         

   All KMIP configuration settings will be stored in an encrypted format in /opt/mapr/conf/tokens/mrhsm.conf in each of the CLDB nodes in the cluster.

3. Viewing the KMIP Configuration for an Enabled HSM

   Use the -kmip argument to view the KMIP configuration for an enabled HSM:

   # mrhsm info -kmip 
   Displaying information for KMIP token with serial b819261a33fbe5a1
   CLDB Key        : Set
   DARE Key        : Not set
   Core KEK UUID   : bba15392-1ef0-4ea6-8156-1da2e86a2771
   Common KEK UUID : efac20ec-e9d2-40f3-9bd7-bbdc63b10fd5
   Enabled         : Yes