The nzkeydb command

Use the nzkeydb command to create a keystore for securely storing the SED AEKs.

Syntax

The nzkeydb command has the following syntax.

nzkeydb create -pw <password> [-sklm]
nzkeydb changepw -new_pw <password> -pw <password> [-sklm]
nzkeydb validate [-sklm]

Inputs

The nzkeydb command takes the following inputs:

Table 1. The nzkeydb input options
Input Description
create Creates a new local keystore in the /nz/var/keystore directory. This command fails if there is already a keystore present in the directory.

If you include the -sklm option, the command creates a /nz/var/keystore directory if one does not already exist and sets the correct permissions.

changepw Changes the password for accessing the local keystore. You must specify the new password and the current password to change the password.

If you include the -sklm option, the command does not take any action since keystore passwords are not used when the system is configured to use IBM Security Key Lifecycle Manager (ISKLM) for managing AEKs.

validate Performs a check for a local keystore to validate the following:
  • The keystore is empty if there are no keys currently defined or in use.
  • The keystore has keys to match the hardware components that are configured to use keys.
  • The keystore contains the correct set of labels for the authentication keys. That is, there are labels for the host keys as well as the SPU key. If a key has been changed, the store also contains the previous key as well as the current key.
Important: If the validation fails, contact IBM Support immediately to troubleshoot the problems with the keystore. The problem could prevent the disks from being read the next time a disk or system is powered on.

If you include the -sklm option, the command checks to make sure that the keystore directory is set up correctly.

Options

The nzkeydb command takes the following options:

Table 2. The nzkeydb input options
Input Description
-new_pw <new_password> For the changepw option, specifies the new password for the keystore.
-pw <password> Specifies the current password to the keystore.
-sklm Indicates that the system uses an IBM Security Key Lifecycle Manager (ISKLM) server to manage AEKs. See the input descriptions earlier in the topic for create, changepw, and validate.

Description

You use the nzkeydb command to create a keystore that stores and manages the current and previous host and SPU AEKs for the IBM® PureData® System for Analytics N3001 systems. The command logs information when it runs to /nz/kit/log/keydb/keydb.log.

The nzkeydb command is installed in /nz/kit/bin/adm. You must be logged in to the NPS system as the root user to run the command. You must either change to the adm directory and run the command from that location or have that directory in your root user's path to run the command.

Usage

The following examples show some uses of the command with sample syntax:
  • To create a new keystore:
    [root@nzhost-h1 ~]# /nz/kit/bin/adm/nzkeydb create -pw password
     DB creation successful
  • To validate the keystore:
    [root@nzhost-h1 adm]# /nz/kit/bin/adm/nzkeydb validate
     Validation succeeded
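
A check to run before a planned power-off, built from the validate behavior, keystore directory and log path documented in this topic. It is an added example, not IBM-supplied code. The function name and the three overridable variables are assumptions, as is treating any output other than the documented success line as a failure.

```shell
#!/bin/sh
# Added example: confirm the local SED keystore validates before a disk or
# the system is powered off. Defaults are the paths given in this topic; the
# variables can be overridden to exercise the logic on a non-NPS host.
NZKEYDB="${NZKEYDB:-/nz/kit/bin/adm/nzkeydb}"
KEYSTORE_DIR="${KEYSTORE_DIR:-/nz/var/keystore}"
KEYDB_LOG="${KEYDB_LOG:-/nz/kit/log/keydb/keydb.log}"

# Returns 0 only when "nzkeydb validate" prints the success line shown in
# the Usage section. The command's exit status is not documented in this
# topic, so it is not relied on (assumption: other output means failure).
# Returns 2 if the keystore directory is missing, 3 if the command cannot
# be run, 1 if validation did not report success.
keystore_is_valid() {
    if [ ! -d "$KEYSTORE_DIR" ]; then
        echo "keystore directory $KEYSTORE_DIR is missing" >&2
        return 2
    fi
    if ! command -v "$NZKEYDB" >/dev/null 2>&1; then
        echo "cannot run $NZKEYDB (log in as root, check the path)" >&2
        return 3
    fi
    out=$("$NZKEYDB" validate 2>&1) || true
    case "$out" in
        *"Validation succeeded"*) return 0 ;;
    esac
    echo "nzkeydb validate did not report success:" >&2
    printf '%s\n' "$out" >&2
    # Recent log lines are useful to attach when contacting IBM Support.
    [ -r "$KEYDB_LOG" ] && tail -n 20 "$KEYDB_LOG" >&2
    return 1
}
```

Call keystore_is_valid as root and stop the maintenance procedure on any non-zero return, since that is the condition this topic says to raise with IBM Support before the next power-on.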