The nzkmip command
Use the nzkmip command to manage IBM Security Key Lifecycle Manager AEK configuration and setup.
Syntax
The nzkmip command has the following syntax.
nzkmip [-h | -rev] [-hc] subcmd [subcmd options]
nzkmip get {-label label | -uuid uuid} [-file file]
nzkmip populate [-keystore keystore]
nzkmip test -label label {-key key | -file file} [-updateDb]
Inputs
The nzkmip command takes the following inputs:
| Input | Description |
|---|---|
| get | Extracts the specified key defined in the ISKLM keystore. You must specify a label or the ISKLM UUID for the key that you want to extract. The command displays the AEK on the screen, or you can use the -file option to store the command output in a file. |
| populate | Reads the keys from a local keystore and adds those keys to the ISKLM keystore for management. The command uses the default local keystore in the /nz/var/keystore directory unless you specify an alternate location with the -keystore option. |
| test | Tests the ISKLM key storage and retrieval operations. You must specify a label for the test key, and specify the key or the file that holds the key. The command stores the input label and key in the ISKLM server and then retrieves the stored key by its ISKLM-supplied UUID for comparison against the input key to confirm that they are the same. If the key comparison fails, the problem may be an issue with the processes that store and return the key at the ISKLM server. |
Options
The nzkmip command takes the following options:
| Option | Description |
|---|---|
| -label label | Specifies the label of the key to get or to test, such as spuaek, spuaekOld, hostkey1, hostkey1Old, hostkey2 or hostkey2Old. With the nzkmip test command, you can specify any label name for the test operations. |
| -uuid uuid | Specifies the ISKLM-supplied UUID value of the key to get (extract). |
| -file file | For the get subcommand, specifies the file to which you want to write the host or SPU key. For the test subcommand, specifies the file that contains the test key that you want to use. |
| -keystore keystore | Specifies the fully qualified pathname of the local keystore from which you are obtaining the keys to send to (populate) the ISKLM server. The default is /nz/var/keystore. |
| -key key | When used with the nzkmip test command, specifies the key that you want to test for the storage and retrieval from the ISKLM server. |
| -updateDb | When used with the nzkmip test command, causes the test key to be inserted as a row in the _t_kmip_mapping table to confirm that the key is stored in the NPS database. If you use this option, you should delete the row from the table after the test is complete. |
Description
You use the nzkmip command to extract and populate the authentication keys (AEKs) that are used for the SED drives in the host and in the storage arrays of the IBM® PureData® System for Analytics N3001 systems, and to test the ISKLM server connection and key management for those keys.
The nzkmip command is installed in /nz/kit/bin/adm. You must be logged in to the NPS system as the root user to run the command. You must either change to the adm directory and run the command from that location or have that directory in your root user's path to run the command.
Usage
- To extract a key:
[root@nzhost ~]# /nz/kit/bin/adm/nzkmip get -uuid KEY-70a07fcc-1a01-4628-979c-bd75fe5e4557
Key Value : t7Nº×n¸¦CÃ<"*"ºìýGse»¤;|%
- To test a key:
[root@nzhost ~]# /nz/kit/bin/adm/nzkmip test -label spuaek -file /tmp/new_spukey.pem
Connecting to SKLM server at tls://1.2.3.4:5696
Success: Connection to SKLM store succeeded
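The get subcommand with -file writes AEK material to disk, so in practice it is wrapped so that the output file is created with owner-only permissions and the label is checked before the key is exported. The following shell wrapper is an added example and is not part of the IBM documentation or the nzkmip tool itself; it assumes an NZKMIP_BIN environment variable that overrides the binary path (so the wrapper can be exercised with a stub), and it treats the label list from the -label option description above as the set of valid labels.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): a defensive wrapper around
# "nzkmip get -label LABEL -file FILE" for exporting an AEK to a file.
# Assumption (not on the page): NZKMIP_BIN overrides the path to the binary.
NZKMIP_BIN="${NZKMIP_BIN:-/nz/kit/bin/adm/nzkmip}"

# Return 0 if LABEL is one of the labels the documentation lists, else 1.
nzkmip_label_valid() {
    case "$1" in
        spuaek|spuaekOld|hostkey1|hostkey1Old|hostkey2|hostkey2Old) return 0 ;;
        *) return 1 ;;
    esac
}

# Export the AEK for LABEL into FILE with mode 0600.
# Prints the reason on stderr and returns a distinct non-zero code per failure.
nzkmip_export_key() {
    label="$1"
    file="$2"
    # The real tool must be run as root; skip the check when a stub is used.
    if [ "$NZKMIP_BIN" = /nz/kit/bin/adm/nzkmip ] && [ "$(id -u)" -ne 0 ]; then
        echo "nzkmip must be run as root" >&2
        return 1
    fi
    if ! nzkmip_label_valid "$label"; then
        echo "refusing unknown label: $label" >&2
        return 2
    fi
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing file: $file" >&2
        return 3
    fi
    if [ ! -x "$NZKMIP_BIN" ]; then
        echo "nzkmip not found or not executable: $NZKMIP_BIN" >&2
        return 4
    fi
    # Create the file 0600 before nzkmip writes into it, so the key material
    # is never world-readable, not even briefly.
    ( umask 077 && : > "$file" ) || return 5
    if ! "$NZKMIP_BIN" get -label "$label" -file "$file"; then
        rm -f "$file"
        return 6
    fi
    if [ ! -s "$file" ]; then
        rm -f "$file"
        echo "nzkmip returned an empty key file" >&2
        return 7
    fi
    return 0
}

# Usage on the appliance (as root):
#   nzkmip_export_key spuaek /root/spuaek.key
```

The wrapper removes the output file again if nzkmip fails or writes nothing, so a failed export never leaves a stray, possibly partial key file behind.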