mmkeyserv command

Manages encryption key servers and clients.

Synopsis

mmkeyserv server {add | update}
   ServerName [--port RestPortNumber] [--user-id RestUserID]
   [--server-pwd PasswordFile] [--accept] [--kmip-cert CertFilesPrefix]
   [--backup ServerName[,ServerName...]] [--distribute | --nodistribute]
   [--timeout ConnectionTimeout] [--retry ConnectionAttempts]
   [--interval Microseconds]
or
mmkeyserv server delete ServerName
or
mmkeyserv server show [ServerName] [-Y]
or
mmkeyserv tenant add TenantName
    --server ServerName [--server-pwd PasswordFile]
or
mmkeyserv tenant delete TenantName
   --server ServerName [--server-pwd PasswordFile]
or
mmkeyserv tenant show [TenantName] [--server ServerName] [-Y]
or
mmkeyserv key create --server ServerName [--server-pwd PasswordFile]
   --tenant TenantName [--count NumberOfKeys]
or
mmkeyserv key delete --server ServerName [--server-pwd PasswordFile]
   {--all --tenant TenantName | --file ListOfKeysFile}
or
mmkeyserv key show --server ServerName [--server-pwd PasswordFile]
   --tenant TenantName
or
mmkeyserv client create ClientName
   --server ServerName [--server-pwd PasswordFile]
   [--keystore-pwd PasswordFile]
or
mmkeyserv client delete ClientName
or
mmkeyserv client register ClientName
   --rkm-id RkmID --tenant TenantName [--server-pwd PasswordFile]
or
mmkeyserv client deregister ClientName
   --tenant TenantName [--server-pwd PasswordFile]
or
mmkeyserv client show [ClientName | --server ServerName] [-Y]
or
mmkeyserv rkm change RkmID {[--rkm-id NewRkmID]
   [--backup ServerName[,ServerName...]] [--distribute | --nodistribute]
   [--timeout ConnectionTimeout] [--retry ConnectionAttempts]
   [--interval Microseconds]}
or
mmkeyserv rkm show

Availability

Available with IBM Spectrum Scale Advanced Edition, IBM Spectrum Scale Data Management Edition, or IBM Spectrum Scale Erasure Code Edition.

Description

With the mmkeyserv command, you can configure a cluster and a remote key manager (RKM) server so that nodes in the cluster can retrieve master encryption keys when they need to. You must set up an RKM server before you run this command. The RKM server software must be IBM® Security Key Lifecycle Manager (SKLM). Nodes in the cluster must have direct network access to the RKM server.

With this command you can connect to an RKM server, create GPFS tenants, create encryption keys, and create and register key clients. The command automatically generates and exchanges certificates and sets up a local keystore. You can also use this command to securely delete key clients, encryption keys, and tenants. You can run this command from any node in the cluster. Each node has a configuration file and a copy of the local keystore. Configuration changes affect all nodes in the cluster.

Password files: Several of the command options require a password file as a parameter. A password file is a text file that contains a password at the beginning. A password must be 1 - 20 characters in length. Because the password file is a security-sensitive file, it must have the following characteristics:
  • It must be a regular file.
  • It must be owned by the root user.
  • Only the root user must have permission to read or write it.
The following terms are used:
Start of changeclient or key clientEnd of change
Start of changeAn entity in the cluster that represents the nodes that access encrypted files. The key client receives master encryption keys from the tenant of the RKM server.End of change
IBM Security Key Lifecycle Manager (SKLM)
Required key management server software.
Master encryption key (MEK)
A key for encrypting file encryption keys.
Remote key management (RKM) server
A server with software that authenticates clients and provides them with master encryption keys.
RKM.conf file
A configuration file that the mmkeyserv command maintains. Each node in the cluster has a copy of this file. The full path is /var/mmfs/ssl/keyServ/RKM.conf.
RKM stanza
A block of configuration information that describes a registered key client. RKM stanzas are stored in the RKM.conf file.
RKM ID
An identifier for an RKM stanza.
tenant
A device group in SKLM that contains MEKs for registered key clients.

Parameters

server
Manages a connection with an RKM server.
add
Adds an RKM server connection to the IBM Spectrum Scale cluster. You can adjust the values of some of these parameters later with the mmkeyserv rkm change command.
ServerName
Specifies the host name or IP address of the RKM server.
--port RestPortNumber
Specifies the port number for the Representational State Transfer (REST) interface. The default value is 9080. For SKLM v2.7 and later, the default port number is 443.
--user-id RestUserID
Specifies the user ID for the RKM server. The default value is SKLMAdmin.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
--accept
Configures the command to automatically accept certificates from the RKM server. The acceptance prompt is suppressed.
[--kmip-cert CertFilesPrefix]
Specifies the path and the file name prefix of non-self-signed certificate files in a certificate chain.
Important:
  • You must use this option when the specified key server is using a chain of certificates from a certificate authority or other non-self-signed certificate chain for communication on the KMIP port.
  • If you omit this option, the command assumes that the specified key server is using a self-signed certificate for communication on the KMIP port. The command retrieves the self-signed certificate from the key server automatically.
For more information about adding certificates of either kind to the configuration, see Simplified setup: Using SKLM with a self-signed certificate.
The certificate files must be formatted as PEM-encoded X.509 certificates. You must manually retrieve the certificate files from the key server. Copy the files to the node on which you are issuing the mmkeyserv command. Rename the files so that the full path and the file name of each file in the chain has the following format:
CertFilesPrefix.n.cert
where:
CertFilesPrefix
Is the full path and the file name prefix of the certificate file.
n
Is an integer that identifies the place of the certificate in the certificate chain:
  • 0 indicates that the file is the root CA certificate.
  • 1 - (n-1) indicates that the file is an intermediate CA certificate.
  • n indicates that the file is the endpoint certificate.
Note: A valid certificate chain can contain zero or more intermediate certificates.
cert
Is the suffix of the certificate file.
For example, in the following set of certificate files, the CertFilesPrefix is /tmp/certificate/sklmChain:
  • /tmp/certificate/sklmChain.0.cert contains the root certificate.
  • /tmp/certificate/sklmChain.1.cert contains an intermediate certificate.
  • /tmp/certificate/sklmChain.2.cert contains the endpoint certificate.
--backup ServerName[,ServerName...]
Specifies a comma-separated list of server names that you want to add to the list of backup RKM servers in the RKM.conf file. If an IBM Spectrum Scale node cannot retrieve a master encryption key from its main RKM server, it tries each backup server in the list until it either retrieves a key or exhausts the list.
Note: The mmkeyserv command itself does not attempt to contact backup servers or to replicate client information across background servers. The system administrator is responsible for maintaining replication across backup servers.
--distribute | --nodistribute
--distribute
Attempts to arrange the list of RKM server names (main RKM server and backup RKM servers) in the RKM.conf file in a different order on each node so that each node connects with the servers in a different order. This option provides some performance advantage in retrieving MEKs. This option is the default.
--nodistribute
Does not attempt to arrange the list of backup RKM server names in the RKM.conf file.
--timeout ConnectionTimeout
Sets the connection timeout in seconds for retrieving an MEK from an RKM server. The valid range is 1 - 120 seconds. The default value is 60 seconds.
--retry ConnectionAttempts
Sets the number of attempts to retry a connection to an RKM server. The valid range is 1 - 10 retries. The default value is three retries.
--interval Microseconds
Specifies the number of microseconds to wait between connection retries. The valid range is 1 - 1000000000. The default value is 10000 (0.1 seconds).
update
Updates a connection between an IBM Spectrum Scale cluster and an RKM server. If you do not specify a parameter after update, the command does the following actions:
  • It gets a fresh certificate from the RKM server.
  • It updates the default port number for the Representational State Transfer (REST) interface to match the default on the key server. The default REST port number is 443 for SKLM v2.7. For earlier versions it is 9080.
ServerName
Specifies the host name or IP address of the RKM server.
--port RestPortNumber
Specifies the port number for the Representational State Transfer (REST) interface.
--user-id RestUserID
Specifies the user ID for the RKM server. The default value is SKLMAdmin.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password if one is required.
--accept
Configures the command to automatically accept certificates from the RKM server. The acceptance prompt is suppressed.
[--kmip-cert CertFilesPrefix]
Specifies the path and the file name prefix of non-self-signed certificate files in a certificate chain.
Important:
  • You must use this option when the specified key server is using a chain of certificates from a certificate authority or other non-self-signed certificate chain for communication on the KMIP port.
  • If you omit this option, the command assumes that the specified key server is using a self-signed certificate for communication on the KMIP port. The command retrieves the self-signed certificate from the key server automatically.
For more information about adding certificates of either kind to the configuration, see Simplified setup: Using SKLM with a self-signed certificate.
The certificate files must be formatted as PEM-encoded X.509 certificates. You must manually retrieve the certificate files from the key server. Copy the files to the node on which you are issuing the mmkeyserv command. Rename the files so that the full path and the file name of each file in the chain has the following format:
CertFilesPrefix.n.cert
where:
CertFilesPrefix
Is the full path and the file name prefix of the certificate file.
n
Is an integer that identifies the place of the certificate in the certificate chain:
  • 0 indicates that the file is the root CA certificate.
  • 1 - (n-1) indicates that the file is an intermediate CA certificate.
  • n indicates that the file is the endpoint certificate.
Note: A valid certificate chain can contain zero or more intermediate certificates.
cert
Is the suffix of the certificate file.
For example, in the following set of certificate files, the CertFilesPrefix is /tmp/certificate/sklmChain:
  • /tmp/certificate/sklmChain.0.cert contains the root certificate.
  • /tmp/certificate/sklmChain.1.cert contains an intermediate certificate.
  • /tmp/certificate/sklmChain.2.cert contains the endpoint certificate.
--backup ServerName[,ServerName...]
Specifies a comma-separated list of server names that you want to add to the backup RKM servers that are listed in the RKM.conf file. If an IBM Spectrum Scale node cannot retrieve a master encryption key from its main RKM server, it tries each backup server in the list until it either retrieves a key or exhausts the list.
Important: To remove a backup list, specify delete instead of a list of server names, as in the following example:
mmkeyserv server update ServerName --backup delete

The backup parameter does not change the RKM.conf file.

Note: The mmkeyserv command itself does not attempt to contact backup servers or to replicate client information across background servers. The system administrator is responsible for maintaining replication across backup servers.
--distribute | --nodistribute
You must specify one of these two options. There is no default value.
--distribute
Attempts to arrange the RKM server names (main RKM server and backup RKM servers) that are listed in the RKM.conf file in a different order on each node so that each node connects with the servers in a different order. This option provides some performance advantage in retrieving MEKs.
--nodistribute
Does not attempt to arrange the backup RKM server names that are listed in the RKM.conf file.

Neither parameter changes the RKM.conf file.

--timeout ConnectionTimeout
Sets the connection timeout in seconds for retrieving an MEK from an RKM server. The valid range is 1 - 120 seconds. To restore the system default value (60 seconds), you can specify either 60 or the keyword default as the ConnectionTimeout value.

This parameter does not change the RKM.conf file.

--retry ConnectionAttempts
Sets the number of attempts to retry a connection to an RKM server. The valid range is 1 - 10 retries. To restore the system default value (3 retries), you can specify either 3 or the keyword default as the ConnectionAttempts value.

This parameter does not change the RKM.conf file.

--interval Microseconds
Specifies the number of microseconds to wait between connection retries. The valid range is 1 - 1000000000. To restore the system default value (10000, which is 0.1 seconds), you can specify either 10000 or the keyword default as the Microseconds value.

This parameter does not change the RKM.conf file.

delete
Removes a connection with an RKM server from the cluster.
ServerName
Specifies the host name or IP address of the RKM server that you want to disconnect from.
show
Displays information about RKM servers. The following table shows the display options:
Table 1. mmkeyserv server show
Option Displays information about
show All servers.
show ServerName The specified server.
ServerName
Specifies the host name or IP address of an RKM server.
tenant
Manages tenants on RKM servers. A tenant is an SKLM device group for holding encryption keys.
add
Specifies the name of a tenant to add to the IBM Spectrum Scale cluster.
  • If the tenant is already added to the cluster, the command returns with an error.
  • If the tenant exists on the RKM server but is not added to the cluster, the command adds the tenant to the cluster.
  • If the tenant does not exist on the RKM server, the command creates the tenant on the server and adds the tenant to the cluster.
TenantName
Specifies the name of the tenant that you want to create.
--server ServerName
Specifies the name of the RKM server to which the tenant belongs.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
delete
Deletes a tenant from an RKM server.
Note:
  • If you delete a tenant that has encryption keys on the key server, the command deletes the tenant from the cluster configuration but not from the key server.
  • If you delete a tenant that has no encryption keys on the key server, the command deletes the tenant from both the cluster configuration and the key server.
TenantName
Specifies the name of the tenant that you want to delete.
--server ServerName
Specifies the name of the RKM server to which the tenant belongs.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
show
Displays information about tenants and RKM servers. The following table shows the results of various combinations of options:
Table 2. mmkeyserv tenant show
Option Displays information about
show All tenants from all RKM servers.
show TenantName The specified tenant.
show ---server ServerName All tenants from the specified RKM server.
show TenantName --server ServerName The specified tenant and the specified server.
TenantName
Specifies the name of a tenant.
--server ServerName
Specifies the name of an RKM server.
key
Manages encryption keys.
create
Creates encryption keys in a tenant and displays the key IDs on the console.
Note: Make a note of the key IDs. You must specify an encryption key ID and an RKM ID when you write an encryption policy rule.
--server ServerName
Specifies the host name or IP address of an RKM server.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
--tenant TenantName
Specifies the name of the tenant in which you want to create the encryption keys.
--count NumberOfKeys
Specifies the number of keys to create. The default value is 1.
delete
Deletes encryption keys from a tenant.
CAUTION:
When you delete an encryption key, any data that was encrypted by that key becomes unrecoverable.
--server ServerName
Specifies the host name or IP address of an RKM server.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
--all --tenant TenantName
Deletes all the encryption keys in the specified tenant.
--file ListOfKeysFile
Specifies a file that contains a list of the key IDs of encryption keys that you want to delete, one key per line.
show
Displays information about the encryption keys in a tenant.
--server ServerName
Specifies the host name or IP address of an RKM server.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
--tenant TenantName
Specifies the name of the tenant that contains the keys that you want to display.
client
Manages key clients. The following facts are important:
  • You need only one key client per cluster per RKM server. However, you can create and use multiple key clients on the same RKM server.
  • You can register only one key client per tenant per cluster. However, you can register one key client to more than one tenant in the same RKM server.
create
Creates a key client to communicate with the RKM server.
ClientName
Specifies the name of the key client that you want to create. A key client name must be 1 - 16 characters in length and must be unique within an IBM Spectrum Scale cluster.
--server ServerName
Specifies the name of the RKM server to which the key client belongs.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
--keystore-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
delete
Deletes a key client.
ClientName
Specifies the name of the key client that you want to delete.
register
Registers a key client to a tenant.
ClientName
Specifies the name of the key client that you want to register.
--rkm-id RkmID
Specifies a new RKM ID. An RKM ID must be unique within the cluster, must be 1 - 21 characters in length, and can contain only alphanumeric characters or underscore (_). It must begin with a letter or an underscore. An RKM ID identifies an RKM stanza in the RKM.conf file. The stanza contains the information that a node needs to retrieve a master encryption key (MEK) from an RKM.
--tenant TenantName
Specifies the name of the tenant to which you want to register the client.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
deregister
Unregisters a key client from a tenant.
ClientName
Specifies the name of the key client that you want to unregister.
--tenant TenantName
Specifies the name of the tenant that you want to unregister the key client from.
--server-pwd PasswordFile
Specifies a password file that contains a password for accessing the RKM server. See the requirements for password files in the Description section of this topic. If this parameter is omitted, the command prompts for a password.
show
Displays information about a key client.
ClientName
Specifies the name of the client whose information you want to display.
--server ServerName
Specifies the name of the server to which the client belongs.
rkm
change
Changes the properties of an RKM stanza. For more information about an RKM stanza, see the Description section of this topic.
RkmID
Specifies the RKM ID of the stanza whose properties you want to change.
--rkm-id RkmID
Specifies a new RKM ID. An RKM ID must be unique within the cluster, must be 1 - 21 characters in length, and can contain only alphanumeric characters or underscore (_). It must begin with a letter or an underscore. An RKM ID identifies an RKM stanza in the RKM.conf file. The stanza contains the information that a node needs to retrieve a master encryption key (MEK) from an RKM.
--backup ServerName[,ServerName...]
Specifies a comma-separated list of server names that you want to add to the backup RKM servers that are listed in the RKM.conf file. If an IBM Spectrum Scale node cannot retrieve a master encryption key from its main RKM server, it tries each backup server in the list until it either retrieves a key or exhausts the list.
Important: To remove a backup list, specify delete instead of a list of server names, as in the following example:
mmkeyserv rkm change RkmID --backup delete

The backup parameter does not change the RKM.conf file.

Note: The mmkeyserv command itself does not attempt to contact backup servers or to replicate client information across background servers. The system administrator is responsible for maintaining replication across backup servers.
--distribute | --nodistribute
--distribute
Attempts to arrange the list of RKM server names (main RKM server and backup RKM servers) in the RKM.conf file in a different order on each node so that each node connects with the servers in a different order. This option provides some performance advantage in retrieving MEKs.
--nodistribute
Does not attempt to arrange the list of backup RKM server names in the RKM.conf file.
--timeout ConnectionTimeout
Sets the connection timeout in seconds for retrieving an MEK from an RKM server. The valid range is 1 - 120 seconds. To restore the system default value (60 seconds), you can specify either 60 or the keyword default as the ConnectionTimeout value.

This parameter does not change the RKM.conf file.

--retry ConnectionAttempts
Sets the number of attempts to retry a connection to an RKM server. The valid range is 1 - 10 retries. To restore the system default value (3 retries), you can specify either 3 or the keyword default as the ConnectionAttempts value.

This parameter does not change the RKM.conf file.

--interval Microseconds
Specifies the number of microseconds to wait between connection retries. The valid range is 1 - 1000000000. To restore the system default value (10000, which is 0.1 seconds), you can specify either 10000 or the keyword default as the Microseconds value.

This parameter does not change the RKM.conf file.

show
Displays information about all the RKM stanzas in the RKM.conf file of the node.
-Y
Displays the command output in a parseable format with a colon (:) as a field delimiter. Each column is described by a header.
Note: Fields that have a colon (:) are encoded to prevent confusion. For the set of characters that might be encoded, see the command documentation of mmclidecode. Use the mmclidecode command to decode the field.

Exit status

0
Successful completion.
Nonzero
A failure occurred.

Security

You must have root authority to run the mmkeyserv command.

The node on which you enter the command must be able to execute remote shell commands on any other administration node in the cluster. It must be able to do so without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.

Examples

Examples 1 - 5 illustrate the steps in configuring an RKM server and a key client and generating an encryption key:
  1. The following command makes an RKM server known to an IBM Spectrum Scale cluster. The name keyserver01 is the host name of the SKLM server:
    # mmkeyserv server add keyserver01
Enter password for the RKM server keyserver01:
The security certificate(s) from keyserver01.gpfs.net must be accepted to continue.  View the 
certificate(s) to determine whether you want to trust the certifying authority.
Do you want to view or trust the certificate(s)? (view/yes/no) view

Serial number:          01022a8adf20f3
SHA-256 digest:         2ca4a48a3038f37d430162be8827d91eb584e98f5b3809047ef4a1c72e15fc4c
Signature:              7f0312e7be18efd72c9d8f37dbb832724859ba4bb5827c230e2161473e0753b367ed49d9935
05bd23858541475de8e021e0930725abbd3d25b71edc8fc3de20b7c2db5cd4e865f41c7c410c1d710acf222e1c45189108e
40568ddcbeb21094264da60a1d96711015a7951eb2655363309d790ab44ee7b26adf8385e2c210b8268c5aede5f82f26855
4a6fc22ece6efeee2a6264706e71416a0dbe8c39ceacd86054d7cc34dda4fffea4605c037d32129055610821af85dd9819a
4d7e4baa70c51addcda720d33bc9f8bbde6d292c028b2f525a0275ebea968c26f8f0c4b604719ae3b04e71ed7a8188cd6ad
f68764374b29c91df3d101a941bf8b7189485ad72
Signature algorithm:    SHA256WithRSASignature
Key size:               2048
Issuer:                 C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=c40bbc1xn3.gpfs.net
Subject:                C=US, O=IBM, OU=SKLMNode, SKLMCell, CN=c40bbc1xn3.gpfs.net

Serial number:          01022a24475466
SHA-256 digest:         077c3b53c5046aa893b760c11cca3a993efbc729479771e03791f9ed4f716879
Signature:              227b5befe89f2e55ef628da6b50db1ab842095a54e1505655e3d95fee753a7f7554868aa79b
294c503dc34562cf69c2a20128796758838968565c0812c4aedbb0543d396646a269c02bf4c5ce5acba4409a10effbd47ca
38ce492698e2dcdc8390b9ae3f4a47c23ee3045ff0145218668f35a63edac68201789ed0db6e5c170f5c6db49769f0b4c9a
5f208746e4342294c447793ed087fa0ac762588faf420febeb3fca411e4e725bd46476e1f9f44759a696573af5dbbc95532
18c7083c80440f2e542bf56cc5cc18156cce05efd6c2e5fea2b886c5c1e262c10af18b13ccf38c3533ba025b97bbe62f271
545b2ab5c1f50c1dca45ce504dfcfc257362e9b43
Signature algorithm:    SHA256WithRSASignature
Key size:               2048
Issuer:                 C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=c40bbc1xn3.gpfs.net
Subject:                C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=c40bbc1xn3.gpfs.net

Do you trust the certificate(s) above? (yes/no) yes
To display all RKM servers information, enter:
c34f2n03:~ # mmkeyserv server show
keyserver01
        Type:                         SKLM
        Hostname:                     keyserver01.gpfs.net
        User ID:                      SKLMAdmin
        REST port:                    9080
        Label:                        1_keyserver01
        NIST:                         on
        FIPS1402:                     off
        Backup Key Servers:
        Distribute:                   yes
        Retrieval Timeout:            120
        Retrieval Retry:              3
        Retrieval Interval:           10000
Start of change        REST Certificate Expiration:  2030-12-22 21:48:53 (-0500)
        KMIP Certificate Expiration:  2021-11-02 13:03:52 (-0400)End of change
    The following command displays information about all RKM servers that are known to the cluster. At the moment, the only one is keyserver01:
    # mmkeyserv server show
keyserver01
        Type:                         SKLM
        Hostname:                     keyserver01.gpfs.net
        User ID:                      SKLMAdmin
        REST port:                    9080
        Label:                        1_keyserver01
        NIST:                         on
        FIPS1402:                     off
        Backup Key Servers:
        Distribute:                   yes
        Retrieval Timeout:            120
        Retrieval Retry:              3
        Retrieval Interval:           10000
Start of change        REST Certificate Expiration:  2030-12-22 21:48:53 (-0500)
        KMIP Certificate Expiration:  2021-11-02 13:03:52 (-0400)End of change
  2. The following command creates a tenant in the server that you defined in Example 1, keyserver01. The name of the tenant is devG1:
    # mmkeyserv tenant add devG1 --server keyserver01
Enter password for the RKM server keyserver01:
    The following command displays all the current tenants of keyserver01:
    # mmkeyserv tenant show
devG1
        Key Server:          keyserver01.gpfs.net
        Registered Client:   (none)
  3. The following command adds a key client to the tenant that you created in Example 2. The command does not specify password files for the server and the new keystore, so the command prompts for the passwords. The name of the key client is c34f2n03Client1:
    # mmkeyserv client create c34f2n03Client1 --server keyserver01
Enter password for the RKM server keyserver01:
Create a pass phrase for keystore:
Confirm your pass phrase:
    The following command displays information about all the key clients on the RKM server:
    # mmkeyserv client show
c34f2n03Client1
        Label:                   c34f2n03Client1
        Key Server:              keyserver01.gpfs.net
        Tenants:                 (none)
Start of change        Certificate Expiration:  2021-08-20 14:20:46 (-0400)End of change
  4. The following command registers the key client from Example 3 to the tenant from Example 2. To ensure uniqueness in RKM IDs, it is a good practice to create the RKM ID name by combining the names of the RKM server and the tenant. However, the RKM ID cannot be longer than 21 characters. In this example the RKM ID is keyserver01_devG1:
    # mmkeyserv client register c34f2n03Client1 --tenant devG1 --rkm-id keyserver01_devG1
Enter password for the RKM server :

mmkeyserv: [I] Client currently does not have access to the key.  Continue the registration process ...
mmkeyserv: Successfully accepted client certificate
    The following two commands now show that key client c34f2n03Client1 is registered to tenant devG1:
    # mmkeyserv tenant show
devG1
        Key Server:          keyserver01.gpfs.net
        Registered Client:   c34f2n03Client1
        RKM ID:              keyserver01_devG1

# mmkeyserv client show
c34f2n03Client1
        Label:                   c34f2n03Client1
        Key Server:              keyserver01.gpfs.net
        Tenants:                 devG1
Start of change        Certificate Expiration:  2021-08-20 14:20:46 (-0400)End of change
    The following command shows the contents of the new RKM stanza that was added to the RKM.conf file:
    # mmkeyserv rkm show
keyserver01_devG1 {
  type = SKLM
  kmipServerUri = tls://192.168.40.59:5696
  keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c34f2n03Client1.1.p12
  passphrase = pw4c34f2n03Client1
  clientCertLabel = c34f2n03Client1
  tenantName = devG1
}
    You can also show the contents of the RKM.conf file by routing the contents of the file to the console:
    # cat /var/mmfs/ssl/keyServ/RKM.conf
keyserver01_devG1 {
  type = SKLM
  kmipServerUri = tls://192.168.40.59:5696
  keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c34f2n03Client1.1.p12
  passphrase = pw4c34f2n03Client1
  clientCertLabel = c34f2n03Client1
  tenantName = devG1
}
  5. The following example creates an encryption key in the tenant from Example 4. In the third line, the command displays the new encryption key (KEY-d4e83148-e827-4f54-8e5b-5e1b5cc66de1):
    # mmkeyserv key create --server keyserver01.gpfs.net --tenant devG1
Enter password for the RKM server keyserver01.gpfs.net:
KEY-d4e83148-e827-4f54-8e5b-5e1b5cc66de1

See also

Location

/usr/lpp/mmfs/bin
Parent topic: Command reference