chsecmode Command

Purpose

Changes the security mode and key types and initiates transition to the specified mode.

Syntax

chsecmode -c mode [-m method ] [-s type ] [-f] [-x] [-h]

Description

The chsecmode command sets the Reliable Scalable Cluster Technology (RSCT) security compliance mode to the nist_sp800_131a mode. A new generation method for the public and private keys, and a new symmetric key type for message signing and verification, can also be specified. The NIST compliance mode can also be turned off by passing the mode as none.

If the key generation method is not specified, the current method is kept as long as it is compliant with the new compliance mode. If the current method is not compliant, the rsa2048_sha256 method is used for the nist_sp800_131a mode and the rsa512 method is used for the none mode.

If the symmetric key type is default, the actual key type is chosen internally by RSCT for the specified compliance mode. In the nist_sp800_131a mode, the aes256_sha256 key is used for the default symmetric key type. If the compliance mode is turned off, the appropriate symmetric key type is chosen based on the situation.

Flags

Item Description
-c mode Specifies the security compliance mode. The valid modes are: nist_sp800_131a and none.
-f Generates new keys even if the key generation method has not changed.
-h Displays the usage information for the chsecmode command.
-m method Specifies the key generation method for the node's public and private keys. The method must be valid for the compliance mode in use. For the nist_sp800_131a mode, the following key generation methods are valid:
  • rsa2048_sha256
  • rsa2048_sha512
  • rsa3072_sha256
  • rsa3072_sha512
For the non-NIST compliance mode none, any supported key generation methods are valid including the rsa512 and rsa1024 methods.
-s type Specifies the cluster default symmetric key type. The following symmetric key types are valid for the nist_sp800_131a mode:
  • aes128_sha256
  • aes128_sha512
  • aes256_sha256
  • aes256_sha512
For the non-NIST compliance mode none, any supported symmetric key types are valid including:
  • aes128_md5
  • aes256_md5
  • 3des_md5
  • des_md5
-x Forces the pending operation to be overwritten. If a pending change exists and the -x option is not specified, the chsecmode command fails if it is used for changing the security configuration.

Security

The chsecmode command permits only root to run the command.

Exit Status

0
Successful completion.
27
Invalid symmetric or asymmetric key error.
54
Invalid input parameter error.
55
THL file update failed error.
56
The startsrc command failed.
57
The stopsrc command failed.
58
The refresh <subsystem> command failed.
59
Invalid compliance mode error.
60
API error.

Examples

  1. To enable NIST compliance mode with the compliant key generation method and the symmetric key type, enter:
    chsecmode -c nist_sp800_131a
    If the current method and the symmetric key type are compliant, they are not changed. If the current method and type are not compliant, the following values are used: the rsa2048_sha256 key generation method and the aes256_sha256 symmetric key type.
  2. To enable the NIST compliance mode with the rsa2048_sha512 key generation method, enter:
    chsecmode -c nist_sp800_131a -m rsa2048_sha512
    If the current symmetric key is already compliant, it is not changed. If the current symmetric key is not compliant, it is replaced with the aes256_sha256 key.
  3. To enable the NIST compliance mode with the rsa2048_sha512 key generation method and the aes128_sha512 symmetric key, enter:
    chsecmode -c nist_sp800_131a -m rsa2048_sha512 -s aes128_sha512
  4. To disable NIST compliance mode, enter:
    chsecmode -c none
    The current key generation method and symmetric key type are not changed.
  5. To generate public and private keys by using the rsa512 key generation method, enter:
    chsecmode -m rsa512
    If the current compliance mode is nist_sp800_131a, this operation is rejected. If the current compliance mode is none and the current key generation method is not rsa512, the current key generation method is replaced by rsa512 and a new private and public key pair is generated.
  6. To force generate the public and private keys even if there is no change in the key generation method, enter:
    chsecmode -m rsa512 -f
    If the current compliance mode is nist_sp800_131a, this operation is rejected. If the current compliance mode is none, the current key generation method is replaced by the rsa512 method and a new private and public key pair is generated, even if the current public and private keys already use the rsa512 method.
  7. To overwrite or cancel any pending operation, enter:
    chsecmode -x -c nist_sp800_131a
    If there is a pending compliance mode, the pending operation is ignored and a new compliance mode change to the nist_sp800_131a mode is started.
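The following script is an added example, not part of the RSCT documentation or of the chsecmode command itself. It encodes the selection rules from the Description and the Examples above so that an operator can predict, before running chsecmode, which key generation method and symmetric key type a node will end up with, and whether the request would be rejected. The function names and the argument layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not RSCT code): predict the outcome of a chsecmode request
# using the selection rules documented for the -c, -m and -s flags.

# Compliant values for the nist_sp800_131a mode, as listed under -m and -s.
NIST_METHODS="rsa2048_sha256 rsa2048_sha512 rsa3072_sha256 rsa3072_sha512"
NIST_TYPES="aes128_sha256 aes128_sha512 aes256_sha256 aes256_sha512"

# in_list WORD "LIST": succeed when WORD is one of the words in LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# resolve_keys MODE CUR_METHOD CUR_TYPE [REQ_METHOD] [REQ_TYPE]
#   MODE    effective compliance mode: the -c value, or the current mode
#           when -c is omitted
#   CUR_*   key generation method and symmetric key type now on the node
#   REQ_*   values passed with -m and -s; empty when the flag is omitted
# Prints "METHOD TYPE" on success. Returns 1 when chsecmode would reject
# the request (a non-compliant -m or -s under nist_sp800_131a, example 5).
resolve_keys() {
    mode=$1; cur_m=$2; cur_t=$3; req_m=${4:-}; req_t=${5:-}
    case $mode in nist_sp800_131a|none) ;; *) return 1 ;; esac
    if [ "$mode" = none ]; then
        # Turning compliance off changes nothing that was not asked for
        # (example 4); "default" stays "default" because RSCT picks it.
        echo "${req_m:-$cur_m} ${req_t:-$cur_t}"
        return 0
    fi
    # Under NIST, a "default" symmetric key type means aes256_sha256.
    [ "$req_t" = default ] && req_t=
    # Explicitly requested non-compliant values are rejected.
    if [ -n "$req_m" ] && ! in_list "$req_m" "$NIST_METHODS"; then return 1; fi
    if [ -n "$req_t" ] && ! in_list "$req_t" "$NIST_TYPES"; then return 1; fi
    m=${req_m:-$cur_m}; t=${req_t:-$cur_t}
    # Unchanged but non-compliant settings fall back to the documented
    # defaults (examples 1 and 2).
    in_list "$m" "$NIST_METHODS" || m=rsa2048_sha256
    in_list "$t" "$NIST_TYPES"   || t=aes256_sha256
    echo "$m $t"
}

# Example 1 from the page on a node that still uses rsa512 and aes256_md5:
resolve_keys nist_sp800_131a rsa512 aes256_md5   # prints: rsa2048_sha256 aes256_sha256
```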

Location

Item Description
/opt/rsct/bin/chsecmode Contains the chsecmode command.

Files

Item Description
/var/ct/cfg/ct_has.pkf Default location of the cluster security services public key file for the node.
/var/ct/cfg/ct_has.qkf Default location of the cluster security services private key file for the node.
/var/ct/cfg/ct_has.thl Default location of the cluster security services trusted host list for the node.