Managing the Navigator Key HSM Service
Key HSM includes a command line tool for managing basic server operations. You can also manage logging, audits, and keys.
Using the keyhsm service
keyhsm
service for basic server
operations:$ sudo service keyhsm keyHsm service usage: setup <hsm name> - set up a new connection to an HSM trust <path> - add a trusted client certificate validate - validate that Key HSM is properly configured settings - display the current server configuration start - start the Key HSM proxy server status - show the current Key HSM server status stop|shutdown - force Key HSM server to shut down reload - reload the server (without shutdown)
The reload
command causes the application to restart
internal services without ending the process itself. If you want to stop
and start the process, use the restart
command.
Logging and Audits
The Navigator Key HSM logs contain all log and audit information, which by default are
stored in the /var/log/keyhsm
directory.
You can configure the maximum log size (in bytes) and maximum number of log files to retain
by adding or editing the following entries in the
/usr/share/keytrustee-server-keyhsm/conf/logback.xml
file.
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>/var/log/keyhsm/keyhsm.log</file> <encoder> <pattern>%date %level %logger: %msg%n</pattern> </encoder> <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> <fileNamePattern>/var/log/keyhsm/keyhsm.log.%i</fileNamePattern> <minIndex>1</minIndex> <maxIndex>10</maxIndex> </rollingPolicy> <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> <maxFileSize>10MB</maxFileSize> </triggeringPolicy> </appender> <root level="info"> <appender-ref ref="FILE" /> </root>
info
. The filename is
/var/log/keyhsm/keyhsm.log
, the max file size is 10MB
,
and the last 10 rolled log files will be retained.Key Naming Convention
To ensure you can manage keys (for example, delete a key), you must understand the naming
convention for keys. Keys adhere to the following naming convention: handle
name-uuid-date
, which means if you know the key name and date, you can make
modifications to it.
[root@user 64]# cmu list Please enter password for token in slot 1 : ********** handle=220 label=key1-3T17-YYdn-2015-07-23 handle=806 label=key2-CMYZ-8Sym-2015-07-23 handle=108 label=key3-qo62-XQfx-2015-07-23 handle=908 label=key2-CMYZ-8Sym-2015-07-23--cert0 handle=614 label=key3-qo62-RWz0-2015-07-23--cert0 handle=825 label=key1-3T11-YYdz-2015-07-23--cert0