Managing Key Trustee Server Organizations
Organizations allow you to configure Key Trustee for use in a multi-tenant environment. Using the keytrustee-orgtool utility, you can create organizations and administrators for multiple organizations. Organization administrators can then approve or deny the registration of clients, depending on the registration method.
The keytrustee-orgtool Utility
keytrustee-orgtool is a command-line utility for administering organizations. The keytrustee-orgtool command must be run as the root user.
The following table explains the various keytrustee-orgtool commands and parameters. Run keytrustee-orgtool --help to view this information at the command line.
Operation | Usage | Description |
---|---|---|
Initialize | keytrustee-orgtool init | Initializes the license authority keyring and creates a signing key. |
Add | keytrustee-orgtool add [-h] -n name -c contacts | Adds a new organization and administrators for the organization. |
List | keytrustee-orgtool list | Lists current organizations, including the authorization secret, all administrators, the organization creation date, and the organization expiration date. |
Activate client | keytrustee-orgtool activate-client [-h] -n name --fingerprint fingerprint | Approves the client with the given fingerprint for the named organization. |
Reset token | keytrustee-orgtool reset-token [-h] --fingerprint fingerprint | Resets the token sequence for the client identified by fingerprint. Key Trustee client and server exchange sequenced tokens to ensure communication is from the correct client (preventing, for example, attacks by a cloned client). |
Disable client | keytrustee-orgtool disable-client [-h] --fingerprint fingerprint | Disables a client that has already been activated by the organization administrator. |
Enable client | keytrustee-orgtool enable-client [-h] --fingerprint fingerprint | Enables a client that has requested activation but has not yet been approved by the organization administrator. |
Disable unactivated client | keytrustee-orgtool disable-unactivated [-h] -l limit | Disables all unactivated clients and deposits from unactivated clients. |
Set authorization code | keytrustee-orgtool set-auth [-h] -n name -s secret | Sets the organization's authorization code to a new string, or to blank to allow automatic approvals without the code. |
Create Organizations
Create new organizations using the keytrustee-orgtool add command. Create a new organization for each new Key Trustee tenant.
$ sudo keytrustee-orgtool add -n disaster-recov -c finn@example.com,jake@example.com
- Avoid using spaces or special characters in the organization name. Use hyphens or underscores instead.
- When adding more than one administrator, separate the entries with commas only, with no spaces, as in the previous example command containing the email addresses finn@example.com and jake@example.com.
- Each contact email address receives a “Welcome to Key Trustee” email containing a link to register a PGP public key. The registration link is time-sensitive and expires 12 hours after it is sent.
- You can add additional administrators after creating an organization. Use the keytrustee-orgtool add command with the existing organization name. For example, the command sudo keytrustee-orgtool add -n disaster-recov -c marceline@example.com adds an administrator to the disaster-recov organization.
List Organizations
List the existing organizations, their administrators and their authorization codes with the keytrustee-orgtool list command:
$ sudo keytrustee-orgtool list
{
    "disaster-recov": {
        "auth_secret": "/qFiICsyYqMLhdTznNY3Nw==",
        "contacts": [
            "finn@example.com",
            "jake@example.com"
        ],
        "creation": "2013-12-02T09:55:21",
        "expiration": "9999-12-31T15:59:59",
        "key_info": null,
        "name": "disaster-recov",
        "state": 0,
        "uuid": "xY3Z8xCwMuKZMiTYJa0mZOdhMVdxhyCUOc6vSNc9I8X"
    }
}
Change the Authorization Code
The keytrustee-orgtool list output shows each organization's current authorization code as auth_secret. Set a new code with the keytrustee-orgtool set-auth command:
$ sudo keytrustee-orgtool set-auth -n disaster-recov -s ThisISAs3cr3t!
Run keytrustee-orgtool list again to confirm that auth_secret now holds the new value:
{
    "disaster-recov": {
        "auth_secret": "ThisISAs3cr3t!",
        "contacts": [
            "finn@example.com",
            "jake@example.com"
        ],
        "creation": "2013-12-02T09:55:21",
        "expiration": "9999-12-31T15:59:59",
        "key_info": null,
        "name": "disaster-recov",
        "state": 0,
        "uuid": "xY3Z8xCwMuKZMiTYJa0mZOdhMVdxhyCUOc6vSNc9I8X"
    }
}
Because list prints the code in cleartext and set-auth takes it on the command line, treat the list output and the shell history of the account that ran set-auth as sensitive.
To allow clients to be approved automatically without a code, set it to an empty string:
$ sudo keytrustee-orgtool set-auth -n disaster-recov -s ""
Cloudera recommends requiring an authorization code: with a blank code, any client that can reach the server can register without presenting a shared secret.
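The following Python helper ties the organization-creation caveats above (organization name characters, comma-separated contacts without spaces) to an audit of what keytrustee-orgtool list reports (blank authorization codes, organizations without administrator contacts, expired organizations) and to a check that a set-auth change actually took effect. It is an added example, not code shipped with Key Trustee Server, and it assumes that keytrustee-orgtool list prints a single JSON object keyed by organization name, as in the sample output above; the second organization in the embedded sample, open-org, is constructed for the example.

```python
"""Helpers around keytrustee-orgtool: validate the arguments for 'add' and
audit the JSON printed by 'list'. Added example code, not part of Key Trustee
Server; it assumes 'keytrustee-orgtool list' prints one JSON object keyed by
organization name, as in the sample output shown in the documentation."""
import json
import re
from datetime import datetime, timezone

# Organization names: letters, digits, hyphen and underscore only (no spaces
# or other special characters, per the naming guidance for 'add -n').
ORG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
# Minimal address check: no whitespace, exactly one '@', a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"   # format of the creation/expiration fields


def validate_org_name(name):
    if not ORG_NAME_RE.match(name):
        raise ValueError("organization name %r: use letters, digits, '-' or '_' only" % name)
    return name


def validate_contacts(contacts):
    """'-c' takes one comma-separated string with no spaces; return the
    individual addresses it contains."""
    if not contacts or any(ch.isspace() for ch in contacts):
        raise ValueError("contacts must be comma-separated with no spaces")
    addrs = contacts.split(",")
    bad = [a for a in addrs if not EMAIL_RE.match(a)]
    if bad:
        raise ValueError("invalid contact address(es): " + ", ".join(bad))
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate contact address")
    return addrs


def add_command(name, contacts):
    """argv for creating an organization or adding administrators to it.
    Passing a list to subprocess.run avoids shell quoting; sudo is needed
    because keytrustee-orgtool must run as root."""
    return ["sudo", "keytrustee-orgtool", "add",
            "-n", validate_org_name(name),
            "-c", ",".join(validate_contacts(contacts))]


def is_rejected(func, *args):
    """True if func(*args) raises ValueError (used to exercise the checks)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def audit_orgs(list_output, now=None):
    """Map organization name -> list of findings for the JSON printed by
    'keytrustee-orgtool list'. 'now' is a timestamp in the same format as the
    expiration field and defaults to the current UTC time."""
    current = (datetime.strptime(now, TIME_FMT) if now
               else datetime.now(timezone.utc).replace(tzinfo=None))
    findings = {}
    for name, rec in json.loads(list_output).items():
        issues = []
        if not rec.get("auth_secret"):
            # set-auth -s "" leaves the code blank: clients are approved
            # automatically without presenting a secret.
            issues.append("blank authorization code")
        if not rec.get("contacts"):
            issues.append("no administrator contacts to notify about new clients")
        if datetime.strptime(rec["expiration"], TIME_FMT) <= current:
            issues.append("organization expired on " + rec["expiration"])
        if issues:
            findings[name] = issues
    return findings


def auth_code_changed(before, after, org):
    """True if 'list' output captured before and after set-auth shows a
    different auth_secret for org, i.e. the change took effect."""
    return json.loads(before)[org]["auth_secret"] != json.loads(after)[org]["auth_secret"]


# Constructed sample in the shape of 'list' output: the organization from the
# documentation plus a hypothetical one with a blank code, no contacts and a
# past expiration date.
SAMPLE_LIST = json.dumps({
    "disaster-recov": {
        "auth_secret": "/qFiICsyYqMLhdTznNY3Nw==",
        "contacts": ["finn@example.com", "jake@example.com"],
        "creation": "2013-12-02T09:55:21", "expiration": "9999-12-31T15:59:59",
        "key_info": None, "name": "disaster-recov", "state": 0,
        "uuid": "xY3Z8xCwMuKZMiTYJa0mZOdhMVdxhyCUOc6vSNc9I8X"},
    "open-org": {
        "auth_secret": "", "contacts": [],
        "creation": "2013-12-02T09:55:21", "expiration": "2014-01-01T00:00:00",
        "key_info": None, "name": "open-org", "state": 0, "uuid": "constructed-0001"},
})

if __name__ == "__main__":
    print(" ".join(add_command("disaster-recov", "finn@example.com,jake@example.com")))
    for org, issues in audit_orgs(SAMPLE_LIST, now="2015-09-03T00:08:25").items():
        print(org + ": " + "; ".join(issues))
```

In practice, feed audit_orgs the captured stdout of sudo keytrustee-orgtool list (for example from subprocess.run(..., capture_output=True, text=True).stdout) and treat any finding as an action item; a blank authorization code in particular means the organization accepts registrations from any client that can reach the server.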
Notification Email and GPG Keys
Each administrator contact listed for an organization receives a notification email like the following:
Hello, this is an automated message from your Cloudera keytrustee Server.

Welcome to Cloudera keytrustee! You have been listed as an administrator contact for keytrustee services at your organization [test-org]. As an administrator, you may be contacted to authorize the activation of new keytrustee clients.

We recommend that you register a GPG public key for secure administration of your clients. To do so, visit the link below and follow the instructions.

https://keytrustee01.example.com:11371/?q=CnRV6u0nbm7zB07BQEpXCXsN0QJFBz684uC0lcHMoWL

This link will expire in 12 hours, at Thu Sep 3 00:08:25 2015 UTC.
Cloudera highly recommends that each organization administrator register a GPG public key for secure administration of clients by following the link contained in the notification email. Cloudera also highly recommends that organization administrators import the Key Trustee Server's public GPG key so that they can verify that a notification email really was sent by the server before acting on it.
Organization administrators are notified by email when new clients are registered to the Key Trustee Server.
If there is no outside organization administrator to list when creating an organization, or if the server cannot send outbound email, use a local system mail address as the contact; for example, username@hostname, where hostname is the server's system hostname and username is a valid user on that system.
If you use a local system mail address, ensure that the local mailbox is continuously monitored.