Managing the Navigator Key HSM Service

Use the keyhsm service for all basic server operations:

$  sudo service keyhsm
keyHsm service usage:
    setup <hsm name> - set up a new connection to an HSM
    trust <path>     - add a trusted client certificate
    validate         - validate that Key HSM is properly configured
    settings         - display the current server configuration
    start            - start the Key HSM proxy server
    status           - show the current Key HSM server status
    stop|shutdown    - force Key HSM server to shut down
    reload           - reload the server (without shutdown)

The reload command causes the application to restart internal services without ending the process itself. If you want to stop and start the process, use the restart command.

Logging and Audits

The Navigator Key HSM logs contain all log and audit information, and by default are stored in the /var/log/keyhsm directory.

You can configure the maximum log size (in bytes) and maximum number of log files to retain by adding or editing the following entries in the /usr/share/keytrustee-server-keyhsm/conf/logback.xml file.

<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>/var/log/keyhsm/keyhsm.log</file>

        <encoder>
            <pattern>%date %level %logger: %msg%n</pattern>
        </encoder>

        <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
            <fileNamePattern>/var/log/keyhsm/keyhsm.log.%i</fileNamePattern>
            <minIndex>1</minIndex>
            <maxIndex>10</maxIndex>
        </rollingPolicy>

        <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
            <maxFileSize>10MB</maxFileSize>
        </triggeringPolicy>
    </appender>

    <root level="info">
        <appender-ref ref="FILE" />
    </root>

The default log level is info. The filename is /var/log/keyhsm/keyhsm.log, the max file size is 10MB, and the last 10 rolled log files will be retained.

Warning:

Modifying the settings for items such as the log file size, log level, and number of rolled logs should not cause any issues. However, if more extensive changes are made to the logback.xml file (for example, changing the policy classes or log message format) and these changes introduce malformed XML or incorrect logback settings, then the Key HSM service may return an error and fail to start. Check the validity of the logback.xml file by running the command keyhsm after any updates. If there are errors in the formatting of logback.xml, they will appear in the command line:

$ keyhsm
...
06:55:20,208 |-ERROR in ch.qos.logback.core.joran.spi.Interpreter@11:85 - no applicable action for [rollingPolicy], current ElementPath  is [[configuration][appender][rollingPolicy]]
06:55:20,208 |-ERROR in ch.qos.logback.core.joran.spi.Interpreter@12:30 - no applicable action for [fileNamePattern], current ElementPath  is [[configuration][appender][rollingPolicy][fileNamePattern]]

Address any errors before restarting Key HSM to pick up the logging changes. A copy of the default logback.xml file is provided at logback.xml.bkup. If there is an error in the updates, you can use this file to recover the logging configuration.

Key Naming Convention

To ensure you can manage keys (for example, delete a key), you need to understand the naming convention for keys. Keys adhere to the following naming convention: handle name-uuid-date, which means if you know the key name and date, you can make modifications to it.

The following example shows the key nomenclature in the context of a key list query on Luna HSM:

[root@user 64]# cmu list
Please enter password for token in slot 1 : **********
handle=220
label=key1-3T17-YYdn-2015-07-23
handle=806
label=key2-CMYZ-8Sym-2015-07-23
handle=108
label=key3-qo62-XQfx-2015-07-23
handle=908
label=key2-CMYZ-8Sym-2015-07-23--cert0
handle=614
label=key3-qo62-RWz0-2015-07-23--cert0
handle=825
label=key1-3T11-YYdz-2015-07-23--cert0

Validating Key HSM Settings

Integrating Key HSM with Key Trustee Server