dsswalletconfig - DSS 6 | Data Source Solutions Documentation

dsswalletconfig

Usage

  • dsswalletconfig [-Rurl]
    List the current wallet configuration.
  • dsswalletconfig [-Rurl] [-ojsonfile] [-E] [properties]...
    Print the specified wallet properties (property...), or all if none are specified.
  • dsswalletconfig [-Rurl] [-p] [-ijsonfile] [-E] [property=[value]]...
    Set or unset the specific wallet properties supplied in the jsonfile and/or directly on the command line.
  • dsswalletconfig [-Rurl] -C
    Continue re-encrypting the secrets.
  • dsswalletconfig [-Rurl] -c [-p] [-ijsonfile] [-E] [property=[value]]...
    Create/configure a wallet with the wallet properties supplied in the jsonfile and/or directly on the command line.
  • dsswalletconfig [-Rurl] -d [-f]
    Delete/disable the wallet.
  • dsswalletconfig [-Rurl] -m [-p] [-r] [-ijsonfile] [-E] [property=[value]]...
    Migrate the wallet.
  • dsswalletconfig [-Rurl] -r
    Rotate the encryption key.
  • dsswalletconfig [-Rurl] -S
    Delete old encryption keys.
  • dsswalletconfig [-Rurl] -T
    Delete old encryption keys.

Description

Command dsswalletconfig creates, deletes, and configures the encryption wallet and its properties. It can be used to enable/disable the hub wallet, set the wallet password, auto open the hub wallet, rotate the hub wallet encryption key, change the wallet password, and delete the hub wallet. If this command is executed without any options, it lists the current wallet configuration.

Argument properties specifies the properties that define the wallet configuration. For more information, see section Wallet Properties.

For more information about the wallet and encryption, see Hub System Encryption Wallet.

Options

This section describes the options available for command dsswalletconfig.

Parameter Description
-c

Configure an encryption wallet.

When configuring a software wallet, you can supply option -p to set a user-defined password for the wallet. If a user-defined password is not supplied then DSS will set an auto-generated password for the wallet.

When configuring a KMS wallet, you must supply option -p to specify the KMS secret access key.
-C Continue re-encrypting secrets. This option is used if a previous Reencrypt_Secrets event failed.
-d Disables the encryption wallet. This option sets the wallet Type to DISABLED.
-Ex

Override automatic encoding/decoding of string properties when reading a property from file using property=@file_name or when writing a property to file using property>@file_name. This option may be required only while setting the property whose argument is base64.

When this option is not used, the default encoding is base64.

Valid values of x are:

  • none: no encoding/decoding will be applied.
  • base64: encode a property in the base64 format.
-f

Force disable wallet or re-encrypt secrets.

Force disabling a hub wallet that is in use may render the existing encrypted secrets unusable.

This option may be used in combination with -d or -C.

When force disabling a wallet that is in use, all encrypted passwords will be redacted automatically. To avoid location connectivity issues/errors, click Replace Redacted Properties in the location details page and update the redacted password(s). For location(s) configured with DSS Agent, all keys and certificates must be regenerated and updated in the repository properties. For more information, see Troubleshooting Hub Encryption Wallet.

-G

Purge cache-based wallet configuration (i.e., wallet properties that have been cached).

If the hub system is wallet encrypted, -G will prevent decryption of the files in DSS_CONFIG directory. Use this option only as a last resort.

-ijsonfile Read wallet properties from JSON file jsonfile.
-m

Migrate a wallet to different storage instead of modifying its configuration in place. Wallet migration moves the encryption key from one wallet configuration to another. The encryption key does not change, but its encrypted storage is first decrypted by the old wallet and then encrypted by a new wallet. For more information, see section Hub Wallet Migration in Hub System Encryption Wallet.

For a KMS wallet, this option is used to migrate a hub wallet from previous KMS account/settings to new KMS account/settings, or when a user switches to a non-KMS wallet. This option is mandatory when migrating to another KMS wallet.
-ojsonfile Write wallet properties to JSON file jsonfile. If no properties are specified on the command line, then all properties are fetched from the repository.
-p Set a new password for the wallet. The following operations require a new password: configuring a new wallet, and migrating a wallet (to a different wallet type (Type) or to the same wallet type (Type) with a different account).
-r

Rotate (retire and regenerate) the encryption key. This option creates a new encryption key, encrypts it, and stores it in the wallet. The previous encryption key is moved to the history (encrypted with the new key) for the cases when it is needed to decrypt data encrypted with it.

Then DSS decrypts the repository tables with the old key and re-encrypts them with the new key. During this key rotation process, both the old and new keys are available in the history. Historical keys are kept in the wallet configuration, each encrypted with the latest key.

TX/Log files do not undergo key rotation. Instead, the old key is left in the history, protected by the latest key.

This option can also be used together with option -m.
-Rurl

Remote hub server. Access the hub server running on a remote machine, via the REST interface.

This option is required for remote CLI access. When using this option, command dsslogin should be run first, for authentication.

-Ssequence

Delete historical keys older than the sequence number sequence.

This option cannot be combined with other options.
-Ttstamp

Delete historical keys rotated before timestamp tstamp. The value of tstamp can be an absolute timestamp or a relative timestamp in seconds.

This option cannot be combined with other options.
-Vaccessmeth

Handle classified data.

  • redact: Redact classified data.

  • storage (default): Save classified data as they are stored in the hub system.

  • @outputfile: Apply transport encryption, save key to file outputfile.

  • @print: Apply transport encryption using the transport encryption key and display the key in command terminal.

  • @inputfile: Read the transport encryption key stored in file inputfile. This can also be a path (relative or absolute) to this file.

  • @prompt: Prompt a user to enter the transport key via keyboard.

Examples

This section provides examples of using the dsswalletconfig command.

Example 1. Create/configure wallet
  • The following command creates software wallet with the specified Wallet Properties.

    dsswalletconfig -c -p Type=SOFTWARE Auto_Open=true
    
  • The following command creates KMS wallet with the connection parameters required for the KMS Access Key Id authentication method.

    dsswalletconfig -c -p Type=KMS Auto_Open=true KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_Access_Key_Id=AKIAJDRSJY123QWERTY
    
  • The following command creates KMS wallet with the connection parameters required for the KMS IAM Role authentication method.

    dsswalletconfig -c Type=KMS KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_IAM_Role=AKIAJDRSJY123QWERTY
    
Example 2. Delete/disable wallet

The following command deletes the existing wallet.

    dsswalletconfig -d

Example 3. Get wallet properties
  • The following command displays all properties of the configured wallet.

    dsswalletconfig
    
  • The following command displays the value of wallet property Auto_Open.

    dsswalletconfig Auto_Open
    
Example 4. Change wallet password

The following command changes the existing wallet's password. Enter the new password when prompted.

    dsswalletconfig -p

Example 5. Rotate wallet encryption key

The following command rotates the wallet encryption key.

    dsswalletconfig -r

Example 6. Migrate wallet
  • The following command migrates the existing wallet to the software wallet.

    dsswalletconfig -m -p Type=SOFTWARE Auto_Open=true
    
  • The following command migrates the existing wallet to the KMS wallet.

    • KMS Access Key Id authentication method

      dsswalletconfig -m -p Type=KMS Auto_Open=true KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_Access_Key_Id=AKIAJDRSJY123QWERTY
      
    • KMS IAM Role authentication method

      dsswalletconfig -m Type=KMS KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_IAM_Role=AKIAJDRSJY123QWERTY
      
Example 7. Delete historical keys
  • The following command deletes the keys that were rotated more than 86400 seconds (24 hours) ago.

    dsswalletconfig -T now-86400
    
  • The following command deletes the keys that were rotated before the specified time.

    dsswalletconfig -T 2019-11-26T10:54:59Z
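
The key history described under options -r, -S and -T can be modelled in a few lines to show why historical keys should be pruned only after checking what still depends on them. This is an added example, not DSS code: the class, its method names, the sequence numbering starting at 1, and the SHA-256 keystream used as a stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import os

def _xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this model only (SHA-256 counter keystream, no integrity).
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class WalletModel:
    """Hypothetical model of the key history described for -r, -S and -T."""

    def __init__(self):
        self.seq, self.key = 1, os.urandom(32)
        self.history = {}  # key sequence -> old key, wrapped under the latest key
        self.repo = {}     # name -> ciphertext, re-encrypted on every rotation
        self.logs = []     # (key sequence, ciphertext), never re-encrypted

    def store_repo(self, name: str, secret: bytes) -> None:
        self.repo[name] = _xor(self.key, secret)

    def write_log(self, record: bytes) -> None:
        self.logs.append((self.seq, _xor(self.key, record)))

    def rotate(self) -> None:  # models option -r
        old, new = self.key, os.urandom(32)
        # Unwrap with the old key, then re-wrap with the new key.
        rewrap = lambda blob: _xor(new, _xor(old, blob))
        self.history = {s: rewrap(w) for s, w in self.history.items()}
        self.history[self.seq] = _xor(new, old)
        self.repo = {n: rewrap(c) for n, c in self.repo.items()}
        self.seq, self.key = self.seq + 1, new

    def prune(self, sequence: int) -> None:  # models option -S sequence
        self.history = {s: w for s, w in self.history.items() if s >= sequence}

    def read_repo(self, name: str) -> bytes:
        return _xor(self.key, self.repo[name])

    def read_log(self, index: int) -> bytes:
        seq, blob = self.logs[index]
        if seq == self.seq:
            return _xor(self.key, blob)
        if seq not in self.history:
            raise KeyError(f"key sequence {seq} was deleted from the history")
        return _xor(_xor(self.key, self.history[seq]), blob)

    def oldest_log_sequence(self) -> int:
        # Largest value that can be passed to prune() while every log stays readable.
        return min(seq for seq, _ in self.logs)
```

In this model, repository secrets stay readable after any number of rotations, while a log record written under key sequence 1 becomes unreadable as soon as `prune(2)` removes that key from the history.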