Lists the specified (or all) system settings.
For example, to list all system settings use:
ucl system-settings get
Modify a system setting.
ucl system-settings set
-k <setting's tag or alias> // refer to System Settings and Static Properties
ucl system-settings set -k no-cert -v 1
ucl system-settings set -k ldap-bind-dn -v 'CORE Attendant DN'
ucl system-settings set -k ldap-provider-url -v ldaps://172.30.99.111:636
This command adds CORE servers to the cluster. It has two options:
- Add an auxiliary server.
- Add a Server Pair.
- Add a Server Triplet.
To activate the new servers, restart the EKM (Enterprise Key Management, the previous name of the product) service on the new servers. Refer to EKM Service Management.
This command allows the following:
- Delete an auxiliary server:
- Delete an EP-Partner server pair:
- In an EP-Partner-Aux server triplet:
An EKM service restart is required on all the remaining servers in the cluster. Refer to EKM Service Management.
This command tests readiness of all servers recorded in the CORE database to perform crypto operations. The output format is JSON. Its internal structure depends on the system's operation mode:
- In FIPS mode (the UKC system mode that allows processing FIPS-certified and not-certified keys), servers are grouped in triplets. The test is done in each triplet separately.
- In non-FIPS mode (the UKC system advanced execution mode that hasn't yet received the FIPS certification), EPs and Partners are grouped in pairs. All Auxiliary servers are presented as a pool of servers. The test is done in each pair, and each pair tests interworking with all Aux servers.
ucl server test [-full]
- engineStatus is presented in the EP info block. OK indicates that the MPC (multiparty computation, a methodology for parties to jointly compute a function of their inputs while keeping those inputs private) engines of the EP, its Partner, and Aux are interconnected and functioning.
- requireRestart is presented in the EP info block. Yes indicates that changes made on the EP require an EKM service restart.
- resolvedIp - the IP of the server as resolved by the server that runs this command.
- duration is the number of milliseconds it took to complete the test.
- serverVersionMatch compares the software versions of the other servers with the software version of the server that runs this command.
--full option enhances the output and adds the following:
- certificateExpiring indicates that the certificate enters the "pre-expiry" period as defined by the system settings.
- lastStart specifies the EKM service restart date.
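The fields above lend themselves to an automated health check. The following is an added example, not part of the product documentation: it walks the JSON at any depth (since the layout depends on the operation mode) and reports servers that need attention. The sample output, its nesting, the "triplets"/"ep"/"partner"/"aux" keys and the value types are constructed assumptions; only the checked field names come from this page.

```python
import json

# Constructed sample output. The checked field names are from the page; the
# nesting, container keys, addresses and value types are assumptions.
SAMPLE = """
{"triplets": [
  {"ep": {"resolvedIp": "192.0.2.11", "engineStatus": "OK", "requireRestart": "No"},
   "partner": {"resolvedIp": "192.0.2.12", "serverVersionMatch": true,
               "certificateExpiring": true},
   "aux": {"resolvedIp": "192.0.2.13", "serverVersionMatch": false}},
  {"ep": {"resolvedIp": "192.0.2.21", "engineStatus": "FAILED", "requireRestart": "Yes"}}
]}
"""

def _truthy(value):
    """Normalise booleans and strings such as "Yes"/"true" to a bool."""
    if isinstance(value, str):
        return value.strip().lower() in ("yes", "true", "1")
    return bool(value)

# Field name -> predicate that returns True when the value needs attention.
CHECKS = {
    "engineStatus": lambda v: str(v).strip().upper() != "OK",
    "requireRestart": _truthy,
    "serverVersionMatch": lambda v: not _truthy(v),
    "certificateExpiring": _truthy,
}

def find_issues(node, path="$"):
    """Walk parsed JSON at any depth; return (path, field, value) findings."""
    issues = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CHECKS and CHECKS[key](value):
                issues.append((path, key, value))
            issues.extend(find_issues(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            issues.extend(find_issues(item, f"{path}[{index}]"))
    return issues

def check_report(text):
    """Parse the command output; a reply that is not JSON is itself a finding."""
    try:
        return find_issues(json.loads(text))
    except json.JSONDecodeError as exc:
        return [("$", "parseError", str(exc))]
```

Feed check_report() the captured output of the server test command and alert when the returned list is not empty.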
Besides creating a new partition, this command also creates the following:
- The partition's default users: SO (Security officer, the UKC partition administrator role) and USER.
- The partition's first client. Its name is set to the hostname where the command was executed.
- The first client's certificate (<partition-name>.pfx file in the KMIP Trust Keystore folder).
[-d --default_client <0 | 1>] - see Allow default-client.
--allow_keystores] - see Keys in External Keystores.
-i --inheritance - see Part-inherit.
-c --certificate - see Cert-propagation.
-f --fips <FIPS policy>] - see FIPS Processing Policy (FIPS: Federal Information Processing Standards).
To use the -c option, you must specify the -i option as well.
This command has two options:
ucl partition list
It lists partitions that are accessible from this appliance.
More precisely, this command scans all certificate files in the CORE Client Certificate folder and attempts to decrypt each certificate using the appliance-specific password. Once the file is decrypted, it presents the partition name from the certificate's OU field (see CORE Client Certificate). If the decryption fails, the certificate is silently ignored.
If <partition-name>.pfx appears in the client's CORE Client Certificate folder, but the ucl partition list command fails to list it, renew its registration using the following steps:
- On the client's appliance - delete the file.
- On the EP server - delete the client from the partition.
- Repeat the client registration procedure - see Registered Clients.
ucl partition list --all
This command is available to a Root SO (the calling appliance must be registered with the root partition). It lists all partitions from the CORE database.
This command presents the partition's settings.
A partition SO can review a subset of these settings using the ucl settings get command.
Deletes the partition if it has no keys, no non-default users, and no clients.
Use this command if and only if the partition clients can no longer use their certificate. This command:
- Clears the partition client list.
- Creates a new client and stores its certificate in the local CORE Client Certificates Folder.
To reset the partition's SO password when no other SO in the partition can do it, the Root SO may use the ucl user recover-pwd command.