Root SO Commands

ucl system-settings get

Lists the specified (or all) system settings.

ucl system-settings get
[-k <setting's tag or alias>] // refer to System Settings and Static Properties. Default: all
[-w <the root SO password>]

For example, to list all system settings use:

ucl system-settings get

ucl system-settings set

Modify a system setting.

ucl system-settings set
-k <setting's tag or alias> // refer to System Settings and Static Properties
-v <value>

Examples:

ucl server create

This command adds CORE servers to the cluster. It has three forms:

  • Add an auxiliary server:
    ucl server create -a <hostname/IP of an additional server>:[port]
  • Add a server pair:
    ucl server create
    -e <hostname/IP of an additional server>:[port] // designated to become EP
    -p <hostname/IP of an additional server>:[port] // designated to become Partner
  • Add a server triplet:
    ucl server create
    -e <hostname/IP of an additional server>:[port] // designated to become EP
    -p <hostname/IP of an additional server>:[port] // designated to become Partner
    -a <hostname/IP of an additional server>:[port] // designated to become Auxiliary

Note
The <hostname/IP of an additional server>:[port] argument must be as specified by the -s (self) parameter in the Add Additional Server script. See Cluster Scale-out.

Important
To activate the new servers, restart the EKM service on the new servers. Refer to EKM Service Management.

ucl server delete

This command allows the following:

  • Delete an auxiliary server:
    ucl server delete -a <IP or hostname of Aux server>[:<its bootstrap port>]
  • Delete an EP-Partner server pair:
    ucl server delete -e <IP or hostname of EP server>[:<its bootstrap port>] -p <IP or hostname of its Partner server>
  • Delete an EP-Partner-Aux server triplet:
    ucl server delete -e <IP or hostname of EP server>[:<its bootstrap port>] -p <IP or hostname of its Partner server> -a <IP or hostname of its Auxiliary server>

Important
An EKM service restart is required on all the remaining servers in the cluster. Refer to EKM Service Management.

ucl server test

This command tests readiness of all servers recorded in the CORE database to perform crypto operations. The output format is JSON. Its internal structure depends on the system's operation mode:

ucl server test [--full]

{
  "pairs": [
    {
      "ep": {
        "name": "ep1",
        "address": "ep1:443",
        "role": "EntryPoint",
        "status": { "reachable": "YES" },
        "engineStatus": "OK",
        "requireRestart": "NO",
        "resolvedIp": "192.168.0.102"
      },
      "partner": {
        "name": "partner1",
        "address": "partner1:443",
        "role": "Partner",
        "status": { "reachable": "YES" },
        "resolvedIp": "192.168.0.182",
        "duration": 102,
        "serverVersionMatch": "YES"
      }
    }
  ],
  "auxiliaries": [
    {
      "name": "aux1",
      "address": "aux1:443",
      "role": "Auxiliary",
      "status": { "reachable": "YES" },
      "resolvedIp": "192.168.0.166",
      "duration": 2910,
      "serverVersionMatch": "YES"
    }
  ]
}

The --full option enhances the output and adds the following fields:

"info": { "version": "2.0.2010.37978", "os": "Linux", "available cores": 1, "cpu load": 0, "free memory (MB)": 242, "total memory (MB)": 1039 },
"certificateData": "MIICNTCCAdqgAwIBAgIEYLJInzAMBggqhkjOPQQDAgUAMBExD ---- truncated -------- w7XIUjDcuHbc7pE/4G5pI0=",
"certificateExpiring": false,
"certificateExpiresOn": "2022-06-12T08:29:50Z",
"lastStart": "2020-04-18T04:13:49Z",
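The readiness report is only useful if someone acts on what it says. The following is an added example, not part of ucl or of this page: it parses the JSON shape shown above (here from a constructed sample, not real cluster output) and lists the conditions a Root SO should clear before relying on the cluster for crypto operations: an unreachable server, an engine status other than OK, a pending EKM restart, a server version that differs from the caller's, and a certificate that is expired or close to expiry. The field names are taken from the sample output above; the 30-day warning window, the script name and the `ucl server test --full | python3 check_cluster.py` pipeline are assumptions.

```python
"""Flag servers that `ucl server test --full` reports as not ready.

Added example; it is not part of ucl.  Field names follow the documented
report shape (pairs of ep/partner plus auxiliaries).  Run stand-alone to
check the embedded sample, or pipe real output into it:

    ucl server test --full | python3 check_cluster.py
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Assumption: warn when a certificate has less than 30 days left even if
# the server itself has not yet set certificateExpiring.
WARN_BEFORE = timedelta(days=30)

# Constructed sample in the documented shape; not real cluster output.
# partner1 runs a different version and aux1 is unreachable with a
# certificate that is about to expire.
SAMPLE = """
{
  "pairs": [
    {
      "ep": {
        "name": "ep1", "address": "ep1:443", "role": "EntryPoint",
        "status": {"reachable": "YES"},
        "engineStatus": "OK", "requireRestart": "NO",
        "resolvedIp": "192.168.0.102",
        "certificateExpiring": false,
        "certificateExpiresOn": "2023-06-12T08:29:50Z"
      },
      "partner": {
        "name": "partner1", "address": "partner1:443", "role": "Partner",
        "status": {"reachable": "YES"},
        "resolvedIp": "192.168.0.182", "duration": 102,
        "serverVersionMatch": "NO",
        "certificateExpiring": false,
        "certificateExpiresOn": "2023-06-12T08:29:50Z"
      }
    }
  ],
  "auxiliaries": [
    {
      "name": "aux1", "address": "aux1:443", "role": "Auxiliary",
      "status": {"reachable": "NO"},
      "resolvedIp": "192.168.0.166", "duration": 2910,
      "serverVersionMatch": "YES",
      "certificateExpiring": true,
      "certificateExpiresOn": "2022-06-12T08:29:50Z"
    }
  ]
}
"""

# Fixed "now" so the sample evaluates the same way every time it is run.
SAMPLE_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)


def _check_server(entry, now):
    """Return a list of human-readable problems for one server entry."""
    problems = []
    name = entry.get("name", "?")
    if entry.get("status", {}).get("reachable") != "YES":
        problems.append(f"{name}: not reachable")
    if entry.get("engineStatus", "OK") != "OK":
        problems.append(f"{name}: engineStatus={entry.get('engineStatus')}")
    if entry.get("requireRestart") == "YES":
        problems.append(f"{name}: EKM service restart required")
    if entry.get("serverVersionMatch", "YES") != "YES":
        problems.append(f"{name}: server version differs from this server")
    expires_on = entry.get("certificateExpiresOn")
    if expires_on:
        # The report uses a trailing Z; fromisoformat wants an explicit offset.
        expires = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
        if expires <= now:
            problems.append(f"{name}: certificate expired on {expires_on}")
        elif entry.get("certificateExpiring") or expires - now < WARN_BEFORE:
            problems.append(f"{name}: certificate expires on {expires_on}")
    return problems


def find_problems(report, now=None):
    """Walk the pairs and auxiliaries of a report (JSON text or dict)."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(report) if isinstance(report, str) else report
    problems = []
    for pair in data.get("pairs", []):
        for role in ("ep", "partner"):
            if role in pair:
                problems.extend(_check_server(pair[role], now))
    for aux in data.get("auxiliaries", []):
        problems.extend(_check_server(aux, now))
    return problems


def cluster_ready(report, now=None):
    """True only when no server in the report has an outstanding problem."""
    return not find_problems(report, now)


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE
    issues = find_problems(text, None if piped else SAMPLE_NOW)
    for line in issues:
        print(line)
    sys.exit(1 if issues else 0)
```

The exit status makes the check usable as a gate in a scale-out or upgrade runbook: a non-zero exit after adding servers or restarting the EKM service means at least one server in the CORE database is not yet ready.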

ucl partition create

Besides creating a new partition, this command also creates the following:

ucl partition create
-p --partition <partition name>
-s --password <partition's SO password>
[-d --default_client <arg>] // 0 or 1. Default: 0
[--allow_keystores] // allow using external keystores. Default: no
[-i --inheritance] // Enable the "Root Partition Inheritance" feature
[-c --certificate] // Enable the "Root Certificate Propagation" feature
[-f --fips <none|preferred|mandatory>] // FIPS mode requirements. Default: none

Example (quote the password so the shell does not interpret characters such as "!"; note that a password passed on the command line is visible in the shell history and in process listings while the command runs):

ucl partition create -p CodeSign1 -s 'CodeSign1!'

ucl partition list

This command has two options:

  • ucl partition list
    Lists the partitions that are accessible from this appliance.

    Note
    More precisely, this command scans all certificate files in the CORE Client Certificate folder and attempts to decrypt each certificate using the appliance-specific password. Once the file is decrypted, it presents the partition name from the certificate's OU field (see CORE Client Certificate). If the decryption fails, the certificate is silently ignored.

    Troubleshooting:
    If the <partition-name>.pfx appears in the client's CORE Client Certificate folder, but the ucl partition list command fails to list it - renew its registration using the following steps:

    1. On the client's appliance - delete the file.
    2. On the EP server - delete the client from the partition.
    3. Repeat the client registration procedure - see Registered Clients.
  • ucl partition list --all
    Available only to a Root SO (the calling appliance must be registered with the root partition). Lists all partitions recorded in the CORE database.

ucl partition show

This command presents the partition's settings.

Note
A partition SO can review a subset of these settings using the ucl settings get command.

ucl partition show -p <name of the partition>

ucl partition delete

Deletes the partition if it has no keys, no non-default users, and no clients.

ucl partition delete -p <name of the partition>

ucl partition recover

Use this command only if the partition's clients can no longer use their certificates. This command:

ucl partition recover -p <name of the partition>

Note
To reset a partition SO's password when no other SO in the partition can do it, the Root SO may use the ucl user recover-pwd command.