
Updating HAF Keys with One Click

Currently, the keys can be updated in either of the following ways:

  • Restart the HAF process. During the restart, the HAF process checks whether the keys will expire within 30 days and, if so, regenerates them automatically; the decision is based only on the key validity period. Key expiration does not affect the running service, so restarting the service process is all that is needed for this path.
  • Use the haf-tool CLI to forcibly update the keys, then restart the service so that the new keys take effect. In this path the keys are regenerated and their validity period is reset regardless of whether they are about to expire.

Updating the Keys by Restarting the Node

Task Name: Updating the keys with one click
Task Description: Regenerating the keys of the current node
Run Directory: /
Run Command:
  • On offload nodes with the HAF service, restart haf-tool and the corresponding service:

    /home/omm/haf-install/haf-target/tools/haf-tool restart && haf-tool service --restart

    The second command refers to haf-tool by name only, so it must either be on PATH or be invoked with the same full path as the first command.
  • On host nodes and on offload nodes with the HAF library, restart the main process (similar to restarting the Hetu process). On startup, the process checks whether the keys need to be updated.
Whether to Check Return Code: Yes
Expected Return Code: 0

Manually Updating Keys

Go to the tool installation directory and run the following command to forcibly update the keys. To update the keys of a service node, first place the key files in the cert directory of the installation directory.

./tools/haf-tool keystore --update

Table 1 Using SmartKit to update the certificate on the server or client node

Task Name: Manually updating keys
Task Description: Forcibly updating the master key and working key
Run Directory: /
Run Command: /home/omm/haf-install/haf-target/tools/haf-tool keystore --update
Whether to Check Return Code: Yes
Expected Return Code: 0
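The two tables above say to check for return code 0 and then restart, but a return code alone does not prove the key material was replaced. The following POSIX sh wrapper is an added example for this page, not HAF product code: it fingerprints the key files before and after the forced update, refuses to restart unless haf-tool returned 0 and the files actually changed, and only then runs the restart commands quoted above. The directory layout it assumes (<haf_dir>/tools/haf-tool and <haf_dir>/cert/service.ksfa, service.ksfb, service.pw) is taken from the paths quoted on this page; the return-code scheme of the wrapper itself is the example's own.

```shell
#!/bin/sh
# Added example (not HAF product code): wrap `haf-tool keystore --update` so that
# the service is restarted only when the update returned 0 AND the key files in
# the cert directory really changed. Assumed layout (from the paths on the page):
#   <haf_dir>/tools/haf-tool
#   <haf_dir>/cert/service.ksfa, service.ksfb, service.pw

# Checksum of the three key files, so a before/after comparison reveals whether
# the forced update actually rewrote them.
key_fingerprint() {
    haf_dir="$1"
    cat "$haf_dir/cert/service.ksfa" \
        "$haf_dir/cert/service.ksfb" \
        "$haf_dir/cert/service.pw" 2>/dev/null | cksum | cut -d' ' -f1
}

# rotate_haf_keys <haf_dir>
# Return codes (this wrapper's own convention):
#   0 keys updated and service restarted
#   1 haf-tool keystore --update returned non-zero
#   2 haf-tool not found or not executable
#   3 haf-tool returned 0 but the key files are unchanged
#   4 update succeeded but the restart failed (keys not yet in effect)
rotate_haf_keys() {
    haf_dir="$1"
    tool="$haf_dir/tools/haf-tool"
    if [ ! -x "$tool" ]; then
        echo "haf-tool not found or not executable: $tool" >&2
        return 2
    fi

    before=$(key_fingerprint "$haf_dir")

    # Forced update: regenerates master and working keys and resets validity.
    # The `|| rc=$?` form keeps the wrapper usable under `set -e`.
    rc=0
    "$tool" keystore --update || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "keystore --update failed with return code $rc; not restarting" >&2
        return 1
    fi

    after=$(key_fingerprint "$haf_dir")
    if [ "$before" = "$after" ]; then
        echo "keystore --update returned 0 but the key files did not change; not restarting" >&2
        return 3
    fi

    # New keys take effect only after the restart (offload node with the HAF service).
    if ! "$tool" restart || ! "$tool" service --restart; then
        echo "restart failed; keys were updated but are not yet in effect" >&2
        return 4
    fi
    return 0
}

# Usage on an offload node, as the omm user:
#   rotate_haf_keys /home/omm/haf-install/haf-target
```

Treat return code 3 as an incident rather than a retry: a tool that reports success without touching the key store is exactly the case a bare return-code check would wave through.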

The following description uses offload nodes with the HAF service as an example. For host nodes and offload nodes with the HAF library, the steps are similar.

The keys are actually updated by the kmc_tool_bin tool. This tool is stored in the bin directory of the installation directory and is invoked by haf-tool; it is not meant to be run directly. The internal invocation is as follows:

LD_LIBRARY_PATH=<haf_dir>/lib/ <haf_dir>/bin/kmc_tool_bin --ksfa <service_ksfa_path> --ksfb <service_ksfb_path> --service_pass <service_pass_path> --output_passwd_file <ip_white_list>

Table 2 Parameter description

Option | Description | Mandatory
--- | --- | ---
--ksfa <service_ksfa_path> | Path of the KMC primary key file. haf-tool passes <cert_path>/service.ksfa when it invokes the key update command. |
--ksfb <service_ksfb_path> | Path of the KMC backup key file. haf-tool passes <cert_path>/service.ksfb when it invokes the key update command. |
--service_pass <service_pass_path> | Path of the encrypted password file. haf-tool passes <cert_path>/service.pw when it invokes the key update command. |
--output_passwd_file <ip_white_list> | Path of the encrypted trustlist file. haf-tool passes <cert_path>/ip_white_list when it invokes the key update command. |


  • haf_dir indicates the directory where HAF is installed.
  • When invoking kmc_tool_bin, use LD_LIBRARY_PATH to specify the path of the dependency dynamic library.
  • The --output_passwd_file <ip_white_list> parameter is used only on offload nodes, and a trustlist must have been configured.
  • kmc_tool_bin is an internal tool of the software. You are not advised to invoke it independently.