
Updating HAF Keys in One-Click Mode

Currently, the key can be updated in either of the following ways:

  • Restart the HAF process. During the restart, the HAF process checks whether the key will expire in 30 days and, if so, updates it automatically based on the key validity period. Key expiration does not affect the service; to update the key, you only need to restart the service process.
  • Use a CLI tool to forcibly update the key, and then restart the service for the key to take effect. When a CLI tool is used, the key is updated and its validity period is reset regardless of whether the key is about to expire.

Updating the Key by Restarting the Node

Parameter: Description

Task Name: Updating the key in one-click mode

Task Description: Regenerating the key of the current node

Run Directory: /

Run Command:

  • On an offload node:

    Restart haf-tool and the corresponding service.

    /home/omm/haf-install/haf-target/tools/haf-tool restart && haf-tool service --restart

  • On a host node:

    Restart the main process (for example, restart the hetu process) to check whether the key needs to be updated.

Whether to Check Return Code: Yes

Expected Return Code: 0

If the system has high security requirements, you are advised to periodically restart the process to update the key. This operation must be approved by customers.

Manually Updating Keys

Run the following command to manually update the key:

  • Host node:

    /home/omm/haf-install/haf-host/tools/haf-tool keystore --update

    The new key of the host node is stored in the /home/omm/haf-install/haf-host/omnidata directory.

  • Offload node:

    /home/omm/haf-install/haf-target/tools/haf-tool keystore --update -t [daemon/haf_user]

    Use the -t parameter to specify whether to update the key in /home/omm/haf-install/haf-target/run/daemon or /home/omm/haf-install/haf-target/run/haf_user. When the daemon key is updated, the trustlist is encrypted again.
    Table 1 Using SmartKit to update the certificate on the server or client node

    Parameter: Description

    Task Name: Manually updating keys

    Task Description: Forcibly updating the master key and working key

    Run Directory: /home/omm/haf-install

    Run Command:

    • Offload node:

      /home/omm/haf-install/haf-target/tools/haf-tool cert keystore --update -t [daemon/haf_user]

    • Host node:

      /home/omm/haf-install/haf-host/tools/haf-tool keystore --update

    Whether to Check Return Code: Yes

    Expected Return Code: 0
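
The following is an added example, not part of the original page or the product. It sequences the offload-node commands above so that the restart happens only if every forced key update returned the expected code 0. The names rotate_offload_keys and HAF_TOOL are hypothetical, the script uses the `keystore --update -t` form from the command list, and it assumes the bare `haf-tool` in the restart command is the same binary as the full path.

```shell
#!/bin/sh
# Added example: forced key update on an offload node, then restart.
# HAF_TOOL defaults to the path given on the page; override it for other layouts.
HAF_TOOL="${HAF_TOOL:-/home/omm/haf-install/haf-target/tools/haf-tool}"

# rotate_offload_keys TARGET...   (each TARGET is "daemon" or "haf_user")
# Returns 0 only if every update and the restart returned 0.
rotate_offload_keys() {
    [ "$#" -gt 0 ] || { echo "usage: rotate_offload_keys daemon|haf_user ..." >&2; return 2; }

    # Validate every target before touching any key.
    for _t in "$@"; do
        case "$_t" in
            daemon|haf_user) ;;
            *) echo "unknown key target: $_t" >&2; return 2 ;;
        esac
    done

    # Update each requested key; stop at the first non-zero return code.
    for _t in "$@"; do
        _rc=0
        "$HAF_TOOL" keystore --update -t "$_t" || _rc=$?
        if [ "$_rc" -ne 0 ]; then
            echo "key update for $_t failed (rc=$_rc); not restarting" >&2
            return "$_rc"
        fi
    done

    # The updated key takes effect only after the restart.
    _rc=0
    { "$HAF_TOOL" restart && "$HAF_TOOL" service --restart; } || _rc=$?
    [ "$_rc" -eq 0 ] || echo "restart failed (rc=$_rc); updated key not yet in effect" >&2
    return "$_rc"
}

# When run as a script with arguments, treat them as the key targets.
[ "$#" -eq 0 ] || rotate_offload_keys "$@"
```

Run it as the account that owns the HAF installation, for example with the arguments `daemon haf_user`.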