3.1.8 Change User Keys

This topic describes how to change a public/private key pair for an Exascale user.

Exascale authentication uses a system of public and private key pairs. Each Exascale user is associated with a public key. To prove their identity, an Exascale user must supply the matching private key, which is stored inside a digital wallet.

If your private key is ever compromised, you must generate a new key pair and switch to it. It is also good practice to change, or rotate, your keys periodically.

To change a public/private key pair:

  1. Generate a new key pair:

    To create a key pair, you can use standard utilities, such as openssl, or you can use the ESCLI mkkey command. For example:

    @> mkkey --private-key-file newpriv.pem --public-key-file newpub.pem

  2. Associate the new public key with the Exascale user:

    Use the ESCLI chuser command and specify:

    • The unique user ID of the user being modified. By default, an Exascale user can change their own public key.
    • The location of the file that contains the user's new public key in PEM format.

    For example:

    @> chuser theuserID --public-key-file1 newpub.pem

    If you want to ensure that a previously associated public key is no longer usable, then use the public key slot (--public-key-file1, --public-key-file2, or --public-key-file3) that contains the key that you want to overwrite.

  3. Store the new private key in the user's wallet:

    Repeat this step for every copy of the user's wallet, which may reside on different Exascale servers.

    Use the ESCLI chwallet command and specify:

    • The wallet location.
    • The location of the file that contains the user's new private key in PEM format.

    For example:

    @> chwallet --wallet /home/user/user.wallet --private-key-file newpriv.pem

    When prompted, specify that you want to overwrite the existing private key in the wallet.
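The following shell script is an added example, not part of the Oracle documentation or the ESCLI tool. It shows the openssl route mentioned in step 1 and adds the checks a practitioner would want before running chuser and chwallet: the private key is created with restrictive permissions, the public half is confirmed to match the private half (associating a public key whose private half is not in the wallet would lock the user out), and a fingerprint is computed for the change record. It assumes openssl is on PATH and that the deployment accepts an RSA 2048-bit key in PEM format; confirm the key type your Exascale release expects, or use mkkey instead.

```shell
#!/bin/sh
# Added example (not Oracle's code): generate a replacement key pair with
# openssl and verify it before associating it with an Exascale user.
# Assumptions: openssl on PATH; RSA 2048 in PEM is acceptable to the deployment.
set -u

# gen_keypair PRIVATE_FILE PUBLIC_FILE
# Writes a new private key (mode 0600) and its matching public key, both PEM.
gen_keypair() {
    priv="$1"; pub="$2"
    # umask 077 inside a subshell: the private key file is never group- or
    # world-readable, not even between creation and a later chmod.
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$priv" 2>/dev/null) || return 1
    openssl pkey -in "$priv" -pubout -out "$pub" 2>/dev/null || return 1
}

# keypair_matches PRIVATE_FILE PUBLIC_FILE
# Returns 0 only when the public key derived from PRIVATE_FILE is
# byte-identical to PUBLIC_FILE. Run this before chuser.
keypair_matches() {
    openssl pkey -in "$1" -pubout 2>/dev/null | cmp -s - "$2"
}

# pubkey_fingerprint PUBLIC_FILE
# SHA-256 over the DER encoding of the public key, as a hex string. Record it
# with the rotation so the key loaded by chuser can be audited later.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Stand-alone usage: generate newpriv.pem / newpub.pem in the current
# directory, verify them, and print the fingerprint. After this succeeds, run
# the documented ESCLI steps:
#   chuser <userID> --public-key-file1 newpub.pem
#   chwallet --wallet <wallet path> --private-key-file newpriv.pem
if [ "${1:-}" = "run" ]; then
    gen_keypair newpriv.pem newpub.pem || { echo "key generation failed" >&2; exit 1; }
    keypair_matches newpriv.pem newpub.pem || { echo "key pair mismatch" >&2; exit 1; }
    echo "public key SHA-256: $(pubkey_fingerprint newpub.pem)"
fi
```

Keep the fingerprint with the change ticket and, once chwallet has been run on every copy of the wallet, securely delete the loose newpriv.pem file so the only copy of the private key lives in the wallets.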