Configure StorageGRID as a client in the KMS
You must configure StorageGRID as a client for each external key management server or KMS cluster before you can add the KMS to StorageGRID.
These instructions apply to Thales CipherTrust Manager k170v, versions 2.0, 2.1, and 2.2. If you have questions about using a different key management server with StorageGRID, contact technical support.
-
From the KMS software, create a StorageGRID client for each KMS or KMS cluster you plan to use.
Each KMS manages a single encryption key for the StorageGRID appliances nodes at a single site or at a group of sites.
-
From the KMS software, create an AES encryption key for each KMS or KMS cluster.
The encryption key needs to be exportable.
-
Record the following information for each KMS or KMS cluster.
You need this information when you add the KMS to StorageGRID.
-
Host name or IP address for each server.
-
KMIP port used by the KMS.
-
Key alias for the encryption key in the KMS.
The encryption key must already exist in the KMS. StorageGRID does not create or manage KMS keys.
-
-
For each KMS or KMS cluster, obtain a server certificate signed by a certificate authority (CA) or a certificate bundle that contains each of the PEM-encoded CA certificate files, concatenated in certificate chain order.
The server certificate allows the external KMS to authenticate itself to StorageGRID.
-
The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.
-
The Subject Alternative Name (SAN) field in each server certificate must include the fully qualified domain name (FQDN) or IP address that StorageGRID will connect to.
When you configure the KMS in StorageGRID, you must enter the same FQDNs or IP addresses in the Hostname field. -
The server certificate must match the certificate used by the KMIP interface of the KMS, which typically uses port 5696.
-
-
Obtain the public client certificate issued to StorageGRID by the external KMS and the private key for the client certificate.
The client certificate allows StorageGRID to authenticate itself to the KMS.