Configure StorageGRID as a client in the KMS
You must configure StorageGRID as a client for each external key management server or KMS cluster before you can add the KMS to StorageGRID.
These instructions apply to Thales CipherTrust Manager k170v, versions 2.0, 2.1, and 2.2. If you have questions about using a different key management server with StorageGRID, contact technical support.
From the KMS software, create a StorageGRID client for each KMS or KMS cluster you plan to use. Each KMS manages a single encryption key for the StorageGRID appliance nodes at a single site or at a group of sites.
From the KMS software, create an AES encryption key for each KMS or KMS cluster. The encryption key must be exportable.
Record the following information for each KMS or KMS cluster. You need this information when you add the KMS to StorageGRID.
- Host name or IP address for each server.
- KMIP port used by the KMS.
- Key alias for the encryption key in the KMS.
The encryption key must already exist in the KMS. StorageGRID does not create or manage KMS keys.
For each KMS or KMS cluster, obtain a server certificate signed by a certificate authority (CA), or a certificate bundle that contains each of the PEM-encoded CA certificate files concatenated in certificate chain order.
The server certificate allows the external KMS to authenticate itself to StorageGRID.
The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.
The Subject Alternative Name (SAN) field in each server certificate must include the fully qualified domain name (FQDN) or IP address that StorageGRID will connect to. When you configure the KMS in StorageGRID, you must enter exactly the same FQDNs or IP addresses in the Hostname field, so that the host name StorageGRID connects to matches the name in the certificate.
The server certificate must match the certificate presented by the KMIP interface of the KMS, which typically listens on port 5696.
Obtain the public client certificate issued to StorageGRID by the external KMS, and the private key for that client certificate.
The client certificate allows StorageGRID to authenticate itself to the KMS.
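Before you add the KMS in StorageGRID, it is worth checking the collected material offline, because a SAN that does not contain the Hostname value, a bundle in the wrong order, or a client key that does not belong to the client certificate will only surface as a failed KMS connection later. The following shell script is an added example, not NetApp's or Thales's tooling: it uses the openssl CLI to check that the server certificate file is PEM X.509, that its SAN contains the FQDN or IP address you will enter in the Hostname field, that a concatenated bundle is in chain order (each certificate issued by the one that follows it), and that the client certificate and private key carry the same public key. The file names server.pem, client.pem and client.key, the host kms1.example.com, and the script name kms_precheck.sh are assumptions; kmip_handshake is the only step that needs network access and is not run by the offline checks.

```shell
#!/bin/sh
# kms_precheck.sh: offline pre-flight checks on the material StorageGRID needs
# to talk to a KMIP key management server. Added example, not NetApp code.
# Requires the openssl CLI. Assumed file names: server.pem (server certificate
# or CA bundle, PEM), client.pem / client.key (client certificate and key).

# Print the Nth PEM certificate block in a file (1-based).
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }' "$1"
}

# 1. PEM format: at least one CERTIFICATE block, and every block parses as X.509.
check_pem() {
    file="$1"
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file") || return 1
    [ "$n" -ge 1 ] || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        nth_cert "$file" "$i" | openssl x509 -noout >/dev/null 2>&1 || return 1
        i=$((i + 1))
    done
}

# 2. SAN: the FQDN or IP address that goes into the Hostname field must appear
#    as a DNS or IP Address entry in the SAN of the server (first) certificate.
check_san() {
    nth_cert "$1" 1 \
      | openssl x509 -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -qix -e "DNS:$2" -e "IP Address:$2"
}

# 3. Bundle order: in a concatenated bundle each certificate must be issued by
#    the certificate that follows it (server or intermediate first, root last).
check_chain_order() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        subj=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subj" ] || return 1
        i=$((i + 1))
    done
}

# 4. Client certificate and private key belong together: same SubjectPublicKeyInfo.
check_client_pair() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 5. Live check (needs the network; not part of the offline checks): mutual-TLS
#    handshake to the KMIP port, 5696 unless the KMS was configured otherwise.
kmip_handshake() {
    host="$1"; port="${2:-5696}"; ccert="$3"; ckey="$4"; bundle="$5"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert "$ccert" -key "$ckey" -CAfile "$bundle" </dev/null 2>&1 \
      | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh kms_precheck.sh HOSTNAME server.pem client.pem client.key [PORT]
run_all() {
    check_pem "$2"              || { echo "FAIL: $2 is not a parsable PEM certificate file"; return 1; }
    check_san "$2" "$1"         || { echo "FAIL: $1 is not in the SAN of the server certificate in $2"; return 1; }
    check_chain_order "$2"      || { echo "FAIL: certificates in $2 are not in chain order"; return 1; }
    check_client_pair "$3" "$4" || { echo "FAIL: $3 and $4 do not carry the same public key"; return 1; }
    echo "OK: offline checks passed; next run: kmip_handshake $1 ${5:-5696} $3 $4 $2"
}

if [ "$#" -ge 4 ]; then
    run_all "$@"
fi
```

Run the offline checks first with the host name or IP address you intend to type into the Hostname field; only once they pass does a failed kmip_handshake point at the KMS side (client not registered, wrong KMIP port, or the KMIP interface serving a different certificate than the one you obtained).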