- You need to first create the initial KMIP configuration file:
A sample configuration can be used as a template:
IMPORTANT: Perform the remaining steps on both storage controllers, active controller first and then passive, before encrypting the CBS storage array with a KMIP-protected password.
- Configure the KMIP server address: determine the host name or IP address of the KMIP server and set this value in the configuration.
- Once the server address is configured, you need the server's CA certificate, which the client uses to verify the KMIP server's TLS certificate. Import the KMIP Server Certificate Authority as follows.
If you are using Vormetric DSM (KMIP Server) run the following script:
/usr/share/cloudistics/kmip/get_vormetric_certificate.sh <KMIP Server IP>
If you are using SafeNet, follow the SafeNet guide to generate the Server Certificate, then copy it into this file on the client:
You can check that the hostname/IP and the certificate are valid by running this script:
- Generate the KMIP Client Certificate. This creates a client CA and a client certificate, with its private key, signed by that CA; the client certificate is what the storage controller presents to the KMIP server.
- This script will generate the following files:
- The KMIP client certificate's Common Name (CN) is derived from the storage controller's appliance serial number, read from /etc/cloudistics/appliance_serial_number, in the format cloudistics-<SERIAL NUMBER>. The KMIP server authenticates the connection by this name: the host (Vormetric) or user (SafeNet) must be registered under exactly this name, or the server denies the connection.
- To verify the certificate run the following command:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Virginia, L=Reston, O=Cloudistics, CN=cloudistics-DDVWFB2
- This script will generate the following files:
- Upload the Client Certificate to the KMIP Server.
- For both Vormetric and SafeNet, create a new host (Vormetric) or user (SafeNet) for each storage controller you intend to configure for KMIP. The host/user name must match the format cloudistics-<Storage Controller Serial Number>.
- For Vormetric, upload the client.pem created above.
- For SafeNet, copy the client_ca.crt file to the server for each host you configure within the new Cloudistics Ignite Domain. Since SafeNet only requires the client CA, you can reuse the same client CA on every host, for example to save time, and upload it to the SafeNet KMIP server only once. Bear in mind that a CA key shared across controllers means a compromise of that key on any one controller allows certificates to be issued for all of them. To reuse the CA, generate the first certificate as usual, then copy client_ca.crt to the other storage controllers you wish to configure and run:
This uses the existing CA in client_ca.crt but generates a new client certificate.
- Verify the KMIP configuration: the final step is a test that checks that the certificates are correct, the configuration is valid, the server is configured to accept connections from this storage controller, and there is connectivity between the two. Run the following command:
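The following preflight script is an added example written for this page; it is not part of the Cloudistics tooling or of the verification command above. It checks, before the client certificate is uploaded, the three things the KMIP server will reject on: the certificate's CN must equal cloudistics-<serial> from /etc/cloudistics/appliance_serial_number (the path the page gives), the certificate must chain to client_ca.crt and not be about to expire, and a mutual-TLS handshake with the server must succeed. Assumptions not taken from the page: the client certificate and its private key are separate PEM files (pass client.pem twice if it holds both), the server CA file name is whatever you saved it as in the step above, openssl is on the controller, and the server listens on the IANA-registered KMIP port 5696.

```shell
#!/bin/sh
# Added example, not Cloudistics code. Preflight checks for the KMIP client
# certificate generated on a storage controller. Assumed: PEM files, openssl
# present, KMIP server on TCP 5696 (IANA-registered KMIP port).
set -e

# Expected Common Name: "cloudistics-<serial>", serial read from the appliance
# serial number file with surrounding whitespace stripped.
expected_cn() {
    serial=$(tr -d '[:space:]' < "$1")
    [ -n "$serial" ] || { echo "empty serial number in $1" >&2; return 1; }
    printf 'cloudistics-%s\n' "$serial"
}

# Extract the CN from an "openssl x509 -subject" line. Handles the legacy
# "/C=US/.../CN=x" form, the "C = US, ..., CN = x" form and RFC 2253 output.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Returns 0 if the subject's CN is the name the KMIP server expects for this
# controller, 1 otherwise (the server refuses the connection on a mismatch).
cn_matches_serial() {
    want=$(expected_cn "$2") || return 1
    have=$(cn_from_subject "$1")
    [ "$have" = "$want" ]
}

# Local checks: CN matches the serial, the cert chains to the client CA, and
# it is not expiring within 30 days.
check_client_cert() {
    cert=$1; client_ca=$2; serial_file=$3
    subject=$(openssl x509 -in "$cert" -noout -subject)
    if ! cn_matches_serial "$subject" "$serial_file"; then
        echo "CN mismatch: $subject, expected $(expected_cn "$serial_file")" >&2
        return 1
    fi
    openssl verify -CAfile "$client_ca" "$cert" >/dev/null
    openssl x509 -in "$cert" -noout -checkend $((30*24*3600)) >/dev/null
}

# Remote check: mutual-TLS handshake with the KMIP server. -verify_return_error
# makes s_client exit non-zero if the server cert does not chain to server_ca.
check_kmip_tls() {
    host=$1; client_cert=$2; client_key=$3; server_ca=$4
    openssl s_client -connect "$host:5696" -cert "$client_cert" -key "$client_key" \
        -CAfile "$server_ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh kmip_preflight.sh <kmip host> <client.pem> <client_ca.crt> <client key> <server CA file>
kmip_preflight() {
    check_client_cert "$2" "$3" /etc/cloudistics/appliance_serial_number
    check_kmip_tls "$1" "$2" "$4" "$5"
    echo "KMIP preflight OK"
}

if [ $# -ge 5 ]; then
    kmip_preflight "$@"
fi
```

Run it on each controller after generating the certificate and before registering the host/user on the KMIP server; a CN mismatch reported here is the same mismatch that would otherwise surface only as a refused connection from the server.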
Migrating from TPM to KMIP security
- With the configuration complete and the verification successful, you can finalize the switch from TPM to KMIP.
Both storage controllers need to set up a new password and store it as a "Private Data" object on the Vormetric KMIP server. Both controllers must use the same password.
- Active Controller
Run the following script. It asks for a new password, changes the encryption key on the drives, stores the password on the KMIP server, and switches the FDE security mode from TPM to KMIP.
The storage controller's FDE security mode in /etc/cloudistics/fde_security_mode is updated from TPM to KMIP automatically.
- Passive Controller
echo "KMIP" > /etc/cloudistics/fde_security_mode
Enter new password: <NEW PASSWORD>
Changing the KMIP-protected password
- The password can be changed in either TPM or KMIP mode with the following command:
Adding or replacing disks
- New or replacement disks are encrypted in either TPM or KMIP mode with the following command:
After the disk(s) are encrypted, they still need to be added to the RAID array and CBS pool as usual.
Testing KMIP communication
- The following commands test KMIP communication. They get and set the password record on the KMIP server but do not change the encryption password actually applied to the drives on the storage controller.
IMPORTANT: The storage controller retrieves that record at boot to unlock the drives, so if you change it with these commands, change it back afterwards, or the storage controller will be unable to decrypt the drives on the next reboot.
- Get the password:
- Change the password:
You can reset the password by issuing the command again with the --set_password option. It locates the original record, destroys it, and stores a new record.
Enter new password: ABC123
cldtx_kmip_client - INFO - Successfully registered secret data with ID:
- Get the New Password: