Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

IBM Spectrum Scale

Pre-Integration

search
printsuggest an editpdf paneldownload

Pre-Integration

This section lists the following procedure that needs to be performed before integration.

  1. Creating Certificates

  2. Creating Client Keystore (PKCS#12 file)

  3. Configuring the RKM.conf File

copy link to clipboardCreating Certificates

You can create and use the certificate using any of the following methods:

  • Using KSCTL Utility: Use this method if you want to create and use certificates generated on the CipherTrust Manager using KSCTL utility.

  • Using openssl: Use this method if you want to create and use certificates generated using openssl.

copy link to clipboardCreating Certificates Using KSCTL Utility

Note

KSCTL is used to create CA and CSRs at the CipherTrust Manager. To know about how to install and configure KSCTL refer to the CipherTrust Manager Documentation

Creating the CA Certificate

The rootCA is by default available at the CipherTrust Manager. If you want to create a Local CA other than rootCA, use the following command:

ksctl ca locals create --cn "Test CA" --csr-outfile csrfile

To self-sign the CA for a specific duration, use the id returned in the above command:

ksctl ca locals self-sign --id <id of CA> -x <duration>

For Example:

ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365

Creating Client Certificate

To create the client certificate, use the following steps:

  1. Create CSR and its private key.

    ksctl ca csr --cn "client" --csr-outfile client.csr --key-outfile client.key

    This command generates a CSR along with its private key.

    Note

    In this document, common name CN=client is used, which will be further used as a user name on the CipherTrust Manager.

  2. Sign the CSR with CA.

    ksctl ca locals certs issue --ca-id <id of CA> --csr-infile client.csr -x <duration> -o client

    For Example:

    ksctl ca locals certs issue --ca-id c84d66e1-2101-4a46-ad44-3656354b5097 --csr-infile client.csr -x 700 -o client

    --ca-id is the id which can be obtained from CA details on the Ciphertrust Manager.

    Note

    --csr-infile is the csr name which is created in the previous step.

Creating Server Certificate

Note

This section is applicable if you want to generate certificates at the CipherTrust Manager and sign them using external CA.

To create a server certificate, you need to create the CSR and its Private key, using the following command:

ksctl ca csr --cn "server" --csr-outfile server.csr --key-outfile server.key

This command generates a CSR along with its private key.

You can sign the above created CSR using external CA. The generated certificate will be uploaded to the CipherTrust Manager. Refer to Adding User and Configuring Interface for details.

copy link to clipboardCreating Certificates Using openssl

You can use openssl to create external CA and CSRs outside CipherTrust Manager.

Before creating the CA and CSRs, ensure that the openssl is configured properly.

  • To create the external CA, client, and server certificate, you will need:

    • bash (version 4.4.20 or above)

    • openssl (version 1.1.1 or above)

  • openssl.conf file is at the following location:

    • /etc/pki/tls for RHEL

    • /etc/ssl for Ubuntu

  • Open openssl.conffile and go to [ v3_ca ] tab and add basicConstraints = critical, CA:true.

Creating the CA Certificate

To create an External CA and upload it on the CipherTrust Manager, follow the below steps:

  1. Create a RSA key using the following openssl command:

    openssl genrsa -out rootCAKey.pem 2048

    This command will generate rootCAKey.pem file.

  2. Create a CA certificate using the generated RSA key.

    openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem

    The above command uses rootCAKey.pem generated in previous step to generate the CA Certificate, rootCACert.pem.

  3. Upload the CA on the CipherTrust Manager, using the following steps:

    1. Go to CA > External.

    2. On the CA page, click Add External CA.

    3. Paste the contents of the rootCACert.pem and click Save.

Creating Client Certificate

To create a client certificate, perform the following steps:

  1. Create a key to be used in the client certificate.

    openssl genrsa -out client.key 2048

    This command generates the RSA key client.key.

  2. Create a client CSR using the key generated above.

    openssl req -key client.key -new -sha256 -out client.csr -subj /O=my-org/OU=my-org/OU=client/CN=client

    In this document, common name CN=client is used, which will be further used as a user name on the CipherTrust Manager.

    This command uses the client.key generated in previous step to generate the client CSR client.csr.

  3. Sign the CSR using the RSA key generated above and the CA.

    openssl x509 -req -days 360 -in client.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out client.cert -sha256

Creating Server Certificate

To create a server certificate, perform the following steps:

  1. Create a server key using the following command.

    openssl genrsa -out server.key 2048

  2. Create a CSR for the server using the above generated key.

    openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server

  3. Create a server certificate using the following openssl command.

    openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256

copy link to clipboardCreating a Client Keystore (PKCS#12 file)

Create a PKCS#12 file by packaging the client key, client certificate, and CA file using the following openssl command.

openssl pkcs12 -export -in client.cert -inkey client.key -certfile rootCACert.pem -out client.p12 -name client

Note

If you are creating certificates using ksctl, then you need to download the client certificate, client key, and Local CA(rootCA) from the CipherTrust Manager and use it while creating the PKCS#12 file.

  • You will be prompted to set a password for the keystore file. Specify the client keystore password, then the client.p12 file will be created. This password and the keystore path will be used later in the Remote Key Management configuration file RKM.conf of the Spectrum Scale. For simplicity, let's assume that the client keystore password specified for this integration is abcd.

  • In the above command, the name client is applied to the collection of files contained within the PKCS#12 package.

copy link to clipboardConfiguring the RKM.conf File

  1. Create a directory /var/mmfs/etc/RKMcerts on all nodes of the Spectrum Scale cluster and copy the client keystore client.p12 created in the previous step to this directory.

  2. Create the Remote Key Management (RKM) configuration file (/var/mmfs/etc/RKM.conf) and add a stanza that contains the information necessary to communicate with the CipherTrust Manager. The stanza should be in the following format:

    client {
type = KMIP
kmipServerUri = tls://10.164.x.xxx:5696
keyStore = /var/mmfs/etc/RKMcerts/client.p12
passphrase = abcd
clientCertLabel = client
}

    Stanza contains the following fields:

    • client: Name of the RKM stanza. It can be set as desired, "client" here is just an example name for the stanza.

    • type: Must be KMIP.

    • kmipServerUri: IP addresses or the DNS names of the CipherTrust Managers and their SSL ports.

      In the above example, 10.164.x.xxx is the CipherTrust Manager IP and 5696 is the SSL port.

      Note

      • For high availability (HA), multiple kmipServerUri entries can be added.

      • In an event when a CipherTrust Manager fails or is inaccessible, then request is sent to the other CipherTrust Managers configured using kmipServerUri.

      Refer to High Availability for High Availability.

    • keyStore: The name and path of the client.p12 file (for example: /var/mmfs/etc/RKMcerts/client.p12).

    • passphrase: The password of the client keystore and client certificate. This is the same password which you specified while creating client.p12 file.

    • clientCertLabel: The label of the client certificate in the client keystore. This is the same label which you specified while creating client.p12 file.

  3. Copy the /var/mmfs/etc/RKM.conf and the client keystore /var/mmfs/etc/RKMcerts/client.p12 file to all nodes in the cluster.

    Caution

    Ensure the user has READ and WRITE permissions (mode '0600') for the files var/mmfs/etc/RKM.conf and var/mmfs/etc/RKMcerts/client.12.

On this page