Integration with CipherTrust Manager
To integrate Spectrum Scale with the CipherTrust Manager, you need to configure the CipherTrust Manager first and then configure Spectrum Scale, as described in the following sections.
Configuring the CipherTrust Manager
To configure the CipherTrust Manager, you need to perform the following steps:
Add User
Note
The username must be the same as the CN (Common Name) specified when creating the client certificate. With the KMIP interface mode used below (user name taken from client cert), CipherTrust Manager authenticates the Spectrum Scale client by its certificate and maps the certificate CN to this user; if the two differ, the client is not recognised as this user.
In the CipherTrust Manager UI, go to Access Management -> Users and create a new user.
Select the newly created user, click GROUPS, and add the user to the Key Users and Key Admins groups.
Registering a KMIP Client
You can register a KMIP client on the CipherTrust Manager using either auto-registration or manual registration, as described in the following sections.
Using Auto-Registration
Create a registration token using the following steps:
Log on to the CipherTrust Manager.
Go to Access Management > Registration Tokens in the sidebar.
Click Create New Registration Token.
Copy the Registration Token once it is created.
Turn ON Auto Registration using the following steps:
Go to Admin Settings > Interfaces.
Click the ellipsis button corresponding to the kmip interface.
Click Edit.
Under Configure KMIP window, select Auto Registration.
Paste the Registration Token.
Set the mode to TLS, verify client cert, user name taken from client cert, auth request is optional.
Click Update.
Using Manual Registration
Log on to the CipherTrust Manager.
Go to Products > KMIP.
Create Client Profile using the following steps:
Go to Client Profile and click Add Profile.
Add a Profile Name.
For Username Location in Certificate, select CN.
Click Certificate Details.
Paste the content of client.csr.
Click Save.
Create Registration Token using the following steps:
Go to Registration Token and click New Registration Token > Begin.
Add a Name Prefix.
Click Select CA.
Select the CA type: Local if you are using a local CA, or External if you are using an external CA.
Select the appropriate CA from the dropdown menu and click Select Profile.
From the dropdown, select the Client Profile that you created in the previous step.
Click Create Token.
Copy the Token created and click Done.
Note
If you are using an external CA, select the external CA that was created using openssl and uploaded to the CipherTrust Manager.
Go to Registered Clients and click Add Client.
Specify a client name and paste the Registration Token generated in the previous step.
Note
If you are using an external CA, you must also paste the signed client certificate into the Client Certificate field.
Click Save to save the client.
Configure Interface
Configure a KMIP Interface using the following steps:
Go to Admin Settings > Interfaces.
On the KMIP Interface, click the action button (...) and then click Edit.
The Configure KMIP window opens.
Select the Auto Registration option if you are using auto-registration, or clear it if you are using manual registration.
Set the mode to TLS, verify client cert, user name taken from client cert, auth request is optional.
Specify selections for Local CA for Automatic Server Certificate Generation as desired.
Note
If you are using an external CA, set Local CA for Automatic Server Certificate Generation to Turn off auto generation from Local CA.
Select the CA according to your setup:
If you are using an external CA, select the CA under External Trusted CAs.
If you are using a local CA, select the CA under Local Trusted CAs.
The following step is required if you are using an external CA.
Expand the Upload Certificate section:
In the Certificate field, paste the contents of the server certificate, the CA certificate, and the server private key file, in that order. Do not introduce any spaces, characters, or symbols between the contents of these files; the PEM blocks must follow one another directly.
Select PEM as the certificate Format.
The Password field is optional and can be skipped.
Click Update.
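The certificate requirements above (the CipherTrust user name equal to the client certificate CN, a CSR for the client profile, an externally signed client certificate for the registered client, and the server certificate, CA certificate and server key pasted back to back) are easy to get subtly wrong. The following shell script is an added example, not part of the Thales or IBM documentation: it uses openssl to create a test CA that plays the role of the external CA, issues the client and KMIP server certificates, builds the upload bundle, and checks the bundle and the CN before anything is pasted into the UI. The file names, the RSA key size, the client CN client and the server name ciphertrust.example.internal are assumptions made for the example; the page only requires that the CN match the CipherTrust user.

```shell
#!/bin/sh
# Added example (not from the Thales/IBM documentation): generate and check the
# certificates this integration needs with openssl, for the external-CA path.
# Assumed here, not stated on the page: the file names, the RSA key size, the
# client CN "client" (the page only requires the CipherTrust user name to equal
# the client certificate CN) and the server name "ciphertrust.example.internal".
set -eu

WORKDIR="${WORKDIR:-./kmip-pki}"

# Self-signed CA acting as the "External CA" uploaded to CipherTrust Manager.
# Only ca.crt is uploaded; ca.key never leaves the CA host.
make_ca() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=KMIP Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a leaf certificate: $1 = file prefix, $2 = CN, $3 = clientAuth|serverAuth.
# The CSR ($prefix.csr) is what goes into the manual-registration Client Profile.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$3" > "$WORKDIR/$1.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/$1.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$1.ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# CN of a certificate; with "user name taken from client cert" this is the
# CipherTrust user the KMIP client authenticates as.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=//; s/.*CN=//; s/,.*//'
}

# Build the PEM blob for the KMIP interface "Upload Certificate" field:
# server certificate, CA certificate, server key, with nothing in between.
make_server_bundle() {
    cat "$WORKDIR/server.crt" "$WORKDIR/ca.crt" "$WORKDIR/server.key" \
        > "$WORKDIR/server-bundle.pem"
}

# Checks before pasting: the bundle holds exactly cert, cert, key in that order
# with no stray characters between PEM blocks, the server certificate chains to
# the CA, and the server key matches the server certificate.
check_server_bundle() {
    bundle="$1"; cert="$2"; key="$3"; ca="$4"
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$bundle" | paste -sd'|' -)
    case "$labels" in
        "CERTIFICATE|CERTIFICATE|"*"PRIVATE KEY") ;;
        *) echo "unexpected PEM block order: $labels"; return 1 ;;
    esac
    if grep -vqE '^(-----(BEGIN|END) [A-Z ]+-----|[A-Za-z0-9+/=]+)$' "$bundle"; then
        echo "stray characters or blank lines between PEM blocks"; return 1
    fi
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "server certificate does not chain to the CA"; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "server key does not match the server certificate"; return 1; }
}

demo() {
    make_ca
    issue_cert client client clientAuth
    issue_cert server ciphertrust.example.internal serverAuth
    make_server_bundle
    check_server_bundle "$WORKDIR/server-bundle.pem" "$WORKDIR/server.crt" \
        "$WORKDIR/server.key" "$WORKDIR/ca.crt"
    echo "CipherTrust user name must be: $(cert_cn "$WORKDIR/client.crt")"
    echo "Client Profile: paste $WORKDIR/client.csr"
    echo "Registered Clients: paste $WORKDIR/client.crt"
    echo "KMIP interface Upload Certificate: paste $WORKDIR/server-bundle.pem"
}

demo
```

The printed CN is the user name to create under Access Management; client.csr goes into the Client Profile, client.crt into the Registered Clients entry, and server-bundle.pem into the Upload Certificate field. The bundle check rejects a blank line or any other stray character between the PEM blocks, which is exactly the mistake the note above warns about, and it refuses a bundle whose blocks are in the wrong order.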
Creating a Key using the API Playground
At the top right corner of the main toolbar, click API to go to the API playground.
Click Authenticate on the top right corner. Specify username and password, then click Post.
Note
The session is valid for 300 seconds. If you cannot complete the following steps within that time, authenticate again.
Go to Keys section in the left sidebar. Click Create - Post.
Specify the following content in the body and click POST. The value must be 60 or less.
{ "idSize": 60 }
idSize sets the length, in characters, of the key ID that CipherTrust Manager generates for the new key. This ID is used later when configuring the Spectrum Scale policy file.
Caution
Specifying a value greater than 60 leads to integration failure. To view the list of possible errors, go to the Troubleshooting section.
Updating the Key Attributes
In the CipherTrust Manager UI, go to Keys and click the Key you have created using API.
Ensure that the Exportable option is selected. Spectrum Scale retrieves the key material over KMIP, so a non-exportable key cannot be used.
Select the user (created above) as the Key Owner.
Click Update.
Configuring Spectrum Scale
IBM Spectrum Scale connects to the CipherTrust Manager through the RKM stanza configured in RKM.conf. For details, refer to the Pre-Integration section.
Create a policy file with any desired name, for example hsm62, on any of the client nodes, and paste the following content into it. The second rule matches every file name, so all files in the file system are encrypted.
RULE 'p1' SET POOL 'system' /* one placement rule is required at all times */
RULE 'Encrypt all files in file system with rule E1' SET ENCRYPTION 'E1' WHERE NAME LIKE '%'
RULE 'rule1' ENCRYPTION 'E1' IS ALGO 'DEFAULTNISTSP800131A' KEYS('cd1929c52e4b2e5a8047d6e6815cf41df8d4d664bb78b85991ecce5bce56:client')
Note
cd1929c52e4b2e5a8047d6e6815cf41df8d4d664bb78b85991ecce5bce56 is the ID of the key created on the CipherTrust Manager, and client is the RKM stanza ID in /var/mmfs/etc/RKM.conf. Ensure that the correct key ID and RKM ID are used in the policy. For details regarding the IBM Spectrum Scale policy rules, refer to the IBM Spectrum Scale documentation.
Install the encryption policy, using the following command.
/usr/lpp/mmfs/bin/mmchpolicy fs0 hsm62
Note
fs0 is the IBM Spectrum Scale file system that was created during the installation and deployment phase of IBM Spectrum Scale. When the policy is installed successfully, the following message is displayed:
Policy 'hsm62' installed and broadcast to all nodes.
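Before running mmchpolicy, it is worth checking the policy against the two constraints stated above: each key ID must be at most 60 characters (the idSize limit) and each RKM ID must name a stanza that exists in /var/mmfs/etc/RKM.conf. The following shell script is an added example, not part of the Thales or IBM documentation, that performs that check. It assumes RKM.conf stanzas begin with the stanza ID followed by an opening brace on one line (the page defers the stanza format to its Pre-Integration section); the RKM.conf and policy contents in demo() are constructed for the example, and the stanza body is illustrative only.

```shell
#!/bin/sh
# Added example (not from the Thales/IBM documentation): a pre-flight check for a
# Spectrum Scale encryption policy before it is installed with mmchpolicy.
# Every KEYS('<keyid>:<rkmid>') reference is checked for the two constraints the
# page states: the key ID is at most 60 characters (the idSize limit) and the
# RKM ID names a stanza present in RKM.conf.
# Assumed, not taken from the page: RKM.conf stanzas open with "<rkmid> {" on a
# line of their own. The files written by demo() are constructed sample data.
set -eu

# Print one "keyid:rkmid" per line for every KEYS(...) clause in a policy file.
policy_key_refs() {
    sed -n 's/.*KEYS(\(.*\)).*/\1/p' "$1" | tr ',' '\n' | sed "s/[[:space:]']//g"
}

# Print the stanza IDs defined in an RKM.conf file.
rkm_stanza_ids() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-][A-Za-z0-9_.-]*\)[[:space:]]*{.*/\1/p' "$1"
}

# Return 0 if every key reference is usable, 1 otherwise (one line per problem).
check_policy() {
    policy="$1"; rkmconf="$2"; rc=0
    for ref in $(policy_key_refs "$policy"); do
        keyid="${ref%%:*}"; rkmid="${ref##*:}"
        if [ "$keyid" = "$ref" ] || [ -z "$keyid" ] || [ -z "$rkmid" ]; then
            echo "malformed key reference (expected keyid:rkmid): $ref"; rc=1; continue
        fi
        if [ "${#keyid}" -gt 60 ]; then
            echo "key ID is ${#keyid} characters, limit is 60: $keyid"; rc=1
        fi
        if ! rkm_stanza_ids "$rkmconf" | grep -qx -- "$rkmid"; then
            echo "RKM ID '$rkmid' has no stanza in $rkmconf"; rc=1
        fi
    done
    return $rc
}

demo() {
    dir="${TMPDIR:-/tmp}/scale-policy-check.$$"
    mkdir -p "$dir"
    # Constructed RKM.conf; only the "client {" header matters to this check.
    cat > "$dir/RKM.conf" <<'EOF'
client {
  type = ISKLM
  kmipServerUri = tls://ciphertrust.example.internal:5696
}
EOF
    # Policy as on the page: the key ID is exactly 60 characters.
    cat > "$dir/hsm62" <<'EOF'
RULE 'p1' SET POOL 'system' /* one placement rule is required at all times */
RULE 'Encrypt all files in file system with rule E1' SET ENCRYPTION 'E1' WHERE NAME LIKE '%'
RULE 'rule1' ENCRYPTION 'E1' IS ALGO 'DEFAULTNISTSP800131A' KEYS('cd1929c52e4b2e5a8047d6e6815cf41df8d4d664bb78b85991ecce5bce56:client')
EOF
    # Constructed bad policy: 64-character key ID and an RKM ID with no stanza.
    cat > "$dir/hsm62-bad" <<'EOF'
RULE 'p1' SET POOL 'system'
RULE 'e1' SET ENCRYPTION 'E1' WHERE NAME LIKE '%'
RULE 'rule1' ENCRYPTION 'E1' IS ALGO 'DEFAULTNISTSP800131A' KEYS('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:server2')
EOF
    echo "checking $dir/hsm62"
    check_policy "$dir/hsm62" "$dir/RKM.conf" && echo "ok: safe to run mmchpolicy"
    echo "checking $dir/hsm62-bad"
    check_policy "$dir/hsm62-bad" "$dir/RKM.conf" || echo "rejected: fix before mmchpolicy"
}

demo
```

Point check_policy at the real policy file and /var/mmfs/etc/RKM.conf on the node; a non-zero exit with the printed reasons means the policy would reference a key ID or RKM ID that the Spectrum Scale side cannot resolve.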
If all steps were followed correctly, the integration between CipherTrust Manager and IBM Spectrum Scale is complete. The two systems can now communicate, and IBM Spectrum Scale encrypts the files in the file system using the master encryption key created on the CipherTrust Manager.
You can further verify if the integration is successful, using the steps mentioned in Verifying Your Integration.