Configuring encryption with the Vormetric DSM key server
Setting up an encryption environment with Vormetric Data Security Manager (DSM) key server requires IBM Spectrum Scale™ Advanced Edition V4.2.1 or later and Vormetric DSM V5.2.3 or later.
You should be aware of the following items:
- The IBM Spectrum Scale node that you are configuring for encryption must have direct network access to the system where the key server is installed.
- The RKM.conf file:
  - For the simplified setup: /var/mmfs/ssl/keyServ/RKM.conf
  - For the regular setup and the Vormetric DSM setup: /var/mmfs/etc/RKM.conf
- The directory for the client keystore:
  - For the simplified setup: /var/mmfs/ssl/keyServ
  - For the regular setup and the Vormetric DSM setup: /var/mmfs/etc/RKMcerts
- The RKM.conf file and the files in the client keystore directory are security-sensitive and have the following attributes:
  - They are regular files that are owned by the root user.
  - They are in the root group.
  - They are readable and writable only by the owning user.
  - For the simplified setup:
    -rw-------. 1 root root 2454 Mar 20 10:32 /var/mmfs/ssl/keyServ/RKM.conf
    drw-------. 2 root root 4096 Mar 20 11:15 /var/mmfs/ssl/keyServ/
    -rw-------. 1 root root 3988 Mar 20 11:15 /var/mmfs/ssl/keyServ/keystore_name.p12
    Note: In the simplified setup, the mmkeyserv command sets the permission bits automatically.
  - For the regular setup and the Vormetric DSM setup:
    -rw-------. 1 root root 2446 Mar 20 12:15 /var/mmfs/etc/RKM.conf
    drw-------. 2 root root 4096 Mar 20 13:47 /var/mmfs/etc/RKMcerts
    -rw-------. 1 root root 3988 Mar 20 13:47 /var/mmfs/etc/RKMcerts/keystore_name.p12
- Ensure that the passphrase for the client certificate file is not leaked through other means, such as the shell history.
- Take appropriate precautions to ensure that the security-sensitive files are not lost or corrupted. IBM Spectrum Scale does not manage or replicate the files.
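The ownership and permission bits listed above are easy to get wrong when RKM.conf and the keystore are copied by hand in the regular or Vormetric DSM setup (where no command sets them for you). The following script is an added example, not part of the IBM documentation: it checks that RKM.conf and every keystore file are mode 0600, that the keystore directory is mode 0700, and that all of them are owned by uid 0 and gid 0 (root). It assumes GNU coreutils stat(1) with the -c format option; the paths in the usage comment are the regular-setup paths from the text.

```shell
#!/bin/sh
# Added example (not IBM's code): verify the ownership and permission bits
# that the documentation requires for the encryption configuration files.
# Assumes GNU coreutils stat(1); owner and group are compared numerically
# (uid 0 / gid 0 is root), so the check does not depend on name lookups.

# check_secure_path PATH EXPECTED_MODE [EXPECTED_UID] [EXPECTED_GID]
# Prints each deviation to stderr. Returns 0 when PATH exists and its
# owner, group and octal mode all match, 1 otherwise. Owner and group
# default to 0 (root), as the documentation requires.
check_secure_path() {
    path=$1
    want_mode=$2
    want_uid=${3:-0}
    want_gid=${4:-0}
    if [ ! -e "$path" ]; then
        echo "MISSING   $path" >&2
        return 1
    fi
    # %u numeric uid, %g numeric gid, %a permission bits in octal
    fields=$(stat -c '%u %g %a' "$path") || return 1
    set -- $fields
    have_uid=$1; have_gid=$2; have_mode=$3
    rc=0
    [ "$have_uid" = "$want_uid" ] || { echo "BAD OWNER $path: uid $have_uid (want $want_uid)" >&2; rc=1; }
    [ "$have_gid" = "$want_gid" ] || { echo "BAD GROUP $path: gid $have_gid (want $want_gid)" >&2; rc=1; }
    [ "$have_mode" = "$want_mode" ] || { echo "BAD MODE  $path: $have_mode (want $want_mode)" >&2; rc=1; }
    return $rc
}

# check_rkm_setup RKM_CONF KEYSTORE_DIR [EXPECTED_UID] [EXPECTED_GID]
# Applies check_secure_path to RKM.conf (0600), the keystore directory
# (0700) and every .p12 keystore inside it (0600). Returns 0 only if all
# of them pass; every deviation is reported, not just the first.
check_rkm_setup() {
    conf=$1
    dir=$2
    uid=${3:-0}
    gid=${4:-0}
    status=0
    check_secure_path "$conf" 600 "$uid" "$gid" || status=1
    check_secure_path "$dir" 700 "$uid" "$gid" || status=1
    for ks in "$dir"/*.p12; do
        [ -e "$ks" ] || continue   # the glob matched nothing
        check_secure_path "$ks" 600 "$uid" "$gid" || status=1
    done
    return $status
}

# Stand-alone use on a node (regular or Vormetric DSM setup paths):
#   sh check_rkm_perms.sh /var/mmfs/etc/RKM.conf /var/mmfs/etc/RKMcerts
if [ $# -eq 2 ]; then
    if check_rkm_setup "$1" "$2"; then
        echo "OK: $1 and $2 have the documented ownership and permission bits"
    else
        exit 1
    fi
fi
```

Run it as root after creating or copying the files, and again after any restore from backup, since IBM Spectrum Scale does not manage or replicate these files and a restore can silently reset their mode bits. A non-zero exit with a BAD MODE or BAD OWNER line means the file contents (and the keystore passphrase they protect) are readable by accounts other than root.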
Part 1: Creating credentials for the key client
- Some of the commands in the following instructions require you to specify values for the following two parameters:
  - --fips
    Specifies whether the key client complies with the requirements of FIPS 140-2.
  - --nist
    Specifies whether security transport for the key client complies with the NIST SP800-131A recommendations.
- For both parameters, follow these guidelines:
  - If the key client complies, set the parameter to on; otherwise, set the parameter to off.
  - Specify the same setting for each parameter as the setting in the IBM Spectrum Scale cluster. To display these settings, enter the following two commands:
    mmlsconfig nistCompliance
    mmlsconfig FIPS1402mode
Follow these steps:
- Client credentials
- The certificate chain of the Vormetric DSM key server as trusted certificates
Part 2: Configuring the Vormetric DSM key server
In DSM, a host is a system to which DSM provides security services. In these instructions, the host is the IBM Spectrum Scale node that you are configuring for encryption. A DSM domain is an administrative group of one or more hosts. In these instructions, the domain contains the single IBM Spectrum Scale node. For more complex configurations, see the DSM product documentation.