Configuring KMIP Keystore Encryption (BUI)

To configure encryption using KMIP, upload the key and certificates, and specify the KMIP server.

Before You Begin

Before setting up a KMIP keystore on clustered controllers, perform the following procedures:

  • For each cluster node, configure a private network resource that is able to reach the KMIP servers. This private network interface ensures that each cluster node can communicate with the KMIP server in case the data service network interfaces failover. For information about private resources, see Cluster Resource Management.

  • Appropriately configure a route to each KMIP server for the private network link. For information about route configuration, see Configuring Network Routing.

Caution:

Failure to meet these prerequisites results in service interruption during takeover and failback operations.

  1. From the Configuration menu, select Settings, then Certificates.
  2. Upload the private key.
    1. Click the upload icon to the left of System.
    2. Click Browse.

      Navigate to the location where your key and certificates are stored.

      For Oracle Key Vault, the key and certificates are contained in a jar file that you received from your Oracle Key Vault administrator.

    3. Select the PEM-format file that contains the private key.

      For Oracle Key Vault, this is the key.pem file.

    4. Click the UPLOAD button.

      A new row with a Type value of key appears in the System table.

  3. Upload the system certificate.

    Select the PEM-format file that contains the client certificate for this system. For Oracle Key Vault, this is the cert.pem file.

    Follow the same steps that you used to upload the private key.

    The row that had a Type of key changes so that it now has a Type of cert. The certificate is matched to the existing key and combined into one object on the appliance. The Subject, Issued By (CN), and Expires fields are populated. Click the information icon in the row to see the full values of these fields and more information.

  4. Upload the trust anchor certificate.

    The CA certificate is the issuer of the client certificate.

    Select the PEM-format file that contains the CA certificate that issued the client certificate. For Oracle Key Vault, this is the CA.pem file.

    If your KMIP deployment uses multiple CA certificates, repeat this step for each certificate, uploading it and setting its services property to kmip. Multiple CA certificates might be necessary if the client certificate for Oracle ZFS Storage Appliance and the KMIP server certificate are issued by different CAs, or when there are intermediate CAs in the chain up to the CA root certificate. Every certificate in the chain that the appliance must trust has to be uploaded; a chain that is missing an intermediate does not validate.

    1. Click the Trusted tab.
    2. Click the upload icon to the left of Trusted.
    3. Click Browse.
    4. Select the CA certificate file.
    5. Click the UPLOAD button.

      A new row appears in the Trusted table.

    6. Click the edit icon in the new row.
    7. At the bottom of the Certificate Details dialog box, check the kmip box, and click OK.

      In the table row, the Service column now shows kmip.

  5. From the Shares menu, select Encryption, then KMIP.
  6. From the Certificate drop-down menu, select the certificate that you just uploaded.
  7. Enter the hostname or IP address of the KMIP server.

    The recommended value to use is the KMIP server's hostname. See the discussion of hostname validation in Key Management Interoperability Protocol (KMIP) Keystore.

    If you specify an IP address, check with your KMIP server administrator regarding whether you need to include the port number.

  8. Verify the Match Hostname and Removing a key options.

    By default, both of these options are enabled (checked). See Key Management Interoperability Protocol (KMIP) Keystore for information about what these options do.

  9. Click APPLY.

    If you receive a warning that the server could not be validated against its certificate, click Cancel in the warning dialog box and check whether you entered the correct server hostname in the KMIP Server field. If you specified an IP address for the KMIP server and the subject common name of the CA-signed server certificate contains only a domain name, hostname validation of the certificate fails; enter the name that appears in the certificate instead.

    If you uncheck the Match Hostname option, host validation is not performed: the appliance then accepts any server certificate that chains to a trusted CA, whichever host presents it, so security is weaker. Correct the KMIP Server value rather than disabling the check.

  10. Give the key a name.
    1. Click the add icon to the left of Keys.
    2. Enter a Keyname and click ADD.
  11. Optional: Identify pools, projects, and shares that are encrypted with this key.

    To identify which pools, projects, and shares are encrypted with this key, start the process of deleting the key, but cancel the key delete operation after you view the list of data that will be affected. When you initiate deleting the key, a warning is displayed that all data that is encrypted with this key will become inaccessible. The warning displays a list of all pools, projects, and shares that are encrypted with this key. Click the Cancel button and not the OK button to cancel deleting the key. For more details, see Deleting an Encryption Key (BUI).
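The PEM files uploaded in steps 2 through 4 and the hostname check applied in step 9 can be verified before anything is uploaded to the appliance. The following shell script is an added example built on the openssl command line; it is not part of the appliance, of Oracle Key Vault, or of this procedure. The file names key.pem, cert.pem and CA.pem are the Oracle Key Vault names used above; server.pem, the CN values, the IP address and the hostnames are assumptions for the example, and the script constructs a throwaway CA so that it runs offline without a real KMIP server.

```shell
#!/bin/sh
# Preflight for the PEM files in steps 2-4 and for the Match Hostname check in
# step 9. Added example using the openssl CLI; not appliance or OKV code.
# key.pem, cert.pem, CA.pem follow the OKV bundle names; server.pem, the CN
# values and hostnames below are assumed for the example.

# check_key_matches_cert KEY CERT
# The appliance pairs the uploaded key and certificate into one object; confirm
# the public key in CERT really belongs to KEY before uploading either.
check_key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# check_chain CAFILE CERT
# CERT must chain to the trust anchor(s) in CAFILE. CAFILE may be several PEM
# certificates concatenated (root plus intermediates), the multi-CA case of step 4.
check_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_server_hostname CAFILE SERVERCERT NAME
# The same comparison Match Hostname performs: NAME against the SAN/CN of the
# server certificate. An IP address does not match a certificate whose only
# identity is a domain-name CN, which is the warning described in step 9.
check_server_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_summary CERT: the Subject, Issued By and Expires fields the BUI populates.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# make_demo_pki DIR: a throwaway CA, client certificate and server certificate,
# constructed for this example in place of the bundle from the OKV administrator.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo KMIP CA" \
        -keyout "$d/ca.key" -out "$d/CA.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=zfs-appliance" \
        -keyout "$d/key.pem" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/CA.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/cert.pem" >/dev/null 2>&1
    # Server certificate with a domain-name CN and no IP SAN (assumed names).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kmip.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/CA.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.pem" >/dev/null 2>&1
}

# run_demo: build the constructed PKI and run the checks you would run on the
# real files before step 2 and before choosing the KMIP Server value in step 7.
run_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir"
    cert_summary "$dir/cert.pem"
    check_key_matches_cert "$dir/key.pem" "$dir/cert.pem" \
        && echo "key.pem matches cert.pem"
    check_chain "$dir/CA.pem" "$dir/cert.pem" \
        && echo "cert.pem chains to CA.pem"
    check_server_hostname "$dir/CA.pem" "$dir/server.pem" kmip.example.com \
        && echo "Match Hostname would pass for kmip.example.com"
    check_server_hostname "$dir/CA.pem" "$dir/server.pem" 10.0.0.5 \
        || echo "Match Hostname would fail for 10.0.0.5: CN holds a domain name only"
    rm -rf "$dir"
}

run_demo
```

Run the script on the files from the Oracle Key Vault jar by replacing the constructed paths in run_demo with key.pem, cert.pem and CA.pem, and with a copy of the KMIP server's certificate for the hostname check. If check_server_hostname fails for the value you intend to enter in step 7, change the value to the name in the certificate rather than unchecking Match Hostname.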