Exchanging certificates with a KMS server

Content Platform for Cloud Scale Administration Guide

Version: 2.6.x
Part Number: MK-HCPCS008-11

Before you can configure a connection to an external KMS server, the HCP for cloud scale system and an external server must exchange SSL certificates to establish mutual trust.

To enable data-at-rest encryption with keys managed by an external key management system (KMS) that supports the Key Management Interoperability Protocol (KMIP), you need to exchange SSL certificates between the HCP for cloud scale system and the KMS so that the two can establish mutual transport layer security (mTLS). HCP for cloud scale supports mTLS over TLS 1.3 and, for backward compatibility, TLS 1.2. Both systems need certificates issued by a certificate authority (CA).

Note: If you use the built-in internal key management service, mutual certificate exchange is not required.

Before you begin, you must have entered a serial number in your HCP for cloud scale and then uploaded a digital license to use the encryption feature. For information on entering a serial number, see Entering your serial number. For information on uploading a license, see Uploading a license.

The following workflow uses Thales CipherTrust Manager as an example of an external KMS, but you can use any third-party product that supports KMIP. Some steps in the workflow are performed on the Thales system. Before you begin the workflow, you need the following information:

  • The certificate of the certificate authority that signed the HCP for cloud scale system certificate
  • The URL and login credentials for the Thales system
  • The HCP for cloud scale certificate signing request and signed system certificate

These are the tasks involved:

  1. Creating a certificate signing request from the HCP for cloud scale system
  2. Installing the certificates returned for a system-generated CSR on the HCP for cloud scale system
  3. Restarting (repairing) the S3 Gateway, MAPI Gateway, and Key Management Server services on the HCP for cloud scale system
  4. Retrieving the KMIP certificate from the KMS server
  5. Uploading the client certificate (the KMIP certificate) from the KMS server to the HCP for cloud scale system
  6. Retrieving the system certificate from the HCP for cloud scale system and uploading the CA certificate to the KMS server
  7. Creating a new user, profile, registration token, and registered client on the KMS server
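Tasks 1, 2 and 6 turn on the certificate returned for the system-generated CSR chaining to the CA whose certificate you upload to the KMS; if it does not, the KMS rejects the mTLS handshake and the failure only shows up after the services are repaired. The following Go program is an added example, not code from this guide or from the HCP for cloud scale product: CheckSignedCert performs that check on PEM files before installation, and SampleMaterial constructs a throwaway CA, CSR and signed certificate (ECDSA keys and the names "Example CA" and "hcpcs.example" are assumptions for the example).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckSignedCert validates a signed system certificate returned for a CSR (ECDSA assumed) before
// it is installed: it must carry the CSR's public key and chain to the CA the KMS will trust for client auth.
func CheckSignedCert(caPEM, csrPEM, certPEM []byte) error {
	csrBlock, _ := pem.Decode(csrPEM)
	certBlock, _ := pem.Decode(certPEM)
	roots := x509.NewCertPool()
	if csrBlock == nil || certBlock == nil || !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA certificate, CSR or system certificate is not PEM encoded")
	}
	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
	cert, err2 := x509.ParseCertificate(certBlock.Bytes)
	if err != nil || err2 != nil {
		return errors.New("CSR or system certificate could not be parsed")
	}
	// The CA must have signed exactly the key from the CSR; a re-keyed or swapped certificate fails here.
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(csr.PublicKey) {
		return errors.New("certificate public key does not match the CSR")
	}
	// Chain to the CA that will be uploaded to the KMS, and require the client-auth extended key usage.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// SampleMaterial builds a throwaway CA, system CSR and signed certificate (constructed input, not real certificates).
func SampleMaterial() (caPEM, csrPEM, certPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sysKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "hcpcs.example"}}, sysKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hcpcs.example"}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	certDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &sysKey.PublicKey, caKey)
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", caDER), enc("CERTIFICATE REQUEST", csrDER), enc("CERTIFICATE", certDER)
}
```

Run CheckSignedCert on the CA certificate, the CSR and the returned certificate before task 2; a chain or key-mismatch error means the CA certificate you are about to upload in task 6 is not the one that signed the system certificate.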

Next steps

Once the HCP for cloud scale system and the external KMS have exchanged certificates, you can configure external encryption key management.