Configure the KMIP client

Complete these steps to configure the KMIP client.

Note: The ThinkAgile CP storage controller acts as a KMIP client.
  1. You need to first create the initial KMIP configuration file:

    /etc/pykmip/pykmip.conf

    A sample configuration can be used as a template:

    /etc/pykmip/pykmip.conf.sample

    Note:

    The remaining steps are to be performed on both storage controllers prior to encrypting the CBS storage array with a KMIP protected password (where active goes first, then passive).

  2. Configure the KMIP Server IP by discovering the host name or IP address of the KMIP server, and setting this value in the configuration.

    host=1.2.3.4

  3. After the server has been configured, you need the server CA. Import the KMIP Server Certificate Authority as follows.

    If you are using Vormetric DSM (KMIP Server) run the following script:

    /usr/share/tacp/kmip/get_vormetric_certificate.sh <KMIP Server IP>

    If you are using SafeNet, follow the guide, and after generating the Server Certificate, copy it into this file on the client:

    /usr/share/tacp/kmip/certs/server_ca.pem

    You can check that the hostname/IP and the certificate are valid by running this script:

    /usr/share/tacp/kmip/verify_server_cert.sh 1.2.3.4

  4. Generate the KMIP Client Certificate. This generates a client CA and a client certificate with its public/private key pair, signed by that CA, for communication with the KMIP server.

    /usr/share/tacp/kmip/generate_client_certificates.sh

    This script will generate the following files:

    /usr/share/tacp/kmip/certs/client_ca.crt
    /usr/share/tacp/kmip/certs/client.key
    /usr/share/tacp/kmip/certs/client.pem

    The KMIP Client certificate's Common Name (CN) field is generated from the Storage Controller's Appliance Serial Number, located in /etc/tacp/appliance_serial_number, in the form tacp-<SERIAL NUMBER>. For the KMIP server to authenticate the connection, the host (Vormetric) or user (SafeNet) must be registered under this exact name; if the names do not match, the server denies the connection. To verify the certificate, run the following command:

    deployment/storage-controller/kmip/check_cert.sh /usr/share/tacp/kmip/certs/client.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Virginia, L=Reston, O=Lenovo, CN=tacp-DDVWFB2

  5. Upload the Client Certificate to the KMIP Server.

    For Vormetric and SafeNet you will have to create a new host (Vormetric) or user (SafeNet) for each Storage Controller that you intend to configure for KMIP. The name of the host/user must match the format tacp-<Storage Controller Serial Number>.

    For Vormetric you will need to upload the client.pem previously created.

    For SafeNet you will need to copy the client_ca.crt file to the server for each host you configure within the new ThinkAgile CP Domain. Because SafeNet only requires the Client CA, you can (whether for security reasons or to save time) reuse the same client CA on every host and upload the Client CA to the SafeNet KMIP server only once. To do this, generate the first certificate as usual, then copy the client_ca.crt to the other Storage Controllers you wish to configure and run:

    /usr/share/tacp/kmip/generate_client_certificates.sh --skip_ca

    This will use the existing CA client_ca.crt but generate a new client certificate.

  6. Verify KMIP Configuration: The final step is to perform a test that checks that the certificates are correct, the configuration is valid, the server is configured to accept connections from our storage controller, and there is connectivity between the two. Run the following command:

    /usr/share/tacp/kmip/verify_kmip_configuration.py

Migrate from TPM to KMIP Security

With the configuration complete and the verification successful, you can finalize the process of switching from TPM to KMIP.

Both storage controllers will need to set up a new password and store this "Private Data" object with the Vormetric KMIP server. Both need to use the same password.
  • Active Controller

    Run the following script which will ask for a new password, change the encryption key on the drives, store the password on the KMIP server, and change the FDE security mode to KMIP from TPM.

    /usr/share/tacp/kmip/setup_kmip_security.sh

    The storage controller FDE security mode will be automatically updated from TPM to KMIP in /etc/tacp/fde_security_mode.

  • Passive Controller

    echo "KMIP" > /etc/tacp/fde_security_mode

    /usr/share/tacp/kmip/tacp_kmip_client.py --set_password

    Enter new password: <NEW PASSWORD>

Change the KMIP-Protected Password

Changing the password works with either TPM or KMIP, using the following command:

/usr/share/tacp/encryption/tacp-change-sed-password

Add or Replace Disks

Adding or replacing disks works with either TPM or KMIP, using the following command:

/usr/share/tacp/encryption/tacp-add-sed-disks

After the disk(s) are encrypted, you will still need to add them to the RAID array and CBS pool as usual.

Test KMIP Communication

The following commands can be run to test the KMIP communication. These commands will get and set passwords but will not make any changes to the actual encryption password on the Storage Controller.

If you change the password, make sure you change it back, or the Storage Controller will be unable to decrypt the drives on the next reboot.

  1. Get the Password

    /usr/share/tacp/kmip/tacp_kmip_client.py --get_password

  2. Change the Password

    You can reset the password by issuing the command again with the --set_password option. It will locate the original record, destroy it, and store a new record.

    /usr/share/tacp/kmip/tacp_kmip_client.py --set_password

    Enter new password: ABC123

    tacp_kmip_client - INFO - Successfully registered secret data with ID: c3383b8b-4f30-44c1-8d69-2b8665b45dd

  3. Get the New Password

    /usr/share/tacp/kmip/tacp_kmip_client.py --get_password
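The locate/destroy/register sequence that the --set_password step above describes, written out as an added illustration (this is not the ThinkAgile CP tacp_kmip_client.py script). The KMIP server is replaced by a constructed in-memory stand-in so the code runs offline; with PyKMIP the same four operations are the locate, destroy, register and get methods of kmip.pie.client.ProxyKmipClient, and naming the Secret Data record tacp-<serial> (the serial DDVWFB2 comes from the page's sample certificate) is an assumption.

```python
import uuid


class FakeKmipServer:
    """Constructed stand-in for the KMIP server: a uid -> (name, secret) table
    exposing the four operations the password rotation needs."""

    def __init__(self):
        self.records = {}

    def locate(self, name):
        return [uid for uid, (n, _) in self.records.items() if n == name]

    def register(self, name, secret):
        uid = str(uuid.uuid4())
        self.records[uid] = (name, secret)
        return uid

    def get(self, uid):
        return self.records[uid][1]

    def destroy(self, uid):
        del self.records[uid]


def record_name(serial):
    # Assumed record name: the same tacp-<SERIAL NUMBER> form as the client CN.
    return "tacp-" + serial.strip()


def set_password(server, serial, new_password):
    """Replace the KMIP-protected password; returns the new record's ID."""
    name = record_name(serial)
    secret = new_password.encode("utf-8")
    # Destroy every record under this name, so a stale copy left by an
    # interrupted earlier run cannot be returned by a later --get_password.
    for old_uid in server.locate(name):
        server.destroy(old_uid)
    uid = server.register(name, secret)
    # Read the record back before trusting it: if this fails, do not reboot,
    # because the controller would be unable to unlock the drives.
    if server.get(uid) != secret:
        raise RuntimeError("KMIP read-back mismatch for " + name)
    return uid


def get_password(server, serial):
    """Return the stored password, or None if there is no single record."""
    uids = server.locate(record_name(serial))
    if len(uids) != 1:
        return None  # missing, or ambiguous after a failed rotation
    return server.get(uids[0]).decode("utf-8")
```
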