Generating the KBS key and certificate
You must create a KBS key and certificate to configure the secure Trustee server.
- Obtain the IP address of the LPAR where Trustee is to be provisioned on CCRV.
- Create the localhost.conf file.

      $ cat << EOF > localhost.conf
      [req]
      default_bits = 2048
      default_keyfile = localhost.key
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      x509_extensions = v3_ca

      [req_distinguished_name]
      countryName = Country Name (2 letter code)
      countryName_default = IN
      stateOrProvinceName = State or Province Name (full name)
      stateOrProvinceName_default = Karnataka
      localityName = Locality Name (eg, city)
      localityName_default = Bangalore
      organizationName = Organization Name (eg, company)
      organizationName_default = localhost
      organizationalUnitName = organizationalunit
      organizationalUnitName_default = Development
      commonName = Common Name (e.g. server FQDN or YOUR name)
      commonName_default = localhost
      commonName_max = 64

      [req_ext]
      subjectAltName = @alt_names

      [v3_ca]
      subjectAltName = @alt_names

      [alt_names]
      IP.1 = <CCRV_KBS_IP>
      DNS.1 = localhost
      DNS.2 = 127.0.0.1
      EOF

  Replace <CCRV_KBS_IP> with the IP of the LPAR where the KBS server is configured (for example, IP.1 = 9.20.x.xx).
- Generate the KBS key and self-signed certificate by running the following command:

      openssl req -x509 -nodes -days 365 \
        -newkey rsa:2048 \
        -keyout localhost.key \
        -out localhost.crt \
        -config localhost.conf \
        -passin pass:<password>

  Note: This certificate and key pair is used for TLS communication between the SE PeerPod VM and the CCRV instance where KBS is deployed.
- Copy localhost.crt to the kbs directory by running the following command:

      $ cp localhost.crt kbs/localhost.crt

- Copy localhost.key to the kbs directory by running the following command:

      $ cp localhost.key kbs/localhost.key
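
A check worth running before the copy steps, shown as an added example that is not part of the original procedure: it confirms that the certificate carries the LPAR IP as an IP-type SAN, that it matches the private key, and that it has not expired. The names check_kbs_cert and demo_kbs_cert are hypothetical helpers, and 192.0.2.10 is a constructed documentation address standing in for <CCRV_KBS_IP>.

```shell
#!/bin/sh
# Added example: verify a KBS certificate/key pair before copying it to kbs/.
# check_kbs_cert is a hypothetical helper, not part of Trustee or OpenSSL.
check_kbs_cert() {
    crt=$1; key=$2; ip=$3
    # 1. The LPAR IP must appear as an IP-type SAN entry (exact match, so
    #    192.0.2.1 does not pass against a certificate for 192.0.2.10).
    openssl x509 -in "$crt" -noout -text \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -Fxq "IP Address:$ip" \
        || { echo "SAN is missing IP $ip"; return 1; }
    # 2. The certificate must contain the public half of this private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "key does not match certificate"; return 2; }
    # 3. The certificate must not already be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 3; }
    echo "OK: $crt is valid for $ip and matches $key"
}

# Constructed demo: build a throwaway pair with a trimmed copy of the page's
# config (SAN IP 192.0.2.10), then check it against the IP given as $1.
demo_kbs_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/localhost.conf" << EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name
commonName_default = localhost
[v3_ca]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.0.2.10
DNS.1 = localhost
EOF
    # -batch accepts the *_default values instead of prompting.
    openssl req -x509 -nodes -batch -days 365 -newkey rsa:2048 \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" \
        -config "$dir/localhost.conf" 2>/dev/null || { rm -rf "$dir"; return 1; }
    check_kbs_cert "$dir/localhost.crt" "$dir/localhost.key" "$1"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_kbs_cert 192.0.2.10
```

For the real pair, call `check_kbs_cert localhost.crt localhost.key <CCRV_KBS_IP>` with the same IP that was set as IP.1 in localhost.conf.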