Using Key Protect for external key management

The Security administrator must perform certain preparation and configuration steps to enable Key Protect external key management for your Content Cortex system. This configuration is optional and does not apply if you do not plan to use external key management in your environment.

About this task

You can use IBM® Key Protect to manage keys for your FileNet® P8 environment. This choice moves the management of encryption keys to a cloud-based key management service, under your control, for improved security and privacy protection. This centralized, external option can replace the default method, internal key management in Content Platform Engine.

The external key management implementation relies on Key Protect services. If it does not already exist, you configure Key Protect in your IBM Cloud® environment as part of the preparation for your installation or upgrade. Then, you specify the service connection details for key management as part of the domain creation wizard in the Administration Console for Content Platform Engine.

You can configure external key management when you create new P8 domains. You can also change the key management service for existing P8 domains from the internal Content Platform Engine key management to an external service.

Procedure

To configure Key Protect:

  1. Prepare your IBM Cloud environment for Key Protect configuration:
    1. Create an IBM Cloud ID.
      Click Create an IBM Cloud account.
    2. Install the IBM Cloud command line.
  2. Log in to IBM Cloud and create the Key Protect service on your IBM Cloud account.
    1. Create the Key Protect service.
    2. Acquire the service instance ID.
  3. Create a Service ID and API key:
    1. Create a Service ID for your application.
    2. Assign an access policy for the Service ID.
      The Service ID requires at minimum the following access types:
      • Viewer with Access Type Account Management
      • Writer with Access Type Service
      For details, see Managing Service ID access policies.

      For more information on the roles and permissions, see Managing user access.

    3. Create a Service ID API key.
    Tip: You can use the IBM Cloud command line to perform these actions. For more information, see Retrieving an access token.
  4. Lock the Service ID and the Service ID API key.
    1. From the list of Service IDs, select the ID that you want to lock.
    2. Click the drop-down menu on the list row, and click Lock.
    3. Click the API keys tab, and select the key that you want to lock.
    4. From the drop-down menu on the list row, click Lock.
  5. From your service configuration, collect the details to enter in the New Domain wizard, after you complete the installation:
    • Connection URL: Provide the region designation for your Key Protect service. For more information, look for the correct region and service endpoint URL format in Regions and locations.
    • IAM URL: Confirm the URL for Identities and Access Manager in IBM Cloud. This value is preset and requires an update only if changes occur to the Identities and Access Manager from IBM Cloud.
    • Service instance ID: The instance ID that uniquely identifies your Key Protect service instance.
    • API key: Provide the API key that you created for your service functional ID.
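Before entering the four values from step 5 into the New Domain wizard, it is worth confirming that they work together: the Service ID API key must be exchangeable for an IAM bearer token at the IAM URL, and that token plus the service instance ID must be accepted by the Key Protect endpoint at the connection URL. The following Python script is an added example, not code from IBM or from the Content Platform Engine product. It assumes the public IBM Cloud IAM token endpoint and the Key Protect v2 REST API (`/api/v2/keys`, with the instance passed in the `Bluemix-Instance` header); the instance ID, API key and region endpoint used below are constructed placeholders, and the live check runs only when the values are supplied through environment variables so the secret never sits in a file.

```python
"""Check Key Protect connection details (connection URL, IAM URL, instance ID, API key).

Added example, not IBM's code. Assumes the public IBM Cloud endpoints for IAM
(https://iam.cloud.ibm.com/identity/token) and the Key Protect v2 API
(<connection URL>/api/v2/keys). All sample values are constructed placeholders.
"""
import json
import os
import urllib.parse
import urllib.request

# Preset IAM URL from step 5; only changes if IBM Cloud IAM itself changes.
DEFAULT_IAM_URL = "https://iam.cloud.ibm.com/identity/token"
API_KEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"


def build_token_request(iam_url: str, api_key: str) -> dict:
    """Describe the IAM call that exchanges a Service ID API key for a bearer token."""
    body = urllib.parse.urlencode({"grant_type": API_KEY_GRANT, "apikey": api_key})
    return {
        "url": iam_url,
        "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": body.encode(),
    }


def parse_token_response(raw: bytes) -> str:
    """Return the access token, rejecting error payloads and non-bearer tokens."""
    payload = json.loads(raw)
    token = payload.get("access_token")
    if not token or payload.get("token_type", "").lower() != "bearer":
        raise ValueError(f"IAM did not return a bearer token: "
                         f"{payload.get('errorMessage', payload)}")
    return token


def build_list_keys_request(connection_url: str, instance_id: str, token: str) -> dict:
    """Describe the Key Protect 'list keys' call; the instance ID travels in a header."""
    return {
        "url": connection_url.rstrip("/") + "/api/v2/keys",
        "method": "GET",
        "headers": {"Authorization": f"Bearer {token}",
                    "Bluemix-Instance": instance_id,
                    "Accept": "application/vnd.ibm.kms.key+json"},
        "body": None,
    }


def count_keys(raw: bytes) -> int:
    """Key Protect collection responses carry metadata.collectionTotal."""
    payload = json.loads(raw)
    return int(payload["metadata"]["collectionTotal"])


def to_request(spec: dict) -> urllib.request.Request:
    """Turn a request description into a urllib Request (network happens elsewhere)."""
    return urllib.request.Request(spec["url"], data=spec["body"],
                                  method=spec["method"], headers=spec["headers"])


def verify_connection(connection_url: str, iam_url: str,
                      instance_id: str, api_key: str) -> int:
    """Live check: token exchange, then list keys. Returns the number of visible keys."""
    with urllib.request.urlopen(to_request(build_token_request(iam_url, api_key)),
                                timeout=30) as resp:
        token = parse_token_response(resp.read())
    with urllib.request.urlopen(
            to_request(build_list_keys_request(connection_url, instance_id, token)),
            timeout=30) as resp:
        return count_keys(resp.read())


if __name__ == "__main__":
    # The API key is a secret: take it from the environment, never from a file in the repo.
    missing = [k for k in ("KP_CONNECTION_URL", "KP_INSTANCE_ID", "KP_API_KEY")
               if not os.environ.get(k)]
    if missing:
        raise SystemExit(f"set {', '.join(missing)} to run the live check")
    total = verify_connection(os.environ["KP_CONNECTION_URL"],
                              os.environ.get("KP_IAM_URL", DEFAULT_IAM_URL),
                              os.environ["KP_INSTANCE_ID"], os.environ["KP_API_KEY"])
    print(f"Key Protect reachable; {total} key(s) visible to this Service ID")
```

A successful run shows that the Service ID's access policy (Writer on the Key Protect service) is honoured at the endpoint you are about to give Content Platform Engine; an IAM error on the first call points at the API key or the lock state of the Service ID, while a 4xx on the second call points at the region endpoint or the instance ID.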