Preparing for IBM Key Protect for external key management

Before you prepare to deploy your Content Platform Engine container environment, create a Kubernetes secret that holds the IBM Key Protect certificate. The secret is added to the deployment's trusted certificate list, so that the Content Platform Engine container trusts the TLS certificate that the Key Protect service presents.

Procedure

To configure external key management in a container environment that is deployed by an operator:

  1. Contact the key management service administrator to acquire the IBM Key Protect certificate, or the instructions to download it.
  2. Save the certificate file on a machine from which you can run kubectl against the cluster that hosts your container environment.
  3. From the directory where the certificate file is located, run the following command:
    kubectl create secret generic <secret name> --from-file=tls.crt=<CERT FILE_NAME> -n <namespace>
    Note: The key name tls.crt is fixed. The operator reads the certificate from that key in the secret, so do not rename it; only the secret name, the file name, and the namespace are yours to choose.
  4. After the secret is created, edit the CR YAML file to add the name of the new secret.
    Under the shared_configuration section, find the following parameters:
    root_ca_secret: icp4a-root-ca
    sc_deployment_platform: OCP
    trusted_certificate_list: [<secret name>]

    Add the secret name as the value for trusted_certificate_list and keep the square brackets: the value is a YAML list of secret names. If the list already contains other secrets, add the new name alongside them instead of replacing them; every secret that should remain trusted must stay in the list.
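The following script is an added example, not code from the IBM documentation or from the operator. It mirrors steps 1 to 4 so that they can be checked before and after running them: it validates that the downloaded file is a PEM certificate (and not a DER file or a file that also carries a private key), builds the same Secret object that the kubectl command in step 3 creates under the fixed key tls.crt, decodes that key back out as a post-creation check, and adds the secret name to trusted_certificate_list without dropping entries that are already there. The CR layout (shared_configuration under spec), the secret and namespace names, and the placeholder certificate bytes are assumptions made for the example.

```python
"""Pre-flight and post-creation checks for the Key Protect certificate secret.

Added example, not IBM's code. Assumes the CR keeps shared_configuration
under spec and uses a constructed placeholder PEM, not a real certificate.
"""
import base64
import binascii
import json
import re

# One PEM CERTIFICATE block: header, base64 body (possibly wrapped), footer.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def validate_pem_certificate(pem: bytes) -> int:
    """Return the number of certificate blocks in `pem`, or raise ValueError.

    Catches the usual mistakes: a DER file (no PEM markers), a file that also
    carries the private key, or a corrupted base64 body.
    """
    if b"PRIVATE KEY" in pem:
        raise ValueError("file contains a private key; only the certificate belongs in the secret")
    blocks = PEM_CERT_RE.findall(pem)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found (DER file or wrong file?)")
    for body in blocks:
        try:
            base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    return len(blocks)


def build_secret_manifest(secret_name: str, namespace: str, pem: bytes) -> dict:
    """The Secret that `kubectl create secret generic <name> --from-file=tls.crt=<file>` produces."""
    validate_pem_certificate(pem)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name, "namespace": namespace},
        "type": "Opaque",
        # Secret data is the base64 of the file bytes, stored under the fixed key tls.crt.
        "data": {"tls.crt": base64.b64encode(pem).decode("ascii")},
    }


def verify_secret_certificate(manifest: dict) -> int:
    """Post-creation check: decode data['tls.crt'] and validate it.

    This is what `kubectl get secret <name> -n <ns> -o jsonpath='{.data.tls\\.crt}' | base64 -d`
    shows; a secret created under any other key name fails here.
    """
    encoded = manifest.get("data", {}).get("tls.crt")
    if encoded is None:
        raise ValueError("secret has no tls.crt key; recreate it with --from-file=tls.crt=<file>")
    return validate_pem_certificate(base64.b64decode(encoded))


def add_trusted_certificate(cr: dict, secret_name: str) -> dict:
    """Step 4: append secret_name to trusted_certificate_list, keeping existing entries."""
    shared = cr.setdefault("spec", {}).setdefault("shared_configuration", {})
    current = shared.get("trusted_certificate_list") or []
    if isinstance(current, str):  # a bare scalar where a list was expected
        current = [current]
    if secret_name not in current:
        current = list(current) + [secret_name]
    shared["trusted_certificate_list"] = current
    return cr


# Constructed placeholder, not a real X.509 certificate: a PEM wrapper around arbitrary bytes.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate")
    + b"\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # Step 3 equivalent; the JSON can be fed to `kubectl apply -f -` instead of `kubectl create secret`.
    manifest = build_secret_manifest("keyprotect-cert", "cpe", SAMPLE_PEM)
    print(json.dumps(manifest, indent=2))
    print("certificate blocks in secret:", verify_secret_certificate(manifest))
    cr = {"spec": {"shared_configuration": {"root_ca_secret": "icp4a-root-ca",
                                            "sc_deployment_platform": "OCP",
                                            "trusted_certificate_list": ["other-ca"]}}}
    print(add_trusted_certificate(cr, "keyprotect-cert")["spec"]["shared_configuration"])
```

Run it against the real certificate file by replacing SAMPLE_PEM with the file's bytes; a ValueError from validate_pem_certificate before you run kubectl is cheaper than an operator that silently fails to trust the Key Protect endpoint.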

What to do next

You can do one of the following:
  • To manage your encryption keys by using a KMIP external key management service, see topic Using KMIP for external key management.
  • Continue to prepare for operator deployment by providing the other required values in the CR YAML file, then deploy the Content Platform Engine container image. When the Content Platform Engine container is up and running, use the Administration Console for Content Platform Engine in the new environment to create a FileNet P8 domain and enable external key management for the domain. For more information, see Creating the FileNet® P8 domain.