Using KMIP for external key management

You can manage your encryption keys by using a KMIP external key management service with a Content Platform Engine container environment.

Procedure

To configure external key management in a container environment:

  1. Set up the key management service that provides the external key management repository for your FileNet® P8 system.
    Use the following instructions to configure the key management service: Using KMIP for external key management
  2. Obtain the cpeTrustStore and cpeKeyStore.jceks files. Add them to the /configDropins/overrides directory in the cpe-cfgstore volume.
  3. Create or update the cpe-ssl.xml file with the KMIP configuration:
    • If the cpe-ssl.xml file exists in the /configDropins/overrides directory for the Content Platform Engine container deployment, add the following configuration details (the keyStore id values must match the keyStoreRef and trustStoreRef values on the ssl element):
      <server description="custom SSL configuration">
      <ssl id="kmipSSLSettings" keyStoreRef="cpeKeyStore"
      trustStoreRef="cpeTrustStore" clientKeyAlias="client"></ssl>
      <!-- the id values below are what keyStoreRef and trustStoreRef resolve to;
           "password" is a placeholder for the password of each store file -->
      <keyStore id="cpeKeyStore"
      location="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/cpeKeyStore.jceks"
      type="JCEKS" password="password" />
      <keyStore id="cpeTrustStore"
      location="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/cpeTrustStore"
      type="JCEKS" password="password" />
      </server>
    • If the cpe-ssl.xml file does not exist in the /configDropins/overrides directory, create the file in that directory with the following content (again, the keyStore id values must match the keyStoreRef and trustStoreRef values on the ssl element):
      <?xml version="1.0" encoding="UTF-8"?>
      <server description="custom SSL configuration">
      <ssl id="kmipSSLSettings" keyStoreRef="cpeKeyStore"
      trustStoreRef="cpeTrustStore" clientKeyAlias="client"></ssl>
      <!-- the id values below are what keyStoreRef and trustStoreRef resolve to;
           "password" is a placeholder for the password of each store file -->
      <keyStore id="cpeKeyStore"
      location="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/cpeKeyStore.jceks"
      type="JCEKS" password="password" />
      <keyStore id="cpeTrustStore"
      location="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/cpeTrustStore"
      type="JCEKS" password="password" />
      </server>

    The ssl id setting must be kmipSSLSettings. The keystore and truststore files can be given different names if necessary, but then you must update the location attribute of the corresponding keyStore element with the correct file name. The clientKeyAlias value must match the alias of the client key entry in the keystore.

  4. Save the file in the configuration overrides directory for the Content Platform Engine container deployment.
  5. From the configuration overrides directory, change the ownership of the three new files:
    chown 50001:50000 cpeTrustStore
    chown 50001:50000 cpeKeyStore.jceks
    chown 50001:50000 cpe-ssl.xml
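An added pre-flight check for the cpe-ssl.xml fragment above (example code, not part of IBM's procedure or product): it parses the file and reports an ssl id other than kmipSSLSettings, keyStoreRef or trustStoreRef values that name no keyStore id, a location outside the overrides directory, a non-JCEKS type, and a keystore password left at the placeholder. The two sample documents are constructed inline; the override path is the one used in the procedure.

```python
"""Pre-flight check of a cpe-ssl.xml KMIP fragment before it is dropped into
configDropins/overrides. Constructed example; not IBM's own tooling."""
import xml.etree.ElementTree as ET
from typing import List

REQUIRED_SSL_ID = "kmipSSLSettings"  # mandated by the procedure
OVERRIDES_DIR = "/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/"


def check_cpe_ssl(xml_text: str) -> List[str]:
    """Return the list of problems found (empty list means the fragment is consistent)."""
    root = ET.fromstring(xml_text)
    stores = {ks.get("id"): ks for ks in root.iter("keyStore")}
    ssl = root.find("ssl")
    if ssl is None:
        return ["no <ssl> element found"]
    problems = []
    if ssl.get("id") != REQUIRED_SSL_ID:
        problems.append(f"ssl id must be {REQUIRED_SSL_ID}, found {ssl.get('id')!r}")
    if not ssl.get("clientKeyAlias"):
        problems.append("ssl element has no clientKeyAlias")
    # Liberty resolves keyStoreRef/trustStoreRef against keyStore id values;
    # a dangling reference breaks the SSL configuration at server start.
    for ref_attr in ("keyStoreRef", "trustStoreRef"):
        ref = ssl.get(ref_attr)
        if ref not in stores:
            problems.append(f"{ref_attr}={ref!r} matches no keyStore id {sorted(stores)}")
    for sid, ks in stores.items():
        if not ks.get("location", "").startswith(OVERRIDES_DIR):
            problems.append(f"keyStore {sid}: location is not under {OVERRIDES_DIR}")
        if ks.get("type") != "JCEKS":
            problems.append(f"keyStore {sid}: type must be JCEKS")
        if ks.get("password") in (None, "", "password"):
            problems.append(f"keyStore {sid}: password missing or still the placeholder")
    return problems

# Constructed sample: consistent fragment (ids match the refs, real passwords set).
GOOD_XML = f"""<server description="custom SSL configuration">
  <ssl id="kmipSSLSettings" keyStoreRef="cpeKeyStore" trustStoreRef="cpeTrustStore" clientKeyAlias="client"/>
  <keyStore id="cpeKeyStore" location="{OVERRIDES_DIR}cpeKeyStore.jceks" type="JCEKS" password="example-ks-pw"/>
  <keyStore id="cpeTrustStore" location="{OVERRIDES_DIR}cpeTrustStore" type="JCEKS" password="example-ts-pw"/>
</server>"""

# Constructed sample: refs point at ids that do not exist, placeholder password left in.
BAD_XML = GOOD_XML.replace('id="cpeKeyStore"', 'id="kmipKeyStore"').replace(
    'id="cpeTrustStore"', 'id="kmipTrustStore"').replace("example-ks-pw", "password")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(name, check_cpe_ssl(doc) or "OK")
```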

What to do next

  • Deploy the Content Platform Engine container image. When the Content Platform Engine container is up and running, use the Administration Console for Content Platform Engine in the new environment to create a FileNet P8 domain and enable external key management for the domain. For more information, see Creating the FileNet P8 domain.