Accessing IBM Security Guardium Key Lifecycle Manager on IPP and KMIP ports

You can access IBM Security Guardium Key Lifecycle Manager that is installed on a Red Hat® OpenShift® cluster only on an HTTP port by default. To access IBM Security Guardium Key Lifecycle Manager on non-HTTP ports, such as IPP and KMIP, complete the steps in this topic.

Procedure

  1. Log in to the Red Hat OpenShift console as the cluster administrator, kube-admin.
  2. Create a route for the IPP or KMIP port.
    1. In the left pane, expand Networking > Routes, and click Create Route.
    2. Specify values for the following properties on the page.
      Table 1. Properties and their description

      | Property         | Description                                          |
      |------------------|------------------------------------------------------|
      | Name             | For IPP: ipp-route-name. For KMIP: kmip-route-name.  |
      | Service          | sklmapp                                              |
      | Target port      | For IPP: 3801. For KMIP: 5696.                       |
      | Security         | Select the Secure route check box.                   |
      | TLS Termination  | Select Passthrough as the TLS termination type.      |
      | Insecure Traffic | Select Passthrough as the insecure traffic type.     |

    3. Click Create.
  3. Log in to the infrastructure node with root privileges.
  4. Depending on the port type, add the following front-end and back-end entries to the /etc/haproxy/haproxy.cfg file.
    For IPP:
    frontend ipp-route-name
        bind *:IPP Node Port
        default_backend ipp-route-name
        mode tcp
        option tcplog
    backend ipp-route-name
        balance source
        mode tcp
        server worker0 private-ip:IPP Node Port check
        server worker1 private-ip:IPP Node Port check
        server worker2 private-ip:IPP Node Port check
    Here, ipp-route-name is the route name and IPP Node Port is the corresponding node port that is assigned to this route.
    For KMIP:
    frontend kmip-route-name
        bind *:KMIP Node Port
        default_backend kmip-route-name
        mode tcp
        option tcplog
    backend kmip-route-name
        balance source
        mode tcp
        server worker0 private-ip:KMIP Node Port check
        server worker1 private-ip:KMIP Node Port check
        server worker2 private-ip:KMIP Node Port check
    Here, kmip-route-name is the route name and KMIP Node Port is the corresponding node port that is assigned to this route.
  5. Restart the haproxy service using the following command:
    systemctl restart haproxy
  6. You can now access IBM Security Guardium Key Lifecycle Manager on the respective node ports (IPP Node Port or KMIP Node Port) for IPP devices and KMIP clients.
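
The front-end and back-end entries from step 4, generated from a route name, node port and worker addresses and checked for bad values and duplicate sections. This is an added example, not IBM's own code; the function names, the node port 30696 and the 10.0.0.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: render the step 4 HAProxy stanza for one route.
# Sample values below (30696, 10.0.0.x) are constructed for illustration.

# True only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_stanza ROUTE_NAME NODE_PORT WORKER_IP...
render_stanza() {
    [ "$#" -ge 3 ] || { echo "usage: render_stanza ROUTE NODE_PORT WORKER_IP..." >&2; return 1; }
    route=$1
    port=$2
    shift 2
    case "$route" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid route name: $route" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "invalid node port: $port" >&2; return 1; }
    for ip in "$@"; do
        case "$ip" in
            ''|*[!0-9A-Fa-f.:]*) echo "invalid worker address: $ip" >&2; return 1 ;;
        esac
    done
    printf 'frontend %s\n    bind *:%s\n    default_backend %s\n' "$route" "$port" "$route"
    printf '    mode tcp\n    option tcplog\n'
    printf 'backend %s\n    balance source\n    mode tcp\n' "$route"
    i=0
    for ip in "$@"; do
        printf '    server worker%d %s:%s check\n' "$i" "$ip" "$port"
        i=$((i + 1))
    done
}

# already_configured CFG_FILE ROUTE_NAME: true if a frontend or backend
# with exactly this name is already in the file (avoids duplicate sections).
already_configured() {
    awk -v r="$2" '($1 == "frontend" || $1 == "backend") && $2 == r { f = 1 }
                   END { exit !f }' "$1"
}

# Demo: print the KMIP stanza to stdout; nothing on disk is modified.
render_stanza kmip-route-name 30696 10.0.0.11 10.0.0.12 10.0.0.13
```

Before the restart in step 5, `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the edited file for errors without touching the running service.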