Creating locked vaults

To deploy WORM solutions by using IBM Storage Scale, create two locked vaults.

IBM Cloud® Object Storage Manager enables administrators to create vaults, which are under the exclusive control of a given external application (Transparent cloud tiering). This process allows the application to have full control over the vault, but does not allow a user or administrator to bypass the application and directly access the vault. Users are allowed to create WORM-style vaults that enforce read or write restrictions on the objects in the vault, which an administrator cannot bypass.

The two locked vaults required for Transparent cloud tiering (a data vault and a metadata vault) must be created on IBM Cloud Object Storage by using the Create vault from template REST API (createVaultFromTemplate). After the vaults are created, they are specified on the mmcloudgateway filesystem create command through the --container-prefix option.
Note: You can create a locked vault by using the mcstore_createlockedvault.sh script available at /opt/ibm/MCStore/scripts.
  1. Convert the JKS keystore to the PKCS12 format by issuing this command:
    keytool -importkeystore -srckeystore mydomain2.jks -destkeystore new-store.p12 -deststoretype PKCS12
  2. Extract the private key and convert it to an RSA key by issuing the following commands:
    • openssl pkcs12 -in "<keystore_directory>"/new-store.p12 -nocerts \
        -out "<keystore_directory>"/privateKey.pem -passin pass:<keystore_password> \
        -passout pass:<keystore_password>
    • openssl rsa -in "<keystore_directory>"/privateKey.pem -out "<keystore_directory>"/rsaprivateKey.pem \
        -passin pass:<keystore_password>
  3. By using the RSA private key from step 2 and the client certificate, create a locked vault (one for data and one for metadata) by issuing the following commands:
    • For the data vault:
      curl --key ./rsaprivateKey.pem --cert <certificate-file> -k -v \
        'https://9.114.98.187/manager/api/json/1.0/createVaultFromTemplate.adm' \
        -d 'id=1&name=demolockedvault&description=newlockedvaultdescription'
    • For the metadata vault:
      curl --key ./rsaprivateKey.pem --cert <certificate-file> -k -v \
        'https://9.114.98.187/manager/api/json/1.0/createVaultFromTemplate.adm' \
        -d 'id=1&name=demolockedvault.meta&description=newlockedvaultmetadescription'
    Note: To find the provisioning template IDs, on the IBM Cloud Object Storage Manager GUI, click Template Management. Then, hover the mouse over the template that is listed under Vault Template, and find the number that is displayed on the footer.
  4. Print the locked vaults by issuing this command:
    curl --key rsaprivateKey.pem --cert <certificate-file> -k '<COS Accesser IP Address>'
    Note: The names of the locked vaults must be noted down, and they must be specified to the mmcloudgateway filesystem create command by using the --container-prefix option.
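The four steps above, wrapped into one shell function as an added example (this is not IBM's mcstore_createlockedvault.sh and not code from this page). It assumes the Manager hostname, certificate paths and template IDs are supplied by the caller as placeholders, uses keytool's :env password modifier and openssl's env: password source so the keystore password does not appear in the process list as it would with -passin pass:, and pins the Manager's CA with --cacert instead of disabling verification with -k. The helper functions (vault naming, name validation, POST body) run without a keystore or a Manager.

```shell
#!/bin/sh
# Added example, not IBM's mcstore_createlockedvault.sh: runs the keytool /
# openssl / curl steps of the procedure above. Hostnames, file paths and
# template IDs are caller-supplied placeholders; the naming rule (data vault
# "<prefix>", metadata vault "<prefix>.meta") follows the documented commands.
set -eu

# Print the data and metadata vault names derived from one container prefix.
vault_names() {
  printf '%s %s.meta\n' "$1" "$1"
}

# The create call sends the name in a form-encoded body, so accept only a
# conservative character set instead of trying to percent-encode user input.
valid_vault_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# POST body for createVaultFromTemplate.adm: the same three fields as step 3.
vault_body() {
  printf 'id=%s&name=%s&description=%s' "$1" "$2" "$3"
}

# Full procedure. The keystore password is read from KEYSTORE_PASSWORD through
# keytool's ":env" modifier and openssl's "env:" source, so it is not visible
# in `ps` the way "-passin pass:<password>" is. The Manager's identity is
# pinned with --cacert rather than skipped with -k.
create_locked_vaults() {
  manager="$1"; prefix="$2"; data_tpl="$3"; meta_tpl="$4"
  jks="$5"; cert="$6"; cacert="$7"
  : "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD in the environment}"
  valid_vault_name "$prefix" || { echo "invalid container prefix: $prefix" >&2; return 1; }
  set -- $(vault_names "$prefix")
  data_vault="$1"; meta_vault="$2"

  work=$(mktemp -d)   # mode 0700, holds the decrypted key only while we work
  p12="$work/store.p12"; pem="$work/privateKey.pem"; rsa="$work/rsaprivateKey.pem"
  keytool -importkeystore -srckeystore "$jks" -destkeystore "$p12" \
    -deststoretype PKCS12 -srcstorepass:env KEYSTORE_PASSWORD \
    -deststorepass:env KEYSTORE_PASSWORD
  openssl pkcs12 -in "$p12" -nocerts -out "$pem" \
    -passin env:KEYSTORE_PASSWORD -passout env:KEYSTORE_PASSWORD
  openssl rsa -in "$pem" -out "$rsa" -passin env:KEYSTORE_PASSWORD
  chmod 600 "$rsa"

  url="https://$manager/manager/api/json/1.0/createVaultFromTemplate.adm"
  for spec in "$data_tpl $data_vault TCT-data-vault" "$meta_tpl $meta_vault TCT-metadata-vault"; do
    set -- $spec
    curl --fail --silent --show-error --key "$rsa" --cert "$cert" --cacert "$cacert" \
      "$url" -d "$(vault_body "$1" "$2" "$3")"
  done
  rm -rf "$work"
  echo "created $data_vault and $meta_vault; use --container-prefix $prefix with mmcloudgateway filesystem create"
}

# Usage (placeholder values, not from the page):
#   KEYSTORE_PASSWORD=... create_locked_vaults cos-manager.example.com \
#     demolockedvault 1 1 /path/to/mydomain2.jks /path/to/client.crt /path/to/ca.pem
```

The decrypted RSA key lives only in a private temporary directory for the duration of the two curl calls; if the page's manual steps are followed instead, remember that rsaprivateKey.pem is an unencrypted key and should be removed once the vaults exist.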
Creating a locked vault by using automation scripts
    1. Go to /opt/ibm/MCStore/scripts and run mcstore_createlockedvault.sh <keystorealiasname> <keyStorePath> <lockeddatavaultname> <lockeddatavaultDescription> <lockedmetavaultname> <lockedmetavaultDescription> <COSManagerIP> <dataVaultTemplateID> <metaVaultTemplateID>, where all parameters are mandatory.
    2. For a description of the parameters, see the mmcloudgateway command.

      For example, mcstore_createlockedvault.sh test /root/svt/test.ssl/test.jks demodatacontainer test demometacontainer metacontainer 9.10.0.10 1 1.

      The system displays output similar to the example shown:
      Enter KeyStore Password:
      Validating the inputs and the configuration....
      COS Manager is reachable. Proceeding with Configuration...
      
      Transparent Cloud Tiering Server RPM already installed. Proceeding with Configuration...
      openssl libraries are already installed. Proceeding with Configuration...
      
      curl already installed. Proceeding with Configuration...
      Certificate stored in file </root/svt/test.ssl/test_new.crt>
      Creating locked vault...
      MAC verified OK
      writing RSA key
      Locked data vault creation completed successfully.
      Creating locked meta vault demofeb15.meta
      
      Creating of Data and Meta Locked Meta Vault completed successfully.
      Use mmcloudgateway filesystem create command to configure transparent cloud tiering
      with locked vault.