Simplified setup: Doing other tasks

Learn how to do other tasks after you complete the simplified setup.

Adding a node to the cluster

When you add a node to a cluster that is configured for encryption by the simplified setup, the cluster automatically detects the node and copies the encryption configuration to it. To encrypt files, the node must have direct network access to the Remote Key Management (RKM) server. For more information, see the section "Requirements" in the topic Preparation for encryption.

Creating encryption keys

This task shows how to create encryption keys in a tenant:

  1. The following command creates five encryption keys in tenant devG1 on key server keyserver01 and displays the UUIDs of the keys on the console:
     mmkeyserv key create --server keyserver01.gpfs.net --tenant devG1 --count 5
    Enter password for the key server keyserver01.gpfs.net:
    KEY-492911c8-e3d4-4670-9868-617243d4ca57
    KEY-5f24d71f-daf3-4df8-90e4-5f6475370f70
    KEY-a487b01d-f092-4895-b537-139edeb57239
    KEY-b449b3a2-73c5-499f-b575-fc7ba95541a8
    KEY-fd3dbee9-0e6c-4662-9410-bfe3b73272b9
    
  2. The following command shows the UUIDs of the encryption keys on tenant devG1 in keyserver01:
     mmkeyserv key show --server keyserver01.gpfs.net --tenant devG1
    Enter password for the key server keyserver01.gpfs.net:
    KEY-492911c8-e3d4-4670-9868-617243d4ca57
    KEY-5f24d71f-daf3-4df8-90e4-5f6475370f70
    KEY-a487b01d-f092-4895-b537-139edeb57239
    KEY-b449b3a2-73c5-499f-b575-fc7ba95541a8
    KEY-d4e83148-e827-4f54-8e5b-5e1b5cc66de1
    KEY-fd3dbee9-0e6c-4662-9410-bfe3b73272b9
    
    The command displays the UUIDs of the previously existing key and the five new keys.

Adding a tenant to GKLM

A tenant is a container that resides on a key server and contains encryption keys. Before a key client can request master encryption keys from a key server, you must add a tenant to the key server, create a key client, and register the key client with the tenant. For more information, see Simplified setup: Using SKLM with a self-signed certificate.

In some situations, you might need to access more than one tenant on the same key server. For example, if you have several key clients that you want to use with the same key server, each key client must register with a different tenant. For more information, see Simplified setup: Valid and invalid configurations.

This task shows how to add a tenant, register an existing key client with the tenant, and create encryption keys in the tenant.

  1. Add the tenant:
    1. Add a tenant devG2 on keyserver01:
       mmkeyserv tenant add devG2 --server keyserver01
      Enter password for the key server keyserver01:
      
    2. Verify that the tenant is added. The following command displays all the existing tenants:
       mmkeyserv tenant show
      devG1
              Key Server:          keyserver01.gpfs.net
              Registered Client:   c1Client1
      
      devG2
              Key Server:          keyserver01.gpfs.net
              Registered Client:   (none)
      
      The tenants are devG1 and devG2.
  2. Register the existing key client with the tenant:
    1. Register client c1Client1 with tenant devG2:
       mmkeyserv client register c1Client1 --tenant devG2 --rkm-id keyserver01_devG2
      Enter password for the key server :
      mmkeyserv: [I] Client currently does not have access to the key. 
      Continue the registration process...
      mmkeyserv: Successfully accepted client certificate
    2. Verify that the key client is registered to the tenant:
       mmkeyserv client show
      c1Client1
              Label:               c1Client1
              Key Server:          keyserver01.gpfs.net
              Tenants:             devG1,devG2
      The command output shows that c1Client1 is registered to both devG1 and the new devG2.
    3. Verify the configuration of the RKM stanza. The following command displays all the RKM stanzas:
       mmkeyserv rkm show 
      keyserver01_devG1 {
        type = ISKLM
        kmipServerUri = tls://192.168.40.59:5696
        keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
        passphrase = pw_c1Client1
        clientCertLabel = label_c1Client1
        tenantName = devG1
      }
      keyserver01_devG2 {
        type = ISKLM
        kmipServerUri = tls://192.168.40.59:5696
        keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
        passphrase = pw_c1Client1
        clientCertLabel = label_c1Client1
        tenantName = devG2
      }
      
      The command shows the following relationships:
      • Client c1Client1 is registered with tenant devG1 on keyserver01.
      • Client c1Client1 is also registered with tenant devG2 on keyserver01.
  3. Create keys in the tenant.
    The following command creates three keys in tenant devG2:
     mmkeyserv key create --server keyserver01 --tenant devG2 --count 3
    Enter password for the key server keyserver01:
    KEY-43cf5e69-1640-4056-b114-bdbcf2914189
    KEY-4c7540cd-0346-4733-90eb-8df4c0f16008
    KEY-c86a523b-e04f-4536-86a6-c6f83f845265
    

Creating keys on Vault

This task shows how to create encryption keys on a Vault RKM server.

  1. The following command uses role gpfsAdmin to create four additional encryption keys in the spectrumscale scope on Vault key server tru-4pub and displays the UUIDs of the keys on the console:
     mmkeyserv key create --role gpfsAdmin --count 4
    mdA0DrDVZdERX4jaN926kzUSNfPDSk3i
    nlnBBOfRQz71IzfnuuxACZwloRGUcURB
    qMCnHy10ILWE4y2BWMKJkfrb6t3h5GkJ
    t5etBuZuWjnBF42dfpxdWvfuYHQq1gq
    
  2. The following command shows the UUIDs of the encryption keys:
     mmkeyserv key show --role gpfsAdmin
    leCTiYYS6fUPCgQsk5SHFBtTgADJHgax
    mdA0DrDVZdERX4jaN926kzUSNfPDSk3i
    nlnBBOfRQz71IzfnuuxACZwloRGUcURB
    qMCnHy10ILWE4y2BWMKJkfrb6t3h5GkJ
    t5etBuZuWjnBF42dfpxdWvfuYHQq1gqd

Managing another key server

This task shows how to add a key server, add a tenant, create a new key client, and register the key client with the tenant. The steps are the same as the ones that you follow in the simplified setup:
Table 1. Managing another key server

  Item                                        Step
  Install and configure SKLM.                 Step 1
  Add a key server                            Step 2
  Add a tenant to the key server              Step 3
  Create a key client                         Step 4
  Register the key client with the tenant     Step 5

  1. Install and configure IBM Security Key Lifecycle Manager (SKLM).
  2. Add the key server, keyserver11. If backup key servers are available, you can add them now. You can have up to five backup key servers.
    1. Add keyserver11 and backup key servers keyserver12 and keyserver13. Enter the requested information when prompted:
       mmkeyserv server add keyserver11 --backup keyserver12,keyserver13
      Enter password for the key server keyserver11:
      The security certificate(s) from keyserver11.gpfs.net must be accepted to continue.
      View the certificate(s) to determine whether you want to trust the certifying authority.
      Do you want to view or trust the certificate(s)? (view/yes/no) view
      
      Serial number:          0361e7075056
      SHA-256 digest:         2a7ab79d52cca7d2cae6e88077ee48b405a9e87d03d47023fdf1d4e185f18f75
      Signature algorithm:    SHA256WithRSASignature
      Key size:               2048
      Issuer:                 C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=vmip131.gpfs.net
      Subject:                C=US, O=IBM, OU=SKLMNode, SKLMCell, CN=vmip131.gpfs.net
      
      Serial number:          03615d201517
      SHA-256 digest:         4acb77202f885f4c6b4c858f701394f18150fd683a0d155885399bbb5b8cc0b1
      Signature algorithm:    SHA256WithRSASignature
      Key size:               2048
      Issuer:                 C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=vmip131.gpfs.net
      Subject:                C=US, O=IBM, OU=SKLMNode, SKLMCell, Root Certificate, CN=vmip131.gpfs.net
      
      Do you trust the certificate(s) above? (yes/no) yes
      
    2. Verify that the key server is added. The following command displays information about all the existing key servers:
       mmkeyserv server show
      keyserver01.gpfs.net
              Type:                ISKLM
              IPA:                 192.168.40.59
              User ID:             SKLMAdmin
              REST port:           9080
              Label:               1_keyserver01
              NIST:                on
              FIPS1402:            off
              Backup Key Servers:
              Distribute:          yes
              Retrieval Timeout:   120
              Retrieval Retry:     3
              Retrieval Interval:  10000
      
      keyserver11.gpfs.net
              Type:                ISKLM
              IPA:                 192.168.9.131
              User ID:             SKLMAdmin
              REST port:           9080
              Label:               2_keyserver11
              NIST:                on
              FIPS1402:            off
              Backup Key Servers:  keyserver12.gpfs.net,keyserver13.gpfs.net
              Distribute:          yes
              Retrieval Timeout:   120
              Retrieval Retry:     3
              Retrieval Interval:  10000
      
      The command shows two key servers, keyserver01 and keyserver11.
  3. Add a tenant to the key server.
    The name of the tenant must be unique within the same key server, but it can be the same as the name of a tenant in another key server:
    1. Add the tenant devG1 to keyserver11:
      mmkeyserv tenant add devG1 --server keyserver11
      Enter password for the key server keyserver11:
    2. Verify that the tenant is added:
      mmkeyserv tenant show
      devG1
              Key Server:          keyserver01.gpfs.net
              Registered Client:   c1Client1
      
      devG2
              Key Server:          keyserver01.gpfs.net
              Registered Client:   c1Client1
      
      devG1
              Key Server:          keyserver11.gpfs.net
              Registered Client:   (none)
      The command shows the following tenants:
      • Tenant devG1 on keyserver01.
      • Tenant devG2 on keyserver01.
      • Tenant devG1 on keyserver11.
  4. Create a key client:
    Note: A key client name must be 1-16 characters in length and must be unique within an IBM Storage Scale cluster.
    1. Create c1Client11 on keyserver11.
       mmkeyserv client create c1Client11 --server keyserver11
      Enter password for the key server keyserver11:
      Create a pass phrase for keystore:
      Confirm your pass phrase:
    2. Verify that the client is created. The command shows all the existing key clients:
       mmkeyserv client show
      c1Client1
              Label:               c1Client1
              Key Server:          keyserver01.gpfs.net
              Tenants:             devG1,devG2
      
      c1Client11
              Label:               c1Client11
              Key Server:          keyserver11.gpfs.net
              Tenants:             (none)
      The key clients are c1Client1 and c1Client11.
    3. You can also display all the clients of keyserver11:
       mmkeyserv client show --server keyserver11
      c1Client11
              Label:               c1Client11
              Key Server:          keyserver11.gpfs.net
              Tenants:             (none)
      
  5. Register the key client with the tenant:
    1. Verify that tenant devG1 on keyserver11 has no registered clients:
       mmkeyserv tenant show --server keyserver11
      devG1
              Key Server:          keyserver11.gpfs.net
              Registered Client:   (none)
    2. Register the key client c1Client11 with tenant devG1 on keyserver11:
       mmkeyserv client register c1Client11 --tenant devG1 --rkm-id keyserver11_devG1
      Enter password for the key server of client c1Client11:
      mmkeyserv: [I] Client currently does not have access to the key.  
      Continue the registration process ...
      mmkeyserv: Successfully accepted client certificate
    3. Verify that the tenant shows that the client c1Client11 is registered with it:
        mmkeyserv tenant show --server keyserver11
      devG1
              Key Server:          keyserver11.gpfs.net
              Registered Client:   c1Client11
      
    4. You can also verify that the client shows that it is registered with tenant devG1:
       mmkeyserv client show --server keyserver11
      c1Client11
              Label:               c1Client11
              Key Server:          keyserver11.gpfs.net
              Tenants:             devG1
    5. Display the RKM stanzas for the cluster. They show the following relationships:
      • With keyserver01, c1Client1 is registered with devG1 and devG2.
      • With keyserver11, c1Client11 is registered with devG1.
       mmkeyserv rkm show
      keyserver01_devG1 {
        type = ISKLM
        kmipServerUri = tls://192.168.40.59:5696
        keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
        passphrase = pw4c1Client1
        clientCertLabel = c1Client1
        tenantName = devG1
      }
      keyserver01_devG2 {
        type = ISKLM
        kmipServerUri = tls://192.168.40.59:5696
        keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
        passphrase = pw4c1Client1
        clientCertLabel = c1Client1
        tenantName = devG2
      }
      keyserver11_devG1 {
        type = ISKLM
        kmipServerUri = tls://keyserver12.gpfs.net:5696
        kmipServerUri2 = tls://keyserver13.gpfs.net:5696
        kmipServerUri3 = tls://192.168.9.131:5696
        keyStore = /var/mmfs/ssl/keyServ/serverKmip.2_keyserver11.c1Client11.1.p12
        passphrase = pw4c1Client11
        clientCertLabel = c1Client11
        tenantName = devG1
      }
    6. Create encryption keys. The following command creates two keys in tenant devG1 on keyserver11.
       mmkeyserv key create --server keyserver11 --tenant devG1 --count 2
      Enter password for the key server keyserver11:
      KEY-86f601ba-0643-4f94-92b2-12c8765512cc
      KEY-cdcf058f-ae30-41e8-b6f7-754e23322428

Adding backup key servers

If multiple key servers exist, you can add them to an RKM stanza to provide backup capability in case the main key server becomes unavailable. You can add up to five backup key servers.

Important: IBM Storage Scale does not manage backup key servers. You must configure them and maintain them.
Note: For information about using backup key servers, see the subtopic "Adding backup RKM servers in a high-availability configuration" in Preparation for encryption.

This task shows how to add backup key servers to the RKM stanza of one of your key clients. You can add backup key servers when you create a key server, as shown in Step 2 of the previous subtopic. Or you can add them later, as in this subtopic.

In this task the primary key server is keyserver11. The backup key servers for the RKM stanza are keyserver12 and keyserver13. You want to add three more backup key servers to the list: keyserver14, keyserver15, and keyserver16.

Follow these steps:

  1. Add the three backup key servers. You must specify the entire list of key servers, including ones that are already in the list. The following command is on one line. In the list of servers, do not put spaces on either side of the commas (,):
     mmkeyserv rkm change keyserver11_devG1 --backup keyserver12,keyserver13,keyserver14,keyserver15,keyserver16
    
    Attention:
    • You can change the order in which the client tries backup key servers by running the same command with the key servers in a different order.
    • You can delete backup key servers by specifying a list that contains the backup key servers that you want to keep and omits the ones that you want to delete.
  2. To verify, issue the mmkeyserv rkm show command to display the RKM stanzas:
     mmkeyserv rkm show
    keyserver01_devG1 {
      type = ISKLM
      kmipServerUri = tls://192.168.40.59:5696
      keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
      passphrase = pw4c1Client1
      clientCertLabel = c1Client1
      tenantName = devG1
    }
    
    keyserver01_devG2 {
      type = ISKLM
      kmipServerUri = tls://192.168.40.59:5696
      keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
      passphrase = pw4c1Client1
      clientCertLabel = c1Client1
      tenantName = devG2
    }
    
    keyserver11_devG1 {
      type = ISKLM
      kmipServerUri = tls://keyserver11.gpfs.net:5696
      kmipServerUri12 = tls://keyserver12.gpfs.net:5696
      kmipServerUri13 = tls://keyserver13.gpfs.net:5696
      kmipServerUri14 = tls://keyserver14.gpfs.net:5696
      kmipServerUri15 = tls://keyserver15.gpfs.net:5696
      kmipServerUri16 = tls://keyserver16.gpfs.net:5696
      keyStore = /var/mmfs/ssl/keyServ/serverKmip.2_keyserver11.c1Client11.1.p12
      passphrase = pw4c1Client11
      clientCertLabel = c1Client11
      tenantName = devG1
    }
    The command output shows the following relationships:
    • The configuration of c1Client1, devG1, and keyserver01 has zero backup servers.
    • The configuration of c1Client1, devG2, and keyserver01 has zero backup servers.
    • The configuration of c1Client11, devG1, and keyserver11 has five backup servers.
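As an added check that is not part of the original documentation: a small POSIX shell helper that parses mmkeyserv rkm show output (a constructed sample is embedded; the function names are assumptions) and reports how many backup servers each RKM stanza lists, so a stanza whose key client depends on a single key server stands out. It counts any kmipServerUri<number> line as a backup, which covers both the kmipServerUri2 and kmipServerUri12 numbering forms shown on this page.

```shell
#!/bin/sh
# Constructed sample of `mmkeyserv rkm show` output (not captured from a real cluster).
# It mirrors two of the stanzas shown on this page: one with no backups, one with two.
SAMPLE_RKM='keyserver01_devG1 {
  type = ISKLM
  kmipServerUri = tls://192.168.40.59:5696
  keyStore = /var/mmfs/ssl/keyServ/serverKmip.1_keyserver01.c1Client1.1.p12
  passphrase = pw4c1Client1
  clientCertLabel = c1Client1
  tenantName = devG1
}
keyserver11_devG1 {
  type = ISKLM
  kmipServerUri = tls://keyserver11.gpfs.net:5696
  kmipServerUri12 = tls://keyserver12.gpfs.net:5696
  kmipServerUri13 = tls://keyserver13.gpfs.net:5696
  keyStore = /var/mmfs/ssl/keyServ/serverKmip.2_keyserver11.c1Client11.1.p12
  passphrase = pw4c1Client11
  clientCertLabel = c1Client11
  tenantName = devG1
}'

# rkm_backup_counts (hypothetical helper): read stanza text on stdin and print one line
# per stanza in the form "<rkm-id> <primary-uri> <backup-count>".
# The plain kmipServerUri line is the primary; every kmipServerUri<number> line is a backup.
rkm_backup_counts() {
  awk '
    /^[^ \t{}]+[ \t]*\{[ \t]*$/ { id = $1; primary = ""; backups = 0; next }
    /^[ \t]*kmipServerUri[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); primary = v; next }
    /^[ \t]*kmipServerUri[0-9]+[ \t]*=/ { backups++; next }
    /^[ \t]*\}/ { if (id != "") print id, primary, backups; id = "" }
  '
}

# rkm_without_backups (hypothetical helper): print the RKM ids whose stanza lists fewer
# than MIN backup servers (default 1), i.e. the key clients with a single point of failure.
rkm_without_backups() {
  min="${1:-1}"
  rkm_backup_counts | awk -v min="$min" '$3 < min { print $1 }'
}

# Usage on the constructed sample; on a live cluster pipe `mmkeyserv rkm show` in instead.
printf '%s\n' "$SAMPLE_RKM" | rkm_backup_counts
printf '%s\n' "$SAMPLE_RKM" | rkm_without_backups
```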

Adding a role or scope to Vault

Within an IBM Storage Scale cluster, only one role can be created per scope. The mmkeyserv role create command creates a scope and a role at the same time.

Follow these steps:

  1. Create the role.
    1. Create a scope spectrumscale2 and a role gpfsAdmin2:
       mmkeyserv role create gpfsAdmin2 --scope spectrumscale2 --server tru-4pub --auth-token tempToken
      Create a pass phrase for keystore: 
      Confirm your pass phrase: 
      mmkeyserv: Propagating the cluster configuration data to all
        affected nodes.  This is an asynchronous process.
      
    2. To verify that the scope and role are created, issue the following command:
       mmkeyserv role show gpfsAdmin2
      gpfsAdmin2
              Key Server:                 tru-4pub.fyre.ibm.com
              Scope:                      spectrumscale2
              Role Label:                 4_gpfsAdmin2
              RKM Id:                     
              CA Chain Expiration:        2032-05-11 12:40:00 (-0400)
              Certificate Expiration:     2025-07-12 15:17:04 (-0400)
              Certificate Serial Number:  301049472216982094185931943435573692776800291659
              Certificate Type:           system-generated
      
  2. Register the new role.
    1. Register role gpfsAdmin2:
       mmkeyserv role register gpfsAdmin2 --rkm-id gpfsRKMstanza2
      mmkeyserv: Propagating the cluster configuration data to all
        affected nodes.  This is an asynchronous process.
    2. Verify that the role is registered:
       mmkeyserv role show gpfsAdmin2
      gpfsAdmin2
              Key Server:                 tru-4pub.fyre.ibm.com
              Scope:                      spectrumscale2
              Role Label:                 4_gpfsAdmin2
              RKM Id:                     gpfsRKMstanza2
              CA Chain Expiration:        2032-05-11 12:40:00 (-0400)
              Certificate Expiration:     2025-07-12 15:17:04 (-0400)
              Certificate Serial Number:  301049472216982094185931943435573692776800291659
              Certificate Type:           system-generated
    3. Verify the configuration of the RKM stanza. The following command displays all the RKM stanzas:
       mmkeyserv rkm show
      gpfsRKMstanza {
        type = KMIP
        kmipServerUri = tls://9.46.79.137:5696
        keyStore = /var/mmfs/ssl/keyServ/roleCred.1_gpfsAdmin.1.p12
        passphrase = pass!@#ForDemo
        clientCertLabel = 1_gpfsAdmin
      }
      gpfsRKMstanza2 {
        type = KMIP
        kmipServerUri = tls://9.46.79.137:5696
        keyStore = /var/mmfs/ssl/keyServ/roleCred.4_gpfsAdmin2.1.p12
        passphrase = pass!@#4admin2
        clientCertLabel = 4_gpfsAdmin2
        connectionTimeout = 15
        connectionAttempts = 4
        retrySleep = 5000
      }
  3. Create a key from the new role.
     mmkeyserv key create --role gpfsAdmin2
    JKua674cMKT1oNdrP7PZQO1wBBc31iVV