This article is intended for administrators who want to use the StorMagic SvKMS solution as an External Key Manager for Commvault backup software.
Resolution/Information
Table of Contents
- Add a Group for Commvault Keys.
- Create a Key Access User
- Export the SvKMS CA root certificate.
- Configure the Integration within Commvault.
- Enable the encryption on the backup store.
This guide runs through the steps required to configure SvKMS as an External Key Manager for use with Commvault, separating the lock (the encryption engine, in the form of Commvault) from the key (encryption keys created, managed and distributed by SvKMS).
For details on deploying an SvKMS cluster, please see the SvKMS Documentation.
Required Steps
Step 1: Add a Group for Commvault Keys.
Create a group for the Commvault encryption keys to belong to.
Once logged into the main SvKMS interface, select GROUPS and then Add Group.
Create the group
Step 2: Create a Key Access User.
Create a Commvault user (key access user) that uses a certificate, download the certificate, and store it somewhere safe.
Via the main SvKMS menu, select USERS and then Add User.
Create a user whose certificate will be the trusted certificate used to integrate with Commvault.
SvKMS-generated user certificates are valid for 1 year, so this step will need to be completed again in a year to renew the certificate.
Having selected Add User, download the certificate per the below:
To generate a newly dated certificate for an existing user, go to USERS, select the AuthCertificate hyperlink and select Generate New to download a fresh certificate with another year of validity.
Step 3: Export the SvKMS CA root certificate.
From the web browser accessing SvKMS, select the shield in the URL and view the certificate details:
In the Certificate Hierarchy, select the top level (it defaults to the *.svkms.local wildcard, so the top level will need to be selected manually) and then select Export.
Step 4: Configure the Integration within Commvault.
Copy both files (the user certificate from Step 2 and the CA root certificate from Step 3) to a fixed path on the file system that is accessible by Commvault.
Note that Commvault will need this path available to it at all times!
Step 4.1: Configure the KMS within Commvault
From the Manage > Security menu, select Key management servers.
Select Add and choose a KMIP (Key Management Interoperability Protocol) KMS.
Select the folder:
Browse the file system to find the user certificate .pem file downloaded in Step 2.
Use this file for both the Certificate and Certificate Key fields.
Enter a password into the Certificate Password field. This is NOT used for the integration and may be any string.
Browse to the CA certificate downloaded in Step 3, so that the KMS configuration looks similar to the below:
Submit this, noting that this will NOT try the connection.
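Because the Submit in Step 4.1 does not try the connection, problems with the two files only surface at Step 5. The shell script below is an added example (not StorMagic or Commvault code) that checks the files beforehand; it assumes OpenSSL is installed and that the Step 2 .pem holds both the certificate and its private key, as its use for both fields implies. The function names and the 30-day renewal window are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the user .pem (Step 2) and CA file (Step 3).
# Assumes the openssl CLI is available; all function names are illustrative.

# The user .pem fills both the Certificate and Certificate Key fields,
# so it is expected to contain a certificate and a private key block.
has_cert_and_key() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Succeeds if the certificate in FILE is still valid DAYS days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if subject == issuer, i.e. the top of the hierarchy was exported
# rather than the *.svkms.local wildcard certificate the browser shows first.
is_root_ca() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds if the user certificate verifies against the exported CA file.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight USER_PEM CA_FILE [DAYS]: run every check, report each failure.
preflight() {
  pf_user=$1; pf_ca=$2; pf_days=${3:-30}; pf_rc=0
  if [ ! -r "$pf_user" ] || [ ! -r "$pf_ca" ]; then
    echo "FAIL: certificate path not readable"; return 1
  fi
  has_cert_and_key "$pf_user" ||
    { echo "FAIL: $pf_user lacks a certificate or private key"; pf_rc=1; }
  valid_for_days "$pf_user" "$pf_days" ||
    { echo "FAIL: $pf_user expires within $pf_days days, use Generate New"; pf_rc=1; }
  is_root_ca "$pf_ca" ||
    { echo "FAIL: $pf_ca is not the top-level certificate"; pf_rc=1; }
  chains_to "$pf_ca" "$pf_user" ||
    { echo "FAIL: $pf_user was not issued by $pf_ca"; pf_rc=1; }
  return $pf_rc
}

# Run only when called with file arguments, e.g. ./preflight.sh user.pem ca.cer
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it as the account Commvault runs under, against the fixed path from Step 4, so the readability check reflects what Commvault will see.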
Step 5: Enable the encryption on the backup store.
Under Storage > Disk > LOCALBACKUP, enable encryption with the slider, select the AES - 256 bit cipher, and change the Built-in KMS to the separate KMIP SvKMS configured in Step 4:
Debug
If there is an issue at Step 5, the below error will be displayed:
Something similar to the below will also appear when viewing the kmipclient.log file in the gxtail utility:
A successful communication will look like:
The key ID from the log will be visible within SvKMS.
For any issues with the integration, please raise a ticket with support at support@stormagic.com or at https://support.stormagic.com.
See Also
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Release_Notes/Release_Notes.htm
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Web_Portal/Overview.htm