The configuration of each RKM backend must be described in a /var/mmfs/etc/RKM.conf file on each such node. The /var/mmfs/etc/RKM.conf file does not have to be identical; by controlling the contents of this file, the cluster administrator can control which client nodes have access to which keys. For example, the same RKM server could be given two different names in /var/mmfs/etc/RKM.conf stanzas, allowing the administrator to partition a set of MEKs hosted on a single RKM server into separate subsets of MEKs, which might belong to subsets of the nodes of the cluster.
The /var/mmfs/etc/RKM.conf file consists of a series of stanzas, each of which uses the following syntax:
# RKM entry
RkmId {
type = ISKLM # The RKM is an ISKLM
kmipServerUri = tls://host:port # TLS connection to host on port
keyStore = /PathToKeyStoreFile # The path to the PKCS#12 file containing server certificate
# and client public/private keypair
passphrase = Password # Passphrase protecting the key store file
clientCertLabel = LabelName # Label of the client key pair to be used among those in the
# key store file
tenantName = NameOfTenant # Name of tenant, set in IBM Security Key Lifecycle Manager set-up
[connectionTimeout = ConnectionTimeout] # Connection timeout, in seconds (default 60 seconds)
[connectionAttempts = ConnectionAttempts] # Number of connection attempts (default 3)
[retrySleep = RetrySleepUsec] # Retry sleep time, in microsecsonds
# (default 100000 = 0.1 seconds)
}
rkmname3 {
...
kmipServerUri2 = tls://host:port # TLS connection to clone number 1 to host on port
kmipServerUri3 = tls://host:port # TLS connection to clone number 2 to host on port
kmipServerUri4 = tls://host:port # TLS connection to clone number 3 to host on port
kmipServerUri5 = tls://host:port # TLS connection to clone number 4 to host on port
kmipServerUri6 = tls://host:port # TLS connection to clone number 5 to host on port
...
}
If at least one backup is configured, whenever key retrieval from the master fails, GPFS will attempt to fetch the key from each backup in turn until it is able to retrieve the desired MEK. Note that the addition of the URIs for the clone servers is the only required change within GPFS; all other configuration parameters (certificates, keys, node and tenant info) need not change, as they are also part of the set of information that is replicated. The administrator is responsible for creating and maintaining any backups.
Additionally, setting up ISKLM key server clones can help gain some performance advantage by distributing MEK retrieval requests across the different clones in a round-robin fashion. To achieve this, the administrator must specify different orderings of the server endpoints on different GPFS nodes in the /var/mmfs/etc/RKM.conf file.
...
kmipServerUri = tls://keysrv.ibm.com:5696
kmipServerUri2 = tls://keysrv_backup.ibm.com:5696
...
...
kmipServerUri = tls://keysrv_backup.ibm.com:5696
kmipServerUri2 = tls://keysrv.ibm.com:5696
...