Using KMIP for Object Storage Encryption


StorReduce can optionally encrypt all traffic to and from the backend Object Store using secure cryptographic keys generated by industry standard KMIP servers. Transport Layer Security, also known as TLS or SSL, is used to secure (encrypt and authenticate) communications between the StorReduce server and the KMIP server. These TLS connections are in turn secured using X.509 Certificates, commonly known as SSL Certificates.

The SSL certificate sent from the KMIP server to StorReduce may be used to authenticate the KMIP server through the use of Certificate Authority Certificates (CA certs).

An optional username and password combination and/or a client X.509 certificate and key combination may be used to authenticate and identify StorReduce with the KMIP server. The optional certificate presented to the KMIP server from StorReduce may have additional requirements (e.g. the requirement of a username in the Common Name (CN) field of the certificate).

Generating the X.509 certificates and keys is beyond the scope of this document, but the KMIP server administrator and online resources will be a significant help. StorReduce KMIP settings will differ based upon the policies instituted by the KMIP server administrator. Therefore, it’s important to communicate with the KMIP server administrator and ascertain:

  1. What is the hostname and port number of the KMIP server?

  2. What Certificate Authority Certificates (CACerts) are required to authenticate the KMIP TLS connection and how can they be obtained?

  3. Is a KMIP username/password combination to be used to authenticate StorReduce communication with the KMIP server? If so, what are those?

  4. Is a Client X.509 certificate/key combination required for StorReduce to authenticate with the KMIP server? Is there a suggested method for generating and signing that client certificate? Are there any specific requirements for the Client Certificate (e.g. a username and/or IP address in specific certificate fields)?

There are a number of different file formats for certificates. StorReduce uses the PEM format; PEM files usually have a .pem extension. If your certificates are in a different format, then you will need to convert them into the PEM format. Instructions for converting the formats are beyond the scope of this document but they can be easily found on the Internet (e.g., ).

Once the above questions have been answered by the KMIP server administrator, StorReduce may be configured as follows:

1. Enable KMIP and Set the Hostname and Port

Open the StorReduce dashboard and browse to the Settings tab, then click on the Storage section and scroll down until you find the Use KMIP checkbox and enable it.

Basic KMIP Settings

Set the KMIP server hostname as given by the KMIP server administrator. Note that the hostname should not contain a prefix (https: or other).

Set the KMIP server port as given by the KMIP server administrator. The port should be a simple numeric integer with no other characters.

2. Paste the Certificate Authority Certificate(s)


While setting the CA certificate(s) is optional, it is highly recommended, since without this setting KMIP server communications could be “spoofed”, thereby putting the encryption of the backup data at risk. The CA certificate(s) can likely be obtained from the KMIP server administrator.

3. Set the KMIP Username & Password if Applicable

KMIP Username and Password

If required by the KMIP server administrator, the KMIP username and password should be set in their respective fields.

4. Paste the KMIP Client Key and Client Certificate if Applicable

KMIP Client Key

KMIP Client Certificate

If the KMIP server administrator requires a client key and certificate for authentication, then both should be pasted in their appropriate settings boxes. Note that the client key should be created in PEM format without a password.

5. Restart the StorReduce server

Click the Save Settings ... button at the bottom of the Settings page. If StorReduce cannot connect to the KMIP Server with the supplied parameters, an error will be shown at this point. Otherwise, KMIP for StorReduce has been configured.
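A pre-flight check for the values gathered in steps 1 to 4, added here as an example and not part of StorReduce: the helper names `check_settings` and `tls_handshake` are hypothetical, the PEM checks inspect block structure only, and `tls_handshake` assumes the certificates are saved as files on the machine running the check.

```python
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) pairs for every PEM block in text."""
    return PEM_BLOCK.findall(text)

def has_cert(text):
    return any(label == "CERTIFICATE" for label, _ in pem_blocks(text))

def check_settings(hostname, port, ca_pem="", key_pem="", cert_pem=""):
    """List problems with values about to be entered in the KMIP settings fields."""
    problems = []
    # Bare DNS name or IPv4 address only: no "https:" prefix, port or path.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", hostname):
        problems.append("hostname: remove any prefix, port or path")
    if not (re.fullmatch(r"[0-9]+", str(port)) and 0 < int(port) < 65536):
        problems.append("port: must be a plain integer from 1 to 65535")
    if not ca_pem:
        problems.append("CA certificate: not set (optional, but the server is then unauthenticated)")
    elif not has_cert(ca_pem):
        problems.append("CA certificate: no PEM CERTIFICATE block found")
    if bool(key_pem) != bool(cert_pem):
        problems.append("client key and certificate: supply both or neither")
    if cert_pem and not has_cert(cert_pem):
        problems.append("client certificate: no PEM CERTIFICATE block found")
    keys = [(l, b) for l, b in pem_blocks(key_pem) if l.endswith("PRIVATE KEY")]
    if key_pem and not keys:
        problems.append("client key: no PEM private key block found")
    # PKCS#8 marks encryption in the label, legacy OpenSSL keys in a Proc-Type header.
    if any(l == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in b for l, b in keys):
        problems.append("client key: password-protected, export it without a password")
    return problems

def tls_handshake(hostname, port, ca_file, cert_file=None, key_file=None, timeout=5):
    """Complete a verified TLS handshake with the KMIP server; return the TLS version."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trusts only the given CA file
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)      # optional client authentication
    with socket.create_connection((hostname, int(port)), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version()

if __name__ == "__main__":  # constructed sample values, not real key material
    key = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----"
    print(check_settings("https://kmip.example.test", "5696", key_pem=key))
```

An empty list from `check_settings` means the values are well-formed; `tls_handshake` raises `ssl.SSLCertVerificationError` if the server certificate does not chain to the supplied CA file or does not match the hostname.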


In this document we have explained how to configure the KMIP Settings in the StorReduce server. If you have any questions, please contact StorReduce Support.