StorReduce can optionally encrypt all traffic to and from the backend Object Store using secure cryptographic keys generated by industry-standard KMIP servers. Transport Layer Security, also known as TLS or SSL, is used to secure (encrypt and authenticate) communications between the StorReduce server and the KMIP server. These TLS connections are in turn secured using X.509 Certificates, commonly known as SSL Certificates.
The SSL certificate sent from the KMIP server to StorReduce may be used to authenticate the KMIP server through the use of Certificate Authority Certificates (CA Certs.)
An optional username and password combination and/or a client X.509 certificate and key combination may be used to authenticate and identify StorReduce with the KMIP server. The optional certificate presented to the KMIP server from StorReduce may have additional requirements (e.g. the requirement of a username in the Common Name (CN) field of the certificate.)
Generating the X.509 certificates and keys is beyond the scope of this document, but the KMIP server administrator and online resources will be a significant help. StorReduce KMIP settings will differ based upon the policies instituted by the KMIP server administrator. Therefore, it’s important to communicate with the KMIP server administrator and ascertain:
What is the hostname and port number of the KMIP server?
What Certificate Authority Certificates (CACerts) are required to authenticate the KMIP TLS connection and how can they be obtained?
Is a KMIP username/password combination to be used to authenticate StorReduce communication with the KMIP server? If so, what are those?
Is a Client X.509 certificate/key combination required for StorReduce to authenticate with the KMIP server? Is there a suggested method for generating and signing that client certificate? Are there any specific requirements for the Client Certificate (e.g. a username and/or IP address in specific certificate fields, etc.)?
There are a number of different file formats for certificates. StorReduce uses the
PEM files usually have a .pem extension. If your certificates are in a different format, then you will need to convert them into the PEM format. Instructions for converting the formats are beyond the scope of this document but they can be easily found on the Internet (e.g.,
After the above questions have been answered by the KMIP server administrator, StorReduce may be configured as follows:
1. Enable KMIP and Set the Hostname and Port
Open the StorReduce dashboard and browse to the Settings tab, then click on the Storage section and scroll down until you find the Use KMIP checkbox and enable it.
Set the KMIP server hostname as given by the KMIP server administrator.
Note that the hostname should not contain a prefix (https: or other.)
Set the KMIP server port as given by the KMIP server administrator. The port should be a simple numeric integer with no other characters.
2. Paste the Certificate Authority Certificate(s)
While setting the CA certificate(s) is optional, it is highly recommended: without this setting, KMIP server communications could be “spoofed”, thereby putting the encryption of the backup data at risk. This data can likely be obtained from the KMIP server administrator.
3. Set the KMIP Username & Password if Applicable
If required by the KMIP server administrator, the KMIP username and password should be set in their respective fields.
4. Paste the KMIP Client Key and Client Certificate if Applicable
If the KMIP server administrator requires a client key and certificate for authentication, then both should be pasted into their respective settings boxes. Note that the client key should be created in PEM format without a password.
5. Restart the StorReduce server
Save Settings ... button at the bottom of the Settings page. If StorReduce cannot connect to the KMIP Server with the supplied parameters, an error will be shown at this point. Otherwise, KMIP for StorReduce has been configured.
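A pre-flight check for the values entered in steps 1 to 4, as an added example that is not StorReduce code: it flags a hostname with a prefix, a non-numeric port, a missing CA certificate, non-PEM input and a password-protected client key. The function names and the `fake_pem` sample builder are hypothetical, and only PEM framing is inspected, not certificate contents.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample builder: placeholder bytes in PEM framing, not real key material.
def fake_pem(label, header=""):
    body = base64.b64encode(b"constructed placeholder").decode()
    return f"-----BEGIN {label}-----\n{header}{body}\n-----END {label}-----\n"

def pem_blocks(text):
    """Yield (label, encrypted) per PEM block; raise ValueError on bad base64."""
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Lines containing ":" are RFC 1421 headers, the rest is the base64 body.
        base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in lines
        yield label, encrypted

def labels_of(text, field, problems):
    """Parse one settings field; record a problem if it holds no valid PEM block."""
    try:
        blocks = list(pem_blocks(text))
    except ValueError:  # the base64 body did not decode
        blocks = []
    if not blocks:
        problems.append(f"{field}: not PEM, convert it before pasting")
    return blocks

def check_kmip_settings(host, port, ca_pem="", key_pem="", cert_pem=""):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if ":" in host or "/" in host:
        problems.append("hostname: remove the prefix, port or path")
    if not re.fullmatch(r"[0-9]+", str(port)) or not 0 < int(port) < 65536:
        problems.append("port: must be a plain integer between 1 and 65535")
    if not ca_pem.strip():
        problems.append("CA certs: empty, so the KMIP server is not authenticated")
    for field, pem in (("CA certs", ca_pem), ("client cert", cert_pem)):
        if pem.strip() and any(l != "CERTIFICATE" for l, _ in labels_of(pem, field, problems)):
            problems.append(f"{field}: contains a block that is not a certificate")
    if bool(key_pem.strip()) != bool(cert_pem.strip()):
        problems.append("client key and client certificate must be set together")
    for lbl, enc in (labels_of(key_pem, "client key", problems) if key_pem.strip() else []):
        if enc:
            problems.append("client key: password-protected, export it unencrypted")
        elif lbl not in KEY_LABELS:
            problems.append("client key: block is not a private key")
    return problems
```

An empty list means the values are well-formed; whether the KMIP server accepts them is still decided when the settings are saved.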
In this document we have explained how to configure the KMIP Settings in the StorReduce server. If you have any questions please contact StorReduce Support firstname.lastname@example.org.