[gpfsug-discuss] Reg: Help/Process on Spectrum Scale Encryption key renewal using SKLM

Pradeep Srinivasagam pradeep.srinivasagam at outlook.com
Tue Sep 12 08:53:40 BST 2023


Dear All,

I'm Pradeep, and I manage Spectrum Scale in a Stretched cluster environment for a financial institution.

Prior to this, I was supporting GPFS protocol nodes in the Media & Entertainment industry using a tailored environment.

City: Basingstoke, UK
Country: United Kingdom

Here is my first post, for which I am asking for clarity.


Subject: Query on renewing the certificates for Spectrum Scale via SKLM.


Environment:


Spectrum Scale Version: 5.1.1

We have 2 certificates present that seem to be authenticating to SKLM.



One expires in October (REST) and one is next year (KMIP)






We are currently therefore seeing the rkmconf_certexp_warn event within the node health status…



[screenshot not preserved in the archive]



Query 1:

We want to update the REST certificate; we have a key group setup in SKLM where the keys for Scale are held – it is labelled as follows



[screenshot not preserved in the archive]



The key is stored in SKLM within these management groups.

The question we have is, in terms of updating the key on the Spectrum Scale environment – basically – how do we do it? So, we would like, if possible, a step-by-step guide on how to replace the key on the Spectrum Scale side and how that interacts with SKLM.



As encryption is already up and running and we are just refreshing / renewing an existing deployment, I am really looking to know what I need to do and in what order, and where we drop between SKLM activities and Scale activities. Also, once we have the key in place, does it just propagate to all servers within Scale once one has picked it up?



Example



  1.  Create a key within Scale
  2.  Add third party data to key, and then chain together using scale utility – example below?

[screenshot not preserved in the archive]

  3.  Register key? In effect how do we get the server to “pickup” the new key?
  4.  Copy key over to SKLM server
  5.  Add key to SKLM within the existing group
  6.  Create a file, check it is encrypted



Query 2:



What is the KMIP certificate for, and how do we renew that certificate before it expires?






Thanks in advance



Regards

Pradeep S
