Data Domain: Configuring external key manager (KMIP) fails when there is a chain of trust for the KMIP server certificate
Summary: When configuring an external key manager (KMIP), if trust between the DD and the KMIP server is established through a chain of trust (the KMIP certificate is issued not by a root CA but by an intermediate CA), this cannot be properly configured from either the DD CLI or the UI. ...
This article is not associated with a specific product.
Not all product versions are listed in this article.
Symptoms
The CLI or web UI may be used to set up an external key manager using the KMIP protocol, for FS encryption or other uses.
At some point in the process, the DD asks for the public certificate of the root Certification Authority (CA) that signed the certificate the KMIP server uses to authenticate itself.
If the KMIP certificate was issued not by the root CA but by an intermediate CA, the public certificates of all intermediate CAs would have to be passed to the DD concatenated in textual PEM form.
If this is the case, even though the file containing the chain of trust is correct, the DD fails to trust the KMIP server's SSL certificate, and errors such as the following are seen in the logs (ddfs.info / messages.engineering / kmip.log):
Mar 14 00:00:04 cdd01 ddfs[23019]: NOTICE: cp_keys_get_active_from_plugin: Error [Failed to synchronize keys] in retrieving the active key for CipherTrust plugin
03/14 00:00:04.109243 [7fef03520040] ERROR: Failed validating server, error code = -300, error_msg = There was an error with the TLS connection
With the external key manager status showing as below from the DD CLI (filesys encryption key-manager show):
Key manager in use: CipherTrust
Server: kmip-server.example.com Port: 5697
Status: Offline: ** KMIP is not configured correctly.
Key-class: redacted KMIP-user: REDACTED-FOR-PRIVACY
Key rotation period: not-configured
Last key rotation date: N/A
Next key rotation date: N/A
Cause
As of March 2023, the CLI and web UI workflows do not allow importing multiple CA certificates for KMIP to trust; DDOS accepts a single CA certificate. This is by design.
When the KMIP server certificate is not signed directly by the root CA, DDOS refuses to accept all certificates in the chain, so the DD will not trust the issuer of the KMIP server certificate (the intermediate CA) and cannot connect securely to the KMIP server over SSL.
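The following added example (not Dell code or procedure) reproduces the trust failure described above with a throwaway OpenSSL CA hierarchy: a server certificate issued by an intermediate CA does not verify against the root certificate alone, but does verify against a concatenated PEM bundle of intermediate plus root. The CA names, the hostname kmip-server.example.com and the temporary files are assumptions.

```shell
#!/bin/sh
# Constructed demo: KMIP server cert issued by an intermediate CA vs. a
# root-only trust file and a concatenated intermediate+root PEM bundle.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on a system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:kmip-server.example.com
EOF

# Root CA (self-signed)
openssl req -x509 -new -config ca.cnf -extensions ca_ext -days 30 -nodes \
  -newkey rsa:2048 -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null
# Intermediate CA, signed by the root
openssl req -new -config ca.cnf -nodes -newkey rsa:2048 -keyout inter.key \
  -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions ca_ext -out inter.pem 2>/dev/null
# KMIP server certificate, signed by the intermediate (the article's scenario)
openssl req -new -config ca.cnf -nodes -newkey rsa:2048 -keyout kmip.key \
  -out kmip.csr -subj "/CN=kmip-server.example.com" 2>/dev/null
openssl x509 -req -in kmip.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions leaf_ext -out kmip.pem 2>/dev/null

# Prints OK or FAIL depending on whether kmip.pem chains to the given CA file
chain_status() {
  if openssl verify -CAfile "$1" kmip.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Root certificate only: the issuer (intermediate) is unknown, so trust fails
echo "root only:  $(chain_status root.pem)"
# Concatenated PEM bundle, intermediate first then root: verification succeeds
cat inter.pem root.pem > chain.pem
echo "full chain: $(chain_status chain.pem)"
```

The same check against a real server's certificate (exported from the KMIP server) tells you beforehand whether the single CA file the DD accepts is sufficient or whether the bundle must be built as described in the resolution.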
Resolution
Workaround:
Contact Dell Data Domain Support for assistance carrying out this configuration outside the regular CLI and web UI. This requires no downtime, but needs bash-level access so that the file containing the chain of trust for the KMIP server can be built manually on the system.
Permanent Solution:
There is no target release for adding this functionality to DDOS, that is, allowing all intermediate certificates to be imported from the CLI or the web UI when configuring KMIP for external key managers and the signing CA is not the root CA.
Affected Products
Data Domain
Article Properties
Article Number: 000211676
Article Type: Solution
Last Modified: 19 Jul 2023
Version: 3