Adding a Key Management Interoperability Protocol Server

You can add or modify a Key Management Interoperability Protocol (KMIP) server with an access node from the CommCell Console.

Note

If you configure the CommServe LiveSync feature in the CommCell environment, you must copy the certificate that is created while adding the key management server to the same certificate path on the active and passive nodes that are available in the CommServe computer.

Before You Begin

  • Certificate and certificate keys must be in PEM encoded format.

  • To use your own key, obtain the key ID provided by your key management service (KMS) provider after you import or generate the key using the KMS provider interface.

  • Commvault software uses the following custom attributes. Ensure that the KMIP server supports these custom attributes. Otherwise, contact your KMIP server vendor.

    Attribute Name                  Attribute Type
    CommVaultCommCell               String
    CommVaultCommCellGUID           String
    CommVaultStoragePolicy          String
    CommVaultStoragePolicyCopy      String
    CommVaultStoragePolicyCopyId    Integer
    FirstRetrieveTimestamp          Date/Time
    LastRetrieveTimestamp           Date/Time

Procedure

  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.

    The Control Panel window appears.

  2. Under Storage, click Key Management Servers.

    The Encryption Key Management Servers dialog box appears.

  3. Click Add, and then select KMIP.

    The Key Provider Properties dialog box appears.

  4. In the Key Provider Name box, enter a unique name for the key provider.

  5. From the Key Length list, select the key length to use with the Advanced Encryption Standard (AES) cipher.

  6. In the Server box, enter the IP address or hostname of the third-party key management server.

    If the server is a cluster server, then specify the IP addresses or the hostnames of all the servers in the cluster, separated by a comma.

    Note: If you use third-party key management servers, and you decide to migrate clients from one CommCell environment to another CommCell environment, then both the source CommCell environment and the destination CommCell environment must use the same third-party key management server.

  7. In the Port box, enter the port that is used by the key management server.

    If the server is a cluster server, then all the servers in the cluster must use the same port.

  8. In the Credentials area, enter the following information:

    • Certificate: Select the location of the client certificate.

      Examples of certificate locations:

      For SafeNet, enter the location C:\Certificates\client.crt.

      For Vormetric, enter the location C:\Certificates\client.pem.

    • Certificate Key: Select the location of the client certificate key.

      Examples of certificate key locations:

      For SafeNet, enter the location C:\Certificates\clientkey.

      For Vormetric, enter the location C:\Certificates\client_private.pem.

    • Certificate Password: If you set a password when you generated the certificate, then enter the password.

    • CA Certificate: Select the location of the key management server certificate authority (CA) certificate.

      Examples of CA certificate locations:

      For SafeNet, enter the location C:\Certificates\Local_CA.crt.

      For Vormetric, enter the location C:\Certificates\1.2.3.4_CA.pem.

  9. To use an access node, complete the following steps:

    1. Select the Use Access Node checkbox.

      The Access Nodes area appears.

    2. Click Add.

      The Access Node dialog box appears.

    3. From the Access Node list, select the MediaAgent that you want to use as the access node.

    4. Enter the credential information.

      For details about the credential information, see step 8 above.

    5. Click OK.

  10. To use your own key, complete the following steps:

    1. Click the Bring Your Own Keys tab.

    2. To enable Bring Your Own Key (BYOK), select the Enable Bring Your Own Keys checkbox.

    3. To add a key, complete the following steps:

      1. Click Add.

        The Bring Your Own Key dialog box appears.

      2. Enter the key ID, and then click OK.

  11. Click OK.
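
Example (added here, not part of the Commvault documentation or software): a pre-flight check for the three credential files from step 8, run before you enter their paths. It confirms that each file is PEM encoded, as required under Before You Begin, and reports whether the key is encrypted and therefore needs a Certificate Password. All function names are hypothetical, and the sample byte strings are constructed placeholders, not real credentials.

```python
import re
import ssl

# Matches one PEM block and captures its label, e.g. CERTIFICATE or RSA PRIVATE KEY.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed sample inputs (not real credentials): PEM-shaped blocks and a DER-shaped prefix.
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_DER_CERT = b"\x30\x82\x03\x1f\x30\x82\x02\x07"


def pem_labels(data):
    """Return the label of every PEM block in data; an empty list means the file is not PEM."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]


def key_needs_password(key):
    """True when the key is encrypted (PKCS#8 or legacy OpenSSL header), so a password is required."""
    return b"BEGIN ENCRYPTED PRIVATE KEY" in key or b"Proc-Type: 4,ENCRYPTED" in key


def check_encoding(cert, key, ca):
    """Return one problem string per credential field whose file is not PEM encoded."""
    problems = []
    if "CERTIFICATE" not in pem_labels(cert):
        problems.append("Certificate: no PEM CERTIFICATE block found")
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key)):
        problems.append("Certificate Key: no PEM PRIVATE KEY block found")
    if "CERTIFICATE" not in pem_labels(ca):
        problems.append("CA Certificate: no PEM CERTIFICATE block found")
    return problems


def load_client_context(cert_path, key_path, ca_path, password=None):
    """Load the files as a TLS client would; ssl.SSLError means a mismatched pair or wrong password."""
    with open(key_path, "rb") as fh:
        if key_needs_password(fh.read()) and password is None:
            raise ValueError("private key is encrypted: a Certificate Password is required")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.load_cert_chain(cert_path, key_path, password=password)
    return ctx


if __name__ == "__main__":
    print(check_encoding(SAMPLE_PEM_CERT, SAMPLE_PEM_KEY, SAMPLE_PEM_CERT))
    print(check_encoding(SAMPLE_DER_CERT, SAMPLE_PEM_KEY, SAMPLE_PEM_CERT))
```

To check real files, read each one in binary mode and pass the contents to check_encoding, then call load_client_context with the three paths to confirm that the certificate and key belong together.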
