You can use XML to add a key management server.
- Use the qlogin command to log on to the CommServe computer.
- Download the Add_KMS.xml file and save it on the computer where the command is run.
- The following table describes the parameters you can use with the command (attribute, description, parent element).

  keyProviderName (parent element: provider)
    The name of the key provider.

  keyProviderType (parent element: keyProvider)
    The type of the key provider. To add a Safenet or Vormetric key management server, set the value to KMIP. To add an AWS key management server, set the value to AWS_KMS. To add a passphrase key management server, set the value to PASSPHRASE.

  encryptionKeyLength (parent element: keyProvider)
    The key length to use with the AES cipher. The supported key lengths for the AES cipher are 128 and 256.

  host (parent element: properties)
    The IP address or hostname of the third-party key management server. In case of a cluster server, specify the host values of all servers separated with a comma during command execution.
    Note: For CommCell migration, make sure that both the source and the destination CommCells are pointing to the same third-party key management server.

  port (parent element: properties)
    The port used by the key management server. In case of a cluster server, all servers should use the same port.

  certFilePath (parent element: properties)
    The location of the client certificate.
    Example: C:\Certificates\client.crt (for Safenet) and C:\Certificates\client.pem (for Vormetric)

  sslPassPhrase (parent element: properties)
    The passphrase of the certificate, if one is set.

  keyFilePath (parent element: properties)
    The location of the client certificate key.
    Example: C:\Certificates\clientkey (for Safenet) and C:\Certificates\client_private.pem (for Vormetric)

  caCertFilePath (parent element: properties)
    The location of the key management server CA certificate.
    Example: C:\Certificates\Local_CA.crt (for Safenet) and C:\Certificates\1.2.3.4_CA.pem (for Vormetric)

  regionName (parent element: properties)
    The region where AWS hosts the Key Management Service.

  userName (parent element: userAccount)
    The AWS Access Key.

  password (parent element: userAccount)
    The AWS Secret Access Key.

  passphrase (parent element: properties)
    The passphrase for the passphrase key management server.

  clientName (parent element: client)
    The name of the client on which to store the passphrase file for a passphrase key management server.

  path (parent element: filePath)
    The location to which the passphrase file is exported for a passphrase key management server.
- To add a Safenet or Vormetric key management server, execute the following command from the <software_installation_directory>/Base folder after substituting the parameter values:

  qoperation execute -af downloaded location\Add_KMS.xml -keyProviderName xxxxx -keyProviderType KMIP -encryptionKeyLength xxx -sslPassPhrase xxx -host xxx -port xxxx -certFilePath xxx -keyFilePath xxx -caCertFilePath xxx

  Example: Execute the following command to add a Safenet key management server with key provider name "Safenet", provider type "KMIP", encryption key length "128", passphrase "sslphrase!12", host "172.19.119.222", port "9002", client certificate location "C:\Certificates\client.crt", client certificate key location "C:\Certificates\clientkey", and key management server CA certificate location "C:\Certificates\Local_CA.crt":

  qoperation execute -af downloaded location\Add_KMS.xml -keyProviderName Safenet -keyProviderType KMIP -encryptionKeyLength 128 -sslPassPhrase sslphrase!12 -host 172.19.119.222 -port 9002 -certFilePath C:\Certificates\client.crt -keyFilePath C:\Certificates\clientkey -caCertFilePath C:\Certificates\Local_CA.crt
- To add an AWS key management server, execute the following command from the <software_installation_directory>/Base folder after substituting the parameter values:

  qoperation execute -af downloaded location\Add_KMS.xml -keyProviderName xxxxx -keyProviderType AWS_KMS -regionName xxxx -userName xxxx -password xxxx

  Example: Execute the following command to add an AWS key management server with key provider name "AWS", provider type "AWS_KMS", region name "Asia Pacific (Mumbai)", Access Key "accesskey", and Secret Access Key "secretkey":

  qoperation execute -af downloaded location\Add_KMS.xml -keyProviderName AWS -keyProviderType AWS_KMS -regionName 'Asia Pacific (Mumbai)' -userName accesskey -password secretkey
- To add a passphrase key management server, execute the following command from the <software_installation_directory>/Base folder after substituting the parameter values:

  qoperation execute -af downloaded location\Add_KMS.xml -keyProviderName xxxxx -keyProviderType PASSPHRASE -encryptionKeyLength xxx -passphrase xxx -passphraseClient/client/clientName xxx -passphraseClient/filePath/path xxxx

  Example: Execute the following command to add a passphrase key management server with key provider name "PassphraseKMS", provider type "PASSPHRASE", encryption key length "128", passphrase "demo passphrase", client name "client1", and passphrase file location "C:\Passphrase":

  qoperation execute -af c:\Xmls\Add_KMS.xml -keyProviderName PassphraseKMS -keyProviderType PASSPHRASE -encryptionKeyLength 128 -passphrase "demo passphrase" -passphraseClient/client/clientName client1 -passphraseClient/filePath/path c:\Passphrase