The CLI or web UI may be used to set up an external key manager using the KMIP protocol, for file system (FS) encryption or other uses. At one point in the process, the DD asks for the public certificate of the root Certification Authority (CA) whose hierarchy signed the certificate the KMIP server uses to authenticate itself. If the KMIP certificate was issued not by the root CA but by an intermediate CA, the public certificates of all intermediate CAs would have to be passed to the DD concatenated in textual PEM form. When this is the case, even though the chain-of-trust file is correct, the DD fails to trust the KMIP server SSL certificate, and errors such as the following are seen in the logs (ddfs.info / messages.engineering / kmip.log):

    Mar 14 00:00:04 cdd01 ddfs[23019]: NOTICE: cp_keys_get_active_from_plugin: Error [Failed to synchronize keys] in retrieving the active key for CipherTrust plugin
    03/14 00:00:04.109243 [7fef03520040] ERROR: Failed validating server, error code = -300, error_msg = There was an error with the TLS connection

The external key manager status shows as below from the DD CLI (filesys encryption key-manager show):

    Key manager in use: CipherTrust
    Server: kmip-server.example.com
    Port: 5697
    Status: Offline: ** KMIP is not configured correctly.
    Key-class: redacted
    KMIP-user: REDACTED-FOR-PRIVACY
    Key rotation period: not-configured
    Last key rotation date: N/A
    Next key rotation date: N/A
As of March 2023, the CLI and web UI workflow is such that DDOS does not allow import of multiple CA certificates for KMIP to trust. This is by design. When the KMIP server certificate is not signed by the root CA, DDOS does not accept the full chain of certificates, so the DD cannot connect securely to the KMIP server over SSL: it does not trust the issuer of the KMIP server certificate, which is the intermediate CA.
Workaround: Contact Dell Data Domain Support for assistance carrying out this configuration outside the regular CLI and web UI. This requires no downtime, but it does need BASH-level access so that the chain-of-trust file for the KMIP server can be built manually on the system.

Permanent Solution: There is no target release for this functionality to be added to DDOS, that is, for all intermediate certificates to be importable from the CLI or the web UI when configuring KMIP for an external key manager whose signing CA is not the root one.
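The following is an added illustration, not Dell's procedure or code: it builds a throwaway PKI with openssl (a root CA, one intermediate, and a KMIP server certificate signed by the intermediate, all constructed here with demo names) and shows the core of the problem above. Verifying the server certificate against the root alone fails, exactly the situation in which only the root certificate was handed to the DD; verifying against a PEM file that concatenates the intermediate and the root succeeds. It also shows a quick check of the issuer field to tell whether a chain file is needed at all. The file names, subjects and extension profile are assumptions for the demo; no real KMIP server or DD is involved.

```shell
#!/bin/sh
# Added example (not Dell's code): demonstrate why a KMIP server certificate
# signed by an intermediate CA needs a concatenated PEM chain, using a demo PKI
# constructed locally with openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One openssl config carrying the extension profiles for the constructed PKI.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kmip-server.example.com
EOF

# 1. Self-signed root CA (the certificate the DD workflow asks for).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -config "$WORK/pki.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -config "$WORK/pki.cnf" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions ca_ext \
  -out "$WORK/inter.pem" 2>/dev/null

# 3. KMIP server certificate, signed by the intermediate (the case described above).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kmip-server.example.com" \
  -config "$WORK/pki.cnf" -keyout "$WORK/kmip.key" -out "$WORK/kmip.csr" 2>/dev/null
openssl x509 -req -in "$WORK/kmip.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions server_ext \
  -out "$WORK/kmip.pem" 2>/dev/null

# True when the server certificate's issuer is the root CA itself; if false,
# the CA material given to the DD must include every intermediate, not just the root.
issued_by_root() {
  issuer=$(openssl x509 -in "$WORK/kmip.pem" -noout -issuer)
  root=$(openssl x509 -in "$WORK/root.pem" -noout -subject)
  [ "${issuer#issuer=}" = "${root#subject=}" ]
}

# Build the concatenated PEM chain (intermediates first, root last) and print
# how many certificates it contains.
build_chain() {
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

# Exit status 0 when the server certificate validates against the trust file in $1.
verify_server() {
  openssl verify -CAfile "$1" "$WORK/kmip.pem" >/dev/null 2>&1
}

# Stand-alone run: root-only trust fails, root plus intermediate succeeds.
if issued_by_root; then
  echo "server cert issued by the root: root.pem alone is enough"
else
  echo "server cert issued by an intermediate: a chain file is required"
fi
if verify_server "$WORK/root.pem"; then
  echo "root only: verification OK"
else
  echo "root only: verification FAILS (the situation described in the KB)"
fi
echo "chain file holds $(build_chain) certificates"
if verify_server "$WORK/chain.pem"; then
  echo "root + intermediate chain: verification OK"
fi
```

The order inside the chain file (leaf issuer first, root last) follows the usual PEM convention; openssl verify treats every certificate in the -CAfile as trusted, so for this check the order is not significant, but keeping it consistent avoids surprises with consumers that walk the file in sequence.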