Configuring a credential store for DAOS tier 2 storage

Before you enable DAOS tier 2 storage, configure a Domino® credential store to store the credentials that are used for connections to the storage service.

About this task

Starting in Domino 12, you can also use the credential store to store shared keys that are used to encrypt attachment objects. If you use tier 2 storage, attachment objects encrypted with a shared key resolve to a single object in tier 2 that all participating servers share. For more information, see Sharing DAOS tier 2 objects across servers.

Procedure

  1. Refer to your storage service vendor documentation. Create credentials for Domino to use to connect to the storage service. (Your storage service may do this step for you.)
  2. Refer to your storage service vendor documentation. Create a bucket for Domino to use. (Your storage service may do this step for you.) Multiple Domino servers can use the same bucket. You can use any name for a bucket. The following AWS command example creates a bucket named aws-hcl-dominocos in the us-east-1 region:
    aws s3api create-bucket --bucket aws-hcl-dominocos --region us-east-1
    
  3. In Domino, complete the following steps to create a Domino credential store to securely store the credentials used to connect to the storage service. If you have an existing credential store (typically IBM_CredStore\credstore.nsf), you can use it but you must replace the design with the websecuritystore.ntf provided with Domino 12 or a later version. For detailed information on setting up a Domino credential store, see Using a credential store to share credentials in the Domino documentation.
    To create a Domino credential store on a Domino server:
    1. From the server console, use the following command to create a named encryption key (NEK) which is added to the server ID file. Domino uses the key to encrypt the credentials that are stored in the credential store.
      KEYMGMT CREATE NEK <named key>
      where <named key> is a name you give the key. For example:
      KEYMGMT CREATE NEK credstorenek
      • Verify that you see a message in the server console log similar to the following one, indicating that the key is created successfully:
        [024C:0008-3848] 04/16/2019 05:04:13.06 PM NEK > NEK credstorenek - 
        Fingerprint 44A5 624A 65CD 1771 F274 4779 C7AB 2FE0 9671 BB30
        [024C:0008-3848] NEK credstorenek created successfully
        
      • Make a note of the displayed fingerprint for the key.
    2. From the server console, use the following command to create a credential store using the NEK you created.
      KEYMGMT CREATE CREDSTORE <nek>
      For example:
      KEYMGMT CREATE CREDSTORE credstorenek
      Verify that:
      • The Fingerprint matches the one you noted in the previous step.
      • The database credstore.nsf is created in the Domino \data\IBM_CredStore directory.
  4. If additional Domino servers will use the same bucket in the storage service, set up those servers to use the credential store. These servers must be in the same cluster:
    Note: Setting up multiple Domino servers to be in one Domino cluster and to share one bucket is recommended because it simplifies management of the credential store and credential store key.
    1. From the server console of the server on which you created the credential store, enter the following command to export the NEK from the server ID file to a key file in the Domino data directory:
      KEYMGMT EXPORT NEK <nek> <nek>.key <password>
      For example:
      KEYMGMT EXPORT NEK credstorenek credstorenek.key passw0rd
    2. Copy the key file, for example, credstorenek.key, to the Domino data directory on the other Domino servers.
    3. From the server console of each additional Domino server, enter the following command to import the NEK into the server.id file:
      KEYMGMT IMPORT NEK <nek>.key <password>
      For example:
      KEYMGMT IMPORT NEK credstorenek.key passw0rd
    4. Create a replica of the credential store database on each additional Domino server.
  5. Complete the following steps to add the storage service credentials to the Domino credential store:
    1. Create a text file, for example, dominocred.txt, that contains the service credentials you created in Step 1. For example:
      [dominocos]
      aws_access_key_id = AWDOTJVLSIIGTJ7SJ489F
      aws_secret_access_key = Flx9zD25RvyKQDKq5PjM521akIfPxtcaleW7Mtn

      The name in brackets [dominocos] is used as the name of the credential in the credential store. You specify this name when you complete the procedure Enabling DAOS tier 2 storage.

    2. From the server console of a DAOS server, use the following command to add the credentials to the Domino credential store.
      tell daosmgr S3 storecred <filename>
      where <filename> is the name of the text file with the credentials.
      For example:
      tell daosmgr S3 storecred dominocred.txt

      The credentials are added to the credential store with the named credential, for example, dominocos. The text file is deleted when the command completes. No credentials are visible at the console or in log files.
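The following POSIX shell helpers are an added example written for this page; they are not part of the HCL Domino documentation or of the daosmgr tool. They cover the two places in the procedure where an administrator checks something by hand: comparing the NEK fingerprint printed by KEYMGMT CREATE NEK with the one printed by KEYMGMT CREATE CREDSTORE (step 3), and writing the credentials text file for tell daosmgr S3 storecred with owner-only permissions (step 5). The console output, the function names and the credential values are constructed; the access key and secret are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example for the Domino credential-store procedure (not HCL code).
# All console output below is constructed, modelled on the lines the
# procedure shows; the fingerprints are fictitious.

# Output of "KEYMGMT CREATE NEK credstorenek", wrapped the way the console
# log on this page wraps it (fingerprint on its own line).
NEK_CREATE_LOG='[024C:0008-3848] 04/16/2019 05:04:13.06 PM NEK > NEK credstorenek - 
Fingerprint 44A5 624A 65CD 1771 F274 4779 C7AB 2FE0 9671 BB30
[024C:0008-3848] NEK credstorenek created successfully'

# Output of "KEYMGMT CREATE CREDSTORE credstorenek" on the same server
# (constructed; same key, so the fingerprint must match).
CREDSTORE_CREATE_LOG='[024C:0008-3850] NEK credstorenek - Fingerprint 44A5 624A 65CD 1771 F274 4779 C7AB 2FE0 9671 BB30'

# Constructed output for a different key, used to show a mismatch.
OTHER_NEK_LOG='[024C:0008-3851] NEK othernek - Fingerprint 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'

# Pull the first fingerprint (ten groups of four hex digits) out of console
# output and normalize it to 40 uppercase hex characters with no spaces.
extract_fingerprint() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Fingerprint \(\([0-9A-Fa-f]\{4\} *\)\{10\}\).*/\1/p' \
      | head -n 1 \
      | tr -d ' ' \
      | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when both outputs carry a full 40-hex-digit
# fingerprint and the two are identical; this is the check in step 3.2.
fingerprints_match() {
    a=$(extract_fingerprint "$1")
    b=$(extract_fingerprint "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Write the credentials file in the INI layout of step 5.1.
# The secret is passed through a file rather than on the daosmgr command
# line, and the file is created with mode 600 so other local accounts cannot
# read it during the short window before daosmgr deletes it.
# Arguments: path, credential name, access key id, secret access key.
write_cred_file() {
    path=$1; name=$2; key_id=$3; secret=$4
    ( umask 077
      printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
          "$name" "$key_id" "$secret" > "$path" )
    chmod 600 "$path"
}

# Read back the bracketed section name, which becomes the credential name
# in the store and is the name entered when enabling DAOS tier 2 storage.
cred_file_name() {
    sed -n '1s/^\[\(.*\)\]$/\1/p' "$1"
}
```

Source the script, then run fingerprints_match on the two saved console outputs before creating replicas of the credential store on other servers; a non-zero exit means the credential store was created with a different NEK than the one you exported. write_cred_file is meant to be run in the Domino data directory immediately before tell daosmgr S3 storecred, so the plaintext secret exists on disk only for that step.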