Bob,
 
Scale does not yet have a tool to perform a health-check on a key server, or an independent mechanism to retrieve keys.
 
One can use a command such as 'mmkeyserv key show' to retrieve the list of keys from a given SKLM server (and use that to determine whether the key server is responsive), but being able to retrieve a list of keys does not necessarily mean being able to retrieve the actual keys, as the latter goes through the KMIP port/protocol, and the former uses the REST port/API:
 
# mmkeyserv key show --server 192.168.105.146 --server-pwd /tmp/configKeyServ_pid11403914_keyServPass --tenant sklm3Tenant
KEY-ad4f3a9-01397ebf-601b-41fb-89bf-6c4ac333290b
KEY-ad4f3a9-019465da-edc8-49d4-b183-80ae89635cbc
KEY-ad4f3a9-0509893d-cf2a-40d3-8f79-67a444ff14d5
KEY-ad4f3a9-08d514af-ebb2-4d72-aa5c-8df46fe4c282
KEY-ad4f3a9-0d3487cb-a674-44ab-a7d0-1f68e86e2fc9
[...]
 
Having a tool that can retrieve keys independently from mmfsd would be a useful capability to have. Could you submit an RFE to request such a function?
 
Thanks,
 
  Felipe
 
----
Felipe Knop [email protected]
GPFS Development and Security
IBM Systems
IBM Building 008
2455 South Rd, Poughkeepsie, NY 12601
(845) 433-9314 T/L 293-9314
 
 
 
----- Original message -----
From: "Oesterlin, Robert" <[email protected]>
Sent by: [email protected]
To: gpfsug main discussion list <[email protected]>
Cc:
Subject: [EXTERNAL] [gpfsug-discuss] Encryption - checking key server health (SKLM)
Date: Wed, Feb 19, 2020 11:35 AM
 

I’m looking for a way to check the status/health of the encryption key servers from the client side - detecting if the key server is unavailable or can’t serve a key. I ran into a situation recently where the server was answering HTTP requests on the port but wasn’t returning the key. I can’t seem to find a way to check if the server will actually return a key.

 

Any ideas?

 

 

Bob Oesterlin

Sr Principal Storage Engineer, Nuance

 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss 
 
