
Securing MarkLogic Server

Set Up an External KMIP KMS with MarkLogic Server Encryption

To configure the external key management system using the MarkLogic Server Admin Interface on the MarkLogic Server host, you will need the following information for your external KMS:

  • Host name - the hostname of the key management system

  • Port number - the port number used to communicate with the KMS

  • Data encryption key ID (UUID generated by external KMS)

  • Configuration encryption key ID (UUID generated by external KMS)

  • Logs encryption key ID (UUID generated by external KMS)

The TLS certificates used to secure communication with the KMS must be stored locally on each host. By default, the files are expected in the MarkLogic Server data directory (/var/opt/MarkLogic) and must have the following names:

  • kmip-CA.pem - The root certificate of the CA that signed the certificate request for MarkLogic Server.

  • kmip-cert.pem - The certificate issued to MarkLogic Server, signed by that CA.

  • kmip-key.pem - The private key generated for MarkLogic Server that corresponds to the certificate in kmip-cert.pem. (Optional for some KMS servers.)

kmip-CA.pem is the Certificate Authority (CA) certificate at the root of the certificate chain for kmip-cert.pem; it can be a self-signed root operated by the enterprise or the root of an external CA. Copy these files into the MarkLogic Server data directory (/var/opt/MarkLogic). The location and names of these files can be changed by calling the admin functions; see Admin APIs for Encryption at Rest for details.

Note

These settings are cluster wide, so each individual host must have a local copy at the location specified.
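A pre-flight check for the files described above, added here as an example (not MarkLogic code): it confirms on the local host that kmip-CA.pem and kmip-cert.pem are present and PEM-encoded, that an optional kmip-key.pem is PEM-encoded, not group/world readable and actually matches the certificate, and that the KMS host and port accept a TCP connection. The restrictive key-file permission and the reachability probe are additions of this example, not requirements stated on the page, and the function names are assumed.

```python
import socket
import ssl
import stat
from pathlib import Path

# Default location and file names that MarkLogic expects (from the page).
DEFAULT_DATA_DIR = "/var/opt/MarkLogic"
CA_FILE, CERT_FILE, KEY_FILE = "kmip-CA.pem", "kmip-cert.pem", "kmip-key.pem"


def _has_pem_block(path, marker):
    """Cheap text check: does the file contain a PEM block of the given kind?"""
    try:
        return marker in path.read_text()
    except OSError:
        return False


def check_kmip_files(data_dir=DEFAULT_DATA_DIR):
    """Return a list of findings for this host; an empty list means the files look usable."""
    d = Path(data_dir)
    ca, cert, key = d / CA_FILE, d / CERT_FILE, d / KEY_FILE
    findings = [f"missing {p}" for p in (ca, cert) if not p.is_file()]
    if findings:
        return findings
    for p in (ca, cert):
        if not _has_pem_block(p, "-----BEGIN CERTIFICATE-----"):
            findings.append(f"{p}: not a PEM certificate")
    if key.is_file():  # absent key is allowed: optional for some KMS servers
        if not _has_pem_block(key, "PRIVATE KEY-----"):
            findings.append(f"{key}: not a PEM private key")
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & 0o077:  # assumption: only the MarkLogic user should read the key
            findings.append(f"{key}: private key is group/world readable (mode {mode:04o})")
    if findings or not key.is_file():
        return findings
    # Files look like PEM: have OpenSSL load CA, cert and key together; this fails
    # if the key does not match the certificate, which a KMS handshake would reject.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    try:
        ctx.load_verify_locations(cafile=str(ca))
        ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))
    except ssl.SSLError as exc:
        findings.append(f"OpenSSL rejected the CA/cert/key files: {exc}")
    return findings


def check_kms_reachable(host, port, timeout=3.0):
    """True if a TCP connection to the KMS host/port opens within the timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False
```

Run it on every host in the cluster, since the settings are cluster wide but the files are read locally.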