Securing MarkLogic Server

AWS KMS on EC2

If your cluster is running on AWS, the IAM role associated with the EC2 instance running MarkLogic Server is used to access the AWS KMS on behalf of MarkLogic Server. The hostname and port number will be automatically entered in the correct fields in the Keystore tab of the Admin Interface.

The key policy is tied to the user’s IAM role. To set up your IAM role and privileges, see Creating an IAM Role in the MarkLogic Server on Amazon Web Services (AWS) Guide.

Once you have set up your MarkLogic Server (and IAM roles if necessary), follow these steps:

  1. In AWS, navigate to the AWS IAM Management Console.

  2. Click Encryption keys at the bottom of the left navigation bar.

    AWS Screenshot illustrating the location of [Encryption keys]
  3. In the next screen, pick a region (in the same region as your MarkLogic Server instance).

  4. Create the key following the steps indicated. In the next step, be sure to give each key you create a descriptive name so that you can tell them apart.

  5. In the last step of this process, you can preview the key policy you just created. Be sure to authorize your MarkLogic Server instance to use the key.

    AWS Screenshot illustrating the Key Policy Preview page
  6. Click Previous to go back and make any changes, if necessary. Click Finish when you are done checking the Key policy you just created.

  7. From the AWS IAM Management Console, click Encryption keys in the left navigation bar again and open the list of encryption keys. Be sure to select, from the region drop-down, the same region you chose when creating the key; otherwise the key will not appear in the list.

  8. Find the key that you just created. Select and copy the key ID from the list. Repeat the process for the other keys.

    Note

    To separate the encryption keys for data, configuration, and log files, we recommend that you create three separate encryption keys. Give each type of key a descriptive name (for example, ML_data_key) for the type of content it will be used to encrypt.

  9. In the MarkLogic Server Admin Interface, open the cluster's Keystore tab and fill in the External KMS fields described below to identify the external KMS and the encryption keys it should use. Paste the appropriate encryption key ID into each key-ID field.

    Note

    We recommend that you create three separate encryption key IDs (one for data, one for configuration, and one for logs). Give each a descriptive name in order to help distinguish between them.

    Setting | Description
    ------- | -----------
    host name | The host name of the external Key Management Server (KMS).
    port | The external KMS client socket port number.
    external data encryption key id | The UUID that identifies the encryption key from the external KMS that is to be used to encrypt data files.
    external config encryption key id | The UUID that identifies the encryption key from the external KMS that is to be used to encrypt config files.
    external logs encryption key id | The UUID that identifies the encryption key from the external KMS that is to be used to encrypt log files.
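Step 5 asks you to check the key policy and authorize the MarkLogic Server instance to use the key. The following added example (not MarkLogic's or AWS's own code) builds such a key policy for an EC2 instance role and reviews it for the two mistakes worth catching before you attach it: a wildcard principal, and an instance role that can manage or delete the key rather than only use it. The account ID, role ARNs and the set of key-usage actions are assumptions; adjust them to your deployment.

```python
import json

# Constructed placeholder ARNs for this example; substitute your own.
ACCOUNT_ID = "123456789012"
KEY_ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdministrator"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MarkLogicInstanceRole"

# Assumption: the key-usage actions a KMS client needs to wrap and unwrap
# data keys. Grant usage only; key administration stays with the admin role.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                 "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
# Action prefixes that let a principal rewrite the policy or destroy the key.
MANAGEMENT_PREFIXES = ("kms:Put", "kms:Schedule", "kms:Delete", "kms:Disable")


def build_key_policy(instance_role_arn, key_admin_arn):
    """Key policy: the admin role manages the key, the instance role only uses it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": key_admin_arn}, "Action": ADMIN_ACTIONS, "Resource": "*"},
        {"Sid": "MarkLogicKeyUsage", "Effect": "Allow",
         "Principal": {"AWS": instance_role_arn}, "Action": USAGE_ACTIONS, "Resource": "*"},
    ]}


def review_key_policy(policy, instance_role_arn):
    """Return human-readable findings; an empty list means the policy passed review."""
    findings, usage_found = [], False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = principal if principal == "*" else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "*" in arns:
            findings.append(f"{stmt.get('Sid')}: wildcard principal grants every AWS identity")
        if instance_role_arn in arns:
            usage_found = True
            if any(a in ("*", "kms:*") or a.startswith(MANAGEMENT_PREFIXES) for a in actions):
                findings.append(f"{stmt.get('Sid')}: instance role can manage or delete the key")
    if not usage_found:
        findings.append("no statement authorizes the MarkLogic instance role to use the key")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(INSTANCE_ROLE_ARN, KEY_ADMIN_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", review_key_policy(policy, INSTANCE_ROLE_ARN))
```

Run the review against the policy preview from step 5 for each of the three keys (data, configuration, logs) before clicking Finish.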

For more about IAM roles and privileges, see Creating an IAM Role in the MarkLogic Server on Amazon Web Services (AWS) Guide. To learn more about using MarkLogic Server with Amazon Web Services, see the MarkLogic Server on Amazon Web Services (AWS) Guide.