Securing MarkLogic Server

Keystores - PKCS #11 Secured Wallet or External KMS

A keystore is a secure location where the actual encryption keys used to encrypt data are stored. The keystore for encryption at rest is a key management system (KMS). This keystore can be either the MarkLogic Server embedded PKCS #11 secured wallet, an external KMS that conforms to the KMIP-standard interface, or the native AWS KMS (Amazon Web Services Key Management System). The embedded keystore is installed by default when you install MarkLogic Server 9.0-x or later.

The MarkLogic Server embedded wallet uses the standard PKCS #11 protocol and its APIs. Whichever keystore you choose, the embedded wallet or an external KMS, must be available during the MarkLogic Server startup process (or be bootstrapped by MarkLogic Server during startup), because the keys are needed before encrypted data can be read. Any KMIP-compliant external keystore can be used with MarkLogic Server, as can the native AWS KMS.

To configure an external KMS you will need the following information for your cluster:

  • Host name

  • Port number

  • Client certificate

  • Server certificate

If you are using the native AWS KMS, you do not need the client certificate or the server certificate; you still need the host name and port number.

Note

If you plan to use an external key management system, configure the external KMS first, then turn on encryption in MarkLogic Server.

For details, see Configuring an External Keystore.
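As an added illustration (not MarkLogic's own code, and not its configuration keys), the following Python checks that the information listed above has been collected for the chosen keystore type and, for a KMIP-compliant KMS, opens a mutually authenticated TLS session to confirm the KMS is reachable before encryption is turned on. The field names, host, port and certificate paths are assumed placeholders.

```python
import socket
import ssl

# Added example, not MarkLogic code. Keystore types follow the page: the embedded
# PKCS #11 wallet, a KMIP-compliant external KMS, or the native AWS KMS.
# The field names below are assumptions, not MarkLogic configuration keys.
REQUIRED = {
    "embedded": [],                                    # wallet installed by default
    "kmip": ["host", "port", "client_cert", "server_cert"],
    "aws": ["host", "port"],                           # AWS KMS needs no certificates
}


def missing_items(kms_type, cfg):
    """Return the checklist items still missing for the chosen keystore type."""
    if kms_type not in REQUIRED:
        raise ValueError(f"unknown keystore type: {kms_type}")
    return [item for item in REQUIRED[kms_type] if not cfg.get(item)]


def probe_kmip(cfg, timeout=5.0):
    """Open a mutually authenticated TLS session to an external KMS and return
    the subject of the certificate it presented.

    Run this before turning on encryption: the KMS must be reachable when
    MarkLogic Server starts. cfg['server_cert'] (PEM) is the trust anchor used
    to verify the KMS; cfg['client_cert'] (PEM with private key) is presented
    as this cluster's identity.
    """
    ctx = ssl.create_default_context(cafile=cfg["server_cert"])
    ctx.load_cert_chain(cfg["client_cert"])
    with socket.create_connection((cfg["host"], cfg["port"]), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=cfg["host"]) as tls:
            # getpeercert()["subject"] is a tuple of RDNs, each a tuple of (key, value)
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    # Constructed sample values; host and paths are placeholders.
    sample = {"host": "kms.example.internal", "port": 5696,
              "client_cert": "/path/to/client.pem",
              "server_cert": "/path/to/kms-ca.pem"}
    print("missing for kmip:", missing_items("kmip", sample))
    print("missing for aws:", missing_items("aws", {"host": sample["host"]}))
    # probe_kmip(sample) would be run once the KMS and certificates are in place
```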