
Securing MarkLogic Server

Set Up the External KMS

In most cases, the external KMS is configured by a security administrator, a role separate from the MarkLogic Server admin role. In some deployments, however, the same person holds both the security administrator and the MarkLogic admin role.

If you do not already have an external KMS configured and running, set it up through the appliance's own interface before turning on MarkLogic Server encryption. The exact setup steps depend on which KMIP-compliant external KMS you are using.

Make sure that:

  • The external key management system is set up, running, and provisioned first to use KMIP 1.2, before you configure MarkLogic Server encryption.

  • To secure communications between the KMS and MarkLogic Server, obtain the required certificates: the KMIP TLS certificate, the CA certificate of the KMS, and the client private key (optional for some KMS servers).

The security administrator can enable encryption for user data, configuration files, and/or logs, either per cluster or per database. You must use the administration tools that come with the external KMS to set up the external keystore.

Note

The external key management system (KMS) must be available during the MarkLogic Server startup process. Access to the external KMS must be granted to all nodes in the cluster.
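Before enabling encryption, it is worth confirming on every node that the prerequisites above actually hold: the KMS answers on its KMIP port, its certificate chains to the CA you obtained, and the client certificate and key (if your KMS requires them) are readable. The following pre-flight script is an added example, not part of the MarkLogic documentation; it assumes `openssl` is installed on the node and that the KMS listens on the standard KMIP port 5696 (pass a different port if yours differs).

```shell
#!/bin/sh
# kmip_preflight HOST [PORT] CA_FILE [CLIENT_CERT CLIENT_KEY]
# Return codes: 0 = TLS handshake succeeded and the KMS chain verified against CA_FILE
#               1 = handshake or verification failed (details on stderr)
#               2 = missing or unreadable inputs, 3 = openssl not installed
kmip_preflight() {
  host=$1; port=${2:-5696}; ca=$3; cert=$4; key=$5   # 5696 is the assumed KMIP default
  [ -n "$host" ] || { echo "usage: kmip_preflight host [port] ca.pem [client.pem client.key]" >&2; return 2; }
  [ -r "$ca" ] || { echo "KMS CA certificate not readable: $ca" >&2; return 2; }
  # The client key is optional for some KMS servers, but if one half is given both must exist.
  if [ -n "$cert" ] || [ -n "$key" ]; then
    [ -r "$cert" ] && [ -r "$key" ] || { echo "client cert and key must both be readable" >&2; return 2; }
  fi
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found on this node" >&2; return 3; }

  # -verify_return_error makes s_client fail (non-zero exit) when the KMS chain does not
  # validate against the CA, instead of merely printing a warning.
  set -- -connect "$host:$port" -servername "$host" -CAfile "$ca" -verify_return_error
  [ -n "$cert" ] && set -- "$@" -cert "$cert" -key "$key"

  # </dev/null closes stdin so s_client exits right after the handshake.
  if out=$(openssl s_client "$@" </dev/null 2>&1); then
    echo "$host:$port OK: $(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1)"
    return 0
  fi
  echo "$host:$port FAILED (check firewall, KMIP port, CA file, client cert):" >&2
  printf '%s\n' "$out" | grep -E 'Verify return code|error|alert' >&2
  return 1
}

# Typical use on one node; repeat on every node in the cluster, since all of them
# must reach the KMS at startup (hostnames below are placeholders):
# kmip_preflight kms.example.internal 5696 /etc/marklogic/kms-ca.pem \
#                /etc/marklogic/client.pem /etc/marklogic/client.key
```

A non-zero result from any node means that node would be unable to obtain keys at startup; fix reachability or the certificate material before turning encryption on.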