Creating the credential store application in a cluster

You use Keymgmt commands at the Domino® server console to set up the credential store application (credstore.nsf). When the application is used in a cluster, you also create replicas of it on each server.

About this task

Setting up the application includes the following tasks:
  • creating the document encryption key in the Domino® server's ID file
  • exporting the document encryption key and importing it into the ID files of the other servers in the cluster
  • creating the credential store application and assigning the document encryption key to it
  • checking whether the credential store exists and includes the document encryption key
  • creating replicas of the credential store on each server in the cluster
The console commands create the application from the websecuritystore.ntf template.
Restriction: Do not use this template to create the database manually.
Tip: The console commands use the abbreviation nek for named encryption key, which is another term for the document encryption key.

You perform all of the following steps at the Domino® server console, and you can check the key fingerprints displayed either in the console itself or in the server console log.

Procedure

  1. At the server console for the first Domino® server in the cluster, use the keymgmt create nek command to create the document encryption key in the Domino® server ID file. For syntax and examples, see the related topics.
  2. Take note of the displayed fingerprint for the key, and make sure you see the message: NEK credstorekey created successfully.
  3. Use the keymgmt export nek command to create a local file that contains the key. For syntax and examples, see the related topics.
  4. Make sure the displayed fingerprint matches the one you made note of in the previous step, and make sure you see the message: NEK credstorekey exported successfully.
  5. Copy the key file to all servers in the cluster.
  6. At the console on each of the other servers, use the keymgmt import nek command to import the document encryption key from the file you created into the ID file of each server. For syntax and examples, see the related topics.
  7. Make sure the displayed fingerprint matches the one you made note of in the previous steps, and make sure you see the message: NEK credstorekey imported successfully.
  8. Back on the original server, use the keymgmt create credstore command to create the credential store application and to assign the document encryption key. For syntax and examples, see the related topics.
  9. Make sure the displayed fingerprint matches the one you made note of in the previous steps.
  10. Make sure the Domino® server \data directory now contains an \IBM_CredStore subdirectory.
  11. Make sure credstore.nsf exists in that directory.
  12. Create replicas of the credstore.nsf in a \data\IBM_CredStore directory on the rest of the servers in the cluster.
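Steps 2, 4, 7 and 9 all come down to one check: every fingerprint that keymgmt prints, on every server, must equal the one shown when the key was first created, and each server must have logged the expected success message. The script below is an added example (not HCL's code and not part of the original topic) that performs that check over saved console log excerpts from each server. It assumes a console log layout in which each message is one timestamped line and the fingerprint is printed on a following line containing the word "fingerprint"; only the three "NEK credstorekey ... successfully" messages are taken from the procedure, everything else (server names, timestamps, fingerprint values, the fingerprint line format) is constructed and will need adjusting to the real output.

```python
"""Cross-check keymgmt fingerprints across a Domino cluster (added example, not HCL's code).

Assumed console log format: one timestamped line per message; the key fingerprint
is assumed to appear on a line containing 'fingerprint' right after the keymgmt
message. Adjust FP_RE if the real output differs.
"""
import re

# Success messages quoted from the procedure (steps 2, 4 and 7).
STEP_MESSAGES = {
    "created": "NEK credstorekey created successfully",
    "exported": "NEK credstorekey exported successfully",
    "imported": "NEK credstorekey imported successfully",
}

# Assumed fingerprint line, e.g. "Fingerprint: A1B2 C3D4 ..."; hex groups may be
# separated by spaces or colons.
FP_RE = re.compile(
    r"fingerprint\s*[:=]?\s*([0-9A-Fa-f]{2}(?:[ :]?[0-9A-Fa-f]{2})+)", re.IGNORECASE
)


def normalize(fp):
    """Canonical form so 'a1b2 c3d4' and 'A1:B2:C3:D4' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_console_log(text):
    """Return (step, fingerprint) pairs in log order.

    step is the most recent keymgmt success message seen before the fingerprint
    line, or 'unlabelled' if none, which covers the fingerprint shown by
    keymgmt create credstore (step 9), whose message text the procedure does not quote.
    """
    events, pending = [], "unlabelled"
    for line in text.splitlines():
        for step, msg in STEP_MESSAGES.items():
            if msg in line:
                pending = step
        m = FP_RE.search(line)
        if m:
            events.append((pending, normalize(m.group(1))))
            pending = "unlabelled"
    return events


def check_cluster(logs, origin):
    """logs: {server name: console log text}; origin: server where the key was created.

    Returns (ok, reference_fingerprint, problems). The reference is the fingerprint
    logged with the 'created' message on the origin server; every other fingerprint
    on any server must match it, the origin must have exported the key, and every
    other server must have imported it.
    """
    problems = []
    by_server = {s: parse_console_log(t) for s, t in logs.items()}
    steps = {s: {step for step, _ in ev} for s, ev in by_server.items()}

    created = [fp for step, fp in by_server.get(origin, []) if step == "created"]
    if not created:
        return False, None, [f"{origin}: no 'created' message with a fingerprint"]
    ref = created[0]

    if "exported" not in steps.get(origin, set()):
        problems.append(f"{origin}: key was never exported")
    for server in logs:
        if server != origin and "imported" not in steps[server]:
            problems.append(f"{server}: key was never imported")
        for step, fp in by_server[server]:
            if fp != ref:
                problems.append(f"{server}: {step} fingerprint {fp} != reference {ref}")
    return not problems, ref, problems


# Constructed sample logs for a three-server cluster. mail3 was given a stale key
# file, so its imported fingerprint differs in the last group.
GOOD_FP = "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90"
STALE_FP = "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 0000"

SAMPLE_LOGS = {
    "mail1/Acme": f"""03/14/2024 09:12:01 AM  NEK credstorekey created successfully
03/14/2024 09:12:01 AM  Fingerprint: {GOOD_FP}
03/14/2024 09:13:40 AM  NEK credstorekey exported successfully
03/14/2024 09:13:40 AM  Fingerprint: {GOOD_FP}
03/14/2024 09:30:12 AM  Fingerprint: {GOOD_FP}
""",
    "mail2/Acme": f"""03/14/2024 09:21:07 AM  NEK credstorekey imported successfully
03/14/2024 09:21:07 AM  Fingerprint: {GOOD_FP}
""",
    "mail3/Acme": f"""03/14/2024 09:22:55 AM  NEK credstorekey imported successfully
03/14/2024 09:22:55 AM  Fingerprint: {STALE_FP}
""",
}

if __name__ == "__main__":
    ok, ref, problems = check_cluster(SAMPLE_LOGS, "mail1/Acme")
    print("reference fingerprint:", ref)
    print("cluster consistent" if ok else "PROBLEMS:\n  " + "\n  ".join(problems))
```

Run it once after step 12 with each server's console log pasted into the dictionary; a mismatch names the server and the step, so you know which ID file has to be re-imported before any server opens credstore.nsf with the wrong key.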