Creating a shared key in a credential store

To share a key to be used to encrypt DAOS objects across servers, create a shared key in a credential store.

Before you begin

  • Make sure that the design of the Domino credential store database (credstore.nsf in the IBM_CredStore directory) has been refreshed with the websecuritystore.ntf template provided with Domino 12 or later.
  • A credential store is a required part of configuring DAOS tier 2 storage. If you do not use tier 2 storage and do not already use a credential store, create a credential store on the participating servers. For information, see Using a credential store to store credentials.
  • A credential store may be scoped to a single server or to a cluster. For a cluster-scoped store, ensure that the server on which the credential store is created is already a member of the cluster at the time the store is created. If the credential store is clustered and the scope of your DAOS object sharing is within that same cluster, you only need to create the shared key in one replica of the credential store; it then replicates across the cluster. If the scope of your DAOS object sharing is wider (for example, across multiple clusters), create the shared key in one credential store, then export it and import it into the other credential stores.
  • If the credential store is used across a cluster, make sure to replicate the credstore.nsf to all servers in the cluster.

About this task

You can choose AES-128 or AES-256 encryption for the shared key. AES-128 provides strong security. AES-256 provides a larger security margin but may cause a small decrease in performance during object encryption and decryption, because it performs more cipher rounds per block.

Procedure

  1. To create the shared key in credstore.nsf, enter one of the following commands from the console of any Domino server that uses the credential store:
    To use AES-128 encryption:
    keymgmt create sharedkey <keyname> 
    To use AES-256 encryption:
    keymgmt create sharedkey <keyname> 256
    For example, to create a shared key called MyCluster_AES_128 that uses AES 128-bit encryption, enter:
    keymgmt create sharedkey MyCluster_AES_128
  2. The command output shows the hash of the shared key, which uniquely identifies the key to DAOS. Optionally, enter the following command to verify that the shared key was created:
    keymgmt show sharedkey <keyname>
    Or, enter this command to verify all the current shared keys:
    keymgmt show sharedkey all
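    The following Go program is an added illustration of the two choices the procedure above asks you to make, the AES-128 versus AES-256 trade-off and the fact that a shared key is identified by a hash of its material rather than by its name. It is not HCL code and does not model how DAOS or keymgmt actually store or encrypt anything: the GCM mode, the SHA-256 fingerprint and the 1 MiB "object" are all assumptions made for the example. It goes beyond the page by timing encryption under each key size so you can see the performance difference on your own hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SharedKey models a shared key as an administrator-chosen name plus raw AES
// key material. The key size is decided when the key is generated.
type SharedKey struct {
	Name string
	Key  []byte
}

// NewSharedKey generates random key material. Like the keymgmt command on the
// page, it accepts only 128 or 256 bits and rejects anything else.
func NewSharedKey(name string, bits int) (*SharedKey, error) {
	if bits != 128 && bits != 256 {
		return nil, fmt.Errorf("unsupported AES key size %d: choose 128 or 256", bits)
	}
	key := make([]byte, bits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &SharedKey{Name: name, Key: key}, nil
}

// Fingerprint returns a hex SHA-256 of the key material. This is an assumed
// stand-in for the hash the console prints: it depends on the key bytes only,
// so two credential stores holding the same key show the same value whatever
// name each administrator gave it.
func (k *SharedKey) Fingerprint() string {
	sum := sha256.Sum256(k.Key)
	return hex.EncodeToString(sum[:])
}

// Seal encrypts an object with AES-GCM under the shared key and prepends the
// random nonce to the ciphertext. GCM is an assumption, not DAOS's mode.
func (k *SharedKey) Seal(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Decrypting with a different shared key fails the GCM
// authentication check instead of returning garbage.
func (k *SharedKey) Open(sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TimeSeal encrypts buf `rounds` times and returns the elapsed time, so the
// AES-128 and AES-256 costs can be compared on the same machine.
func TimeSeal(k *SharedKey, buf []byte, rounds int) time.Duration {
	start := time.Now()
	for i := 0; i < rounds; i++ {
		_, _ = k.Seal(buf)
	}
	return time.Since(start)
}

func main() {
	obj := make([]byte, 1<<20) // constructed 1 MiB stand-in for a DAOS object
	for _, bits := range []int{128, 256} {
		k, err := NewSharedKey(fmt.Sprintf("MyCluster_AES_%d", bits), bits)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s fingerprint %s...\n", k.Name, k.Fingerprint()[:16])
		fmt.Printf("  20 x 1 MiB seal: %v\n", TimeSeal(k, obj, 20))
	}
	if _, err := NewSharedKey("bad", 192); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

    The fingerprint check is the property worth carrying back to the procedure: when you export a shared key from one credential store and import it into another, compare the hash that keymgmt show sharedkey prints on both sides, not the key name.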

What to do next