Creating the credential store application in a cluster

Use keymgmt commands at the Domino® server console to set up the credential store application (credstore.nsf) for all servers in a cluster.

About this task

All servers in a cluster must share one credential store application that is replicated.

The console commands described in this task create the credential store database from the websecuritystore.ntf template. Do not use this template to create the database manually. Do not change the file name of the credential store.

Procedure

  1. Set up the credential store application on one server in the cluster:
    1. From the server console, use the following command to create a named encryption key (NEK), which is stored in the server ID file. Domino® uses this key to encrypt the credentials that are stored in the credential store, so the key must be the same on every server that hosts a replica.
      keymgmt create nek <nekname>
      where <nekname> is a name you give the key. For example:
      keymgmt create nek credstorekey
    2. Verify that you see a message in the server console log similar to the following one indicating that the key is created successfully:
      
      [5558:0006-4A64] 06/12/2020 09:06:18.27 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
      [5558:0006-4A64] NEK credstorekey created successfully
      
    3. Make note of the displayed fingerprint for the key.
    4. From the server console, use the following command to create the credential store application and encrypt it using the key you created:
      keymgmt create credstore <nekname>
      For example:
      keymgmt create credstore credstorekey
      Verify that:
      • The fingerprint matches the one you noted in Step 1c.
      • The database credstore.nsf is created in the Domino® \data\IBM_CredStore directory.
  2. Set up the credential store application on the other servers in the cluster:
    1. From the server console of the server on which you created the credential store, enter the following command to export the key from the server ID file to a key file in the Domino program directory:
      keymgmt export nek <nekname> <nekname>.key <password>
      where <nekname> is the key name, <nekname>.key is the name of the key file to create, and <password> is a password for the key file.
      For example:
      keymgmt export nek credstorekey credstorekey.key passw0rd
    2. Verify that you see a message similar to the following one indicating that the export was successful:
      [5558:0006-4A64] 06/12/2020 09:07:42.69 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
      [5558:0006-4A64] NEK credstorekey exported successfully
    3. Copy the key file to the program directory of the other servers in the cluster. The key file contains the NEK that protects every credential in the store and is guarded only by the password you chose, so use a strong password rather than the placeholder shown in the example, transfer the file over a secure channel, and delete it from every server once the import has succeeded.
    4. At the console of each of the other servers in the cluster, enter the following command to import the named encryption key into that server's ID file:
      keymgmt import nek overwrite <nekname>.key <password>
      where <nekname>.key is the name of the key file and <password> is the password for the key file. For example:
      keymgmt import nek overwrite credstorekey.key passw0rd
    5. Verify that you see a message similar to the following one indicating that the import was successful:
      [5558:0006-4A64] 06/12/2020 09:09:28.40 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
      [5558:0006-4A64] NEK credstorekey imported successfully
    6. Verify that the fingerprint reported on each importing server matches the one you noted in Step 1c. Then create a replica of \data\IBM_CredStore\credstore.nsf from the original server on each of the other servers in the cluster, keeping the file name and directory unchanged.
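The check the procedure relies on is that the NEK fingerprint printed by keymgmt create, export and import is identical on every server before credstore.nsf is replicated; a server whose ID file holds a different key cannot decrypt the replicated credentials. The following script is an added example, not part of the HCL Domino documentation or the keymgmt tool: it extracts the fingerprint line from captured console output and compares it across servers. It assumes you have saved each server's console output to text (for example from the console log) and that the "NEK <name> - Fingerprint ..." line has the ten-group format shown above; the sample log text is constructed here, and the third server's fingerprint is made up to show a mismatch.

```bash
#!/bin/sh
# Added example (not HCL Domino code): compare the NEK fingerprint reported by
# "keymgmt ... nek" across the console output of every server in the cluster.
set -eu

# Print the fingerprint of NEK $1 found in the console log text $2, or print
# nothing when the log has no matching line. keymgmt prints the fingerprint
# as ten groups of four upper-case hex digits; the last occurrence wins, so a
# log holding both a create and a later export reports the export line.
nek_fingerprint() {
    nekname="$1"
    logtext="$2"
    printf '%s\n' "$logtext" |
        grep -E "NEK ${nekname} - Fingerprint [0-9A-F]{4}( [0-9A-F]{4}){9}" |
        sed -E 's/.*Fingerprint ([0-9A-F]{4}( [0-9A-F]{4}){9}).*/\1/' |
        tail -n 1
}

# Return 0 when every console log in $2.. reports the same fingerprint for
# NEK $1, and 1 when any log lacks the line or reports a different value.
# A missing line is treated as a failure: an import that printed no
# fingerprint did not put the key into that server's ID file.
nek_fingerprints_match() {
    nekname="$1"
    shift
    expected=""
    for logtext in "$@"; do
        fp=$(nek_fingerprint "$nekname" "$logtext")
        [ -n "$fp" ] || return 1
        if [ -z "$expected" ]; then
            expected="$fp"
        elif [ "$fp" != "$expected" ]; then
            return 1
        fi
    done
    return 0
}

# Constructed sample console output. Servers A and B use the fingerprint
# shown in the procedure; server C's fingerprint is invented for the mismatch case.
LOG_SERVER_A='[5558:0006-4A64] 06/12/2020 09:06:18.27 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
[5558:0006-4A64] NEK credstorekey created successfully
[5558:0006-4A64] 06/12/2020 09:07:42.69 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
[5558:0006-4A64] NEK credstorekey exported successfully'
LOG_SERVER_B='[7210:0006-1B3C] 06/12/2020 09:09:28.40 AM NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
[7210:0006-1B3C] NEK credstorekey imported successfully'
LOG_SERVER_C='[7311:0006-2C4D] 06/12/2020 09:11:02.13 AM NEK > NEK credstorekey - Fingerprint 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
[7311:0006-2C4D] NEK credstorekey imported successfully'

# Stand-alone run: report whether the cluster is ready for replication.
if nek_fingerprints_match credstorekey "$LOG_SERVER_A" "$LOG_SERVER_B"; then
    echo "A and B: NEK fingerprints match; safe to replicate credstore.nsf"
fi
if ! nek_fingerprints_match credstorekey "$LOG_SERVER_A" "$LOG_SERVER_C"; then
    echo "A and C: NEK fingerprint mismatch; do not replicate credstore.nsf yet" >&2
fi
```

Feed it real output by replacing the LOG_SERVER_* strings with `$(cat console-A.txt)` and so on; any server that fails the check needs the export and import repeated before it receives a replica of credstore.nsf.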