Configuring a credential store for DAOS tier 2 storage

Before you enable DAOS tier 2 storage, configure a Domino® credential store to store the credentials that are used for connections to the storage service.

About this task

Starting in Domino 12, you can also use the credential store to store shared keys that are used to encrypt attachment objects. If you use tier 2 storage, attachment objects encrypted with a shared key resolve to a single object in tier 2 that all participating servers share. For more information, see Using a shared key to encrypt DAOS objects across servers.

Prerequisite: The AWS IAM credential must have the following minimum permissions on the S3 bucket:
  • Permission: s3:ListBucket
  • Scope: Bucket root

Procedure

  1. Refer to your storage service vendor documentation. Create credentials for Domino® to use to connect to the storage service. (Your storage service may do this step for you).
  2. Refer to your storage service vendor documentation. Create a bucket for Domino® to use. (Your storage service may do this step for you). Multiple Domino® servers can use the same bucket. You can use any name for a bucket. The following AWS command example creates a bucket named aws-hcl-dominocos at the endpoint us-east-1: 
    aws s3api create-bucket --bucket aws-hcl-dominocos --region us-east-1
  3. Create a Domino credential store to securely store the credentials used to connect to the storage service.
    • If you already use a credential store (typically IBM_CredStore\credstore.nsf), you can use it to store the storage service credentials if you replace the design with the websecuritystore.ntf provided with Domino 12 or a later version.
    • Setting up multiple Domino servers to be in one Domino cluster and to share one bucket is recommended because it simplifies management of the credential store and credential store key.
    • For information in setting up a credential store, see Using a credential store to store credentials.
  4. Complete the following steps to add the storage service credentials to the Domino® credential store:
    1. Create a text file, for example, dominocred.txt, that contains the service credentials you created in Step 1. For example: 
      [dominocos]
aws_access_key_id = AWDOTJVLSIIGTJ7SJ489F
aws_secret_access_key = Flx9zD25RvyKQDKq5PjM521akIfPxtcaleW7Mtn

      The name in brackets [dominocos] is used as the name of the credential in the credential store. You specify this name when you complete the procedure Enabling DAOS tier 2 storage.

    2. From the server console of a DAOS server, use the following command to add the credentials to the Domino® credential store. 
      tell daosmgr S3 storecred <filename>
      where <filename> is the name of the text file with the credentials.
      For example: 
      tell daosmgr S3 storecred dominocred.txt

      The credentials are added to the credential store with the named credential, for example, dominocos. The text file is deleted when the command completes. No credentials are visible at the console or in log files.

What to do next

Enable DAOS tier 2 storage