Step 4: Create the Data Fabric KMIP Group and User for the Cluster

Describes how to create the KMIP group and user to store cluster keys on the ESKM server.

You now need to create a KMIP user/object group pair to store your keys. KMIP keys for data-fabric are cluster-specific, so create a separate KMIP user/object group pair for each cluster: a KMIP user can only reach the objects in its own object group, which keeps each cluster from accessing another cluster's keys.

Create the Cluster-Specific Data Fabric KMIP Group

To create a cluster-specific KMIP group:

  1. Navigate to Security > Local Users & Groups > Local Groups and click Add.
  2. Enter the name of the group in the format mapr-<cluster> where <cluster> is the cluster name.
  3. In the drop-down box for the Group Type, select KMIP.
  4. Click Next.

    The system displays a confirmation page to create two KMIP groups:

    • A KMIP user group called mapr-<cluster>_user

    • A KMIP object group called mapr-<cluster>

  5. Click Save.

    The system creates two KMIP groups. In this example, the data-fabric cluster is named my.cluster.com, so the system creates the object group mapr-my.cluster.com and the user group mapr-my.cluster.com_user.



Create the Data Fabric KMIP User for the Cluster

To create the KMIP user:

  1. Navigate to Security > Local Users & Groups > Local Users and click Add. The Create Local User page appears.
  2. Enter the information for the local user:
    1. The user name must exactly match the CN (Common Name) in the subject of the client certificate, because ESKM identifies the KMIP client by that certificate. In the example, the CN of the client certificate is maprkmipclient1, so the user name is also maprkmipclient1.
    2. The User Administration Permission and Change Password Permission fields do not apply to KMIP groups, so leave these unchecked.
    3. Check the Enable KMIP option.
    4. Leave the Map non-existent Object Group to x-Object Group option unchecked.
    5. Set the KMIP User Group to the user group that you created earlier. In this example, the user group is mapr-my.cluster.com_user.
    6. Set the KMIP Object Group to the object group that you created earlier. In this example, the object group is mapr-my.cluster.com.
    7. In the KMIP Client Certificate field, paste the contents of the signed client certificate that you copied to your clipboard.
  3. Click Create. The system creates the KMIP user (maprkmipclient1 in this example), and returns to the Local Users listing.


At the end of this phase, you should have the following files, which are needed to set up your data-fabric KMIP client, in addition to the list of IP addresses and the port number of the key management appliances:
  • The CA certificate used to sign the client certificate. This is the local CA certificate downloaded from the ESKM.
  • The signed client certificate, which was signed by the KeySecure local CA and downloaded from the ESKM.
  • The client private key, which was generated with OpenSSL.
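Before the signed certificate is pasted into the KMIP Client Certificate field, and again before the three files are copied to the CLDB node, it is worth confirming that they belong together: that the CN is the user name you created, that the certificate chains to the downloaded local CA, and that the private key is the one the CSR was generated from. The following script is an added example, not ESKM or data-fabric tooling; it uses only standard openssl subcommands. The file names ca.pem, client.pem and client.key and the "Sample ESKM Local CA" name are assumptions, and make_sample_bundle mints a throwaway CA and client certificate only so the checks can be exercised offline (in a real setup you would point the checks at the files downloaded from the ESKM).

```shell
#!/bin/sh
# Pre-flight checks on the KMIP client bundle (local CA cert, signed client
# cert, client private key). Added example; not part of the ESKM or
# data-fabric product. File names and the sample CA name are assumptions.

# Print the CN from the certificate subject (RFC2253 puts CN first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_kmip_client_bundle CA CERT KEY EXPECTED_CN
# Returns 0 only if every check passes; prints the first failing check.
check_kmip_client_bundle() {
    ca="$1"; cert="$2"; key="$3"; want_cn="$4"

    # 1. The local user name on the ESKM must equal the certificate CN.
    cn=$(cert_cn "$cert")
    [ "$cn" = "$want_cn" ] || {
        echo "FAIL: certificate CN '$cn' != KMIP user name '$want_cn'" >&2; return 1; }

    # 2. The certificate must chain to the CA downloaded from the ESKM.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }

    # 3. The private key must match the public key in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2; return 1; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $cert has expired" >&2; return 1; }

    echo "OK: $cert (CN=$cn) chains to $ca and matches $key"
    return 0
}

# make_sample_bundle DIR CN
# Constructed test fixture only: a throwaway CA standing in for the ESKM
# local CA, plus a client key/CSR/cert signed by it.
make_sample_bundle() {
    dir="$1"; cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Sample ESKM Local CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1
}

# Usage: sh check_kmip_bundle.sh ca.pem client.pem client.key maprkmipclient1
if [ "$#" -eq 4 ]; then
    check_kmip_client_bundle "$@"
fi
```

Run it with the three downloaded files and the user name you typed into the Create Local User page; any FAIL line means the ESKM will either reject the TLS handshake or map the client to a user that does not own the cluster's object group.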

Continue the setup on the data-fabric CLDB node using the configure.sh script with the HSM parameters, or the mrhsm commands.