Before you enable DAOS tier 2 storage, configure a Domino® credential store to store the credentials that are used for connections to the storage service.

Procedure

1. Refer to your storage service vendor documentation. Create credentials for Domino to use to connect to the storage service. (Your storage service may do this step for you).

2. Refer to your storage service vendor documentation. Create a bucket for Domino to use. (Your storage service may do this step for you). Multiple Domino servers can use the same bucket. You can use any name for a bucket. The following AWS command example creates a bucket named aws-hcl-dominocos at the endpoint us-east-1:

aws s3api create-bucket --bucket aws-hcl-dominocos --region us-east-1

To create a Domino credential store on a Dominoserver:

a. From the server console, use the following command to create a named encryption key (NEK) which is added to the server ID file. Domino uses the key to encrypt the credentials that are stored in the credential store.


KEYMGMT CREATE NEK <named key>

where <named key> is a name you give the key. For example:

KEYMGMT CREATE NEK credstorenek

• Verify that you see a message in the server console log similar to the following one, indicating that the key is created successfully:

  [024C:0008-3848] 04/16/2019 05:04:13.06 PM NEK > NEK credstorenek - Fingerprint 44A5 624A 65CD 1771 F274 4779 C7AB 2FE0 9671 BB30[024C:0008-3848] NEK credstorenek created successfully

• Make a note of the displayed fingerprint for the key.
.

b. From the server console, use the following command to create a credential store using the NEK you created.

KEYMGMT CREATE CREDSTORE <nek>

For example:

KEYMGMT CREATE CREDSTORE credstorenek

Verify that:

• The Fingerprint matches the one you noted in the previous step.
• The database credstore.nsf is created in the Domino\data\IBM_CredStore directory.

Note: Setting up multiple Domino servers to be in one Domino cluster and to share one bucket is recommended because it simplifies management of the credential store and credential store key.

a. From the server console of the server on which you created the credential store, enter the following command to export the NEK from the server ID file to a key file in the Domino data directory:


KEYMGMT EXPORT NEK <nek> <nek>.key <password>

For example:

KEYMGMT EXPORT NEK credstorenek credstorenek.key passw0rd


b. Copy the key file, for example, credstorenek.key, to the Domino data directory on the other Domino servers.

c. From the server console of each additional Domino server, enter the following command to import the NEK into the server.id file:


KEYMGMT IMPORT NEK <nek>.key <password>

For example:

KEYMGMT IMPORT NEK credstorenek.key passw0rd


d. Create a replica of the credential store database on each additional Domino server.

a. Create a text file, for example, dominocred.txt, that contains the service credentials you created in Step 1. For example:

[dominocos]aws_access_key_id = AWDOTJVLSIIGTJ7SJ489Faws_secret_access_key = Flx9zD25RvyKQDKq5PjM521akIfPxtcaleW7Mtn

The name in brackets [dominocos] is used as the name of the credential in the credential store. You specify this name when you complete the procedure Enabling DAOS tier 2 storageAfter you configure the credential store, enable DAOS tier 2 storage on Domino servers. Follow the procedure that corresponds to your storage service..


b. From the server console of a DAOS server, use the following command to add the credentials to the Domino credential store.

tell daosmgr S3 storecred <filename>

where<filename> is the name of the text file with the credentials.

For example:

tell daosmgr S3 storecred dominocred.txt

The credentials are added to the credential store with the named credential, for example, dominocos. The text file is deleted when the command completes. No credentials are visible at the console or in log files.

Related tasks
Enabling DAOS tier 2 storage
Tell daosmgr commands for tier 2 storage

Related reference
DAOS tier 2 best practices

Help on Help

All Help Contents

Help on Help