MTG KMS BYOK Tool Application configuration
Configuration file
The application is configured through an application.properties file.
This file can be placed in the directory from which the tool is started. Otherwise, the full path to the file must be passed via the command-line option --spring.config.location.
Parameters in configuration files are always case-sensitive!
In case of Command
The application configuration consists of the following parts:
Connecting to the KMS-Server
kmip.server-url=http://localhost:8080/kms-server/kmip (1)
kmip.truststore-file=truststore.p12 (2)
kmip.truststore-password=changeit (3)
(1) The address of the KMS server's KMIP endpoint
(2) The truststore file for the TLS connections to the KMS server
(3) The password of that truststore
Definitions of the Azure Key Vaults
All of the following values come from the Azure Key Vault and the app registration details in the Azure portal.
config.vaults.<vault-name>.url=https://<vault-name>.vault.azure.net (1)
config.vaults.<vault-name>.tenant-id=00000000-0000-0000-0000-000000000000 (2)
config.vaults.<vault-name>.client-id=00000000-0000-0000-0000-000000000000 (3)
config.vaults.<vault-name>.client-secret=00000000-0000-0000-0000-000000000000 (4)
config.vaults.<vault-name>.kek-name=<kek-name> (5)
(1) The URL of the Azure Key Vault
(2) The Azure tenant ID used to access the Azure Key Vault
(3) The Azure client ID (app registration) used to access the Azure Key Vault
(4) The Azure client secret used to access the Azure Key Vault
(5) The name of the Azure key used as KEK (key encryption key)
Each key vault configuration needs an individual name. In general, this should be the Azure name of the Azure Key Vault.
Definitions of rekey policies
Each policy configuration must have an individual name.
config.policies.<policy-name>.renewal-interval=P1Y (1)
config.policies.<policy-name>.validity-period=P2Y (2)
(1) The period after which a renewal should be made.
(2) The validity period of the new key(s).
Values must be given in ISO-8601 period format (for example P1Y, P6M or P30D). The minimum period that can be configured is one day.
Definitions of the MTG KMS tenants/keys
This section configures the tenant-specific KMS clients for accessing the MTG KMS and the tenant-specific keys for the rekey and import tasks.
config.tenants[0].default-vault=vaultA (1)
config.tenants[0].default-policy=policyA (2)
config.tenants[0].kms-client.username=<username> (3)
config.tenants[0].kms-client.password=<password> (4)
config.tenants[0].kms-client.keystore-file=keystore.p12 (5)
config.tenants[0].kms-client.keystore-password=<password> (6)
config.tenants[0].keys[0].uuid=00000000-0000-0000-0000-000000000000 (7)
config.tenants[0].keys[1].uuid=00000000-0000-0000-0000-000000000000 (8)
config.tenants[0].keys[1].vault=vaultB (9)
config.tenants[0].keys[1].policy=policyB (10)
(1) The name of the Azure Key Vault to use if none is configured for a key. (In this example, we assume an Azure Key Vault named vaultA is configured, i.e. vaultA is the <vault-name> under Definitions of the Azure Key Vaults.)
(2) The name of the rekey policy to use if none is configured for a key. (In this example, we assume a rekey policy named policyA is configured, i.e. policyA is the <policy-name> under Definitions of rekey policies.)
(3) The username of the KMS client configured for the tenant.
(4) The password of the KMS client configured for the tenant.
(5) The keystore file for TLS client authentication.
(6) The keystore password for TLS client authentication.
(7) The UUID of an MTG KMS private key that uses the default Azure Key Vault and rekey policy.
(8) The UUID of an MTG KMS private key that overrides the defaults.
(9) The Azure Key Vault can be overridden per key. For this key the Azure Key Vault vaultB is used (we assume an Azure Key Vault named vaultB is configured, i.e. vaultB is the <vault-name> under Definitions of the Azure Key Vaults).
(10) The rekey policy can be overridden per key. For this key the rekey policy policyB is used (we assume a rekey policy named policyB is configured, i.e. policyB is the <policy-name> under Definitions of rekey policies).
Which parts of the KMS client must be configured (username/password or keystore) depends on the configuration of the MTG KMS.
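Because the vault and policy names in the tenant section are free-text references to the names chosen in the two sections above, a typo such as a key pointing at a vault that was never defined is only discovered at run time. The following script is an added example, not part of the MTG tool or its documentation: it reads an application.properties file with a minimal key=value parser and checks the cross-references this page describes (every default and per-key vault/policy name must be defined, rekey periods must be ISO-8601 periods of at least one day, key UUIDs must be well-formed, and each kms-client must carry either username/password or a keystore). The embedded sample configuration is constructed for the example and contains no real identifiers or secrets; the field lists VAULT_FIELDS and POLICY_FIELDS and the lower-bound conversion of a period to days are assumptions of this script, not rules of the tool.

```python
"""Consistency check for an MTG KMS BYOK Tool application.properties.
Added example, not part of the MTG tool: it checks the cross-references this page
describes (vault/policy names, ISO-8601 rekey periods of at least one day,
well-formed key uuids, and a username/password or keystore per kms-client)."""
import re

PERIOD_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VAULT_FIELDS = ("url", "tenant-id", "client-id", "client-secret", "kek-name")  # assumed required
POLICY_FIELDS = ("renewal-interval", "validity-period")

# Constructed sample in the layout shown on this page (no real ids or secrets);
# vaultB and policyB are referenced by key [1] but deliberately left undefined.
SAMPLE_PROPERTIES = """\
kmip.server-url=https://kms.example.internal:8443/kms-server/kmip
kmip.truststore-file=truststore.p12
kmip.truststore-password=changeit
config.vaults.vaultA.url=https://vaultA.vault.azure.net
config.vaults.vaultA.tenant-id=11111111-1111-1111-1111-111111111111
config.vaults.vaultA.client-id=22222222-2222-2222-2222-222222222222
config.vaults.vaultA.client-secret=placeholder-secret
config.vaults.vaultA.kek-name=byok-kek
config.policies.policyA.renewal-interval=P1Y
config.policies.policyA.validity-period=P2Y
config.tenants[0].default-vault=vaultA
config.tenants[0].default-policy=policyA
config.tenants[0].kms-client.keystore-file=keystore.p12
config.tenants[0].kms-client.keystore-password=placeholder
config.tenants[0].keys[0].uuid=33333333-3333-3333-3333-333333333333
config.tenants[0].keys[1].uuid=44444444-4444-4444-4444-444444444444
config.tenants[0].keys[1].vault=vaultB
config.tenants[0].keys[1].policy=policyB
"""

def parse_properties(text):
    """Minimal .properties reader: one key=value per line, '#'/'!' comments, keys kept case-sensitive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def period_days(value):
    """Lower bound in days of an ISO-8601 period (P1Y, P6M, P2W, P10D, ...), or None if malformed."""
    m = PERIOD_RE.match(value)
    if not m or value == "P":
        return None
    years, months, weeks, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 28 + weeks * 7 + days

def _names(props, prefix):
    # Names defined directly under a prefix, e.g. 'config.vaults.' -> {'vaultA', ...}
    return {k[len(prefix):].split(".", 1)[0] for k in props if k.startswith(prefix)}

def validate(props):
    """Return human-readable problems; an empty list means the configuration is consistent."""
    problems = []
    vaults, policies = _names(props, "config.vaults."), _names(props, "config.policies.")
    url = props.get("kmip.server-url")
    if url is None:
        problems.append("kmip.server-url is missing")
    elif url.startswith("http://") and "kmip.truststore-file" in props:
        problems.append("kmip.server-url is plain http, so the configured truststore is never used")
    for v in sorted(vaults):
        for f in VAULT_FIELDS:
            if f"config.vaults.{v}.{f}" not in props:
                problems.append(f"vault {v}: missing {f}")
    for p in sorted(policies):
        for f in POLICY_FIELDS:
            val = props.get(f"config.policies.{p}.{f}")
            days = period_days(val) if val is not None else None
            if days is None:
                problems.append(f"policy {p}: {f} must be an ISO-8601 period such as P1Y")
            elif days < 1:
                problems.append(f"policy {p}: {f} must be at least one day")
    tenant_keys = [k for k in props if k.startswith("config.tenants[")]
    for t in sorted({k.split("[", 1)[1].split("]", 1)[0] for k in tenant_keys}, key=int):
        base = f"config.tenants[{t}]"
        for field, pool, kind in (("default-vault", vaults, "vault"), ("default-policy", policies, "policy")):
            if props.get(f"{base}.{field}") not in pool:
                problems.append(f"tenant {t}: {field} must name a configured {kind}")
        if not ((f"{base}.kms-client.username" in props and f"{base}.kms-client.password" in props)
                or f"{base}.kms-client.keystore-file" in props):
            problems.append(f"tenant {t}: kms-client needs username/password or a keystore")
        kprefix = f"{base}.keys["
        for j in sorted({k[len(kprefix):].split("]", 1)[0] for k in tenant_keys if k.startswith(kprefix)}, key=int):
            kbase = f"{kprefix}{j}]"
            uuid = props.get(f"{kbase}.uuid")
            if uuid is None or not UUID_RE.match(uuid):
                problems.append(f"tenant {t} key {j}: uuid is missing or malformed")
            for field, pool, kind in (("vault", vaults, "vault"), ("policy", policies, "policy")):
                val = props.get(f"{kbase}.{field}")
                if val is not None and val not in pool:
                    problems.append(f"tenant {t} key {j}: {field} refers to unknown {kind} {val}")
    return problems
```

Running validate(parse_properties(SAMPLE_PROPERTIES)) reports exactly the two dangling references (vaultB and policyB on key [1]); adding the missing vault and policy definitions makes the list empty. The plain-http check is there because the page's own kmip example pairs an http:// URL with a truststore: the truststore only takes effect on a TLS (https://) connection, so such a combination is worth flagging before the tool is pointed at a production KMS.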
Logging
Logging to stdout can be controlled by the --verbose option.
If more is needed (e.g., logging to a file), logging can be further configured by adding a logback.xml configuration file to the application directory (see Logback).
The full path to the logback.xml configuration file must be set via the command-line option --logging.config=logback.xml