Encrypted Data Store (EDS) Configuration
The high-performance edition TIBCO Enterprise Message Service™ Appliance supports encrypted data store locations.
You can configure your high-performance edition TIBCO Enterprise Message Service™ Appliance for use with applications that require an encrypted data store. The high-performance edition appliance writes data to an encrypted data store by creating encrypted store file locations, called ESSD, on the appliance. Once you configure the encrypted store file location, you can select this encrypted data store (ESSD) from the drop-down menu that is available in Central Administration when configuring the data store on your appliance. The appliance uses the Key Management Interoperability Protocol (KMIP) to connect to your key server for storage and retrieval of the associated data encryption key.
After the appliance is configured for encrypted data storage support, the appliance connects to your KMIP key server and creates a key that the appliance uses to access the ESSD data store. When an appliance is rebooted, the KMIP key server must be reachable, or the encrypted stores cannot be opened and the EMS server instances will fail to start.
The appliance then mounts the ESSD encrypted storage area using the encryption credentials that you provided during the encrypted data storage setup. If the connection to the KMIP key server fails, your TIBCO Enterprise Message Service™ servers on the appliance will not start. In such a situation, check the connection to the key server and make sure the address and port are correct in the appliance setup.
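The connection check described above can be run before a planned reboot from a host on the same network as the appliance. The following is an added example, not TIBCO code; the function name, the stage labels, and the default port 5696 (the IANA-registered KMIP port) are assumptions, so substitute the address and port from your appliance setup.

```python
import socket
import ssl
import sys

KMIP_DEFAULT_PORT = 5696  # IANA-registered KMIP port; use the port from your appliance setup


def check_kmip_endpoint(host, port=KMIP_DEFAULT_PORT, timeout=5.0, tls=True, cafile=None):
    """Return (stage, detail); stage is 'ok' or the first step that failed."""
    # Stage 1: name resolution. A mistyped key server address fails here.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    family, socktype, proto, _, sockaddr = infos[0]

    # Stage 2: TCP connect. Wrong port, firewall rule, or key server down.
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except ConnectionRefusedError as exc:
        sock.close()
        return "tcp_refused", str(exc)
    except OSError as exc:  # includes timeouts and "no route to host"
        sock.close()
        return "tcp_unreachable", str(exc)
    if not tls:
        sock.close()
        return "ok", "TCP connect succeeded"

    # Stage 3: TLS handshake with server certificate verification.
    # This does not present a client certificate or send any KMIP request.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
            return "ok", tls_sock.version()
    except OSError as exc:  # ssl.SSLError and handshake timeouts are OSError subclasses
        sock.close()
        return "tls", str(exc)


if __name__ == "__main__":
    # Usage: check_kmip.py <key-server-host> [port] [ca-bundle.pem]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else KMIP_DEFAULT_PORT
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    stage, detail = check_kmip_endpoint(host, port, cafile=cafile)
    print(f"{host}:{port} -> {stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

A `tcp_refused` or `tcp_unreachable` result points at the address, port, or network path; a `tls` result means the key server answered but the handshake or certificate check failed.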