Configuring the Encrypted Data Store on EMS Appliance

Note: In a Fault Tolerant Environment, you must stop all servers in the fault tolerant pair before you can configure the appliances for encrypted data storage support. Run the eds-config command on Peer A.
To configure your TIBCO Enterprise Message Service™ Appliance to support a solution that requires an encrypted data store, follow these steps on the appliance:

Procedure

  1. Make sure your KMIP key server is up and running.
  2. Make sure the peer appliance is up and running.
  3. Rename the KMIP key server certificate files to KEYSERVER.pem and KEYSERVER_CA.pem. The TIBCO Enterprise Message Service™ Appliance uses these certificate files to connect to the KMIP key server.
    Warning: Keep in mind that the TIBCO Enterprise Message Service™ Appliance automatically shuts down the TIBCO Enterprise Message Service™ servers before it applies the following changes.
  4. Import the KEYSERVER.pem and KEYSERVER_CA.pem files into the TIBCO Enterprise Message Service™ Appliance’s instance 0 certs directory. This is required for the appliance to communicate securely with the KMIP key server. See the import command for details.
  5. Run the eds-config command from the CLI and, when prompted, set the encrypted data store size, the KMIP key server host name or IP address, and the port number.
  6. Save and apply your changes using the config-save and config-apply commands.
  7. Connect to the EMS server using Central Administration in order to create store files that use the new ESSD encrypted storage area.
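
A pre-flight check for the files named in steps 3 and 4, as an added example that is not part of the TIBCO documentation: run on an administration workstation before the import, it confirms that the renamed files parse as certificates, are not close to expiry, and belong together. It assumes OpenSSL is installed, that KEYSERVER.pem holds the key server's certificate and that KEYSERVER_CA.pem holds the CA certificate that issued it; the function name and the 30-day default are hypothetical.

```shell
#!/bin/sh
# Added example: validate the renamed KMIP certificate files before import.
# Assumption: KEYSERVER.pem is the key server's certificate and
# KEYSERVER_CA.pem is the CA certificate that issued it.

# check_keyserver_certs DIR [MIN_DAYS]
# Returns 0 when both files are usable; otherwise prints the first
# problem found and returns 1.
check_keyserver_certs() {
    dir=$1
    min_days=${2:-30}
    secs=$((min_days * 86400))
    for f in KEYSERVER.pem KEYSERVER_CA.pem; do
        # The file must exist under the exact expected name and be non-empty.
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing or empty"; return 1
        fi
        # It must parse as a PEM-encoded X.509 certificate.
        if ! openssl x509 -in "$dir/$f" -noout 2>/dev/null; then
            echo "FAIL: $f is not a PEM X.509 certificate"; return 1
        fi
        # It must remain valid for at least MIN_DAYS more days.
        if ! openssl x509 -in "$dir/$f" -noout -checkend "$secs" >/dev/null; then
            echo "FAIL: $f expires within $min_days days"; return 1
        fi
    done
    # The server certificate must verify against the CA file.
    # Note: some OpenSSL builds also consult the system trust store here.
    if ! openssl verify -CAfile "$dir/KEYSERVER_CA.pem" \
            "$dir/KEYSERVER.pem" >/dev/null 2>&1; then
        echo "FAIL: KEYSERVER.pem does not verify against KEYSERVER_CA.pem"
        return 1
    fi
    echo "OK: certificate files in $dir are consistent"
}
```

Call it as `check_keyserver_certs /path/to/renamed/files 30`; a non-zero return means the files should be corrected before the appliance stops the EMS servers to apply the change.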