eds-config

This command allows you to configure the appliance to support encrypted data storage.

eds-config

It is currently available only on high-performance models. Running this command on a standard model results in an error.

Before using this command, you must import the KEYSERVER.pem and KEYSERVER_CA.pem certificate files into the TIBCO Enterprise Message Service™ Appliance using the import 0 certs command. This enables the appliance to communicate with the KMIP key server.

The default certificate file names are KEYSERVER.pem and KEYSERVER_CA.pem. You do not need to modify these file names. However, if you need to modify them, you can do so as follows:
  1. Use the export 0 certs command to export the eds-params.json file.
  2. Modify key_server parameters to specify the new file names.
  3. Re-import the eds-params.json file using the import command.

When issued, the eds-config command offers the following prompts.

Prompt
  Description

Do you want to enable encrypted stores? [y/n](no):
  Enter y to enable encrypted data storage.

  Note that when you enable encrypted stores, the EMS server instances on both appliances of a fault tolerant pair are stopped, and you will not be able to access them through the EMS-IP address. After the changes are applied and confirmed, the servers are restarted.

Do you want to proceed (y/n)?
  Enter y to proceed, or n to exit the setup.

EDS Key Server IP Address [addr:port]():
  Enter the IP address and port, or hostname and port for the encrypted data key server.

  For example: interop3.cryptsoft.com:5696

Encrypted store allocation(5G):
  Enter the disk size for the storage. This represents the maximum amount of disk space the encrypted store can use on the appliance. Specify the size as an integer using M to indicate megabytes or G for gigabytes. For example, 350M or 6G.

  If no value is entered, a default of 5G is used.

Once configured, the encrypted storage is treated like any other appliance disk. Low disk space is reported with appliance health checks.

Issue Ctrl-d at any time to exit the command. Note that if you exit after enabling encrypted data storage but before providing the key server address, you will receive an error if you try to apply your changes.

When you apply your encrypted data storage configuration, the appliance validates that the KMIP key server is reachable before proceeding to create the encrypted store. If the server is not reachable, or if the encrypted store fails to mount for any reason, the EMS servers are not started.
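
Because the EMS servers stay down if the key server cannot be reached, it helps to test the prompt answers and the certificate files from an administration host before running eds-config. The following pre-flight check is an added example, not part of the appliance or its documentation; the function names are hypothetical, and it assumes KEYSERVER.pem holds both the client certificate and its private key, that addresses are IPv4 or hostnames, and that sizes use uppercase M or G.

```python
import re
import socket
import ssl
import sys

ADDR_RE = re.compile(r"^([A-Za-z0-9.-]+):([0-9]{1,5})$")
SIZE_RE = re.compile(r"^([1-9][0-9]*)([MG])$")

def parse_key_server(text):
    """Split an addr:port answer into (host, port); IPv4 or hostname only."""
    m = ADDR_RE.match(text.strip())
    if not m or not 0 < int(m.group(2)) <= 65535:
        raise ValueError(f"key server must be addr:port, got {text!r}")
    return m.group(1), int(m.group(2))

def parse_allocation(text, default="5G"):
    """Return (integer, unit); an empty answer means the documented 5G default."""
    m = SIZE_RE.match(text.strip() or default)
    if not m:
        raise ValueError(f"allocation must be an integer plus M or G, got {text!r}")
    return int(m.group(1)), m.group(2)

def check_key_server(addr, client_pem="KEYSERVER.pem", ca_pem="KEYSERVER_CA.pem", timeout=5.0):
    """Try a mutually authenticated TLS handshake with the key server.
    Returns (True, negotiated TLS version) or (False, reason)."""
    host, port = parse_key_server(addr)
    try:
        # Trust only the key server's CA, not the system store.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
        # Assumption: the PEM holds the client certificate and its private key.
        ctx.load_cert_chain(client_pem)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # covers ssl.SSLError, timeouts, missing files
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    # Usage: preflight.py <addr:port> [allocation]
    addr = sys.argv[1]
    size = parse_allocation(sys.argv[2] if len(sys.argv) > 2 else "")
    ok, detail = check_key_server(addr)
    print(f"allocation {size[0]}{size[1]}; key server {addr}: {'OK' if ok else 'FAILED'} ({detail})")
    sys.exit(0 if ok else 1)
```

A successful handshake shows only that the port is reachable from the host running the script and that the two PEM files are accepted; the appliance still performs its own validation when the configuration is applied.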

Note: When you choose the initial EDS pool size, keep in mind that the initial DR synchronization sends the fully allocated EDS store, for example, 5G by default. This could impact the DR synchronization initialization time as the full pool size will need to be transmitted to the backup site on the initial send. During any subsequent synchronizations, only changed blocks are sent.

You can also use this command to disable the encrypted data storage. Keep in mind that the appliance automatically shuts down the EMS servers when disabling the encrypted data storage. Before disabling encrypted stores, you must remove all encrypted stores that are using the ESSD store location from the TIBCO Enterprise Message Service™ Appliance server configurations.