Connecting to external keystores

Connecting to external keystores with the UI

To connect to an external keystore by using the UI, complete the following steps:

1. Log in to the Hyper Protect Crypto Services instance.

2. Click Keystores from the navigation to view all the available keystores.

3. To connect to an external keystore, click Add keystore.

4. Under Vault, select a vault for the keystore for access control, and click Next.

   If you want to assign the keystore to a new vault, click Create vault. For more instructions, see Creating vaults.

5. Under Keystore type, select one of the following types and click Next:

   • AWS keystore: Create a keystore that can store AWS KMS keys.
   • Azure Key Vault: Create a keystore that can store Azure Key Vault keys, both Azure Key Vault (Premium) and Azure Key Vault (Standard) are supported.
   • Google Cloud KMS keystore: Create a keystore that can store Google Cloud KMS keys.
   • Key Protect: Create a keystore that can store Key Protect keys.
   • IBM Cloud KMS keystore in another instance: Create a keystore that can store KMS keys in another Hyper Protect Crypto Services instance.

   You can change the currency that is displayed by selecting your country or location. After you connect to the first external keystore, Unified Key Orchestrator base price applies additionally. For more information about pricing, see the pricing sample.

6. Under Keystore properties, specify the details of based on the keystore type that you want to connect to.

   Table 1. AWS Key Management Service properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Region on AWS	The geographical location where the AWS keystore is located in.
   Access key ID on AWS	All requests to AWS KMS must be signed by using an access key ID and a secret access key. For more information, see Understanding and getting your AWS credentials.
   Secret access key on AWS	All requests to AWS KMS must be signed by using an access key ID and a secret access key. The secret access key is available for download only when you create it.

   Table 2. Azure Key Vault properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Service name on Azure	The name must match the name of the Key Vault in Azure.
   Resource group on Azure	A logical construct that groups multiple resources. Obtain it from the Azure portal.
   Service principal client ID on Azure	Application ID that identifies the application of service principal.
   Service principal password on Azure	Only password based authentication is supported for service principals.
   Tenant ID on Azure	A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. Use Microsoft Entra ID for authenticating requests to the Key Vault.
   Subscription ID on Azure	A GUID that uniquely identifies your subscription to use Azure services.

   Table 3. Google Cloud KMS keystore properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Keystore description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Upload JSON key file	The private key file that is downloaded from your service account on Google Cloud in step 2 of Setting up required user access in Google Cloud KMS. The file type must be .json and the maximum file size is 4 KB.
   Project on Google Cloud	Read only. The name of your Google Cloud project. It is automatically extracted from the JSON key file that you upload.
   Location on Google Cloud	The geographical region where you want to store your Google Cloud KMS resources. For more details about the location, see Google Cloud KMS locations.
   Key ring on Google Cloud	A human-readable name of the key ring that organizes your keys. The name must be unique within a location. For more information about key rings, see Key rings.
   Private key ID on Google Cloud	Read only. The ID of the public/private RSA key pair in Google. It is used for establishing a secure connection to Google Cloud Platform. It is automatically extracted from the JSON key file that you upload.

   Table 4. Key Protect keystore properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Service instance ID on IBM Cloud	The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving your instance ID and cloud resource name.
   Key ring ID on IBM Cloud	The unique identifier of the key ring in the Key Protect instance that you want to connect to. For more information, see Grouping keys together using key rings. If you are not sure which key ring to connect to, specify default to connect to the default key ring.
   Key Protect API endpoint	The service endpoint of your Key Protect instance in the format of https://<region>.kms.cloud.ibm.com. For more information, see Regions and endpoints.
   IBM Cloud Identity and Access Management endpoint	The endpoint of IAM, which is https://iam.cloud.ibm.com.
   Service ID API key	A unique code that is passed to an API to identify the calling application. For more information, see Managing service ID API keys.

   Table 5. IBM Cloud Hyper Protect Crypto Services KMS keystore properties

   Property	Description
   Keystore name	A unique, human-readable name for easy identification of your keystore, with 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces.
   Description	(Optional) An extended description for your keystore, with up to 200 characters in length.
   Service instance ID on IBM Cloud	The unique identifier that is assigned to your service instance. For more information, see Retrieving your instance ID.
   Key ring ID on IBM Cloud	The unique identifier of the key ring in the Hyper Protect Crypto Services instance Standard Plan that you want to connect to. For more information, see Managing key rings. If you are not sure which key ring to connect to, specify default to connect to the default key ring.
   Key management endpoint	The service endpoint of your Hyper Protect Crypto Services instance in the format of https://api.<region>.hs-crypto.cloud.ibm.com:<port>. You can get the <region> and <port> in your provisioned service instance UI dashboard through Overview > Connect > Key managment endpoint URL**.
   IBM Cloud Identity and Access Management endpoint	The endpoint of IAM, which is https://iam.cloud.ibm.com.
   Service ID API key	A unique code that is passed to an API to identify the calling application. For more information, see Managing service ID API keys.

   You cannot make further changes to identifying properties that are marked with a Lock icon after the keystore is connected.

7. Optionally, click Test connection to test the connection to the external keystore that you configure. When completed, click Next to continue.

   You can complete the subsequent steps even if the test fails. To adjust the connection settings in case of a connection failure, check and adjust the connection properties. If you connect to an external keystore of type Microsoft Azure Key Vault, after clicking Test connection, you will be notified that whether the keystore is Azure Key Vault (Premium) or Azure Key Vault (Standard).

8. Under Summary, view the summary of your Azure Key Vault and the estimated additional cost.

9. After you confirm the keystore details, click Connect to keystore.

If you connect to an external keystore of type Azure Key Vault, a key named EKMF-BYOK-KEK-FOR-IMPORT is automatically created in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.

You have successfully connected to the external keystore that you select.

Connecting to external keystores with the API

To connect to an external keystore through the API, follow these steps:

1. Retrieve your service and authentication credentials to work with keystores in the service.

2. Connect to an external keystore by making a POST call to the following endpoint.

   https://uko.<region>.hs-crypto.cloud.ibm.com:<port>/api/v4/keystores
   

   For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

If you connect to an external keystore of type Azure Key Vault, a key named EKMF-BYOK-KEK-FOR-IMPORT is automatically created in the Azure Key Vault instance that you connect to. You can view the key from the Azure Key Vault instance UI. Don't delete this key. Otherwise, you will not be able to create and distribute managed keys to the Azure Key Vault instance. For more information, see Why can't I distribute keys in Azure Key Vault.