[SERVER-28011] Support multiple KMIP hosts in the --kmipServerName parameter Created: 14/Feb/17 Updated: 10/Jun/20 Resolved: 03/Sep/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.1, 4.3.1, 4.0.14 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Adam Cooper (Inactive) |
| Resolution: | Done | Votes: | 6 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.2, v4.0, v3.6, v3.4, v3.2 |
| Sprint: | Security 2019-08-26, Security 2019-09-09 |
| Case: | (copied to CRM) |
| Description |
|
Some KMIP appliances appear to use an internal replication system to ensure keys are distributed across multiple physical servers. Instead of backing a single hostname with multiple machines through a High Availability infrastructure, they seem to be relying on clients to perform some operation analogous to our Server Discovery and Monitoring to find a working server with the data they're requesting. We need to be able to specify multiple hostnames to kmipServerName to enable our client to fall back to backup KMIP servers if it encounters network errors. |
| Comments |
| Comment by Andrew Feierabend (Inactive) [ 10/Jun/20 ] |
|
For the curious, stumbling on this ticket in the future: yes, all KMIP servers specified to --kmipServerName or security.kmip.serverName must use the same port: 5696 by default, or the port specified to kmipPort. It is not possible presently to specify different ports to different KMIP servers. |
| Comment by Githook User [ 02/Oct/19 ] |
|
Author: {'name': 'Adam Cooper', 'username': 'super-cooper', 'email': 'adam.cooper@mongodb.com'}
Message: (cherry picked from commit 3f36c8438fe410f2bb31d805ff8c8e4ea1421d49) |
| Comment by Githook User [ 24/Sep/19 ] |
|
Author: {'username': 'super-cooper', 'email': 'adam.cooper@mongodb.com', 'name': 'Adam Cooper'}
Message: (cherry picked from commit 3f36c8438fe410f2bb31d805ff8c8e4ea1421d49) |
| Comment by Githook User [ 03/Sep/19 ] |
|
Author: {'name': 'Adam Cooper', 'username': 'super-cooper', 'email': 'adam.cooper@mongodb.com'}
Message: |
| Comment by Chris Smith [ 14/Aug/19 ] |
|
We are currently working with Thales Vormetric DSM, which does not support a load balancer as they use an active/active solution for HA. This feature is something that we would need in order to implement encryption within MongoDB. |
| Comment by Davi Ottenheimer [ 17/Dec/18 ] |
|
Thanks andrey.brindeyev. KMIP scaling was a popular question at SF.local, so we pushed the blog post out to point attendees there.