Configuring a Google Cloud KMS keystore
Version:
Configure a keystore by referencing an encryption key that is stored in Google Cloud key management service (KMS).
-
If you have not yet defined your cryptographic key in Google Cloud KMS, create a Google project, a service account, and a keyring. For details, see your Google Cloud KMS documentation and the Pega Community article Configuring a Google Cloud KMS keystore.
-
Create a service account with a role equal to Cloud KMS CryptoKey Encrypter/Decrypter, and download the account credentials as a .json file.
-
Create a keyring and a symmetric key, and copy the key ID in Google resource name format.
-
-
Open a keystore from the navigation panel by clicking
and selecting a Google Cloud KMS keystore from the instance list. -
Click Upload file, and select the service account credentials file that you downloaded in step 1a.
-
In the Customer master key ID field, enter the key in Google resource name format that you copied in step 1b.
-
In the Customer data key rotation in days field, enter the number of days after which the customer data key (CDK) rotates.
The recommended (default) value is 90 days. You can set the rotation to any time between 30 and 365 days. -
Click Test connectivity to verify that all fields are filled out correctly and that Pega Platform can connect to Google Cloud KMS and find your key.
-
Click Save.
- Keystores
A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. In Pega Platform, you create a keystore data instance that points to a keystore file.
- Creating a keystore for application data encryption
Create a keystore instance for your keystore file, which contains the keys and certificates that are used, for example, to support Web Services Security and outbound email security.