
Configuring an Amazon Key Management Service (KMS) key rotation

Updated on July 1, 2021

To configure a keystore, you can reference the encryption key that is stored in the Amazon Web Services Key Management Service (AWS KMS).

Before you begin: You must create a keystore data instance in Pega Platform with Keystore location equal to Amazon Key Management Service (KMS) before you can configure the keystore.
  1. If you have not yet defined your keys in Amazon, log in to your Amazon Web Services account, and under Identity and Access Management (IAM), create a Customer Master Key (CMK) and access key.
    • For information about how to create a Customer Master Key, see the AWS Developer Guide that describes the AWS Key Management Service and Configuring an Amazon Web Services Key Management Service keystore.
    • The access key provides the access key ID and secret access key that you need to enter in the keystore form. For more information, see the Amazon guide Managing Access Keys for IAM Users.
    • When you create the encryption key, select the same geographic region for your key that your application is deployed in. Selecting the same geographic region gives your application the best network performance.
  2. Open a keystore from the navigation panel by clicking Records > Security > Keystore and selecting a KMS keystore from the instance list.
  3. In the Access key ID field, enter the access key ID that you created in AWS KMS.
  4. In the Secret access key field, enter the secret access key that you created in AWS KMS.
  5. In the Customer master key ID field, enter the Amazon Resource Name (ARN) of the customer master key created in AWS KMS.
  6. In the Customer data key rotation in days field, enter the number of days after which the customer data key (CDK) rotates.
    Note: The recommended (default) value is 90 days. You can set the rotation to any time between 30 and 365 days.
  7. Click Test connectivity to verify that all fields are filled out correctly and that Pega Platform is able to connect to AWS KMS.
  8. Click Save.
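
The constraints the procedure states (a key ARN in step 5, same-region placement from step 1, and the 30 to 365 day rotation window from step 6) can be checked before you click Test connectivity. The following Python example is added here and is not Pega Platform code; it assumes the standard KMS key ARN layout (arn:aws:kms:region:account:key/key-id), and `app_region` and the sample values are constructed.

```python
"""Added example (not Pega code): pre-flight checks on the values entered in
the KMS keystore form, mirroring the constraints the procedure states."""
from datetime import date, timedelta

MIN_ROTATION_DAYS, MAX_ROTATION_DAYS, DEFAULT_ROTATION_DAYS = 30, 365, 90


def parse_cmk_arn(arn):
    """Split a KMS key ARN (arn:aws:kms:<region>:<account>:key/<key-id>) into
    its parts; raise ValueError for anything that is not a KMS key ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1].startswith("aws") or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    _, _, _, region, account, resource = parts
    if not region or not account.isdigit() or not resource.startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return {"region": region, "account": account, "key_id": resource[len("key/"):]}


def validate_rotation_days(days=DEFAULT_ROTATION_DAYS):
    """Enforce the 30-365 day window the form accepts (default 90)."""
    if not isinstance(days, int) or not MIN_ROTATION_DAYS <= days <= MAX_ROTATION_DAYS:
        raise ValueError(f"rotation must be {MIN_ROTATION_DAYS}-{MAX_ROTATION_DAYS} days, got {days!r}")
    return days


def check_keystore_config(cmk_arn, app_region, rotation_days=DEFAULT_ROTATION_DAYS):
    """Return a list of findings; an empty list means the form values are consistent.
    A CMK in another region than the application is a warning (extra latency on
    every KMS call); a malformed ARN or an out-of-range rotation value is an error."""
    findings = []
    try:
        key = parse_cmk_arn(cmk_arn)
        if key["region"] != app_region:
            findings.append(f"warning: CMK is in {key['region']} but the application runs in {app_region}")
    except ValueError as exc:
        findings.append(f"error: {exc}")
    try:
        validate_rotation_days(rotation_days)
    except ValueError as exc:
        findings.append(f"error: {exc}")
    return findings


def next_rotation(cdk_created, rotation_days=DEFAULT_ROTATION_DAYS):
    """Date on which the customer data key (CDK) created on cdk_created is due to rotate."""
    return cdk_created + timedelta(days=validate_rotation_days(rotation_days))


if __name__ == "__main__":
    # Constructed sample values, not a real account or key.
    ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(check_keystore_config(ARN, "eu-west-1", 20))
    print(next_rotation(date(2021, 7, 1)))
```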