DOCSP-14356 KMIP config parameters (#742)

jocelyn-mendez1 · Jocelyn Mendez · web-flow · commit c6851b0d6106 · 2022-03-08T09:32:07.000-08:00
* DOCSP-14356 adding new config parameters * DOCSP-14356 adding new config parameters * DOCSP-14356 adding new config parameters * DOCSP-14356 definition corrections * DOCSP-14356 definition rework * DOCSP-14356 definition rework * DOCSP-20679 authentication methods * DOCSP-14356 test * DOCSP-14356 correction masterKey option * DOCSP-14356 rewording definition * DOCSP-14356 nit changes Co-authored-by: Jocelyn Mendez <jocelyn.mendez@Jocelyns-MacBook-Pro.local>
diff --git a/source/reference/configuration-file-settings-command-line-options-mapping.txt b/source/reference/configuration-file-settings-command-line-options-mapping.txt
@@ -264,6 +264,12 @@ and :binary:`~bin.mongos` command-line options.
    * - :setting:`security.kmip.serverName`
      - | :option:`mongod --kmipServerName`
 
+   * - :setting:`security.kmip.activateKeys`
+     - | :option:`mongod --kmipActivateKeys`
+
+   * - :setting:`security.kmip.keyStatePollingSeconds` 
+     - | :option:`mongod --kmipKeyStatePollingSeconds`
+
    * - :setting:`security.ldap.authz.queryTemplate`
      - | :option:`mongod --ldapAuthzQueryTemplate`
 
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
@@ -2766,6 +2766,8 @@ Key Management Configuration Options
          serverCAFile: <string>
          connectRetries: <int>
          connectTimeoutMS: <int>
+         activateKeys: <boolean>
+         keyStatePollingSeconds: <int>
 
 .. setting:: security.enableEncryption
 
@@ -3052,6 +3054,41 @@ Key Management Configuration Options
    .. include:: /includes/fact-enterprise-only-admonition.rst
 
 
+.. setting:: security.kmip.activateKeys
+
+   *Type*: boolean
+
+   *Default*: true
+
+
+   .. versionadded:: 5.3
+
+   Activates all newly created KMIP keys upon creation and then periodically 
+   checks those keys are in an active state.  
+
+   When ``security.kmip.activateKeys`` is ``true`` and you have existing keys 
+   on a KMIP server, the key must be activated first or the :binary:`mongod` 
+   node will fail to start.
+
+   If the key being used by the mongod transitions into a non-active state, 
+   the :binary:`mongod` node will shut down unless ``kmipActivateKeys`` is 
+   false. To ensure you have an active key, rotate the KMIP master key by 
+   using :setting:`security.kmip.rotateMasterKey`.
+
+
+.. setting:: security.kmip.keyStatePollingSeconds
+
+   *Type*: int
+
+   *Default*: 900 seconds
+
+   .. versionadded:: 5.3
+
+   Frequency in seconds at which mongod polls the KMIP server for active keys. 
+
+   To disable disable polling, set the value to ``-1``. 
+
+
 .. _security.sasl.options:
 
 ``security.sasl`` Options
diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt
@@ -3431,9 +3431,36 @@ Encryption Key Management Options
       
       Starting in 4.0, on macOS or Windows, you can use a certificate
       from the operating system's secure store instead of a PEM key
-      file. See :option:`--kmipClientCertificateSelector`. When using the secure store, you do not
-      need to, but can, also specify the :option:`--kmipServerCAFile`.
+      file. See :option:`--kmipClientCertificateSelector`. When using the secure 
+      store, you do not need to, but can, also specify the :option:`--kmipServerCAFile`.
 
+.. option:: --kmipActivateKeys <boolean>
+
+   *Default*: true
+
+   .. versionadded:: 5.3
+
+   Activates all newly created KMIP keys upon creation and then periodically 
+   checks those keys are in an active state. 
+
+   When ``--kmipActivateKeys`` is ``true`` and you have existing keys on a 
+   KMIP server, the key must be activated first or the :binary:`mongod` node 
+   will fail to start. 
+
+   If the key being used by the mongod transitions into a non-active state, 
+   the :binary:`mongod` node will shut down unless ``kmipActivateKeys`` is 
+   false. To ensure you have an active key, rotate the KMIP master key by 
+   using :option:`--kmipRotateMasterKey`.
+
+.. option:: --kmipKeyStatePollingSeconds <integer>
+
+   *Default*: 900 seconds 
+   
+   .. versionadded:: 5.3
+
+   Frequency in seconds at which mongod polls the KMIP server for active keys. 
+
+   To disable disable polling, set the value to ``-1``.
 
 .. option:: --eseDatabaseKeyRollover
 
diff --git a/source/release-notes/5.3.txt b/source/release-notes/5.3.txt
@@ -93,6 +93,20 @@ Management Interoperability Protocol (KMIP) server to securely manage
 the keys for :ref:`encrypting the MongoDB audit log
 <security-encryption-at-rest-audit-log>`.
 
+KMIP Key Activation
+~~~~~~~~~~~~~~~~~~~
+
+Starting in MongoDB 5.3, :setting:`security.kmip.activateKeys` activates all 
+newly created KMIP keys upon creation and then periodically checks that 
+keys are in an active state. 
+
+Polling for Active State Keys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Starting in MongoDB 5.3, :setting:`security.kmip.keyStatePollingSeconds` sets 
+the polling interval in seconds at which :binary:`mongod` polls the KMIP server 
+for active keys. 
+
 .. _5.3-rel-notes-sharding:
 
 Sharding
