New KMS troubleshooting guide

Author: gbarideau

pages/index.md

@@ -1941,6 +1941,7 @@
                 + [Pushing logs from a Kubernetes cluster to Logs Data Platform using Fluent Bit](manage_and_operate/observability/logs_data_platform/ingestion_kubernetes_fluent_bit)
                 + [Pushing logs from OVHcloud account to Logs Data Platform](manage_and_operate/iam/iam-logs-forwarding)
                 + [Pushing logs from SAP to Logs Data Platform](hosted_private_cloud/sap_on_ovhcloud/cookbook_sap_logs_on_ovhcloud_logs_data_platform_solution_setup)
+                + [Pushing logs from OVHcloud KMS to Logs Data Platform](manage_and_operate/kms/kms-troubleshooting)
                 + [Logs Data Platform - Collect VMware on OVHcloud logs](/pages/hosted_private_cloud/hosted_private_cloud_powered_by_vmware/vmware_ldp)
             + [Visualizing, querying and exploiting your logs](observability-logs-data-platform-visualizing-querying-exploiting)
                 + [Exposing your logs to third-party tools via the OpenSearch API](manage_and_operate/observability/logs_data_platform/integration_opensearch_api)
@@ -1966,6 +1967,7 @@
         + [OVHcloud KMS Architecture overview](manage_and_operate/kms/architecture-overview)
         + [OVHcloud KMS - Responsibility model](manage_and_operate/kms/responsibility-model-kms)
         + [How to connect a compatible product using KMIP protocol with OVHcloud KMS](manage_and_operate/kms/kms-kmip)
+        + [How to troubleshoot OVHcloud KMS access](manage_and_operate/kms/kms-troubleshooting)
 + OVHcloud Labs
     + [Data Collector](products/ovhcloud-labs-data-collector)
         + [Getting started](ovhcloud-labs-data-collector-getting-started)

pages/manage_and_operate/kms/kms-troubleshooting/guide.en-gb.md

@@ -0,0 +1,103 @@
+---
+title: "How to troubleshoot OVHcloud KMS access"
+excerpt: "Analyze KMS logs through LDP"
+updated: 2025-06-13
+---
+
+## Objective
+
+This guide aim to introduce logs generated by OVHcloud KMS and how to analyze them
+
+## Requirements
+
+- An [OVHcloud customer account](/pages/account_and_service_management/account_information/ovhcloud-account-creation).
+- An [OVHcloud KMS ordered and an access certificate created](/pages/manage_and_operate/kms/quick-start)
+
+## Instructions
+
+### Description
+
+OVHcloud KMS has a native integration with [Logs Data Plateform](https://www.ovhcloud.com/en/identity-security-operations/logs-data-platform/) for logs management
+
+### Logs direct access
+
+KMS logs are available from each KMS `Logs`{.action} tab
+
+![Logs tab](images/kms-logs-tab.png){.thumbnail}
+
+This tab display in real time all KMS logs
+A selector allow to switch display between the two types of logs
+
+- REST API audit logs
+- KMIP audit logs
+
+### Logs access through LDP
+
+From the `Logs`{.action} tab, it's possible to subscribe to a LDP data stream
+One the subscribtion enable, all the logs will be pushed to [Logs Data Plateform](https://www.ovhcloud.com/fr/identity-security-operations/logs-data-platform/) to archive generated logs and perform advanced searches, create alerts and visualisations
+
+![LDP Subscription](images/kms-ldp-subscription.png){.thumbnail}
+
+For more informations, please look the [dedicated documentation](pages\manage_and_operate\observability\logs_data_platform\getting_started_quick_start)
+
+### Available logs details
+
+KMS logs contains following information:
+
+- REST API
+
+Logs are display with this format:
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+As example: INFO | GET /v1/servicekey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - 200 - identity: urn:v1:eu:identity:group:xx1111-ovh/john.smith - operation: okms:apiovh:serviceKey/get on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxx/serviceKey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - from Manager/APIv2 - request id: EU.manager-5.684c3abe.3880620.2080cff16eaa5539bf92cxxxxxxxx
+
+Elements that can be pushed to Logs Data Plateform:
+
+|**Field**|**Description**|
+| :-: | :-: |
+|domain_id|OKMS domain ID|
+|request_id|request ID|
+|log_level|Log priority level|
+|client_ip|IP of the client making the request|
+|tls_cert_id|Authentication certificate ID used|
+|res_urn|target resource URN|
+|region|OKMS domain region|
+|iam_operation|IAM action evalutated|
+|iam_identities|IAM identity used for rights evaluation|
+|http_path|Request path|
+|http_status|HTTP answer status|
+|http_method|Request method|
+|err_category|Error category|
+
+- KMIP
+
+Logs are display with this format:
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+As example : INFO | GET on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxxx/kmip/ff55638c-3e86-4cb3-xxxx-xxxxxxxx - identity: urn:v1:eu:identity:account:xx1111-ovh - operation: okms:kmip:get - from XXX.XXX.XXX.XXX with certificate e7850a19-a5de-4527-xxxx-xxxxxxxxx - request id: OKMS.db61c455-abfa-4a66-xxxx-xxxxxxxxxxx"
+
+Elements that can be pushed to Logs Data Plateform:
+
+|**Field**|**Description**|
+| :-: | :-: |
+|domain_id|OKMS domain ID|
+|request_id|request ID|
+|log_level|Log priority level|
+|client_ip|IP of the client making the request|
+|tls_cert_id|Authentication certificate ID used|
+|res_urn|target resource URN|
+|region|OKMS domain region|
+|iam_operation|IAM action evalutated|
+|iam_identities|IAM identity used for rights evaluation|
+|kmip_operation|KMIP operation used|
+|kmip_reason|[Standard KMIP error code](https://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.pdf#%5B%7B%22num%22%3A484%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C69%2C720%2C0%5D)|
+
+## Go further
+
+Join our [community of users](/links/community).

pages/manage_and_operate/kms/kms-troubleshooting/guide.fr-fr.md

@@ -0,0 +1,105 @@
+---
+title: "Comment diagnostiquer les accès sur un OVHcloud KMS"
+excerpt: "Analyser les logs KMS via LDP"
+updated: 2025-06-13
+---
+
+## Objectif
+
+L'objectif de ce guide est de présenter les logs générés par le KMS OVHcloud et comment les interprêter
+
+## Prérequis
+
+- Disposer d'un [compte client OVHcloud](/pages/account_and_service_management/account_information/ovhcloud-account-creation).
+- Avoir [commandé un KMS OVHcloud et créer un certificat d'accès](/pages/manage_and_operate/kms/quick-start)
+
+## En pratique
+
+### Description
+
+Le KMS OVHcloud dispose d'une intégration native avec [Logs Data Plateform](https://www.ovhcloud.com/en/identity-security-operations/logs-data-platform/) pour la gestion des logs
+
+### Accès aux logs en direct
+
+Les logs du KMS sont accessibles depuis l'onglet `Logs`{.action} d'un KMS
+
+![Logs tab](images/kms-logs-tab.png){.thumbnail}
+
+Cet onglet affiche en temps réel les logs du KMS.
+Le sélecteur permet de choisir le type de logs affichés :
+
+- REST API audit logs
+- KMIP audit logs
+
+### Accès aux logs via LDP
+
+Depuis l'onglet `Logs`{.action} il est possible de s'abonner à un flux LDP.
+Une fois l'abonnement actif, l'ensemble des logs seront transmis à [Logs Data Plateform](https://www.ovhcloud.com/fr/identity-security-operations/logs-data-platform/) pour retrouver l'historique des logs généré et la possiblité de faire des recherches plus avancées, créer des alertes et des visualisations.
+
+![LDP Subscription](images/kms-ldp-subscription.png){.thumbnail}
+
+Pour plus d'informations, il est possible de regarder la [documentation dédiée](pages\manage_and_operate\observability\logs_data_platform\getting_started_quick_start)
+
+### Liste des logs générés
+
+Les logs du KMS comportent les informations suivantes :
+
+- API REST
+
+Les logs sont sous le format suivant :
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+Par exemple : INFO | GET /v1/servicekey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - 200 - identity: urn:v1:eu:identity:group:xx1111-ovh/john.smith - operation: okms:apiovh:serviceKey/get on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxx/serviceKey/77f0a3f6-c2ef-4e76-xxxx-xxxxxxxxxxxx - from Manager/APIv2 - request id: EU.manager-5.684c3abe.3880620.2080cff16eaa5539bf92cxxxxxxxx
+
+Les éléments pouvant être transmis à Logs Data Plateform étant :
+
+|**Champ**|**Description**|
+| :-: | :-: |
+|domain_id|ID du domaine OKMS|
+|request_id|ID de la requête|
+|type||
+|log_level|Niveau de priorité du log|
+|client_ip|IP du client réalisant la requête|
+|tls_cert_id|ID du certificat utilisé pour l'authentification|
+|res_urn|URN de la ressource ciblé|
+|region|Région du domaine OKMS|
+|iam_operation|Action IAM évaluée|
+|iam_identities|Identitée IAM utilisé pour l'évaluation des droits|
+|http_path|Chemin de la requête|
+|http_status|Status de la réponse HTTP|
+|http_method|Methode de la requête|
+|err_category|Catégorie de l'erreur|
+
+- KMIP
+
+Les logs sont sous le format suivant :
+
+```bash
+{{ http_method }} {{ http_path }} - {{ http_status }} - identity: {{ iam_identities }} - operation: {{ iam_operation }} on {{ res_urn }} - from {{ip}} with certificate {{cert_id}} - request id: {{ request_id }}
+```
+
+Par exemple : INFO | GET on urn:v1:eu:resource:okms:8d1c84cc-1128-4629-xxxx-xxxxxxxxxxx/kmip/ff55638c-3e86-4cb3-xxxx-xxxxxxxx - identity: urn:v1:eu:identity:account:xx1111-ovh - operation: okms:kmip:get - from XXX.XXX.XXX.XXX with certificate e7850a19-a5de-4527-xxxx-xxxxxxxxx - request id: OKMS.db61c455-abfa-4a66-xxxx-xxxxxxxxxxx"
+
+Les éléments pouvant être transmis à Logs Data Plateform étant :
+
+|**Champ**|**Description**|
+| :-: | :-: |
+|domain_id|ID du domaine OKMS|
+|request_id|ID de la requête|
+|type||
+|log_level|Niveau de priorité du log|
+|client_ip|IP du client réalisant la requête|
+|tls_cert_id|ID du certificat utilisé pour l'authentification|
+|res_urn|URN de la ressource ciblé|
+|region|Région du domaine OKMS|
+|iam_operation|Action IAM évaluée|
+|iam_identities|Identitée IAM utilisé pour l'évaluation des droits|
+|kmip_operation|Opération KMIP utilisée|
+|kmip_reason|[code d'erreur KMIP](https://docs.oasis-open.org/kmip/spec/v1.4/kmip-spec-v1.4.pdf#%5B%7B%22num%22%3A484%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C69%2C720%2C0%5D)|
+
+## Aller plus loin
+
+Échangez avec notre [communauté d'utilisateurs](/links/community).

pages/manage_and_operate/kms/kms-troubleshooting/images/kms-ldp-subscription.png

@@ -0,0 +1,3 @@
+id: 751e237a-47e4-4ac8-854d-189530462197
+full_slug: kms-troubleshooting
+reference_category: manage-operate-kms