Key Management Interoperability Protocol key servers

The storage system supports data encryption with key servers that use Key Management Interoperability Protocol (KMIP). KMIP provides more flexibility and choice in key management.

With KMIP support, you can add the DS8000® encryption feature to an existing key management infrastructure that uses KMIP.

DS8000 supports the following KMIP key servers:
  • IBM® Security Key Lifecycle Manager V2.5 or later (a multi-master configuration is required). IBM Fibre Channel Endpoint Security requires v3.0.1 fix-pack 2 or later.
  • Gemalto Safenet KeySecure V8.0.0 or later. IBM Fibre Channel Endpoint Security does not support Gemalto Safenet KeySecure.

Communication between the DS8000 storage system and the KMIP key server is secured with Transport Layer Security V1.2.

DS8000 storage systems manufactured after V8.0.1 support three modes of client certificate authentication on Gemalto Safenet KeySecure:
  • No Client Certificate Verification (least secure)
  • Client Certificate Verification of SSL Session (more secure)
  • Client Certificate Verification of SSL Session and User ID (most secure)
Notes:
  • If you upgraded your storage system to DS8000 V8.1 from a previous version, the encryption certificate that is installed on your storage system does not support the Client Certificate Verification of SSL Session and User ID authentication method.
  • If you upgraded your storage system to DS8000 V8.1 from a previous version, you can use the Client Certificate Verification of SSL Session authentication method if you import the DS8000 Gen1 and Gen2 root certificates into the KMIP server's list of trusted certificates.
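The three authentication modes differ in what the key server checks at TLS setup. The following Go program is an added illustration, not IBM or Gemalto code and not the DS8000 or KeySecure implementation: it models each mode as a TLS 1.2 server policy and runs a real handshake over loopback to show which clients each mode admits. All certificates are constructed self-signed test material, and the "User ID" binding is modelled, as an assumption, by comparing the client certificate's subject CN with the expected KMIP user name; how KeySecure actually binds a certificate to a user ID is not stated on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Mode models the three KeySecure client-certificate verification modes named above.
type Mode int

const (
	NoClientCertVerification Mode = iota // least secure: server authentication only
	VerifySession                        // client cert must chain to a trusted certificate
	VerifySessionAndUserID               // ...and its subject CN must equal the KMIP user ID (assumed model)
)

// selfSigned creates a throwaway self-signed ECDSA certificate (constructed test
// material; a real DS8000 encryption certificate is not reproduced here).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// ServerConfig builds the key server's TLS policy for one mode. TLS 1.2 is pinned,
// matching the DS8000-to-key-server transport described on the page.
func ServerConfig(mode Mode, cert tls.Certificate, trusted *x509.CertPool, userID string) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		ClientCAs:    trusted,
		ClientAuth:   tls.NoClientCert,
	}
	if mode >= VerifySession {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // session-level check: chain must be trusted
	}
	if mode == VerifySessionAndUserID {
		// Additionally bind the verified certificate to the claimed user ID.
		cfg.VerifyConnection = func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no client certificate presented")
			}
			if cn := cs.PeerCertificates[0].Subject.CommonName; cn != userID {
				return fmt.Errorf("certificate CN %q does not match user ID %q", cn, userID)
			}
			return nil
		}
	}
	return cfg
}

// Handshake runs one TLS handshake over loopback TCP and returns nil only if the
// key server admitted the client. clientCN is the CN placed in the client's
// certificate ("" presents no certificate); userID is the KMIP user the server expects.
func Handshake(mode Mode, clientCN, userID string) error {
	serverCert, serverLeaf, err := selfSigned("kmip-server")
	if err != nil {
		return err
	}
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	serverPool.AddCert(serverLeaf)
	clientCfg := &tls.Config{RootCAs: serverPool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if clientCN != "" {
		clientCert, clientLeaf, err := selfSigned(clientCN)
		if err != nil {
			return err
		}
		clientPool.AddCert(clientLeaf) // the server trusts this client's (self-signed) issuer
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		srvErr <- tls.Server(conn, ServerConfig(mode, serverCert, clientPool, userID)).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	if serr := <-srvErr; serr != nil {
		return serr
	}
	return err
}

func main() {
	fmt.Println("mode 1, no cert:      ", Handshake(NoClientCertVerification, "", "ds8000-a"))
	fmt.Println("mode 2, no cert:      ", Handshake(VerifySession, "", "ds8000-a"))
	fmt.Println("mode 3, CN/user differ:", Handshake(VerifySessionAndUserID, "ds8000-b", "ds8000-a"))
	fmt.Println("mode 3, CN/user match: ", Handshake(VerifySessionAndUserID, "ds8000-a", "ds8000-a"))
}
```

The cases worth noting: mode 2 rejects a client that presents no certificate, but it admits any certificate that chains to the trusted list, so a trusted certificate belonging to a different storage system is accepted; mode 3 additionally rejects that case because the certificate identity must agree with the user ID. This is also why the second note above matters: under mode 2 the Gen1/Gen2 root certificates must be in the server's trusted list or the session-level check cannot succeed.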