mkkeymgr
The mkkeymgr command creates an entry in the storage complex to access one or more key servers.
The storage system includes support for the industry-standard Key Management Interoperability Protocol (KMIP) for disk encryption. This support means that environments without IBM® key management infrastructure can incorporate the storage system encryption feature by using KMIP.
The terms key server and key manager are closely related and sometimes used interchangeably. The key manager is the program that runs on a physical server and provides key services to key clients, such as the storage system. Key services include generating, storing, and retrieving encryption keys. This command uses the term key server to indicate both the physical server and the key manager.
To use a key group, the key client on the storage system HMC must have access to two or more key servers. A given key server is identified by an IP address and an IP port number. The IP port determines whether the key server requires the security protocol, Transport Layer Security (TLS), for communications. The storage system key client uses a TLS protocol if, and only if, a certificate is provided. However, if a certificate is provided and the specified IP port is a non-TLS port, or if no certificate is provided and the specified IP port is a TLS port, then the storage system key client cannot connect to the key server.
Parameters
- -serverport port_ID
- (Optional) The key server port ID. The key server port ID is 4 or 5 decimal characters. For example, 8100 is a valid server port ID.
- -cert location
- (Optional) The location of the certificate file to use as a trust anchor to authenticate the certificate of the specified key server when using a TLS security protocol. If not specified, then only non-TLS protocols that do not require a trust anchor certificate are allowed. The certificate is in the PEM or DER format. For example, C:\mystore\trust.pem.
- -keyprotocol IPP | KMIP
- The key server protocol that the storage system uses to communicate with the key server for key management operations.
- IPP
- The storage system communicates with the specified key server using the IBM Proprietary Protocol (IPP). This value is the default.
- KMIP
- The storage system communicates with the specified key server using the Key Management Interoperability Protocol (KMIP).
- -state active | inactive
- (Optional) Specifies the state of the key manager.
- active
- The key manager is to be used to store encryption keys and it should be checked periodically to verify the status of the key manager.
- inactive
- The key manager is not to be used to store encryption keys and it should not be checked periodically.
- -type dar | tct | endpoint
- (Optional) The type of encryption that is used by the key groups that are managed by the key manager.
- dar
- Encryption for data at rest, which encrypts data that is stored on your storage system. This value is the default.
- tct
- Encryption for transparent cloud tiering, which ensures that data is encrypted before it is transferred to cloud storage. The data remains encrypted in cloud storage and is decrypted after it is transferred back to the storage system.
- endpoint
- Encryption for IBM Fibre Channel Endpoint Security, which establishes authenticated communication and encryption of data in flight for Fibre Channel connections between an IBM Z® host and the storage system. The connections are secured by Fibre Channel security protocols and key server authentication that uses communication certificates. If both the host and storage system use a connection with Fibre Channel ports that support encryption, the connection will transmit encrypted data between the ports.
- -keygrp key_group_ID | -
- (Optional) The ID for the key group. The key group ID is a decimal number that ranges from 1 to N, where N is the maximum number of key groups that are supported by the storage system. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode. The default ID value is 1, which indicates a key group that is configured for data at rest encryption.
- -addr IP_address
- (Required) The IP address for the key manager. The IP address can be an IPv4 address, an IPv6 address, or a DNS name.
- key_server_ID | -
- (Required) The key server ID. The key server ID is a decimal number that ranges from 1 to N, where N is the maximum number of key servers that the storage system can support. For example, 4. Use the showsp command to determine this maximum number. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.
Example: Creating an entry in the storage complex to access one or more key servers.
dscli> mkkeymgr -cert /home/hscroot/keyppard.pem -keyprotocol KMIP -addr keyppard.tuc1.stglabs.ibm.com 1
Output:
The key server 1 created successfully.
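The certificate/port rule described above (the key client speaks TLS if, and only if, -cert is given, and a mismatch with the port type means the connection fails) is easy to get wrong before the key server entry exists and the HMC starts polling it. The following pre-flight check is an added example, not part of the DS CLI or of IBM's documentation: it probes the key server port with the same PEM trust anchor you intend to pass to -cert, applies the pairing rule, and assembles the mkkeymgr command from the example above. It assumes the key server port is reachable from the host running the script and that the trust anchor is PEM (the CLI also accepts DER, which ssl.SSLContext does not load directly). The loopback listener, the ProbeResult, pairing_ok and build_mkkeymgr names are this example's own; the IBM DS CLI exposes nothing like them.

```python
"""Pre-flight check for the mkkeymgr -cert / port pairing rule.

Added example; not DS CLI code. Assumes the key server port is reachable
from this host and that the trust anchor is a PEM file.
"""
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    reachable: bool    # TCP connect succeeded
    speaks_tls: bool   # the port answered our ClientHello with TLS records
    trusted: bool      # the handshake completed against our trust anchor
    detail: str


def probe_port(addr: str, port: int, cafile: Optional[str] = None,
               timeout: float = 5.0) -> ProbeResult:
    """Connect to addr:port and attempt a TLS handshake.

    cafile is the PEM trust anchor you would hand to mkkeymgr -cert.
    Only the chain to that anchor is checked; the reference page does not
    describe hostname matching, so it is disabled here.
    """
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult(False, False, False, f"connect failed: {exc}")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        # wrap_socket on an already-connected socket performs the handshake now.
        with ctx.wrap_socket(raw, server_hostname=addr):
            return ProbeResult(True, True, True, "TLS handshake completed, chain verified")
    except ssl.SSLCertVerificationError as exc:
        return ProbeResult(True, True, False, f"TLS, but untrusted: {exc.verify_message}")
    except ssl.SSLError as exc:
        # A non-TLS listener replies with bytes that are not a TLS record.
        return ProbeResult(True, False, False, f"not a TLS port: {exc.reason}")
    except OSError as exc:
        # Some plain listeners simply hang up on the ClientHello.
        return ProbeResult(True, False, False, f"dropped during handshake: {exc}")
    finally:
        raw.close()


def pairing_ok(cert: Optional[str], probe: ProbeResult) -> Tuple[bool, str]:
    """Apply the mkkeymgr rule: TLS is used iff -cert is given, and the
    port type must agree with that choice or the client cannot connect."""
    if not probe.reachable:
        return False, "key server port unreachable"
    if cert is None and probe.speaks_tls:
        return False, "no -cert given but the port is a TLS port"
    if cert is not None and not probe.speaks_tls:
        return False, "-cert given but the port is a non-TLS port"
    if cert is not None and not probe.trusted:
        return False, "TLS port, but the server certificate does not chain to -cert"
    return True, "cert/port pairing is consistent"


def build_mkkeymgr(server_id: int, addr: str, cert: Optional[str] = None,
                   port: Optional[int] = None, keyprotocol: str = "IPP") -> str:
    """Assemble the dscli command line using the parameters documented above."""
    parts = ["mkkeymgr"]
    if cert is not None:
        parts += ["-cert", cert]
    parts += ["-keyprotocol", keyprotocol]
    if port is not None:
        parts += ["-serverport", str(port)]
    parts += ["-addr", addr, str(server_id)]
    return " ".join(parts)


def start_plain_listener() -> int:
    """Constructed stand-in for a non-TLS key server port: a loopback TCP
    listener that answers any client with plain text and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(b"not tls\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed plain listener: a cert is offered, so the
    # pairing rule must reject it before mkkeymgr is ever run.
    demo_port = start_plain_listener()
    result = probe_port("127.0.0.1", demo_port)
    print(result)
    print(pairing_ok("/home/hscroot/keyppard.pem", result))
    print(build_mkkeymgr(1, "keyppard.tuc1.stglabs.ibm.com",
                         cert="/home/hscroot/keyppard.pem", keyprotocol="KMIP"))
```

Run the probe with the real key server address and the same -cert path before issuing mkkeymgr; a "not a TLS port" result with a certificate in hand, or a completed handshake with no certificate, is exactly the mismatch the reference warns cannot connect, and a "TLS, but untrusted" result means the trust anchor file is the wrong one for that server.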