Configure encryption key servers to support NIST SP 800-131A security conformance.
About this task
You can choose to configure encryption by using IBM Security Key Lifecycle Manager or a non-IBM key server that supports OASIS Key Management Interoperability Protocol (KMIP).
IBM Security Guardium Key Lifecycle Manager is encryption key server software that is used with DS8000® and other devices. Some versions of this software conform with NIST SP 800-131A security guidelines and include pre-configured trust anchors for key client certificates that are used on DS8000 storage systems. If you choose to configure encryption by using Security Key Lifecycle Manager, select the appropriate version for your encryption key server host type and connection network protocol requirements.
- If your encryption key server runs on an open system host and you do not plan to use the Transport Layer Security (TLS) 1.2 or 1.3 protocol with this key server, use IBM® Security Guardium Key Lifecycle Manager V2.6 or later.
- If your encryption key server runs on an open system host and you plan to use the TLS 1.2 or 1.3 protocol with this key server, use IBM Security Guardium Key Lifecycle Manager V2.6 or later.
- If your encryption key server runs on an IBM Z host LPAR with z/OS®, use IBM Security Guardium Key Lifecycle Manager for z/OS V1.1.0.3 or later.
- If your encryption key server is Gemalto Safenet KeySecure, select version 8.0.0 or later.
If you choose to configure encryption by using a non-IBM key server that supports KMIP, it must support TLS 1.2 or 1.3. It is recommended that you select a key server that is NIST SP 800-131A compliant. To run in NIST SP 800-131A mode, the Gen2 certificate must be the active certificate. DS8A00 storage systems that are manufactured with DS8A00 V8.1 or later come with an encryption certificate that is already updated to Gen2. If the DS8A00 was manufactured with a previous release level and upgraded to DS8A00 V8.1, it might have a Gen1 certificate that must be updated to Gen2 to run in NIST SP 800-131A compliant mode.
Notes:
- Use of TLS protocols with an encryption key server (TCP port 441) is recommended even if NIST SP 800-131A compliance is not required for your system.
- Compliance with NIST SP 800-131A requires TLS 1.2 or 1.3 for connections to an encryption key server that use TLS (TCP port 441). If TLS protocols are not used with the key server (TCP port 3801), the key server does not require TLS 1.2 or 1.3 support.
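Both procedures below include a step to obtain the trust anchor for the key server certificate and to update that certificate if it is not NIST SP 800-131A compliant. The following script is an added example, not IBM or DS CLI code: it reads a DER- or PEM-encoded trust anchor using only the Python standard library and reports the RSA modulus size and the signature hash, flagging RSA keys shorter than 2048 bits and SHA-1 signatures, which are the algorithm limits NIST SP 800-131A imposes. It does not model the DS8000 Gen1/Gen2 certificate naming on this page; `make_sample_cert` and `to_pem` build constructed, unsigned sample certificates so that the check can be exercised offline.

```python
# Inspect an encryption key server trust anchor (DER- or PEM-encoded X.509 certificate)
# for two NIST SP 800-131A rules: RSA modulus >= 2048 bits and a SHA-2 signature hash.
import base64, re, sys  # standard library only; added example, not IBM code

SIG_ALGS = {  # PKCS #1 signature OIDs -> (name, allowed under SP 800-131A)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
}
RSA_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split SEQUENCE content into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):  # decode OID content octets (base-128) to dotted form
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def load_der(data):  # accept DER bytes or PEM (both encodings DS8A00 accepts)
    data = data.encode() if isinstance(data, str) else data
    if data.startswith(b"-----"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

def inspect_trust_anchor(data):
    """Return signature algorithm, RSA key size and an SP 800-131A verdict."""
    tbs, sig_alg, _ = _children(_tlv(load_der(data), 0)[1])  # Certificate ::= SEQUENCE
    sig_oid = _oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # skip optional [0] EXPLICIT version
        fields = fields[1:]
    spki = _children(fields[5][1])  # serial, sigAlg, issuer, validity, subject, SPKI
    key_oid = _oid(_children(spki[0][1])[0][1])
    key_bits = None
    if key_oid == RSA_OID:  # BIT STRING (after its unused-bits byte) holds RSAPublicKey
        rsa_key = _children(_tlv(spki[1][1][1:], 0)[1])
        key_bits = int.from_bytes(rsa_key[0][1], "big").bit_length()
    sig_name, sig_ok = SIG_ALGS.get(sig_oid, (sig_oid, False))
    problems = []
    if not sig_ok:
        problems.append(f"signature algorithm {sig_name} is not allowed")
    if key_bits is None or key_bits < MIN_RSA_BITS:
        problems.append(f"public key {key_oid} ({key_bits} bits) is not RSA >= {MIN_RSA_BITS} bits")
    return {"signature_algorithm": sig_name, "key_bits": key_bits,
            "compliant": not problems, "problems": problems}

# --- constructed sample certificates so the check runs offline (not real key server certs) ---
def _enc(tag, content):  # DER-encode one TLV, long-form length when needed
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _enc_oid(dotted):  # dotted OID -> base-128 content octets
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += bytes(chunk)
    return bytes(out)

def make_sample_cert(sig_oid, key_bits):  # unsigned but structurally valid X.509 v3
    seq = lambda *items: _enc(0x30, b"".join(items))
    alg = lambda oid: seq(_enc(0x06, _enc_oid(oid)), _enc(0x05, b""))  # AlgorithmIdentifier
    modulus = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8 + 1, "big")  # leading 0x00 pad
    rsa_key = seq(_enc(0x02, modulus), _enc(0x02, b"\x01\x00\x01"))
    spki = seq(alg(RSA_OID), _enc(0x03, b"\x00" + rsa_key))
    validity = seq(_enc(0x17, b"240101000000Z"), _enc(0x17, b"340101000000Z"))
    tbs = seq(_enc(0xA0, _enc(0x02, b"\x02")), _enc(0x02, b"\x01"), alg(sig_oid),
              seq(), validity, seq(), spki)  # empty issuer/subject Names
    return seq(tbs, alg(sig_oid), _enc(0x03, b"\x00" * 33))  # placeholder signature

def to_pem(der):  # PEM wrapping, the other trust anchor encoding DS8A00 accepts
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # usage: python check_trust_anchor.py trust_anchor.der|.pem
    print(inspect_trust_anchor(open(sys.argv[1], "rb").read()))
```

Run it against the file you intend to pass to mkkeymgr with the -cert parameter; a non-empty problems list means the certificate should be updated before the key server is run in NIST SP 800-131A mode. The parser reads only the fields this check needs and does not validate signatures, chains, or expiry, so treat it as a quick pre-flight next to openssl x509 -text rather than a replacement for it.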
Procedure
Complete the following steps to install and configure encryption key servers that conform with the NIST SP 800-131A security guidelines.
- To update an existing key server with existing encryption key clients, complete the following steps:
  - Optional: Deactivate any existing encryption key server clients that are using this key server. Use the following DS CLI command:
    dscli> chkeymgr -state inactive key_server_ID
  - Quiesce the encryption key server.
  - Update the encryption key server software to the required version.
  - If the encryption key server certificate is not NIST SP 800-131A compliant, update the certificate. See Updating encryption certificates.
  - Obtain the trust anchor for the key server certificate that is used to configure encryption key clients. If the key server certificate is self-signed, the trust anchor is the key server certificate. The trust anchor can be DER or PEM encoded for DS8A00.
  - If your key server supports it, set the SSL protocol on the encryption key server to allow, but not require, TLS 1.2 or 1.3 protocols. Refer to your key server documentation for instructions to configure TLS levels.
  - Resume the encryption key server.
  - If any of the existing key clients did not previously use TLS protocols, but are going to use TLS protocols now, update the trust anchor and change the key server IP port on the key client. Use the following DS CLI commands:
    - Delete the encryption key server:
      dscli> rmkeymgr key_server_ID
    - Create the key server with the TLS port and add the trust anchor file with name location:
      dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
    - Verify that the encryption key server port is active before you proceed:
      dscli> lskeymgr key_server_ID
  - If the key server certificate was modified, for any of the existing key clients that are already using TLS protocols and require a trust anchor for the key server certificate, follow the previous steps to update the trust anchor and change the key server IP port on the key client.
  - Configure any new key clients that are going to be attached to this key server. Use the following DS CLI commands:
    - If you are configuring the new key client to use TLS protocols:
      dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
    - Verify that the encryption key server port is active before you proceed:
      dscli> lskeymgr key_server_ID
  - Reactivate any existing key clients that are still inactive on this key server. Use the following DS CLI commands:
    dscli> chkeymgr -state active key_server_ID
    - Verify that the encryption key server port is active before you proceed:
      dscli> lskeymgr key_server_ID
- To configure a new encryption key server, complete the following steps:
  - If this key server has encryption keys that are active for existing key clients on existing key servers, complete the following steps:
    - Install the version of key server software currently running on existing key servers.
    - If the key server is SKLM, back up the keystore on an existing key server and restore it on the new key server. If the key server is Gemalto Safenet KeySecure, add the new key server to the cluster.
  - Install the appropriate version of the key server software.
  - If the encryption key server certificate is not NIST SP 800-131A compliant, update the certificate.
  - Obtain the trust anchor for the key server certificate that is used to configure encryption key clients. If the key server certificate is self-signed, the trust anchor is the key server certificate. The trust anchor can be DER or PEM encoded for DS8A00.
  - If your key server supports it, set the SSL protocol on the encryption key server to allow, but not require, TLS 1.2 or 1.3 protocols. Refer to your key server documentation for instructions to configure TLS levels.
  - Activate the encryption key server.
  - If any existing key clients are moving from an old key server to the new key server that did not previously use TLS protocols, but are going to use TLS protocols now, update the trust anchor for the current key server certificate and change the key server IP address and IP port on the key client. Use the following DS CLI commands:
    - Delete the encryption key server:
      dscli> rmkeymgr key_server_ID
    - Create the key server with the TLS port:
      dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
    - Verify that the encryption key server port is active before you proceed:
      dscli> lskeymgr key_server_ID
  - If any existing key clients are moving from an old key server to the new key server, are already using TLS protocols, and require a trust anchor for the key server certificate, follow the previous steps to update the trust anchor for the current key server certificate and change the key server IP address and IP port on the key client.
  - Configure any new encryption key clients that are going to be attached to this key server. Use the following DS CLI commands:
    - If you are configuring the new key client to use TLS protocols:
      dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
    - Verify that the encryption key server port is active before you proceed:
      dscli> lskeymgr key_server_ID
- Repeat the previous procedures to update all required key servers.
- After you update all of the encryption key servers, activate the NIST SP 800-131A compliant encryption key client certificate on each DS8900F. Use the following DS CLI commands:
- Optional: You can enforce NIST SP 800-131A security conformance for encryption key server connections after you complete other required actions that are described in Configuring the DS Network Interface server to enforce NIST SP 800-131A.
Notes:
- Quiescing an encryption key server without deactivating the DS8000 encryption key client might result in the generation of SNMP traps that indicate that an activated configured key server is inaccessible. These SNMP traps do not affect the operation of the DS8000.
- The encryption key server allows enforcement of NIST SP 800-131A security conformance. However, if a mix of key clients that support and do not support NIST SP 800-131A are attached to the key server, do not enforce NIST SP 800-131A security conformance from the key server side. Enforcing it prevents clients that do not support NIST SP 800-131A from connecting.
- If only two encryption key servers are configured for a DS8000 encryption group, removing one of the key servers might result in the generation of SNMP traps that indicate that there are fewer than two key servers activated. In some cases, these SNMP traps can be avoided by adding a new key server before the old key server is removed. In other words, in the procedure for configuring a new key server, reverse the order of the rmkeymgr and mkkeymgr commands.