Upgrading and configuring encryption key servers

Configure encryption key servers to support NIST SP 800-131A security conformance.

About this task

You can choose to configure encryption by using IBM Security Key Lifecycle Manager or a non-IBM key server that supports OASIS Key Management Interoperability Protocol (KMIP).

IBM Security Guardium Key Lifecycle Manager is encryption key server software that is used with DS8000® and other devices. Some versions of this software conform with NIST SP 800-131A security guidelines and include pre-configured trust anchors for key client certificates that are used on DS8000 storage systems. If you choose to configure encryption by using Security Key Lifecycle Manager, select the appropriate version for your encryption key server host type and connection network protocol requirements.

  • If your encryption key server runs on an open system host and you do not plan to use the Transport Layer Security (TLS) 1.2 or 1.3 protocol with this key server, use IBM® Security Guardium Key Lifecycle Manager V2.6 or later.
  • If your encryption key server runs on an open system host and you plan to use the TLS 1.2 or 1.3 protocol with this key server, use IBM Security Guardium Key Lifecycle Manager V2.6 or later.
  • If your encryption key server runs on an IBM Z host LPAR with z/OS®, use IBM Security Guardium Key Lifecycle Manager for z/OS V1.1.0.3 or later.
  • If your encryption key server is Gemalto Safenet KeySecure, select version 8.0.0 or later.

If you choose to configure encryption by using a non-IBM key server that supports KMIP, it must support TLS 1.2 or 1.3. It is recommended to select a key server that is NIST SP 800-131A compliant. To run in NIST SP 800-131A mode, the Gen2 certificate must be the active certificate. DS8A00 storage systems that are manufactured with DS8A00 V8.1 or later come with an encryption certificate that is already updated to Gen2. If the DS8A00 was manufactured with a previous release level and upgraded to DS8A00 V8.1, it might have a Gen1 certificate that must be updated to Gen2 to run in NIST SP 800-131A compliant mode.

Notes:
  1. Use of TLS protocols with an encryption key server (TCP port 441) is recommended even if NIST SP 800-131A compliance is not required for your system.
  2. Compliance with NIST SP 800-131A requires the use of TLS 1.2 or 1.3 protocols if used with an encryption key server (TCP port 441). If TLS protocols are not used with the key server (TCP port 3801), the key server does not require TLS 1.2 or 1.3 support.

Procedure

Complete the following steps to install and configure encryption key servers that conform with the NIST SP 800-131A security guidelines.

  1. To update an existing key server with existing encryption key clients, complete the following steps:
    1. Optional: Deactivate any existing encryption key server clients that are using this key server. Use the following DS CLI command.
      dscli> chkeymgr -state inactive key_server_ID
    2. Quiesce the encryption key server.
    3. Update the encryption key server software to the required version.
    4. If the encryption key server certificate is not NIST SP 800-131A compliant, update the certificate. See Updating encryption certificates.
    5. Obtain the trust anchor for the key server certificate that is used to configure encryption key clients. If the key server certificate is self-signed, the trust anchor is the key server certificate. The trust anchor can be DER or PEM encoded for DS8A00.
    6. If your key server supports it, set the SSL protocol on the encryption key server to allow, but not require, TLS 1.2 or 1.3 protocols. Refer to your key server documentation for instructions to configure TLS levels.
    7. Resume the encryption key server.
    8. If any of the existing key clients did not previously use TLS protocols, but are going to use TLS protocols now, update the trust anchor and change the key server IP port on the key client. Use the following DS CLI commands:
      1. Delete the encryption key server:
        dscli> rmkeymgr key_server_ID
      2. Create the key server with the TLS port and specify the trust anchor file at location:
        dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
      3. Verify that the encryption key server port is active before you proceed:
        dscli> lskeymgr key_server_ID
    9. If the key server certificate was modified, for any of the existing key clients that are already using TLS protocols and require a trust anchor for the key server certificate, follow the previous steps to update the trust anchor and change the key server IP port on the key client.
    10. Configure any new key clients that are going to be attached to this key server. Use the following DS CLI commands:
      1. If you are configuring the new key client to use TLS protocols:
        dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
      2. Verify that the encryption key server port is active before you proceed:
        dscli> lskeymgr key_server_ID
    11. Reactivate any existing key clients that are still inactive on this key server. Use the following DS CLI commands:
      1. dscli> chkeymgr -state active key_server_ID
      2. Verify that the encryption key server port is active before you proceed:
        dscli> lskeymgr key_server_ID
  2. To configure a new encryption key server, complete the following steps:
    1. If this key server has encryption keys that are active for existing key clients on existing key servers, complete the following steps:
      1. Install the version of key server software currently running on existing key servers.
      2. If the key server is SKLM, back up the keystore on an existing key server and restore it on the new key server. If the key server is Gemalto Safenet KeySecure, add the new key server to the cluster.
    2. Install the appropriate version of the key server software.
    3. If the encryption key server certificate is not NIST SP 800-131A compliant, update the certificate.
    4. Obtain the trust anchor for the key server certificate that is used to configure encryption key clients. If the key server certificate is self-signed, the trust anchor is the key server certificate. The trust anchor can be DER or PEM encoded for DS8A00.
    5. If your key server supports it, set the SSL protocol on the encryption key server to allow, but not require, TLS 1.2 or 1.3 protocols. Refer to your key server documentation for instructions to configure TLS levels.
    6. Activate the encryption key server.
    7. If any existing key clients are moving from an old key server to the new key server that did not previously use TLS protocols, but are going to use TLS protocols now, update the trust anchor for the current key server certificate and change the key server IP address and IP port on the key client. Use the following DS CLI commands:
      1. Delete the encryption key server:
        dscli> rmkeymgr key_server_ID
      2. Create the key server with the TLS port:
        dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
      3. Verify that the encryption key server port is active before you proceed:
        dscli> lskeymgr key_server_ID
    8. If any existing key clients are moving from an old key server to the new key server, are already using TLS protocols, and require a trust anchor for the key server certificate, follow the previous steps to update the trust anchor for the current key server certificate and change the key server IP address and IP port on the key client.
    9. Configure any new encryption key clients that are going to be attached to this key server. Use the following DS CLI commands:
      1. If you are configuring the new key client to use TLS protocols:
        dscli> mkkeymgr -serverport port -addr IP_address -cert location -state active key_server_ID
      2. Verify that the encryption key server port is active before you proceed:
        dscli> lskeymgr key_server_ID
  3. Repeat the previous procedures to update all required key servers.
  4. After you update all of the encryption key servers, activate the NIST SP 800-131A compliant encryption key client certificate on each DS8900F. Use the following DS CLI commands:
    • If you are using an SKLM key server, activate the NIST SP 800-131A compliant certificate, delete the legacy certificate, and rekey the data key with new key labels.
      dscli> managekeygrp -action updatecert -key data -label key_label -label2 second_key_label encryption_group_ID
      Or activate the NIST SP 800-131A compliant certificate, delete the legacy certificate, and rekey with the existing key labels:
      dscli> managekeygrp -action updatecert -key data encryption_group_ID
    • If you are using a KMIP key server, activate the NIST SP 800-131A compliant certificate, delete the legacy certificate, and rekey.
      dscli> managekeygrp -action updatecert -key data encryption_group_ID
  5. Optional: You can enforce NIST SP 800-131A security conformance for encryption key server connections after you complete other required actions that are described in Configuring the DS Network Interface server to enforce NIST SP 800-131A.
    Notes:
    1. Quiescing an encryption key server without deactivating the DS8000 encryption key client might result in the generation of SNMP traps that indicate that an activated configured key server is inaccessible. These SNMP traps do not affect the operation of the DS8000.
    2. The encryption key server allows enforcement of NIST SP 800-131A security conformance. However, if a mix of key clients that support and do not support NIST SP 800-131A are attached to the key server, do not enforce NIST SP 800-131A security conformance from the key server side. Enforcing it prevents clients that do not support NIST SP 800-131A from connecting.
    3. If only two encryption key servers are configured for a DS8000 encryption group, removing one of the key servers might result in the generation of SNMP traps that indicate that there are fewer than two key servers activated. In some cases, these SNMP traps can be avoided by adding a new key server before the old key server is removed. In other words, in the procedure for configuring a new key server, reverse the order of the rmkeymgr and mkkeymgr commands.
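Before running rmkeymgr and mkkeymgr against the TLS port (steps 5 through 8 of each procedure), it helps to confirm from a management host that the key server actually negotiates TLS 1.2 or 1.3 on port 441 and presents the certificate the trust anchor file was taken from. The following pre-flight check is an added example, not IBM code and not part of the DS CLI; it uses only the Python standard library, accepts the trust anchor in either DER or PEM encoding as the page allows, and assumes the key server listens on the TLS port named above.

```python
"""Pre-flight check of an encryption key server's TLS port before cutover.
Added example (not IBM or DS CLI code): verifies TLS 1.2+ negotiation and that the
served leaf certificate equals the DER/PEM trust anchor (true when it is self-signed)."""
import hashlib
import socket
import ssl
import tempfile
from typing import Dict, Tuple

KEY_SERVER_TLS_PORT = 441  # TLS port from the page; 3801 is the non-TLS port


def load_trust_anchor(data: bytes) -> Tuple[bytes, str]:
    """Accept a DER- or PEM-encoded trust anchor and return (DER bytes, PEM text)."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        pem = data.decode("ascii")
        return ssl.PEM_cert_to_DER_cert(pem), pem
    return data, ssl.DER_cert_to_PEM_cert(data)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_key_server(host: str, anchor_file: str,
                     port: int = KEY_SERVER_TLS_PORT) -> Dict[str, object]:
    """Connect allowing only TLS 1.2/1.3, pinning the trust anchor as the sole CA.

    Returns the negotiated protocol, the leaf fingerprint, and whether the leaf
    equals the anchor (expected for a self-signed key server certificate).
    Raises ssl.SSLError if the server is not trusted or negotiates below TLS 1.2.
    """
    with open(anchor_file, "rb") as f:
        anchor_der, anchor_pem = load_trust_anchor(f.read())
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        tmp.write(anchor_pem)          # ssl needs the CA file in PEM form
    ctx = ssl.create_default_context(cafile=tmp.name)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    ctx.check_hostname = False          # key servers are usually addressed by IP
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            return {"protocol": tls.version(),
                    "leaf_fingerprint": fingerprint(leaf),
                    "leaf_is_anchor": leaf == anchor_der}
```

Run check_key_server against the address and port you intend to pass to mkkeymgr; a result whose protocol is TLSv1.2 or TLSv1.3 and whose leaf_is_anchor is true means the -cert file and -serverport value are consistent with what the server offers.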