Configuring key servers

If you have an administrator user role, you can configure a key server compatible with Key Management Interoperability Protocol (KMIP) or with IBM Proprietary Protocol (IPP).

Before you begin

  • Ensure that at least two key servers are online, accessible, and synchronized.
  • If you are using an IBM® Security Guardium Key Lifecycle Manager key server with IBM Proprietary Protocol (IPP), ensure that the key labels are available.
  • The recovery key must be either configured or disabled by the security administrator and ready to be authorized by the storage administrator.
To enable encryption on a storage system using TKLM or SKLM, you must upgrade to one of the following versions of TKLM or SKLM that has the Gen2 CA root installed:
  • TKLM version 2.0.1 or later on Open Systems
  • SKLM (all versions) on Open Systems
  • SKLM version 1.1.0.2 or later on z/OS
DS8000® supports the following KMIP key servers:
  • IBM Security Guardium Key Lifecycle Manager 3.0 or later (a multi-master or incremental replication configuration is required). IBM Fibre Channel Endpoint Security requires 3.0.1 fix-pack 2 or later.
  • Gemalto Safenet KeySecure Classic 8.0.1, 8.3.2, 8.4.2, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, and 8.11.1
  • Gemalto Safenet KeySecure Next Generation 1.7.0 and 1.8.0
  • Thales CipherTrust Manager 2.0.0 to 2.12.0, or later
  • Vormetric DSM V6100 version 6.4.0.15031 or later
  • Migration from Gemalto Safenet KeySecure 8.X to Thales CipherTrust Manager 2.X
Note: IBM Fibre Channel Endpoint Security does not support Gemalto Safenet KeySecure Classic, Gemalto Safenet KeySecure Next Generation, or Vormetric DSM. Security Guardium Key Lifecycle Manager must be configured with multi-master replication.

The following guidelines apply to key servers:
  • For SKLM key servers, compliance with NIST SP 800-131A requires Transport Layer Security (TLS) 1.2 or 1.3 when the connection to the encryption key server uses TLS (TCP port 441). If SSL or TLS is not used with the key server (TCP port 3801), the key server does not require TLS 1.2 or 1.3 support.
  • For KMIP key servers, only TLS 1.2 or 1.3 is supported.
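The following script is an added example, not part of the IBM documentation, for checking the TLS guideline above before a key server is registered. It probes which protocol versions an endpoint will negotiate by pinning a single version per handshake, then applies the rule stated on this page: KMIP servers and SKLM over TLS (port 441) must negotiate TLS 1.2 or 1.3, while the non-TLS SKLM transport on port 3801 needs no TLS 1.2/1.3 support. The function names `probe_tls_versions` and `evaluate_key_server`, the hostnames, and the use of 5696 (the standard KMIP port) are the example's own assumptions; treating a still-enabled TLS 1.0/1.1 listener as a failing finding is the example's stricter reading, not a statement from the page.

```python
"""Pre-check of key-server TLS versions against the DS8000 guideline (added example)."""
import socket
import ssl
import sys
from typing import Dict, List, Tuple

# Version names match the strings that ssl.SSLSocket.version() reports.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")


def probe_tls_versions(host: str, port: int, timeout: float = 5.0) -> Dict[str, bool]:
    """Return {version_name: True if the server negotiated it} for each TLS version.

    Each attempt pins minimum_version == maximum_version so the server cannot
    fall back to a different version. Certificate verification is disabled on
    purpose: this asks only which protocol versions are offered; it is not a
    trust check and must not replace one.
    """
    results: Dict[str, bool] = {}
    for name, version in TLS_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (OSError, ValueError):
            # Connection refused, handshake rejected by the server, or the local
            # OpenSSL build refuses to enable this version: record "not offered".
            results[name] = False
    return results


def evaluate_key_server(server_type: str, port: int,
                        negotiated: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply this page's guideline to one probed endpoint.

    server_type is "SKLM" (IPP) or "KMIP"; negotiated is the dict returned by
    probe_tls_versions (or a constructed one). Returns (compliant, findings).
    """
    findings: List[str] = []
    if server_type not in ("SKLM", "KMIP"):
        findings.append(f"unknown key server type {server_type!r}")
        return False, findings

    if server_type == "SKLM" and port == 3801:
        # Non-TLS IPP transport: the page states TLS 1.2/1.3 support is not required.
        findings.append("port 3801 is the non-TLS IPP transport; TLS 1.2/1.3 not required")
        return True, findings

    # KMIP (any port) and SKLM over TLS (port 441) must negotiate TLS 1.2 or 1.3.
    modern = [v for v in MODERN if negotiated.get(v)]
    legacy = [v for v in LEGACY if negotiated.get(v)]
    if modern:
        findings.append("negotiates " + ", ".join(modern))
    else:
        findings.append("server does not negotiate TLS 1.2 or 1.3")
    if legacy:
        # Example's stricter reading: a listener that still accepts TLS 1.0/1.1
        # on the TLS path is reported and fails the check.
        findings.append("legacy versions still enabled: " + ", ".join(legacy))
    return bool(modern) and not legacy, findings


if __name__ == "__main__":
    # Usage (hostnames are placeholders):
    #   python check_keyserver_tls.py KMIP keyserver.example.com 5696
    #   python check_keyserver_tls.py SKLM keyserver.example.com 441
    stype, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    ok, notes = evaluate_key_server(stype, port, probe_tls_versions(host, port))
    print("PASS" if ok else "FAIL", f"{stype} {host}:{port}", "; ".join(notes))
```

Run it once per key server before registering the pair on the DS8000; since the "Before you begin" list requires at least two synchronized servers, both must pass. The probe disables certificate checks only because its job is protocol negotiation; certificate trust for the actual DS8000-to-key-server connection is established separately when the server is registered.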