The Endpoint security tab on the Security page displays information about key servers and encryption certificates that are used for IBM® Fibre Channel Endpoint Security. If you have a storage administrator role, you can use the Endpoint security tab to enable and manage IBM Fibre Channel Endpoint Security.
IBM Fibre Channel Endpoint Security establishes authenticated communication and encryption of data in flight for Fibre Channel connections between a host and the storage system. The connections are secured by Fibre Channel security protocols and by key server authentication that uses communication certificates. If both the host and the storage system connect through Fibre Channel ports that support encryption, the connection transmits encrypted data between the ports.
Enabling Fibre Channel Endpoint Security
To open the Enable Endpoint Security wizard and enable encryption, click Enable Endpoint Security. For more information, see Enabling IBM Fibre Channel Endpoint Security.
Enabling Fibre Channel Endpoint Security has the following prerequisites:
- The key servers must be online and accessible.
- KMIP-compatible key servers must have their SSL certificate available.
Managing Fibre Channel Endpoint Security
After Fibre Channel Endpoint Security is enabled, use the Endpoint Security page to manage encryption settings.
- State
- Indicates whether Fibre Channel Endpoint Security is enabled or disabled. To enable Fibre Channel Endpoint Security after it has been disabled, click Enabled to open the Enable Endpoint Security wizard. To disable Fibre Channel Endpoint Security, select Disabled.
- Key Servers
- View the properties of the external key server where encryption keys are stored.
- Host name
- The name or IP address of the key server where the encryption key is located.
- State
- The status of the key server.
- Critical
- Only one Hardware Management Console (HMC) has access to the specified key server, which represents a potential single point of failure. Use the showkeymgr command with the -access parameter to determine the status of each HMC.
Note: For storage systems with only one HMC configured, the showkeymgr command displays the status as normal.
- Deactivated
- The key server was deactivated by a user on the storage system.
- Inaccessible
- The storage system cannot access the key server.
- Online
- The key server can be accessed by the storage system.
- Unwrap failing
- The storage system is unable to obtain the encryption key from the key server.
- Port
- The I/O port on the key server that the storage system uses to access the encryption key.
- Type
- The type of the key server.
- IBM SKLM (IPP)
- IBM Proprietary Protocol (IPP) that is used to communicate with the IBM Security Key Lifecycle Manager (SKLM) for encryption management.
- IBM SKLM (TLS)
- The SKLM server that supports Transport Layer Security (TLS) for encryption management.
- KMIP compatible
- The Key Management Interoperability Protocol (KMIP) server used for encryption management.
- Encryption Communication Certificates
- DS8000® Encryption Communication Certificate
- Certificate
- The certificate that is installed on the key server: a system-defined Gen2, a system-defined Gen3, or a customer-defined certificate.
- Expires
- The expiration date for the certificate.
- Export Public Key
- Export the DS8000 encryption certificate to a file on the local system.
- Update Certificate
- Update the DS8000 encryption certificate to a system-defined (Gen2 or Gen3) or customer-defined certificate. This action also updates the encryption certificate for data at rest encryption and transparent cloud tiering, if either option is enabled. For more information about updating encryption certificates, see Updating encryption certificates.
- View Certificate
- View the encryption certificate.
- Key Server Communication Certificates
- Certificates from Key Management Interoperability Protocol (KMIP) compatible key servers or IBM® SKLM servers that provide encryption keys.
- Update Certificate
- Update the key server certificate.
- View Certificate
- View the encryption certificate. (Not available for SKLM servers without TLS.)