Endpoint security

The Endpoint security tab on the Security page displays information about key servers and encryption certificates that are used for IBM® Fibre Channel Endpoint Security. If you have a storage administrator role, you can use the Endpoint security tab to enable and manage IBM Fibre Channel Endpoint Security.

IBM Fibre Channel Endpoint Security establishes authenticated communication and encryption of data in flight for Fibre Channel connections between a host and the storage system. The connections are secured by Fibre Channel security protocols and key server authentication that uses communication certificates. If both the host and storage system use a connection with Fibre Channel ports that support encryption, the connection will transmit encrypted data between the ports.

Enabling Fibre Channel Endpoint Security

To open the Enable Endpoint Security wizard and enable encryption, click Enable Endpoint Security. For more information, see Enabling IBM Fibre Channel Endpoint Security.

Enabling Fibre Channel Endpoint Security includes the following prerequisites:
  • The key servers must be online and accessible.
  • KMIP compatible key servers must have the SSL certificate available.

Managing Fibre Channel Endpoint Security

After Fibre Channel Endpoint Security is enabled, use the Endpoint Security page to manage encryption settings.
State
Indicates whether Fibre Channel Endpoint Security is enabled or disabled.

To enable Fibre Channel Endpoint Security after it is disabled, click Enabled to open the Enable Endpoint Security wizard.

To disable Fibre Channel Endpoint Security, select Disabled.

Key Servers
View the properties of the external key server where encryption keys are stored.
Host name
The name or IP address of the key server where the encryption key is located.
State
The status of the key server.
Critical
Only one Hardware Management Console (HMC) has access to the specified key server, which represents a potential single point of failure.

Use the showkeymgr command with the -access parameter to determine the status of each HMC.

Note: For storage systems with only one HMC configured, the showkeymgr command displays the status as normal.
Deactivated
The key server was deactivated by a user on the storage system.
Inaccessible
The storage system cannot access the key server.
Online
The key server can be accessed by the storage system.
Unwrap failing
The storage system is unable to obtain the encryption key from the key server.
Port
The I/O port on the key server that the storage system uses to access the encryption key.
Type
The type of the key server.
IBM SKLM (IPP)
IBM Proprietary Protocol (IPP) that is used to communicate with the IBM Security Key Lifecycle Manager (SKLM) for encryption management.
IBM SKLM (TLS)
The SKLM server that supports Transport Layer Security (TLS) for encryption management.
KMIP compatible
The Key Management Interoperability Protocol (KMIP) server used for encryption management.
Encryption Communication Certificates
DS8000® Encryption Communication Certificate
Certificate
The certificate that is installed on the key server: a system defined Gen2, system defined Gen3, or a customer defined certificate.
Expires
The expiration date for the certificate.
Export Public Key
Export the DS8000 encryption certificate to a file on the local system.
Update Certificate
Update the DS8000 encryption certificate to a system defined (Gen2 or Gen3) or customer defined certificate.

This action will also update the encryption certificate for data at rest encryption and transparent cloud tiering, if either option is enabled.

For more information about updating encryption certificates, see Updating encryption certificates.

View Certificate
View the encryption certificate.
Key Server Communication Certificates
Certificates from Key Management Interoperability Protocol (KMIP) compatible key servers or IBM® SKLM servers that provide encryption.
Update Certificate
Update the key server certificate.
View Certificate
View the encryption certificate. (Not available for SKLM servers without TLS.)
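The prerequisites and key server states described above translate directly into a readiness check: a key server in the Inaccessible, Deactivated or Unwrap failing state, a KMIP compatible server without its SSL certificate, or an expired communication certificate each prevent the storage system from obtaining keys, while the Critical state (only one HMC can reach the server) is a resilience warning rather than a hard stop. The script below is an added example, not DS8000 code and not the output format of the GUI or of showkeymgr; the server records and dates are constructed for illustration.

```python
# Added example: readiness check for the key servers and communication
# certificates behind IBM Fibre Channel Endpoint Security. The records are
# constructed for this example and do not mirror any DS8000 command output.
from datetime import date, timedelta

# States from the Endpoint security tab that stop key retrieval outright.
BLOCKING_STATES = {"Inaccessible", "Deactivated", "Unwrap failing"}


def check_key_servers(servers, today, warn_days=30):
    """Return (ready, findings).

    ready is False when any finding is a blocker (the storage system could
    not obtain keys from that server). Each finding is a tuple of
    (level, host, message) where level is "block" or "warn".
    """
    findings = []
    for s in servers:
        host = s["host"]
        if s["state"] in BLOCKING_STATES:
            findings.append(("block", host, f"key server state is {s['state']}"))
        elif s["state"] == "Critical":
            # Only one HMC has a path to this server: single point of failure.
            findings.append(("warn", host,
                             "only one HMC has access (verify with showkeymgr -access)"))
        # Prerequisite: KMIP compatible servers need their SSL certificate available.
        if s["type"] == "KMIP compatible" and not s["ssl_cert_available"]:
            findings.append(("block", host, "KMIP server has no SSL certificate available"))
        # Communication certificate lifetime (the Expires field).
        days_left = (s["cert_expires"] - today).days
        if days_left < 0:
            findings.append(("block", host,
                             f"communication certificate expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append(("warn", host,
                             f"communication certificate expires in {days_left} days"))
    ready = not any(level == "block" for level, _, _ in findings)
    return ready, findings


# Constructed sample: a healthy TLS SKLM server, a KMIP server missing its
# certificate, and an IPP server reachable from only one HMC whose
# certificate is about to expire. Host names are placeholders.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_SERVERS = [
    {"host": "sklm1.example.net", "type": "IBM SKLM (TLS)", "state": "Online",
     "ssl_cert_available": True, "cert_expires": SAMPLE_TODAY + timedelta(days=400)},
    {"host": "kmip1.example.net", "type": "KMIP compatible", "state": "Online",
     "ssl_cert_available": False, "cert_expires": SAMPLE_TODAY + timedelta(days=200)},
    {"host": "sklm2.example.net", "type": "IBM SKLM (IPP)", "state": "Critical",
     "ssl_cert_available": True, "cert_expires": SAMPLE_TODAY + timedelta(days=10)},
]


def sample_check():
    """Run the check over the constructed sample."""
    return check_key_servers(SAMPLE_SERVERS, SAMPLE_TODAY)


if __name__ == "__main__":
    ready, findings = sample_check()
    print("ready to enable Endpoint Security:", ready)
    for level, host, message in findings:
        print(f"[{level}] {host}: {message}")
```

Running it against the sample reports one blocker (the KMIP server with no certificate) and two warnings for the IPP server, so the check returns not ready. Feeding it only the healthy TLS server returns ready with no findings. The warn_days threshold is a local choice; set it to whatever lead time your certificate rotation process needs.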