Planning for remote encryption-key servers
If the local key manager (feature 0405) is not enabled, two encryption-key servers and associated software are required for each site that has one or more encryption-enabled storage systems.
One encryption-key server must be isolated. An isolated encryption-key server is a set of dedicated server resources that run only the encryption-key lifecycle manager application and its associated software stack. This server is attached directly to dedicated non-encrypting storage resources containing only key server code and data objects.
The remaining key servers can be of any supported key-server configuration. Any site that operates independently of other sites must have key servers for the encryption-enabled storage systems at that site.
For DS8000® encryption environments a second Hardware Management Console (HMC) should be configured for high availability.
You can configure each encryption-enabled storage system with two independent key labels. This capability allows the use of two independent key-servers when one or both key-servers are using secure-key mode keystores. The isolated key-server can be used with a second key-server that is operating with a secure-key mode keystore.
- TKLM version 2.0.1 or later on Open Systems
- SKLM (all versions) on Open Systems
- SKLM version 184.108.40.206 or later on z/OS
- IBM® Security Guardium Key Lifecycle Manager 3.0 or later (a multi-master or incremental replication configuration is required). IBM Fibre Channel Endpoint Security requires 3.0.1 fix-pack 2 or later.
- Gemalto Safenet KeySecure Classic 8.0.1, 8.3.2, 8.4.2, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, and 8.11.1
- Gemalto Safenet KeySecure Next Generation 1.7.0 and 1.8.0
- Thales CipherTrust Manager 2.0.0- 2.12.0 or later
- Vormetric DSM V6100 version 220.127.116.1131 or later
- Migration from Gemalto Safenet KeySecure 8.X to Thales CipherTrust Manager 2.X