Encryption key servers create and manage the encryption keys that the system uses. In
environments with many systems, key servers distribute keys remotely without requiring physical
access to the systems. IBM® Security Guardium® Key Lifecycle Manager key servers support the Key
Management Interoperability Protocol (KMIP), a standard protocol for managing cryptographic keys,
including the keys that protect stored data.
The system supports the following IBM Security Guardium Key Lifecycle Manager key server
configurations:
- IBM Security Guardium Key Lifecycle Manager key servers can be configured with one primary key
server and up to three secondary key servers (also known as clones). The secondary key servers
provide additional paths for delivering keys to the system. During rekeying, however, only the path
to the primary key server is used: after the system is rekeyed, the secondary key servers cannot
serve the new key until the primary key server has replicated it to them. The time that replication
takes depends on the amount of key and certificate information that is being replicated and on the
number of key servers that are configured as clones. Replication must complete before the new keys
can be used on the system. You can either schedule automatic replication or run it manually on
IBM Security Guardium Key Lifecycle Manager. During replication, the key servers are not available
to distribute keys or accept new keys. If replication is triggered manually, IBM Security Guardium
Key Lifecycle Manager issues a completion message when the replication completes. Verify that all
key servers contain the replicated key and certificate information before the keys are used on the
system.
- Key servers can also be configured with multiple primary key servers, where each key server can
create new encryption keys. In this configuration, any server can be set as the primary key server.
The primary key server is the key server that the system uses when you create new encryption keys.
If multiple primary servers are enabled on IBM Security Guardium Key Lifecycle Manager, a new key
is immediately replicated to the other key servers in the configuration.
Ensure that you complete the following tasks on the
IBM Security Guardium Key Lifecycle Manager before you enable encryption:
- Configure IBM Security Guardium Key Lifecycle Manager to use Transport Layer Security version
1.2 (TLSv1.2). The default setting on IBM Security Guardium Key Lifecycle Manager is TLSv1, but
the system supports only TLS version 1.2. In IBM Security Guardium Key Lifecycle Manager, specify
the SSL_TLSv2 protocol setting to enable TLS 1.2.
- Ensure that the database service is started automatically on startup.
- Ensure that a valid SSL certificate from IBM Security Guardium Key Lifecycle Manager is installed
on the system and in use. If automatic replication is configured on IBM Security Guardium Key
Lifecycle Manager, this certificate needs to be uploaded to the system only once. If automatic
replication is not configured, a certificate for each stand-alone key server must be uploaded to
the system.
- Specify the
SPECTRUM_VIRT device group for the system definition. If you are configuring
multiple key servers, the SPECTRUM_VIRT device group must be defined on the
primary and all secondary key servers.
- If encryption is enabled with USB flash drives, insert at least one of the
USB flash drives into the system before key servers can be configured for managing keys.
For more information about completing these tasks, see the IBM Documentation for
IBM Security Guardium Key Lifecycle Manager.
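The TLS 1.2 and certificate prerequisites above are easy to get wrong on one clone and not another, and the system only tells you about it when key retrieval fails. The following preflight script is an added example, not code from the IBM page or from IBM Security Guardium Key Lifecycle Manager: for each key server it confirms that a TLS 1.2 handshake succeeds and the chain verifies against the CA bundle you intend to upload to the system, that TLS 1.0 and 1.1 are refused, and that the primary and every clone present the same certificate (the system contacts all instances with one key server certificate when replication is used). The host names, the CA file path, and port 5696 (the IANA-registered KMIP port) are assumptions; the script needs the openssl command-line tool and runs from an administration host, not on the storage system.

```shell
#!/bin/sh
# Added preflight check for GKLM key servers (example code, not IBM's).
# Assumptions: openssl CLI available; KEYSERVERS lists host:port pairs for the
# primary and each clone; CA_FILE is the CA chain that will be uploaded to the
# system. Port 5696 is the registered KMIP port and a placeholder here.
set -u

KEYSERVERS="${KEYSERVERS:-gklm-primary.example.net:5696 gklm-clone1.example.net:5696}"
CA_FILE="${CA_FILE:-/tmp/gklm-ca-chain.pem}"

# Print the SHA-256 fingerprint of the leaf certificate a server presents when
# the client insists on TLS 1.2. Fails if the handshake fails or the chain does
# not verify against CA_FILE (-verify_return_error turns verify errors fatal).
leaf_fingerprint() {  # $1 = host:port
    out=$(openssl s_client -connect "$1" -tls1_2 -CAfile "$CA_FILE" \
              -verify_return_error </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed only if the server does NOT complete a handshake at the given protocol.
# Caveat: any handshake failure counts as a refusal, including a client-side
# openssl that no longer supports the old protocol, so a "refuses" result is
# only meaningful when the local openssl can still speak it.
refuses_protocol() {  # $1 = host:port, $2 = -tls1 or -tls1_1
    if openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1; then
        return 1  # the server accepted the downgraded protocol
    fi
    return 0
}

# Read "host fingerprint" lines on stdin; succeed only if every fingerprint
# matches the first one (one certificate for primary and all clones).
fingerprints_agree() {
    awk 'NR == 1 { first = $2 } $2 != first { bad = 1 } END { exit bad }'
}

preflight() {
    rc=0
    lines=""
    for ks in $KEYSERVERS; do
        if fp=$(leaf_fingerprint "$ks"); then
            lines="$lines$ks $fp
"
        else
            echo "FAIL $ks: TLS 1.2 handshake or chain verification failed" >&2
            rc=1
            continue
        fi
        for proto in -tls1 -tls1_1; do
            refuses_protocol "$ks" "$proto" || { echo "FAIL $ks: accepts $proto" >&2; rc=1; }
        done
    done
    printf '%s' "$lines" | fingerprints_agree \
        || { echo "FAIL: key servers present different certificates" >&2; rc=1; }
    return $rc
}

# Only contact the key servers when explicitly asked; the functions above can
# be sourced and reused on their own.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it as `RUN_PREFLIGHT=1 KEYSERVERS="primary:5696 clone1:5696 clone2:5696" CA_FILE=/path/to/chain.pem sh preflight.sh` before you enable encryption; a non-zero exit means at least one key server is not in the state this page requires, and the stderr lines say which check failed on which server.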
When you create key server objects on the system for IBM Security Guardium Key Lifecycle Manager
key servers, you must specify a device group, in addition to the name, IP address, port, and
certificate information. The device group is a collection of security credentials (including keys
and groups of keys) that allows restricted management of subsets of devices within a larger pool.
If you use the default settings, the system must be defined on the key server in the SPECTRUM_VIRT
device group. If the SPECTRUM_VIRT device group does not exist on the key server, create it based
on the GPFS device family. If you are configuring multiple key servers, the SPECTRUM_VIRT device
group must be defined on the primary and all additional key servers.
To enable encryption with an IBM Security Guardium Key Lifecycle Manager key server in the
management GUI, complete these steps:
- In the management GUI, select .
- Click Enable Encryption.
- On the Welcome page, select Key Servers. Click
Next.
Note: You can also select both Key Servers and USB flash drives to configure both methods of
managing encryption keys. If either method becomes unavailable, you can use the other method to
access the encrypted data on your system.
- Select IBM Security Guardium Key Lifecycle Manager (with
KMIP) for the key server type.
- Enter
the name, IP address or domain
name, and port for each key server. If you are configuring multiple key servers, the first key
server that you specify is the primary key server. If you specify a domain
name, a DNS server must be
configured on your system. To configure a DNS server for the system, select
.
You can also use the mkdnsserver command to configure DNS
servers.
- Select SPECTRUM_VIRT for the device group for the key servers. This
device group must also be configured on each of the key servers for the system.
- On the Key Server Certificate page, upload all the necessary key server certificates to the
system. For each key server you can upload the server certificate itself, the root CA certificate,
or a file that contains all CA certificates in that chain. This file does not need to include the
key server certificate, only the intermediate and root CA certificates. A server certificate that
is installed on the system takes priority over any CA certificate that is installed for the key
servers, and a self-signed certificate takes priority over a CA-signed one. If the key servers are
configured for automatic replication, the certificate is copied from the primary key server to all
secondary key servers, so all IBM Security Guardium Key Lifecycle Manager instances are contacted
over secure connections with the same key server certificate and only one key server certificate
needs to be installed on the system; the IBM Security Guardium Key Lifecycle Manager instances also
use this single certificate to replicate keys with each other. If only one certificate is used and
automatically replicated to all configured key servers, select the certificate that you uploaded to
the system in the Certificate field. If automatic replication is not configured, select all the
valid certificates that you uploaded to the system for each of the configured key servers. Click
Next.
- On the System Encryption Certificate page, click Export Public Key to download the system's
public key certificate. The system encryption certificate can be self-signed or CA-signed. This
certificate is uploaded to each of the key servers to establish the trust that the system needs to
communicate with each key server. If the IBM Security Guardium Key Lifecycle Manager servers are
configured for automatic replication, the primary key server replicates the system certificate to
all secondary key servers, and all instances then accept the system over secure connections with
that same certificate. If the IBM Security Guardium Key Lifecycle Manager servers are not
configured for automatic replication, you must install the system certificate on each stand-alone
key server. If a certificate does not exist, select . On the Secure Communications page, select
Update Certificate to create or import a certificate. For more information about certificates, see
the topic about certificates that are used for key servers.
- Return to the System Encryption Certificate page and
select The system’s public key certificate has been transferred to each configured key
server.
- If USB flash drives are configured as your encryption method, the Disable USB Encryption page is
displayed. To migrate to key servers and disable USB flash drives, select Yes. To keep both
encryption methods configured simultaneously, click No.
- Click Next.
- On the Summary page, verify the configuration for the key servers and click
Finish.
To enable encryption with a
IBM Security Guardium Key Lifecycle Manager key server in the command-line
interface, complete the following steps:
- Export the SSL certificate (public key) that is installed on the system. This can be the
self-signed certificate that the system generated or one that you previously obtained from a CA
and installed on the system:
svctask chsystemcert -export
This action creates a
/dumps/certificate.pem file.
- Copy the system's public key as a trusted certificate to each configured key server. For
information, see IBM Documentation for the IBM Security Guardium Key Lifecycle Manager.
- Enter the following CLI command to enable encryption on your
system:
chencryption -keyserver enable
- Enable the key server type and supply the certificate authority (CA) signed certificate, if one
is necessary:
chkeyserverisklm -enable -sslcert /tmp/CASigned.crt
- Create the primary key server and specify the key server
certificate:
mkkeyserver -ip ip_address_or_domain_name -port port -primary
- Create up to three more secondary key servers with the same key server
certificate:
mkkeyserver -ip ip_address_or_domain_name -port port
- Create the encryption key for the system on the key
server:
chencryption -keyserver newkey -key prepare
This command requests the primary key server to create a new
key.
- To verify that the system is prepared, enter the following command:
lsencryption
Check that the keyserver_rekey parameter has the value prepared. The prepared value indicates that
the new key is ready to be committed.
- To commit the key, enter the following
command:
chencryption -keyserver newkey -key commit
This command makes the new key the current key on the system.
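The CLI sequence above has one ordering hazard worth automating away: the commit step must not run until lsencryption reports keyserver_rekey prepared, and the system certificate must be trusted by every key server before the key servers are created. The following script is an added example, not code from the IBM page or from IBM; it drives exactly the commands listed above over SSH, in two phases, and polls lsencryption before committing. It assumes SSH and scp access to the system as a user with the required role, that the CA-signed key server certificate has already been copied to /tmp/CASigned.crt on the system, that lsencryption prints one "name value" pair per line (format assumed), and that the host names and the 5696 KMIP port are placeholders you replace.

```shell
#!/bin/sh
# Added rollout script for the CLI procedure above (example code, not IBM's).
# Assumptions: SSH/scp access to $SYSTEM as $SSH_USER; the key server CA
# certificate already at $KS_CERT on the system; lsencryption output in
# "name value" lines (assumed). Host names and port 5696 are placeholders.
set -u

SYSTEM="${SYSTEM:-flashsystem.example.net}"
SSH_USER="${SSH_USER:-superuser}"
PRIMARY="${PRIMARY:-gklm-primary.example.net}"
CLONES="${CLONES:-gklm-clone1.example.net gklm-clone2.example.net}"  # up to three
PORT="${PORT:-5696}"
KS_CERT="${KS_CERT:-/tmp/CASigned.crt}"

# Run one command on the system's CLI.
sys() { ssh "$SSH_USER@$SYSTEM" "$@"; }

# Print the value of one field from lsencryption output read on stdin
# (empty if the field is absent).
enc_field() {  # $1 = field name
    awk -v f="$1" '$1 == f { print $2; exit }'
}

# Poll lsencryption until keyserver_rekey equals $1; give up after $2 polls
# spaced 10 s apart. Returns 1 on timeout so the caller never commits blindly.
wait_for_rekey() {  # $1 = expected state, $2 = max polls
    n=0
    state=""
    while [ "$n" -lt "$2" ]; do
        state=$(sys lsencryption | enc_field keyserver_rekey)
        [ "$state" = "$1" ] && return 0
        n=$((n + 1))
        sleep 10
    done
    echo "keyserver_rekey never reached '$1' (last value: '$state')" >&2
    return 1
}

# Phase 1: export the system certificate so it can be added as a trusted
# client on the primary (and on each clone if replication is not automatic).
export_system_cert() {
    sys svctask chsystemcert -export
    scp "$SSH_USER@$SYSTEM:/dumps/certificate.pem" ./system-certificate.pem
    echo "Upload ./system-certificate.pem to $PRIMARY (and to each clone if not replicating)"
}

# Phase 2: run after every key server trusts the system certificate.
configure_key_servers() {
    sys chencryption -keyserver enable
    sys chkeyserverisklm -enable -sslcert "$KS_CERT"
    sys mkkeyserver -ip "$PRIMARY" -port "$PORT" -primary
    for clone in $CLONES; do
        sys mkkeyserver -ip "$clone" -port "$PORT"
    done
    sys chencryption -keyserver newkey -key prepare   # primary creates the key
    wait_for_rekey prepared 12 || return 1            # ~2 min, then abort uncommitted
    sys chencryption -keyserver newkey -key commit    # new key becomes current
}

case "${1:-}" in
    export)    export_system_cert ;;
    configure) configure_key_servers ;;
    *)         echo "usage: $0 export|configure" >&2 ;;
esac
```

Run `sh rollout.sh export`, complete the certificate upload on the key servers as the IBM Security Guardium Key Lifecycle Manager documentation describes, then run `sh rollout.sh configure`. If the prepare step never reaches prepared (for example because a clone rejects the system certificate), the script exits without committing and the system keeps its current key.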