Configuring encryption for Global Data Platform storage

You can set the encryption for the IBM Fusion local storage.

Before you begin

Prepare the IBM® Security Guardium® Key Lifecycle Manager (GKLM) server for IBM Fusion. To establish an encryption-enabled environment, see part 1 of Simplified setup: Using GKLM with a self-signed certificate.

Ensure that you go through the firewall recommendations for GKLM. See Firewall recommendations for IBM GKLM.

About this task

The IBM Storage Scale admin encrypts the remote file system. As an IBM Fusion user, you must connect to the same key management server so that the encrypted data can be accessed.

Procedure

  1. Go to the Storage > Remote file systems page in the IBM Fusion user interface to configure encryption for a remote IBM Storage Scale file system.
    For Global Data Platform local storage, go to Storage > Local storage.
  2. Click Connect in the Encryption tile.
  3. Enter the following connection details:
    Hostname
    For local storage, enter the host name of the Security Key Lifecycle Manager server to connect to.
    Backup host name
    Optionally, enter the host name of a secondary GKLM server.
    Port number (optional)
    The REST port number connects IBM Fusion to the Security Key Lifecycle Manager REST admin interface. The default port number is 9443.
    Note: The port number can depend on the Security Key Lifecycle Manager version. See Firewall recommendations for IBM GKLM.
    User name
    The administrator user name for the GKLM server. The default value is GKLMAdmin.
    Password
    The administrator password for the GKLM server.
  4. Enter the following certificate details.
    Note: TLS/KMIP certificates for secure communication on the KMIP port are required only when the key server runs with a certificate chain from a Certificate Authority (CA) rather than with a self-signed server certificate. The certificates must be formatted as PEM-encoded X.509 certificates.
    Root certificate
    The root CA certificate from the Certificate Authority.
    Endpoint certificate
    The server certificate that is signed by a CA.
    Intermediate certificate (optional)
    The intermediate CA certificates are required only when the server certificate is signed by one of them. If you have more intermediate certificates, click Add intermediate certificate to add them.
  5. For local storage, to encrypt data, select NIST SP 800-131A or NIST SP 800-131AFAST as the Encryption algorithm.
  6. For remote file systems, enter the following values for File system tenants.
    Encryption tenant ID
    Represents the keyspace that is configured on the GKLM server. All IBM Fusion systems that share or use the same encryption keys must use the same tenant ID.
    Remote key management ID
    All nodes in the IBM Fusion system must use the same RKM ID, which identifies a combination of key server, tenant, and client on the remote IBM Storage Scale cluster.

    You can add more such Encryption tenant ID and Remote key management ID pairs.

    Run the following commands on the remote IBM Storage Scale cluster to retrieve the values:
    mmkeyserv client show
    This command shows the tenant name. If the tenant name is displayed as (none), first register the client by using the mmkeyserv client register command. For more details about this command, see mmkeyserv command.
    To get the Remote key management ID, run the following command on the remote IBM Storage Scale cluster:
    mmkeyserv tenant show
  7. Click Configure.
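Before the PEM certificates from step 4 are pasted into the Root, Intermediate and Endpoint fields, it is worth confirming offline that they actually form a chain for the GKLM host name entered in step 3. The following script is an added example, not part of the IBM Fusion documentation or product; it assumes the openssl CLI is installed, and the file names (root.pem, int.pem, srv.pem), the sample host name and the generated test chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM Fusion documentation: pre-check a PEM
# certificate chain before it is pasted into the Root, Intermediate and
# Endpoint certificate fields. Needs the openssl CLI (assumption).

# check_gklm_chain ROOT.pem INTERMEDIATE.pem ENDPOINT.pem GKLM_HOSTNAME
# Returns 0 only when every file is a PEM-encoded X.509 certificate, the root
# is self-signed, the endpoint chains to the root through the intermediate,
# the endpoint matches GKLM_HOSTNAME, and it is not within 30 days of expiry.
check_gklm_chain() {
  root=$1; inter=$2; endpoint=$3; host=$4
  for f in "$root" "$inter" "$endpoint"; do
    # -inform defaults to PEM, so DER files, private keys and CSRs fail here
    openssl x509 -in "$f" -noout 2>/dev/null \
      || { echo "not a PEM X.509 certificate: $f"; return 1; }
  done
  # The Root certificate field is the trust anchor, so it must validate alone
  openssl verify -CAfile "$root" "$root" >/dev/null 2>&1 \
    || { echo "root certificate is not self-signed: $root"; return 1; }
  # The intermediate is passed as untrusted: openssl must build the path
  # endpoint -> intermediate -> root, and the SAN/CN must match the value
  # that goes into the Hostname field
  openssl verify -verify_hostname "$host" -CAfile "$root" -untrusted "$inter" \
    "$endpoint" >/dev/null 2>&1 \
    || { echo "endpoint does not chain to root or does not match $host"; return 1; }
  # Catch a certificate that is about to expire (2592000 s = 30 days)
  openssl x509 -in "$endpoint" -noout -checkend 2592000 >/dev/null \
    || { echo "endpoint certificate expires within 30 days"; return 1; }
  echo "certificate chain OK for $host"
}

# make_sample_chain DIR HOSTNAME: constructed root -> intermediate -> endpoint
# chain for trying the check offline; sample data, not real GKLM certificates.
make_sample_chain() {
  d=$1; host=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$d/srv.ext"
  for name in root int srv; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  openssl x509 -req -days 365 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/srv.pem" 2>/dev/null
}
```

Run `make_sample_chain /tmp/gklm gklm.example.com` once, then `check_gklm_chain /tmp/gklm/root.pem /tmp/gklm/int.pem /tmp/gklm/srv.pem gklm.example.com` to see a passing check; swapping the host name or passing the intermediate as the root makes it fail.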