Enabling encryption using Thales CipherTrust Manager (manual part)

Configure the Key Management Interoperability Protocol (KMIP) settings on the Thales CipherTrust Manager server.

About this task

IBM Fusion HCI System with IBM Spectrum® Storage Scale Erasure Code Edition (ECE) does not support the Thales or Vormetric CipherTrust Manager. The current encryption CR implementation in CNSA or IBM Fusion HCI System works only with IBM Security GKLM (with simplified setup).

Procedure

  1. If the KMIP client does not exist, create it.
    1. From the Thales CipherTrust Manager user interface, select Products > KMIP > Client Profile > Add Profile.
    2. Add the username location to the Common Name (CN) field during profile creation.
  2. Create a token.
    1. Go to KMIP > Registration Token > New Registration Token.
    2. Copy the token for the next step.
  3. Register the client.
    1. Go to KMIP > Registered Clients > Add Client.
    2. Specify the name.
    3. Paste the Registration Token from the previous step.
    4. Click Save.
  4. To download the Private Key and Client Certificate, click Save Private Key and Save Certificate respectively.
  5. Create a KMIP interface.
    1. Go to Admin Settings > Interfaces > Add Interface.
    2. Select KMIP Key Management Interoperability Protocol and click Next.
    3. Select an available Port.
    4. Select Network Interface as all.
    5. For Interface Mode, select the TLS mode that verifies the client certificate and takes the username from the client certificate; the auth request is optional.
    6. Select the CA to be used, and click Save.
  6. To get the server CA certificate, click the ellipsis overflow menu of the newly created interface, and then click Download Certificate.
    Whenever you configure encryption from the IBM Fusion user interface, use these downloaded files.
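
The downloaded files can be checked locally before they are used in the IBM Fusion user interface. The script below is an added example, not part of the original procedure or of IBM or Thales tooling: it uses the openssl command line to confirm that the private key matches the client certificate, that the certificate CN is the expected username, and that both certificates are readable and unexpired. The function name, the file names and the username fusion-user are assumptions; the files are assumed to be PEM and the private key unencrypted.

```shell
#!/bin/sh
# Added example (not IBM or Thales code). Assumes PEM files and an
# unencrypted private key; the function name and arguments are hypothetical.

# check_kmip_files KEY CERT CA EXPECTED_CN
# Returns 0 when every check passes, 1 otherwise (one FAIL line per problem).
check_kmip_files() {
    key=$1 cert=$2 ca=$3 want_cn=$4 rc=0

    # The private key must belong to the client certificate: the public key
    # derived from each has to be identical. An empty -passin makes an
    # encrypted key fail the check instead of prompting for a passphrase.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match client certificate"; rc=1
    fi

    # The interface takes the username from the client certificate, so the
    # subject CN must be the username the KMIP client is expected to use.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: certificate CN is '$cn', expected '$want_cn'"; rc=1
    fi

    # Both certificates must parse as PEM and not be past their notAfter date.
    for f in "$cert" "$ca"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: $f is unreadable or expired"; rc=1
        fi
    done
    return "$rc"
}

# Run the check when called with four arguments, for example:
#   sh check_kmip_files.sh client.key client.crt server-ca.crt fusion-user
if [ "$#" -eq 4 ]; then
    check_kmip_files "$@"
fi
```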