Storage hardware encryption prerequisites
The following prerequisites must be met to successfully set up and enable hardware key encryption on IBM Integrated Analytics System.
- About the IBM® Security Key Lifecycle Manager support:
In this configuration, key generation and management use the KMIP protocol between the appliance flash storage devices and ISKLM. The ISKLM server can't be used to automatically create and rotate the encryption on a scheduled basis. You must have an ISKLM server already set up and running in your environment.
ISKLM administrator assistance might be required to add the IIAS appliance storage devices as a client of the ISKLM server, update the device group, transfer the certificates and get the KMIP port information. The IIAS documentation doesn't provide instructions for setting up and activating ISKLM in your environment.
You can set up a clone SKLM server as a replica of the primary (master) SKLM server to keep a backup of the key.
Note: It is recommended to have a clone SKLM server and its encryption connection added to ensure that the encryption key is backed up in case the primary (master) SKLM server goes down because of an unknown technical issue.
- The location used for the storage device certificates and the ISKLM certificates is temporary. You should remove the certificates from the temporary location once encryption has been enabled.
- You should not enable encryption of the clone server until you have enabled encryption on the primary (master) server, and the primary key has been copied to the clone server through the scheduled replication process.
- Enabling encryption with the clone server will fail if the primary encryption key isn’t replicated to the clone SKLM server first. You should wait until replication of the primary key connection server to the clone server is complete before enabling encryption.
- You should wait at least 5 minutes after the replication process completes before enabling encryption with the clone SKLM server.
- ISKLM version required: 3.0.0. Note: Support for ISKLM version 3.0.0 has ended. For assistance, contact IBM support.
- IIAS software requirements: Version 1.0.25.0.
- Firmware version required:
  - FSN (Maverick) - 1.6.1.2-515.154 and beyond
  - FSN (Texan) - 1.6.1.2-515.154 and beyond
  - DSN - 8.2.1.6 and beyond
- Hardware encryption is only supported on compute-only systems.
- The apesklm utility must be installed on all the nodes of Rack1.
- System state before starting the process to enable hardware encryption:
  - All flash devices should be reachable to all the nodes from Rack1 of the appliance.
  - The master node needs to be online in Rack1 of the appliance.
  - All the nodes from Rack1 of the appliance must have an external IP set up. You can use the apsetup command to set up an external IP.
  - All the nodes from Rack1 of the appliance need to be reachable to the SKLM server.
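
A pre-flight check for the firmware minimums and the clone-server ordering listed above, as an added example (not IBM's code and not part of the apesklm utility). The device names, the inventory tuples and how the versions and replication time are collected are assumptions, and reading "and beyond" as a numeric comparison of the dotted fields is this example's interpretation.

```python
import re
from datetime import datetime, timedelta

# Firmware minimums copied from the list above ("and beyond" = this or later).
MINIMUMS = {"fsn": "1.6.1.2-515.154", "dsn": "8.2.1.6"}
SETTLE = timedelta(minutes=5)  # wait after replication before using the clone

def parse_version(text):
    """Split on '.' and '-' into an integer tuple so 515.99 < 515.154."""
    parts = re.split(r"[.-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in parts)

def meets_minimum(found, minimum):
    return parse_version(found) >= parse_version(minimum)

def preflight(devices, use_clone, primary_encrypted, replicated_at, now):
    """Return a list of blockers; an empty list means the checks passed."""
    problems = []
    for name, kind, version in devices:
        try:
            ok = meets_minimum(version, MINIMUMS[kind])
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: cannot evaluate firmware ({exc})")
            continue
        if not ok:
            problems.append(f"{name}: {kind} {version} is below {MINIMUMS[kind]}")
    if use_clone:
        if not primary_encrypted:
            problems.append("clone: enable encryption on the primary first")
        elif replicated_at is None:
            problems.append("clone: primary key not yet replicated")
        elif now - replicated_at < SETTLE:
            problems.append("clone: less than 5 minutes since replication")
    return problems

if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are made up.
    now = datetime(2024, 1, 1, 12, 0)
    devices = [("flash-a", "fsn", "1.6.1.2-515.99"),
               ("flash-b", "fsn", "1.6.1.2-515.154"),
               ("dsn-a", "dsn", "8.10.0.0")]
    for line in preflight(devices, True, True, now - timedelta(minutes=2), now):
        print("BLOCKER:", line)
```

A plain string comparison would accept 515.99 and reject 8.10.0.0, which is why the fields are compared as integers.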