To use the apesklm command in IIAS version 1.0.14.0 to enable encryption for a
supplied storage type or device, follow these steps.
Before you begin
- Ensure that all the nodes of Rack1 have the apsecurity-1.0.14.0.xxxxx package installed. Run:
[apuser@node0101]$ rpm -qa | grep aps
apsecurity-1.0.14.0-20181126185627.noarch
- Log in to the appliance by using an ibmapadmin group user, such as apuser.
- Identify the master node by running the ap node command.
Sample output:
[apuser@node0101]$ ap node
+-----------------+----------+-----------+-----------+
| Node            | State    | Monitored | Is Master |
+-----------------+----------+-----------+-----------+
| hadomain1.node1 | ENABLED  | YES       | YES       |
| hadomain1.node2 | ENABLED  | YES       | NO        |
| hadomain1.node3 | ENABLED  | YES       | NO        |
+-----------------+----------+-----------+-----------+
Generated: 2018-11-28 11:25:49
- Log in to the master node as apuser or another user from the ibmapadmin group.
Procedure
-
Add the SKLM servers by using the apesklm add-sklm command. A primary SKLM server is
required; a clone server is also required so that key backup operations can succeed. For more
information, see Storage hardware encryption prerequisites.
Example usage:
[apuser@node0101Proxy_Socket]$ apesklm add-sklm -i w.x.y.z -p #### -t primary
Added sklmip :w.x.y.z port :#### type:primary to sklmconf successfully
[apuser@node0101Proxy_Socket]$ apesklm add-sklm -i a.b.c.d -p #### -t clone
Added sklmip :a.b.c.d port :#### type:clone to sklmconf successfully
You can also view the SKLM host, port and type by running apesklm info-sklm:
[apuser@node0101Proxy_Socket]$ apesklm info-sklm
SKLM HOST  Port   Type
w.x.y.z    :####  :primary
a.b.c.d    :####  :clone
-
Important: This step needs to be executed with SKLM Admin assistance.
Import the SKLM server certificate by using the scp command.
-
Create a folder on the master node to hold the certificates (the examples below use /tmp/fsntest/).
-
Copy the SKLM server certificate to the master node by using scp or an equivalent tool:
scp sklmuser@sklmserver:<export path>/<server certificate> <local folder>
Example usage:
scp root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/server_cert.cer /tmp/fsntest/
Warning: Permanently added 'e.f.g.h' (ECDSA) to the list of known hosts.
root@e.f.g.h's password:
The known_hosts warning means that the SSH host key of the SKLM server was accepted on first
connection. Confirm its fingerprint with the SKLM administrator so that the certificate is
fetched from the genuine key server and not from an impostor.
-
Run the apesklm export-cert command to export the certificates of the FSNs to the head node,
into the same folder:
[apuser@node0101]$ apesklm export-cert -s fsn -l /tmp/fsntest/
Copied fsn certificates to /tmp/fsntest/ successfully
[apuser@node0101]$ ll /tmp/fsntest/
total 12
-rw-r--r--. 1 root root 1379 Nov 26 15:57 fsn0101_certficate.pem
-rw-r--r--. 1 root root 1379 Nov 26 15:57 fsn0104_certficate.pem
-rw-r--r--. 1 apuser ibmapadmin 1044 Nov 21 14:58 server_cert.cer
[apuser@node0101]$
The folder now holds one PEM certificate per FSN plus the server_cert.cer copied in the previous step.
-
Important: This step needs to be executed with SKLM Admin assistance.
Upload each of the FSN certificates to the primary SKLM server by using scp or an equivalent tool:
scp <local folder with certificates>/* sklmuser@primarysklmserver:<export path>
Example usage:
[apuser@node0101]$ scp /tmp/fsntest/* root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/
root@e.f.g.h's password:
fsn0101_certficate.pem                        100% 1379  18.2KB/s  00:00
fsn0104_certficate.pem                        100% 1379  18.2KB/s  00:00
server_cert.cer                               100% 1044  14.0KB/s  00:00
[apuser@node0101]$
Note that the wildcard also copies server_cert.cer back to the SKLM server; only the FSN
certificates are needed there.
-
Important: This step needs to be executed with SKLM Admin assistance.
Add the FSN certificates to the appropriate device group on the primary SKLM server by using the IBM® SKLM GUI.
Note: The default device group for FlashSystem 900 is FLASHSYSTEM, and it must exist on the
primary (master) SKLM server as a device group of type GPFS.
-
Enable encryption for all FSN devices of the appliance with the primary (master) SKLM server by running
the following command:
apesklm enable -s fsn -t primary -n <connection_name> -c <sklm_cert> -g <device_groupname> -a yes
Example usage:
[apuser@node0102]$ apesklm enable -s fsn -t primary -n sklm1 -c /tmp/fsntest/server_cert.cer -g FLASHSYSTEM -a yes
Enabled encryption successfully
Note that you can enable encryption for a specific FSN device by supplying the device host name with
the -d option and setting -a no (which is the same as --alldevices no).
-
Display the encryption key server status:
[apuser@node0101]$ apesklm status -s fsn -a yes
RACK  FSN      ID  NAME   STATUS  TYPE   PRI  CERT
1     fsn0101  0   sklm1  online  isklm  yes  yes
2     fsn0104  0   sklm1  online  isklm  yes  yes
[apuser@node0101]$
If the key servers are listed and online for every FSN, the FSNs are connected to the servers and
retrieve their keys from them. Any FSN whose STATUS is not online has not established a working
connection to its key server and must be investigated before the array is relied on.
-
Display the array encryption status for each FSN with the ap hw <fsn> -d command. The
hardware_encryption field reports whether array encryption is active on that FSN.
Sample output:
[apuser@node0101 ~]$ ap hw hadomain1.fsn1 -d
Type : fsn
Location : hadomain1.fsn1
Status : OK
creator_id : fsn@hw://hadomain1.fsn1
model : 9840-AE2
serial : 77E00S
type_desc : Flash Storage Node
version : 1.5.2.1
build : 126.1.1809162054000.468.028
hardware_encryption: no
partnum : 00DH521
position : U-8
update_status : success
Generated: 2018-12-17 15:37:05
[apuser@node0101 ~]$
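The procedure above ends with two human-read tables: the `ap node` table that identifies the master node, and the `apesklm status` table that shows whether each FSN is online against its key server with a registered certificate. The following script is an added example, not part of the IBM documentation or the apesklm tool; it parses copies of exactly those two output formats so the checks can be scripted (for a post-change verification job, for instance). The tables embedded in it are constructed from the sample output shown on this page; on a live appliance you would pipe the real command output into the two functions instead. The `offline`/`no` values in the failure sample are assumed to be the values the tool prints in that case.

```shell
#!/bin/sh
# Added example (not IBM code): scripted checks for the apesklm procedure.
# Usage on a live appliance (commands from the procedure above):
#   ap node | find_master
#   apesklm status -s fsn -a yes | check_fsn_status

# Constructed sample: output of `ap node` as shown in the procedure.
AP_NODE_SAMPLE='+-----------------+----------+-----------+-----------+
| Node            | State    | Monitored | Is Master |
+-----------------+----------+-----------+-----------+
| hadomain1.node1 | ENABLED  | YES       | YES       |
| hadomain1.node2 | ENABLED  | YES       | NO        |
| hadomain1.node3 | ENABLED  | YES       | NO        |
+-----------------+----------+-----------+-----------+
Generated: 2018-11-28 11:25:49'

# Constructed sample: output of `apesklm status -s fsn -a yes` (healthy).
STATUS_OK='RACK FSN     ID NAME  STATUS TYPE  PRI CERT
1    fsn0101 0  sklm1 online isklm yes yes
2    fsn0104 0  sklm1 online isklm yes yes'

# Constructed failure case: second FSN cannot reach its key server and has
# no registered certificate (the literal values are an assumption).
STATUS_BAD='RACK FSN     ID NAME  STATUS  TYPE  PRI CERT
1    fsn0101 0  sklm1 online  isklm yes yes
2    fsn0104 0  sklm1 offline isklm yes no'

# find_master: read `ap node` output on stdin and print the node whose
# "Is Master" column is YES. Exit 1 if no master is listed, so a caller
# does not silently continue on the wrong node.
find_master() {
  awk -F'|' '
    NF >= 6 && $2 !~ /Node/ {
      gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim the Node cell
      gsub(/[ \t]/, "", $5)             # trim the Is Master cell
      if ($5 == "YES") { print $2; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# check_fsn_status: read `apesklm status -s fsn -a yes` output on stdin.
# Every FSN must be online, against the primary server, with its
# certificate registered. Prints one line per failing FSN and exits 1
# if any FSN fails; exits 0 when all pass.
check_fsn_status() {
  awk '
    NR == 1 { next }                       # header row
    NF < 8  { next }                       # blank or prompt lines
    {
      bad = ""
      if ($5 != "online") bad = bad " status=" $5
      if ($7 != "yes")    bad = bad " primary=" $7
      if ($8 != "yes")    bad = bad " cert=" $8
      if (bad != "") { printf "%s:%s\n", $2, bad; fail = 1 }
    }
    END { exit fail ? 1 : 0 }'
}

# Stand-alone demonstration over the constructed samples.
main() {
  master=$(printf '%s\n' "$AP_NODE_SAMPLE" | find_master) \
    || { echo "no master node found"; return 1; }
  echo "master node: $master"
  printf '%s\n' "$STATUS_OK" | check_fsn_status \
    && echo "healthy sample: all FSNs online with keys"
  printf '%s\n' "$STATUS_BAD" | check_fsn_status \
    || echo "failure sample: key server check FAILED (see lines above)"
  return 0
}

main "$@"
```

Run the two functions on the master node after step 7; a non-zero exit from check_fsn_status, together with the printed FSN name and the failing column, tells you which array to look at before trusting that its keys are served.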