Enabling storage hardware encryption with apesklm in IIAS 1.0.14.0

To use the apesklm command in IIAS version 1.0.14.0 to enable encryption for a supplied storage type or device, follow these steps.

Before you begin

  1. Ensure that all the nodes of Rack1 have the apsecurity-1.0.14.0.xxxxx package installed. Run:
    [apuser@node0101]$ rpm -qa | grep aps
    apsecurity-1.0.14.0-20181126185627.noarch
  2. Log in to the appliance by using an ibmapadmin group user, such as apuser.
  3. Identify the master node by running the ap node command.
    Sample output:
    [apuser@node0101]$ ap node
    +-----------------+----------+-----------+-----------+
    | Node            |    State | Monitored | Is Master |
    +-----------------+----------+-----------+-----------+
    | hadomain1.node1 |  ENABLED |       YES |        YES|
    | hadomain1.node2 |  ENABLED |       YES |         NO|
    | hadomain1.node3 |  ENABLED |       YES |         NO|
    +-----------------+----------+-----------+-----------+
    Generated: 2018-11-28 11:25:49
  4. Log in to the master node as apuser or other user from the ibmapadmin group.

Procedure

  1. Add the SKLM servers by using the apesklm add-sklm command. A primary SKLM server is required; to support key backup operations, a clone server is also required. For more information, see Storage hardware encryption prerequisites.

    Example usage:

    [apuser@node0101Proxy_Socket]$ apesklm add-sklm -i w.x.y.z -p #### -t primary
    Added sklmip :w.x.y.z port :#### type:primary to sklmconf successfully
    [apuser@node0101Proxy_Socket]$ apesklm add-sklm -i a.b.c.d -p #### -t clone
    Added sklmip :a.b.c.d port :#### type:clone to sklmconf successfully
    You can also view the SKLM host, port and type by running apesklm info-sklm:
    [apuser@node0101Proxy_Socket]$ apesklm info-sklm
    SKLM HOST       Port    Type
    w.x.y.z        :####   :primary
    a.b.c.d        :####   :clone  
  2. Important: This step needs to be executed with SKLM Admin assistance.
    Import the SKLM server certificate by using the scp command.
    1. Create a folder to manage certificates:
      mkdir /tmp/fsntest/
    2. Copy the SKLM server certificate to the master node by using scp or an equivalent tool: scp sklmuser@sklmserver:<export path>/<server certificate> <local folder>. On the first connection, scp prints "Warning: Permanently added ... to the list of known hosts", which means the SKLM server's SSH host key was accepted without verification; confirm the host key fingerprint with the SKLM administrator before accepting it, and confirm the fingerprint of the copied certificate file the same way before using it in apesklm enable.

      Example usage:

      scp root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/server_cert.cer /tmp/fsntest/
      Warning: Permanently added 'e.f.g.h' (ECDSA) to the list of known hosts.
      root@e.f.g.h's password:
  3. Run the apesklm export-cert command to export certificates to the head node from FSNs:
    [apuser@node0101]$ apesklm export-cert -s fsn -l /tmp/fsntest/
    Copied fsn certificates to /tmp/fsntest/ successfully
    [apuser@node0101]$ ll /tmp/fsntest/
    total 12
    -rw-r--r--. 1 root   root       1379 Nov 26 15:57 fsn0101_certficate.pem
    -rw-r--r--. 1 root   root       1379 Nov 26 15:57 fsn0104_certficate.pem
    -rw-r--r--. 1 apuser ibmapadmin 1044 Nov 21 14:58 server_cert.cer
    [apuser@node0101]$ 
  4. Important: This step needs to be executed with SKLM Admin assistance.
    Upload each of the FSN certificates to the primary SKLM server by using scp or an equivalent tool: scp <local folder with certificates> sklmuser@primarysklmserver:<export path>
    [apuser@node0101]$ scp /tmp/fsntest/* root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/
    root@e.f.g.h's password:
    fsn0101_certficate.pem       100% 1379    18.2KB/s   00:00
    fsn0104_certficate.pem       100% 1379    18.2KB/s   00:00
    server_cert.cer              100% 1044    14.0KB/s   00:00
    [apuser@node0101]$
    The wildcard also copies server_cert.cer back to the SKLM server, which is harmless; to upload only the FSN certificates, use /tmp/fsntest/fsn*_certficate.pem instead.
  5. Important: This step needs to be executed with help from the SKLM Admin.
    Add each FSN certificate to the appropriate device group on the primary SKLM server by using the IBM® SKLM GUI.
    Note: The default device group for FlashSystem 900 is FLASHSYSTEM; it must exist on the primary (master) SKLM server with the GPFS device type.
  6. Enable encryption for all FSN devices of appliance with primary (master) SKLM server by running the following command:
    apesklm enable -s fsn -t primary -n <connection_name> -c <sklm_cert> -g <device_groupname> -a yes
    Example usage:
    [apuser@node0102]$ apesklm enable -s fsn -t primary -n sklm1 -c /tmp/fsntest/server_cert.cer -g FLASHSYSTEM -a yes
    Enabled encryption successfully 
    To enable encryption for a single FSN device instead, supply its host name with the -d option and pass -a no (the same as --alldevices no).
  7. Display the encryption key server status by using:
    [apuser@node0101]$ apesklm status -s fsn -a yes
    RACK      FSN       ID        NAME      STATUS    TYPE      PRI       CERT      
    1         fsn0101   0         sklm1     online    isklm     yes       yes       
    2         fsn0104   0         sklm1     online    isklm     yes       yes       
    [apuser@node0101]$ 
    If every key server is listed with STATUS online and CERT yes, each FSN has a working connection to the key servers and its certificate is in place.
    For more information on the apesklm command and its options, see IIAS 1.0.14.0 apesklm command.
  8. Display the array encryption status for each FSN with the ap hw <fsn> -d command; the hardware_encryption field shows whether array encryption is enabled on that FSN.
    Sample output:
    [apuser@node0101 ~]$ ap hw hadomain1.fsn1  -d
    
        Type               : fsn
        Location           : hadomain1.fsn1
        Status             : OK
        creator_id         : fsn@hw://hadomain1.fsn1
        model              : 9840-AE2
        serial             : 77E00S
        type_desc          : Flash Storage Node
        version            : 1.5.2.1
        build              : 126.1.1809162054000.468.028
        hardware_encryption: no
        partnum            : 00DH521
        position           : U-8
        update_status      : success
    
    Generated: 2018-12-17 15:37:05
    
    [apuser@node0101 ~]$
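The procedure above ends with three outputs an operator has to read by eye: the master node from ap node, the key-server table from apesklm status, and the hardware_encryption field from ap hw. The following shell script is an added example, not part of the IIAS documentation or of the apesklm tool: it parses those three output formats as they appear on this page so the checks can be scripted, and it adds a certificate fingerprint helper for the out-of-band comparison with the SKLM administrator. The sample outputs embedded in it are constructed for offline runs (the second status table deliberately shows an FSN that is offline and without a certificate); on a real appliance, pipe the live command output into the same functions. The function names and the assumption that the column layout matches the page's samples are this example's own.

```shell
#!/bin/sh
# Added example (not part of the IIAS documentation or the apesklm tool):
# small checks for the procedure above, built on the output formats the page
# shows for `ap node`, `apesklm status -s fsn -a yes` and `ap hw <fsn> -d`.
# The sample outputs below are constructed for offline runs; on a real
# appliance, pipe the live command output into the same functions.

# Print the node whose "Is Master" column is YES in `ap node` output (stdin).
find_master() {
    awk -F'|' '
        /^\|/ && $2 !~ /Node/ {
            gsub(/ /, "", $2); gsub(/ /, "", $5)
            if ($5 == "YES") { print $2; exit }
        }'
}

# Exit 0 only if every row of `apesklm status` output (stdin) shows the key
# server online (STATUS) and the FSN certificate present (CERT); otherwise
# print each row that is not ready and exit 1.
check_key_servers() {
    awk '
        $1 == "RACK" { next }                   # column header
        NF == 0 || $1 ~ /^\[/ { next }          # blank line or shell prompt
        $5 != "online" || $8 != "yes" { bad++; print "NOT READY: " $0 }
        END { exit (bad > 0) }'
}

# Print the hardware_encryption value from `ap hw <fsn> -d` output (stdin).
hw_encryption_state() {
    awk -F':' '$1 ~ /hardware_encryption/ { gsub(/ /, "", $2); print $2; exit }'
}

# SHA-256 fingerprint of the SKLM server certificate, to compare out of band
# with the SKLM administrator before passing the file to `apesklm enable -c`.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# ---- constructed sample outputs (same layout as the page's examples) ----
AP_NODE_SAMPLE='+-----------------+----------+-----------+-----------+
| Node            |    State | Monitored | Is Master |
+-----------------+----------+-----------+-----------+
| hadomain1.node1 |  ENABLED |       YES |        YES|
| hadomain1.node2 |  ENABLED |       YES |         NO|
| hadomain1.node3 |  ENABLED |       YES |         NO|
+-----------------+----------+-----------+-----------+
Generated: 2018-11-28 11:25:49'

STATUS_OK_SAMPLE='RACK      FSN       ID        NAME      STATUS    TYPE      PRI       CERT
1         fsn0101   0         sklm1     online    isklm     yes       yes
2         fsn0104   0         sklm1     online    isklm     yes       yes'

# Failure case: one FSN cannot reach the key server and has no certificate.
STATUS_BAD_SAMPLE='RACK      FSN       ID        NAME      STATUS    TYPE      PRI       CERT
1         fsn0101   0         sklm1     online    isklm     yes       yes
2         fsn0104   0         sklm1     offline   isklm     yes       no'

HW_SAMPLE='    Type               : fsn
    Location           : hadomain1.fsn1
    Status             : OK
    hardware_encryption: no
    update_status      : success'

# ---- demo run against the samples ----
printf 'master node: %s\n' "$(printf '%s\n' "$AP_NODE_SAMPLE" | find_master)"
if printf '%s\n' "$STATUS_BAD_SAMPLE" | check_key_servers; then
    echo "key servers: all FSNs online with certificates"
else
    echo "key servers: do not continue until every FSN is online with CERT yes"
fi
printf 'hardware_encryption: %s\n' "$(printf '%s\n' "$HW_SAMPLE" | hw_encryption_state)"
```

On the appliance, the same functions take the live output directly, for example ap node | find_master, or apesklm status -s fsn -a yes | check_key_servers as a gate before step 8; cert_fingerprint /tmp/fsntest/server_cert.cer gives the value to read back to the SKLM administrator in step 2.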