Starting from IIAS version 1.0.15.0, use the apesklm command to enable encryption for a supplied storage type or device by following these steps.
Before you begin
- On non-tiered flash-based appliances, ensure that all nodes of Rack1 have at least package version apsecurity-1.0.15.0.xxxxx installed. Run:
[apuser@node0101 ~]$ rpm -qi apsecurity
apsecurity-1.0.15.0-20190122002611b3.noarch
[apuser@node0101 ~]$
- Log in to the appliance by using an ibmapadmin group user, such as apuser or puffin.
- Identify the master node by running the ap node command. Sample output:
[apuser@node0101]$ ap node
+-----------------+----------+-----------+-----------+
| Node            | State    | Monitored | Is Master |
+-----------------+----------+-----------+-----------+
| hadomain1.node1 | ENABLED  | YES       | YES       |
| hadomain1.node2 | ENABLED  | YES       | NO        |
| hadomain1.node3 | ENABLED  | YES       | NO        |
+-----------------+----------+-----------+-----------+
Generated: 2018-11-28 11:25:49
- Log in to the master node as apuser or another user from the ibmapadmin group.
Procedure
- Add the SKLM server by using the apesklm add-sklm command. You must have the SKLM primary server. To ensure key backup operations, a clone server is also required. For more information, see Storage hardware encryption prerequisites.
Example usage:
[apuser@node0101 Proxy_Socket]$ apesklm add-sklm -i w.x.y.z -p #### -t primary
Added sklmip :w.x.y.z port :#### type:primary to sklmconf successfully
[apuser@node0101 Proxy_Socket]$ apesklm add-sklm -i a.b.c.d -p #### -t clone
Added sklmip :a.b.c.d port :#### type:clone to sklmconf successfully
You can also view the SKLM host, port and type by running apesklm info-sklm:
[apuser@node0101 Proxy_Socket]$ apesklm info-sklm
SKLM HOST Port Type
w.x.y.z :#### :primary
a.b.c.d :#### :clone
- Important: This step needs to be executed with SKLM Admin assistance.
Import the SKLM server certificate by using the scp command.
- Create a folder to manage certificates, such as the /tmp/certs folder used in the examples that follow.
- Copy the SKLM server certificate to the master node by using scp or an equivalent command: scp sklmuser@sklmserver:<Export path>/<server certificate> <Local folder>.
Example usage:
scp root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/server_cert.cer /tmp/certs/
Warning: Permanently added 'e.f.g.h' (ECDSA) to the list of known hosts.
root@e.f.g.h's password:
- Run the apesklm export-cert command to export the certificates from the FSNs to the head node:
[apuser@node0101 ~]$ mkdir /tmp/certs
[apuser@node0101 ~]$ apesklm export-cert -l /tmp/certs
Copied fsn certficates to /tmp/certs successfully
[apuser@node0101 ~]$ ll /tmp/certs
total 16
-rw-r--r--. 1 root root 1379 Jan 22 10:46 fsn0101_certficate.pem
-rw-r--r--. 1 root root 1379 Jan 22 10:46 fsn0104_certficate.pem
[apuser@node0101 ~]$
Important: Rename all the FSN certificates ending with certificate.pem by prefixing them with the appliance host name, for example sf58_fsn0101_certificate.pem, before copying them to the SKLM server and registering them under the devices group there.
- Important: This step needs to be executed with SKLM Admin assistance.
Upload each of the FSN certificates to SKLM by using scp or an equivalent command: scp <Local folder with certificates> sklmuser@primarysklmserver:<export path>:
[apuser@node0101]$ scp /tmp/certs/*.pem root@9.30.220.247:/opt/IBM/WebSphere/AppServer/products/sklm/data/
Warning: Permanently added '9.30.220.247' (ECDSA) to the list of known hosts.
root@9.30.220.247's password:
Permission denied, please try again.
root@9.30.220.247's password:
sf58_fsn0101_certficate.pem                   100% 1379    18.1KB/s   00:00
sf58_fsn0104_certficate.pem                   100% 1379    15.4KB/s   00:00
- Important: This step needs to be executed with help from the SKLM Admin.
Add the FSN certificates to the appropriate device group on the primary SKLM server by using the IBM® SKLM GUI.
Note: The device group name should preferably be created from the appliance host name, such as SAIL73 or SAIL77, and it must exist on the primary (master) SKLM with the GPFS type.
- Enable encryption for all FSN devices of the appliance with the primary (master) SKLM server by running the following command:
apesklm enable -t primary -n <connection_name> -c <sklm_cert> -g <device_groupname> -a yes
Note: The -a yes option attempts to enable encryption for all storage devices irrespective of the storage type given with -s. If you want to enable encryption for a specific storage device, set -a to no. When -a yes is given, the -s and -d options should not be supplied.
Example usage:
[apuser@node0101 ~]$ apesklm enable -a yes -n sklm1 -t primary -c /tmp/cert/server_cert.cer -g SAIL58
***Warning : 1. Enabling encryption key management with the primary sklm for storage device(s)
2. Clone sklm operations are recommended to add
3. User is recommended to maintain the primary sklm on working state
Do you want to continue to enable encryption key management with primary ...? (Yes/No) Yes
Enabled encryption for fsn device(s) successfully
[apuser@node0101 ~]$
Note that you can enable the encryption key for a specific FSN/DSN device by supplying the device host name with the -d option, the storage type with the -s option, and the value no for the -a parameter (which is the same as --alldevices no). This method is applied only during troubleshooting operations.
- Display the encryption key server/array status by using:
[apuser@node0101]$ apesklm status
RACK  FSN      ID  NAME   STATUS  TYPE   PRI  CERT  ENCRYPTED_ARRAY
1     fsn0101  0   sklm1  online  isklm  yes  yes   yes
2     fsn0104  0   sklm1  online  isklm  yes  yes   yes
[apuser@node0101]$
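The certificate staging steps above (renaming the exported FSN certificates with the appliance host name, then uploading them with scp) can be made less error-prone with a small helper. This is an added example, not part of the IBM documentation or the apesklm tool; the export folder /tmp/certs, the staging folder /tmp/certs_staged and the sf58 prefix are assumptions. Because the upload in the page uses a *.pem glob, the helper refuses to stage anything that is not a single public certificate, so a stray private key left in the export folder cannot be shipped to the key server.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): stage the FSN certificates
# written by `apesklm export-cert -l <dir>` for upload to the SKLM server.
# Assumptions: export dir /tmp/certs, host prefix sf58, staging dir /tmp/certs_staged.

# Return 0 only if $1 holds exactly one PEM certificate and no private key.
is_single_cert() {
    f=$1
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# stage_fsn_certs <export_dir> <host_prefix> <staging_dir>
# Copies each fsn*.pem into <staging_dir> as <host_prefix>_<original name>,
# e.g. fsn0101_certficate.pem -> sf58_fsn0101_certficate.pem, and prints the
# number of files staged. Returns 1 if any file is not a lone certificate,
# if a target name already exists, or if nothing was found.
stage_fsn_certs() {
    src=$1; prefix=$2; dst=$3
    mkdir -p "$dst" || return 1
    n=0
    for f in "$src"/fsn*.pem; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if ! is_single_cert "$f"; then
            echo "refusing $base: not a single public certificate" >&2
            return 1
        fi
        target="$dst/${prefix}_${base}"
        # never overwrite a certificate already staged for another node
        if [ -e "$target" ]; then
            echo "already staged: $target" >&2
            return 1
        fi
        cp "$f" "$target" || return 1
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no fsn*.pem files found in $src" >&2
        return 1
    fi
    echo "$n"
}

# Typical use on the master node, then upload only the staged directory:
#   stage_fsn_certs /tmp/certs sf58 /tmp/certs_staged && \
#     scp /tmp/certs_staged/*.pem sklmuser@primarysklmserver:/exportpath
```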