Enabling storage hardware encryption with apesklm in IIAS 1.0.15.0 and later

Starting with IIAS version 1.0.15.0, follow these steps to enable encryption for a supplied storage type or device by using the apesklm command.

Before you begin

  1. On non-tiered, flash-based appliances, ensure that every node in Rack1 has apsecurity version 1.0.15.0 or later installed (package apsecurity-1.0.15.0.xxxxx). Run:
    [apuser@node0101 ~]$ rpm -qi apsecurity
    apsecurity-1.0.15.0-20190122002611b3.noarch
    [apuser@node0101 ~]$
  2. Log in to the appliance as a user in the ibmapadmin group, such as apuser or puffin.
  3. Identify the master node by running the ap node command.
    Sample output:
    [apuser@node0101]$ ap node
    +-----------------+----------+-----------+-----------+
    | Node            |    State | Monitored | Is Master |
    +-----------------+----------+-----------+-----------+
    | hadomain1.node1 |  ENABLED |       YES |        YES|
    | hadomain1.node2 |  ENABLED |       YES |         NO|
    | hadomain1.node3 |  ENABLED |       YES |         NO|
    +-----------------+----------+-----------+-----------+
    Generated: 2018-11-28 11:25:49
  4. Log in to the master node as apuser or other user from the ibmapadmin group.

Procedure

  1. Add the SKLM servers by using the apesklm add-sklm command. The primary SKLM server is required. A clone SKLM server is also required so that key backup operations work. For more information, see Storage hardware encryption prerequisites.

    Example usage:

    [apuser@node0101 Proxy_Socket]$ apesklm add-sklm -i w.x.y.z -p #### -t primary
    Added sklmip :w.x.y.z port :#### type:primary to sklmconf successfully
    [apuser@node0101 Proxy_Socket]$ apesklm add-sklm -i a.b.c.d -p #### -t clone
    Added sklmip :a.b.c.d port :#### type:clone to sklmconf successfully
    You can also view the SKLM host, port and type by running apesklm info-sklm:
    [apuser@node0101 Proxy_Socket]$ apesklm info-sklm
    SKLM HOST       Port    Type
    w.x.y.z        :####   :primary
    a.b.c.d        :####   :clone  
  2. Important: Perform this step with the assistance of the SKLM administrator.
    Copy the SKLM server certificate to the master node by using the scp command.
    1. Create a folder to hold the certificates:
      mkdir /tmp/certs/
    2. Copy the SKLM server certificate to the master node by using scp or an equivalent tool: scp sklmuser@sklmserver:<export path>/<server certificate> <local folder>

      Example usage:

      scp root@e.f.g.h:/opt/IBM/WebSphere/AppServer/products/sklm/data/server_cert.cer /tmp/certs/
      Warning: Permanently added 'e.f.g.h' (ECDSA) to the list of known hosts.
      root@e.f.g.h's password:
      Note: The "Permanently added ... to the list of known hosts" warning means that the SSH host key of the SKLM server was accepted on first use. Confirm the host key fingerprint with the SKLM administrator before you enter the password, so that the certificate is fetched from the correct server.
  3. Run the apesklm export-cert command to export the FSN certificates to the master node:
    [apuser@node0101 ~]$ mkdir -p /tmp/certs
    [apuser@node0101 ~]$ apesklm export-cert -l /tmp/certs
    Copied  fsn certficates to /tmp/certs successfully
    [apuser@node0101 ~]$ ll /tmp/certs
    total 16
    -rw-r--r--. 1 root root 1379 Jan 22 10:46 fsn0101_certficate.pem
    -rw-r--r--. 1 root root 1379 Jan 22 10:46 fsn0104_certficate.pem
    [apuser@node0101 ~]$
    Important: Before you copy the FSN certificates to the SKLM server and register them in the device group, rename every file that ends with certificate.pem by prefixing it with the appliance host name, for example sf58_fsn0101_certificate.pem, so that certificates from different appliances remain distinguishable on the SKLM server.
  4. Important: Perform this step with the assistance of the SKLM administrator.
    Upload the renamed FSN certificates to the primary SKLM server by using scp or an equivalent tool: scp <local folder with certificates>/*.pem sklmuser@primarysklmserver:<export path>
    [apuser@node0101]$ scp /tmp/certs/*.pem root@9.30.220.247:/opt/IBM/WebSphere/AppServer/products/sklm/data/
    Warning: Permanently added '9.30.220.247' (ECDSA) to the list of known hosts.
    root@9.30.220.247's password:
    sf58_fsn0101_certficate.pem    100% 1379    18.1KB/s   00:00
    sf58_fsn0104_certficate.pem    100% 1379    15.4KB/s   00:00
  5. Important: Perform this step with the assistance of the SKLM administrator.
    Add the FSN certificates to the appropriate device group on the primary SKLM server by using the IBM® SKLM GUI.
    Note: Create the device group on the primary (master) SKLM server with device type GPFS. Preferably, name it after the appliance host name, for example SAIL73 or SAIL77.
  6. Enable encryption for all FSN devices of the appliance with the primary (master) SKLM server by running the following command:
    apesklm enable -t primary -n <connection_name> -c <sklm_cert> -g <device_groupname> -a yes
    Note: The -a yes option enables encryption for all storage devices regardless of storage type, so the -s (storage type) and -d (device) options must not be supplied with it. To enable encryption for a specific storage device, use -a no together with -s and -d.
    Example usage:
    [apuser@node0101 ~]$ apesklm enable -a yes -n sklm1 -t primary -c /tmp/certs/server_cert.cer -g SAIL58
    ***Warning : 1. Enabling encryption key management with the primary sklm for storage device(s)
    2. Clone sklm operations are recommended to add
    3. User is recommended to maintain the primary sklm on working state
    Do you want to continue to enable encryption key management with primary ...? (Yes/No) Yes
    Enabled encryption for   fsn device(s) successfully
    [apuser@node0101 ~]$
    Note: You can enable encryption for a specific FSN or DSN device by supplying the device host name with -d, the storage type with -s, and -a no (the same as --alldevices no). Use this per-device method only for troubleshooting.
  7. Display the encryption key server/array status by using:
    [apuser@node0101]$ apesklm status 
    RACK      FSN       ID        NAME      STATUS    TYPE      PRI     CERT      ENCRYPTED_ARRAY
    1         fsn0101   0         sklm1     online   isklm     yes      yes       yes
    2         fsn0104   0         sklm1     online   isklm     yes      yes       yes
    [apuser@node0101]$ 
    For more information about the apesklm command and its options, see IIAS 1.0.15.0 and later apesklm command.
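The following script is an added example; it is not part of the IIAS documentation or of the apesklm tool. It automates the rename between apesklm export-cert (step 3) and the scp upload (step 4): every *.pem file in the export folder is checked to be a single PEM certificate block, copied to a staging folder with the appliance host name prefix that the procedure requires, and its SHA-256 fingerprint is printed when openssl is installed, so that the SKLM administrator can compare fingerprints out of band before registering the certificates in the device group. The directory names, the sf58 prefix and the function names are assumptions, not apesklm options.

```shell
#!/bin/sh
# Added example, not part of the IIAS documentation or the apesklm tool.
# Stages the FSN certificates written by "apesklm export-cert -l SRC_DIR" for upload
# to the SKLM server: each *.pem is checked to be a single PEM certificate block,
# copied to DST_DIR as <PREFIX>_<name> (the appliance host name prefix the procedure
# requires) and its SHA-256 fingerprint is printed when openssl is installed, so the
# SKLM administrator can confirm it out of band before registering it.
# Directory names, the prefix and the function names are assumptions, not apesklm options.
set -u

# is_pem_cert FILE: succeed only if FILE is exactly one PEM certificate block.
is_pem_cert() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END CERTIFICATE-----$' || return 1
    # Two or more BEGIN markers mean a bundle, not one device certificate: flag it for review.
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")" -eq 1 ]
}

# cert_fingerprint FILE: print the SHA-256 fingerprint (PEM input), or say why it could not.
cert_fingerprint() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
            || echo "fingerprint: openssl could not parse $1"
    else
        echo "fingerprint: openssl not installed"
    fi
}

# stage_fsn_certs SRC_DIR DST_DIR PREFIX: copy every valid *.pem from SRC_DIR to
# DST_DIR/PREFIX_<name>. Files that are not a single PEM certificate are skipped and
# reported. Succeeds only if at least one file was staged and nothing was skipped.
stage_fsn_certs() {
    src=$1; dst=$2; prefix=$3
    mkdir -p "$dst" || return 1
    staged=0; skipped=0
    for f in "$src"/*.pem; do
        [ -e "$f" ] || continue                 # no *.pem files: the glob stays literal
        name=$(basename "$f")
        case "$name" in
            "$prefix"_*) out="$dst/$name" ;;     # already carries the prefix
            *)           out="$dst/${prefix}_$name" ;;
        esac
        if is_pem_cert "$f"; then
            cp "$f" "$out" || return 1
            echo "staged $name -> $(basename "$out")"
            cert_fingerprint "$out"
            staged=$((staged + 1))
        else
            echo "skipped $name: not a single PEM certificate" >&2
            skipped=$((skipped + 1))
        fi
    done
    echo "staged=$staged skipped=$skipped"
    [ "$skipped" -eq 0 ] && [ "$staged" -gt 0 ]
}

# count_staged DST_DIR: number of staged certificates, to compare with the number of FSNs
# (two in the export-cert output above: fsn0101 and fsn0104).
count_staged() {
    n=0
    for f in "$1"/*.pem; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage: sh stage_fsn_certs.sh /tmp/certs /tmp/certs/staged sf58
if [ $# -eq 3 ]; then
    stage_fsn_certs "$1" "$2" "$3"
fi
```

Run it on the master node after step 3, for example stage_fsn_certs /tmp/certs /tmp/certs/staged sf58, and upload /tmp/certs/staged/*.pem in step 4. Compare the printed fingerprints with what the SKLM administrator sees after the import. The same cert_fingerprint function can be run on the downloaded server_cert.cer if that file is PEM encoded; a DER-encoded file needs openssl x509 -inform DER instead.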