Configuring encryption with SKLM 2.7 or later

This section describes the tasks that are required when IBM Security Key Lifecycle Manager (SKLM) 2.7 or later is the key server for an IBM Storage Scale cluster.

Simplified setup: Updating the REST port after upgrading SKLM

Note: IBM Storage Scale supports IBM Security Guardium Key Lifecycle Manager (GKLM) 4.1.0.1 (IF01), 4.1.1, or later. The older versions of GKLM are referred to as IBM Security Key Lifecycle Manager or SKLM in the documentation. The configuration information is the same for both GKLM and SKLM.

When SKLM is upgraded to a later version, the system administrator might configure the REST interface of SKLM to listen on a different port. If so, and if the IBM Storage Scale cluster is configured with the simplified setup, run the mmkeyserv server update command to reconnect the key client to the new REST interface port. If the new port is not the default REST interface port, you must also pass the new port number in the --port parameter of the mmkeyserv server update command; without it, the key client keeps trying the old port and cannot retrieve keys. For more information, see mmkeyserv command.

For example, when SKLM is upgraded from 2.6 to 2.7, the REST interface port might be changed from the 2.6 default port (port 9080) to the 2.7 default port (port 443). If this situation occurs, you can run the mmkeyserv server update command to connect the IBM Storage Scale key client to the new REST interface port.

Resolving the UUID length problem in IBM Storage Scale versions earlier than 4.2.3

A UUID-length problem arises if a key client that is running a version of IBM Storage Scale earlier than 4.2.3 connects to SKLM version 2.7 or later as the key server. IBM Storage Scale versions earlier than 4.2.3 support a maximum length of 42 characters for the Universally Unique Identifier (UUID) of an encryption key. However, SKLM versions 2.7 and later generate UUIDs of up to 48 characters in length, including a 7- or 8-character instance ID. To work around this problem, you can configure the SKLM 2.7 or later key server to use a one-character instance ID. After the configuration, the server generates UUIDs that have a maximum length of 42 characters. This method does not change existing UUIDs: keys that were created before the change keep their longer UUIDs, so create the keys that pre-4.2.3 clients must use only after the change.
Note:
  • IBM Storage Scale supports a maximum key UUID length of 65 characters in versions 4.2.3 and later.
  • The instructions in this subsection apply only to versions of IBM Storage Scale earlier than 4.2.3. Do not follow these steps with later versions of IBM Storage Scale.

To configure an SKLM 2.7 or later key server to generate UUIDs with a maximum length of 42 characters, follow these steps:

  1. Stop the SKLM server.
  2. From the command line, change to the DB2®/bin directory.
    Note: The location of the DB2/bin directory depends on the operating system:
    • On AIX®, Linux®, and similar operating systems, the directory is at the following location:
      • /opt/IBM/DB2SKLMV27/bin
    • On Microsoft Windows, the directory is at the following location:
      • Drive:\Program Files\IBM\DB2SKLMV27\bin
    If SKLM uses a preexisting DB2 installation, then the location of the bin directory might be different and might be on another system.
  3. Start the DB2 command-line tool. The method depends on the operating system:
    • On AIX, Linux, and similar operating systems, enter the following command:
      • ./db2
    • On Microsoft Windows, enter the following command:
      • db2
  4. At the db2 command-line prompt, enter the following command to list the database directory:
    list database directory
    DB2 displays output like the following example:
    System Database Directory
     Number of entries in the directory = 1
    
    Database 1 entry:
    
     Database alias                       = SKLMDB27
     Database name                        = SKLMDB27
     Local database directory             = /home/sklmdb27
     Database release level               = 14.00
     Comment                              =
     Directory entry type                 = Indirect
     Catalog database partition number    = 0
     Alternate server hostname            =
     Alternate server port number         =
    
    Make a note of the database name.
  5. Enter the following command to connect to the SKLM database:
    connect to database user userName using password
    Where:
    database
    Specifies the database name from the previous step.
    userName
    Specifies the SKLM DB2 user name that you set during SKLM installation. The default value is sklmdb27.
    password
    Specifies the SKLM DB2 password that you set during SKLM installation. If you omit the using password clause, DB2 prompts for the password interactively, so that it does not appear in the DB2 command history.
  6. Enter the following command to change the SKLM instance ID. The command is on one line:
    update KMT_CFGT_INSTDETAILS set INSTANCEID='1' where INSTANCEID in
    (select INSTANCEID from KMT_CFGT_INSTDETAILS)
    where 1 is the one-character instance ID that you want to set. The WHERE clause matches every row of KMT_CFGT_INSTDETAILS, so all instance entries receive the new ID. The value must be exactly one character; a longer value keeps the generated UUIDs above the 42-character limit. DB2 displays output like the following example:
    DB20000I  The SQL command completed successfully.
  7. Enter the following command to commit the change:
    commit
    DB2 displays output like the following example:
    DB20000I  The SQL command completed successfully.
  8. Enter the following command to close the DB2 command-line tool:
    quit
  9. Start the SKLM server.
The SKLM key server now generates UUIDs that have a maximum length of 42 characters.
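A check that you can run before and after the procedure above, as an added example that is not part of the IBM documentation and not code from IBM Storage Scale or SKLM: a POSIX shell script that reports the length and the instance-ID segment of each key UUID and flags every UUID that exceeds the limit of the target IBM Storage Scale release. It assumes that a key UUID has the layout KEY-<instanceID>-<36-character UUID> (an assumption that is consistent with the character counts given in the text, not a format taken from the page), and the sample UUIDs are constructed for the example, not real keys. The file name check_uuid_len.sh in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not from IBM documentation. Checks SKLM/GKLM key UUIDs against
# the 42-character limit enforced by IBM Storage Scale releases earlier than 4.2.3
# and the 65-character limit of 4.2.3 and later.
# Assumption: a key UUID has the layout KEY-<instanceID>-<36-character UUID>, so a
# 7-character instance ID gives 48 characters and a 1-character ID gives 42.

MAX_UUID_LEN_PRE_423=42   # limit in IBM Storage Scale earlier than 4.2.3
MAX_UUID_LEN_423=65       # limit in IBM Storage Scale 4.2.3 and later

# uuid_len KEYUUID -> prints the number of characters in KEYUUID
uuid_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# instance_id KEYUUID -> prints the instance-ID segment between "KEY-" and the next "-"
instance_id() {
    printf '%s\n' "$1" | sed -n 's/^KEY-\([^-]*\)-.*$/\1/p'
}

# uuid_fits KEYUUID LIMIT -> exit status 0 if KEYUUID is within LIMIT characters, 1 otherwise
uuid_fits() {
    [ "$(uuid_len "$1")" -le "$2" ]
}

# check_uuids LIMIT  (reads one UUID per line on stdin)
# Prints one report line per UUID; returns 1 if any UUID exceeds LIMIT.
check_uuids() {
    limit=$1
    rc=0
    while IFS= read -r key; do
        [ -z "$key" ] && continue
        len=$(uuid_len "$key")
        inst=$(instance_id "$key")
        if [ "$len" -le "$limit" ]; then
            verdict=ok
        else
            verdict="TOO LONG (limit $limit)"
            rc=1
        fi
        printf '%-50s len=%-2s instanceID=%-8s %s\n' "$key" "$len" "$inst" "$verdict"
    done
    return $rc
}

# Constructed sample UUIDs (not real keys): a 7-character instance ID as generated
# by an unmodified SKLM 2.7 server, the one-character ID set by the procedure,
# and a two-character ID, which is still one character too many.
SAMPLE_UUIDS='KEY-b2c3d4e-123e4567-e89b-12d3-a456-426614174001
KEY-1-123e4567-e89b-12d3-a456-426614174002
KEY-12-123e4567-e89b-12d3-a456-426614174003'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UUIDS" | check_uuids "$MAX_UUID_LEN_PRE_423"
fi
```

Run sh check_uuid_len.sh --demo to see the report for the constructed samples; to check real keys, source the script and pipe the UUIDs that your key server lists, one per line, into check_uuids with the limit for your IBM Storage Scale release. A non-zero exit status from check_uuids means that at least one key cannot be used from a pre-4.2.3 client, which is the condition the procedure above is meant to prevent for newly created keys.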