Configuring cloud services with SKLM (optional)
To encrypt data that is tiered to cloud storage, you must first configure a key manager; the container pair set that you create in the next step references it. Two types of key manager are supported: the local key manager (a simple JCEKS keystore) and the IBM® Security Key Lifecycle Manager (SKLM) server. You need to create one local key manager per cluster. The SKLM key manager is optional and can be created per cluster or per set of file systems, depending on your security needs.
Before you configure cloud services with IBM Security Key Lifecycle Manager, ensure that an SKLM server is installed. For more information, see Preparation for encryption.
Note:
- Transparent cloud tiering supports only IBM Security Key Lifecycle Manager versions 2.6.0 and 2.7.0.
- Transparent cloud tiering cannot communicate with an IBM Security Key Lifecycle Manager server that does not support TLSv1.2. Verify the server's TLS configuration before you create the key manager.
Create the key manager now if you intend to specify it (with the key manager parameter) when you configure a container pair set in the next topic.
- To create an SKLM key manager, issue a command similar to the following:

mmcloudgateway keymanager create --cloud-nodeclass cloud --key-manager-name vm1 --key-manager-type RKM --sklm-hostname vm1 --sklm-port 9080 --sklm-adminuser SKLMAdmin --sklm-groupname tct

The system displays output similar to the following:

Please enter a password:
Confirm your password:
mmcloudgateway: Sending the command to the first successful node starting with vmip51.gpfs.net
mmcloudgateway: This may take a while...
mmcloudgateway: Command completed successfully on vmip51.gpfs.net.
mmcloudgateway: Command completed.
- To rotate a key manager, issue a command similar to the following:

mmcloudgateway keymanager rotate --cloud-nodeclass cloud --key-manager-name vmip131

The system displays output similar to the following:

mmcloudgateway: Sending the command to the first successful node starting with c01.gpfs.net
mmcloudgateway: This may take a while...
mmcloudgateway: Command completed successfully on c80f4m5n01.gpfs.net.
mmcloudgateway: Command completed.
- To update a key manager, for example to update its certificate, issue a command similar to the following:

mmcloudgateway keymanager update --cloud-nodeclass cloud --key-manager-name sklm --update-certificate

The system displays output similar to the following:

mmcloudgateway: Sending the command to the first successful node starting with c01.gpfs.net
mmcloudgateway: This may take a while...
mmcloudgateway: Command completed successfully on c01.gpfs.net.
mmcloudgateway: Command completed.
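The following script wraps the keymanager commands above with the checks an operator wants before touching a production cluster: it rejects a malformed port, probes the SKLM endpoint for TLSv1.2 (the second note above) before anything is created, and verifies both the exit status and the "Command completed successfully on" trailer from the sample output. This is an added example written for this page, not code from IBM Storage Scale or its documentation. The host name, node class and key manager name are placeholders, and the TLS probe assumes that the port passed to --sklm-port is the TLS endpoint that the cloud service connects to.

```bash
#!/usr/bin/env bash
# Added example for this page, not code from IBM Storage Scale or its docs.
# Wraps the mmcloudgateway keymanager commands shown above with preflight
# checks. Placeholders (assumed, not from the page): the SKLM host name,
# node class and key manager name used in main().

# Accept only a numeric TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Preflight for the note above: transparent cloud tiering cannot talk to an
# SKLM server without TLSv1.2. Pinning -tls1_2 makes s_client fail when the
# server offers only older protocols. Assumes the --sklm-port endpoint is the
# TLS endpoint the cloud service connects to. Needs network access, so the
# offline checks do not call it.
sklm_tls12_ok() {
  openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
    </dev/null >/dev/null 2>&1
}

# Assemble the create command exactly as the page shows it, so one wrapper
# serves a per-cluster or a per-file-system-set key manager.
build_create_cmd() {
  printf '%s' "mmcloudgateway keymanager create --cloud-nodeclass $1" \
    " --key-manager-name $2 --key-manager-type RKM --sklm-hostname $3" \
    " --sklm-port $4 --sklm-adminuser $5 --sklm-groupname $6"
}

# mmcloudgateway ends a successful run with a fixed trailer (see the sample
# output above); check for it in the saved log, not only the exit status.
keymanager_log_ok() {
  printf '%s\n' "$1" | grep -q 'mmcloudgateway: Command completed successfully on '
}

# Run one keymanager command. stdin stays on the terminal so the interactive
# password prompt works; output is mirrored to the terminal and a log file,
# and the command's own exit status is preserved across the tee pipe.
run_keymanager() {
  log=$(mktemp) || return 1
  { "$@" 2>&1; echo $? >"$log.rc"; } | tee "$log"
  rc=$(cat "$log.rc"); out=$(cat "$log")
  rm -f "$log" "$log.rc"
  [ "$rc" -eq 0 ] && keymanager_log_ok "$out"
}

# Driver: preflight, then create. Runs only with --apply, so the file can be
# sourced and its functions exercised without an SKLM server present.
main() {
  nodeclass=cloud; name=sklm1; host=sklm.example.com; port=9080   # placeholders
  valid_port "$port" || { echo "bad SKLM port: $port" >&2; return 1; }
  sklm_tls12_ok "$host" "$port" ||
    { echo "$host:$port does not negotiate TLSv1.2; TCT cannot use it" >&2; return 1; }
  # The command prompts for the key manager password, as in the sample output.
  run_keymanager $(build_create_cmd "$nodeclass" "$name" "$host" "$port" SKLMAdmin tct)
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

The rotate and update commands from the steps above can be passed to run_keymanager in the same way; the TLS probe is deliberately run first so that a server still limited to older protocols is caught before a half-configured key manager exists on the cluster.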
Next step: Binding your file system or fileset to the Cloud service by creating a container pair set.
Note: The local key manager is simpler to configure and use. It might be your best option unless you already use SKLM in your IBM Storage Scale cluster or have special security requirements that call for SKLM.