Configuring Library Managed Encryption
Library-Managed Encryption (LME) is a built-in feature that is enabled by using a purchased license.
The LME feature can be ordered from the factory, or you can order it as a field upgrade. To order a feature, contact your IBM® Sales Representative or Business Partner. See Optional Features.
- Confirm that the Library-Managed Encryption license is activated on the page.
- Verify that the server is available on the network and is configured for use with this library. For information on configuring servers for use with the library, see the server documentation.
Note: See IBM Guardium Key Lifecycle Manager for information on setup and configuration.
- If Library Encryption settings are cleared and reconfigured, you're required to accept the new certificate on the server when the Library Self-Signed Certificate is used.
Key Management Interoperability Protocol (KMIP) Encryption
- In the Actions menu, click Manage KMIP Encryption to start the wizard.
- The Logical Library Selection screen displays the KMIP configuration options that can be set as the default for all logical libraries, or on a per logical library basis. The second section provides the option to copy the KMIP configuration settings to all logical libraries (default) or to specified logical libraries.
- The Wizard Information screen displays information about the wizard. On this screen, it’s also possible to Reset Encryption Settings. If the library configuration is complete and the KMIP server is available on the network, click Next.
- The Certificate Option screen displays the different certificate options that can be used to establish a secure communication to the KMIP server. You can select from the following options:
- Library Self-Signed Certificate (default option) - A self-signed certificate that is generated by the library is used.
- Uploaded Certificate - Upload a PKCS #12 file that includes a certificate and its corresponding private key.
- Generate Certificate Request (CSR) - The library generates a CSR that must be signed by a CA. This method requires the CA certificate, which must be provided during the wizard steps.
- Certification Configuration
- Library Self-Signed Certificate – skip to the next step.
- Uploaded Certificate
- Upload the PKCS #12 file in the certificate area on the Certificate Option screen.
- If this file is password protected, enter the password in the Certificate Password input field. If there is no password, leave the field empty.
- After the certificate has been uploaded successfully, click Next.
- Generate Certificate Request (CSR)
- The Certificate Authority Information screen displays prerequisites for using the KMIP certificate. When the prerequisites are met, click Next.
- The Certificate Authority Certificate Entry screen displays instructions for obtaining the CA certificate for the KMIP server. Follow the instructions to copy the CA certificate from the Management Console. Paste the CA certificate into the wizard and then click Next.
- The Library Certificate Information screen displays information about the next wizard steps. Click Next.
- The KMIP Client Configuration screen provides options for two types of server authentication.
- If your KMIP server uses a client username and password for authentication, enter the username and password that were specified on the KMIP Management Console for the library.
- If your KMIP server uses certificate validation for authentication, select Enable KMIP Certificate only authentication. Select this option if your KMIP server doesn’t support a client username and password. This is the default method when KMIP is used with IBM Security Key Lifecycle Manager.
- In the KMIP Server Configuration screen, enter the IP address or fully qualified hostname and port number for up to ten KMIP servers. Also, choose which key server type services the encryption keys. You can select from the following options:
- IBM SKLM - IBM Security Key Lifecycle Manager 2.6.0 or higher KMIP server.
- KMIP Compatible - Key server that supports the OASIS standard Key Management Interoperability Protocol (KMIP).
- To verify access to the KMIP servers, click Connectivity Check.
- On the KMIP server side, check that the server accepts the library's certificate.
- The Setup Summary screen displays the settings that are collected by the wizard. Verify that the settings are correct and that no errors are in the Done column.
- If you need to modify any settings or fix any issues, either click Back to reach the applicable screen or Cancel to leave the wizard to fix the issues and return later.
- If the settings are correct and no errors are reported, click Finish.
When the wizard finishes, the Library Managed Encryption (KMIP) encryption mode is selectable in the Logical Library Wizard (Expert Mode) on the page.
Security Key Lifecycle Manager (SKLM) for z/OS Encryption
- Go to the Library menu. Then, go to Logical Libraries. Select Actions, then select Manage SKLM for z/OS Encryption.
- Enter the IP address and the port of the SKLM z/OS server, then click Modify.
- Go back to Actions and select Manage Logical Library (Expert Mode).
- On the Expert Logical Library Wizard screen, click General Settings.
- Next to Encryption Mode, choose Library Managed Encryption (SKLM for z/OS) (Licensed).
- Click Next, and then click Finish Configuration.
- A message appears when the logical library has been successfully enabled for SKLM for z/OS.
- Go to . The Security Encryption Status and the Logical Library Encryption Status show Library Managed Encryption (SKLM for z/OS) as Enabled.
Key Path Diagnostics
The Key Path Diagnostic test checks all communication paths to ensure that a key can be transmitted from the encryption key servers to the drive to properly encrypt and decrypt the tape cartridges.
The test consists of two parts. The first part, the drive test, verifies that communication between the library and the drive is working properly. This test is run only on drives that are configured for library-managed encryption (LME).
The second part verifies communication between the library and the encryption key servers. If the secondary Ethernet port is enabled and configured, the tests are run on both ports separately.
- Ping: This test checks whether the key server can be reached. If ICMP requests are blocked on the server side, this test fails even though the server may otherwise be reachable. Therefore, the following tests are run regardless of the result of the ping test.
- SSL/TLS: This test tries to establish an SSL/TLS connection with the key server. If this test fails, the following tests are skipped because they would also fail. This test is skipped if SSL/TLS is not enabled.
- Key Server Login: This test is run only in combination with a KMIP encryption server, since SKLM currently does not support login. If this test fails, the following Key Retrieval test is skipped because it would also fail.
- Key Retrieval: This test requests a key from the encryption server. For SKLM servers, a key from the key pool is requested. On other servers, the library acquires a specific diagnostic key.
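The skip rules above are easy to misread when only one result line is visible in the GUI. The following added example (not IBM's code) models the server-side part of the Key Path Diagnostic as a sequencer: the probe callables are assumptions standing in for the library's real ping, TLS handshake, login and key-request checks, so that the pass/fail/skipped outcome for each test can be reasoned about for a given server type and TLS setting.

```python
# Added example: model of the Key Path Diagnostic decision logic.
# The "probes" are assumed stand-ins for the library's real network checks.
from typing import Callable, Dict

Probe = Callable[[], bool]


def run_key_path_diagnostics(server_type: str, tls_enabled: bool,
                             probes: Dict[str, Probe]) -> Dict[str, str]:
    """Run ping, tls, login and key in order, applying the documented skip rules.

    server_type: "KMIP" or "SKLM"; tls_enabled: whether SSL/TLS is configured.
    Each probe returns True on success. Results are "pass", "fail" or "skipped".
    """
    results: Dict[str, str] = {}

    # Ping is informational: blocked ICMP does not stop the later tests.
    results["ping"] = "pass" if probes["ping"]() else "fail"

    # SSL/TLS: skipped when not enabled; a failure skips everything after it.
    if not tls_enabled:
        results["tls"] = "skipped"
    elif probes["tls"]():
        results["tls"] = "pass"
    else:
        results["tls"] = "fail"
        results["login"] = "skipped"
        results["key"] = "skipped"
        return results

    # Key Server Login only applies to KMIP servers (SKLM has no login step).
    if server_type != "KMIP":
        results["login"] = "skipped"
    elif probes["login"]():
        results["login"] = "pass"
    else:
        results["login"] = "fail"
        results["key"] = "skipped"
        return results

    # Key Retrieval: key pool on SKLM, a specific diagnostic key elsewhere.
    results["key"] = "pass" if probes["key"]() else "fail"
    return results


def summarize(results: Dict[str, str]) -> str:
    """Reduce the per-test results to the one line an operator acts on."""
    failed = [n for n, r in results.items() if r == "fail" and n != "ping"]
    if failed:
        return "key path broken at: " + ", ".join(failed)
    suffix = " (ping blocked)" if results["ping"] == "fail" else ""
    return "key path OK" + suffix
```

When both Ethernet ports are configured, call the sequencer once per port with that port's probes, as the library runs the tests on each port separately.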