Enabling external disk encryption
How to enable external disk encryption.
About this task
To enable external disk encryption, the TS7700 must be at microcode level 8.33.x.x or later, and all storage subsystems must be CC9, CS9, or CSA.
The customer must have ordered FC 5276 (Disk Encryption with External Key Management) and had it installed on the TS7700 server. Refer to the FC 5272/5276 Installation Instructions for more detailed procedures.
Procedure
- In the TS7700 MI, go to Security Settings (inside the "user" icon)
  - Change SSL/TLS Level to TLS 1.2
  - Click Submit Changes
- Go to SSL Certificates (inside the "user" icon), then choose + New Certificate
  - Pick a method, your choice; for this example, I chose Retrieve certificate from server
  - Enter your x.xx.xxx.xxx as Host and xxxx as Port, then click Next
  - Assign an alias (I used "mi5_sklm"). Click Finish and then Close
- Go to Cluster Settings (inside the gears icon), then choose Data at Rest Encryption
  - Enter your x.xx.xxx.xxx as Address under Primary key server
  - If tape attached (or you just want to):
    - Check the box for IPP TLS 1.2
    - Change IPP port from 3801 to 441
    - Click on 'Test connectivity' next to IPP port 441
    - Get success message
  - Click on Submit Changes. Get success message
  Attention: DO NOT click on 'Test connectivity' next to KMIP port 5696; it will not work until later, when we have instructed the SKLM to accept our certificate.
- Verify the settings were accepted:
  root@clover[/home/pfe] eidiskconfighydra -get 1 disk x.xx.xxx.xxx 3801 441 5696 tls=true external key management is not enabled.
- Enable external disk encryption
  - Go to SMIT menu IBM TS7700 Maintenance > Utility Menus > Disk Cache Utility Menus > Disk Cache Encryption Menus > Change Encryption Settings
  - Change Local to External and hit Enter
  - The values filled in from the MI should already be here; don't change anything, just hit Enter
- Leave the SMIT screen as it is and go to the SKLM GUI. SMIT is showing:
  Command: running    stdout: yes    stderr: no
  Before command completion, additional instructions may appear below.
  Executing command: eiconfighydra -put -1t x.xx.xxx.xxx 0 441 5696 tls=true
  Enabling disk cache encryption...
  Executing command: vtd_cache_cfg -F setExternalEncryption
  . . .
  MSG: Starting external encryption
  Please go to the encryption server administration page
  And accept the CSB certificate under Pending client device communication certificates
  - On the SKLM Welcome page, near the top on the right, under the heading for Key Groups and Certificates, find Pending client device communication certificates and click on the link.
- Return to SMIT and hit Enter where it is sitting and waiting here:
  Please go to the encryption server administration page
  And accept the CSB certificate under Pending client device communication certificates
  . . .
  MSG: Starting external encryption
  Please remember to disconnect the USB drives from the back of string S0
  The USB drives contain previous keys that are no longer valid.
  Note: **** THIS IS WAITING FOR YOU TO PRESS ENTER EVEN THOUGH IT DOESN'T SAY SO ****
- This shows up several minutes AFTER you press Enter:
  Press <Enter> when USB drives are disconnected to continue...
  External Encryption correctly set on S0
  Operation Completed
  MSG : external disk cache encryption was successfully enabled
  Ended execution of : dsEncrypt -C encrypt -t external
  08/12 23:20:50 Disk cache encryption with external key management was successfully enabled
  The process completed successfully.
  Press F3 to exit to the menus
  [BOTTOM]
- Verify that it worked.
  Show Encryption Settings
  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.
                                           [Entry Fields]
  Disk Encryption:                          Enabled
  Disk Encryption Management Type:          External
  Disk Encryption Type:                     AES-256 bit
  Primary key server address:               x.xx.xxx.xxx
  Port:                                     0
  Secondary key server address:
  Port:
  FIPS compliant:                           no

  root@clover[/home/pfe] eidiskconfighydra -get 1 disk x.xx.xxx.xxx 0 441 5696 tls=true external key management is enabled.
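The final verification step above is read by eye. As an added example (not part of the IBM procedure, and not a TS7700 tool), the POSIX shell function below parses the line that `eidiskconfighydra -get 1 disk` prints and fails unless every setting the procedure is meant to produce is present: external key management enabled, TLS on, IPP port 441 and KMIP port 5696. It assumes the output has the shape shown on this page (key server address, a number, IPP port, KMIP port, `tls=<true|false>`, then the status text); the sample lines are constructed from the page's placeholders, and the expected port values are taken from the procedure.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure: post-change check over the
# line printed by `eidiskconfighydra -get 1 disk`.
# Assumed output shape (from the page):
#   <key server addr> <n> <ipp port> <kmip port> tls=<true|false> <status text...>

# Values the procedure is expected to leave in place (from the steps above).
EXPECTED_IPP_PORT=441
EXPECTED_KMIP_PORT=5696

# check_ext_encryption "<output line>"
# Returns 0 when every expected setting is present; prints the first
# mismatch and returns 1 otherwise.
check_ext_encryption() {
    set -- $1            # split the line on whitespace into positional fields
    addr=$1
    ipp=$3
    kmip=$4
    tls=$5
    shift 5
    status=$*            # the remaining words are the free-text status

    case "$status" in
        *"external key management is enabled"*) ;;
        *) echo "FAIL: key management state: $status"; return 1 ;;
    esac
    [ "$tls" = "tls=true" ] || { echo "FAIL: TLS to key server is off ($tls)"; return 1; }
    [ "$ipp" = "$EXPECTED_IPP_PORT" ] || { echo "FAIL: IPP port is $ipp, expected $EXPECTED_IPP_PORT"; return 1; }
    [ "$kmip" = "$EXPECTED_KMIP_PORT" ] || { echo "FAIL: KMIP port is $kmip, expected $EXPECTED_KMIP_PORT"; return 1; }
    echo "OK: external disk encryption enabled via $addr (IPP $ipp, KMIP $kmip, TLS on)"
    return 0
}

# Constructed samples mirroring the page's before/after output.
SAMPLE_BEFORE="x.xx.xxx.xxx 3801 441 5696 tls=true external key management is not enabled."
SAMPLE_AFTER="x.xx.xxx.xxx 0 441 5696 tls=true external key management is enabled."

check_ext_encryption "$SAMPLE_BEFORE" || true   # state after step 5, before SMIT: reports FAIL
check_ext_encryption "$SAMPLE_AFTER"            # state after the procedure: reports OK

# On the TS7700 itself, feed the live output instead of the sample:
#   check_ext_encryption "$(eidiskconfighydra -get 1 disk)"
```

The check deliberately fails closed: a line that still says "not enabled", or that reports `tls=false` or the old 3801 IPP port, returns non-zero, so it can gate a change record or a monitoring job rather than relying on someone reading the SMIT panel.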