Updating encryption and key server certificates

If you have a storage administrator user role, you can use this task to update encryption certificates. The encryption certificates are used for key server communication with the DS8000® storage system.

Before you begin

Before you update to a Gen2 or customer defined certificate, ensure that the certificate authority (CA) signed root certificate is installed on each key server. Encryption certificates must be digitally signed by a CA that is designated as a trusted root CA.

Open Systems SKLM V2.0.1 and z Series SKLM V1.1.0.2 and later already have the Gen2 CA root certificate installed. If you are using a non-SKLM key server, you need to manually import the Gen2 CA root certificate (see Configuring key servers).

To enable encryption on a storage system with version 8.1 (88.10.112.0) or later using TKLM or SKLM, you must upgrade to one of the following versions of TKLM or SKLM that has the Gen2 CA root installed:
  • TKLM version 2.0.1 or later on Open Systems
  • SKLM (all versions) on Open Systems
  • SKLM version 1.1.0.2 or later on z/OS
This SKLM/TKLM upgrade requirement applies to DS8000 shipped with version 8.1 (88.10.112.0) and later.

About this task

The following guidelines apply to upgrading encryption certificates:
  • You can update encryption certificates by using one of the following options:
    • Using the encryption enablement wizard when encryption is not enabled.
    • Selecting Update Certificate on the Encryption Settings page when encryption is configured.
  • For SKLM key servers, compliance with NIST SP 800-131A requires the use of TLS 1.2 if SSL or TLS protocols are used with an encryption key server (TCP port 441). If SSL or TLS protocols are not used with the key server (TCP port 3801), the key server does not require TLS 1.2 support.
  • For KMIP key servers, only TLS 1.2 is supported.
Warnings:
  • After you update a DS8000 encryption certificate to a Gen2 or customer defined certificate, you cannot change the certificate back to Gen1.
  • After you update a DS8000 encryption certificate to a customer defined certificate, you can change the certificate back to Gen2.

If this DS8000 was manufactured with V8.1 or later, the Gen2 certificate is already updated and this step is not required.
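As an added pre-check that is not part of the original page or of IBM's tooling, the script below covers the two prerequisites above: it connects to a key server's TLS port (TCP port 441) with openssl s_client pinned to TLS 1.2 and verifies the presented chain against the CA root that must be installed before the update. The host name, port and CA file path are placeholders you supply, and the sample s_client output is constructed for offline use.

```python
import re
import subprocess
from dataclasses import dataclass

@dataclass
class TlsCheck:
    protocol: str    # negotiated protocol, e.g. "TLSv1.2"; "none" if no handshake
    verify_ok: bool  # server chain verified against the supplied CA root
    issuer: str      # issuer of the server certificate

def parse_s_client(output: str) -> TlsCheck:
    """Extract protocol, verify result and issuer from openssl s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    return TlsCheck(
        protocol=proto.group(1) if proto else "none",
        verify_ok=bool(verify) and verify.group(1) == "0",
        issuer=issuer.group(1).strip() if issuer else "",
    )

def key_server_problems(check: TlsCheck, require_tls12: bool = True) -> list:
    """List what blocks the certificate update; an empty list means the server passes."""
    problems = []
    if require_tls12 and check.protocol != "TLSv1.2":
        problems.append(f"negotiated {check.protocol}, TLS 1.2 required")
    if not check.verify_ok:
        problems.append("server certificate does not chain to the trusted CA root")
    return problems

def check_key_server(host: str, port: int, ca_root_pem: str) -> TlsCheck:
    """Connect with openssl s_client pinned to TLS 1.2, verifying against ca_root_pem."""
    # host, port and ca_root_pem are placeholders for your own key server and CA root file
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_2", "-CAfile", ca_root_pem]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
    return parse_s_client(proc.stdout + proc.stderr)

# Constructed sample of s_client output (not captured from a real key server).
SAMPLE_OUTPUT = """\
---
subject=CN = klm.example.net
issuer=CN = Example Key Server CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    print(key_server_problems(parse_s_client(SAMPLE_OUTPUT)))
```

Run `check_key_server("klm.example.net", 441, "gen2-root.pem")` against each key server; a server that cannot complete a TLS 1.2 handshake yields protocol "none" and is reported as a problem.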

Procedure

Update encryption certificates from the Encryption tab on the Settings > Security page of the DS8000 Storage Management GUI.

  1. To update a DS8000 encryption certificate, complete the following steps:
    1. Click Certificate to view the DS8000 Encryption Certificate.
    2. Click Update Certificate.
      The Update DS8000 Encryption Certificate window opens.
    3. Select the type of certificate to use for the upgrade, System defined Gen 2 or Customer defined.
      If you select Customer defined, you must browse for the certificate location and enter a password for the certificate.
    4. Click Update to update the certificate.
  2. To update a key server certificate, complete the following steps:
    1. Click Certificate to view the key server certificates.
    2. Click Update Certificate for the certificate you want to update.
      A window opens that prompts you to browse for the new certificate.
    3. Select the new certificate and click Update.