Updating encryption and key server certificates
If you have a storage administrator user role, you can use this task to update encryption certificates. The encryption certificates are used for key server communication with the DS8000® storage system.
Before you begin
Before you update to a Gen2 or customer defined certificate, ensure that the certificate authority (CA) signed root certificate is installed on each key server. Encryption certificates must be digitally signed by a CA that is designated as a trusted root CA.
Open Systems SKLM V2.0.1 and z Series SKLM V1.1.0.2 and later already have the Gen2 CA root certificate installed. If you are using a non-SKLM key server, you need to manually import the Gen2 CA root certificate (see Configuring key servers).
- TKLM version 2.0.1 or later on Open Systems
- SKLM (all versions) on Open Systems
- SKLM version 1.1.0.2 or later on z/OS
About this task
- You can update encryption certificates by using one of the following options:
  - Using the encryption enablement wizard when encryption is not enabled.
  - Selecting Update Certificate on the Encryption Settings page when encryption is configured.
- For SKLM key servers, compliance with NIST SP 800-131A requires the use of TLS 1.2 if SSL or TLS protocols are used with an encryption key server (TCP port 441). If SSL or TLS protocols are not used with the key server (TCP port 3801), the key server does not require TLS 1.2 support.
- For KMIP key servers, only TLS 1.2 is supported.
- After you update a DS8000 encryption certificate to a Gen2 or customer defined certificate, you cannot change the certificate back to Gen1.
- After you update a DS8000 encryption certificate to a customer defined certificate, you can change the certificate back to Gen2.
If this DS8000 was manufactured with V8.1 or later, the Gen2 certificate is already updated and this step is not required.
Procedure
Update encryption certificates from the Encryption tab on the page of the DS8000 Storage Management GUI.
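A pre-update check for the TLS 1.2 requirement described under "About this task", added here as an example and not taken from the product documentation: it confirms that a key server's TLS port completes a TLS 1.2 handshake and that its certificate chains to the CA root file you supply. The function names, the host name and the CA file path are assumptions; port 441 is the SKLM TLS port named above.

```python
import socket
import ssl

SKLM_TLS_PORT = 441  # TLS port for SKLM key servers, as stated on this page


def tls12_only_context(ca_file=None):
    """Client context that can negotiate only TLS 1.2 and verifies the chain.

    ca_file is assumed to be a PEM copy of the CA root you expect the key
    server to chain to; when given, it is the only trust anchor loaded.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_key_server(host, port=SKLM_TLS_PORT, ca_file=None, timeout=5.0):
    """Attempt a verified TLS 1.2 handshake and report the outcome as a dict."""
    result = {"host": host, "port": port, "ok": False,
              "version": None, "cipher": None, "error": None}
    ctx = tls12_only_context(ca_file)  # a bad ca_file path raises here, on purpose
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # Assumes the certificate's subject names cover `host`.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, version=tls.version(),
                              cipher=tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: " + exc.verify_message
    except ssl.SSLError as exc:
        # Raised when the peer refuses TLS 1.2 or is not speaking TLS at all.
        result["error"] = "TLS 1.2 handshake failed: " + str(exc)
    except OSError as exc:
        result["error"] = "connection failed: " + str(exc)
    return result


if __name__ == "__main__":
    # Hypothetical host name and CA file path; replace with your own.
    print(probe_key_server("keyserver.example.com", ca_file="gen2-ca-root.pem"))
```

A result with `ok` set to `True` and `version` equal to `TLSv1.2` means the handshake and chain validation both succeeded; any other result carries the reason in `error`.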