Note: DS8000 does not support communication with SKLM over IPP using custom device groups. KMIP is
recommended for DS8000 systems communicating with IBM SKLM Key Servers in a Multi-Master
conguration. When using IPP to communicate with IBM SKLM Key Servers in a Multi-Master
conguration, it is not possible for the DS8000 systems to automatically detect problems related to key
redundancy, leaving you responsible for determining when high availability disaster recovery (HADR)
synchronization is not functioning properly. Loss of data in the SKLM key store can result in loss of
DS8000 data.
Planning for key lifecycle managers
DS8000 storage systems support IBM Security Key Lifecycle Manager.
If NIST 800-131A security conformance is required on your storage system, select the version of IBM
Security Key Lifecycle Manager that is appropriate for your encryption key server host and connection
network protocol requirements.
• If your encryption key server runs on an open system host and you do not plan to use the Transport
Layer Security (TLS) 1.2 protocol with this key server, use IBM Security Key Lifecycle Manager V2.0.1 or
later.
• If your encryption key server runs on an open system host and you plan to use the TLS 1.2 protocol with
this key server, use IBM Security Key Lifecycle Manager V2.5 or later.
• If your encryption key server runs on an IBM Z host LPAR with z/OS, use IBM Security Key Lifecycle
Manager for z/OS V1.1.0.3 or later.
• If your encryption key server is Gemalto Safenet KeySecure, select version 8.0.0 or later.
If NIST 800-131A security conformance is not required on your storage system, select the appropriate
encryption key manager for your encryption key server host.
• If your encryption key server runs on an open system host, install IBM Security Key Lifecycle Manager
V2.0.1 or later.
• If your encryption key server runs on an IBM Z host LPAR with z/OS, install IBM Security Key Lifecycle
Manager for z/OS v1.0.1 or later.
IBM Storage Appliance 2421 Model AP1 can be ordered either as a single isolated key server (feature
code 1761) or as two isolated key servers (feature codes 1761 and 1762, ordered together). This order
must include an indicator for IBM Security Key Lifecycle Manager (feature code 0204), which indicates
that a DVD with IBM Security Key Lifecycle Manager software is provided with Storage Appliance AP1. For
more information, search for "IBM Storage Appliance 2421 Model AP1" at the IBM Publications Center
website (www.ibm.com/shop/publications/order).
If you want to acquire a different isolated key server, refer to the IBM Security Key Lifecycle Manager
Installation and Conguration Guide (SC27-5335) or IBM Security Key Lifecycle Manager online product
documentation (www.ibm.com/support/knowledgecenter/SSWPVP/) for hardware and operating system
requirements.
Note: You must acquire an IBM Security Key Lifecycle Manager license for use of the IBM Security Key
Lifecycle Manager software that is ordered separately from the stand-alone server hardware. The IBM
Security Key Lifecycle Manager license includes both an installation license for the IBM Security Key
Lifecycle Manager management software and a license for encrypting drives.
IBM Security Key Lifecycle Manager for z/OS generates encryption keys and manages their transfer to and
from devices in an IBM Z environment.
Planning for full-disk encryption activation
Full-disk-encryption drives are standard on the storage system. These drives encrypt and decrypt at
interface speeds, with no impact on performance.
Full disk encryption offerings must be activated before use, as part of the system installation and
conguration. This installation and activation review is performed by the IBM Systems Lab Services team.
To submit a request or inquiry, see the Storage Services website
(www-03.ibm.com/systems/services/
labservices/platforms/labservices_storage.html), and click Contact us.
116
IBM DS8900F: DS8900F Introduction and Planning Guide
To Next Page
Loading...
Need help?
General