– If your KMIP server uses a client username and password for authentication, enter the
username and password that were specied on the KMIP Management Console for the library.
– If your KMIP server uses certicate validation for authentication, select Enable KMIP
Certicate only authentication. Select this option if you use a KMIP server that doesn’t
support a client username and password. This default method is used when KMIP is used with
the IBM Security Key Lifecycle Manager.
1) In the KMIP Server Conguration screen, enter the IP address or fully qualied hostname
and port number for up to ten KMIP servers. Also, choose which key server type services
the encryption keys. You can select from the following options:
- IBM SKLM - IBM Security Lifecycle Manager 2.6.0 or higher KMIP server.
- KMIP Compatible - Key server that is supporting the OASIS standard key management
interoperability protocol (KMIP).
2) To verify access to the KMIP servers, click Connectivity Check.
3) Check at the KMIP server side that the server accepts the certicate of the library.
4) The Setup Summary screen displays the settings that are collected by the wizard. Verify
that the settings are correct and that no errors are in the Done column.
- If you need to modify any settings or x any issues, either click Back to reach the
applicable screen or Cancel to leave the wizard to x the issues and return later.
- If the settings are correct and no errors are reported, click Finish.
When the wizard nishes, the Library Managed Encryption (KMIP) encryption mode is selectable in the
Logical Library Wizard (Expert Mode) on the Library > Logical Libraries page.
Security Key Lifecycle Manager (SKLM) for z/OS Encryption
1. Go to the Library menu. Then, go to Logical Libraries. Select Actions, then select Manage SKLM for
z/OS Encryption.
2. Enter the IP address and the port of the SKLM z/OS server, then click Modify.
3. Go back to Actions and select Manage Logical Library (Expert Mode).
4. On the Expert Logical Library Wizard screen, click General Settings.
5. Next to Encryption Mode, choose Library Managed Encryption (SKLM for z/OS) (Licensed).
6. Click Next, and then click Finish Conguration.
7. A message appears when the Logical Library was successfully enabled for SKLM for z/OS.
8. Go to Settings > Security > Encryption. The Security Encryption Status and the Logical Library
Encryption Status shows Library Managed Encryption (SKLM for z/OS) as Enabled.
Key Path Diagnostics
The Key Path Diagnostic test checks all communication paths to ensure that a key can be transmitted
from the encryption key servers to the drive to properly encrypt and decrypt the tape cartridges.
The test consists of two parts. The rst part, the drive test, veries whether the communication between
library and drive is working properly. This test is run only on the drives that are congured to library-
managed encryption (LME).
The second part veries the communication between the library and the encryption key servers. If the
secondary ethernet port is enabled and congured, the tests are run on both ports separately.
The test consists of four subtests:
• Ping
This test checks if the key server can be reached. If ICMP requests are blocked on the server side, this
test fails as well. Therefore, the following tests are run regardless the result of the ping test.
• SSL/TLS
Chapter 4. Managing
75
To Next Page
Loading...
Need help?
General
