– If your KMIP server uses a client username and password for authentication, enter the
username and password that were specified on the KMIP Management Console for the library.
– If your KMIP server uses certificate validation for authentication, select Enable KMIP
Certificate only authentication. Select this option if you use a KMIP server that doesn’t
support a client username and password. This default method is used when KMIP is used with
the IBM Security Key Lifecycle Manager.
1) In the KMIP Server Configuration screen, enter the IP address or fully qualified hostname
and port number for up to ten KMIP servers. Also, choose which key server type services
the encryption keys. You can select from the following options:
- IBM SKLM - IBM Security Lifecycle Manager 2.6.0 or higher KMIP server.
- KMIP Compatible - Key server that is supporting the OASIS standard key management
interoperability protocol (KMIP).
2) To verify access to the KMIP servers, click Connectivity Check.
3) Check at the KMIP server side that the server accepts the certificate of the library.
4) The Setup Summary screen displays the settings that are collected by the wizard. Verify
that the settings are correct and that no errors are in the Done column.
- If you need to modify any settings or fix any issues, either click Back to reach the
applicable screen or Cancel to leave the wizard to fix the issues and return later.
- If the settings are correct and no errors are reported, click Finish.
When the wizard finishes, the Library Managed Encryption (KMIP) encryption mode is selectable in the
Logical Library Wizard (Expert Mode) on the Library > Logical Libraries page.
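The Connectivity Check of step 2 can be reproduced from an administration host with the following added example (not IBM's code and not the library's own test). It separates TCP reachability from the TLS handshake, so a failure can be attributed to the network or to certificate trust. The function names, the sample host names and the default port 5696 (the IANA-registered KMIP port) are assumptions, and the optional client certificate paths are placeholders.

```python
import socket
import ssl

KMIP_DEFAULT_PORT = 5696  # assumption: IANA-registered KMIP port; use your server's port


def probe_kmip_server(host, port=KMIP_DEFAULT_PORT, ca_file=None,
                      client_cert=None, client_key=None, timeout=5.0):
    """Probe one key server in stages and report which stage failed."""
    result = {"server": f"{host}:{port}", "tcp": False, "tls": False,
              "tls_version": None, "cert_not_after": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:          # refused, unreachable, DNS failure, timeout
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True
    # Server chain and host name are verified against ca_file
    # (or the system trust store when ca_file is None).
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        # Certificate-only authentication: present a client certificate.
        ctx.load_cert_chain(client_cert, client_key)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = True
            result["tls_version"] = tls.version()
            result["cert_not_after"] = tls.getpeercert().get("notAfter")
    except (ssl.SSLError, OSError) as exc:   # untrusted chain, rejected client cert, timeout
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


def check_key_path(servers, **kwargs):
    """Probe every configured server; a failure on one does not stop the others."""
    return [probe_kmip_server(host, port, **kwargs) for host, port in servers]


if __name__ == "__main__":
    # Constructed sample host names; replace with the servers entered in the wizard.
    configured = [("kmip1.example.internal", 5696), ("kmip2.example.internal", 5696)]
    for row in check_key_path(configured, timeout=3.0):
        print(row)
```

A result with `tcp` true and `tls` false points at certificate trust or protocol settings rather than routing or firewalling.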
Security Key Lifecycle Manager (SKLM) for z/OS Encryption
1. Go to the Library menu. Then, go to Logical Libraries. Select Actions, then select Manage SKLM for
z/OS Encryption.
2. Enter the IP address and the port of the SKLM z/OS server, then click Modify.
3. Go back to Actions and select Manage Logical Library (Expert Mode).
4. On the Expert Logical Library Wizard screen, click General Settings.
5. Next to Encryption Mode, choose Library Managed Encryption (SKLM for z/OS) (Licensed).
6. Click Next, and then click Finish Configuration.
7. A message appears when the Logical Library was successfully enabled for SKLM for z/OS.
8. Go to Settings > Security > Encryption. The Security Encryption Status and the Logical Library
Encryption Status show Library Managed Encryption (SKLM for z/OS) as Enabled.
Key Path Diagnostics
The Key Path Diagnostic test checks all communication paths to ensure that a key can be transmitted
from the encryption key servers to the drive to properly encrypt and decrypt the tape cartridges.
The test consists of two parts. The first part, the drive test, verifies whether the communication between
library and drive is working properly. This test is run only on the drives that are configured to
library-managed encryption (LME).
The second part verifies the communication between the library and the encryption key servers. If the
secondary ethernet port is enabled and configured, the tests are run on both ports separately.
The test consists of four subtests:
• Ping
This test checks if the key server can be reached. If ICMP requests are blocked on the server side, this
test fails as well. Therefore, the following tests are run regardless of the result of the ping test.
• SSL/TLS