Configuring the Security Key Management (SKM)
Use the information in this topic to create and manage security keys.
This feature uses a centralized Key Management server to provide the keys that unlock storage hardware, giving access to the data stored on self-encrypting drives (SEDs) in a ThinkSystem server. The supported Key Management servers are SKLM (the IBM SED Key Management server) and KMIP (the Thales/Gemalto SED Key Management servers, KeySecure and CipherTrust).
The XClarity Controller retrieves keys from the Key Management server over the network, so the Key Management server must be reachable from the XClarity Controller. The XClarity Controller provides the communication channel between the Key Management server and the requesting ThinkSystem server. The XClarity Controller firmware tries each configured Key Management server and stops at the first successful connection. For this to work:
- One or more Key Management server host names or IP addresses are configured in the XClarity Controller.
- Two certificates (client and server) for communication with the Key Management server are installed in the XClarity Controller.
A Transport Layer Security (TLS) connection must be established between the XClarity Controller and the Key Management server. The XClarity Controller authenticates the Key Management server by comparing the server certificate that the Key Management server presents with the Key Management server certificate previously imported into the XClarity Controller's trust store. The Key Management server in turn authenticates each XClarity Controller that communicates with it and verifies that the XClarity Controller is permitted to access the Key Management server; it does this by comparing the client certificate that the XClarity Controller presents with a list of trusted certificates stored on the Key Management server.
At least one Key Management server must be configured; the device group is optional. The Key Management server certificate must be imported into the XClarity Controller, and the client certificate must be specified. By default, the XClarity Controller's HTTPS certificate is used as the client certificate; if you wish to replace it, you can generate a new one.
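The two checks described above (the XClarity Controller validating the server certificate against its trust store, and the Key Management server validating the client certificate against its list of trusted certificates) can be reproduced with the openssl CLI. The script below is an added example, not Lenovo's or the KMS vendors' code; the names "Lab KMS CA", "kms.lab.example", "xcc-01" and "xcc-99" are assumptions, and every key and certificate it uses is generated on the spot as throwaway material. The XCC client certificates are modelled as self-signed, matching the default of using the controller's own HTTPS certificate.

```shell
#!/bin/sh
# Added example (not Lenovo's or the KMS vendors' code): reproduce the two
# certificate checks of the XCC <-> Key Management server TLS handshake with
# the openssl CLI.  All names are assumptions and all key material is generated
# here as throwaway test data.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate: $1 = file stem, $2 = subject CN.
# Used for the CA of the Key Management server and for the XCC's own
# client certificate, which the controller generates and signs itself.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# CA-issued certificate: $1 = CA stem, $2 = leaf stem, $3 = subject CN.
ca_issued() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$2.pem" -days 1 >/dev/null 2>&1
}

# The check each side performs: does the certificate the peer presented ($2)
# chain to an entry in the local trust store ($1)?  Exit status 0 = trusted.
peer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Both directions must pass before the KMS releases any key:
# $1 = XCC trust store, $2 = KMS server cert,
# $3 = KMS trusted-client list, $4 = XCC client cert.
mutual_auth() {
    peer_trusted "$1" "$2" && peer_trusted "$3" "$4"
}

# --- Key Management server side (constructed test data) ---
self_signed kms_ca "Lab KMS CA"                    # CA that issued the KMS server certificate
ca_issued kms_ca kms_server "kms.lab.example"      # the KMS server's TLS certificate
self_signed rogue_ca "Unrelated CA"                # a CA the XCC never imported
ca_issued rogue_ca rogue_server "kms.lab.example"  # same host name, wrong issuer

# --- XClarity Controller side (constructed test data) ---
self_signed xcc_01 "xcc-01"   # client cert of a controller registered on the KMS
self_signed xcc_99 "xcc-99"   # client cert of a controller that was never registered

# Trust stores as the text describes them: the XCC holds the imported KMS
# certificate (here its CA); the KMS holds a list of trusted client certificates.
XCC_TRUST_STORE="$WORK/kms_ca.pem"
KMS_TRUSTED_CLIENTS="$WORK/kms_trusted_clients.pem"
cat "$WORK/xcc_01.pem" > "$KMS_TRUSTED_CLIENTS"

# Human-readable summary: $1 = label, remaining arguments = command to run.
report() {
    label="$1"; shift
    if "$@"; then echo "ALLOWED  $label"; else echo "REJECTED $label"; fi
}
report "genuine KMS, registered XCC"   mutual_auth "$XCC_TRUST_STORE" "$WORK/kms_server.pem"   "$KMS_TRUSTED_CLIENTS" "$WORK/xcc_01.pem"
report "genuine KMS, unregistered XCC" mutual_auth "$XCC_TRUST_STORE" "$WORK/kms_server.pem"   "$KMS_TRUSTED_CLIENTS" "$WORK/xcc_99.pem"
report "impostor KMS, registered XCC"  mutual_auth "$XCC_TRUST_STORE" "$WORK/rogue_server.pem" "$KMS_TRUSTED_CLIENTS" "$WORK/xcc_01.pem"
```

Only the first case is allowed: a server certificate from a CA the controller never imported is rejected even though its host name matches, and a controller whose client certificate was never added to the Key Management server's trusted list is rejected even against the genuine server. When troubleshooting a failed SKM connection, running `openssl verify` with the imported certificate and the peer's presented certificate in this way tells you which of the two directions is failing.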