Configuring the Security Key Management (SKM)

Use the information in this topic to create and manage security keys.

This feature uses a centralized Key Management server to provide the keys that unlock storage hardware, so that data stored on self-encrypting drives (SEDs) in a ThinkSystem server can be accessed. The supported Key Management servers are SKLM (the IBM SED Key Management server) and KMIP servers (the Thales/Gemalto SED Key Management servers KeySecure and CipherTrust).

The XClarity Controller retrieves keys from the Key Management server over the network, so the Key Management server must be reachable from the XClarity Controller. The XClarity Controller provides the communication channel between the Key Management server and the requesting ThinkSystem server. The XClarity Controller firmware attempts to connect to each configured Key Management server in turn, stopping as soon as a connection succeeds.

The XClarity Controller establishes communication with the Key Management server if the following conditions are met:
  • One or more Key Management server host name/IP addresses are configured in the XClarity Controller.
  • Two certificates (client and server) for communication with the Key Management server are installed in the XClarity Controller.
Note
Configure at least two Key Management servers (a primary and a secondary) that use the same protocol for your device. If the primary Key Management server does not respond to the connection attempt from the XClarity Controller, connection attempts are made to the additional Key Management servers until a connection is established.

A Transport Layer Security (TLS) connection must be established between the XClarity Controller and the Key Management server. The XClarity Controller authenticates the Key Management server by comparing the server certificate presented by the Key Management server with the Key Management server certificate previously imported into the XClarity Controller's trust store. The Key Management server in turn authenticates each XClarity Controller that communicates with it and verifies that the XClarity Controller is permitted to access the Key Management server. This authentication is accomplished by comparing the client certificate that the XClarity Controller presents with the list of trusted certificates stored on the Key Management server.

At least one Key Management server must be connected; the device group is optional. The Key Management server certificate must be imported, and the client certificate must be specified. By default, the XClarity Controller's HTTPS certificate is used as the client certificate; if you want to replace it, you can generate a new one.

Note
To connect to a KMIP server (KeySecure or CipherTrust), you must generate a certificate signing request (CSR) whose common name matches the user name defined on the KMIP server, and then import a certificate for that CSR that has been signed by a Certificate Authority (CA) trusted by the KMIP server.
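The two checks an administrator would want to run before importing anything into the XClarity Controller, as an added example that is not part of Lenovo's documentation or tooling: first, that the CSR's common name really equals the KMIP user name (a mismatch is the usual reason a KMIP server rejects the client certificate); second, that the certificate a Key Management server presents actually chains to the certificate that will be imported into the XClarity Controller trust store. The script assumes only the openssl command-line tool; the user name kmipuser, the throwaway CAs and all file names are constructed for the demo and stand in for your real KMIP user and the CA trusted by your KMIP server.

```shell
#!/bin/sh
# Added example (not Lenovo's own code): pre-import checks for SKM certificates.
# Assumes the openssl CLI. All names and files below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/skm-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the CA that the KMIP server trusts.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo KMIP CA" >/dev/null 2>&1
}

# Generate the client key and CSR as the note requires: CN equals the KMIP user name ($1).
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# Print the CN found in a CSR's subject (RFC 2253 form: "subject=CN=...").
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only when the CSR ($1) carries exactly the expected KMIP user name ($2).
csr_cn_matches() {
  [ "$(csr_cn "$1")" = "$2" ]
}

# Sign a CSR ($1) with the demo CA, writing the certificate to $2.
sign_with_demo_ca() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$2" -days 1 >/dev/null 2>&1
}

# Constructed rogue server certificate issued by an unrelated CA, to show a failed trust check.
make_untrusted_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -subj "/CN=rogue-kms.example" >/dev/null 2>&1
}

# Exit 0 only when certificate $2 chains to trust anchor $1 (what the XCC checks against its trust store).
server_cert_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone walk-through of both checks.
run_demo() {
  make_demo_ca
  make_client_csr "kmipuser"
  if csr_cn_matches "$WORK/client.csr" "kmipuser"; then
    echo "CSR CN matches KMIP user name: $(csr_cn "$WORK/client.csr")"
  else
    echo "CSR CN does not match the KMIP user name; do not submit it" >&2
    return 1
  fi
  sign_with_demo_ca "$WORK/client.csr" "$WORK/client.crt"
  server_cert_trusted "$WORK/ca.crt" "$WORK/client.crt" && echo "certificate chains to the imported CA"
  make_untrusted_server_cert
  if server_cert_trusted "$WORK/ca.crt" "$WORK/rogue.crt"; then
    echo "unexpected: rogue certificate verified" >&2
    return 1
  fi
  echo "rogue certificate correctly rejected"
}

run_demo
```

For a real deployment, replace the demo CA with the CA certificate (or the server's own certificate) you intend to import into the XClarity Controller, and run `csr_cn_matches` against the CSR you generated on the XClarity Controller before sending it to the CA; the CN is fixed in the CSR, so a mismatch discovered after signing means generating a new CSR.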