Configuring the Security Key Management (SKM)
Use the information in this topic to create and manage security keys.
This feature uses a centralized Key Management server to provide the keys that unlock storage hardware, giving access to data stored on self-encrypting drives (SEDs) in a ThinkSystem server. The supported Key Management servers are IBM Security Key Lifecycle Manager (SKLM) and the KMIP-based Thales/Gemalto SED Key Management servers (KeySecure and CipherTrust).
The XClarity Controller retrieves keys from the Key Management server over the network, so the Key Management server must be reachable from the XClarity Controller. The XClarity Controller provides the communication channel between the Key Management server and the requesting ThinkSystem server. The XClarity Controller firmware attempts to connect to each configured Key Management server in turn, stopping at the first successful connection. For this to work, the following must be in place:
- The host name or IP address of one or more Key Management servers is configured in the XClarity Controller.
- Two certificates (client and server) for communication with the Key Management server are installed in the XClarity Controller.
A Transport Layer Security (TLS) connection must be established between the XClarity Controller and the Key Management server, and the two sides authenticate each other. The XClarity Controller authenticates the Key Management server by comparing the certificate the server presents during the handshake with the Key Management server certificate previously imported into the XClarity Controller's trust store. The Key Management server in turn authenticates each XClarity Controller that connects to it and verifies that the XClarity Controller is permitted to access the server; it does this by comparing the client certificate the XClarity Controller presents with the list of trusted certificates stored on the Key Management server.
At least one Key Management server must be configured; the device group is optional. The Key Management server certificate must be imported into the XClarity Controller, and a client certificate must be specified. By default, the XClarity Controller's HTTPS certificate is used as the client certificate; if you want to replace it, you can generate a new one.
To connect to a KMIP server (KeySecure or CipherTrust), you must generate a certificate signing request (CSR) whose Common Name (CN) matches the user name defined on the KMIP server, have the CSR signed by a Certificate Authority (CA) that the KMIP server trusts, and then import the signed certificate into the XClarity Controller.
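Before submitting the CSR that the XClarity Controller generates to your CA, and before importing the signed client certificate and the Key Management server certificate, it is worth checking them with openssl. The script below is an added example and is not part of the Lenovo documentation or of the XClarity Controller itself: it verifies that a CSR's Common Name equals the KMIP user name, that the signed client certificate chains to the CA the KMIP server trusts (a certificate from any other CA is rejected), and that a certificate destined for the trust store is still within its validity period. The CA names, the user name `xcc-node01` and all keys are constructed for the demonstration; in practice you would run the check functions against the CSR exported from the XClarity Controller and the files returned by your CA.

```shell
# Added example (not from the Lenovo documentation): pre-flight checks with openssl
# on the certificates exchanged between the XClarity Controller and a KMIP server.
# All names ("Demo KMIP CA", "Other CA", xcc-node01) and keys are constructed here.

# Print the Common Name of a CSR. Tolerates both the "CN = x" (OpenSSL 1.1/3.x)
# and "/CN=x" (OpenSSL 1.0) subject formats.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# Succeeds only if the CSR's CN equals the user name defined on the KMIP server.
# Usage: check_csr_cn <csr-file> <kmip-user-name>
check_csr_cn() {
    [ "$(csr_cn "$1")" = "$2" ]
}

# Succeeds only if the signed client certificate chains to the given CA,
# i.e. the CA the KMIP server trusts. Usage: check_signed_by_ca <cert> <ca-pem>
check_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if the certificate (for example the KMIP server certificate you are
# about to import into the XCC trust store) has not expired. Usage: check_not_expired <cert>
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Demonstration: build a throwaway CA, one CSR with the right CN and one with a wrong
# CN, sign the good CSR with the trusted CA and again with an unrelated CA, then run
# the checks. Prints "ok" when every check behaves as expected, "fail" otherwise.
demo() {
    dir=$(mktemp -d)
    user="xcc-node01"   # constructed: the user name configured on the KMIP server

    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -days 2 -subj "/CN=Demo KMIP CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/good.key" -out "$dir/good.csr" \
        -subj "/CN=$user" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/bad.key" -out "$dir/bad.csr" \
        -subj "/CN=someone-else" >/dev/null 2>&1
    openssl x509 -req -in "$dir/good.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/good.pem" -days 1 >/dev/null 2>&1
    # An unrelated CA: a certificate it issues must not pass the chain check.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.pem" \
        -days 2 -subj "/CN=Other CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/good.csr" -CA "$dir/other.pem" -CAkey "$dir/other.key" \
        -CAcreateserial -out "$dir/wrongca.pem" -days 1 >/dev/null 2>&1

    result=ok
    check_csr_cn "$dir/good.csr" "$user"                || result=fail
    check_csr_cn "$dir/bad.csr" "$user"                 && result=fail
    check_signed_by_ca "$dir/good.pem" "$dir/ca.pem"    || result=fail
    check_signed_by_ca "$dir/wrongca.pem" "$dir/ca.pem" && result=fail
    check_not_expired "$dir/ca.pem"                     || result=fail

    rm -rf "$dir"
    echo "$result"
}
```

Run `demo` to exercise the checks end to end, or call `check_csr_cn`, `check_signed_by_ca` and `check_not_expired` directly on the real files. A CN mismatch is the most common reason a KMIP server rejects an otherwise valid client certificate, and catching it before the CA signs the request saves a second signing round.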
To enable drive security on self-encrypting drives (SEDs) that are connected to a storage adapter, boot the server to the UEFI Setup menu and configure the adapter there. For more information, see ThinkSystem Storage Adapter options and navigate to the software guide for your adapter.
To enable drive security on SEDs that are directly attached to the system board, use a command-line tool or a Redfish client to enable the settings. For more information, see PATCH – Add KMIP servers and POST – Local SED key management.