Key management server requirements

Encryption License Key User Guide

Version
9.8.7
Part Number
MK-98RD9017-17

The following table lists the key management server (KMS) support specifications and requirements for the Encryption License Key feature.

Key Management Interoperability Protocol (KMIP):
  • KMIP version: 1.0, 1.1, 1.2, 1.3, or 1.4
  • VSP E series: The storage system must have an SVP (physical or virtual) to support KMIP.
Software:
  • Encryption License Key supports several key management servers (for example, SafeNet KeySecure). For the latest information about KMS software support, go to the Product Compatibility Guide website and then select Encryption Key Management Server.
TLS security settings:
  • For VSP 5000 series, the TLS security settings for Device Manager - Storage Navigator (displayed and set on the TLS Security Settings window of the Tool Panel) must be enabled. For details, see the System Administrator Guide.
Certificates:
  • Caution about certificate expiration: The certificates have expiration dates. If a certificate expires, you will not be able to connect to the KMS. Make sure to update the certificate before the expiration date.
  • (VSP 5000 series) Caution about revocation verification:
    • When performing revocation verification by using CRL, set the CRL repository URI in the cRLDistributionPoint (CRL distribution point) extension of the certificate. For VSP 5000 series, set the CRL repository URI in the CRL distribution point of both the intermediate certificate and the server certificate set on the connected server. The CRL repository must be on a network that the SVP can reach. If the SVP and the CRL repository cannot communicate, communication with the KMS will fail.
    • When performing revocation verification by using OCSP, set the correct OCSP responder URI in the authorityInfoAccess (authority information access) extension of the certificate. For VSP 5000 series, set the correct OCSP responder URI in the authorityInfoAccess extension of both the intermediate certificate and the server certificate set on the connected server. The OCSP responder must be on a network that the SVP can reach. If the SVP and the OCSP responder cannot communicate, communication with the KMS will fail.
Certificate requirements for VSP 5000 series
Requirements for the server certificate for the KMIP server:
  • If the public key of the server certificate is RSA, the key length must be 2,048 bits or more.
  • If the public key of the certificate is ECDSA, the key length parameter must be one of the following: ECDSA_P256 (secp256r1), ECDSA_P384 (secp384r1), or ECDSA_P521 (secp521r1).
  • The signature hash algorithm of the server certificate must be SHA-256, SHA-384, or SHA-512.
  • When setting a host name to connect to the KMS, enter the host name of the server in subjectAltName or CommonName of the server certificate.
  • When setting an IP address to connect to the KMS, enter the IP address of the server in subjectAltName or CommonName of the server certificate.
  • Check the number of tiers of the certificate chain. The maximum number of tiers is 20. Make sure to use a certificate in a certificate chain that has 20 or fewer tiers.
Requirements for the root certificate for the KMS:
  • Format: X.509 DER, or X.509 PEM
  • The extended profile fields in the X.509 certificate must support the following items as specified in RFC5280:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
  • If the public key of the root certificate to be uploaded is RSA, the key length must not be less than the Minimum Key Length (Key Exchange) setting displayed on the TLS Security Settings window of the Tool Panel.
  • If the public key of the certificate is ECDSA, the key length parameter must be one of the following: ECDSA_P256 (secp256r1), ECDSA_P384 (secp384r1), or ECDSA_P521 (secp521r1).
  • The signature hash algorithm of the root certificate must be SHA-256, SHA-384, or SHA-512.
Requirements for the client certificate:
  • Format: PKCS#12

    If you do not know the password of the client certificate in the PKCS#12 format, contact the KMS administrator.

  • The client certificate must be signed by the CA (Certificate Authority) for the KMS.
  • If the public key of the client certificate to be uploaded is RSA, the key length must not be less than the Minimum Key Length (Key Exchange) setting displayed on the TLS Security Settings window of the Tool Panel.
  • If the public key of the certificate is ECDSA, the key length parameter must be one of the following: ECDSA_P256 (secp256r1), ECDSA_P384 (secp384r1), or ECDSA_P521 (secp521r1).
  • The signature hash algorithm of the client certificate must be SHA-256, SHA-384, or SHA-512.
  • If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
  • The certificate chain for the certificate to be uploaded must have 20 tiers or fewer including the root CA certificate.
Certificate requirements for VSP E series
  • The public key of the server certificate for the KMIP server must be RSA.
  • Check the number of tiers of the certificate chain. The maximum number of tiers is 5. Make sure to use a certificate in a certificate chain that has 5 or fewer tiers.
  • The root certificate must be in X.509 DER or X.509 PEM format and must be placed on the KMS. For details, see the documentation for the server.
  • The extended profile fields in the X.509 certificate must support the following items as specified in RFC5280:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    The following extensions are also supported for VSP E series with DKCMAIN firmware 93-06-22-xx/xx or later. Do not use any extension other than those listed.
    • Authority Key Identifier
    • Certificate Policies
    • Subject Alternative Name
    • Name Constraints
    • Policy Constraints
    • Extended Key Usage
    • Inhibit anyPolicy
  • The client certificate must be current, not expired, and in PKCS#12 format.
    • If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
    • The certificate chain for the certificate to be uploaded must have 5 tiers or fewer including the root CA certificate.
    • The public key of the certificate to be uploaded must be RSA.
  • The client certificate must be converted to the PKCS#12 format. Before conversion to PKCS#12, the client certificate must be signed by the CA (Certificate Authority) for the KMS.
  • If you do not know the password of the client certificate in the PKCS#12 format, contact the KMS administrator.