Configuring the key management server

Encryption License Key User Guide

Version
9.8.7
Part Number
MK-98RD9017-17
If you are planning to use a key management server, the following configuration tasks must be performed on the key management server before you perform the initial configuration of the encryption environmental settings:
  • The key management server must be configured to allow the storage system's KMIP client to authenticate, store, fetch, and generate keys on the key management server.
  • The storage system negotiates a secure TLS 1.2 channel to the key management server using the exchange of mutually authenticated certificates. The storage system requires that a certificate be generated for this purpose; a self-signed certificate cannot be used. The key management server KMIP TLS service must trust the certificate authority that signs the certificate generated for the storage system. A copy of the root certificate from the signing certificate authority is also required. For assistance in obtaining the unique certificates and proper connection parameters required for this operation, contact your Key Management Server administrator.

    For details about how to obtain the root certificate of the key management server, see the documentation for the key management server.

  • If you want to connect to the key management server using the host name instead of the IP address, the IP address of the DNS server must be configured on the SVP of the storage system.
  • If you plan to protect the key encryption key at the key management server, the key management server must be configured using two clustered servers, and you must enable the secondary key management server when you configure the encryption environmental settings.
  • You must establish and verify the network connections from the storage system to each key management server.
  • If you plan to enable regular encryption key backups on the key management server, you must designate a user for the regular backups (called the regular backup user) and assign the Security Administrator (View & Modify) role to this user.

Depending on the type of key management server (vendor, software version), you might need to perform additional configuration tasks. For further information about preparing the necessary services to accept connections from the storage system, refer to the documentation for your key management server.
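The connection requirements above (host name resolution, reachability of each key management server, and a TLS 1.2 channel with mutually authenticated certificates) can be pre-checked with the following added example, which is not part of the vendor guide. It assumes the check is run from an administration workstation on the same network rather than from the storage system itself. Port 5696 (the IANA-registered KMIP port), the host names, and the file names are assumptions to replace with your own values.

```python
import ipaddress
import socket
import ssl

KMIP_PORT = 5696  # assumption: IANA-registered KMIP port; your server may differ


def build_context(root_ca=None, client_cert=None, client_key=None):
    """TLS 1.2-only client context that verifies the KMS against root_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if root_ca:  # root certificate of the CA that signed the KMS certificate
        ctx.load_verify_locations(cafile=root_ca)
    if client_cert:  # CA-signed certificate presented for mutual authentication
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def check_kms(host, port=KMIP_PORT, timeout=5.0, **tls_files):
    """Report how far a connection to one key management server got."""
    result = {"host": host, "stage": "dns", "ok": False, "detail": ""}
    try:
        ipaddress.ip_address(host)
        result["by_name"] = False  # literal IP address, no DNS needed
    except ValueError:
        result["by_name"] = True   # host name, so a DNS server must be configured
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["stage"] = "tcp"
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["stage"] = "tls"
            ctx = build_context(**tls_files)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, stage="done", detail=tls.version())
    except OSError as exc:  # DNS, socket, file and TLS errors all derive from OSError
        result["detail"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Constructed placeholders: primary and secondary KMS, PEM file names.
    for kms in ("kms1.example.com", "kms2.example.com"):
        print(check_kms(kms, root_ca="kms-root-ca.pem",
                        client_cert="storage-client.pem",
                        client_key="storage-client.key"))
```

The `stage` field names the step that failed: `dns` points at name resolution, `tcp` at routing or firewalls, and `tls` at certificate trust or protocol version.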