Ds8000 Encryption Considerations - IBM DS8800 Introduction And Planning Manual

System storage

7. For each alias, issue the tklmKeyExport command with the -type parameter set to privatekey. This command creates a file for each key alias. The following is an example of the command and output:

   wsadmin>print AdminTask.tklmKeyExport ('[ -alias certa -fileName mysecretkeys1
   -keyStoreName "Tivoli Key Lifecycle Manager Keystore" -type privatekey
   -keyAlias certa]')

8. Transfer the files created in step 7 to the server where the second Tivoli Key Lifecycle Manager instance is running.
9. For the second Tivoli Key Lifecycle Manager instance, ensure that the ds8k.acceptUnknownDrives parameter is set to true in the Tivoli Key Lifecycle Manager configuration file to allow requests from unknown DS8000 storage images.
10. For the second Tivoli Key Lifecycle Manager instance, issue the tklmKeyImport command for each of these files. The password that you must specify is the password that was used for the keystore of the Tivoli Key Lifecycle Manager server for which the files were created.
11. Optionally, add the DS8000 devices listed in step 1 on page 85 to the second Tivoli Key Lifecycle Manager instance using the tklmDeviceAdd command.

DS8000 encryption considerations

This section discusses the considerations for DS8000 encryption.
The following information might be helpful in using data encryption on DS8000:
• DS8000 ships from the factory with encryption disabled on each SFI. You must follow the procedures described to have IBM activate encryption on each DS8000 SFI.
• An encryption-capable DS8000 can be configured to either enable or disable encryption. Ensure that the needed configuration is achieved before storing data on any configured storage.
• The DS8000 Storage Manager and command-line interface must be upgraded to the appropriate level to enable encryption on an encryption-capable DS8000. If you use an earlier version of DS8000 Storage Manager and command-line interface, the DS8000 is configured with encryption disabled.
• CIM support for DS8000 encrypting storage at this time does not support the configuration of Tivoli Key Lifecycle Manager IP ports, encryption groups, encrypting ranks, or encrypting extent pools. A system that is configured with encrypting extent pools can use the CIM agent to configure encrypting logical volumes and host attachments for encrypting logical volumes.
• Tivoli Key Lifecycle Manager has a policy input for setting the length of time that a key label remains valid. For example, the validity period for a new certificate. This input controls the time that a key label supports requests for a new data key. It does not prevent any existing data keys created for that key label from being unwrapped. This input is set for each key label as it is created. Because disks typically obtain a new key after an encryption group is configured, the expiration of the certificate is not significant to the ongoing operation of currently installed and configured encryption groups. It affects whether a new encryption group can be configured with that key label. The default validity period is 20 years.
• When using the RACF® on z/OS 1.9, the RACF keystore does not support 2048-bit data keys. Tivoli Key Lifecycle Manager generates 1024-bit wrapping keys when running on this operating system. Tivoli Key Lifecycle Manager key servers that run on other operating systems can import 1024-bit wrapping keys

86 Introduction and Planning Guide
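The files moved in step 8 of the procedure above hold exported private keys, so it is worth confirming on the second server that each file arrived intact and is readable only by its owner before running tklmKeyImport in step 10. The following Python sketch is an added example, not part of the IBM manual or of Tivoli Key Lifecycle Manager; the function names, the file name mysecretkeys2 and the file contents are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def build_manifest(paths):
    """Source side: map file name -> SHA-256 of each exported key file."""
    manifest = {}
    for p in paths:
        with open(p, "rb") as f:
            manifest[os.path.basename(p)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def check_before_import(directory, manifest):
    """Destination side: list of problems; an empty list means proceed."""
    problems = []
    for name, expected in sorted(manifest.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != expected:
                problems.append(f"{name}: digest mismatch")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other access
            problems.append(f"{name}: readable beyond owner (mode {mode:o})")
    extra = set(os.listdir(directory)) - set(manifest)
    problems += [f"{n}: not in manifest" for n in sorted(extra)]
    return problems

def demo():
    """Constructed sample: two placeholder export files, then two faults."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name in ("mysecretkeys1", "mysecretkeys2"):
        for d in (src, dst):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"constructed-placeholder-" + name.encode())
            os.chmod(p, 0o600)
    manifest = build_manifest(os.path.join(src, n) for n in os.listdir(src))
    clean = check_before_import(dst, manifest)
    with open(os.path.join(dst, "mysecretkeys2"), "ab") as f:
        f.write(b"x")                               # simulate corruption in transit
    os.chmod(os.path.join(dst, "mysecretkeys1"), 0o644)  # permissions too open
    return clean, check_before_import(dst, manifest)

if __name__ == "__main__":
    print(demo())
```

A digest manifest detects corruption or substitution only if it reaches the second server by a path separate from the key files themselves.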


This manual is also suitable for:

Ds8700
