Configuring Library Managed Encryption - IBM TS4300 User Manual

Table 40. Magazine state (continued)
Magazine state
Closed
Closed
Closed
Opened

Configuring Library Managed Encryption

Library-Managed Encryption (LME) is a built-in feature that is enabled by using a purchased license.
The LME feature can be ordered from the factory, or you can order it as a field upgrade. To order a feature,
contact your IBM Sales Representative or Business Partner. See Optional Features.
Two versions of Library-Managed Encryption are available for configuration.
• Key Management Interoperability Protocol (KMIP) Encryption (v1.2)
• Security Key Lifecycle Manager (SKLM) for z/OS
Access the wizard from the Actions menu with the Manage Encryption option.
Notes: Before you run the Encryption wizard.
• Confirm that the Library-Managed Encryption license is activated on the Settings > Library > Licensed
Features page.
• Verify that the server is available on the network and is configured for use with this library. For
information on configuring servers for use with the library, see the server documentation.
Note: If you plan to use the IBM Security Key Lifecycle Manager (SKLM), go to "Related Publications" on
page xxxi for information on setup and configuration.
• If Library Encryption settings are cleared and reconfigured, you're required to accept the new certificate
on the server when the Library Self-Signed Certificate is used.
Key Management Interoperability Protocol (KMIP) Encryption
1. In the Actions menu, click Manage KMIP Encryption to start the wizard.
2. The Logical Library Selection screen displays the KMIP configuration options that can be set as the
default for all logical libraries, or on a per logical library basis. The second section provides the option
to copy the KMIP configuration settings to all logical libraries (default) or to specified logical libraries.
3. The Wizard Information screen displays information about the wizard. On this screen, it's also
possible to Reset Encryption Settings. If the library configuration is complete and the KMIP server is
available on the network, click Next.
4. The Certificate Option screen displays the different certificate options that can be used to establish a
secure communication to the KMIP server. You can select from the following options:
• Library Self-Signed Certificate (default option) - A self-signed certificate that is generated by the
library is used.
• Uploaded Certificate - Upload a PCKS #12 file that includes a certificate and corresponding key.
• Generate Certificate Request (CSR) - A CSR is generated by the library that must be signed by a CA
server. This method requires a CA certificate that must be provided during the wizard steps.
a. Certification Configuration
– Library Self-Signed Certificate – skip to the next step.
– Uploaded Certificate
i) Upload the PKCS #12 file in the certificate area on the Certificate Option screen.
88 IBM TS4300 Tape Library Machine Type 3555: User's Guide
LED state
Slow Flash
Fast Flash
OFF
OFF
®
Encryption
IBM Confidential
Description
Magazine open is in process.
Magazine is opened.
I/O station is not enabled.
Magazine is opened.