Two versions of Library-Managed Encryption are available for configuration.
• Key Management Interoperability Protocol (KMIP) Encryption
• Security Key Lifecycle Manager (SKLM) for z/OS® Encryption
Access the wizard from the Actions menu with the Manage Encryption option.
Notes: Before you run the Encryption wizard:
• Confirm that the Library-Managed Encryption license is activated on the Settings > Library > Licensed
Features page.
• Verify that the server is available on the network and is configured for use with this library. For
information on configuring servers for use with the library, see the server documentation.
Note: If you plan to use the IBM Security Key Lifecycle Manager (SKLM), go to “Related Publications” on
page xxx for information on setup and configuration.
• If Library Encryption settings are cleared and reconfigured, you're required to accept the new certificate
on the server when the Library Self-Signed Certificate is used.
Key Management Interoperability Protocol (KMIP) Encryption
1. In the Actions menu, click Manage KMIP Encryption to start the wizard.
2. The Logical Library Selection screen displays the KMIP configuration options that can be set as the
default for all logical libraries, or on a per logical library basis. The second section provides the option
to copy the KMIP configuration settings to all logical libraries (default) or to specified logical libraries.
3. The Wizard Information screen displays information about the wizard. On this screen, it’s also
possible to Reset Encryption Settings. If the library configuration is complete and the KMIP server is
available on the network, click Next.
4. The Certificate Option screen displays the different certificate options that can be used to establish
secure communication with the KMIP server. You can select from the following options:
• Library Self-Signed Certificate (default option) - A self-signed certificate that is generated by the
library is used.
• Uploaded Certificate - Upload a PKCS #12 file that includes a certificate and corresponding key.
• Generate Certificate Request (CSR) - A CSR is generated by the library that must be signed by a CA
server. This method requires a CA certificate that must be provided during the wizard steps.
a. Certification Configuration
– Library Self-Signed Certificate – skip to the next step.
– Uploaded Certificate
1) Upload the PKCS #12 file in the certificate area on the Certificate Option screen.
2) If this file requires a password, it must be provided in the Certificate Password input field.
If no password, the field can be left empty.
3) After successful upload of the certificate, click Next.
– Generate Certificate Request (CSR)
1) The Certificate Authority Information screen displays prerequisites for using the KMIP
certificate. When the prerequisites are met, click Next.
2) The Certificate Authority Certificate Entry screen displays instructions for obtaining the
CA certificate for the KMIP server. Follow the instructions to copy the CA certificate from
the Management Console. Paste the CA certificate into the wizard and then click Next.
3) The Library Certificate Information screen displays information about the next wizard
steps. Click Next.
b. The KMIP Client Configuration screen provides options for two types of server authentication.
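
A pre-upload check for the Uploaded Certificate option above, as an added example that is not part of the IBM guide: it uses the openssl CLI to confirm that a PKCS #12 file opens with the given password and contains an unexpired certificate together with its matching private key. The helper names `check_p12` and `make_constructed_p12`, the password, and the subject name are assumptions, and the bundle is a throwaway constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload sanity check for a PKCS #12 bundle using the openssl CLI.
# check_p12 and make_constructed_p12 are hypothetical helper names.

# Build a throwaway self-signed bundle (constructed sample input, not a real identity).
make_constructed_p12() {   # usage: make_constructed_p12 <dir> <password>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-kmip-client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/client.p12" -passout env:P12_PASS
}

fail() { echo "FAIL: $*" >&2; return 1; }

# Succeeds only if the bundle opens with the password and holds an unexpired
# certificate plus the private key that belongs to it.
check_p12() {   # usage: check_p12 <file.p12> [password]
    local p12="$1" pass="${2-}" cert cert_pub key_pub
    # The password travels in the environment, not on the command line.
    cert=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null) ||
        { fail "cannot open bundle (wrong password or not PKCS #12)"; return 1; }
    case "$cert" in
        *"BEGIN CERTIFICATE"*) ;;
        *) fail "no certificate in bundle"; return 1 ;;
    esac
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { fail "certificate has expired"; return 1; }
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    # The extracted private key is piped straight into pkey; it is never written to disk.
    key_pub=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] || { fail "no private key in bundle"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { fail "private key does not match certificate"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    echo "OK: certificate and matching private key present"
}

# Demo on the constructed bundle.
demo_dir=$(mktemp -d)
make_constructed_p12 "$demo_dir" "constructed-pass" &&
    check_p12 "$demo_dir/client.p12" "constructed-pass"
rm -rf "$demo_dir"
```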
IBM TS4300 Tape Library Machine Type 3555: User's Guide