Enabling encryption with key servers

Encryption key servers create and manage encryption keys that are used by the system. In environments with many systems, key servers distribute keys remotely without requiring physical access to the systems.

A key server is a centralized system that generates, stores, and sends encryption keys to the system. Some key server providers support replication of keys among multiple key servers. If multiple key servers are supported, you can specify up to four key servers that connect to the system over either a public network or a separate private network. The system supports IBM® Security Guardium® Key Lifecycle Manager or Gemalto SafeNet KeySecure key servers to handle key management on the system. These supported key management applications create and manage cryptographic keys for the system and provide access to these keys through a certificate. Only one type of key management application can be enabled on the system at a time. Authentication takes place when certificates are exchanged between the system and the key server. Certificates must be managed closely because expired certificates can cause system outages. Key servers must be installed and configured before they are defined on the system.

System certificates are used to communicate with external key servers. When encryption is set up with a key server, the system certificate is exported to and trusted on the key servers. When the SSL certificate expires, communication with the key servers is broken. Install a new valid system certificate to reestablish communication with the key servers.
Important: Reinstall the SSL certificate before it expires to avoid GUI or key server communication failures.
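Because an expired certificate silently breaks the authenticated channel to the key servers, a practitioner typically monitors the remaining lifetime of the certificate each key server presents. The following script is an added example, not code from the product documentation; it assumes the key servers listen for TLS on the standard KMIP port 5696, and the warning threshold, host names and file paths are placeholders.

```python
"""Report remaining lifetime of the TLS certificates presented by key servers."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

KMIP_PORT = 5696   # assumption: standard KMIP port used by the key servers
WARN_DAYS = 30     # assumption: warn this many days before the certificate expires


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days left on a certificate, given the notAfter string as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jan  5 09:34:43 2030 GMT'. Negative when expired."""
    expires = ssl.cert_time_to_seconds(not_after)          # seconds since the epoch (GMT)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Map remaining days to a status a monitoring job can alert on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "OK"


def check_key_server(host: str, port: int = KMIP_PORT, ca_file: Optional[str] = None,
                     client_cert: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a TLS session to one key server and report its certificate's remaining lifetime.
    ca_file holds the CA that signed the key server certificate; client_cert (PEM with key)
    is the exported system certificate, needed when the key server requires mutual TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()              # validated against ca_file by the handshake
    days = days_until_expiry(cert["notAfter"])
    return {"host": host, "not_after": cert["notAfter"], "days_left": days, "status": classify(days)}


if __name__ == "__main__":
    # Placeholder host names; the page allows up to four key servers per system.
    for server in ("keyserver1.example.com", "keyserver2.example.com"):
        try:
            print(check_key_server(server, ca_file="keyserver-ca.pem", client_cert="system-cert.pem"))
        except (OSError, ssl.SSLError) as exc:
            print(f"{server}: connection failed ({exc})")
```

A handshake failure reported here is itself a finding: if the key server rejects the exported system certificate, key retrieval from the system will fail the same way.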
Note: When key servers manage the master key for the system, the encryption key is stored on each key server. The master key is a 256-bit AES key generated by the key server.

The supported key server versions for IBM Spectrum Virtualize products are shown at the following website:

http://www.ibm.com/support/docview.wss?uid=ibm10738187