Add Key Server

Overview

This function adds a key server.

A key server is an external server that manages the SED authentication key (hereinafter referred to as "key"). Because the storage system obtains and updates the key from the key server over an SSL connection, which secures the communication between the two, the key can be managed more safely. Up to two key servers can be registered.

For the key server, use a server on which the key management software "ETERNUS SF KM" is installed. Note that "IBM Security Key Lifecycle Manager" can also be used as the key management software.

Caution
  • When a key server is used to manage the key, the storage system obtains the key from the key server whenever it is required. For example, the key is obtained when RAID groups are added to the key group or when maintenance is performed on SEDs that make up a RAID group in the key group. Make sure that communication between the storage system and the key server is always maintained. To obtain the key from a key server, the key server must respond to the storage system within 30 seconds. Do not use the key server function in an environment in which a network timeout may occur.

User Privileges

Availability of Executions in the Default Role

Default role    Availability of executions
Monitor
Admin
StorageAdmin
AccountAdmin
SecurityAdmin
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

Key Server Setting

Each item is listed with its description and the values that can be set.

Server ID

  Description:
    "1" or "2" is displayed as the ID for unregistered servers. When a key server is already registered as "1", "2" is displayed.
    The server ID of the master or the slave server is specified when the key group is created. Refer to the [Create Key Group] function for details.

  Setting values:
    (Display only)

Domain Name / IP Address

  Description:
    Input the domain name (FQDN) or the IP address of the key server.
    An IP address can be specified in one of two formats: "IPv4" or "IPv6". The following IPv6 address types can be used: "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is shown in abbreviated form.

  Setting values:
    For domain name specification
      Up to 63 alphanumeric characters and symbols
    For IPv4 address
      xxx.xxx.xxx.xxx
      xxx: 1 - 255 for the top field (decimal)
      xxx: 0 - 255 for the other fields (decimal)
    For IPv6 address
      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
      xxxx: 0 - ffff (FFFF) (hexadecimal, alphanumeric characters)
      Refer to "IPv6 Address Notation" for details.

Port No.

  Description:
    Input the port number used to communicate with the key server.

  Setting values:
    Numeric characters, 1 - 65535
    5696 (Default)

LAN Port

  Description:
    Select "MNT" or "RMT" as the LAN port used to communicate with the key server.

  Setting values:
    MNT (Default)
    RMT

Operating Procedures

  1. Click [Add Key Server] in [Action].

  2. Specify the parameters, and click the [Add] button.

    → A confirmation screen appears.

    Caution
    • An error screen appears in the following conditions:
      • When each parameter fails to satisfy the input conditions

      • When inputting a domain name or an IP address that is already used for another key server

      • When the IP address that was input and the IP address of the LAN port (MNT or RMT) are the same

      • When the IP address that was input and the network address of the LAN port (MNT or RMT) are the same

  3. Click the [OK] button.

    → Addition of the key server starts.

  4. Click the [Done] button to return to the [Key Management] screen.
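The following is an added example, not ETERNUS code: it implements the input rules of the Key Server Setting table and the error conditions listed under step 2 as a pre-check that an administrator can run against the intended parameters before submitting the form. The LAN port addresses it compares against are constructed placeholders (the real values come from the storage system's network settings), and comparing the input against both LAN ports rather than only the selected one is an assumption drawn from the wording "the LAN port (MNT or RMT)".

```python
"""Pre-check for an Add Key Server request.

Added example, not ETERNUS code: it applies the input rules from the
Key Server Setting table and the error conditions listed under step 2
of the procedure, so a request can be checked before it is submitted.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_PORT = 5696                 # default Port No. from the settings table
MAX_DOMAIN_NAME_LEN = 63            # "up to 63 alphanumeric characters and symbols"
ALLOWED_LAN_PORTS = ("MNT", "RMT")
MAX_KEY_SERVERS = 2                 # "up to two key servers can be registered"
ULA_NET = ipaddress.ip_network("fc00::/7")   # IPv6 unique local addresses

# Constructed sample addressing for the storage system's LAN ports
# (hypothetical values; the real ones come from the system's network settings).
LAN_PORT_INTERFACES = {
    "MNT": ipaddress.ip_interface("192.0.2.10/24"),
    "RMT": ipaddress.ip_interface("198.51.100.10/24"),
}


@dataclass
class KeyServerRequest:
    host: str                       # Domain Name / IP Address field
    port: int = DEFAULT_PORT        # Port No. field
    lan_port: str = "MNT"           # LAN Port field


def parse_host(host):
    """Return an ip_address object for an IP literal, or None for a domain name.

    Raises ValueError when an IP literal violates the address rules of the
    settings table (IPv4 top field 1 - 255; IPv6 limited to link local,
    global, unique local or 6to4 addresses).
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                 # not an IP literal: treat it as a domain name
    if addr.version == 4:
        if int(str(addr).split(".")[0]) < 1:
            raise ValueError("IPv4 address: top field must be 1 - 255")
    else:
        permitted = (addr.is_link_local or addr.is_global
                     or addr in ULA_NET or addr.sixtofour is not None)
        if not permitted:
            raise ValueError("IPv6 address must be link local, global, "
                             "unique local or 6to4")
    return addr


def validate_domain_name(name):
    """Apply the domain name rule: 1 - 63 printable ASCII characters, no spaces."""
    if not 1 <= len(name) <= MAX_DOMAIN_NAME_LEN:
        raise ValueError(f"domain name must be 1 - {MAX_DOMAIN_NAME_LEN} characters")
    if not name.isascii() or not name.isprintable() or " " in name:
        raise ValueError("domain name must consist of alphanumeric characters and symbols")


def canonical(host):
    """Normalise a host so abbreviated IPv6 forms and mixed-case names compare equal."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return host.lower()


def validate_request(req, registered_hosts=()):
    """Return the list of error conditions hit by the request.

    An empty list means the GUI would show the confirmation screen rather
    than the error screen. registered_hosts holds the Domain Name / IP
    Address values of the key servers already registered (server IDs 1 and 2).
    """
    errors = []
    if len(registered_hosts) >= MAX_KEY_SERVERS:
        errors.append("two key servers are already registered")
    if req.lan_port not in ALLOWED_LAN_PORTS:
        errors.append("LAN port must be MNT or RMT")
    if not 1 <= req.port <= 65535:
        errors.append("port number must be 1 - 65535")
    try:
        addr = parse_host(req.host)
        if addr is None:
            validate_domain_name(req.host)
    except ValueError as exc:
        errors.append(str(exc))
        return errors               # an invalid host is not worth comparing further
    if canonical(req.host) in {canonical(h) for h in registered_hosts}:
        errors.append("domain name or IP address is already used for another key server")
    if addr is not None:
        # Assumption: the comparison is made against both LAN ports, not only
        # the selected one, since the page says "the LAN port (MNT or RMT)".
        for name, iface in LAN_PORT_INTERFACES.items():
            if addr == iface.ip:
                errors.append(f"IP address is the same as the {name} LAN port address")
            elif addr == iface.network.network_address:
                errors.append(f"IP address is the same as the {name} LAN port network address")
    return errors


if __name__ == "__main__":
    for req in (KeyServerRequest("kms1.example.com"),
                KeyServerRequest("192.0.2.10"),
                KeyServerRequest("::1", port=70000)):
        print(req.host, "->", validate_request(req) or "OK")
```

The check returns every condition that would produce the error screen rather than stopping at the first one, so a request with a bad port and a bad LAN port selection reports both; address comparisons use ipaddress objects so that an abbreviated IPv6 address and its full form are recognised as the same server.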