Add Key Server
Overview
This function adds a key server.
A key server is an external server that manages the SED authentication key (hereinafter referred to as "key"). Using a key server lets the storage system obtain and update the key over SSL-secured communication, which creates an environment in which the key can be managed more safely. Up to two key servers can be registered.
For the key server, use a server on which the key management software "ETERNUS SF KM" is installed. Note that "IBM Security Key Lifecycle Manager" is also available as the key management software.
When a key server manages the key, the storage system obtains the key from the key server when required. For example, the key is obtained when RAID groups are added to the key group or when maintenance is performed for SEDs that make up a RAID group in the key group. Make sure that communication is always maintained between the storage system and the key server. To obtain the key from a key server, the key server must respond to the storage system within 30 seconds. Do not use the key server function in an environment in which a network timeout may occur.
User Privileges
Availability of Executions in the Default Role
Default role | Availability of executions |
---|---|
Monitor | |
Admin | |
StorageAdmin | |
AccountAdmin | |
SecurityAdmin | |
Maintainer |
Refer to "User Roles and Policies" for details on the policies and roles.
Settings
Key Server Setting
Item | Description | Setting values |
---|---|---|
Server ID | "1" or "2" is displayed as the ID for unregistered servers. When a key server is registered for "1", "2" is displayed. The server ID for the master or the slave server is specified when creating the key group. Refer to the [Create Key Group] function for details. | |
Domain Name / IP Address | Input the domain name (FQDN) or the IP address of the key server. There are two methods to specify an IP address; "IPv4" and "IPv6". The following IPv6 addresses can be used; "link local address", "global address", "unique local address", or "6to4 address". Refer to "Available IPv6 Address" for details. When the current setting is displayed, the IPv6 address is displayed as an abbreviation. | For domain name specification: up to 63 alphanumeric characters and symbols. For IPv4 address: xxx.xxx.xxx.xxx, where xxx is 1 - 255 for the top field (decimal) and 0 - 255 for other fields (decimal). For IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, where xxxx is 0 - ffff (FFFF) (hexadecimal, alphanumeric characters). Refer to "IPv6 Address Notation" for details. |
Port No. | Input the port number used to communicate with the key server. | Numeric characters, 1 - 65535, 5696 (Default) |
LAN Port | Select "MNT" or "RMT" for the LAN port that is to be used to communicate with the key server. | MNT (Default), RMT |
Operating Procedures
Click [Add Key Server] in [Action].
Specify the parameters, and click the [Add] button.
→ A confirmation screen appears.
Caution
- An error screen appears in the following conditions:
  - When each parameter fails to satisfy the input conditions
  - When inputting a domain name or an IP address that is already used for another key server
  - When the IP address that was input and the IP address of the LAN port (MNT or RMT) are the same
  - When the IP address that was input and the network address of the LAN port (MNT or RMT) are the same
Click the [OK] button.
→ Adding of the key server starts.
Click the [Done] button to return to the [Key Management] screen.
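The input conditions under "Key Server Setting" and the error conditions in the caution can be checked before the values are entered. The following Python code is an added example, not part of the original manual or of the storage system's software; the function names, the CIDR-form `lan_if` parameter and the message strings are assumptions. It also assumes the standard prefixes for the IPv6 address types the page names, and reads "network address of the LAN port" as the network address of that port's subnet.

```python
import ipaddress

# Link local, unique local, global unicast (6to4, 2002::/16, lies inside 2000::/3).
ALLOWED_V6 = [ipaddress.ip_network(n) for n in ("fe80::/10", "fc00::/7", "2000::/3")]

def _parse(address):
    """Return an ip_address object, or None when the input is not an IP literal."""
    try:
        return ipaddress.ip_address(address)
    except ValueError:
        return None

def _norm(address):
    """Canonical form, so abbreviated and full IPv6 spellings compare equal."""
    ip = _parse(address)
    return str(ip) if ip else address.lower()

def check_key_server(address, port, lan_if, registered=()):
    """Return a list of problems; an empty list means the input passes.

    lan_if is the MNT or RMT port address in CIDR form, e.g. "192.0.2.10/24".
    """
    problems = []
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append("port out of range 1 - 65535")
    if _norm(address) in {_norm(r) for r in registered}:
        problems.append("already used for another key server")
    ip = _parse(address)
    if ip is None:
        # Assumption: digits and dots only is a mistyped IPv4 address, not an FQDN.
        if address.replace(".", "").isdigit():
            problems.append("invalid IPv4 address")
        elif not 1 <= len(address) <= 63:
            problems.append("domain name must be 1 - 63 characters")
        return problems
    if ip.version == 4 and ip.packed[0] == 0:
        problems.append("IPv4 top field must be 1 - 255")
    if ip.version == 6 and not any(ip in n for n in ALLOWED_V6):
        problems.append("IPv6 address type not supported")
    lan = ipaddress.ip_interface(lan_if)
    if ip.version == lan.version:
        if ip == lan.ip:
            problems.append("same as the LAN port IP address")
        if ip == lan.network.network_address:
            problems.append("same as the LAN port network address")
    return problems
```

Domain names are checked for length only, because the page does not list which symbols are accepted, and the LAN port comparisons apply only to IP literals.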