Users Guide
2) If this file requires a password, it must be provided in the Certificate Password input field.
If no password is required, the field can be left empty.
3) After successful upload of the certificate, click Next.
– Generate Certificate Request (CSR)
1) The Certificate Authority Information screen displays prerequisites for using the KMIP
certificate. When the prerequisites are met, click Next.
2) The Certificate Authority Certificate Entry screen displays instructions for obtaining the
CA certificate for the KMIP server. Follow the instructions to copy the CA certificate from
the Management Console. Paste the CA certificate into the wizard and then click Next.
3) The Library Certificate Information screen displays information about the next wizard
steps. Click Next.
b. The KMIP Client Configuration screen provides options for two types of server authentication.
– If your KMIP server uses a client username and password for authentication, enter the
username and password that were specified on the KMIP Management Console for the library.
– If your KMIP server uses certificate validation for authentication, select Enable KMIP
Certificate only authentication. Select this option if you use a KMIP server that doesn’t
support a client username and password. This default method is used when KMIP is used with
the IBM Security Key Lifecycle Manager.
1) In the KMIP Server Configuration screen, enter the IP address or fully qualified hostname
and port number for up to ten KMIP servers. Also, choose which key server type services
the encryption keys. You can select from the following options:
- IBM SKLM - IBM Security Lifecycle Manager 2.6.0 or higher KMIP server.
- KMIP Compatible - Key server that supports the OASIS standard Key Management
Interoperability Protocol (KMIP).
2) To verify access to the KMIP servers, click Connectivity Check.
3) Check at the KMIP server side that the server accepts the certificate of the library.
4) The Setup Summary screen displays the settings that are collected by the wizard. Verify
that the settings are correct and that no errors are in the Done column.
- If you need to modify any settings or fix any issues, either click Back to reach the
applicable screen or Cancel to leave the wizard to fix the issues and return later.
- If the settings are correct and no errors are reported, click Finish.
When the wizard finishes, the Library Managed Encryption (KMIP) encryption mode is selectable in the
Logical Library Wizard (Expert Mode) on the Library > Logical Libraries page.
Security Key Lifecycle Manager (SKLM) for z/OS Encryption
1. Go to the Library menu. Then, go to Logical Libraries. Select Actions, then select Manage SKLM for
z/OS Encryption. The Library Managed Encryption Licensed Feature is already activated on your
library, and cannot be deactivated. However, the feature must be configured before LME can be used.
2. Enter the IP address and the port of the SKLM z/OS server, then click Modify.
3. Go back to Actions and select Manage Logical Library (Expert Mode).
4. On the Expert Logical Library Wizard screen, click General Settings.
5. Next to Encryption Mode, choose Library Managed Encryption (SKLM for z/OS) (Licensed).
6. Click Next, and then click Finish Configuration.
7. A message appears when the Logical Library was successfully enabled for SKLM for z/OS.
8. Go to Settings > Security > Encryption. The Security Encryption Status and the Logical Library
Encryption Status show Library Managed Encryption (SKLM for z/OS) as Enabled.
Chapter 4. Managing