Approaching SKLM with eyes wide open

By Martin O'Hara posted Wed September 29, 2021 04:42 AM


Like most applications, especially those dealing with storage and security, IBM Security Guardium Key Lifecycle Manager (SKLM) needs its requirements stated and planned out before any code is deployed. The IBM SKLM InfoCenter provides printable sheets for planning the deployment: installation locations, ports and networking details, and user details. However, unless the software and hardware prerequisites for the host servers are completely satisfied, SKLM isn't going to perform at its best, or in a worst-case scenario may not work at all.


I've found many gotchas while installing SKLM, including the required use of local Administrator IDs to install, issues installing the Db2 component on non-default disk locations, and having enough space on the / (root) disk to enable Db2 to unpack during the SKLM installation process. And then there are the GUI versus Silent Install script installs too.


All of these things can be resolved, but it is better to approach a deployment with eyes wide open and all details (and requirements) stated, rather than starting, only to grind to a frustrating halt over something that could have been mitigated during planning.


SKLM can provide encryption key management for a lot more devices than you might think: it isn't just LTO tape drives that can make use of it. IBM DS8000 devices and Spectrum Scale (GPFS) are two examples of encryption for which SKLM provides secure, effective and thorough key management.


There is a whole raft of IBM devices that can use SKLM almost out of the box, and SKLM also supports Key Management Interoperability Protocol (KMIP) communications with clients for key management operations on cryptographic material. That material includes symmetric and asymmetric keys, certificates, and even the templates that are used to create them and control their use. Any KMIP-based product (storage or application) can work with IBM Security Guardium Key Lifecycle Manager.


IBM Systems Lab Services can help you plan and implement an SKLM solution. Additionally, my virtual TechU session covers SKLM from a high level, including security, a bit on planning (HSM and SKLM resiliency), installation, operation and some common errors. I hope it will be a good starting point for showcasing SKLM and what it can do to help with your security encryption needs. You can register today and get my session and hundreds more.


Martin O'Hara is a Spectrum Storage Software consultant for IBM Systems Lab Services and is based in the UK. He works with the Storage team across projects throughout the UK and Ireland involving the Tivoli Storage Manager/Spectrum Protect Storage family of enterprise backup and disaster recovery solutions. He provides knowledge and support for the Tivoli Storage Manager/Spectrum Storage range, and is involved in all stages of the deployment of Spectrum Storage, from initial consultations through design, installation, testing, knowledge handover and troubleshooting.