MAP4980 Encryption and key management server SRCs and repairs

The encryption key management server works with IBM encryption-enabled storage components (drives, device adapter, and functional code) in generating, protecting, storing, and maintaining encryption keys that are used to encrypt information that is written to and decrypt information that is read from storage media. Encryption gives the customer an added layer of protection for their data. The combination of data encryption on the DS8000® and the customer data encryption key stored on the customer's encryption key management server external to the DS8000 ensures that if the DS8000 or any drives with encrypted data are stolen, data cannot be accessed. With TCT encryption, the data is protected while in transit from the DS8000 to the cloud server and while it is stored on the cloud server.

About this task

To enable data-at-rest encryption, you must have encryption-capable drives along with a supporting encryption software stack that is installed on the DS8000. The customer must configure at least two encryption key management servers.

To enable TCT encryption, you must configure a cloud server with an appropriate network connection along with supporting encryption software that is installed on the DS8000. The customer must configure at least two encryption key management servers.

Note: In other IBM publications, the encryption key management server is called:
  • Encryption key server
  • Key server
  • IBM Security Key Lifecycle Manager
  • IBM Tivoli Key Lifecycle Manager key server
  • Gemalto Safenet Key Secure server

MAP4980-Section 1

About this task

Use Table 1 to find the appropriate action for the SRC in the serviceable event that sent you here.
Note: A drive pseudo repair means performing a drive repair that uses the Exchange FRU option and continuing through the repair without unseating and reseating the drive.
Table 1. Encryption SRC repair actions
Columns: SRC | SRC description | Service action/machine state when the serviceable event is generated | Action
BE14CFE0 The DS8000 could not retrieve keys from any of the configured encryption key management server(s). Dual cluster IML
  1. Refer to actions for BE14EAF1. The customer must confirm that the DS8000 is configured with at least two encryption key management servers.
  2. Ask customer to verify whether the encryption key management server protocol is either TLS-enabled IPP or TLS-enabled KMIP (See Note 10).
    Is the protocol TLS-enabled IPP or TLS-enabled KMIP?
    • Yes, go to step 3.
    • No, another protocol is in use. Go to step 5.
  3. Ask customer to verify that every configured encryption key management server has a valid certificate including its certificate expiration date.
  4. If the encryption key management server certificate has expired, ask the customer to update the certificate accordingly.
  5. Test access to the specified key group (see note 11). Refer to the DS8000 Knowledge Center for instructions to test access by using DS CLI or the DS8000 Storage Management GUI.
  6. If the test to verify access to the key group completes successfully, close the existing BE14CFE0 serviceable event. Otherwise, check for any open serviceable events that begin with BE14E0xx or BE14EAxx and repair that serviceable event.

If the problem persists, contact your next level of support.

BE14CFE1 The DS8000 regained access to customer encryption key management servers. An automatic dual partition (LPAR) reboot was initiated. No further action is needed. Dual cluster IML This is an informational serviceable event.
BE14CFE5 The DS8000 detected a potential key store corruption and recovered by an automatic reboot of the partitions (LPARs). Dual cluster IML This is an informational serviceable event.
BE14CFEA The DS8000 detected that periodic key retrieval failed for one or more configured encryption key management server(s). Periodic key retrieval
Note: This serviceable event does not indicate a loss of access to data because keys could not be retrieved from the affected server, as long as the storage facility did not report a BE14CFE0 serviceable event. Resolve this serviceable event immediately to prevent a potential loss of access after a storage facility IPL.
  1. The serviceable event includes the encryption key management server that failed the periodic key retrieval operation. Refer to actions for BE14EAF1 for this affected encryption key management server.
  2. Ask customer to verify whether the affected encryption key management server protocol is either TLS-enabled IPP or TLS-enabled KMIP (See Note 10).
    Is the protocol TLS-enabled IPP or TLS-enabled KMIP?
    • Yes, go to step 3.
    • No, another protocol is in use. Go to step 5.
  3. Verify that the affected encryption key management server has a valid certificate including its certificate expiration date.
  4. If the encryption key management server certificate has expired, ask the customer to update the certificate accordingly.
  5. Test access to the specified key group (see note 11). Refer to DS8000 Knowledge Center for instructions to test access by using DS CLI or DS8000 Storage Management GUI.
  6. If the test to verify access to the key group completes successfully, close the existing BE14CFEA serviceable event. Otherwise, check for any open serviceable events that begin with BE14E0xx or BE14EAxx and repair that serviceable event.

If the problem persists, contact your next level of support.

BE14CFEB The DS8000 detected that fewer than the minimum required number of key servers are configured for periodic key retrieval. Periodic key retrieval
  1. Refer to actions for BE14EAF1. The customer must confirm that the DS8000 is configured with the minimum number of encryption key management servers required for the specified encryption group type. The key server requirements are described in the DS8000 Knowledge Center.
  2. List the key server information, including status. Refer to DS8000 Knowledge Center for instructions to list this information by using DS CLI or DS8000 Storage Management GUI.
  3. Test access to the specified key group (see note 11). Refer to DS8000 Knowledge Center for instructions to test access by using DS CLI or DS8000 Storage Management GUI.
  4. If the test to verify access to the key group completes successfully, close the existing BE14CFEB serviceable event. Otherwise, check for any open serviceable events that begin with BE14E0xx or BE14EAxx and repair that serviceable event.

If the problem persists, contact your next level of support.

BE14CFF5 An invalid encryption-capable SFI configuration has been detected. A valid certificate is not installed on the SFI or the SFI does not have a homogeneous configuration of encryption-capable drives. Field install when drive certify is initiated Customer has received a DS8000 with an invalid configuration for encryption-capable SFI. Contact next level of support for problem determination and resolution.
BE14E004 The DS8000 cannot retrieve encryption keys from the customer's encryption key management server because the DS8000 could not detect any active encryption key management server paths. Suspected configuration error. Dual cluster IML; Periodic key retrieval
  1. The customer must verify whether encryption key management servers are configured and active by using one of the methods identified in note 2.
  2. If all encryption key management servers are inactive, the customer must activate the encryption key management servers by using the DS CLI or DS Storage Manager and reverify the encryption key management server path status.
  3. If the DS8000 fails to recognize one or more active encryption key management server paths, work with the DS8000 service representative or your next level of support to correct the connectivity.
  4. For data-at-rest cases where there is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access: when the DS8000 regains access to the active encryption key management server paths, a dual cluster IML will occur within 12 minutes on the DS8000 partitions reporting the serviceable event. (See note 5.)
  5. For cases other than data-at-rest, where a key group is marked inaccessible due to lack of encryption key management server access, when the DS8000 detects the active encryption key management server paths, the key group will be marked accessible on the DS8000 partitions reporting the serviceable event. After the key group is marked accessible, if the serviceable event remains open, it must be manually closed.
BE14E008 The DS8000 cannot retrieve encryption keys from the customer's encryption key management server(s) because of communication errors between the DS8000 management console (HMC) and encryption key management servers. A suspected network error. Dual cluster IML; Periodic key retrieval – ESSNI is running on the HMC but is encountering a socket open error with the encryption key management servers.
  1. The customer must verify network connectivity and path status between the DS8000 HMC and encryption key management servers by using one of the methods described in note 2.
    1. If network connectivity does not exist or if the path status is inactive or failed, the customer must verify that the configured encryption key management servers are operational and paths are active.
    2. The customer must reverify network connectivity, path status, or both between the encryption key management servers and the DS8000.
  2. If network connectivity, path status, or both cannot be established, work with the DS8000 service representative or your next level of support to resolve the issue.
  3. For data-at-rest cases where there is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access: when the DS8000 regains access to the active encryption key management server(s), dual cluster IML will occur within 12 minutes on the DS8000 partitions reporting the serviceable event. (See note 5.)
  4. For cases other than data-at-rest, where a key group is marked inaccessible due to lack of encryption key management server access, when the DS8000 detects the active encryption key management server paths, the key group will be marked accessible on the DS8000 partitions reporting the serviceable event. After the key group is marked accessible, if the serviceable event remains open, it must be manually closed.
BE14E009 The DS8000 cannot retrieve encryption keys from the configured encryption key management server because of communication errors between the DS8000 partitions (LPARs) and the management console (HMC). Dual cluster IML; Periodic key retrieval
  1. Display and repair open serviceable events that are related to “CEC failures and/or internal network failures.”
  2. If connectivity is restored, the customer must verify that their configured encryption key management servers path status is active by using one of the methods identified in note 2.
  3. For data-at-rest cases where there is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access: when the DS8000 regains access to the active encryption key management servers, dual cluster IML occurs within 12 minutes on the DS8000 partitions reporting the serviceable event. (See note 5.)
  4. For cases other than data-at-rest, where a key group is marked inaccessible due to lack of encryption key management server access, when the DS8000 detects the active encryption key management server paths, the key group will be marked accessible on the DS8000 partitions reporting the serviceable event. After the key group is marked accessible, if the serviceable event remains open, it must be manually closed.
BE14E00B The DS8000 cannot retrieve encryption keys from the configured encryption key management server. A command timeout occurred between DS8000 partitions (LPARs) and the management console (HMC). Dual cluster IML; Periodic key retrieval Contact your next level of support for resolution.
BE14E011 All configured encryption key management servers cannot provide one or more keys requested by the DS8000. Dual cluster IML; Periodic key retrieval Contact your next level of support for resolution.
BE14E012 The DS8000 cannot unwrap the group key by using a data key that is received from any configured encryption key management servers. Dual cluster IML; Periodic key retrieval
  1. The serviceable event text should indicate the encryption key management server error code that was generated and the encryption key management server that delivered incorrect keys. See notes 4 and 6 for sample serviceable events. Refer to the encryption key management server documentation to obtain information on the encryption key management error code and contact the customer for further resolution.

    As part of error diagnostics, inform the customer to verify that the DS8000 data encryption certificate has not expired. See Note 9 for guidance on verifying certificate expiration information.

  2. The customer must verify that encryption key management errors are resolved.
  3. For data-at-rest cases where there is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access: after the customer resolves encryption key management errors, a dual cluster IML will occur within 12 minutes on the DS8000 partitions reporting the serviceable event. (See note 5.)
  4. For cases other than data-at-rest, where a key group is marked inaccessible due to lack of encryption key management server access, when the DS8000 detects the active encryption key management server paths, the key group will be marked accessible on the DS8000 partitions reporting the serviceable event. After the key group is marked accessible, if the serviceable event remains open, it must be manually closed.
BE14E013 The DS8000 detected that the data key signature calculated does not match the expected value. Dual cluster IML; periodic key retrieval. Contact your next level of support for resolution.
BE14E0F1 The DS8000 cannot access the customer's encryption key management server. Dual cluster IML
  1. The customer must verify network connectivity and path status between the configured encryption key management servers and the DS8000 by using one of the methods identified in note 2.
    • If network connectivity does not exist or path status is inactive or failed, the customer must verify that the configured encryption key management servers are operational and that paths are active.
    • The customer must reverify network connectivity, path status, or both between the encryption key management servers and the DS8000.
  2. If the connectivity fails, work with the DS8000 service representative to correct the connectivity.
  3. For cases where there is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access: when the DS8000 detects the active encryption key management server paths, dual cluster IML will occur within 12 minutes on the DS8000 partitions reporting the serviceable event. (See note 5.)
BE14E1F6 The DS8000 partitions (LPARs) were activated without access to the customer's encryption key management servers. The encryption key management servers are now available and the DS8000 partitions (LPARs) must be re-cycled to allow data access. DS8000 partitions regained access to encryption key management servers. However, a dual cluster reboot and IML was not attempted because of a service action in progress. Dual cluster IML could not be attempted on the DS8000 partitions because of the service action in progress. The DS8000 partitions must be re-IMLed (shutdown and rebooted) by using the following steps:
  1. From the navigation area, click Storage Facility Management > storage facility > SF image.
  2. From the bottom Task area, select Service Utilities > Change/Show SFI State.

Valid state should be "quiesce." Click Quiesce SFI, then monitor by refreshing the panel.

When valid state is "shutdown," click Shutdown SFI, then monitor by refreshing the panel.

When valid state is "resume," click Resume SFI, then monitor by refreshing the panel.

BE14E3F7 DS8000 data encryption key repository reported a permanent error. Failure to read record or certificate.   Contact your next level of support for resolution.
BE14EA0B The DS8000 cannot retrieve encryption keys from some of the configured encryption key management servers. A command timeout has occurred between DS8000 partitions (LPARs) and the management console (HMC). Periodic key retrieval Contact your next level of support for resolution.
BE14EA11 One or more configured encryption key management servers are unable to provide the key(s) requested by the DS8000. Periodic key retrieval
  1. The serviceable event text should indicate the encryption key management server error code that was generated and the IP address of the encryption key management server that has an invalid key, corrupted record, or failed to unwrap keys. (See notes 4 and 6 for a sample serviceable event).
    Note: An encryption key management server error code is not shown for a corrupted record.
  2. Ask the customer to contact the encryption key management server support team for problem resolution.
  3. As part of error diagnostics, inform the customer to verify that the DS8000 data encryption certificate has not expired. See Note 9 for guidance on verifying certificate expiration information.
  4. Ask the customer to verify that encryption key management server error(s) are resolved.
  5. Test access to the specified key group (see note 11). Refer to DS8000 Knowledge Center for instructions to test access by using DS CLI or DS8000 Storage Management GUI.
  6. If the test to verify access to the key group completes successfully, close the existing BE14EA11 serviceable event. Otherwise, check for any open serviceable events that begin with BE14E0xx or BE14EAxx and repair that serviceable event.

If the problem persists, contact your next level of support.

BE14EA12 The DS8000 cannot unwrap the group key by using a data key received from one or more configured encryption key management servers. Periodic key retrieval
  1. The serviceable event text should indicate the encryption key management server error code that was generated and the IP address of the encryption key management server that delivered incorrect keys. (See notes 4 and 6 for a sample serviceable event.) Refer to the encryption key management server documentation to obtain information on the encryption key management server error code and contact the customer for further resolution.
  2. Ask the customer to contact the encryption key management server support team and provide the team with the encryption key management server error code for problem resolution.

    As part of error diagnostics, inform the customer to verify that the DS8000 data encryption certificate has not expired. See Note 9 for guidance on verifying certificate expiration information.

  3. Ask the customer to verify that encryption key management server errors are resolved.
  4. Test access to the specified key group (see note 11). Refer to DS8000 Knowledge Center for instructions to test access by using DS CLI or DS8000 Storage Management GUI.
  5. If the test to verify access to the key group completes successfully, close the existing BE14EA12 serviceable event. Otherwise, check for any open serviceable events that begin with BE14E0xx or BE14EAxx and repair that serviceable event.

If the problem persists, contact your next level of support.

BE14EA13 The DS8000 detected that the calculated data key signature does not match the expected value. Periodic key retrieval Contact your next level of support for resolution.
BE14EAF1 The DS8000 failed to communicate with the encryption key management server. If the communication continues to fail after four hours, a request for service will occur.  
  1. The customer must verify network connectivity and path status between the configured encryption key management servers and the DS8000 by using one of the methods that are identified in note 2.
    1. If network connectivity does not exist or path status is inactive or failed, the customer must verify that the configured encryption key management servers are operational and paths are active.
    2. The customer must reverify network connectivity, path status, or both between the encryption key management servers and the DS8000.
  2. If the connectivity fails, work with the DS8000 service representative or your next level of support to correct the connectivity.
    Note: The network connectivity between encryption key management servers and DS8000 can also be verified with the Key Manager Utilities (See Note 7 below for a sample screen capture of Key Manager Utilities).
BE14EAF2 The DS8000 has failed to communicate with the encryption key management server for four hours.   Refer to actions for BE14EAF1.
BE14EAF3 The DS8000 failed to communicate with the encryption key management server by using an SSL link. If the communication continues to fail after four hours, a request for service will occur.   Refer to actions for BE14EAF1.
If connectivity works with an unencrypted link but fails when using an SSL link, a likely cause is an untrusted certificate. Contact your next level of support.
BE14EAF4 The DS8000 has failed to communicate with the encryption key management server for four hours, by using an SSL link.   Refer to actions for BE14EAF1.
If connectivity works with an unencrypted link but fails when using an SSL link, a likely cause is an untrusted certificate. Contact your next level of support.
BE316023 A severe software error has been discovered.   Contact your next level of support for resolution.
BE31CFE8 A severe software error has been discovered.   Contact your next level of support for resolution.
BE31F004 Failed to initialize the replacement encryption-capable drive to the existing configured encryption group during its repair. The likely cause is a drive hardware problem. Access credential migration failed after drive repair during the drive resume operation.
Access credential migration was initiated because of one of the following conditions:
  • The device adapter pair has one or more exposed or degraded RAID arrays.
  • A drive migration condition was detected and loop balance had to be restored.
Use this procedure to do software checks before replacing the drive:
  1. Run the Manage SFI Resources utility to verify the state of configured encryption group. See note 3.
    1. If a configured encryption group is accessible, go to step 2.
    2. Otherwise, contact your next level of support.
  2. Display and repair any open serviceable event for this drive.
  3. If there is not an open serviceable event for this drive, contact your next level of support.
BE34009E An encryption-capable drive was not cryptographically erased during a drive repair, drive install, rank removal, or recovery after a failed rank creation. A drive repair; storage enclosure/drive Install MES operation; rank removal appeared successful to the customer. Recovery after a failed rank creation.
  1. If this serviceable event was reported during a drive repair or install, replace the drive with a new encryption-capable drive using the Parts Exchange procedure.
  2. If this serviceable event was reported after a customer's rank removal appeared to be successful, check for and repair any open serviceable events for this drive.
  3. If this serviceable event was reported during a customer's rank creation process, check for and repair any open serviceable events for this drive. The customer needs to remove the failing rank. The drives will automatically begin to reformat. When complete, the customer must re-create the rank.
BE34009F One or more encryption-capable drives were not automatically cryptographically erased after the customer removed one or more ranks. This serviceable event is generated when the SF Discontinue utility queries the cryptographic erase status of all FDE drives and detects that one or more drives are security degraded. This condition is only detected during a check for a storage facility removal process. If the customer removed all their data and logical configuration including ranks, the encrypted drives should have been automatically cryptographically erased. Contact your next level of support for resolution.
BE3400A2 Failed to initialize the replacement encryption-capable drive to the existing configured encryption group during its repair. The existing encryption group is inaccessible. RAS initiated an issraid exchange Smart rebuild. Perform the following software checks before replacing the drive:
  1. Run the Manage SFI Resources utility to verify the state of configured encryption group. (See note 3.)
    • If the configured encryption group is inaccessible, go to step 2.
    • Otherwise, contact your next level of support.
  2. Check for any open serviceable events that begin with BE14E0xx or BE14EAxx.
    • If any such serviceable event is found, repair that serviceable event before replacing the drive again.
    • Otherwise, contact your next level of support.
BE3400A3 Adding or replacing an encryption-capable drive and the drive FRU is already in a configured state. A cryptographic erase could not be initiated. This should not occur during any RAS-initiated service action. A probable cause for this serviceable event is a cryptographic erase that was attempted on a drive that stores customer data during manual recovery. Contact your next level of support for resolution.
BE3400B3 Hourly health checks on the partitions detected that one or more encryption-capable drives are inaccessible (security degraded). This serviceable event is generated during a RAS hourly health check running on the partitions. Perform the following software checks:
  1. Run the Manage SFI Resources utility to verify the state of the configured encryption group. (See note 3.)
    • If the configured encryption group is inaccessible, go to step 2.
    • Otherwise, contact your next level of support.
  2. Check for any open serviceable events that begin with BE14E0 or BE14EA.
    • If any such serviceable event is found, repair that serviceable event before replacing the drive again.
    • Otherwise, contact your next level of support.
Other SRCs     Contact your next level of support for resolution.
Notes:
  1. A drive pseudo repair means performing a drive repair by using the Exchange FRU option and continuing through the repair without unseating and reseating the drive.
  2. The customer can use either the DS CLI or DS Storage Manager to query the list of configured encryption key management servers and the path status of each configured encryption key management server:
    • DS CLI: The customer can enter the lskeymgr command to obtain the list of configured encryption key management servers and the path status of each configured encryption key management server.
      Sample lskeymgr output:
      dscli> lskeymgr
      Date/Time: July 31, 2018 4:14:13 PM PDT IBM DSCLI Version: 7.8.50.417 DS: -
      ID  state   status keyprotocol addr                         port type keygrp
      ============================================================================
        1 active  normal KMIP        vinz.tuc.stglabs.ibm.com     5696 TCT  2
        2 active  normal KMIP        zuul.tuc.stglabs.ibm.com     5696 TCT  2
        3 active  normal KMIP        keyhler.tuc.stglabs.ibm.com  5696 DAR  1
        4 active  normal KMIP        keyppard.tuc.stglabs.ibm.com 5696 DAR  1
      dscli>
      
    • DS Storage Manager: The customer can use the key manager option to obtain the list of configured encryption key management servers and the path status of each configured encryption key management server. Figure 1 shows an example of a key manager window.
      Figure 1. Window: Key Managers
  3. IBM support or service representative can use the Manage Storage Facility Image (SFI) Resources utility to determine the state of the configured encryption group. Figure 2 shows the encryptionGroupsStates value {3,0} indicating that the customer configured encryption group is accessible.
    To display the Manage SFI Resources utility:
    1. From the navigation area, click Storage Facility Management > storage facility > SF image.
    2. From the Task area, select Service Utilities > Manage SFI Resources.
    Figure 2. Window: Manage SFI Resources
  4. Figure 3 shows an example of a serviceable event text with encryption key management server error code detected by the DS8000. Figure 4 is a continuation of Figure 3 that shows additional serviceable event text.
    Figure 3. Window: Manage Serviceable Events
    Figure 4. Window: Manage Serviceable Events (continued)
  5. The DS8000 partitions that reported BE14E004, BE14E008, or BE14E009 will query for encryption key management server connectivity every 12 minutes. When connectivity is regained, a dual cluster IML (that is, a shutdown; reboot; IML) will be attempted if, and only if, both of the following are true:
    1. There is no service action in progress
    2. There is no access to customer data; that is, IML is "complete" but global data is inaccessible due to lack of encryption key management server access
    IBM service representatives must wait for dual cluster IML completion before they attempt any scheduled service actions. A BE14CFE1 serviceable event is logged after dual cluster IML is completed.
    Note: The BE14CFE1 serviceable event is auto-closed along with any other BE14E0xx serviceable events that are reported against the same partitions.
  6. Figure 5 shows a sample serviceable event with an encryption key management server ID and IP address in the location code field of the serviceable event.
    Figure 5. Window: Serviceable Event with an ID and an IP address in the location code field
  7. Example of the key server utilities and retrieval status.
    Figure 6. Window: Key Server Utilities Test Key Retrieval panel
    Figure 7. Window: Test Key Retrieval status
  8. Upon successful resolution of the BE14xxxx serviceable event, the serviceable event must be closed manually.
  9. The customer can use either the DS CLI or the DS Storage Manager to query DS8000 data encryption certificate expiration status.
    DS CLI:

    The customer can enter the showkeygrp command to determine whether a customer-generated certificate is installed on the DS8000 storage facility; its expiration date is shown in the certificateexpiry field.

    Sample showkeygrp output:
    dscli> showkeygrp 1
    Date/Time: February 18, 2016 5:07:08 PM EST IBM DSCLI Version: 0.0.0.0 DS: IBM.2107-75NR641
    ID                1
    numranks          0
    numpools          0
    state             accessible
    reckeystate       disabled
    reckeydate        -
    datakeydate       02/18/2016 17:06:39 EST
    grpstatus         normal
    mgrstatus         normal
    label             -
    label2            -
    certificate       CUSTOMER
    certificateexpiry 02/19/2016 00:19:25 EST
    uuid              548229806B8C57ACC41732383052286EBC9670006C45911641A3C062C8FFC2FA
    keyprotocol       KMIP
    dscli> 
    DS Storage Manager:
    The customer can use the Setting->Security->Encryption window to determine whether a customer-defined certificate is installed on the DS8000 storage facility and its expiration status. Figure 8 shows an example of the DS Storage Manager Encryption page with a customer-defined certificate expiration date.
    Figure 8. Window: Setting->Security->Encryption
  10. The customer can use DSCLI to determine whether encryption key management server protocol is TLS-enabled IPP, TLS-enabled KMIP, or another protocol.
    DSCLI:
    The customer can issue the showkeymgr command and query the protocol, keyprotocol, and certificate fields to determine this information. Ask the customer to refer to the DSCLI documentation to get further information on the showkeymgr command.
    Sample showkeymgr output for TLS-enabled IPP:
    dscli> showkeymgr 1
    Date/Time: February 16, 2017 4:49:05 PM MST IBM DSCLI Version: 7.8.22.45 DS: -
    ID 1
    State active
    Status normal
    addr mynode.mydomain.ibm.com
    port 441
    protocol tls   
    keyprotocol IPP  
    certificate mycert_ssl.pem 
    
    Sample showkeymgr output for TLS-enabled KMIP:
    dscli> showkeymgr 1
    Date/Time: February 16, 2017 5:41:15 PM EST IBM DSCLI Version: 7.8.30.20 DS: -
    ID 1
    State active
    Status normal
    addr mynode.mydomain.ibm.com
    port 5696
    protocol tls 
    keyprotocol KMIP 
    certificate mycert_kmip.pem
    Sample showkeymgr output for non-TLS-enabled IPP:
    dscli> showkeymgr 1
    Date/Time: February 16, 2017 5:36:18 PM EST IBM DSCLI Version: 7.8.30.20 DS: -
    ID 1
    State active
    Status normal
    addr mynode.mydomain.ibm.com
    port 3801
    protocol none 
    keyprotocol IPP  
    certificate -   
    
  11. The customer can use DS CLI or the DS8000 Storage Management GUI to test access to the specified key group.
    DS CLI:
    The customer can issue the managekeygrp -action testaccess command to test access to the specified key group. Ask the customer to refer to the DS CLI documentation to get further information on the managekeygrp -action testaccess command.
    Sample output:
    • Initiate “-testaccess”
      dscli> managekeygrp -action testaccess 1
      Date/Time: June 20, 2018 1:23:21 PM PDT IBM DSCLI Version: 7.8.50.376 DS: IBM.2107-75DLR51
      CMUC00480W managekeygrp: Are you sure that you want to initiate a key retrieval for key group 1? [y/n]: y
      CMUC00481I managekeygrp: The Test Access action is submitted for key server encryption group 1.
      dscli>
      
    • View “testaccess” results:
      dscli> showkeygrp -access 1
      Date/Time: June 20, 2018 1:29:00 PM PDT IBM DSCLI Version: 7.8.50.376 DS: IBM.2107-75DLR51
      ID KeyMgr lastaccess lastsuccess              lastfailure
      =========================================================
      1  1      success    2018-06-20T13:23:32-0700 -
      1  2      success    2018-06-20T13:23:32-0700 -
      1  3      -          -                        -
      1  4      -          -                        -
      dscli>
      
    DS8000 Storage Management GUI:
    The customer can select an encryption key management server and click Actions > Test to initiate key retrieval for the chosen key management server.
    Note: This action can be used only for data-at-rest key groups.
    See Figure 9 for sample output.
    Figure 9. Testing access to a key group
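As an added example (not IBM code and not part of this MAP), the following Python script parses the DS CLI output layouts shown in notes 2, 9, 10 and 11 and reports the conditions the Table 1 steps ask the customer to verify: fewer than two key servers per key group, key servers that are not active, IPP or KMIP without TLS, an expired DS8000 data encryption certificate, and a failed test access. The sample outputs, hostnames and dates are constructed placeholders in those layouts.

```python
"""Added triage helper, not IBM code: parses the DS CLI output layouts shown in
notes 2, 9, 10 and 11 and reports the conditions the Table 1 steps ask the customer
to verify. Samples are constructed in those layouts; hosts and dates are placeholders."""
from collections import Counter
from datetime import datetime

# Constructed lskeymgr output: server 2 is not active and key group 2 has one server.
LSKEYMGR = """\
dscli> lskeymgr
Date/Time: July 31, 2018 4:14:13 PM PDT IBM DSCLI Version: 7.8.50.417 DS: -
ID  state    status keyprotocol addr                 port type keygrp
=====================================================================
  1 active   normal KMIP        kms1.example.invalid 5696 DAR  1
  2 inactive failed KMIP        kms2.example.invalid 5696 DAR  1
  3 active   normal IPP         kms3.example.invalid 3801 TCT  2
"""
# Constructed showkeymgr output for server 3: IPP without TLS (see note 10).
SHOWKEYMGR_3 = """\
dscli> showkeymgr 3
ID 3
addr kms3.example.invalid
port 3801
protocol none
keyprotocol IPP
certificate -
"""
# Constructed showkeygrp output: the customer certificate has already expired.
SHOWKEYGRP_1 = """\
dscli> showkeygrp 1
ID                1
state             accessible
certificate       CUSTOMER
certificateexpiry 02/19/2016 00:19:25 EST
keyprotocol       KMIP
"""
# Constructed showkeygrp -access output: server 2 failed the last key retrieval.
ACCESS_1 = """\
dscli> showkeygrp -access 1
ID KeyMgr lastaccess lastsuccess              lastfailure
=========================================================
1  1      success    2018-07-31T16:16:30-0700 -
1  2      failure    -                        2018-07-31T16:16:30-0700
"""

def _data_lines(text):
    """Keep data lines only: drop the prompt, the Date/Time banner and separators."""
    lines = [line.strip() for line in text.splitlines()]
    return [s for s in lines if s and not s.startswith(("dscli>", "Date/Time:", "="))]

def parse_table(text):
    """Parse a column-aligned listing (lskeymgr, showkeygrp -access) into row dicts."""
    lines = _data_lines(text)
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]

def parse_kv(text):
    """Parse a 'field value' listing (showkeymgr, showkeygrp) into one dict."""
    out = {}
    for line in _data_lines(text):
        parts = line.split(None, 1)
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def is_tls_enabled(mgr):
    """Note 10: TLS-enabled IPP/KMIP means protocol tls with a certificate configured."""
    return (mgr["protocol"] == "tls" and mgr["keyprotocol"] in ("IPP", "KMIP")
            and mgr["certificate"] != "-")

def cert_expired(grp, now):
    """Note 9: True when certificateexpiry is before 'now'. The zone suffix is not
    parsed, so 'now' is assumed to be in the DS CLI's zone. None without a customer cert."""
    if grp.get("certificate") != "CUSTOMER":
        return None
    stamp = grp["certificateexpiry"].rsplit(" ", 1)[0]
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S") < now

def triage(lskeymgr, showkeymgrs, showkeygrp, access, now):
    """Return the findings a service representative would act on, in Table 1 order."""
    findings = []
    servers = parse_table(lskeymgr)
    # BE14CFE0 step 1 / BE14CFEB: at least two key servers per key group.
    for grp, n in sorted(Counter(s["keygrp"] for s in servers).items()):
        if n < 2:
            findings.append(f"keygrp {grp}: only {n} key server configured (BE14CFEB)")
    for s in servers:
        if s["state"] != "active" or s["status"] != "normal":
            findings.append(f"key server {s['ID']}: {s['state']}/{s['status']} (BE14EAF1)")
    for m in map(parse_kv, showkeymgrs):
        if not is_tls_enabled(m):
            findings.append(f"key server {m['ID']}: {m['keyprotocol']} without TLS (note 10)")
    if cert_expired(parse_kv(showkeygrp), now):
        findings.append("DS8000 data encryption certificate expired (note 9)")
    for row in parse_table(access):
        if row["lastaccess"] == "failure":
            findings.append(f"key server {row['KeyMgr']}: test access failed (note 11)")
    return findings

def run_sample():
    """Run the triage over the constructed samples with a fixed clock."""
    return triage(LSKEYMGR, [SHOWKEYMGR_3], SHOWKEYGRP_1, ACCESS_1, datetime(2018, 7, 31))
```

Running run_sample() on the constructed samples yields five findings, one per check, which map directly onto the BE14CFEB, BE14EAF1 and note 9/10/11 actions in Table 1.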