Key management server connections
The VSP F series and VSP G series storage systems support an optional connection to an external key management server. For details about supported key management servers, see the Encryption Key Management Server Support Matrix on the Hitachi interoperability site: https://support.hitachivantara.com/en_us/interoperability.html.
When a key management server is used, several configuration tasks must be performed on the key management server before you can perform the initial configuration of the Encryption License Key feature. The key management server must be configured to allow the storage system's KMIP client to authenticate, store, fetch, and generate keys on the key server. The required configuration tasks for the key management server vary depending on the type of server (vendor, software version). For information about preparing the necessary services to accept connections from the storage system, refer to the documentation for your key management server.
The storage system negotiates a secure TLS 1.2 channel to the key management server using the exchange of mutually authenticated certificates. The storage system requires that a certificate be generated for this purpose; a self-signed certificate cannot be used. The key server KMIP TLS service must trust the certificate authority that signs the certificate generated for the storage system. A copy of the root certificate from the signing certificate authority is also required. For assistance in obtaining the unique certificates and proper connection parameters required for this operation, contact your key server administrator.
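The certificate requirements above can be checked before the certificate is loaded. The following is an added example, not part of the vendor documentation: a shell check that uses the openssl command line to reject a self-signed client certificate and confirm that the certificate chains to the signing CA's root certificate. The file names, common names and demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. File names and CNs are hypothetical;
# all keys and certificates are constructed throwaway test data.

# check_client_cert CERT ROOT
# Prints ok, self-signed, untrusted or unreadable; returns 0 only for ok.
check_client_cert() {
    cert=$1; root=$2
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) ||
        { echo unreadable; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) ||
        { echo unreadable; return 2; }
    # Subject equal to issuer: treat the certificate as self-signed.
    if [ "$subj" = "$issuer" ]; then echo self-signed; return 1; fi
    # The key server must trust the signing CA: check the chain to its root.
    if openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo untrusted; return 1
}

# new_root DIR NAME CN: constructed self-signed certificate and key.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: builds the constructed test certificates in DIR.
make_demo_pki() {
    d=$1
    new_root "$d" root "Demo Root CA"         # CA that signs the client cert
    new_root "$d" other "Unrelated Root CA"   # root the client does not chain to
    new_root "$d" self "self-signed-client"   # the disallowed case
    openssl req -newkey rsa:2048 -nodes -subj "/CN=storage-kmip-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 1 \
        -out "$d/client.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_client_cert "$demo/client.pem" "$demo/root.pem"  || true  # ok
check_client_cert "$demo/self.pem"   "$demo/root.pem"  || true  # self-signed
check_client_cert "$demo/client.pem" "$demo/other.pem" || true  # untrusted
rm -rf "$demo"
```

With real files, pass the certificate generated for the storage system and the root certificate obtained from the signing certificate authority as the two arguments.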
