Important: The IBM System Storage SAN32B-E4 Encryption Switch (2498-E32) and IBM FC Encryption Blades must be used with TKLM V2.0 or later.

Preferred practice: For the implementations and examples in this book, we used TKLM Version 2.0.0.2 with the latest fix pack, which is Fix Pack 2 of TKLM. Our TKLM servers were installed as VMware guests running Microsoft Windows Server 2008 R2 Enterprise Edition. Running TKLM servers as VMware guests is convenient, because it is easy to add a further server or to return to a clean starting installation that you saved initially as a VM image. In terms of high availability, however, it is more likely that you will install each TKLM on its own physical hardware platform, for example, an Intel-based server with a supported Windows version.

TKLM is designed to be a shared resource that is deployed in several locations within an enterprise. It can serve numerous IBM encryption-enabled hardware devices, regardless of where those devices reside. The communication and key exchange between TKLM and the devices is typically done over standard IP networking, separate from the storage data path (out-of-band managed keys). Certain devices, however, support key exchange within the storage communication protocol itself, for example, tape drives natively attached to System z via the IBM FICON® protocol. This method is called the in-band exchange of keys. That key exchange architecture is not part of the examples covered in this book.
TKLM provides the following functions:

- Key serving with lifecycle management through a GUI (Tivoli Integrated Portal) and a command-line interface (CLI)
- Support for the new IBM SAN Encryption Switch products, SAN32B-E4 (2498-E32) and IBM FC Encryption Blades
- Support for encryption-enabled IBM System Storage TS1100 family tape drives (3592 tape drives)
- Support for IBM System Storage Linear Tape-Open (LTO) Ultrium Generation 4 and 5 tape drives
- Support for the IBM System Storage DS8000/DS5000 disk series
- Backup and recovery to protect your keys and certificates
- Notification of the expiration of certificates
- Audit records that allow you to track the encryption of your data
- Automatic rollover of key groups and certificates (this capability applies to 3592 and LTO drives; it does not apply to the DS8000/DS5000 series)
- Key lifecycle management that allows a user to define when to start using a new key group with LTO tape drives or a new certificate with TS1100 tape drives

3.2 Tivoli Key Lifecycle Manager components and resources

TKLM itself does not encrypt or decrypt data: the cryptographic operations on the data path are performed by the encryption-enabled devices it serves. The major purpose of TKLM is to serve and manage the keys and certificates of an enterprise.

Chapter 3. Initial setup for the IBM Tivoli Key Lifecycle Manager and the SAN32B-E4 Encryption Switch 39
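The functions listed above (CLI key serving, key group and certificate rollover, device registration and backup) can be scripted against the TKLM 2.0 wsadmin Jython interface. The script below is an added example written for this page; it is not code from the Redbook or from IBM. The aliases, key group name, effective dates, drive serial number, WWN, backup directory and passwords are placeholders, and the command parameter names are written from the TKLM 2.0 CLI reference as I recall it, so check each one against `AdminTask.help('<command>')` on your installed version before running it.

```jython
# Added example, not from the Redbook. Run from the TKLM bin directory as
#   ./wsadmin.sh -username TKLMAdmin -password <pw> -lang jython -f tklm_setup.py
# Every value below is a placeholder chosen for this example.

# Confirm which TKLM build we are talking to (the book used 2.0.0.2 + Fix Pack 2).
print AdminTask.tklmVersionInfo()

# Self-signed certificate used for TS1100 (3592) drives. The drive generates the
# data key and wraps it with this certificate's public key.
print AdminTask.tklmCertCreate('[-type selfsigned -alias ts1100cert01 -cn tklm1 ' +
                               '-ou storage -o ExampleCorp -country US ' +
                               '-validity 999 -usage 3592]')

# Key group of 10 symmetric keys for LTO drives; -alias is the three-character
# prefix from which TKLM derives the individual key aliases.
print AdminTask.tklmKeyGroupCreate('[-name GROUP-LTO-2011 -usage LTO ' +
                                   '-numOfKeys 10 -alias lto]')

# Lifecycle rollover: define the date from which new writes use the new
# key group (LTO) and the new certificate (3592). Parameter names assumed
# from the TKLM 2.0 CLI reference; verify with AdminTask.help().
print AdminTask.tklmKeyGroupDefaultRolloverAdd('[-keyGroupName GROUP-LTO-2011 ' +
                                               '-usage LTO -effectiveDate 2011-03-01]')
print AdminTask.tklmCertDefaultRolloverAdd('[-alias ts1100cert01 -usage 3592 ' +
                                           '-effectiveDate 2011-03-01]')

# Register a drive explicitly (serial number and WWN are placeholders) instead
# of relying on automatic acceptance of unknown devices.
print AdminTask.tklmDeviceAdd('[-type LTO -serialNumber FAA49403AQJF ' +
                              '-attributes "{worldwideName ABCdeF1234567890} ' +
                              '{description salesDivisionDrive}"]')

# Back up keystore, certificates and configuration. The backup archive is
# protected with this password; without it the archive cannot be restored.
print AdminTask.tklmBackupRun('[-backupDirectory ' +
                              '/opt/ibm/tivoli/tiptklmV2/products/tklm/backup ' +
                              '-password BackupPassw0rd]')
```

Two caveats for the backup step: the password embedded in the script must be recorded somewhere the recovery team can reach, because a TKLM backup is useless without it, and the archive should be copied off the TKLM host (ideally to the site that hosts the second TKLM instance), since a backup that lives only on the server it protects does not survive loss of that server.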