Enable OpenManage Secure Enterprise Key Manager (SEKM) on Dell EMC PowerEdge Servers

This Dell EMC technical white paper describes the process of enabling SEKM on the iDRAC and PERC of PowerEdge servers. Key tips and troubleshooting techniques for using SEKM are also discussed.

Abstract
Keeping your business-critical operations and IT infrastructure safe and secure is key to providing seamless services.
Revisions
Date: July 2019 | Description: Initial release

Dell Customer Communication - Confidential
Acknowledgements
This technical white paper was produced by the following members of the Dell EMC Enterprise Server Solutions team:
Author: Sanjeev Dambal and Texas Romer
Support: Sheshadri PR Rao (InfoDev)
Other: N/A
The information in this publication is provided “as is.” Dell Inc.
Executive summary
Advantages of SEKM over LKM in Dell EMC PowerEdge servers
The OpenManage SEKM enables you to use an external Key Management Server (KMS) to manage keys that can then be used by iDRAC to lock and unlock storage devices on a Dell EMC PowerEdge server.
1 Set up the SEKM solution on PowerEdge servers
• Set up SEKM on external KMS
• Set up SEKM on iDRAC
• Enable SEKM on the PERC of iDRAC
• Enable SEKM on Storage Controllers
• Configure SEKM by using a Server Configuration Profile (SCP)

1.1 Set up SEKM on external KMS
This section describes the Gemalto KeySecure features that are supported by iDRAC.
When set to one of these values, the iDRAC username on the KMS must be set up on the iDRAC as explained later in Set up SEKM on iDRAC.

Require client certificate to contain source IP
It is recommended that you enable this option only if the iDRAC IP address does not change frequently. If this option is enabled and the iDRAC IP address changes, then SEKM will stop functioning until the SSL certificates are set up again.
1.3 Configure SEKM on the iDRAC GUI
Key processes in configuring SEKM on PowerEdge servers by using the iDRAC GUI. This workflow uses Gemalto KeySecure as the Key Management Server.
1. Start iDRAC by using any supported browser.
2. Click iDRAC Settings → Services.
3. Expand the SEKM Configuration menu and click Generate CSR.
Generate CSR on the iDRAC GUI
4. In the Generate Certificate Signing Request (CSR) dialog box, select or enter data.
5. Click Generate.
6. The CSR file is generated. Save it to your system.
Enter or select data in the CSR dialog box of iDRAC
7. Get the full CSR file contents signed on Gemalto. See Get the CSR file signed on Gemalto.
8. Download the signed image file, and then upload it to iDRAC.
1.3.1 Get the CSR file signed on Gemalto
Enter or select data in the Select Request section of Gemalto
4. Select Client as the purpose of generating the certificate.
5. Paste the complete CSR content in the Certificate Request box.
6. Click Sign Request.
Request for certificate signing on Gemalto
7. After the request is signed, click Download to save the signed CSR file to your system.
Download and save the CSR file on Gemalto
8. On the iDRAC GUI, in the SEKM Certificate page, click Upload Signed CSR to upload the file you just got signed on Gemalto. A message is displayed to indicate the successful upload.
Upload the signed CSR certificate on iDRAC GUI

1.3.2 Download the server CA file from Gemalto and upload to iDRAC
1. On the Gemalto GUI, click Security Tab → Local CA.
2. Select the Server CA you are using and click Download. The file is saved to your local system.
Download the server CA file from Gemalto
3. On the iDRAC GUI, in the KMS CA Certificate section, click Upload KMS CA Certificate.
4. Upload the Server CA you just downloaded from Gemalto. A message is displayed to indicate the successful upload.
1.3.3 Configure the Key Management Server (KMS) settings on iDRAC
1. Enter or select data in the fields, and then click Apply.
IMPORTANT: Make sure you already have a user created on the KMS that you will be using for key exchange with the iDRAC.
2. Go to the Job Queue page and ensure that the job ID is marked as successfully completed.
3. If you see any job status failures, view the Lifecycle Logs for more information about the failure.
A job is created on iDRAC for configuring KMS on iDRAC
iDRAC SEKM configuration is now complete.
2 Enable SEKM on the iDRAC PERC
1. On the iDRAC GUI, click Configuration → Storage Configuration.
2. Select your storage controller.
3. Expand Controller Configuration.
4. From the Security (Encryption) drop-down menu, select Secure Enterprise Key Manager.
5. Click Add to Pending Operations.
Enable SEKM on iDRAC PERC
6. Select At Next Reboot. A message is displayed indicating that the job ID is created.
A job is created to enable SEKM on iDRAC PERC
A job is scheduled to enable SEKM on iDRAC PERC
After restarting the server, the configuration job is run in the Automated Task Application to enable SEKM on the PERC. The server is automatically restarted.
9. After the POST or Collecting Inventory operation is completed, ensure that the job ID has been marked as “Completed” on the Job Queue page.
A job successfully run to enable SEKM on iDRAC PERC

2.1 Ensure that SEKM is enabled on iDRAC PERC
1. On the iDRAC GUI, click Storage → Overview.
2. Expand your storage controller and ensure the following statuses:
• Security Status = Security Key Assigned
• Encryption Mode = Secure Enterprise Key Manager
Ensure that SEKM is enabled on your controller
3. On the Gemalto GUI, click the Security tab.
A Key ID is generated and displayed for the user you assigned to the iDRAC. This is the key ID that iDRAC uses for key exchange.
The iDRAC key ID is generated on Gemalto
The SEKM setup operation is completed. You can now start creating locked RAID volumes and perform key exchanges.
3 Configure the SEKM Solution by using iDRAC RACADM CLI
In this workflow example, remote iDRAC RACADM is used to set up the complete SEKM solution for the iDRAC. Gemalto KeySecure is used as the Key Management Server (KMS).
1. Configure the iDRAC SEKM certificate attributes. These must be configured before you generate a CSR file.
2. To set each attribute, run the SET command.
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn set idrac.sekmcert.OrganizationUnit Test
[Key=idrac.Embedded.1#SEKMCert.1]
Object value modified successfully
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn set idrac.sekmcert.StateName Texas
[Key=idrac.Embedded.1#SEKMCert.1]
Object value modified successfully

3.1 Generate a CSR
1. Get the CSR contents signed on the Gemalto server. See Get the CSR file signed on Gemalto.
Get the CSR request signed on Gemalto GUI
3. Select Client as the purpose of generating a certificate.
4. Paste the complete CSR contents and click Sign Request.
Submit a Sign Request job
5. After the CSR is successfully signed, click Download. The signed CSR file is saved to your system.
6. Upload the CSR certificate to the iDRAC. Run the following command at the RACADM CLI:
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn sslcertupload -t 6 -f C:\Users\tester\Downloads\signed_cert.crt
Certificate is successfully uploaded to the RAC.

3.3 Download the server CA file from Gemalto and upload to iDRAC
1. On the Gemalto GUI, click Security Tab → Local CA.
2. Select the Server CA you are using and click Download.
3.4 Upload the Server CA file to the iDRAC
Run the following command at the RACADM CLI:
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn sslcertupload -t 7 -f C:\Users\texas_roemer\Downloads\Server_CA.crt
The certificate is successfully uploaded to the RAC.
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn set idrac.kms.iDRACPassword P@ssw0rd
[Key=idrac.Embedded.1#KMS.1]
Object value modified successfully
3. After configuring all the KMS attributes, enable SEKM on the iDRAC. When you run the command, a job ID is returned.
4. Query the job ID to ensure that the job status is displayed as “Completed”.
5. If you see a job failure, check the Lifecycle logs for more information about the failure:
C:\
4 Enable SEKM on Storage Controllers
1. Get the FQDD of the controller on which you are going to enable SEKM. In this workflow, the controller FQDD is “RAID.Slot.3-1”. Run the following RACADM command at the CLI:
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn storage get controllers -o -p name
RAID.Slot.3-1
Name = PERC H740P Adapter (PCI Slot 3)
2. Use this controller FQDD and run the command to set SEKM as the pending value:
C:\>racadm -r 100.65.99.
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn storage get controllers:RAID.Slot.3-1 -p encryptionmode,keyid
RAID.Slot.3-1
EncryptionMode = Secure Enterprise Key Manager
KeyID = 4163A493F1B50C8E727E9474627DC9D19193B0FEB0F40CAA03FD42DC81447BED
The SEKM solution is now completely set up. You can now create locked RAID volumes and perform key exchanges.
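As an added check that is not part of this white paper, the POSIX shell script below parses captured output of the two verification commands used in this document (racadm sekm getstatus and racadm storage get controllers:<FQDD> -p encryptionmode,keyid) and fails unless iDRAC reports SEKM Enabled and the PERC is in Secure Enterprise Key Manager mode with a hexadecimal key ID; it also reports the “Unverified Changes Pending” and “SEKM Failed” states discussed in the troubleshooting section. The function names are my own and the sample outputs are constructed to mirror the ones shown on this page.

```shell
#!/bin/sh
# Added check (not from the white paper): parse captured RACADM output and
# gate on the SEKM states described in this document. The sample outputs
# below are constructed to mirror the ones shown in the paper.
SEKM_STATUS_OK='SEKM Status = Enabled'
SEKM_STATUS_PENDING='SEKM Status = Unverified Changes Pending'
CONTROLLER_OK='RAID.Slot.3-1
EncryptionMode = Secure Enterprise Key Manager
KeyID = 4163A493F1B50C8E727E9474627DC9D19193B0FEB0F40CAA03FD42DC81447BED'
CONTROLLER_FAILED='RAID.Slot.3-1
EncryptionMode = SEKM Failed
KeyID = '

# Print the value of the first "<name> = <value>" line in captured output.
field_value() {  # $1 = captured output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 only when iDRAC reports SEKM Enabled and the controller is in
# Secure Enterprise Key Manager mode with a non-empty hexadecimal key ID.
# Any other state prints the reason and returns 1 so a deployment script can stop.
sekm_verify() {  # $1 = "racadm sekm getstatus" output, $2 = controller output
    status=$(field_value "$1" 'SEKM Status')
    mode=$(field_value "$2" 'EncryptionMode')
    keyid=$(field_value "$2" 'KeyID')
    case "$status" in
        Enabled) ;;
        'Unverified Changes Pending')
            echo "iDRAC SEKM settings not validated: run 'racadm sekm enable' and re-check"; return 1 ;;
        *) echo "iDRAC SEKM status is '$status'; check the Lifecycle Log"; return 1 ;;
    esac
    case "$mode" in
        'Secure Enterprise Key Manager') ;;
        'SEKM Failed') echo "PERC key exchange failed (SEKM Failed): see section 6.8"; return 1 ;;
        *) echo "controller encryption mode is '$mode', not SEKM"; return 1 ;;
    esac
    case "$keyid" in
        ''|*[!0-9A-Fa-f]*) echo "controller has no valid key ID"; return 1 ;;
    esac
    echo "SEKM verified: controller key ID $keyid"
}

# Stand-alone run over the constructed samples: one success, then two reported failures.
sekm_verify "$SEKM_STATUS_OK" "$CONTROLLER_OK"
sekm_verify "$SEKM_STATUS_PENDING" "$CONTROLLER_OK" || true
sekm_verify "$SEKM_STATUS_OK" "$CONTROLLER_FAILED" || true
```

To use it against a live system, capture the two racadm outputs into variables and pass them to sekm_verify in place of the constructed samples.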
5 Configure SEKM by using a Server Configuration Profile (SCP)
In this workflow example, the Server Configuration Profile (SCP) feature is used to set up the complete SEKM solution for the iDRAC. Gemalto KeySecure is used as the Key Management Server.
1. Using SCP, import the signed SSL certificate, Server CA, and iDRAC KMS attributes.
2. Enable SEKM on the iDRAC.
NewValue = Enabled
Status = Success
ErrCode = 0
SeqNumber = 5963
FQDD = iDRAC.Embedded.1
Job Name = Import Configuration
DisplayValue = Certificate Data
Name = SecurityCertificate.1#CertData
OldValue = ******
NewValue = ******
Status = Success
ErrCode = 0
DisplayValue = Certificate Type
Name = SecurityCertificate.
ErrCode = 0
DisplayValue = iDRAC Password
Name = KMS.1#iDRACPassword
OldValue = ******
NewValue = ******
Status = Success
ErrCode = 0
5. Check that iDRAC SEKM is enabled and that the SSL certificate and Server CA are installed.
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn sekm getstatus
SEKM Status = Enabled
C:\>racadm -r 100.65.99.
Issuer Information:
Country Code (CC) : US
State (S) : Texas
Locality (L) : Round Rock
Organization (O) : Dell EMC
Organizational Unit (OU) : Product Group Validation
Common Name (CN) : Dell CA
Valid From : Feb 14 20:56:48 2019 GMT
Valid To : Feb 12 20:56:48 2029 GMT
6. After setting up iDRAC SEKM, use SCP to enable SEKM on the PERC and create a locked RAID volume.
The SCP file is located on an HTTP share and is imported by using the RACADM set command.
8. After the SCP import job is marked as completed, verify the configuration results to see which changes were applied.
9. Check the storage configuration to ensure that the PERC is in SEKM mode and that the locked volume has been created.
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn set -f 2019-5-17_135217_export.
NewValue = Disk.Virtual.0:RAID.Slot.3-1
Status = Success
SeqNumber = 6091
FQDD = RAID.Slot.3-1
DisplayValue = PERC H740P Adapter
Name = PERC H740P Adapter
Status = Success
DisplayValue = PERC H740P Adapter
Name = PERC H740P Adapter
Status = Success
C:\>racadm -r 100.65.99.179 -u root -p calvin --nocertwarn storage get controllers -o -p encryptionmode,keyid
RAID.Slot.
BadBlocksFound = NO
Secured = YES
RemainingRedundancy = 1
EnhancedCache = Not Applicable
T10PIStatus = Disabled
BlockSizeInBytes = 512
6 Troubleshoot issues while setting up SEKM on iDRAC
This section addresses some of the common issues encountered when using SEKM.

6.1 I installed the SEKM license, but I cannot enable SEKM on iDRAC?
Make sure you update the iDRAC firmware after you install the SEKM license. This is required even if you had a SEKM-supported iDRAC firmware version before installing the SEKM license.
6.5 I checked the SEKM status on iDRAC and it shows “Unverified Changes Pending”. What does that mean?
This means that changes were made to the SEKM settings on iDRAC, but these changes were never validated. Use the racadm command “racadm sekm enable” to enable SEKM so that iDRAC can validate the changes made and set the SEKM status back to either Enabled or Failed.
6.8 I moved a SEKM enabled PERC to another server and now my PERC encryption mode shows as SEKM Failed. How do I enable SEKM on the PERC?
Follow the steps outlined in “I moved a SED from one SEKM enabled PERC to another SEKM enabled PERC on another server and now my drive shows up as Locked and Foreign. How do I unlock the drive?” and restart the host.
6.13 I am unable to roll back iDRAC firmware. What could be the reason for the rollback to be blocked?
Make sure that there are no storage devices that are in SEKM mode. iDRAC will block a rollback to a version that does not support SEKM if any storage devices are in SEKM mode. This is to prevent data lockout, since after the rollback iDRAC would not be able to provide the keys needed to unlock the storage devices.
6.19 I cannot switch the PERC to SEKM mode when it is in eHBA personality mode.
This is expected behavior. In eHBA personality mode, the SEKM encryption mode is not supported.

6.20 Where can I get more information about failures when setting up SEKM, key exchange failures, successful key exchanges, or rekey operations?
In all these cases, refer to the iDRAC Lifecycle logs for detailed log entries.
A Technical support and resources
Dell.com/support is focused on meeting customer needs with proven services and support.