Set Acceptable TLS Versions (using QuickStart)

Set the TLS versions after setting the DNS configuration within the QuickStart Wizard.

  1. When prompted, select the TLS versions to enable:
    (1) TLSv1.0 and higher
    (2) TLSv1.1 and higher
    (3) TLSv1.2 and higher
    (4) TLSv1.3 and higher
  2. Proceed to Name the KMA.

By default, a KMA will accept connections using TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3. While TLSv1.0 is no longer considered secure, if you have KMAs in the cluster running OKM versions prior to OKM 3.1.0, or you have Agents (such as tape drives) that cannot connect using later versions of TLS, you may need to leave all versions of TLS enabled.

OpenSSL 0.9.x and 1.0.0 do not support TLSv1.2. If you configure a KMA to accept only connections that use TLSv1.2, the KMA will not accept connections from an OKM GUI or CLI that uses OpenSSL 0.9.x or 1.0.0. Plan to install the latest OKM GUI and CLIs if you are migrating to OKM 3.3.2 or later.

Table 3-1 Tape Drive TLS Compatibility

Tape Drive Type                       Supported Version of TLS
StorageTek T10000 and 9840            v1.0
IBM LTO with Belisarius 4.x           v1.0
IBM LTO with Belisarius 5.x or LKM    v1.2
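
The following planning helper is an added example, not part of Oracle's documentation or tooling. It applies the compatibility notes and Table 3-1 above to an inventory of peers and returns the strictest QuickStart option that still lets every listed peer connect. Assumptions: Table 3-1 is read as the highest TLS version each drive can use, KMAs older than OKM 3.1.0 are treated as TLSv1.0-only, the OpenSSL 1.0.1 and 1.1.1 thresholds come from OpenSSL's release history rather than this page, and the inventory format and peer names are hypothetical.

```python
import re

# QuickStart menu option -> lowest TLS version the KMA accepts (from the prompt above).
OPTIONS = {1: (1, 0), 2: (1, 1), 3: (1, 2), 4: (1, 3)}

# Table 3-1, read as the highest TLS version each drive type can use (assumption).
TAPE_MAX = {
    "StorageTek T10000": (1, 0),
    "StorageTek 9840": (1, 0),
    "IBM LTO Belisarius 4.x": (1, 0),
    "IBM LTO Belisarius 5.x": (1, 2),
    "IBM LTO LKM": (1, 2),
}

def _ver(text):
    """Parse the leading dotted digits of a version string, e.g. '1.0.0t' -> (1, 0, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def max_tls(kind, detail):
    """Highest TLS version a peer can use, or None if this page does not say."""
    if kind == "tape":
        return TAPE_MAX[detail]
    if kind == "openssl":  # OKM GUI/CLI builds; TLS 1.1/1.2 arrived in 1.0.1, 1.3 in 1.1.1
        v = _ver(detail)
        return (1, 0) if v < (1, 0, 1) else (1, 2) if v < (1, 1, 1) else (1, 3)
    if kind == "okm":  # peer KMA; pre-3.1.0 treated as TLSv1.0-only (assumption)
        return (1, 0) if _ver(detail) < (3, 1, 0) else None
    raise ValueError(f"unknown peer kind: {kind!r}")

def strictest_option(inventory):
    """Return (option, blockers, unverified) for a list of (name, kind, detail)."""
    caps = [(name, max_tls(kind, detail)) for name, kind, detail in inventory]
    known = [(n, c) for n, c in caps if c is not None]
    ceiling = min((c for _, c in known), default=(1, 3))
    option = max(o for o, floor in OPTIONS.items() if floor <= ceiling)
    # Peers sitting at the ceiling are the ones to upgrade before tightening further.
    blockers = [n for n, c in known if c == ceiling and option < 4]
    unverified = [n for n, c in caps if c is None]
    return option, blockers, unverified

# Constructed sample inventory (names are hypothetical).
SAMPLE = [
    ("drive-a", "tape", "IBM LTO Belisarius 5.x"),
    ("admin-cli", "openssl", "1.0.0t"),
    ("kma-2", "okm", "3.3.2"),
]
```

Peers returned in the unverified list are ones this page gives no TLS ceiling for, so confirm their supported versions before choosing an option above (1).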