Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Verify your environment meets these requirements.

Supported hardware

  • CryptoHub, 7.0.3.x or later.

Hitachi VSP requirements

  • Hitachi VSP G900 with firmware 83-03-0x or later.
  • Encryption License Key installed and activated on the VSP.
  • Access to the Service Processor (SVP) for certificate generation and Storage Navigator.

Required access

  • An account on the CryptoHub with administrator permissions.
  • Security Administrator (View & Modify) role in Device Manager - Storage Navigator.
  • Access to the SVP (Service Processor) for OpenSSL certificate operations.

Network and firewall

  • Allow outbound TCP port 5696 (standard KMIP port) from the SVP (Service Processor) to the CryptoHub, specified by FQDN (for example, cryptohub.example.com) or IP address.
  • If connecting by hostname rather than IP, a DNS server must be configured on the SVP’s OS network settings.
TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt the CryptoHub FQDN(s) from inspection. Configure the CryptoHub with a FQDN so the exemption applies.

Certificate requirements

  • The VSP requires mutual TLS 1.2 authentication with X.509 certificates.
  • Root certificate: X.509 format (PEM or DER) from the CA that signed the CryptoHub’s KMIP server certificate.
  • Client certificate: Must be in PKCS #12 format (.p12 or .pfx).
  • The client certificate must include x509v3 extensions. Certificates without these extensions will be silently rejected by the VSP.
  • Self-signed certificates are not supported by the VSP.
  • Client certificate password: 0-128 characters (alphanumeric plus ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~).

Important considerations

KMIP-lock mode is permanently irreversible. If you choose to disable local key generation, there is no way to revert to local key management. Plan this decision carefully.
  • KMS unavailability at boot time: If you enable “Protect the Key Encryption Key on the Key Management Server” and the CryptoHub is unreachable when the VSP powers on, all volumes will be blocked and the system will not fully boot. A secondary KMS is required for this option.
  • SVP replacement destroys KMS settings: If the SVP is replaced due to failure, the client certificate and KMS connection settings are not automatically restored. Maintain independent backups of the PKCS #12 client certificate file and the KMS configuration.
  • Certificate expiration: If the client certificate expires, the storage system completely loses access to the KMS with no grace period. Monitor certificate expiration proactively.

Other requirements

  • OpenSSL must be available on the SVP or a management workstation for certificate generation. On the VSP E990/E1090, OpenSSL is available at C:\Mapp\OSS\apache\bin\openssl. On other models, download OpenSSL to C:\openssl on the SVP.