Abstract: Aspects of the invention include channel key loading of a host bus adapter (HBA) based on a secure key exchange (SKE) authentication response by a responder node of a computing environment. A non-limiting example computer-implemented method includes receiving an authentication response message at an initiator channel on an initiator node from a responder channel on a responder node to establish a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A state check can be performed based on a security association of the initiator node and the responder node. An identifier of a selected encryption algorithm can be extracted from the authentication response message. The initiator channel can request to communicate with the responder channel based at least in part on a successful state check and the selected encryption algorithm.

Abstract: Aspects of the invention include initializing a local key manager (LKM) on a node of a computing environment. The node includes a plurality of channels. The LKM is configured to provide a secure data transfer between the node and an other node of the computing environment. A connection is established, by the LKM, between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node. In response to establishing the connection, the LKM registers security capabilities of the plurality of channels. The security capabilities are used by the LKM to provide the secure data transfer between the node and the other node.

Abstract: Aspects of the invention include receiving a request from an initiator channel on an initiator node to initiate a secure communication with a responder channel on a responder node. The receiving is at a local key manager (LKM) executing on the initiator node. A security association is created at the LKM between the initiator node and the responder node. An identifier of a shared key assigned for communication between the initiator node and the responder node is obtained, and a message requesting initialization of the secure communication between the initiator channel and the responder channel is built. The message includes the identifier of the shared key. The message is sent to the initiator channel.

Abstract: A host port is enabled for security. In response to a determination by the host port that authentication or security association negotiation with a storage port cannot be completed successfully, the host port determines whether an audit mode indicator has been enabled in a login response from the storage port. The host port preserves input/output (I/O) access to the storage port based on determining whether the audit mode indicator has been enabled in the login response from the storage port.

Abstract: Aspects of the invention include generation of a secure key exchange (SKE) authentication response by a responder node of a computing environment. A computer-implemented method includes receiving an authentication request message at a responder channel on the responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication request message is performed. A proposal list of the authentication request message is checked. An authentication response message is built based at least in part on a successful state check, a successful validation, and selecting an encryption algorithm from the proposal list. The authentication response message is sent from the LKM to the responder channel.

Abstract: A host port is enabled for security. In response to a determination by the host port that authentication or security association negotiation with a storage port cannot be completed successfully, the host port determines whether an audit mode indicator has been enabled in a login response from the storage port. The host port preserves input/output (I/O) access to the storage port based on determining whether the audit mode indicator has been enabled in the login response from the storage port.

Abstract: Provided are a computer program product, system, and method embodiments for reverting from a new security association to a previous security association in response to an error during a rekey operation. The responder maintains a first security association with the initiator having a first key to use to encrypt and decrypt messages transmitted with the initiator. The responder receives a message from the initiator for a rekey operation to establish a second security association with the initiator using a second key. The responder queues Input/Output (I/O) for transmission using the second key after completing the rekey operation. After activating the second security association, the responder receives a revert message from the initiator to revert back to using the first security association and first key in response to a failure of the rekey operation.

Abstract: In response to receiving a login request message with a security indicator enabled for security, a storage port establishes a security association by transmitting a response indicating a login accept with the security indicator enabled for security. In response to establishing the security association, the storage port modifies a protocol behavior for transmitting and receiving information units.

Abstract: Provided are a computer program product, system, and method embodiments for reverting from a new security association to a previous security association in response to an error during a rekey operation. An initiator maintains a first security association with the responder having a first key to use to encrypt and decrypt data transmitted with the responder. The initiator initiates a rekey operation to establish a second security association with the responder using a second key. The initiator detects a failure of the rekey operation after the responder started using the second key for transmissions. A revert message is sent to the responder to revert back to using the first security association and first key in response to detecting the failure of the rekey operation.

Abstract: Aspects of the invention include channel key loading of a host bus adapter (HBA) based on a secure key exchange (SKE) authentication response by a responder node of a computing environment. A non-limiting example computer-implemented method includes receiving an authentication response message at an initiator channel on an initiator node from a responder channel on a responder node to establish a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A state check can be performed based on a security association of the initiator node and the responder node. An identifier of a selected encryption algorithm can be extracted from the authentication response message. The initiator channel can request to communicate with the responder channel based at least in part on a successful state check and the selected encryption algorithm.

Abstract: Provided are a computer program product, system and method embodiments for secure communication between an initiator and a responder over a network. The responder receives, from the initiator, a security association initialization message to establish a security association with the responder including key material used to generate a key for the security association. The responder receives an authentication message from the initiator to program the responder to establish authentication between the responder and the initiator after establishing the security association. The responder sends an authentication message response to the initiator to establish authentication with the responder in response to the authentication message. The responder sends an authentication done message to the initiator after sending the authentication message response to cause the initiator to activate using the security association and the key to encrypt and decrypt communication between the responder and initiator.

Abstract: Provided are a computer program product, system and method embodiments for secure communication between an initiator and a responder over a network. The initiator sends a security association initialization message to the responder to establish a security association including key material used to generate a key for the security association. In response to receiving a security association initialization response to accept the security association, the initiator sends an authentication message to the responder to establish authentication between the responder and the initiator. In response to receiving an authentication message response to the authentication message, the initiator is programmed with the security association. An authentication done message is received from the responder after receiving the authentication message response.

Abstract: A storage port is enabled for security. The storage port performs Input/Output (I/O) in plaintext on a path between the storage port and a host port, in response to determining that an audit mode indicator has been enabled to allow I/O even if authentication or security association negotiation between the storage port and the host port cannot be completed successfully. Concurrently with performing of I/O in plaintext on the path, the storage port enables encryption of data for I/O on the path.

Abstract: A host port is enabled for security. The host port performs Input/Output (I/O) in plaintext on a path between the host port and a storage port, in response to determining that an audit mode indicator has been enabled to allow I/O even if authentication or security association negotiation between the host port and the storage port cannot be completed successfully. Concurrently with performing of I/O in plaintext on the path, the host port enables encryption of data for I/O on the path.

Abstract: Aspects of the invention include channel key loading of a host bus adapter (HBA) based on a secure key exchange (SKE) authentication response by a responder node of a computing environment. A non-limiting example computer-implemented method includes receiving an authentication response message at an initiator channel on an initiator node from a responder channel on a responder node to establish a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication response message is performed. An identifier of a selected encryption algorithm is extracted from the authentication response message. The initiator channel requests to communicate with the responder channel based at least in part on a successful state check, a successful validation, and the selected encryption algorithm.

Abstract: Aspects of the invention include receiving a request from an initiator channel on an initiator node to initiate a secure communication with a responder channel on a responder node. The receiving is at a local key manager (LKM) executing on the initiator node. A security association is created at the LKM between the initiator node and the responder node. An identifier of a shared key assigned for communication between the initiator node and the responder node is obtained, and a message requesting initialization of the secure communication between the initiator channel and the responder channel is built. The message includes the identifier of the shared key. The message is sent to the initiator channel.

Abstract: Aspects of the invention include initializing a local key manager (LKM) on a node of a computing environment. The node includes a plurality of channels. The LKM is configured to provide a secure data transfer between the node and an other node of the computing environment. A connection is established, by the LKM, between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node. In response to establishing the connection, the LKM registers security capabilities of the plurality of channels. The security capabilities are used by the LKM to provide the secure data transfer between the node and the other node.

Abstract: Aspects of the invention include channel key loading of a host bus adapter (HBA) based on a secure key exchange (SKE) authentication response by a responder node of a computing environment. A non-limiting example computer-implemented method includes receiving an authentication response message at an initiator channel on an initiator node from a responder channel on a responder node to establish a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication response message is performed. An identifier of a selected encryption algorithm is extracted from the authentication response message. The initiator channel requests to communicate with the responder channel based at least in part on a successful state check, a successful validation, and the selected encryption algorithm.

Abstract: Aspects of the invention include generation of a secure key exchange (SKE) authentication response by a responder node of a computing environment. A computer-implemented method includes receiving an authentication request message at a responder channel on the responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication request message is performed. A proposal list of the authentication request message is checked. An authentication response message is built based at least in part on a successful state check, a successful validation, and selecting an encryption algorithm from the proposal list. The authentication response message is sent from the LKM to the responder channel.

Abstract: In response to receiving a login request message with a security indicator enabled for security, a storage port establishes a security association by transmitting a response indicating a login accept with the security indicator enabled for security. In response to establishing the security association, the storage port modifies a protocol behavior for transmitting and receiving information units.