Abstract: Key management for encrypted data. A node, such as a storage device, obtains a shared key to be used in cryptographic operations. The obtaining includes using an identifier of another node, such as a host of the computing environment, and a unique identifier of the shared key to obtain the shared key. The obtained shared key is then used in one or more cryptographic operations.

Abstract: A computer-implemented method, according to one embodiment, includes: in response to a determination that an available capacity of one or more buffers in a primary cache is not outside a predetermined range, using the one or more buffers in the primary cache to satisfy all incoming I/O requests. In response to a determination that the available capacity of the one or more buffers in the primary cache is outside the predetermined range, one or more buffers in a secondary cache are allocated, and the one or more buffers in the secondary cache are used to satisfy at least some of the incoming I/O requests.

Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.

Abstract: Provided are a computer program product, system, and method for processing request directed through a channel subsystem to a storage server. In one embodiment, a pattern search request is embedded in a Device Command Word (DCW) which allows the storage server to do all or substantially all of the search and comparison work in response to as few as a single DCW from the host. In addition, I/O processing can be enhanced to use the target record of interest of a successful embedded pattern search request as the starting point for read/write I/O processing, all in response to as few as a single DCW. Still further, orientation rules can also be relaxed such that once a target record is found, any and all fields of the record can be accessed and utilized in execution of subsequent commands of the initial or subsequent DCWs of the chain.

Abstract: A host is configured to communicate with a storage controller over a first storage area network. A request is transmitted from the host to the storage controller to provide read diagnostic parameters of a second storage area network that is used to mirror data controlled by the storage controller to another storage controller. The host receives the read diagnostic parameters of the second storage area network from the storage controller.

Abstract: Provided are a computer program product, system, and method for processing request directed through a channel subsystem to a storage server. In one embodiment, a pattern search request is embedded in a Device Command Word (DCW) which allows the storage server to do all or substantially all of the search and comparison work in response to as few as a single DCW from the host. In addition, I/O processing can be enhanced to use the target record of interest of a successful embedded pattern search request as the starting point for read/write I/O processing, all in response to as few as a single DCW. Still further, orientation rules can also be relaxed such that once a target record is found, any and all fields of the record can be accessed and utilized in execution of subsequent commands of the initial or subsequent DCWs of the chain.

Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and a second encryption key. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key and the second encryption key. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.

Abstract: A path for a node of a computing environment is secured. The securing includes obtaining, by the node, a message that includes an identifier of a shared key and an encrypted message. The node obtains the shared key from a key server and uses it to decrypt the encrypted message to obtain an encryption key and one or more parameters. A security parameters index to be associated with the encryption key and the one or more parameters is obtained. The node sends a response message to another node, the response message including the security parameters index.

Abstract: A computer-implemented method, according to one embodiment, includes: in response to a determination that an available capacity of one or more buffers in a primary cache is not outside a predetermined range, using the one or more buffers in the primary cache to satisfy all incoming I/O requests. In response to a determination that the available capacity of the one or more buffers in the primary cache is outside the predetermined range, one or more buffers in a secondary cache are allocated, and the one or more buffers in the secondary cache are used to satisfy at least some of the incoming I/O requests.

Abstract: A computer-implemented method, according to one approach, includes: receiving a stream of incoming I/O requests, all of which are satisfied using one or more buffers in a primary cache. However, in response to determining that the available capacity of the one or more buffers in the primary cache is outside a predetermined range: one or more buffers in the secondary cache are allocated. These one or more buffers in the secondary cache are used to satisfy at least some of the incoming I/O requests, while the one or more buffers in the primary cache are used to satisfy a remainder of the incoming I/O requests. Moreover, in response to determining that the available capacity of the one or more buffers in the primary cache is not outside the predetermined range: the one or more buffers in the primary cache are again used to satisfy all of the incoming I/O requests.

Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.

Abstract: A host port is enabled for security. In response to a determination by the host port that authentication or security association negotiation with a storage port cannot be completed successfully, the host port determines whether an audit mode indicator has been enabled in a login response from the storage port. The host port preserves input/output (I/O) access to the storage port based on determining whether the audit mode indicator has been enabled in the login response from the storage port.

Abstract: A computational device receives an indication of a minimum retention time in a cache for a plurality of tracks of an application. In response to determining that tracks of the application that are stored in the cache exceed a predetermined threshold in the cache, the computational device demotes one or more tracks of the application from the cache even though a minimum retention time in cache has been indicated for the one or more tracks of the application, while performing least recently used (LRU) based replacement of tracks in the cache.

Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.

Abstract: A storage port receives a login request. The storage port configures an audit mode indicator as enabled in a login response to a host port to enter a security enabled mode to indicate to the host port that Input/Output (I/O) operations are to be transmitted from the host port to the storage port even if authentication or security association negotiation with the storage port cannot be completed successfully.

Abstract: A host port is enabled for security. In response to a determination by the host port that authentication or security association negotiation with a storage port cannot be completed successfully, the host port determines whether an audit mode indicator has been enabled in a login response from the storage port. The host port preserves input/output (I/O) access to the storage port based on determining whether the audit mode indicator has been enabled in the login response from the storage port.

Abstract: A storage controller is configured to communicate with a host over a first storage area network. Data controlled via the storage controller is mirrored to another storage controller over a second storage area network. The storage controller receives a request from the host to provide read diagnostic parameters of the second storage area network. In response to receiving the request, the storage controller secures the read diagnostic parameters of the second storage area network. The storage controller transmits the read diagnostic parameters of the second storage area network to the host.

Abstract: A storage port receives a login request. The storage port configures an audit mode indicator as enabled in a login response to a host port to enter a security enabled mode to indicate to the host port that Input/Output (I/O) operations are to be transmitted from the host port to the storage port even if authentication or security association negotiation with the storage port cannot be completed successfully.

Abstract: Provided are a computer program product, system, and method embodiments for reverting from a new security association to a previous security association in response to an error during a rekey operation. The responder maintains a first security association with the initiator having a first key to use to encrypt and decrypt messages transmitted with the initiator. The responder receives a message from the initiator for a rekey operation to establish a second security association with the initiator using a second key. The responder queues Input/Output (I/O) for transmission using the second key after completing the rekey operation. After activating the second security association, the responder receives a revert message from the initiator to revert back to using the first security association and first key in response to a failure of the rekey operation.

Abstract: In response to receiving a login request message with a security indicator enabled for security, a storage port establishes a security association by transmitting a response indicating a login accept with the security indicator enabled for security. In response to establishing the security association, the storage port modifies a protocol behavior for transmitting and receiving information units.