Dell PowerVault TL2000 Dell PowerVault ML6000 Encryption Key Manager User's
Dell PowerVault TL2000 Manual
Dell PowerVault TL2000 manual content summary:
- Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 1
Dell™ PowerVault™ Encryption Key Manager User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 2
in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, the DELL logo and PowerVault are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 3
Encryption Key Manager Environment 2-1 Encryption Setup Tasks at a Glance 2-1 Encryption Key Manager Setup Tasks . . . . 2-1 Planning for Library-Managed Tape Encryption 2-1 Hardware and Software Requirements . . . . . 2-2 Linux Solution Components 2-2 Windows Solution Components 2-3 Keystore - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 4
Appendix A. Sample Files A-1 Sample startup daemon script A-1 Linux Platforms A-1 Sample Configuration Files A-1 Appendix B. Encryption Key Manager . . B-9 Appendix C. Frequently Asked Questions C-1 Notices D-1 Trademarks D-1 Glossary E-1 Index X-1 iv Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 5
Tape Drive Request for Encryption Write Operation 2-4 LTO 4 or LTO 5 Tape Accessing the Same Devices 2-9 3-1. 3-2. 3-3. 3-4. 3-5. 3-6. 3-7. 3-8. 3-9. 3-10. 5-1. 5-2. Choose Destination Location window 3-3 Set this version of JVM to default of Keys 3-15 Change Default Write Key Group 3-16 - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 6
vi Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 7
Tables 1. Typographic Conventions used in this Book ix 1-1. Encryption Key Summary 1-7 2-1. Minimum Software Requirements for Linux 2-2 2-2. Minimum Software Requirements for Windows 2-3 6-1. Errors that are reported by the encryption key manager 6-5 7-1. Audit record types that the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 8
viii Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 9
Preface About this Book This manual contains information and instructions necessary for the installation and operation of the Dell™ Encryption Key Manager. It includes concepts and procedures pertaining to: Encryption-capable LTO 4 and LTO 5 Tape Drives; Cryptographic keys; Digital - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 10
Started with the Dell™ PowerVault™ TL2000 and TL4000 Tape Libraries provides installation information. Dell™ PowerVault™ TL2000 Tape Library and TL4000 Tape Library SCSI Reference provides supported SCSI commands and protocol governing the behavior of SCSI interface. Linux Information Red Hat - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 11
several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell for sales, technical support, or customer service issues: 1. Visit http://support.dell.com. 2. Verify your country or - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 12
xii Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 13
comprises three major elements: The Encryption-Enabled Tape Drive: All LTO 4 and LTO 5 Tape Drives must be enabled through the library interface. See "Hardware and Software Requirements" on page 2-2 for more information on tape drives. Encryption Key Management: Encryption involves the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 14
being written to, and decrypt information being read from, tape media (tape and cartridge formats). The Encryption Key Manager operates on Linux (SLES and RHEL) and Windows, and is designed to run in the background as a shared resource deployed in several 1-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 15
available on the Dell Encryption Key Manager graphical user interface (GUI). errors do not occur. However, if the machine hosting the Encryption Key Manager is not using Error Correction Code communication path between itself and the tape library. When a tape drive writes encrypted data, it first - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 16
tape storage. See "Application-Managed Tape Encryption" for supported applications. Library Layer The enclosure for tape storage, such as the Dell PowerVault TL2000/TL4000 and ML6000 family. A modern tape library or used by, application-managed tape encryption. The following minimum version - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 17
supported in LTO 4 and LTO 5 Tape Drives in: Dell™ PowerVault™ TL2000 Tape Library; Dell™ PowerVault™ TL4000 Tape Library; Dell™ PowerVault™ ML6000 Tape Library. See your tape backup software application documentation to learn how to manage encryption policies and keys. Library-Managed Tape - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 18
server database, for example, in order for the volume to be read. LTO 4 and LTO 5 Tape Drives can use applications such as Yosemite (for Dell PowerVault TL2000 and TL4000 Tape Libraries), CommVault, and Symantec Backup Exec for application-managed encryption. Alternatively, LTO 4 and LTO - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 19
of encryption keys that may be used for each volume depends on the tape drive, the encryption standard, and method used to manage the encryption. For transparent encryption of LTO 4 and LTO 5 (that is, using library-managed encryption with the Encryption Key Manager), the uniqueness of DKs - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 20
1-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 21
Setup Tasks at a Glance Before you can use the encryption capability of the tape drive, certain software Software Requirements" on page 2-2.) Install Java Unrestricted Policy Files. (See "Hardware and Software "Automatically Update Tape Drive Table Planning for Library-Managed Tape Encryption In - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 22
.com 32-bit Intel® compatible Tape Libraries: For the Dell PowerVault TL2000 Tape Library, TL4000 Tape Library, and ML6000 Tape Library, ensure that the firmware level is the latest available. For firmware updates, visit http://support.dell.com. 2-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 23
Version 6.0 SR5 Tape Libraries: For the Dell™ PowerVault™ TL2000 Tape Library, Dell™ PowerVault™ TL4000 Tape Library, and Dell™ PowerVault™ ML6000 Tape Library, ensure that the firmware level is the latest available. For firmware updates, visit http://support.dell.com. Tape Drive: For - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 24
Tape Drives The Dell Encryption Key Manager and its supported tape a specific alias for the tape drive Tape Drive Request for Encryption Write Operation 1. Tape drive requests key to encrypt tape 2. Encryption Key Manager verifies tape device in Drive Table 2-4 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 25
can recover it as needed and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library. Failure to backup your keystore properly will result in irrevocably losing all access to your encrypted data. There are many ways to backup this keystore - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 26
(be careful not to encrypt this copy using the encrypting tape drives as it would be impossible to decrypt it for recovery Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and enter . ./LaunchEKMGui Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 27
tape drives and libraries to allow redundancy, and thus high availability, so you can have multiple key managers servicing the same tape drives and libraries . They must be copied manually. Encryption Key Manager Server Configurations The Encryption Key Manager may be installed on a single-server or - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 28
manually. Refer to "Synchronizing Data Between Two Key Manager Servers" on page 4-2 for more information. [Figure: Primary Encryption Key Manager and Secondary Encryption Key Manager, each with Key Store, Drive Table, Config File and Key Groups; Tape Library] - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 29
[Figure: Tape Library A, Tape Library B, Tape Library C] Figure 2-6. Two Servers with Different Configurations Accessing the validity of a certificate can be verified if it was securely guarded in transit. Failure to verify a certificate's validity in one of these ways may open the door to - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 30
then be able to read the data on the tape. Federal Information Processing Standard 140-2 Considerations Federal documentation from specific hardware and software cryptographic providers for information on whether their products are FIPS 140-2 certified. 2-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 31
go to http:// support.dell.com. Installing the Encryption Key Manager on Linux Installing the Encryption Key Manager on Linux From the CD 1. Insert the Dell Encryption Key Manager CD and enter Install_Linux from the CD root directory. The installation copies all contents (documentation, GUI files - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 32
Install the Software Developer Kit Manually on Linux Follow these steps if you are not installing from the CD. 1. From http://support.dell.com, download the correct runtime environment for Java based on your operating to launch the Encryption Key Manager. 3-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 33
Destination Location window Click Next. 5. A window opens asking if you want this Java Runtime Environment as the default system JVM (Figure 3-2). Figure 3-2. Set this version of JVM to default Click No. 6. The Start Copying Files window opens (Figure 3-3 on page 3-4). Make sure you have taken note - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 34
window Click Next. 7. The status window indicates installation progress. 8. The Browser Registration window -20090 | 519_35743 (JIT enabled, AOT enabled) | ... 10. Update the PATH variable as follows:(required for Encryption Key Manager 2.1 but optional Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 35
. The default install is C:\PROGRA~1\IBM\Java60\jre\bin. IMPORTANT: Insert a semicolon at the end of the path can use the Dell Encryption Key Manager Server Graphical User Interface (GUI to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and enter . ./ - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 36
list in system memory while running in order to have quick access to the keys when the library sends a key request from the drive. Note: Interrupting the Encryption Key Manager GUI during key generation requires an Encryption Key Manager re-install. 3-6 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 37
Encryption Key Manager was interrupted during the initial Encryption Key Manager install, navigate to the directory where the Encryption Key Manager directory time stamp as part of the file name (for example, 2007_11_19_16_38_31_EKMKeys.jck). The date and time stamp must be removed once the file is - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 38
. If the Encryption Key Manager application is installed in a Linux system, the Encryption Key Manager application displays the accessing the network configuration. In a Windows system, open a command window and enter ipconfig. For Linux enter ifconfig. 3-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 39
userID = EKMAdmin and password = changeME (This is the default Password. If you previously changed the default password use your new password.) Once login is successful User successfully logged in is displayed. 4. Identify the SSL port by entering the following command: status The displayed response - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 40
. After generating keys and aliases, update the symmetricKeySet property in the KeyManagerConfig. Linux machine because of ^M. If you use Windows, edit the file with gvim/vim. 3. Change the property value(s) according to the directions provided in this document Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 41
Linux platforms Navigate to /var/ekm and enter . ./updatePath.sh The Keytool utility generates aliases and symmetric keys for encryption on LTO 4 and LTO 5 Tape Drives using LTO 4 and LTO 5 tape password, do not change it unless its security has been breached. See "Changing Keystore Passwords - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 42
KeyManagerConfig.properties to change the keystore password in every server configuration file property where to serve to the LTO 4 and LTO 5 drives for tape encryption: -keyalias Specifies the alias of a private key ] [-storepass ] 3-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 43
LTO 5 drives for tape encryption: -alias Specify an Alias and Symmetric Key Setup for LTO 4 and password setup the keysize 256 -keypass password -storetype jceks - -keystore option. Update the symmetricKeySet property Other causes for validation check failure may include incorrect bit size - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 44
way, you can group keys according to the type of data they encrypt, the users who have access to them, or by any other meaningful characteristic. Once a key group is created, you can associate it with a specific tape drive using the -symrec keyword in the adddrive command. See "adddrive" on page - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 45
to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and default key group: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Change Default Write Key Group at the bottom of the window (Figure 3-8 on page 3-16). Chapter 3. Installing - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 46
of the window and click Submit Changes. To assign a specific key group to a specific tape drive: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Assign Group to Drive at the bottom of the window (Figure 3-9 on page 3-17). 3-16 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 47
the key group from the Group List. 5. Verify the drive and key group at the bottom of the window and click Submit Changes. To delete a tape drive from the drive table: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Delete Drive at the bottom of the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 48
key group alias password. Therefore no key in the KeyGroups.xml file is in the clear. Example: createkeygroup -password a75xynrd 2. Run the addkeygroup command. This command creates an instance of a key group with a unique Group ID in the KeyGroups.xml. 3-18 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 49
for addition to a specific key group ID. Syntax front of the 10-digit serial number to reach a total of 12 digits. -symrec Specifies an alias (of the symmetric key) or a groupID for the tape drive. Example: adddrive -drivename 000123456789 -symrec keygroup1 To specify a key group as default - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 50
Copying Keys From One Key Group to Another Run addaliastogroup command. This command copies a specific alias from an existing (source) key group to a new (target) key group. Syntax keygroup1 -targetGroupID keygroup2 Note: Key is available in both key groups. 3-20 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 51
enter the 10-digit serial number for each of the tape drives the Encryption Key Manager will service, it also allows a default environment for large systems configurations. It should be noted that such convenience comes at the price of reduced security. Since the devices are added automatically - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 52
between two Encryption Key Manager servers. This can be done manually by using the CLI client sync command or automatically by setting file is always a rewrite.) This is the default. -rewrite Replace the current data on the receiving server with new data. 4-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 53
receiving server Valid values are merge (default) and rewrite. Synchronizing the configuration advantage of additional configuration options. Note to Windows Users: Windows does not accept commands with directory with your tape drives to this new keystore. (See "Generating Chapter - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 54
edit the file for a Linux machine because of ^M. If you use Windows, edit the file with gvim/vim. Note to Windows Users: The Java SDK uses tape drives that contact the Encryption Key Manager to be automatically added to the drive table. The default is false. 5. The following optional password - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 55
property is set to LocalOS, additional setup is required for Linux platforms. For more information, see the readme file at http://support.dell.com or on the Dell Encryption Key Manager media provided with your product. "Authenticating CLI Client Users" on page 5-5 contains more information. 7. Save - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 56
4-6 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 57
being lost in the event of a system crash or power outage. Start the Encryption Key Manager server from the Dell Encryption Key Manager GUI: 1. Open the GUI if it is not yet started: On Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and enter - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 58
IP address of the host system, locate the IP port address by accessing the network configuration. In a Windows system open a command window and enter ipconfig. For Linux enter ifconfig. 6. Click Login. Use the same Server Status page to stop the server. Starting the Key Manager Server Using a Script - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 59
cleanly. For example, on Linux systems, enter kill -SIGTERM pid or kill -15 pid. On Windows platforms, when the Dell Encryption Key Manager is started as a Windows Service, it can be stopped from the Control Panel. Installing the Key Manager Server as a Windows Service Installing default install - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 60
to be passed in as an argument. The default path and filename are C:\ekm\gui\ KeyManagerConfig.properties. -u Uninstalls the key manager Windows Service if you no longer need to run it as a service. Note that the EKMServer service must be stopped before it 5-4 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 61
. Now your user ID and password for the Encryption Key Manager server match the OS user account. Note that only users allowed to login and submit commands to the server and have administrator privileges can manage the Encryption Key Manager server For local OS-based authentication on Linux platforms - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 62
support.dell.com and extract the files to a directory of your choice. 2. Locate the LocalOS directory in the download. 3. Copy the libjaasauth.so file from the JVM-JaasSetup directory appropriate to your platform to java_home/jre/bin. On 32-bit Intel Linux environments, copy the LocalOS-setup - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 63
execute this command file, start the CLI client: java com.ibm.keymanager.admin.KMSAdminCmd CLIconfiglfile_name -filename clifile One command at a time You can run a single command at a time by specifying the CLI userid_ID and password for each command. From any command window or shell, enter: java - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 64
Automatically Update Tape Drive Table" on page 4-1 to learn how to add tape drives Note: You must add two leading zeros (0) in front of the 10-digit serial number to reach a specific key group ID. addkeygroupalias -alias aliasname -groupID groupname 5-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 65
the CLI client's user (EKMAdmin) default password. chgpasswd -new password -new The new password that replaces the previous password. Example: chgpasswd - . -alias The aliasname for the key alias to be removed. Example: delgroupalias -groupID keygroup1 -alias aliasname Chapter 5. Administering the Encryption - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 66
the new data with current data. -rewrite Replace the current data with new data. -drivetab Import the drive table. -config Import the configuration file. 5-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 67
List symmetric keys in the specified keystore. -alias alias specifies a specific certificate to list. -verbose|-v Display more information about the certificate(s). Examples contents of the KeyManagerConfig.properties file plus any updates made with the modconfig command. listconfig listdrives List - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 68
CLI Client Users" on page 5-5). -ekmpassword Valid password for user ID. Example: login -ekmuser EKMAdmin -ekmpassword changeME logout Logs off the current user. Equivalent -symrec [alias]} -drivename drivename specifies the serial number of the tape drive. 5-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 69
symmetric key) or a key group name for the tape drive. Example: moddrive -drivename 000123456789 -rec1 newalias1 refresh status Displays whether key manager server is started or stopped. Example: status keystore or KeyGroups.xml file. These must be copied manually. sync {-all | -config | -drivetab} - - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 70
file of the receiving server. -merge Merge new drive table data with current data. (The configuration file is always a rewrite.) This is the default. -rewrite Replace the current data with new data. Example: sync -drivetab -ipaddr remoteekm.ibm.com:443 -merge version Displays the version of the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 71
Entries for Keystore Passwords Greater than 127 Characters When the Encryption Key Manager is installed as a Windows Service and the keystore passwords in the KeyManagerConfig Default keystore failed to load native_stderr.log at com.ibm.keymanager.KeyManagerException: Default keystore failed to load - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 72
about authentication. Debugging Key Manager Server Problems Most problems concerning the key manager involve configuration or starting the key manager server. Refer to Appendix B, Default Configuration File, for information on specifying the debug property. 6-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 73
fails to start, check for a firewall. Either a software firewall or a hardware firewall may be blocking the Encryption Key Manager from accessing the port. EKM server not started. EKM.properties config could not be loaded or found. 1. This error occurs when starting the KMSAdminCmd or EKMLaunch - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 74
server. Find ports that are not in use by another service and use those to configure the Key Manager server. 3. On systems running Linux operating systems, this error may occur if one or both of the ports are lower than 1024 and the user starting the Key Manager server is not root. Modify the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 75
or proxy server firmware and update them to the latest release, if needed. Enable debug tracing on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 76
Check the versions of drive or proxy server firmware and update them to the latest release, if needed. Enable debug tracing and retry the operation. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for information on getting - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 77
the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for information on getting technical assistance. EE2C Encryption Read Message Failure: The tape drive asked the Encryption Key QueryDSKParameterError: ″Error parsing a Manager - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 78
logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for information on getting technical assistance. EE2E Encryption Read Message Failure: Internal The message received from the drive or error: Invalid signature type - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 79
drive or proxy server firmware and update them to the latest release, if needed. Enable debug on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 80
modconfig command. Operator Response Check the command syntax using help make sure parameters supplied are correct. Please check the audit logs for more information. 6-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 81
correct. Please check the audit logs for more information. File Name Cannot be Null Text File name was not supplied for audit log file. Chapter 6. Problem Determination 6-11 - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 82
using config.drivetable.file.url. Check the syntax using help and retry the sync command. Invalid Input Text Invalid input parameters for the CLI. 6-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 83
valid port number for the TransportListener.tcp.port property in the configuration file when starting the Encryption Key Manager and try to restart. The default TCP port number is 3801. Must Specify SSL Port Number in Configuration File Text SSL port number is not configured in the properties file - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 84
.port property and try to restart the Encryption Key Manager. The default TCP port number is 3801. Server Failed to Start Text EKM Explanation The Encryption Key Manager server cannot start because of configuration problems. Operator Response Check the parameters in the configuration file supplied. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 85
cannot be loaded. Admin keystore is used between Encryption Key Manager servers for server side communication in multi-server environment. System Response The Encryption Key Manager does not start. Operator Response Check the configuration file setup. Make sure the properties admin.keystore.file - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 86
password supplied for admin keystore either through transport.keystore.password property or entered on the command line is correct. Try restarting Encryption Key Manager. Unsupported Action Text User entered action for the CLI which is not supported for EKM. 6-16 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 87
Explanation Action supplied for sync command is not supported or understood by the Encryption Key Manager. The valid actions are merge or rewrite. Operator Response Check the command syntax using help and try again. Chapter 6. Problem Determination 6-17 - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 88
6-18 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 89
records may change from release to release. The format is documented in this chapter in case some parsing of the audit term, continuous log location and then cleared. Be careful not to remove or alter the file which is having records written to it by occur as a part of processing operations and requests - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 90
Used to set the maximum number of event objects to be held in the memory queue. This parameter is optional but recommended. The default is zero. Example Audit.eventQueue.max=8 Audit.handler.file.directory Syntax Audit.handler.file.directory=directoryName - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 91
start. It is recommended that the directory exist prior to running the Encryption Key Manager. Note also that the User ID under which the Encryption Key Manager runs must have write access to the directory specified. Examples To set the directory to /var/ekm/ekm1/audit: Audit.handler.file.directory - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 92
. Use of multiple threads is the default behavior. Examples An example setting the base an audit log entry. This value is used during clean up processing to allow threads to complete their work before type, along with information specific to the audit event which - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 93
The format for these records is: Authentication event:[ timestamp=timestamp event source=source outcome=outcome event type=SECURITY_AUTHN message=message authentication type=type users=users ] Note that the message value only appears if information for it is available. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 94
event source=source outcome=outcome event type=SECURITY_MGMT_RESOURCE message=message action=action user=user resource=resource ] Note that the message value only appears if event source=source outcome=outcome event type=SECURITY_MGMT_CONFIG message=message - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 95
processed successfully runtime Message processing started runtime Command line processing started runtime Problem found using cryptographic services runtime New drive discovered runtime Error configuring drive to drive table runtime Successfully started processing messages from drive - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 96
configuration_management Error importing configuration configuration_management Configuration export successful configuration_management Error exporting configuration configuration_management listconfig command successful configuration_management - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 97
that captures vital information as data is being encrypted and written to tape. This file can be queried by volume serial number to display the rolled over to a new file after a maximum file size is reached. The default maximum file size for rollover, which can also be set in the Encryption Key - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 98
the metadata file. This tool parses the XML file using Document Object Model (DOM) techniques and cannot be run from properties file. -volser The volume serial number of the tape cartridge you are searching for in the XML file. error similar to the following: - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 99
ibm.keymanager.tools.EKMDataParser.a(EKMDataParser.java:26) at com.ibm.keymanager.tools.EKMDataParser.main(EKMDataParser.java:93) If this error occurs, it is due to a missing XML ending tag for an element. The Encryption Key Manager metadata file can be recovered to allow the EKMDataParser to parse - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 100
- Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 101
Sample startup daemon script Attention: It is impossible to overstate the importance of preserving your keystore data. Without access to your keystore you will be unable to decrypt your encrypted tapes. Ensure that you save your keystore and password information. Linux Platforms The following is - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 102
Admin.ssl.keystore.name = /keymanager/adminkeys.jceks Admin.ssl.keystore.type = jceks Admin.ssl.truststore.name = /keymanager/admintrustkeys Admin.ssl.truststore.type = jceks Audit.event.outcome = success,failure .type = jceks TransportListener.tcp.port = 3801 - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 103
end of a line may be interpreted as part of a property value. Sample configuration properties files are available for download at http://support.dell Optional. Values Possible values are any cipher suites supported by IBMJSSE2. Default JSSE_ALL Admin.ssl.keystore.name = value This is the name - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 104
separated by comma or semicolon. Default success Audit.event.Queue.max = 0 The maximum number of event objects in the audit memory queue before they will be flushed to file. Required Optional. Recommended. Values 0 - ? (0 means flush immediately.) - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 105
Audit.metadata.file.cachecount = 100 Specifies the number of records to store in memory before writing the metadata file. Required No Default 100 Audit.metadata.file.name = value Specifies the name of the XML file where metadata records are to be saved. Required Yes. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 106
Default 1024 config.drivetable.file.url = FILE:../filedrive.table File containing information concerning the tape .password = password Password to access admin | transport | logic | keystore | console | none. Can take multiple values separated by commas. Default - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 107
the KeyManagerConfig.properties file.) The CLI client user must login to the server with OS usr/passwd. For local OS-based authentication on Linux platforms, additional steps are required: 1. Download Dell Release R175158 (EKMServicesAndSamples) from http://support.dell.com and extract the files to - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 108
is the user ID under which the server is running, and which also has superuser/root authority. A readme file included on your Dell product media and available at http://support.dell.com provides more installation details. Required Optional. Values EKM | LocalOS Default EKM Server.password - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 109
data during an auto synchronize. Required Optional. Values rewrite | merge Default merge Note: merging configuration information is the same as rewriting it. Required Optional. Values Values - any cipher suites supported by IBMJSSE2. TransportListener.ssl.clientauthentication = 0 SSL - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 110
Required Yes. TransportListener.ssl.keystore.password = password Password to access TransportListener.ssl.keystore.name. When specified, Key Manager server will listen on for requests from tape drives. The default TCP port number is 3801. Required Yes. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 111
Server and act as a Secure Sockets client. Required Yes. TransportListener.ssl.keystore.type = jceks Type of keystore. Required Optional. Recommended. Default jceks TransportListener.ssl.port = value This is the port the CLI client will use to communicate with Encryption Key Manager servers - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 112
Yes. TransportListener.ssl.truststore.type = jceks Type of truststore. Required Optional. Recommended. Default jceks Sample configuration properties files are available for download in the EKMServicesAndSamples file from http://support.dell.com. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 113
need not be changed in any way. Must the Encryption Key Manager be installed and running on every system that might generate a request to encrypt or decrypt a tape? With library-managed encryption, the system from which the tape drive write request originates need NOT be the system on which the - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 114
dates) would be renewed but not the associated keys. Will later versions of Encryption Key Manager still read the encrypted tapes created with earlier versions of the software? Yes. The Encryption Key Manager will honor certificates regardless of release. - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 115
Notices Trademarks Trademarks used in this text: Dell, the Dell logo, and PowerVault are trademarks of Dell Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 116
- Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 117
block cipher adopted as an encryption standard by the US government. alias. See key label. certificate. A digital document provides protection from persons or software that attempt to access the data without the key. keys prior to storing them on the tape cartridge. rekey. The process of changing - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 118
- Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 119
the SSL port 3-9 installing and configuring 4-1 installLinux (Intel) 3-1 J JCEKS 2-3 K key groups creating 3-14 key manager components 1-1 KeyManagerConfig.properties B-1 editing 3-10 keys symmetric for LTO 3-9 keystore passwords 3-12 L library-managed encryption 1-5 Linux prerequisites 2-2 LTO - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 120
6-5 property settings B-1 editing 3-10 publications Linux x online x related x Windows x R requirements hardware and software 2-2 resolving problems with encryption 6-5 S server configurations 2-7, 2-8 synchronizing with another server 4-2 sharing tape 2-9 software developer kit installLinux (Intel - Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager User's - Page 121
- Dell PowerVault TL2000 | Dell PowerVault ML6000 Encryption Key Manager User's - Page 122
Dell™ PowerVault™ Encryption Key Manager User's Guide