Dell PowerVault TL2000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 101

Appendix A. Sample Files

Sample startup daemon script

Attention:

It is impossible to overstate the importance of

preserving your keystore data. Without access to your keystore

you will be unable to decrypt your encrypted tapes. Ensure that

you save your keystore and password information.

Linux Platforms

The following is a sample script that allows EKM to be kicked off in the

background, in a proven manner. This script starts EKM and passes the keystore

password,

keystore_password

, in through the script. In this way the keystore

password does not have to be in the EKM Configuration file. (see note below). The

following should be contained in the script file:

java com.ibm.keymanager.KMSAdminCmd KeyManagerConfig.properties <<EOF

startekm

keystore_password

status

EOF

Note:

If the keystore password is entered into EKM through a script, (that is, the

EKM config file does not contain the keystore password), then when the

EKM is backed up, the files (configuration file, drive table, and keystore

backup file) need not necessarily be treated as secret, but the script that

contains the keystore password

must

be stored securely and resiliently (for

example, multiple copies in multiple locations). The keystore password is

confidential information and must be treated as such. Backing up the script

file securely has the same options that exist for backing up the configuration

file that contains the keystore password. But the scripts might be backed up

and stored/transmitted secretly and separately from the EKM backup files,

which would add a level of indirection for security. Finally, we must

emphasize that however the keystore password is stored (in a script or in

EKM’s configuration file), it must be stored securely and resiliently, such

that the keystore password can always be recovered.

Loss of all copies of

the keystore password would cause loss of all of the keys in the keystore

and there is no recovery path for this

.

Sample Configuration Files

The following is a sample EKM properties file with all of the keystore entries

pointing to the same software keystore:

Admin.ssl.keystore.name = /keymanager/testkeys

Admin.ssl.keystore.type = jceks

Admin.ssl.truststore.name = /keymanager/testkeys

Admin.ssl.truststore.type = jceks

Audit.event.outcome = success,failure

Audit.event.types = all

Audit.eventQueue.max = 0

Audit.handler.file.directory = /keymanager/audit

Audit.handler.file.name = kms_audit.log

Audit.handler.file.size = 10000

Audit.metadata.file.name = /keymanager/metafile.xml

A-1

Section	Page
Contents	3
Figures	5
Tables	7
Preface	9
About this Book	9
Who Should Read this Book	9
Conventions and Terminology Used in this Book	9
Attention Notice	9
Related Publications	10
Linux Information	10
Red Hat Information	10
SuSE Information	10
Microsoft Windows Information	10
Online Support	10
Read this First	11
Contacting Dell	11
Chapter 1. Tape Encryption Overview	13
Components	13
Managing Encryption	14
Application-Managed Tape Encryption	16
Library-Managed Tape Encryption	17
About Encryption Keys	17
Chapter 2. Planning Your Encryption Key Manager Environment	21
Encryption Setup Tasks at a Glance	21
Encryption Key Manager Setup Tasks	21
Planning for Library-Managed Tape Encryption	21
Hardware and Software Requirements	22
Linux Solution Components	22
Windows Solution Components	23
Keystore Considerations	23
The JCEKS Keystore	23
Encryption Keys and the LTO 4 and LTO 5 Tape Drives	24
Backing up Keystore Data	25
Multiple Key Managers for Redundancy	27
Encryption Key Manager Server Configurations	27
Single-Server Configuration	27
Two-Server Configurations	28
Disaster Recovery Site Considerations	29
Considerations for Sharing Encrypted Tapes Offsite	29
Federal Information Processing Standard 140-2 Considerations	30
Chapter 3. Installing the Encryption Key Manager and Keystores	31
Downloading the Latest Version Key Manager ISO Image	31
Installing the Encryption Key Manager on Linux	31
Installing the Encryption Key Manager on Windows	32
Using the GUI to Create a Configuration File, Keystore, and Certificates	35
Generating Keys and Aliases for Encryption on LTO 4 and LTO 5	39
Creating and Managing Key Groups	44
Chapter 4. Configuring the Encryption Key Manager	51
Using the GUI to Configure the Encryption Key Manager	51
Configuration Strategies	51
Automatically Update Tape Drive Table	51
Synchronizing Data Between Two Key Manager Servers	52
Configuration Basics	53
Chapter 5. Administering the Encryption Key Manager	57
Starting, Refreshing, and Stopping the Key Manager Server	57
The Command Line Interface Client	61
CLI Commands	63
Chapter 6. Problem Determination	71
Check These Important Files for Encryption Key Manager Server Problems	71
Debugging Communication Problems Between the CLI Client and the EKM Server	72
Debugging Key Manager Server Problems	72
Encryption Key Manager-Reported Errors	75
Messages	79
Config File not Specified	79
Failed to Add Drive	80
Failed to Archive the Log File	80
Failed to Delete the Configuration	80
Failed to Delete the Drive Entry	81
Failed to Import	81
Failed to Modify the Configuration	81
File Name Cannot be Null	81
File Size Limit Cannot be a Negative Number	82
No Data to be Synchronized	82
Invalid Input	82
Invalid SSL Port Number in Configuration File	83
Invalid TCP Port Number in Configuration File	83
Must Specify SSL Port Number in Configuration File	83
Must Specify TCP Port Number in Configuration File	84
Server Failed to Start	84
Sync Failed	84
The Specified Audit Log File is Read Only	85
Unable to Load the Admin Keystore	85
Unable to load the keystore	86
Unable to Load the Transport Keystore	86
Unsupported Action	86
Chapter 7. Audit Records	89
Audit Overview	89
Audit Configuration Parameters	89
Audit.event.types	89
Audit.event.outcome	90
Audit.eventQueue.max	90
Audit.handler.file.directory	90
Audit.handler.file.size	91
Audit.handler.file.name	91
Audit.handler.file.multithreads	92
Audit.handler.file.threadlifespan	92
Audit Record Format	92
Audit Points in the Encryption Key Manager	93
Audit Record Attributes	93
Audited Events	95
Chapter 8. Using Metadata	97
Appendix A. Sample Files	101
Sample startup daemon script	101
Linux Platforms	101
Sample Configuration Files	101
Appendix B. Encryption Key Manager Configuration Properties Files	103
Encryption Key Manager Server Configuration Properties File	103
CLI Client Configuration Properties File	111
Appendix C. Frequently Asked Questions	113
Notices	115
Trademarks	115
Glossary	117
Index	119
A	119
C	119
D	119
E	119
F	119
G	119
H	119
I	119
J	119
K	119
L	119
M	119
N	119
P	119
R	120
S	120
T	120
W	120

Dell PowerVault TL2000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 101

Appendix A. Sample Files, Sample startup daemon script, Linux Platforms, Sample Configuration Files - backup software

Page 101 highlights