Home » Dell Manuals » Storage Devices » Dell PowerVault TL2000 » Manual Viewer

Dell PowerVault TL2000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 28

Two-Server Configurations, Identical configurations, Separate configurations - user manual

View all Dell PowerVault TL2000 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 28 highlights

Two-Server Configurations A two-server configuration is recommended. This Encryption Key Manager configuration will automatically failover to the secondary key manager should the primary be inaccessible for any reason. Note: When different Encryption Key Manager servers are used to handle requests from the same set of tape drives, the information in the associated keystores MUST be identical. This is required so that regardless which key manager server is contacted, the necessary information is available to support requests from the tape drives. Identical configurations: In an environment with two Encryption Key Manager servers having identical configurations, such as those shown in Figure 2-5, processing will automatically failover to the secondary key manager should the primary go down. In such a configuration it is essential that the two key manager servers be synchronized. Updates to the configuration file and drive table of one key manager server can be duplicated on the other automatically using the sync command, but updates to one keystore must be copied to the other using methods specific to the keystore(s) being used. The keystores and key groups XML file must be copied manually. Refer to "Synchronizing Data Between Two Key Manager Servers" on page 4-2 for more information. | Primary Key Store Encryption Drive Table Key Manager Config File Key Groups = = = = Key Store Drive Table Config File Key Groups Secondary Encryption Key Manager a14m0254 Tape Library Tape Library Tape Library A B C | | Figure 2-5. Two Servers with Shared Configurations | Separate configurations: Two Encryption Key Manager servers may share a common keystore and drive table yet have two different configuration files and two different sets of key groups defined in their XML files. The only requirement is that the keys used to serve the common tape drives must be the same for each server. This allows each key manager server to have its own set of properties. In this type of configuration, shown in Figure 2-6 on page 2-9, only the drive table should be synchronized between key manager servers. (Refer to "Synchronizing Data Between Two Key Manager Servers" on page 4-2 for more information.) Be sure to specify sync.type = drivetab (do not specify config or all) to prevent the configuration files from being overwritten. Note: There is no way to partially share the configuration between servers. 2-8 Dell Encryption Key Mgr User's Guide

Section	Page
Contents	3
Figures	5
Tables	7
Preface	9
About this Book	9
Who Should Read this Book	9
Conventions and Terminology Used in this Book	9
Attention Notice	9
Related Publications	10
Linux Information	10
Red Hat Information	10
SuSE Information	10
Microsoft Windows Information	10
Online Support	10
Read this First	11
Contacting Dell	11
Chapter 1. Tape Encryption Overview	13
Components	13
Managing Encryption	14
Application-Managed Tape Encryption	16
Library-Managed Tape Encryption	17
About Encryption Keys	17
Chapter 2. Planning Your Encryption Key Manager Environment	21
Encryption Setup Tasks at a Glance	21
Encryption Key Manager Setup Tasks	21
Planning for Library-Managed Tape Encryption	21
Hardware and Software Requirements	22
Linux Solution Components	22
Windows Solution Components	23
Keystore Considerations	23
The JCEKS Keystore	23
Encryption Keys and the LTO 4 and LTO 5 Tape Drives	24
Backing up Keystore Data	25
Multiple Key Managers for Redundancy	27
Encryption Key Manager Server Configurations	27
Single-Server Configuration	27
Two-Server Configurations	28
Disaster Recovery Site Considerations	29
Considerations for Sharing Encrypted Tapes Offsite	29
Federal Information Processing Standard 140-2 Considerations	30
Chapter 3. Installing the Encryption Key Manager and Keystores	31
Downloading the Latest Version Key Manager ISO Image	31
Installing the Encryption Key Manager on Linux	31
Installing the Encryption Key Manager on Windows	32
Using the GUI to Create a Configuration File, Keystore, and Certificates	35
Generating Keys and Aliases for Encryption on LTO 4 and LTO 5	39
Creating and Managing Key Groups	44
Chapter 4. Configuring the Encryption Key Manager	51
Using the GUI to Configure the Encryption Key Manager	51
Configuration Strategies	51
Automatically Update Tape Drive Table	51
Synchronizing Data Between Two Key Manager Servers	52
Configuration Basics	53
Chapter 5. Administering the Encryption Key Manager	57
Starting, Refreshing, and Stopping the Key Manager Server	57
The Command Line Interface Client	61
CLI Commands	63
Chapter 6. Problem Determination	71
Check These Important Files for Encryption Key Manager Server Problems	71
Debugging Communication Problems Between the CLI Client and the EKM Server	72
Debugging Key Manager Server Problems	72
Encryption Key Manager-Reported Errors	75
Messages	79
Config File not Specified	79
Failed to Add Drive	80
Failed to Archive the Log File	80
Failed to Delete the Configuration	80
Failed to Delete the Drive Entry	81
Failed to Import	81
Failed to Modify the Configuration	81
File Name Cannot be Null	81
File Size Limit Cannot be a Negative Number	82
No Data to be Synchronized	82
Invalid Input	82
Invalid SSL Port Number in Configuration File	83
Invalid TCP Port Number in Configuration File	83
Must Specify SSL Port Number in Configuration File	83
Must Specify TCP Port Number in Configuration File	84
Server Failed to Start	84
Sync Failed	84
The Specified Audit Log File is Read Only	85
Unable to Load the Admin Keystore	85
Unable to load the keystore	86
Unable to Load the Transport Keystore	86
Unsupported Action	86
Chapter 7. Audit Records	89
Audit Overview	89
Audit Configuration Parameters	89
Audit.event.types	89
Audit.event.outcome	90
Audit.eventQueue.max	90
Audit.handler.file.directory	90
Audit.handler.file.size	91
Audit.handler.file.name	91
Audit.handler.file.multithreads	92
Audit.handler.file.threadlifespan	92
Audit Record Format	92
Audit Points in the Encryption Key Manager	93
Audit Record Attributes	93
Audited Events	95
Chapter 8. Using Metadata	97
Appendix A. Sample Files	101
Sample startup daemon script	101
Linux Platforms	101
Sample Configuration Files	101
Appendix B. Encryption Key Manager Configuration Properties Files	103
Encryption Key Manager Server Configuration Properties File	103
CLI Client Configuration Properties File	111
Appendix C. Frequently Asked Questions	113
Notices	115
Trademarks	115
Glossary	117
Index	119
A	119
C	119
D	119
E	119
F	119
G	119
H	119
I	119
J	119
K	119
L	119
M	119
N	119
P	119
R	120
S	120
T	120
W	120

Match case Limit results 1 per page

Two-Server Configurations

A two-server configuration is recommended. This Encryption Key Manager

configuration will automatically failover to the secondary key manager should the

primary be inaccessible for any reason.

Note:

When different Encryption Key Manager servers are used to handle requests

from the same set of tape drives, the information in the associated keystores

MUST be identical. This is required so that regardless which key manager

server is contacted, the necessary information is available to support

requests from the tape drives.

Identical configurations:

In an environment with two Encryption Key Manager

servers having identical configurations, such as those shown in Figure 2-5,

processing will automatically failover to the secondary key manager should the

primary go down. In such a configuration it is essential that the two key manager

servers be synchronized. Updates to the configuration file and drive table of one

key manager server can be duplicated on the other automatically using the

sync

command, but updates to one keystore must be copied to the other using methods

specific to the keystore(s) being used. The keystores and key groups XML file must

be copied manually. Refer to “Synchronizing Data Between Two Key Manager

Servers” on page 4-2 for more information.

Separate configurations:

Two Encryption Key Manager servers may share a

common keystore and drive table yet have two different configuration files and

two different sets of key groups defined in their XML files. The only requirement is

that the keys used to serve the common tape drives must be the same for each

server. This allows each key manager server to have its own set of properties. In

this type of configuration, shown in Figure 2-6 on page 2-9, only the drive table

should be synchronized between key manager servers. (Refer to “Synchronizing

Data Between Two Key Manager Servers” on page 4-2 for more information.) Be

sure to specify

sync.type = drivetab

(do not specify config or all) to prevent the

configuration files from being overwritten.

Note:

There is no way to partially share the configuration between servers.

Key Store

Drive Table

Config File

Key Groups

Key Store

Drive Table

Config File

Key Groups

Tape Library

a14m0254

Primary

Encryption

Key Manager

Secondary

Encryption

Key Manager

Figure 2-5. Two Servers with Shared Configurations

2-8

Dell Encryption Key Mgr User's Guide