Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager Quick - Page 6

Step 2. Generate Encryption Keys, Step 3. Start the Encryption Key Manager Server, updatePath



certificate expires, communications between Encryption Key Manager Servers and between the
Encryption Key Manager CLI Client and Encryption Key Manager Server may no longer work. Remove
the old expired certificate and create a new one as specified in this step.

keytool -keystore EKMKeys.jck -storetype jceks -genkey -alias ekmcert -keyAlg RSA -keysize 2048 -validity 1825

The keytool command prompts you for the information it uses to create a certificate that identifies
your Encryption Key Manager. The prompts, with sample responses, look similar to these:

What is your first and last name? [Unknown]: ekmcert
What is the name of your organizational unit? [Unknown]: EKM
What is the name of your organization? [Unknown]: Dell
What is the name of your City or Locality? [Unknown]: Austin
What is the name of your State or Province? [Unknown]: TX
What is the two-letter country code for this unit? [Unknown]: US
Is CN=ekmcert, OU=EKM, O=Dell, L=Austin, ST=TX, C=US correct? (type "yes" or "no"):

Type yes and press Enter.

Step 2. Generate Encryption Keys

Note: Before using the keytool command for the first time in any session, run the updatePath
script to set the correct environment.

On Windows: navigate to c:\ekm (cd c:\ekm) and run updatePath.bat

On Linux platforms: navigate to /var/ekm and enter
. ./updatePath.sh

Note: Specify . ./ (period space period forward slash) before the Linux shell command to
ensure that the shell will be able to find the script.

For LTO encryption, the Encryption Key Manager needs a number of symmetric keys to be pre-generated
and stored in a keystore. This keytool command generates 32 256-bit AES keys and stores them in the
keystore created in step 3. Run this command from the Encryption Key Manager directory to have the
keystore file created in that directory. The resulting keys will have the names key000000000000000000
through key00000000000000001f.

keytool -keystore EKMKeys.jck -storetype jceks -genseckey -keyAlg aes -keysize 256 -aliasrange key00-1f

This command prompts you for a keystore password to access the keystore. Enter the desired password
and press Enter. Press Enter again when prompted for a key password, as that information is not needed.
Do not type in a new or different password; leaving the key password blank makes it the same as the
keystore password. Note the keystore password entered here, as it will be needed later when
starting the Encryption Key Manager.

Note: Once you have set the keystore password, do not change it unless its security has been breached.
Changing the keystore password requires that all the password properties in the configuration file
be changed as well. The passwords are obfuscated to eliminate any security exposure.
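As an added check for Step 2 (not from the Dell guide), the following POSIX shell script expands an -aliasrange spec into the alias names described above and confirms that a keytool -list listing of EKMKeys.jck contains every one of them; the function names and the embedded listing are constructed for this example.

```shell
#!/bin/sh
# Added verification helper (not Dell's code): after Step 2, confirm the keystore
# holds every AES key alias the -aliasrange spec implies. The function names and
# the sample listing below are constructed for this example.

# Expand an -aliasrange spec such as "key00-1f" into the alias names EKM creates:
# the prefix followed by the hex index zero-padded to 18 digits
# (key000000000000000000 through key00000000000000001f).
ekm_expand_aliasrange() {
  range=${1##*[!0-9a-fA-F-]}      # "00-1f": the part after the last non-hex character
  prefix=${1%"$range"}            # "key"
  idx=$((0x${range%-*}))
  last=$((0x${range#*-}))
  while [ "$idx" -le "$last" ]; do
    printf '%s%018x\n' "$prefix" "$idx"
    idx=$((idx + 1))
  done
}

# Compare the expected aliases against 'keytool -list' output (one entry per line,
# "alias, date, entry type,"). Prints each missing alias; returns 1 if any is missing.
ekm_check_aliases() {
  missing=0
  for alias in $(ekm_expand_aliasrange "$1"); do
    if ! printf '%s\n' "$2" | grep -q "^$alias,"; then
      echo "missing: $alias"
      missing=$((missing + 1))
    fi
  done
  return $((missing > 0))
}

# Constructed sample of 'keytool -list -keystore EKMKeys.jck -storetype jceks'
# output for a keystore in which the key with index 0x10 was not generated.
SAMPLE_LISTING="Keystore type: jceks
ekmcert, Jan 1, 2024, keyEntry,
$(ekm_expand_aliasrange key00-1f | grep -v '^key000000000000000010$' | sed 's/$/, Jan 1, 2024, SecretKeyEntry,/')"

ekm_check_aliases key00-1f "$SAMPLE_LISTING" \
  || echo "Step 2 verification FAILED: regenerate the missing key(s) before starting the server"

# Against a real keystore (keytool prompts for the keystore password):
#   ekm_check_aliases key00-1f "$(keytool -list -keystore EKMKeys.jck -storetype jceks)"
```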
Step 3. Start the Encryption Key Manager Server

To start the Encryption Key Manager server without the GUI, launch the startServer script:

On Windows: navigate to c:\ekm\ekmserver (cd c:\ekm\ekmserver) and run startServer.bat

On Linux platforms: navigate to /var/ekm/ekmserver and enter
. ./startServer.sh

Note: Specify . ./ (period space period forward slash) before the Linux shell command to ensure that
the shell will be able to find the script.