Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager User's Guide (Dell PowerVault TL4000 Manual)
Dell PowerVault TL4000 manual content summary:
- Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 1
Dell™ PowerVault™ Encryption Key Manager User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 2
forbidden. Trademarks used in this text: Dell, the DELL logo and PowerVault are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 3
Manager ISO | Image 3-1 Installing the Encryption Key Manager on Linux 3-1 Installing the Encryption Key Manager on Windows 3-2 Using the GUI to Create a Configuration File, Keystore, and Certificates 3-5 Chapter 5. Administering the Encryption Key Manager 5-1 Starting, Refreshing, and Stopping - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 4
Appendix A. Sample Files A-1 Sample startup daemon script A-1 Linux Platforms A-1 Sample Configuration Files A-1 Appendix B. Encryption Key Manager . . B-9 Appendix C. Frequently Asked Questions C-1 Notices D-1 Trademarks D-1 Glossary E-1 Index X-1 iv Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 5
3-3 Set this version of JVM to default 3-3 Start Copying Files window 3-4 EKM Server Configuration Page. . . . . 3-6 EKM Server Certificate Configuration Page 3-7 Backup Critical Files Window . . . . . 3-8 Create a Group of Keys 3-15 Change Default Write Key Group 3-16 Assign Group to - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 6
vi Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 7
Tables 1. Typographic Conventions used in this Book ix 1-1. Encryption Key Summary 1-7 2-1. Minimum Software Requirements for Linux 2-2 2-2. Minimum Software Requirements for Windows 2-3 6-1. Errors that are reported by the encryption key manager 6-5 7-1. Audit record types that the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 8
viii Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 9
Book This manual contains information and instructions necessary for the installation and operation of the Dell™ Encryption Key Manager. It includes concepts and procedures pertaining to: | v Encryption-capable LTO 4 and LTO 5 Tape Drives v Cryptographic keys v Digital certificates Who Should - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 10
: v Getting Started with the Dell™ PowerVault™ TL2000 and TL4000 Tape Libraries provides installation information. v Dell™ PowerVault™ TL2000 Tape Library and TL4000 Tape Library SCSI Reference provides supported SCSI commands and protocol governing the behavior of SCSI interface. Linux Information - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 11
Dell product catalog. Dell provides several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell for sales, technical support, or customer service issues: 1. Visit http://support.dell - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 12
xii Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 13
. The Dell Encryption Key Manager (referred to as maintenance, control, and transmission of these keys depends upon the operating environment where the encrypting tape drive is installed part of the Java runtime environment. A keystore holds the certificates and keys (or pointers to the certificates - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 14
being written to, and decrypt information being read from, tape media (tape and cartridge formats). The Encryption Key Manager operates on Linux (SLES and RHEL) and Windows, and is designed to run in the background as a shared resource deployed in several 1-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 15
Dell Encryption Key Manager graphical user interface (GUI). The Encryption Key Manager uses one or more keystores to hold the certificates and keys (or pointers to the certificates it through a TCP/IP communication path between itself and the tape library. When a tape drive writes encrypted data, it - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 16
the key manager, initiates data transfer for tape storage. See "Application-Managed Tape Encryption" for supported applications. Library Layer The enclosure for tape storage, such as the Dell PowerVault TL2000/TL4000 and ML6000 family. A modern tape library contains an internal interface to each - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 17
Library-Managed Tape Encryption | Use this method for LTO 4 and LTO 5 tape drives in the Dell™ PowerVault™ TL2000 Tape Library, Dell™ PowerVault™ TL4000 Tape Library, or Dell™ PowerVault™ ML6000 Tape Library encryption for high-speed encryption of user or host data, and asymmetric encryption - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 18
you can group keys according to the type of data they encrypt, the users who have access to them, or by any other meaningful characteristic. See " LTO 4 and LTO 5 Tape Drives can use applications such as Yosemite (for Dell PowerVault TL2000 and TL4000 Tape Libraries), CommVault, and Symantec Backup - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 19
of encryption keys that may be used for each volume depends on the tape drive, the encryption standard, and method used to manage the encryption. | For transparent encryption of LTO 4 and LTO 5, (that is, using library-managed encryption with the Encryption Key Manager,) the uniqueness of DKs - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 20
1-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 21
Update Tape Drive Table" on page 4-1.) - Start the Encryption Key Manager server. (See "Starting, Refreshing, and Stopping the Key Manager Server" on page 5-1.) - Start the command line interface client. (See "The Command Line Interface Client" on page 5-5.) Planning for Library-Managed Tape - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 22
Install and cable the LTO 4 and LTO 5 Tape Drive(s). v Update library firmware (TL2000, TL4000, ML6000 where necessary). Visit http://support.dell.com. - Dell™ PowerVault™ TL2000 Tape Library minimum required firmware version = 5.xx. - Dell™ PowerVault™ TL4000 Tape Library minimum required firmware - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 23
Version 6.0 SR5 Tape Libraries | For the Dell™ PowerVault™ TL2000 Tape Library, Dell™ PowerVault™ TL4000 Tape | Library, and Dell™ PowerVault™ ML6000 Tape Library, assure that the firmware | level is the latest available. For firmware update, visit http://support.dell.com. Tape Drive | For - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 24
configuration property is used. Lacking a specific alias for the tape drive, aliases are selected from Tape Drive Request for Encryption Write Operation 1. Tape drive requests key to encrypt tape 2. Encryption Key Manager verifies tape device in Drive Table 2-4 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 25
on a non-encrypted device so that you can recover it as needed and be able to read the tapes that were encrypted using those certificates associated with that tape drive or library. Failure to backup your keystore properly will result in irrevocably losing all access to your encrypted data. There - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 26
tape started: On Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat On Linux path for your backup data in the displayed dialog (Figure 2-3). Figure 2-3. Backup Critical Files Window 4. Click Backup Files. 5. An information message displays the results. 2-6 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 27
outages in your tape operations. Refer to "Synchronizing Data Between Two Key Manager Servers" on page 4-2. Note: Synchronization does not include keystores. They must be copied manually. Encryption Key Manager Server Configurations The Encryption Key Manager may be installed on a single-server - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 28
manually. Refer to "Synchronizing Data Between Two Key Manager Servers" on page 4-2 for more information. | Primary Key Store Encryption Drive Table Key Manager Config File Key Groups = = = = Key Store Drive Table Config File Key Groups Secondary Encryption Key Manager a14m0254 Tape Library - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 29
a14m0255 Tape Library Tape Library Tape Library A one of your existing production key managers to read and write encrypted tapes. v Create a backup certificate. Alternately, the validity of a certificate can be verified if it was securely guarded in transit. Failure to verify a certificate - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 30
the data on the tape. Federal Information Processing Standard has a FIPS 140-2 level 1 certification. By setting the fips configuration specific hardware and software cryptographic providers for information on whether their products are FIPS 140-2 certified. 2-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 31
Key Manager ISO Image | To download the latest version of the Dell ISO image, go to http:// support.dell.com. Installing the Encryption Key Manager on Linux Installing the Encryption Key Manager on Linux From the CD 1. Insert the Dell Encryption Key Manager CD and enter Install_Linux from the CD - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 32
Kit Manually on Linux Follow these steps if you are not installing from the CD. 1. From http://support.dell.com, download the correct runtime environment for Java based on your operating system: | v Java 6 SR 5 (32-bit) or later | v Java 6 SR 5 (64-bit) or later 2. Place the Java linux rpm - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 33
if you want this Java Runtime Environment as the default system JVM (Figure 3-2). Figure 3-2. Set this version of JVM to default Click No. 6. The Start Copying Files window opens (Figure 3-3 on page 3-4). Make sure you have taken note of the target directory. Chapter 3. Installing the Encryption - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 34
JIT enabled, AOT enabled) | ... 10. Update the PATH variable as follows:(required for Encryption Key Manager 2.1 but optional for build date of 05032007 and earlier). If you will be invoking the Java SDK from a command window, you might wish to set the PATH variable if you want to be able to run - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 35
Server Graphical User Interface (GUI) to create your Encryption Key Manager configuration properties file, a keystore, certificate(s), and key(s). A simple CLI configuration properties file is also created as a result of this process. 1. Open the GUI if it is not yet started: On Windows Navigate to - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 36
list in system memory while running in order to have quick access to the keys when the library sends a key request from the drive. Note: Interrupting the Encryption Key Manager GUI during key generation requires an Encryption Key Manager re-install. 3-6 Dell Encryption Key Mgr User's Guide a14m0247 - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 37
backup file contains the date and time stamp as part of the file name (for example, 2007_11_19_16_38_31_EKMKeys.jck Certificate Configuration Page 5. A "Backup Critical Files" window (Figure 3-6 on page 3-8) opens reminding you to back up your Encryption Key Manager data files. Chapter 3. Installing - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 38
Window Verify the path and click Backup. The Dell v If the Encryption Key Manager application is installed in a Linux system, the Encryption Key Manager application displays Windows system, open a command window and enter ipconfig. v For Linux enter isconfig. 3-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 39
the following command: login -ekmuser userID -ekmpassword password where userID = EKMAdmin and password = changeME (This is the default Password. If you previously changed the default password use your new password.) Once login is successful User successfully logged in is displayed. 4. Identify the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 40
reference. After generating keys and aliases, update property, the key manager does not start and an audit record is created. Windows to edit the file for a Linux machine because of ^M. If you use Windows Windows Navigate to cd c:\ekm and click updatePath.bat 3-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 41
Linux platforms Navigate to /var/ekm and enter . ./updatePath.sh | The Keytool utility generates aliases and symmetric keys for encryption on LTO 4 | and LTO 5 Tape Drives using LTO 4 and LTO 5 tape password, do not change it unless its security has been breached. See "Changing Keystore Passwords - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 42
KeyManagerConfig.properties to change the keystore password in every server configuration file property to serve to the LTO 4 and LTO 5 drives for tape encryption: -keyalias Specifies the alias of a private key in ] [-storepass ] 3-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 43
tape series password -storetype jceks -keystore path start if an invalid alias is specified. Other causes for validation check failure may include incorrect bit size (for AES keysize MUST be 256) or an invalid algorithm for the platform. -keyalg must be AES and -keysize Chapter 3. Installing - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 44
Key Manager data files. Enter a path where backup data is to be saved. Click Submit. Then verify the backup path and click OK. To create a key group and populate it with keys, or to add keys to an existing keygroup: 1. Open the GUI if it is not yet started: 3-14 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 45
. Click Submit Changes. To change the default key group: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Change Default Write Key Group at the bottom of the window (Figure 3-8 on page 3-16). Chapter 3. Installing the Encryption Key Manager and Keystores 3-15 - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 46
of the window and click Submit Changes. To assign a specific key group to a specific tape drive: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Assign Group to Drive at the bottom of the window (Figure 3-9 on page 3-17). 3-16 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 47
the Drive List. 4. Select the key group from the Group List. 5. Verify the drive and key group at the bottom of the window and click Submit Changes. To delete a tape drive from the drive table: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Delete Drive at the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 48
key group alias password. Therefore no key in the KeyGroups.xml file is in the clear. Example: createkeygroup -password a75xynrd 2. Run the addkeygroup command. This command creates an instance of a key group with a unique Group ID in the KeyGroups.xml. 3-18 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 49
keystore for addition to a specific key group ID. Syntax: default for use when no alias is defined for a tape drive, set the symmetrickeySet property of the configuration properties file to the GroupID of the key group you wish to use. For example, symmetricKeySet = keygroup1 Chapter 3. Installing - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 50
.xml file. If not, the Encryption Key Manager Server will not start. The Encryption Key Manager tracks key usage within a key group. When to Another Run addaliastogroup command. This command copies a specific alias from an existing (source) key group to a 3-20 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 51
enter the 10-digit serial number for each of the tape drives the Encryption Key Manager will service, it also allows a default environment for large systems configurations. It should be noted that such convenience comes at the price of reduced security. Since the devices are added automatically - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 52
the keystore or key groups XML file. They must be copied manually. The automatic synchronization function is enabled only when a valid IP file is always a rewrite.) This is the default. -rewrite Replace the current data on the receiving server with new data. 4-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 53
server is started, that is, the synchronization will occur after the server has been running for the specified number of hours. The default is 24. additional configuration options. Note to Windows Users: Windows does not accept commands with directory paths that contain blanks. When entering - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 54
server is very strict. Do not use Windows to edit the file for a Linux machine because of ^M. If you use Windows, edit the file with gvim/vim. Note to Windows Users: The Java SDK uses forward slashes, even when running on Windows. When specifying paths in the KeyManagerConfig.properties file, be - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 55
for Linux platforms. For more information, see the readme file at http://support.dell.com or on the Dell Encryption Key Manager media provided with your product. "Authenticating CLI Client Users" on page 5-5 contains more information. 7. Save the changes to KeyManagerConfig.properties. 8. Start the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 56
4-6 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 57
the event of a system crash or power outage. Start the Encryption Key Manager server from the Dell Encryption Key Manager GUI: 1. Open the GUI if it is not yet started: On Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and enter . ./LaunchEKMGui - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 58
Window Enter EKMAdmin for the User Name. The initial password is changeME. After you are logged in, you can use the chgpasswd command to change the password. See "chgpasswd" on page 5-9. Note: v The Dell Encryption Key Manager application is installed in a Linux system, the application displays the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 59
For example, on Linux systems, enter kill -SIGTERM pid or kill -15 pid. On Windows platforms, when the Dell Encryption Key Manager is started as a Windows Service, it can be stopped from the Control Panel. Installing the Key Manager Server as a Window Service Installing the Encryption Key Manager - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 60
to be passed in as an argument. The default path and filename are C:\ekm\gui\ KeyManagerConfig.properties. -u Uninstalls the key manager Windows Service if you no longer need to run it as a service. Note that the EKMServer service must be stopped before it 5-4 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 61
.exe -i config file 7. Once the service is installed using the command above, EKMServer will appear in the service control panel and you can start and stop the Encryption Key Manager using the Service Control Panel. Note: You must start the Windows service manually the first time it is used by - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 62
commands to the server is the user ID under which the server is running, and which also has superuser/root authority. A readme file included on your Dell product media and available at http://support.dell.com provides more installation details. Starting the Command Line Interface Client Note - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 63
. By default, the start the CLI client: java com.ibm.keymanager.admin.KMSAdminCmd CLIconfiglfile_name -filename clifile One command at a time You can run a single command at a time by specifying the CLI userid_ID and password for each command. From any command window Copy a specific alias from - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 64
drive to key manager drive table. Refer to "Automatically Update Tape Drive Table" on page 4-1 to learn how to add tape drives to the drive table | your keystore for addition to a specific key group ID. addkeygroupalias -alias aliasname -groupID groupname 5-8 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 65
user (EKMAdmin) default password. chgpasswd -new password -new The new password that replaces the previous password. Example: chgpasswd -new ebw74jxr createkeygroup Create the initial key group object in the KeyGroups.xml file. Run only once. createkeygroup -password password -password The password - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 66
the new data with current data. -rewrite Replace the current data with new data. -drivetab Import the drive table. -config Import the configuration file. 5-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 67
in the specified keystore. -keysym List symmetric keys in the specified keystore. -alias alias specifies a specific certificate to list. -verbose|-v Display more information about the certificate(s). Examples: list -v lists everything in the keystore. list -alias mycert -v lists all available data - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 68
CLI Client Users" on page 5-5). -ekmpassword Valid password for user ID. Example: login -ekmuser EKMAdmin -ekmpassword changeME logout Logs off the current user. Equivalent -symrec [alias]} -drivename drivename specifies the serial number of the tape drive. 5-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 69
certificate. -rec2 Specifies a second alias (or key label) of the drive's certificate. -symrec Specifies an alias (of the symmetric key) or a key group name for the tape key manager server is started or stopped. Example: KeyGroups.xml file. These must be copied manually. sync {-all | -config | - - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 70
configuration file is always a rewrite.) This is the default. -rewrite Replace the current data with new data. Example: sync -drivetab -ipaddr remoteekm.ibm.com:443 -merge version Displays the version of the Encryption Key Manager server. Example: version 5-14 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 71
When the Encryption Key Manager is installed as a Windows Service and the keystore passwords in the KeyManagerConfig.properties file are 128 characters in length or greater, the Encryption Key Manager will fail to start because it has no way to prompt for a password of acceptable length. The native - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 72
-an from a command window and confirm that the ports Problems Most problems concerning the key manager involve configuration or starting the key manager server. Refer to Appendix B, Default Configuration File, for information on specifying the debug property. 6-2 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 73
file is not located in the default path. Default path on Windows is C:/Program Files/IBM/KeyManagerServer/ Default path on Linux platforms is /opt/ibm/KeyManagerServer/ 2. Re-enter the command to start the KMSAdminCmd and include the complete path of the KeyManagerConfig.properties file. See - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 74
server. Find ports that are not in use by another service and use those to configure the Key Manager server. 3. On systems running Linux operating systems, this error may occur if one or both of the ports are lower than 1024 and the user starting the Key Manager server is not root. Modify the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 75
Check the versions of drive or proxy server firmware and update them to the latest release, if needed. Enable debug tracing on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 76
update them to the latest release, if needed. Enable debug tracing and retry the operation. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for information on getting technical assistance. 6-6 Dell Encryption Key Mgr User - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 77
Check the versions of drive or proxy server firmware and update them to the latest release, if needed. Enable debug tracing on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 78
gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the front of this publication for information on getting technical assistance. EE30 Prohibited request. An unsupported operation has been requested for a tape drive. Enter the correct - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 79
). Check the versions of drive or proxy server firmware and update them to the latest release, if needed. Enable debug on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to "Contacting Dell" in the "Read this First" section at the - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 80
modconfig command. Operator Response Check the command syntax using help make sure parameters supplied are correct. Please check the audit logs for more information. 6-10 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 81
or configuration files cannot be imported. System Response The Encryption Key Manager server does not start. Operator Response Make sure the specified URL exists and has read permissions. Check the command Text File name was not supplied for audit log file. Chapter 6. Problem Determination 6-11 - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 82
configuration file must be a positive number. System Response The Encryption Key Manager does not start. Operator Response Please specify a valid number for Audit.handler.file.size and try restarting Invalid Input Text Invalid input parameters for the CLI. 6-12 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 83
Response The Encryption Key Manager does not start. Operator Response Specify valid port number for the property in the configuration file when starting the Encryption Key Manager and try configuration file when starting the Encryption Key Manager and try to restart. The default TCP port number is - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 84
. Explanation The Encryption Key Manager server cannot start because of configuration problems. Operator Response Check the parameters in the configuration file supplied. Please check the logs for more information. Sync Failed Text "sync" command failed. 6-14 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 85
The Encryption Key Manager does not start. Operator Response Please check the Key Manager does not start. Operator Response Check the refer to Appendix B) and the keystore file exists and has read permission. Make sure the password supplied for admin keystore either through admin.keystore.password - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 86
password supplied for admin keystore either through transport.keystore.password property or entered on the command line is correct. Try restarting Encryption Key Manager. Unsupported Action Text User entered action for the CLI which is not supported for EKM. 6-16 Dell Encryption Key Mgr User's Guide - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
User's - Page 87
Explanation Action supplied for sync command is not supported or understood by the Encryption Key Manager. The valid actions are merge or rewrite. Operator Response Check the command syntax using help and try again. Chapter 6. Problem Determination 6-17 - Dell PowerVault TL4000 | Dell PowerVault ML6000 Encryption Key Manager
Page 88: manual page 6-18
Page 89: Values:
  all: All event types
  authentication: Authentication events
  data_synchronization: Events that occur during synchronization of information between Encryption Key Manager servers
  runtime: Events that occur as a part of processing operations and requests sent to the Encryption Key Manager
(manual page 7-1)
Page 90: Used to set the maximum number of event objects to be held in the memory queue. This parameter is optional but recommended. The default is zero. Example: Audit.eventQueue.max=8
Audit.handler.file.directory. Syntax: Audit.handler.file.directory=directoryName (manual page 7-2)
Page 91: Manager will not start. It is recommended that the directory exist prior to running the Encryption Key Manager. Note also that the user ID under which this parameter must contain only the base file name and not the fully qualified path name. The full name of the audit log file will have the value
Page 92: the audit log to complete. Use of multiple threads is the default behavior. Examples: An example setting the base name to true is including timestamp and record type, along with information specific to the audit event which occurred. The general a closing right (manual page 7-4)
Page 93: The format for these records is:
Authentication event:[
  timestamp=timestamp
  event source=source
  outcome=outcome
  event type=SECURITY_AUTHN
  message=message
  authentication type=type
  users=users
]
Note that the message value only appears if information for it is available. (Chapter 7. Audit Records, manual page 7-5)
Page 94:
  event source=source
  outcome=outcome
  event type=SECURITY_MGMT_RESOURCE
  message=message
  action=action
  user=user
  resource=resource
]
Note that the message value only appears if information for it is available.
  event source=source
  outcome=outcome
  event type=SECURITY_MGMT_CONFIG
  message=message
(manual page 7-6)
Page 95:
  Error computing cryptographic values: runtime
  Message exchange processed successfully: runtime
  Message processing started: runtime
  Command line processing started: runtime
  Problem found using cryptographic services: runtime
  New drive discovered: runtime
  Error configuring drive to drive table
Page 96: configuration_management
  Error importing configuration: configuration_management
  Configuration export successful: configuration_management
  Error exporting configuration: configuration_management
  listconfig command successful: configuration_management
(manual page 7-8)
Page 97: as data is being encrypted and written to tape. This file can be queried by volume serial file, the Encryption Key Manager will not start. As encryption processing is performed, the new file after a maximum file size is reached. The default maximum file size for rollover, which can also be set in
Page 98: This tool parses the XML file using Document Object Model (DOM) techniques and cannot be run from This is the same directory path specified for the metadata file. -volser: The volume serial number of the tape cartridge you are searching for in the XML file.
Page 99:
[Fatal Error] EKMData.xml:290:16: The end-tag for element type "KeyUsageEvent" must end with a '>' delimiter.
org.xml.sax.SAXParseException: The end-tag for element type "KeyUsageEvent" must end with a '>' delimiter.
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.
Page 100: manual page 8-4
Page 101: your encrypted tapes. Ensure that you save your keystore and password information. Linux Platforms: The following is a sample script that allows EKM to be started in the background in a proven manner. This script starts EKM and passes the keystore password
Page 102:
.type = jceks
TransportListener.ssl.port = 443
TransportListener.ssl.protocols = SSL_TLS
TransportListener.ssl.truststore.name = /keymanager/ssltrustkeys
TransportListener.ssl.truststore.type = jceks
TransportListener.tcp.port = 3801
(manual page A-2)
Page 103: the format and specification of properties:
  - Passwords must not be greater than 127 characters in length.
  - Accidental whitespace at the end of a line may be interpreted as part of a property value.
Sample configuration properties files are available for download at http://support.dell certificate
Page 104: separated by comma or semicolon. Default: success.
Audit.event.Queue.max = 0
  The maximum number of event objects in the audit memory queue before they will be flushed to file.
  Required: Optional. Recommended.
  Values: 0 - ? (0 means flush immediately.)
(manual page B-2)
Page 105:
Audit.metadata.file.cachecount = 100
  Specifies the number of records to store in memory before writing the metadata file.
  Required: No. Default: 100.
Audit.metadata.file.name = value
  Specifies the name of the XML file where metadata records are to be saved.
  Required: Yes.
(Appendix B. Encryption
Page 106: location. Required: Optional. Values: simple_file | console (not recommended).
debug.output.file = debug
  Path and filename where debug output is to be written.
  Required: Optional. Required when debug.output = simple_file. Path to file must exist.
(manual page B-4)
Page 107: the KeyManagerConfig.properties file.) The CLI client user must log in to the server with an OS user ID and password. For local OS-based authentication on Linux platforms, additional steps are required: 1. Download Dell Release R175158 (EKMServicesAndSamples) from http://support.dell.com and extract the files to
Page 108: is the user ID under which the server is running, and which also has superuser/root authority. A readme file included on your Dell product media and available at http://support.dell.com provides more installation details. Required: Optional. Values: EKM | LocalOS. Default: EKM.
Server.password
Page 109: Values: any cipher suites supported by IBMJSSE2.
TransportListener.ssl.clientauthentication = 0
  SSL authentication needed for communication between Encryption Key Manager servers.
  Required: Optional.
  Values: 0 - no client authentication (default); 1 - server wants to do client authentication with
Page 110: with a new stanza that is named 'TransportListener.ssl.keystore.password.obfuscated'. Required: Optional.
TransportListener.ssl.keystore.type = jceks
  server will listen on for requests from tape drives. The default TCP port number is 3801. Required: Yes.
(manual page B-8)
Page 111: Server and act as a Secure Sockets client. Required: Yes.
TransportListener.ssl.keystore.type = jceks
  Type of keystore. Required: Optional. Recommended. Default: jceks.
TransportListener.ssl.port = value
  This is the port the CLI client will use to communicate with Encryption Key Manager servers
Page 112: Yes.
TransportListener.ssl.truststore.type = jceks
  Type of truststore. Required: Optional. Recommended. Default: jceks.
Sample configuration properties files are available for download in the EKMServicesAndSamples file from http://support.dell.com. (manual page B-10)
Page 113: need not be changed in any way. Must the Encryption Key Manager be installed and running on every system that might generate a request to encrypt or decrypt a tape? With library-managed encryption, the system from which the tape drive write request originates need NOT be the system on which the
Page 114: dates) would be renewed but not the associated keys. Will later versions of Encryption Key Manager still read the encrypted tapes created with earlier versions of the software? Yes. The Encryption Key Manager will honor certificates regardless of release. (manual page C-2)
Page 115: this text: Dell, the Dell logo, and PowerVault are trademarks of Dell Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc
Page 116: manual page D-2
Page 117: unwrap the protected symmetric data key. Also called alias or certificate label depending on which keystore is used. key ring. See (protect) AES data keys prior to storing them on the tape cartridge. rekey. The process of changing the asymmetric Key Encrypting product of two large prime numbers. (manual page E-1)
Page 118: manual page E-2
Page 119:
  installing and configuring 4-1
  installLinux (Intel) 3-1
J
  JCEKS 2-3
K
  key groups, creating 3-14
  key manager components 1-1
  KeyManagerConfig.properties B-1
    editing 3-10
  keys, symmetric for LTO 3-9
  keystore passwords 3-12
L
  library-managed encryption 1-5
  Linux 12 Server failed to start 6-14 sync failed
Page 120:
  ) 3-1
  installWindows 3-2
  software requirements 2-2
  SSL port, identifying 3-9
  starting command line interface 5-5
  starting and stopping server 5-1
  synchronizing servers 4-2
T
  terminology E-1
  trademarks D-1
W
  Windows prerequisites 2-3
X
  XML metadata file 8-1
(manual page X-2)