Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 51
Configuring the Encryption Key Manager - price
 |
View all Dell PowerVault TL4000 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 51 highlights
Chapter 4. Configuring the Encryption Key Manager Using the GUI to Configure the Encryption Key Manager The easiest way to create your configuration properties file is to use the Dell Encryption Key Manager GUI following the procedure in "Using the GUI to Create a Configuration File, Keystore, and Certificates" on page 3-5. If you have done so, then you have already created your configuration file and no additional configuration is required. The following information may be helpful if you wish to take advantage of additional Encryption Key Manager configuration options. Configuration Strategies Some configuration settings in the KeyManagerConfig.properties file provide shortcuts that may have effects you should know about. Automatically Update Tape Drive Table The Encryption Key Manager provides a variable in the configuration file (drive.acceptUnknownDrives) that, when set to a value of true, automatically populates the tape drive table when a new tape drive contacts the the Dell Encryption Key Manager. This eliminates the need to use the adddrive command | for each tape drive or library. In this mode, the 10-digit serial number for each of these devices need not be entered using the CLI client commands. The new drives undergo the normal public/private key cryptography exchange to verify the identity of the tape device. Once this verification is complete, the new device is able to read existing tapes based on the key IDs stored on them (assuming the corresponding key information is found in the configured keystore). Note: The Encryption Key Manager server should be refreshed using the GUI or the command "refresh" on page 5-13 after drives are added automatically to ensure that they are stored in the drive table. | For LTO 4 and LTO 5 drives, you can set the default symmetric key pool (symmetricKeySet) for encryption on newly added devices. In other words, you can have the Encryption Key Manager fully configure the device with associated key material when the device makes contact. If you choose not to do this when the device is added to the drive table, you can do so after the tape drive has been added to the tape drive table, using the moddrive command. | In addition to relieving the administrator of the need to enter the 10-digit serial number for each of the tape drives the Encryption Key Manager will service, it also allows a default environment for large systems configurations. It should be noted that such convenience comes at the price of reduced security. Since the devices are added automatically and could be associated with a certificate alias (able to write a tape with that certificate alias), the added security check that the administrator would perform when adding the devices manually is skipped. It is important that you evaluate the advantages and disadvantages of this option to determine if automatically adding the tape drive information to the drive table, and implicitly granting that new device access to the certificate information, is an acceptable security risk. 4-1
-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46 -
47 -
48 -
49 -
50 -
51 -
52 -
53 -
54 -
55 -
56 -
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
 |
 |
