Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 72

at com.ibm.keymanager.EKMServer.<init>(EKMServer.java:753)

at com.ibm.keymanager.EKMServer.a(EKMServer.java:716)

at com.ibm.keymanager.EKMServer.main(EKMServer.java:129)

Debugging Communication Problems Between the CLI Client and the

EKM Server

Communication between the EKM CLI client and the EKM Server is done over the

ports specified in the TransportListener.ssl.port property in both the server and

client configuration properties files and is protected by SSL.

The following is a list of possible reasons why the client may not connect to the

EKM Server. It includes steps showing how to determine the problem and correct

it.

v

The EKM Server is not running, therefore the client has nothing to communicate

with.

1.

Issue

netstat –an

from a command window and confirm that the ports

specified by the TransportListener.ssl.port and TransportListener.tcp.port

properties in the EKM Server properties file are displayed. If the ports are

not displayed, then the server is not running

v

The TransportListener.ssl.host property in the EKM CLI client properties file

does not point to the correct host where the EKM Server is running.

1.

The value of the TransportListener.ssl.host property in the EKM CLI client

properties file defaults to

localhost

. Modify the value of this property to

point to the correct host.

v

The EKM Server and the EKM CLI client are not talking on the same port.

1.

Check the TransportListener.ssl.port properties in both the EKM Server and

the EKM CLI client properties files to confirm they are set to the same value.

v

The EKM Server and the EKM CLI client cannot find a common certificate to

use to secure communications.

1.

Ensure the keystores specified in the TransportListener.ssl.keystore and

TransportListener.ssl.truststore CLI client properties contain the same

certificates as the Admin.ssl.keystore and Admin.ssl.truststore keystores in

the server properties.

2.

Ensure the TransportListener.ssl.keystore.password in the client properties

has the correct password.

3.

Ensure none of the certificates in these keystores have expired. JSSE will not

use expired certificates to secure communications.

v

The EKM CLI client properties file is read-only.

1.

Check the attributes or the permissions on the file to ensure the user running

the EKM CLI client has permission to access and modify the file.

v

The EKM Server properties file has Server.authMechanism = LocalOS but the

required file from the EKMServicesAndSamples package has not been installed

or was installed in the wrong location.

1.

See the readme included with the EKMServiceAndSamples package for more

information about authentication.

Debugging Key Manager Server Problems

Most problems concerning the key manager involve configuration or starting the

key manager server. Refer to Appendix B, Default Configuration File, for

information on specifying the debug property.

6-2

Dell Encryption Key Mgr User's Guide

Section	Page
Contents	3
Figures	5
Tables	7
Preface	9
About this Book	9
Who Should Read this Book	9
Conventions and Terminology Used in this Book	9
Attention Notice	9
Related Publications	10
Linux Information	10
Red Hat Information	10
SuSE Information	10
Microsoft Windows Information	10
Online Support	10
Read this First	11
Contacting Dell	11
Chapter 1. Tape Encryption Overview	13
Components	13
Managing Encryption	14
Application-Managed Tape Encryption	16
Library-Managed Tape Encryption	17
About Encryption Keys	17
Chapter 2. Planning Your Encryption Key Manager Environment	21
Encryption Setup Tasks at a Glance	21
Encryption Key Manager Setup Tasks	21
Planning for Library-Managed Tape Encryption	21
Hardware and Software Requirements	22
Linux Solution Components	22
Windows Solution Components	23
Keystore Considerations	23
The JCEKS Keystore	23
Encryption Keys and the LTO 4 and LTO 5 Tape Drives	24
Backing up Keystore Data	25
Multiple Key Managers for Redundancy	27
Encryption Key Manager Server Configurations	27
Single-Server Configuration	27
Two-Server Configurations	28
Disaster Recovery Site Considerations	29
Considerations for Sharing Encrypted Tapes Offsite	29
Federal Information Processing Standard 140-2 Considerations	30
Chapter 3. Installing the Encryption Key Manager and Keystores	31
Downloading the Latest Version Key Manager ISO Image	31
Installing the Encryption Key Manager on Linux	31
Installing the Encryption Key Manager on Windows	32
Using the GUI to Create a Configuration File, Keystore, and Certificates	35
Generating Keys and Aliases for Encryption on LTO 4 and LTO 5	39
Creating and Managing Key Groups	44
Chapter 4. Configuring the Encryption Key Manager	51
Using the GUI to Configure the Encryption Key Manager	51
Configuration Strategies	51
Automatically Update Tape Drive Table	51
Synchronizing Data Between Two Key Manager Servers	52
Configuration Basics	53
Chapter 5. Administering the Encryption Key Manager	57
Starting, Refreshing, and Stopping the Key Manager Server	57
The Command Line Interface Client	61
CLI Commands	63
Chapter 6. Problem Determination	71
Check These Important Files for Encryption Key Manager Server Problems	71
Debugging Communication Problems Between the CLI Client and the EKM Server	72
Debugging Key Manager Server Problems	72
Encryption Key Manager-Reported Errors	75
Messages	79
Config File not Specified	79
Failed to Add Drive	80
Failed to Archive the Log File	80
Failed to Delete the Configuration	80
Failed to Delete the Drive Entry	81
Failed to Import	81
Failed to Modify the Configuration	81
File Name Cannot be Null	81
File Size Limit Cannot be a Negative Number	82
No Data to be Synchronized	82
Invalid Input	82
Invalid SSL Port Number in Configuration File	83
Invalid TCP Port Number in Configuration File	83
Must Specify SSL Port Number in Configuration File	83
Must Specify TCP Port Number in Configuration File	84
Server Failed to Start	84
Sync Failed	84
The Specified Audit Log File is Read Only	85
Unable to Load the Admin Keystore	85
Unable to load the keystore	86
Unable to Load the Transport Keystore	86
Unsupported Action	86
Chapter 7. Audit Records	89
Audit Overview	89
Audit Configuration Parameters	89
Audit.event.types	89
Audit.event.outcome	90
Audit.eventQueue.max	90
Audit.handler.file.directory	90
Audit.handler.file.size	91
Audit.handler.file.name	91
Audit.handler.file.multithreads	92
Audit.handler.file.threadlifespan	92
Audit Record Format	92
Audit Points in the Encryption Key Manager	93
Audit Record Attributes	93
Audited Events	95
Chapter 8. Using Metadata	97
Appendix A. Sample Files	101
Sample startup daemon script	101
Linux Platforms	101
Sample Configuration Files	101
Appendix B. Encryption Key Manager Configuration Properties Files	103
Encryption Key Manager Server Configuration Properties File	103
CLI Client Configuration Properties File	111
Appendix C. Frequently Asked Questions	113
Notices	115
Trademarks	115
Glossary	117
Index	119
A	119
C	119
D	119
E	119
F	119
G	119
H	119
I	119
J	119
K	119
L	119
M	119
N	119
P	119
R	120
S	120
T	120
W	120

Dell PowerVault TL4000 Dell PowerVault ML6000 Encryption Key Manager User's - Page 72

Debugging Communication Problems Between the CLI Client and the EKM Server

Page 72 highlights