HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries

Abstract
This document provides information about configuring the HP Enterprise Secure Key Manager (ESKM) for use with HP tape libraries. This book is intended for security officers, system administrators, and IT personnel responsible for operating and maintaining ESKM for use with HP tape libraries.

HP Part Number: QN998-96121
Published: September 2013
Edition: 3rd


© Copyright 2011, 2013 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Warranty

http://www.hp.com/go/storagewarranty


Contents

1 Prerequisites and Planning
    Network Ports
    Library Partitioning
    Determining the Appropriate Key Generation Policies
    HP Tape Library Hardware and Firmware Requirements
    ESKM Tiers
    ESKM Pre-installation Checklists
2 Creating ESKM Client Accounts
3 Enrolling HP Tape Libraries with the ESKM
    Enrolling ESL E-Series and EML E-Series Libraries
    Verifying Connectivity from the Library to ESKM
    Enrolling ESL G3 Libraries
    Enrolling MSL6480 Libraries
4 Verifying Proper Configuration of the ESKM and Tape Libraries
    Test 1: Verify that Tape Backups are Encrypted
        Test Summary
        Prerequisites
        Pre-test Configuration Steps
        Test Steps
        Issues
    Test 2: Verify that Each ESKM Node Supports Tape Library Operations after Failure of a Single Node
        Test Summary
        Prerequisites
        Pre-test Configuration Steps
        Test Steps
        Issues
    Example Verification
5 Support and Other Resources
    Contacting HP
    Typographic Conventions
    Documentation feedback
Index


1 Prerequisites and Planning

The following must be installed before configuring ESKM to use HP tape libraries:

• All ESKM nodes, configured in a cluster

• Server-side licenses, if necessary

• Tape libraries, which must be operational and have firmware installed that supports ESKM

• Client-side licenses for the library's encryption feature

Before configuring ESKM to use HP tape libraries:

• Have the pre-installation checklist from the ESKM Installation and Configuration Guide available.

• Create the ESKM client accounts for each HP tape library. See Creating ESKM Client Accounts.

The following sections will help you choose the configuration options and key generation policies that are appropriate for your system.

Network Ports

Network connectivity must be provided between the nodes of the ESKM cluster, the tape libraries, and the Command View management software (if used). If firewalls exist between any of those components, then ports must be opened to allow this traffic. All ports are TCP ports. See Table 1 for the ports that are used.

Table 1 SKM or ESKM Network Ports

Port number    Purpose
22             SSH login to SKM or ESKM
161            SNMP from SKM or ESKM
9000           ETLA login to SKM or ESKM
9081           FIPS status server from SKM or ESKM
9001           SKM or ESKM networking
9443           Web login to SKM or ESKM

Library Partitioning

Determine what portion of your backups will be encrypted and provision sufficient LTO4 or later generation drives to meet those requirements. If some of the LTO4 or later generation tape drives in a library will be used for encryption and others will not, then the library must be partitioned before the client account on the ESKM can be created. Each partition must have a separate key generation policy that will apply to all LTO4 or later generation drives in that partition. For example, if you have eight LTO4 or later generation drives but only want two of them to be used for encryption, partition the library so that one partition contains two LTO4 or later generation drives and the other partition contains the remaining six drives. If a library is not partitioned, then all LTO4 or later generation drives will be used for encryption after the ESKM has been configured. The number of libraries and LTO4 or later generation tape drives dedicated to encrypting backup data will depend on your business needs.

NOTE: Partitioning the library is not part of the ESKM installation service. However, if there will be both encrypting and non-encrypting drives in the same tape library, it is necessary to partition the library. Any partitioning steps must be complete before the ESKM is installed. Consult the user's guide for your tape library for instructions on library partitioning.


Planning steps: Have a list of libraries to be enrolled with the ESKM. For each library, have a list of LTO4 or later generation drives that will be used for encryption. If there are also LTO4 or later generation drives in the libraries that will have different encryption policies, ensure a partition is configured for each policy before the ESKM installation occurs.

Determining the Appropriate Key Generation Policies

Key generation policies allow the security officer (SO) or ESKM administrator to centrally control and audit how encryption is performed. These policies provide a crisp, unambiguous definition of when encryption is and is not performed. This supports the SO’s broader ability to provide specific, auditable security policies for the data center.

Each partition in the library must have a key generation policy. Each partition may have a different key generation policy, depending on the business needs. If the library is not partitioned, then all LTO4 or later generation drives in the library have the same policy.

Consider partitioning the library if any of the following are true:

• If your business needs require more than one key generation policy for a single library, the library must be partitioned before setting up the ESKM client account for that library.

• If the library contains a mixture of both encrypting and non-encrypting tape drive technologies, HP recommends creating separate partitions for each drive type. Only LTO4 and later generation drives can be configured for encryption.

For more information on partitioning HP tape libraries, see the user guide for your HP tape library.

The HP ESKM and HP tape libraries support the following key generation policies:

• Key per tape (KT) — Each LTO4 or later generation tape in the partition (or library) is encrypted with a different key. Also, a new key is created each time that tape is overwritten from the beginning. Key names are associated with a unique media ID for that cartridge. All data written on the tape is encrypted with the same key, even if data is appended to the media later. HP recommends using the KT policy.

• Key per partition, or key per library (KP) — All LTO4 or later generation tapes in the partition (or library) use copies of one key. However, each copy has a unique key name. Key names are associated with a unique ID associated with the tape cartridge. All data written on the tape is encrypted with the same key, even if data is appended to the media later. The key remains in effect until the ESKM administrator or SO changes it.

• No encryption (NE) — All LTO4 or later generation drives in the partition (or library, if the library is not partitioned) will always read and write without any encryption. These drives are not configured to read encrypted data from other partitions, either. Furthermore, backup and archive software using the tape drives cannot enable encryption on the tape drives.

• Externally managed (EM) — Similar to the No Encryption (NE) policy except keys are allowed from backup and archive software. However, like NE, the HP tape library and ESKM do not provide or manage these keys. Currently, only the ESL G3 tape library supports the EM policy.

NOTE:

• Non-encrypted tapes can always be read regardless of the policy in effect.

• LTO4 or later generation drives in an encrypting partition managed by ESKM (KT or KP) will only write encrypted data.

Planning step: For each library being enrolled with the ESKM, list the desired key generation policy for each partition. If the library is not partitioned, list the key generation policy to be applied to the entire library.


Using the library GUI or CVTL, determine the serial number of each partition in the library. The serial numbers are part of each partition's key-generation policy. Every partition must have a separate key generation policy even if all the policies are the same or if a policy is No Encryption.

HP Tape Library Hardware and Firmware Requirements

Earlier versions of CVTL and library firmware only support the HP Secure Key Manager (SKM). More recent versions will support both SKM and ESKM. If necessary, update CVTL and/or library firmware to a version with ESKM support.

Planning step: For each HP tape library connected to the ESKM, ensure that the library firmware has ESKM support prior to beginning ESKM installation. If necessary, upgrade the firmware.

The following are the minimum HP tape library firmware versions required to support ESKM:

• EML E-Series tape library: 1407
◦ Command View TL: 2.7.00
◦ Interface Manager: I270
◦ LTO4 tape drive: H58S
◦ LTO5 tape drive: I3AS
◦ LTO6 tape drive: J2AS

• ESL E-Series tape library: 7.6
◦ Command View TL: 2.7.00
◦ Interface Manager: I270
◦ LTO4 tape drive: H58W
◦ LTO5 tape drive: I3BW

• ESL G3 library firmware: 620H.GS07101
◦ Command View TL: 2.8.00
◦ LTO4 tape drive: H63W
◦ LTO5 tape drive: I3FW
◦ LTO6 tape drive: J2AW

• MSL6480 library firmware: 3.90
◦ Command View TL: 2.8.00
◦ LTO4 and later generation drives: all supported firmware versions

ESKM Tiers

Each tape library can communicate with the ESKM server cluster via up to 18 different IP addresses. If the library cannot communicate with one of the ESKM IP addresses, it will failover to the next on the list. These 18 addresses are provided in three tiers of six addresses each. The purpose of tiering is to control the order used during failover. For example, there may be four ESKM nodes in the cluster, two in the Americas, one in Europe, and one in Asia. For a library in the Americas, the first tier would contain the two ESKMs in the Americas. Failover will try to use those units first. The second tier may be the node in Europe, and the third tier may be the node in Asia. This will direct the failover in a way which prefers nearer units over more distant units.
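The tier limits above and the TCP reachability that the Network Ports section requires can be checked together before enrollment. The following is an added example, not HP code or library firmware; the function names, the documentation-range addresses and the assumption that addresses are tried strictly in tier order are illustrative.

```python
"""Model of ESKM tier failover order plus a TCP preflight (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Sequence

MAX_TIERS = 3      # the guide: addresses are provided in three tiers
MAX_PER_TIER = 6   # of six addresses each, 18 in total
KMS_PORT = 9000    # "ESKM KMS server port (default: 9000)" on the checklist


def failover_order(tiers: Sequence[Sequence[str]]) -> List[str]:
    """Validate a tier plan and return addresses in the order they are tried."""
    if not 1 <= len(tiers) <= MAX_TIERS:
        raise ValueError(f"expected 1..{MAX_TIERS} tiers, got {len(tiers)}")
    order: List[str] = []
    for number, tier in enumerate(tiers, start=1):
        if len(tier) > MAX_PER_TIER:
            raise ValueError(
                f"tier {number} has {len(tier)} addresses, limit is {MAX_PER_TIER}")
        for addr in tier:
            ipaddress.ip_address(addr)  # raises ValueError if not an IP address
            if addr in order:
                raise ValueError(f"{addr} is listed more than once")
            order.append(addr)
    if not order:
        raise ValueError("no ESKM addresses configured")
    return order


def tcp_probe(addr: str, port: int = KMS_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP connection to addr:port succeeds (firewall and listener open)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(tiers: Sequence[Sequence[str]],
              probe: Callable[[str], bool] = tcp_probe) -> Dict[str, object]:
    """Probe every address and report which node failover would land on."""
    order = failover_order(tiers)
    tier_of = {addr: n for n, tier in enumerate(tiers, start=1) for addr in tier}
    up = {addr: probe(addr) for addr in order}
    selected = next((addr for addr in order if up[addr]), None)
    return {
        "selected": selected,                      # first reachable address
        "selected_tier": tier_of.get(selected),    # None if nothing is reachable
        "unreachable": [addr for addr in order if not up[addr]],
        "dead_tiers": [n for n, tier in enumerate(tiers, start=1)
                       if tier and not any(up[a] for a in tier)],
    }


# Constructed sample mirroring the guide's example: two nodes in the Americas,
# one in Europe, one in Asia. Addresses are documentation ranges, not real nodes.
SAMPLE_TIERS = [
    ["192.0.2.10", "192.0.2.11"],   # tier 1: Americas
    ["198.51.100.20"],              # tier 2: Europe
    ["203.0.113.30"],               # tier 3: Asia
]

if __name__ == "__main__":
    down = {"192.0.2.10", "192.0.2.11"}  # simulate both tier 1 nodes unreachable
    report = preflight(SAMPLE_TIERS, probe=lambda addr: addr not in down)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run from the library's network segment with the default probe, a non-empty "unreachable" list points at a firewall rule or node that needs attention before the library depends on it for keys.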


ESKM Pre-installation Checklists

Prepare to install and use the ESKM system by recording the following information. If any information is missing, it will delay or prevent complete configuration and functioning of the ESKM system and the library's data encryption feature.

You will need the serial number of the HP tape library to be enrolled as an ESKM client. If the library is partitioned, you will need the serial number of each partition.

To locate the serial numbers:

• ESL E-Series and EML E-Series libraries
The library serial number is available from Command View TL. Select and manage the library to be enrolled. Click the Identity tab. The library serial number is shown at the bottom of the screen.
Partition serial numbers are also available from Command View TL. Select and manage the library to be enrolled. Click the Configuration tab. In the left-hand section of the window, click Partitioning. The library partitions are shown in the Partitioning section of the window to the right. For each partition, right-click the name of the partition and select Properties. The partition serial number is shown near the top of the Properties window.

• ESL G3 libraries
Log into the library as Security user. All of the library partitions are shown in the Managed Views window. Select each partition; the partition serial number is shown in the System Information box above the Managed Views.

• MSL6480 libraries
Log into the library as the security or administrator user. All of the library partitions are shown in the Status > Partition Map > Configuration Status screen.


Table 2 HP Tape Library 1 Device Information

Library Information

Library model

Library firmware

• ETLA — 2.7 or higher

• ESL G3 — 620H.GS07101 or higher

• MSL6480 — 3.90 or higher

Library clock is set, or NTP enabled?

Client licenses installed?

IP address of the library or Command View

Security User username and password, for Command View TL or ESL G3

Library's ESKM client account name available?

Library's ESKM client account password available?

Partition 1 s/n and Policy (for example, US12345678, KT)

Partition 2 s/n and Policy

Partition 3 s/n and Policy

Partition 4 s/n and Policy

Partition 5 s/n and Policy

ESKM Information

ESKM admin username and password available?

ESKM Key Sharing Group name is available?

ESKM node 1 IP address

ESKM node 1 tier

ESKM node 2 IP address

ESKM node 2 tier

ESKM manageability port (default: 9443)

ESKM KMS server port (default: 9000)

Backup Software Access

Backup servers & application IP address

Backup server username and password

Scratch LTO4/5 media available?

Table 3 HP Tape Library 2 Device Information

Library Information

Library model

Library firmware

• ETLA — 2.7 or higher

• ESL G3 — 620H.GS07101 or higher

• MSL6480 — 3.90 or higher


Library clock is set, or NTP enabled?

Client licenses installed?

IP address of the library or Command View

Security User username and password, for Command View TL or ESL G3

Library's ESKM client account name available?

Library's ESKM client account password available?

Partition 1 s/n and Policy (for example, US12345678, KT)

Partition 2 s/n and Policy

Partition 3 s/n and Policy

Partition 4 s/n and Policy

Partition 5 s/n and Policy

ESKM Information

ESKM admin username and password available?

ESKM Key Sharing Group name is available?

ESKM node 1 IP address

ESKM node 1 tier

ESKM node 2 IP address

ESKM node 2 tier

ESKM manageability port (default: 9443)

ESKM KMS server port (default: 9000)

Backup Software Access

Backup servers & application IP address

Backup server username and password

Scratch LTO4/5 media available?

Table 4 HP Tape Library 3 Device Information

Library Information

Library model

Library firmware

• ETLA — 2.7 or higher

• ESL G3 — 620H.GS07101 or higher

• MSL6480 — 3.90 or higher

Library clock is set, or NTP enabled?

Client licenses installed?

IP address of the library or Command View

Security User username and password, for Command View TL or ESL G3


Library's ESKM client account name available?

Library's ESKM client account password available?

Partition 1 s/n and Policy (for example, US12345678, KT)

Partition 2 s/n and Policy

Partition 3 s/n and Policy

Partition 4 s/n and Policy

Partition 5 s/n and Policy

ESKM Information

ESKM admin username and password available?

ESKM Key Sharing Group name is available?

ESKM node 1 IP address

ESKM node 1 tier

ESKM node 2 IP address

ESKM node 2 tier

ESKM manageability port (default: 9443)

ESKM KMS server port (default: 9000)

Backup Software Access

Backup servers & application IP address

Backup server username and password

Scratch LTO4/5 media available?


2 Creating ESKM Client Accounts

In this section, an ESKM client account will be created for each tape library and then each tape library will be configured to obtain keys from the ESKM. The process is the same for all HP tape libraries that support ESKM.

NOTE: A client-side license is required on most HP tape libraries that support ESKM.

Ensure that all HP tape libraries which will use the ESKM are in green status before setting up their client accounts.

The HP tape libraries must have LTO4 or later generation tape drives installed, and the library and its components must have firmware versions that support the ESKM key manager. Instructions for obtaining and updating firmware can be found in the library's user and service guide.

In the following steps, key generation policies are assigned per library partition or per physical library if there are no partitions.

TIP: For ESL E-Series and EML E-Series libraries, if you have Command View TL open in a separate browser window you can copy and paste the serial numbers from Command View to the ESKM console.

Procedure 1

1. Complete the pre-installation checklists and have them available. See ESKM Pre-installation Checklists.

2. In an internet browser, log in as the administrator to open the ESKM Cluster:
https://eskm-05.example.com:9443/

3. Click the Security tab.

4. In the navigation column, select Local Users & Groups.

5. Click Add to create a user.

6. Enter the user name and password in the empty fields.

• User name: can be any value but must be unique for each HP tape library.

• Password: cannot be a dictionary word, must be eight or more characters, must contain both alpha and numeric characters, and must begin with a letter. Passwords are case-sensitive.

7. Unselect the following check boxes:

• User Administration Permission

• Change Password Permission


8. Select the newly created user and click the Custom Attributes tab.

9. Click Add.


10. Enter the following:

a. Attribute name: KeyGenPolicy

b. Attribute value (one of the following per partition):

• <Partition Serial Number><space><KP><space><partition master key>

• <Partition Serial Number><space><KT>

• <Partition Serial Number><space><NE>

• <Partition Serial Number><space><EM>
Currently, only the ESL G3 tape library supports the EM policy.

KP is Key per Partition, KT is Key per Tape, NE is No Encryption, and EM is Externally Managed.

IMPORTANT: Every library partition must have a key generation policy. When entering policies for ESL G3 libraries, be sure to include a policy for the AMP partition; HP recommends using the NE policy.

c. Click Save.

11. For partitions using the KP policy, select the Security tab. For all other policies, skip to Step 16.

12. In the navigation column, select Keys.

13. Click Create Key.

14. Enter the following information:

• Key Name (for example, im25key1)

• Owner Username: user created in the previous steps (FCLib01)

• Algorithm: AES-256

• Deletable: checked

• Exportable: checked

• Versioned Key Bytes: unchecked

• Copy Group Permissions From: None (the default)


15. Click Create.

16. Create a key sharing group so HP tape libraries can share keys.

IMPORTANT: When keys are created, they are automatically accessible to all the libraries in that key sharing group. Encrypted media may be exported from one library in a key sharing group and imported to another tape library for decryption. You may have additional groups for more complex sharing requirements.
Therefore, HP strongly recommends creating a key sharing group even if you only have one tape library. Key sharing only applies to keys that are created after the group is created, so it is important to create the key sharing group prior to creating keys.

a. Select the Security tab.

b. In the Users & LDAP menu, select Local Users & Groups.

c. Under User & Group Configuration scroll to the Local Groups section.

d. Click Add.

e. Type the name of the group in the edit field. For example, MainDataCenter.

f. Select the name of the new group.

g. Under User List, click Add.

h. Type the username of the library client to be added to the group, or use the down arrow to select the library name from the displayed list.

i. Click Save.

17. Repeat this procedure for each library to be enrolled in the ESKM.
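The KeyGenPolicy values from step 10 can be checked against the pre-installation checklist before they are typed into the console. This is an added example, not HP code or part of the original guide. It assumes the angle brackets in the guide are placeholders, that <space> is one ASCII space and that the partition master key is given by its key name; the class and function names and every serial number other than the guide's US12345678 are constructed.

```python
"""Pre-entry check for ESKM KeyGenPolicy attribute values (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICIES = ("KP", "KT", "NE", "EM")  # policy codes listed in the guide


@dataclass(frozen=True)
class Partition:
    serial: str            # partition serial number from the checklist
    is_amp: bool = False   # True for the AMP partition of an ESL G3


@dataclass(frozen=True)
class PolicyEntry:
    serial: str
    policy: str
    key_name: Optional[str] = None   # third field, KP only


def parse_keygen_policy(value: str) -> PolicyEntry:
    """Parse '<serial> <policy>' or '<serial> KP <key>'; raise ValueError if malformed."""
    # Assumption: the guide's <space> means exactly one ASCII space.
    if value != " ".join(value.split()):
        raise ValueError(f"{value!r}: fields must be separated by single spaces")
    fields = value.split(" ")
    if len(fields) not in (2, 3):
        raise ValueError(f"{value!r}: expected 2 or 3 fields, got {len(fields)}")
    serial, policy = fields[0], fields[1]
    if policy not in POLICIES:
        raise ValueError(f"{value!r}: unknown policy {policy!r}")
    if policy == "KP" and len(fields) != 3:
        raise ValueError(f"{value!r}: KP needs the partition master key")
    if policy != "KP" and len(fields) != 2:
        raise ValueError(f"{value!r}: {policy} takes no third field")
    return PolicyEntry(serial, policy, fields[2] if policy == "KP" else None)


def audit(library_model: str, partitions: List[Partition],
          values: List[str]) -> List[str]:
    """Return findings for one library's client account; empty list means clean."""
    findings: List[str] = []
    known: Dict[str, Partition] = {p.serial: p for p in partitions}
    seen: Dict[str, PolicyEntry] = {}
    for value in values:
        try:
            entry = parse_keygen_policy(value)
        except ValueError as exc:
            findings.append(f"ERROR {exc}")
            continue
        part = known.get(entry.serial)
        if part is None:
            findings.append(f"ERROR {entry.serial}: serial not on the checklist")
            continue
        if entry.serial in seen:
            findings.append(f"ERROR {entry.serial}: more than one policy entered")
            continue
        seen[entry.serial] = entry
        # The guide: currently only the ESL G3 supports the EM policy.
        if entry.policy == "EM" and library_model != "ESL G3":
            findings.append(f"ERROR {entry.serial}: EM is only supported on ESL G3")
        # The guide: HP recommends NE for the AMP partition.
        if part.is_amp and entry.policy != "NE":
            findings.append(f"WARN {entry.serial}: HP recommends NE for the AMP partition")
    # The guide: every partition must have a key generation policy.
    for part in partitions:
        if part.serial not in seen:
            label = "AMP partition" if part.is_amp else "partition"
            findings.append(f"ERROR {part.serial}: {label} has no key generation policy")
    return findings


# Constructed sample: an ESL G3 with two data partitions and its AMP partition.
SAMPLE_PARTITIONS = [
    Partition("US12345678"),
    Partition("US12345679"),
    Partition("US1234567A", is_amp=True),
]
SAMPLE_VALUES = [
    "US12345678 KT",
    "US12345679 KP im25key1",
    "US12345678  NE",          # double space: rejected before it reaches the console
]

if __name__ == "__main__":
    for line in audit("ESL G3", SAMPLE_PARTITIONS, SAMPLE_VALUES):
        print(line)
```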


3 Enrolling HP Tape Libraries with the ESKM

Each of the HP tape libraries selected for encryption must be enrolled with the ESKM. Using the Key Management Setup Wizard, you establish a secure communication link between the library and the ESKM by setting up the certificate authority and certificates on the library, entering the user name and password that the library uses to log on to the ESKM, and entering the IP addresses of the ESKM appliances. The wizard will verify the connectivity to the ESKMs after all the data has been provided, and it will retrieve the key generation policies.

NOTE: The ESKM installation and client enrollment service will only include enrollment for the specific libraries in the installation scope of work. The ESKM installation does not include configuring the HP tape libraries for backups, connecting them to the SAN, partitioning them, or updating their firmware to support configuring the library for backups or encryption.

Enrolling ESL E-Series and EML E-Series Libraries

To enroll ESL E-Series and EML E-Series libraries with the ESKM:

1. As the Security user, manage the library using Command View TL.

2. Select the Configuration tab.

3. From the navigation pane, select Key Management.

4. Under Actions, select Launch Key Manager Setup Wizard. The Welcome page opens.

5. Click Next; this opens the Key Management Setup Wizard Options screen.


6. During first-time encryption setup, “Select Key Manager Type” should be selected. Verify the selection.

7. Click Next; this opens the Key Manager Selection screen.


8. Verify that “HP Enterprise Secure Key Manager” is selected.

9. Click Next; this opens the Certificate Authority Information page which describes the prerequisites for getting CA certificates.


10. Click Next; this opens the Certificate Authority Selection screen.

11. Verify that “HP Enterprise Secure Key Manager (ESKM) Local Authority (default)” is selected.

NOTE: In some circumstances, the customer may require a different CA than the one on the ESKM. If this occurs, select Third-Party Certificate Authority, and ask the customer to display the CA certificate so it can be pasted into the following screens.

12. Click Next; this opens the Retrieve the Local Certificate Authority Certificate screen.


13. Click Next; this opens the Certificate Authority Certificate Entry screen which contains an empty box in which to paste the certificate.

14. Go to the ESKM cluster.

15. Select the Security tab.

16. In the navigation column, select Local CAs to open the Local Certificate Authority List.

17. Select the appropriate CA name to open the certificate.


18. Copy the CA certificate from the bottom of the screen. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy.
Return to the Certificate Authority Certificate Entry screen of the Command View (Step 13).

19. Right-click within the Certificate Authority Certificate Entry box and select Paste.


20. Click Next; this opens the Library Certificate Information screen. The certificate is not yet created.

NOTE: The ESKM refers to the library certificate as a Client Certificate.


21. Click Next to create the library certificate.


22. Once the certificate has successfully been imported, click Next to view and copy the certificate.


23. Copy the certificate. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Right-click and select Copy, or click Copy Certificate.

24. Click Next.

25. Read the instructions on the screen, then click Next.


26. Return to the ESKM cluster.


27. Click Sign Request.

28. Select the Certificate Purpose as “Client” and enter the appropriate Certification Duration. Unless your organization has specific policies otherwise, HP recommends selecting the default duration.


29. Paste the copied certificate from the Prepare to Sign your Library Certificate screen (Step 23) into the Sign Certificate Request screen of the ESKM cluster.

30. Click Sign Request.

31. Copy the generated client certificate that has been signed by the CA.

32. Return to the Command View TL GUI.


33. Paste the copied CA-signed client certificate from the ESKM cluster into the Signed Certificate Entry box.


34. Click Next to open the HP Enterprise Secure Key Manager Information screen.


35. Click Next; this opens the ESKM Configuration screen.


36. Enter the appropriate details as follows:

• Library Username — the case-sensitive username created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts), in this example FCLib01.

• Password — the password created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts).

• Confirm Password — again, the password created in the ESKM cluster.

37. Click Next; this opens the Tier configuration screen.


38. Enter the ESKM cluster IP addresses in the Tier 1 screen. You may also use fully qualified DNS names.

39. If tiering is used, select the “Add another tier” box. Then enter the IP addresses into the Tier 2 and Tier 3 address fields.

40. Click Next; this opens the Key Manager Setup Summary confirmation screen.


41. Verify that the appropriate data is entered in each Tier. The IP addresses should match those you entered in Step 38 and Step 39.

42. Click Next.


43. Click Finish.

44. A confirmation box opens; click OK.

This completes the update and verification operation and the ESKM enrollment process. Proceed to Verifying Proper Configuration of the ESKM and Tape Libraries (page 46).

Verifying Connectivity from the Library to ESKM

This step is optional but useful when troubleshooting or updating policies on the ESKM. While this example is specific to ETLA, the ESL G3 has a similar feature.

To verify connectivity from the library to the ESKM:

1. In the Launcher window, click the Library Selection tab. A list of the current libraries appears.

2. Double-click the library for which to verify connectivity.

3. Log in as the security user.

4. Click the Configuration tab.

5. In the left panel, select Key Management.

NOTE: The Key Management command will only appear if you have Advanced Secure Manager and LTO4 or later generation tape drives installed in your library. (To verify if LTO4 or later generation drives are installed, navigate to the Library window, click the Status tab, then in the left panel, click Advanced LTO Drives).


6. Select Actions→Launch Key Management Setup Wizard. The welcome screen appears.

7. Read the information on the screen, and click Next. Page 1 of the wizard appears.

8. Select Verify Key Manager Connectivity, and click Next.

9. Verify that the configuration is correct, then click Next.

10. When the Update and Verification Operation Complete dialog box appears, read whether the operation completed successfully or not, then click OK.

Enrolling ESL G3 Libraries

1. If you are using Command View TL, select the library name under the Managed Views.

2. Log onto the library as the Security user.

3. Go to Setup→Encryption→Key Management Setup Wizard.


The Welcome page opens.

4. Click Next; this opens the Key Management Setup Wizard Options screen.


5. When encryption is being set up for the first time, “Select Key Manager Type” should be enabled and everything else disabled by default. Verify the selection.

6. Click Next; this opens the Key Manager Selection screen.

7. Verify that “HP Enterprise Secure Key Manager” is selected by default.

8. Click Next; this opens the Certificate Authority Information page which describes the prerequisites for getting CA certificates.

9. Click Next; this opens the Certificate Authority Selection screen.


10. Verify that “HP Enterprise Secure Key Manager (ESKM) Local Authority (default)” is selected.

NOTE: In some circumstances, the customer may require a different CA than the one on the ESKM. If this occurs, select Third-Party Certificate Authority, and ask the customer to display the CA certificate so it can be pasted into the following screens.

11. Click Next; this opens the Retrieve the Local Certificate Authority Certificate screen.

12. Click Next; this opens the Certificate Authority Certificate Entry screen.

13. Go to the ESKM cluster.

14. Select the Security tab.

15. In the navigation column, select Local CAs to open the Local Certificate Authority List.

16. Select the appropriate CA name.


17. Copy the CA certificate from the bottom of the screen. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy.

Return to the Certificate Authority Certificate Entry screen of the ESL G3 library (Step 12).

18. Paste the CA certificate in the Certificate Authority Certificate Entry box.


19. Click Next; this opens the Library Certificate Information screen.

NOTE: The ESKM refers to the library certificate as a Client Certificate.

20. Click Next; this opens the Prepare to Sign your Library Certificate screen.

21. Copy the certificate. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy.

22. Click Next; this opens the Sign your Library Certificate screen.

23. Click Next.

24. Return to the ESKM cluster.


25. Click Sign Request.

26. Paste the copied certificate from the Prepare to Sign your Library Certificate screen (Step 21) into the Sign Certificate Request screen of the ESKM cluster.

27. Select the Certificate Purpose as Client and enter the appropriate Certification Duration. Unless your organization has specific policies otherwise, HP recommends selecting the default duration.

28. Click Sign Request.


29. Copy the generated client certificate that has been signed by the CA.

30. Return to the ESL G3 library GUI.

31. Paste the copied CA-signed client certificate in the Signed Certificate Entry box.

32. Click Next; this opens the HP Enterprise Secure Key Manager Information screen.

33. Click Next; this opens the ESKM Configuration screen.

34. Enter the appropriate details as follows:

• Library Username — the case-sensitive username created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts), in this example FCLib01.

• Password — the password created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts).

• Confirm Password — again, the password created in the ESKM cluster.


35. Click Next; this opens the Tier configuration screen.

36. Enter the appropriate Node Address in the Tier 1 screen.

37. If tiering is used, select the Add another tier box. Then enter the IP addresses into the Tier 2 and Tier 3 address fields.

38. Click Next; this opens the Key Manager Setup Summary confirmation screen.


39. Verify that the appropriate data is entered in each Tier.

40. Click Finish.

41. A confirmation box opens; click Yes; this opens the Key Management Setup Summary.

This completes the enrollment process. The remaining steps are to confirm a successful enrollment. Proceed to Verifying Proper Configuration of the ESKM and Tape Libraries (page 46).

42. Click Close to exit the wizard.

43. Go to Library→Monitor→Key Management.

44. Verify the ESKM Server Information.
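The ESL E-Series/EML E-Series and ESL G3 procedures above both move three text blocks between the ESKM and the library wizard by copy and paste, where a partial selection or a paste of the wrong block is easy to miss. The following is an added example, not HP code: a Python pre-check that each block is complete and that the block going into Signed Certificate Entry is not the CA certificate or the unsigned block again. The sample blocks are constructed placeholders rather than real certificates, and all function names are illustrative.

```python
import base64
import binascii
import hashlib
import re

# One PEM block: BEGIN line, base64 body, END line, five dashes on each side.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


class PasteError(ValueError):
    """A copied block that is incomplete, mislabelled or corrupted."""


def der_total_length(der):
    """Total encoded size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise PasteError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise PasteError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pasted_block(text, expected_label=None):
    """Validate one copied block and return its DER bytes."""
    blocks = PEM_RE.findall(text.strip())
    if len(blocks) != 1:
        raise PasteError("need exactly one BEGIN ... END block, dashes included")
    begin, body, end = blocks[0]
    if begin != end:
        raise PasteError(f"BEGIN {begin} does not match END {end}")
    if expected_label and begin != expected_label:
        raise PasteError(f"block is labelled {begin}, expected {expected_label}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise PasteError(f"body is not valid base64 ({exc})") from exc
    if der_total_length(der) != len(der):
        raise PasteError("DER length mismatch, part of the block was not selected")
    return der


def fingerprint(pem_text):
    """SHA-256 of the DER bytes, independent of line endings or wrapping."""
    return hashlib.sha256(parse_pasted_block(pem_text)).hexdigest()


def preflight(ca_pem, request_pem, signed_pem):
    """Return a list of problems; an empty list means the three pastes look sane."""
    problems, der = [], {}
    checks = (
        ("CA certificate", ca_pem, "CERTIFICATE"),
        ("library request", request_pem, None),   # label of this block is not assumed
        ("signed client certificate", signed_pem, "CERTIFICATE"),
    )
    for name, text, label in checks:
        try:
            der[name] = parse_pasted_block(text, label)
        except PasteError as exc:
            problems.append(f"{name}: {exc}")
    signed = der.get("signed client certificate")
    if signed is not None and signed == der.get("CA certificate"):
        problems.append("signed client certificate: this is the CA certificate again, "
                        "not the certificate returned by Sign Request")
    if signed is not None and signed == der.get("library request"):
        problems.append("signed client certificate: this is the unsigned block "
                        "that was submitted for signing")
    return problems


def constructed_pem(label, payload):
    """Build a constructed sample block. It is NOT a real certificate."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed sample input standing in for the three copied blocks.
SAMPLE_CA = constructed_pem("CERTIFICATE", b"CA" * 150)
SAMPLE_REQUEST = constructed_pem("CERTIFICATE", b"RQ" * 150)
SAMPLE_SIGNED = constructed_pem("CERTIFICATE", b"SG" * 150)

if __name__ == "__main__":
    print(preflight(SAMPLE_CA, SAMPLE_REQUEST, SAMPLE_SIGNED) or "all three blocks look sane")
    print(preflight(SAMPLE_CA, SAMPLE_REQUEST, SAMPLE_CA))
```

This check only covers the structure of the pasted text; it does not verify the signature or the certificate purpose. Comparing `fingerprint()` output for the CA certificate across libraries confirms that each one was given the same trust anchor.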

Enrolling MSL6480 Libraries

1. Log into the library remote management interface (RMI) as the security user.

2. Verify that library configuration is complete, including defining all library partitions.

3. Navigate to the Configuration > System > License Key Handling screen and verify that the ESKM license has been added.


Table 5 MSL6480 ESKM licenses

Part number    Description
TC469A         HP StoreEver MSL6480 ESKM Encryption License
TC469AAE       HP StoreEver MSL6480 ESKM Encryption E-License

4. Click Encryption→ESKM Wizard to start the wizard.

5. The Wizard Information screen displays information about the wizard. If the library configuration is complete, click Next.

6. The Certificate Authority Information screen displays prerequisites for using the ESKM certificate. When the prerequisites are met, click Next.

7. The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the ESKM server. Follow the instructions to copy the certificate from the management console. Paste the certificate into the wizard and then click Next.

8. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.

9. In the ESKM Client Configuration screen enter the username and password that the library will use to communicate with the ESKM.

If the username and password have not already been set up on the ESKM device, follow the instructions in “Creating ESKM Client Accounts” (page 11) to create a client account for the library.

Enter the client username and password, and then click Next.

10. The Certificate Generation screen displays the current library certificate, if one exists. Select whether to keep the current certificate or generate a new one and then click Next.

11. In the ESKM Tier Selection screen you can group ESKM devices into tiers so the library will attempt to connect with ESKM devices in the top tier first, and then fail over to connect with ESKM devices in a lower priority tier if necessary. For example, you might put ESKM devices in the same data center as the library in Tier 1 with ESKM devices in remote data centers in Tiers 2 and 3.

One tier is used by default. To add a tier, click Add Tier.

Enter the IP address or fully-qualified hostname and port number for up to six ESKM devices in each tier. To verify access to the ESKM devices, click Connectivity Check.

When the tier configuration is complete, click Next.

12. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify settings or address issues, either click Back to reach the applicable screen or Cancel out of the wizard to fix the issues and return later.

If the settings are correct and there are no errors, click Finish.

13. To check the connectivity to the ESKM devices, from the Status > Security screen click Connectivity Check and verify that no errors are returned.
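Because the library tries the top tier first and only then fails over (step 11), a healthy Tier 1 can hide an unreachable ESKM device in a lower tier until it is needed. The following added example, not HP code, checks a planned tier layout against the wizard's limit of six devices per tier and probes every device from a management host. The addresses, port 9000 and function names are constructed for illustration, and trying devices within a tier in the order listed is an assumption.

```python
import ipaddress
import re
import socket

MAX_NODES_PER_TIER = 6   # the wizard accepts up to six ESKM devices in each tier
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_tiers(tiers):
    """tiers: list (Tier 1 first) of lists of (host, port). Returns problem strings."""
    problems, seen = [], {}
    for number, nodes in enumerate(tiers, start=1):
        if not nodes:
            problems.append(f"Tier {number}: no ESKM devices listed")
        if len(nodes) > MAX_NODES_PER_TIER:
            problems.append(
                f"Tier {number}: {len(nodes)} devices, limit is {MAX_NODES_PER_TIER}")
        for host, port in nodes:
            try:
                ipaddress.ip_address(host)
            except ValueError:
                if not FQDN_RE.match(host):
                    problems.append(
                        f"Tier {number}: {host!r} is not an IP address or FQDN")
            if not 1 <= port <= 65535:
                problems.append(f"Tier {number}: {host} has invalid port {port}")
            key = (host.lower(), port)
            if key in seen:
                problems.append(
                    f"Tier {number}: {host}:{port} already listed in Tier {seen[key]}")
            seen.setdefault(key, number)
    return problems


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection opens. This does not test TLS or client credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(tiers, probe=tcp_probe):
    """Walk tiers in priority order and return (tier, host, port), or None.

    Assumption: devices inside a tier are tried in the order listed.
    """
    for number, nodes in enumerate(tiers, start=1):
        for host, port in nodes:
            if probe(host, port):
                return number, host, port
    return None


def unreachable_nodes(tiers, probe=tcp_probe):
    """Probe every device, since a working Tier 1 hides dead devices in lower tiers."""
    return [(number, host, port)
            for number, nodes in enumerate(tiers, start=1)
            for host, port in nodes
            if not probe(host, port)]


# Constructed sample: documentation-range addresses and a placeholder port.
SAMPLE_TIERS = [
    [("192.0.2.10", 9000), ("192.0.2.11", 9000)],   # Tier 1: same data center
    [("eskm-dr.example.com", 9000)],                # Tier 2: remote data center
]

if __name__ == "__main__":
    print(validate_tiers(SAMPLE_TIERS))
    print(first_reachable(SAMPLE_TIERS), unreachable_nodes(SAMPLE_TIERS))
```

A probe from a management host shows network reachability only; the library's own Connectivity Check remains the test of its certificates and client credentials.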


4 Verifying Proper Configuration of the ESKM and Tape Libraries

This section describes the configuration and execution of a test suite which verifies the ESKM cluster is operational. It can be performed on-site after all the ESKM and library configuration steps are completed. These verification steps are the same for all HP tape libraries.

• Test 1 — will encrypt data to a scratch tape, then attempt to read that data in a non-encrypting configuration. The failure to read data will verify that encryption has occurred.

• Test 2 — will force the HP tape library client to use a specific node of the ESKM cluster when obtaining an encryption key. The test will be repeated for each node in the installation, to confirm that each ESKM node is available and functional.

Test 1: Verify that Tape Backups are Encrypted

Repeat this test for each library enrolled with the ESKM.

Test Summary

This test is comprised of the following steps:

1. Load a tape cartridge into a drive, and create an encryption key by writing encrypted data to the tape. Then unload the cartridge.

Demonstrate that the key has been replicated to each of the ESKM nodes.

2. The ability to export that key will be temporarily disabled.

3. Re-load the encrypted tape, and read it. Then unload the cartridge.

The read operation will fail, demonstrating that the tape is encrypted.

4. The key export property will be re-enabled.

5. Load the encrypted tape, and read it. Then unload the cartridge.

The read operation will succeed, demonstrating that the policy has been successfully re-enabled, and the system is ready for production.

Demonstrate that key retrieval was logged in the ESKM activity log.

Prerequisites

• Successful installation of all ESKM nodes.

• Successfully added all ESKM nodes to the cluster.

• Successfully completed all HP tape library pre-installation steps.

◦ Hardware updates, firmware updates, and partitioning (if required).

◦ Encryption feature client-side license is installed.

• Successfully completed enrollment of all HP tape libraries with the ESKM cluster.

• Customer’s backup administrator is present.

• At least 1 scratch tape is present in each library. If the library is partitioned, identify the partition containing that cartridge.

• Customer has a console to access their ISV backup software.

• Customer has a console available to view the ESKM GUI.


Pre-test Configuration Steps

1. Installer. Using a separate browser window for each ESKM node, log into each of the ESKM nodes via its web GUI. Go to the Device Tab, select Log Viewer from the Logs and Statistics pane, select Activity. From Show last number of lines, select All. Click Display Log.

2. Customer. Log in to the ISV software and ensure it can access the LTO4 or LTO5 tape drives to be used in this test.

Test Steps

1. Customer. Using the ISV console, load the scratch tape into an LTO4 or LTO5 drive in a partition or library with an encrypting policy (a partition or library having a KT or KP policy). Now format, or initialize, the tape using the ISV software. Optionally, write a few records to the tape. The actual operations will depend on the ISV software being used. But the intent is to initialize the tape and write a few records which can be restored later. The initialization process may be sufficient, if it writes records which may be later retrieved (timestamps, etc). Now, using the ISV software, read the records from tape. This demonstrates the encrypted data is readable.

a. Installer. Using the ESKM browser windows, demonstrate that the Activity Log of one ESKM contains a new entry showing a key was created. In each of the other nodes’ GUI, go to the Security tab. In the Keys window, demonstrate that the key has been replicated to those nodes. Return to the Activity Log viewer after verifying the replication.

NOTE: If the policy is KP (Key per Partition), the log will record a KeyClone operation instead of a KeyGen operation.

b. Customer. Using the ISV console, unload the media to a library slot.

2. Installer. Temporarily disable the Export property for the key created in the previous step. In one of the ESKM GUIs, select the Security tab. In the Keys and Policy Configuration pane, select the key created in the previous step. On the Key Properties pane, click Edit, uncheck the Exportable property, and click Save.

Return to the Activity Log display. In each of the other ESKM GUIs, demonstrate to the customer that the property change was replicated by viewing the key Exportable property in the key list. The checkbox will be un-checked. Return to the Activity Log display.

3. Customer. Using the ISV console, load the scratch tape into an LTO4 or LTO5 drive in the same partition. Using a different drive is possible, to further demonstrate how all drives in the partition have the same policy. But, using the same drive is sufficient for this test. Read the records which were earlier written to the tape. This operation will fail, since the key export has been temporarily disabled. Unload the tape. Note the error message that is displayed. This will be the error message this ISV uses when encrypted tapes are placed in non-encrypting drives. In many cases, these messages indicate a write-protect error.

4. Installer. Re-enable the key export property, using the operations in step 2. Verify the property change is replicated to each node, by viewing the export property of the key at each of the ESKM nodes.

5. Customer. Using the ISV, load the tape into an LTO4 or LTO5 drive in the same partition. Read the records which were earlier written to the tape. This operation will succeed. Unload the tape.

Installer. Using the Activity Log viewers, demonstrate to the customer that one of the ESKM nodes has now logged a key export.

This concludes ESKM verification test 1.


Issues

If issues are found:

• No currently known failure modes. Any failures in this test would have been detected in the connectivity test, during library enrollment.

• Re-run the connectivity test in the CVTL Wizard.

• The most likely cause of failure of the connectivity test is an incorrectly entered, or missing, KeyGenPolicy. See step 12 in the installation poster.

Test 2: Verify that Each ESKM Node Supports Tape Library Operations after Failure of a Single Node

This test will force the HP tape library client to use a specific node of the ESKM cluster when obtaining an encryption key. The test will be repeated for each node in the installation, to confirm that each node is available and functional.

Test Summary

1. Temporarily configure the ESKM cluster so only 1 ESKM node can export keys, using the ESKM GUI.

2. Load an encrypted tape, and read it. Unload the cartridge.

The read operation will be successful.

3. Repeat steps 1 and 2, enabling a different ESKM in the cluster.

The read operation will be successful.

4. The read operation will be successful.

Prerequisites

• Successful installation of all ESKM nodes.

• Successfully added all ESKM nodes to the cluster.

• Successfully completed all HP tape library pre-installation steps.

◦ Hardware updates, firmware updates, and partitioning (if required).

◦ Secure Manager is licensed, and configured to allow access to the backup hosts.

• Successfully completed enrollment of all HP tape libraries with the ESKM cluster.

• Successfully completed Test 1.

• Customer’s backup administrator is present.

• At least 1 scratch tape is present in each library. If the library is partitioned, identify the partition containing that cartridge.

• Customer has a console to access their ISV backup software.

• Customer has a console available to view the ESKM GUI.

Pre-test Configuration Steps

1. Installer. Using a separate browser window for each ESKM node, log into each of the ESKM nodes via its web GUI. Go to the Device Tab, select Log Viewer from the Logs and Statistics pane, select Activity. From Show last number of lines, select All. Click Display Log.

2. Customer. Log in to the ISV software and ensure it can access the LTO4 or LTO5 tape drives to be used in this test.


Test Steps

1. Installer. Using ESKM GUIs, disable the KMS server on all ESKM nodes except one. From the Device tab, select Maintenance, Services. In the Services List, select KMS Server, and click Stop. Click Refresh, and verify the Status of the KMS Server is Stopped.

2. Customer. Using the ISV software, load the tape which was initialized and written in Test 1 into an LTO4 or LTO5 drive. Read the data. Then unload the cartridge.

a. The read operation will be successful. This demonstrates that the key was available on the single node, the path to that node is operational, and the library client’s certificates and credentials at that node are in order.

b. Repeat step 2 for each library enrolled with the ESKM cluster. This verifies each library can communicate with that ESKM node.

3. Installer. Referring to step 1, re-start the KMS server on the ESKM node.

4. Repeat steps 1 – 3 for each ESKM in the cluster.

This concludes ESKM verification test 2.

Issues

If the test fails for one node, the most likely cause is the server certificate on that node. Review the steps in the install poster regarding the server certificate (step 9b). Each node has its own server certificate, but these certificates a) must have the same name, and b) must all be signed by the same CA.

Example Verification

The following screen shots provide an example using HP Data Protector. The screen shot captions, in order, are:

• ISV Begins the Backup Policy
• ISV is Writing Data
• ESKM Activity Log Shows Key Generation for MINIME
• Second ESKM Node System Log Shows the Key was Replicated
• ESKM Key Page Shows New Key for MINIME
• ISV Success of the Backup and Unload of Media
• ISV Begins Restore of Backup
• ISV Successful in Restore of Backup and Unload of Media
• ESKM Activity Log Shows Success Exporting Key for MINIME
• Unchecking the Export Setting of Key
• ISV Begins Restore of Backup after Disabling Key Export
• ISV Failed to Restore the Backup and Media was Unloaded
• ISV Log/activity Shows Error that Key Not Available
• ESKM Activity Log Shows Error Getting Key for MINIME
• Re-enabling Key Export Setting
• Disabling KMS Server on ESKM Node that is Creating the Keys
• ISV Begins Restore of Backup
• ISV Successful in Restore of Backup and Unload of Media
• ESKM Activity Log from Other Node Shows Success Exporting Key for MINIME
• Re-enabling First Node KMS Server


5 Support and Other Resources

Contacting HP

For worldwide technical support information, see the HP support website:

http://www.hp.com/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

Typographic Conventions

Table 6 Document Conventions

Convention                                  Element
Blue text: Table 6 (page 56)                Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com    Website addresses
Bold text                                   • Keys that are pressed
                                            • Text typed into a GUI element, such as a box
                                            • GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text                                 Text emphasis
Monospace text                              • File and directory names
                                            • System output
                                            • Code
                                            • Commands, their arguments, and argument values
Monospace, italic text                      • Code variables
                                            • Command variables
Monospace, bold text                        Emphasized monospace text

IMPORTANT: Provides clarifying information or specific instructions.

NOTE: Provides additional information.

TIP: Provides helpful hints and shortcuts.

Documentation feedback

HP welcomes your feedback.

To make comments and suggestions about product documentation, please send a message to [email protected]. All submissions become the property of HP.
