NonStop Volume Level Encryption Guide

HP Part Number: 580587-001
Published: October 2009
Edition: J06.09 and subsequent J-series RVUs, and H06.20 and subsequent H-series RVUs


© Copyright 2009 Hewlett-Packard Development Company, L.P.

Legal Notice

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Export of the information contained in this publication may require authorization from the U.S. Department of Commerce.

Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.

Intel, Pentium, and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Java is a U.S. trademark of Sun Microsystems, Inc.

Motif, OSF/1, UNIX, X/Open, and the "X" device are registered trademarks, and IT DialTone and The Open Group are trademarks of The Open Group in the U.S. and other countries.

Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif, and Motif are trademarks of the Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing, performance, or use of this material.

© 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF software to which it relates are derived in part from materials supplied by the following: © 1987, 1988, 1989 Carnegie-Mellon University. © 1989, 1990, 1991 Digital Equipment Corporation. © 1985, 1988, 1989, 1990 Encore Computer Corporation. © 1988 Free Software Foundation, Inc. © 1987, 1988, 1989, 1990, 1991 Hewlett-Packard Company. © 1985, 1987, 1988, 1989, 1990, 1991, 1992 International Business Machines Corporation. © 1988, 1989 Massachusetts Institute of Technology. © 1988, 1989, 1990 Mentat Inc. © 1988 Microsoft Corporation. © 1987, 1988, 1989, 1990, 1991, 1992 SecureWare, Inc. © 1990, 1991 Siemens Nixdorf Informationssysteme AG. © 1986, 1989, 1996, 1997 Sun Microsystems, Inc. © 1989, 1990, 1991 Transarc Corporation. OSF software and documentation are based in part on the Fourth Berkeley Software Distribution under license from The Regents of the University of California. OSF acknowledges the following individuals and institutions for their role in its development: Kenneth C.R.C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems, Robert Elz. © 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of California.

Table of Contents

About This Document
    Supported Release Version Updates (RVUs)
    Intended Audience
    New and Changed Information in This Edition
    Document Organization
    Notation Conventions
        General Syntax Notation
    Related Information
    Publishing History
    HP Encourages Your Comments

1 Overview
    Encryption
    Encryption principles
    Encryption techniques
    Encryption management
        HP NonStop I/O Essentials
    Supported systems and devices
    System requirements and planning
    Encryption in a system
    Licensing

2 Installation
    Installation overview
    Installation steps
        1. Install Storage CLIMs
        2. Install the license
        3. Configure SAFEGUARD
        4. Create security group
        5. Configure eth1 (enterprise LAN)
        6. Install the ESKM
        7. Perform pre-enrollment tasks
        8. Register the CLIMs
        9. Verify connection between the CLIM and the key managers
        10. Back up the configuration files
        11. Back up the Key Managers

3 Encrypting data on storage devices
    Encrypting data on disk drives
        Encrypting data with CLIM key rotation
        Encrypting data with REVIVE key rotation
        Changing encrypted disk keys
        Decrypting a disk
        Disk hardware replacement
    Encrypting data on tape drives
        Encrypting data on tape drives
        Clearing tape drive encryption
        Tape drive hardware replacement

4 Maintenance
    Security
    License
    ESKM license
    SCF commands
        STATUS SUBSYS $ZZSTO
        STATUS CLIM, ENCRYPTION
        STATUS CLIM, KEYMANAGER
        STATUS CLIM, KEYCHANGE
        STATUS DISK, ENCRYPTION
        STATUS DISK, ENCRYPTION, DETAIL
        STATUS TAPE, ENCRYPTION
    Troubleshooting
    Fallback
    Adding CLIMs

A Glossary of terms used in this manual

B Encryption background

Index

List of Figures

    1-1 System Connections
    3-1 Fault tolerant configuration
    3-2 Key rotation
    3-3 Data encryption using INIT and START

About This Document

This document describes how to install and maintain volume level encryption provided by Storage CLIMs and the HP Enterprise Secure Key Manager.

Supported Release Version Updates (RVUs)

This manual supports J06.09 and all subsequent J-series RVUs, and H06.20 and all subsequent H-series RVUs, until otherwise indicated in a replacement publication.

Intended Audience

This manual is intended for service personnel who will install Storage CLIMs, and for security encryption administrators at customer sites who will maintain encryption on these devices. Security encryption administrators are expected to have knowledge of security concepts and best practices.

New and Changed Information in This Edition

This is a new manual.

Document Organization

This document is organized as follows:

Chapter 1: Overview
    This chapter provides an overview of encryption, supported systems, system requirements, encryption in a system, and encryption licensing.

Chapter 2: Installation
    This chapter describes the steps for installing and configuring components required for encryption.

Chapter 3: Encrypting data on storage devices
    This chapter describes how to encrypt data on disk and tape devices.

Chapter 4: Maintenance
    This chapter describes maintenance and best practices required for encryption.

Appendix A (page 61)
    Glossary of terms used in this manual.

Notation Conventions

General Syntax Notation

This list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS
    Uppercase letters indicate keywords and reserved words. Type these items exactly as shown. Items not enclosed in brackets are required. For example:
        MAXATTACH

Italic Letters
    Italic letters, regardless of font, indicate variable items that you supply. Items not enclosed in brackets are required. For example:
        file-name

[ ] Brackets
    Brackets enclose optional syntax items. For example:
        TERM [\system-name.]$terminal-name
        INT[ERRUPTS]
    A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list can be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:
        FC [ num ] [ -num ] [ text ]
        K [ X | D ] address

| Vertical Line
    A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:
        INSPECT { OFF | ON | SAVEABEND }

Punctuation
    Parentheses, commas, semicolons, and other symbols not previously described must be typed as shown. For example:
        error := NEXTFILENAME ( file-name ) ;
        LISTOPENS SU $process-name.#su-name
    Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown. For example:
        "[" repetition-constant-list "]"

Item Spacing
    Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
        CALL STEPMOM ( process-id ) ;
    If there is no space between two items, spaces are not permitted. In this example, no spaces are permitted between the period and any other items:
        $process-name.#su-name

Related Information

For information about...
    Refer to...

CLIM hardware
    HP ProLiant DL385 Generation 5 Server Maintenance and Service Guide

CLIM installation and configuration
    NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide

Cluster I/O Protocols (CIP) subsystem
    NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual

Enterprise Secure Key Manager hardware installation and configuration
    Enterprise Secure Key Manager Installation and Replacement Guide (on the CD shipped with the device)

Enterprise Secure Key Manager hardware and key configuration
    Enterprise Secure Key Manager Users Guide (on the CD shipped with the device)

Operator messages
    Operator Messages Manual

SCF device attributes and commands
    SCF Reference Manual for the Storage Subsystem

Storage devices
    NonStop Storage Overview

Virtual tape
    Virtual TapeServer - Operations and Administration Guide

Publishing History

Part Number: 580587-001
Product Version: N.A.
Publication Date: November 2009

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send any errors found, suggestions for improvement, or compliments to [email protected]. Include the document title, part number, and any comment, error found, or suggestion for improvement you have concerning this document.

1 Overview

Encryption

Encryption on storage devices protects sensitive customer data from theft and helps our customers comply with regulations like HIPAA and the Payment Card Industry (PCI) Data Security Standard.

Volume level encryption provides system integrated volume level encryption for storage devices connected to Integrity NonStop NS Series systems or NonStop Integrity BladeSystems that use a Storage CLIM. Data-at-rest on disks and tape drives is encrypted using IEEE 1619 (disk) and IEEE 1619.1 (tape) industry standard algorithms. Encryption uses keys generated and stored by the HP Enterprise Secure Key Manager (ESKM).

Encryption principles

Keys generated by the key manager protect storage data. Keys are as valuable an asset as the data they protect, and they must be protected for the life of the data. If a key is lost or destroyed, the data is effectively lost because it cannot be accessed. Follow these practices:
• Keys and system security should be managed by customer security officers, not system administrators
• Keys should be protected by ESKM disk mirroring, backups, and distribution over multiple nodes so that they can be recovered in case of catastrophic failure

CAUTION: There are no system back doors for recovering data if passwords or keys are lost. If keys are destroyed or lost, the data is lost. HP recommends that all ESKM backup and redundancy mechanisms should be fully used, and that alternate security officers should be trained and enrolled to manage the ESKM cluster and to perform recovery operations if needed.

For more details about encryption, see Appendix B (page 63).

Encryption techniques

Volume level encryption provides data-at-rest encryption for entire disk or tape volumes, instead of files or columns. The system processes and transmits data in clear (unencrypted) text. Volume level encryption does not secure data while it is in transit to or from storage media. Customers must still configure their environment and applications in such a way as to control data access to sensitive information when data is in use on the NonStop system.

Data comes from ServerNet in the clear and is placed in CLIM memory. It is encrypted and then transferred to the disk using the SAS or Fibre Channel HBA.

Volume level encryption uses symmetric block encryption, also called block cipher, which uses a single key for encryption and decryption.

This product uses these algorithms:
• Disks: CBC-AES (key size 256) or XTS-AES (key size 256)
    ◦ CBC-AES must be used for FIPS 140-2 mode
    ◦ XTS-AES follows the IEEE 1619 spec
• Tapes: GCM-AES (key size 256)

Encryption management

The CLIM is managed with a combination of OSM, the CLIMCMD tool, I/O Essentials, and an integrated Lights Out Management (iLO) interface. For details, see the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual and the NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide.

Encrypted disks and drives are managed with the SCF storage subsystem. For descriptions of disk and tape attributes and commands to manage them, see the SCF Reference Manual for the Storage Subsystem.

The ESKM is managed with the ESKM Management Console. For details, see the Enterprise Secure Key Manager Users Guide.

HP NonStop I/O Essentials

NonStop I/O Essentials is a plug-in to HP Systems Insight Manager (SIM). HP SIM is an infrastructure management tool for HP systems that runs on the system console. The NonStop I/O Essentials plug-in provides a graphical user interface alternative to the command line interfaces of the CLIMCMD tool and SCF. For more information about using NonStop I/O Essentials, see the NonStop I/O Essentials Installation and Quick Start Guide.

Supported systems and devices

Volume level encryption is supported on these systems:
• NonStop Integrity BladeSystems (J-series)
• NonStop Integrity NS16000 series servers (H-series)
• NonStop Integrity NS2000 series servers (H-series)

Encryption is not available for S-series or other platforms that do not support the Storage CLIM.

Encryption is supported on these devices:
• SAS disk drives
• Enterprise Storage Servers
• LTO-4 tape drives (encryption may be applied per-drive or per-media)

For disks, encryption is performed by the CLIM using keys generated by the key manager. Encryption is compatible with the Write Cache Enable feature.

For tapes, encryption is performed by the LTO-4 tape drive. Storage CLIMs with encryption support connections to Secure VTS (Virtual Tape Server) tapes, whose encryption is performed by VTS.

Volume level encryption is not compatible with the NetApp DataFort product.

System requirements and planning

This hardware is required to support encryption:
• Any NonStop NS-series or NonStop BladeSystem with Storage CLIMs and an NSVLE encryption license
• Storage CLIM
• Key manager (ESKM)

NonStop disks to be encrypted are not required to be mirrored, but mirroring is strongly advised, for fault tolerance.

The CLIM is an HP ProLiant class server that can connect to HP Integrity NonStop BladeSystem or NS-series system to support connections to storage devices or to the network. The Storage CLIM provides fibre channel and SCSI attached storage (SAS) connectivity to storage devices. It supports only the HP documented applications and interfaces. For information about the CLIM, see the appropriate generation of the HP ProLiant DL385 Server Maintenance and Service Guide.

The ESKM is based on HP ProLiant server technology. It generates, stores, and serves keys to CLIMs. It automatically replicates keys across clusters, can perform backup and restore of the key database, and provides a local Certificate Authority (CA) used to create client certificates for strong TLS authentication of CLIMs to the key manager.

Key managers are installed in pairs or larger clusters for high availability. The key manager device may be installed anywhere (in the same or in another datacenter) but must be network-accessible to Storage CLIMs. The encryption Storage CLIM connects to key managers using its second LAN port (eth1).

Encryption in a system

Communication between a NonStop system and Storage CLIMs is done with a combination of ServerNet and the maintenance LAN. Users enter SCF commands to enable or disable encryption on a particular device and to set up encryption parameters. The second Ethernet port (eth1) on the CLIM is connected directly to the Enterprise LAN so that Storage CLIMs can communicate with the key manager.

Figure 1-1 shows how system components are connected in a system.

Figure 1-1 System Connections

    1 NonStop processors
    2 System console
    3 ServerNet
    4 CLIMs
    5 Maintenance LAN
    6 Key managers
    7 Enterprise LAN

Licensing

Encryption is enabled by a license available from HP, which is installed on the NonStop system. Licensing is described in “License” (page 55). Enrolling CLIMs as ESKM clients also requires the availability of sufficient client licenses in the ESKM cluster. ESKM Client Licensing and license installation is described in the Enterprise Secure Key Manager Installation and Replacement Guide, on the CD shipped with the device.

2 Installation

Installation overview

In order to use Volume Level Encryption, you must install the ESKM and establish ESKM/CLIM connectivity over the enterprise LAN. ESKM/CLIM interactions must be authenticated through certificates and encrypted through SSL, so that the CLIM can securely receive keys from the ESKM. The appropriate security officers must be enabled to control volume encryption from the NonStop system.

To accomplish this, you must perform these installation tasks:
• Configure connectivity
• Configure an ESKM cluster (if not already done)
• Create a certificate authority on the ESKM if one does not exist
• Have the ESKM certificate authority create server certificates for each ESKM
• Have the CLIM create a client certificate for each CLIM
• Have the ESKM CA sign the client certificates
• Install the signed client certificates on the CLIMs
• Create and populate an encryption group in Safeguard

Installation is done by a service provider and a customer security officer.

The service provider:
• Installs and configures the CLIM
• Installs the key manager
• Configures LAN connection
• Backs up the CLIM configuration

The security officer:
• Installs the license
• Configures SAFEGUARD and creates the security group
• Configures the connection between the CLIM and the key manager
• Configures devices to be encrypted
• Performs data encryption procedures

To prepare for installation, have this information available:
• CLIM names for the client certificates
• Correct port numbers

To install this product, follow these steps:
◦ “1. Install Storage CLIMs” (page 16)
◦ “2. Install the license” (page 16)
◦ “3. Configure SAFEGUARD” (page 16)
◦ “4. Create security group” (page 16)
◦ “5. Configure eth1 (enterprise LAN)” (page 17)
◦ “6. Install the ESKM” (page 17)
◦ “7. Perform pre-enrollment tasks” (page 19)
◦ “8. Register the CLIMs” (page 41)
◦ “9. Verify connection between the CLIM and the key managers” (page 41)
◦ “10. Back up the configuration files” (page 42)
◦ “11. Back up the Key Managers” (page 42)

Installation steps

1. Install Storage CLIMs

If the system does not have Storage CLIMs, follow the procedures in the NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide to install, connect, and configure them. The CLIM should be in the STARTED state.

2. Install the license

Obtain the encryption license file by emailing [email protected]. Install the file in $SYSTEM.ZLICENSE.NSVLE and change the filecode to 407.

For details about the license, see “License” (page 55).

3. Configure SAFEGUARD

SAFEGUARD must be running. Make it a generic process:

    ADD PROCESS $ZZKRN.#SAFEGUARD , &
    AUTORESTART 10 , &
    BACKUPCPU 1 , &
    DEFAULTVOL $SYSTEM.SYSTEM , &
    HIGHPIN ON , &
    HOMETERM $ZHOME , &
    INFILE $YMIOP.#CLCI , &
    MEMPAGES 0 , &
    NAME $ZSMP , &
    OUTFILE $ZHOME , &
    PRIMARYCPU 0 , &
    PRIORITY 198 , &
    PROGRAM $SYSTEM.SYSTEM.OSMP , &
    SAVEABEND ON , &
    STARTMODE SYSTEM , &
    STARTUPMSG "BCKP-CPU" , &
    STOPMODE STANDARD , &
    TYPE OTHER , &
    USERID SUPER.SUPER

4. Create security group

The customer security officer creates a group to administer security whose members will be the only users allowed to perform security tasks. The members must be in the SUPER group.

Use SAFECOM to create the SECURITY-ENCRYPTION-ADMIN group:

    ADD GROUP SECURITY-ENCRYPTION-ADMIN, NUMBER 65536
    ALTER GROUP NUMBER 65536, MEMBER SUPER.officer

Verify the group with the SAFECOM INFO command:

You can create other members now or later. Group membership takes effect at the next logon.

5. Configure eth1 (enterprise LAN)

The service provider uses CLIMCMD to configure eth1 (the enterprise LAN) on the CLIM:

    climconfig interface -add eth1
    climconfig ip -add eth1 -ipaddress 16.107.132.108 -netmask 255.255.252.0
    climconfig route -add eth1 -default -gateway 16.107.132.1
    ifstart eth1

IP addresses and route options are customer-dependent. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual for details.

6. Install the ESKMThe service provider installs the ESKM device. See the Enterprise Secure Key Manager Installationand Replacement Guide for details. This manual is on the CD shipped with the device.As part of the installation process, you may need to install an ESKM license pack. A client licenseis required for each user device (Storage CLIM) that will be created on the ESKM. Contact HPsupport to obtain it with email sent by Atalla Support. See theEnterprise Secure KeyManagerUsersGuide for additional guidance on installing the license file (on the CD shipped with the device).If the number of created users exceeds the number of available licenses, a warning is displayedin the ESKM GUI and the error is logged. If the license warning appears after registering theCLIMs (“8. Register the CLIMs” (page 41)), you must obtain additional licenses from HP.The Key Manager must be set up so that:• On the High Security Configuration page, FIPS mode is enabled.• On the KMS Server Settings page, “Allow Key and Policy Configuration Operations” and

“Allow Key Export” are selected.• SSL is enabled with client certificate authentication.• The default ports are used.• All server certificates in the cluster have the same name.For the first node only, perform these tasks:1. Start the appliance2. Configure the appliance3. Configure the first ESKM appliance

Installation steps 17

Page 18: NonStop Volume Level Encryption Guide

a. If you did not do so during the ESKM installation, create local CANSVLECA (the nameused in this example) and use it to sign the server certificate:1) Log onto the Secure Key Manager GUI as admin. Login name is case sensitive.2) On the Security tab, select Local CAs.3) Enter information to create a local certificate authority:

4) Click Create.You can use the local CA to sign both server and client certificates. You mustdownload this CA to the NonStop system.

If a customer wants to use their own CA, they can import a known CA. See the EnterpriseSecure Key Manager Users Guide for details.

b. Set up the local Certificate Authority1) Create the ESKM server certificate2) Enable SSL on the Key Management System (KMS) Server

4. Establish a clustera. Create the clusterb. Download the cluster key

For all other ESKM nodes, perform these tasks:1. Start the appliance2. Configure the appliance3. Add additional ESKM appliances to the cluster4. Create and install the ESKM Server CertificateFor one node, create the NSSuser (NonStop setup user) login with “User AdministrationPermission” and “Change Password Permission” selected.


For all nodes, back up the configuration. See the Enterprise Secure Key Manager Users Guide for details.

7. Perform pre-enrollment tasks
Before you can enroll the CLIMs as ESKM clients, you need to perform these pre-enrollment tasks:
◦ “A. Create server certificates NSLEServerCertificate” (page 19)
◦ “B. Sign the server certificate request NSLEServerCertificate with the local CA NSVLECA” (page 20)
◦ “C. Set FIPS compliant mode” (page 24)
◦ “D. Set KMS server settings” (page 24)
◦ “E. Set KMS server authentication settings” (page 25)
◦ “F. Create the NSSuser local user, if you have not created one, and set security” (page 26)
◦ “G. Create client certificate request for the NSSuser local user” (page 27)
◦ “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39)
◦ “I. Verify connection between the NonStop system and the Key Manager” (page 41)
After you have performed these tasks, go on to “8. Register the CLIMs” (page 41).

A. Create server certificates NSLEServerCertificate
Perform this step for each Key Manager.
a. Log on to the Secure Key Manager GUI as admin. Login name is case sensitive.
b. On the Security tab, select Certificates.
c. Fill in information to create a certificate:

d. Click Create Certificate Request.
e. In the Certificate List, select the radio button for NSVLESERVERCERTIFICATE certificate and click its name to open it:


f. Select and copy the text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----:

Click Back to leave this screen.

B. Sign the server certificate request NSLEServerCertificate with the local CA NSVLECA
Perform this step for each Key Manager.


a. On the Security tab, select Local CAs.
b. In the Local Certificate Authority List, select the radio button for NSVLECA and click Sign Request:

c. Paste the certificate request into the Certificate Request box. For Certificate Purpose, select Server:

d. Click Sign Request.
e. Select and copy the certificate text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----:


f. On the Security tab, select Certificates. In the Certificate list, select the radio button for NSVLESERVERCERTIFICATE and click its name to open it.

g. Select Install Certificate:


h. Paste the signed certificate into the Certificate Response box and click Save to save the server certificate.


C. Set FIPS compliant mode
For details about FIPS compliance and the ESKM, see the Enterprise Secure Key Manager Users Guide.
a. On the Security tab, select High Security.
b. Select Set FIPS Compliant:

D. Set KMS server settings
For details about the KMS server, see the Enterprise Secure Key Manager Users Guide.
a. On the Device tab, select KMS Server.
b. Select NSVLESERVERCERTIFICATE from the Server Certificate drop down list:

c. Make sure all other KMS server settings are set as follows:

• Port lists the correct port on which the KMS Server is listening for client requests. The default port is 9000; however, you can use any available port.
• Use SSL is checked
• Server Certificate lists the server certificate
• Connection Timeout (sec) is 3600
• Allow Key and Policy Configuration Operations is checked
• Allow Key Export is checked

Click Edit and change them if necessary.


d. Click Save.

E. Set KMS server authentication settings
a. On the Device tab, select KMS Server.
b. On the KMS Server Authentication Settings screen, select Edit and verify that the settings are as follows:

• User Directory is Local
• Password Authentication is Required
• Client Certificate Authentication is Used for SSL session and username
• Trusted CA List Profile is the Trusted CA list profile that contains the Local CA that will be used to sign the client certificates
• Username Field in Client Certificate is CN (Common Name). When the client certificates are created, this field must contain the client (CLIM) username. HP recommends that you choose the most secure option. Customers who provide their own signed certificates must include the CLIM's username in their certificate, so they must know the CLIM usernames before creating the signed certificate.
• Require Client Certificate to Contain Source IP is not checked


c. Click Save.

F. Create the NSSuser local user, if you have not created one, and set security
a. On the Security tab, select Local Users & Groups.
b. Under Local Users, select Add:

c. Add the NSSuser name and password, and select all permissions. The user name must be NSSuser. This password will only be used in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).


d. Click Save.

G. Create client certificate request for the NSSuser local user
The certificate request for the NSSuser cannot be created using the key manager. The key manager does not allow the private key of the created key pair that corresponds to the certificate request to be exported. Use OpenSSL to create the NSSuser client certificate request one of these ways:
• “Create signed NSSuser client certificate with a PC” (page 27)
• “Create signed NSSuser client certificate with CLIMCMD” (page 33)

Create signed NSSuser client certificate with a PC

If you have a PC that has OpenSSL installed, with access to a NonStop TACL session and the Key Manager’s Web Browser interface, you can use it to create the NSSuser private key, NSSuser signed certificate, and NSSuser passphrase files for NonStop.
a. Create an empty temporary directory on the PC:

C:\>mkdir zencrypt

and change the directory to that empty temporary directory:


C:\>cd zencrypt

b. Use OpenSSL to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. Choose a strong passphrase to protect the private key. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser.

C:\zencrypt>openssl req -newkey rsa:2048 -keyout client.key -out client.csr

The system responds, prompting you to enter various fields. Responses are shown in bold:

Generating a 2048 bit RSA private key
.......................................+++
...............................................................................................................................................................................+++
writing new private key to 'client.key'
Enter PEM pass phrase:passphrase
Verifying - Enter PEM pass phrase:passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP
Organizational Unit Name (eg, section) []:NonStop
Common Name (eg, YOUR name) []:NSSuser
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

C:\zencrypt>

c. Use OpenSSL to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key:

C:\zencrypt>openssl rsa -in client.key -text -out client.key.pem
Enter pass phrase for client.key:passphrase
writing RSA key

d. Use OpenSSL to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be prompted to enter the passphrase that you used to create the private key:

C:\zencrypt>openssl pkcs8 -topk8 -in client.key.pem -outform DER -out client.key.der
Enter Encryption Password:passphrase
Verifying - Enter Encryption Password:passphrase

e. Use the cat command to display the client certificate request:

C:\zencrypt>cat client.csr
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body]
-----END CERTIFICATE REQUEST-----

C:\zencrypt>

f. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----.

g. Sign the NSSuser client certificate request with the local CA NSVLECA:
   1) Log onto the Enterprise Secure Key Manager GUI as admin. On the Security tab, select Local CAs.
   2) Select the trusted local CA NSVLECA and click Sign Request:

h. Select Client as Certificate Purpose. Paste the copied certificate request into the box.


i. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate:


j. Click Download at the bottom of the NSSuser signed client certificate. When the system asks if you want to open or save the signed.cer file, select Save.

k. Save the NSSuser signed client certificate in the C:\zencrypt directory on your PC and name the saved file client.signed. When the download completes, click the Close button.

l. In your temporary directory, create a file called nssupass.txt:
Type the NSSuser passphrase that you entered in Step 2 into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).)

m. Verify that the directory has these files:

C:\zencrypt>dir
 Volume in drive C is PC COE
 Volume Serial Number is D0BC-6439

 Directory of C:\zencrypt

09/17/2009  06:16 PM    <DIR>          .
09/17/2009  06:16 PM    <DIR>          ..
09/17/2009  06:00 PM             1,033 client.csr
09/17/2009  06:00 PM             1,751 client.key
09/17/2009  06:00 PM             1,261 client.key.der
09/17/2009  06:00 PM             5,684 client.key.pem
09/17/2009  06:08 PM             1,313 client.signed.cer
09/17/2009  06:11 PM               928 client.signed.cer.der
09/17/2009  06:16 PM                11 nssupass.txt
               7 File(s)         11,981 bytes
               2 Dir(s)  426,107,215,872 bytes free

C:\zencrypt>

n. FTP the NSSuser passphrase file (NSSUPASS), the DER formatted NSSuser private key file (NSSUKEY), and the DER formatted NSSuser signed client certificate (NSSUCERT) to the $SYSTEM.ZENCRYPT subvolume on the NonStop system:

C:\zencrypt>ftp osm8.caclab.cac.cpqcorp.net
Connected to osm8.caclab.cac.cpqcorp.net.
220 OSM8.caclab.cac.cpqcorp.net FTP SERVER T9552J01 (Version J01 TANDEM 10JUL2009) ready.
User (osm8.caclab.cac.cpqcorp.net:(none)): super.super
331 Password required for SUPER.SUPER.
Password:
230 User SUPER.SUPER logged in. GUARDIAN API enabled
ftp>
ftp> cd $system.zencrypt
250 CWD command successful.
ftp>
ftp> put nssupass.txt nssupass
200 PORT command successful.
150 Opening data connection for nssupass (16.92.141.110,62449d).
226 Transfer complete.
ftp: 11 bytes sent in 0.03Seconds 0.42Kbytes/sec.
ftp>
ftp> binary
200 Type set to I.
ftp>
ftp> put client.key.der nssukey,0
200 PORT command successful.
150 Opening data connection for nssukey (16.92.141.110,62452d).
226 Binary Transfer complete.
ftp: 1261 bytes sent in 0.00Seconds 1261.00Kbytes/sec.
ftp> put client.signed.cer.der nssucert,0
200 PORT command successful.
150 Opening data connection for nssucert (16.92.141.110,62455d).
226 Binary Transfer complete.
ftp: 928 bytes sent in 0.00Seconds 464.00Kbytes/sec.
ftp>
ftp> quit
221 Goodbye.

o. Delete the temporary files in the C:\zencrypt directory and the directory itself:

C:\zencrypt>del *
C:\zencrypt\*, Are you sure (Y/N)? y

C:\zencrypt>cd ..
C:\> rmdir zencrypt

p. Log on to the NonStop system as SUPER.SUPER, volume to $SYSTEM.ZENCRYPT, and FUP SECURE the files in the ZENCRYPT subvolume that you transferred:

$SYSTEM ZENCRYPT 19> fup secure zencrypt*, CCCC
$SYSTEM ZENCRYPT 20>
$SYSTEM ZENCRYPT 20> fileinfo zencrypt*

$SYSTEM.ZENCRYPT

           CODE    EOF   LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928   17SEP2009 17:32   255,255  CCCC    14   112
NSSUKEY       0   1261   17SEP2009 17:32   255,255  CCCC    14   112
NSSUPASS    101   2074   17SEP2009 17:21   255,255  CCCC    14    14
$SYSTEM ZENCRYPT 21>

Now the NonStop system has these files: the NSSuser passphrase file (NSSUPASS), the NSSuser private key file (NSSUKEY), and the NSSuser signed client certificate (NSSUCERT).
Go on to “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39).


Create signed NSSuser client certificate with CLIMCMD

a. Log on to a TACL prompt as SUPER.SUPER on the system where you are creating the NSSuser files. Use the VOLUME command to create the $SYSTEM.ZENCRYPT subvolume:

$SYSTEM STARTUP 2> VOLUME $SYSTEM.ZENCRYPT
$SYSTEM ZENCRYPT 3>
$SYSTEM ZENCRYPT 3> fileinfo *

No files match \OSM8.$SYSTEM.ZENCRYPT.*

$SYSTEM ZENCRYPT 4>

b. Use the CLIMCMD mkdir command to create a temporary directory on the CLIM. You can use any CLIM on the system. This example uses a Storage CLIM named C100231 and a temporary directory “zencrypt”:

$SYSTEM ZENCRYPT 4> climcmd c100231 mkdir /tmp/zencrypt/
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 5>

c. Use the CLIMCMD OpenSSL command to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. Choose a strong passphrase to protect the private key. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser. Enter this command, all on one line:

$SYSTEM ZENCRYPT 5> climcmd c100231 openssl req -newkey rsa:2048 -keyout /tmp/zencrypt/client.key -out /tmp/zencrypt/client.csr

The system responds, prompting you to enter various fields. Responses are shown in bold:

comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Generating a 2048 bit RSA private key
........................................+++
........................................................................................................+++
writing new private key to '/tmp/zencrypt/client.key'
Enter PEM pass phrase:passphrase

Verifying - Enter PEM pass phrase:passphrase

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP
Organizational Unit Name (eg, section) []:NonStop
Common Name (eg, YOUR name) []:NSSuser
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Termination Info: 0
$SYSTEM ZENCRYPT 6>

d. Use the CLIMCMD OpenSSL command to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key. Enter this command, all on one line:

$SYSTEM ZENCRYPT 6> climcmd c100231 openssl rsa -in /tmp/zencrypt/client.key -text -out /tmp/zencrypt/client.key.pem


comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Enter pass phrase for /tmp/zencrypt/client.key:passphrase

writing RSA key
Termination Info: 0
$SYSTEM ZENCRYPT 7>

e. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be asked to enter the passphrase that you used to create the private key. Enter this command, all on one line:

$SYSTEM ZENCRYPT 7> climcmd c100231 openssl pkcs8 -topk8 -in /tmp/zencrypt/client.key.pem -outform DER -out /tmp/zencrypt/client.key.der
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Enter Encryption Password: passphrase

Verifying - Enter Encryption Password: passphrase

Termination Info: 0
$SYSTEM ZENCRYPT 8>

f. Use the CLIMCMD cat command to display the client certificate request:

$SYSTEM ZENCRYPT 8> climcmd c100231 cat /tmp/zencrypt/client.csr

The system responds:

comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body]
-----END CERTIFICATE REQUEST-----
Termination Info: 0
$SYSTEM ZENCRYPT 9>

g. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----.

h. Sign the NSSuser client certificate request with the local CA NSVLECA:
   1) Log onto the Secure Key Manager GUI as admin. On the Security tab, select Local CAs.
   2) Select the trusted local CA NSVLECA and click Sign Request:


i. Select Client as Certificate Purpose. Paste the copied certificate request into the box.

j. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate:


k. Select and copy the NSSuser client signed certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.

l. Go back to the TACL prompt and use TEDIT to create a file on the NonStop system called SIGNCERT:

$SYSTEM ZENCRYPT 9> tedit SIGNCERT
$SYSTEM.ZENCRYPT.SIGNCERT doesn't exist. OK to create? Respond Y or N:y

m. Paste the NSSuser signed client certificate into the SIGNCERT edit file.


Save and close the file. The NSSuser signed client certificate is now on the NonStop system.

$SYSTEM ZENCRYPT 10> fileinfo *

$SYSTEM.ZENCRYPT

           CODE    EOF   LAST MODIFIED     OWNER    RWEP  PExt  SExt
SIGNCERT    101   1514   17SEP2009 17:19   255,255  NUNU    14    14

n. In the same subvolume, use TEDIT to create a file called NSSUPASS. Type the NSSuser passphrase that you entered in Step 3 into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).) The NSSuser passphrase is now on the NonStop system:

$SYSTEM ZENCRYPT 12> fileinfo *

$SYSTEM.ZENCRYPT

           CODE    EOF   LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUPASS    101   2074   17SEP2009 17:21   255,255  NUNU    14    14
SIGNCERT    101   1514   17SEP2009 17:19   255,255  NUNU    14    14

o. Use the SCF INFO CLIM $ZZCIP.clim-name, DETAIL command to get the Maintenance Interface IP address of the CLIM:

$SYSTEM ZENCRYPT 14> scf info clim $zzcip.c100231, detail
SCF - T9082H01 - (04DEC06) (15NOV06) - 09/21/2009 12:02:28 System \OSM8
(C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P.

CIP Detailed Info CLIM \OSM8.$ZZCIP.C100231

Mode....................... STORAGE
Configured Location........ Group 100 , Module 2 , Slot 3 , Port 1
ConnPts.................... 2
X1 Location................ Group 100 , Module 2 , Slot 3 , Port 1
Y1 Location................ Group 100 , Module 3 , Slot 3 , Port 1
SvNet ID 1................. 0x000E08C6
X2 Location................ Group 100 , Module 2 , Slot 3 , Port 2
Y2 Location................ Group 100 , Module 3 , Slot 3 , Port 2
SvNet ID 2................. 0x000E09C6
Maintenance Interface IP... 192.168.38.31
Total Errors = 0 Total Warnings = 0


p. Use SFTP to transfer the SIGNCERT file to the Maintenance Interface IP Address of the CLIM. Once connected to the CLIM, put the SIGNCERT file into the CLIM’s /tmp/zencrypt directory:

$SYSTEM ZENCRYPT 15> sftp -S $zssp0 [email protected]
SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086
Connecting to 192.168.38.31 via SSH2 process $zssp0 ...
sftp> put signcert /tmp/zencrypt/client.signed
Uploading signcert to /tmp/zencrypt/client.signed
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  Remaining
---------------------------------- -------- --- ------- ----------
signcert                                  0  0%   0.0KB      --:--
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  TimeSpent
---------------------------------- -------- --- ------- ----------
signcert                               1514 100%  0.0KB      00:00
1514 bytes transferred in 0 seconds ( 0.0KB/s)
sftp>
sftp> quit

q. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser client signed certificate that you SFTPed to the CLIM in Step 16 to a DER formatted client signed certificate:

$SYSTEM ZENCRYPT 16> climcmd c100231 openssl x509 -inform PEM -in /tmp/zencrypt/client.signed -outform DER -out /tmp/zencrypt/client.signed.der
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 17>

r. Use SFTP to transfer the DER formatted NSSuser client signed certificate and the DER formatted NSSuser client private key back to the NonStop system. Use binary transfer mode:

$SYSTEM ZENCRYPT 17> sftp -S $zssp0 [email protected]
SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086
Connecting to 192.168.38.31 via SSH2 process $zssp0 ...
sftp> binary
File transfermode is now binary
sftp> get /tmp/zencrypt/client.signed.der nssucert,0
Fetching /tmp/zencrypt/client.signed.der to nssucert,0
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  Remaining
---------------------------------- -------- --- ------- ----------
/tmp/zencrypt/client.signed.der           0  0%   0.0KB      --:--
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  TimeSpent
---------------------------------- -------- --- ------- ----------
/tmp/zencrypt/client.signed.der         928 100%  0.0KB      00:00
928 bytes transferred in 0 seconds ( 0.0KB/s)
sftp>
sftp> get /tmp/zencrypt/client.key.der nssukey,0
Fetching /tmp/zencrypt/client.key.der to nssukey,0
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  Remaining
---------------------------------- -------- --- ------- ----------
/tmp/zencrypt/client.key.der              0  0%   0.0KB      --:--
---------------------------------- -------- --- ------- ----------
Filename                           BytesNow   % Bytes/s  TimeSpent
---------------------------------- -------- --- ------- ----------
/tmp/zencrypt/client.key.der           1261 100%  0.0KB      00:00
1261 bytes transferred in 0 seconds ( 0.0KB/s)
sftp>
sftp> quit
$SYSTEM ZENCRYPT 18>

s. Verify that the NonStop temporary subvolume contains the DER formatted NSSuser signed certificate, the DER formatted NSSuser private key, the NSSuser passphrase file, and the signed certificate file:


$SYSTEM ZENCRYPT 18> fileinfo *

$SYSTEM.ZENCRYPT

           CODE    EOF   LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928   17SEP2009 17:32   255,255  NUNU    14   112
NSSUKEY       0   1261   17SEP2009 17:32   255,255  NUNU    14   112
NSSUPASS    101   2074   17SEP2009 17:21   255,255  NUNU    14    14
SIGNCERT    101   1514   17SEP2009 17:19   255,255  NUNU    14    14

t. Secure these files as “CCCC”:

$SYSTEM ZENCRYPT 19> fup secure *, CCCC
$SYSTEM ZENCRYPT 20>
$SYSTEM ZENCRYPT 20> fileinfo *

$SYSTEM.ZENCRYPT

           CODE    EOF   LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928   17SEP2009 17:32   255,255  CCCC    14   112
NSSUKEY       0   1261   17SEP2009 17:32   255,255  CCCC    14   112
NSSUPASS    101   2074   17SEP2009 17:21   255,255  CCCC    14    14
SIGNCERT    101   1514   17SEP2009 17:19   255,255  CCCC    14    14
$SYSTEM ZENCRYPT 21>

u. Use the CLIMCMD rm command to delete the files on the temporary directory on the CLIM:

$SYSTEM ZENCRYPT 23> climcmd c100231 rm -rf /tmp/zencrypt/
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 24>

The signed NSSuser client certificate has been created. Go on to “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39).
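
The OpenSSL steps shared by the PC procedure and the CLIMCMD procedure above, rerun without prompts and followed by checks on the files that become NSSUKEY and NSSUCERT. This is an added example, not part of the original guide: a throwaway CA stands in for the ESKM local CA NSVLECA, and the function names, the subject fields other than CN, and the use of -subj and a passphrase file are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide). Assumptions: a throwaway CA stands in for
# the ESKM local CA NSVLECA; subject fields other than CN are sample values.

# Recreate the NSSuser files in directory $1. $1/nssupass.txt must already hold
# the passphrase on its first line. Runs in a subshell so umask does not leak.
make_nssuser_artifacts() (
    d=$1
    pass="file:$d/nssupass.txt"
    umask 077    # key material is created readable by the owner only
    # Passphrase-protected private key and certificate request, CN=NSSuser.
    openssl req -newkey rsa:2048 -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/C=US/O=Example/CN=NSSuser" -passout "$pass" 2>/dev/null &&
    # PEM conversion as in the guide. This output file is NOT passphrase protected.
    openssl rsa -in "$d/client.key" -passin "$pass" -text \
        -out "$d/client.key.pem" 2>/dev/null &&
    # PKCS#8 DER private key, encrypted again under the passphrase (NSSUKEY).
    openssl pkcs8 -topk8 -in "$d/client.key.pem" -outform DER \
        -out "$d/client.key.der" -passout "$pass" &&
    # Stand-in for "Sign Request" in the Key Manager GUI: constructed test CA.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.signed" -days 1 2>/dev/null &&
    # DER signed client certificate (NSSUCERT).
    openssl x509 -inform PEM -in "$d/client.signed" -outform DER \
        -out "$d/client.signed.der"
)

# Print the Common Name of the DER certificate $1.
cert_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed if DER key $1 is an encrypted PKCS#8 blob. An encrypted blob has a
# SEQUENCE as its second ASN.1 element; an unencrypted key has INTEGER 0 there.
der_key_is_encrypted() {
    openssl asn1parse -inform DER -in "$1" 2>/dev/null |
        sed -n 2p | grep -q 'cons: SEQUENCE'
}

# Succeed if DER key $1 (passphrase in file $3) and DER certificate $2 carry
# the same public key.
key_matches_cert() {
    kp=$(openssl pkcs8 -inform DER -in "$1" -passin "file:$3" 2>/dev/null |
         openssl pkey -pubout 2>/dev/null) || return 1
    cp=$(openssl x509 -inform DER -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kp" ] && [ "$kp" = "$cp" ]
}

# Run all checks on directory $1 before the files are transferred and secured.
check_nssuser_artifacts() {
    rc=0
    [ "$(cert_cn "$1/client.signed.der")" = "NSSuser" ] ||
        { echo "certificate CN is not NSSuser"; rc=1; }
    der_key_is_encrypted "$1/client.key.der" ||
        { echo "client.key.der is not passphrase protected"; rc=1; }
    key_matches_cert "$1/client.key.der" "$1/client.signed.der" "$1/nssupass.txt" ||
        { echo "certificate does not match the private key"; rc=1; }
    # The guide deletes the temporary directory afterwards; flag leftovers.
    [ ! -e "$1/client.key.pem" ] ||
        echo "note: unencrypted client.key.pem still present, delete it after transfer"
    return $rc
}
```

Create a directory containing nssupass.txt, call make_nssuser_artifacts on it, then check_nssuser_artifacts; a non-zero return means one of the files would be rejected or mismatched once on the NonStop system.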

H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list
The trusted CA list is the list of CAs that can be used by the key manager to verify a client certificate. You must add any known CAs that you have installed to the Trusted CA List profile, along with the local CAs created to be used to sign the CLIM client certificates.
a. On the Security tab, select Trusted CA Lists.
b. Select the radio button for the profile name Default:

c. Select Properties for the Trusted Certificate Authority List
d. Select Edit for the Trusted Certificate Authority List:


e. Find the desired local CA on the “Available CAs” list and the imported CAs (if any) and add it to the “Trusted CAs” list, using the Add button:

f. Click Save.


I. Verify connection between the NonStop system and the Key Manager
Use ping to verify that the NonStop system and key managers can communicate:

\JUNO1.$SYSTEM.STARTUP 1> ping 16.107.200.122
PING 16.107.200.122: 56 data bytes
64 bytes from 16.107.200.122: icmp_seq=0. time=20. ms
64 bytes from 16.107.200.122: icmp_seq=1. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=2. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=3. time=10. ms

----16.107.200.122 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 10/12/20
\JUNO1.$SYSTEM.STARTUP 2>

If the key manager is not accessible from the NonStop system, set up access one of these ways:
• If the system uses IP CLIMs and has an unused Ethernet port on an IP CLIM, you can connect the Key Manager to the subnet implemented by the PROVIDER using that IP CLIM. For details, see the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual. In this case, all the applications using this IP CLIM share the same TCP/IP stack.

• If the system has extra IP CLIMs, you can create a PROVIDER and CIPSAM process and connect the Key Manager to the subnet implemented by that PROVIDER. This option is more secure because applications using this IP CLIM do not share the same TCP/IP stack.

• If the system uses G4SA or earlier adapters and has an unused Ethernet port on that adapter, you can create a conventional TCP/IP SUBNET object using that port. If the system uses NonStop TCP/IPv6, all TCPSAM processes have access to the port once the environment has been configured, except in the case of Logical Network Partitioning (LNP). If the system uses LNP, all applications using this port must use the TCPSAM process configured for that LNP. HP recommends using LNP for this purpose for increased security.
Once you have configured the conventional TCP/IP process and SUBNET, or you have configured the TCPSAM process, you can associate the Key Manager with the TCP/IP process associated with that port.
For information about creating a SUBNET, see the TCP/IP Configuration and Management Manual. For information about configuring the NonStop TCP/IPv6 environment, see the TCP/IPv6 Configuration and Management Manual.

This completes NonStop pre-enrollment tasks. Go on to “8. Register the CLIMs” (page 41).

8. Register the CLIMs
Be sure that you have obtained and installed (if needed) a license pack on the ESKM (described in the Enterprise Secure Key Manager Users Guide on the CD), shipped using email for installation on the device. The license installation step can be done before you register the CLIMs to the ESKM (i.e. prior to creating users on the ESKM). If you omit this step and the number of created users exceeds the number of licenses purchased, a warning message will appear in the GUI and in the log file.
Register the CLIM to access the Key Manager with the “Register CLIMs with Key Managers” guided procedure. It is launched from an action within OSM Service Connection under the CLIMs object.
The NSSuser local user is a temporary user. Delete it after you complete the registration process. If CLIMs that will be used for encryption are added to the system, you must follow the procedures to add the NSSuser, register the CLIMs, and delete the user.

9. Verify connection between the CLIM and the key managers
Use SCF to verify that CLIMs and key managers can communicate:

STATUS CLIM, KEYMANAGER


This example shows the display of links to all key managers:

41-> status clim $zzsto.c100281, keymanager
STORAGE - KeyManager Status CLIM \JUN01.$ZZSTO.#C100281
KeyManager 16.107.200.150 OK
KeyManager 16.107.200.122 OK

10. Back up the configuration files
Back up the CLIM configuration files. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual.
Now the system is ready for the security officer to configure storage devices for encryption.

11. Back up the Key Managers
Back up the key managers. You should also back them up after creating disk volume keys. See the Enterprise Secure Key Manager Users Guide on the CD shipped with the device for details.


3 Encrypting data on storage devicesThis section describes how to encrypt data on disk drive and tape devices. Only the securityofficer can enable or disable encryption.

Encrypting data on disk drivesThese procedures describe how to encrypt data on disk drives. Each disk has a unique encryptionkey, which means that primary and mirror disks of a mirrored volume will have differentencryption keys. The CLIM performs the disk data encryption and decryption.You can encrypt data either by using REVIVE key rotation, or CLIM key rotation. Both techniquesare cable of initial encryption, key rotation, and decryption.During a REVIVE key rotation the mirror disk is down, which implies a loss of fault tolerance.During CLIM key rotation, one path to the mirror disk remains up so that fault tolerance ispreserved. The CLIM performs the key rotation and processor performance is not affected.Multiple disks can be encrypted concurrently.

CAUTION: For mirrored drives, HP recommends that you use CLIM key rotation because it ismore fault tolerant and the data is not passed through the host system. If a CLIM key rotationfails for any reason, use REVIVE key rotation to recover. You should consider not usingunmirrored drives for encryption, but if you use them, you must use CLIM key rotation. If CLIMkey rotation fails on an unmirrored disk, there is no way to recover the data.

Encrypting data with CLIM key rotation

This section describes how to encrypt data on disks with CLIM key rotation.

CLIM key rotation is performed by doing a CLIM key change. It can change data on a disk from unencrypted to encrypted, from encrypted to unencrypted, or from encrypted to encrypted with a new key. This encryption method is fault tolerant. The primary and mirror disk are both up during the encryption, although one path to the mirror is down. This method is the only way to encrypt an unmirrored disk.

The time required to perform a key change depends on the amount of data on the disk.

If a CLIM key change failure occurs (that is, the CLIM fails during the key change operation), the disk must be revived from its mirror or recovered from backup. Therefore, HP recommends that the disk should be mirrored before key rotation is performed. Only the security officer can enable or disable encryption, or revive a disk. An operator can perform a revive but cannot change the encryption attributes of a disk.

Overview

In a typical fault tolerant system there is a primary and a mirror disk, each attached to two CLIMs, with four paths, as shown in Figure 3-1:


Figure 3-1 Fault tolerant configuration

1 NonStop processors
2 CLIMs
3 Disks

When you issue an SCF ALTER DISK, $disk-name-M NEWENCRYPTKEY command, SCF brings down the -MB path. This path stays down during the key rotation operation, as shown in Figure 3-2:

Figure 3-2 Key rotation

1 NonStop processors
2 CLIMs
3 Disks

The CLIM on the -M path reads the data, re-encrypts it with the new key and writes it back to the disk. The -MB path is automatically brought up at the completion of the key rotation on the -M path.

Preparation for CLIM key rotation

Before performing CLIM key rotation, prepare the disks:


• Use FCHECK to check the disk volume for errors:

FCHECK -SCAN -VOL volume-name

See FCHECK --HELP for help.

• Use the DCOM disk space compression program to defragment the disk.

CLIM key rotation procedure

CLIM key rotation is performed while the drive remains up and its alternate path is down.

1. Use the SCF STATUS DISK command to verify that all paths are in the STARTED state:

91-> STATUS DISK $SAS112
STORAGE - Status DISK \BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary PID  Backup PID
438   *STARTED  STARTED  *STARTED  STARTED       2,403        3,544

2. Use the STATUS DISK, ENCRYPTION command to check the encryption state of the primary and mirror disks:

3. Use the ALTER DISK command to start CLIM key rotation on the primary disk:

ALTER disk-name-P | -B | -M | -MB, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

You must specify -P, -B, -M or -MB. The default keysize is 256. This example uses the CBC-AES KEYALGORITHM:

4. Now, when you do a STATUS DISK, ENCRYPTION command, it shows ChangeStatus as “In progress at...” for the -P path, “In progress on other CLIM” for the -B path, and “No change in progress” for the -M and -MB paths:


The other path to the same physical disk is in the STOPPED state during encryption:

92-> STATUS DISK $SAS112
STORAGE - Status DISK \BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary PID  Backup PID
438   *STARTED  STOPPED  *STARTED  STARTED       2,403        3,544

The other path is updated automatically after the key rotation completes. If you try to start the path before the encryption finishes you will get an error. After the key rotation on the primary disk completes, proceed to the next step.

5. Use the SCF STATUS DISK, ENCRYPTION command to check the encryption state of the primary and mirror disks.

6. Use the SCF STATUS DISK command to verify that all paths are in the STARTED state:

7. Use the ALTER DISK command to start a key rotation on the mirror disk:

ALTER disk-name-P | -B | -M | -MB, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

You must specify -P, -B, -M or -MB. The default keysize is 256. This example uses the CBC-AES KEYALGORITHM:

8. Now when you do a STATUS DISK, ENCRYPTION command, it shows ChangeStatus as “In progress at …” for the -M path, “In progress on other CLIM” for the -MB path and “No change in progress” for the -P and -B paths:

The other path to the same physical disk is in the STOPPED state during encryption. The other path is updated automatically after the key rotation completes. If you try to start the path before the key rotation finishes you will get an error.

You can change EncryptRate and EncryptPriority with the ALTER DISK command:

ALTER $ENCM21-P, ENCRYPTIONPRIORITY 6, ENCRYPTRATE 70


• If you do not specify these values, the defaults are 50 for ENCRYPTRATE and 4 for ENCRYPTPRIORITY. The default values limit potential interference with system performance.

• To speed up the encryption operation (even though this change might slow system performance), increase the ENCRYPTPRIORITY value, the ENCRYPTRATE value, or both.

• You may change these values only while an encryption operation is in progress. The new values affect the ongoing encryption operation from the point at which you entered the new values. They have no effect on future encryption operations.

You can abort the key rotation operation (if it is taking too long, for instance) by stopping the path and using INITIALIZE on the disk. The data on that disk will be lost, and you must revive the disk to restore it. This is similar to encrypting data using INIT and REVIVE:

1. STOP the path performing the key rotation.
2. INITIALIZE the disk that was performing the key rotation with NEWENCRYPTKEY.
3. START the disk to revive it.
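The path-state checks in steps 1, 4, 6 and 8 of the CLIM key rotation procedure, and the ChangeStatus values the guide associates with a healthy or failed key change, can be checked mechanically against captured SCF output. The following Python is an added example, not part of the HP guide: the function names are hypothetical, the STATUS DISK display is assumed to be saved as text with the four path states on the row that starts with the LDev number, and ChangeStatus values are passed in already read off the STATUS DISK, ENCRYPTION display.

```python
import re

PATHS = ("-P", "-B", "-M", "-MB")      # column order of the STATUS DISK display
DISKS = {"primary": ("-P", "-B"), "mirror": ("-M", "-MB")}
# Path expected to be down while the key change runs on the target path.
# The guide states -MB for a -M target and shows Backup STOPPED for a -P target;
# the two reverse pairings are an assumption made by symmetry.
SIBLING = {"-P": "-B", "-B": "-P", "-M": "-MB", "-MB": "-M"}
RECOVER = "failed: initialize the disk and revive it from its mirror"

# Data row: LDev number followed by the four path states.
ROW = re.compile(r"^\s*\d+" + r"\s+(\*?[A-Z]+)" * 4)

# Displays copied from the guide's examples (column spacing reconstructed).
BEFORE = """\
91-> STATUS DISK $SAS112
STORAGE - Status DISK \\BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary PID  Backup PID
438   *STARTED  STARTED  *STARTED  STARTED       2,403        3,544
"""
DURING = """\
92-> STATUS DISK $SAS112
STORAGE - Status DISK \\BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary PID  Backup PID
438   *STARTED  STOPPED  *STARTED  STARTED       2,403        3,544
"""


def parse_status_disk(text):
    """Return {path: state} from a captured STATUS DISK display."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            # A leading '*' is stripped; its meaning is not interpreted here.
            return {p: s.lstrip("*") for p, s in zip(PATHS, m.groups())}
    raise ValueError("no path-state row found in STATUS DISK output")


def preflight(text):
    """Steps 1 and 6: all four paths must be STARTED before a key change."""
    return [f"{p} is {s}, expected STARTED"
            for p, s in parse_status_disk(text).items() if s != "STARTED"]


def check_during_rotation(text, target):
    """Steps 4 and 8: only the sibling of the target path may be STOPPED."""
    problems = []
    for p, s in parse_status_disk(text).items():
        want = "STOPPED" if p == SIBLING[target] else "STARTED"
        if s != want:
            problems.append(f"{p} is {s}, expected {want}")
    return problems


def classify_change_status(change_status):
    """Verdict per physical disk from the ChangeStatus text of each path.

    Input is {path: text} already read off STATUS DISK, ENCRYPTION; the
    layout of that display is not parsed here.
    """
    verdict = {}
    for disk, paths in DISKS.items():
        texts = [change_status[p] for p in paths]
        if any(t.startswith("Change key aborted") for t in texts):
            verdict[disk] = RECOVER       # disk hardware failed during rotation
        elif all(t == "In progress on other CLIM" for t in texts):
            verdict[disk] = RECOVER       # no CLIM owns the change any more
        elif any(t.startswith("In progress at") for t in texts):
            verdict[disk] = "rotating"
        else:
            verdict[disk] = "idle"
    return verdict


if __name__ == "__main__":
    print(preflight(BEFORE))
    print(check_during_rotation(DURING, "-P"))
    print(classify_change_status({        # constructed ChangeStatus values
        "-P": "In progress on other CLIM", "-B": "In progress on other CLIM",
        "-M": "No change in progress", "-MB": "No change in progress"}))
```

A non-empty result from preflight means the key change should not be started yet; a RECOVER verdict corresponds to the failure cases in the guide's recovery table.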

Encrypting data with REVIVE key rotation

This section describes how to encrypt data on mirrored disks by initializing and reviving the disk.

Overview

To encrypt a mirrored disk volume, use SCF DISK INITIALIZE and START commands, as shown in Figure 3-3:

1. Stop the mirror disk.
2. Set the mirror disk to be encrypted using the INITIALIZE command. This removes any data on the mirror disk.
3. Start the disk to revive it. This copies data from the primary to the mirror and encrypts it. During the revive operation only the primary disk is up.
4. After the mirror disk revive completes, repeat the process for the primary disk. Both the primary and mirror are now encrypted.

Figure 3-3 Data encryption using INIT and START


1 NonStop processors
2 CLIMs
3 Disks

Preparation for REVIVE key rotation

Before performing INIT and REVIVE, prepare the disks:

• Use FCHECK to check the disk volume for errors:

FCHECK -SCAN -VOL volume-name

See FCHECK --HELP for help.

REVIVE key rotation procedure

To encrypt a mirrored disk volume, follow these procedures. For details about SCF commands, see the SCF Reference Manual for the Storage Subsystem.

1. Use the SCF STOP DISK command to stop both paths to the mirror disk:

STOP disk-name-M
STOP disk-name-MB

2. Use the INITIALIZE DISK command to initialize the stopped mirror disk with the new key:

INITIALIZE disk-name-P | -M, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

You must specify -P or -M. The default keysize is 256. This example uses the XTS-AES KEYALGORITHM:

3. Issue a START command to revive the downed mirror disk:

The data is read from the primary disk and written, encrypted with the mirror disk key, to the mirror disk. Wait for the mirror disk revive to complete and the mirror disk to come up, then proceed to the next step.

4. After the revive completes and the mirror disk is up, use the SCF STOP DISK command to stop both paths to the primary disk:

STOP disk-name-P
STOP disk-name-B

5. Use the INITIALIZE DISK command to initialize the stopped primary disk with the new key. Use the same key algorithm and key size that you used for the mirror disk.

6. Issue a START command to revive the downed primary disk. The data is read, decrypted with the mirror disk key from the mirror disk, and written, encrypted with the primary disk key, to the primary disk. Wait for the primary disk revive to complete and the primary disk to come up.


7. Use the STATUS DISK, ENCRYPTION command to verify that the disk is now encrypted:

To see the rest of the display, answer Y:


The XTS-AES KeyAlgorithm uses two KeyNames. If the disk was initialized with the CBC-AES algorithm, one KeyName is displayed.

8. Use the STATUS DISK, ENCRYPTION, DETAIL command to verify that the CLIM can access the key:

To see the rest of the display, answer Y:


KeyAccess should be OK. Note that the primary and mirror have different key names.

Changing encrypted disk keys

To change disk encryption keys, re-encrypt the data on the disk with either the CLIM key rotation or REVIVE key rotation. The NEWENCRYPTKEY option that is specified in the INITIALIZE or ALTER command will cause a new key to be generated for that device.

Disk keys should be changed periodically as required by the customer security policy. The customer security officer should determine the schedule of key change.

Decrypting a disk

To clear encryption on an encrypted disk, use the CLEARENCRYPTKEY option. This option may be used with the INITIALIZE disk command (during the REVIVE key rotation) or with the ALTER disk command (during CLIM key rotation).

To clear encryption using REVIVE key rotation:

INITIALIZE disk-name-P | -M, CLEARENCRYPTKEY

To clear encryption using CLIM key rotation:

ALTER disk-name-P | -B | -M | -MB, CLEARENCRYPTKEY

Disk hardware replacement

If there is a disk failure and the encrypted disk is replaced with a new disk, the new disk will not be encrypted. The security officer is expected to INITIALIZE the disk with encryption. Unless that disk is altered to be encrypted, when it is revived SCF issues a warning that it is unencrypted and its mirror is encrypted. If the user is logged on as the security officer, SCF allows the revive operation to continue; otherwise that action is not allowed. HP recommends that users verify device encryption status after any hardware replacement or software configuration change of an encrypted device.


Encrypting data on tape drives

Tape data encryption and decryption is done by LTO-4. The CLIM gets the key from the key manager and sends it to the LTO-4 tape drive. The CLIM does not perform the encryption or decryption of tape data. Tape encryption always uses the GCM-AES algorithm with key size 256.

This table shows whether encryption can be performed on different tape drives and media:

Tape Drive         LTO-3                      LTO-4                      LTO-4
Tape Media         LTO-3                      LTO-3                      LTO-4
Unencrypted CLIM   Read/Write, no encryption  Read/Write, no encryption  Read/Write, no encryption
Encrypted CLIM     Read/Write, no encryption  Read/Write, no encryption  Read/Write, encryption

Encrypting data on tape drives

These procedures describe how to encrypt data on tape drives. Tape encryption keys may be generated per drive (KEYPERDRIVE) or per tape media (KEYPERTAPE). KEYPERDRIVE means that all tapes that are written by the tape drive will use the same encryption key. KEYPERTAPE means that each tape that is written by the tape drive will use a unique encryption key. An encrypted tape drive can read tapes that were written with either key generation policy.

An encrypted tape drive can read non-encrypted tapes. A non-encrypted tape drive can only read non-encrypted tapes.

Encrypting tape data

To encrypt tape data, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, KEYGENPOLICY key-gen-policy command to set the key generation policy to KEYPERTAPE or KEYPERDRIVE.
3. Issue a START TAPE command to start the drive.
4. Issue the STATUS TAPE, ENCRYPTION command and verify that the disk is encrypted:

Verify that the key generation policy is the expected value and that KeyAccess is OK.

Changing tape drive keys

To create a new encryption key for a drive whose KEYGENPOLICY is set to KEYPERDRIVE, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, NEWENCRYPTKEY command. The next tapes written will use the new key.
3. Issue a START TAPE command to start the drive.


Clearing tape drive encryption

To clear tape drive encryption, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Issue the ALTER TAPE, KEYGENPOLICY NOENCRYPTION command. The next tapes written will write data in non-encrypted form.
3. Issue a START TAPE command to start the drive.
4. Issue the STATUS TAPE, ENCRYPTION, DETAIL command and verify that the tape drive is not encrypted:

Tape drive hardware replacement

If an encrypted tape drive is replaced with a new drive, the new tape drive will not be encrypted. The security officer is expected to ALTER the tape drive to enable encryption. HP recommends that users verify device encryption status after any hardware replacement or software configuration change of an encrypted device.


4 Maintenance

Security

Security is enhanced for volume level encryption. All users can perform status commands, but alter commands are restricted:

• Some SCF commands require the user to be a member of the Safeguard SECURITY-ENCRYPTION-ADMIN group, 65536.
• These SCF commands require the user to be a user on the local system.
• Safeguard ($ZSMP) must be running at user logon so it can determine whether the user is in group 65536.

If a user who attempts to perform a command is not in group 65536 or if Safeguard is not running, SCF returns an error:

License

Obtain the encryption license file by emailing [email protected]. You must install the file on the NonStop system in $SYSTEM.ZLICENSE and give it a filecode of 407:

Once the license file is installed, the system is licensed for encryption. You can use the SCF command STATUS SUBSYS $ZZSTO to verify that a valid license is present:

8-> status subsys $zzsto
STORAGE - Status SUBSYS $ZZSTO
BulkIO  EncryptionLicense  LabelTape  UPS
OFF     VALID              ON         OFF

During normal operation you do not need to add or remove the license.

ESKM license

The ESKM requires that licenses be installed on that device. For details, see the Enterprise Secure Key Manager Installation and Replacement Guide on the CD shipped with the device.

SCF commands

For detailed syntax descriptions, see the SCF Reference Manual for the Storage Subsystem.

SCF commands to alter encryption attributes cannot include other attributes on the same line. For example, this command is not valid:

ALTER DISK,NEWENCRYPTKEY, PRIMARYCPU 2


STATUS SUBSYS $ZZSTO

Use the STATUS SUBSYS $ZZSTO command to display the license status for the storage subsystem. The status will be shown as VALID or INVALID:

8-> status subsys $zzsto
STORAGE - Status SUBSYS $ZZSTO
BulkIO  EncryptionLicense  LabelTape  UPS
OFF     VALID              ON         OFF

STATUS CLIM, ENCRYPTION

Use the STATUS CLIM, ENCRYPTION command to list encrypted devices by CLIM. This command is useful to determine which devices on a CLIM are encrypted:

STATUS CLIM, KEYMANAGER

Use the STATUS CLIM, KEYMANAGER command to display the CLIM to Key Manager connectivity status:

STATUS CLIM, KEYCHANGE

Use the STATUS CLIM, KEYCHANGE command to display key changes in progress on one or all CLIMs:


STATUS DISK, ENCRYPTION

Use the STATUS DISK, ENCRYPTION command to see the encryption status of a disk:

STATUS DISK, ENCRYPTION, DETAIL

Use the STATUS DISK, ENCRYPTION, DETAIL command to see the detailed encryption status of a disk:


STATUS TAPE, ENCRYPTION

Use the SCF STATUS TAPE, ENCRYPTION command to see the encryption status of a tape drive:

Troubleshooting

SCF uses the maintenance LAN to communicate with the CLIM. If there are SCF to CLIM connectivity issues, SCF might return errors 120, 121, 122, 123, or 127:


Follow these diagnostic strategies:

For these issues: CLIM to Key Manager connectivity issues
Check these: Use SCF to check KEYMANAGER status. Check hardware and network connectivity between the CLIM and Key Manager on the enterprise LAN.

For these issues: License issues (storage error 126)
Check these: Use SCF to check ENCRYPTIONLICENSE status. Verify that the ZLICENSE file is installed in $SYSTEM.ZLICENSE and has a file code of 407.

For these issues: Device encryption issues
Check these:
• Storage error 115 contains error text from the CLIM.
• Use SCF to check device ENCRYPTION status (use DETAIL option).
• If key status is not OK, check CLIM to key manager connectivity and look for the key in the key manager using the key name.
• If the license status is not OK, use SCF to check ENCRYPTIONLICENSE status.

Follow these strategies for failure recovery:

Failure: CLIM fails during a disk key change
Recovery: After you reboot the CLIM, the STATUS DISK, ENCRYPTION shows the ChangeStatus for both the paths to the disk as “In progress on other CLIM”. The disk must be initialized and revived from its mirror.

Failure: Disk key change failure
Recovery: The STATUS DISK, ENCRYPTION shows ChangeStatus as “Change key aborted due to I/O errors”. This can occur if the disk hardware fails during key rotation. Recovery is the same as when CLIM fails during a disk key change.

Failure: Key manager failure
Recovery:
• CLIM is unable to communicate with the specific key manager. If other key managers in the cluster are still available, volume level encryption will continue to work.
• The SCF STATUS KEYMANAGER command will report the failed key manager.
• OSM will display an alarm for the failed key manager; however, OSM polls the key managers periodically and failure will not be detected immediately.
• Fix the failed Key Manager.

Failure: CLIM LAN failure
Recovery:
• CLIM will not be able to communicate with any key managers.
• Encrypted volumes that are in the STARTED state will continue to work.
• New encryption operations will not work: ALTER DISK, NEWENCRYPTKEY or INIT DISK, NEWENCRYPTKEY.
• START command will not work.
• Fix the enterprise LAN problem.

Failure: Key manager cluster failure
Recovery: Same as CLIM eth1 LAN failure.

Failure: Key rotation failure
Recovery: The operation terminates abnormally. The CLIM automatically reboots, but the disk path ChangeStatus is still shown as “In progress on other CLIM”. To recover, you must initialize the disk. This will destroy all the data on the disk but it is backed up on its mirror.

Fallback

Volume level encryption software is fully backward-compatible with non-encrypted disks and tapes. You must decrypt any encrypted disks and tapes before falling back to a previous release version.


Adding CLIMs

If CLIMs that will be used for encryption are added to the system, you must follow the procedures to add the NSSuser, register the CLIMs, and delete the user.


A Glossary of terms used in this manual

Glossary

A

AES Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. AES ciphers have been analyzed extensively and are now used worldwide.

B

Block cipher A symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation. For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the key. Decryption is similar: the decryption algorithm takes a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.

Blowfish A keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard is more widely used.

C

CA Certificate Authority. Creates client certificates for authentication. A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

CBC Cipher-block chaining. A block-cipher mode of operation invented by IBM in 1976. Each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

Certificate name The name of the certificate; this name is used internally by the ESKM. With the ESKM Management Console you can click the certificate name to view properties and access the certificate information.

CN Common Name. Name of entity to which a certificate is issued.

D

DES Data Encryption Standard. A block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key.

E

ESKM Enterprise Services Key Manager. Device that generates and stores keys.

F

FIPS Federal Information Processing Standard Publication. A standard for security categorization of federal information and information systems.


G

GCM Galois/Counter Mode. A mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits.

K

KMS Key Management System (KMS) Server. The KMS server is the firmware component of the ESKM server that manages communications between the ESKM and the clients.

N

NSSuser NonStop Setup User. The user that performs the “8. Register the CLIMs” (page 41) installation step.

P

PCI Payment Card Industry

R

RSA RSA (which stands for Rivest, Shamir, and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

S

SSL Secure Sockets Layer. A cryptographic protocol that provides security for communications over networks.

X

XEX Xor-Encrypt-Xor. An encryption mode designed to allow very efficient processing of consecutive blocks.

XTS XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS). Ciphertext stealing provides support for sectors with size not divisible by block size, for example, 520-byte sectors and 16-byte blocks.


B Encryption background

Encryption transforms plaintext data into encrypted data using an encryption key. Decryption transforms encrypted data back into the plaintext form using a decryption key. Encrypted data is secure because it cannot be decoded into plaintext form, in a reasonable amount of time, without the decryption key. There are two types of encryption: asymmetric and symmetric.

Asymmetric, or public key, encryption
This technique uses a private/public key pair. The private key is kept secret, while the public key is widely distributed. Data that is encrypted using the public key can only be decrypted with the corresponding private key. RSA is an example of public key encryption.

Symmetric, or secret key, encryption
This technique uses a single key for both encryption and decryption. Blowfish, Defense Encryption Standard (DES), triple DES, and Advanced Encryption Standard (AES) are typical secret key examples. This type of encryption is best suited for large amounts of data, usually performed in blocks. Symmetric encryption is subdivided into two classes, block ciphers and stream ciphers. Stream ciphers encrypt character by character, providing a continuous stream of encrypted data, whereas block ciphers operate on discrete blocks of data.

The algorithms used in symmetric encryption are two-way, meaning that decryption is the reverse process of encryption. Symmetric block-level encryption is sometimes referred to as a block cipher. There are many block cipher designs such as Blowfish, DES, Triple DES, and AES. The data to be encrypted is divided into blocks or groups of characters and the mathematical functions are applied to each block. Key length varies according to the cipher, with DES having 56-bit keys and AES having 128-, 192-, or 256-bit keys.

The volume level encryption product follows the IEEE 1619 (disk) and IEEE 1619.1 (tape) standards using AES-XTS-256 and AES-GCM-256 encryption algorithms.
