Encryption With Replication; Configuring The Backup Media Server; Troubleshooting - HP StoreOnce 2700 Installation And Configuration Manual

IP Addresses: 10.1.1.21,10.1.1.22
Net Mask: 255.255.0.0
Domain Name: rnd.mycompany.net
Gateway: 10.1.1.1
Default Network:
Net Usage: data
VLAN tag: 22
Port Set: Port Set_2 with these interfaces: eth5 eth7, Framesize: 1500
Encryption Links: 172.18.198.101
Bonding Mode: 4 (Link Aggregate Control Protocol (LACP) Bonding)

Encryption with replication

StoreOnce Backup systems are treated exactly like clients by IPsec. To set up an encrypted link
between two StoreOnce Backup systems, use the StoreOnce CLI command, net add encryption,
on each system, providing the other system's IP address but using the same passphrase.
In the following example, the Replication source is on a StoreOnce 4900 Backup system that has
a network configuration, called 4900_source and a subnet within it configured to use IP address
10.1.1.16 (we'll call it subnet_1). The Replication target is on a StoreOnce 6500 Backup system
that has a network configuration, called 6500_target with a Data subnet (we'll call it subnet_2)
that has been configured to use IP addresses 172.18.1 1 to 172.18.1 1.26; we will apply data in
flight encryption to IP address 172.18.20.
Configure IPsec as follows:
On the Replication source Backup system (4900), configure the IP address of the Replication
target with the passphrase. For example:
# net add encryption 4900_source_wizard subnet_1 ipaddr 172.18.11.20 passphrase SuperSecure
Command Successful
Validate and activate the 4900_source_wizard network configuration on the 4900 Backup
system so that it becomes the current network configuration.
On the Replication target Backup system (6500), configure the IP address of the Replication
source with the same passphrase. For example:
# net add encryption 6500_target_wizard subnet_2 ipaddr 10.1.1.16 passphrase SuperSecure
Command Successful
Validate and activate the 6500_target_wizard network configuration on the 6500 Backup
system so that it becomes the current network configuration.

Configuring the backup media server

The IPsec pair and rule must be configured on both the backup media server and the StoreOnce
Backup appliance. See the HP StoreOnce Backup system Linux and UNIX Configuration guide for
information about configuring Linux media servers. Configuration of Windows media servers is
via Windows local security policy, as described in
Windows media servers (page
to http://www.hp.com/ebs.
NOTE: The settings for key lifetimes can have an impact on the performance of the data in flight
encryption links. If the lifetime values are set to low values, then there is a risk of low performances
or even failures of the backup jobs. It is recommended, that these values are set sufficiently high
to allow the backup jobs to run as well as maintain the security of the data being transferred

Troubleshooting

A performance drop may be seen when Data in Flight encryption is turned on. The amount of drop
in performance depends on the CPU and memory resources of the backup media servers as well
as the amount of unique data being transmitted. If a data in flight encryption link is to be setup
between a backup media server and a StoreOnce appliance, it is recommended that multiple
Configuring Data in Flight encryption on
80). For full details of which operating systems are supported go
Modifying the current network configuration 51