Enrolling A Storeonce Appliance With An External Key Manager - HPE StoreOnce 6500 User Manual

triggered by manually deleting a VTL cartridge, StoreOnce Catalyst object, or even a whole VTL Library,
NAS Share, or StoreOnce Catalyst store through the StoreOnce web interface or CLI.
NOTE: The Secure Erase process may take some time to complete, depending on the Housekeeping
workload.
WARNING: To immediately remove data, ensure the backup application is configured correctly.
Rotation and retention policies may need to be revisited to ensure that the data is expired.
Only data chunks (processed portions of user data) not referenced by any other items can be securely
erased. If a data chunk is referenced by another item which is not marked for Secure Erase, then the
referenced data chunk will not be erased, securely or otherwise. It is recommended to use the backup
application when performing a Secure Erase on StoreOnce Catalyst stores, NAS shares, or VTL libraries
that have Secure Erase enabled.

Enrolling a StoreOnce appliance with an external key manager

Prerequisites
• A client account must be created on the External Key Manager for the StoreOnce appliance. This
account is used in the enrollment process.
• Ensure that you have the username and password of the client account prior to commencing the
enrollment process.
• The Security Pack license must be purchased and installed on the StoreOnce appliance. Unless the
license is installed, you will not be able to create an encrypted VTL, NAS share, or StoreOnce Catalyst
store or set up a Data in Flight Encryption link.
The enrollment is done using StoreOnce CLI commands. For details about the individual commands,
refer to the HPE StoreOnce CLI Reference Guide.
Procedure
1. In an SSH terminal window (for example, PuTTY), connect to the StoreOnce appliance.
2. Generate a certificate signing request (CSR).
3. Specify the username and password of the client account on the external key manager.
You can also optionally specify the DN values for the StoreOnce appliance. Send the following
command:
keymanager create <username> <password> [dnvalue]
Example:
keymanager create test_account password123 "/OU=HPSP/O=HP/L=Andover/ST=MA/
C=US"
If the command is successful, a certificate request will be generated as output.
Example:
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzENMAsGA1UEAwwEbm9lbDESMBAGA1UECwwJSFBTdG9yYWdl
MSEwHwYDVQQKDBhIZXdsZXR0UGFja2FyZEVudGVycHJpc2UxEDAOBgNVBAcMB0Jy
aXN0b2wxEDAOBgNVBAgMB0VuZ2xhbmQxCzAJBgNVBAYTAkdCMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEApVzkrDgzcIQ1o0QtkheHX45MGfNVECd+q/v4
Enrolling a StoreOnce appliance with an external key manager 201