HP LTO Ultrium Technical Reference Manual page 73

Host computers performing backups
Tape libraries (automation devices)
LTO-5 tape drives installed in tape libraries (drives may provide connectivity between the library and hosts)
Management hosts performing security configuration
Encryption key managers (EKMs)
Hosts accessing the drives for debugging information
It may be necessary for a drive to communicate directly with a network entity, such as an external
Key Manager, which requires network traffic to pass through a router on the edge of the library. This
requires careful configuration of the router to ensure security of the network inside the library.
The network inside a library is configured using techniques unique to that library. This section only
gives guidance on the goals of that configuration. The library network configuration has two purposes:
To permit communication among the library, all drives, and any other entities.
To ensure the security of those communications.
If the network connects only the library and drives, there should be no physical connection between
the network and any network outside the library. If this is not feasible, then IP packets to or from the
following port numbers should be blocked:
iADT (TCP/4169)
iADT-TLS (TCP/9614)
iADT-DISC (UDP/4169)
If an external host (such as an external Key Manager) requires access to the library only and the library
has two Ethernet ports with a firewall between them, then one port should be used only for external
access and the other for internal access. This is effectively the same as the situation in the previous
paragraph.
If an external host requires access to drives, only the minimum number of protocols should be allowed
to pass into and out of the library, and any connections carrying SCSI commands should be secured
either by using IKEv2-SCSI and ESP-SCSI on the iADT port or by using the iADT-TLS port. Either of these
will require security configuration to be performed on the drive.
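The edge-router filtering described above, as an added example that is not part of the manual and is not HP's library tooling: a POSIX shell script that emits an nftables ruleset dropping iADT, iADT-TLS and iADT-DISC traffic in both directions across the library boundary, with a default-drop forward policy and one explicit allowance for the library controller reaching an external key manager. The interface names (lib0, ext0) and the addresses are assumed placeholders; only the port numbers come from the manual.

```sh
#!/bin/sh
# Added example, not from the HP manual: emit an nftables ruleset for the router
# on the edge of a tape library so that iADT traffic never crosses the library
# boundary, while the one external host that must be reached (an external key
# manager) is allowed explicitly. Interface names and addresses are assumed
# placeholders; only the port numbers are taken from the manual.
set -eu

# Ports named in the manual: iADT TCP/4169, iADT-TLS TCP/9614, iADT-DISC UDP/4169.
IADT_TCP_PORTS="4169, 9614"
IADT_UDP_PORTS="4169"

# Print the ruleset.
#   $1 library-side interface   $2 external interface
#   $3 library controller address (the only internal host allowed out)
#   $4 external key manager address (the only external host it may reach)
library_edge_ruleset() {
    int_if=$1; ext_if=$2; lib_addr=$3; ekm_addr=$4
    cat <<EOF
table inet library_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop iADT, iADT-TLS and iADT-DISC in both directions before any accept
        # rule can match; the counters make attempted crossings visible.
        iifname "$int_if" oifname "$ext_if" tcp dport { $IADT_TCP_PORTS } counter drop
        iifname "$ext_if" oifname "$int_if" tcp dport { $IADT_TCP_PORTS } counter drop
        iifname "$int_if" oifname "$ext_if" udp dport { $IADT_UDP_PORTS } counter drop
        iifname "$ext_if" oifname "$int_if" udp dport { $IADT_UDP_PORTS } counter drop

        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # The only new connections permitted across the edge: library controller
        # to the external key manager. Everything else hits the drop policy.
        iifname "$int_if" oifname "$ext_if" ip saddr $lib_addr ip daddr $ekm_addr ct state new accept
    }
}
EOF
}

# Self-check helper: read a ruleset on stdin and count the drop rules that
# cover the given protocol and destination port (two expected per listed port,
# one per direction). Prints 0 when no rule matches.
count_drop_rules() {
    grep -c "$1 dport {.*$2.*} counter drop" || true
}

# Usage: print the ruleset; syntax-check it with `nft -c -f FILE` before loading.
library_edge_ruleset lib0 ext0 10.10.0.1 192.0.2.10
```

The drops are placed before the `ct state established,related accept` rule on purpose: an iADT session that somehow became established is still dropped on every packet, and the counters on those rules give the library administrator a cheap indicator that something inside or outside the library is trying to reach the drives' iADT ports across the edge.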
Public Key Infrastructure (PKI) credentials used by the HP LTO-5 drives consist of three classes of X.509
certificates: root certification authority (CA), device, and management host. If the drive has not received
a root CA certificate and a device certificate, then SSL/TLS connections (such as iADT-TLS) will not
be accepted.
The root CA certificate is stored in non-volatile memory in the drive and is used to verify credentials
presented to the drive in the course of the TLS and IKEv2-SCSI protocols. To permit this, it is used
to sign the other certificates.
The device certificate stored in non-volatile memory identifies the drive and contains the public
key programmed into the drive during manufacturing. The subject name field of the certificate is
provided by the system administrator during certificate creation.
The management host certificates are stored in volatile memory, and are used to verify and authorize
security configuration operations.
Use of PKI credentials requires the system administrator to replace compromised and expired
certificates, and (when certificate validity dates are checked) ensure that the drive's real-time clock is
valid. The LTO-5 drive does not support certificate revocation lists (CRLs). In some circumstances, you
can disable the checking of certificate validity dates.
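The three certificate classes and the two checks the drive makes on them, as an added example that is not part of the manual and does not use HP's drive firmware or tools: a POSIX shell script driving the openssl CLI to create a root CA, a device certificate and a management host certificate signed by it, then verifying each against the root CA as of a chosen clock reading (standing in for the drive's real-time clock) and once more with validity-date checking switched off. Subject names, file names and validity periods are assumed placeholders; the device key pair is generated here for simplicity rather than being the one programmed at manufacture.

```sh
#!/bin/sh
# Added example, not HP tooling: build the three certificate classes the manual
# names (root CA, device, management host) with the openssl CLI and exercise the
# checks a drive performs on them: chain verification against the stored root CA
# and validity-date checking against the drive's clock, including the option of
# not checking dates. Subject names, file names and validity periods are
# placeholders; the device key pair is generated here instead of being the one
# programmed into the drive at manufacture.
set -eu

WORK=${PKI_DEMO_DIR:-$(mktemp -d)}
cd "$WORK"

# Root CA: self-signed; the drive stores only root.crt, never root.key.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Library Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
}

# Issue a certificate signed by the root CA.
#   $1 file basename   $2 subject CN (supplied by the administrator)   $3 validity in days
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
        -days "$3" -sha256 -out "$1.crt" >/dev/null 2>&1
}

# Verify a certificate against the root CA as of a given clock reading (epoch
# seconds), standing in for the drive's real-time clock. Non-zero exit when the
# signature does not chain to root.crt or the time is outside the validity period.
verify_at() {
    openssl verify -attime "$2" -CAfile root.crt "$1" >/dev/null 2>&1
}

# The same verification with validity-date checking disabled, the option the
# manual says is available in some circumstances; the chain check still applies,
# so a certificate from an unrelated CA is still rejected.
verify_ignoring_dates() {
    openssl verify -no_check_time -CAfile root.crt "$1" >/dev/null 2>&1
}

# Build the credential set.
make_root_ca
issue_cert device "Tape Drive SN-PLACEHOLDER" 365
issue_cert mgmt   "Security Management Host"  90
# A self-signed certificate from an unrelated party, to show the root CA check rejecting it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated Host" -keyout other.key -out other.crt >/dev/null 2>&1

# Clock readings to verify against: now, well past the device certificate's
# expiry, and before it was issued (a drive whose clock is wrong).
NOW=$(date +%s)
LATER=$((NOW + 400 * 86400))
EARLIER=$((NOW - 86400))

# Usage: report each check's outcome.
for c in device.crt mgmt.crt other.crt; do
    verify_at "$c" "$NOW" && echo "$c: valid now" || echo "$c: rejected now"
done
verify_at device.crt "$LATER"    && echo "device.crt: valid at +400d" || echo "device.crt: expired at +400d"
verify_at device.crt "$EARLIER"  && echo "device.crt: valid at -1d"   || echo "device.crt: not yet valid at -1d"
verify_ignoring_dates device.crt && echo "device.crt: valid at +400d with date checking off"
```

The two failure cases at the end are the ones the manual's last paragraph warns about: a drive whose real-time clock is wrong will reject a perfectly good certificate, and a drive with date checking disabled will keep accepting an expired one, so on such a drive the administrator's replacement of expired and compromised certificates is the only control, since no CRL is consulted.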
Volume 1: hardware integration