IBM TS2900 Manual page 41

To modify the encryption settings:
1. In the Configure Library menu in the left navigation pane of the Web User Interface, click Encryption
2. Enter the Feature Activation Key (see
3. Select the Security settings.
Enable SSL for EKM - Select to enable secure communications between the tape library and the EKM server.
4. Select the Encryption method settings.
Application Managed Encryption - For encryption in operating environments that run an application capable of generating and managing encryption policies
and keys. If you select application-managed encryption, no further configuration steps are necessary.
System Managed Encryption - For encryption in operating environments where no application is capable of key management runs, and encryption is set up
implicitly through each instance of the IBM device driver.
Library Managed Encryption - For transparent encryption by the TS2900 Tape Autoloader tape drive.
Note: System Managed Encryption and Library Managed Encryption are transparent to each other. A tape encrypted with System Managed Encryption might be
decrypted with Library Managed Encryption, and vice versa, provided both have access to the same EKM keystore.
5. Select the Primary EKM Server Settings (Library Managed Encryption only) - the address of the primary encryption key manager on a server. IPv4 and IPv6
addresses are supported. Host names can be entered instead of numerical IP addresses if the DNS server is specified.
Address - The IP address of the primary encryption key manager.
TCP port number - The port number of the primary encryption key manager for TCP. The default port number is 3801.
SSL port number - The port number of the primary encryption key manager for SSL. The default port number is 443.
6. Select the Secondary EKM Server Settings (Library Managed Encryption only) - The address of the secondary encryption key manager on a server. IPv4 and IPv6
addresses are supported. Host names can be entered instead of numerical IP addresses if the DNS server is specified.
Address - The IP address of the secondary encryption key manager.
TCP port number - The port number of the secondary encryption key manager for TCP. The default port number is 3801.
SSL port number - The port number of the secondary encryption key manager for SSL. The default port number is 443.
7. Select the Encryption policy settings (library-managed encryption only).
Encrypt All - All tape cartridges that are loaded into the tape drive are encrypted.
Internal Label - Selective Encryption - This option is used only for Veritas Technologies NetBackup.
Internal Label - Encrypt All - This option is used only for Veritas Technologies NetBackup.
8. Skip over the Advanced Encryption Settings. The purpose of these advanced encryption settings is to allow only IBM Support personnel (under the direction of the
drive development team) to provide a solution to an unforeseen problem or to support a unique configuration. These options are not intended for use by the
customer without the guidance of IBM Technical Support.
9. Click Submit to enable the settings.
To determine whether a cartridge is encrypted, use Configure Library > Library Map and select the cartridge. The screen displays whether the cartridge is encrypted, not
encrypted, or unknown.
Click Submit to transfer the settings to the library. A dialog message is displayed when the settings are updated successfully.
Key Path Diagnostics
Figure 3. Key path diagnostics screen
36 TS2900 Tape Autoloader
Figure 1) and click Submit to enable encryption in your library.