Dell PowerVault ML6000 User Manual

Dell PowerVault Encryption Key Manager User's Guide

Advertisement

Table of Contents
loading

Summary of Contents for Dell PowerVault ML6000

  • Page 1 Dell PowerVault Encryption Key Manager User's Guide...
  • Page 2 Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
  • Page 3: Table Of Contents

    Read this First ... xi; Contacting Dell ... xi; Chapter 5. Administering the Encryption Key Manager ... 5-1; Starting, Refreshing, and Stopping the Key Manager Server ...
  • Page 4 Appendix A. Sample Files ... A-1; Sample startup daemon script ... A-1; Index ... X-1 Dell Encryption Key Mgr User's Guide...
  • Page 5: Figures

    Figures: 1-1. The Encryption Key Manager's four main components ... 1-2; 1-2. Two possible locations for encryption policy engine and key management ...; 3-1. Choose Destination Location window ...; 3-2. Set this version of JVM to default ...; 3-3. Start Copying Files window ... 3-4
  • Page 7: Tables

    Tables: Typographic Conventions used in this Book ...; 1-1. Encryption Key Summary ... 1-7; 2-1. Minimum Software Requirements for Linux ... 2-2; 2-2. ...; 7-1. Audit record types that the Encryption Key Manager writes to audit files ... 7-5; 7-2. Audit record types by audited event ...
  • Page 9: Preface

    Preface. About this Book: This manual contains information and instructions necessary for the installation and operation of the Dell Encryption Key Manager. It includes concepts and procedures pertaining to: encryption-capable LTO 4 and LTO 5 Tape Drives; cryptographic keys...
  • Page 10: Related Publications

    Online Support Visit http://support.dell.com for the following related publication: Dell Encryption Key Manager Quick Start Guide provides information for setting up a basic configuration. Visit http://www.dell.com for the following related publication: The Library Managed Encryption for Tape white paper suggests best practices for LTO tape encryption.
  • Page 11: Read This First

    Dell provides several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell for sales, technical support, or customer service issues: 1. Visit http://support.dell.com.
  • Page 13: Chapter 1. Tape Encryption Overview

    Data encryption is a tool that answers many of these needs. The Dell Encryption Key Manager (referred to as the Encryption Key Manager from this point forward) simplifies encryption tasks.
  • Page 14: Managing Encryption

    Figure 1-1. The Encryption Key Manager's four main components. Managing Encryption: The Dell Encryption Key Manager is a Java software program that assists encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media (tape and cartridge formats).
  • Page 15 Encryption Key Manager for your environment and monitor its operation. Many customization and monitoring functions are also available on the Dell Encryption Key Manager graphical user interface (GUI). The Encryption Key Manager uses one or more keystores to hold the certificates and keys (or pointers to the certificates and keys) required for all encryption tasks.
  • Page 16: Application-Managed Tape Encryption

    See “Application-Managed Tape Encryption” for supported applications. Library Layer The enclosure for tape storage, such as the Dell PowerVault TL2000/TL4000 and ML6000 family. A modern tape library contains an internal interface to each tape drive within it.
  • Page 17: Library-Managed Tape Encryption

    See your tape backup software application documentation to learn how to manage encryption policies and keys. Library-Managed Tape Encryption: Use this method for LTO 4 and LTO 5 tape drives in the Dell PowerVault TL2000 Tape Library, Dell...
  • Page 18: Encryption Using Symmetric Encryption

    LTO 4 and LTO 5 Tape Drives can use applications such as Yosemite (for Dell PowerVault TL2000 and TL4000 Tape Libraries), CommVault, and Symantec Backup Exec for application-managed encryption.
  • Page 19: Encryption Key Summary

    In Summary: The number of encryption keys that may be used for each volume depends on the tape drive, the encryption standard, and the method used to manage the encryption. For transparent encryption of LTO 4 and LTO 5 (that is, using library-managed encryption with the Encryption Key Manager), the uniqueness of DKs depends on the availability of a sufficient number of pre-generated keys to the Encryption Key Manager.
  • Page 21: Chapter 2. Planning Your Encryption Key Manager Environment

    Chapter 2. Planning Your Encryption Key Manager Environment This section is intended to provide information to allow you to determine the best Encryption Key Manager configuration for your needs. Many factors must be considered when you are planning how to set up your encryption strategy. Encryption Setup Tasks at a Glance Before you can use the encryption capability of the tape drive, certain software and hardware requirements must be met.
  • Page 22: Hardware And Software Requirements

    32-bit Intel compatible. Tape Libraries: For the Dell PowerVault TL2000 Tape Library, TL4000 Tape Library, and ML6000 Tape Library, assure that the firmware level is the latest available. For firmware updates, visit http://support.dell.com.
  • Page 23: Windows Solution Components

    Library, and Dell PowerVault ML6000 Tape Library, assure that the firmware level is the latest available. For firmware updates, visit http://support.dell.com. Tape Drive: For the LTO 4 and LTO 5 Tape Drives, assure that the firmware level is the latest available.
  • Page 24: Encryption Keys And The Lto 4 And Lto 5 Tape Drives

    Encryption Keys and the LTO 4 and LTO 5 Tape Drives The Dell Encryption Key Manager and its supported tape drives use symmetric, 256-bit AES keys to encrypt data. This topic explains what you should know about these keys and certificates.
  • Page 25: Backing Up Keystore Data

    3. If no alias is specified in the request and no alias is specified in the drive table, Encryption Key Manager selects an alias from the set of aliases or the key group in the keyAliasList. 4. Encryption Key Manager fetches a corresponding DK from the keystore. 5.
  • Page 26: Backup Critical Files Window

    2. Select Backup Critical Files in the navigator on the left of the Encryption Key Manager GUI. 3. Enter the path for your backup data in the displayed dialog (Figure 2-3). Figure 2-3. Backup Critical Files Window 4. Click Backup Files. 5. An information message displays the results.
  • Page 27: Multiple Key Managers For Redundancy

    Multiple Key Managers for Redundancy The Encryption Key Manager is designed to work with tape drives and libraries to allow redundancy, and thus high availability, so you can have multiple key managers servicing the same tape drives and libraries. Moreover, these key managers need not be on the same systems as the tape drives and libraries.
  • Page 28: Two Servers With Shared Configurations

    Data Between Two Key Manager Servers” on page 4-2 for more information.) Be sure to specify sync.type = drivetab (do not specify config or all) to prevent the configuration files from being overwritten. Note: There is no way to partially share the configuration between servers.
  • Page 29: Disaster Recovery Site Considerations

    Figure 2-6. Two Servers with Different Configurations Accessing the Same Devices (diagram: a Primary and a Secondary Encryption Key Manager, each with its own Key Store, Drive Table, Config File, and Key Groups, both serving the same Tape Libraries). Disaster Recovery Site Considerations: If you plan to use a disaster recovery (DR) site, the Encryption Key Manager provides a number of options to enable that site to read and write encrypted tapes.
  • Page 30: Federal Information Processing Standard 140-2 Considerations

    Configuration Properties file, you make the Encryption Key Manager use the IBMJCEFIPS provider for all cryptographic functions. See the documentation from specific hardware and software cryptographic providers for information on whether their products are FIPS 140-2 certified.
  • Page 31: Chapter 3. Installing The Encryption Key Manager And Keystores

    (like the Encryption Key Manager) use ECC memory. Downloading the Latest Version Key Manager ISO Image: To download the latest version of the Dell ISO image, go to http://support.dell.com. Installing the Encryption Key Manager on Linux From the CD 1.
  • Page 32: Installing The Encryption Key Manager On Windows

    Install the Software Developer Kit Manually on Linux: Follow these steps if you are not installing from the CD. 1. From http://support.dell.com, download the correct runtime environment for Java based on your operating system: Java 6 SR 5 (32-bit) or later, or Java 6 SR 5 (64-bit) or later. 2.
  • Page 33: Choose Destination Location Window

    Figure 3-1. Choose Destination Location window Click Next. 5. A window opens asking if you want this Java Runtime Environment as the default system JVM (Figure 3-2). Figure 3-2. Set this version of JVM to default Click No. 6. The Start Copying Files window opens (Figure 3-3 on page 3-4). Make sure you have taken note of the target directory.
  • Page 34: Start Copying Files Window

    (java.exe) from any directory without having to enter the full path of the command. If you don't set the PATH variable, you must specify the full path to the executable every time you run it, such as: C:>\Program Files\IBM\Java60\jre\bin\java ...
  • Page 35: Using The Gui To Create A Configuration File, Keystore, And Certificates

    Certificates Before launching the Encryption Key Manager, you must create at least one new keystore and at least one self-signed certificate. You can use the Dell Encryption Key Manager Server Graphical User Interface (GUI) to create your Encryption Key Manager configuration properties file, a keystore, certificate(s), and key(s). A simple CLI configuration properties file is also created as a result of this process.
  • Page 36: Ekm Server Configuration Page

    See “Changing Keystore Passwords” on page 3-12. Figure 3-4. EKM Server Configuration Page. Although the number of keys that can be generated for the Dell Encryption Key Manager keystore has no limit, the time required to generate keys will increase depending on the number of keys requested.
  • Page 37: Ekm Server Certificate Configuration Page

    Keystore file corruption will occur if you stop the Encryption Key Manager key generation process before it is complete. To recover from this event, follow these steps: If the Encryption Key Manager was interrupted during the initial Encryption Key Manager install, navigate to the directory where the Encryption Key Manager directory is located (example x:\ekm).
  • Page 38: Backup Critical Files Window

    Figure 3-6. Backup Critical Files Window Verify the path and click Backup. The Dell Encryption Key Manager server is launched in the background. The Encryption Key Manager generates a set of backup files every time you click OK when changing the Encryption Key Manager server configuration or Backup in the “Backup Critical Files”...
  • Page 39: Generating Keys And Aliases For Encryption On | Lto 4 And Lto 5

    Close the command window. Generating Keys and Aliases for Encryption on LTO 4 and LTO 5 The Dell Encryption Key Manager Server GUI is the easiest way to generate symmetric encryption keys (see “Using the GUI to Create a Configuration File, Keystore, and Certificates”...
  • Page 40 Generating Data Keys and Aliases Using Keytool -genseckey. Note: Before using the keytool command for the first time in any session, run the updatePath script to set the correct environment. On Windows: Navigate to c:\ekm and click updatePath.bat
  • Page 41 On Linux platforms Navigate to /var/ekm and enter . ./updatePath.sh The Keytool utility generates aliases and symmetric keys for encryption on LTO 4 and LTO 5 Tape Drives using LTO 4 and LTO 5 tape. Use the keytool -genseckey command to generate one or more secret keys and store them in a specified keystore.
  • Page 42 Use the keytool -exportseckey command to export a secret key or a batch of secret keys to an export file. keytool -exportseckey takes the following parameters: -exportseckey [-v] [-alias <alias> | -aliasrange <aliasRange>] [-keyalias <keyalias>] [-keystore <keystore>] [-storepass <storepass>]
  • Page 43 [-storetype <storetype>] [-providerName <name>] [-exportfile <exportfile>] [-providerClass <provider_class_name>] [-providerArg <arg>] These parameters are of particular importance when exporting data keys for Encryption Key Manager to serve to the LTO 4 and LTO 5 drives for tape encryption: -alias Specify an alias value for a single data key with up to 12 printable characters (for example, abcfrg or key123tape).
  • Page 44: Creating And Managing Key Groups

    Encryption Key Manager Server from starting unless the Encryption Key Manager Server has been configured to use keygroups. Key groups are built using the Dell Encryption Key Manager Server GUI or using the following CLI client commands (see “CLI Commands” on page 5-7 for syntax): Using the GUI to Define Key Groups and Create Keys You can use the GUI to perform all tasks necessary for managing key groups.
  • Page 45: Create A Group Of Keys

    On Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat On Linux platforms Navigate to /var/ekm/gui and enter . ./LaunchEKMGui.sh 2. Select Administration Commands in the navigator on the left of the GUI. 3. Click Create a Group of Keys at the bottom of the window (Figure 3-7). Figure 3-7.
  • Page 46: Change Default Write Key Group

    To assign a specific key group to a specific tape drive: 1. Select Administration Commands in the navigator on the left of the GUI. 2. Click Assign Group to Drive at the bottom of the window (Figure 3-9 on page 3-17).
  • Page 47: Assign Group To Drive

    Figure 3-9. Assign Group to Drive 3. Select the tape drive from the Drive List. 4. Select the key group from the Group List. 5. Verify the drive and key group at the bottom of the window and click Submit Changes.
  • Page 48 Therefore no key in the KeyGroups.xml file is in the clear. Example: createkeygroup -password a75xynrd 2. Run the addkeygroup command. This command creates an instance of a key group with a unique Group ID in the KeyGroups.xml.
  • Page 49 Syntax: addkeygroup -groupID groupname -groupID The unique groupname used to identify the group in the KeyGroups.xml file. Example: addkeygroup -groupID keygroup1 3. Run the addkeygroupalias command. This command creates a new alias for an existing key alias in your keystore for addition to a specific key group ID.
  • Page 50 -targetGroupID The unique groupname used to identify the group to which the alias is to be added. Example: addaliastogroup -aliasID aliasname -sourceGroupID keygroup1 -targetGroupID keygroup2 Note: The key is available in both key groups.
  • Page 51: Chapter 4. Configuring The Encryption Key Manager

    Chapter 4. Configuring the Encryption Key Manager Using the GUI to Configure the Encryption Key Manager The easiest way to create your configuration properties file is to use the Dell Encryption Key Manager GUI following the procedure in “Using the GUI to Create a Configuration File, Keystore, and Certificates”...
  • Page 52: Synchronizing Data Between Two Key Manager Servers

    Merge (add) new drive table data with current data on receiving server. (The configuration file is always a rewrite.) This is the default. -rewrite Replace the current data on the receiving server with new data.
  • Page 53: Configuration Basics

    Automatic Synchronization The drive table and properties file can be sent from a primary key manager server to a secondary server automatically. The secondary server must be running for synchronization of the data to occur. To automatically synchronize the data from the primary to the secondary, the following four properties in the primary server KeyManagerConfig.properties file must be specified.
  • Page 54 When added to the KeyManagerConfig.properties file, the Encryption Key Manager obfuscates these passwords for additional security. 6. Optionally set the Server.authMechanism property to a value of LocalOS if CLI client authentication is to be done against the local operating system
  • Page 55 When the Server.authMechanism property is set to LocalOS, additional setup is required for Linux platforms. For more information, see the readme file at http://support.dell.com or on the Dell Encryption Key Manager media provided with your product. “Authenticating CLI Client Users” on page 5-5 contains more information.
  • Page 57: Chapter 5. Administering The Encryption Key Manager

    Start the Encryption Key Manager server from the Dell Encryption Key Manager GUI: 1. Open the GUI if it is not yet started: On Windows Navigate to c:\ekm\gui and click LaunchEKMGui.bat...
  • Page 58: Login Window

    See “chgpasswd” on page 5-9. Note: The Dell Encryption Key Manager GUI may not be capable of displaying the host IP address. Two limitations in the current GUI prevent it from displaying the Encryption Key Manager host IP address in the Server Health Monitor: the current application does not recognize IPv6.
  • Page 59 For example, on Linux systems, enter kill -SIGTERM pid or kill -15 pid. On Windows platforms, when the Dell Encryption Key Manager is started as a Windows Service, it can be stopped from the Control Panel.
  • Page 60 The default path and filename are C:\ekm\gui\KeyManagerConfig.properties. -u Uninstalls the key manager Windows Service if you no longer need to run it as a service. Note that the EKMServer service must be stopped before it
  • Page 61: The Command Line Interface Client

    is uninstalled. When running this command, you may also see the following error message: Could not remove EKMServer. Error 0. However, the service may still be uninstalled. To install Encryption Key Manager as a Windows service, issue: LaunchEKMService.exe -i config file 7.
  • Page 62 Note that the only user ID allowed to log in and submit commands to the server is the user ID under which the server is running, which also has superuser/root authority. A readme file included on your Dell product media and available at http://support.dell.com provides more installation details. Starting the Command Line Interface Client Note: The TransportListener.ssl.port properties in both the Encryption Key...
  • Page 63: Cli Commands

    On Linux platforms: Navigate to /var/ekm/ekmclient and enter . ./startClient.sh Interactively: To run the commands interactively from any command window or shell, enter: java com.ibm.keymanager.KMSAdminCmd CLIconfigfile_name -i The # prompt appears. Before submitting any commands, you must log the CLI client in to the key manager server with the following command: #login -ekmuser EKMAdmin -ekmpassword changeME Once the CLI client is successfully logged into the key manager server, you can...
  • Page 64 The unique groupname used to identify the group in the KeyGroup XML file. Example: addkeygroup -groupID keygroup1 addkeygroupalias Create a new alias for an existing key alias in your keystore for addition to a specific key group ID. addkeygroupalias -alias aliasname -groupID groupname
  • Page 65: Deletedrive

    -alias The new aliasname for the key. -groupID The unique groupname used to identify the group in the KeyGroup XML file. Example: addkeygroupalias -alias aliasname -groupID keygroup1 chgpasswd Change the CLI client’s user (EKMAdmin) default password. chgpasswd -new password -new The new password that replaces the previous password.
  • Page 66 Import a drive table or configuration file from a specified URL. import {-merge|-rewrite} {-drivetab|-config} -url urlname -merge Merge the new data with current data. -rewrite Replace the current data with new data. -drivetab Import the drive table. -config Import the configuration file.
  • Page 67 -url urlname specifies the location from which the new data is to be taken. Example: import -merge -drivetab -url FILE:///keymanager/data/export.table list List certificates contained in keystore named by config.keystore.file property. list [-cert |-key|-keysym][-alias alias -verbose |-v] -cert List certificates in the specified keystore. -key List all keys in the specified keystore.
  • Page 68 Example: modconfig -set -property sync.timeinhours -value 24 moddrive Modify drive information in the drive table. Equivalent command is modifydrive. moddrive -drivename drivename {-rec1 [alias] | -rec2 [alias]| -symrec [alias]} -drivename drivename specifies the serial number of the tape drive.
  • Page 69 -rec1 Specifies the alias (or key label) of the drive’s certificate. -rec2 Specifies a second alias (or key label) of the drive’s certificate. -symrec Specifies an alias (of the symmetric key) or a key group name for the tape drive. Example: moddrive -drivename 000123456789 -rec1 newalias1 refresh Tells the Encryption Key Manager to refresh the debug, audit, and drive table...
  • Page 70 Merge new drive table data with current data. (The configuration file is always a rewrite.) This is the default. -rewrite Replace the current data with new data. Example: sync -drivetab -ipaddr remoteekm.ibm.com:443 -merge version Displays the version of the Encryption Key Manager server. Example: version
  • Page 71: Chapter 6. Problem Determination

    Chapter 6. Problem Determination You can enable debugging for an individual component, multiple components, or all components of the Encryption Key Manager. Check These Important Files for Encryption Key Manager Server Problems When the Encryption Key Manager fails to start there are three files to check to determine the cause of the problem.
  • Page 72: Debugging Communication Problems Between The Cli Client And The Ekm Server

    Debugging Key Manager Server Problems: Most problems concerning the key manager involve configuration or starting the key manager server. Refer to Appendix B, Default Configuration File, for information on specifying the debug property.
  • Page 73 If the Encryption Key Manager fails to start, check for a firewall. Either a software firewall or a hardware firewall may be blocking the Encryption Key Manager from accessing the port. EKM server not started. EKM.properties config could not be loaded or found.
  • Page 74 This message is from the XML parser and does not keep the Encryption Key Manager from starting unless it is configured to use keygroups and the file specified by the config.keygroup.xml.file property in KeyManagerConfig.properties, the Encryption Key Manager Server properties file, is corrupted.
  • Page 75: Encryption Key Manager-Reported Errors

    Enable debug tracing on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to “Contacting Dell” in the “Read this First” section at the front of this publication for information on getting technical assistance.
  • Page 76 Try to recreate the problem and gather debug logs. If the problem persists, refer to “Contacting Dell” in the “Read this First” section at the front of this publication for information on getting technical assistance.
  • Page 77 Enable debug tracing on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to “Contacting Dell” in the “Read this First” section at the front of this publication for information on getting technical assistance.
  • Page 78 If this does not help or the alias/key label exists, then collect debug logs and refer to “Contacting Dell” in the “Read this First” section at the front of this publication for information on getting technical assistance.
  • Page 79: Messages

    Enable debug on the key manager server. Try to recreate the problem and gather debug logs. If the problem persists, refer to “Contacting Dell” in the “Read this First” section at the front of this publication for information on getting technical assistance.
  • Page 80: Failed To Add Drive

    Failed to delete the Encryption Key Manager configuration through modconfig command. Operator Response: Check the command syntax using help and make sure the parameters supplied are correct. Please check the audit logs for more information.
  • Page 81: Failed To Delete The Drive Entry

    Failed to Delete the Drive Entry Text “deldrive” command failed. Explanation deldrive command failed to delete the drive entry from the drive table. Operator Response Check the command syntax using help and make sure parameters supplied are correct. Make sure the drive is configured with the Encryption Key Manager using listdrives command.
  • Page 82: File Size Limit Cannot Be A Negative Number

    Check that the configuration file supplied exists and that the drive table is correctly configured in the configuration file using config.drivetable.file.url. Check the syntax using help and retry the sync command. Invalid Input Text: Invalid input parameters for the CLI.
  • Page 83: Invalid Ssl Port Number In Configuration File

    Explanation The particular command syntax may not be correct. Operator Response Make sure the command entered is correct. Check the command syntax using help. Make sure parameters supplied are correct and retry. Invalid SSL Port Number in Configuration File Text Invalid SSL port number specified in the EKM configuration file.
  • Page 84: Must Specify Tcp Port Number In Configuration File

    The Encryption Key Manager server cannot start because of configuration problems. Operator Response: Check the parameters in the configuration file supplied. Please check the logs for more information. Sync Failed Text: “sync” command failed.
  • Page 85: The Specified Audit Log File Is Read Only

    Explanation Sync operation to synchronize the data between two Encryption Key Manager servers failed. Operator Response Make sure IP address specified for remote Encryption Key Manager server is correct and that computer is accessible. Make sure configuration file exists and contains correct drive table information.
  • Page 86: Unable To Load The Keystore

    Try restarting Encryption Key Manager. Unsupported Action Text: User entered action for the CLI which is not supported for EKM.
  • Page 87 Explanation: Action supplied for sync command is not supported or understood by the Encryption Key Manager. The valid actions are merge or rewrite. Operator Response: Check the command syntax using help and try again.
  • Page 89: Chapter 7. Audit Records

    Chapter 7. Audit Records Note: The audit record formats described in this chapter are not considered to be programming interfaces. The format of these records may change from release to release. The format is documented in this chapter in case some parsing of the audit records is desired.
  • Page 90: Audit.event.outcome

    Syntax: Audit.eventQueue.max=number_events Usage: Used to set the maximum number of event objects to be held in the memory queue. This parameter is optional but recommended. The default is zero. Example: Audit.eventQueue.max=8 Audit.handler.file.directory Syntax: Audit.handler.file.directory=directoryName
  • Page 91: Audit.handler.file.size

    Usage This parameter is used to indicate into which directory the audit record files should be written. Note that if the directory does not exist, the Encryption Key Manager will attempt to create the directory. If not successful, however, the Encryption Key Manager will not start.
  • Page 92: Audit.handler.file.multithreads

    (;) and an opening left bracket ([). Subsequent lines associated with the same audit record are indented two (2) spaces to assist in readability of the log records. The last line for a single audit record contains a closing right...
  • Page 93: Audit Points In The Encryption Key Manager

    bracket (]) indented two (2) spaces. The number of lines for each audit record varies based on the audit record type and the additional attribute information that is provided with the audit record. The timestamp for the audit records is based on the system clock of the system on which the Encryption Key Manager is running.
  • Page 94 Note that the message value only appears if information for it is available. Configuration Management event: The format for these records is: Configuration management event: timestamp=timestamp event source=source outcome=outcome event type=SECURITY_MGMT_CONFIG message=message
  • Page 95: Audited Events

    action=action command type=type user=user Note that the message value only appears if information for it is available. Audited Events Table 7-2 describes the events that cause audit records to be created. The table lists the audit record type that is logged when this event occurs. Table 7-2.
  • Page 96: Audit Record Types By Audited Event

    Audited event: audit record type
      Error changing configuration property: configuration_management
      Configuration property deleted: configuration_management
      Error deleting configuration property: configuration_management
      Configuration import successful: configuration_management
      Error importing configuration: configuration_management
      Configuration export successful: configuration_management
      Error exporting configuration: configuration_management
      listconfig command successful: configuration_management
  • Page 97: Chapter 8. Using Metadata

    Chapter 8. Using Metadata The Encryption Key Manager must be configured to create an XML file that captures vital information as data is being encrypted and written to tape. This file can be queried by volume serial number to display the alias or key label that was used on the volume.
  • Page 98 Manager is running crashes. Improper editing or modification of the metadata file can also corrupt it. The corruption will go unnoticed until the EKMDataParser parses the metadata file. The EKMDataParser may fail with an error similar to the following:
  • Page 99
    [Fatal Error] EKMData.xml:290:16: The end-tag for element type "KeyUsageEvent" must end with a '>' delimiter.
    org.xml.sax.SAXParseException: The end-tag for element type "KeyUsageEvent" must end with a '>' delimiter.
      at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
      at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
      at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
      at com.ibm.keymanager.tools.EKMDataParser.a(EKMDataParser.java:136)
      at com.ibm.keymanager.tools.EKMDataParser.a(EKMDataParser.java:26)
      at com.ibm.keymanager.tools.EKMDataParser.main(EKMDataParser.java:93)
    If this error occurs, it is due to a missing XML end tag for an element.
  • Page 101: Appendix A. Sample Files

    Appendix A. Sample Files
    Sample startup daemon script
    Attention: It is impossible to overstate the importance of preserving your keystore data. Without access to your keystore you will be unable to decrypt your encrypted tapes. Ensure that you save your keystore and password information.
    Linux Platforms
    The following is a sample script that allows EKM to be kicked off in the background, in a proven manner.
  • Page 102
    = IBMJCE
    config.keystore.type = jceks
    fips = Off
    TransportListener.ssl.ciphersuites = JSSE_ALL
    TransportListener.ssl.clientauthentication = 0
    TransportListener.ssl.keystore.name = /keymanager/sslkeys
    TransportListener.ssl.keystore.type = jceks
    TransportListener.ssl.port = 443
    TransportListener.ssl.protocols = SSL_TLS
    TransportListener.ssl.truststore.name = /keymanager/ssltrustkeys
    TransportListener.ssl.truststore.type = jceks
    TransportListener.tcp.port = 3801
  • Page 103: Appendix B. Encryption Key Manager Configuration Properties Files

    Accidental whitespace at the end of a line may be interpreted as part of a property value. Sample configuration properties files are available for download at http://support.dell.com in the EKMServicesandSamples file.
    Encryption Key Manager Server Configuration Properties File
    The following comprises the complete set of properties in the Encryption Key Manager server configuration file (KeyManagerConfig.properties).
  • Page 104
    Default success
    Audit.event.Queue.max = 0
    The maximum number of event objects in the audit memory queue before they will be flushed to file.
    Required Optional. Recommended.
    Values 0 - ? (0 means flush immediately.)
  • Page 105
    Default
    Audit.event.types = value
    Only audit events that resulted in the specified outcome are recorded
    Required Yes.
    Values all | authentication | authorization | data synchronization | runtime | audit management | authorization terminate | configuration management | resource management | none. Multiple values can be specified separated by a comma or semicolon.
  • Page 106
    Routes debug output to specified location.
    Required Optional.
    Values simple_file | console (not recommended).
    debug.output.file = debug
    Path and filename where debug output is to be written.
    Required Optional. Required when debug.output = simple_file. Path to file must exist.
  • Page 107
    OS usr/passwd. For local OS-based authentication on Linux platforms, additional steps are required:
    1. Download Dell Release R175158 (EKMServicesAndSamples) from http://support.dell.com and extract the files to a directory of your choice.
    2. Extract the contents of EKMServiceAndSamples.jar (included on your Dell product media and available at http://support.dell.com) into a...
  • Page 108 Note that the only user ID allowed to log in and submit commands to the server is the user ID under which the server is running, which also has superuser/root authority. A readme file included on your Dell product media and available at http://support.dell.com provides more installation details.
    Required Optional.
  • Page 109
    sync.action = value
    Specifies what should be done with the data during an auto synchronize.
    Required Optional.
    Values rewrite | merge
    Default merge
    Note: merging configuration information is the same as rewriting it.
    sync.ipaddress = ip_addr:ssl
    Specifies the IP address and port of the remote Encryption Key Manager to auto synchronize.
  • Page 110
    TransportListener.ssl.truststore.type = jceks
    Required Optional. Recommended.
    Values JCEKS
    TransportListener.tcp.port = value
    Port the Encryption Key Manager server will listen on for requests from tape drives. The default TCP port number is 3801.
    Required Yes.
  • Page 111: Cli Client Configuration Properties File

    Values Port number, 10 for example.
    TransportListener.tcp.timeout = value
    Specifies how long a socket waits on a read() before throwing a SocketTimeoutException.
    Required Optional.
    Values Specified in minutes. 0 means no timeout.
    Default
    CLI Client Configuration Properties File
    This file, ClientKeyManagerConfig.properties, contains a subset of the properties contained in the KeyManagerConfig.properties file.
  • Page 112
    Required Yes.
    TransportListener.ssl.truststore.type = jceks
    Type of truststore.
    Required Optional. Recommended.
    Default jceks
    Sample configuration properties files are available for download in the EKMServicesAndSamples file from http://support.dell.com.
  • Page 113: Appendix C. Frequently Asked Questions

    Appendix C. Frequently Asked Questions Can some combination of application-based key management and library-managed encryption be used? No. When application-managed encryption is used, the encryption is transparent at the library layers. Likewise, when library-managed encryption is used, the process is transparent at the other layers. Each method of encryption management is exclusive of the others.
  • Page 114 Will later versions of Encryption Key Manager still read the encrypted tapes created with earlier versions of the software? Yes. The Encryption Key Manager will honor certificates regardless of release.
  • Page 115: Notices

    Notices Trademarks Trademarks used in this text: Dell, the Dell logo, and PowerVault are trademarks of Dell Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc.
  • Page 117: Glossary

    Glossary
    This glossary defines the special terms, abbreviations, and acronyms used in this publication and other related publications.
    AES.
    ... Manager uses public keys to wrap (protect) AES data keys prior to storing them on the tape cartridge.
    rekey. The process of changing the asymmetric Key Encrypting Key (KEK) that protects the Data Key (DK)
  • Page 119: Index

    Index keys symmetric for LTO 3-9 administering 5-1 encryption keystore passwords 3-12 application-managed encryption 1-4 algorithms 1-5 audit application-managed 1-4 attributes 7-5 asymmetric encryption 1-5 events 7-7 data key 1-5 library-managed encryption 1-5 parameters Encryption Key Manager-reported Linux Audit.event.outcome 7-2 errors 6-5 prerequisites 2-2 Audit.event.types 7-1...
  • Page 120 (Intel) 3-1 installWindows 3-2 software requirements 2-2 SSL port identifying 3-9 starting command line interface 5-5 starting and stopping server 5-1 synchronizing servers 4-2 terminology E-1 trademarks D-1 Windows prerequisites 2-3 XML metadata file 8-1