HP StorageWorks Secure Key Manager Installation and replacement guide, for connecting to ETLA libraries AJ087-96013 Part number: AJ087–96013 1st edition: November 2008


Legal and notice information

© Copyright 2007-2008 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Compaq Computer Corporation is a wholly-owned subsidiary of Hewlett-Packard Company.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Microsoft, Windows, Windows XP, and Windows NT are U.S. registered trademarks of Microsoft Corporation.

Java is a US trademark of Sun Microsystems, Inc.

Oracle® is a registered U.S. trademark of Oracle Corporation, Redwood City, California.

UNIX® is a registered trademark of The Open Group.

Contents

1 Installing and replacing hardware
    Preparing for the installation
        Tools for installation
        Taking ESD precautions
        Grounding methods to prevent electrostatic discharge
    Rack planning resources
        Rack requirements
        Rack warnings
    Optimum environment
        Space and airflow requirements
        Temperature requirements
        Power requirements
        Electrical grounding requirements
    Unpacking
    Identifying the shipping carton contents
    Selecting a rack location
    Removing an existing SKM (appliance) from the system
    Installing the rails in the rack
    Attaching rails to the appliance
    Installing the appliance in the rack
    Attaching the cables

2 Configuring the system
    Starting the SKM appliance
    Configuring the first SKM appliance
        Setting up the local Certificate Authority (CA)
        Creating the SKM server certificate
        Enabling SSL on the Key Management System (KMS) Server
    Establishing a cluster
        Creating the cluster
        Copying the Local CA certificate
        Adding SKM appliances to the cluster
        Creating and installing the SKM Server Certificate
    Propagating third-party certificates
        Copying the certificates
        Installing the certificates
    Enrolling client devices with the SKM
    Enrolling ETLA libraries with the SKM
        Setting up SKM client accounts for each tape library
        Enrolling the library clients

3 Verifying that installation and initial configuration is successful
    Verify that tape backups are being encrypted
    Verify all nodes of the SKM cluster are accessible to ETLA libraries

A SKM pre-installation survey and checklist, for connecting to ETLAs
    SKM pre-installation survey
        Sourcing the SKM security officer (SO) role and ensuring installation support
        Designing the cluster, identifying any cross-geography requirements
        Obtaining a static IP address for the SKM
        Identifying the ETLA libraries and number of LTO4 drives to be used for encryption
        Addressing physical installation and security requirements for the SKM
        Designing a backup strategy for keys and audit logs
        Determining the appropriate key generation policies
        Meeting minimum ETLA hardware and firmware requirements
        Configuring accounts for each ETLA library
        Enrolling the ETLA libraries with the SKM
    SKM pre-installation checklists, for connecting to ETLAs

B About this guide
    Intended audience
    Related documentation
    Document conventions and symbols
    Rack stability
    HP technical support
    Customer self repair
    Product warranties
    Subscription service
    HP websites
    Documentation feedback

Figures

1 Identify the contents of the shipping carton
2 Connect the power supplies to AC power sources

Tables

1 Security officer (SO) information
2 Cluster design
3 ETLA Tape Library 1 device information
4 ETLA Tape Library 2 device information
5 ETLA Tape Library 3 device information
6 SKM data
7 Document conventions

1 Installing and replacing hardware

This section details the steps to install or replace the SKM hardware:

• Preparing for the installation
• Rack planning resources
• Optimum environment
• Unpacking
• Identifying the shipping carton contents
• Removing the existing appliance
• Install rails in the rack
• Attaching rails to the appliance

Preparing for the installation

Tools for installation

• Two people
• #2 Phillips screwdriver
• Box cutting knife
• Laptop or PC that can be attached to the appliance using the null modem cable for the initial configuration.

Taking ESD precautions

To prevent damaging the system, be aware of the precautions you need to follow when setting up the system or handling parts. A discharge of static electricity from a finger or other conductor may damage system boards or other static-sensitive devices. This type of damage may reduce the life expectancy of the device.

To prevent electrostatic damage:

• Avoid hand contact by transporting and storing products in static-safe containers.
• Keep electrostatic-sensitive parts in their containers until they arrive at static-free workstations.
• Place parts on a grounded surface before removing them from their containers.
• Avoid touching pins, leads, or circuitry.
• Always be properly grounded when touching a static-sensitive component or assembly.

Grounding methods to prevent electrostatic discharge

Several methods are used for grounding. Use one or more of the following methods when handling or installing electrostatic-sensitive parts:

• Use a wrist strap connected by a ground cord to a grounded workstation or computer chassis. Wrist straps are flexible straps with a minimum of 1 megaohm ±10 percent resistance in the ground cords. To provide proper ground, wear the strap snug against the skin.
• Use heel straps, toe straps, or boot straps at standing workstations. Wear the straps on both feet when standing on conductive floors or dissipating floor mats.
• Use conductive field service tools.
• Use a portable field service kit with a folding static-dissipating work mat.

If you do not have any of the suggested equipment for proper grounding, have an authorized reseller install the part.

For more information on static electricity or assistance with product installation, contact your authorized reseller.

Rack planning resources

The rack resource kit ships with all HP or Compaq branded 9000, 10000, and H9 series racks. A summary of the content of each resource follows:

• Custom Builder is a web-based service for configuring one or many racks. Rack configurations can be created using:
    • A simple, guided interface
    • Build-it-yourself model
• The Installing Rack Products video provides a visual overview of operations required for configuring a rack with rack-mountable components. It also provides the following important configuration steps:
    • Planning the site
    • Installing rack servers and rack options
    • Cabling servers in a rack
    • Coupling multiple racks
• The Rack Products Documentation CD enables you to view, search, and print documentation for HP and Compaq branded racks and rack options. It also helps you set up and optimize a rack in a manner that best fits your environment.

Rack requirements

HP supports the HP System E racks and the HP 10000 Series racks for use with the SKM. Other racks might also be suitable, but have not been tested with the SKM.

NOTE: If desired, when installing an SKM expansion unit, place it in a different rack from the other SKM appliances as far away from each other as possible to minimize the chance that they will both be disabled by the same physical or electrical event.

Rack warnings

WARNING! To reduce the risk of personal injury or damage to the equipment, be sure that:

• The leveling jacks are extended to the floor.
• The full weight of the rack rests on the leveling jacks.
• The stabilizing feet are attached to the rack if it is a single-rack installation.
• The racks are coupled together in multiple-rack installations.
• Only one component is extended at a time. A rack may become unstable if more than one component is extended for any reason.

WARNING! To reduce the risk of personal injury or equipment damage when unloading a rack:

• At least two people are needed to safely unload a rack from a pallet. An empty 42U rack can weigh as much as 115 kg (253 lb), can stand more than 2.1 m (7 ft) tall, and may become unstable when being moved on its casters.
• Never stand in front of a rack when it is rolling down the ramp from the pallet. Always handle a rack from both sides.

Optimum environment

When installing an SKM in a rack, select a location that meets the environmental standards described in this section and the HP StorageWorks Secure Key Manager users guide, Environmental specifications section.

Space and airflow requirements

To allow for servicing and adequate airflow, observe the following space and airflow requirements when deciding where to install a rack:

• Leave a minimum clearance of 122 cm (48 in) in front of the rack.
• Leave a minimum clearance of 76.2 cm (30 in) behind the rack.
• Leave a minimum clearance of 122 cm (48 in) from the back of the rack to the back of another rack when racks are back-to-back.

An SKM draws in cool air through the front door and expels warm air through the rear door. Therefore, the front and rear rack doors must be adequately ventilated to allow ambient room air to enter the cabinet, and the rear door must be adequately ventilated to allow the warm air to escape from the cabinet.

CAUTION: To prevent improper cooling and damage to the equipment, do not block the ventilation openings.

When vertical space in the rack is not filled by an SKM or rack component, the gaps between the components cause changes in airflow through the rack and across the servers. Cover all gaps with blanking panels to maintain proper airflow. Using a rack without blanking panels results in improper cooling that can lead to thermal damage.

The Compaq 10000 Series racks provide proper SKM cooling from flow-through perforations in the front and rear doors that provide 64 percent open area for ventilation.

CAUTION: If a third-party rack is used, observe the following additional requirements to ensure adequate airflow and to prevent damage to the equipment:

• Front and rear doors—If the 42U rack includes closing front and rear doors, you must allow 5,350 sq cm (830 sq in) of holes evenly distributed from top to bottom to permit adequate airflow (equivalent to the required 64 percent open area for ventilation).
• Side—The clearance between the installed rack component and the side panels of the rack must be a minimum of 7 cm (2.75 in).

Temperature requirements

To ensure continued safe and reliable equipment operation, install or position the system in a well-ventilated, climate-controlled environment.

The maximum recommended ambient operating temperature (TMRA) for the SKM system is 35° C (95° F). The temperature in the room where the rack is located must not exceed 35° C (95° F).

CAUTION: To reduce the risk of damage to the equipment when installing third-party options:

• Do not permit optional equipment to impede airflow around the SKM or to increase the internal rack temperature beyond the maximum allowable limits.
• Do not exceed the TMRA.

Power requirements

Installation of an SKM must comply with local and regional electrical regulations governing the installation of information technology equipment by licensed electricians. This equipment is designed to operate in installations covered by NFPA 70, 1999 Edition (National Electric Code) and NFPA-75, 1992 (code for Protection of Electronic Computer/Data Processing Equipment). For electrical power ratings on options, see the product rating label or the user documentation supplied with that option.

WARNING! To reduce the risk of personal injury, fire, or damage to the equipment, do not overload the AC supply branch circuit that provides power to the rack. Consult the electrical authority having jurisdiction over wiring and installation requirements of your facility.

CAUTION: Protect the SKM from power fluctuations and temporary interruptions with a regulating uninterruptible power supply (UPS). This device protects the hardware from damage caused by power surges and voltage spikes and keeps the system in operation during a power failure.

When installing an SKM connected to more than one disk array, you may need to use additional power distribution devices to safely provide power to all devices. Observe the following guidelines:

• Balance the device power load between available AC supply branch circuits.
• Do not allow the overall system AC current load to exceed 80 percent of the branch circuit AC current rating.
• Do not use common power outlet strips for this equipment.
• Provide a separate electrical circuit for each device.

Electrical grounding requirements

The SKM must be grounded properly for proper operation and safety. In the United States, you must install the equipment in accordance with NFPA 70, 1999 Edition (National Electric Code), Article 250, as well as any local and regional building codes. In Canada, you must install the equipment in accordance with Canadian Standards Association, CSA C22.1, Canadian Electrical Code. In all other countries, you must install the equipment in accordance with any regional or national electrical wiring codes, such as the International Electrotechnical Commission (IEC) Code 364, parts 1 through 7. Furthermore, you must be sure that all power distribution devices used in the installation, such as branch wiring and receptacles, are listed or certified grounding-type devices.

Because of the high ground-leakage currents associated with multiple SKM and servers connected to the same power source, HP recommends the use of a power distribution unit (PDU) that is either permanently wired to the building's branch circuit or includes a non-detachable cord that is wired to an industrial-style plug. NEMA locking-style plugs or those complying with IEC 60309 are considered suitable for this purpose. Using common power outlet strips for an SKM is not recommended.

Unpacking

Place the shipping carton as close to the installation site as possible. Before unpacking the SKM, inspect the shipping carton for damage that may have occurred during shipment. If you detect any damage, notify the carrier and HP before unpacking the unit.

To unpack the SKM:

1. Open the top of the shipping cartons.

2. Carefully lift the units out of the boxes and remove the packing materials.

3. Place the units on a stable work surface.

NOTE: Inspect the units for any damage that may have occurred during shipment. If damage is detected, contact your authorized service representative.

4. Remove the accessory kits and documentation from the shipping cartons. Set them aside for later use.

5. Place shipping materials back into the shipping cartons.

6. Set the shipping cartons aside for later use.

Identifying the shipping carton contents

A new SKM cluster contains at least two appliances, individually boxed.

NOTE: If the Important System ROM updates for new processors, or the HP ProLiant Essentials Foundation Pack are included in the carton, please disregard them.

Each appliance box contains the items shown in Figure 1.


Figure 1 Identify the contents of the shipping carton

Item Description

1 Appliance

2 Power cords (2 — 1 black, 1 gray)

3 Null modem cable

4 1U rack mounting hardware kit and documentation

5 Keys to the bezel (2 sets of 2 keys)

6 Documentation CD

7 1U spacer

8 USB key

9 Completed appliance information sheet, Pre-installation survey and checklist, and Installation poster

NOTE: If this is a replacement appliance, note how the unit is packed in the shipping carton. Handle the packing materials carefully so that you can repackage the old appliance using the replacement carton and packing materials.

CAUTION: There will be several tamper-evident labels. Do not cut or damage these labels because they are required for FIPS compliance audits.

Selecting a rack location

Select a rack location that meets the space, airflow, temperature, power, and electrical grounding requirements described in Rack planning resources.

For adequate airflow within the rack, use appropriate high airflow inserts in rack cabinet doors and observe industry standard practices for adequate spacing between racks or rows of racks.

NOTE: Do not install an appliance in the bottom unit of the rack; doing so will prevent the locking bezel cover from opening.


Removing an existing SKM (appliance) from the system

Skip this step if you are installing a new appliance.

1. Zeroize the original appliance. To do so, sign into the command line interface and enter the following commands:

hostname# configure

hostname# reset factory settings zeroize

Confirm that you wish to perform the zeroize operation.

Allow the system to zeroize the contents of the appliance. During this process the appliance reboots automatically several times. The process may take several minutes.

2. Halt the system. At the end of the zeroize process the system displays the following:

Are you ready to begin setup? (y/halt):

Type halt. After you confirm that you want to halt the system, the appliance begins a shutdown process. This may take a few minutes and powers off the appliance.

Once the appliance has powered itself off it is ready to be removed and packaged for shipment.

3. Release the power cables from the strain relief clip. Disconnect the Ethernet and power cables from the appliance.

4. Unlock and open the locking bezel cover.

5. Loosen the thumbscrews on the front bezel to release the appliance from the rack.

6. Close and re-lock the front bezel and remove the keys.

7. Extend the appliance out of the rack until the slide rails lock into place.

8. With another person, press the inner rail release latches. Pull the appliance out of the rack and set it on a stable work surface.

9. Remove the rails from the original appliance for reuse on the replacement appliance. To do so, pull out on the tab of the rail that locks the center tab of the appliance, slide the rail forward, and pull the rail off the appliance.

10. Return the original appliance to HP according to the repackaging instructions sent separately.

11. Skip to Attaching rails to the appliance.

Installing the rails in the rack

1. Locate the rail kit.

2. Adjust the outer slide rail to the approximate rack depth.

3. At one side of the rack, align the rail with the holes in the rack. The word Front is engraved on the front of the rails; the word Rear is engraved on the rear of the rails.

4. Insert the rail into the holes in the rack and press firmly until the rail is secure.

5. Repeat these steps with the other side rail.

Attaching rails to the appliance

1. Align one of the rails with the left side of the appliance (as you face the front of the appliance) so that the word “FRONT” on the rail is seen right-side-up and at the front of the node.

2. Align the holes in the rail with the round tabs on the side of the appliance.

3. Put the rail onto the appliance with the tabs extending into the holes on the side of the rail, then slide the rail toward the front of the appliance until the tabs are locked into the rail.

4. Perform these steps again to install the other rail on the other side of the appliance.

Installing the appliance in the rack

1. Align the rails on the appliance with the rails in the rack.

2. Slide the appliance fully into the rack.

The rails on the appliance will lock into the rails on the rack. When fully seated against the rack, the appliance will also lock into place.

3. With the appliance fully seated in the rack, tighten the thumbscrews just until the bezel is secured to the rack.

Attaching the cables

1. Connect a standard Ethernet (CAT-5) cable from your local IP network (LAN) to the 10/100/1000 NIC 1 (RJ-45) connector.

WARNING! To reduce the risk of electric shock, fire, or damage to the equipment, do not plug telephone or telecommunications connectors into RJ-45 (NIC) connectors.

2. Connect the appliance power supplies' AC power connectors to two separate AC power sources using the power cables provided (see Figure 2).

Figure 2 Connect the power supplies to AC power sources

3. Use the strain relief clip from the hardware kit to secure the power cord to the rack.

4. If this is a replacement appliance, pack the old appliance in the shipping materials for the replacement appliance. You may need to remove the slide rails and null modem cable from the old appliance to fit it in the box.

5. Plug one end of the null modem cable into the serial port. Plug the other end into the laptop or PC that you will use to configure the appliance.


2 Configuring the system

Starting the SKM appliance

NOTE: To prepare to configure the system, have ready all information listed on the pre-install survey. This information was gathered by your site Security Officer and the HP installation team before the system was shipped; if it has been lost, obtain the form from www.hp.com (on the SKM product page, under Support for your Product, Manuals) and complete it now. If portions of this information are inaccurate or unknown, the installation will be incomplete and data encryption cannot occur.

The SKM appliance is configured from the laptop or PC connected to the appliance with the null modem cable.

To configure the SKM appliance, perform the following steps for each appliance being installed:

1. Power on the SKM by pressing the Power On/Standby button located under the front bezel of the appliance.

Green LEDs on the front of the appliances should light up (except the UID and NIC2 LEDs). If they do not, ensure that all cables are firmly connected.

2. Sign into the appliance using a terminal emulation program, such as Hyperterminal™.

3. While the SKM is performing the initial boot sequence, use the terminal emulator to specify the following serial port settings.

• VT100/ANSI
• 9600 bps
• 8 data bits
• Parity-none
• 1 stop bit
• Hardware flow control

4. When the appliance is booted, it displays the following prompt:

Are you ready to begin setup? (y/halt):

Enter y.

5. Follow the prompts to enter the necessary information:

TIP: Press Enter to accept the default.

a. Admin account password. The Security Officer will use the admin account to configure the SKM appliances and clustering.

b. Time zone

c. Date

d. Time. The time is based on a 24-hour clock. There is no a.m. or p.m. designation. For example, 1:20 p.m. is 13:20:00.

e. IP address of the SKM appliance. The appliance must have a static network address; it cannot obtain an IP address through DHCP.

f. Subnet mask

g. Default gateway

h. Hostname, including the domain. For example, skm.example.com.

The screen displays the information you entered and the message "Is this correct? (y/n):"

i. If the information displayed is correct, enter y; if not, enter n and make the necessary corrections.

j. Web interface port number. HP recommends using the default port number 9443.

After the configuration settings are saved, a log-in prompt displays.


6. Configure the default settings for the key replication interval and retry attempts.

NOTE: These commands require firmware version 1.1 or greater.

a. Log in to the appliance as admin using the password specified during configuration.

b. Type configure to enter configuration mode.

<hostname># config

<hostname>(config)#

c. Type the following commands to set both the key replication and key replication retry intervals.

<hostname>(config)# setsv serverpriv nae_repl_retry_attempts 1440

This command returns: Config update successful.

<hostname>(config)# setsv serverpriv nae_repl_retry_interval 60

This command returns: Config update successful.

<hostname>(config)# restart stagd

d. Verify that the settings have taken effect.

<hostname>(config)# display serverpriv nae_repl_retry_attempts

This command returns: 1440

<hostname>(config)# display serverpriv nae_repl_retry_interval

This command returns: 60

e. Log out of the appliance.

<hostname>(config)# exit

<hostname># exit

These commands display:

Exiting command line interface

Release 4.8.1-10

NOTE: These settings can also be entered using a remote ssh connection while logged in as admin.

7. Unplug the null modem cable from the laptop or PC and from the SKM. All further configuration will be done from the web management console.

Configuring the first SKM appliance

If you have more than one SKM appliance, HP recommends that they be clustered for high availability. In this section, one SKM appliance will be configured first. In Establishing a cluster, that configuration will be transferred to the remaining SKM appliances.

If you are replacing an SKM appliance or adding a member to an existing cluster, skip to Establishing a cluster.

The configurations in this step are performed from the SKM management web console, which can be accessed from any web browser with Internet access to the SKM appliance. The URL for the appliance is:

https://<appliance hostname>:<appliance port number>

Where

• <appliance hostname> is the hostname or IP address you provided in Starting the SKM appliance, step 4.
• <appliance port number> is 9443 by default. If you changed the port number in Starting the SKM appliance, step 4, use that number instead.

Setting up the local Certificate Authority (CA)

To create and install local CAs, perform the following steps:

1. Log on to the SKM management web console using the admin password you supplied in Starting the SKM appliance.

2. Select the Security tab.

3. In Certificates & CAs, click Local CAs.

4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA, which will be the root for authentication of the clusters.

a. Enter a Certificate Authority Name and Common Name. These may be the same value, for example SKM Local CA.

b. Enter your organizational information.

c. Enter the Email Address where you want messages to the Security Officer to go.

d. Enter the Key Size. HP recommends using 2048 for maximum security.

e. Click Self-signed Root CA and enter the CA Certification Duration and Maximum User Certificate Duration. These values determine when the certificate must be renewed and should be set in accordance with your company's security policies. The default value for both is 3650 days or 10 years.

5. Click Create.

6. Add the Local CA to the Trusted CAs list.

a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority List Profiles.

b. Click on the Default Profile Name (not the radio button).

c. In the Trusted Certificate Authority List, click Edit.

d. From the list of Available CAs in the right panel, select the CA you created in step 4. For example, SKM Local CA.

e. Click Add.

f. Click Save.

7. If appropriate, add known, third-party CAs to the Trusted CAs list.

a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority List Profiles.

b. Click on the Default Profile Name.

c. In the Trusted Certificate Authority List, click Edit.

d. From the list of Available CAs in the right panel, select the third-party CA you require.

e. Click Add.

f. Click Save.

NOTE: Repeat these steps any time another local CA is needed.

Creating the SKM server certificate

To create the SKM server certificate, perform the following steps:

1. Click the Security tab.

2. In Certificates and CAs, select Certificates.

3. Enter information required by the Create Certificate Request section of the window to create the SKM server certificate.

a. Enter a Certificate Name and Common Name, for example SKM Server.

b. Enter your organizational information.

c. Enter the E-mail Address where you want messages to the Security Officer to go.

d. Enter the Key Size. HP recommends using the default value: 1024.

4. Click Create Certificate Request.

5. Click on the newly created certificate from Certificate List, for example SKM Server.

6. Copy the certificate data, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- lines. Be careful to exclude extra carriage returns or spaces after the data. This information will be used in step 10 of this section.

7. In the Certificates & CAs menu, click Local CAs.

8. Click on the CA name you created in Setting up the local Certificate Authority (CA), for example SKM Local CA.

9. Click Sign Request.

10. Enter data required by the Sign Certificate Request section of the window.

a. Select the CA name from the Sign with Certificate Authority drop down box. For example, SKM Local CA.

b. Select Server as the Certificate Purpose.

c. Enter the number of days before the certificate must be renewed based on your site's security policies. The default value is 3649 or 10 years.

d. Paste the copied certificate data from step 6 into the Certificate Request box.

11. Click Sign Request.

12. Copy the signed certificate data, from -----BEGIN to END…----- lines. Be careful to exclude extra carriage returns or spaces after the data. This information will be used in step 16 of this section.

13. In the Certificates & CAs menu, click on Certificates.

14. Click on the certificate name created in steps 3 – 4 of this section. For example, SKM Server.

15. Click Install Certificate.

16. Paste the signed certificate data from step 12 and click Save. Note that the Certificate status is now Active.
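The copy steps in this procedure (steps 6 and 12) warn against extra carriage returns or spaces after the data. The following Python sketch is an added example, not HP's code: it extracts the BEGIN/END block from clipboard text, strips stray whitespace, and rejects a truncated copy before it is pasted into the console. The function names and the sample paste are constructed for illustration; the 5-byte body stands in for a real certificate request.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def check_der_sequence(der):
    """Check that der is exactly one DER SEQUENCE (catches a truncated copy)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        # Short form: the length fits in this single byte.
        header, length = 2, first
    else:
        # Long form: the low 7 bits give the number of length bytes that follow.
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(
            f"DER length mismatch: header says {length} bytes, "
            f"found {len(der) - header} (truncated or padded copy?)"
        )


def clean_pem(pasted, expected_label):
    """Return the PEM block found in pasted text, normalised for pasting.

    Raises ValueError if no complete block is present, the label differs
    from expected_label, or the body is not base64-encoded DER.
    """
    match = PEM_BLOCK.search(pasted)
    if match is None:
        raise ValueError("no complete BEGIN/END block found")
    label = match.group("label")
    if label != expected_label:
        raise ValueError(f"expected {expected_label!r}, found {label!r}")
    # Drop carriage returns, trailing spaces and blank lines inside the body.
    lines = [ln.strip() for ln in match.group("body").splitlines() if ln.strip()]
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    check_der_sequence(der)
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


# Constructed sample: a 5-byte DER SEQUENCE stands in for a real request,
# surrounded by the kind of debris a browser copy can pick up.
_FAKE_DER = bytes.fromhex("3003020100")
SAMPLE_PASTE = (
    "Certificate Request:\r\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    + base64.b64encode(_FAKE_DER).decode() + "  \r\n"
    "-----END CERTIFICATE REQUEST-----\r\n\r\n  "
)

if __name__ == "__main__":
    print(clean_pem(SAMPLE_PASTE, "CERTIFICATE REQUEST"))
```

For the signed certificate copied in step 12, pass the label that appears on its BEGIN line instead of CERTIFICATE REQUEST.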

Enabling SSL on the Key Management System (KMS) Server

The KMS Server provides the interface to the client. Secure Sockets Layer (SSL) must be enabled on the KMS Server before this interface will operate. After SSL is enabled on the first appliance it will be automatically enabled on the other cluster members.

To configure and enable SSL, perform the following steps:

1. Select the Device tab.

2. In the Device Configuration menu, click KMS Server to display the Key Management Services Configuration window.

3. In the KMS Server Settings section of the window, click Edit. The following warning may display.

4. Configure the KMS Server Settings as shown. (Ensure that the port and connection timeout settings are 9000 and 3600, respectively). For Server Certificate, select the name of the certificate you created in Creating the SKM server certificate, step 4. For example, SKM Server.

5. Click Save.

IMPORTANT: Please apply the most recent security patch(es) to ensure maximum security. Receive support alerts, driver updates, software, firmware, and customer replaceable components, in your E-mail through HP Subscriber's Choice. Sign up for Subscriber's Choice Driver, Patch, Security, and Support alerts at the following URL: http://www.hp.com/go/myadvisory

Establishing a cluster

The procedures in this section will establish a cluster configuration on one SKM appliance and then transfer that configuration to the remaining appliances.

• In Creating the cluster, the cluster is created on one SKM appliance. Skip this section if you already have an SKM cluster.

• In Copying the Local CA certificate, the Local CA certificate from an existing cluster member is copied into the copy buffer in preparation for pasting it into the management console of each of the SKM appliances that will be added to the cluster in Adding SKM appliances to the cluster. Start here if you are replacing an SKM or expanding an existing cluster. When replacing an appliance or expanding the cluster, any of the existing cluster members may be used to transfer the cluster configuration.

• In Adding SKM appliances to the cluster, each of the additional SKM appliances will be added to the cluster. Start here if you already have a cluster and the Local CA certificate from Copying the Local CA certificate is still available in your copy buffer.

If you only have one SKM appliance, skip Establishing a cluster and continue with Propagating third-party certificates.

Creating the cluster

To create the cluster, perform the following steps on one of the SKM appliances to be clustered:

1. From the SKM management console, click the Device tab.

2. In the Device Configuration menu, click Cluster.

3. Type the cluster password in the Create Cluster section of the main window to create the new cluster.

4. If required, change the Local Port. HP recommends using the default value of 9001.

5. Click the Create button.

6. In the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop.

The cluster key is a text file and is only required temporarily. It may be deleted from your computer's desktop after all SKM appliances have been added to the cluster.

Copying the Local CA certificate

Before an SKM appliance can be added to a cluster, the Local CA certificate from an SKM already in the cluster must be installed onto the new SKM appliance.

To copy the Local CA certificate:

1. If you do not have a browser window open from Creating the cluster, log into the SKM management console of one of the existing cluster members.

2. Click the Security tab.

3. In the Certificates & CAs menu, click Local CAs.

4. Click on the name of the local CA from the Local Certificate Authority List section of the screen. This is the name of the CA created in Setting up the local Certificate Authority (CA), steps 3 – 4. For example, SKM Local CA.

5. Copy the certificate data from the CA Certificate Information, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be careful to exclude extra carriage returns or spaces after the data. This certificate data will be transferred to the other SKM appliances in Copying the Local CA certificate.

6. Keep this browser window open while adding appliances to the cluster in the next section.

Adding SKM appliances to the cluster

To add SKM appliances to the cluster, perform the following steps on each additional appliance.

1. Open a new browser window, keeping the browser window from Copying the Local CA certificate open.

2. If you skipped Creating the cluster, retrieve the cluster key text file now. To do so, select the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop.

The cluster key is a text file and is only required temporarily. It may be deleted from your computer's desktop after all SKM appliances have been added to the cluster.

3. In the new browser window, log into the management console of the SKM appliance that is being added to the cluster and click the Security tab.

4. Add the first member's CA to the list of known CAs.

a. In the Certificates & CAs menu, click Known CAs.

b. Enter information required in the Install CA Certificate section near the bottom of the page.

c. Type the Certificate Name of the certificate being transferred from the first cluster member. This is the name in Creating the cluster, step 8. For example, SKM Local CA.

d. Paste the copied certificate data into the Certificate box. This is the data copied from Copying the Local CA certificate, step 2.

e. Click Install.

5. Add the first member's CA to the Trusted CAs list.

a. In the Certificates & CA menu, click Trusted CA Lists.

b. Click on the Default Profile Name.

c. Click Edit.

d. Select the name of the CA from the list of Available CAs in the right panel. For example, SKM Local CA.

e. Click Add.

f. Click Save.

6. Join the appliance to the cluster.

a. Select the Device tab.

b. In the Device Configuration menu, click on Cluster.

c. In the Cluster, click on Join Cluster.

d. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults.

e. Type the original cluster member’s IP into Cluster Member IP.

f. Type the original cluster member’s port into Cluster Member Port. The default value of this port is 9001. If this value was changed in Creating the cluster, step 4, use that value.

g. Click Browse and select the Cluster Key File you saved in Creating the cluster, step 6.

h. Type the cluster password into Cluster Password.

i. Click Join.

7. After adding all members to the cluster, delete the cluster key file from the desktop.

Creating and installing the SKM Server Certificate

To create and install the SKM Server Certificate, perform the following steps on each new appliance on the cluster:

1. Click the Security tab.

2. In the Certificates & CAs menu, click Certificates.

3. Enter information required in the Create Certificate Request section of the window as shown:

a. Fill in the Certificate Name and Common Name. The Certificate Name must match the name used for the certificate created in Creating the SKM server certificate.

b. Type your organizational information.

c. Type the E-mail Address where you want messages to the Security Officer to go.

d. Select the Key Size. HP recommends using the default value: 1024.

4. Click Create Certificate Request.

5. Click on the newly created certificate SKM Server from Certificate List.

6. Copy the certificate data, from lines -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be careful to exclude extra carriage returns or spaces after the data.

7. In the Certificates & CAs menu, click Local CAs.

8. Click on the SKM Local CA.

9. Click Sign Request.

10. Enter information required in the Sign Certificate Request section of the window as shown:

a. In the Sign with Certificate Authority drop down box, select SKM Local CA.

b. Select Server as the Certificate Purpose.

c. Use the default Certificate Duration 3649.

d. Paste the copied certificate data into the Certificate Request box.

11. Click Sign Request.

12. Copy the certificate data, from lines -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be careful to exclude extra carriage returns or spaces after the data.

13. In the Certificates & CAs menu, click Certificates.

14. Click on the SKM Server in the Certificate List.

15. Click Install Certificate.

16. Paste the copied certificate data and click Save.

Propagating third-party certificates

Skip this section if the original cluster member does not have third-party certificates.

Copying the certificates

To copy the certificates, perform the following steps on the original cluster member:

1. Log into the cluster member's SKM management console and click the Device tab.

2. In the Maintenance menu, click on Backup & Restore and then Create Backup.

3. Click Select None.

4. Select Certificates then Choose from list and select SKM Server.

5. Click Continue.

6. Click Select None.

7. Click Continue.

8. In the Create Backup screen, type a name, description, and password for the certificate backup.

9. Select Download to Browser.

10. Click Backup and save the backup to your desktop.

Installing the certificates

To install the certificates, perform the following steps on each of the additional cluster members:

1. In the Maintenance menu, click Backup & Restore and then Restore Backup.

2. Click Upload from browser.

3. Click Browse and locate the previously saved backup on your desktop.

4. Type the Backup Password.

5. Click Restore.

6. Click Select All.

7. Type the Backup Password.

8. Navigate to Device > Maintenance > Services > Restart/Halt.

9. In the Maintenance menu, click Services.

10. Click Restart.

11. Click Commit. Wait for the system to reboot.

Enrolling client devices with the SKM

The SKM is compatible with many client devices (for example, ETLA libraries). To establish correct communication between the SKM and the client, you must create a client account, then configure the client to obtain keys from the SKM. Please see the appropriate SKM installation poster for your client device in order to complete these steps.

Enrolling ETLA libraries with the SKM

In this section, an SKM client account will be created for each tape library and then each tape library will be configured to obtain keys from the SKM.

Setting up SKM client accounts for each tape library

NOTE: An Advanced Secure Manager license is required on each ETLA library to be enrolled with the SKM. Ensure that all ETLA libraries which will use the SKM are in green status before setting up their client accounts.

The HP ETLA tape libraries must have LTO4 tape drives installed, and the library and its components must have firmware versions that support the key management feature. See the pre-installation survey for the specific firmware versions required. Instructions for obtaining and updating firmware can be found in the library's user and service guide.

In the following steps, key generation policies are assigned per library partition or per physical library if there are no partitions. Consider partitioning the library if any of the following are true:

• If your key generation policy requires more than one key for a single library, the library must be partitioned before setting up the SKM client account for that library.
• If the library contains a mixture of tape drive technologies, HP recommends creating separate partitions for each drive type. A tape library can be divided into as many as six partitions, with a minimum of one drive per partition. Only LTO-4 drives can be configured for encryption.

For more information on partitioning ETLA libraries, see http://www.hp.com/go/ebs. From the gray box on the right side of the screen, select EBS Whitepapers & Implementation Guides. Under Library Partitioning, select "Partitioning in an EBS Environment Implementation Guide".

Repeat this section for each library to be enrolled in the SKM.

In the following steps you will need the serial number of the ETLA library to be enrolled as an SKM client. If the library is partitioned, you will need the serial number of each partition. The library serial number is available from Command View TL. Select and manage the library to be enrolled. Click the Identity tab. The library serial number is shown at the bottom of the screen.

Partition serial numbers are also available from Command View TL. Select and manage the library to be enrolled. Click the Configuration tab. In the left-hand section of the window, click Partitioning. The library partitions are shown in the Partitioning section of the window to the right. For each partition, right-click the name of the partition and select Properties. The partition serial number is shown near the top of the Properties window.

TIP: If you have Command View TL open in a separate browser window, you can copy and paste the serial numbers from Command View to the SKM console.

To set up the accounts for each tape library, perform the following steps:

1. Ensure that the library has the minimum firmware revisions specified on the pre-installation survey. Also ensure that any necessary library partitions have been configured.

2. If necessary, log in as admin to the SKM management console.

3. In the Users & LDAP menu, click Local Users & Groups.

4. Below the Local Users section, click Add.

5. Type the library's username and a password into the appropriate fields. The username may be any value, but must be unique for each ETLA library.

6. Click Save.

7. Select the newly created username from the list of local users.

8. Click Properties.

9. Click the Custom Attributes tab.

10. Click Add.

11. In the Attribute Name field, type the word KeyGenPolicy.

12. In the Attribute Value field, enter the key generation policy for the library. If the library is partitioned, enter the key generation policies for each partition on a separate line in the Attribute Value field. All library partitions must have a policy even if the policy is no encryption.

a. Type or paste the serial number of the library or partition into the Attribute Value field, followed by a space.

b. Type the two-character key generation policy for that library or partition on the same line.

The possible key generation policy values are:

• KT — key per tape
• KP — key per partition, or key per library if there are no partitions
• NE — no encryption

c. If the key generation policy is KP, type the master key name after the policy value.

13. Click Save.

If you selected KP, key per partition, create a master key for that library or partition. All media in that library or partition will use this key until you assign a different master key.

To create a master key, perform the following steps:

1. Click the Security tab.

2. In the Keys menu, click Keys.

3. Enter information in the Create Key section of the window as shown:

• Type the desired key name in Key Name. For example, EML_24uMaster. This must exactly match the name entered in the Attribute Value for the KeyGenPolicy field in step 12c of the previous procedure.
• Type the library username, from step 5 above, in Owner Username.
• Use the default value for Algorithm which is AES-256.
• Select Deletable.
• Select Exportable.
• Use the default Copy Group Permissions From which is [None].
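A KeyGenPolicy value can be checked before it is pasted into the Attribute Value field. This Python sketch is an added example, not HP's code: it parses the per-line format described in step 12, confirms every partition has a policy line, and confirms each KP master key name exactly matches a key that exists on the SKM. The function names, the sample serial numbers and the assumptions that fields are separated by spaces and key names contain no spaces belong to this example; EML_24uMaster is the guide's example key name.

```python
from dataclasses import dataclass
from typing import Optional

# Policy codes listed in the guide.
POLICIES = {"KT": "key per tape", "KP": "key per partition", "NE": "no encryption"}


@dataclass(frozen=True)
class PolicyEntry:
    serial: str
    policy: str
    master_key: Optional[str] = None


def parse_keygen_policy(attribute_value):
    """Parse the Attribute Value text into (entries, errors)."""
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(attribute_value.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line left over from a paste
        if len(fields) < 2:
            errors.append(f"line {lineno}: expected '<serial> <policy>'")
            continue
        serial, policy, rest = fields[0], fields[1], fields[2:]
        if policy not in POLICIES:
            errors.append(f"line {lineno}: unknown policy {policy!r}")
        elif policy == "KP" and len(rest) != 1:
            errors.append(f"line {lineno}: KP needs exactly one master key name")
        elif policy != "KP" and rest:
            errors.append(f"line {lineno}: {policy} takes no master key name")
        elif serial in seen:
            errors.append(f"line {lineno}: duplicate serial {serial}")
        else:
            seen.add(serial)
            entries.append(PolicyEntry(serial, policy, rest[0] if rest else None))
    return entries, errors


def audit_keygen_policy(attribute_value, partition_serials, existing_keys):
    """Cross-check the parsed policy against the library and the SKM key list.

    partition_serials: serial numbers read from Command View TL.
    existing_keys: key names already created on the SKM (case-sensitive).
    """
    entries, errors = parse_keygen_policy(attribute_value)
    covered = {e.serial for e in entries}
    # Every partition needs a line, even if its policy is NE.
    for serial in partition_serials:
        if serial not in covered:
            errors.append(f"partition {serial}: no valid policy line (use NE if unencrypted)")
    for serial in sorted(covered - set(partition_serials)):
        errors.append(f"serial {serial}: not a partition of this library")
    # The master key name must match the SKM key name exactly.
    for e in entries:
        if e.policy == "KP" and e.master_key not in existing_keys:
            errors.append(f"serial {e.serial}: master key {e.master_key!r} not found on SKM")
    return entries, errors


# Constructed sample: serial numbers are made up for this example.
SAMPLE_VALUE = (
    "PART0001 KT\n"
    "PART0002 KP EML_24uMaster\n"
    "PART0003 KP eml_24umaster\n"   # wrong case: will not match the key
    "PART0004 XX\n"                 # not a valid policy code
)
SAMPLE_PARTITIONS = ["PART0001", "PART0002", "PART0003", "PART0004", "PART0005"]
SAMPLE_KEYS = {"EML_24uMaster"}

if __name__ == "__main__":
    _, problems = audit_keygen_policy(SAMPLE_VALUE, SAMPLE_PARTITIONS, SAMPLE_KEYS)
    for problem in problems:
        print(problem)
```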

Create a key sharing group so ETLA libraries can share keys.

IMPORTANT: Perform this procedure now, even if you do not currently plan to share keys. If the library's username is not added to a group at this point, the keys generated by the library can never be used by other libraries. Adding the username to a group later will not enable key sharing with this (username) library.

Encrypted media may be exported from one library in the group and imported to another for decryption. You must have at least one local group and you may have additional groups for more complex sharing requirements.

To create a key sharing group:

1. Select the Security tab.

2. In the Users & LDAP menu, select Local Users & Groups.

3. Under User & Group Configuration scroll to the Local Groups section.

4. Click Add.

5. Type the name of the group in the edit field. For example, MainDataCenter.

6. Select the name of the new group.

7. Under User List, click Add.

8. Type the username of the library client to be added to the group. Or select the library name from the list.

9. Click Save.

Enrolling the library clients

Use the configuration wizard on the Command View Tape Library to enroll the library client with the SKM. Repeat this section for each library to be enrolled.

1. If necessary, log onto the Command View Tape Library as the Security Officer.

2. Select and manage the library to be enrolled.

3. Select the Configuration tab.

4. Select Key Management to open the Properties window.

5. Select Actions, then Launch Key Management Setup Wizard to launch the configuration wizard.

The configuration wizard establishes communication between the library and the SKM by setting up the CAs and certificates on the library, entering the username and password, and entering the IP addresses of the SKM. The wizard will verify the connectivity to the SKM when all the data has been provided.

After completing these steps, the encryption policies you have chosen will be applied and maintained to the LTO4 tape drives in those libraries and partitions.

For LTO4 tape drives in libraries or partitions with a KT (key per tape) or a KP (key per partition) policy, all backups will be encrypted. Those tape drives will be able to read encrypted or unencrypted data. Only LTO4 media may be written, but LTO2 and LTO3 data may be read.

For LTO4 tape drives in libraries or partitions with an NE (no encryption) policy, all backups will be written unencrypted. These tape drives will read and write LTO3 and LTO4 media, and will read LTO2 media. Only unencrypted data may be read in tape drives with an NE policy.

3 Verifying that installation and initial configuration is successful

It is crucial to verify the installation and initial configuration. The two tests presented in this section will verify that the tape backups are being encrypted, and that all nodes in the SKM cluster are accessible to the ETLA library clients.

Verify that tape backups are being encrypted

This test encrypts data to a scratch tape, then attempts to read that data in a non-encrypting configuration. The failure to read data verifies that encryption has occurred.

1. Verify that the following prerequisites have been met.

• All SKM nodes are successfully installed.
• All SKM nodes are successfully added to the cluster.
• All ETLA library pre-installation steps are complete: hardware and firmware are updated, partitioning is set up correctly, Secure Manager is licensed and configured to allow access to the backup hosts.
• All ETLA libraries are enrolled with the SKM cluster.
• The backup administrator is present.
• There is at least one scratch tape present in each library. If the library is partitioned, identify the partition containing the scratch tape.
• A console is available from which to access the ISV backup software.
• A console is available from which to view the SKM interface.

2. Prepare to conduct the test.

a. Using a separate browser window for each SKM node, log into each of the nodes via the interface.

b. For each node (in each browser window), on the Device tab in the Logs and Statistics panel,select Log Viewer, then select Activity.

c. In the Show last number of lines field, select All, then click Display Log.

d. On a separate console, log in to the ISV software and ensure that it can access the LTO4 tape drives to be used in the test.

3. Use the ISV console to load the scratch tape into an LTO4 drive in a partition or library with an encrypting (KT or KP) policy, then to format or initialize the tape.

Optionally, write a few records to the tape which can be restored later to demonstrate that the restore succeeds. The initialization process may be sufficient, if it writes records which may be later retrieved (timestamps, etc).

4. Use the ISV software to read the records from tape, to show that the encrypted data is readable.

5. Using the SKM browser windows, demonstrate that the Activity Log of one SKM contains a new entry showing a key was created.

6. For each of the other SKM browser windows, select the Security tab, then show the key in the Keys window to demonstrate that the key has been replicated to each node.

Return to the Activity Log viewer after verifying the replication.

7. Use the ISV console to unload the media to a library slot.

8. Temporarily disable the encryption policy

a. In one of the SKM browser windows, select the Security tab.

b. In the User and LDAP pane, select Local Users and Groups.

c. Select the username of the library client being tested.

d. Select the Custom Attributes tab, then click Edit.

e. For the partition containing the scratch tape, change the policy to NE (No Encryption).

f. Click Save.

9. Demonstrate that the policy change was replicated.

a. Return to the Activity Log display.

b. In each of the other SKM browser windows, view the Custom Attributes of the library client. The policy will show NE.

c. Return to the Activity Log display.

10. Use the ISV console to load the scratch tape into an LTO4 drive in the same partition and attempt to read the records written to the tape earlier in this procedure.

NOTE: If possible, use a different drive in the partition to further demonstrate that all drives in the partition have the same policy.

This operation will fail because the encryption policy is temporarily disabled.

11. Note the error message that displays. This will be the error message that this ISV uses when encrypted tapes are placed in non-encrypting drives.

12. Re-enable the encryption policy using the method in Step 8 and changing the policy to the original setting.

NOTE: Review the changes to ensure the policies for each partition are correct.

13. In each of the SKM browser windows, view the custom attributes for the library to verify that the policy changes were replicated to each node.

14. Use the ISV to load the tape into an LTO4 drive in the same partition, preferably the same drive used in Step 10 and read the records written to the tape earlier in this procedure.

This operation will succeed because the encryption policy has been re-enabled.

15. Unload the tape.

16. Using the Activity Log viewers, demonstrate that one of the SKM nodes has now logged a key export.

If this test fails, the most likely cause of the failure is an incorrectly entered or missing KeyGenPolicy. See Enrolling ETLA libraries with the SKM. You can also rerun the connectivity test in the Command View Wizard.

Verify all nodes of the SKM cluster are accessible to ETLA libraries

This test temporarily configures the ETLA library so that only one SKM node is visible at a time, then teststhat each node in the cluster can read an encrypted tape.


1. Verify that the following prerequisites have been met.

• All SKM nodes are successfully installed.
• All SKM nodes are successfully added to the cluster.
• All ETLA library pre-installation steps are complete: hardware and firmware are updated, partitioning is set up correctly, Secure Manager is licensed and configured to allow access to the backup hosts.
• All ETLA libraries are enrolled with the SKM cluster.
• The procedure in Verify that tape backups are being encrypted is successfully completed.
• The backup administrator is present.
• There is at least one scratch tape present in each library. If the library is partitioned, identify the partition containing the scratch tape.
• There is a console available from which to access their ISV backup software.
• There is a console available from which to view the SKM interface.
• There is a console available from which to view Command View TL.

2. Prepare to conduct the test.

a. Using a separate browser window for each SKM node, log into each of the nodes via the interface.

b. For each node (in each browser window), on the Device tab in the Logs and Statistics panel,select Log Viewer, then select Activity.

c. In the Show last number of lines field, select All, then click Display Log.

d. Log in to the ISV software and ensure that it can access the LTO4 tape drives to be used in the test.

3. Using Command View TL, rerun the SKM Wizard and remove all but one of the SKM IP addresses that were configured during installation.

The Interface Manager reboots at the end of this step. Reboot takes less than 5 minutes.

4. Use the ISV software to load the tape (from the procedure in Verify that tape backups are being encrypted) into an LTO4 drive, then read the data.

The read operation will be successful. This verifies that the key is available on the single node, that the path to the node is operational, and the library client’s certificates and credentials at that node are correct.

5. Unload the cartridge.

6. Repeat the above steps for each node in the SKM cluster.

7. After all nodes are proven to be accessible, reconfigure the ETLA with the original IP addresses.

8. Reboot the Interface Manager.

If the procedure fails for one node, the most likely cause is an issue with the server certificate on that node. Review the steps in Creating the SKM server certificate. Each node has its own server certificate, but these must have the same name and must all be signed by the same CA.


A SKM pre-installation survey and checklist, for connecting to ETLAs

Use the survey and checklist to establish system-wide information and ensure proper configuration for the SKM and the Enterprise Tape Libraries with Extended Tape Library Architecture (ETLAs) to which the system is attached. This must be done before beginning system installation to ensure success.

SKM pre-installation survey

The survey identifies critical information HP needs to install and configure the HP Secure Key Manager (SKM). The survey also identifies prerequisites that must be in place prior to installation (for example, ETLA library firmware versions and configurations), even though they are not part of the HP SKM installation service. Finally, the survey includes areas which you should consider prior to installation in order to ensure your security policies are not subject to disruption, and can continue to function without interruption if a disruption does occur. This includes reviewing site requirements and guidelines for planning backups of the SKM.

NOTE: Standard installation consists of installing two appliances and enrolling one ETLA Tape Library at one location. Requirements exceeding the standard service, such as installing additional appliances, enrolling multiple ETLA Tape Libraries, complex or custom implementation, or integration activities can be accommodated at additional cost.

Sourcing the SKM security officer (SO) role and ensuring installation support

The SO role will define and oversee the security policies for your data center, or even for the enterprise. If you already have an SO and security policies, they will define how the SKM integrates and enhances those policies. With HP’s SKM and ETLA tape libraries, the SO may be responsible for ensuring the installation meets your company’s business objectives. This includes ensuring the correct libraries and drives are selected for encryption, and selecting the appropriate key generation policies for your business. After installation, the SO may be responsible for auditing those policies, and determining when policy changes are needed.

During installation someone representing your SO and your backup administrator must be present to enter passwords and answer any security-related and company-related questions that arise. After installation, they will also initiate tests HP has defined which will initialize, write, and read some scratch LTO4 media using your backup application.

Planning step: Designate someone to represent the SO and your backup administrator who will be present during all steps of the SKM configuration, the enrollment of the ETLA libraries, and validation testing of the HP SKM solution.

Designing the cluster, identifying any cross-geography requirements

The HP SKM is deployed in a minimum configuration of 2 SKM nodes. These nodes may be deployed in the same or different physical locations. You may, for example, want the nodes to be in different sites to provide key availability in event of a power outage at one site.

Planning step: If multi-site deployment is needed, HP needs information about both sites before scheduling the installation.


Obtaining a static IP address for the SKM

The SKM will only accept static IP addresses. If you want to use both network ports on each appliance, you will need 2 static IP addresses per appliance. IP addresses are typically provided by your IT department.

Planning step: Obtain 1 or 2 static IP addresses per SKM appliance. If you install 2 appliances, you will need at least 2, and up to 4, static IP addresses. Also obtain the subnet mask and the default gateway for each IP address.

Identifying the ETLA libraries and number of LTO4 drives to be used for encryption

Determine what portion of your backups will be encrypted and provision sufficient LTO4 drives to meet those requirements. If some of the LTO4 tape drives in a library will be used for encryption and others will not, then the library must be partitioned before the SKM is installed. The HP ETLA libraries may be configured to contain up to 6 partitions per physical library. Each partition may have a separate key generation policy that will apply to all LTO4 drives in that partition. For example, if you have 8 LTO4 drives but only want 2 of them to be used for encryption, partition the library so that one partition contains 2 LTO4 drives and the other partition contains the remaining 6 drives. If a library is not partitioned, then all LTO4 drives will be used for encryption after the SKM has been configured.

The number of libraries and LTO4 tape drives dedicated to encrypting backup data will depend on your business needs.

NOTE: Partitioning the library is not part of the SKM installation. However, if there will be both encrypting and non-encrypting drives in the same tape library, it is necessary to partition the library. Any partitioning steps must be complete before the SKM is installed. Consult the user's guide for your tape library for instructions on library partitioning.

Planning steps: Have a list of libraries to be enrolled with the SKM. For each library, have a list of LTO4 drives which will be used for encryption. If there are also LTO4 drives in the libraries which will not be used for encryption, ensure partitioning is complete before the SKM installation occurs.

Addressing physical installation and security requirements for the SKM

Ensure rack and power requirements are met at each site.

NOTE: Each node of the SKM cluster requires two (2) power connections to the rack’s power distribution unit. Due to the size of the secure bezel, the SKM requires 2U of the rack per appliance, 1U for the appliance and 1U blank below the appliance. HP recommends that a rack blank be installed in the unit directly below each appliance.

Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to your data, and is therefore of high value. Physical security must be appropriate to that value.

Planning step: Review the installation site(s) and ensure they have adequate capacity and security to meet your business requirements, and to meet the equipment power, rack, and cooling requirements.

Designing a backup strategy for keys and audit logs

In addition to the SKM automated key replication, keys and logs can be backed up to and restored from an external file. HP strongly recommends you back up keys regularly, and periodically test the restore operation to ensure the processes work in the event they are needed. This planning includes who does the backup, how often, how often the restore-test is performed, and where the backup files are stored. Institute a method of logging these operations and versioning the backups.

Planning step: Identify the server used to store backups. Have a backup schedule and a plan for testing the backups.

Determining the appropriate key generation policies

Key generation policies allow the SO to centrally control and audit how encryption is performed. These policies provide a crisp, unambiguous definition of when encryption is and is not performed. This supports the SO’s broader ability to provide specific, auditable security policies for the data center.

Each partition in the library may have a different key generation policy, depending on the business needs. If the library is not partitioned, then all LTO4 drives in the library have the same policy.

The HP SKM and ETLA libraries support the following key generation policies:

• Key per tape (KT): Each LTO4 tape in the partition (or library) is encrypted with a different key. All data written on the tape is encrypted with the same key, even if data is appended to the media later. HP recommends using the Key per Tape policy.

• Key per partition, or key per library (KP): All LTO4 tapes in the partition (or library) use one key. The key remains in effect until you change it.

• No encryption (NE): All LTO4 drives in the partition (or library, if the library is not partitioned) read and write without any encryption. These drives are not configured to read encrypted data from other partitions, either.

Planning step: For each library being enrolled with the SKM, list the desired key generation policy for each partition. If the library is not partitioned, list the key generation policy for the entire library.

Meeting minimum ETLA hardware and firmware requirements

To be compatible with the SKM, an ETLA must meet minimum hardware and firmware requirements. See the HP StorageWorks Secure Key Manager product web page and consult the appropriate Quickspecs.

Planning step: For each ETLA connected to the SKM, ensure that these requirements are met prior to beginning SKM installation. If necessary, upgrade the firmware.

Configuring accounts for each ETLA library

Each ETLA library selected for encryption requires a client account on the SKM. These accounts provide a unique username and password for the library, so the library can be authenticated when it logs in. The username can be any value, but must be unique for each ETLA library.

Planning step: For each ETLA library, define a client account username and password. Passwords must not be a dictionary word, must be 8 characters, must contain both alpha and numeric characters, and must begin with a letter. Passwords are case-sensitive and can include special characters.

Enrolling the ETLA libraries with the SKM

Each of the ETLA libraries selected for encryption must be configured to use the SKM. This step consists of installing digital certificates and configuring the library with the IP addresses of the SKM appliances.

The SKM installation will only include enrollment for the specific libraries in the installation scope of work. The SKM installation does not include configuring the ETLA libraries for backups, connecting them to the SAN, partitioning them, or updating their firmware to support configuring the library for backups.

Planning step: Ensure the ETLA libraries to be enrolled with the SKM have the latest firmware updates, are partitioned (if necessary), and are operational for your backup requirements.
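
The planning rules in this survey (at least 2 SKM nodes, 1 or 2 static IP addresses per appliance, up to 6 partitions each with a KT, KP or NE policy, unique client usernames, and the client password rules) can be checked before the installation visit. The following Python sketch is an added example, not HP's code; the survey dictionary layout, field names, sample values and wordlist are constructed for illustration, and it reads "must be 8 characters" as a minimum length.

```python
import ipaddress
import re

POLICIES = {"KT", "KP", "NE"}  # key per tape, key per partition/library, no encryption
MAX_PARTITIONS = 6             # up to 6 partitions per physical library
MIN_NODES = 2                  # minimum SKM cluster size
MIN_PASSWORD_LEN = 8           # assumption: "must be 8 characters" read as a minimum


def password_problems(password, wordlist=()):
    """Return the client-account password rules that `password` breaks."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("is shorter than 8 characters")
    if not password[:1].isalpha():
        problems.append("must begin with a letter")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both alpha and numeric characters")
    if password.lower() in {w.lower() for w in wordlist}:
        problems.append("is a dictionary word")
    return problems


def validate_survey(survey, wordlist=()):
    """Return a list of findings; an empty list means the plan passes these checks."""
    findings = []
    appliances = survey.get("appliances", [])
    if len(appliances) < MIN_NODES:
        findings.append(f"cluster has {len(appliances)} node(s); minimum is {MIN_NODES}")
    for app in appliances:
        ips = app.get("static_ips", [])
        if not 1 <= len(ips) <= 2:
            findings.append(f"{app['name']}: needs 1 or 2 static IP addresses, has {len(ips)}")
        for ip in ips:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                findings.append(f"{app['name']}: {ip!r} is not a valid IP address")

    seen_users = set()
    for lib in survey.get("libraries", []):
        lib_id, user = lib["id"], lib["username"]
        if user in seen_users:
            findings.append(f"{lib_id}: client username {user!r} is not unique")
        seen_users.add(user)
        for problem in password_problems(lib["password"], wordlist):
            findings.append(f"{lib_id}: password {problem}")
        policies = lib.get("policies", [])
        if not 1 <= len(policies) <= MAX_PARTITIONS:
            findings.append(f"{lib_id}: {len(policies)} policies listed; expected 1 to {MAX_PARTITIONS}")
        for number, policy in enumerate(policies, 1):
            if policy not in POLICIES:
                findings.append(f"{lib_id}: partition {number} policy {policy!r} is not KT, KP or NE")
        # Different policies in one library are only possible once it is partitioned.
        if len(policies) > 1 and not lib.get("partitioned"):
            findings.append(f"{lib_id}: several policies listed but the library is not partitioned")
    return findings


# Constructed sample data (documentation-range addresses, made-up names).
WORDLIST = ["password1"]
GOOD = {
    "appliances": [{"name": "skm1", "static_ips": ["192.0.2.10", "192.0.2.11"]},
                   {"name": "skm2", "static_ips": ["192.0.2.20"]}],
    "libraries": [{"id": "ESL-A", "username": "esl_a", "password": "tape4lib9",
                   "partitioned": True, "policies": ["KT", "NE"]}],
}
BAD = {
    "appliances": [{"name": "skm1", "static_ips": ["192.0.2.300"]}],
    "libraries": [{"id": "EML-1", "username": "lib", "password": "4tapelib",
                   "partitioned": False, "policies": ["KT", "NE"]},
                  {"id": "EML-2", "username": "lib", "password": "password1",
                   "partitioned": True, "policies": ["KT", "XX"]}],
}

if __name__ == "__main__":
    for finding in validate_survey(BAD, WORDLIST):
        print(finding)
```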


SKM pre-installation checklists, for connecting to ETLAs

Prepare to install and use the SKM system by recording the following information. If any information is missing, it will delay or prevent complete installation and functioning of the SKM system.

Table 1 Security officer (SO) information

Name of SO

Phone number of SO

Will be available during SKM installation? (y/n)

Name of SO’s designee who will be present during installation

Phone number of designee

Table 2 Cluster design

Number of installation sites

Number of appliances to be installed

Location of site 1

Number of appliances to be installed at site 1

Location of site 2

Number of appliances to be installed at site 2

Location of site 3

Number of appliances to be installed at site 3


Table 3 ETLA Tape Library 1 device information

Library identifier (for example, asset # or location)

Library type (EML or ESL)

Advanced Secure Manager License is installed? (y/n)

IP address of the library

Library client user name

Client password defined? (y/n)

Library is partitioned, if appropriate? (y/n)

Library or Partition 1¹ key generation policy (KT, KP, or NE)

Partition 2¹ key generation policy

Partition 3¹ key generation policy

Partition 4¹ key generation policy

Partition 5¹ key generation policy

Partition 6¹ key generation policy

If EML, firmware version is 1222 or greater? (y/n)

If ESL, firmware version is 6.22 or greater? (y/n)

If EML, LTO4 drives are at version H36S or greater? (y/n)

If ESL, LTO4 drives are at version H36W or greater? (y/n)

IFC firmware is at version 5.9.3d or greater? (y/n)

IM firmware is at version I231 or greater? (y/n)

Command View TL software is at version 2.3.01 or greater? (y/n)

At least 1 piece of scratch LTO4 media is available? (y/n)

A backup application and operator are available for testing encryption and failover? (y/n)

¹ If the library is partitioned, assign a key generation policy to each partition.


Table 4 ETLA Tape Library 2 device information

Library identifier (for example, asset # or location)

Library type (EML or ESL)

Advanced Secure Manager License is installed? (y/n)

IP address of the library

Library client user name

Client password defined? (y/n)

Library is partitioned, if appropriate? (y/n)

Library or Partition 1¹ key generation policy (KT, KP, or NE)

Partition 2¹ key generation policy

Partition 3¹ key generation policy

Partition 4¹ key generation policy

Partition 5¹ key generation policy

Partition 6¹ key generation policy

If EML, firmware version is 1222 or greater? (y/n)

If ESL, firmware version is 6.22 or greater? (y/n)

If EML, LTO4 drives are at version H36S or greater? (y/n)

If ESL, LTO4 drives are at version H36W or greater? (y/n)

IFC firmware is at version 5.9.3d or greater? (y/n)

IM firmware is at version I231 or greater? (y/n)

Command View TL software is at version 2.3.01 or greater? (y/n)

At least 1 piece of scratch LTO4 media is available? (y/n)

A backup application and operator are available for testing encryption and failover? (y/n)

¹ If the library is partitioned, assign a key generation policy to each partition.


Table 5 ETLA Tape Library 3 device information

Library identifier (for example, asset # or location)

Library type (EML or ESL)

Advanced Secure Manager License is installed? (y/n)

IP address of the library

Library client user name

Client password defined? (y/n)

Library is partitioned, if appropriate? (y/n)

Library or Partition 1¹ key generation policy (KT, KP, or NE)

Partition 2¹ key generation policy

Partition 3¹ key generation policy

Partition 4¹ key generation policy

Partition 5¹ key generation policy

Partition 6¹ key generation policy

If EML, firmware version is 1222 or greater? (y/n)

If ESL, firmware version is 6.22 or greater? (y/n)

If EML, LTO4 drives are at version H36S or greater? (y/n)

If ESL, LTO4 drives are at version H36W or greater? (y/n)

IFC firmware is at version 5.9.3d or greater? (y/n)

IM firmware is at version I231 or greater? (y/n)

Command View TL software is at version 2.3.01 or greater? (y/n)

At least 1 piece of scratch LTO4 media is available? (y/n)

A backup application and operator are available for testing encryption and failover? (y/n)

¹ If the library is partitioned, assign a key generation policy to each partition.


Table 6 SKM data

Secure location is prepared?

Rack space has been identified?

Rack(s) is/are on the list of supported racks?

Rack(s) contain sufficient power outlets (2 per node)?

For appliance 1

Admin password defined?

Cluster password defined?

Local CA and Certificate information:

Certificate Authority (CA) name

CA common name

Server certificate name

Organization name

Locality name

State or province name

Country name


E-mail address of SO

Web interface port number for appliance 1

Fully qualified host name for appliance 1

For appliance 1, network port 1

IP address

Subnet mask

Default gateway

For appliance 1, network port 2 (optional)

IP address

Subnet mask (same as port 1 if blank)

Default gateway (same as port 1 if blank)

For appliance 2

Admin password defined?

Web interface port number

Fully qualified hostname

For appliance 2, network port 1

IP address

Subnet mask

Default gateway

For appliance 2, network port 2 (optional)

IP address

Subnet mask (same as port 1 if blank)

Default gateway (same as port 1 if blank)

For appliance 3 (optional)

Admin password defined?

Web interface port number

Fully qualified hostname

For appliance 3, network port 1

IP address

Subnet mask

Default gateway

For appliance 3, port 2 (optional)

IP address

Subnet mask (same as port 1 if blank)

Default gateway (same as port 1 if blank)


B About this guide

This guide provides information about:

• Installing an HP StorageWorks Secure Key Manager
• Configuring an HP StorageWorks Secure Key Manager
• Administering security keys

Intended audience

This guide is intended for system administrators with knowledge of:

• Basic computer system rack installation
• Data security administration
• Network configuration

Related documentation

The following documents and web sites provide related information:

• HP StorageWorks Command View TL getting started guide
• HP StorageWorks Secure Key Manager installation guide
• HP StorageWorks appliance information sheet

You can find these documents from the Manuals page of the HP Business Support Center website:

http://www.hp.com/support/manuals

Document conventions and symbols

Table 7 Document conventions

Convention | Element
Blue text: Table 7 | Cross-reference links and E-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text | Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text | Text emphasis
Monospace text | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text | Code variables; command variables
Monospace, bold text | Emphasized monospace text


WARNING! Indicates that failure to follow directions could result in bodily harm or death.

CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.

IMPORTANT: Provides clarifying information or specific instructions.

NOTE: Provides additional information.

Rack stability

Rack stability protects personnel and equipment.

WARNING! To reduce the risk of personal injury or damage to equipment:

• Extend leveling jacks to the floor.
• Ensure that the full weight of the rack rests on the leveling jacks.
• Install stabilizing feet on the rack.
• In multiple-rack installations, fasten racks together securely.
• Extend only one rack component at a time. Racks can become unstable if more than one component is extended.

HP technical support

For worldwide technical support information, see the HP support website:

http://www.hp.com/support

Before contacting HP, collect the following information:

• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Customer self repair

HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider. For North America, see the CSR website:

http://www.hp.com/go/selfrepair

Product warranties

For information about HP StorageWorks product warranties, see the warranty information website:

http://www.hp.com/go/storagewarranty

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:

http://www.hp.com/go/e-updates

After registering, you will receive E-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional information, see the following HP websites:

• http://www.hp.com
• http://www.hp.com/go/storage
• http://www.hp.com/support/manuals
• http://www.hp.com/support/downloads

Documentation feedback

HP welcomes your feedback.

To make comments and suggestions about product documentation, please send a message to [email protected]. All submissions become the property of HP.
