
KMS 2.0 Tape Drive Encryption


Contents

1. IEC501A M 01DA T13103 SL HSC6TAM9 GlAL IOP SR7196MG AL FILE84 TAPE MULT TMS008 IEC501A M 01DA T13103 SL HSC6TAM9 G1AL IOP SR7196MG AL FILE84 IOSO00I 01DA A7 10E 02 0600 HSC6TAM9 340 004910D050205451 2502FF30C00032B9 E3F1F3F1F0F30290 4104230007722011 UNSUPPORTED FORMAT OS O ERR 01DA NL HSC6TAM9 G1lAL IOP SR7196MG AL FILE84 TAPE IEC502E R O1DA NL HSC6TAM9 GIAL TMS014 IEC502E R O1DA NL HSC6TAM9 GLIAL TECSO1A M 01DA T13103 SL HSC6TAM9 GIAL IOP SR 196MG AL FILE84 TAPE MULT 6066 SLS1075D DISMOUNT OF T13103 FROM DRIVE O1DA ERROR ON TAPE IGNORE OR BJECT 1 5 SLS00991 DISMOUNT OF T13103 FROM DRIVE 01DA VOLUME AT 0020150231700 SLS0091 DISMOUNT OF FROM DRIVE O1DA COMPLETE 6067 SLS0088D MOUNT OF T13103 ON DRIVE 01DA INTERVENTION REQUIRED MOUNT OR IGNORE M I IOS000I 01DA A7 10E 02 0600 HSC6TAM9 562 004910D050205451 2502FF30C00032B9 E3F1F3F1F0F30290 4104230007722011 UNSUPPORTED FORMAT IEC514D DCK OR LBL ERR 01DA T13103 HSC6TAM9 CIAL IOP SR7 196MG AL FILE84 6068 IEC514D REPLY M UNLOAD OR A ABEND Note: FSC 32B9 indicates incompatible format; in other words, encrypted data cannot be read on a non-encrypted drive. KMS Symptom: None; this is not an encrypted drive. Recovery Steps: Reply I(gnore) or E(ject) to message SLS1075D. Either will dismount tape. Reply M(ount) or I gn
2. [Figure: sample configuration; labels: SL8500 Library, T10000 Encryption Drives, LTO Drives, Name SL85006, Seattle Site, Secondary Site, L700 Library, T10000 Non-Encryption Drives] In the above example, Company XYZ manages data storage sites in 4 locations. Their primary site is located in Dallas, and this is where two of the six total KMAs reside. Another set of two KMAs is installed in Atlanta, which is used as a disaster recovery site for Dallas. The final set of KMAs is in Chicago. The KMS cluster consists of 6 total KMAs; drives from each respective site will pull keys from the KMAs at the site on the service network (dashed lines in red from KMS to drives). The KMS Software Manager GUI session administers the cluster on the management network (solid lines in grey between sites); the updates are propagated to all KMAs. The GUI can reside on any selected customer workstation or server anywhere in the management network. It is recommended that Company XYZ store a backup of the KMS database at a remote site or in a vault. Encrypted T10000 drives are located at three Company XYZ sites. In the Dallas site there are also non-encrypted T10000 drives, which are located in a separate library. Of the libraries that contain encrypted T10000 drives, some also contain a mix of other drive types. Per the recommended configuration, all T10000 encryption drives that share a library may also share a key group. Following this recommendation, Company XYZ would begin their encrypt
3. 7. Enable Drives for Encryption. This is accomplished via the VOP application. a. The Customer Service Engineer will supply the PC Key License Key and crypto serial number (CSN) for each tape drive to the customer. This information can be obtained from the Sun Licensing Center. The information is supplied to the drive via the VOP application to enable encryption activity on the drive. The PC Key is used in 2.0; it is referred to as encryption enablement to the drive. b. The customer will then define the device to the KMS as an encrypting agent. Note: To accommodate drive replacement, we suggest naming the device with a unique characteristic, e.g. drive serial number or date. This name will show up in 2 places: on the drive as the Agent ID and in the KMS database as the Agent ID. Note: Use the description field for other miscellaneous information pertinent to the site. c. Successful enrollment of the drive is indicated by a solid AMBER Encryption LED on the drive, and in the KMS database the drive has an Enrolled True condition. The drive must be given a default key group from which encryption processing keys are obtained. Other key groups can be assigned to the drive for read purposes. A more in-depth discussion on key management can be found in the KMS 2.0 StorageTek Crypto Key Management Solutions Management Practices white paper. a. Whenever the drive is actively encrypting or decrypting, the Encryption LED will be RED. This can be seen
4. T10000a Enc 3590 1 37 114 5 00 StorageTek 531002001128 Ficon Drive Configuration World Wide Name Node Port A World Wide Name Port A Enabled Port A Loop ID Port A Speed GB Port A Link status Port B World Wide Name Port B Enabled Port B Loop ID Port B Speed GB Port B Link status 50 01 04 10 00 78 d1 00 50 01 04 10 00 78 d1 01 auto 2 GBIT Initialized 50 01 04 10 00 78 d1 02 auto N A Uninitialized Sun 9 Comm Status UserlD service Library 10 80 39 105 Page 24 Sun Microsystems Inc 4150 Network Circle Santa Clara CA 95054 USA Phone 1 650 960 1300 or 1 800 555 9SUN Web sun com SUN tHe NETWORK IS THE COMPUTER 2006 Sun Microsystems Inc All rights reserved Sun Sun Microsystems and the Sun logo StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems Inc in the United States and other countries Non Encrypted drive as determined from Drive Type field fi streamline Library Console miax Tools Help System Detail Apply Refresh 9 Drive Folder 1 0 0 0 0 Drive Drive 1 1 1 1 4 Dive 1 214 Drive 1 1 2 1 3 Drive 31 214 Drive 1 1 1 1 2 Drive 1 1 1 1 4 Drive 1 1 2 1 1 Drive 1 1 2 1 3 Drive 1 2 1 1 3 9 Drive 1 2 1 1 4 Drive 1 2 2 1 1 Drive 1 2 2 1 3 Drive 1 2 1 1 1 9 Drive 1 2 1 1 2 Drive 1 2 2 1 2 Status Properties General Drive
5. I C205I CREATE HSC6TSTW G1AL FILESEQ 1 COMPLETE VOLUME LIST 220 N IOP SR7196MG AL FILE1 TAPETST ZIPD VOLS SL8020 TOTALBLOCKS 36572 EF234E K 01E3 SL8020 PVT HSC6TSTW GIAL v EH Recovery Steps: None; the volser is seamlessly re-labeled and the label is now encrypted. Scenario 7: Drive replacement. In the event a drive needs replacement, additional coordination is required between the Customer Service Engineer and the customer to enable encryption. The steps are a subset of those described in the Installation Maintenance section of this document. 1. The Customer Service Engineer will install the drives in the library and must configure to 3592 emulation using a FICON interface via the T10000 Virtual Operator Panel (VOP). An IP address might also be assigned at this time. 2. The Customer Service Engineer will supply the crypto serial number (CSN) for each tape drive to the customer. This information can be obtained from the Sun Licensing Center. 3. The customer will first enter the new drive as an agent in the KMS system, assigning agent ID, passphrase, key groups and default key group as appropriate. 4. The customer or CSE will then enroll the new drive as an encrypting drive via VOP, providing the new agent ID, passphrase and KMA IP address. 5. Success is indicated by a solid AMBER Encryption LED on the drive and su
6. Change History. Document owner: Rick Schworm and Mikal Green, Systems Integration Engineers. Organization: Sun StorageTek Test Engineering, Mainframe Customer Emulation & Test. 02/06/2007, RAS/MWG: Initial Draft Completed. 06/13/2008, RAS/MWG: Updates; incorporate comments from initial review and add VSM attach section. Introduction: The purpose of this document is to present solutions which allow for mixed encryption environment implementations using Sun's Key Management System (KMS) 2.0. Mixed encryption environments are defined as a library configuration that contains both encrypted and non-encrypted drives. Currently both T10000 and 9840D drives offer encryption capability. Mixtures of drive families, along with the mixture of encrypted and non-encrypted drives, are supported. This document is not intended to be a step-by-step guide, but rather serves to highlight the issues and obstacles involved in a typical mixed drive configuration and present recommended best practices for over
7. icrosystems StorageTek Tape Drive Encryption Solutions Best Practices June 2008 Revision 3 1 icrosystems Copyright 2008 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A All rights reserved Sun Microsystems Inc has intellectual property rights relating to technology embodied in the product that is described in this document In particular and without limitation these intellectual property rights may include one or more of the U S patents listed at http www sun com patents and one or more additional patents or pending patent applications in the U S and in other countries THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS INC USE DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN MICROSYSTEMS INC Use is subject to license terms This distribution may include materials developed by third parties This distribution may include materials developed by third parties Parts of the product may be derived from Berkeley BSD systems licensed from the University of California UNIX is a registered trademark in the U S and in other countries exclusively licensed through X Open Company Ladson Sun Microsystems the Sun logo Solaris Sun StorageTek Crypto Key Management Station StorageTek and StorageTek are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries Products covered b
8. 01E6 NL HSC6TST6 KIREAD IOP SR 196MG AL FILE 6 TAPE MULT Z HC S02 T LIP NL HSC6TST6 KIREAD IEC501A M 01F6 T13103 SL HSC6TST6 KIREAD IOP SR 196MG AL FILE 6 TAPE MULT ZIPO SLS1075D DISMOUNT OF T13103 FROM DRIVE O1F6 ERROR ON TAPE IGNORE OR EJECT I E SLS0088D MOUNT OF T13103 ON DRIVE 01F6 INTERVENTION REQUIRED MOUNT OR GNORE M I Note: FSC 32D0 indicates the key is missing in order to read the encrypted tape. Only reply YES to IGF5001 message if you know that the TO device has access to keys on tape during the BLP tape processing. KMS Symptom: [Screenshot: KMS Manager, Audit Event List panel]
9. 1 and later via the application of PTFs. Library microcode updates are required, along with the microcode update of any non-encrypting drive. Specifics are located in Prerequisites. Sample Configuration: [Figure: Simplified Encryption Implementation Using Encrypted T10000 Drives; labels: T10000 Encryption Drives, Replication Across Cluster, KMA Cluster, KMS Manager GUI, Tape Library] Sample Configuration Overview. Administer all Sun Tape Encryption for an entire organization with a KMS cluster: This provides a redundant management system that is capable of spanning across multiple site locations and enables encrypted data to be more readily shared within the organization. An active KMS cluster is kept current with live updates between all KMAs within the customer organization. All drives in an organization should have access to the same encryption key groups: All T10000A tape drives (agents) in an organization should have access to all key group encryption keys. All drives in the same library should share default access to the same key group: All T10000A Encryption tape drives that reside in the same library have the same default key group. This is important so that allocation of encrypted drives within the library is simply determined by encryption or non-encryption status. Benefits of the Configuration. Key protection: Key protection is an important consideration. Losing keys is equival
10. DRIVES command demonstrating the difference between encrypted and non-encrypted drives: SLS4633I DISPLAY DRIVES COMMAND DRIVE LOCATION VOLSER STATUS MODEL MEDIA 01B0 00 02 01 04 TTK031 DISMOUNT T1A35 TIALL onie 00 9 0 3Lg 03Lg 3L3L ic ONDES MOUN TERASS TIALL 01B2 00 00 01 06 T12840 ON DRIVE T1AE35 TIALL OMS 0001 01 00 W3 2 55 0 NINO RIVA ES TIALL GEN 00302 0100 TL25 ON DRIVIT LAE SS TIALL O1B5 00 03 01 13 T12841 ON DRIVE TlAES35 TIALL Note: Drives 1B0-1B1 are non-encrypted. Drives 1B2-1B5 are encrypted. A DISPLAY VOLUME DETAIL command demonstrating the difference between encrypted and non-encrypted tapes: Note: The ENCRYPTED field is only displayed for encryption-capable volumes and only in response to a DISPLAY VOLUME DETAIL command. It is only updated when the volume is dismounted after being used for a scratch request. It can contain two values, UNKNOWN and YES. UNKNOWN is the initial status upon the volume's entry into the library. YES indicates the volume has been written to on an encrypted drive.
11. [Screenshot: KMS Manager Audit Event List and audit event detail for External Tag T13103. Operation: Retrieve Data Unit Keys; Severity: error; Condition: Agent Key Group access denied; Created Date: 3/28/2008 1:56:13 PM; Entity ID: 1F6; also shown: Add Entity to Key Group] Note: Each time the drive attempts to read the tape and the key is not available, another audit event will be generated. Recovery Steps for BL processing: Reply NO to message
12. [Screenshot: Streamline Library Console drive Properties. Drive Type: T10000a 3590; Code Version: 1 37 114 5 00; Vendor: StorageTek; Serial Number: 531002000772; Interface Type: Ficon; Port A Speed: 2 GBIT; Port A Link status: Initialized; Port B Link status: Uninitialized; UserID: service; Library: 10.80.39.105] Note: When a drive is initially installed, it is non-encrypted by default. Only when you enable encryption via the VOP application does it identify itself as an encrypted device. Only then can the library indicate to HSC the drive is encrypted. HSC does not poll the drive status. Rather, it is queried by four main events: HSC initialization, ACS Vary processing, LSM Vary processing, and MODIFY CONFIG processing. VOP perspective: Drive displays demonstrating an encrypted drive. General VOP display: [Screenshot: T10000 Virtual Operator Panel; menus: File, Drive Operations, Retrieve, Configure, Diagnostics, Help; Drive IP 10.80.39.17]
13. a two KMA cluster servicing multiple automated tape libraries. The Sun Encryption Solution: The Sun Tape Encryption Solution is a device-based encryption implementation. Data remains encrypted at rest. Initial offerings will support the enrollment of several tape drive models capable of acting as encryption agents in this solution. Key management is performed outside the data path. [Figure 1: Sun's Encryption Solution; labels: Crypto Key Management System, Ethernet switches and APC UPS unit are rack mounted in library, KMS Software Manager GUI, Automated Tape Library Populated with Encryption Capable Drives (Encryption Agents), Ethernet Services Network] Encryption Components. Key Management Appliance (KMA): A secure, dedicated appliance for creating, managing and storing encryption keys. It delivers policy-based lifecycle key management and ensures the security and authenticity of the encryption solution. a. The KMA is a Sun x2100M2 server hardware with a Sun SCA6000 security card OS KMS Cluster A K
14. [Figure: recommended services network; labels: T10000 Tape Drives, Ethernet Switch, SL8500 Library, L700 Library] The example illustrated above right shows a simple recommended network for an environment. The first step in protecting the network is to connect the KMAs to separate switches on the services network. Any KMA can provide full functionality for any drive enrolled in the cluster. If a component failure is experienced on a KMA or on the switch to which a KMA is connected, the second KMA in the cluster will service available drives and encrypted operations will continue unaffected. Ethernet switches that are directly connected to KMAs are referred to as fan-out switches. The next step in protecting the network is to distribute encrypting tape drives evenly across all available switches, including available ports on fan-out switches. This serves to reduce the impact of a component failure at the switch level by rendering only the drives directly connected to the failed switch temporarily inoperable. The final step is to utilize redundant cabling methods. A good rule of thumb is that any switch that is not directly connected to a KMA should have connections to two switches that are. This ensures that a single failure of a KMA or a switch will not impact the ability of the encryption solution to continue processing data. Additionally, uninterrupted power supplies can be used to protect swit
15. physically on the drive and in the VOP application when connected to the drive. b. The keys are obtained from the KMS cluster when the write or read operation occurs on the data unit. Note: If a drive loses power, the keys will be lost on the drive, but the keys will remain in the KMS database in the KMS cluster. 8. Cause NCS to recognize encryption is enabled. At this point both VOP and SL8500 show encrypted drives, but the HSC does not. You need to issue an HSC VARY ACS, MODIFY LSM or MODIFY CONFIG command for HSC to obtain the encrypted status of a drive. MODIFY LSM is recommended because it will cause all HSCs in the complex to become aware of a drive's new characteristics. Note: An HSC VARY or MODIFY will also be necessary should a drive be replaced. Verify your drive model numbers via the DISPLAY DRIVE command before proceeding. Chapter 4: Native Attach Recommendations. Overview: To reiterate, NCS management of a mixed encryption solution is analogous to the management of a mixed 9940B and 9940A environment, with 9940B equivalent to encrypted and 9940A equivalent to non-encrypted. T10000A Documentation excerpts: This chapter contains examples which depict a T10000A encryption implementation. The same concepts can be used for 9840D. To aid in understanding the remainder of this chapter, there are now 4 new T10000A models (rectechs) available: two for native attach and two for VSM. nee MODE Drive Description Displa
16. 35 STK2 012C 00 00 01 12 M04111 ON DRIVE T9840D SKIL 012D 00 00 01 00 M04109 ON DRIVE T9840D STK1 91289 00809801 8135 OFFLINE TOGLODIS STKL iz 00303301303 OFFLINE TOSCODSS SLI Note: Drives 128-129 are encrypted RTDs and 12C-12D are non-encrypted. VTCS perspective: A VTCS Display MVC command: SLS66031 MVC M04150 INFORMATION 756 VOLSER M04150 MEDIA STK1RDE ANG SHED 00 SIZE MB 75000 MIGRATED COUNT 207 VIV COUNT 207 SUSED 98 06 SFRAGMENTED 0 00 SAVAILABLE 1 94 SUSABLE 0 00 TIMES MOUNTED 443 LAST MOUNTED 2008MAY20 05 37 43 LAST MIGRATION 2008MAY20 04 41 42 LAST DRAIN RECLAIM 2008MAY19 15 45 16 OWNER MESSU MVCPOOL DEFAULTPOOL SECURIEINAACCHSSE NO PROFILE STATUS 3 INITIALIZED MARKED FULL Note: MEDIA STK1RDE indicates volume is intended for use on an encrypted drive. A VTCS Display CONFIG command demonstrating the difference between encrypted and non-encrypted drives: SLS6
17. 6031 CONFIGURATION INFORMATION 448 MAXVTV MVCFREE VTVATTR RECALWER REPLICAT VTVPAGE SYNCHR 32000 1 ALLMOUNT YES ALWAYS STANDARD NO Gi Ing MAXRTDS FASTMIGR 16 NO CDS LEVEL SUPPORTS W5 S i WE W6 1 V9 2 RECLAIM THRESHOLD MAX MVC START CONMVC 40 40 35 3 AUTO MIGR THR MIGR TASKS DEFAULT VSM 2GB PAGE VTSSNAME LOW HIGH MIN MAX ACS MODEL 4GB SIZE VISSS 70 80 6 6 Ig 3 YE ARGE VTSSU 70 80 6 6 WIE 4 YE ARGE DEVNO RTD TYPE ACS RETAIN VTSSNAME RTD NAME CHANIF 0120 STK1RC34 00 Il VTSSS 0120840C 00 OA 031211 STK1RC34 00 Il VTSSS OIZIRAUE Ol CE 0126 STK2PB34 00 1 VTSSS 0126940B 04 1A 03 27 STK2PB34 00 IL VISSS 012794083 05 Ja 0128 STKIRDE 00 il VTSSS QUOD 02 t VTSSU 0128840D 05 OL 029 STK1RDE4 00 Il VTSSS 0129840D 03 OM VTSSU OLAX IO OS I OIL ZE STK1RD34 00 Il VTSSS OLZES40OD O6 It VTSSU 012C840D 04 OK 01210 STK1RD34 00 Il VISSS 012D840D 07 1M VTSSU 012D840D 08 LK 01BC T1AE34 00 Il VTSSU O01BOT10K 00 OE 01BD T1AE34 00 1 MESSU ORES 02 0G 01BE T1A34 00 Il VISSU O1B6T1OK 06 lE O1BF T1A34 00 Il VTSSU QUI aO y 1G 0228 STK1RD34 00 Il VTSSU 0228840D 01 OF 022 STK1RD34 00 Il VTSSU 0229840D 03 OH Page 39 SL8500 perspective e Drive display demonstrating an encrypted VSM attached drive Note the Drive Type field Streamline Library Console 28x Tools Help System Det
18. 9 06 Empty Wi Offline Wiclean Boump Connection In Progress ape Cartri 23 AM Mar 28 2008 Connection to 10 80 39 06 23 AM Mar 28 2008 Tape drive is OFF LINE 23 AM Mar 28 2008 Set OFF LINE Operation Started 23 AM Mar 28 2008 Start Update Drive Parameters 24 AM Mar 28 2008 Enrolling 531 1001231 25B in KMS 010 080 039 185 24 AM Mar 28 2008 KMS2 0 msgH 514 AaUDIT CLIENT LOAD PROFILE CREATE PROFILE CONFIG SUCCEEDED 24 AM Mar 28 2008 KMS2 0 msgH 516 AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS 24 AM Mar 28 2008 KMS2 0 msgH 517 AUDIT CLIENT GET CERTIFICATE SUCCESS 24 AM Mar 28 2008 KMS2 0 msgH 515 aUDIT CLIENT SAVE CLUSTER INFORMATION SUCCEEDED 24 AM Mar 28 2008 Successfully enrolled 24 AM Mar 28 2008 10 80 39 06 commit SUCCESS Configuration data saved 19 15 a LS 19 Lo ve 15 15 15 KMS perspective e Drives in Agent List panel KMS Manager System View Help Connect Disconnect Help Secure Informatic 4 Agent List i Key Policy Lis El Key Groups iL Key Grou Filter agent ID a da show Agents in any Key Group El Agents NIE Results in page 13 last page Key Grou AgentID Description A site Default Key Group Enabled Failed Login Attempts Enrolled Er Transfer Part STONE NM rate XM E SEE gos A Te rss LT NN i Transfer 1E3 Native 1E3 sl85005 1yr group True 0 True Key Grou 1E4 Native 1E4
19. COWINLs 00000333 MEDIA TYPE T10000T1 REC a Cirle T1AE35 MEDIA LABEL READABLE MEDIA MATCH MES DENS TEYE T1A000T1 ENCRMETEDE YES Note: The ENCRYPTED field is YES. After a volume has been mounted as scratch on an encrypting drive, a specific mount for that volume will always be directed to an encrypting drive and CANNOT be overridden by a VOLATTR. If the volume's encrypted status is unknown or non-encrypted, the VOLATTR recording technique is always honored. When a volume is mounted as scratch, the VOLATTR is always honored. SL8500 perspective: Drive display demonstrating the difference between encrypted and non-encrypted drives. Encrypted drive, as determined from Drive Type field: [Screenshot: Streamline Library Console, System Detail, drive folder tree and drive Properties panel (General: Drive Type, Code Version, Vendor, Serial Number, Interface Type)]
20. D drives; STK1RDE: all 9840D encrypted drives; STK1RDN: all 9840D non-encrypted drives; STK1RD34: 9840D non-encrypted 3490 drive; STK1RD35: 9840D non-encrypted 3590 drive; STK1RDE4: 9840D encrypted 3490 drive; STK1RDE5: 9840D encrypted 3590 drive. STORCLAS media: STK1RD: 9840D non-encrypted media; STK1RDE: 9840D encrypted media. Media Management Strategy: A good media management strategy is a key piece to a successful mixed encryption solution. The segregation of non-encrypted and encrypted volumes via VOLATTR statements is highly recommended. Media: The 9840D utilizes the same media as previous 9840 drives; however, a new cleaning cartridge has been introduced. MEDIA values: STK1R: data cartridge; STK1Y: new cleaning cartridge unique to 9840D. Recording Technique: Although the media is physically identical, they are logically differentiated because of the recording technique used when writing to the media. The following recording techniques apply to a VSM attached 9840D: Non-encrypted: STK1RDN or STK1RD34. Encrypted: STK1RDE or STK1RDE4. Where a reco
21. IFG5001 to dismount tape and end application job. Assign drive to correct key group. Research must be done in the KMS using the GUI to ascertain what tape volume (data unit) was mounted, which key is being requested, and which key group that key resides in. Resubmit application job. Recovery Steps for SL processing: Reply I(gnore) to message SLS1075D to dismount tape. Assign drive to correct key group. Research must be done in the KMS using the GUI to ascertain what tape volume (data unit) was mounted, which key is being requested, and which key group that key resides in. Reply M(ount) to message SLS0088D. Scenario 2: Key has been destroyed, thus label is not read. This scenario might be encountered after key management work has been done. Host Symptom: iC M O15 TL SL20 Sin COMP HSCOTALA T amp TL TEZA 818 IOP SIRT SOOIRS a PD KL TOS000T 0135 0838 106 02 0600 HSCOTAL4A 265 004910D050205451 2502FF30C00032D5 E3F1F3F1F2F00290 4104230003772011 UNSUPPORTED FORMAT Bc 51 2 Jg HR 01035 NL T13120 SL HSCOTA14 K1TAPE
22. IOP SR7390RS PD K1 DACHOAEN i OMB Sy ERIZOS COME PHS COMME dE TES S0 3E 5 SES 7 S OORS 11D kal 1501 IEC704A REPLY VOLSER OWNER INFORMATION M OR U R 51 EC7051 TAPE ON 0195 3E SL20 Sih COMP WSCOAWAIL4 IENE LOR SIRT SOGIRS a REED Note: FSC 32D5 indicates the key has been destroyed. KMS Symptom: [Screenshot: KMS Manager audit event detail. Class: Data Unit Agent Operations; Retention Term: Medium Term; Operation: Retrieve Data Unit Keys; Condition: Data Unit Key is destroyed; Created Date: 3/26/2008 5:46:22 AM; Entity ID: 1B5; Entity Network Address: 10.80.39.31; External Tag: T13120] Recovery Steps: Allow rewrite of label to occur. Scenario 3: Encrypted tape is mounted on a non-encrypted drive for file append or read. This scenario might be encountered if a specific unit is requested for an encrypted tape. Host Symptom
23. KMS will create a key from the default key group and assign the key to the data unit. Key group mapped to key policy: [Screenshot: KMS Manager Key Group list. Rows: 1yr group, 1 year group, 1yr policy; 2yr group, 2year group, 2yr policy; CAP alpha import, imported keys; import keys, From 1.x system, imported keys] Note: The key group has a policy for encryption process period, crypto period, export and import status. Any particular key resides in one group only. Key policies, which were in turn assigned to key group(s): [Screenshot: KMS Manager Key Policy list. Rows: 1yr policy, 1 year encrypt policy, AES 256, 1 Year, Years, True, True; 2yr policy, Extended encryption, AES 256, 2 Years, 7 Years, True, False; imported keys, From 1.x system, AES 256, 1 Second, 6 Years, True, True] Key for a particular dat
24. [Screenshot: T10000 Virtual Operator Panel status indicators and log for drive 10.80.39.17. Log entries at 12:37 PM Mar 27 2008: VOP LOGGED IN to Drive; Tape drive is ON LINE; Tape Cartridge is UNLOADED] Note: When a drive is initially installed, it is non-encrypted by default. Only when you enable encryption via the VOP application does the Media indicator appear. It then displays identically to the Encryption LED on the drive itself. Agent ID must match the KMS Agent ID. [Screenshot: KMS Manager Agent List. Columns: Agent ID, Description, Site, Default Key Group, Enabled, Failed Login Attempts, Enrolled. Row: 531 1001231 25B, 931042 drive 258, sl85005, 1yr group, True, 0, True]
25. MAs and the production KMAs in synch. This allows tapes to be freely moved between sites. Where this is not possible, key transfer partners can be configured. When tapes are moved, a key transfer file must be generated containing the proper set of keys for the tapes. See the StorageTek Crypto Key Management Solution Management Practice, Chapter 5, for details of setting up and using transfer partners. If drives and KMAs are shared among multiple companies in a shared resource center, key management is more challenging. The tape drives are unaware of which customer is currently using them, so it is impossible to configure the drives and KMS to restrict access to keys based on the usage of the drives. Other functionality, such as RACF or Top Secret, should be used to control access to tapes. Because the KMAs in this scenario are shared among multiple customers, it is not possible to configure the shared site KMAs into a production cluster. A KMA can only belong to one cluster at a time. Disaster Recovery Sites: Another common use of shared resource sites is for Disaster Recovery. In this usage, a customer will only use the drives, libraries and other resources of the shared resource site for short periods of time, either to do a DR test or to actually recover from a disaster. It is assumed that tape drives, libraries and servers will be assigned to a specific user of the shared resource site only during a DR test or disaster recovery. The speci
26. The restore requires a quorum of the key split credential members in effect when the core security backup (not the normal backup) was performed. Restore operations take about 20 minutes per 100,000 keys. Once the restore is completed, the drive must be enrolled and configured on the provided servers or LPARs. Now tape IO can begin.
27. a unit. List of data units: [KMS Manager screenshot: Data Unit List, with columns Data Unit ID, External Unique ID, Description, External Tag, Created Date] Details for data unit volser: [KMS Manager screenshot: Data Unit Details, Key List tab, with columns Key ID, Key Type, Created Date, Activation Date; the listed key is of type AES 256] Note: The actual key is never observed; however, the keyid is viewable. Note: The keyid cannot change because it is tied
28. [Library console screenshot: drive folder tree and the Properties display for one drive, showing Drive Type Stk9840d Enc, Vendor StorageTek, Interface Type Escon, and the Drive Configuration port fields] Note: When a drive is initially installed, it is non-encrypted by default. Only when you enable encryption does it identify itself as an encrypted device. Only then can the library indicate to HSC that the drive is encrypted. HSC does not poll the drive status. Rather, it is queried by four main events: HSC initialization, ACS Vary processing, LSM Vary processing, and MODIFY CONFIG processing.
29. and MVCs MVC500 MVC999 as encrypted volumes, create the following VOLATTR statements:
    VOLATTR SERIAL MVC000 MVC499 MEDIA STK1R RECTECH STK1RD34
    VOLATTR SERIAL MVC500 MVC999 MEDIA STK1R RECTECH STK1RDE4
MVCPOOL Control Statement: If implemented, encrypted and non-encrypted drives should not share media from the same pool. These are defined by SCRPOOL statements as follows:
    MVCPOOL NAME T9840D RANGE VOL000 VOL499 non encrypted only
    MVCPOOL NAME T9840DE RANGE VOL500 VOL599 encrypted only
Drive Management Strategy: The MEDIA parameter of the STORCLAS control statement can be used to direct migration to classes of drives. STORCLAS Control Statement: The following MEDIA values defined within the MGMT class are required to utilize 9840 media:
    STOR NAME nnnn MEDIA STK1RD 9840D non encrypted
    STOR NAME nnnn MEDIA STK1RDE 9840D encrypted
Control Statement Interaction: This example demonstrates the flow of TAPEREQ, MGMTCLAS and STORCLAS control statements which direct migration to encrypted drives:
    TAPEREQ JOB jobname MGMTCLAS ENCRYPT
    MGMTCLAS NAME ENCRYPT STORCLAS S1
    STORCLAS NAME 4 MEDIA STK1RDE
30. ated secured network in recommended configurations. Encryption keys are never in the clear, even during delivery over a secured network. Administration of the encryption solution is performed via the KMS manager GUI, which can be installed on workstations or management servers. Separation of roles and responsibilities is customized to meet the needs of the organization, and a quorum is created to govern critical operations such as adding a new KMA to the cluster. Key policies, key groups and agent assignments are defined through the manager GUI and enable the automated management of encryption keys throughout the lifecycle of the data being encrypted. When a tape cartridge is mounted, the encryption agent requests the appropriate encryption keys from the KMS cluster. Any KMA in the cluster is capable of providing all necessary functions to any drive enrolled in the cluster. Keys are transferred to the encryption agent and are used for writing and reading the data. A different write key is issued for each tape. The KMA database keeps track of all keys used on a tape and supplies the keys automatically when the tape is mounted. The expiration period of an encryption key depends on policy-based settings that were defined through the KMS manager GUI. When a tape is loaded in an encrypted drive after the key's encryption period has expired, a new encryption key is generated and issued. The illustration below depicts a logical sample environment that consists of
31. ative Attach Recommendations; Chapter 5 VSM Attach Recommendations; 9840D Documentation; Media Management; Special VTCS Considerations for 9840D Media; Drive Management; Encryption Error Scenarios and Recovery; Scenario 1: Drive does not contain necessary key to read an encrypted tape; ot have key to read an encrypted MVC
32. cates the ENCRYPTED status is not displayed in response to a DISPLAY VOLUME DETAIL command; therefore the volume is NOT encrypted. • ENCRYPTED UNKNOWN is the initial status of newly entered volumes. Note: Unless overridden by RECTECH, the default is for a volume to be encrypted. • ENCRYPTED YES indicates the volume has been, or is destined to be, encrypted. • RECTECH T1A is a combination recording technique and indicates the volume may be used on either an encrypted or unencrypted drive. This is NOT a recommended best practice, but may be encountered by customers with existing T10000A devices. Specific mount request (one row per VOLATTR value; columns are ENCRYPT INVISIBLE / ENCRYPT UNKNOWN / ENCRYPT YES): RECTECH T1A: T1A35 & T1AE35 / T1AE35 / T1AE35. RECTECH T1A35: T1A35 / T1A35 / T1AE35. RECTECH T1AE35: T1AE35 / T1AE35 / T1AE35. Note: The encrypted status takes precedence over the recording technique for specific mounts. Note: While a RECTECH T1A35 and ENCRYPT YES seems illogical, this situation would only be encountered when the RECTECH of the tape has been changed after the tape was used on an encrypted device. Scratch mount request: When a volume is mounted as scratch, the existing encrypted status is ignored and only the VOLATTR is honored. Examples: This section supplies screen shots of the mixed encryption solution implemented in the Mainframe Customer Emulation and Test lab, together with notes identifying pertinent information. NCS perspective: • A DISPLAY
33. ccessful enrollment of agent in the KMS. 6. The customer will verify NCS still identifies drive as T1AE35 via a DISPLAY DRIVES ALL DETAIL command. Scenario 8: VSM RTD does not have key to read an encrypted MVC. In the event a MVC is mounted on a RTD that either has missing keys or invalid keys, it cannot read the encrypted data on the media. This is the VSM-attached version of scenario 2 above. Host Symptom: IEC501A M 2F16 vtvid BLP COMP jobname stepname < mount request from job TEACS O MMEM OTEA Lis DGSE VIESS2E SNSRDRE < mount request VTCS RECALL SLS6643I MVC mvcid MOUNTED ON DRIVE O1E2TKOE SLS6684I RTD OIEATKOE ON VTSS VTSS27 RETURNED ECAM ERROR CC 5 RC 108 SLS6625E RTD O1LEATKOE REPORTED 3480XF2 INCOMPAT 0041205C0000132400E0E3F1F3F0F6F440400032D0000000CE0E372002180000 SLS6605I INITIATING SWAP OF MVC T13064 FROM RTD 01EATKOE Note: FSC 32D0 indicates the media key is missing in order to read the encrypted tape. Not
34. cenarios document the external manifestations of poor key management. To recover, it is important to understand how not having the required key when recalling data is presented at the host. This is done by examining the Fault Symptom Code (FSC) in the sense information presented by the drive. The FSC definitions can be obtained via the VOP. Once the error has been determined, recovery steps are suggested. Scenario 1: Drive does not contain necessary key to read an encrypted tape. This scenario might be encountered if a key is assigned to a key group that the drive being used was not allowed to access. Disaster recovery situations will encounter this when the proper key groups are not assigned to the drive. • Host Symptom. Bypass Label Processing: IEC501A M O1F6 T13103 BLP COMP HSC6GENR STEP1 SYS08088 T135456 R A000 HSC6GENR R06 IOS000I 01F6 B6 1I0E 06 0600 T13103 HSC6GENR 963 004910D050205451 2506FF30C00032D0 E3F1F3F1F0F30290 4104230012422011 UNSUPPORT FORMAT IGF500I SWAP 01F6 TO 0124 I O ERROR EF196 GF500I SWAP 01F6 TO 0124 I O ERROR 3580 IGF500D REPLY YES DEVICE OR NO Standard Label Processing: IEC501A M O0TF6 T13103 SL HSC6TST6 K1READ IOP SR7196MG AL FILE76 TAPE MULT ZIPO TO ODOT 011 55 165 10 027 0600 5 HS8CG z9q6 448 004910D050205451 2502FF30C00032DO E3F1F3F1F0F30290 4104230012422011 UNSUPPORTED FORMAT 0512 ERR
35. ches and KMA components from loss of power interruptions. For customers who place a top priority on redundancy, there are some additional configuration changes that will help further mitigate the potential for interrupted operations due to component failure. These include the addition of a third KMA to the local KMS cluster and extra switches on the services network to reduce the number of drives that would be impacted by a switch component failure. An additional KMA in the local cluster adds security in the event that a component failure forces one KMA to be unavailable for an extended period of time. The remaining KMAs can continue to function as a cluster while managing the encryption solutions. Load balancing, replication and protection of new keys are achieved. Multi Site Network: A single KMS cluster can administer key management functions for encrypting tape drives spread across many site locations. The diagram below provides an example of a configuration that includes encrypting tape drives at two separate locations. It is important to note that while all four KMAs in this example are clustered together and replicate changes across the cluster, it is still highly recommended to have a local cluster of at least two KMAs at each site. This provides path redundancy and load balancing abilities for the drives at that site. [Diagram: Multi Site Network]
36. coming them. It describes an encryption solution using the enterprise encryption system known as KMS 2.0. There are substantial differences between Ultra 1.x and KMS 2.0, and the best practices discussed in this paper reflect those changes in detail. To summarize, the Ultra 1.x solution delivered keys on a drive basis via a Token, while KMS 2.0 delivers keys on a volume basis via a KMA appliance. The information presented in this document is supported by testing initiatives that were conducted in Sun's Mainframe Customer Emulation Test Lab. Audience: This documentation is intended for Sun employees, field personnel, partners and customers who are interested in learning more about the Sun StorageTek encryption solution. The intended audience is those who are already familiar with the information contained within the systems assurance and installation guide. Related Publications: Key Management System KMS 2.0 Installation and Service Manual; Key Management System KMS 2.0 Administration Guide; Key Management System KMS 2.0 Systems Assurance Guide; StorageTek Crypto Key Management Solution Version 2.0 Management Practices Whitepaper; Key Management System KMS 2.0 Open Systems Implementation Whitepaper; NearLine Control Solution T10000 Support Documentation Update; NearLine Control Solution 9840D Support Documentation Update; Storage Management Component SMC MVS software Config and Admin Guide; Sun StorageTek Virtual Tape Control System VTCS A
37. directly to the actual key. The keyid is encrypted on the tape, and no 2 data units can ever have the same keyid. Chapter 5: VSM Attach Recommendations. Overview: To reiterate, VTCS management of a mixed encryption solution is analogous to the management of a mixed 9940B and 9940A environment, with 9940B equivalent to encrypted and 9940A equivalent to non-encrypted. It is strongly recommended that all volumes be defined specifically. It is possible to direct migration to encrypted drives via the MEDIA and/or MVCPOOL parameters of the STORCLAS statement. This chapter contains examples which depict a 9840D encryption implementation. The same concepts can be used for T10000A. 9840D Documentation excerpts: To aid in understanding the remainder of this document, the following table identifies the new Model and RECTECH values (HSC Model Displayed / Drive Description / Recommended HSC Rectech): T9840D / 9840D 3490 emulation / STK1RD34. T9840D35 / 9840D 3590 emulation / STK1RD35. T9840DE / 9840D 3490 emulation Encrypted / STK1RDE4. T9840DE35 / 9840D 3590 emulation Encrypted / STK1RDE5. For completeness, the full list of available values is identified below. There are combination RECTECH values which are hierarchical in nature, but we strongly recommend you use one of the above as applicable. MEDIA values: STK1R data cartridge; STK1Y new cleaning cartridge unique to 9840D. RECTECH values: STK1R all 9840 drives; STK1RD all 9840
38. dmin Guide, Command & Utility Guide. Chapter 1: Encryption System Overview. Encryption serves to limit access to data by making information unreadable without special knowledge. This is typically accomplished by applying a cryptographic algorithm, called a cipher, to the data. The result is an encrypted ciphertext that is unreadable until an inverse algorithm is again applied to decrypt the data. This requires access to the key value used to encrypt the data. Data is transported and stored in this unreadable state, thus achieving data security when information is most vulnerable. Due to heightened data security requirements and industry compliance standards, there is an increasing need for encryption in today's datacenters. This need can be met by one of the following options: host-based, in-band appliance-based, or device-based encryption. Host Based Encryption: Host-based encryption is also referred to as encryption at creation. In this scenario, data is encrypted on the host at the time of data creation. The encrypted data is then transferred to the storage devices on which it will reside. Host-based encryption is typically accomplished by enabling special encryption features through the operating system, database or backup application. Pros: • Secure: Data is encrypted at creation and remains encrypted through the lifecycle of the data. • Difficult to bypass: Central point of encryption at data creation ensures security rega
39. e A swap request will be honored for each valid online RTD for the specified VTSS. This swap will occur only once for each RTD. In the event that a RTD has the necessary key, the RECALL process will complete. In the event that no RTD has the necessary key, the MVC mount request will time out after the last swap request is attempted. KMS Symptom: [KMS Manager screenshot: audit log entry with Class Data Unit Agent Operations, Retention Term Medium Term, Operation Retrieve Data Unit Keys, Severity Error, Condition Agent Key Group access denied, Created Date 3/31/2008 3:02:08 PM, Entity ID 1EA, External Tag T13064] Solution / Recovery Steps: If the new RTD has the proper key group, allow swap processing to find it; else continue. • Assign drive to correct key group (add Entity to Key Group). • Vary RTD back online to VTSS. Chapter 7: Alternate Key Management Scenarios. Key Management System Disaster Recovery: Key protection is an important consideration, as losing keys is equivalent to losing data and no
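The FSC check described for Scenario 1 and the KMS audit symptom shown for Scenario 8, as an added example (not code from the Sun document): it pulls the FSC and the EBCDIC volser out of the 32 sense bytes and matches the volser against KMS audit entries. The byte offsets are inferred from the two sample messages on this page; the console framing, the audit-entry dictionaries and the entity name are constructed for illustration.

```python
import re

# Offsets (0-based) of the 2-byte FSC and 6-byte EBCDIC volser within the 32
# sense bytes. ASSUMPTION: inferred from the two sample messages on this page,
# not taken from a documented sense-data layout.
LAYOUTS = {
    "IOS000I": {"fsc": 14, "volser": 16},   # host I/O error (Scenario 1)
    "SLS6625E": {"fsc": 19, "volser": 10},  # RTD error reported by VTCS (Scenario 8)
}
# The only FSC this section defines; any other value is looked up in VOP.
FSC_MEANINGS = {"32D0": "media key missing for this encrypted tape"}

MSG_RE = re.compile(r"\b(IOS000I|SLS6625E)\b")
SENSE_RE = re.compile(r"\b(?:(?:[0-9A-F]{16}\s+){3}[0-9A-F]{16}|[0-9A-F]{64})\b")
VOLSER_RE = re.compile(r"[A-Z0-9]{6}")


def parse_sense(msg_id, sense_hex):
    """Return (fsc, volser). volser is None when the bytes at the assumed
    offset do not decode to a plausible volser (layout assumption failed)."""
    raw = bytes.fromhex("".join(sense_hex.split()))
    if len(raw) != 32:
        raise ValueError("expected 32 sense bytes, got %d" % len(raw))
    lay = LAYOUTS[msg_id]
    fsc = raw[lay["fsc"]:lay["fsc"] + 2].hex().upper()
    volser = raw[lay["volser"]:lay["volser"] + 6].decode("cp037")  # EBCDIC
    return fsc, (volser if VOLSER_RE.fullmatch(volser) else None)


def triage(console_text):
    """Decode the sense data that follows each IOS000I / SLS6625E record
    (searching only up to the next such record)."""
    findings = []
    hits = list(MSG_RE.finditer(console_text))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(console_text)
        sense = SENSE_RE.search(console_text, hit.end(), end)
        if sense is None:
            continue  # record logged without sense data, or log was truncated
        fsc, volser = parse_sense(hit.group(1), sense.group(0))
        findings.append({
            "msg": hit.group(1), "fsc": fsc, "volser": volser,
            "meaning": FSC_MEANINGS.get(fsc, "not defined here; look up the FSC in VOP"),
        })
    return findings


def correlate(findings, audit_entries):
    """Attach KMS audit entries whose External Tag is the failing volser, so a
    32D0 is tied to a logged key-group denial instead of being guessed at."""
    for f in findings:
        f["kms"] = [a for a in audit_entries
                    if f["volser"] and a.get("External Tag") == f["volser"]
                    and a.get("Operation") == "Retrieve Data Unit Keys"]
        denied = [a for a in f["kms"]
                  if a.get("Condition") == "Agent Key Group access denied"]
        if f["fsc"] == "32D0" and denied:
            f["action"] = ("assign entity %s to the key group holding the key for %s"
                           % (denied[0].get("Entity ID"), f["volser"]))
        elif f["fsc"] == "32D0":
            f["action"] = "no KMS denial found for this volser; review the KMS audit log"
        else:
            f["action"] = "look up the FSC definition in VOP"
    return findings


# Constructed sample: message framing simplified; sense bytes as in the page's
# Scenario 1 and Scenario 8 samples.
SAMPLE_CONSOLE = """\
IOS000I 01F6 T13103 HSC6GENR
 004910D050205451 2506FF30C00032D0 E3F1F3F1F0F30290 4104230012422011
 UNSUPPORTED FORMAT
SLS6625E RTD RTD01 REPORTED
 0041205C0000132400E0E3F1F3F0F6F440400032D0000000CE0E372002180000
"""
# Constructed audit entries; field names follow the KMS Manager audit screen.
SAMPLE_AUDIT = [
    {"Operation": "Retrieve Data Unit Keys", "External Tag": "T13064",
     "Condition": "Agent Key Group access denied", "Entity ID": "RTD01"},
]

if __name__ == "__main__":
    for finding in correlate(triage(SAMPLE_CONSOLE), SAMPLE_AUDIT):
        print(finding["msg"], finding["volser"], finding["fsc"], "->", finding["action"])
```

A volser of None in a finding means the assumed offsets did not fit that message, so the FSC from the same record should not be trusted either.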
40. [Diagram: Multi Site Network, showing KMA1 through KMA4 with KMA management and ELOM connections on secured customer LANs, service networks, and four groups of 12 encrypting tape drives split between a Primary Location and an Alternate Location] Shared Tape Resource Centers: One challenge of implementing an encryption solution is managing shared tape resource centers. Shared tape resource centers generally consist of third-party sites that manage archived information for multiple customers. Customers send archived information to shared tape resource centers for data protection and disaster recovery purposes. The recommended scenario for a customer to implement a Sun Tape Encryption environment in conjunction with a third-party shared tape resource center is to maintain at least 1 KMA a
41. ed solution with the following 3 key groups: Dallas1, Atlanta1, Chicago1. In this example, each drive at a site will obtain keys in one group for each data unit at the respective site. The other 2 key groups will be available to each respective site for read keys only. This key management solution allows for encrypted cartridges from any site to be exchanged with any other site if needed. Here is an example of what an initial key allocation looks like for three different T10000 encryption drives: one drive group located in Dallas, one drive group in Atlanta, and the other in Chicago. Location of Drive: Dallas / Atlanta / Chicago. Read Key Group: Atlanta1 / Chicago1 / Dallas1. Read Key Group: Chicago1 / Dallas1 / Atlanta1. The length of protect time a key offers is based on the policy assigned via the KMS Software Manager GUI. For more information on key management practices, see StorageTek Crypto Key Management Solution Version 2.0 Management Practices Whitepaper. Chapter 3: Implementation Details. Overview: When implementing a mixed drive solution, the selection of the
42. Examples, NCS perspective: • An HSC Display VOLume DETAIL command of an encrypted MVC: SLSO601I VOLUME M04150 DETAIL 321 HOME CELL OOS OZ Or SOOO SCRALCHE NO SEE CANED NO EXTERNAL LABEL YES ABEL READABLE YES INSERTED ZOO7 O5 03 i s4sess ASt SHLECLEED 2008 05 20 05337221 SELECT COUNT 00000488 MEDIA TYPE STK1R RECTECH STK1RDE4 MEDIA LABEL READABLE MEDIA MATCH MES NOT ELIGIBLE FOR SCRATCH DENS TERE UNKNOWN Note: RECTECH is the only indication the volume is encrypted, and this is because of the VOLATTR specification. • An HSC Display DRives ALL DETail command: SLS4633I DISPLAY DRIVES COMMAND 604 DRIVE LOCATION VOLSER STATUS MODEL MEDIA 0120 00200801 81 5 ONLINE T9840C STKL 0121 00809501 81 2 ONLINE T9840C SWIK 0122 0080252801 815 ONLINE T9840B STIKI 9125 00501501315 ONLINE T9840B35 STKL 0124 00302301312 ONLINE WOSAOCSS Smil 0125 00301301303 ONLINE T9840C35 STKI1 zo 00301501301 OFFLINE T9940B STK2 0127 0002801803 OFFLINE T9940B STZ OLZ8 005015013138 OFFLINE T9840DE SHDRCIL 0129 00 02 01 00 M04153 ON DRIVE T9840DE SKI zia 00303301300 ONLINE T9940B35 STK2 0128 00500301303 ONLINE T9940B
43. emoving the load of encryption from the host or the network. Since the storage device is handling the encryption process, full data compression can be realized. • Highly Secure: Encryption occurs and is validated at a device level. • Difficult to Bypass: Storage devices sit at the end of the data path and cannot be bypassed. Devices are only capable of writing encrypted data. • Legacy Configuration Support: No change required to existing hardware and software environment. Cons: • Storage Refresh: May require a tape drive upgrade, depending on current hardware in place. Sun Encryption: Sun's encryption solution utilizes an AES (Advanced Encryption Standard) 256 substitution-permutation network cipher algorithm that is applied by the storage peripheral device (in the example below, the T10000 tape drive). CCM-AES is the mode employed by this solution. This is a FIPS (Federal Information Processing Standard) compliant encryption standard. Key management occurs outside of the data path, and the encryption of sensitive data is completely transparent to the application. A cluster of KMAs manages these encrypting devices by authenticating enrollment processes, securing the distribution of encryption keys, and providing a policy-based lifecycle key management solution. The cluster serves to provide failover, load balancing and data protection by replicating changes across the cluster in real time. KMA-to-drive communications occur over an isol
44. en sun com richard birkelo sun com Contents: StorageTek Tape Drive Encryption Solutions; Best Practices; Related Publications; Chapter 1 Encryption System; Host Based; Benefits of the Sun Encryption; Chapter 2 Planning Encrypted Installations; Sample Configuration; Chapter 3 Implementation Details; Chapter 4 N
45. ent to losing data, and not having the correct keys available at the right time results in losing access to data. Effective key protection is the greatest benefit of the recommended configuration. This configuration will serve to limit the number of unnecessary encryption keys and ensure that all T10000A drives will always have access to the proper key. • Ease of management: By using a KMS cluster administration and implementing a key management strategy where all drives share encryption key groups, the management burden is taken off the customer. This enables a datacenter to manage an encrypted solution transparently, with no impact to day-to-day operations. Sample Configuration: [Diagram: COMPANY XYZ, with the KMS Software Manager GUI and a Key Management System at each of the Dallas Site (Primary Site), Chicago Site (Secondary Site) and Atlanta Site (Secondary Site); library labels include SL8500 Library (Name SL85005), T10000 Encryption Drives, 9840 LTO Drives and T10000 Non Encryption Drives]
46. the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the United States and in other countries. THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. ITS USE, DISCLOSURE AND REPRODUCTION ARE PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN MICROSYSTEMS, INC. Use is subject to the terms of the License. This distribution may include components developed by third parties. Parts of this product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the United States and in other countries, licensed exclusively through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Solaris, Sun StorageTek Crypto Key Management Station, StorageTek and StorageTek are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and in other countries. This product is subject to U.S. export control law and may be subject to the export and import regulations in force in other countries. End uses or end users for nuclear weapons, missiles, biological and chemical weapons
47. or nuclear maritime uses, whether direct or indirect, are strictly prohibited. Exports or re-exports to countries under U.S. embargo, or to entities appearing on U.S. export exclusion lists, including but not limited to the list of persons subject to an order not to take part, directly or indirectly, in exports of products or services governed by U.S. export control law, and the list of specially designated nationals, are strictly prohibited. The use of spare parts or replacement central processing units is limited to repairs or to the one-for-one replacement of central processing units for products exported in compliance with U.S. export law. Unless authorized by the United States authorities, the use of central processing units to upgrade products is strictly prohibited. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE FORMALLY EXCLUDED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. We welcome your feedback. Please contact STK Test Engineering at rick schworm sun com mikal gre
48. ey Management System is comprised of multiple KMAs clustered together. Key management appliances are clustered to provide failover, load balancing and data protection. KMAs in a cluster act in an active-active manner. All KMAs can provide full functionality to any encryption agent, and changes made on any one KMA are quickly replicated to all KMAs within the cluster. KMA Manager Software: The key management appliance is a locked-down, security-hardened device. There are only very limited options available to a privileged security officer through the console or ELOM (enhanced lights out manager) of the appliance. Other than specific operations, administration of the StorageTek Crypto Key Management Solution occurs through a GUI management program that is executed from a customer-provided workstation or server. Encryption Agent: The encryption agent is a generic term for the peripheral device that is used with the KMS to manage encrypted data and obtain keyed material. At the time of release, the Crypto Key Management 2.0 System supports only the StorageTek T10000A and 9840D tape drives. In subsequent releases, T10000B and LTO4 encryption agents will be enhanced to operate with KMS 2.0. The T10000A tape drive has a native transfer rate of 120 MB/s and has demonstrated speeds up to 330 MB/s using compression. The drive utilizes a 4GB FC interface. Standard T10000 media have a 500GB uncompressed capacity wit
49. fic equipment that will be made available is not known prior to starting the DR test or recovery. There are two approaches for key management. The preferred approach is for the customer to place KMAs at the DR site and configure these into their production cluster using a WAN connection. These KMAs are dedicated to the specific customer. This allows the customer's key to always be at the DR site and ready for use. A second approach is to restore a backup of the customer's production KMS onto KMAs provided by the shared resource center management. This avoids the need for a WAN link and the on-site dedicated KMAs, but requires additional time to restore the database. In the preferred approach, a recovery is begun by enrolling the tape drives provided by the shared resource center management into the customer's KMS cluster. This can be done by connecting the KMS Manager GUI to the KMAs at the DR site. Drive enrollment can be completed in a matter of minutes. In a true disaster recovery, these may be the only remaining KMAs from the customer's cluster. Once the enrollment is complete and the drives have been configured on the provided servers or LPARs, tape IO can begin. In the alternative approach, KMAs must be provided by the shared resource center management at the beginning of the test or recovery. The customer's KMS backup must be restored. The restore operation requires both the normal KMS backup (two files) and a core security backup
50. h a shorter Sport cartridge at 120GB. WORM (VolSafe) media is available in both 500GB and 120GB uncompressed capacity format. Benefits of the Sun Encryption Solution. Performance: Data is encrypted after tape compression occurs, which allows for maximum performance and the most efficient possible usage of tape media. Sun utilizes a very powerful encryption algorithm, CCM-AES-256, that is also highly efficient. Only a 100 byte overhead is required for each block of encrypted data that is recorded. Many backup, restore, or archiving applications realize maximum performance when utilizing an average blocksize between 256KB and 1MB. The T10000 tape drive supports blocksizes up to 2MB. Given this, the impact of encryption on performance is negligible. This gives Sun a significant advantage over competitor products, where encryption overhead, processing strain, and inability to realize maximum compression by encrypting before the data reaches the storage device all contribute to drastic performance degradation. Ease of Management: The KMS software manager GUI provides a central point of administration for a scalable encryption solution that can grow to manage multiple libraries of encrypted drives in multiple locations. Powerful policy-based lifecycle management options allow for intuitive and automated administration of encryption keys. Security: AES-256, which Sun utilizes as a block cipher algorithm, is the most powerful commercially available security algor
51. hone 1 650 960 1300 or 1 800 555 9SUN Web sun com SUN THE NETWORK IS THE COMPUTER 2006 Sun Microsystems Inc All rights reserved Sun Sun Microsystems and the Sun logo StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems Inc in the United States and other countries. Detail VOP in response to Review > Drive Settings > Fibre: View Current Drive Settings Manufacturing Encrypt Parameter Definition FICON emulation option Data compression Data security erase Standard Label protect Library address Tape completion display Language World Wide Nametlibrary Pa hrd asgn phys addr Pa arbtrtd loop addr Pa soft asgn phys addr Pa max recv size Pa WWN overrideclibrary Pa speed negotiation Pb hrd asgn phys addr Pb arbtrtd loop addr Pb soft asgn phys addr Pb max recv size Pb WWN override library Pb speed negotiation Channel interface type Missina Rfid Statistics Keyid Parameter Value Network Idsnmp Version Logging 3592 FICON Yes Mo No ff No English 50 01 04 F0 00 78 d0 a9 Mo Lo 2048 50 01 04 F0 00 78 d0 aa Auto Mo 0 Lo 2048 50 01 04 F0 00 78 d0 ab Auto Ficon EH. Note: Native attached drives can only be configured in 3592 FICON mode. Detail VOP in response to Commit of enrollment of drive: File Drive Operations Retrieve Configure Diagnostics Help Drive IP 10 80 3
52. SCRPOOL Control Statement: If implemented, encrypted and non-encrypted drives should not share media from the same pool. These are defined by SCRPOOL statements as follows: SCRPOOL NAME T10000 RANGE VOL000 VOL499 LABEL SL (non-encrypted); SCRPOOL NAME T10000E RANGE VOL500 VOL599 LABEL SL (encrypted). Drive Management Strategy: Various alternatives are available to influence SMC to choose an encrypted or non-encrypted device. Care must be taken to exclude encrypted devices from the non-encrypted workloads. Select desired drive via the TAPEREQ MODEL parameter. For example: TAPEREQ DSN BACKUP MODEL T1AE35 (encrypted); TAPEREQ DSN MODEL T1A35 (non-encrypted). Select desired drive via the TAPEREQ ESOTERIC parameter. For example: TAPEREQ DSN BACKUP ESOTERIC SL85006E (encrypted); TAPEREQ DSN ESOTERIC SL85006 (non-encrypted). Select desired drive via the TAPEREQ SUBPOOL parameter. For example: TAPEREQ DSN BACKUP SUBPOOL T10000E (encrypted); TAPEREQ DSN SUBPOOL T10000 (non-encrypted). SMC Allocation Matrix: The following matrix illustrates the drive type which should be selected based solely on a volume's recording technique and encryption status, for both specific and scratch requests. Some background on the fields might be helpful. ENCRYPTED INVISIBLE indi
53. Utilize Legacy Infrastructure: Ability to fit seamlessly into both legacy operating and storage infrastructure makes for a quick encryption implementation. Transparent to Storage and Hosts: Encryption process occurs transparent to hosts and storage devices. Cons. Less Secure: Because this is an in-band solution, it is easier to bypass than other encryption scenarios. Not Scalable: As the number and speed of storage devices grow, an increasing amount of individual in-band appliances will be required to maintain the encryption solution. Commitment: After an in-band appliance-based encryption scenario is implemented, the customer is committed to maintaining that in-band appliance for the lifecycle of their data, even if it negatively impacts performance or cost in the future. Device-Based Encryption. Device-based encryption is also referred to as data-at-rest encryption. In this scenario, data is encrypted on the storage device as it is written. The encrypted data remains on the storage device while at rest and can be physically transported in a secure state. Device-based encryption removes the load of encryption from the hosts and the network. Encryption is handled by the storage device after compression is performed. Pros. High Performance: Device-based encryption is the most efficient encryption scenario from a performance perspective. This is accomplished by r
54. ithm, and Sun's implementation has been validated by NIST, the US Government National Institute of Standards and Technology. The key management appliance is a locked-down, security-hardened device. Separation of roles and responsibilities allows for a system of checks and balances to be implemented. Quorum operations are required for changes to the configuration that could pose a security risk. Sun Microsystems Inc 4150 Network Circle Santa Clara CA 95054 USA Phone 1 650 960 1300 or 1 800 555 9SUN Web sun com SUN THE NETWORK IS THE COMPUTER 2006 Sun Microsystems Inc All rights reserved Sun Sun Microsystems and the Sun logo StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems Inc in the United States and other countries. Chapter 2: Planning Encrypted Installations. Things to Consider: Several things to consider when planning a data encryption implementation are laid out below. KMS Deployment: One KMS cluster is capable of administering an encryption solution for an entire organization, even if that organization contains datacenters in multiple locations. Using one cluster introduces a single point of administration and serves to increase ease of management and simplicity of the solution. To achieve maximum failover, load balancing, and redundancy, it is required that a minimum of two KMAs be deployed per location. For instance, if an organization employs an encryption solution acro
55. ommended. That is, define a volume to be used on either an encrypted or non-encrypted device. Prerequisites: The following section lists the minimum prerequisites for 9840D and T10000A support. You should check for later maintenance available in the Sun System Handbook at SunSolve: http sunsolve sun com handbook pub validateUser do target STK STK index. HSC PTFs: L1H136H, L1H13Q2, L1H13C4, L1H13ZE. SMC PTF: L1A00HK, L1A00LQ, L1A00JI. VTCS PTF: L1H13ZO, L1H13ZC, L1H13Y8. CSC PTF: L1C1082, L1C1093. Library Station PTF: L1S106F, L1S106G. Library Microcode SL8500 9310 FRS 3 95 4 4 08. T10000A Microcode 1 37 114. 9840D Microcode 1 42 706. Virtual Operator Panel 1 0 11 17. VTSS Microcode VSM4 & VSM5 D02 02 00 E6. VTSS Microcode VSM3 N01 00 77 00. Key Management System 2.0 Build308. Note: The microcode is required for both encrypted and non-encrypted drives. This allows a non-encrypted drive to recognize an encrypted tape is mounted and present proper error information to the host. Note: Encryption support is only available in NCS 6.1 and later. Installation Maintenance: The following section attempts to summarize the installation steps, noting subtleties found during test. Detailed steps are found in the associated product documentation. The following components can be installed independently, but this order is recommended: 1. Install Library Microcode: This enables the library to repor
56. ore to message SLS0088D. Mount will only repeat error. Ignore waits for intervention by the operator. Cancel job. Correct allocation of tape to tape drive so that tape is mounted on an encrypted drive. Resubmit failing job. Scenario 4: Encrypted tape is mounted on a non-encrypted drive for write from Block 0. This scenario might be encountered if the VOLATTR RECTECH is changed from T1AE35 to T1A35, thus requiring re-initialization of the tape. Host Symptom: IOS000I 01DA A7 10E 02 0600 HSC6TAM9 968 004910D050205451 2502FF30C00032B9 E2D3F8F0F2F00290 4104230007722011 UNSUPPORTED FORMAT Tea Ier ERE DIDA NL SL8020 SL HSC6TAM9 G1AL IOP SR7196MG AL IEC704A L 01DA SL8020 SL COMP HSC6TAM9 GIAL IOP SR7196MG AL 6070 IEC704A REPLY VOLSER OWNER INFORMATION M OR U. Note: FSC 32B9 indicates unsupported format; in other words, encrypted data cannot be read on a non-encrypted drive. Recovery Steps: Determine the appropriate response for your in
57. proper drive for a particular tape is crucial. This selection is actually implemented by removing the undesired drives from the candidate list of available drives supplied by the operating system. NCS/VTCS management of a mixed encryption solution is analogous to the management of a mixed 9940B and 9940A environment, with 9940B equivalent to encrypted and 9940A equivalent to non-encrypted. The HSC and SMC software handles a mixed encrypted and non-encrypted environment using the following assumptions and rules: • When a new volume is entered into an ACS that contains encrypting drives compatible with the volume media, the volume is assumed to be encrypted unless overridden with a VOLATTR statement. • A volume's encrypted status is reset only when the volume is mounted as scratch. • If a volume is known or assumed to be encrypted, SMC allocation will automatically exclude non-encrypting drives. • If a volume is known to be non-encrypted, SMC allocation will allocate either encrypting or non-encrypting drives unless a VOLATTR statement limits the allocation to either encrypting or non-encrypting recording techniques. • Encrypted data cannot be appended to non-encrypted data, or vice versa. If non-encrypted volumes will be appended in a mixed environment, VOLATTR statements are required to limit allocation to non-encrypting drives. To aid this management, the segregation of non-encrypted and encrypted volumes via VOLATTR statements is rec
58. rding technique is not specified, a default of non-encrypted applies. It follows that the recording technique must be specified for encrypted media. VOLATTR Control Statement: A combination of MEDIA and RECTECH is used to define a volume. The following MEDIA and RECTECH parameters are recommended for 9840D so there is no doubt about your intentions for the volume. It will also be your only indication regarding encryption when displaying volume information via a Volume Report. 9840D Non-encrypted: VOLATTR SERIAL vvvvvv vvvvvv MEDIA STK1R RECTECH STK1RD34. 9840D Encrypted: VOLATTR SERIAL vvvvvv vvvvvv MEDIA STK1R RECTECH STK1RDE4. Special VTCS Considerations for 9840D Media: T9840D and T9840DE transports use the same physical form factor but different recording techniques, as follows: • T9840DEs can read from media written to by T9840Ds but cannot write to T9840DE media unless the entire volume is rewritten from beginning of tape. • T9840Ds cannot read from or write to media written to by T9840DEs. To ensure media and transport compatibility, you must use separate VOLATTR statements to segregate non-encrypted and encrypted media as follows: • Define the T9840D non-encrypted media with VOLATTR statements that specify MEDIA STK1R and RECTECH STK1RD34. • Define the T9840DE encrypted media with VOLATTR statements that specify MEDIA STK1R and RECTECH STK1RDE4. For example, to define MVCs MVC000 MVC499 as non-encrypted volumes
59. rdless of what storage device the data rests on. Cons. Performance Hit: Data is encrypted before it is transferred to a storage device and unable to be compressed. This can reduce performance by up to 60% and will result in a significant increase in the storage capacity required, typically by 2x or more. Resource Intensive: Encrypting the data on the host requires significant server resources that would normally be used to serve other functions. Infrastructure Refresh: This often requires an upgrade to existing legacy operating infrastructure. In-Band Encryption. In-band encryption occurs while data is in transit. In this scenario, data is encrypted by a dedicated encryption appliance that sits in the data path between the host and the storage device. Encryption occurs as data is transferred to storage devices. Data leaves the host as plaintext and is converted to encrypted ciphertext before coming to rest on the storage devices. Data is retrieved in the same fashion, by leaving the storage device as encrypted ciphertext and then decrypted to plaintext before being presented to the host. Pros
60. Detail VOP in response to Review > Drive Settings > Fibre: View Current Drive Settings. Tabs: Keyid, Logging, Manufacturing, Missing, Network, Statistics, Version, Encrypt. Parameter Definition and Parameter Value: FICON emulation option: 3490 FICON; Data compression: Yes; Data security erase: No; VolSafe enabled: No; Save fullload: No; Standard label protect: No; Tape completion display: No; CSL power up: System; Library address: ff; Language: English; World Wide Name library: 50 01 04 f0 00 78 ce 72; Pa hrd asgn phys addr: No; Pa arbtrtd loop addr: 0; Pa soft asgn phys addr: Hi; Pa max recv size: 2048; Pa WWN override library: 50 01 04 f0 00 78 ce 73; Pb hrd asgn phys addr: No; Pb arbtrtd loop addr: 0; Pb soft asgn phys addr: Hi; Pb max recv size: 2112; Pb WWN override library: 50 01 04 f0 00 78 ce 74; Channel interface type: Ficon. Note: VSM attached drives can only be configured in 3490 mode. Also be aware that a Pa Max Recv Size of 2048 is required. Chapter 6: Miscellaneous Items. Encryption Error Scenarios and Recovery: The following s
61. sl85005 1yr group True 0 True i Import Ke 1F5 Native 1F5 sl85005 1yr group True 0 True i un 1F6 Native 1F6 sl85005 1yr group True 0 True j Data Urat List 1F7 Native 1F7 85005 1yr group True 0 True Backup List 1EA RTD 27 sl amp S005 2yr group True 0 True Import 1 0 Ke 1EE RTD 27 sl85005 2yr group True 0 True System Manager 1EB RTD X sl85005 2yr group True 0 True Audit Event L 1EF RTD X sl85005 2yr group True 0 True. Note: Remember, Agent ID must match what has been entered and committed on the drive. Drives assigned to key group(s): KMS Manager Gonngect Secure Informatic 4 bs Key Policy Lis B Key Groups CAP alpha import 1F6 only import keys 1F only 1hr group fesce 2yr group Data Unit List 531 1001231 25B Backup List TSTIFS z Import 1 0 Ke E System Manager Audit Event L A KMA List User List Role List. Note: The drive can have several key groups assigned to it. Thus dataunits written with any keys from the allowed key groups can be read on the drive. If a new dataunit is presented the
62. ss datacenters in Dallas and Atlanta, they would include 2 KMAs at each location. All four KMAs would be clustered together and would continually replicate any changes across the cluster. The KMAs at each location connect to the drives at that location using the private network within the library. If the Sun Service Delivery Platform (SDP) is deployed, it also attaches to that private network. An encrypting tape drive in the Dallas site would request encryption keys from either of the two KMAs at that location over the isolated services network. Mixing Drives: Unlike the Fiber Channel implementation, the T10000 and 9840D FICON drive returns a different device type to the library when encryption is enabled versus disabled. This information is communicated to NCS, enabling the management of encrypted and non-encrypted drives. Encryption management occurs outside of the data path. The solution is application transparent, and because of this, applications are unaware that encryption is taking place. The following are important things to consider when planning an encryption implementation: Encrypted drives can read cartridges that contain non-encrypted data, but they cannot append to them, and no drive can read encrypted data or append to an encrypted cartridge without the proper key. Software Requirements: As stated previously, the encryption solution is transparent to customer applications. However, support for encrypted devices is only available in NCS 6
63. stallation. A reply of U would create an un-encrypted label on the tape. Job continues. Volser will be left on drive. Scenario 5: Non-encrypted tape is mounted on an encrypted drive for file append. This scenario might be encountered if a specific unit is requested for a non-encrypted tape. Host Symptom: LOSOOOL OIF 137 108 01 0600 SLEO0Z0 ESCOTSIN 357 804400C022212341 0101FF0000000000 00000032BA000092 2004230021742011 WRITE PROTECTED ECI47I 613 10 1FGO0196T HSCGTSTW GIAL CREATE 01ES3 SL8020 10P SR7196MG AL2 DHA ME SMM TOMS DUME SOUL PU SS S IO SYSTEM COMPLETION CODE 613 REASON CODE 00000010. Note: FSC 32BA indicates command is rejected; encrypted data cannot be written on non-encrypted tape, except if at block 0 (see Scenario 6). Recovery Steps: Correct allocation of tape to tape drive so that tape is mounted on an encrypted drive. Resubmit failing job. Scenario 6: Non-encrypted tape is mounted on an encrypted drive for write from Block 0. This scenario might be encountered if the VOLATTR RECTECH is changed from T1A35 to T1AE35. It is not an error scenario, but is presented here to contrast it with Scenario 4. Host Symptom: IEC501A M 01E3 SL8020 SL COMP HSC6TSTW GIAL IOP SR7196MG AL FILE1 ENC IEC705I TAPE ON 01E3 SL8020 SL COMP HSC6TSTW G1AL IOP SR7196MG AL FILE1 ENC MEDIA5 I D
64. t having the correct keys available at the right time results in losing access to data. Because of this, it is necessary to plan for disaster recovery situations when implementing a key management strategy. An enterprise KMS installation should have five levels of key protection. Once created, keys are encrypted and stored on the KMS server within the KMS database. A clustered KMS must be implemented, which should include KMAs located in another facility. For steps on configuring a clustered KMS, please reference the KMS 2.0 Administration Guide. A minimum of two KMAs are required at each site. Backup of KMS database, initiated using the KMS GUI, saved to local disk on the server where GUI executes. For additional disaster recovery protection, it is recommended that the KMS database backup be periodically sent to an off-site vault. Additional KMA should be placed at the DR site and connected into the production KMAs. This allows keys and other KMS information to be automatically replicated to the KMAs at the DR site. What happens in the event of a disaster recovery? If the disaster that caused KMS database corruption or loss is local to the KMS server itself, then the first step would be to execute a restore of the latest KMS database backup, if the KMS resides in a single KMA configuration. For steps on how to restore a KMS, reference the KMS 2.0 Administration Guide and StorageTek Crypto Key Management Solution Management Prac
65. t the correct device type to NCS. 2. Install VTSS Microcode: This enables both a VSM4 or VSM5 to handle encryption-related FSCs returned from the drive. 3. Install NCS/VTCS PTFs and identify drives: These enable NCS to recognize the new device types and implement the new MODEL and RECTECH values required for the correct management of media and drives. Use SET Utility to add drives to the NCS Control Data Set. 4. Install Drives: The Customer Service Engineer will install the drives in the library using Virtual Operator Panel (VOP). 5. Install KMS Hardware: The Customer Service Engineer will use the KMS 2.0 Installation and Service Manual to install the hardware. This hardware is a KMA Cluster consisting of 2 or more KMA units. 6. Configure KMS Software: The Customer will use the KMS 2.0 Administration Guide to identify and manage the various encryption components. This includes the importing of keys, the definition of KMS Roles, establishing encryption key policies, and the identification of encryption agents (drives) and dataunits (tape volumes)
66. t the third-party site. This KMA would participate in the customer KMS cluster via the management network, such that all updates to the KMS cluster are reflected in the KMA at the third-party site. Drives at the third-party site would have to be configured to use the appropriate key groups according to the data in the KMA. The drive(s) needed would only access 1 KMS cluster at any given time frame. Essentially, at the Shared Resource Center the KMA would be dedicated to 1 customer, but the drive(s) necessary to read tape volumes would be shared. Usage of the drive(s) would not be concurrent among customers; the drive(s) would only be dedicated to a single customer for as long as needed. The drive(s) would then be reconfigured to access a different KMA for a different customer. Drives and tapes at the shared resource center may be used on a continuous or intermittent basis. If drives and tapes are used on a continuous basis, the customer will need full-time, or at least frequent, access to drives and KMAs. Ideally this will be done using drives and KMAs dedicated to the customer. In this case, the customer can manage the drives and KMAs just as they do their production site drives and KMAs. If tapes are to be moved between the shared resource location and the other customer sites, there are two approaches for transferring keys. The preferred approach is to include the shared resource location KMAs in the production KMA cluster. This will keep the shared site K
67. tices V2.0 white paper. If the disaster occurred in a configuration that includes clustered KMAs, the working KMA will service all requests for keys; therefore contact Sun service for a replacement KMA. In the rare event that all sources have been rendered inoperable in a disaster, or are otherwise unavailable for recovery, redundant off-site KMAs would service requests only from drives at the off-site location. If the drives are shared, it will be necessary to enroll the drives with the remaining KMAs. If no redundancy has been configured, then restore a KMS database backup from a vault or offsite location onto recovery KMAs. For a more comprehensive discussion on disaster recovery of the KMS, see StorageTek Crypto Key Management Solution Version 2.0 Management Practices white paper, Chapter 8. Chapter 8: Optimizing Encryption Solution for Redundancy. Redundant Network: Unlike version 1.0, version 2.0 of the Sun StorageTek Crypto Key Management Solution does not retain encryption keys locally on the drive after unloading a tape. All requests for ke
68. y and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons, or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or re-export to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists, is strictly prohibited. Use of any spare or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in compliance with U.S. export laws. Use of CPUs as product upgrades, unless authorized by the U.S. Government, is strictly prohibited. DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved. Sun Microsystems, Inc. holds the intellectual property rights relating to the technology incorporated in the product described in this document. In particular, and without limitation, these intellectual property rights may include one or more
69. yed HSC Rectech. T10000A 3590 emulation (MVS attach): T1A35. T10000A 3590 emulation (MVS attach) with Encryption enabled: T1AE35. T10000A 3490 emulation (VSM attach only): T1A34. T10000A 3490 emulation (VSM attach only) with Encryption enabled: T1AE34. There are combination RECTECH values not documented here, which are hierarchical in nature, but we strongly recommend you use one of the above as applicable. Media Management Strategy: A good media management strategy is a key piece to a successful mixed encryption solution. The segregation of non-encrypted and encrypted volumes via VOLATTR statements is highly recommended. Do not specify a combination rectech such as VOLATTR RECTECH T1A, as this allows a tape to become either encrypted or non-encrypted. Although NCS can manage the volume, its encryption status is not available from the Volume Report. This simply leads to confusion later on. VOLATTR Control Statement: A combination of MEDIA and RECTECH is used to define a volume. The following MEDIA and RECTECH parameters are recommended for T10000A: VOLATTR SERIAL VOL000 VOL499 MEDIA T1 RECTECH T1A35 (non-encrypted); VOLATTR SERIAL VOL500 VOL599 MEDIA T1 RECTECH T1AE35 (encrypted).
70. ys are serviced by a KMA in the KMS cluster and provided to the drive. Protecting against component failure is a primary concern in maintaining uninterrupted operation of the encryption solution. Each Key Management Appliance is configured with three network ports. One port is dedicated to the Enhanced Lights Out Manager (ELOM) that is used to provide remote access to the console. The ELOM is used during initial setup and configuration of the KMA. The KMA is a locked-down appliance, so very few functions are available through the ELOM, but the security officer can utilize the ELOM to perform certain operations such as resetting the KMA. The second configured Ethernet port is dedicated to KMA management. This connects to the customer's secured network and is utilized for the KMS software manager to administer the cluster, as well as for replicating changes across the cluster to other KMAs. The final configured Ethernet port is dedicated to the service network, on which the encrypting tape drives should reside. It is recommended that the encrypting tape drives be installed on the services network to reduce network traffic and limit external access. To protect against component failure, it is recommended to install redundant switches on the services network. [Figure: KMS 2.0 Sample Configuration. Labels: Site 1, Site 2, GUI, Wide Area Network, Customer Key Management Network, KMA Cluster, T10000]
71. FSi SOG OTT EUMENERRO E HUNE TD Ee TRIS HOME CELL 0o 02 Oda 0 0 SCRATCHE NO SEE Gave Dis NO MOUNTED DRIVE IBO EXTERNAL LABEL YES ABEL READABLE YES INSERTED 2005 05 10 10 29 40 AST SELECTEDs 2009 05 24 08510358 SELECT COUNT 00000309 MEDIA TYPE T10000T1 REC iH CH T1A35 MEDIA LABEL READABLE MEDIA MATCH MES DENSI T1AO000T1. Note: The ENCRYPTED field is not displayed. SLS0601I VOLUME T12858 DETAIL 089 HOME CELL COS 0 11 8 27 8 0 9 000 S CIRVAINC Tal B NO SELECTED NO EXTERNAL LABEL YES ABEL READABLE YES INSERTED 2008 01 24 10 12 12 AST SHLECMEDS 2008 09 22 11242223 SELECT COUNT 00000001 MEDIA TYPE T10000T1 RE Cah Crs T1AE35 MEDIA LABEL READABLE MEDIA MATCH MES DENS TEYE T1AO000T1 ENCRMETEDE UNKNOWN. Note: The ENCRYPTED field is UNKNOWN. SLSO601I VOLUME T12840 DETAIL 230 HOME CELL 0 s 0002 O00 SCRATCH NO SETEGLED NO EXTERNAL LABEL YES ABEL READABLE YES INSERTED 2007 01 10 10326550 AGIT SELECTED 2007 01 24 07333328 SINC
