HP Enterprise Secure Key Manager User's Guide
1. • Technical support registration number (if applicable)
   • Product serial numbers
   • Error messages
   • Operating system type and revision level
   • Detailed questions

Typographic conventions

Table 4 Document conventions
Convention | Element
Blue text: Table 4 (page 27) | Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text | Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text | Text emphasis
Monospace text | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text | Code variables; command variables
Monospace, bold text | Emphasized monospace text

WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

6 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, v...
2. Click Sign Request. Highlight the signed certificate text and copy it.
NOTE: Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines in your copy.
Paste it into the box below.
[Screenshot: ESKM Certificate entry box with the pasted signed certificate; Back, Next, Finish, and Cancel buttons]
8. The ESKM Information screen displays prerequisites for using the ESKM. When the prerequisites have been met, click Next.
9. In the ESKM Tier Selection screen, you can group ESKM devices into tiers so the library will attempt to connect with ESKM devices in the top tier first, and then fail over to connect with ESKM devices in a lower-priority tier if necessary. For example, you might put ESKM devices in the same data center as the library in Tier 1, with ESKM devices in remote data centers in Tiers 2 and 3. One tier is used by default. To add a tier, click Add Tier. Enter the IP address or fully qualified hostname and port number for up to six ESKM devices in each tier. To verify access to the ESKM devices, click Connectivity Check. When the tier configuration is complete, click Next.
3. Test Server Connectivity. The test will check network connectivity and the KMIP login credentials, and then display the test results. When successful, the report will have four green check marks for each configured server.
[Screenshot: KMIP Server Configuration pane with Hostname and Port fields for six servers, and the KMIP Diagnostics pane with Connectivity, Certificates, Authentication, and KMIP Query columns; Test Server Connectivity and Clear Diagnostic Results buttons]
If the Authentication and KMIP Query tests fail, check the Key Security settings in the ESKM Security > High Security screen. If Disable Non-FIPS Algorithms and Key Sizes is checked and the autoloader or library is using a firmware version that generates 1028-bit certificates, these tests will fail.
[Screenshot: ESKM Security > High Security screen. FIPS Compliance: Is FIPS Compliant: Yes. High Security Settings: Disable Creation and Use of Global Keys; Disable RSA Encryption and Decryption; Disable FTP for Certificate Import, Backup, and Restore; Disable Certificate Import through Serial Console Paste]

Verifying that the encryption key server integration is working
To us...
4. Before running the wizard, verify that:
   • The library configuration is complete, including defining all library partitions.
   • A 2048-bit server certificate for each HP ESKM device in the cluster has been created.
   • The ESKM server certificate has been signed by the Certificate Authority (CA) you intend to use and has been installed on the ESKM.
   • SSL is enabled on the ESKM KMS server.
   • The HP ESKM Management Console is open and ready for use. The ESKM Management Console and library RMI are used together to configure the library for ESKM.
   • All tape drives are empty.
   • The necessary license has been installed in the library. For licensing information and instructions on installing the license, see Licensing (page 5).

Using the ESKM Wizard
1. From the MSL6480 RMI, click Encryption > ESKM Wizard to start the wizard.
2. The Wizard Information screen displays information about the wizard. If the library configuration is complete, click Next.
3. The Certificate Authority Information screen displays prerequisites for using the ESKM certificate. When the prerequisites are met, click Next.
4. The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the ESKM server. Follow the instructions to copy the certificate from the management console. Paste the certificate into the wizard, and then click Next.
[Screenshot: ESKM Management Console, Security > Device > Keys & KMIP Objects navigation]
5. [Screenshot: ESKM Management Console, Security > Local Users & Groups > Local Users, User and Group Configuration for the selected local user: Properties, Memberships, and Interoperability tabs; Username, Password, Confirm Password, User Administration Permission, Change Password Permission, Enable KMIP, and Default KMIP Object Group fields; KMIP client certificate ending in END CERTIFICATE; Save and Cancel buttons]

Configuring access to the key servers
Configure the KMIP servers in the KMIP Server Configuration pane of the Configuration > Security page. You can configure a cluster of up to six KMIP servers. The autoloader or library will automatically use a different configured KMIP server if a connection fails.
Enter the hostname or IPv4 address of a KMIP server in the Server X IP/Hostname field. The Port must be 5696 unless the KMIP server is already configured to use a different port. Click Submit Query.

Enabling KMIP-based encryption
Enable KMIP-based encryption from the KMIP E...
6. Autoloader and MSL2024, MSL4048, and MSL8096: Install the license from the RMI Configuration > License Key page. Enter the key and then press Submit.
[Screenshot: License Key page with License Key field and Refresh and Submit buttons]

2 HP Enterprise Secure Key Manager (ESKM) integration
The MSL6480 library supports integration of all versions of the ESKM using the ESKM protocol. Integration with the ESKM allows encryption keys and encrypted tapes to be shared with the ESL G3 and other tape libraries that support the ESKM.
NOTE: If you are using ESKM 4.0 with the KMIP protocol, see the configuration instructions in KMIP-based key server integration (page 12).
With the ESKM Wizard you can configure use of the HP Enterprise Secure Key Management server with the MSL6480. Access the wizard from the Encryption menu on the RMI, which is only available to the security user and requires that the ESKM license has been added from the Configuration > System > License Key Handling screen. For licensing information, see Licensing (page 5).
NOTE: The library only allows one encryption key manager type to be used at a time. For example, if ESKM is enabled and in use, the MSL Encryption Kit cannot also be used for encryption key generation and retrieval.
For additional information on configuring ESKM for use with the library, see the HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries.
Before...
7. [Screenshot: Certificate Generation screen. Options: Keep Current Certificate, or Generate New Certificate (generate a certificate that is later signed for use on the library). Copy the entire certificate. NOTE: Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines in your selection. When you have copied the certificate, click Next. Library Certificate: Select Certificate, followed by the certificate text; Back, Next, Finish, and Cancel buttons]
If you selected Generate New Certificate, the Sign Library Certificate screen displays the new certificate for the library. Sign the new library certificate with the certificate authority as a client certificate, paste t...
8. HP StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide
HP Part Number: QU625-96335
Published: September 2014
Edition: 2

Abstract
This document includes information on configuring HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries for supported encryption key servers, including the HP Enterprise Secure Key Manager (ESKM) and KMIP-based key servers. This document is intended for system administrators experienced with configuring tape libraries and encryption key servers. You can always download the most up-to-date firmware files from http://www.hp.com/support. See the user and service guide for your product for instructions on updating firmware.

Copyright 2014 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Warranty
WARRANTY STATEMENT: To obtain a copy of the warranty for this product, see the warranty information website: http://www.hp.com/go/storagewarranty

Contents
1 Introduction .......... 4
Using an encryption key server ..........
9. [Screenshot: Sign Certificate Request screen with the pasted certificate request (BEGIN CERTIFICATE REQUEST ... END CERTIFICATE REQUEST) and the resulting signed certificate]

Installing the signed client certificate
Install the client certificate in the Configuration > Security page.
1. Using a text editor, copy the contents of the signed certificate and paste it into the Signed Certificate field. Include all of the certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
2. Click Upload. Once the autoloader or library has validated the signed certificate, it will display the Apply New Certificate Settings button.
3. Click Apply New Certificate Settings to save the settings.
If using ESKM 4.0, you must also copy the client certificate to the ESKM 4.0 client interface:
1. In the ESKM 4.0 client interface, navigate to Security > Local Users & Groups > Local Users for the user associated with the library.
2. Paste the signed client certificate in the Import New KMIP Client Certificate pane, and then click Save.
10. ...KMIP Enabled to configure partitions for use with KMIP, and then click Next.
The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify any settings or fix any issues, either click Back to reach the applicable screen, or Cancel out of the wizard to fix the issues and return later. If the settings are correct and there are no errors, click Finish.

Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries
The EBS Matrix lists the compatible KMIP server models, the server vendors, and links to primary documents those vendors provide.

Table 3 Enrolling the autoloader or library with a KMIP server
Description of task | Primary documents providing more detail | Comment
1. Install and configure the key servers | Server vendor's product documentation | Collect the IP address of each server.
2. Create a local CA and server certificate on the key server | Server vendor's product documentation | Collect the filename of the CA certificate (a file with a .crt extension).
3. Set up a new client user account for the autoloader or library | Creating the client user name and password on the server (page 12) | Collect the account username and the account password.
4. Install the library license | Licensing (page 5) |
5. Set or enter the KMIP security password | Set or en...
11. ...ESKM 4.0 server can serve libraries configured to use the ESKM protocol and libraries configured to use the KMIP protocol at the same time. Use the protocol that corresponds with the encryption license for your library. For configuration information, see HP Enterprise Secure Key Manager (ESKM) integration (page 7) or KMIP-based key server integration (page 12).

KMIP-based key servers
The 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries support integration with non-HP key servers through the KMIP protocol. This requires a KMIP Encryption license for the library. For configuration information, see KMIP-based key server integration (page 12).

Considerations for using an encryption key server
The libraries only support the configuration of one encryption key method at a time. For example, if the library is configured to obtain encryption keys from an encryption key server, it will not also be able to obtain encryption keys from the HP MSL Encryption Kit, nor from a backup application.

Media compatibility for drives supporting encryption
Table 1 Media compatibility
Media | LTO-4 drive | LTO-5 drive | LTO-6 drive
LTO-4 media, encrypted | Read/Write with encryption key | Read/Write with encryption key | Read with encryption key
LTO-5 media, unencrypted | Incompatible | Read/Write | Read/Write
LTO-5 media, encrypted | Incompatible | Read/Write with encryption key | Read/Write with encryption key
LTO-5...
12. [Screenshot: Configuration > Security page. USB MSL Encryption Kit Configuration: not available; KMIP needs to be disabled first, and a logout from the RMI and login again if necessary to get access. KMIP Encryption Configuration: Enter initial KMIP security password]

Entering the KMIP client credentials
In the RMI Configuration > Security page, enter the KMIP Client User Name and KMIP Client Password that the autoloader or library will use to log in to the key server, and then click Submit.
NOTE: This client user name and password must match the username and password on the KMIP server for this library.
[Screenshot: KMIP Client Credentials pane with KMIP Client User Name and KMIP Client Password fields]

Generating the client certificate request
In the KMIP Certificate Import section of the Configuration > Security page, click Generate Certificate Request. The KMIP Client User Name will be used as the certificate name for the certificate request. After generating the client certificate, follow the instructions in the server vendor's documentation to sign the certificate.
NOTE: If you plan to use the Disable Non-FIPS Algorithms and Key Sizes ESKM feature, verify that the autoloader or library is using a firmware version that generates 2048-bit certificates. Earlier firmware versions generated 1028-bit certificates, which are not FIPS compliant. The...
13. [Screenshot: ESKM Tier Selection screen. The HP ESKM offers a unique multi-tier failover capability. When the library attempts to connect, it will always try to connect to nodes in a primary tier. If unable to establish a connection to a node in the primary tier, it will attempt to connect to nodes residing in auxiliary tiers. Tiers are generally organized by geographic preference. For example, nodes residing in the same site as the library are preferred over nodes at a remote site. The local nodes would be listed in Tier 1, and nodes at remote sites are listed in Tiers 2 and 3. Only one tier is used by default. To add another tier, click the Add Tier button. Tier 1: IP Address/FQ hostname and Port fields; Add Tier, Remove Tier, Connectivity Check, and Finish buttons]
10. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify settings or address issues, either click Back to reach the applicable screen, or Cancel out of the wizard to fix the issues and return later. If the settings are correct and there are no errors, click Finish.
[Screenshot: Setup Summary. Please make sure all settings listed here are correct before submitting the configuration by pressing the Finish button. Client Username: ca l11 eskm; Tier 1. Task / Info: Library Certificate, Finished; ESKM Certificate, Finished; Connectivity Ch...]
14. ...are using ESKM 4.0 or later with the KMIP protocol, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library. If you are using a different server, consult your server documentation for instructions.
1. Log into the SafeNet KMIP server and select the Security tab.
2. In the Users & Groups panel, select Local Users & Groups.
3. Click Add.
4. Enter the user name and password, set the User Administration Permission and Change Password Permission settings, and then click Save.
[Screenshot: SafeNet KMIP server, Security tab: Local Users & Groups > User & Group Configuration > Local Users; CAs & SSL Certificates; Advanced Security; Save and Cancel buttons]

Configuring the KMIP feature for the MSL6480
With the Key Management Interoperability Protocol (KMIP) Wizard you can configure use of KMIP key management servers with the MSL6480 library. Access to the wizard from the Encryption menu on the RMI is only available to the security user and requires that the KMIP license has been added from the Configuration > System > License Key Handling screen.
NOTE: The MSL6480 library only allows one encryption key manager type to be used at a time. For example, if KMIP is enab...
15. [Screenshot: library certificate text; Next, Finish, and Cancel buttons]
10. If you generated a new certificate, you must sign the new certificate in the Sign Library Certificate screen. Follow the instructions on the screen to sign the certificate in the ESKM web interface, and then paste it into the ESKM Certificate pane. After pasting the signed certificate, click Next.
Sign Library Certificate screen text: Sign your new certificate using the Key Manager Management Console. Within the HP ESKM Management Console:
1. Click the Security tab and locate the Certificates & CAs section.
2. Select Local CAs.
3. Under the Local Certificate Authority list there are a series of buttons. Click Sign Request.
4. Select Client as the Certificate Purpose and enter the number of days before the certificate expires into the Certificate Duration field.
5. Paste the certificate text into the Certificate Request field.
16. Using an encryption key server
When a key manager is enabled and properly configured, tape data will automatically be encrypted with keys delivered from the key manager. Tapes are encrypted on a key-per-tape basis. Some key managers support additional options, such as having a key per partition.
Write and append operations: The tape drive will request a key when data is written. The tape library, acting as an intermediary, may request the key manager to create a key. The library then obtains that key and delivers it to the tape drive. The key is identified by a name, which is associated with the media identifier. The key is retained in the tape drive until the tape is unloaded.
Read operations: The tape drive will request a key. The tape library, acting as an intermediary, obtains the key identifier, requests that key from the key manager, and delivers it to the tape drive. The key is retained in the tape drive until the tape is unloaded and is used for any remaining read operations.

HP Enterprise Secure Key Manager (ESKM)
All ESKM versions support the ESKM encryption protocol, which can be used by the MSL6480 and requires an ESKM Encryption license for the library. ESKM 4.0 and later versions also support the KMIP protocol, which can be used by the 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries. Accessing the ESKM 4.0 with the KMIP protocol requires a KMIP Encryption license for the library. The same E...
17. ...2048-bit certificates, update the autoloader or library to the current version and retry the test. The earliest firmware versions that generate 2048-bit certificates are: 1/8 G2 autoloader 4.30; MSL2024 6.20; MSL4048 8.70; MSL8048 and MSL8096 1130.

Basic encryption test
1. Using your backup application, load a scratch tape into a drive in a partition configured for encryption with the key server.
2. Rewind and then initialize the tape. This will overwrite any previous contents with an encrypted header. If all is configured correctly, the backup application will report successful media initialization.
   a. Log in to the key managers and confirm that a new key was created. Refer to your server documentation for instructions.
   b. Log in to other key servers in the cluster and confirm that the key is replicated to each server.
3. Using your backup application, unload the cartridge to a slot.
4. From the key server, find the key that was created in step 2 and temporarily disable the key's ability to be exported. See your server documentation for instructions.
5. Using your backup application, load the same tape into any drive in the partition configured for encryption with a key server.
6. Read the header of the tape using a media identification or similar command.
   • The backup application should report a failure because the key cannot be exported but the header is encrypted.
   • One of the key server logs should show a reques...
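The following is an added example, not HP's library or key-server code and not taken from this guide. It models the key-per-tape flow the "Using an encryption key server" section describes (the library, as intermediary, asks the key manager to create a key on first write, names it after the media identifier, delivers it to the drive and drops it on unload) and then replays steps 1 to 6 of the basic encryption test above against that model. The KeyManager, Library, Drive and Tape classes, the "tape-<media id>" naming rule, the scratch-tape identifier and the log line format are all constructed for illustration; replication across a cluster (step 2b) is not modelled. The point it shows is the expected failure mode: once export is disabled in step 4, the read in step 6 fails and the key server's log records the denied request.

```python
"""Key-per-tape flow and the export-disabled check of the basic encryption test.
Added illustration; classes, key naming and log format are constructed, not HP's."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class KeyExportDisabled(Exception):
    """Raised when the key server refuses to export a key."""


@dataclass
class KeyManager:
    """Stand-in for one key server: named keys, an export flag per key, a request log."""
    keys: Dict[str, bytes] = field(default_factory=dict)
    exportable: Dict[str, bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def create_key(self, key_name: str) -> str:
        self.keys[key_name] = secrets.token_bytes(32)   # 256-bit key material
        self.exportable[key_name] = True
        self.log.append(f"CREATE {key_name} ok")
        return key_name

    def set_exportable(self, key_name: str, allowed: bool) -> None:
        self.exportable[key_name] = allowed

    def get_key(self, key_name: str) -> bytes:
        if key_name not in self.keys:
            self.log.append(f"GET {key_name} denied: unknown key")
            raise KeyError(key_name)
        if not self.exportable[key_name]:
            self.log.append(f"GET {key_name} denied: export disabled")
            raise KeyExportDisabled(key_name)
        self.log.append(f"GET {key_name} ok")
        return self.keys[key_name]


@dataclass
class Tape:
    media_id: str
    key_name: Optional[str] = None     # recorded in the encrypted header once initialised


@dataclass
class Drive:
    loaded: Optional[Tape] = None
    key: Optional[bytes] = None        # retained only while the tape stays loaded


@dataclass
class Library:
    """The intermediary: it talks to the key manager on the drive's behalf."""
    km: KeyManager
    drive: Drive = field(default_factory=Drive)

    @staticmethod
    def key_name_for(media_id: str) -> str:
        return f"tape-{media_id}"        # constructed rule tying the key name to the media id

    def load(self, tape: Tape) -> None:
        self.drive.loaded, self.drive.key = tape, None

    def unload(self) -> None:
        self.drive.loaded, self.drive.key = None, None   # key is dropped on unload

    def write(self, data: bytes) -> str:
        """Write/append: create a key for a fresh tape, then deliver it to the drive."""
        tape = self.drive.loaded
        if tape is None:
            raise RuntimeError("no tape loaded")
        if tape.key_name is None:
            tape.key_name = self.km.create_key(self.key_name_for(tape.media_id))
        if self.drive.key is None:
            self.drive.key = self.km.get_key(tape.key_name)
        return tape.key_name

    def read_header(self) -> bool:
        """Read: look up the key identifier on the tape and fetch that key."""
        tape = self.drive.loaded
        if tape is None or tape.key_name is None:
            return False
        if self.drive.key is None:
            try:
                self.drive.key = self.km.get_key(tape.key_name)
            except KeyExportDisabled:
                return False                # the backup application reports a failure
        return True


def basic_encryption_test(km: KeyManager, lib: Library) -> Dict[str, bool]:
    """Steps 1-6 of the guide's basic encryption test, run against the model."""
    tape = Tape(media_id="SCRATCH01")            # constructed scratch tape
    lib.load(tape)                               # 1. load the scratch tape
    key_name = lib.write(b"encrypted header")    # 2. initialise: a key is created
    created = key_name in km.keys                #    2a. confirm the key exists
    lib.unload()                                 # 3. unload to a slot
    km.set_exportable(key_name, False)           # 4. disable export on the server
    lib.load(tape)                               # 5. load the same tape again
    readable = lib.read_header()                 # 6. read header: expected to fail
    denied_logged = any("denied: export disabled" in line for line in km.log)
    lib.unload()
    km.set_exportable(key_name, True)            # restore export for normal use
    return {"key_created": created, "read_ok_while_disabled": readable,
            "denied_logged": denied_logged}


if __name__ == "__main__":
    manager = KeyManager()
    print(basic_encryption_test(manager, Library(manager)))
    print("\n".join(manager.log))
```

Running the block prints the three observations the test procedure asks you to confirm (key created, read denied while export is disabled, denial visible in the server log) followed by the constructed request log.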
18. ...the library, and then check Enable KMIP.
[Screenshot: ESKM Management Console, Security > Local Users & Groups > Local Users, selected local user (Properties tab): Username, Password, User Administration Permission, Change Password Permission, Enable KMIP (checked), Default KMIP Object Group; Client Certificate details (subject, common name, validity dates, date created, date last modified) and KMIP Client Certificate Contents]
7. Verify that the KMIP feature is working. See Verifying that the encryption key server integration is working (page 23).

Using the KMIP Wizard
1. In the Configuration area, click KMIP Wizard in the Encryption menu to start the wizard.
2. The Wizard Information screen displays information about the wiza...
19. ...earliest firmware versions that generate 2048-bit certificates are:
   • 1/8 G2 autoloader 4.30
   • MSL2024 6.20
   • MSL4048 8.70
   • MSL8048 and MSL8096 1130

Signing the client certificate on the server
NOTE: These instructions are for the SafeNet KMIP server. If you are using a different server, consult your server documentation for instructions.
1. Log into the SafeNet KMIP server and select the Security tab.
2. In the CAs & SSL Certificates area, select Local CAs.
3. Click Sign Request. The Sign Certificate Request screen appears.
4. Enter the request information, and then click Sign Request.
   • Sign with Certificate Authority: Verify that the desired Certificate Authority is selected.
   • Certificate Purpose: Select Client.
   • Certificate Duration (days): Enter the desired duration.
   • Certificate Request: Paste the certificate request obtained from the autoloader or library RMI. See Generating the client certificate request (page 18).
The result will be the signed client certificate, which will be used in Installing the signed client certificate (page 19).
20. [Setup Summary, continued: Connectivity Check, Finished; ESKM Tier Settings Saved, Finished; ...store Configuration To System]

3 KMIP-based key server integration
The HP StoreEver 1/8 G2 Tape Autoloader and tape libraries support integration with encryption key management servers using the Key Management Interoperability Protocol (KMIP) standard. KMIP is an industry-standard protocol for communications between a key management server and an encryption system. The KMIP specification is developed by the KMIP technical committee of the OASIS standards body (Organization for the Advancement of Structured Information Standards).
The KMIP feature allows the tape device to obtain encryption keys from selected KMIP-compliant key managers. These keys can be used to encrypt data as it is written to tape. Up to six key servers can be configured for failover purposes.
ESKM 4.0 and later versions can be accessed through the KMIP protocol. The same ESKM server can serve keys through both the native ESKM and KMIP protocols at the same time.
To use the KMIP feature, the autoloader or library must have access to a KMIP key manager. HP only supports KMIP when used with a supported key manager listed in the EBS Matrix, located at www.hp.com/go/ebs. For additional information on configuring KMIP servers for use with the autoloader and libraries, see the KMIP server documentation.

Creating the client user name and password on the server
NOTE: These instructions are for the SafeNet KMIP server. If you...
21. ... 4
Considerations for using an encryption key server .......... 5
Media compatibility for drives supporting encryption .......... 5
Licensing .......... 5
Installing the encryption license .......... 6
2 HP Enterprise Secure Key Manager (ESKM) integration .......... 7
3 KMIP-based key server integration .......... 12
Creating the client user name and password on the server .......... 12
Configuring the KMIP feature for the MSL6480 .......... 13
Using the KMIP Wizard .......... 14
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries .......... 17
Set or enter the KMIP security password .......... 17
Entering the KMIP client credentials .......... 18
Generating the client certificate request .......... 18
Signing the client certificate on the serve...
22. ...version number, or the URL when submitting your feedback.
23. ...set up on the ESKM device, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library. Enter the client username and password, and then click Next.
[Screenshot: ESKM Client Configuration. Enter the Enterprise Secure Key Manager (ESKM) settings: the username and password that will be used by the library for authentication while connecting to the ESKM. These should be the same as the username and password that were specified on the ESKM Management Console for this library. Client Username: ca l11 eskm; Client Password; Confirm Password; Back, Next, Finish, and Cancel buttons]
7. The Certificate Generation screen displays the current library certificate, if one exists. Select whether to keep the current certificate or generate a new one, and then click Next.
[Screenshot: Certificate Generation screen. Options: Keep Current Certificate, or Generate New Certificate (generate a certificate that is later signed for use on the library). Copy the entire certificate. NOTE: Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines in your selection. When you have copied the certificate, click Next. Library Certificate: Select Certificate, followed by the certificate text]
24. ...the new KMIP certificate in the box, and then click Next. If using ESKM 4.0, you must also paste the signed certificate in the ESKM 4.0 client interface. Navigate to Security > Local Users & Groups > Local Users for the user associated with the library, and then paste the certificate in the Import New KMIP Client Certificate pane. Click Save.
[Screenshot: ESKM Management Console, Security > Local Users & Groups > Local Users, User and Group Configuration for the selected local user: Username, Password, Confirm Password, User Administration Permission, Change Password Permission, Enable KMIP, Default KMIP Object Group; imported KMIP client certificate ending in END CERTIFICATE; Save and Cancel buttons]
10. In the KMIP Server Configuration screen, enter the IP address or fully qualified hostname and port number for up to ten KMIP servers. The default port for KMIP is 6596. HP recommends using the default value. To verify access to the KMIP servers, click Connectivity Check.
11. In the KMIP Partition Enablement screen, select KM...
25. ...instructions and additional information.

Connectivity test
The autoloader and library RMIs provide a connectivity test.
MSL6480: The ESKM connectivity check is on the ESKM Tier Selection screen of the ESKM wizard. To start the wizard, click ESKM Wizard in the Encryption menu.
[Screenshot: ESKM Tier Selection screen (multi-tier failover description), with Tier 1 populated with NODE 1 through NODE 6 on port 9000; Add Tier, Remove Tier, Connectivity Check, Back, Next, Finish, and Cancel buttons]
The KMIP connectivity check is on the KMIP Server Configuration screen of the KMIP wizard. To start the wizard, click KMIP Wizard in the Encryption menu.
Autoloader and other MSL libraries: Run the connectivity test from the Configuration > Security page. In the KMIP Diagnostics pane, click...
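The tier-ordered failover that the ESKM Tier Selection screen describes (try every node in Tier 1, fall back to Tier 2 and then Tier 3 only when the higher tier is exhausted), the six-server KMIP cluster failover, and the Connectivity Check button all reduce to one small piece of selection logic. The block below is an added example written for this page; it is not HP firmware or any code from this guide. The node names, the injected try_connect callback, and the reachability map are constructed so the walk can be exercised offline; the real tcp_connect_check only tests that a TCP connection opens, which corresponds to the Connectivity column of the RMI diagnostics and says nothing about certificates or credentials. The six-nodes-per-tier limit and the 5696 KMIP port are the values stated in this guide.

```python
"""Tiered key-server failover and a per-node connectivity check.
Added example modelled on the ESKM Tier Selection behaviour; not HP code."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Node = Tuple[str, int]            # (hostname or IP address, port)
Tiers = List[List[Node]]          # Tier 1 first; each tier holds up to six nodes
Checker = Callable[[Node], bool]

MAX_NODES_PER_TIER = 6            # limit stated in the guide for ESKM tiers
DEFAULT_KMIP_PORT = 5696          # port the guide requires for KMIP servers


def validate_tiers(tiers: Tiers) -> None:
    """Reject configurations the wizard would not accept."""
    if not tiers:
        raise ValueError("at least one tier is required")
    for i, tier in enumerate(tiers, start=1):
        if not 1 <= len(tier) <= MAX_NODES_PER_TIER:
            raise ValueError(f"Tier {i} must hold 1 to {MAX_NODES_PER_TIER} nodes")
        for host, port in tier:
            if not host or not 1 <= port <= 65535:
                raise ValueError(f"Tier {i}: bad node {host}:{port}")


def tcp_connect_check(node: Node, timeout: float = 3.0) -> bool:
    """Real reachability test: can a TCP connection be opened at all?
    This mirrors the Connectivity column only; it does not validate the
    server certificate or the client credentials."""
    host, port = node
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connectivity_report(tiers: Tiers, try_connect: Checker = tcp_connect_check) -> Dict[Node, bool]:
    """Check every configured node, like the wizard's Connectivity Check button."""
    validate_tiers(tiers)
    return {node: try_connect(node) for tier in tiers for node in tier}


def select_key_server(tiers: Tiers, try_connect: Checker = tcp_connect_check) -> Tuple[Optional[Node], List[Node]]:
    """Walk Tier 1, then Tier 2, ... and return the first reachable node plus the
    nodes tried. A lower tier is consulted only after every node above it failed."""
    validate_tiers(tiers)
    tried: List[Node] = []
    for tier in tiers:
        for node in tier:
            tried.append(node)
            if try_connect(node):
                return node, tried
    return None, tried


# Constructed sample: the local-site tier is fully down; one remote node is up.
SAMPLE_TIERS: Tiers = [
    [("eskm1.local.example", DEFAULT_KMIP_PORT), ("eskm2.local.example", DEFAULT_KMIP_PORT)],
    [("eskm1.remote.example", DEFAULT_KMIP_PORT), ("eskm2.remote.example", DEFAULT_KMIP_PORT)],
]
SAMPLE_REACHABLE = {("eskm2.remote.example", DEFAULT_KMIP_PORT)}


def fake_connect(node: Node) -> bool:
    """Offline stand-in for tcp_connect_check driven by the constructed map."""
    return node in SAMPLE_REACHABLE


if __name__ == "__main__":
    for node, ok in connectivity_report(SAMPLE_TIERS, fake_connect).items():
        print(f"{node[0]}:{node[1]} -> {'reachable' if ok else 'unreachable'}")
    chosen, attempts = select_key_server(SAMPLE_TIERS, fake_connect)
    print("tried:", attempts)
    print("selected:", chosen)
```

Against real servers, call select_key_server with the default tcp_connect_check; a result of None with all nodes in the tried list is the condition the RMI reports as a failed connectivity test.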
26. [...]led and in use, the MSL Encryption Kit cannot also be used for encryption key generation and retrieval.
Before running the wizard, verify that:
• The library configuration is complete, including defining all library partitions.
• The KMIP server is available on the network and has been configured for use with this library.
• All tape drives in the library are empty.
• The KMIP server management user interface is open and ready for use. The server user interface and library RMI are used together to configure the library for KMIP.
• The KMIP license has been installed in the library. For licensing information and instructions on installing the license, see Licensing, page 5.
To configure the KMIP feature:
1. Install and configure the key servers. See the vendor's product documentation for details. Collect the IP address of each server.
2. Create a local CA and server certificate on the key server. See the vendor's product documentation for details. Collect the filename of the CA certificate, a file with a .crt extension.
3. Set up a new client user account for the library. See Creating the client user name and password on the server, page 12. Collect the account user name and password.
4. Use the KMIP Wizard to enroll the library with the KMIP server. See Using the KMIP Wizard, page 14.
5. If using the ESKM 4.0 server with the KMIP protocol, in the ESKM 4.0 user interface navigate to the Properties tab for the user associated with th[...]
27. [...] media, unencrypted | Incompatible | Read/Write | Read/Write | Read/Write
LTO-5 media, encrypted | Incompatible | Read/Write with encryption key | Read/Write with encryption key
LTO-6 media, unencrypted | Incompatible | Incompatible | Read/Write
LTO-6 media, encrypted | Incompatible | Incompatible | Read/Write with encryption key
Licensing
The KMIP and ESKM features require that the applicable license for the library be installed before the feature can be enabled and configured.
Table 2 KMIP and ESKM encryption licenses
Library | Part number | License
MSL6480 | D4T76A | HP StoreEver MSL6480 KMIP 1.2 Key Manager License
MSL6480 | D4T76AAE | HP StoreEver MSL6480 KMIP 1.2 Key Manager E-License
MSL6480 | TC469A | HP StoreEver MSL6480 ESKM Encryption License
MSL6480 | TC469AAE | HP StoreEver MSL6480 ESKM Encryption E-License
• 1/8 G2 Tape Autoloader • MSL2024 | TC468A | HP StoreEver MSL2024/4048/8096 KMIP License
Considerations for using an encryption key server 5
Table 2 KMIP and ESKM encryption licenses (continued)
• MSL4048 • MSL8096 | TC468AAE | HP StoreEver MSL2024/4048/8096 KMIP E-License
Installing the encryption license
The license is installed from the library RMI or with HP Command View for Tape Libraries version 3.7 or later.
MSL6480
Install the license from the Configuration > System > License Key Handling screen. Enter the License Key and then click Add License.
[Screenshot: Configuration > System > License Key Handling, Add License Key pane with the License Key field and the Add License button]
28. [...]ncryption Configuration pane of the Configuration > Security page. If the library is partitioned into multiple logical libraries, encryption can be enabled for one or more logical libraries or partitions.
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries 21
[Screenshot: KMIP Encryption Configuration pane with the Submit button]
22 KMIP-based key server integration
4 Verifying that the encryption key server integration is working
HP recommends verifying that the encryption process is working before placing the autoloader or library into a production environment. This is often called an end-to-end verification test. The following steps describe how an end-to-end verification test can be conducted:
• Connectivity test: Verifies that the autoloader or library can connect with each of the configured key servers. See Connectivity test, page 23.
• Basic encryption test: Verifies that encryption is working on partitions configured for encryption. See Basic encryption test, page 25.
• Failover test: Verifies that keys can be retrieved from another server if the server currently in use becomes unavailable. See Failover test, page 25.
Some of the steps occur on the key server, and HP cannot provide specific details for non-HP key servers. For the SafeNet KMIP server, log files can be found on the SafeNet Device > Log Viewer > System screen. See your server vendor documentation for specific [...]
29. [Screenshot: ESKM Security > Local CAs > Certificate and CA Configuration, CA Certificate Information screen showing the CA certificate name, key size, start date (Jan 26 17:08:31 2014 GMT), expiration (Jan 25 17:08:31 2024 GMT), the subject and issuer fields, the PEM certificate text between the BEGIN CERTIFICATE and END CERTIFICATE lines, and the Download, Sign Request, Show Signed Certs and Back buttons]
5. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
6. In the ESKM Client Configuration screen, enter the username and password that the library will use to communicate with the ESKM.
8 HP Enterprise Secure Key Manager (ESKM) integration
NOTE: This username and password must match the client username and password created on the ESKM server. If the username and password have not already been s[...]
30. [...]or without compression while maintaining the full speed and capacity of the tape drive and media.
NOTE: An LTO-4 or later generation tape drive will not write encrypted data to an LTO-3 or earlier generation tape. For additional compatibility information, see Media compatibility, page 5.
Encryption is the process of changing data into a form that cannot be read until it is deciphered with the key used to encrypt the data, protecting the data from unauthorized access and use. LTO-4 and later generation tape drives use the 256-bit version of the industry-standard AES encryption algorithm to protect your data.
Your company policy will determine when and how to use encryption. For example, encryption may be mandatory for company-confidential and financial data but not for personal data. Company policy will also define how encryption keys should be generated and managed, how frequently they should be changed, and how passwords are managed.
Encryption is primarily designed to protect the media once it is offline and to prevent it from being accessed by unauthorized users. You will be able to read and append the encrypted media as long as a key server token containing the correct key is installed and the appropriate passwords are available.
For more information about AES encryption, encryption keys, and using hardware encryption with your HP Ultrium tape drive, see the White Papers at http://h18006.www1.hp.com/storage/tapewhitepapers.html an[...]
31. [...]r ........ 19
Installing the signed client certificate ........ 19
Configuring access to the key servers ........ 21
Enabling KMIP-based encryption ........ 21
4 Verifying that the encryption key server integration is working ........ 23
Connectivity test ........ 23
Basic encryption test ........ 25
Failover test ........ 25
5 Support and other resources ........ 27
Contacting HP ........ 27
Typographic conventions ........ 27
6 Documentation feedback ........ 28
Contents 3
1 Introduction
This document includes information about configuring and using encryption key servers with the 1/8 G2 Tape Autoloader and MSL Tape Libraries with LTO-4 and later generation tape drives. The LTO-4 and later generation tape drives include hardware capable of encrypting data while it is being written and decrypting data when reading. Hardware encryption can be used with [...]
32. [...]rd. If the library configuration is complete and the KMIP server is available on the network, click Next.
The Certificate Authority Information screen displays prerequisites for using the KMIP certificate. When the prerequisites are met, click Next.
The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the KMIP server. Follow the instructions to copy the certificate from the management console. For example, when using the ESKM 4.0 with the KMIP protocol, you can find the certificate in the ESKM 4.0 web interface CA Certificate Information screen.
KMIP-based key server integration
Paste the certificate into the wizard and then click Next.
The Library Certificate Information screen displays information about the next wizard steps. Click Next.
In the KMIP Client Configuration screen, enter the username and password that the library will use to communicate with the KMIP server, and then click Next.
NOTE: This username and password must match the client username and password entered on the KMIP server for this library.
The Certificate Generation screen displays the current library certificate, if one exists. To use the current certificate, select Keep Current Certificate and then click Next. To generate a new certificate, select Generate New Certificate. The wizard will generate and display a new library certificate. Click Select Certificate to copy the new certificate text, and then click Next.
33. [...]t for the key and that the request was denied.
Using the backup application, unload the media to a slot.
From the key server, re-enable the ability to export the key that was disabled in step 4.
Repeat step 5. The command should succeed.
Unload the media to a slot. This concludes the basic encryption test.
Failover test
1. From the basic encryption test, step 8, identify the key server that provided the key. This is the server that logged the key export.
2. From the key server, temporarily disable that server's ability to communicate with clients. See the server documentation for instructions.
3. Repeat step 5 of the basic encryption test. The command should succeed, with the key provided by a different server. You can identify the server that exported the key by inspecting each server's log files.
4. Unload the media to a slot.
5. If there are more than two key servers, continue disabling server-client communications and repeating this test until every server has successfully served the key.
Basic encryption test 25
6. Re-enable the ability of each server to communicate with the clients. This concludes the failover test.
26 Verifying that the encryption key server integration is working
5 Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
34. [...]ter the KMIP security password in the RMI | [...], page 17
6. Enter the KMIP Client Credentials in the RMI. The user name will also be used to generate the client certificate. | Entering the KMIP client credentials, page 18
7. Generate the autoloader or library client certificate request | Generating the client certificate, page 18
8. Sign the client certificate on the server | Signing the client certificate, page 19
9. Install the signed client certificate in the RMI. If using ESKM 4.0, also copy the signed certificate to the ESKM 4.0 client. | Installing the signed client certificate, page 19
10. Configure the accessible key servers for the autoloader or library. Enter the IP addresses from step 1. | Configuring access to the key servers, page 21
11. Enable KMIP-based encryption for the autoloader or library | Enabling KMIP-based encryption, page 21
12. Verify that the KMIP encryption feature is working | Verifying that the encryption key server integration is working, page 23
NOTE: HP supplies the ESKM server but does not supply other KMIP servers. If you are not familiar with configuring KMIP servers, please contact your KMIP server vendor.
Set or enter the KMIP security password
In the RMI Configuration > Security page, enter the KMIP security password, which is required for modifying the KMIP configuration.
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL [...]