Contents

1. First KMA Second KMA Hostname IP Address DHCP Hostname IP Address DHCP Description Netmask Netmask LAN O NET 0 Yes 1 Yes O Management No No LAN 1 NET MGT Yes 4 Yes 1 ELOM ILOM No No Q LAN 2 NET 2 Yes 4 Yes 1 Service No No Q LAN 3 NET 3 Yes 1 Yes 1 Aggregated No No Using IPv6 Yes Li No O Yes 4 No O addressing KMA Name Gateway DNS Server Hostname Hostname IP address IP address Security Officer Login Login Passphrase Passphrase Root account Login Login Passphrase Passphrase Passphrase ELOM Passphrase Login Login Passphrase Passphrase Key Split Credentials2 Autonomous Unlocking 3 Keyboard Type 1 Addresses assigned using DHCP must be static The system cannot handle the DHCP server changing the IP addresses once assigned 2 Configuration M of N where M is minimum threshold and N is the size of key split configuration List key split users and passphrases 3 Autonomous Unlocking allows the KMA to enter a fully operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the OKM Manager This information should not be written down and should be entered by the person to which they belong These entries can be changed in the OKM Manager so it may be desirable to enter something simple during the configuration then change it later using the OKM GUI immediately after th
2. Component Version Version Version Version Version Version Version OKM 2 0 2 2 1 2 2 or 2 2 1 2 3 2 4 2 5 2 5 1 Library Management ACSLS 7 1 and 7 1 1 with PUTO701 or 7 2 and 7 3 HSC 6 1 or 6 2 VSM 6 1 or 6 2 includes VTCS and VTSS VTL models 1 0 or 2 0 Tape Drives SL8500 SL3000 Lxxx 9310 9311 SL500 VOP SL150 L FRS_4 70 L FRS_2 30 n a n a L 1373 IBM LTO4 D BBH4 FC D BBH4 FC D BBH4 FC 1 0 14 n a for FC n a for SCSI n a for SCSI D BBH4 SCSI n a for SCSI IBM LTO5 D BBNH FC D BBNH FC D BBNH FC 1 0 16 n a for FC IBM LTO6 L 8 01 L 4 0 L 1483 L 1 80 D CT94 FC D CT94 FC n a for FC n a for FC Legend L Library firmware level D Drive firmware level FC Fibre Channel SPS Special firmware Requires approval n a Not applicable Not supported Revision 04 Chapter 3 Site Preparation 79 Firmware Levels 80 OKM Systems Assurance Guide June 2013 Revision 04 CHAPTER 4 Components This chapter contains descriptions for the components in an Oracle Key Manager encryption solution Supported Configurations The following components can be ordered to support customer requirements and configurations for an Oracle Key Manager encryption solution Key Management Appliance This is a required component for key creation management and assignments When implementing an encryption solution using one of Oracle s StorageTek libraries review the following SL8500 Mod
3. Port2 Port 0 De sw 7 LI L i Port 1 T9840D d Cong i T9840D 1 1 Oracle Service Network 1 IP Space 1 127 18 18 0 23 T10000C 1 1 T10000C B 10x11x L LTO 5 a LJ LTO 5 LJ L 1 L LTO 6 LTO 6 a Ethernet Switch L L L 0 Customer s x Service mma Network i IP 172 18 18 3 Port 1A Port 1A Port 1A T105_075 104 111 10 3 11 2 103 111 Revision 04 Chapter 3 Site Preparation 57 Content Management Content Management Encryption capable tape drives add another element to the design for content management in an SL8500 SL3000 SL500 and SL150 library installation All three libraries have a different design that share similar elements considerations include TABLE 3 3 Content Management Planning m Libraries m Tape Drives Element SL8500 SL3000 SL500 SL150 Drive You may need to order multiple kits or additional Ethernet switches to support all the encryption Quantity capable tape drives in a library m Single 1 to 64 drives m 1 to 56 tape drives m 1 to 18 tape drives m 1 to 20 tape drives m 10 library complex up to 640 drives Encryption m T10000 A B and C m T10000 A Band C m LTO4 5 and6only m LTO 5 and 6 HP Drives m T9840D m T9840D HP IBM Supported m LTO 4 5 and 6 m LTO 4 5 and 6 Non m T10000 A B and C m T10000 A B and C m LTO 2 3 4 5 6 HP m LTO 3 4 5 6 HP encryption m T9840 A B C and D m T9840 C and D IBM Drives m LTO 3 4
4. [Screenshot of the manager window, T105_116.] The manager is an easy-to-use graphical user interface that allows users to configure functions of the KMAs depending on the roles that user is assigned (see Role-Based Operations on page 64). The manager contains System, View, and Help menus in the upper left corner of the display, with toolbar buttons that provide shortcuts to several menu options. Role-Based Operations: The manager defines and uses the following roles. Completing and assigning roles is a customer task; service representatives should only advise. Auditor: Views information about th
5. 9310 library T L Series T SL24 SL48 T Oracle Database Tape Drive Types 1 T10000A tape drive 1 T10000B tape drive How many Q T10000C tape drive A T9840D tape drive 1 HP LTO tape drive Database Type Q IBM LTO tape drive T Standalone KMA Site Location KMA S N KMA Name KMA Firmware Level KMA Number Number of KMAs in Cluster KMA IP Address Service Network IP Oracle Manager IP ELOM ILOM IP IPv6 Li Yes No DR Site 4 Yes 4 No NTP Yes Li No DHCP 3 Yes Ci No Gateway 4 Yes 41 No DNS Si Yes No KMA Location Oracle Manager Location Configuration Types 2 SL8500 library T SL3000 library Q SL500 library Q SL150 library 11 9310 library T L Series T SL24 SL48 Q Oracle Database Tape Drive Types 1 T10000A tape drive 1 T10000B tape drive How many 1 T10000C tape drive 1 T9840D tape drive 1 HP LTO tape drive Database Type 1 IBM LTO tape drive T Standalone 110 OKM Systems Assurance Guide June 2013 Revision 04 Obtaining Support Obtaining Support Technical support is available 24 hours a day seven days a week and begins with a telephone call from you to Oracle Support You will receive immediate attention from qualified personnel who record problem information and respond with the appropriate level of support To contact Oracle about a problem 1 Use the telephone and c
6. 26 OKM Systems Assurance Guide June 2013 Tape Drive Comparisons TABLE 1 7 Tape Drive Comparison Tape Drive Comparisons StorageTek HP IBM Specification T10K A T10K B T10K C T9840D LTO4 LTO5 LTO6 LTO4 LTO5 LTO6 Capacity native 500 GB 1TB 5 TB 75 GB 800 GB 1 5 TB 2 5 TB 800 GB 1 5 TB 2 5 TB Transfer rates 120 120 240 30 120 140 160 120 140 160 native MB s MB s MB s MB s MB s MB s MB s MB s MB s MB s Buffer size 256 MB 256 MB 2 GB 64 MB 256 MB 256 MB 512 MB 256 256 MB 1 GB MB Load Time 16 16 13 1 8 5 19 12 22 15 12 12 seconds Access seconds 46 46 73 5 8 72 60 50 46 60 96 Tape speed m s 2 4 95 2 3 74 5 62 3 4 7 0 7 12 7 0 6 8 Rewind time 90 90 10 13 16 8 106 54 96 78 98 51 106 54 96 78 42 seconds Unload Time 23 23 23 12 22 17 19 22 17 17 seconds Interfaces Fibre Channel 2 amp 4 4 Gb s 4 Gb s 4 Gb s 4 Gb s 8 Gb s 8 Gb s 4 Gb s 8 Gb s 8 Gb s Gb s SCSI SAS n a n a n a n a Ultra n a 6 Gb Ultra n a 6 Gb 320 SAS 320 SAS FICON 2 Gb s 2 Gb s 4 Gb s 2 Gb s Not Supported Not Supported ESCON 2 Gb s 2 Gb s no 2 Gb s Compatibility Availability 290 000 hrs 290 000 hrs 250 000 hrs 250 000 hrs MTBF Tracks 768 1152 3 584 576 896 1280 2176 896 1280 2176 Length usable 855 m 855 m 1 107 m 251 m 820 m 850 m 846 m 820 m 850 m 846 m 2805 ft 2805 8 632 889 ft 2690 ft 2789 ft 2776 ft 2690 2789 ft 2776 f
7. Yes NoU 44 OKM Systems Assurance Guide June 2013 Revision 04 TABLE 3 1 Site Planning Checklist Continued Site Planning Checklist Request ASR or Phone home feature when specific hardware faults occur Question Completed Comments Drive types Q T10000A D T10000B Check current and required firmware D T10000C versions LI T9840D Requires drive tray and Dione card L HP LTO4 Requires drive tray and Belisarius card Q IBM LTO4 O HP LTOS Requires drive tray and Belisarius card Q IBM LTO5 D HP LTO6 Q IBM LTO6 Configurations continued Does the customer need to order more drives Yes No How many tape drives a Tape drive type D T10000A a Interface types 1 T10000B a FC Fibre Channel all tape drives 1 T10000C FI FICON T Series only Q T9840D ES ESCON T9840D UW HP LTO4 SCSI SL500 library and LTO drive only 1 IBMLTO4 Q HP LTO5 Q IBM LTO5 D HP LTO6 D IBM LTO6 Are additional cartridges required Note a Data cartridge Yes Nod All versions of encryption tape drives Cleaning cartridges YesQ Nod use different unique cartridges a VolSafe cartridges Yes No B Re mi a Labels wea Noa LOLS IIO ade m LTOS LTOS cartridges Type m LTO6 LTO6 cartridges All versions of each cartridge type are m Quantity supported for example standard sport VolSafe and WORM Is the customer interested in the Auto Service Yes No See Auto Service Request ASR Featur
8. LTO4 append write to encrypted data (Space EOD and write): OK, encrypted; OK, encrypted. LTO4 append write to encrypted data (Read to EOD and write): OK, encrypted; OK, encrypted but with prior read key (Note 4). If the correct key is available. Note 1: Enterprise drives do not allow the mixing of encrypted and non-encrypted data on a single tape. Note 2: While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit, since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them. Note 3: Unlike HP drives, IBM drives will error in this scenario. Note 4: In this scenario, IBM drives will write encrypted data but will use the same key as was used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued, and this will ignore the Key Expiration Policy set by the OKM. Note 5: HP drives will write tapes in non-encrypted mode. The LTO3 format does not support encryption, and this could be considered a security violation, since HP LTO4 and LTO5 drives can be made to write non-encrypted data simply by inserting an LTO3 cartridge. Note 6: IBM drives will report an error if an attempt is made to write LTO3 tapes.
9. Linux Yes Yes Yes Unix Yes Yes Yes 64 bit Support Yes Yes Yes 82 OKM Systems Assurance Guide June 2013 Revision 04 Key Management Appliance Key Management Appliance The current key management appliance is a Sun Fire X4170 M2 server Rack mountable Key Management Appliance KMA order CRYPTO KMA 23 or 597 1095 01 ma If an SCA6000 card is required order 375 3424 06 This card provides FIPS 140 2 level 3 compliance for the encryption keys This server comes with a pre loaded Solaris 10 operating system and special key management system software FIGURE 4 1 Key Management Appliance 4170 Rear Panel T105_032 1 AC Power connectors 2 Serial Management SER MGT RJ 45 serial port 3 Service network NET MGT port 4 Ethernet ports 0 1 2 3 5 USB ports 0 1 6 Video connector VGA FIGURE 4 2 Key Management Appliance 4170 Front Panel T105_031 1 Power OK LED 2 Power button Note CRYPTO 1XTO23UP is an upgrade kit of KMA 1 x to version 2 3 Current version is 2 4 Revision 04 Chapter4 Components 83 SL8500 Modular Library System SL8500 Modular Library System FIGURE 4 3 SL8500 Modular Library System Requirements High level Description A single SL8500 library can store up to m 1 448 to 10 000 tape cartridges m 64 tape drives An SL8500 Library Complex of 10 libraries can store m Up to 100 000 tape cartridges m W
10. 26 Disaster Recovery planning 104 dispatch 111 dock availability 42 drive data for activating tape drives 71 file structure to activate tape drives 74 LTO4 preparation 75 types of 23 dual stack Internet Protocol 21 E EIA 310 D 1992 standards for racks 47 ELOM connection 19 encryption configurations supported 81 hardware kits 4 introduction 1 128 OKM Systems Assurance Guide June 2013 standards 2 tape drives supported 81 82 enrollment work sheet 116 environmental factors and concerns 42 environmental parameters X2100 server 13 X2200 server 14 error free installation 33 Ethernet adapter cards for LTO4 drives 26 Extreme Network Switch configuration 49 Extreme network switch configuration 49 Extreme Networks 48 F Federal Information Processing Standards encryption standard 2 FIPS compliant tape drives 24 FIPS publications list 2 firmware requirements 78 G glossary 119 graphical user interface GUI installation 76 Oracle Key Manager 3 guides related information xi H hardware kits 4 Hardware Security Modules HSM 102 help center 111 HP LTO4 description 26 HSM 102 IBM LTO4 description 26 IEC 60927 standards for racks 47 initial configuration work sheet 71 72 installation site planning checklist 42 Institute of Electrical and Electronics Engineers Revision 04 IEEE standards 2 Integrated Cryptography Service Facility ICSF 97 Intern
11. 8 Optional hard disk drive bay 1 FIGURE 1 9 Key Management Appliance X2100 X2200 Rear Panel 1 Power connector 2 Ethernet connectors 2 Top KMA Management Network LAN 0 Bottom Embedded Lights Out Manager ELOM 3 System Identification LED 4 Fault LED 5 Power LED 6 Ethernet Service Network connections 2 Left Service network LAN 2 Right Aggregated service network LAN 3 T105_065 7 Serial port DB9 RS232 8 PCIe slots 2 Top SCA6000 card not shown Bottom Blank empty 9 VGA connector if using a monitor keyboard for the initial configuration 10 USB 2 0 ports 4 12 OKM Systems Assurance Guide June 2013 Revision 04 Key Management Appliance Sun Fire X2100 M2 Server TABLE 1 2 lists the specifications for the Sun Fire X2100 M2 server TABLE 1 2 Sun Fire X2100 Specifications Specification Processor a One dual core AMD Operton processor m Processor frequencies 2 2 GHz m Up to 1 MB level 2 cache Memory Four DIMM slots up to 4 gigabytes a Unbuffered ECC memory IPMI 2 0 m Service processor standard m embedded Lights Out Manager Mass storage One SATA disk drive PCI Slots Two PCI Express slots PCIe PCle 0 contains the Sun Crypto Accelerator 6000 SCA6000 Networking Four USB 2 0 connectors on the rear panel Two USB 2 0 connectors on the front panel a Two ports Serial port with DB 9 VGA with DB 15 a Four 10 1
12. Date Time Download and provide the customer with a copy of the Yes No Administrator s Guide PN 316195101 Virtual Operator Panel Customer PN 96179 http download oracle com docs cd E24472_01 index html 34 OKM Systems Assurance Guide June 2013 Revision 04 Customer Team Member Contact Sheet Customer Team Member Contact Sheet Complete the following information for the customer team members Name Title Telephone Number FAX Number Cell Phone Pager E mail Address Name Title Telephone Number FAX Number Cell Phone Pager E mail Address Name Title Telephone Number FAX Number Cell Phone Pager E mail Address Name Title Telephone Number FAX Number Cell Phone Pager E mail Address Note Customer representatives may include security officers finance managers IT managers network administrators systems administrators site planning managers and anyone else involved in installations Revision 04 Chapter 2 Systems Assurance 35 Oracle Team Member Contact Sheet Oracle Team Member Contact Sheet Complete the following information for the Oracle team members Name Title Telephone Number FAX Number Cell Phone Pager E mail Address Name Title Telephone Number FAX Number Cell P
13. In the Roles columns m Yes indicates that the role is allowed to perform the operation Quorum indicates that the role is allowed but must belong to a quorum Blank indicates that the role is not allowed to perform the operation 64 OKM Systems Assurance Guide June 2013 Revision 04 Oracle Key Manager Interface TABLE 3 6 System Operations and User Roles Sheet 1 of 5 Roles Security Compliance Backup Quorum Operation Officer Officer Operator Operator Auditor Member Console Log In Yes Yes Yes Yes Yes Yes Set KMA Locale Yes Set KMA IP Address Yes Enable Tech Support Yes Disable Tech Support Yes Yes Enable Primary Administrator Yes Disable Primary Administrator Yes Yes Restart KMA Yes Shutdown KMA Yes Log into Cluster Quorum Set User s Passphrase Yes Reset KMA Yes Zeroize KMA Yes Logout Yes Yes Yes Yes Yes Yes Connect Log In Yes Yes Yes Yes Yes Yes Create Profile Yes Yes Yes Yes Yes Yes Delete Profile Yes Yes Yes Yes Yes Yes Set Config Settings Yes Yes Yes Yes Yes Yes Disconnect Yes Yes Yes Yes Yes Yes Key Split Credentials List Yes Modify Quorum Autonomous Unlock List Yes Modify Quorum Lock Unlock KMA List Status Yes Yes Yes Yes Yes Lock Yes Unlock Quorum Revision 04 Chapter 3 Site Preparation 65 Oracle Key Manager Interface TABLE 3 6 System Operations and
14. Key Groups are used for organizing keys and associating them with a Key Policy Key Groups are also used to enforce access to the key material by the Encryption Agents A SunFire X2100 M2 X2200 M2 or X4170 M2 server preloaded with the OKM software The appliance is a proven dual core processor with a Solaris 10 operating system that delivers policy based key management and key provisioning services A system providing key management The StorageTek system has a component providing key management on behalf of encryption agents Now known as the Oracle Key Manager or OKM A Key Policy provides settings for the cryptoperiods to be applied to keys Each Key Group has a Key Policy and a Key Policy may apply to zero or more Key Groups The encryption and decryption cryptoperiods specified on the policy limit the usage of keys and trigger key life cycle events such as the deactivation or destructions of keys OKM Systems Assurance Guide June 2013 Revision 04 L Linear Tape Open LTO M Media key N network NIST O Operator OKM Cluster Revision 04 A magnetic tape data storage technology The standard form factor of LTO technology goes by the name Ultrium the high capacity implementation of LTO technology LTO Ultrium technology is an open format technology which means users have multiple sources of product and media The open nature of LTO technology also provides a means of enabling com
15. 15PIUA C13 10 250 180 2164 01 NEMA B33F 25 15 JP X333F 25 15 JP N Pwrcord Japan 2 5m PSE6 15 15A C13 15 250 180 2244 01 833J 40 15 X336L Pwrcord N A Asia 4 0m L6 20P 15A C13 15 250 180 2070 01 BI AU 10 309 X332T Pwrcord INTL 4 0m IEC309 IP44 10A C13 10 250 180 2071 01 For use in non Sun Racks B33V 20 15 C14 X333V 20 15 C14 N Pwrcord Jmpr Straight 2 0m C14 15A C13 15 250 180 2442 01 833V 30 15 C14 X333V 30 15 C14 N Pwrcord Jmpr Straight 3 0m C14 15A C13 15 250 180 2443 01 For use in Sun Rack NGR B33W 10 13 X9237 1 A N Pwrcord Jmpr 1 0m C14RA 13A C13 13 250 180 2082 01 14RA oe X9238 1 A N Pwrcord Jmpr 2 5m CI4RA 13A C13 13 250 T80 2085 01 C14RA For use in Sun Rack II Redwood SR JUMP XSR JUMP IMCI3 N Pwrcord Jmpr SR2 1 0m CI4RA 13A C13 13 250 180 2379 01 1MC13 JUMP XSR JUMP 2MC13 N Pwrcord Jmpr SR2 2 0m C14RA 13A C13 13 250 180 2380 01 MC13 94 OKM Systems Assurance Guide June 2013 Revision 04 ATO Bill of Materials ATO Bill of Materials TABLE 4 4 ATO Bill of Materials Part Numbers and Descriptions Order Number Description CRYPTO 2X SL8500 N Sun StorageTek crypto kit for use with SL8500 libraries A 24 port ethernet switch cables and rack mount HW for installation within SL8500 library CRYPTO 2X 9310 Z N Sun StorageTek crypto kit for use with 9310 libraries A 24 port ethernet switch and cables for installation in 9310 plus 16 port ethernet switch and cables for connection to KMA externally R
16. 47 ASR 31 45 assignments customer roles 64 auditor role 64 Auto Service Request 31 Revision 04 backup operator role 64 batch file LTO4 75 behavior LTO 29 Belisarius card description 26 Brocade ICX 6430 switch 48 Brocade ICX 6430 switch configuration configuring the switch 50 port mirroring 52 pre configuration requirements 50 C cabinet specifications for installation 47 cables for required tools 76 call center for support 111 capacity of LTO4 tape drives 26 of T1000 tape drive 25 T9840D tape drive 25 Capacity on Demand 59 CBC MAC standard 2 CCM standard 2 checklists See Also work sheets 42 site planning 42 system assurance 34 Cipher Block Chaining Message Authentication Code 2 cluster definition of 3 Common Criteria Consortium 2 comparisons of tape drives and media 28 127 compatibilities media types 28 compliance operator role 64 concerns for site planning 42 connectivity factors for pre installation 43 content management 58 conversion bills 9310 requirements 89 Counter with CBC MAC 2 Cryptographic Accelerator 3 cryptography 1 customer contact sheet 35 roles 64 satisfaction 33 customer initiated maintenance 111 D data path partition planning 61 Database 101 database considerations 103 Database products 101 delivery dock 42 delivery of the hardware 42 dimensions of KMA X2100 server 13 of KMA X2200 server 14 Dione card description
17. Continued. Guideline: Regulatory. Descriptions: Minimum requirements are: Safety: UL or CSA certification and compliance; Electromagnetic: Class A certification from agencies such as FCC or BSMI. Network Considerations: StorageTek engineering recommends that customers supply a managed switch for connecting KMAs to the tape drives on their service network. Managed switches would then supply connectivity to the StorageTek-supplied unmanaged switches as well as any connectivity to customer-supplied routers for wide area service network. The following managed switches have been tested and are recommended: 3COM Switch 4500G 24-Port (3CR17761-91); Extreme Networks Summit X150-24t Switch; Brocade ICX 6430 Switch. Other managed switches can be used, but engineering only provides configuration guidance on the above-listed switches. Managed switches are recommended for the following reasons: improved serviceability through better switch diagnostics and service network troubleshooting; potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol; support for aggregation of the KMA service network interfaces to minimize single point of failure on the KMA's service interface. provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can c
18. Cord PTO Equivalent Description Amps Voltage Cable B33A 25 10 AR X312F N Pwrcord Argentina 2 5m IRAM2073 10A C13 10 250 180 1999 02 B33A 25 10 AU X386L N Pwrcord Australian 2 5m SA3112 10A C13 10 250 180 1998 02 B33A 25 10 BR X333A 25 10 BR N Pwrcord Brazil 2 5m NBR14136 10A C13 10 250 180 2296 0T G33A 25 10 CH X314L N Pwrcord Swiss 2 5m SEV1011 10A C13 10 250 180 1994 02 B33A 25 10 CN X328L Pwrcord China 2 5m GB2099 10A C13 10 250 180 1982 02 B33A 25 10 DK X383L N Pwrcord Denmark 2 5m DEMKO107 10A C13 10 250 180 1995 02 G33A 25 10 X312L N Pwrcord Euro 2 5m CEE7 VII 10A C13 10 250 180 1993 02 EUR PA 2S TU IL X333A 25 10 IL N Pwrcord Israel 2 5m S1 32 10A C13 10 250 180 2130 02 B33A 25 10 IN X333A 25 10 IN N Pwrcord India 2 5m IS1293 10A C13 10 250 180 2449 01 B33A 25 10 IT X384L N Pwrcord Italian 2 5m CEI23 10A C13 10 250 180 1996 02 B33A 25 10 KR X312G N Pwrcord Korea 2 5m KSC8305 10A C13 10 250 180 1662 03 B33A 25 10 TW X332A Pwrcord Taiwan 2 5m CNS10917 10A C13 10 125 180 2121 02 B33 A 25 10 UK X317L N Pwrcord UK 2 5m BS1363A 10A C13 10 250 180 1997 02 833A 25 10 ZA X333A 25 10 ZA N Pwrcord South Africa 2 5m SANS164 10A C13 10 250 180 2298 01 B33 A 25 15 JP X333A 25 15 JP N Pwrcord Japan 2 5m PSE5 15 15A C13 15 125 180 2243 01 B33 A 25 15 X311L Pwrcord N A Asia 2 5m 5 15P 15A C13 15 125 180 1097 02 RS SoS T WORST WEN Pwrcord Taiwan 2 5M CNS10917 15A C13 15 125 180 2333 01 20 10 Pwrcord N A Asia 2 0m 6
19. Delivery Platform Security White Paper May 2008 and the Optional Firewall. When planning for a multi-site service network, the subnet addressing scheme for the KMA service ports and drives needs to be determined. Use of duplicate network addresses must be avoided. For example, the use of 172.18.18.x networks (a common convention) needs to be avoided. KMAs will typically be connected to the customer's network for any of the following reasons: administrative access to the KMAs using the Oracle Key Manager GUI hosted in the customer network; cluster replication between KMAs; KMA access to the customer's NTP server; KMA access to customer's SNMP Managers; customer access to the KMA's service processor (ELOM or ILOM). Similarly, with Oracle Key Manager's support for a routable multi-site service network, customer-supplied routers and networking equipment will be required to connect the various sites comprising the key management cluster. Because of this connectivity into the customer's network, SDP security policy dictates that a firewall must be present between the devices connecting to a KMA and the SDP. This customer firewall is the firewall attached to Port2 of the SDP appliance in the following diagram. The firewall will need to be configured so that SDP can monitor the tape drives in the customer-controlled portion of the service network. DMZ in the diagram refers to the secure network architecture of SDP that secures the n
20. Required Tools: The required tools to install and initially configure the KMAs are: Standard field service tool kit, including both standard and Phillips screwdrivers, Torx driver and bits, and other tools necessary to mount the servers in a rack; Serial or null modem cable (P/N 24100134) with DB-9 connector; Adapter (P/N 10402019); Straight Ethernet cable (P/N 24100216), 10 ft; Cross-over Ethernet cable (P/N 24100163), 10 ft; Service laptop (or personal computer); Virtual Operator Panel (VOP) at Version 1.0.11 or higher for T-Series tape drives; Virtual Operator Panel for HP LTO tape drives at Version 1.0.12 or higher; Virtual Operator Panel for IBM LTO tape drives at Version 1.0.14 or higher; Virtual Operator Panel for LTO5 tape drives at Version 1.0.16 or higher; Virtual Operator Panel for LTO6 tape drives at Version 1.0.18 or higher; Multi-Drive Virtual Operator Panel (MD-VOP) Version 1.1 or higher. Supported Platforms and Web Browsers: The manager graphical user interface (GUI) must be installed on either a Windows XP or Solaris platform. Web Browsers: The Embedded Lights Out Manager is sensitive to Web browser and Java versions. Re
21. Multiple sites wide area network m FIGURE 1 3 Multiple sites with disaster recovery wide area network a FIGURE 1 4 Disaster Recovery Configuration a FIGURE 1 5 Database and Automated Library configuration FIGURE 1 1 Single Site Configuration This example uses a single site with a local area network for the management link The service network for the tape drives shows all of the supported tape drives Agents Agents include T Series T10000 A B and C and T9840D and LTO generations 4 5 and 6 tape drives Oracle Key Manager Ethernet Switch SL3000 Library Revision 04 Chapter 1 Introduction 5 Components FIGURE 1 2 Dual Site Configuration In this example the KMAs are managed over a wide area network All four KMAs belong in the same OKM cluster Oracle Key Manager Site 1 Site 2 rene rene ma Wide Area Network KMA Cluster lt a Ethernet Ethernet aes TT rr Switch Switch T10000C KMA Cluster LTO 5 LTO 5 LTO 6 LTO 6 SL3000 Tape Tape SL3000 Library Drives Drives Library T105_090 Note LTO encryption capable tape drives are not supported in L Series libraries 6 OKM Systems Assurance Guide June 2013 FIGURE 1 3 Multiple Site Configuration Components This example uses two remote sites and a local main site within one OKM cluster The main site contains a partitioned SL8500 library with specific
22. NET 2 c. Attach a network cable between the second port in the trunk group and the aggregated service port on the KMA, labeled LAN 3 or NET 3. See FIGURE 1-11 on page 19, FIGURE 1-12 on page 20, and TABLE 1-4 on page 18 for information on rear panel connections for the X2100 M2, X2200 M2, and X4170 M2 servers. Port Mirroring: Mirroring ports can be useful when you want to use a network analyzer in the service network environment. Ports can be mirrored on Brocade ICX 6430 switches as follows. Telnet to the switch management port. On this switch, select a port that is not part of a trunk; for example, port 24 is designated as 1/1/24. Access privileged mode on the switch by entering "enable" (will be appended to the prompt, indicating you are in privileged mode). Enter configuration mode by entering "configure terminal"; you will see (config) appended to the prompt, indicating config mode. Configure the mirror port with the command "mirror-port ethernet 1/1/24". Determine what port traffic you want to monitor; for example, port 1 is designated as 1/1/1. Enter the interface menu for port 1/1/1 by entering "interface ethernet 1/1/1"; (config-if-e1000-1/1/1) is appended to the prompt, indicating you are configuring that port. Enter "monitor ethernet 1/1/24 both" to monitor traffic in both directions on port 24. Enter write to save the configuratio
23. PCle 0 contains the Sun Crypto Accelerator SCA6000 if installed Networking Four USB 2 0 connectors on the rear panel Two USB 2 0 connectors on the front panel VGA with DB 15 connectors Four 10 100 1000 Base T Ethernet ports Dimensions Height 4 34 cm 1 71 in Width 42 5 cm 16 75 in Depth 68 58 cm 27 0 in Weight 16 36 kg 36 1b Environmental Operating temperature 5 C to 35 C 41 F to 95 F Non operating temperature 40 C to 70 C 40 F to 158 F Operating humidity 10 to 90 relative humidity non condensing Non operating humidity Up to 93 relative humidity non condensing Altitude operating Up to 3000 m maximum ambient temperature is degraded by 1 degree C per 300 m above 900 m Altitude non operating Up to 12 000 m Chapter1 Introduction 11 Key Management Appliance Sun Fire X2100 M2 and X2200 M2 Servers FIGURE 1 8 shows a rear view of the Sun Fire X2100 X2200 M2 server FIGURE 1 9 shows a front view of the Sun Fire X2100 X2200 M2 server TABLE 1 2 lists the specifications for the Sun Fire X2100 M2 server TABLE 1 3 lists the specifications for the Sun Fire X2200 M2 server FIGURE 1 8 Key Management Appliance X2100 X2200 Front Panel 1 System identification button LED 2 Fault LED 3 Power OK LED 4 Power button T105_063 5 Optional hard disk drive bay 0 6 USB 2 0 connectors 2 7 CD DVD drive not populated
24. TDE through the pkcs11_kms token should typically take 100-200 milliseconds per KMA access. When failovers occur, the response time will be a multiple of the number of failover attempts. Backup and key transfer operations for Oracle Key Manager are database-intensive activities that can impact performance of the Oracle Key Manager database. For this reason, thought should be given to when and where to perform Oracle Key Manager backups. Since Oracle Key Manager backups and key transfer operations are cluster-wide, they can be performed on KMAs that are not servicing Oracle Database instances. Similarly, key transfer operations are also cluster-wide operations and can be performed on any KMA. It is thus recommended to choose a KMA that is not servicing busy Oracle Database instances. Disaster Recovery Planning: Disaster Recovery planning is a complex topic that is covered in the Oracle Key Manager Disaster Recovery Reference Guide and also in Oracle Database documents. Disaster Recovery planning decisions influence the network planning exercise as well. The pkcs11 provider's profile area is a new consideration for disaster recovery planning. Consider recovery scenarios for this storage area to avoid having to reconfigure a pkcs11_kms token, especially when it is shared between nodes of an Oracle RAC. Network Planning: Oracle Key Manager cluster configuration needs to be planned in accordance with the Oracle Database servers and the enterprise
25. User Roles Sheet 2 of 5 Roles Security Compliance Backup Quorum Operation Officer Officer Operator Operator Auditor Member Site Create Yes List Yes Yes Modify Yes Delete Yes Security Parameters List Yes Yes Yes Yes Yes Modify Yes KMA Create Yes List Yes Yes Modify Yes Delete Yes User Create Yes List Yes Modify Yes Modify Passphrase Yes Delete Yes Role List Yes Key Policy Create Yes List Yes Modify Yes Delete Yes Key Group Create Yes List Yes Yes List Data Units Yes Yes List Agents Yes Yes Modify Yes Delete Yes 66 OKM Systems Assurance Guide June 2013 Revision 04 TABLE 3 6 System Operations and User Roles Sheet 3 of 5 Oracle Key Manager Interface Revision 04 Roles Security Compliance Backup Quorum Operation Officer Officer Operator Operator Auditor Member Agent Create Yes List Yes Yes Modify Yes Modify Passphrase Yes Delete Yes Agent Key Group Assignment List Yes Yes Modify Yes Data Unit Create List Yes Yes Modify Yes Modify Key Group Yes Delete Keys List Data Unit Keys Yes Yes Destroy Yes Compromise Yes Transfer Partners Configure Quorum List Yes Yes Yes Modify Quorum Delete Yes Key Transfer
26. agent a new passphrase. Which means the replacement drive will need to be enrolled using the existing name and a new passphrase. LTO Tape Drive Preparation: Preparing the Tape Drives: No enablement requirements or drive data is required for the LTO tape drives. The only preparation is to make sure the customer has the information to assign the IP addresses and Agent names for the tape drives in the OKM manager. Note: The Virtual Operator Panel must be at: Version 1.0.12 and higher to provide support for the HP LTO tape drives; Version 1.0.14 and higher to provide support for the IBM LTO tape drives. To use the VOP for LTO tape drives, you need to launch a special file. Windows: Launch the batch file toVOP.bat. FIGURE 3-8 shows an example of the VOP 1.0.12 download contents. FIGURE 3-8 VOP LTO Files [screenshot: Windows Explorer view of the VOP_Service folder under Program Files]
27. by periods. Each group can be from 0 to 255, for example, 129.80.180.234. Within these four groups are two identifiers: the network address and the host address. The first two groups (129.80) identify the network address; the second two groups (180.234) identify the host. The new generation, IPv6, uses a 128-bit value written as eight groups of four hexadecimal characters separated by colons, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334. 2001:0db8:85a3::8a2e:0370:7334 means the same as above. IPv6 addresses are typically composed of two logical parts: a 64-bit network prefix and a 64-bit host address, which is either automatically generated or assigned. Important: The Key Manager supports a "dual stack" implementation where both protocols are used within the system. However, not all applications use IPv6 (for example, Domain Name System, DNS); therefore, IPv4 is still necessary. Automated Tape Libraries: Because every customer has different needs and requirements, Oracle's StorageTek automated tape libraries provide a variety of libraries to meet these customers' demands. TABLE 1-5 Tape Libraries: Tape Libraries L700 L1400 9310 SL24 SL48 SL500 SL3000 SL8500 SL150 Minimum 216 200 2 000 1 1 30 or 200 1 448 30 slots 50 Maximum 1 344 1 344 6 0
28. compliance. Note: This is a FIPS 140-2 Level 3 hardware security module. The manager is a client-side software component with a graphical user interface (GUI). Note: The OKM Manager must be installed on a customer-provided, network-attached PC, server, or workstation running Windows XP, Vista, 2003 Server, 7, 2008 Server, or running Solaris x86 or Solaris SPARC. A command line interface to assist with automation of management tasks such as backup and reporting. A full set of KMAs in a system. All of the KMAs are aware of each other and replicate information to each other. Note: There must be a minimum of 2 servers in a cluster. Agents are devices (for example, tape drives) that are authenticated with the Key Manager and obtain key material over a secure (TLS) session. Note: Agents that are tape drives should not be on public networks. A unique ID assigned by the OKM to each individual data cartridge. Provide organization for keys and associates them to a Key Policy. Key Groups are used by the OKM to enforce access to the key material by the Encryption Agents (tape drives or Oracle databases). X2100 M2, X2200 M2, X4170 M2 key management appliance have four network connections: Management network; Embedded or Internal Lights Out Manager (ELOM/ILOM); Service network connection to the drives; Additional aggregated service port (optional). Note F
29. duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registere
30. group for development/test databases so that isolation is assured. Agents in the test database key group would then be blocked by Oracle Key Manager if they attempt to use a master key for a production database. Such an attempt would also be flagged in the Oracle Key Manager audit log and may be an indicator of a configuration error that could disrupt a production database. TDE also provides isolation of master keys through their key label naming convention. In the PKCS#11 specification, key labels are not required to be unique. Oracle Key Manager enforces label uniqueness so that the scope of the label name space is global for an Oracle Key Manager cluster. Should a label conflict occur between different master keys for different database instances, the first label created will always be returned. If this is not the required behavior, then consider using key groups as a means for segregating agents. An agent attempting to access a key that shares an identical label belonging to another key group will be denied by Oracle Key Manager. This will be caught during a re-key operation, and the work-around will be to re-key until another non-conflicting label is generated. Key and Data Destruction Considerations: Destruction of data to conform to data retention requirements can begin with the destruction of TDE's master keys. How and when these keys should b
32. into the mode of operation to ensure that repetitive plaintext does not result in repetitive ciphertext. Cipher suite: TLS 1.0 (Transport layer security); RSA (a 2048-bit key encryption algorithm); SHA1 (a widely used and secure hash algorithm); HMAC (Hash message authentication code, Hash-MAC). Components: The Oracle Key Manager is a device-based encryption solution that uses: an appliance (server) called the Key Management Appliance, or KMA; network connectivity (a clean gigabit Ethernet connection); StorageTek automated libraries or Oracle databases; StorageTek tape drives (T-Series and LTO) as the agents for encryption. Components for the OKM Version 2.3 and above encryption solution consists of: Key Management Appliance (KMA); SCA6000 card; OKM Manager (or OKM Manager GUI); OKM CLI; OKM Cluster; Agent; Data Unit ID; Key Groups; Network connections. The KMA is a SunFire server, such as the X2100 M2, X2200 M2, and X4170 M2, for the hardware platform. This server: runs the key manager application on a specialized, pre-loaded version of the Solaris 10 operating system; delivers a policy-based key manager and provisioning services; generates the raw keys for encryption. An optional Sun Cryptographic Accelerator (SCA6000) card for cryptographic processing and administrative functions is provided for customers that require FIPS
33. mail. The file is then loaded into the library using the Storage Library Console (SLC). RealTime Growth Technology: Because the physical and the activated slot capacities are separate, the customer has the option of installing physical capacity in advance, before they are ready to use these slots. The advantage of installing physical capacity in advance is that now scaling the library is non-disruptive, quick, and easy to accomplish. For example: Whenever building a library configuration, there are two basic slot capacity questions you need to answer: 1. How many slots does the customer need to use? 2. How many cartridge slots does the customer want to physically install? Partitioning: The definition of a partition is to divide into parts or shares. Benefits: Partitioning a library means the customer can have: multiple libraries from one physical piece of hardware; more than one operating system and application manage the library; an improvement in the protection or isolation of files; an increase in system and library performance; an increase in user efficiency. Customized fit: Partitions may be customized to fit different requirements, such as: separating different encryption key groups; isolating clients as service centers; dedicating partitions for special tasks; giving multiple departments, organizations, and companies access to appropriate sized library resource
34. may be an order or connection dependency. Create the aggregation group on the switch before connecting the KMA's service port. If the aggregated IP address (IPv4 or IPv6) is not responding, reboot the KMA. A System Dump using the Management GUI will contain display aggregated port information. The information is gathered using dladm commands. Extreme Network Switch Configuration: To configure aggregated ports on an Extreme Ethernet switch: 1. Log in to the switch using telnet. 2. Enter the following CLI commands: show port sharing; enable sharing <port> grouping <portlist> algorithm address-based L3_L4. Port specifies the master port for a load sharing group. Portlist specifies one or more ports or slots and ports to be grouped to the master port. On a stand-alone switch, this is what is normally supplied; can be one or more port numbers. May be in the form 1 2 3 4 5. 3COM Network Switch Configuration: 1. Use a Web browser to connect to the switch IP. 2. Select port and then link aggregation from the menu. From the subsequent dialog, you can use the Create tab to create a new port grouping. Brocade ICX 6430 Switch Configuration: Note: If you need to install the switch, see the Brocade ICX 6430 and ICX 6450 Stackable Switches Hardware Installation Guide at http www foundrynet com services documentation FastIro
35. other KMAs in the cluster. All administrative changes are propagated to all other KMAs in the cluster. Encryption Hardware Kits: Encryption hardware kits come complete with Ethernet switches, cables, power distribution units, and mounting hardware for connection of the drive types in either a library, standalone rack, or Oracle database configuration. The type of configuration determines how the drives are installed; each configuration has its own kit (see Chapter 4, "Components" for more information). Refer to the Oracle Key Manager Installation and Service Manual and the individual product installation manuals for specific installation instructions. Key Manager Configurations: Multiple KMAs (two or more) must be installed together to create a cluster. Clusters of KMAs are able to fully replicate their data to each other KMA. Note: Cluster size should be strongly considered when designing the system for maximum availability. 1. Multiple KMAs: Exceptions to this standard configuration must be made with the approval of Encryption Engineering, Professional Services, and Support Services. 2. A Cluster is a group of linked appliances that work together, so that in many respects they form a single component. The following figures show examples of Version 2.x configurations for the key management appliance: FIGURE 1-1, Single site, local area network; FIGURE 1-2
36. pkcs11_kms provider for TDE to use. All nodes should share the same Oracle Key Manager agent ID for authentication. With Oracle RAC, the network topology utilizes a public and private network. The private network used for Oracle RAC node-node traffic may be shared with the Oracle Key Manager service network for better isolation of key retrieval traffic. Depending on how this private network is configured, this likely precludes agent failover to KMAs outside the private network, such as KMAs in a remote site. Oracle RAC Extended Cluster: In this configuration, KMAs within the Oracle Key Manager cluster should be co-located in the network with Oracle RAC nodes so that key retrieval time is minimized. Oracle Exadata Database Machine: See the Oracle RAC considerations. Oracle Data Guard: All secondary databases access the same Oracle Key Manager cluster used by the primary database. Multiple Database Instances: When running multiple independent database instances on a host, each instance needs to have its own PKCS#11 token configured. This amounts to creating an Oracle Key Manager agent for each database instance and having the agent authenticate to Oracle Key Manager via the token. This can all be done through use of the kmscfg(1M) tool. Oracle RMAN. Oracle Data Pump. OKM Performance and Availability Considerations: Key retrievals for
37. s disaster recovery strategy. The networking options with Oracle Key Manager are very flexible and include multi-homed interfaces used by the Oracle Key Manager management and service network. Oracle Key Manager Management Network: Each KMA in an Oracle Key Manager cluster contains a front-end network interface, referred to as the management network. This interface is primarily intended for management of the various nodes of the Oracle Key Manager cluster and for KMA peer-peer replication of cluster data. For optimal cluster replication performance, a Gigabit Ethernet network is recommended. The service network is recommended for use by agents, but the management network may also be used. Oracle Key Manager Service Network: The service network is intended for use by agents so that their key retrievals may be isolated from other network traffic. There are two Gigabit Ethernet ports on a KMA that are aggregated together for better reliability. It is recommended that TDE access be over the Oracle Key Manager service network. As briefly mentioned in the overview, the service network can be isolated to KMAs and agents within the same site by not defining a gateway to other sites. This may be desirable if other sites are too remote. For maximum availability, though, configuring service network gateways to other Oracle Key Manager sites is an option to be considered. Network Time Protocol: Configuring Oracle Key Manager system time to use an externa
38. tape drives, either directly or through Ethernet switches, to create the network. NET 3, LAN 3: This is an optional connection with the Oracle Key Manager, first introduced in version 2.1. This is the Aggregated Network connection with NET 2 or LAN 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes the use of multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability. Note: The ELOM/ILOM IP address is most easily configured using a serial connection. Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one-time connection for the initial configuration. The initial setup of a KMA requires a terminal emulator on a laptop or monitor/keyboard assembly to access the Service Processor. The Service Processor is a remote console function that requires a network connection and IP address to use these functions. Key Management Appliance Physical Connections: All of the physical connections are from the rear of the KMA. See for X2100 M2 and X2200 M2 and FIGURE 1-12 on page 20 for X4170 M2 for rear panel connections. TABLE 1-4 on page 18 details the relationship between these connections on an X2100/X2200 M2 or X4170 M2 server. Management Network Oracle Key Manager LAN 0 Management Network Servi
39. the Virtual Operator Panel User s Guide Related Information These publications contain the additional information mentioned in this guide Publication Description Part Number Important Safety Information for Hardware Systems 821 1590 10 SunFire X2100 Server Installation Guide 819 6589 xx SunFire X2200 Server Installation Guide 819 6596 xx SunFire X4170 Server Installation Guide 821 0481 xx Embedded Lights Out Manager Administration Guide 819 6588 xx Integrated Lights Out Manager Administration Guide 820 0280 12 110000 Tape Drive Installation Manual 96173 T9x40 Tape Drive Installation Manual 95879 SL8500 Modular Library System Installation Manual 96138 SL3000 Modular Library System Installation Manual 316194201 SL500 Modular Library System Installation Manual 96114 Preface xi Publication Description Part Number L700 1400 Library Installation Manual 95843 9310 PowderHorn Library Installation Manual 9314 Virtual Operator Panel Service 96180 Virtual Operator Panel Customer 96179 Oracle Key Manager Installation and Service Manual 3161949xx Oracle Key Manager Administration Guide 3161951xx Oracle Key Manager Disaster Recovery Guide 3161971xx Storage Regulatory and Safety Compliance Manual 820 5506 xx Oracle Advanced Security Transparent Data Encryption Best Practices July 2011 Whitepaper Using Oracle Key Manager with Advanced Security Transparent D
40. to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity. Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be: set to auto-negotiate settings for duplex (should be full duplex); set to auto-negotiate speed settings (the KMA ports are capable of gigabit speeds); using identical speeds, such as both set to 100 Mbps (auto speed negotiating may work fine). FIGURE 1-10 Managed Switch Configuration: In this example, the service network consists of two customer-provided managed switches that are cabled to three unmanaged switches, which contains redundant paths that require a spanning tree configuration. This example may be easily scaled for larger SL8500 drive configurations by adding additional KMAs, switch hardware, and tape drives. Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy. Unmanaged switches have two paths to the managed switches for redundancy. Unmanaged switches are then cabled for connectivity to the tape drives (agents). Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1-4, 6-9, 11-14, and 16-19. Service Delivery Platform (SDP) connects to each Managed Swi
41. 00 1000 Base T Ethernet ports Dimensions Height 43 mm 1 7 in Width 425 5mm 16 8 in Depth 550 mm 21 68 in Weight maximum 10 7 kg 23 45 Ib Mounting options 19 inch rackmount kit Compact 1 rack unit 1 75 in Environmental parameters Temperature 5 C to 35 C 41 F to 95 F Relative humidity 27 C 80 F max wet bulb Altitude Up to 3 000 m 9 000 ft Power supply 90 2640 VAC 47 63 Hz One 6 5 Amp non redundant power supply at 345 Watts Heat output is about 850 BTU hour Regulations meets or exceeds the following requirements Acoustic Noise Emissions declared in accordance with ISO 9296 Safety IEC 60950 UL CSA60950 EN60950 CB scheme RFI EMI FCC Class A Part 15 47 CFR EN55022 CISPR 22 EN300 386 v1 31 ICES 003 Immunity EN55024 EN300 386 v1 3 2 Certifications Safety CE Mark GOST GS Mark cULus Mark CB scheme CCC S Mark EMC CE Mark Emissions and Immunity Class A Emissions Levels FCC C Tick MIC CCC GOST BSMI ESTI DOC S Mark Chapter1 Introduction 13 Key Management Appliance Sun Fire X2200 M2 Server TABLE 1 3 lists the specifications for the Sun Fire X2200 M2 server TABLE 1 3 SunFire X2200 Specifications Specification Processor Two Quad core AMD Opteron processors Processor frequencies 2 3Ghz Memory 8 GB of RAM installed as 4 2 GB Dimms IPMI 2 0 m Service processor st
42. 00 24 48 440 to 5 925 10 000 300 slots 575 Complex ACS No No 144 000 No No No No 100 000 No Mixed media Yes Yes Yes No No Yes Yes Yes Yes Pass thru Yes 1 Yes Yes No No No No Yes No ports 1 Maximum 24 40 24 40 80 960 1 2 2 18 56 64 640 20 drives CAP size 20 80 20 80 21 0or 80 Mailslots Mailslots 5 45 26 39 Mailslot Number of 1 4 1 4 4x20 0 1 1 3 1 5 101 2 1 CAPs Interface type SCSI SCSI TCP IP SCSLFC SCSI FC SCSI SCSI TCP IP SCSI FC FC FC SAS SAS FC FC Tape Technology Encryption capable Tape Drives Only T9840D Yes Yes Yes No No No Yes Yes No StorageTek T10000A Yes Yes Yes No No No Yes Yes No StorageTek T10000B Yes Yes Yes No No No Yes Yes No StorageTek T10000C No No No No No No Yes Yes No StorageTek LTO4 HP Yes Yes No Yes Yes Yes Yes Yes No and or IBM LTO5 HP No No No Yes Yes Yes Yes Yes Yes for and or IBM HP no for IBM LTO6 HP No No No Yes Yes Yes for Yes Yes Yes for and or IBM HP no HP no for for IBM IBM 1 Access expansion modules provide bulk cartridge loading capabilities from 234 to 468 cartridges one or two AEMs 22 OKM Systems Assurance Guide June 2013 Revision 04 Tape Drives Tape Drives Well known for its state of the art tape technology StorageTek has numerous years of experience and leadership in tape and tape automation Today StorageTek with its proven technology continues to provide storage solutions for Small to l
44. 29S Virtual Operator Panel VOP Version 1 0 14 or higher for LTO4 Version 1 0 16 88 OKM Systems Assurance Guide June 2013 Revision 04 9310 Automated Cartridge System 9310 Automated Cartridge System FIGURE 4 7 9310 Automated Cartridge System Requirements High level Description The 9310 also called PowderHorn can store m From 2 000 up to 6 000 tape cartridges m Up to 4 drive cabinets with space for up to 20 drives per cabinet 80 drives total Operating System Support The 9310 library supports all major operating systems enterprise and open systems Host to Library Interface m TCP IP The 9310 requires additional hardware consisting of Ethernet switches and 19 inch rack Order Number Description CRYPTO 2X 9310 Z N Sun StorageTek crypto kit for use with 9310 libraries A 24 port ethernet switch and cables for installation in 9310 plus 16 port ethernet switch and cables for connection to KMA externally Rack mounting HW 9310 libraries require CRYPTO 2X 9741E N Sun StorageTek crypto kit for use with 9310 libraries A 24 port ethernet switch cables and rack mount HW for installation within 9741E cabinet One required for each additional 9741E cabinet used for crypto RoHS 5 compliant Note Each 9741E cabinet may contain up to 20 tape drives and requires the use of a 24 port Ethernet switch Firmware Levels Firmware Level or Higher Library Prerequisit
45. 3000 Modular Library System FIGURE 4 4 SL3000 Modular Library System Requirements Virtual Operator Panel VOP Version 1 0 14 or higher Version 1 0 16 86 OKM Systems Assurance Guide June 2013 Revision 04 SL500 Modular Library System SL500 Modular Library System FIGURE 4 5 SL500 Modular Library System Requirements High level Description The SL500 library is a self contained fully automated cartridge tape storage system that is scalable and mounts into a standard 483 mm 19 in rack or cabinet The library can consist of 1 to 5 modules one base and up to four expansion modules Because of the scalability the capacity of an SL500 library can store m From 2 tape drives with 530 data cartridge slots m To 18 tape drives with 395 data cartridge slots m A cartridge access port that holds 5 to 45 slots depending on the number of modules With a variety of tape drives and cartridges slots in between Operating System Support The SL500 supports all major operating systems enterprise and open systems Host to Library Interface m Single Ethernet TCP IP 1x m Fibre Channel Supports Partitioning Order Number Note Encryption hardware can be installed in the same rack as the library depending on the number of modules installed Description CRYPTO 2X SL500B N Base module required Crypto kit for use with SL500 library base Ethernet switch and cables for installation with
46. 5 2 5 1 Library Management ACSLS 7 1 and 7 1 1 with PUTO701 or 7 2 and 7 3 HSC 6 1 or 6 2 VSM 6 1 or 6 2 includes VTCS and VTSS VTL models 1 0 or 2 0 Tape Drives SL8500 SL3000 Lxxx 9310 9311 SL500 VOP SL150 T10000A FC L 3 11c L FRS_2 00 L 3 17 03 L 4 4 08 n a 1 0 18 n a D 137113 D 137113 D 137113 D 137113 T10000A L 3 11c L FRS_2 00 L 3 17 03 L 4 4 08 n a 1 0 18 n a FICON D 137114 D 137114 D 137114 D 137114 T10000B FC L 3 98b L FRS_2 00 L 3 17 03 n a n a 1 0 18 n a D 138x07 D 138x07 D 138x07 T10000B L 3 98b L FRS_2 00 L 3 17 03 n a n a 1 0 18 n a FICON D 138x09 D 138x09 D 138x09 T10000C FC L FRS_7 0 0 L FRS_3 0 0 n a n a n a 1 0 18 n a D 1 53 316 D 1 53 316 T10000C L FRS_7 0 0 L FRS_3 0 0 n a n a n a 1 0 18 n a FICON D 1 53 316 D 1 53 316 T9840D FC L 3 98 L FRS_2 00 L 3 17 03 L 4 4 08 n a 1 0 12 n a D 142x07 D 142x07 D 142x07 D 142x07 T9840D L 3 98 L FRS_2 00 L 3 17 03 L 4 4 08 n a 1 0 12 n a FICON amp D 142x07 D 142x07 D 142x07 D 142x07 ESCON L 3 98B L 2 05 n a n a L 1300 HP LTO4 D H64S FC D H64S FC D H64S FC 1 0 12 n a for FC n a for SCSI n a for SCSI D B63S SCSI n a for SCSI HP LTO5 D I5BS FC D I5BS FC D I5BS FC 1 0 16 D Y5BS FC n a for SAS n a for SAS D X5AS SAS D Z55S SAS HP LTO6 D J2AS FC D J2AS FC D J2AS FC 1 0 16 D 22CS FC n a for SAS n a for SAS n a for SAS D 329S SAS 78 OKM Systems Assurance Guide June 2013 Revision 04 TABLE 3 9 Firmware Compatibilities Firmware Levels
47. 5 6 m LTO 3 4 5 6 m SDLT 600 Supported m DLT S4 Interfaces Note The library interface and tape drive interfaces may be different m TCP IP only m TCP IP m Fibre Channel m TCP IP m Fibre Channel m SCSI m Fibre Channel T10000 A B and C FC and FICON T9840D FC FICON ESCON LTO 4 5 and 6 FC only T10000 A B and C FC and FICON T9840D FC FICON ESCON LTO 4 5 and 6 FC only LTO 4 5 6 FC LTO 4 SCSI LTO 5 6 SAS LTO 4 5 6 FC LTO 4 SCSI LTO 5 6 SAS Media All libraries support true mixed media Any Cartridge Any Slot m 110000 Std Sport m 110000 Std Sport m LTO 1 2 3 4 5 6 amp m LTO 3 4 5 6 amp T VolSafe VolSafe T WORM WORM m 9840 Std and VolSafe m 9840 Std and m DLTtape II m LTO 2 3 4 5 6 amp VolSafe m Super DLTtape I amp II T WORM m LTO 2 3 4 5 6 amp m DLTtape III T WORM m Super DLTtape I amp II Partitioning Yes Yes Yes Yes SNMP Yes Yes Yes Yes SDP Yes Yes No Yes Power Yes Yes No Yes Redundancy Operating Enterprise and Open Enterprise and Open Open systems only Open systems only Systems Systems Systems Library m ACSLS m ACSLS m ACSLS m ACSLS Management m HSC m HSC m ISV m HSC m ISV 58 OKM Systems Assurance Guide June 2013 Revision 04 Content Management TABLE 3 3 Content Management Planning FC Fibre Channel ACSLS Automated Cartridge System Library Software FICON IBMs fiber connection HSC Host So
49. Keys List Yes Update Yes Transfer Partner Key Group Assignments List Yes Yes Modify Yes Backup Create Yes List Yes Yes Yes Yes List Backups amp Destroyed Keys Yes Yes Chapter 3 Site Preparation 67 Oracle Key Manager Interface TABLE 3 6 System Operations and User Roles Sheet 4 of 5 Roles Security Compliance Backup Quorum Operation Officer Officer Operator Operator Auditor Member Restore Quorum Confirm Destruction Yes Core Security Backup Create Yes SNMP Manager Create Yes List Yes Yes Modify Yes Delete Yes Audit Event View Yes Yes Yes Yes Yes View Agent History Yes Yes View Data Unit History Yes Yes View Data Unit Key History Yes Yes System Dump Create Yes Yes System Time List Yes Yes Yes Yes Yes Modify Yes NTP Server List Yes Yes Yes Yes Yes Modify Yes Software Version List Yes Yes Yes Yes Yes Upgrade Yes Network Configuration Display Yes Yes Yes Yes Yes Pending Quorum Operation Approve Quorum Delete Yes Auto Service Request Display Yes Yes 68 OKM Systems Assurance Guide June 2013 Revision 04 Oracle Key Manager Interface TABLE 3 6 System Operations and User Roles Sheet 5 of 5 Enable Yes Disable Yes Preview Audit Data Yes Yes Revision 04 Chapter 3 Site Preparation 69
50. Manager Wide Area Network Site 1 Site 2 KMA Cluster KMA Cluster KMA 3 KMA 4 B e0 2 3 JS FRS CBI O ben 2 3 Free Ethernet 2222 Switch LE eee ee eee eee hi CORRE eee eee eee eee eee SL3000 SL3000 Library Library ssssass Service secs Network T105_073 8 OKM Systems Assurance Guide June 2013 Components FIGURE 1 5 Database Example In this example four KMAs in a cluster are supporting both Automated Tape Libraries and an Oracle database with Advanced Security Transparent Data Encryption TDE solution V OKM Management GUI Site 1 Site 2 Wide Area Network KMA Cluster Ethernet III Switch LA SL3000 Library T105_077 Oracle Key Manager is now certified with Oracle Advanced Security Transparent Data Encryption This means that the same encryption technology used in Oracle StorageTek tape drives is now available for managing encryption keys for Oracle 11g databases See Appendix B Encryption for Oracle Databases for more information Revision 04 Chapter 1 Introduction 9 Key Management Appliance Key Management Appliance There are three types of servers for the Key Management Appliance KMA m Sun Fire X2100 M2 servers original m Sun Fire X2200 M2 servers upgrade m Sun Fire X4170 M2 servers current All three servers are functionally equivalent Notes m Subsequent releases of the OKM appl
51. Oracle Key Manager Systems Assurance Guide Ss R SUN Part Number E24530 04 June 2 Oracle Key Manager Systems Assurance Guide E24530 04 Revision 04 Copyright 2008 2013 Oracle and or its affiliates All rights reserved This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws Except as expressly permitted in your license agreement or allowed by law you may not use copy reproduce translate broadcast modify license transmit distribute exhibit perform publish or display any art in any form or by any means Reverse engineering disassembly or decompilation of this software unless required by law or interoperability is prohibited The information contained herein is subject to change without notice and is not warranted to be error free If you find any errors please report them to us in writing If this is software or related software documentation that is delivered to the U S Government or anyone licensing it on behalf of the U S Government the following notice is applicable U S GOVERNMENT RIGHTS Programs software databases and related documentation and technical data delivered to U S Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency specific supplemental regulations As such the use
52. Oracle Key Manager Interface. TABLE 3-7 User Roles Work Sheet. Columns: User ID; Description; Passphrase (confidential password); Roles (Security Officer, Compliance Officer, Operator, Backup Operator, Auditor, Quorum Member). Note: The Passphrase should not be recorded here for security reasons. This column is provided as a reminder that as User IDs are entered, the person with that ID will be required to enter a passphrase. Preparing the Tape Drives: The tape drives should be installed and tested in their appropriate configuration before adding the encryption capability to them. Each drive type has its own requirements. T-Series Drive Data Preparation: To obtain the drive data for each T-Series (T10000 and T9840) tape drive: Step 1: Using the Virtual Operator Panel, connect to each tape drive and record the last eight digits of the tape drive serial number. a. Select File > Connect to Drive. b. Select Retrieve View Drive Data Manufacturing. FIGURE 3-4 Tape Drive Serial Number (VOP, View Current Drive Settings).
53. Content Management: Disaster Recovery. Disaster recovery is a subset of a larger process known as business continuity planning (BCP), which should include replacing hardware, re-establishing networks, resuming applications, and restoring data. Disaster recovery is the process, policies, and procedures that relate to preparing for recovery or continuation of business-critical information to an organization after a natural or human-induced disaster. This includes: Recovery Point Objective (RPO): The point in time to recover data as defined by a business continuity plan. This is generally a definition of what the business determines is an acceptable loss in a disaster situation. This could be in hours, days, or even weeks. Recovery Time Objective (RTO): The duration of time that a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. This could be minutes when using a combined service network. The OKM uses a cluster design that requires at least two key management appliances. This design helps reduce the risk of disrupting business continuity. Clustering KMAs allows for replication of database entries and workload balancing. In the unlikely event that a component should fail, it can be easily replaced and restored to operation. An OKM can span multiple, geographically separated sites. This highly re
54. SL3000 library offers customers the benefits of m Scalability in storage capacity from 200 to 5800 slots m Performance from 1 to 56 tape drives m Heterogeneous attachments using standard interfaces Ethernet and Fibre Channel m Multiple library management software options Order Number oe T105_119 Operating System Support The SL3000 supports all major operating systems enterprise and open systems Host to Library Interface m Single Ethernet TCP IP 1x m Dual TCP IP optional feature 2x m Fibre Channel dual port optional feature 2x Supports Partitioning Description m SL3000 Kit 1 XSL3000 ETHRNTI N m SL3000 Kit 2 XSL3000 ETHRNT2 N m SL3000 Kit 3 XSL3000 ETHRNT3 N m SL3000 Kit 4 XSL3000 ETHRNT4 N The SL3000 uses four different part numbers for Ethernet switches and cables to 1 to 56 tape drives Note The SL3000 has limited internal rack space Depending on the number of drives customers may need to order an external rack Firmware Levels Library FRS_2 0 2 FRS_2 30 FRS_2 8x StreamLine Library Console FRS_4 0 Tape Drives a T10000A 1 37 113 or higher m T10000B 1 38 x07 or higher a T10000C 1 53 316 or higher a T9840D 1 42 104 or higher m HP LTO4 H64S Fibre Channel m HP LTOS I5BS Fibre Channel a HP LTO6 J2AS Fibre Channel m IBM LTO4 BBH4 Fibre Channel m IBM LTO5 BBNH Fibre Channel a IBM LTO6 CT94 Fibre Channel Revision 04 Chapter4 Components 85 SL
55. Site Name; KMA ID; KMA Name; KMA Version (helps determine FIPS support for supported tape drives). The following dynamic properties are also provided to tape drives when they issue a discover cluster request: Responding (indicates if the KMA is responding on the network) and Locked (indicates if the KMA is currently locked). The tape drives periodically retrieve this information as part of a tape operation (not when the tape drive is idle) and always request it as part of enrollment and whenever the drive is IPLed. The KMA that receives the discover cluster request provides this information for each KMA that is accessible over the service network. This is where the network planning and configuration exercise becomes important. Load Balancing: During normal tape drive operations, the drives use their local table of cluster information to select a KMA for key retrieval. The drives use an algorithm to pick a random KMA from the cluster of KMAs that are within the same site as the drive and that are unlocked and responding. If all KMAs within a site are either locked or not responding, then the tape drive attempts to access a KMA from another site. Presumably, this is a remote site with a network response time that may be higher than that of the other KMAs within the same site as the tape drive. What is important is that the KMAs from other site
56. The ability for tape drives to failover to remote sites can improve drive reliability and availability when local KMAs are down or slow to respond (such as timeout situations because of heavy workloads). Note: Providing the ability to failover to remote sites is something that needs to be planned for and should involve customer network engineers. For drives on the service network, a route must be configured between sites, and the KMA console network menu option should be used. The common mistake to avoid is configuring a default route. provides an example for a Multi-Site Routed Service Network. Service Delivery Platform: The Service Delivery Platform (SDP) is a support solution for StorageTek's libraries and tape drives (T-Series only) that consists of a smart appliance and a dedicated network. The SDP appliance can be configured to use the Dynamic Host Configuration Protocol (DHCP) to automate the assignment of IP addresses for device connections. Optionally, the SDP can be used as the DHCP server for the KMAs service network IP address. Oracle Key Manager and the SDP: Beginning with new deployments of SDP and the Oracle Key Manager, the configuration was changed to strengthen security. The SDP product team recommends a firewall between the KMAs switches and tape drives on the service network because of the connectivity of KMAs to the customer's network. Refer to the Service
57. XSL3000 ETHRNT3 N StorageTek SL3000 X Option Ethernet Switch for Tape Drives Includes cable harness for 8 drives Supports 3rd Drive Array in BM or DEM Needed for SDP and Encryption Includes Power Cable and Switch Harness A C XSL3000 ETHRNT4 N StorageTek SL3000 X Option 8 Drive Ethernet Cable Harness Requires XSL3000 ETHRNT4 Z Supports 4th Drive Array in DEM Needed for SDP and Encryption Includes Power Cable Includes Ethernet Switch Harness C C Note SL3000 released it s own kits for encryption There are 4 parts I think the cabling is just different but not sure How many and which depends on the number of encryption ready drives to be supported CRYPTO 2X RACK Z N Sun StorageTek 16 port ethernet switches and rack mounting HW for use with the Oracle Key Manager in redundancy configuration For rackmount tape Additional switch option CRYPTO X 24PT Z N Sun StorageTek 24PT ethernet switch No mounting HW or cables Revision 04 Chapter4 Components 95 ATO Bill of Materials 96 OKM Systems Assurance Guide June 2013 Revision 04 APPENDIX IBM ICSF Integration This appendix provides an overview about the IBM Integrated Cryptography Service Facility ICSF For more information refer to Oracle Key Manager ICSF Integration Guide PN 31619810x a Oracle Key Manager Administration Guide PN 31619510x System Requirements Both the IBM mainframe and the OKM Cluster ha
58. ack mounting HW CRYPTO 2X 9741E N Sun StorageTek crypto kit for use with 9310 libraries A 24 port ethernet switch cables and rack mount HW for installation within 9741E cabinet One required for each additional 9741E cabinet used for crypto RoHS 5 compliant CRYPTO 2X L7 14 N Sun StorageTek crypto kit for use with L180 700 1400 libraries A 16 port ethernet switch cables and mounting HW for installation within L series libraries CRYPTO 2X SL500X N expansion module Sun StorageTek crypto kit for use with SL500 library expansion Ethernet cables for installation within SL500 library CRYPTO 2X SL500B N base module Sun StorageTek crypto kit for use with SL500 library base Ethernet switch and cables for installation within SL500 library Note An encryption capable SL500 requires one base library accessory kit CRYPTO 2X SL500B N In addition one expansion module accessory kit CRYPTO 2X SL500X N for each Drive Expansion Module is required XSL3000 ETHRNT1 N StorageTek SL3000 X Option Ethernet Switch for Tape Drives Includes cable harness for 8 drives Supports 1st Drive Array in BM or DEM Needed for SDP and Encryption Includes Power Cable Includes Ethernet Switch Harness XSL3000 ETHRNT2 N StorageTek SL3000 X Option 8 Drive Ethernet Cable Harness Requires XSL3000 ETHRNT1 Z Supports 2nd Drive Array in BM or DEM Needed for SDP and Encryption Includes Power Cable and Switch Harness B C
59. al number folder is the drive data file for that specific tape drive. FIGURE 3-7 Drive Data File Structure. When activating the tape drives, the VOP requests a download location. Step 4: Complete the Work Sheets to help with the activation and enrollment of the tape drives. What you need to know before beginning: What is the drive number (serial or system) and IP address? What are the Agent IDs and Passphrases? Is this drive going to use tokens (Version 1.x) to get media keys (OKT), or use the appliance (KMA, Version 2.x) to get the encryption keys? Does the customer want this drive to remain in encryption mode, or do they want the ability to switch encryption on and off? Step 5: Make copies of this page as necessary. Notes: Agent names (IDs) cannot be changed; however, an agent can be deleted and re-enrolled with a different name. If you replace the agent, you can reuse the name; however, passphrases can only be used once; you will need to give the
60. all 800 525 0369 inside the United States or a Contact any of Sun s worldwide offices to discuss support solutions for your organization You can find address and telephone number information at http www oracle com us corporate index htm or http www oracle com us support index html 2 Describe the problem to the call taker The call taker will ask several questions then a Route your call to the appropriate level of support or a Dispatch a service representative If you have the following information when you place a service call the process will be much easier Complete as much information as possible if known Account name Site location number Contact name Telephone number Equipment model number Device addresses IP Addresses Error Codes D KMA Appliance D OKM Manager GUI D SL8500 library D SL3000 library D SL500 library 1 SL150 library I Oracle Database D 9310 library D L700 1400 library LI SL24 and SL48 LI Standalone I Network switch D T10000A tape drive D T10000B tape drive Di T10000C tape drive D T9840D tape drive D HP LTO drive Q IBM LTO drive Urgency of problem Revision 04 Appendix C Work Sheets 111 Obtaining Support Problem description 112 OKM Systems Assurance Guide June 2013 Revision 04 Initial Configuration Work Sheet Initial Configuration Work Sheet
61. ances KMAs are needed a The maximum number of KMAs is 20 m The minimum OKM size is 2 a The recommendation is at least 2 assuming sites are geographically dispersed The exception to this standard configuration single node site must be made with the approval of Encryption Engineering Professional Services and Support Services How many What type of encryption hardware kits are needed How many encryption hardware kits are needed How many SL8500 SL3000 SL500 SL150 9310 9741E L Series Rackmount OCCO O How many and of what type of encryption capable tape drives are needed How many T10000A T10000B T10000C T9840D HP LTO 4 5 or 6 IBM LTO 4 5 or 6 0O O O O O Are external standalone Racks required Type LJ Yes How many Identify customer requirements and expectations Revision 04 Chapter 2 Systems Assurance 37 Configuration Planning The following pages provide space to help sketch a drawing of the configuration 38 OKM Systems Assurance Guide June 2013 Revision 04 Configuration Planning Revision 04 Chapter 2 Systems Assurance 39 Configuration Planning 40 OKM Systems Assurance Guide June 2013 Revision 04 CHAPTER 3 Site Preparation Revision 04 Use this chapter and checklists to prepare for the installation Site Planning Checklist There are a few things to be aware of to install encryption hardware into a suppor
62. andard m embedded Lights Out Manager Mass storage One SATA disk drive 250 GB capacity PCI Slots Two PCI Express slots PCIe PCle 0 contains the Sun Crypto Accelerator 6000 SCA6000 Networking Four USB 2 0 connectors on the rear panel Two USB 2 0 connectors on the front panel a Two ports Serial port with DB 9 VGA with DB 15 Four 10 100 1000 Base T Ethernet ports Dimensions Height 43 mm 1 69 in Width 425 5 mm 16 75 in Depth 633 7 mm 25 in Weight 1 6 kg 24 64 Ib Mounting options 19 inch rackmount kit Compact 1 rack unit 1 75 in Environmental parameters Temperature 5 C to 35 C 41 F to 95 F Relative humidity 27 C 80 F max wet bulb Altitude Up to 3 000 m 9 000 ft Power supply 100 240 VAC 47 63 Hz One 8 Amps non redundant power supply at 500 Watts Heat output is about 850 BTU hour Regulations meets or exceeds the following requirements Safety CE CB Scheme UL CSA CCC BSMI AR S GOST R EMC CE FCC VCCI ICES BSMI CCC MIC C Tick AR S GOST R Other RoHS compliant labeled per WEEE Waste Electrical and Electronics Equipment Directive 2002 95 EC 14 OKM Systems Assurance Guide June 2013 Network Considerations Network Considerations Oracle recommends that customers supply a managed switch for connecting KMAs to the tape drives on private service networks Managed switches then would supply connec
63. arge businesses and organizations; Enterprise and client-server platforms; Stand-alone and automated tape environments. You can choose from the following tape drive models: StorageTek T10000A; StorageTek T10000B; StorageTek T10000C; StorageTek T9840 (Model D only); Hewlett Packard (HP) Linear Tape-Open (LTO) Generations 4, 5, and 6; International Business Machines (IBM) Linear Tape-Open (LTO) Generations 4, 5, and 6. FIPS Compliant Tape Drives: Beginning with Version 2.1 and the latest tape drive firmware, the following drives are FIPS compliant (footnote 3). TABLE 1-6 FIPS 140-2 Compliant Tape Drives (Tape Drive: FIPS 140-2 Level): T10000A: 1; T10000B: 2; T10000C: 1; T9840D: 1; LTO4 (HP and IBM): No plans for FIPS; LTO5 (HP and IBM): No plans for FIPS; LTO6 (HP): No plans for FIPS. LTO drives may be FIPS validated in its basic form, but not necessarily in specific encryption applications. FIPS 140-2 levels of security for the above tape drives includes Levels 1 and 2. Level 1: The basic level with production-grade requirements. Level 2: Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform. This selection provides a higher level of security for the KMAs and tape drives. Footnote 3: FIPS 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. Federal Information Proces
64. ata Encryption TDE Whitepaper Access to Oracle Support Oracle customers have access to electronic support through My Oracle Support For information visit http www oracle com support contact html or visit http www oracle com accessibility support html if you are hearing impaired xii OKM Systems Assurance Guide June 2013 Summary of Changes EC Number Date Revision Description EC000227 February 2008 A Initial release EC000496 May 2008 B Refer to this revision for the list of changes included T9840D tape drives EC000594 June 2008 BA Refer to this revision for the list of changes included HP LTO 4 tape drives EC001009 February 2009 BB Refer to this revision for the list of changes included X2200 server FIPS compliant IPv6 T10000B EC001402 November 2009 BC Refer to this revision for the list of changes KMS 2 2 IBM LTO4 IBM ICSF April 2010 C Refer to this revision for the list of changes Oracle branding updated marketing order numbers November 2010 D Refer to this revision for the list of changes Product Name Change support for a new server 4170 a new tape drive LTO5 and new platforms SL24 and SL48 June 2011 E a Added information about the Auto Service Request ASR feature July 2011 01 a Updated to an Oracle part number E24530 Revision 01 a Added information about the T10000C tape drive a Included engineering comments updates R
65. ath such as cgi smcgcsf; File containing the client "user certificate" exported and transferred off of the mainframe; File containing the client private key exported and transferred off of the mainframe; Password that was used when the client private key was created; File containing the Root CA certificate exported and transferred off of the mainframe. The administrator of an Oracle Key Manager enters this information as the Master Key Provider settings in the Security Parameters panel of the OKM Manager GUI. After the administrator saves these settings, the OKM cluster begins to issue requests to the Proxy on the IBM mainframe. The client "user certificate" and the client private key might appear in the same file when they are exported from the IBM mainframe. If so, then the administrator should specify the same file in the OKM Certificate File Name and OKM Private Key File Name fields in the Master Key Provider settings. APPENDIX B: Encryption for Oracle Databases. Note: For more information, refer to the two white papers, (1) Using Oracle Key Manager with Advanced Security Transparent Data Encryption and (2) Oracle's Advanced Security Transparent Data Encryption Best Practices, and the OKM Administrator's Guide. Transparent Data Encryption TDE wi
67. Site Configurations: The cluster periodically issues requests to the IBM mainframe to create new master keys (referred to as application keys in ICSF). The KMAs then use these new master keys to derive new tape encryption keys. Note: The mainframe where Common Cryptographic Architecture CCA ICSF resides. Key Stores and Master Key Mode: In version 2.x, the KMAs generate their own keys using their Cryptographic Accelerator (SCA6000) cards. Some customers may prefer to have the KMAs use master keys that are created and stored in an external key store contained in an IBM mainframe. Version 2.2 introduces a Master Key Mode feature. When this feature is enabled, the OKM derives tape encryption keys from a set of master keys. The master keys are created and stored in an external key store. Full disaster recovery is possible with just the tapes, the master keys, and factory default equipment. IBM Mainframe: Various steps are required to configure a z/OS system to be used as an external key store for an OKM cluster. Updating Information: After the IBM mainframe has been configured, the z/OS systems programmer must provide the following information to the administrator of an OKM: Host name or IP address of the mainframe; Port number, such as 9889; Web application p
68. ce Representative T9840D T10000A T10000B T10000C Enr Service Network Agents Tape Drives Ethernet Switch Service Network USB Keyboard optional LAN 2 LAN 3 LTO4 En HP LTO5 IBM poms Service Network Aggregate Network Key Management Appliance KMA Lai Le Monitor optional T105_071 FIGURE 1 11 Key Management Appliance Rear Panel Connections X2100 X2200 Servers Note Each Ethernet connection blue line requires an IP address Revision 04 Chapter 1 Introduction 19 Network Considerations Service Network Agents Tape Drives Management Network HP T10000A Oea IBM E Service Network Oracle Key Manager Ethernet Switch NET 2 Service Network NET 3 Aggregate Network Key Management Appliance KMA UOR Network Service Representative USB Keyboard optional Monitor optional T105_072 FIGURE 1 12 Key Management Appliance Sun Fire X4170 M2 Rear Panel Connections Note Each Ethernet connection blue line requires an IP address 20 OKM Systems Assurance Guide June 2013 Revision 04 Network Considerations Internet Protocol Versions Enhancements made to OKM 2 1 included support for the newest implementation of the Internet Protocol Suite or IP The current version IPv4 uses a 32 bit number written as four groups of three numbers separated
69. computer system that system administrators can use to monitor system health and manage the system Internet Protocol IP A protocol used to route data from its source to its destination in an Internet environment Revision 04 Glossary 121 Internet Protocol address IPv4 IPv6 Key Group Key Management Appliance KMA Key Management System 122 KMS Key Policy A four byte value that identifies a device and makes it accessible through a network The format of an IP address is a 32 bit numeric address written as four numbers separated by periods Each number can be from 0 to 255 For example 129 80 145 23 could be an IP address Also known as TCP IP address The next generation uses a 128 bit value written as eight groups of four hexadecimal characters separated by colons For example 2001 0db8 85a3 0000 0000 8a2e 0370 7334 A key in this context is a symmetric data encryption key Agents can request new key material for encrypting data corresponding to one or more Data Units A key belongs to a single Key Group so that only Agents associated with the Key Group can access the key Keys have encryption and decryption cryptoperiods that are dictated by the Key Policy associated with the Key Group of the particular key The type of key that is its length and algorithm is specified by the Encryption Agent A random string of bits generated by the key management system entered from the keyboard or purchased
70. cryption. It starts when the key is first assigned to the drive. A data policy defines a set of encryption-related parameters, such as the encryption and decryption crypto periods for keys. Data units are abstract entities within the OKM that represent storage objects associated with OKM policies and encryption keys. For tape drives, a data unit is a tape cartridge. Encryption: The translation of data into a secret code. Encryption is one of the most effective ways to achieve data security. To read an encrypted file, you must have access to a special key or password that enables you to decipher it. FIPS (Federal Information Processing Standards): The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration and Laboratories, which develops and promotes standards and technology, including: Computer Security Division and Resource Center (CSRC); Federal Information Processing Standards (FIPS). For more information, visit http://www.nist.gov. GUI: Graphical User Interface. Hash Message Authentication Code (HMAC): In cryptography, a keyed Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. Intelligent Platform Management Interface (IPMI): IPMI defines a set of common interfaces to a
71. d trademarks of SPARC International Inc UNIX is a registered trademark licensed through X Open Company Ltd This software or hardware and documentation may provide access to or information on content products and services from third parties Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content products and services Oracle Corporation and its affiliates will not be responsible for any loss costs or damages incurred due to your access to or use of third party content products or services Contents Preface xi Related Information xi Access to Oracle Support xii 1 Introduction 1 Planning for Encryption 1 Encryption Standards 2 Components 3 Encryption Hardware Kits 4 Key Manager Configurations 4 Key Management Appliance 10 Sun Fire X4170 M2 Server 10 X4170 M2 Component Specifications 11 Sun Fire X2100 M2 and X2200 M2 Servers 12 Sun Fire X2100 M2 Server 13 Sun Fire X2200 M2 Server 14 Network Considerations 15 Management Network 15 Service Processor Network 15 KMA Service Port Aggregation 16 Key Management Appliance Physical Connections 19 Internet Protocol Versions 21 Automated Tape Libraries 22 Tape Drives 23 FIPS Compliant Tape Drives 24 About the StorageTek T10000 Tape Drive 25 About the StorageTek T9840D Tape Drive 25 Revision 04 iii About the LTO Tape Drives 26 Tape Drive Comparisons 27 StorageTek T Series Ta
72. data retention requirements for the data protected by the TDE master key. Typically, this value will be some number of years corresponding to the enterprise policy for data retention, for example, a seven-year retention period for US tax records. The rate at which new keys are generated should not be a concern with TDE, as re-key operations will likely be infrequent. If this becomes a concern, then consider lengthening the encryption period on the key policy and re-keying less frequently. The Oracle Key Manager key pool size configuration parameter can also be increased to have the KMAs maintain a larger pool of available keys. Multiple key policies may be defined for use with different types of databases as needs dictate. Key Access Control Through Key Groups: It may be necessary to control access to keys managed by the Oracle Key Manager when multiple database instances or multiple agents are accessing the Oracle Key Manager cluster for various purposes. All Oracle Key Manager agents are assigned to at least one key group (a default key group assignment is required), which authorizes them to have access to the keys within those groups. The agent's default key group is the only key group within which a pkcs11_kms provider's agent will create keys. Consider using multiple key groups when master keys do not need to be shared across database instances or hosts. An example might be to use a key group for production database instances and another key
73. de name 50 01 04 F0 00 93 c8 0c Porth world wide name S0 01 04 f0 00 93 c8 0d Network mac address 00 10 4f 07 6d 27 Drive model number T10000 T105_113. 2. Use the Work Sheets to build information about the tape drives. You will find this information helpful during the installation, activation, and enrollment process for the tape drives (agents). Note: Step 3 and Step 4 are not required for T10000C drives running firmware version 1.57.30x and higher. 3. Request an Encryption Key File: a. Log in to the Applications Web site at https://crcapplications.us.oracle.com/keyswebapp. b. Select Request an Encryption key. [FIGURE 3-5: Request an Encryption Key Application] Access is Restricted: You must be an employee, complete the encryption training courses, and include the name of the employee on the Request Encryption Key list. 4. Complete the Encryption Request form: a. First name, last name, and e-mail address are automatically included. b. Provide a site ID and order number. c. Select the tape drive type: T10000A, T10000B, T10000C, or T9840D. d. Complete the serial number for the selected tape dri
74. duces the risk of a disaster destroying the entire cluster. Clustering KMAs allows for replication of database entries and workload balancing. Although it is unlikely that an entire cluster needs to be recreated, most of the key data can be recovered by recreating the OKM 2.x environment from a recent database backup. While designing an encryption and archive strategy, an important design guideline is to make sure that critical data generated at any site is replicated and vaulted off-site. Many companies employ the services of a third-party disaster recovery (DR) site to allow them to restart their business operations as quickly as possible. Refer to Disaster Recovery Reference Guide PN 31619710x for more information. Planning the Data Path: When planning for partitions, you also need to be aware of the location, quantity, type, and need for the tape drives and media. In addition, an understanding about how to logically group and install the tape drives and locate the media for the different hosts, control data sets, interface types, and partitions is necessary. When planning for partitions: Make sure the tape drive interface supports that operating system (open system platforms do not support ESCON or FICON interfaces; not all mainframes support Fibre Channel interfaces or LTO tape drives). Make sure the media types match the application. Install tape drives that use the same media types in the same partition. Make sure there are eno
75. e on page 31 and the Administration Guide for more information. [TABLE 3-1: Site Planning Checklist (continued); columns: Question, Completed, Comments; section: Configurations, Tape Drives and Media] Rack Specifications: The KMAs can be installed in standard RETMA 19-inch, four-post racks or cabinets. Note: Two-post racks are not supported. The slide rails are compatible for a wide range of racks with the following standards: horizontal opening and unit vertical pitch conforming to ANSI/EIA 310-D-1992 or IEC 60927 standards; distance between front and rear mounting planes between 610 mm and 915 mm (24 in. to 36 in.); clearance depth to a front cabinet door must be at least 25.4 mm (1 in.); clearance depth to a rear cabinet door at least 800 mm (31.5 in.) to incorporate cable management, or 700 mm (27.5 in.) without cable management; clearance width between structural supports and cable troughs and between front and rear mounting planes is at least 456 mm (18 in.). SL8500 Rack Guidelines: An SL8500 library can have up to 4 optional accessory racks (PN XSL8500 RACK Z). If the customer wants power redundancy, a minimum of 2 racks are required. Each rack can hold up to 6 units (called Us) of equipment, such as the key managem
76. e Cluster. Backup Operator: Performs backups. Compliance Officer: Manages key policies and key groups; determines which Agents and Transfer Partners can use key groups. Operator: Manages Agents, Data Units, and Keys. Quorum Member: Views and approves pending quorum operations. Security Officer: Full authority to view, modify, create, and delete Sites, KMAs, Users, and Transfer Partners. Note: Each person or user may fulfill one or more of these roles. FIGURE 3-3 shows an example of the Users Detail screen. Use TABLE 3-7 on page 70 to help prepare for the assignments. [FIGURE 3-3: User Roles Detail Screen. Callouts: 1. Enter a User ID (between 1 and 64 characters). 2. Provide a description (between 1 and 64 characters). 3. Click the Passphrase tab and enter a passphrase twice. Passphrases must use 8 to 64 characters and 3 of 4 classes (upper case, lower case, numbers, and symbols), and do not include the user's name. Role check boxes: Auditor, Backup Operator, Compliance Officer, Operator, Security Officer, Quorum Member.] The KMA verifies that the requesting user has permission to execute an operation based on the user's roles. Unavailable operations typically indicate the wrong role. There are four basic operations a user role can have: Create, Delete, Modify, and View. TABLE 3-6 on page 65 shows the system entities and functions that each user role can perform
77. e KMA is configured. User Roles Work Sheet (columns): User ID; Description; Passphrase (confidential password); Roles (Security Officer, Compliance Officer, Operator, Backup Operator, Auditor, Quorum Member). Note: The Passphrase should not be recorded here for security reasons. This column is provided as a reminder that, as User IDs are entered, the person with that ID will be required to enter a passphrase. Drive Work Sheet (fields): Site Name; Site Number; SDP IP Address; File Pathname. Columns: Location; Drive Type; Serial Number (DMOD, last 8 digits); Crypto Serial Number (6 hexadecimal characters); Drive IP Address. Agent Enrollment Work Sheet (fields, for each KMA): Hostname; KMA IP Address. Columns: Drive Address; Drive Type; Drive IP Address; Agent ID; Passphrase; Token
78. e destroyed is an important planning item. Oracle Key Manager provides for this and also for tracking the Oracle Key Manager backups, which include these keys. Management of Oracle Key Manager backups is both a Disaster Recovery planning item and a key destruction planning item. APPENDIX C, Work Sheets: The following pages contain work sheets that can help prepare for the installation of an Oracle encryption solution. These work sheets include: Site Log; Obtaining Support (make several copies and give them to the customer; explain how to use them); Initial Configuration Work Sheet; User Roles Work Sheet; Drive Work Sheet (tape drives or database); Agent Enrollment Work Sheet. Make copies as necessary. Site Log (fields): Account Name; KMA Site Location; KMA S/N; KMA Name; KMA Firmware Level; KMA Number; Number of KMAs in Cluster; KMA IP Address; Service Network IP; Oracle Manager IP; ELOM/ILOM IP; IPv6 (Yes/No); DR Site (Yes/No); NTP (Yes/No); DHCP (Yes/No); Gateway (Yes/No); DNS (Yes/No); KMA Location; Oracle Manager Location; Configuration Types (SL8500 library, SL3000 library, SL500 library, SL150 library)
79. e pkcs11_kms provider is installed separately and then configured for use with Oracle Database. The pkcs11_kms provider interacts with Oracle Key Manager for key creation and key retrieval operations. Encryption and decryption functions are performed in the database and not by Oracle Key Manager. PKCS#11 consumer applications, such as TDE, identify key objects using a label that they define. TDE generates this label during creation of a master key. The pkcs11_kms provider passes this label along to Oracle Key Manager, where it is maintained as metadata on the data unit. In Oracle Key Manager, keys are associated with data units, and for the pkcs11_kms provider this relationship is always 1:1. Each time a new master key is created, a data unit with the key's label is created along with the corresponding key object. Planning Considerations: Careful thought should be given to planning the solution. The next few sections highlight some of the primary considerations to address in the planning phase. Oracle Database Considerations: Oracle Key Manager works with any of the following Oracle Database configurations: Single Instance, Oracle RAC One Node; Oracle Database High Availability Architectures; Oracle RAC. Oracle Database with Oracle Real Application Clusters is certified with Oracle Key Manager. Each node of the Oracle RAC system needs to have a configured
80. ent appliances and the Ethernet switches. Each rack has a six-connector power distribution unit (PDU) that provides power and two cooling fans that provide additional air flow. Table 3-2 lists the rack guidelines. TABLE 3-2 SL8500 Accessory Rack Guidelines (Guideline: Descriptions). Rack numbering: Rack numbering is top-down from 1 to 4. Rack 1 is on the top; Rack 4 is on the bottom. Rack mounting: Components must be able to function in a vertical orientation. Dimensional restrictions: Rack module depth is 72 cm (28 in.). Recommended safe length is 66 cm (26 in.). Equipment weight: The accessory rack itself is mounted on slides rated for 80 kg (175 lb). The recommended safe load is 64 kg (140 lb). The KMA is 10.7 kg (23.45 lb); the Ethernet switch is 1.5 kg (3.1 lb). Power consumption: Per rack module is 4 Amps maximum. Per outlet strip is 200-240 VAC, 50-60 Hz. The KMA is 185 W; the Ethernet switch is 20 W. Power cord: Power plug to connect to the rack PDU is IEC320 C13 shrouded male plug. Minimum cord length is component plus 46 cm (18 in.) for a service loop. Thermal requirements: Maximum power dissipation is 880 watts (3,000 Btu/hr) per rack module. Footnotes: 1. RETMA = Radio Electronics Television Manufacturers Association. 2. U stands for rack units. One unit is equal to 4.4 cm (1.75 in.).
81. es. The 9310 requires upgrades to support the T10000 tape drive. Feature Codes: 93T1 LSM upgrade firmware and hardware; 93T1 LMU upgrade firmware only; XT10 Hardware kit upgrade 9741E cabinet. Library Firmware (minimum): 9311 4.4.06; 9330 TCP/IP 2.1.02 code; 9330 3270 1.9.73 code. Tape Drives: T10000A 1.34.208 or higher; T10000B 1.38.x07 or higher; T9840D 1.42.104 or higher. Virtual Operator Panel (VOP): Version 1.0.11 or higher; Version 1.0.16. L-Series Libraries: Note: The L-Series libraries (L700 and L1400) do not support LTO tape drives for the Oracle Key Manager encryption solution. FIGURE 4-8 L-Series Library Requirements. High-level Description: L700 and L1400 libraries support two models. Single frame libraries can hold from 678 tape cartridges and up to 12 tape drives. Dual frame libraries hold from 1,344 tape cartridges and up to 24 tape drives. Operating System Support: Supports open system platforms, such as UNIX, Windows NT, Novell, and Linux. Host-to-Library Interface: LVD or HVD SCSI; Fibre Channel option. The L700e/L1400M libraries have internal rack space for the encryption hardware. Order Number and Description: CRYPTO 2X L7 14 N: Sun StorageTek crypto kit for use with L180/700/1400 libraries. A 16-port Ethernet switch, cables, and mounting HW for in
82. etwork Considerations. 5. Use ssh to access the management IP address of the switch to launch its CLI. Configure a trunk group for each KMA that should include aggregated service ports: `Brocade(config)# show trunk`; `Brocade(config)# trunk ethernet`; `Brocade(config)# trunk ethernet 1/1/1 to 1/1/2`; `Brocade(config)# trunk ethernet 1/1/3 to 1/1/4`; (etc. for each KMA that should include aggregated service ports, port IDs as shown in Step 4); `Brocade(config)# write memory`; `Brocade(config)# trunk deploy`. Note: In this example, the ports had been put into VLAN 1, as indicated by the leading 1 in the trunk commands. If no VLAN was created on the ports, then the trunk commands should not have the leading 1. For example: `Brocade(config)# trunk ethernet 1/1 to 1/2`. 6. In the web interface, navigate to Configuration > Trunk and view the trunks that you just defined in the CLI. 7. Attach network cables between the pairs of ports on the switch to the service and aggregated service ports on each KMA that should contain aggregated service ports. Port IDs shown in Step 6 are associated with physical ports on the switch. To do this: a. Inspect the switch and identify the physical ports that are associated with the trunk groups that you created in Step 5 and viewed in Step 6. b. For each KMA, attach a network cable between the first port in the trunk group and the service port on the KMA (labeled LAN 2 or
83. etwork traffic between the SDP onset unit and the Oracle network. This firewall effectively partitions the service network in two: the Oracle-controlled service network and the customer-controlled service network. The Service Delivery Platform Security White Paper, May 2008, describes this network as the Service Network interface. The Oracle Service Network interface is the connection between the SDP site unit and storage devices; this is the Port1 connection in the diagram. The Customer Network interface is the connection between SDP and Oracle storage devices connected to the customer operations center LAN that is attached to the customer network (Port 2 in the diagram). These devices include the tape drives and switches connected to the KMAs. The customer firewall prevents this connection from having access to the customer's network and only to the devices that SDP can monitor. Oracle service personnel still need to service equipment in both partitions of the service network and coordinate with SDP engineers for planning and configuration. [FIGURE 3-2: SDP Connectivity Example]
84. Revision history (EC Number, Date, Revision, Description): October 2011, Revision 02: Updated to support Release 2.5; added information about databases in Appendix B, Encryption for Oracle Databases. January 2013, Revision 03: Added information about the SL150 library. June 2013, Revision 04: Added Brocade ICX 6430 Switch configuration procedures. CHAPTER 1, Introduction: Encryption is based on the science of cryptography, which is one of the most effective ways to achieve data security today. To read an encrypted file, you must have access to the key that will enable you to decipher the file. This chapter introduces you to Oracle's Key Manager (OKM) and the components for encryption. Planning for Encryption: Are your customer accounts concerned with data security, data protection and sensitive information, or government regulations and retention? Data security is a major concern for IT professionals today: what happens if and when data falls into the wrong hands? Access to sensitive data can happen when it is sent over networks, written on disk or tape, or stored in archives. Your customers may also be required to take measures to protect their data because of government regulations or contractual obligations with business partners. A number of regulations require organizations to encr
85. ey Policy Considerations: All TDE master keys are AES 256 bits and generated by Oracle Key Manager. KMAs may contain a Sun Crypto Accelerator 6000 PCIe Card, a FIPS 140-2 Level 3 certified HSM. When KMAs have this Hardware Security Module, then their keys are created by the HSM. Otherwise, cryptographic operations utilize the Solaris Crypto Framework's software token provider. The key lifecycle is the primary configuration item with respect to key policy planning decisions. The periods chosen for the operational phase of the key's lifecycle should be chosen based upon data retention needs and the frequency with which TDE master keys will be re-keyed. Note: The TDE's DDL supports specification of various key sizes for the master key, as does the schema encryption dialogs within Oracle Enterprise Manager. Only AES 256-bit keys can be used with Oracle Key Manager. The key policy encryption period defines the length of time for the key to be used in the protect-and-process (encrypt and decrypt) state of the lifecycle. This period should correspond to the time period for use of the master key before it should be re-keyed (for example, maximum one year for PCI). The key policy cryptoperiod is the remaining time allotted for use of the master key to decrypt data during the process-only (decrypt only) state of the key lifecycle. The length of this period should conform to the
86. f just 8 seconds. This drive obtains its high performance by using a unique dual-hub cartridge design with midpoint load technology. This enables fast access and reduces latency by positioning the read/write head in the middle of the tape. A technology employed by Oracle to encrypt database content. TDE offers encryption at a column, table, and tablespace level. A cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging, and other data transfers. To erase electronically stored data, cryptographic keys, and Critical Security Parameters by altering or deleting the contents of the data storage to prevent recovery of the data.
87. fer to http docs oracle com cd E19121 01 sf x2100m2 819 6588 14 index html for more information and Web browsers TABLE 3 8 lists the supported operating systems and Web browsers TABLE 3 8 Operating Systems and Web Browsers Java Runtime Environment m Microsoft Windows Vista m Mozilla Firefox 1 0 m Windows 7 and 2008 server Client OS Supports these Web browsers Including Java Web Start m Microsoft Windows XP a Internet Explorer 6 0 and later JRE 1 5 Microsoft Windows 2003 Mozilla 1 7 5 or later Java 5 0 Update 7 or later a Solaris 10 a Solaris Sparc a SUSE Linux 9 2 Red Hat Linux 3 0 and 40 m Mozilla 1 7 5 or later JRE 1 5 a Mozilla Firefox 1 0 Java 5 0 Update 7 or later Solaris 9 Mozilla 1 7 5 JRE 1 5 Java 5 0 Update 7 or later 76 OKM Systems Assurance Guide June 2013 Revision 04 Supported Platforms and Web Browsers TABLE 3 8 Operating Systems and Web Browsers Continued You can download the Java 1 5 runtime environment at http java com The current version of the ELOM guide is located at http dlc sun com Revision 04 Chapter 3 Site Preparation 77 Firmware Levels Firmware Levels The minimum firmware requirements include TABLE 3 9 Firmware Compatibilities Component Version Version Version Version Version Version Version OKM 2 0 2 2 1 2 2 or 2 2 1 2 3 24 2
88. ftware Component. SNMP = Simple Network Management Protocol; ISV = Independent Software Vendor (Symantec, Legato, TSM); SDP = Service Delivery Platform. Important: Only LTO4 media (LTO4 and LTO4 WORM) are encryption-capable on the LTO4 tape drives. When planning for content, the most important aspect is to evaluate content (tape drives and data cartridges) with respect to the physical structure of the library. These libraries provide several ways to accommodate growing data storage needs: addition of library modules to the front, to the left or right, or up and down; Capacity on Demand (activation of slots without service representative involvement; requires the installation of slots or modules up front); flexible partitions; ease to re-allocate resources as needs change; Real-Time Growth; disaster recovery scenarios. Capacity on Demand: Capacity on Demand is a non-disruptive optional feature that allows the customer to add capacity to the library using previously installed, yet inactive, slots. The installed physical capacity is separate from the activated capacity. The advantage of Capacity on Demand is that the customer only buys the storage that they need and not all the storage that is installed. Activated capacity can be purchased in multiple increments. When a customer purchases a hardware activation key to use more physical storage, an encrypted key file is sent through e
89. h current write key. LTO Tape Drives. Notes: Both HP and IBM LTO tape drives are specified to interchange with un-encrypted data cartridges from other tape drives that comply to the LTO U-28, U-316, and U-416 specifications, and are capable of interchanging encrypted data cartridges provided the correct encryption key is available. Future compatibility: In the future, LTO drives will be capable of reading and writing tapes from the current generation, reading and writing tapes from one earlier generation, and reading tapes from two earlier generations. Note: Encryption is only supported with LTO4 and LTO5 Data Cartridges on LTO4 and LTO5 tape drives. To avoid problems, these drives will not write in normal or native modes once the drive is enabled for encryption. LTO Encryption Behavior: When LTO encryption is controlled by the Oracle Key Manager, the LTO drives can behave differently from StorageTek T-Series drives. There can also be slight differences between the HP and IBM drives from each other. These differences arise from specific aspects of the IBM and HP drive architecture. TABLE 1-10 lists the various scenarios and how HP and IBM drives behave. TABLE 1-10 LTO4 Encryption Behavior (columns: LTO4 Drive Performance; HP Implementation; IBM Implementation). Not Enrolled for Encryption: Read LTO4 non-encrypted data: OK non-encrypted; OK
90. hone Pager E-mail Address. (Contact sheet fields, repeated for each representative: Name; Title; Telephone Number; FAX Number; Cell Phone, Pager; E-mail Address.) Note: Representatives may include marketing, sales, and account representatives, systems engineers (SEs), Professional Services (PS), installation coordinators, and trained services personnel. Configuration Planning: Complete the following checklist and make a conceptual drawing to help with the installation. Provide this information and drawing to the installers. Use this checklist for each Key Manager the customer is considering. This checklist is geared towards planning a single Oracle Key Manager system with up to 20 OKMs. TABLE 2-2 Solution Planning Checklist (columns: Question; Selection; Comments; Quantity). What type of configuration does the customer want? Selection: Single site; Multiple sites; Disaster recovery site. Quantity: How many. Notes: The maximum number of sites with KMAs is 20. It is possible to have sites without KMAs connected across a customer-supplied wide area network. Also, the 20-site limit is within a single cluster. The customer may choose to have multiple clusters; however, KMAs in one cluster are unaware of KMAs in other clusters. How many appli
91. iance may use different server hardware but are guaranteed to be interoperable with other deployed KMAs. An OKM may consist of a mix of Sun Fire X2100s, X2200s, and X4170s as systems are upgraded, scaled, or as replacements to failed units. Sun Fire X4170 M2 Server: FIGURE 1-6 shows a rear view of the Sun Fire X4170 M2 server. FIGURE 1-7 shows a front view of the Sun Fire X4170 M2 server. TABLE 1-1 lists the specifications for the Sun Fire X4170 M2 server. FIGURE 1-6 Key Management Appliance X4170 Rear Panel (T105_032): 1. AC Power connectors. 2. Serial Management (SER MGT) RJ-45 serial port. 3. Service Processor NET MGT port. 4. Ethernet ports (0, 1, 2, 3); from left to right these ports are labeled Net0 thru Net3. 5. USB ports (0, 1). 6. Video connector (VGA). FIGURE 1-7 Key Management Appliance X4170 Front Panel (T105_031): 1. Power OK LED. 2. Power button. X4170 M2 Component Specifications: TABLE 1-1 lists the specifications for the Sun Fire X4170 M2 server. TABLE 1-1 Specifications. Processor: One quad-core 2.4 GHz. Memory: 1x4GB DDR3 DIMMs. Management Software: Service processor standard, Integrated Lights Out Manager (ILOM). Mass storage: One SATA disk drive. PCI Slots: Two PCI Express slots PCIe
92. Preface: This guide is intended for service representatives, customers, partners, and anyone responsible for planning the installation of the Oracle Key Manager (OKM) encryption solution. Note: The customer must have a copy of the Oracle Key Manager Administration Guide and the Virtual Operator Panel User's Guide to complete the installation. Make sure these guides are available to the customer at the time of the installation. Go to http://docs.oracle.com/cd/E26076_02/index.html for the OKM Administration Guide and http://docs.oracle.com/cd/E37055_01/index.html for
93. in SL500 library. In addition, one expansion module kit (CRYPTO 2X SL500X N) for each Drive Expansion Module is required. CRYPTO 2X SL500X N: Expansion module (optional) crypto kit for use with SL500 library expansion. Ethernet cables for installation within SL500 library. Up to 4 additional expansion modules may be added. Note: The SL500 is a rack-installed library. With 3 or fewer expansion modules, encryption hardware can be installed in the same rack. Firmware Levels: Library 115 1300 116 1373 i17 139x i18 1407. Tape Drives (HP LTO4, HP LTO5, HP LTO6, IBM LTO4, IBM LTO5): H64S Fibre Channel SCSI B57S I5BS Fibre Channel SCSI X5AS J2AS Fibre Channel BBH4 Fibre Channel SCSI BBNH. Virtual Operator Panel (VOP): Version 1.0.14 or higher for LTO4; Version 1.0.16. SL150 Modular Library System: FIGURE 4-6 SL150 Modular Library System Requirements. High-level Description: The SL150 Modular Tape Library System is a 3U (5.25 inches) to 21U (36.75 inches) rack-mounted, modular, automated tape library. It offers storage capacity of 30 to 300 Linear Tape Open (LTO) cartridges, from 1 to 20 half-height LTO5 Fibre Channel (FC) or Serial Attached SCSI (SAS) tape drives, and a bridged drive FC or SAS control path. The robot control is a SCSI Medium Changer device that appears as LUN 1 on a tape d
94. ith 640 tape drives. Operating System Support: The SL8500 supports all major operating systems, enterprise and open systems. Host-to-Library Interface: Single Ethernet TCP/IP (1x); Dual TCP/IP, optional feature (2x); Multi-host, optional feature (4x). This library supports Partitioning with up to 4 partitions using the rail boundaries. Order Number and Description: CRYPTO 2X SL8500 N: Sun StorageTek crypto kit for use with SL8500 libraries. A 24-port Ethernet switch, cables, and rack mount HW for installation within SL8500 library. XSL8500 ETHRNT Z: PUE Ethernet card switch, PN 419951602. Firmware Levels: Library: FRS_3.72; FRS_3.98 or higher is recommended and to support LTO4; FRS_4.70 current; FRS_6.02 redundant electronics feature. StreamLine Library Console: FRS_4.00. Tape Drives: T10000A 1.34.208 or higher; T10000B 1.38.x07 or higher; T10000C 1.53.316 or higher; T9840D 1.42.104 or higher; HP LTO4 H64S Fibre Channel; HP LTO5 I5BS Fibre Channel; HP LTO6 J2AS Fibre Channel; IBM LTO4 BBH4 Fibre Channel; IBM LTO5 BBNH Fibre Channel; IBM LTO6 CT94 Fibre Channel. Virtual Operator Panel (VOP): Version 1.0.14 or higher to support LTO4; Version 1.0.16 current. SL3000 Modular Library System: FIGURE 4-4 SL3000 Modular Library System Requirements. High-level Description: The
95. key groups that provides backup facilities for all the KMAs (1-6) and media within the entire OKM cluster. [Figure (T105_091): Main Site (Key Group 1, Marketing and Sales) and Remote Sites (Key Group 2, Engineering; Key Group 3, Manufacturing) with KMA clusters, Oracle Key Managers, Customer Key Management Network, Ethernet switches, Service Delivery Platform, and a partitioned SL8500 library with T9840D, T10000C, LTO5, and LTO6 tape drives] FIGURE 1-4 Disaster Recovery Configuration: In this example, there are two wide area networks, one for management and one for service. The OKM communicates with all four KMAs in the cluster. The service network consists of two interface ports, LAN 2 and LAN 3. The KMA aggregates LAN 2 with LAN 3 into an aggregated service port. The service wide area network allows any KMA at either site to communicate with the agents. Oracle Key
96. l NTP server is highly recommended. Key Management Planning: Key management planning must address the key lifecycle and security policies of the enterprise. These considerations will naturally lead to discussions on data retention. Pre-Operational Phase: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated or may be in the pre-activation state. System or enterprise attributes are established during this phase as well. Operational Phase: The keying material is available and in normal use. Keys are in the active state. Keys may be designated as protect only, process only, or protect and process. Oracle Key Manager supports the protect-and-process (encrypt or decrypt) and process-only (decrypt only) sub-states of the active state. Post-Operational Phase: The keying material is no longer in normal use, but access to the keying material is possible and the keying material may be used for process only (decrypt only) in certain circumstances. Keys are in the deactivated or compromised states. Destroyed Phase: Keys are no longer available. All records of their existence may have been deleted. Keys are in the destroyed or destroyed compromised states. Although the keys themselves are destroyed, the key attributes (for example, key name, type, cryptoperiod, and usage period) may be retained. K
97. lespace encryption. The first tier is a master encryption key used to encrypt the second tier table or tablespace data encryption keys, which are stored within the database. TDE stores the master encryption key in an external security module (Oracle Wallet or HSM). Storing the master key in an HSM is a recommended security practice and is crucial to maintaining the highest level of security from various threats. Use of the Oracle Key Manager for the secure storage of the TDE master encryption keys is recommended. Lost keys mean lost data, so a key management system such as Oracle Key Manager (OKM) is highly recommended. With TDE configured to use an OKM, the master encryption key is created by the OKM and safely protected. OKM protects keys through replication (multiple copies across the cluster) and through backups of the Oracle Key Manager itself. PKCS#11 Providers: Public-Key Cryptography Standards (PKCS) define a platform-independent standard. A PKCS#11 provider is available for Oracle Solaris and Oracle Linux and has been certified to interface TDE with Oracle Key Manager. This provider is called pkcs11_kms. TDE can be configured to utilize the pkcs11_kms provider through its built-in support for Hardware Security Modules (HSMs). The Oracle Solaris pkcs11_kms provider is a configurable component of the Solaris Cryptographic Framework and conforms to the standard Oracle Solaris services for administering PKCS#11 providers. For Linux th
99. mper resistance and identity-based authentication. Requires additional physical or logical separations. Level 4: Makes the physical security requirements more stringent and requires robustness against environmental attacks. National Institute of Standards and Technology (NIST): AES, standard defining a cryptographic cipher using the Rijndael symmetric block cipher algorithm; NIST 800-57 Part 1, Recommendations for Key Management. Institute of Electrical and Electronics Engineers (IEEE) 1619 working groups: 1619.1 Standard for Tape Encryption (complete); 1619.2 Standard for Disk Encryption (in process); 1619.3 Standard for Key Management (in process). Common Criteria (CC): an International Consortium sponsored by the National Security Agency (NSA) that sets requirements for IT security. International Standard Organization: ISO/IEC 1779 Security Techniques. CCM-AES-256 encryption: CCM (Counter with CBC-MAC) is a mode of encryption that provides for both a strong form of privacy (security) and efficient authentication. CBC-MAC (Cipher Block Chaining Message Authentication Code): a message integrity method in which each block of plain text is encrypted with a cipher. AES (Advanced Encryption Standard): a block cipher encryption algorithm that uses both cryptographic techniques, Counter mode and CBC-MAC (CCM). Symmetric encryption uses one key to both encrypt and decrypt data. Nonce: a non-repeating number that is incorporated
100. Auto Service Request (ASR) Feature: Auto Service Request (ASR) is a "Phone Home" feature of Oracle Premier Support for Systems and Oracle/Sun Limited Warranty that is designed to automatically request Oracle service when specific hardware faults occur. ASR is designed to resolve problems more quickly by eliminating the need to initiate contact with Oracle services for hardware failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by utilizing electronic diagnostic data. ASR is easy to install and deploy, and is completely controlled by you to ensure security. To enable ASR, see "Auto Service Request" in the Administration Guide for Release 2.4. Note: You must have Security Officer role access to enable this feature. CHAPTER: Systems Assurance. This chapter contains information about the systems assurance process. The system assurance process is the exchange of information among team members to ensure that no aspects of the sale, order, installation and implementation for the Oracle Key Manager are overlooked. This process promotes an error-free installation and contributes to the overall customer satisfaction. The system assurance team members (customer and Oracle StorageTek representatives) en
101. n changes. Network Considerations: In FIGURE 3-1, the service network consists of two customer-provided managed switches that are cabled to three unmanaged switches, which contain redundant paths that require a spanning tree configuration. This example may be easily scaled for larger SL8500 drive configurations by adding additional KMAs, switch hardware, and tape drives. Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy. Unmanaged switches have two paths to the managed switches for redundancy. Unmanaged switches are then cabled for connectivity to the tape drives (agents). Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1-4, 6-9, 11-14, and 16-19. Service Delivery Platform (SDP) connects to each Managed Switch at Port 1 (see the Service Delivery Platform on page 56). FIGURE 3-1 Managed Switch Configuration Example. [Figure T105_107: diagram of the customer network, Oracle Key Manager GUI, Key Management Appliances (LAN 0 to LAN 3), the service network aggregate, managed switches, unmanaged switches, and storage.] Network Ro
102. nMerge current ICX64 30 6450_07400a_InstallGuide pdf. Pre-configuration Requirements: Before you configure the switch, follow steps 1-4 in the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide to attach a PC to the switch and assign an IP address to the management port using its Command Line Interface (CLI). Follow the ICX 6430 instructions in step 3. You can access this guide at: http www foundrynet com services documentation FastIronMerge current ICX64 30 6450_07400_QuickStartGuide pdf. Configuring the Brocade Switch: Configure the Brocade switch to use the Rapid Spanning Tree Protocol (RSTP), which was standardized by IEEE 802.1W. After you perform the following steps, refer to the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide for additional information about configuring Brocade ICX 6430 switches. (1) Start a web browser and connect to the switch at the IP address you established in the pre-configuration requirements above. Enable RSTP as shown in the following steps. (2) Navigate to Configuration > System: (a) ensure that Spanning Tree is enabled; (b) click Clock to set the system clock. (3) Navigate to Configuration > VLAN: (a) set the VLAN IP address; (b) click Add Port VLAN; (c) ensure that Spanning Tree is Disabled and 802.1W is Enabled. (4) Navigate to Configuration > RSTP and view the Ethernet ports. N
103. non-encrypted

     | LTO4 Drive Performance | HP Implementation | IBM Implementation |
     | --- | --- | --- |
     | Read LTO4 encrypted data | Error | Error |
     | Write LTO4 from BOT | OK, non-encrypted | OK, non-encrypted |
     | Read LTO3 tape | OK, non-encrypted | OK, non-encrypted |
     | LTO4 append write to non-encrypted data (Space EOD and write) | OK, non-encrypted | OK, non-encrypted |
     | LTO4 append write to non-encrypted data (Read to EOD and write) | OK, non-encrypted | OK, non-encrypted |
     | LTO4 append write to encrypted data (Space EOD and write) | OK, non-encrypted (Note 1) | OK, non-encrypted (Note 1) |
     | LTO4 append write to encrypted data (Read to EOD and write) | Error | Error |

     TABLE 1-10 LTO4 Encryption Behavior (Continued): Enrolled for Encryption

     | LTO4 Drive Performance | HP Implementation | IBM Implementation |
     | --- | --- | --- |
     | Read LTO4 non-encrypted data | OK, non-encrypted | OK, non-encrypted |
     | Read LTO4 encrypted data | OK, encrypted | OK, encrypted |
     | Write LTO4 from BOT | OK, encrypted | OK, encrypted |
     | LTO4 append write to encrypted data | OK, encrypted | OK, encrypted |
     | Write LTO3 tape | OK, non-encrypted (Note 5) | Error (Note 6) |
     | Read LTO3 tape | OK, non-encrypted | OK, non-encrypted |
     | LTO4 append write to non-encrypted data (Space EOD and write) | OK, encrypted (Note 2) | Error (Note 3) |
     | LTO4 append write to non-encrypted data (Read to EOD and write) | OK, encrypted (Note 2) | Error (Note 3) |
104. ommunicate with the other KMA. KMA Service Port Aggregation: It is possible to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity. Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be: set to auto negotiate settings for duplex (should be full duplex); set to auto negotiate speed settings (the KMA ports are capable of gigabit speeds); using identical speeds, such as both set to 100 Mbps (auto speed negotiating may work fine). Aggregated Service Network Switch Configuration: To provide redundancy in case of a service network interface failure, the LAN 2 port may now be aggregated with the LAN 3 port. To use the port aggregation feature, you need to configure the switches for link aggregation. The Solaris port selection policy on the KMA is address based. Here is some information about the service port aggregation that may be needed to configure the switch: ports are aggregated manually, meaning they do not use LACP; ports are full duplex (auto may work fine); switch ports used for aggregation groups must be identical speed, for example both ports are set to 100 Mbps (auto speed negotiating may work fine). Notes: There
105. on Guide or X4170 ILOM Supplement Guides for information. Have you and the customer completed a: cable plan (Yes/No); do the agents have private network (Yes/No); configuration drawing (Yes/No)? A drawing can help determine the number of and length of the cables required. Have you determined the type and number of Ethernet cables required (Yes/No)? Note: Ethernet cables are shipped with kits. Lengths are dependent on the location of the switches and devices. Customer supplied; OKM to the network; Encryption Network to the KMAs (LAN 0); ELOM/ILOM monitoring (LAN 1); Service network to agents (LAN 2 & 3); Supplied in the encryption kits; Switch to tape drives. Configurations: Does the customer have adequate rack space to hold the KMAs and Ethernet switches (Yes/No)? See Rack Specifications on page 47. What type of support configurations does the customer want or need? Existing configuration; New configuration. Configuration, Encryption capable Drives: SL8500 T Series & LTO drives SL3000 T Series & LTO drives SL500 LTO only SL150 T Series only except for T10000C 9310 9741e T Series only except for T10000C L Series LTO only SL24 48 T Series only Rackmount. Does the customer have existing tape drives they want to upgrade to encryption capable (Yes/No)? See Chapter 4 Components for x options conversion bills. Are these drives already installed in a library
106. or additional security and to isolate LAN traffic, the customer may want to consider using Virtual Local Area Networks (VLANs) when connecting to the management network. VLANs are broadcast domains that exist within a defined set of switches. Ports on these switches can be grouped together to provide a logical network that provides the services traditionally created by routers in network configurations. Important: Key management appliances should be installed in pairs, as shown in the configuration drawings FIGURE 1-1 through FIGURE 1-4. Some key points include: Multiple KMAs are clustered on a dedicated private, local, or wide area network. The servers in an OKM Cluster provide data replication, so there is redundancy. This allows each key management appliance to serve as backup to the others. Tape drives and Oracle databases, called Agents, must remain connected to the network in the event an encryption key is needed. Any KMA in the cluster can service any tape drive on the network, provided there is an Ethernet connection between the two. KMAs and agents can be logically grouped to create a site, where agents prefer KMAs within the site to which they are assigned. By default, Agents are serviced by the local KMAs if available. Any KMA can be used for administration functions. All changes to any KMA are replicated to all other KMAs in the cluster. New keys generated at any site are replicated to all
107. or the LTO drives to connect to and interface with the Oracle Key Manager. Each vendor has their own unique version of an adapter card: HP LTO4, Dione card (external); HP LTO5/LTO6, embedded (no adapter card required); IBM, Belisarius card (external). With this connection, the LTO drives are capable of communicating with the OKM to transfer encryption keys over the secure network. Note: Currently, the LTO drives can only use one encryption key at a time. During a read operation, if another encryption key is found on the tape, the adapter card requests the key directly from the OKM. LTO6 tape drives use a 2.5 TB data cartridge, LTO5 a 1.5 TB data cartridge, and LTO4 tape drives use an 800 GB data cartridge. All are compatible with other vendor cartridges and other generations of LTO tape drives. These drives perform the following functions: Reads/Writes LTO6 cartridges in Ultrium 6 format, including WORM; Reads/Writes LTO5 cartridges in Ultrium 5 format, including WORM; Reads/Writes LTO4 cartridges in Ultrium 4 format, including WORM. LTO6, LTO5 and LTO4 tape drives also support Write Once Read Many (WORM) secure media. This non-erasable, non-rewritable media complies with regulations such as HIPAA, Sarbanes-Oxley, and SEC 17A-4. LTO drives come with a Fibre Channel (FC) interface in either a single or dual port configuration. The HP LTO tape drives also support: Ultra 320 Small Computer System Interface (SCSI)
108. patibility between different vendors' offerings. Encrypts and decrypts customer data on a tape cartridge. An arrangement of nodes and branches that connects data processing devices to one another through software and hardware links to facilitate information interchange. National Institute of Standards and Technology. A user role responsible for managing the day-to-day operations of the system. A set of one or more interconnected KMAs. All the KMAs in a Cluster should have identical information. This will not be the case only when a KMA is down, or when a newly created piece of information has not yet propagated through all KMAs in the OKM Cluster. An action taken on any KMA in the Cluster will eventually propagate to all KMAs in the OKM Cluster. Terms: PKCS; R: Read key, Rijndael algorithm, RSA; S: Secure Hash Algorithms (SHA), Security Officer, Security Policy, Site; T: T10000 tape drive. Refers to a group of public-key cryptography standards devised and published by RSA Security, as in PKCS#11, which defines a platform-independent API to cryptographic tokens. This is a media key that is used when reading data from a tape. An algorithm selected by the U.S. National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES). Pronounced "rain-dahl," the algorithm was designed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen, whose surnames are reflec
109. pe Drives; LTO Tape Drives; LTO Encryption Behavior; Auto Service Request (ASR) Feature; Systems Assurance; Planning Meetings; Customer Team Member Contact Sheet; Oracle Team Member Contact Sheet; Configuration Planning; Site Preparation; Site Planning Checklist; Rack Specifications; SL8500 Rack Guidelines; Network Considerations; KMA Service Port Aggregation; Aggregated Service Network Switch Configuration; Cluster Discovery, Load Balancing, and Failover; KMA Routing Configuration and Discovery; Service Delivery Platform; Oracle Key Manager and the SDP; Content Management; Capacity on Demand; RealTime Growth Technology; Partitioning; Disaster Recovery; Planning the Data Path; Planning Tasks; Oracle Key Manager Interface; Role-Based Operations; Preparing the Tape Drives; T-Series Drive Data Preparation; Create a Drive Data File Structure; LTO Tape Drive Preparation; Required Tools; Supported Platforms and Web Browsers; Firmware Levels; Components; Supported Configurations; Supported Tape Drives; Supported Databases; Key Management Appliance; SL8500 Modular Library System; SL3000 Modular Library System; SL500 Modular Library System; SL150 Modular Library System; 9310 Automated Cartridge System; L-Series Libraries; SL24 Autoloader and SL48 Library
110. r Virtual Operator Panel (VOP): Version 1.0.11 or higher. Tape Drive Instructions: See the specific tape drive Systems Assurance Guides for information. TABLE 4-2 Tape Drive Ordering Instructions (Publication Description, Part Number): T10000 Tape Drive Systems Assurance Guide, E20715-03; T9x40 Tape Drive Systems Assurance Guide, E28189-01; Service Delivery Platform Systems Assurance Guide, 11042004. Library Instructions: See the specific library Systems Assurance Guides for information. TABLE 4-3 Library Ordering Instructions (Publication Description, Part Number): SL8500 Modular Library Systems Assurance Guide, E24254-06; SL3000 Modular Library Systems Assurance Guide, E20876-05; SL500 Modular Library Systems Assurance Guide, E21060-05; L700/1400 Library Ordering and Configuration Guide, MT9112N; L180 Library Ordering and Configuration Guide, MT9112N; 9310 PowderHorn Library Systems Assurance Guide, ML6500R. Power Cables: For more information and additional part numbers, go to: http scss280r1 singapore sun com handbook_internal Devices AC_Power ACPO WER_AC_Power_Cords html. ATO Power
111. reliable network between the OKM KMAs. Does this customer support IPv6 implementations (Yes/No)? Does the customer intend on using managed switches for LANs 2 and 3 (Yes/No)? Cable considerations are impacted by the decision to use a managed switch and the corresponding topology of the service network. Is a Wide Area Service Network being considered (Yes/No)? Designing the service network across a WAN to remote sites adds additional failover capability to the agents and can facilitate disaster recovery scenarios. Does the customer want to aggregate the service ports (LAN 2 and LAN 3) (Yes/No)? Requires additional cables and compatible port configuration on a customer-supplied managed switch. Does the customer plan to use a private network for the agents (tape drives) (Yes/No)? Removes contention for the tape drives. TABLE 3-1 Site Planning Checklist (Continued): Question, Completed, Comments. Connectivity (continued): Will there be a Service Delivery Platform (SDP) installed at this site (Yes/No)? See SDP on page 56 for information. Will the customer be monitoring the OKM using SNMP (Yes/No)? SNMP v3 recommended; SNMP v2 supported. Are there considerations for monitoring of ELOM/ILOM using the LAN 1 port (Yes/No)? Refer to the SunFire X2100 2200 ELOM Administrati
112. rive. The minimum configuration consists of a 3U (5.25 inches) base module (designated Module 1) containing the front control panel, one robotic hand, a mailslot with four slots, a power supply, and one tape drive, with options to add a second drive tray, a second power supply, or both. It stores up to 30 tapes in two removable 15-slot magazines, one on the left side and the other on the right side. You can designate up to three reserved slots in the base module left magazine for storing cleaning or diagnostic tapes. Operating System Support: The SL150 supports all major operating systems (enterprise and open systems). Host to Library Interface: Single Ethernet (TCP/IP) 1x; Fibre Channel SAS. Supports Partitioning. [Figure L207_130 callouts: 1 Base module (Module 1); 2 Expansion module; 3 Left cartridge magazine; 4 Right cartridge magazine; 5 Front control panel; 6 Mailslot.] Note: Encryption hardware can be installed in the same rack as the library, depending on the number of modules installed. Order Number and Description: CRYPTO 2X SL500B N (base module, required): Crypto kit for use with SL150 library base; Ethernet switch and cables for installation within SL150 library. CABLE10187033 Z N: Ethernet cable, 8 foot CAT5e, for each drive in the expansion module. Firmware Levels: Library 1.80. Tape Drives: HP LTO5, HP LTO6. Y5BS Fibre Channel SAS Z55S 22CS Fibre Channel SAS 3
113. rovide SCSI, SAS and FC interfaces for flexible integration into any storage environment. Order Number and Description: SL24 Autoloader [figure T105_114]: native capacity of 36 TB with StorageTek LTO5 tape drives. SL48 Library [figure T105_115]: native capacity of 72 TB with StorageTek LTO5 tape drives. LTO ENCRYPT ACTIVE: LTO5 encryption-capable tape drives. Firmware Levels: Library (minimum): SL24 autoloader D 90 3 00e; SL48 library G 20 3 00e. Encryption-capable Tape Drives: HP LTO5 I2DS; HP LTO6 A232. Virtual Operator Panel (VOP): Version 1.0.16 for the LTO5 tape drives; MD VOP 1 x. Rack Mount. FIGURE 4-10 Rackmount Requirements: The StorageTek rack can hold up to 12 manual-mount tape drives in 6 trays. This figure shows the T10000 rack module. The top (A) operator panel works with the drive on the left. The bottom (B) operator panel works with the drive on the right. When only one drive is installed, it must be installed on the left. Recommendation: The customer should purchase a Sun Rack II cabinet with this configuration. Order Number and Description: CRYPTO 2X RACK Z N: StorageTek rack mount kit. Include 16 port switch and cabling. Firmware Levels, Tape Drives: T10000A 1.34.208 or higher; T10000B 1.38.x07 or higher; T10000C 1.53.316 or higher; T9840D 142 104 or highe
114. s. Tip: When using encryption-capable tape drives, partitions can add an additional layer to data security. Customers can assign partitions that limit the access to the tape drives and data cartridges. Ideally, you would want to set up partitions that allow for future growth. Allowing room for growth allows the customer to activate slots within a partition using Capacity on Demand. This is the easiest and least disruptive growth path: (1) Install extra physical capacity. (2) Define partitions large enough to accommodate future growth. (3) Adjust the library capacity to meet current demands. Essential guidelines for understanding partitions are: clear communication between the system programmers, network administrators, library software representatives and administrators, and service representatives; knowing what partitions exist, their boundaries, and who has access to the specific partitions that are configured. Setting up a partition requires some important considerations: Slots and tape drives are allocated to a specific partition and cannot be shared across other partitions. Partition users must anticipate how much storage is needed for their resident data cartridges and the amount of free slots required for both current use and potential growth. Remember: Each partition acts as an independent library. One partition will not recognize another partition within the library.
115. s Permanent Set FIPS. [Agent Enrollment Work Sheet: blank form rows 1 to 20 with Yes/No check boxes, plus KMA Hostname and KMA IP Address fields.] Glossary: This glossary defines terms and abbreviations used in this publication. A: Advanced Encryption Standard (AES); Agent; Agent Library; Audit Log; Auditor; Autonomous Unlock. B: Backup File; Backup Key File; Backup Operator. A FIPS-approved NIST cryptographic standard used to protect electronic data. Various t
116. s can be reached by the tape drive, or the attempt to retrieve keys will timeout, forcing a failover. Failover: Whenever a tape drive's attempt to communicate with a KMA fails, the drive tries to select another KMA for failover. Tape drives attempt a failover up to three (3) times before giving up and returning an error to the host tape application. A similar selection algorithm is used for failovers as for load balancing. Consequently, the drive's information about the cluster state is used again, and may even be refreshed if it is time to refresh the information about the cluster. Sometimes a drive chooses a non-responding KMA during a failover attempt if all other KMAs are non-responding. This is not ideal, but because information about the cluster may be stale, there is a chance that a KMA has come back online and will respond. Whenever the drive discovers a new response state for a KMA, it updates the cluster information to mark a KMA as responding, or not responding, however the case may be. KMA Routing Configuration and Discovery: The routing configuration of a KMA has an effect on responses to tape drive discovery requests. Mistakes in the routing configuration can lead to erroneous cluster information being provided to tape drives. This could cause drives to attempt communication with KMAs that they cannot reach over the network. Customers need to consider the network topology they want for their tape drives
117. sed data. For a variety of operating system platforms: enterprise mainframes (z/OS and OS/390); open system platforms (Windows, UNIX, and Linux). Capacity (footnote): To get an idea of the capacity of a terabyte, consider the common megabyte (MB). Just over a thousand megabytes equals one gigabyte, and just over one million megabytes equals a terabyte: 1,024 megabytes = 1 gigabyte; 1,024 gigabytes = 1 terabyte; 1,048,576 (1,024²) megabytes = 1 terabyte. About the LTO Tape Drives. Overview; Encryption Capable; Media; Native capacity; Interfaces. Linear Tape-Open (LTO) tape drives are high-performance, high-capacity data storage devices designed for backup and restore applications in both enterprise mainframe and open systems environments. Both HP and IBM offer an Ultrium series of linear tape-open products: LTO4, LTO5, and LTO6. Note: Currently, the LTO4, LTO5, and LTO6 tape drives are capable of supporting tape or device-based encryption. Both the HP and IBM LTO drives support write encryption and read decryption when integrated into a secure encryption system, such as Oracle's Key Manager. Key management is essential to ensure that what is written on tape can be read in the future. Being able to manage the "Keys to Encryption" requires a special, custom-designed Ethernet adapter card mounted inside the drive tray. This adapter card provides a means f
118. sing Standards are publicly announced standards and guidelines developed by the United States Federal government. Many FIPS standards are modified versions of standards used in the wider community (ANSI, NIST, IEEE, ISO, etc.). About the StorageTek T10000 Tape Drive: The StorageTek T10000 tape drives are modular, high-performance tape drives designed for high-capacity storage. There are three models of the T10000 that support encryption: T10000A, T10000B, and T10000C. Dimensions: The tape drive is 8.89 cm (3.5 in) high, 14.6 cm (5.75 in) wide, and 42.5 cm (16.75 in) deep. Capacity: T10000A, 500 gigabytes (GB) of uncompressed data; T10000B, 1 terabyte (TB) of uncompressed data; T10000C, 5 terabytes (TB) of uncompressed data. About the StorageTek T9840D Tape Drive: The StorageTek T9840D tape drive is a small, high-performance, access-centric tape drive that has an average access time of just 8 seconds. This drive obtains its high performance by using a unique dual-hub cartridge design with midpoint load technology. This enables fast access and reduces latency by positioning the read/write head in the middle of the tape. There are four models of the T9840; however, only the T9840D supports encryption. Dimensions: The tape drive is 8.25 cm (3.25 in) high, 14.6 cm (5.75 in) wide, and 38.1 cm (15 in) deep. Capacity: T9840D, 75 gigabytes (GB) of uncompres
119. site (Yes/No)? Are there special requirements to dispose of or recycle packing material (pallets, plastic, and cardboard) (Yes/No)? Environmental Planning: Does the site meet the environmental requirements for temperature, humidity, and cooling (Yes/No)? See Key Management Appliance for the appliance specifications. TABLE 3-1 Site Planning Checklist (Continued): Question, Completed, Comments. Power Requirements: Does the intended site meet the power requirements (Yes/No)? See Key Management Appliance for the appliance specifications. KMA: 90 to 132 VAC, 180 to 264 VAC; 57 to 63 Hz, 47 to 53 Hz; 2.3 to 4.6 Amps. Maximum continuous power is 150 W. Has the customer identified the circuit breakers' locations and ratings (Yes/No)? Does the customer want redundant power options (Yes/No)? If so, an additional APC power switch is required to create an uninterrupted power configuration. Check for updated model and part numbers. Part number 419951602. Are there any power cable routing requirements and concerns (Yes/No)? See Power Cables for more information. Personnel: Are there trained, qualified Oracle representatives locally to install and maintain the encryption equipment (Yes/No)? Names. Ethernet switches and tape drives. Connectivity: Cabling is very important to establish a
120. stallation within L-series libraries. Firmware Levels (Firmware Level or Higher): Library (minimum): L700e/L1400, 3.17.03 or higher. Tape Drives: T10000A, T10000B, T9840D; 1.34.208 or higher, 1.37.113 or higher, 1.42.x07 or higher. Virtual Operator Panel (VOP): Version 1.0.14 or higher; Version 1.0.16. SL24 Autoloader and SL48 Library. Note: The SL24 and SL48 libraries do not support T-Series tape drives for the Oracle Key Manager encryption solution. FIGURE 4-9 SL24 Autoloader and SL48 Library Requirements. High-level Description: Oracle's StorageTek SL24 tape autoloader provides high-capacity, automated backup and recovery in a space-efficient, highly manageable product. With one drive, this autoloader includes two removable 12-slot magazines, with one mail slot dedicated to import and export of data cartridges. Oracle's StorageTek SL48 tape library can meet the data storage demands, including unattended backup, archiving, and disaster recovery. The SL48 tape library is a 4U form-factor product. With one drive, this library includes four removable 12-slot magazines, with three mail slots dedicated to the import and export of data cartridges. Operating System Support: Supports a broad variety of servers, operating systems, and ISV packages. Host to Library Interface: Both products p
121. sure that all aspects of the process are planned carefully and performed efficiently This process begins when the customer accepts the sales proposal At this time a representative schedules the system assurance planning meetings 33 Planning Meetings Planning Meetings The purpose of the system assurance planning meetings is to m Introduce the customer to Oracle s encryption products m Explain the system assurance process and establish the team m Identify and define the customer requirements a Identify any additional items needed such as cables tokens and switches Prepare for the installation and implementation m Schedule and track the entire process TABLE 2 1 System Assurance Task Checklist Task Completed Introduce the team members to the customer Yes No Complete the Team Member Contact sheets Make copies as necessary Explain the encryption solutions to the customer Yes Nol See Chapter 1 Introduction for topics and information Use Chapter 2 Systems Assurance to help define the customer Yes No requirements Complete the Team Member Contact sheets Yes Nol Review and complete Chapter 3 Site Preparation Yes Nol Comments Review and identify User Roles Work Sheet Yes Nol Comments Review Chapter 4 Components Yes No Comments Review Supported Configurations Yes Nol Comments Determine the installation schedule Yes No
122. t ft ft ft VolSafe WORM yes yes yes yes yes yes yes yes yes yes Revision 04 For your information the following tables provide tape drive and media comparisons Chapter 1 Introduction 27 Tape Drive Comparisons StorageTek T Series Tape Drives TABLE 1 8 shows the media compatibilities for the T Series T10000 and T9840 drives m Encryption capable T Series tape drives Non encryption T Series tape drives TABLE 1 8 T Series Tape Drive Media Compatibilities Enrolled for Not Enrolled Task Encryption for Encryption Write new data encrypted Yes No Write new data not encrypted No Yes Read encrypted data with key available Yes No Read non encrypted data Yes Yes Append non encrypted data to encrypted tape No No TABLE 1 9 shows a comparison between a Encryption enabled and non encrypted tape drives m Encrypted and non encrypted media TABLE 1 9 T Series Tape Drive and Media Support Tape Drive Types Media Types Non encrypted Tapes Encrypted Tapes Standard drive non encrypted Fully compatible m Read write and append m Not capable of reading writing to or appending to this tape m Can re write from the beginning of tape BOT Encryption capable drive Read capability only Not capable of appending to this tape m Can re write from the beginning of tape BOT m Fully compatible m Read with correct keys a Write wit
123. t a backup site m SE PS Determine network configurations LAN WAN aggregation m Svc Rep LJ 6 Media m Verify the distribution of cartridges and required tape drives are m Customer available and ready m Operators D 7 Library m Install and configure a library if necessary m Svc Rep D 8 Activation m Activate the required features m Customer Library m Administrators Tape drives m Svc Rep LI 9 Partitions m Create partitions m Customer m Administrators m Operators D 10 Hosts Momentarily stop all host activity if currently connected m Customer LJ 11 Use Instruct the customer how to m Customer m Use and manage the library m SE PS m Use the OKM GUI m Svc Rep 1 12 Reference Make sure the customer has access to the appropriate documents m Customer m SE PS m Svc Rep m SE Systems engineer m PS Professional services representative m Service Customer services representative Svc Rep m Customer System administrators network administrators system programmers operators 62 OKM Systems Assurance Guide June 2013 Revision 04 Oracle Key Manager Interface Oracle Key Manager Interface The manager graphical user interface GUI consists of a three paned display 1 On the left is a navigational pane or tree 2 In the center is an operations detail pane for the appropriate selection on the left 3 On the bottom is a session events pane TABLE 3 5 Manager Display KMS Manager ini xj
124. tch at Port 1 Oracle Key Manager LAN 0 CRETE CEE CRETE LAN 1 ELOM LAN 2 Service LAN 3 Aggregate Managed Switch C asarre ss LAN 2 Service LAN 3 Aggregate fines ASE Managed Switch Service Network Unmanaged Switch Unmanaged Switch sAgent sAgent Tape Drives Tape Drives Tape Drives T105_118 Revision 04 Chapter 1 Introduction 17 Network Considerations Each key management appliance has four network connections These include m Management network for the X4170 M2 appliance m Service Processor either ELOM or ILOM network m Service network Aggregated service network The network ports are labeled differently between the X4170 M2 and X2100 X2100 M2 servers TABLE 1 4 KMA Network Connections X2100 M2 X4170 M2 X2200 M2 Description NET 0 LAN 0 This is a required connection This network is called the Management Network and connects to the Oracle Key Manager OKM graphical user interface GUI to the KMAs in the cluster This network can be local remote or a combination of both Note Customers are expected to provide the management network NET MGT LAN 1 This is the network connection for the Service Processor the ILOM for an X4170 M2 server or the ELOM for an X2100 M2 or X2200 M2 server NET 2 LAN 2 This is normally a required connection for the tape drives This network is called the Service Network and connects to the
125. ted configuration such as Rack Specifications Service Delivery Platform Content Management a Capacity on Demand a RealTime Growth Technology a Partitioning Planning the Data Path a Planning Tasks Required Tools Supported Platforms and Web Browsers Firmware Levels Role Based Operations 41 Site Planning Checklist Site Planning Checklist Use the following checklist to ensure that the customer is ready to receive the Key Management System and to ensure that you are ready to start the installation TABLE 3 1 Site Planning Checklist Question Completed Comments Delivery and Handling Important The Oracle Key Manager and appliances are considered secure items Follow the customers security guidelines during delivery and installation Does the customer have a delivery dock If no where will the equipment be delivered If a delivery dock is available what are the hours of operation Yes No Are there street or alley limitations that might hinder delivery Yes No Will authorized personnel be available to handle and accept the delivery Yes No Is the delivery location close to the computer room where the equipment will be installed Yes No Is an elevator available to move the equipment to the appropriate floors Yes No Is there a staging area where the equipment can be placed close to the installation
126. ted in the cipher s name In cryptography RSA is an algorithm for public key cryptography created by Ron Rivest Adi Shamir and Leonard Adleman at MIT The letters RSA are the initials of their surnames Secure Hash Algorithms are cryptographic hash functions designed by the National Security Agency NSA and published by the NIST as a U S Federal Information Processing Standard A user role that manages security settings users sites and Transfer Partners A rigorous statement of the sensitivity of organizational data various subjects that can potentially access that data and the rules under which that access is managed and controlled A site is an attribute of each OKM and Encryption Agent that indicates network proximity or locality When Encryption Agents connect to the OKM Cluster there is a bias towards establishing communication with KMAs in the same site as the Encryption Agent The T10000 tape drive is a small modular high performance tape drive designed for high capacity storage of data T10000A stores up to 500 gigabytes GB of uncompressed data T10000B stores up to 1 terabyte TB of uncompressed data 124 OKM Systems Assurance Guide June 2013 Revision 04 T9840D tape drive Transparent Data Encryption TDE Transport Layer Security TLS Revision 04 Z Zeroize The T9840D tape drive is a small modular is a small high performance access centric tape drive that has an average access time o
127. th an Oracle Key Manager is an optimal one-stop Oracle solution for reliable management of Oracle Database master keys. Oracle Key Manager (OKM) is now certified with Oracle Advanced Security Transparent Data Encryption. This means that the same encryption technology used with Oracle StorageTek tape drives is now available for managing encryption keys for an Oracle Database 11gR2, including Oracle Database products: Oracle Real Application Clusters (Oracle RAC), Oracle Data Guard, Oracle Exadata Database Machine, Oracle Recovery Manager (RMAN), Oracle Data Pump. [FIGURE B-1: Oracle Key Manager and Oracle Database Example] Transparent Data Encryption Overview: Transparent Data Encryption (TDE) provides the services used for encrypting and decrypting sensitive database information, either at the column level or the tablespace level. The Oracle Key Manager and Transparent Data Encryption solution provides enterprise-class key management for the Transparent Data Encryption universal master keys. This solution allows the keys to be managed outside of the database. Policy-based key management using Oracle Key Manager (OKM) provides a robust and flexible solution for managing Transparent Data Encryption master keys. Transparent Data Encryption (TDE) provides encryption services using a two-tiered key approach for both TDE column and tab
128. tivity to the supplied unmanaged tape drive switches, as well as any connectivity to customer-supplied routers for a wide area service network. The following managed switches have been tested and are recommended by engineering: 3COM Switch 4500G 24-Port (3CR17761-91); Extreme Networks Summit X150-24t Switch. Other managed switches can be used; however, there is only configuration guidance on the above-listed switches. Managed switches are recommended for the following reasons: improved serviceability through better switch diagnostics and service network troubleshooting; potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol; support for aggregation of the KMA service network interfaces to minimize single point of failure on the KMA's service interface. FIGURE 1-10 on page 17 provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can communicate with the other KMA. Management Network: The OKM network should use a clean gigabit Ethernet connection for optimal replication and performance. Service Processor Network: The Service Processor Network (ELOM or ILOM) should have spanning tree turned off or disabled. KMA Service Port Aggregation: Beginning with OKM 2.1, it is possible
129. ugh scratch cartridges and free slots to support the application and workload Chapter 3 Site Preparation 61 Content Management Planning Tasks One essential message for content management and partitioning is planning Items to plan for include TABLE 3 4 Steps and Tasks for Partitioning Encryption m Complete an encryption survey PS m Select the type of tape drive interface and library configuration m Select location m Ensure there is adequate media y Item Task Responsibility 4 1 Team Create a Team m Customer When planning for content data and partitions use a process m Administrators similar to that of the system assurance process which is the m Operators exchange of information among team members to ensure all aspects of the implementation are planned carefully and m SE PS performed efficiently Team members should include m Svc Rep representatives from both the customer T 2 Codes Review the software and firmware requirements m Customer Update as required m SE PS m Svc Rep D 3 Planning m Define the customer expectations m Customer m Complete the assessment m Administrators m Identify the configurations m SE PS m Complete the planning diagrams include network planning m Svc Rep m Service Delivery Platform SDP m Customer m SE PS m Svc Rep Disaster m Develop a business continuity and disaster recovery plan m Customer Recovery Selec
130. ular Library System SL3000 Modular Library System SL500 Modular Library System SL150 Modular Library System 9310 Automated Cartridge System L Series Libraries SL24 Autoloader and SL48 Library Rack Mount Revision 04 Supported Tape Drives Customers have a choice in the type of tape drive they want to use for encryption m T10000A T10000B and or T10000C m T9840D a HP LTO4 and or LTOS and or LTO6 m IBM LTO4 and or LTOS5 and or LTO6 See Firmware Levels for the supported tape drive firmware versions PP P 81 Supported Databases Supported Databases When implementing an encryption solution using one of Oracle s databases review the following Interfaces with Transparent Data Encryption TDE suite in Oracle Database 11gR2 Oracle Database products Oracle Real Application Clusters Oracle RAC Oracle Data Guard Oracle Exadata Database Machine Oracle Recovery Manager RMAN Oracle Data Pump All editions are built using the same common code base which means your database applications can easily scale from small single processor servers to clusters of multi processor servers Compare the following features TABLE 4 1 Database Selections Key Feature Summary Standard Edition One Standard Edition Enterprise Edition Maximum Sockets 2 4 No Limit RAM OS Max OS Max OS Max Database size No Limit No Limit No Limit Windows Yes Yes Yes
131. uting Configuration. Network Routing Configuration: The following information is useful for customers and Oracle service representatives when setting up and installing multi-site clusters. Initially, it is not advisable to begin with a multi-site network topology for the tape drives. A simple strategy may be best: do not configure service network routes between sites, so drives are restricted to just local KMAs within their site. After gaining confidence with the system, the service network configuration can be extended to other sites using the KMA console menu option for networking. NOTE: Even without a multi-site routed service network, use of default gateway settings can affect failover performance. Understanding the following information is important for configuring the KMA network. Cluster Discovery, Load Balancing, and Failover: The cluster provides tape drives with a capability to select KMAs for retrieval of key material. To maximize the performance of tape drives, a robust, highly available network is essential. The topology of the network is an important planning and configuration task. The following is some information about how a tape drive utilizes the services of the cluster for retrieval of keys. Discovery: Tape drives (agents) utilize the discovery service of the KMAs to maintain knowledge about the cluster. This information includes the following properties for each KMA: IP address (both IPv4 and IPv6 addresses)
132. ve e Add any optional remarks and click Request Key File After submitting the Encryption File Request you will be prompted to download the file This file contains the drive data you need to enable and enroll the drive 72 OKM Systems Assurance Guide June 2013 Revision 04 Preparing the Tape Drives FIGURE 3 6 Encryption File Request for Drive Data Encryption Request Enter the following information First Name Last Name SunlD Email Address Site Id Family serial numbers start with CaseVorkOrder 1 T10000A 5310 xxxxxxxx T10000B 5720 xxxxxxxx Driver Family SelectOne 1w T10000C 5760 xxxxxxxx gt T9840D 5700 xxxxxxxx T100004 T100008 T10000C T9840D Serial Number When selecting the drive family type the first four numbers of the serial number are automatically filled in Optional Remarks Request Key File Ey 5 Continue with this process until you obtain all the drive data files for each tape drive you are going to enable Revision 04 Chapter 3 Site Preparation 73 Preparing the Tape Drives Create a Drive Data File Structure When enabling multiple drives it is best to create a file structure where each tape drive has its own folder For example 1 FIGURE 3 7 uses a top level folder name of crypto_drvs placed on the Desktop This is only for grouping of the other folders 2 Under crypto_drvs are the folders for each tape drive using the serial numbers 3 In each seri
133. ve system requirements for this solution. IBM Mainframe: The IBM z/OS mainframe must be running ICSF HCR 7740 or higher, with the Enterprise Library Software (ELS) 7.0 or Nearline Control Software (NCS) 6.2, along with any associated PTFs. A Cryptographic Express2 coprocessor (CEX2C) card must also be installed on the IBM mainframe. OKM: The OKM must be running Version 2.2 or higher. Footnote 1: ICSF is a software component of z/OS providing cryptographic support either in its own software routines or through access to external cryptographic hardware, such as the Oracle Key Manager. Understanding the Solution: The IBM Integrated Cryptography Service Facility (ICSF) is an encryption solution where the external key store resides in an IBM mainframe and is accessed using a TLS/XML protocol. This protocol is supported in the IBM mainframe with the keys stored in a Token Data Set in the IBM Integrated Cryptography Service Facility. FIGURE A-1 shows a typical configuration. [FIGURE A-1: ICSF Site Configuration]
134. y Cryptoperiods D Data Policy Data Unit 120 OKM Systems Assurance Guide June 2013 Beginning of Tape A Certificate is a digitally signed document that serves to validate the holder s authorization and name A Certificate Authority registers end users issues their certificates and can also create CAs below them Within he Oracle Key Manager the KMAs themselves act as the certificate authority to issue certificates to users agents and other KMAs A Cluster is a set of Key Management Appliances that are grouped together into a single system to enhance fault tolerance availability and scalability A user role that manages the flow of data through your organization and can define and deploy data contexts Key Groups and rules that determine how data is protected and ultimately destroyed Key Policies A Crypto Accelerator is a hardware device a card that can be used to increase the rate of data encryption decryption thereby improving system performance in high demand conditions An encryption capable tape drive that has had the encryption feature turned on A tape drive that has the ability to turn on device encryption and become encryption capable The art of protecting information by transforming it encrypting into an unreadable format called cipher text Only those who possess a special key can decipher decrypt the message into its original form The length of time in which a key can be used for en
135. ypes of encryption agents can be created to interact with the OKM for creating and obtaining keying material The StorageTek T10000 models A and B T9840D and the HP LTO4 tape drives are types of encryption agents when enabled for encrypting The Agent Library is used by an Agent to retrieve key material from an Oracle Key Manager OKM The OKM Cluster maintains a log of all auditable event occurring throughout the system Agents may contribute entries to this log for auditable events A user role that can view system audit trails Audit List events and KMA security parameters When autonomous unlock is enabled a quorum of Security Officers is required to unlock a locked KMA When disabled the KMA can be unlocked by any Security Officer The file created during the backup process that contains all the information needed to restore a KMA Encrypted with a key generated specifically for the backup The key is contained in the corresponding backup key file A file generated during the backup process containing the key used to encrypt the backup file This file is encrypted using the system master key The master key is extracted from the core security backup file using a quorum of the key split credentials A user role that is responsible for securing and storing data and keys 119 BOT C Certificate Certificate Authority CA Cluster Compliance Officer Crypto Accelerator Crypto active Crypto ready Cryptograph
136. ypt their data. Encryption can occur during three points in the life of the data, when data is: created (host-based); transported (appliance-based); stored (device-based). Oracle offers device-based implementations for a data-at-rest encryption solution. This offering provides an excellent solution for mixed environments with a variety of operating system types, both enterprise and open systems platforms. Choosing device-based encryption is the least disruptive to an existing system infrastructure because the encryption functionality is built directly into the tape drive, so there is no need to maintain special software specifically for encrypted data. Encryption Standards: Oracle's encryption solutions are based on the most current advanced industry standards and functionality, including Federal Information Processing Standards: FIPS PUB 140-2, Security Requirements for Cryptographic Modules; FIPS PUB 46-3, Data Encryption Standard; FIPS PUB 171, Key Management. FIPS are standards and guidelines adopted and declared under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996. FIPS defines four levels of security. Level 1: The basic level with production-grade requirements. Level 2: Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform. Level 3: Adds requirements for physical ta
