
KMS 2.0: Installation and Service Guide


Contents

1. Before Beginning

The tape drives should be installed and tested in their intended configuration before the encryption capability is added to them.

Enabling and enrolling the tape drives requires several steps and collaboration between the service representative and the customer:

Customer, step 1: Create Agent IDs and passphrases in the KMAs.
Service representative, step 1: Request the PC Keys from the Web site.
Service representative, step 2: Download the PC Keys to the tape drives.
Service representative, step 3: License the tape drives.
Customer, step 2: Enroll the tape drives.
Customer, step 3: Assign the tape drives to a Key Group.

- The service representative creates a file on a laptop and uses the Virtual Operator Panel (VOP) to transfer the PC Keys that license the tape drives. Record the information in TABLE 3-2 on page 33.
- The customer uses the Virtual Operator Panel to supply an Agent ID and Passphrase to enroll each tape drive on the key management appliance (KMA). Gather and record the enrollment data in TABLE 3-3 on page 34.
- Make copies of the work sheets as necessary.

Required Tools. The tools required to obtain the drive data, license the tape drives, and enroll them are:
- Straight Ethernet cable, 10 ft, PN 24100216, if connecting to an Ethernet switch
- Cross-over Ethernet cable, 10 ft, PN 24100163, if connecting directly to the drives
- Service l
2. Using the Virtual Operator Panel

The procedure to enable and enroll an LTO4 tape drive differs from that for the T-Series drives. With VOP Version 1.0.12 and higher, support for the HP LTO4 tape drive is provided through the Dione card (see "Dione Card" on page 49), which serves as a serial-to-Ethernet translation device for the tape drive.

FIGURE 4-3 Virtual Operator Panel Display (Version 1.0.11). Callouts: 1 Connect tab; 2 Monitor Drive tab; 3 Configure Drive tab; 4 Diagnose Drive tab; 5 drive status indicators (colors): Online/Offline, Loaded, Service, Encrypt (encryption indicator). The display also reports the Dione version and the KMA Agent version.

The VOP application uses an Ethernet connection to communicate with the tape drives:
- Point-to-point, using a cross-over cable
- Networked, using a switch and standard straight Ethernet cables

For the initial configuration, use a secure point-to-point connection and the default IP address 10.0.0.1. Because all tape drives use the same default IP address, connecting them to a switch for the initial configuration will cause problems unless you power on and configure the drives one by one.

(316194903 Revision BA; Chapter 4, HP LTO4 Tape Drives, page 51)
3. Initial configuration work sheet (continued); Obtaining Support

Tape drive types (check all that apply): T10000A tape drive; T10000B tape drive; T9840D tape drive; LTO4 tape drive. Location.

KMA site fields: Location; KMA Site Location; KMA S/N; KMA Name; KMA Firmware Level; KMA IP Address; Service Network IP; KMS Manager IP; ELOM IP; NTP (Yes/No); DHCP (Yes/No); Gateway (Yes/No); DNS (Yes/No); KMA Number; Number of KMAs in Cluster; KMA Location; KMS Manager Location.

Configuration types (check all that apply): SL8500 library; SL3000 library; SL500 library; 9310 library; L700/1400 library; L180 library.

Tape drive types (check all that apply): T10000A tape drive; T10000B tape drive; T9840D tape drive; LTO4 tape drive. Location.

Obtaining Support (Chapter 6, Service, page 75)

Technical support is available 24 hours a day, seven days a week, and begins with a telephone call from you to Sun Microsystems StorageTek Support. You will receive immediate attention from qualified personnel who record problem information and respond with the appropriate level of support.

To contact Sun Microsystems StorageTek Support about a problem:
1. Use the telephone and call:
   - 800-525-0369 inside the United States, or
   - any of Sun's worldwide offices, to discuss support solutions for your organization. Address and telephone number information is at http://www.sun.com/worldwide
2. Des
4. Appendix A: Work Sheets (KMS 2.0 Installation and Service Manual, June 2008, Revision BA, 316194903, pages 94-95)

[The work-sheet tables on these pages were extracted rotated and are unreadable; only their titles, column headings and one note are recoverable.]
- TABLE A-2 User Roles Work Sheet (Customer): columns for Role (Security Officer, Compliance Officer, Operator, Backup Operator, Auditor), Customer user ID, Passphrase (confidential), and Description. Note: for security reasons the passphrases should not be recorded here; the column is provided only as a reminder that, as user IDs are created, the person holding each ID will be required to enter a passphrase.
- TABLE A-3 Tape Drives Work Sheet (Service Representative): recoverable headings include Location, Drive Type, Serial Number (last 6 hexadecimal characters), Drive IP Address, and SDP IP Address.
- Drive Enrollment Work Sheet (Customer): CON DSA C
5. Change IP Settings and commit (LTO4 Virtual Operator Panel)

[Screen: LTO-4 Virtual Operator Panel Version 1.0.11, connected to 10.0.0.1; tabs Monitor Drive, Configure Drive, Diagnose Drive; controls Set Offline, Enroll, Change Enrollment Settings, Passphrase (again), Change IP Settings (IP Address, Netmask 255.255.255.0, Gateway), Commit, Cancel; status indicators Online, Encrypt.]

6. Click Commit and respond Yes to the "set drive offline" pop-up if the drive is still online. The commit process takes about 30 seconds to complete.
7. Click the Diagnose Drive tab to observe the commit process. FIGURE 4-7, Commit Passed, shows the transcript:
   Connecting to 10.0.0.1
   VOP LOGGED IN to Drive
   Connection to 10.0.0.1
   Commit Parameter Operation START
   Commit Parameter Operation PASSED
   Network Connection to Drive Has Been [...]
   VOP LOGGED IN to Drive
   Connection to 10.0.0.1

During the commit process the tape drive goes offline, then IPLs to save the new settings to the Dione card. When the drive comes back online it is using the new IP address.

For the service representative:
8. To continue with the configuration and enroll the tape drive, connect the drive to the KMS network. The KMS must be able to communicate with t
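Every LTO4 drive ships on the same factory address (chunk 2 above), and the Change IP Settings dialog takes an address, netmask and gateway with no validation visible on the page. The following added example (my own code, not code from the Sun manual or the VOP) checks a batch of proposed drive addresses before they are committed: it rejects drives still on the default 10.0.0.1, duplicate addresses, addresses that collide with the network, broadcast or gateway address, and gateways outside the drive's own subnet. The service subnet 10.80.44.0/24, its gateway and the drive list are constructed sample values.

```python
"""Sanity-check the IP settings about to be committed to LTO4 tape drives
through the VOP "Change IP Settings" dialog.

Added example, not code from the Sun manual or the VOP. Every drive ships on
the same factory default address (10.0.0.1), so each one needs a unique
address before more than one is attached to the KMS service-network switch,
and the gateway must lie inside the drive's own subnet. The service network
10.80.44.0/24, its gateway and the drive list are constructed sample values.
"""
import ipaddress

# Factory default used by every LTO4/Dione drive until it is reconfigured.
DEFAULT_DRIVE_IP = ipaddress.ip_address("10.0.0.1")


def plan_drive_addresses(drives, netmask, gateway):
    """Validate (drive_name, proposed_ip) pairs against one netmask/gateway.

    Returns (accepted, problems): accepted is a list of (name, ip) pairs that
    can be committed; problems is a list of human-readable rejections.
    """
    gw = ipaddress.ip_address(gateway)
    accepted, problems, seen = [], [], {}
    for name, ip_text in drives:
        try:
            # ip_interface accepts a dotted netmask after the slash.
            iface = ipaddress.ip_interface(f"{ip_text}/{netmask}")
        except ValueError:
            problems.append(f"{name}: {ip_text!r} is not a valid IPv4 address")
            continue
        addr, net = iface.ip, iface.network
        if addr == DEFAULT_DRIVE_IP:
            problems.append(f"{name}: still on factory default {addr}; assign a "
                            "unique address over the point-to-point cable before "
                            "connecting it to the switch")
            continue
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
            continue
        if addr in (net.network_address, net.broadcast_address, gw):
            problems.append(f"{name}: {addr} is the network, broadcast or gateway address")
            continue
        if addr in seen:
            problems.append(f"{name}: {addr} duplicates {seen[addr]}")
            continue
        seen[addr] = name
        accepted.append((name, str(addr)))
    return accepted, problems


# Constructed sample: five drives about to be moved onto the service network.
SAMPLE_DRIVES = [
    ("lto4-slot-01", "10.80.44.20"),
    ("lto4-slot-02", "10.0.0.1"),      # never reconfigured
    ("lto4-slot-03", "10.80.44.20"),   # clashes with slot-01
    ("lto4-slot-04", "10.80.45.3"),    # wrong subnet for this gateway
    ("lto4-slot-05", "10.80.44.21"),
]
SAMPLE_NETMASK = "255.255.255.0"
SAMPLE_GATEWAY = "10.80.44.1"

if __name__ == "__main__":
    ok, bad = plan_drive_addresses(SAMPLE_DRIVES, SAMPLE_NETMASK, SAMPLE_GATEWAY)
    for name, ip in ok:
        print(f"commit  {name}: {ip}/{SAMPLE_NETMASK} gw {SAMPLE_GATEWAY}")
    for line in bad:
        print(f"reject  {line}")
```

Run the check over the whole work sheet before anyone cables a drive to the switch; a drive that is rejected for the default address still has to be configured one at a time over the cross-over cable, exactly as chunk 2 describes.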
6. Sun: The Network Is The Computer. Copyright 2006 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, and the Sun logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
7. Drive data questions; License and Enroll the Tape Drives

For each drive, determine:
- What is the drive number (serial or system) and IP address?
- What are the Agent IDs and Passphrases?
- Is this drive going to use tokens (KMS Version 1.x) to get media keys (OKT), or use the appliance (KMA Version 2.x) to get the encryption keys?
- Does the customer want this drive to remain in encryption mode, or do they want the ability to switch encryption on and off?
5. Make copies of this page as necessary.

Notes:
- Agent names (IDs) cannot be changed; however, an agent can be deleted and re-enrolled with a different name.
- If you replace the agent you can reuse the name; however, passphrases can only be used once, so you will need to give the agent a new passphrase.
- This means the replacement drive will need to be enrolled using the existing name and a new passphrase.

License and Enroll the Tape Drives (page 38)

Once the drive data is downloaded for all the tape drives, use the Virtual Operator Panel (VOP) to license and enable encryption on the tape drives.

Note: The following procedures assume you and the customer know how to connect to and use the VOP on the T10000 tape drives. If not, refer to the Virtual Operator Panel documentation for help.

The following procedure requires both the:
- Service representative, to download the drive data (PC Key), and the
- Customer, to enroll the Agent ID and Pass
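The enrollment notes above, together with the customer/service-representative split of responsibilities in chunk 1, amount to three invariants that are easy to get wrong when many drives are enrolled in one session: an agent name is never renamed, a passphrase is consumed on first use, and a replacement drive keeps the old name with a fresh passphrase. The following added example (my own code, not code from the Sun manual, the KMA or the VOP) models those rules as a small registry so an enrollment plan can be checked before anyone types it into the VOP. Treating "used once" as once across the whole cluster is an assumption; the manual does not say whether the scope is per agent. Agent names, passphrases and drive serials are constructed sample data.

```python
"""Enrollment bookkeeping for KMS 2.0 tape-drive agents.

Added example, not code from the Sun manual, the KMA or the VOP. It encodes
the rules stated in the enrollment notes: an agent name (ID) cannot be
changed (delete and re-enroll instead), a passphrase can be used only once,
and a replacement drive re-enrolls under the existing name with a new
passphrase. Cluster-wide single use of a passphrase is an assumption.
Agent names, passphrases and drive serials below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Agent:
    name: str
    drive_serial: str
    key_group: str


class AgentIdError(ValueError):
    """Raised when an enrollment would violate one of the rules above."""


@dataclass
class EnrollmentRegistry:
    """Tracks enrolled agents and every passphrase that has been consumed."""
    agents: dict = field(default_factory=dict)        # name -> Agent
    used_passphrases: set = field(default_factory=set)

    def _check_passphrase(self, passphrase: str) -> None:
        if passphrase in self.used_passphrases:
            raise AgentIdError("passphrase already used once; issue a new one")

    def enroll(self, name: str, passphrase: str, drive_serial: str,
               key_group: str) -> Agent:
        """Enroll a new agent; refuses duplicate names and reused passphrases."""
        self._check_passphrase(passphrase)
        if name in self.agents:
            raise AgentIdError(
                f"agent {name!r} already exists; delete it before re-enrolling")
        # From here on the passphrase can never be handed to another agent.
        self.used_passphrases.add(passphrase)
        agent = Agent(name, drive_serial, key_group)
        self.agents[name] = agent
        return agent

    def rename(self, old_name: str, new_name: str) -> None:
        """Agent IDs are immutable; the only path is delete + re-enroll."""
        raise AgentIdError(
            f"cannot rename {old_name!r} to {new_name!r}: delete and re-enroll")

    def delete(self, name: str) -> Agent:
        return self.agents.pop(name)

    def replace_drive(self, name: str, new_passphrase: str,
                      new_serial: str) -> Agent:
        """Swap the hardware behind an existing agent: same name, new passphrase.

        The passphrase is validated before the old agent is deleted, so a
        rejected passphrase does not leave the name unenrolled.
        """
        if name not in self.agents:
            raise KeyError(f"no agent named {name!r}")
        self._check_passphrase(new_passphrase)
        old = self.delete(name)
        return self.enroll(name, new_passphrase, new_serial, old.key_group)


def demo() -> dict:
    """Walk through the rules and return the outcomes so they can be checked."""
    reg = EnrollmentRegistry()
    reg.enroll("drive-01", "pp-first", "SN100", "kg-prod")
    outcomes = {}
    try:                                   # same name twice
        reg.enroll("drive-01", "pp-second", "SN101", "kg-prod")
    except AgentIdError:
        outcomes["duplicate_name_rejected"] = True
    try:                                   # passphrase already consumed
        reg.enroll("drive-02", "pp-first", "SN102", "kg-prod")
    except AgentIdError:
        outcomes["passphrase_reuse_rejected"] = True
    replaced = reg.replace_drive("drive-01", "pp-second", "SN200")
    outcomes["replacement_serial"] = replaced.drive_serial
    try:                                   # replacement with a used passphrase
        reg.replace_drive("drive-01", "pp-first", "SN300")
    except AgentIdError:
        outcomes["still_enrolled_after_bad_replace"] = "drive-01" in reg.agents
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The ordering inside replace_drive is the point worth copying: validate the new credential first, then retire the old agent, so a rejected passphrase never leaves a drive without an agent.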
8. Work Sheets; Administrator Guide; Before Beginning (site survey)

Work Sheets: This information can help promote an error-free installation and contribute to overall customer satisfaction.

Administrator Guide: Make sure you download and give the customer copies of the Crypto Key Management System Administrator Guide (PN 3161951xx). The customer requires this guide to complete the configuration, assign roles, and perform daily tasks and functions. This guide and all KMS Version 2.0 documentation can be downloaded from http://docs.sun.com/app/docs

Before Beginning (Chapter 1)

Before beginning, survey the installation site and make sure there is:
- Sufficient space to install and maintain the servers.
- Trained representatives to install the equipment. More than one person might be required to install equipment into the rack or to remove equipment from the rack. Consider the total weight when you place equipment into the rack. To prevent an unbalanced situation:
  - Load equipment in a rack from the bottom to the top.
  - Install the heaviest equipment on the bottom and the lightest on the top.
  - Install an anti-tilt bar to provide additional stability. Failure to do so might cause an unstable condition.
- Adequate cooling for the servers. Ensure that the temperature in the rack does not exceed the maximum ambient rated temperatures for all of the equipment installed in the rack. Ensure that there is adequate cooling to support all o
9. 9310 Library and 9741e Drive Cabinet (Chapter 5, Encryption Hardware Kits, page 65)

[A 9310 library can] have up to four drive cabinets that contain up to 20 drives per cabinet (80 drives total). This section contains information to install the encryption hardware in a 9741e Drive Cabinet for a 9310 library. Because the 9310 library and the 9741e Drive Cabinet have no additional rack space, an external rack is required to install the encryption hardware. Use a customer-provided rack or an external rack kit; see "External Rack Installations" on page 62.

FIGURE 5-7 9310 PowderHorn Library (T105_004)

The encryption hardware kits are:
- CRYPTO-2X-9310-Z for the first 9741e Drive Cabinet
- CRYPTO-2X-9741E-Z for each additional drive cabinet
Verify that all components are available.

External Rack Installation: The 9310 and 9741e Drive Cabinet require an external rack. See "External Rack Installations" on page 62 for more information.

Drive Cabinet Ethernet Switch

FIGURE 5-8 Drive Cabinet Ethernet Switch Installation (T105_018, T105_021): Ethernet switch and mounting shelf. Callouts: 1 Mounting bracket; 2 Screws; 3 Ethernet switch.

The Ethernet switch is installed in the l
10. Enroll the Tape Drives (T-Series)

[...] the service representative may want to license all drives before the customer enrolls them. Depending on the number of tape drives, licensing and enrolling all the drives (called Agents) can take time.

Enroll the Tape Drives (page 40)

For the service representative:
1. After the drive reboots, on the VOP main screen:
   a. Take the drive offline.
   b. Pull down the Configure menu and select Drive Data. The Configure Drive Parameters screen appears; notice that the License button is gone.

For the customer:
2. Select whether this drive is going to use tokens: Yes (using tokens, KMS Version 1.x) or No (not using tokens, KMA Version 2.x).
3. Select whether this drive is going to be a permanently encrypting tape drive: Yes (permanent) or No (switchable).
4. Enter both the Agent ID and Pass Phrase, and the KMS IP address of the appliance.
5. Click the Commit button. The tape drive will reboot.

[Screen: T10000 Virtual Operator Panel (Operations, Retrieve, Configure, Diagnostics); Drive Name "jute"; transcript:]
   Connection In Progress
   Start Update Drive Parameters
   Enrolling jute in KMS 010.080.044.057
   AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
   AUDIT CLIENT GET CERTIFICATE SOAP ERRO
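The only feedback the VOP gives for a commit or an enrollment is the Diagnose Drive transcript: "Commit Parameter Operation PASSED" in chunk 5, and here "Enrolling jute in KMS 010.080.044.057" followed by AUDIT CLIENT lines that end in SUCCESS or SOAP ERROR. When dozens of drives are enrolled in one sitting, reading those transcripts by eye is where failures get missed. The following added example (my own code, not code from the Sun manual or the VOP) parses saved transcript text and reports the outcome of each operation. The message formats come from the transcripts on this page; the timestamp layout, the two sample transcripts and the rule that "AUDIT CLIENT GET CERTIFICATE SUCCESS" completes an enrollment are constructed assumptions.

```python
"""Parse a VOP Diagnose Drive transcript and report whether a parameter
commit or an agent enrollment succeeded.

Added example, not code from the Sun manual or the VOP. Message formats are
taken from the transcripts shown on this page; the timestamp layout and the
sample transcripts below are constructed from them. Treating
"AUDIT CLIENT GET CERTIFICATE SUCCESS" as the step that completes an
enrollment is an assumption.
"""
import re

TS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+(?P<msg>.+)$")
ENROLL_RE = re.compile(
    r"^Enrolling (?P<agent>\S+) in KMS (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
AUDIT_RE = re.compile(
    r"^AUDIT CLIENT (?P<step>.+?) (?P<result>SUCCESS|SOAP ERROR|ERROR)$")


def normalize_ip(text):
    """The transcript zero-pads octets ("010.080.044.057"). Strip the padding:
    ipaddress.ip_address() rejects leading zeros on Python 3.9.5 and later."""
    return ".".join(str(int(octet)) for octet in text.split("."))


def parse_transcript(text):
    """Yield (timestamp_or_None, message) for each non-empty line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        yield (m.group("ts"), m.group("msg")) if m else (None, line)


def summarize_transcript(text):
    """Reduce a transcript to commit/enrollment outcomes plus the audit steps seen."""
    s = {"commit": "not attempted", "enrollment": "not attempted",
         "agent": None, "kma": None, "steps": [], "errors": []}
    for _ts, msg in parse_transcript(text):
        if msg.startswith("Commit Parameter Operation "):
            s["commit"] = msg.rsplit(" ", 1)[1].lower()     # start / passed / failed
            continue
        m = ENROLL_RE.match(msg)
        if m:
            s["agent"], s["kma"] = m.group("agent"), normalize_ip(m.group("ip"))
            s["enrollment"] = "in progress"
            continue
        m = AUDIT_RE.match(msg)
        if m:
            step, result = m.group("step"), m.group("result")
            s["steps"].append((step, result))
            if result != "SUCCESS":
                s["errors"].append(msg)
                s["enrollment"] = "failed"
            elif step == "GET CERTIFICATE" and s["enrollment"] == "in progress":
                s["enrollment"] = "succeeded"
    return s


# Constructed sample 1: the enrollment transcript shown on this page, with
# timestamps added in the VOP's own layout.
SAMPLE_ENROLL_FAILED = """\
Tue Apr 15 11:30:01 2008 Connection In Progress
Tue Apr 15 11:30:03 2008 Start Update Drive Parameters
Tue Apr 15 11:30:03 2008 Enrolling jute in KMS 010.080.044.057
Tue Apr 15 11:30:04 2008 AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
Tue Apr 15 11:30:05 2008 AUDIT CLIENT GET CERTIFICATE SOAP ERROR
"""

# Constructed sample 2: the "Commit Passed" transcript from the IP-change step.
SAMPLE_COMMIT_PASSED = """\
Tue Apr 15 11:10:00 2008 Connecting to 10.0.0.1
Tue Apr 15 11:10:01 2008 VOP LOGGED IN to Drive
Tue Apr 15 11:10:01 2008 Connection to 10.0.0.1
Tue Apr 15 11:10:02 2008 Commit Parameter Operation START
Tue Apr 15 11:10:31 2008 Commit Parameter Operation PASSED
"""

if __name__ == "__main__":
    for label, text in (("enroll", SAMPLE_ENROLL_FAILED), ("commit", SAMPLE_COMMIT_PASSED)):
        print(label, summarize_transcript(text))
```

A SOAP error on GET CERTIFICATE after a successful GET ROOT CA CERTIFICATE, as in the first sample, means the drive reached the KMA but was refused a certificate; the Agent ID and passphrase entered in step 4 are the first things to re-check.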
11. Customer LTO4 Work Sheet; Dione Card (pages 48-49)

[TABLE 4-3 Customer LTO4 Work Sheet was extracted rotated; recoverable column headings: KMA Hostname, KMA IP Address, Agent ID, Passphrase, Drive Address, Drive IP Address.]

Dione Card

The Dione card (pronounced "D-O-nee") is a custom design that provides an Ethernet interface for the HP LTO4 tape drive. With this interface, the HP LTO4 tape drive can:
- Encrypt and decrypt data using the Sun StorageTek Crypto Key Management System (KMS) Version 2.0
- Be configured and enrolled using the Virtual Operator Panel (VOP) Version 1.0.12 or higher

Basically, the Dione card is a translation device between the serial interface on the tape drive and the secure Ethernet port used with the KMS. Each drive tray has its own unique configuration, depending on the space in the open area of the drive tray.

FIGURE 4-1 shows an example of a Dione card, which consists of:
- Dione card
- Ethernet connector (RJ-45)
- Power connection, inline with the tape drive power
- Communications connection to the tape drive
- Reset switch on the drive tray rear panel
- Green Status
12. HP LTO4 Tape Drives: Get Log; Load Dione Card Firmware (Chapter 6, Service, pages 87-88)

[Loopback test transcript, continued:]
   Tue Apr 15 11:27:25 2008 Start Drive Communications Loopback
   Tue Apr 15 11:27:27 2008 End Drive Communications Loopback Tes
Buttons: Clear Transcript, Run LED Diag, Get Log, Load Firmware.

Get Log: If a Dione card or connection is consistently having problems, engineering may request that you retrieve a log of events from the Dione card.
1. Click Get Log.
2. Create and select a location for the file. Once the file has transferred, the operation is complete.

FIGURE 6-11 Run LED Diag [shows the Get Log transcript]: LTO-4 Virtual Operator Panel Version 1.0.11, connected to 10.0.0.4 (Offline), Diagnose Drive tab:
   Tue Apr 15 11:28:26 2008 Begin Get Log Operation to C:\Program
   Tue Apr 15 11:28:29 2008 Get Log Operation Complete
Buttons: Clear Transcript, Run LED Diag, Load Firmware, RUN Loopback Test.

Load Dione Card Firmware: To load new Dione card firmware:
1. Obtain the firmware and place it in a directory that is easy to locate.
2. Click Load Firmware. A dialog box opens requesting the location of the firmware.
3. Navigate to that location and load the files. Note: there are two files to load, .bin and .hdr.

Removal and Replacement of the Dione Card: Encr
13. List of Figures (excerpt; page numbers as in the manual)

FIGURE 2-1 Key Management Appliance Front Panel, 5
FIGURE 2-2 Key Management Appliance Rear Panel, 5
FIGURE 2-3 embedded Lights Out Manager Login Screen, 10
FIGURE 2-4 Power Control, 11
FIGURE 2-5 Power Control, 12
FIGURE 2-6 ELOM Password Reset, 27
FIGURE 2-7 KMA Replacement: Joining an Existing Cluster, 29
FIGURE 2-8 KMA Replacement: Joining an Existing Cluster, 29
FIGURE 3-1 Tape Drive Serial Number (VOP), 36
FIGURE 3-2 Request an Encryption Key Application, 36
FIGURE 3-3 Encryption File Request for Drive Data, 37
FIGURE 3-4 Encryption File Request for Drive Data, 37
FIGURE 3-5 Drive Data File Structure, 38
FIGURE 4-1 Dione Card Components, 49
FIGURE 4-2 LTO4 Tape Drive in Drive Tray (SL8500), 50
FIGURE 4-3 Virtual Operator Panel Display, 51
FIGURE 4-4 VOP Files and LTO Batch File, 52
FIGURE 4-5 LTO VOP Connect Screen, 53
FIGURE 4-6 Configure Drive, 54
FIGURE 4-7 Commit Passed, 54
FIGURE 4-8 Enroll the LTO4 Tape Drive, 55
FIGURE 5-1 SL8500 Accessory Rack Guidelines, 58
FIGURE 5-2 SL8500 Capabilities with Encryption, 59
FIGURE 5-3 T10000 Drive Tray, 61
FIGURE 5-4 External Rack Installation, 62
FIGURE 5-5 SL3000 Library, 63
FIGURE 5-6 SL500 Library, 64
FIGURE 5-7 9310 PowderHorn Li
[Entries for FIGURE 5-8 through FIGURE 6-12 and FIGURE B-1 survive in the source only as figure numbers.]
14. Related manuals (continued); Switch Encryption On and Off (T-Series Tape Drives, pages 82-83)

[...] 96180; Virtual Operator Panel Customer, Version 1.0.11, StorageTek 96179. If the manuals are not on hand, go to the Product Documentation Web site at http://docs.sfbay.sun.com/app/docs

Switch Encryption On and Off

With Version 2.0 the customer can select, per tape drive, whether the drive encrypts permanently or can have encryption switched on and off. During tape drive enrollment the customer chooses whether the tape drive has the capability of switching between encryption-capable and non-encryption. If the customer selected No for Permanently Encrypting, they can switch the tape drive to non-encryption at a later date. This is beneficial and cost-effective for disaster recovery sites that offer their customers a choice of encryption and non-encryption.

To turn encryption off (FIGURE 6-6 Switch Encryption On and Off, Configure Drive Parameters screen):
1. Using the Virtual Operator Panel, connect to the desired tape drive.
2. Select Drive Operations > Reset Drive and reply Yes to the "Are You Sure" dialog box. The drive must be in the RESET state to turn encryption off.
3. For the "Turn encryption off" parameter value, click Yes.
4. Click Commit. The tape drive will reboot a
15. Installation: Configure the ELOM IP Address

To initially configure the ELOM IP address for LAN 1:
1. Using TABLE 2-1 and FIGURE 2-2, connect all cables as required. Note: Wait until instructed to connect the power cable.

TABLE 2-3 KMA LAN Connections
- LAN 0 (callout 2, top connector): required. This network is called the management network. It connects to the Key Management System (KMS) graphical user interface (GUI) and is used for encryption key management. This connection is also used to replicate information between KMAs in a KMS Cluster; all KMAs in a KMS Cluster must be connected to each other's LAN 0 interface. The gateway supplied during the QuickStart program should be reachable using the LAN 0 connection.
- LAN 1 (callout 2, bottom connector): optional. This connection is called the NET MGT (ELOM) and provides a network connection for the embedded Lights Out Manager.
- LAN 2 (callout 6, left connector): optional. This network is called the service network, and the connection goes to the Service Delivery Platform (SDP), if installed. Tape drives connect to this network through Ethernet switches in the accessory kits purchased with the KMAs.
- LAN 3 (callout 6, right connector): reserved; requires no connection.

2. Connect a null modem serial cable to the DB-9 connector (callout 7). Connect the other end to a laptop PC serial port. A connection to the LAN 1 (NET MGT) interface
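TABLE 2-3 is a set of constraints on how a KMA cluster is cabled, and the costly mistakes (a KMA whose LAN 0 cannot reach the others, a cable in the reserved LAN 3 port, a gateway that is not on the management network) are only discovered once QuickStart fails to join the cluster. The following added example (my own code, not code from the Sun manual or the KMA software) checks a planned layout for a whole cluster against the table before any cable is run. Approximating "all KMAs must reach each other's LAN 0" by requiring every LAN 0 address to sit in one management subnet, and requiring LAN 1/LAN 2 addresses to be off that subnet, are assumptions; all addresses are constructed sample values.

```python
"""Validate a planned KMA network layout against TABLE 2-3 (KMA LAN Connections).

Added example, not code from the Sun manual or the KMA software. For every KMA
in a planned cluster it checks what the table states: LAN 0 (management
network) is required and must be able to reach the QuickStart gateway; LAN 1
(NET MGT / ELOM) and LAN 2 (service network: SDP and tape-drive switches) are
optional; LAN 3 is reserved and must stay unconnected; and all members must
reach each other's LAN 0, approximated here by one shared management subnet.
Keeping LAN 1 and LAN 2 off the management subnet is an assumption drawn from
the table naming them as separate networks. All addresses are constructed.
"""
import ipaddress

OPTIONAL_PORTS = ("lan1", "lan2")
RESERVED_PORTS = ("lan3",)


def validate_cluster_plan(kmas, mgmt_network, gateway):
    """kmas: {kma_name: {"lan0": ip_or_None, "lan1": ..., "lan2": ..., "lan3": ...}}.

    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    mgmt = ipaddress.ip_network(mgmt_network)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in mgmt:
        problems.append(f"gateway {gw} is outside {mgmt}; it must be reachable over LAN 0")
    lan0_owner = {}
    for name, ports in kmas.items():
        for port in RESERVED_PORTS:
            if ports.get(port):
                problems.append(f"{name}: {port.upper()} is reserved and must not be connected")
        lan0 = ports.get("lan0")
        if not lan0:
            problems.append(f"{name}: LAN 0 (management network) is required")
            continue
        addr = ipaddress.ip_address(lan0)
        if addr not in mgmt:
            problems.append(f"{name}: LAN 0 {addr} is outside {mgmt}; "
                            "cluster replication runs between LAN 0 interfaces")
        elif addr in lan0_owner:
            problems.append(f"{name}: LAN 0 {addr} duplicates {lan0_owner[addr]}")
        lan0_owner.setdefault(addr, name)
        for port in OPTIONAL_PORTS:
            value = ports.get(port)
            if value and ipaddress.ip_address(value) in mgmt:
                # Assumption: ELOM and service traffic belong on their own networks.
                problems.append(f"{name}: {port.upper()} {value} is on the management subnet")
    return problems


# Constructed four-KMA plan with three deliberate mistakes.
SAMPLE_PLAN = {
    "kma-01": {"lan0": "10.80.44.33", "lan1": "10.80.10.33", "lan2": "10.80.50.33", "lan3": None},
    "kma-02": {"lan0": "10.80.44.34", "lan1": "10.80.10.34", "lan2": "10.80.50.34", "lan3": "10.80.60.34"},
    "kma-03": {"lan0": "10.80.45.35", "lan1": None, "lan2": None, "lan3": None},
    "kma-04": {"lan0": None, "lan1": "10.80.10.36", "lan2": None, "lan3": None},
}
SAMPLE_MGMT = "10.80.44.0/24"
SAMPLE_GATEWAY = "10.80.44.1"

if __name__ == "__main__":
    for p in validate_cluster_plan(SAMPLE_PLAN, SAMPLE_MGMT, SAMPLE_GATEWAY) or ["plan is consistent"]:
        print(p)
```

The same dictionary doubles as the filled-in KMA site work sheet, so it can be kept with the installation record and re-run when a KMA is added or replaced later.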
16. Index (S-W, excerpt); back cover

S (continued): SDP, 15; Sun: Customer Resource Center (CRC), xvi; Partners Web site, xvi; Web site, xvi; Sun Crypto Accelerator 6000, 6; Sun Fire X2100 specifications, 6; support, 76, 92; switch encryption off/on, 83; system assurance, 1; system dump, 81; system upgrade, 79.
T: T10000 rack kit, 71; tape drives: 9741e cabinet 65, checklist 33, 47, default IP address 39, drive tray 61, LED status 35, 50, license 39, rackmount 71, work sheet 95; tasks for partitioning, 94; technical support, 76, 92; temperature, 6; tokens, 84; tools, 2; trace dump, 81.
U: unenroll, 55; upgrade firmware, 79; USB connectors, 5; user roles work sheet, 94; user IDs, 22.
V: VGA connector, 5; Virtual Operator Panel, 85 (see VOP); VOP, 85: enroll tape drives 41, license tape drives 40, switch off encryption 83, tokens 84.
W: Web browser supported versions, 9; Web sites, xvi; weight, 6; width, 6; wizard (QuickStart program), 15; work sheets, 91: enrollment 96, initial configuration 36, 93, preparation 1, user roles 94; work sheets, tape drives, 95.
(Index, pages 105-106)

Back cover: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 USA. Phone 1-650-960-1300 or 1-800-555-9SUN. Web: sun.com. Worldwide offices: Argentina 5411-4317-5636; Australia 1-800-550-786; Austria 43-1-601-26-0; Balkans 301-6188-111; BE
17. [French legal notice, translated:] ... export control, and may be subject to the regulations in force in other countries in the field of exports and imports. Uses or end users for nuclear weapons, missiles, chemical or biological weapons, or nuclear maritime purposes, whether direct or indirect, are strictly prohibited. Exports or re-exports to countries under United States embargo, or to entities appearing on United States export exclusion lists, including but not limited to the list of persons subject to an order not to participate, directly or indirectly, in exports of products or services governed by United States export control legislation, and the list of specially designated nationals, are strictly prohibited. The use of spare parts or replacement central processing units is limited to repairs or the standard exchange of central units for products exported in accordance with United States export legislation. Except where authorized by the United States authorities, the use of central units to perform product upgrades is strictly prohibited. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE FORMALLY EXCLUDED TO THE EXTENT PERMITTED BY L
18. System Upgrade (KMS Manager GUI)

1. [Download the new firmware] (location not determined yet) onto a laptop. Refer to the instructions or Release Notes that come with the new firmware.
2. From the KMS Manager GUI, select System Management > Local Configuration > Software Upgrade.

FIGURE 6-3 System Upgrade [KMS Manager screen: navigation tree Key Groups (Key Group List, Agent Assignment); System Management (Audit Event List, KMA List, User List, Role List, Site List, SNMP Manager List, System Dump); Security (Security Parameter List; Core Security: Backup Core Security, Key Split Credentials, Autonomous Unlock); Local Configuration (Lock/Unlock KMA, System Time, Software Upgrade). Software versions listed: Build212 Release Build Nov 01 2007 07:25 (True); Build212 Release Build Nov 01 2007 07:25 (False). Buttons: Activate, Upload and Apply. Log pane:]
   2007-11-08 14:55:29 KMS Manager started
   2007-11-08 14:55:35 Connecting
   2007-11-08 14:55:36 Connected to 10.80.44.33 (Glenfarclas)
   2007-11-08 14:55:36 Retrieve Security Parameters succeeded
   2007-11-08 14:55:36 Retrieve Operations For Current User succeeded
   2007-11-08 14:55:36 Session inactivity timeout: Disabled
   2007-11-08 14:55:42 List Software Versions succeeded

3. Click the Browse button to bring up a Choose File dialog.
4. Navigate to the new file, select it, and click OK.
5. Click the Upload and Apply button. This begins the upload process. When the upload and apply is complete, the new version will show up in the ver
19. Power on the KMA through the ELOM (Chapter 2, Key Management Appliances, pages 11-12)

[...] screen is the Manager Screen. If the server has just been connected to power and has not been powered on, it will not have completed a system boot.
5. Check the power status by clicking the System Monitoring tab. The power status is shown in the table.
6. If the Power Status shows "power off", click the Remote Control tab at the far right of the upper row of tabs.
7. Click the Remote Power Control tab in the second row of tabs.
8. In the Select Action drop-down, choose Power On and click the Save button. The KMA will begin powering up. This takes a few minutes; however, you can continue with the KMA configuration.
   FIGURE 2-4 Power Control [Sun embedded Lights Out Manager: Redirection, Remote Power Control, Hotkey Setup; Power Control].
9. Click the Remote Control tab in the first row of tabs.
10. Click the Redirection tab in the second row of tabs.
11. Click the Launch Redirection button. This launches the remote console screen in a new window.
   FIGURE 2-5 Power Control [Redirection tab, Launch Redirection: "Manage the host server remotely by redirecting the system console to your local machine"].
20. Partners Site; Chapter 1, Introduction

[...] sun.com/register. For more information about Sun StorageTek products, go to http://sunsolve.sun.com/handbook_pub/validateUser.do?target=STK/STK_index

Partners Site: The Sun StorageTek Partners site is a Web site for partners with a StorageTek Partner Agreement. This site provides information about products, services, customer support, upcoming events, training programs, and sales tools to support StorageTek Partners. Access to this site beyond the Partners Login page is restricted. On the Partners Login page, employees and current partners who do not have access can request a login ID and password, and prospective partners can apply to become StorageTek resellers. The URL for partners with a Sun Partner Agreement is http://www.sun.com/partners

CHAPTER 1: Introduction

This chapter contains information about the planning that should have taken place, the required tools, and what to do before beginning the installation.

Planning: Planning and the use of the Systems Assurance Guide should have occurred before any equipment arrives on site. The system assurance process is the exchange of information among team members to ensure that no aspects of the sale, order, installation, and implementation are overlooked. Information from this guide includes:
- Installation planning checklist
- Conceptual drawings
- Site preparation checklist
21. SL500 Library; 9310 Library and 9741e Drive Cabinet

[The SL500 can grow to a] total configuration of five modules by adding up to four optional drive and cartridge expansion modules (shown to the right). A customer configuration that includes an SL500 library plus the encryption hardware would be:
- One base module
- Up to three expansion modules
- Encryption hardware
If a fourth expansion module is installed, an external rack will be required for the encryption hardware.

There are elements to consider when designing for content management and encryption in an SL500 library. Some considerations include:
- Because the SL500 is a rack-installed library, there may be limited space to install the additional hardware; an external rack may be required for the encryption hardware.
- The SL500 supports: from 1 to 18 tape drives; partitioning; Open Systems platforms; only LTO-type tape drives (HP LTO4, encryption capable); SCSI direct attachments to the tape drives.

The encryption hardware kits are:
- CRYPTO-2X-SL500B-Z for the base module
- CRYPTO-2X-SL500X-Z, one for each drive expansion module
Verify that all components are available.

9310 Library and 9741e Drive Cabinet (page 65)

The 9310 PowderHorn automated cartridge system (ACS) is an enterprise-class library that offers up to 6,000 data cartridges. Each library storage module (LSM) can
22. Appendix B, Migration Instructions (tail, pages 99-100); Index (Numerics-C)

[KMS Manager log residue: ... 07 10:36:36 AM Connected to 10.80.44.33 (Glenfarclas); Retrieve Security Parameters succeeded.]

Index
Numerics: 10000 rack kit, 71; 1400 library kit, 69; 180 library kit, 70; 3000 library kit, 63; 500 library kit, 64; 700 library kit, 69; 8500 library kit, 58; 9310 library kit, 65; 9741e drive cabinet kit, 65.
A: accessory racks, 60; adapter, serial cable, 2; adding to a cluster, 28, 77; adding users, 22; administrator guide download site, 1; agents: assign 23, configure 24, enroll 23; altitude, 6; amber LED, 35; APC switch, 62; assign agents, 23; auditors, 22; autonomous unlocking preference, 19.
B: backup, 25: core security 26, operators 22, restore from 80; batch file, 52; before beginning, 2; buttons, 5.
C: cabinet, 9741e, 65; cabinet specifications, 7; cable adapter, 2; call center, 76, 92; checklists: configuration 21, enrollment 34, 48, preparation 1, tape drives 33, 47; cluster: adding to 28, 77, how to create 17; compliance officers, 22; conceptual drawings, 1; configuration checklist, 21; configure agents, 24; Configure Drive tab, 53; connectors, 5; core security backup, 26; create a cluster, 17; creating users, 22; cross-over cable, 2; Customer Resource Center (CRC), xvi; customer satisfaction, 1; customer-initiated maintenance, 76, 92; cycling LE
23. HP LTO4 Tape Drives: Run LED Diag; Run Loopback Test (Chapter 6, Service, pages 86-87)

2. During this time, if you press the Reset switch, the green encryption LED will flash.
3. Click EXIT LED Diag to end this test.

FIGURE 6-9 Run LED Diag: LTO-4 Virtual Operator Panel Version 1.0.11, connected to 10.0.0.4; status indicators Empty, Service, Encrypt; Diagnose Drive transcript:
   Tue Apr 15 11:14:32 2008 Connecting to 10.0.0.4
   Tue Apr 15 11:14:34 2008 VOP LOGGED IN to Drive
   Tue Apr 15 11:14:34 2008 Connection to 10.0.0.4
   Tue Apr 15 11:24:32 2008 Enter LED Diagnostic Mode
Buttons: Clear Transcript, EXIT LED Diag, Get Log, Load Firmware, RUN Loopback Test.

The green LED is on for 30 seconds when you power on the LTO4 tape drive, as the Dione card performs an initial program load (IPL). After 30 seconds the LED goes out and stays out until the tape drive is in an encryption-capable mode (tape loaded, key available, encrypting or decrypting).

Run Loopback Test: To run the Loopback diagnostic test:
1. Click Run Loopback Test.
2. Observe the display as the test starts and ends.

FIGURE 6-10 Run LED Diag [shows the loopback transcript]: LTO-4 Virtual Operator Panel Version 1.0.11, connected to 10.0.0.4 (Offline); Diagnose Drive transcript:
   Tue Apr 15 11:27
24. Key Management Appliance panels and specifications (Chapter 2, Key Management Appliances, page 5)

- FIGURE 2-1 is an example of the front of the appliance.
- FIGURE 2-2 is an example of the rear of the appliance.
Note: The rear of the appliance is where all of the cable connections are made.

FIGURE 2-1 Key Management Appliance Front Panel
1. System identification button/LED
2. Fault LED
3. Power OK LED
4. Power button
5. USB 2.0 connectors (2)
6. CD/DVD drive (not available)
7. Hard drives (one only)

FIGURE 2-2 Key Management Appliance Rear Panel
1. Power connector
2. Ethernet connectors (2): top, Web browser (LAN 0); bottom, embedded Lights Out Manager (ELOM)
3. Fault LED
4. Power LED
5. Ethernet connections (2): left, SDP connection (LAN 2); right, reserved (LAN 3)
6. Serial port (ELOM connection)
7. PCIe slots: top, SCA6000 random number generator; bottom, blank (empty)
8. VGA connector, if using a monitor and keyboard for the initial configuration
9. USB 2.0 ports (4)

Note: The ELOM IP address is most easily configured using a serial connection (callout 6) by connecting a DB9-to-DB9 serial null modem cable from a PC serial port to the serial port on the server. This is a one-time connection and one-time configuration requirement.

Specifications: TABLE 2-2 lists the specifications for the Sun Fire X2100 server.
TABLE 2-2 Sun Fire X2100 Specifications
Processor: one dual-core AMD Opteron processor; processor frequ
25. Index (J-P, excerpt)

[...] 39.
J: Java supported versions, 9; join a cluster, 17.
K: key groups, 23; Key Management Appliance (see KMA); key migration, 97; key policies, 23; key split credentials, how to create, 18; keyboard, 10; keyboard entry, 15; KMA: autonomous unlocking 19, backups 25, clusters (how to create, join) 17, dimensions 6, front view 5, initial backup 25, initial configuration settings 4, installation tips 14, IP address range 15, key split credentials 18, QuickStart 13, rear view 5, Security Officer set up 19, specifications 6, system upgrade 79, time settings 20, tips 14; KMA ID, 53; KMS Manager: installation 21, network connection 8.
L: L1400 library, 69; L180 library, 70; L700 library, 69; LAN connections, 8; LED diagnostic test, 86; LED for encryption, 35; LEDs, 5, 35; LEDs, tape drive status, 35, 50; license tape drives, 39; lights, 35; local area network connections, 8; Loopback diagnostic test, 87; L-Series library, 68.
M: management network (LAN connection), 8; manual organization, xiii; manuals, xiv; mass storage, 6; memory, 6; migrate keys, 97; monitor, 10; monitor connector, 5; Monitor Drive tab, 51, 85; mounting options, 6.
N: null modem cable, 2.
O: on/off switch, encryption, 83; on/off switch, power, 5; operators, 22; organization of this manual, xiii; overview: Dione card 49, VOP 85.
P: panel views, 5; part numbers, tools, 2; Partner Agreement, xvi; Part
26. Related manuals; Encryption Hardware Kits: SL8500 Library (Chapter 5, pages 57-58)

- SL8500 Modular Library System Installation Manual, StorageTek 96138
- SL3000 Modular Library System Installation Manual, StorageTek 316194201
- SL500 Modular Library System Installation Manual, StorageTek 96114
- L700/1400 Library Installation Manual, StorageTek 95843
- L180 Library Installation Manual, StorageTek 95896
- 9310 PowderHorn Library Installation Manual, StorageTek 9314
If the manuals are not on hand, go to the Product Documentation Web site at http://docs.sun.com/app/docs

The information in this chapter includes:
- SL8500 Library, page 58
- External Rack Installations, page 62
- SL3000 Library, page 63
- SL500 Library, page 64
- 9310 Library and 9741e Drive Cabinet, page 65
- L-Series Libraries, page 68
- Rackmount, page 71

SL8500 Library

Encryption-capable tape drives add another element to the design for content management in an SL8500 library installation. Some considerations include:
- You may need to order multiple kits or additional Ethernet switches to support all of the encryption-capable tape drives in an SL8500 library or a library complex. A single SL8500 library can support up to 64 tape drives, in 4 groups of 16 drives. An SL8500 Library Complex, with multiple libraries joined together using pass-thru ports, can have a capacity of several hundred tape drives.
- The SL8500 can provide AC and DC power redundancy with the proper f
Account Log 75
Obtaining Support 76
Obtaining Support 92
Initial Configuration Settings (Customer) 93
User Roles Work Sheet (Customer) 94
Tape Drive Work Sheet (Service Representative) 95
Enrollment Data Work Sheet (Customer) 96

Preface

This installation and service manual is intended for Sun StorageTek service representatives, qualified partners, and customers doing the installation and initial configuration of the Crypto Key Management System Version 2.0. The installation is a multi-step process that requires collaboration between the installers and the customer to complete.

Organization

This guide has the following organization:

Chapter 1, Introduction: Prepare for the installation.
Chapter 2, Key Management Appliances: Install the Crypto Key Management Appliance (KMA), a Sun Fire X2100 M2 server.
Chapter 3, T-Series Tape Drives: License the T-Series tape drives; enroll the T-Series tape drives.
Chapter 4, HP LTO4 Tape Drives: Obtain information about the HP LTO4 tape drives, including the Dione card and the Virtual Operator Panel, and how to enable and enroll the LTO4 tape drives to support encryption using the KMS 2.0.
Chapter 5, Encryption Hardware Kits: Install the additional encryption hardware in supported con
After completing the QuickStart, the KMA will be locked. You must reconnect to the new KMA (you may need to do a refresh) to unlock it.

Add KMAs to the Cluster

Run the QuickStart Wizard

1. You must now run the QuickStart program on the KMA you just created so that it can join the cluster. See QuickStart Program on page 13 for information.
   ■ Remember to select Option 2, Join an Existing Cluster.
   The KMA being added checks its firmware version against the existing versions in the cluster. If it is not compatible, the new KMA displays an error and gives the user the option of upgrading or downgrading.

   FIGURE 2-7 KMA Replacement, Joining an Existing Cluster (remote console output):
   Joining cluster
   Initialization failed. This KMA is incompatible with the cluster.
   Perform a software upgrade or downgrade? (y/n)

2. If the user selects Yes, then the KMA being added:
   ■ Grabs the code from the existing KMA in the cluster,
   ■ Downloads the code for its own use, and
   ■ Installs the code.
   This process takes about 25 to 30 minutes to complete.

   FIGURE 2-8 KMA Replacement, Joining an Existing Cluster, Upgrade/Downgrade (remote console output):
   Upgrade/Downgrade KMA Software from Cluster
   Press Ctrl-c to abort
   Waiting for server to bundle upgrade file
   Bundle of cluster software complete
   Uploading upgrade file (step 2 of 6)
   Upload upgrade file complete
   Verifyin
Create button. The Create KMA dialog box is displayed with the General tab active.
3. Complete the following parameters:
   ■ KMA Name: Type a value that uniquely identifies the KMA in a cluster. This value can be between 1 and 64 (inclusive) characters.
   ■ Description: Type a value that uniquely describes the KMA. This value can be between 1 and 64 (inclusive) characters.
   ■ Site ID: Click the down arrow and select the site to which the KMA belongs. This field is optional.
4. Open the Passphrase tab.
5. Enter the Passphrase and confirm the Passphrase. Enter from 8 to 64 characters; the default value is 8 characters. This is the passphrase the new KMA will present when its QuickStart joins the cluster, so treat it as a credential: use well beyond the 8-character minimum and pass it to the person running QuickStart out of band. The KMA record is added to the database and displayed in the KMA List screen.
6. You must now run the QuickStart program on the KMA you just created so that it can join the cluster. See QuickStart Program on page 13 for information. Remember to select Option 2, Join an Existing Cluster.
   The KMA being replaced or added checks its firmware version against the existing versions in the cluster. If it is not compatible, the new KMA displays an error and gives the user the option of upgrading or downgrading.

   FIGURE 6-1 KMA Replacement, Joining an Existing Cluster (remote console output):
   Joining cluster
   Initialization failed. This KMA is incompatible with the cluster.
   Perform a software upgrade or downgrade? (y/n)

Repl
D
default IP address 53
depth 6
DHCP 72, 101
dimensions, KMA 6
Dione card 49
  components 49
  loading firmware 88
disable encryption 83
dispatch 76, 92
drawings 1
drive data 36
drive file structure 38
drive tray example 50, 61
dump system 81
Dynamic Host Configuration Protocol 72

E
ELOM
  change password 27
  commands 9
  how to start 9
  IP address 8
  log in 10
  network connection 8, 9
  power control 11
  QuickStart 13
  redirection 12
  remote control 12
  start 9
embedded Lights Out Manager, see ELOM
encryption indicator 51, 85
encryption LED 35
enroll 55
enroll agents 23
enrollment
  checklist 34, 48
  work sheet 96
environmental parameters 6
error-free installation 1
Ethernet cable 2
Ethernet connectors 5
external rack installation 62

F
Fault LED 5
Federal Information Processing Standards Publications xiv
field replaceable units 74
firmware upgrade 79
front panel 5

G
Get Log 88
graphical user interface 8
green LED 35
GUI
  installation 21
  LAN connection 8
guides xiv

H
hardware kits 57
heat output 6
height 6
help center 76, 92
HP LTO specifications 50
HyperTerminal session 8

I
indicators, tape drive 35
initial configuration work sheet 4, 36, 93
initial settings 18
installation planning checklist 1
IP addresses
  ELOM 8
  initial set up 15
  KMS Manager 16
  SDP 72
  tape drives
LED on the drive tray rear panel.

FIGURE 4-1 Dione Card Components
1 Dione card
2 Ethernet connection (RJ-45)
3 Reset switch
4 Green status LED
5 LED connection (2 wires)
6 Inline power connection
7 Tape drive power connection
8 Tape drive communications connection
9 Reset switch connection (2 wires)

This assembly is installed in the encryption-capable HP LTO4 tape drives.

Tape Drive LEDs

Each encryption-capable LTO4 tape drive has an LED status light on the rear of the drive and/or drive tray. FIGURE 4-2 shows an example of an LTO4 tape drive mounted in a drive tray.

FIGURE 4-2 LTO4 Tape Drive in Drive Tray (SL8500)
10 PWR: power indicator (green)
11 FAULT: fault indicator (red)
12 MAINT: recessed button that resets the Dione card
13 Green LED: ON during the Dione card IPL and when an encryption/decryption key is present during drive operation
14 PORT A: Fibre Channel interface port
15 PORT B: not used
16 RJ-45 connector. This port is auto-sensing to 10 Mbps/100 Mbps data rates and is used to:
   ■ Configure the network
   ■ Enroll the agent on the KMS
   ■ Upgrade Dione card firmware

Using the Virtual Operator Panel
BELGIUM 32 2 704 89 83
BRAZIL 55 11 51872100
BRUNEI 65 216 8333
CANADA 1 800 422 8020 (general); 416 964 2001 (Learning Management System Sales, Toronto)
CHILE 562 372 4500
COLOMBIA 571 629 2323
CZECH REPUBLIC 420 2 33009311
DENMARK 45 4556 5040
EGYPT 00 202 570 9442
FINLAND 358 9 525 561
FRANCE 33 1 41 33 17 17
GERMANY 49 89 460 08 2788
GREECE 30 01 6188101
HONG KONG 852 2877 7077
HUNGARY 361 202 4415
INDIA 91 80 229 8989
INDONESIA 65 216 8333
IRELAND 353 1 668 4377
ISRAEL 972 9 9710500
ITALY 39 02 9259511
JAPAN 81 3 5779 1820
KOREA 82 2 3453 6602
MALAYSIA 603 2116 1887
MIDDLE EAST 00 9714 3366333
MEXICO 525 261 0344
NETHERLANDS 31 33 4515200
NEW ZEALAND 0800 786 338
NORTH WEST AFRICA 00 9714 3366333
NORWAY From Norway 47 22023950; To Norway 47 23369650
PAKISTAN 00 9714 3366333
PEOPLE'S REPUBLIC OF CHINA 8610 6803 5588
PHILIPPINES 632 885 7867
POLAND 48 22 8747848
PORTUGAL 351 21 413 4000
RUSSIA 7 095 935 8411
SAUDI ARABIA 00 9714 3366333
SINGAPORE 65 216 8300
SOUTH AFRICA 27 11 256 6300
SPAIN 34 902 210 412
SRI LANKA 65 2168333
SWEDEN 46 8 631 22 00
SWITZERLAND 41 1 908 90 50 (German); 41 22 999 0444 (French)
TAIWAN 886 2 25185735
THAILAND 662 344 6855
TURKEY 90 212 335 22 00
UNITED KINGDOM 44 1276 416 520
UNITED STATES 1 800 422 8020
VENEZUELA 582 905 3800
VIETNAM 65 216 8333
WORLDWIDE HEADQUARTERS 1 650 960 1300
MA, a Sun Fire X2100 M2 server.

Overview

The initial setup of a KMA uses a console connection that can be done using a:
■ Monitor and keyboard directly connected to the KMA, or
■ Laptop with the embedded Lights Out Manager (ELOM).

The ELOM remote console function requires a network connection, labeled ELOM Network in the diagram on page 5. The ELOM's IP address must be configured, as described later in this document, in order to use the remote console function.

Servers must be installed in pairs called a cluster. Clusters perform backups of each appliance; therefore no external hard drives are required.

Each key management appliance has the capability of four network connections that may be used. These connections are:
■ LAN 0: Management network
■ LAN 1: embedded Lights Out Manager (ELOM) network
■ LAN 2: Service network
■ LAN 3: Reserved

Each of these connections, if made, requires an IP address and hostname. TABLE 2-1 on page 4 provides space to record these connections and initial customer settings. This information is necessary to:
■ Configure the ELOM IP Address on page 8
■ Run the QuickStart Program on page 13

Note: The customer does not need to record the actual passphrases; this just serves as a reminder of the upcoming requirements.

TABLE 2-1 Initial Configuration Settings: rotated work sheet page (the same form, with its notes, is reproduced as TABLE A-1 in Appendix A, Work Sheets).
Management System Manager to each KMA and the Ethernet switch.
6. Connect the Ethernet cables from the switch to the tape drives.

Note: Because the Ethernet switch was previously installed in this configuration, the KMAs are installed above the switch.

L180 Library Encryption Hardware

The L180 libraries have an internal 6-unit rack area accessible from behind the right front door of the library.

FIGURE 5-12 L Series Libraries. Callouts:
1 Ethernet connections
2 KMAs (2)
3 Ethernet switch
4 Ethernet-to-drive cables
5 Tape drives
6 PDU

To install the encryption hardware in the L180 internal rack area:
1. Install the equipment in this order:
   ■ KMAs on top
   ■ Ethernet switch above the PDUs
   ■ PDU on the bottom of the rack area
2. Connect the PDU power cables to the customer's power source.
3. Connect the power cords.
   Important: See Chapter 2, Key Management Appliances, and Configure the ELOM IP Address on page 8 before you plug power cables into the KMAs.
4. Connect an Ethernet cable from the dedicated customer network with access to the KMS Manager to each KMA and the Ethernet switch.
5. Connect the Ether
Manager using either:
■ Network connection: LAN 1 (NET MGT), the ELOM interface (suggested), or
■ Keyboard and monitor attached to the KMAs (alternate method).

Alternate Method

Using FIGURE 2-2 on page 5 as a reference, the alternate method to using the network connection is to use a monitor connected to the VGA connector (callout 8) and a keyboard connected to one of the USB ports in callout 9. An accessory kit is available: XCRYPTO-KEYBD-MONZ, Monitor, Keyboard and rack-mount accessory kit, part number 315496601. Then follow the same procedure as for the network connection.

Using a Network Connection

1. Using another workstation on the network, launch a Web browser.
2. Connect to the KMA ELOM using the IP address or hostname of LAN 1 (NET MGT), the address just configured.
   Note: Because the certificate in the ELOM will not match the assigned name or IP, you will receive one or more warnings from your web browser.
3. Click OK or Yes to bypass these warnings. Accept them only while connected over the dedicated ELOM network described in the Overview: on a shared network, an impostor answering on that address would produce exactly the same warning, and the browser gives you no way to tell the two apart. Once past the warnings you will receive the ELOM login prompt.

   FIGURE 2-3 embedded Lights Out Manager Login Screen (fields: Username, Password; buttons: Login, Reset)

4. Log in using Userid root, Password changeme. This is the factory default and is the same on every KMA shipped; change it as soon as the initial configuration is complete (see the ELOM password change procedure on page 27). The next
... applicable law, including in particular any implied warranty of merchantability, fitness for a particular purpose, or non-infringement. (End of the French-language warranty disclaimer.)

We welcome your feedback. Use the OpinionLab feedback system on the documentation Web site, or send your comments to:
Sun Learning Services
Sun Microsystems, Inc.
500 Eldorado Blvd, Mailstop UBRM06-307
Broomfield, CO 80021-6307 USA
Please include the publication name, part number, and edition number in your correspondence if they are available. This will expedite our response.

Summary of Changes

EC000227, February 2008, Revision A: Initial release.
EC000496, May 2008, Revision B: Refer to this revision for the list of changes included (T9840D tape drives).
EC000594, June 2008, Revision BA: This revision includes:
  ■ Change of the document short name from KMA to KMS 2.0 in the page footer
  ■ Information about the HP LTO4 encryption-capable tape drive
  ■ New Chapter 4, HP LTO4 Tape Drives, causing the other chapters to increase in number (Chapter 5, Encryption Hardware Kits, and Chapter 6, Service)
  ■ Service elements for the HP LTO4 tape drive and Dione card
  Note: Change bars are included in this revision.

Contents

Summary of Changes iii
Contents v
Figures
TABLE A-4 Drive Enrollment Work Sheet (Customer), page 96: rotated form of 20 numbered rows. Recoverable column labels are KMA hostname and IP address, drive IP address, Agent ID, passphrase, and Yes/No check boxes; the remaining labels are not legible.

APPENDIX B Migration Instructions

This appendix contains instructions to migrate keys:
■ From a Key Management Station Version 1.x
■ To a Key Management System Version 2.0 system

Prerequisites

A file of key data exported from a KMS 1.2 or later version database. This can be on any media such as a CD-ROM, memory stick, or external hard drive.

Note: The Key Management Appliance (KMA) does not have a functioning CD or DVD drive. If exporting keys, make sure there is a system (PC or workstation) available that can connect to the Encryption Management Network, the KMS Manager, and the Key Management Appliances.

Input File Format

A KMS 1.x file containing exported keys
TABLE 3-3 Enrollment Data Work Sheet (Customer), page 34: rotated form with numbered rows. Recoverable column labels are KMA hostname and IP address, drive IP address, Agent ID, passphrase, and Yes/No check boxes; the remaining labels are not legible.

Tape Drive LEDs

Each encryption-capable tape drive has an LED status light on the rear of the drive and/or drive tray.

TABLE 3-4 Tape Drive Encryption LED
Green
  ■ Solid: Safe. Encryption is not enabled.
  ■ Flashing: Reset. Encryption was enabled; now it needs keys.
Amber (orange)
  ■ Solid: Needs media keys. Install the OKTs.
  ■ Flashing: Needs device keys. Install the EKT. This also indicates an IP address mismatch on the token/drive network.
Red
  ■ Solid: Armed, ready to encrypt.
  ■ Flashing: Encrypting, reading and writing in encrypted mode.
Cycling (the LED cycles through all colors): The tape drive is zeroed, unusable, and must be returned.

Callouts: 1 Encryption LED; 2 Ethernet port.

Note: When there is no cartridge in the tape drive, the drive has no encryption keys stored in memory.

Obtain t
Phrase

License the Tape Drives

For the service representative:
1. Configure and connect the laptop with the drive data file structure to the:
   ■ Tape drive network, using an Ethernet cable and switch and the assigned IP addresses for the drives, or
   ■ Tape drive, using a cross-over Ethernet cable and the default IP address 10.0.0.1.
2. Launch VOP and connect to a specific tape drive.
3. On the VOP main screen:
   ■ Take the drive offline.
   ■ Pull down the Configure menu.
   ■ Select Drive Data.

   VOP main screen example (menus: File, Drive Operations, Retrieve, Configure, Diagnostics, Help; Drive Name: jute). Message pane:
   Tape drive is ON LINE              9:33 AM Nov 5 2007
   Tape Cartridge is UNLOADED         9:33 AM Nov 5 2007
   Connection to jute                 9:33 AM Nov 5 2007
   VOP LOGGED IN to Drive             9:33 AM Nov 5 2007
   Set OFF LINE Operation Started     9:33 AM Nov 5 2007
   Tape drive is OFF LINE

4. Press the License button and a File Open screen appears (Configure Drive Parameters).
5. Navigate to the drive data file structure and select the folder for that tape drive. The drive validates the license number.
   ■ If it is not correct, licensing will fail and VOP will show an error message.
   ■ If the license number is correct, the drive will reboot.
   Depending on the number of tape drives to license
Press Ctrl-c to abort

6. Enter Autonomous Unlocking Preference

   When Autonomous Unlocking is DISABLED, it is necessary to UNLOCK the KMA using a quorum of Key Split Credentials EACH TIME the KMA starts, before normal operation of the system can continue. Agents may NOT register Data Units with, or retrieve Data Unit Keys from, a locked KMA.
   When Autonomous Unlocking is ENABLED, the KMA will automatically enter the UNLOCKED state each time the KMA starts, allowing it to immediately service Agent requests.
   Do you wish to enable Autonomous Unlocking? (y/n): y

   Decide this with the customer rather than by default: enabling it removes the quorum check from every restart, so a KMA that is powered on unattended (including one removed from the site) will serve keys without any custodian presenting a Key Split Credential; disabling it means no drive can get keys after a restart until the quorum is assembled.

7. Set Time Information

   KMAs in a cluster must keep their clocks synchronized. Internally, all KMAs use UTC (coordinated universal time). If the customer prefers, there is an option in the KMS Manager that allows dates and times to be adjusted to local time when displayed.

   KMAs in a Cluster must keep their clocks synchronized. Specify an NTP server if one is available in your network. Otherwise specify the date and time to which the local clock should be set.
   Please enter the NTP Server Hostname or IP Address (optional): ntp.example.com
   Press Enter to continue

   Initializing new cluster
   New KMS cluster has been created
   Press Enter to continue
   Key Management System Version (Build 321)
   KMA initialization complete
   You may
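The QuickStart text above relies on one property of Key Split Credentials: a quorum of K custodians out of N can unlock the KMA, but fewer cannot. The following is an added illustration of that K-of-N property using Shamir secret sharing over a prime field; it is not code from the KMS 2.0 product, whose actual key-split format and unlock check this manual does not describe. The field modulus (the Mersenne prime 2^127 - 1) and the SHA-256 commitment used to recognise a correct reconstruction are assumptions made for the example.

```python
"""K-of-N quorum reconstruction with Shamir secret sharing.

Added illustration only: not the KMS 2.0 implementation. It shows the
property the QuickStart prompt depends on: a secret split among N
custodians is rebuilt by any K of them, and K-1 shares are useless.
"""
import hashlib
import secrets

# Field modulus (assumption for the demo): the Mersenne prime 2**127 - 1.
P = (1 << 127) - 1


def _poly_at(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Return n shares (x, y) of `secret`; any k of them reconstruct it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # den is nonzero in a prime field, so pow(den, P-2, P) is its inverse.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def commitment(secret):
    """Hash a KMA could store to recognise the correct reconstruction (assumed)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def quorum_unlock(presented_shares, k, expected_commitment):
    """Unlock only if at least k shares are presented and they rebuild the secret."""
    if len(presented_shares) < k:
        return False  # short of quorum: stay locked, do not even attempt
    candidate = recover_secret(presented_shares[:k])
    return commitment(candidate) == expected_commitment


if __name__ == "__main__":
    master = secrets.randbelow(P)
    shares = split_secret(master, k=3, n=5)  # 5 custodians, any 3 unlock
    print("3 of 5 unlock:", quorum_unlock(shares[:3], 3, commitment(master)))
    print("2 of 5 unlock:", quorum_unlock(shares[:2], 3, commitment(master)))
```

With two of five shares the interpolation still returns a number, but not the secret, which is why a stored commitment (or, in a real appliance, a successful decryption of known data) is what turns "enough shares" into "unlocked".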
SoapFaultCode: SOAP-ENV:Client
SoapFault: jute commit FAILED: Could not get profile from KMS

Start Update Drive Parameters
Enrolling jute in KMS 010.080.044.057
AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
AUDIT CLIENT GET CERTIFICATE SUCCESS
AUDIT CLIENT SAVE CLUSTER INFORMATION SUCCEEDED
Successfully enrolled jute
commit SUCCESS
Configuration data saved

The Configure menu, Drive Settings screen shows that the drive is licensed, enrolled, and needs media keys.

View Current Drive Settings (tabs: Missing, Network, Rfid, Statistics, Version, Fibre, Idsnmp, Keyid, Logging)
Crypto Serial Number (CSN): 000000F2
Device zeroed: No
Device reset: No
Encryption active: Yes
Licensed: Yes
Use tokens: No
Permanently encrypting: No (switchable)
Agent ID (Enroll): jute
KMA IP address (Enroll): 010.080.044.057 (10.80.44.57)
Active media keys: No (Needs keys)
Key Load Number: 0
Number of media keys: 0
Need media keys: Yes
Received media keys: No

The VOP main screen now shows that the drive is Online and that the Media will be encrypted (red LED by the Media icon).
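When many drives are enrolled in one sitting, the VOP message pane above is the only record of which enrollments actually completed. The following is an added example, not part of the manual or of the VOP tool, that reads that pane as text and reports, per drive, whether the three audited steps (root CA certificate, drive certificate, cluster information) all succeeded before `commit SUCCESS`. The line shapes are modelled on the excerpt above; the sample log, the drive names other than jute, and the `FAILED` audit line are constructed for the example.

```python
"""Triage VOP enrollment output for a batch of drives.

Added example; not from the KMS 2.0 manual or the VOP tool. Line formats
follow the enrollment excerpt in the manual; the sample log below is
constructed (only "jute" and the KMS address come from the manual).
"""
import re

# Audited steps a successful enrollment walks through, in order.
EXPECTED_STEPS = ("GET ROOT CA CERTIFICATE", "GET CERTIFICATE",
                  "SAVE CLUSTER INFORMATION")

_ENROLL_RE = re.compile(r"^Enrolling (\S+) in KMS (\S+)$")
_AUDIT_RE = re.compile(r"^AUDIT CLIENT (.+?) (SUCCESS|SUCCEEDED|FAILED)$")
_FAULT_RE = re.compile(r"^SoapFault:? (\S+) commit FAILED:? ?(.*)$")
_COMMIT_OK_RE = re.compile(r"^commit SUCCESS$")

# Constructed sample: a failed first attempt for jute, its successful retry,
# a drive whose certificate fetch fails, and a drive that commits early.
SAMPLE_LOG = """\
SoapFaultCode: SOAP-ENV:Client
SoapFault: jute commit FAILED: Could not get profile from KMS
Start Update Drive Parameters
Enrolling jute in KMS 010.080.044.057
AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
AUDIT CLIENT GET CERTIFICATE SUCCESS
AUDIT CLIENT SAVE CLUSTER INFORMATION SUCCEEDED
Successfully enrolled jute
commit SUCCESS
Configuration data saved
Enrolling drive02 in KMS 010.080.044.057
AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
AUDIT CLIENT GET CERTIFICATE FAILED
Enrolling drive03 in KMS 010.080.044.057
AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
commit SUCCESS
"""


def _new_entry(kma):
    return {"kma": kma, "status": "incomplete", "steps": [],
            "detail": "", "retried": False}


def triage(log_text):
    """Map drive name -> final enrollment state seen in the log."""
    results = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENROLL_RE.match(line)
        if m:
            current, kma = m.groups()
            # A new "Enrolling" line supersedes an earlier failed attempt.
            retried = results.get(current, {}).get("status") == "failed"
            results[current] = _new_entry(kma)
            results[current]["retried"] = retried
            continue
        m = _FAULT_RE.match(line)
        if m:
            current, detail = m.groups()
            entry = results.setdefault(current, _new_entry(None))
            entry["status"], entry["detail"] = "failed", detail.strip()
            continue
        if current is None:
            continue  # chatter before any drive is named
        entry = results[current]
        m = _AUDIT_RE.match(line)
        if m:
            step, outcome = m.groups()
            entry["steps"].append(step)
            if outcome == "FAILED":
                entry["status"], entry["detail"] = "failed", step
            continue
        if _COMMIT_OK_RE.match(line) and entry["status"] != "failed":
            # A commit is only trustworthy if every audited step was seen.
            missing = [s for s in EXPECTED_STEPS if s not in entry["steps"]]
            entry["status"] = "enrolled" if not missing else "incomplete"
            entry["detail"] = ", ".join(missing)
    return results


def needs_attention(results):
    """Drives to revisit before assigning key groups in the KMS Manager."""
    return sorted(d for d, e in results.items() if e["status"] != "enrolled")


if __name__ == "__main__":
    for drive, entry in triage(SAMPLE_LOG).items():
        print(f"{drive:8} {entry['status']:10} {entry['detail']}")
    print("needs attention:", needs_attention(triage(SAMPLE_LOG)))
```

A drive listed by `needs_attention` should be checked on its Drive Settings screen (Licensed, Agent ID, KMA IP address) before it is assigned to a key group; a `commit SUCCESS` without the certificate steps is the case worth a second look, since the drive settings alone will not show it.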
Sun StorageTek Crypto Key Management System Version 2.0
Installation and Service Manual
Part Number 316194903, Revision BA

Sun Microsystems, Inc.
www.sun.com
June 2008

Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN MICROSYSTEMS, INC.

Use is subject to license terms. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Comp
TABLE P-1 Documentation and Audience Map (continued)
Site Preparation (Pre-sales): Systems Assurance Guide
Installation & Service: Installation & Service Manual
User Operation: Administrator Guide; Online Help
Legend: AE, Account executive (sales and marketing); SE, Systems engineer; PS, Professional services; TS, Technical specialists; NSSE, T3 Support (Frontline and Backline); SR, Service representative; CSE

Documentation Content and Purpose

This table contains an overview of the Crypto Key Management System documentation, intended audience, general content, and purpose.

TABLE P-2 Documentation Content and Purpose

Systems Assurance Guide (PN 316194801)
  Audience: Marketing & Sales; Systems Engineers; Installation Coordinators; Professional Services; Technical Specialists; Service Representatives; Customer
  General Content: Product description; Dimensions; Weights & measures; Configurations; Capacities; Site preparation; Models and features; Order numbers
  Purpose: Pre-Sales; Site Planning; Product introduction; Readiness

Installation and Service Manual (PN 316194901)
  Audience: Installation Coordinators; Technical Specialists; Service Representatives
  General Content: Installation; Procedures; Checklists; Configurations
  Purpose: Installation; Configuration; embedded Lights Out Manager (ELOM); Service; QuickStart; Fault isolation; Removal/Replacement

Adm
KMS Manager navigation tree (continued): User List; Security: Security Parameter List, Core Security.

KMS Manager message pane:
2007-09-27 23:24:58 List Agents succeeded
2007-09-27 23:24:59 List Agents succeeded
2007-09-27 23:24:59 List Key Groups for Agent succeeded
2007-09-27 23:24:59 List Key Groups succeeded
2007-09-27 23:25:14 List Key Groups for Agent succeeded
2007-09-27 23:25:14 List Key Groups succeeded
2007-09-27 23:25:20 Remove Agent from Key Groups succeeded

CHAPTER 4 HP LTO4 Tape Drives

Currently, the Key Management Station Version 2.0 supports these tape drives:

TABLE 4-1 Tape Drive Support
T10000A
  Interfaces: Fibre Channel; FICON
  Supported firmware: 1.37.108 (Fibre Channel); 1.37.114 (FICON)
  Configuration notes: For specific information, see Chapter 3, T-Series Tape Drives
T9840D
  Interfaces: FICON; ESCON
  Supported firmware: 1.42.104
  Configuration notes: For specific information, see Chapter 3, T-Series Tape Drives
HP LTO4
  Interfaces: Fibre Channel; SCSI
  Supported firmware: H45S (Fibre Channel); B44S (SCSI)
  Configuration notes: Supported in the SL8500, SL3000, and SL500 libraries and the L Series libraries. The SL500 is the only library that supports LTO4 drives with a SCSI interface.

Important: Because the HP LTO4 and T-Series drives and processes are different, see Chapter 3, T-Series Tape Drives, to license and enable the T-S
acing or Adding a New KMA

7. If the user selects Yes, then the KMA being added:
   ■ Grabs the code from the existing KMA in the cluster,
   ■ Downloads the code for its own use, and
   ■ Installs the code.
   This process takes about 25 to 30 minutes to complete.

   FIGURE 6-2 KMA Replacement, Joining an Existing Cluster (remote console output):
   Upgrade/Downgrade KMA Software from Cluster
   Press Ctrl-c to abort
   Waiting for server to bundle upgrade file
   Bundle of cluster software complete
   Uploading upgrade file (step 2 of 6)
   Upload upgrade file complete
   Verifying upgrade file (step 3 of 6)
   Verify upgrade file complete
   Installing software (step 4 of 6)
   Installation complete
   Verifying software compatibility (step 5 of 6)
   Verify compatibility complete
   Activating new software (step 6 of 6)
   Activation complete
   This does not take effect until after a reboot.
   Activation requires a reboot. OK to reboot? (y/n)

8. Once this process completes, the user needs to reboot the KMA.
9. After the KMA comes back online from the reboot, continue with the QuickStart program.
10. Check that the new KMA is in service: select System Management > KMA List.

System Upgrade

To upgrade the KMA firmware, refer to the KMS Administrator Guide and:
1. Download the new firmware from
al Operator Panel

For the customer:
13. In the KMS Manager, assign the tape drives (agents) to the Key Groups.

   KMS Manager screen: Secure Information Management > Key Groups > Key Group Assignment to Agents. Navigation tree: Key Policy List; Key Groups (Key Group List, Agent Assignment); Agents (Agent List, Key Group Assignment); Data Unit List; Backup List; System Management (Audit Event List, KMA List, User List, Role List, Site List, SNMP Manager List, System Dump); Security (Security Parameter List, Core Security). The assignment pane lists Agents with their Allowed Key Groups and Disallowed Key Groups.
   Message pane:
   2007-09-27 23:24:58 List Agents succeeded
   2007-09-27 23:24:59 List Agents succeeded
   2007-09-27 23:24:59 List Key Groups for Agent succeeded
   2007-09-27 23:24:59 List Key Groups succeeded
   2007-09-27 23:25:14 List Key Groups for Agent succeeded
   2007-09-27 23:25:14 List Key Groups succeeded
   2007-09-27 23:25:20 Remove Agent from Key Groups succeeded

CHAPTER 5 Encryption Hardware Kits

This chapter contains information and instructions for the additional hardware kits. For specific instructions about how to install the selected configuration, refer to:
T10000 Tape Drive Installation Manual, StorageTek 96173
SL
any Ltd. Sun, Sun Microsystems, the Sun logo, Solaris, Sun StorageTek Crypto Key Management Station, StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited. Use of any spare or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in compliance with U.S. export laws. Use of CPUs as product upgrades unless authorized by the U.S. Government is strictly prohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved. (French-language notice, translated; it continues:) Sun Micro
aptop or personal computer
■ Virtual Operator Panel Version 1.0.11 or higher (service and customer versions)

Remember: the Service Delivery Platform (SDP) does not support the LTO4 drives. You may need to make adjustments to the network addresses if mixing tape drives on the same KMA and/or SDP network (LAN 2).

Service Representative Work Sheet

TABLE 3-2 Drive Data Work Sheet (Service Representative), page 33: rotated form. Recoverable column labels are drive location, drive IP address, drive serial number, crypto serial number (last 8 digits, hexadecimal characters), and SDP IP address; the remaining labels are not legible.

Customer Work Sheet

TABLE 3-3 Enrollment Data Work Sheet (Customer), page 34: rotated form with numbered rows and Yes/No check boxes (continues on the next page).
aximum volume per 6U rack module is 241 scfm (standard cubic feet per minute) at 0 inches of water static pressure, to a minimum of 0 scfm at 0.60 inches of water static pressure, depending upon the devices and equipment installed blocking the fan air flow.
Regulatory compliance: Minimum requirements are Safety (UL or CSA certification) and Electromagnetic Class A certification from agencies such as FCC or BSMI.

Important: When planning to install encryption hardware in an accessory rack, remember:
■ Two of the racks (2 and 4) receive power from the primary N+1 AC power grid.
■ The other two racks (1 and 3) require the 2N power configuration.

1. RETMA: Radio Electronics Television Manufacturers Association
2. U stands for rack units. One unit is equal to 4.4 cm (1.75 in.)

SL8500 Library Encryption Hardware

To install the encryption hardware in an accessory rack:
1. Attach the mounting brackets to the KMAs and Ethernet switches. Hardware is provided with each unit and in the hardware kit.
2. Install the rack module rails and slides.
3. Install the:
   ■ Ethernet switch to the right of the bay, connections facing out
   ■ KMA to the left of the Ethernet switch, connections facing out
   ■ If installing power distribution units, place them next to the rack power units
4. Using FIGURE 5-2 on page 59 as an example:
   ■ Connect t
brary 58
SL8500 Accessory Racks 60
Encryption Hardware 61
Drive Tray 61
External Rack Installations 62
SL3000 Library 63
SL500 Library 64
9310 Library and 9741e Drive Cabinet 65
External Rack Installation 65
Drive Cabinet Ethernet Switch 66
Cable Routing 67
L Series Libraries 68
L Series Library Rack Space 68
L700/L1400 Library Encryption Hardware 69
L180 Library Encryption Hardware 70
Rackmount 71
Service Delivery Platform 72

6 Service 73
Field Replaceable Units 74
Account Log 75
Obtaining Support 76
Replacing or Adding a New KMA 77
System Upgrade 79
Restore From Backup 80
System Dump 81
T Series Tape Drives 82
Switch Encryption On and Off 83
KMS Version 1.x Support 84
HP LTO4 Tape Drives 85
Diagnose Drive Tab 86
Run LED Diagnostic Test 86
Run Loopback Test 87
Get Log 88
Load Dione Card Firmware 88
Removal and Replacement of the Dione Card 89
Removal 89
Replacement 90

A Work Sheets 91
Obtaining Support 92
Initial Configuration Work Sheet 93
User Roles Work Sheet 94
Tape Drives Work Sheet 95
Drive Enrollment Work Sheet 96

B Migration Instructions 97
Prerequisites 97
Basic Steps 98
Description 98
Stage 1 98
Stage 2 98
Stage 3 98
Instructions 99

Figures

FIGURE 2-1, FIGURE 2-2, FIGURE 2-3, FIGURE 2-4, FIGURE 2-5, FIGURE 2-6, FIGURE 2-7, FIGURE 2-8, FIGURE 3-1, FIGURE
brary 65
Drive Cabinet Ethernet Switch Installation 66
External Rack and Ethernet Cabling 67
L Series Libraries 68
L Series Libraries 69
L Series Libraries 70
Rackmount Assembly 71
Rackmount Instructions 71
Systems Delivery Platform 72
KMA Replacement, Joining an Existing Cluster 77
KMA Replacement, Joining an Existing Cluster 78
System Upgrade 79
Restore Backup 80
System Dump 81
Switch Encryption On and Off 83
Switch Encryption On and Off 84
Virtual Operator Panel Display 85
Run LED Diag 86
Run LED Diag 87
Run LED Diag 88
Dione Card and Connectors 89
Import Keys 99

Tables

TABLE P-1 Documentation and Audience Map xv
TABLE P-2 Documentation Content and Purpose xv
TABLE 2-1 Initial Configuration Settings 4
TABLE 2-2 Sun Fire X2100 Specifications 6
TABLE 2-3 KMA LAN Connections 8
TABLE 2-4 Compatible Web Browser and Java Versions 9
TABLE 2-5 Initial Configuration Checklist 21
TABLE 3-1 Tape Drive Support 31
TABLE 3-2 Drive Data Work Sheet 33
TABLE 3-3 Enrollment Data Work Sheet 34
TABLE 3-4 Tape Drive Encryption LED 35
TABLE 4-1 Tape Drive Encryption LED 45
TABLE 4-2 LTO4 Drive Data Work Sheet 47
TABLE 4-3 LTO4 Enrollment Data Work Sheet 48
TABLE 5-1 SL8500 Accessory Rack Guidelines 60
TABLE 5-2 SL3000 Module Types 63
TABLE 6-1 FRU Listing 74
TABLE 6-2 Keyboard Monitor Kit 74
TABLE 6-3 KMA
cribe the problem to the call taker. The call taker will ask several questions, then:
• Route your call to the appropriate level of support, or
• Dispatch a service representative.
If you have the following information when you place a service call, the process will be much easier. Complete as much information as possible, if known.
TABLE 6-4 Obtaining Support
Account name:
Site location number:
Contact name:
Telephone number:
Equipment model number: [ ] KMA Appliance [ ] SL500 library [ ] T10000A tape drive [ ] KMS Manager GUI [ ] 9310 library [ ] T10000B tape drive [ ] SL8500 library [ ] L Series libraries [ ] T9840D tape drive [ ] SL3000 library [ ] Standalone [ ] HP LTO4 tape drive [ ] Network
Device address:
Urgency of problem or Error Code / Fault symptom code (FSC):
Problem description:

Replacing or Adding a New KMA
• When installing a replacement KMA or adding another KMA to the cluster, some initial steps are required using the KMS Manager GUI.
• Then, during the QuickStart program for the next KMA, select 2) Join Existing Cluster.
• After that, the QuickStart program for the new KMA prompts for the Passphrase and IP address of that existing cluster.
To replace or add a KMA:
1. Log in to the KMS Manager.
2. Select System Management > KMA List
cy of problem or Error Code / Fault symptom code (FSC); Problem description.

Initial Configuration Work Sheet
TABLE A-1 Initial Configuration Settings (Customer)
KMA Name:
Gateway:
DNS Server:
LAN 0 (Management): Hostname / IP Address / Netmask / DHCP: Yes [ ] No [ ]
LAN 1 (ELOM): Hostname / IP Address / Netmask / DHCP: Yes [ ] No [ ]
LAN 2 (Service): Hostname / IP Address / Netmask / DHCP: Yes [ ] No [ ]
LAN 3: Yes [ ] No [ ]
Security Officer: login / passphrase
root account passphrase:
ELOM passphrase:
Key Split Credentials: login / passphrase
Autonomous Unlocking:
Keyboard Type:
Note 1: Addresses assigned using DHCP must be static; the system cannot handle a DHCP server changing the IP addresses once assigned.
Note 2: Autonomous Unlocking allows the KMA to enter a full operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the KMS Manager.
This information should not be written down and should be entered by the person to which they belong. The entries can be changed in the KMS Manager, so it may be desirable to enter something simple during the configuration and change it later using the KMS Manager immediately after the KMA is configured.
Appendix A Work Sheets 93
e Key Split Quorum Authentication dialog box appears. The quorum must type their user names and passphrases to authenticate the operation.
5. Click on the OK button. A progress display of the restore is indicated.

System Dump
A system dump is a user-invoked operation that results in a snapshot of all relevant data collected into a single file. You may be asked to provide a system dump to aid engineering in the analysis of a problem.
Note: A system dump does not contain any keys or key material.
To obtain a system dump:
1. From the KMS Manager GUI, select System Management > System Dump.
2. Provide a system dump file location and name.
3. Click on the Start button.
FIGURE 6-5 System Dump (KMS Manager screen, Core Security menu)

T Series Tape Drives
For specific information about how to service the T10000 and T9840 tape drives, refer to:
• T10000 Tape Drive Installation Manual, StorageTek 96173
• T10000 Service Manual, StorageTek 96175
• Virtual Operator Panel Service, StorageTek 96180
• Virtual Operator Panel Customer, StorageTek 96179
• T9x40 Tape Drive Installation Manual, StorageTek 95879
• T9x40 Service Manual, StorageTek 95740
• Virtual Operator Panel Service, Version 1.0.11, StorageTek
e drives. Depending on the number of tape drives, you may need more than one Ethernet switch. Each tape drive needs an Ethernet connection. More than one Ethernet switch can also be used to provide redundancy.
Kit CRYPTO-20U-Z is a half-high rack. This external rack is:
• 20 units high (approximately 3 ft)
• 19 inches wide
Power redundancy: APC Switch PN XSL8500-AC-SW-Z
Callouts: 1. Service Network (KMA to drives) 2. KMS Manager and the Management Network
To install the encryption hardware in an external rack:
1. Attach the mounting brackets to the KMAs, Ethernet switches, and PDUs. Hardware is provided with each unit and in the hardware kit.
2. Install the rack module rails and slides.
3. Install the equipment in this order:
   • PDU on the bottom of the rack
   • KMAs above the PDUs
   • Ethernet switch on the top of the rack
4. Using FIGURE 5-4 as an example, connect the following cables:
   • PDU power cords to the customer branch circuits (for redundancy)
   • Internal equipment power cords to the PDU
   • Ethernet cables from the Management Network to the KMAs
   • Ethernet cables from the KMAs to the switch
   • From the switch to the tape drives

SL3000 Library
This section contains information to install the encryption hardware in an SL3000 library.
FIGURE 5-5 SL3000 Library
The SL3000 library mai
eatures:
• The SL8500 library contains internal accessory racks to install the key management appliances (KMAs) and additional hardware. These racks are an optional feature, and if the customer wants power redundancy, a minimum of two racks is required.
• The SL8500 supports all versions of the encryption-capable tape drives within the same library or library complex.
• The SL8500 supports partitioning, with up to four partitions using rail boundaries.
• The SL8500 supports multiple operating systems with multiple host connections. See FIGURE 5-2 on page 59 as an example.
This section contains information to install the encryption hardware in an SL8500 library.
FIGURE 5-1 SL8500 Accessory Rack Guidelines
The SL8500 library encryption hardware kit is CRYPTO-2X-SL8500-Z. Verify that all components are available.
Note: For power redundancy, APC Switches PN XSL8500-AC-SW-Z are required. Make sure these are available if the customer has ordered the power redundancy feature. Also, if installing this in the internal racks, a 2N power configuration is required.
FIGURE 5-2 SL8500 Capabilities with Encryption (callouts: SL8500 Library, Tape Drives, Detail A, Rack 1, Rack 2, Power From Rack 2, APC, Detail B, Fibre Channel Switch, Power From Rack 1, Ethernet Switch, Rack 3, N+1 PDU, 2N PDU, S
edata (drive data file opened in WordPad; its contents are a single line of hexadecimal drive data)

Obtain the Drive Data
Create a Drive Data File Structure
When enabling multiple drives, it is best to create a file structure where each tape drive has its own folder. For example:
1. FIGURE 3-5 uses a top-level folder name of crypto_drvs placed on the Desktop. This is only for grouping of the other folders.
2. Under crypto_drvs are the folders for each tape drive, using the serial numbers.
3. In each serial number folder is the drive data file for that specific tape drive.
FIGURE 3-5 Drive Data File Structure (Windows Explorer: Desktop > crypto_drvs > 1234 contains the file drive data, a 1 KB Text Document; sibling folders 1235 through 1239)
When licensing the tape drives, the VOP requests a download location.
4. Complete TABLE 3-3 on page 34 to help with the licensing and enrollment of the tape drives.
What you need to know before beginning
ement network uses an IP address range of 129.80.123.xxx. The exact prompts shown may differ from this example.

Welcome to QuickStart!
Press Enter to continue:
The QuickStart program will guide you through the necessary steps for configuring the KMA. You may enter Ctrl-c at any time to abort; however, it is necessary to successfully complete all steps in this initialization program to enable the KMA.
Press Enter to continue:
Set Keyboard Layout
Press Ctrl-c to abort.
You may change the keyboard layout here.
Available keyboard layouts:
 1. Albanian         2. Belarusian       3. Belgian
 4. Bulgarian        5. Croatian         6. Danish
 7. Dutch            8. Finnish          9. French
10. German          11. Icelandic       12. Italian
13. Japanese-type6  14. Japanese        15. Korean
16. Malta-UK        17. Malta-US        18. Norwegian
19. Portuguese      20. Russian         21. Serbia-And-Montenegro
22. Slovenian       23. Slovakian       24. Spanish
25. Swedish         26. Swiss-French    27. Swiss-German
28. Taiwanese       29. TurkishQ        30. TurkishF
31. UK-English      32. US-English
The current layout is US-English.
Please enter the number for the keyboard layout: 32
The keyboard layout has been applied successfully.

QuickStart Program
1. Set the KMA IP addresses.
Note: It may take one or two minutes for these IP address settings to take effect.
le
encies: 2.2 GHz
• Up to 1 MB level 2 cache
Memory:
• Four DIMM slots, up to 4 gigabytes
• Unbuffered ECC memory
IPMI 2.0:
• Service processor standard
• Embedded Lights Out Manager
Mass storage: One SATA disk drive
PCI slots: Two PCI Express slots (PCIe). PCIe 0 contains the Sun Crypto Accelerator 6000 (SCA6000).
Networking:
• Four USB 2.0 connectors on the rear panel
• Two USB 2.0 connectors on the front panel
• Two ports: Serial port with DB-9 and VGA with DB-15 connectors
• Four 10/100/1000 Base-T Ethernet ports
Dimensions: Height 43 mm (1.7 in); Width 425.5 mm (16.8 in); Depth 633.7 mm (25 in); Weight (maximum) 10.7 kg (23.45 lb)
Mounting options: 19-inch rackmount kit; compact 1 rack unit (1.75 in) form factor
Environmental parameters: Temperature 5 °C to 35 °C (41 °F to 95 °F); Relative humidity 27 °C (80 °F) max wet bulb; Altitude up to 3,000 m (9,000 ft)
Power supply: One, 6.5 Amps at 345 Watts. Heat output is about 850 BTU/hour.
Regulations (meets or exceeds the following requirements):
• Acoustic Noise Emissions: declared in accordance with ISO 9296
• Safety: IEC 60950, UL/CSA60950, EN60950, CB scheme
• RFI/EMI: FCC Class A Part 15 47 CFR, EN55022/CISPR 22, EN300 386 v1.3.1, ICES-003
• Immunity: EN55024, EN300 386 v1.3.2
Certifications:
• Safety: CE Mark, GOST, GS Mark, cULus Mark, CB scheme, CCC, S Mark
• EMC: CE Mark (Emissions and Immunity, Class A), Emissio
equires some steps inside the existing cluster using the KMS Manager GUI.
• Then, during the QuickStart program for the next KMA, select 2) Join Existing Cluster.
• After that, the QuickStart program prompts for the Passphrase and IP address of that existing cluster.
To create and add another KMA to the cluster:
1. Log in to the KMS Manager.
2. Select System Management > KMA List > Create button. The Create KMA dialog box is displayed with the General tab active.
3. Complete the following parameters:
   • KMA Name: Type a value that uniquely identifies the KMA in a cluster. This value can be between 1 and 64 (inclusive) characters.
   • Description: Type a value that uniquely describes the KMA. This value can be between 1 and 64 (inclusive) characters.
   • Site ID: Click the down arrow and select the site to which the KMA belongs. This field is optional.
4. Open the Passphrase tab.
5. Enter the Passphrase: enter from 8 to 64 characters. The default value is 8 characters.
6. Confirm Passphrase: retype the same value that you entered in the Passphrase field.
7. The KMA record is added to the database and the entry is displayed in the KMA List screen.
8. Add all other KMAs belonging to the Cluster.
9. You must now run the QuickStart program on the KMA(s) you just created so that they can join the Cluster. See QuickStart Program on page 13 for information. Remember to select Option 2 to Join an Existing Cluster.
10.
eries tape drives.
This chapter contains information for the Hewlett-Packard LTO4 tape drives, including:
• Dione Card on page 49
• Tape Drive LEDs on page 50
• Using the Virtual Operator Panel on page 51
• Enabling Encryption on page 53
For specific information about how to install the tape drives in the appropriate configuration, refer to the manuals listed in the Preface on page xiii. If the manuals are not on hand, go to the Product Documentation Web site at http://docs.sfbay.sun.com/app/docs.

Before Beginning
1. The tape drives should be installed and tested in their appropriate configuration before adding the encryption capability to them.
2. To enable and enroll the tape drives requires multiple steps and the collaboration between the service representative and the customer to complete.
   Responsibility | Steps
   Customer | 1. Create Agent IDs and passphrases in the KMAs
   Service Representative | 1. Configure the initial and network connections
   Service Representative | 2. Enable the LTO4 drives for encryption
   Customer | 4. Enroll the tape drives; 6. Assign the tape drives to a Key Group
• The service representatives will need to create a file on a laptop and use the Virtual Operator Panel (VOP) to transfer the PC Keys to license the tape drives. Record the information in TABLE 4-2 on page 47.
• The customer w
f the equipment in the rack.
Proper power connections and ground: If installing the servers to support power redundancy, make sure there are two separate branch circuits available. Should a power supply or circuit fail, the other server can continue operations until the problem is fixed. If removing power from the servers, the other rack equipment is not affected.
Required Tools
The required tools to install and initially configure the server are:
• Standard field service tool kit, including both standard and Phillips screwdrivers, Torx driver and bits, and side cutters (tools necessary to mount the servers in a rack)
• Serial or null modem cable, PN 24100134, with DB-9 connector
• Adapter, PN 10402019
• Straight Ethernet cable, PN 24100216 (10 ft)
• Cross-over Ethernet cable, PN 24100163 (10 ft)
• Service laptop or personal computer
• Virtual Operator Panel, Version 1.0.11 or higher (service and customer versions)
Unpack and Inventory the Contents
To begin the installation, unpack and inventory the contents, which includes:
• Sun Fire X2100 server
• Server accessory kit
• Rack mount kits
• Power cables
• Tape drives
• Additional encryption hardware kits
Make sure there is no physical damage or loose parts.

CHAPTER 2 Key Management Appliances
This chapter describes how to install and initially configure the Crypto Key Management Appliance (K
f the manuals are not on hand, go to the Product Documentation Web site at http://docs.sfbay.sun.com/app/docs.
The Sun StorageTek Virtual Operator Panel (VOP) is a computer-based application that provides a graphical user interface (GUI) to these tape drives. With the VOP at Version 1.0.12 and higher, support for the HP LTO4 tape drive is provided through the Dione card, which serves as a serial-to-Ethernet translation device for the tape drive. FIGURE 6-8 shows an example of the VOP display.
FIGURE 6-8 Virtual Operator Panel Display (LTO4 Virtual Operator Panel, Version 1.0.11.10; tabs: Monitor Drive, Configure Drive, Diagnose Drive; fields: Drive Type, Media Type, IP Address, Netmask, Gateway, KMA Agent ID, KMA IP Address, Dione Version, KMA Agent Version)
Callouts: 1. Connect tab 2. Monitor Drive tab 3. Configure Drive tab 4. Diagnose Drive tab 5. Drive status indicators (colors): Online/Offline, Loaded, Service, Encrypt (encryption indicator)

HP LTO4 Tape Drives
Diagnose Drive Tab
The Dione card and the VOP Diagnose Drive tab allow you to perform limited tests, get logs for engineering review, and load Dione card firmware.
Run LED Diagnostic Test
To run the LED diagnostic test:
1. Click on Run LED Diag. The display changes the button to EXIT LED Diag.
figurations.
Chapter 6, Service: This chapter contains procedures to help maintain the Key Management System Version 2.0 and tape drives.
Appendix A, Work Sheets: Help prepare for the installation by completing the work sheets.
Appendix B, Migration Instructions: Migrate keys
• From a Version 1.x KMS
• To a Version 2.0 KMA

Related Information
These publications contain the additional information mentioned in this guide.
Publication | Description | Part Number
Important Safety Information for Sun Hardware Systems | Sun | 816-7190-10
Sun SunFire X2100 Server Installation Guide | Sun | 819-6589-10
These publications are for Sun StorageTek personnel or authorized third parties who install StorageTek brand tape and library products.
Publication | Description | Part Number
T10000 Tape Drive Installation Manual | StorageTek | 96173
T10000 Service Manual | StorageTek | 96175
Virtual Operator Panel Service | StorageTek | 96180
Virtual Operator Panel Customer | StorageTek | 96179
T9x40 Tape Drive Installation Manual | StorageTek | 95879
T9x40 Service Manual | StorageTek | 95740
SL8500 Modular Library System Installation Manual | StorageTek | 96138
SL3000 Modular Library System Installation Manual | StorageTek | 3161942xx
SL500 Modular Library System Installation Manual | StorageTek | 96114
L700/1400 Librar
g (callouts): 1. Ethernet switches, 24-port, in drive cabinets 2. 9741e Drive Cabinets 3. Ethernet cabling 4. External Rack Installations 5. Ethernet switch, 16-port, in rack 6. 9310 PowderHorn library

L Series Libraries
The Sun StorageTek L Series libraries offer low-end enterprise-class and mid-range automated tape solutions that fit a variety of customer needs. This section contains information to install the encryption hardware in an L Series library.
FIGURE 5-10 L Series Libraries
The encryption hardware kit is CRYPTO-2X-L7-14-Z (Ethernet switch and cables). Verify that all components are available.
L Series Library Rack Space
The L Series libraries come equipped with internal rack space that can be used to install the encryption hardware. Cooling considerations should be made based upon the power dissipation within the rack space as well as the external library room ambient conditions. Additional cooling is recommended for high power dissipation components such as multi-processor servers; however, additional cooling should not be required for the encryption hardware kits.
L700/L1400 Library Encryption Hardware
The L700 and L1400 libraries have an internal 13-unit rack a
g upgrade file (step 3 of 6)
Verify upgrade file complete
Installing software (step 4 of 6)
Installation complete
Verifying software compatibility (step 5 of 6)
Verify compatibility complete
Activating new software (step 6 of 6)
Activation complete
This does not take effect until after a reboot.
Activation requires a reboot. OK to reboot?

Add KMAs to the Cluster
3. Once this process completes, the user needs to reboot the KMA.
4. After the KMA comes back online from the reboot, you need to continue with the QuickStart program.
5. Check that the new KMA is in service: select System Management > KMA List.
Once all the KMAs are in the KMA List, go to:
• Configuration Checklist on page 21 to continue with the initial configuration. This is a list of user tasks that the customer must perform. The checklist is provided to assist the service representative and customer as they go through the initial configuration. Make sure the KMS Administrator Guide is available for use.
• Chapter 3, T Series Tape Drives, to license and enroll the T10000 and T9840 tape drives. This chapter requires both service representative and user tasks to complete.
• Chapter 4, HP LTO4 Tape Drives, to enable and enroll the HP LTO4 tape drives. This chapter requires both service representative and user tasks to complete.
• Chapter 5, Encryption Hardware Kits, t
he Drive Data
Obtain the Drive Data
To obtain the drive data for each tape drive:
1. Using the Virtual Operator Panel, connect to each tape drive and record the last eight digits of the tape drive serial number.
   • Select File > Connect to Drive
   • Select Retrieve > View Drive Data > Manufacturing
FIGURE 3-1 Tape Drive Serial Number (VOP display, Manufacturing parameters: Manufacturer name STK; Manufacturer plant 02; Serial number 531002001144; SCSI world wide name; Port A world wide name; Port B world wide name; Network MAC address; Drive model number T10000)
2. Use TABLE 3-2 on page 33 to build information about the tape drives. You will find this information helpful during the installation, licensing, and enrollment process for the tape drives (agents).
3. Request an Encryption Key File:
   a. Log in to the Applications Web site at http://crcapplications/keyswebapp
   b. Select Request an Encryption key.
FIGURE 3-2 Request an Encryption Key Application (CRC Applications page: Applications Overview; Activation Passwords: obtain Activation Passwords; Request an Encryption key: encryption key file download; GetKey: GetKey application to obtain the key for ...)
Access is Limited. You must be a Sun employee, have comp
he power cords.
Important: See Chapter 2, Key Management Appliances, and Configure the ELOM IP Address on page 8 before you plug power cables into the KMAs.
b. Connect the Ethernet cables from the dedicated customer network (with access to the Key Management System, KMS) to each KMA and the Ethernet switches.
c. Connect the Ethernet cables from the switch to the tape drives.
Drive Tray
The drive tray for the T10000 in an SL8500 library provides:
• Dual-port interface connections
• Ethernet connection
• Drive status indicators: Status (activity), Maint (maintenance switch), Crypt (encryption capability), PWR (power), Fault
FIGURE 5-3 T10000 Drive Tray

External Rack Installations
FIGURE 5-4 External Rack Installation (callouts: KMA, KMS Manager Web Browser, Branch Circuit 1, Branch Circuit 2, Power, Tape Drives)
Because some configurations may have limited rack space, an external rack is available to install the encryption hardware.
Note: The 9310/9741e Drive Cabinets will require an external rack installation.
Tap
he tape drive to complete the enrollment process.
Note: The Agent must already be created, with a passphrase assigned, in the KMS before enrolling the drive. If you were to Unenroll the Agent (for example, to turn encryption off) and then re-enroll the agent to turn encryption back on, the passphrase must be re-entered or the agent recreated in the KMS before re-enrollment.
9. Enter the new IP address in the connection window and click Connect (10.0.0.5 for this example).
FIGURE 4-8 Enroll the LTO4 Tape Drive (LTO4 Virtual Operator Panel, Version 1.0.11.14, on 10.0.0.1; Configure Drive tab: Set Offline, Enroll, IPL; Change Enrollment Settings: KMA Agent ID KMA2, KMA IP Address 10.0.0.12, Passphrase, Passphrase again; Change IP Settings: IP Address 10.0.0.5, Netmask 255.255.255.0, Gateway; Commit, Cancel)
10. Select the Configure Drive tab. The new settings are shown in the display.
11. Click Enroll.
12. Click on the Diagnose Drive tab to observe the enroll process.
   • The enroll process takes about 40 seconds to complete.
   • When the enrollment is complete, the button now indicates Unenroll.
   • You would use this button to unenroll the tape drive, which would turn encryption off.
ill need to use the Virtual Operator Panel to provide an Agent ID and Passphrase to enroll the tape drives on the key management appliance (KMA). Gather and record the enrollment data in TABLE 4-3 on page 48.
• Make copies as necessary.
Required Tools
The required tools to obtain the drive data, license, and enroll the tape drives are:
• Straight Ethernet cable, 10 ft, PN 24100216 (if connecting to an Ethernet switch)
• Cross-over Ethernet cable, 10 ft, PN 24100163 (if connecting directly to the drives)
• Service laptop or personal computer
• Virtual Operator Panel, Version 1.0.12 or higher (service and customer versions)
Important:
• Remember, the Service Delivery Platform (SDP) does not support the LTO4 drives. You may need to make adjustments to the network addresses if mixing tape drives on the same KMA and/or SDP network (LAN 2).
• With this Ethernet connection, you cannot perform the same or similar functions with this tape drive that you can with the T Series drives, such as downloading tape drive code and running tape drive diagnostics.

Service Representative LTO4 Work Sheet
Location:
TABLE 4-2 LTO4 Drive Data Work Sheet (columns: Drive, IP Address, Serial Number; numbered rows, 1 through 16)
imilar to Detail B; Similar to Detail A.
This example shows an SL8500 library with:
• 4 internal accessory racks installed
• 2N power for both AC and DC redundancy
• 4 partitions using rail boundaries
• Encryption tape drives:
   • T10000 models A and B
   • T9840D
   • HP LTO4
• Racks 2 and 3 contain:
   • 2 KMAs (encryption appliances)
   • 2 APCs (power distribution units)
   • 2 Ethernet switches (encryption and SDP)
• Racks 1 and 4 contain:
   • 2 Ethernet switches (encryption and SDP)
   • 2 Fibre Channel switches for the data paths to the tape drives (cabling not shown)
Notes: APC = American Power Conversion; PDU = power distribution unit. To show the connections, cable routing is exaggerated. Tape drive interfaces are fiber-optic Fibre Channel (2 Gb and 4 Gb rates).

SL8500 Library
SL8500 Accessory Racks
The SL8500 library provides space where up to four standard RETMA 19-inch racks can be installed. These racks are oriented so the components mount vertically instead of horizontally. Each rack can hold up to 6 units (called Us) of equipment, such as the key management appliances and the 24-port Ethernet switches. Each rack has a six-connector power distribution unit (PDU) that provides AC power and two cooling fans that provide additional air flow for the equipment in the rack. Because of the nu
inistrator Guide | Customer, Technical Specialists, Support, Service Representatives | Introduction, Usage, Operator Roles, How to, KMS Manager GUI | PN 316195101

Additional Information
Sun Microsystems, Inc. (Sun) offers several methods to obtain additional information.
Sun's External Web Site
Sun's external Web site provides marketing, product, event, corporate, and service information. The external Web site is accessible to anyone with a Web browser and an Internet connection. The URL for the external Web site is http://www.sun.com. The URL for StorageTek brand-specific information is http://www.sun.com/storagetek.
Documentation and Download Web Sites
Web sites that enable customers, members, and employees to search for technical documentation, downloads, patches, features, and articles include:
• Documentation: http://docs.sun.com/app/docs (customers)
• Documentation: http://docs.sfbay.sun.com/app/docs (internal)
• Sun Partner Exchange: https://spe.sun.com/spx/control/Login (partners)
Firmware and graphical user interface download sites:
• Sun Download Center: http://www.sun.com/download/index.jsp (customers)
• Uniform Software Repository: http://dlrequest.sfbay.sun.com:88/usr/login (internal)
If your customer does not already have a Sun Online Account, they will need to register. For a new account, go to https://reg
initial configuration. Be patient: it may take one or two minutes for the IP address settings to take effect.
• The Key Management System Manager GUI (graphical user interface) uses a customer-created network and IP address; this is called the Management Network. The KMS Manager interfaces with the KMAs using this interface.
• The KMAs interface with the tape drives using the Service Network, in general using the Ethernet switches from the accessory kits. The IP address range for the KMAs uses 172.18.18.2 through 172.18.18.59.
• If a Service Delivery Platform is installed, that IP address is 172.18.18.1.
• The default tape drive IP address is 10.0.0.1.
• Use a simple setup to start. When entering information such as the key split size, split threshold, and quorum, keep it simple and use initial values such as 1 of 1. Once the structure of the KMAs and the KMS Cluster are complete, this information can be changed to the production values at a later time using the KMS Manager. This can help with and speed up the installation and configuration of the Key Management System. For example, all users may not be available at the same time to enter their IDs and Passphrases.
• The user IDs and passphrases should be entered by the appropriate person to keep them secure; they can also be changed later, after the QuickStart program.
• The user names are arbitrary; however, use the conventions defined by security policies or practices. The length of
is required to initially configure the servers using the QuickStart program.
3. Start a HyperTerminal session on the laptop. Verify the default settings are:
   • 8 bits, No Parity, and 1 stop bit
   • 9600 baud rate
   • Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control
4. Connect the server to the power source (FIGURE 2-2, callout 1). Do not power on the server. The ELOM starts as soon as power is connected, even if the server is powered off. The boot process can be observed if connected with the HyperTerminal session.
5. Once the boot completes, the ELOM login prompt will be displayed.
   a. Press Enter a few times to get the ELOM login prompt.
   b. Log in using Userid: root, Password: changeme.
6. Using TABLE 2-1 on page 4 as a reference, configure the ELOM IP address.
Note: These commands are case-sensitive.
Enter:
set /SP/AgentInfo DhcpConfigured=disable
set /SP/AgentInfo IpAddress=<ipaddress>
set /SP/AgentInfo NetMask=<netmask>
set /SP/AgentInfo Gateway=<gateway>
reset
An informational command you can use is: show /SP/SystemInfo/CtrlInfo
7. Log off of the ELOM and exit.
• If you are going to use the network connection (LAN 1, NET MGT, ELOM), disconnect and remove the serial cable (recommended).
• The alternative to using the network connection to the ELOM is to use a keyboard and monitor connec
ite.
The following information is needed before beginning the QuickStart program. The customer may want to keep the User IDs, Passphrases, and Key Split Credentials defined during the QuickStart program secret. Use TABLE 2-1 on page 4 to help record and use this information.
1. Type of keyboard attached to the KMA (select from list).
2. Hostname, IP address, and netmask for the management network (LAN 0) and service network (LAN 2), if connected. DHCP can be used for both, if desired.
3. The gateway should be accessible through the management network connection. This address is required if there is a router between the KMA and the KMS Manager.
4. DNS server IP address, if desired (optional).
5. Key split credentials, including the total number of splits, threshold number of splits, plus the userid and passphrase for each of the splits. We recommend keeping this simple.
   • This information cannot be recovered from the system if it is lost.
   • Backups cannot be restored without this information.
   • Loss of this information will result in unrecoverable data.
6. Autonomous unlocking selection:
   • If yes, the KMA will automatically unlock after a reboot.
   • If no, the KMA will remain locked until manually unlocked. Unlocking requires a quorum.

QuickStart Program
Tips and Notes
Knowing the following tips and notes will help during the QuickStart program and
ive fails, replace the tape drive using the drive service manual.
• Ethernet switch: If an Ethernet switch fails, replace the switch.
TABLE 6-1 FRU Listing
Vendor | Part Number | Description
Sun | KMA 2.0, 3154936-Z, CRYPTO-KMA-2-Z | FRU, KEY MANAGEMENT APPLIANCE
3Com | 16-port Switch, 260800489, CRYPTO-X-16PT-ETHERNET-SWITCH | 3C16470, 16-Port RJ-45 10B-T/100B-TX
3Com | 24-port Switch, 0800492, CRYPTO-X-24PT-ETHERNET-SWITCH | 3C16471, 24-Port RJ-45 10B-T/100B-TX
A Keyboard and Monitor is available and consists of these part numbers:
TABLE 6-2 Keyboard Monitor Kit
315497101 | Monitor Keyboard Rack Mount, US
315497201 | Slide Kit, Monitor Keyboard Rack Mount
315497301 | Cable, Monitor Rack Mount
315497401 | Cable, keyboard rack mount

Account Log
TABLE 6-3 KMA Account Log
Account Name:
KMA Site Location:
KMA S/N:
KMA Name:
KMA Firmware Level:
KMA IP Address:
Service Network IP:
KMS Manager IP:
ELOM IP:
NTP: [ ] Yes [ ] No
DHCP: [ ] Yes [ ] No
Gateway: [ ] Yes [ ] No
DNS: [ ] Yes [ ] No
KMA Number:
Number of KMAs in Cluster:
KMA Location:
KMS Manager Location:
Configuration Types: [ ] SL8500 library [ ] SL3000 library [ ] SL500 library [ ] 9310 library [ ] L700/1400 library [ ] L180 library
Tape Drive Types:
ivery Platform (SDP) is a support solution for Sun StorageTek libraries and tape drives that consists of a smart appliance and a dedicated network. The Key Management Appliance includes a specific Ethernet connection (the LAN 2 port) for connection to this network.

The SDP appliance uses the Dynamic Host Configuration Protocol (DHCP) to automate the assignment of IP addresses for device connections. When incorporating the KMAs into an SDP network, it is best to use the established addresses provided by the SDP; the IP address range is 172.18.18.xxx.

Note: The SDP does not support the HP LTO4 tape drives.

FIGURE 5-15 shows an example of an SDP network with connection to a KMA cluster.

FIGURE 5-15 Systems Delivery Platform (diagram: Key Management Station GUI, KMA cluster with LAN 0 and LAN 2 connections, Service Delivery Platform, Ethernet switch, T10000 tape drives)

In this figure, the KMS Manager interfaces with the KMAs using a customer-created network and IP addresses of 129.80.123.xxx. Each KMA connects to this network using LAN 0.

The KMA interfaces with the tape drives using the Service Network (SDP IP address 172.18.18.1). Each KMA connects to this network using LAN 2. The IP address range is 172.18.18.2 through 172.18.18.59. The tape drives connect to the Service Network using an assigned IP address from the SDP.

The SDP will likely come with an E
ix
Tables xi
Preface xiii
  Organization xiii
  Related Information xiv
  Documentation Map xv
  Documentation Content and Purpose xv
  Additional Information xvi
  Sun's External Web Site xvi
  Documentation and Download Web Sites xvi
  Partners Site xvi
1 Introduction 1
  Planning 1
  Administrator Guide 1
  Before Beginning 2
  Required Tools 2
  Unpack and Inventory the Contents 2
2 Key Management Appliances 3
  Overview 3
  Front and Rear Views 5
  Specifications 6
  Installation 7
  Configure the ELOM IP Address 8
  Start the embedded Lights Out Manager 9
  Alternate Method 10
  Using a Network Connection 10
  QuickStart Program 13
  Tips and Notes 14
  QuickStart Wizard 15
  Configuration Checklist 21
  Change the ELOM Password 27
  Add KMAs to the Cluster 28
  Run the QuickStart Wizard 29
3 T Series Tape Drives 31
  Before Beginning 32
  Required Tools 32
  Service Representative Work Sheet 33
  Customer Work Sheet 34
  Tape Drive LEDs 35
  Obtain the Drive Data 36
  Create a Drive Data File Structure 38
  License and Enroll the Tape Drives 39
  License the Tape Drives 39
  Enroll the Tape Drives 41
4 HP LTO4 Tape Drives 45
  Before Beginning 46
  Required Tools 46
  Service Representative LTO4 Work Sheet 47
  Customer LTO4 Work Sheet 48
  Dione Card 49
  Tape Drive LEDs 50
  Using the Virtual Operator Panel 51
  Enabling Encryption 53
5 Encryption Hardware Kits 57
  SL8500 Li
leted the training courses and have your name included on the list to access this link.

Obtain the Drive Data

4. Complete the Encryption Request form.
   a. First name, last name, and e-mail address are automatically included.
   b. Provide a site ID and order number.
   c. Select the tape drive type: T10000A, T10000B, or T9840D.
   d. Complete the serial number for the selected tape drive.
   e. Add any optional remarks and click Request Key File.
   After submitting the Encryption File Request, you will be prompted to download the file. This file contains the drive data you need to enable and enroll the drive.

FIGURE 3-3 Encryption File Request for Drive Data (form fields: First Name, Last Name, Email Address, Site ID, Case/Work Order, Drive Family, Serial Number, Optional Remarks). Family serial numbers start with: T10000A 5310xxxxxxxx; T10000B 5720xxxxxxxx; T9840D 5700xxxxxxxx. When you select the drive family type, these are automatically filled in.

5. Continue with this process until you obtain all the drive data files for each tape drive you are going to enable. If you open the drive data file (using WordPad, for example), you can see and verify the drive serial number, PC Key, and crypto serial number (CSN).

FIGURE 3-4 Encryption File Request for Drive Data i driv
ment > Security > Core Security > Backup Core Security.
2. Choose a file and click Start. Using the default name is recommended, but any directory can be selected. This creates a Core Security Backup file on the system where the KMS Manager is being used.
3. Navigate to the backup list: from the Main Screen, select Secure Information Management > Backup List.

Backup, Second Step
The second step of the backup is to:
1. Log in using a Backup Operator role.
2. Click the Create Backup button.
3. Choose files for the two outputs.
4. Use of the defaults for filenames is recommended, but these can be placed in any desired directory.
5. Click Start.
   Create Backup
   Backup File Name: H:\KMS Backup <BackupID> <DateTime>.dat
   Backup Wrapping Key File Name: H:\KMS Backup Key <BackupID> <DateTime>.xml

Note: Now the system will show Ready Keys 1000 and Generated Keys 0.

Note: The frequency for performing backups depends on the number of tape mounts and key usage (how fast the keys are being used). Each KMA starts with 1000 keys; as mounts occur, the keys are used. The system tracks key usage and adjusts the supply of keys. As a best practice, backups should be taken weekly; however, again, this all depends on key usage.

Change the ELOM Password

For security, at some poi
merous types of equipment. Sun StorageTek cannot mandate what the customer installs in these racks; therefore, certain guidelines should be followed. TABLE 5-1 lists these guidelines.

TABLE 5-1 SL8500 Accessory Rack Guidelines
Rack numbering: Rack numbering is top down from 1 to 4. Rack 1 is on the top; Rack 4 is on the bottom.
Rack mounting: Components must be able to function in a vertical orientation. Heavy components, such as Fibre Channel switches, must have threaded holes in the sides to attach rack slides. Light-weight components, such as the Ethernet switches, may be mounted with a bracket.
Dimensional restrictions: Rack module depth is 72 cm (28 in). Recommended safe length is 66 cm (26 in).
Equipment weight: The accessory rack itself is mounted on slides rated for 80 kg (175 lb). The recommended safe load is 64 kg (140 lb). The KMA is 10.7 kg (23.45 lb); the Ethernet switch is 1.5 kg (3.1 lb).
Power consumption: Per rack module is 4 Amps maximum. Per outlet strip is 200-240 VAC, 50 to 60 Hz. The KMA is 185 W; the Ethernet Switch is 20 W.
Power cord: Power plug to connect to the rack PDU is an IEC320 C13 shrouded male plug. Minimum cord length is component plus 46 cm (18 in) for a service loop.
Thermal requirements: Maximum power dissipation is 880 watts (3,000 Btu/hr) per rack module.
Air flow: Generally from non-port end to port end of component M
n this shortcut to launch this application.

Enabling Encryption

Before beginning, make sure the customer has the assigned IP addresses and Agent names for the tape drives available and defined in the KMS Manager.

For the service representative. To start the VOP for the LTO4:
1. Configure and connect a laptop to an LTO4 tape drive. For example, use a cross-over cable and connect directly to a tape drive.
2. Start the executable file (ltoVOP file or .bat) to start the application.
3. Enter the default IP address 10.0.0.1 and click Connect.

FIGURE 4-5 LTO VOP Connect Screen (screenshot of the LTO4 Virtual Operator Panel: Connect button and IP address 10.0.0.1; status indicators Empty, Service, Encrypt; Monitor Drive, Configure Drive, and Diagnose Drive tabs; fields Drive Type LTO4, Drive ID, Media Type, IP Address 10.0.0.1, Netmask 255.255.255.0, Gateway 0.0.0.0, KMA Agent ID, KMA IP Address, Dione Version, KMA Agent Version)

4. Set the drive offline.

For the customer:
5. Select the Configure Drive tab and enter the required information (FIGURE 4-6): KMA ID, IP Address, and Passphrase.

FIGURE 4-6 Configure Drive (fields: KMA Agent ID, KMA IP Address, Passphrase)
Configuration Checklist

TABLE 2-5 Initial Configuration Checklist (continued)
Task / Guidelines

(KMS Manager navigation tree: Secure Information Management > Key Groups: Assignment to Agents, Key Policy List, Key Group List; Agents: Allowed Key Groups, Disallowed Key Groups, Agent List, Key Group Assignment; Data Unit List; Backup List. System Management: Audit Event List, KMA List, Role List, Site List, SNMP Manager List, System Dump. Security: Security Parameter List, Core Security.)

Configure the Agent
1. Set the IP address of the drive.
2. Provide the Drive ID, Passphrase, and the IP address of one of the KMAs in the cluster. The details are device specific.
3. Once this process has been successfully completed, the agent will show as enrolled in the Agent Details screen (General tab: Agent ID, Description, Site ID, Enabled, Default Key Group ID, Failed Login Attempts, Enrolled; Passphrase tab).

Perform the Initial Backup
This is a two-step process that creates three files:
- a C
nd be non-encrypting. You can turn encryption back on from the Configuration menu.

T Series Tape Drives: KMS Version 1.x Support

With Version 2.0, the customer is capable of selecting which version of the KMS to support: Version 2.0 or Version 1.x. During tape drive enrollment, the customer can choose if they want the tape drives to support KMS Version 1.x and the use of Tokens to transfer the encryption keys.

FIGURE 6-7 Switch Encryption On and Off
1. Using the Virtual Operator Panel (Configure Drive Parameters), connect to the desired tape drive.
2. Select Configure > Drive Data.
3. For the "Use tokens" Parameter Value, click Yes.
4. Click Commit.

HP LTO4 Tape Drives

Note: For specific information about how to service the HP LTO4 tape drives, refer to:
- SL8500 Modular Library System Installation Manual, StorageTek 96138
- SL3000 Modular Library System Installation Manual, StorageTek 3161942xx
- SL500 Modular Library System Installation Manual, StorageTek 96114
- L700/1400 Library Installation Manual, StorageTek 95843
- L180 Library Installation Manual, StorageTek 95896
- Virtual Operator Panel, Service version 1.0.12, StorageTek 96180
- Virtual Operator Panel, Customer version 1.0.12, StorageTek 96179
I
nent. Click on one of these options and then click OK. This is a normal message.

Create a KMA Cluster
1. Click on the Connect button in the upper left corner.
2. Click on New Cluster Profile (dialog fields: User ID, Passphrase, Cluster Name, Member KMAs; buttons Connect, Cancel, Delete Cluster Profile, Refresh KMAs).
3. Enter a name for the cluster.
4. Enter the IP address or hostname of any KMA in the cluster.
5. Click OK.

1. Log in as the Security Officer.
   - Use the Security Officer login from the QuickStart program.
   - Enter the cluster name created above.
   The Main GUI screen is displayed.

Create additional users
From the Main Screen, in the left pane:
1. Select System Management > User List.
2. Click Create and complete the necessary information (User Details: Description; Roles: Auditor, Backup Operator, Compliance Officer, Operator, Security Officer; Enabled; Failed Login Attempts).
3. Click Save.

User IDs and Passphrases will be needed for the following roles. If all users are not available at the time of this initial configuration, they can add their names and passphrases afterwards. However, do not create a Core Security Backup u
ners Web site xvi
parts 74
Passphrase 53
PC Key request form 36
PCIe 6
PCI Express slots 6
permanently encrypting 83
planning for encryption 1
popup blockers, disable 10
PowderHorn library 65
power: button 5; ELOM 11; LED 5; supply 6
power redundancy: SL8500 58; switch 62
preparation checklist 1
processor 6
programs: embedded Lights Out Manager 8; QuickStart 13; wizard 15
publications xiv

Q
QuickStart 13
quorum 18

R
rack installation 62
rack space, L Series libraries 68
rack specifications 7
rackmounted tape drives 71
rear panel 5
red LED 35
redirection, ELOM 12
related publications/documents xiv
relative humidity 6
remote control, ELOM 12
removal and replacement procedures 89
required tools 2
resellers xvi
restore a cluster 17; from backup 80

S
SATA disk drive 6
SCA6000 6
SDP 32, 46, 72
Security Officer, initial settings 19
security officers 22
serial cable 2
serial port connector 5
service 76, 92
Service Delivery Platform 32, 46, 72
service network, LAN connection 8
SL3000 library 63
SL500 library 64
SL8500 library 58; cabling example 59; power redundancy 58; racks 60
software upgrade 79
spares 74
specifications: KMA 6; rack 7
split threshold 18
steps for partitioning 94
StorageTek: Customer Resource Center (CRC) xvi; Partners site xvi; Web site xvi
subnet mask
net cables between the switch and the tape drives.
6. Connect the Ethernet cables between the switch and the KMAs.

Note: Because the Ethernet switch was previously installed in this configuration, the KMAs are installed above the switch.

Rackmount

This section contains information to install the encryption hardware for rack-mounted tape drives.

FIGURE 5-13 Rackmount Assembly

The encryption hardware kit (CRYPTO-2X-RACK-Z) includes:
- Rack mounting hardware
- Ethernet switch and cables
Verify that all components are available.

To install the encryption hardware (FIGURE 5-14 Rackmount Instructions), locate the Ethernet switch, then:
1. Locate the mounting brackets and screws.
2. Place the switch and the KMAs on a flat surface.
3. Install the mounting brackets on each side.
4. Install the Ethernet switch in the rack space.

Cabling
1. Connect the Ethernet switch to a power source.
2. Connect the Ethernet cables between the switch and the tape drives.
3. Connect the Ethernet cables between the switch and the KMAs.

Callouts: 1 T10000 encryption-capable tape drives; 2 Key management appliances (2 KMAs); 3 Ethernet switch (16-port)

Service Delivery Platform

The Service Del
now connect to the KMA via the KMS Manager in order to continue with KMS configuration.
Press Enter to exit.
Key Management System Version Build 321 (KMA 1)
Please enter your User Name:

8. Install the KMS Manager.

Configuration Checklist

The following is a list of tasks the customer or user would do to configure and use the Sun Crypto Key Management System, Version 2.0. They are listed here as a checklist to assist the user with the initial configuration and familiarization of the KMS Manager. Make sure the customer or user has a copy of the Crypto Key Management System Administration Guide (PN 316195101) for specific information and instructions about how to configure the KMA Cluster.

TABLE 2-5 Initial Configuration Checklist
Task / Guidelines

Install the KMS Manager
In order to continue with KMA setup, the KMS Manager GUI must be installed. Currently, only Windows XP, Solaris 10 Update 3 (x86), and Update 4 (x86) versions are supported. Windows Vista and Solaris 9 are not supported. Initially, the KMS Manager will be blank until there is a KMA Cluster to which to connect.

Note: The first time trying to connect, you may get a message stating that the Web Site is Certified By an Unknown Authority and offering selections to choose from. Select either Accept Temporary or Accept Perma
ns Levels: FCC, C-Tick, MIC, CCC, GOST, BSMI, ESTI, DOC, S-Mark

Installation

Install the servers in a standard 483 mm (19 in) rack. The rack contains units of measurement called rack units (U) that equal 44.5 mm (1.75 in). Become familiar with the rack and look to see how the rack unit patterns are separated.

The top cover of the server contains instructions to install the servers in a four-post rack or cabinet (two-post racks are not compatible). The slide rails are compatible with a wide range of racks that meet the following standards and require:
- Horizontal opening and unit vertical pitch conforming to ANSI/EIA 310-D-1992 or IEC 60927 standards.
- Distance between front and rear mounting planes between 610 mm and 915 mm (24 in to 36 in).
- Clearance depth to a front cabinet door must be at least 25.4 mm (1 in).
- Clearance depth to a rear cabinet door at least 800 mm (31.5 in) to incorporate cable management, or 700 mm (27.5 in) without cable management.
- Clearance width between structural supports and cable troughs, and between front and rear mounting planes, of at least 456 mm (18 in).

Refer to the Sun Fire X2100 Server Installation Guide for additional information. This guide is included with the server accessory kit.

1. Install both servers in the rack.
nt the customer needs to change the ELOM password. ELOM provides functionality that can be used to perform a network boot of the KMA. Anyone who can log in to the ELOM with the default root password could use this to boot the KMA from a network image and gain access to the key material on the KMA hard drive. Because of this potential, the user should change and secure the root password of the ELOM. A good time to do this is after completing the QuickStart program.

To change the ELOM password:
1. Access the ELOM (network LAN 1).
2. Select User Management > User Account to bring up the account list.
3. Click on Change Password on the root user name.
4. Enter the Old Password (the default is changeme).
5. Enter a new Password and Confirm the password.
6. Click Submit.

FIGURE 2-6 ELOM Password Reset (screenshot: User Management > User Account; account root, Administrator, Enabled; buttons Change Password, Add User, Manage User Account; fields Old Password, Password, Confirm; Submit, Reset)

Add KMAs to the Cluster

Note: Servers must be installed in pairs, called a cluster. Clusters perform backups of each appliance; therefore, no external hard drives are required.
- Adding another KMA to the first one created above r
ntains the fundamentals of a modular design using four types of modules, two of which can have tape drives.

TABLE 5-2 SL3000 Module Types
Module Type                 Quantity per Library                                      Slots (1)     Tape Drives (2)
Base Module                 One only (required)                                       205 or more   24
Drive Expansion Module      One only; increases drive and cartridge capacity;         153 or more   32
                            left of Base
Cartridge Expansion Module  Variable; increases cartridge capacity                    438 or more
Parking Expansion Module    Two only (dual robotics requirement, optional)            620 for both
(1) Slots: minimum capacity listed.
(2) Tape Drives: maximum capacity listed; from 1 to 56.

There are elements that you need to consider to design for content management and encryption in an SL3000 library. Some considerations include:
- Because the SL3000 library has limited rack space, an external rack may be required to install the encryption hardware.
- The SL3000 supports all versions of the encryption-capable tape drives.
- The SL3000 supports partitioning.
- The SL3000 supports multiple operating systems with multiple host connections.

SL500 Library

This section contains information to install the encryption hardware for an SL500 library.

FIGURE 5-6 SL500 Library

The SL500 library is a rack-installed modular design that consists of one required base module (shown above). To a
ntil this has been completed.
Auditors (names):
Backup Operators (names):
Compliance Officers (names):
Operators (names):
Security Officers (names):

Create Key Policies and Key Group Configurations
You need to create at least:
- One key policy
- One key group
Then:
- Assign the key group to the key policy.

Enroll Agents
This is a two-step process.
- One step is performed at the KMS Manager:
  - Use TABLE 3-3 on page 34 to record the information: Agent ID and passphrase; IP address.
  - At the KMS Manager, navigate to the agent list: Secure Information Management > Agents > Agent List (Create Agent: General tab with Agent ID, Description, Site ID "Please Select a Site"; Passphrase tab).
- The other step is performed at the tape drives:
  - Use TABLE 3-2 on page 33 to record the information: Drive serial number; IP address; Location.

Assign Agents to the Key Groups
At the KMS Manager, navigate to Secure Information Management > Agents > Key Group Assignment.
1. Click the Agent in the list to display its key group permissions.
2. Select the key group.
3. Click the Default Key Group button to move this to the key group.
o install the additional hardware in the customer-selected solution. This chapter requires just the service representative to install the additional hardware, such as Ethernet switches and cables.

CHAPTER 3 T Series Tape Drives

Currently, the Key Management Station Version 2.0 supports these tape drives:

TABLE 3-1 Tape Drive Support
Tape Drive   Interfaces and Support Firmware              Configuration Notes
T10000A      Fibre Channel 1.37.108; FICON 1.37.114       Supported in the SL8500 library
T9840D       FICON 1.42.104; ESCON
HP LTO4      Fibre Channel H45S (FC); SCSI B44S (SCSI)    For specific information, see Chapter 4, HP LTO4 Tape Drives

Important: Because the T Series and the HP LTO4 drives and processes are different, see Chapter 4, HP LTO4 Tape Drives, to enable and enroll the LTO4 tape drives.

This chapter contains information for the T Series tape drives and how to:
- Obtain the Drive Data (PC Key)
- License the Tape Drives
- Enroll the Tape Drives (called Agents) on the Key Management Appliances

For specific information about how to install the tape drives in the appropriate configuration, refer to the manuals listed in the Preface on page xiii. If the manuals are not on hand, go to the Product Documentation Web site at http://docs.sfbay.sun.com/app/docs
ore Security file
- a Backup Key file
- a Backup file
The steps to perform a backup are not necessary for a multi-KMA cluster. They certainly can be done, but they are not required.

Before keys can be created and delivered, backups must be performed to ensure they are protected. When the KMA is first brought up, it begins generating keys (initially 1000 keys). To verify this, from the Main Screen, in the left pane:
1. Select System Management > KMA List.
2. Double-click on the KMA, or click the Details button.
   - Ready Keys should be 0.
   - Generated Keys should be 1000.
   Later on in the process this will change (reverse).

(KMA Details, General tab: Passphrase, KMA ID, KMA Name, Description, Site ID, Management Network Address, Service Network Address, Version (Build), Failed Login Attempts, Responding, Response Time, Replication Lag Size, Ready Keys, Generated Keys, Key Pool Ready, Enrolled)

Backup, First Step
The initial Backup is a two-step process. The first step of the backup is to create a Core Security Backup.
1. As the Security Officer, select System Manage
TABLE 2-1 provides space to record information for use with the QuickStart Program on page 13.

TABLE 2-1 Initial Configuration Settings (printed rotated in the source; fields recovered)
                                          First KMA   Second KMA
Hostname
IP Address
Netmask
DHCP (1): LAN 0 Management               [ ] Yes [ ] No   [ ] Yes [ ] No
DHCP (1): LAN 1 ELOM                     [ ] Yes [ ] No   [ ] Yes [ ] No
DHCP (1): LAN 2 Service                  [ ] Yes [ ] No   [ ] Yes [ ] No
LAN Reserved
KMA Name
Gateway
DNS Server
Security Officer login / passphrase
Root account login / passphrase
ELOM passphrase
Key Split Credentials login / passphrase (see the list on page 15)
Autonomous Unlocking (2)
Keyboard
Note 1: Addresses assigned using DHCP must be static. The system cannot handle the DHCP server changing the address once assigned.
Note 2: Autonomous unlocking allows the KMA to enter a fully operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the KMS Manager. This information should not be written down and should be entered by the person to whom it belongs. These entries can be changed in the KMS Manager, so it may be desirable to

Overview

Front and Rear Views

FIGURE
ower right corner of the drive cabinet. These switches are ready-to-use, unmanaged, auto-negotiating switches that require no configuration.

To install the Ethernet switch:
1. Release the door latches on the 9741e cabinet and open the door.
2. Using one screw, install the mounting shelf in the drive cabinet. This screw mounts the lower portion of the shelf to the floor of the drive cabinet.
3. Install the mounting brackets on the switch.
4. Install the switch in the mounting shelf.
5. Connect one end of the Ethernet cables to the T10000 encryption-capable tape drives.
6. Connect the other end of the cables to the switch.
7. Connect the ferrite bead to the Ethernet cable between the cutout in the drive column wall and the cutout in the cabinet floor.
8. Route and connect this Ethernet cable from the 24-port switch in the drive cabinet to the 16-port switch in the standalone rack.
9. Close and latch the cabinet door.

9741E Drive Cabinet callouts: 1 Tape drives (up to 20 drives per cabinet); 2 Ethernet cabling to each encryption-capable drive; 3 Ethernet switch (24-port, one per drive cabinet); 4 Ferrite bead

9310 Library and 9741e Drive Cabinet

Cable Routing
Route and connect one Ethernet cable from the 24-port switch in the drive cabinet to the 16-port switch in the standalone rack.

FIGURE 5-9 External Rack and Ethernet Cablin
r Panel (screenshot: menus File, Drive Operations, Retrieve, Configure, Diagnostics, Help; Drive Name jute; View Drive Parameters; Update Drive Parameters; status OFF LINE) showing this transcript:

Operation Started: drive is OFF LINE
Enrolling jute in KMS 010.080.044.057
2007 AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
2007 AUDIT CLIENT GET CERTIFICATE SOAP ERROR SoapFaultCode SOAP-ENV:Client SoapFault
2007 jute commit FAILED: Could not get profile from KMS
2007 Start Update Drive Parameters
2007 Enrolling jute in KMS 010.080.044.057
2007 AUDIT CLIENT GET ROOT CA CERTIFICATE SUCCESS
2007 AUDIT CLIENT GET CERTIFICATE SUCCESS
2007 AUDIT CLIENT SAVE CLUSTER INFORMATION SUCCEEDED
2007 Successfully enrolled
2007 jute commit SUCCESS: Configuration data saved
2007 Tape drive is ON LINE
2007 Tape Cartridge is UNLOADED
2007 Connection to jute
2007 VOP LOGGED IN to Drive
2007 AUDIT CLIENT SAVE CLUSTER INFORMATION SUCCEEDED
2007 Start View Drive Parameters
2007 End View Drive Parameters

6. In the KMS Manager, assign the tape drives (agents) to the Key Groups.

(KMS Manager screenshot: Secure Information Management > Key Groups: Assignment to Agents, Key Policy List, Key Group List; Agents: Allowed Key Groups, Disallowed Key Groups, Agent Assignment; Agent1 assigned to KeyGroup1)
r the Key Split Threshold: 1
Please enter the Key Split User Name 1: user1
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User Name.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter Key Split Passphrase 1:
Please re-enter Key Split Passphrase 1:
Press Enter to continue: (Press Ctrl-c to abort)

5. Enter Initial Security Officer User Credentials
The user names are arbitrary; however, use the conventions defined by security policies or practices.

The Initial Security Officer User is the first User that can log in to the KMA via the KMS Manager. This User can subsequently create additional Users and administer the system.
Please enter a Security Officer User Name: SecOfficer
A Passphrase is used to authenticate to the KMA when a connection is made via the KMS Manager.
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User Name.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter the Security Officer Passphrase:
Please re-enter the Security Officer Passphrase:
Press Enter to continue:
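As an added example (not part of the manual), the passphrase rule the QuickStart program prints above, 8 to 64 characters, no User Name inside it, and 3 of 4 character classes, written as a checker an administrator can run over proposed Key Split and Security Officer credentials before typing them into the wizard. The case-insensitive User Name match is an assumption; the page does not say how that test is done.

```python
import string

# Policy as the QuickStart program prints it on this page:
#   8 to 64 characters, must not contain the User's User Name, and
#   characters from at least 3 of the 4 classes: uppercase, lowercase,
#   numeric, other.
MIN_LEN = 8
MAX_LEN = 64
MIN_CLASSES = 3


def character_classes(passphrase: str) -> set:
    """Return the set of character classes present in the passphrase."""
    classes = set()
    for ch in passphrase:
        if ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.digits:
            classes.add("numeric")
        else:
            classes.add("other")      # punctuation, space, non-ASCII
    return classes


def check_passphrase(user_name: str, passphrase: str) -> list:
    """Return the list of policy violations; an empty list means the
    passphrase would pass the QuickStart rule. The User Name test is done
    case-insensitively here (assumption: the wizard's exact comparison is
    not stated on the page)."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if user_name and user_name.lower() in passphrase.lower():
        problems.append("must not contain the User Name")
    found = character_classes(passphrase)
    if len(found) < MIN_CLASSES:
        problems.append(f"uses {len(found)} of 4 character classes; "
                        f"at least {MIN_CLASSES} required")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials for the demo, not real ones.
    samples = [("SecOfficer", "Tr0ub4dor&3"),
               ("user1", "User1-Pass9"),
               ("user1", "alllowercase"),
               ("user1", "Ab1!")]
    for user, pw in samples:
        result = check_passphrase(user, pw)
        print(f"{user:>10}: {'accepted' if not result else '; '.join(result)}")
```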
rator Panel

Note: The following procedures assume you and the customer know how to connect to and use the VOP on the T10000 tape drives. Connecting to and using the VOP for an LTO4 tape drive is very similar. Refer to the Virtual Operator Panel documentation for help.

To use the VOP for LTO4 tape drives, you need to launch a special file; either:
- Windows: Launch the batch file ltoVOP.bat, or
- Solaris/Linux: Launch the ltoVOP file (above the batch file).
These special files are included in the zip file from the VOP 1.2.12 download.

FIGURE 4-4 VOP Files and LTO Batch File (Windows Explorer view of C:\Program Files\VOP_Service: folders bin, diags, icons, lib, tmp, transcripts; files ltoVOP, ltoVOP.bat, sunVOP, sunVOP.bat)

TIP: You may want to create a shortcut on the desktop that links to the ltoVOP executable file. Then click o
rea accessible from behind the right front door or the left rear door of the library. The encryption hardware can be installed from either the front or the rear; however, a rear installation offers more space for cabling.

Rack area requirements:
- Total maximum weight in this location cannot exceed 136 kg (300 lb).
- Power cable space is provided in the cutout area of the rear door.
- Ventilation openings in the rear of the cabinet must have at least 100 mm (4 in) clearance for proper air flow.

FIGURE 5-11 L Series Libraries (callouts: 1 KMAs (2); 2 Ethernet switch; 3 PDU; 4 Ethernet-to-drive cables)

To install the encryption hardware in the L700/L1400 internal rack area:
1. Attach the mounting brackets to the KMAs, Ethernet switch, and PDU. Hardware is provided with each unit and in the hardware kit.
2. Install the rack module rails and slides.
3. Install the equipment in this order:
   - KMAs on top
   - Ethernet switch above the PDUs
   - PDU on the bottom of the rack area
4. Connect the power cords.
   Important: See Chapter 2, Key Management Appliances, and Configure the ELOM IP Address on page 8 before you plug power cables into the KMAs.
5. Connect the Ethernet cables from the dedicated customer network with access to the Key
ry

Obtaining Support

Technical support is available 24 hours a day, seven days a week, and begins with a telephone call from you to Sun Microsystems StorageTek Support. You will receive immediate attention from qualified personnel who record problem information and respond with the appropriate level of support.

To contact Sun Microsystems StorageTek Support about a problem:
1. Use the telephone and call:
   - 800-525-0369 (inside the United States), or
   - Contact any of Sun's worldwide offices to discuss support solutions for your organization. You can find address and telephone number information at http://www.sun.com/worldwide
2. Describe the problem to the call taker. The call taker will ask several questions, then:
   - Route your call to the appropriate level of support, or
   - Dispatch a service representative.

If you have the following information when you place a service call, the process will be much easier. Complete as much information as possible, if known.

TABLE 0-1 Obtaining Support
Account name:
Site location number:
Contact name:
Telephone number:
Equipment model number: [ ] KMA Appliance [ ] SL500 library [ ] T10000A tape drive [ ] KMS Manager GUI [ ] 9310 library [ ] T10000B tape drive [ ] SL8500 library [ ] L700/1400 library [ ] T9840D tape drive [ ] SL3000 library [ ] L180 library [ ] LTO4 tape drive
Network Device address:
Urgen
102. s. Make sure you follow the proper precautions.
- Use care not to damage the thin glass cable attached to J5. This cable is fragile and easily damaged.

To replace the Dione card:
1. Obtain the encryption card and remove it from its wrapper.
2. Align the card on the plate and insert the T10 mounting screws.
3. Connect P5 and P6 to the card.
4. Plug in the following cables, in this order: signal connector from the card to the rear of the drive; drive power from the rear of the drive; power jumper.
5. Insert the card and plate into its position and fasten it with one T10 screw.
6. Position the HBD card back into place.
7. Re-connect the cables to the HBD card.
8. Insert the drive and fasten it to the tray with four T10 screws.
9. Replace the top cover plate and fasten it with two T10 screws.
10. Insert the drive tray into its slot in the array.
11. Reconnect the cables to the rear of the drive.

90 KMS 2.0 Installation and Service Manual, June 2008, Revision BA, 316194903

APPENDIX: Work Sheets
The following pages contain work sheets that can help prepare for the installation of a Sun StorageTek encryption solution. These work sheets include:
- Obtaining Support on page 92
- Initial Configuration Work Sheet on page 93
- User Roles Work Sheet on page 94
- Tape Drives Work Sheet on page 95
- Drive Enrollment Work Sheet on page 96
Make copies as necessa
103. s name should

3. Configure the Cluster
You can now use this KMA to create a new Cluster, or you can have this KMA join an existing Cluster. You can also restore a backup to this KMA or change the KMA Version.
Please choose one of the following:
  1) Create New Cluster
  2) Join Existing Cluster
  3) Restore Cluster from Backup
Please enter your choice: 1
Create New Cluster

4. Enter Key Split Credentials
Notes:
- The key split size and split threshold can be changed at a later time using the KMS Manager. This allows a setting for 1 of 1.
- The user IDs and passphrases should be entered by the appropriate person to keep them secure, or they can also be changed later, after the QuickStart program.

Key Split credentials are used to wrap splits of the Core Security Key Material, which protects Data Unit Keys. When Autonomous Unlocking is not enabled, a quorum of Key Splits must be entered in order to unlock the KMA and allow access to Data Unit Keys. A Key Split credential, consisting of a unique User Name and Passphrase, is required for each Key Split.
The Key Split Size is the total number of splits that will be generated. This number must be greater than 0 and can be at most 10.
Please enter the Key Split Size: 1
The Key Split Threshold is the number of Key Splits required to obtain a quorum.
Please ente
104. s static IP Address configuration must be set in order for it to communicate with other KMAs, Agents, or Users in your system.
Please enter the Management Network Hostname: KMSmgr
Do you want to use DHCP to configure the Management Network interface? (y/n): n
Please enter the Management Network IP Address: 129.80.123.32
Please enter the Management Network Subnet Mask: 255.255.254.0
Please enter the Service Network Hostname: SDP
Do you want to use DHCP to configure the Service Network interface? (y/n): n
Please enter the Service Network IP Address: 172.18.18.1
Please enter the Service Network Subnet Mask: 255.255.254.0
Please enter the Gateway IP Address (optional, but necessary if this KMA is to communicate with an entity on a different IP Subnet): 129.80.123.254
Please enter the Primary DNS Server IP Address (optional): 129.80.0.4
Please enter the DNS Domain: my.customer.com
Applying network settings... Done.
The Network Configuration has been updated.
Press Enter to continue. Press Ctrl-c to abort.

2. Initialize the KMA
The KMA Name is a unique identifier for your KMA. This name should not be the same as the KMA Name for any other KMA in your cluster. It also should not be the same as any User Names or Agent IDs in your system.
Please enter the KMA Name: KMA-1
Press Enter to continue.
105. sion list.
6. Select the new version and click the Activate button. The system will now reboot and start the new version.
Note: Most upgrades are going to require a new version of the KMS Manager GUI. Download and install the new GUI version. You will need to reconnect to the system using the new version of the GUI.

Restore From Backup
Restoring the system from a backup requires the use of a quorum. Make sure the required number of users are available. The quorum must enter their user names and passphrases to authenticate the operation.
Note: Backup files are created and restored on the KMA.
To restore the system from a backup, refer to the KMS Administrator Guide and:
1. Select Secure Information Management > Backup List. This allows you to view the history and details of the backup files. To identify the restore you want to use, double-click the Backup entry. The Backup Details dialog box is displayed for review.
2. From the Backup List screen, highlight the Backup you want to restore from.
3. Click on the Restore button. The Restore Backup dialog box is displayed.
FIGURE 6-4 Restore Backup (dialog fields: Backup File Name / Browse; Backup Wrapping Key File Name / Browse; Core Security Backup File Name / Browse; Close)
4. Click on the Start button. When the upload completes th
106. systems, Inc. holds the intellectual property rights relating to the technology embodied in the product described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the United States and in other countries. THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. ITS USE, DISCLOSURE, AND REPRODUCTION ARE PROHIBITED WITHOUT THE EXPRESS, PRIOR WRITTEN AUTHORIZATION OF SUN MICROSYSTEMS, INC. Use is subject to license terms. This distribution may include components developed by third parties. Parts of this product may be derived from Berkeley BSD systems, licensed by the University of California. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Solaris, Sun StorageTek Crypto Key Management Station, StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. This product is subject to U.S. legislation regarding
107. QuickStart Program
When a new Key Management Appliance with the factory default settings is powered on for the first time, a Configuration Menu called QuickStart is automatically executed. QuickStart collects the initial minimal configuration required to initialize the KMA.
Because of critical security parameters that are established by the QuickStart program, only a Security Officer or qualified representative should execute this program. Once the QuickStart program has been successfully completed, it cannot be re-executed. The only way to access this program again is to use the KMA reset command.
Note: A reset is performed by typing reset at the ELOM prompt after the set SP Agent commands are complete and the DHCP and network address settings have been entered. Also, at any point during the QuickStart program, entering Ctrl-C will abort the program, clearing the settings, and requires you to restart the program.
Use the Crypto Key Management System Administration Guide (PN 316195101) for specific information and instructions about the QuickStart program and Wizard. This guide provides configuration and administration information for the Sun Crypto Key Management System software. This guide is intended for storage administrators, system programmers, and operators responsible for configuring and maintaining the KMS software at their s
108. ted to a USB port (keyboard) and the VGA port (monitor).
Note: The serial connection to the ELOM cannot be used for the QuickStart program.
Note: The ELOM is sensitive to Web browser and Java versions. The following is a list of supported versions.

TABLE 2-4 Compatible Web Browser and Java Versions
Java Runtime Environment (including Java Web Start): JRE 1.5 (Java 5.0 Update 7 or later)
Client OS: Microsoft Windows XP, Microsoft Windows 2003, Microsoft Windows Vista -- Web Browsers: Internet Explorer 6.0 and later; Mozilla 1.7.5 or later
Client OS: Red Hat Linux 3.0 and 4.0; Solaris 9; Solaris 10; Solaris Sparc; SUSE Linux 9.2 -- Web Browsers: Mozilla Firefox 1.0; Mozilla 1.7.5 or later

You can download the Java 1.5 runtime environment at http://java.com. The current version of the ELOM guide is located at http://dlc.sun.com.

Start the embedded Lights Out Manager
The embedded Lights Out Manager (ELOM) contains a separate processor from the main server. As soon as power is applied (plugged in), and after a one- or two-minute boot period, ELOM provides a remote connection to the console, allowing you to perform server functions such as the QuickStart program.
Note: This manual has some basic ELOM commands to configure the server. Refer to the embedded Lights Out Manager Administration Guide for more information.
Connect to the KMA through the embedded Lights Out
109. the Key ID is not unique, the Key Value is checked against the KMS 2.0 Keystore for that Key ID.
- If a key exists in the KMS 2.0 database with the same Key ID and Key Value, that Key ID is noted and processing continues. When importing the keys has completed, the number of duplicate keys is returned.
- If a key exists in the KMS 2.0 database with the same Key ID but a different Key Value, then the operation is aborted and an error is returned immediately, on the assumption that the KMS 1.2 file may be corrupt.
Stage 2: The list of keys is processed, wrapping and adding the Key Value to the Keystore and the Key data to the database. Any errors in this stage result in termination and proceed directly to Stage 3.
Stage 3: This stage is only performed if there were any errors in Stage 2. This stage removes the Key Values from the Keystore and rolls back the transaction to insert the Key data into the database. In addition, an error message is returned to the GUI.

Instructions
1. Mount the media containing the exported keys.
2. From the KMS Manager, select Import 1.0 Keys.
3. Enter the Key Group ID that these keys will be associated with.
4. Enter the path and file name for the key file. The status will be displayed upon completion.
FIGURE B-1 Import Keys (KMS Manager status log: 11/30/2007 10:36:35 AM Connecting... 11/30/20
110. the passphrases can be changed in the KMS Manager. The default is eight characters using three of the four styles: small case, UPPER case, numbers, and special characters.
KMAs in a Cluster must keep their clocks synchronized. Internally, all KMAs use UTC time (coordinated universal time). If the customer prefers, there is an option in the KMS Manager that allows dates and times to be adjusted to local time when displayed. When the customer is not using an NTP server, the clocks on the KMAs may drift. As a best practice, customers can check and re-sync the clocks at least once a year.
Important: Do not perform a Core Security Backup when using simple settings. Wait until all users have entered their credentials (passphrases), production settings, and quorum details before creating a Core Security Backup for the first time.

QuickStart Wizard
The following section shows examples of the QuickStart program for configuring the first KMA in a KMS Cluster.
- Response areas are shown in bold.
- The KMA names use KMA-x, where x is a number for that KMA (x of x).
- The KMA IP address range is 172.18.18.x, the default network for the SDP. The SDP site unit is 172.18.18.1; KMAs share addresses 172.18.18.2 through 59.
- The subnet mask for SDP is 255.255.254.0.
- The KMS management network uses a hostname of KMSmgr.
- The KMS manag
111. thernet switch that connects to the KMA service network, for example. The default tape drive IP address is 10.0.0.1 and must be changed in any connection scheme.
Note: The SDP polls the tape drives about every 6 minutes. To improve performance, you may want to change this parameter to 20 to 30 minutes. For more information, go to http csa wiki central sun com display SDP (address as printed).

CHAPTER 6 Service
This chapter describes the service tasks for the components in the Key Management System Version 2.0, which includes:
- Field Replaceable Units on page 74
- Account Log on page 75
- Obtaining Support on page 76
- Replacing or Adding a New KMA on page 77
- System Upgrade on page 79
- Restore From Backup on page 80
- System Dump on page 81
- T-Series Tape Drives on page 82
  - Switch Encryption On and Off on page 83
  - KMS Version 1.x Support on page 84
- HP LTO4 Tape Drives on page 85
  - Diagnose Drive Tab on page 86
  - Removal and Replacement of the Dione Card on page 89

Field Replaceable Units
Currently, the only field replaceable units (FRUs) are the:
- Key Management Appliance (KMA), PN 3154936. If the KMA fails, replace the entire server and, for security reasons, scrap onsite.
- Tape drive (Agents). If a tape dr
112. will have the following format:
<Key ID> <Key Value> <Description>
Where:
- Key ID: A 64-character hexadecimal value that uniquely identifies each key.
- Key Value: A 64-character hexadecimal value that is the cipher value of the key.
- Description: An optional word or sentence used to describe each key.
T10000A tape drive firmware must be at 1.37.108 or higher to support KMS Version 2.0. To upgrade the firmware in a T10000 tape drive, refer to: T10000 Service Manual, StorageTek 96175; Virtual Operator Panel Service, StorageTek 96180.

Basic Steps (checklist)
- Export Keys from 1.0 KMS. Do not create any new keys in the 1.0 system after this. Note: Keys are cleartext; protect them appropriately.
- Import Keys into 2.0 KMS Cluster.
- Upgrade Drive firmware.
- Enroll drives with KMS Version 2.0 Cluster (Agent configuration and VOP).
- Drives begin using KMS Version 2.0. Ensure that tapes written in 2.0 drives do not get loaded into 1.0 drives.

Description
The process is performed in three stages.
Stage 1: The entire file is read and each line checked to ensure that the Key ID and Key Value are the appropriate length and format. The first 4 characters of the Key ID are stripped off, as the KMS 2.0 Key ID is 30 bytes rather than the 32 bytes in the KMS 1.2 format. In addition, the Key ID is checked against the KMS 2.0 database to ensure it is unique.
- If
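The three-stage import described here (Stage 1 format, length and uniqueness checks, Stage 2 wrapping and insertion, Stage 3 rollback, as laid out in fragments 109 and 112), carried through as an added Python example; this is not Sun's code. It assumes the three fields are whitespace-separated with the optional description allowed to contain spaces, and models the KMS 2.0 Keystore and database as in-memory dicts with a stand-in wrap function.

```python
import re

HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")   # Key ID and Key Value are 64 hex characters

# Constructed sample export (not a real key file); whitespace-separated fields assumed.
KEY_A, KEY_B, KEY_C = "0000" + "A1" * 30, "0000" + "B2" * 30, "0000" + "C3" * 30
SAMPLE_EXPORT = "\n".join([
    f"{KEY_A} {'11' * 32} backup set 1",
    f"{KEY_B} {'22' * 32}",
    f"{KEY_C} {'33' * 32} archive, quarterly",
])


class ImportAborted(Exception):
    """Raised when the import must stop; the message is what the GUI would show."""


def parse_line(line, lineno):
    """Stage 1 line check: length/format, then drop the first 4 hex digits
    (KMS 2.0 Key IDs are 30 bytes, the KMS 1.2 format carries 32)."""
    parts = line.split(None, 2)              # description is optional, may contain spaces
    if len(parts) < 2:
        raise ImportAborted(f"line {lineno}: expected <Key ID> <Key Value> [<Description>]")
    key_id, key_value = parts[0], parts[1]
    if not HEX64.match(key_id) or not HEX64.match(key_value):
        raise ImportAborted(f"line {lineno}: Key ID and Key Value must be 64 hex characters")
    description = parts[2] if len(parts) == 3 else ""
    return key_id[4:].upper(), key_value.upper(), description


def stage1(export_text, keystore):
    """Read the whole file before touching anything. Returns (keys_to_add, duplicates)."""
    keys_to_add, duplicates = [], 0
    for lineno, raw in enumerate(export_text.splitlines(), 1):
        if not raw.strip():
            continue
        key_id, key_value, description = parse_line(raw.strip(), lineno)
        existing = keystore.get(key_id)
        if existing is None:
            keys_to_add.append((key_id, key_value, description))
        elif existing.upper() == key_value:
            duplicates += 1                  # same key already present: note it, keep going
        else:
            raise ImportAborted(f"line {lineno}: Key ID {key_id} exists with a different "
                                "Key Value; the KMS 1.2 file may be corrupt")
    return keys_to_add, duplicates


def import_keys(export_text, keystore, database, key_group_id, wrap=lambda v: v):
    """Three-stage import. `wrap` stands in for the Keystore's key wrapping and is
    where a Stage 2 failure would come from. Returns (imported, duplicates)."""
    keys_to_add, duplicates = stage1(export_text, keystore)
    added = []
    try:                                     # Stage 2: wrap and add, all or nothing
        for key_id, key_value, description in keys_to_add:
            added.append(key_id)
            keystore[key_id] = wrap(key_value)
            database[key_id] = {"group": key_group_id, "description": description}
    except Exception as exc:                 # Stage 3: undo Stage 2, report to the GUI
        for key_id in added:
            keystore.pop(key_id, None)
            database.pop(key_id, None)
        raise ImportAborted(f"Stage 2 failed, rolled back {len(added)} key(s): {exc}") from exc
    return len(added), duplicates
```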
113. y Installation Manual, StorageTek 95843; L180 Library Installation Manual, StorageTek 95896; 9310 PowderHorn Library Installation Manual, StorageTek 9314.

These publications are related to the key management system:
Publication -- Description -- Part Number
Crypto Key Management System Assurance Guide -- StorageTek -- 3161948xx
Crypto Key Management System Administrator Guide -- StorageTek -- 3161951xx

When planning to support data encryption, the following documents are available to help identify and define encryption:
- Federal Information Processing Standards Publication FIPS PUB 46-3, Data Encryption Standard
- Federal Information Processing Standards Publication FIPS PUB 140-2, Security Requirements for Cryptographic Modules
- Federal Information Processing Standards Publication FIPS PUB 171, Key Management
- National Institute of Standards and Technology (NIST) Publication 800-57, Recommendation for Key Management, Parts 1 and 2
- International Standard Organization ISO/IEC 1779, Security Techniques: Code of Practice for Information Security Management

Documentation Map: Related Information
This table shows the specific documents for the Crypto Key Management System and the audience that document is intended for.
TABLE P-1 Documentation and Audience Map. Columns: Task/Purpose; Documentation; Audience (AE, SE, PS, TS, T3, SR, Partner, OEM, Customer)
114. yption-capable HP LTO-4 tape drives contain an Ethernet card, which is a field replaceable unit (FRU). Depending on the library, each drive tray contains the card in a different location; however, the removal and replacement procedures are similar.
FIGURE 6-12 Dione Card and Connectors. Callouts: 1 Dione card; 2 Ethernet connector; 3 P5; 4 Signal connector; 5 Drive power jumper; 6 Power connector to drive; 7 P6.

Removal
The following procedure basically describes how to remove and replace a Dione card.
1. Follow the procedures for taking the drive offline.
2. Follow the procedures for removing the drive from the library.
3. Place the drive and drive tray on a suitable work surface.
Caution: Potential ESD damage. The encryption card contains ESD-sensitive components. Make sure you follow proper ESD precautions.
4. Remove the two T9 screws from the top cover and remove the cover.
5. Remove the connectors from the HBD card.
6. Remove the four T10 screws that attach the drive to the tray.
7. Remove the T10 screw that attaches the encryption card.
8. Pull out the drive part way to gain access to the cables and connectors.
9. Remove the cable connectors in this order: Ethernet cable; P5; P6; power cable; signal cable.
10. Remove the four T10 screws that fasten the card to its plate.

Replacement
Caution:
- ESD-sensitive component
