Dell™ PowerVault™ Encryption Key Manager ΓU
© 2007, 2010 Dell Inc. All rights reserved. σ≤ñ ΩTp ≤Añútμq C ² o Dell Inc. \iAYTH⌠≤Φí s σ≤C σñ GDellBDELL xM PowerVault Dell Inc. C σ≤ñ ΣL W iαO x W ΩΘ Σú W CDell Inc.
vi Dell Encryption Key Mgr ΓU
eÑ ÷≤ ΓU]tw M @ Dell™ Encryption Key Manager n ΩT ⁿ Cª]A÷ ≤UCU º M{ G v π [K\α LTO 4 M LTO 5 a≈ v [K≈ v A ∩H A ≤td½nΩ ºw M ≈ xsΘ w z AH b@ ⌠ ñ≤ U]wM @ Encryption Key Manager °A H Cª ]¬ xs mM ⌠⌠ Ω C D MM Wⁿ LΩD pUG ϕ 1. LΩD D Θ Θμr r Nϕ ÷r t ApⁿOW B WBX W B⌠ W M ∩ \αϕ∩ C Ñe d B ⁿw σrH t π Ω TAHÑerΘe{C Θ Θμr r Nϕz ú C [ ] ϕ ∩ { } bμíMykí ñAAϕ@≈z MμC C uN∩ Mμñ | ½ ϕ z÷U ΣC qñ∩ }C N N ϕ {íB mBt Ω iα lC
÷X \UCX AH o ΩTG v Getting Started with the Dell™ PowerVault™ TL2000 and TL4000 Tape Librariesú w ΩTC v Dell™ PowerVault™ TL2000 Tape Library and TL4000 Tape Library SCSI Reference ú SCSI μ ⁿΣ SCSI ⁿO qT≤wC Linux ΩT Red Hat ΩT UC URL P Red Hat Linux® t ÷G v http://www.redhat.com SuSE ΩT UC URL P SuSE Linux t ÷G v http://www.suse.com Microsoft Windows ΩT UC URL s Microsoft® Windows® t ÷ΩTG v http://www.microsoft.com uWΣ yX http://support.dell.
²\¬HUí p Dell ⁿΩa ßA 800-WWW-DELL (800-999-3355)C : pGzS @ ñ u⌠ ⌠⌠vsuAziHb fo B cμBbμ Dell ú ¼²WΣ p ΩTC Dell ú uWH q Σ PA Co Σ A ΩaMú ºAí≈ A iαS bz b a ú CYnw∩PΓB NΣ ßA Dp DellA iμUC @G 1. yX http://support.dell.comC 2. b ∩ Ωa/a U \αϕñ∩ z Ωa a C 3. ÷@U ¬Σ p C 4. z n∩ Aϕ A 5.
1 a[Kº[ bvºEP ⌠ ñAΩ O Σñ@ Ω Cb o w N ¬ i @ AJαO@Ω B εΩ s τ Ω uΩ ASα Ω i AOu² n CΩ [KKO MΣñh D uπCDell Encryption Key Manager]q{b}lA Encryption Key Manager F[K@ C LTO 4 LTO 5 a≈]bgJ ⌠≤ LTO 4 LTO 5 Ω dX [KΩ C o s \α xs Ω sWFcT w IAú ] b°A W⌡μ[K a B Bz¿ Ay¿ α CA]ú nΣIM ] O C a≈[K MΦ T Dn ¿G [K a≈ LTO 4 M LTO 5 a≈ú zL{íw \ 2-2 ynwΘ DzAH o a≈ [H C ΩTC [K≈ z [K]Abs≥ UhW h ≈ Co ≈ ú B @B ε ΘA H w F[K a≈ @ ⌠ úPCí {íα≈⌡μ≈ zC∩≤ S o {í n {íE [K ⌠ A
í o ∩ A ²O 2-1 2 , yW Encryption Key Manager ⌠ zAΣ O 4-1 4 , ytm Encryption Key ManagerzA yßb ² B ñ Mtm∩ í C a≈ϕμ Encryption Key Manager Q a≈ϕμ l ªΣ a≈C a≈ϕμ Otm ⁿwFΣ mºúisΦ Gi CziH ≤ª mH Xz DC KeyGroups.xml o KXO@ ]t [K≈ s W AH C ≈ s º ÷ [K≈ OWC 1-1.
½n Encryption Key Manager D≈°A tmΩTG z²N Dell Encryption Key Manager {í ≈ ECC O ΘANΩ ≥ó I C pC Encryption Key Manager ⌡μnDú [K≈ No ≈ LTO 4 M LTO 5 a≈ \αCb Encryption Key Manager Bz íA ][K í ≈ Ω Obt O ΘñC NA≈ Ω L a e Aϕ a≈A α≈ ] K gbdXW Ω CpG ≤Y ]Ay¿≈ Ω ]t O Θ lAB ≈ Ω O NΩ gJdXñAh gJo dX Ω NLk ]ΘßLk K C @ Aϕ @ IiT Oú o o Ω CúLApGN Encryption Key Manager ≈ ≤ X (ECC) O ΘAbt O Θ ≈ Ω iα lA] y¿Ω ≥óCo o íp ≈ újA²∩≤N ½n {í]p Encryption Key Manager ≈ A@ ECC O ΘC
1-2. [K h M≈ z Γ iα mC {íh {í] O≤≈ z{í l axsΘ Ω eC í z a[KzAHA Σ {íC \y { awh axsΘ Ap Dell PowerVault TL2000/TL4000 M ML6000 tCC{N awt ΣñCí a≈ í C {í z a[K ϕ⌡μ {í @ ⌠ wgα≈ú M z[K hM≈ Ao Φk A Cⁿw≤ [K hOzL {í wq C hM≈ qL {íhM[K a≈ºí Ω ⌠ C[KO {íP [Kº a≈ ¼ GAt M awh ú n∩ C ≤ {í z[K≈ A] A {íΦk gJM[K Auα gª P {íQ {í z [KΦk ¬ C {í z a[Kú nA]ú Encryption Key ManagerC i z[K C {í pUG v CommVault Galaxy 7.
\ a ≈nΘ {íσ≤AH p≤ z[K hM≈ C aw z a[K No A ≤ LTO 4 M LTO 5 a≈ ΦkA ≤ Dell™ PowerVault™ TL2000 awBDell™ PowerVault™ TL4000 aw Dell™ PowerVault™ ML6000 awC ≈ ú M z Encryption Key Manager ⌡μAªO@ Java {íAbs aw D≈W⌡μ Java {íC h εM≈ b aw a≈ ºí Ozq A] A∩ {í ÑA[K]Ozq C ÷≤[K≈ [K≈ OM Ω V M ú H≈ rΩC[K≈ OQ FTO C ≈ O @PLkw ]p tΓk C o Φí c ≈ V °A[KsX } ]NV°CIBM M T10 Γ [KΦkúQ 256 AES tΓ k≈ [KΩ C256 AES OⁿΩF e {M [K Aª ⁿT úP ≈ ° C256 ≈ O AES e\ °≈ C Encryption Key M
ΣL {í [K≈ Bz b {í z a[KñA [K Ω e LTO 4 M LTO 5 a≈AB Q {íú ∩ DK α½ KσAMßAgJ añCDK ú xsb a X ⌠≤ mCbgnw[K ºßADK ±b {íα≈s mA p°A Ω wAHK¬ C LTO 4 M LTO 5 a≈iHQ Yosemite ]A ≤ Dell PowerVault TL2000 M TL4000 aw BCommVault M Symantec Backup Exec º {í iμ {í z [KC t A LTO 4 M LTO 5 a≈]i T10 ⁿO {í ⌡μ[KCT10 ⁿO {í ú ∩ 256 AES ≈ CT10 iHC aX h @ DKA iHN[KΩ M XΩ g P aXñCϕ {íN a X[K Aª Q {í Mw Φk ∩ ú @ DKA Nª e a ≈Co ≈ ú HD∩ }≈ iμ Aú xsb aXñCbw[K Ω g aºßADK ±b
2 W Encryption Key Manager ⌠ o@ bú @ ΩT ≤UzP AXz D Encryption Key Manager t mCϕzW p≤]w[Kªñ A q\h] C [K]w@ @² b a≈ [K\αºeA Uz Xo DC XSw nwΘ DCUC ∩Mμi ≤ Encryption Key Manager ]w@ b a[KºeAEncryption Key Manager ²tmnBb⌡μñA αP[K a ≈qTCw a≈ Aú@wn⌡μ Encryption Key ManagerA²ª b⌡μñA α⌡μ[KC v Mw @ Encryption Key Manager °A t ¡xC v p nA °A @ t C] v w Java L¡ε h C] \ 2-2 ynwΘ DzC \ 2-2 ynwΘ DzC v Encryption Key Manager JARC] \ 3-1 yUⁿ s Key Manager ISO Imagez
aw z a[K@ 1. w Ms LTO 4 M LTO 5 a≈C v ≤s aw Θ]TL2000BTL4000BML6000Ap support.dell.comC n C yX http:// – Dell™ PowerVault™ TL2000 aw n C Θ = 5.xxC – Dell™ PowerVault™ TL4000 aw n C Θ = 5.xxC – Dell ™ PowerVault ™ ML6000 aw tC n C Θ O = 415G.xxxC v p nA ≤s a≈ ΘC n C Θ O 77B5C 2. LTO 4 M LTO 5 a≈M aw aw z a[K] awΩTAH o Ω C \z Dell v sW Encryption Key Manager °A IP } 3. Q awE \α τ Encryption Key Manager ⌠ M[Ktm] \z Dell awΩTAH o Ω C nwΘ D : u UCU¡x IBM Ja
a≈ b LTO 4 M LTO 5 a≈Φ A Tw ΘO si h yX http://support.dell.comC C÷≤ Θ≤sA Windows MΦ ≤ @ t Windows Server 2003B2008 M 2008 R2 Dell Encryption Key Manager n Encryption Key Manager C O 2.1A mΘ O 20070914 HßAH UC IBM Runtime Environment º@G ϕ 2-2. Windows ≥ nΘ D @ t IBM Runtime Environment Windows 2003 v IBM® 64-bit Runtime Environment for WindowsAAMD64/EM64T [cA Java 2 Technology Edition 5.0 SR5 v IBM 32-bit Runtime Environment for WindowsAJava 2 Technology Edition 5.
[K≈ LTO 4 M LTO 5 a≈ Dell Encryption Key Manager ΣΣ a≈úQ ∩ 256 AES ≈ [KΩ Co DDí z A o ≈ M ÷ C b LTO aX LTO 4 LTO 5 a≈W⌡μ[K@ AEncryption Key Manager u 256 AES∩ Ω ≈ C ϕ LTO 4 LTO 5 nD≈ AEncryption Key Manager ⁿw a≈ O WCpG ⁿw⌠≤OW a≈AK symmetricKeySet tm e ⁿwº≈ s B≈ OWMμ ≈ OWd≥ñ OWCϕ a≈ SwOWAK H ⌠ ΦíAqΣLΩΘñ∩ OWAHí ¡ ≈ C ∩ OW ÷p≤≈ xswñw²ⁿJ ∩ uΩ ≈ (DK)vCEncryption Key Manager No DK] F a≈α≈ K úP≈ e LTO 4 LTO 5 a≈AHKNΩ [KCo DK úH XΦízL TCP/IP ΘC ∩ OW ]
6. Encryption Key Manager N DK M DKi e a≈ 7. a≈N DK }AN[K Ω M DKi gJ añ 2-2 π p≤Bz[K¬ @ ≈ C 4 5 DK 6 Key Manager 3 DKi Alias 1 ညᔬ 2 ߜᢒ ᓽԆ৲ ᆄளᐠ ߒਿ 2-2. LTO 4 LTO 5 a≈ [K¬ @ nD 1. a≈¼ ¬ nDAN DKi e Encryption Key Manager 2. Encryption Key Manager τ a≈ϕμñ a m 3. Encryption Key Manager N DKi ૨OWAAq≈ xswú ∩ DK 4. Encryption Key Manager N DK P a≈α≈ K ≈ @ 5. Encryption Key Manager N DK e a≈ 6.
Cϕ≈ xswΩ F ≤Az ≈@ CEncryption Key Manager ú ∩≈ xswΩ CúFzM ≤º A≈ xswOLΣL ≤A] Ab ≤≈ xswºßA Φiμ sC Q GUI ≈ 1. pG GUI A } ªG Windows ² c:\ekm\guiA ÷@U LaunchEKMGui.bat Linux ¡x ² /var/ekm/gui MßΘJ . ./LaunchEKMGui.sh 2. b Encryption Key Manager GUI ¬ ² ñA∩ Backup Critical FilesC ñAΘJ ≈Ω ⌠ ( 2-3)C a14m0241 3. bπ ∩ 2-3. Backup Critical Files °í 4. ÷@U Backup FilesC 5.
Proxy AziHNªⁿVΓ ≈ z{íCpG@ ≈ z{í]GLk Az m] aw N N ≈ z{íC t Az]iHNΓ Encryption Key Manager O PBCb n o ½n\ αAD ½nA@Φ Oª Nα≈ ≈½nΩ At@Φ ]b≤ª ó Γ \αi a@ K≤ñ C \ 4-2 yNΓí≈ z{í°A Ω PB zC : PB ú]A≈ xswCª HΓ Φí sC Encryption Key Manager °A tm Encryption Key Manager iHw bμ@°A h½°A WCUCd π @ Γ ≈ z{í tmA²z awiαe\≤h z{ítmC μ@°A tm μ@°A tm]p 2-4 O ÷ Encryption Key Manager tmCúLA ≤ F Aú Cbo tmñA a≈ú αμ@≈ z{í° A AS ⌠≤ ≈CpG°A ÷¼AKLk ≈ xswBtm B KeyGroups.
ΦkA α s ΣL≈ xswñC≈ xswM≈ s XML HΓ Φí sC \ 4-2 yNΓí≈ z{í°A Ω PB zAH o ΩTC 2-5. Γí°A @ tm tm: Γí Encryption Key Manager °A iH @P ≈ xswM a≈ ϕμABπ úP Γ tm A bU XML ñA] OwqΓ úP ≈ s C @ DOCí°A Bz@ a≈ ≈ PCo oCí≈ z{í°A α≈ v @ eCbo ¼ tmñ]p 2-6 Ab≈ z{í°A ºíAu a≈ϕμ PB C] \ 4-2 yNΓí≈ z{í°A Ω PB zAH o ΩTC ⁿw sync.type = drivetab]úⁿw config all AH ε∩gtm C : °A tmLk í C 2-6.
pGz Encryption Key Manager n Ω ]tm B a≈ϕμB ≈ s XML AH ≈ xsw {μ AzKα≈H @ ≈ z {í @ b DR x C] OϕAzú Q Encryption Key Manager [Ko A] S α≈B@ ≈ z{íAKLkNª K Cp Gz DR x úP≤Dn x a≈Atm M a≈ϕμ ]t DR x TΩTC ≈ @ [K a q : b o ± ⌠≤ ºßAiNH⌠ d ß po zñ (CA)AHτ o Ao@I ½nCpGzH⌠o CAAKiHH⌠o Ct ApG b Θñⁿ w O@A ]α≈o τ Co ΦíYo Lkτ ípAiα} P uñíH (Man-in-the-Middle)v≡ C @ LTO 4 M LTO 5 a pGn@ LTO 4 LTO 5 aW [KΩ A aW [KΩ ∩ ≈ ] ú ΣL A L α≈¬ aCpGn
3 w Encryption Key Manager M≈ xsw Encryption Key Manager ≤ IBM Java Ω ≈ w [cA n IBM Software Developer Kit for Linux H IBM Runtime Environment for Windows] \ 2-2 ynwΘ Dz C ϕ @ t A { G v yb Linux Ww Encryption Key Managerz v 3-2 yb Windows Ww Encryption Key Managerz pGúTwz Encryption Key Manager O s AyUⁿ s Key Manager ISO Imagez iDzp≤P O s i C z o s Encryption Key ManagerA] ªiα ]tb Java w [cñC yX http:// support.dell.
v Java 6 SR 5]64 ≤s 2. N Java linux rpm ±bY u@ ²ñG mordor:~ #/tape/Encryption/java/1.6.0# pwd /tape/Encryption/java/1.6.0 mordor:~ #/tape/Encryption/java/1.6.0# ls ibm-java-i386-jre-6.0-5.0.i386.rpm 3. w rpm M≤G mordor:~ #rpm -ivh --nodeps ibm-java-i386-jre-6.0-5.0.i386.rpm o N m≤ /opt/ibm/java-i386-60/ ²ñG mordor:~ #/opt/ibm/java-i386-60/jre # ls .systemPrefs bin javaws lib 4. H w º Java JAVA_HOMEBCLASSPATH M bin n /etc/profile.
a14m0257 3-1. Choose Destination Location °í ÷ NextC a14m0232 5. o } @ °íA zO nHo Java Runtime Environment w] t JVM ( 3-2)C 3-2. No JVM ] w] ÷@U NoC 6.
a14m0258 3-3. Start Copying Files °í ÷ NextC 7. ¼A°íⁿXw i C 8. o } Browser Registration °íC∩ ft Encryption Key Manager s² C÷ NextC 9. InstallShield Wizard Complete °í} ºßA÷@U FinishC w nºßAziH} @ ROú r d w Java G C:\WinEKM>C:\"Program Files"\IBM\Java60\jre\bin\java -version java version "1.6.0" Java(TM) SE Runtime Environment (build pwi3260sr5-20090529_04(SR5)) IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows Server 2003 x86-32 j9vmwi3223-20090 519_35743 (JIT enabled, AOT enabled) ...
pGn []w PATH]∩ Encryption Key Manager 2.1 ÑO n A s W Java bin ² π⌠ PATH ñCo π⌠ q pUG C:\Program Files\IBM\Java60\jre\bin pGnb Microsoft Windows 2003B2008 M 2008 R2 ñ []w PATHA ⌡ μUC @G : qⁿOμ]w PATH LkB@C a. qu}lv\αϕñA∩ ]wAA∩ εxC b. ÷ΓUt C c. ÷@UiÑ C d. ÷@U⌠ C e. ut vMμ ΣX Path A ÷@UsΦC f. N IBM JVM ⌠ sW Path }YC w]w ²O C:\PROGRA~1\IBM\Java60\jre\binC ½n Gb⌠ íJ ANªP⌠ Mμñ ΣL ² j} C g.
3. b yEKM Server Configurationz ( 3-4) nμ ]HP ϕ ñ ΘJΩ C FΦKAí μ w ± C ÷@U⌠≤Ω μ k oí C÷ NextC a14m0247 : ≈ xswKX]wnºßA [H ≤AúDw X{ }Co KX ¿ XAHKX{⌠≤w }CpGn ≤≈ xswKXAz Q keytool ⁿO O ≤o ≈ xswñ C KXC \ 3-11 y ≤≈ xswKXzC 3-4.
v pGb Encryption Key Manager lw íAEncryption Key Manager w A ² Encryption Key Manager ² b ²]p x:\ekm CR ú ²AA½s}lw C v pGbsWs ≈ s F Encryption Key ManagerA εz Encryption Key Manager °A AH s ≈≈ xsw]o bz x:\ekm\gui\backupfiles Ω ¿ñ z ≈ xsw C NA ≈ Wt Θ M íWO]p 2007_11_19_16_38_31_EKMKeys.jck C s x:\ekm\gui ²ºßA úΘ M íWOC ½s Encryption Key Manager °A AsW²e ≈ s C a14m0243 4.
a14m0251 3-6. Backup Critical Files °í τ ⌠ AA÷@U BackupCo bI Dell Encryption Key Manager °A C ϕb yBackup Critical Filesz °íñ ≤ Encryption Key Manager °A tm ≈ ACϕ÷@U OKAEncryption Key Manager ú ú @ ≈ C u nC NOs Aú xsb c:/ekm/gui/BackupFlies ²ñCC We ú [Θ M íC±ΦíA2007 11 δ 26 ΘU 2 I 58 46 ϕ ≈ @ AW }Yú t UCΘ M íWOG “2007_11_26_14_58_46_FileNameCú ∩g ≈ C 6. b GUI ² ñA∩ °A α ° T{ Encryption Key Manager °A w C pGnsW≈ { ≈ xswñA \ 3-14 yQ GUI wq≈ s M ≈ zC p≤Σ T D≈ IP }G
p≤ O EKM SSL ≡ 1. Q ⁿOμ Encryption Key Manager °A C v b Windows WAcd c:\ekm Hiμ v b Linux ¡xWA ² ²A ÷@U startServer.bat /var/ekmA ΘJ startServer.sh v \ 5-1 y B½sπzM ε≈ z{í°A zAH o ΩTC 2. Q ⁿOμ CLI ß C v b Windows WAcd c:\ekm Hiμ v b Linux ¡xWA v ² ²A ÷@U startClient.bat /var/ekmA ΘJ startClient.sh \ 5-5 yⁿOμ ß zAH o ΩTC 3.
xsw⌠ ñAz i≤Vh Ω @WS RWD AHKbΩ ºí Θ≈ A @Σ WS C ú ≈ MOWºßA≤s KeyManagerConfig.properties ñ symmetricKeySet e ⁿws OWBOWd≥A ≈ s GroupIDB xs∩ ≈ WAH ≈ s wq b WC] \ 3-13 y M z≈ s zAH o Ω C u ∩ symmetricKeySet ñ ⁿW ≈ iμτ ] d{ OW Aϕ jpMtΓk ∩ ≈ CpGo eⁿwFL ≈ A≈ z{íKú Ao @ºf O²C t Akeytool {í]ú b≈ xswºí JM XΩ ≈ CHUOU @ º[CziHoX keytool -ekmhelp π UCU Q [\ ≈ z {í ÷ C sΦtm e pGn ≤ KeyManagerConfig.properties ClientKeyManagerConfig.properties A ⌡μUC @G 1.
-genseckey [-v] [-protected] [-alias | aliasrange ] [-keypass ] [-keyalg ] [-keysize ] [-keystore ] [-storepass ] [-storetype ] [-providerName ] [-providerClass [-providerArg ] ...
keytool -keypasswd -keypass old_passwd -new new_passwd -alias alias -keystore keystorename -storetype keystoretype z] sΦ KeyManagerConfig.
±ΦíAⁿw key1-a ú q KEY000000000000000001 KEY00000000000000000A @tCOWCⁿw xyz01-FF aliasrange ú XYZ000000000000000001 XYZ0000000000000000FF -exportfile XΩ ≈ Aⁿw xsΩ ≈ C -keyalias ⁿw≈ xswñA [K Ω ≈ }≈ OWC TwNN J∩ ]Ω ≈ ≈ xswt ∩ pK≈ C JCEKS ≈ xsw LTO 4 M LTO 5 [Kºd OWM∩ ≈ ]w -aliasrange ∩ Is KeyToolC NAz UCΦíAN≈ tΓk (-keyalg) ⁿw AESAN≈ jp (-keysize) ⁿw 256G /bin/keytool -genseckey -v -aliasrange AES01-FF -keyalg AES -keysize 256 -keypass password -storetype jceks -keystore
pGn m≈ s Az Nªwqb KeyGroups.xml ñCpGzϕ 3-5 yQ GUI tm B≈ xswM zñ { Ahwb EKM Configuration ⁿwo mCpGOΓ tm AK UCΦíAbtm e ñⁿw KeyGroups.xml mG config.keygroup.xml.file = FILE:KeyGroups.xml pG ⁿwo Aw]μ O Encryption Key Manager mu@ ²ñ KeyGroups.xml CpGo úsbAK KeyGroups.xml CHß Encryption Key Manager °A Anative_stderr.log iα X{UCTºG [Fatal Error] :-1:-1: Premature end of file.CoOσR KeyGroups.
a14m0248 3-7. ≈ s (Create a Group of Keys) 4. ΘJs≈ s W B≈ OWn r U Submit ChangesC AH s N]t ≈ C÷@ pGn ≤w]≈ s A ⌡μUC @G 1. b GUI ¬ ² ñA∩ Administration CommandsC 2.
a14m0244 3-8. ≤w]gJ≈ s (Change Default Write Key Group) 3. qk Group List ñA∩ s w]≈ s C 4. b°í Aτ {μ s w]≈ s A ÷@U Submit ChangesC pGnNSw≈ s ⁿú Sw a≈A ⌡μUC @G 1. b GUI ¬ ² ñA∩ Administration CommandsC 2.
a14m0246 3-9. Ns ⁿú a≈ (Assign Group to Drive) 3. q Drive List ñA∩ a≈C 4. q Group List ñA∩ ≈ s C 5. b°í Aτ a≈M≈ s A ÷@U Submit ChangesC pGnq a≈ϕμñRú a≈A ⌡μUC @G 1. b GUI ¬ ² ñA∩ Administration CommandsC 2.
a14m0245 3-10. Rú a≈ (Delete Drive) 3. q Drive List ñA∩ a≈C 4. b°í Aτ a≈W A ÷@U Submit ChangesC Q CLI ⁿO wq≈ s Encryption Key Manager ≈ s S i²zN≈ C w Mtmn Encryption Key Manager {í]≈ xswMú ≈ AEncryption Key Manager °A ]w ºßA Q ß nJ°A A ϕ UCBJG 1. ⌡μ createkeygroup ⁿOC o ⁿO b KeyGroups.xml ñ l≈ s ½≤Co @u⌡μ@ C ykGcreatekeygroup -password password -password [K KeyGroups.xml ñº≈ xswKXAHKß [H KXC ≈ xsw [K≈ s ≈ A≈ s ≈ S [KC O ≈ s OWKXC] AKeyGroups.
ykGaddkeygroup -groupID groupname -groupID b KeyGroup.xml ñA Os @ groupnameC d G addkeygroup -groupID keygroup1 3. ⌡μ addkeygroupalias ⁿOC o ⁿO ñC ≈ xsw{ ≈ OW sOWAHKsW Sw≈ s ID ykGaddkeygroupalias -alias aliasname -groupID groupname -alias ≈ s aliasnameCo O π ≈ W A]NOíAKey00 key000000000000000000C ΘJ -groupID b KeyGroup.xml ñA Os @ groupnameC d G addkeygroupalias -alias key000000000000000000 -groupID keygroup1 : o CLI ⁿO AC uαsW@ ≈ CC sW ≈ s ñ O≈ Aú ⌡μo ⁿOC 4.
pGnⁿw@ ≈ s @ a≈ wqOW w] A Ntm symmetrickeySet e] n º≈ s GroupIDC pA e symmetricKeySet = keygroup1 GroupID X KeyGroup.
4 tm Encryption Key Manager Q GUI tm Encryption Key Manager tm e μ ΦkOϕ 3-5 yQ GUI tm B≈ xsw M zñ { Dell Encryption Key Manager GUICpGwo≥ AzKw Ftm Aú n⌠≤ΣLtmCpGzQn ΣL Encryption Key Manager t m∩ AUCΩTiα C tmªñ KeyManagerConfig.properties ñ í tm]wú Fz D C ≤s a≈ϕμ Encryption Key Manager btm (drive.
NΓí≈ z{í°A Ω PB ziHNΓí Encryption Key Manager °A a≈ϕμMtm e PB Cz iHQ CLI ß sync ⁿO Γ ¿o @ A b KeyManagerConfig.properties ñ]w e ¿C oΓ PB Φkúú Bz≈ xsw ≈ s XML Cª í sC u b KeyManagerConfig.properties ñ sync.ipaddress A PB \αC \y PB zC HΓ Φ eⁿwF IP } Γ PB Γ Φk]A⌡μ CLI ß sync ⁿOCykpUG sync {-all | -config | -drivetab} -ipaddr ip_addr :sslport [-merge | -rewrite] o ⁿO Ntm e a≈ϕμΩT] Γ Aq ] e °A e -ipaddr ⁿw a] ¼ °A C ¼ Encryption Key Manager °A w Bb⌡μñC
sync.ipaddress = backupekm.server.ibm.com:1443 pG ⁿwo eA ⁿwú TAK PB C sync.action X ½g ¼ °A ñ { Ω C pUGmerge]w] M rewriteCPB tm e@ P½gC sync.timeinhours Ω e WvCo OHπ ⁿw] C ííj}l≤°A º A]NOíAb°A ⌡μFⁿw ºßAKiμPB Cw] O 24C sync.
d. TransportListener.ssl.keystore.name - ⁿwBJ 1 ⌠ M WC º≈ xsw e. TransportListener.ssl.truststore.name - ⁿwBJ 1 º≈ xsw ⌠ M WC f. Admin.ssl.keystore.name - ⁿwBJ 1 º≈ xsw ⌠ M WC g. Admin.ssl.truststore.name - ⁿwBJ 1 º≈ xsw ⌠ M WC h. config.keystore.file - ⁿwBJ 1 º≈ xsw ⌠ M WC i. drive.acceptUnknownDrives - ⁿw true falseC true i²s Encryption Key Manager s a≈ sW a≈ϕμñC w] O falseC 5. UC∩ KX iHsWA]iH ñCpG b KeyManagerConfig.
10. pGzbBJ 4(i) ⁿw drive.acceptUnknownDrives = falseA b # ú º UAΘJUCⁿO tm a≈G adddrive -drivename drive_name -rec1 cert_name -rec2 cert_name pG # adddrive -drivename 000001365054 -rec1 key1c1 -rec2 key1c2 ß # listdrives -drivename 000001365054 o Entry Key: SerialNumber = 000001365054 Entry Key: AliasTwo = key1c2 Entry Key: AliasOne = key1c1 Deleted : false Updated : true TimeStamp : Sun Jul 03 17:34:44 MST 2007 11.
5 z Encryption Key Manager B½sπzM ε≈ z{í°A Encryption Key Manager °A iH e÷ Φí M εC ½sπz°A Encryption Key Manager NO Θ ≈ xsw{μ eB a≈ϕμ tmΩT X O ñAANª ½sⁿJO ΘñCbQ CLI ß iμFo ≤ ⌠≤ ≤ºßAoX½sπz C÷M Encryption Key Manager °A ÷¼ xso ≤A²oX°A ½sπziH εt l q ñ y¿o ≤≥óC q Dell Encryption Key Manager GUI Encryption Key Manager °A G 1. pG GUI A } ªG Windows ² c:\ekm\guiA ÷@U LaunchEKMGui.bat Linux ¡x ² /var/ekm/gui MßΘJ . ./LaunchEKMGui.sh 2.
a14m0250 5-2. Login °í b User Name ñAΘJ EKMAdminC lKXO changeMECnJºßAziHQ chgpasswd ⁿO ≤KXC \ 5-8 ychgpasswdzC : v Dell Encryption Key Manager GUI iαLkπ D≈ IP } {μ GUI Γ ¡εA y¿°A α ° Lkπ Encryption Key Manager D≈ IP }G v {μ {íLkδ IPv6CpGD≈tmF IPV6 }AEncryption Key Manager {íNLkπ IP }C v pG Encryption Key Manager {íOw b Linux t ñA {í π D≈ }A úOΩ @ ñ IP ≡C pGn D≈t Ω IP }A s ⌠⌠tm MΣ IP ≡ }Cb Windows t ñA} @ ⁿO°íAΘJ ipconfigCpGO LinuxA ΘJ ifconfigC 6.
ú { ÷¼{ C±ΦíAb Linux t WAΘJ kill -SIGTERM pid kill -15 pidC bROú r ºUA M ε≈ z{í°A pGnq⌠≤ⁿO°í Shell Encryption Key Manager °A A ΘJG java com.ibm.keymanager.EKMLaunch KeymanagerConfig.
: b⌠ íJ ANªP⌠ Mμñ ΣL ² jC g. ÷@UTwC 4. Tww πwq Encryption Key Manager °A tm e ñ ⌠ Co W O KeyManagerConfig.propertiesA b C:\ekm\gui ²ñC ñ UC ⌠ ú d ≤sAHTOª π⌠ ] pA c:\ekm\gui\ EKMKeys.jckA ú gui\EKMKeys.jck C \UCd AHA b w]w [c Ap≤ ≤⌠ C o O w]w M≈ xswW Aª ⁿV Hb KeyManagerConfig.properties ñΣ o C eM π⌠ Czi config.keygroup.xml.file ⌠ ∩¿GFILE:C:/ekm/gui/keygroups/KeyGroups.xml Admin.ssl.keystore.name ⌠ ∩¿GC:/ekm/gui/EKMKeys.jck TransportListener.ssl.truststore.
pGnN Encryption Key Manager w ¿@ uWindows A vA oXG LaunchEKMService.exe -i config file 7. Q WzⁿOw nA ºßAEKMServer X{bA εxñAziHQ uA εxv M ε Encryption Key ManagerC : b @ o uWindows A v Az Q εxAHΓ Φí ªC ⁿOμ ß Encryption Key Manager °A ºßAziHQ ß Ab oX CLI ⁿOCpGnoX CLI ⁿOAz ² CLI ß C O CLI ß tm ñ Server.authMechanism eⁿw ft / ß O≈ε C ϕo ] EKM ACLI ß Q user/password @ EKMAdmin/ changeME nJ°A C]chgpasswd ⁿOiH ≤o KXC \ 5-8 ychgpasswdzC Server.
v b 64 AMD64 Linux ⌠ ñAN LocalOS-setup/linux-x86_64/ libjaasauth.so s java_home/jre/bin/ ²A∩≤⌡μ 1.6 JVM 64 Linux Kernel ÑAΣñ java_home q O java_install_path/IBMJava-x86_6460C pGO Windows ¡xAKú no C w ¿ºßAziH Encryption Key Manager °A C{bAEncryption Key Manager ß iHQ OS ¼ /KX nJC NAu α≈nJ°A H V°A úμⁿO IDAi ⌡μ°A A ID τπ W /root v¡C Dell ú CΘ http://support.dell.
Manager °A b 10 ºßA÷¼P º ß qT SocketCºßA ZO ΘJⁿOAú ß ⌠CpGnⁿw ° Encryption Key Manager °A - ß Socket O íA ∩ KeyManagerConfig.properties ñ TransportListener.ssl.timeout eC ⁿO pGnb ñV≈ z{í°A úμ@σⁿOA t noXºⁿO Ap clifile Co ñ @ ⁿO O login ⁿOA] ß n JA α⌡μ⌠≤ⁿOC±ΦíAclifile iαt UCⁿOG login -ekmuser EKMAdmin -ekmpassword changeME listdrives ºßApGn⌡μo ⁿO A CLI ß G java com.ibm.keymanager.admin.
adddrive -drivename drivename [ -rec1 alias] [-rec2 alias][-symrec alias] -drivename drivename ⁿw nsWº ≈ 12 C : z b 10 esWΓ sAHF 12 C -rec1 ⁿw a≈ OW] ≈ C -rec2 ⁿw a≈ G OW] ≈ C -symrec ⁿw a≈ OW]∩ ≈ OW ≈ s W C d G adddrive -drivename 000123456789 -rec1 alias1 -rec2 alias2 addkeygroup Q u≈ s XMLvñ @ us IDv ≈ s Ω C addkeygroup -groupID groupname -groupID O KeyGroup XML ñs @ groupnameC d G addkeygroup -groupID keygroup1 addkeygroupalias ≈ xsw{ ≈ OW sOWAHKsW Sw≈ s I
createkeygroup b KeyGroup.xml ñA l≈ s ½≤Cun⌡μ@ C createkeygroup -password password -password [K KeyGroups.xml ñ ≈ xswKXAHKΘß passwordC≈ xsw [K≈ s ≈ A≈ s ≈ S [KC O ≈ s OW KXC] AKeyGroups.
export N a≈ϕμ Encryption Key Manager °A tm X ⁿw URLC export {-drivetab|-config} -url urlname -drivetab X a≈ϕμC -config X Encryption Key Manager °A tm C -url urlname ⁿwNgJ mC d G export -drivetab -url FILE:///keymanager/data/export.
-keysym CXⁿw≈ xswñ ∩ ≈ C -alias alias ⁿwMμM Sw C -verbose|-v π @ h ΩTC d G list -v CX≈ xswñ C list -alias mycert -v CX mycert OW i Ω ]pG config.keystore.file ≈ xswt o OW C listcerts CX config.keystore.file eⁿW ≈ xsw ]t C listcerts [-alias alias -verbose |-v] -alias alias ⁿwMμM Sw C -verbose|-v π @ h ΩTC d G listcerts -alias alias1 -v listconfig CXO Θ Encryption Key Manager °A tm eA M KeyManagerConfig.
-ekmuser b userID ñⁿw EKMadmin localOS ID Ao H O ¼ úP] \ 5-5 y O CLI ß z C -ekmpassword ID KXC d G login -ekmuser EKMAdmin -ekmpassword changeME logout nX{μ CPÑ ⁿOO logoffCu bw ß Ñq@ Ao ⁿO C d G logout modconfig ∩ Encryption Key Manager °A tm eCPÑ ⁿOO modifyconfigC e KeyManagerConfig.
refresh i Encryption Key Manager H s tm C ½sπzú Bf M a≈ϕμ d G refresh refreshks ½sπz≈ xswCpGb Encryption Key Manager °A ⌡μ Aw ∩L config.keystore.file ⁿw ≈ xswA Q o ⁿO ½sⁿJo ≈ xs wC ub n o ⁿOA] ª C αC d G refreshks status π ≈ z{í°A Ow w εC d G status stopekm ε Encryption Key Manager °A C d G stopekm sync HoXⁿO ≈ z{í°A tm e a≈ϕμΩT] Γ ú]Ab PB t@í Encryption Key Manager °A tm e a≈ϕμΩT ] Γ ú]Ab C : oΓ PB Φkúú Bz≈ xsw KeyGroups.
-rewrite HsΩ N{μΩ C d G sync -drivetab -ipaddr remoteekm.ibm.
6 DP ziH Encryption Key Manager O ≤Bh ≤ ≤ ú C do ½n A Encryption Key Manager °A D b Encryption Key Manager Lk AiH dT P D ]C v native_stdout.log M native_stderr.log – ≤ Encryption Key Manager °A ObI Bz{ ñ⌡μA] AS D xiHπ ª @δ TºM TºCo Tº Oⁿ oΓ ñC – pG Encryption Key Manager °A e t debug.output.file bú Θx P ²ñ oΓ C eAK – pG Encryption Key Manager °A e út debug.output.
CLI ß EKM °A ºí qT Diμú EKM CLI ß EKM °A ºí qTAOzL°A ß tm e ñ TransportListener.ssl.port e ⁿw ≡ iμ A ⁿ SSL O@C UCO ß Lks D BJC EKM °A X iα ]CΣñ]Ap≤P D ≤ v EKM °A ⌡μA] ß S qT ∩HC 1. bⁿO°íñUF netstat -an ⁿOA T{ TransportListener.ssl.port TransportListener.tcp.port eb EKM °A e ñ ⁿw ≡O π X C pG π o ≡ANϕ °A úb⌡μñ v EKM CLI ß e ñ TransportListener.ssl.host b TD≈WC e ⁿV EKM °A 1. EKM CLI ß e ñATransportListener.ssl.
Windows w]⌠ O C:/Program Files/IBM/KeyManagerServer/ Linux ¡x w]⌠ O /opt/ibm/KeyManagerServer/ 2. ½sΘJⁿO KMSAdminCmdAB J KeyManagerConfig.properties π⌠ C \u ² BAEncryption Key Manager tm e vAH o ΩTC EKM °A WC tm ≥ Cz btm ñAⁿw XML meta Ω Audit.metadata.file.name C pGn≤ o DA sW Audit.metadata.file.name KeyManagerConfig.properties tm ñC e Lk EKM.MykeysCt Σú ⁿw C 1. ϕ KeyManagerConfig.properties ñ ≈ xsw X{o TºC ⁿV{ AK 2. pGn≤ o DA Tw KeyManagerConfig.
Lk EKMC≈ xswμíL C 1. ϕ e ñ ≈ xsw C º@ⁿwF ≈ xsw ¼ AKiαX{o 2. pG e ñ ≈ xsw úⁿV P AEncryption Key Manager Q config.keystore.type @ ≈ xsw ≈ xsw ¼C 3. ϕ e ñS Sw≈ xsw ¼ ¼ jceksC Lk °A C Ñ ⌡μⁿ AEncryption Key Manager ] Aúb⌡μñC o o \hiα ]G 1. KeyManagerConfig.properties ñ UCΓ ⁿV P ≡G TransportListener.ssl.port TransportListener.tcp.port C Θ Ñ ú tm¿Q ¡ ≡ ÑC 2. oΓ Σñ@ tm ≡Aw ≈ z{í°A P≈ W ⌡μ t@ A ñC ΣXS ΣLA b ≡AQ o ≡ tm≈ z{í°A C 3.
Encryption Key Manager °i o@ wq Encryption Key Manager °iABb a≈P Ω ñ TºC ª q g¼X FSCCo≈ϕμ]t XBó ní H ≤ @C \u ² BAw]tm vAH oⁿwú e ÷ΩTC ϕ 6-1. Encryption Key Manager °i X í @ EE02 [K¬ Tºó G DriverErrorNotifyParameterErrorGu¼ úϕ ASC M ASCQCASC M ASCQ ú Xu≈ /≈ α½/≈ v@ Cv a≈nDúΣ @CTwz ⌡μ O s Encryption Key Manager] \ 3-1 yUⁿ s Key Manager ISO ImagezHP O s C d a ≈ Proxy °A Θ A n AN ª ≤s¿ s C b≈ z{í° A W ú l C ½ D ¼ ú ΘxCpG DA \ X u ²\¬v
ϕ 6-1. Encryption Key Manager °i ( ≥) í X 6-6 @ EE25 [Ktm DGo C EE29 [K¬ Tºó G L EE2B [K¬ Tºó G í GuDSK út Twz ⌡μ O s Encryption Key A Lkτ DSK ñ Cv Manager] \ 3-1 yUⁿ s Key Manager ISO ImagezHP O s C d a≈ Proxy °A Θ A n ANª ≤s¿ s C b≈ z{í°A W ú l C ½ D ¼ ú ΘxCpG DA \ X u ²\¬v@ ñ up Dellv AH o N≤U ÷ΩTC EE2C [K¬ Tºó G QueryDSKParameterErrorGuq mσR QueryDSKMessage o CDw dsk p Dw tⁿCv Dell Encryption Key Mgr ΓU P a≈ϕμ ÷ pGb KeyMa
ϕ 6-1. Encryption Key Manager °i ( ≥) í X @ EE2D [K¬ Tºó GTº ¼L Encryption Key Manager ¼ T ºA ¼ ú p≤Bz TºCTwz ⌡ μ O s Encryption Key Manager] \ 3-1 yUⁿ s Key Manager ISO ImagezHP O s C b≈ z{í°A W ú C ½ D ¼ ú ΘxCpG DA \ X u ²\¬v@ ñ up Dellv AH o N≤U ÷ΩTC EE2E [K¬ Tºó G q a≈ Proxy °A ¼ Tºút ¼CTwz ⌡μ O s Encryption Key Manager] \ 3-1 yUⁿ s Key Manager ISO ImagezH P O s C b≈ z{í° A W ú C ½ D ¼ ú ΘxCpG DA \ X u ²\¬v@ ñ up De
ϕ 6-1. Encryption Key Manager °i ( ≥) í X EF01 @ [Ktm DGu tm a≈Cv P Encryption Key Manager qT a≈ úb a≈ϕμñCpGb KeyManagerConfig.properties ñú F config.drivetable.file.urlA Two TC ⌡μ listdrives ⁿO d a≈O bMμñCpGúbA H T a≈Ω TAQ adddrive ⁿO Γ tm a≈A Q modconfig ⁿOAN ″drive.acceptUnknownDrives″ e] trueC ú l AA½ @ CpG DA \ X e y ²\¬z@ ñ yp Dellz AH o N≤U ÷ΩTC Tº Encryption Key Manager iHú UCTºAo Tº π b zD xñC ⁿwtm σr Configuration file not specified: fied when starting EKM.
@ ⌡μ listdrives ⁿOAHA a≈O wtm Encryption Key ManagerCpG a≈wsbAziHQ moddrive ⁿO ≤ a≈tmC ⌡μ helpAH o ΩTC LkOsΘx σr Failed to archive the log file. í Lk½sRWΘx C @ d \iv oí a≈W íC LkRútm σr “modconfig” command failed. í LkQ modconfig ⁿO Rú Encryption Key Manager tmC @ Q help dⁿOykATwú TC df ΘxAH o ΩTC LkRú a≈ σr “deldrive” command failed.
í Lk J a≈ϕμ tm C t Encryption Key Manager °A C @ Twⁿw URL sbABπ ¬ \ivC Q help dⁿOykC Tw TAA½ @ C Lk ∩tm σr “modconfig” command failed. í LkQ modconfig ⁿO ∩ Encryption Key Manager tmC @ Q help dⁿOykATwú TC df ΘxAH o ΩTC WúαO σr File name was not supplied for audit log file. í Q Encryption Key Manager tm m C e ú f W Co O n t t {í εC @ T{bú Encryption Key Manager Audit.handler.file.
t Encryption Key Manager C @ ⁿw r Audit.handler.file.sizeAA ½s Encryption Key ManagerC S nPB Ω σr No data can be found to be synchronized with “sync”. í sync ⁿOLk O⌠≤nPB Ω C @ T{ú tm sbABtm Q config.drivetable.file.url tmF T a≈ ϕμC Q help dykAA½ sync ⁿOC L ΘJ σr Invalid input parameters for the CLI. í SwⁿOykiαú TC @ TwΘJ ⁿO TC Q help dⁿOykC Twú TAA½ @ C tm ñ SSL ≡ L σr Invalid SSL port number specified in the EKM configuration file.
@ Encryption Key Manager A btm TransportListener.ssl.port ñⁿw ≡ AA ½s C e tm ñ TCP ≡ L σr Invalid TCP port number specified in the EKM configuration file. í tm ú TCP ≡ úO XC t Encryption Key Manager C @ Encryption Key Manager A btm TransportListener.tcp.port ñⁿw ≡ AA ½s Cw] TCP ≡ O 3801C e btm ñⁿw SSL ≡ σr SSL port number is not configured in the properties file.
t Encryption Key Manager C @ b TransportListener.tcp.port eñⁿw ≡ AA tion Key ManagerCw] TCP ≡ O 3801C ½s Encryp- °A Lk σr EKM server failed to start. í o tm DAEncryption Key Manager °A Lk C @ dú ºtm ñ C d ΘxAH o ΩTC PBó σr “sync” command failed.
@ d wf M ² \ivAA ½s Encryption Key ManagerC LkⁿJ z≈ xsw σr Keystore for Admin cannot be loaded. í LkⁿJú Encryption Key Manager z≈ xswCbhx°A ⌠ ñA z≈ xswOb Encryption Key Manager °A ºíA iμ°A qTC t Encryption Key Manager C @ dtm ]wC Tw Encryption Key Manager tm ñ admin.keystore.fileB admin.keystore.provider M admin.keystore.type e T] \u ² Bv B ≈ xsw sbAB ¬ vC TwQ admin.keystore.
í LkⁿJú Encryption Key Manager Θ≈ xswCbhx°A ⌠ ñA Θ≈ xswOb Encryption Key Manager °A ºíA iμ ß qTC t Encryption Key Manager C @ dtm ]wC Tw Encryption Key Manager tm ñ transport.keystore.fileBtransport.keystore.provider M transport.keystore.type e TB≈ xsw sbAB ¬ vC TwQ transport.keystore.password eA bⁿOμΘJA ú z≈ xsw KX TCºßAA ½s Encryption Key ManagerC úⁿΣ @ σr User entered action for the CLI which is not supported for EKM.
7 f O² : í f O²μí úQ° {í]p Co O² μíbúP ºíAiα úPC Fw Y nσRf O² ípA í Fo μíC f º[ b Encryption Key Manager nDBz íAo U if ≤ Af lt Nσrf O²g @ ñCf lt gJ@ ñ] ²M Wú iHtm Co jp]iHtmCH O²gJ Ab jp F itm jpºßA ÷¼ A {μ íWO ½sRWAA} t@ Ao O² g s ñC] Af O² πΘΘx ¿X itmj p Aª W jpWXitmjpº íWO ⁿwC pGn επΘf Θx ΩTq]≤V L≤ejAWX t i íAziH { Script {í ° tmºf ²/Ω ¿/xs ñ Cϕ ÷¼B íWO RW A s eAA [ n ° s≥Θx mAºßA[HMúCb⌡μ A p K ú ≤ Encryption Key Manage
d o tm d WμpUG Audit.event.types=all t@ d pUG Audit.event.types=authentication;runtime;resource_management Audit.event.outcome yk Audit.event.outcome={outcome[;outcome]} ⁿX ≤O] @ ¿\B@ ú¿\ o A OΓ ú f C ⁿw success Oⁿ]@ ¿\ o ≤C ⁿw failure Oⁿ]@ ú¿\ o ≤C d o tm d WμpUG Audit.event.outcome=failure pGn ¿\Mú¿\Γ ípG Audit.event.outcome=success;failure Audit.eventQueue.max yk Audit.eventQueue.max=number_events ]wOdbO Cw] OsC ΘεC ≤½≤ W¡CoO@ ∩ A² d Audit.eventQueue.
d N ²] /var/ekm/ekm1/auditG Audit.handler.file.directory=/var/ekm/ekm1/audit Audit.handler.file.size yk Audit.handler.file.size=sizeInKiloBytes o ⁿXF ÷¼f AgJsf jp¡εC NA Gf Ω jp iαWXo X A] ObWXjp¡εºß÷ ¼C d pGnN jpW¡]¿j 2 MBA ΘJG Audit.handler.file.size=2000 Audit.handler.file.name yk Audit.handler.file.name=fileName Q o ⁿwbⁿwf ² ≥ª WAHKb @ ≥ªW C NAo uα]t≥ WA úO Θx πW bo W ß[W gJ í ∩ C f Θx A π⌠ W Cf Fe{o@IA ]Q Audit.handler.file.name ] ekm.
d N≥ªW ] true d pUG Audit.handler.file.multithreads=true Audit.handler.file.threadlifespan yk Audit.handler.file.threadlifespan=timeInSeconds o ⁿw F gf Θx A⌡μⁿw n ° íCbMú Bz{ íAo i ⌡μⁿbD ºeA ¿ª @ CpGI ⌡μ ⁿ b threadlifespan t í ¿ª u@AbiμMúBz A N⌡μⁿ C d pGnN⌡μⁿ gf Θx n w í] 10 ϕA ⁿwG Audit.handler.file.
ϕ 7-1.
resource=resource action=action user=user ] NAub i ΩTº A X{ message M user C uΩ zv ≤ o O² μípUG Resource management event:[ timestamp=timestamp event source=source outcome=outcome event type=SECURITY_MGMT_RESOURCE message=message action=action user=user resource=resource ] NAub i ΩTº A X{ message C utm zv ≤ o O² μípUG Configuration management event:[ timestamp=timestamp event source=source outcome=outcome event type=SECURITY_MGMT_CONFIG message=message action=action command type=type user=user
ϕ 7-2.
ϕ 7-2. f O² ¼] f ≤ ( ≥) f ≤ Xtm Ao f O² ¼ listconfig ⁿO¿\ 7-8 Dell Encryption Key Mgr ΓU configuration_management configuration_management
8 meta Ω z tm Encryption Key Manager XML A o α≈ n¿ [ KΩ ½nΩTAH Nªg añCiQ d o AHπ OW ≈ C L íA]iQ OW d o AHπ o ≈ /OW ÷ C : pGz tm meta Ω AEncryption Key Manager Kú C ⌡μ[KBz{ AEncryption Key Manager ¼ UCΩ G v a≈ v a≈ WorldWideName v Θ v ≈ OW 1 v ≈ OW 2 v DKi v VolSer ¼ Ω FSw¡ε A g XML ñCw]¡εO 100 ºO²AziHb Encryption Key Manager e (KeyManagerConfig.
cert1 - keyAlias2 Tue Feb 20 09:18:07 CST 2007 - Θ GLTO 4 M LTO 5 a≈u O²AB O² DKiC d meta Ω XML Q EKMDataParser uπ d meta Ω Co uπQ uσ≤½≤ ¼ (DOM)v N σR XML ALkq Encryption Key Manager ⁿOμ ⌡μC ª IsΦípUG java com.ibm.keymanager.tools.EKMDataParser -filename full_path_to_metadata_file {-volser volser | -keyalias alias} metadata_path oO KeyManagerConfig.properties Audit.metadata.file.
at at at at at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) javax.xml.parsers.DocumentBuilder.parse(Unknown Source) com.ibm.keymanager.tools.EKMDataParser.a(EKMDataParser.java:136) com.ibm.keymanager.tools.EKMDataParser.a(EKMDataParser.java:26) com.ibm.keymanager.tools.EKMDataParser.main(EKMDataParser.java:93) pGo o A ]b≤≥ XML ⌠ CziH Encryption Key Manager meta Ω A EKMDataParser α≈½sσR C 1. Encryption Key Manager meta Ω ≈ C 2. sΦ Encryption Key Manager meta Ω C 3.
² A. d d n{í Script i: Od≈ xsw Ω Ñ ½nAúe °CϕLks ≈ xsw Az]LkN[K a KC N≈ xswM KXΩTxs C Linux ¡x HUOi²zbI ñA w≥ Φí EKM d ScriptCo≈ Script EKM H zL Script J≈ xswKX keystore_passwordC o ΦíA Kú nN≈ xswKX±b EKM tm ñC] \UC Co Script ]tUC eG java com.ibm.keymanager.KMSAdminCmd KeyManagerConfig.
TransportListener.ssl.ciphersuites = JSSE_ALL
TransportListener.ssl.clientauthentication = 0
TransportListener.ssl.keystore.name = /keymanager/testkeys
TransportListener.ssl.keystore.type = jceks
TransportListener.ssl.port = 443
TransportListener.ssl.protocols = SSL_TLS
TransportListener.ssl.truststore.name = /keymanager/testkeys
TransportListener.ssl.truststore.type = jceks
TransportListener.tcp.port = 3801
oO@ d EKM e A ≈ xsw úⁿVúP ≈ xswC Θ O≤W @ d e C Admin.ssl.keystore.
² B. Encryption Key Manager tm e Encryption Key Manager nΓ tm e GEncryption Key Manager °A @ A CLI ß @ CoΓ úH Java.util.Properties tⁿ íiμBz σRA ∩ eμíPWμI Sw¡εG v tm eOHCμ@ ΦíO²C w e μ C v ]t μ e ApKXÑAú nAb ñC v ≈ xswKX ° úoWL 127 r C v μ μi e @í≈C ziHqUC⌠} EKMServicesandSamples Uⁿd tm support.dell.comC e Ghttp:// Encryption Key Manager °A tm e UCU c¿F Encryption Key Manager °A tm (KeyManagerConfig.
Admin.ssl.keystore.type = value ≈ xsw ¼C n ∩ C w] jceks Admin.ssl.protocols = value w qT≤wC n ∩ C SSL_TLS | SSL | TLS w] SSL_TLS Admin.ssl.timeout = value ⁿw Socket Ñ read() h[ºßAKYX SocketTimeoutExceptionC n ∩ C H μ ⁿwC0 ϕ LO w] 1 Admin.ssl.truststore.name = value oO d°A ú Secure Sockets ß º Secure Sockets Server H⌠ Ω w W C n ∩ Cu ≤ sync ⁿOCw] O config.keystore.file e C Admin.ssl.truststore.type = value ≈ xsw ¼C n ∩ C w] jceks Audit.event.
| audit management | authorization terminate | configuration management | resource management | noneCiHⁿwh AHr I jC w] all Audit.handler.file.directory = ../audit ±m Audit.handler.file.name ² n ∩ C C Audit.handler.file.multithreads = value ⁿwf Bz íO ú O⌡μⁿ Bzf O²C n ∩ C true | false w] true Audit.handler.file.name = kms_audit.log NOⁿf WC n OC Audit.handler.file.size = 100 Audit.Handler.file.name b}l∩gºeAN¿° jp C n ∩ C 0 - ? ]H KB μ ⁿwC w] 100 Audit.
config.drivetable.file.url = FILE:../filedrive.table t B Ñ a≈ ÷ΩT C n OC config.keygroup.xml.file = value ⁿw≈ s xs OOW XML W C n ∩ C config.keystore.file = value ⁿwn ≈ xswC n OC config.keystore.password = password s config.keystore.file KXⁿwº Ao e ¿ XAHú¬ w { A e o q¿W ¡ N¿W ’config.keystore.password.obfuscated’ sq¿C n ∩ CpG ú Ab Encryption Key Manager º A ú zΘJC config.keystore.provider = IBMJCE n ∩ C config.keystore.
w - o ]wP drive.default.alias1 ]w@ AKiHsWs Encryption Key Manager a≈ABú n z τ o sWNα≈B @C \ 3 u ≤s a≈ϕμvAH o ΩTC fips = value p ΩTs w (FIPS)C \ 2 up ΩTs w (FIPS) 140-2 N vAH o ΩTC n ∩ C on | off w] off maximum.threads = 200 Encryption Key Manager α n ⌡μⁿ W¡C ∩ C Server.authMechanism = value ⁿw ft / ß O≈εCϕo ] EKM ACLI ß Q usr/passwd @ EKMAdmin/changeME nJ°A C ]chgpasswd ⁿOiH ≤o KXC ϕo ⁿw LocalOS A ∩ b ≤ @ t n² iμ ß OC] KeyManagerConfig.
w] EKM Server.password = value í eCúsΦC symmetricKeySet = {GroupID | keyAliasList [, keyAliasList,]} ⁿwn≤ LTO 4 LTO 5 a≈ ∩ ≈ OW ≈ s C n ∩ C A ≤ LTO 4 LTO 5 aXC ⁿw@ GroupIDAⁿw@ h keyAliasListC GroupID ⁿw@ ≈ s W AHK ∩ ≈ MμAH @ ⁿw a≈OW w] C GroupID X KeyGroup.xml ñ{ ≈ s IDC hAK KeyManageExceptionCpGⁿwFh GroupIDA] KeyManagerExceptionCbⁿw GroupID ºßACϕq KeyGroups.
°A IP }GSSL ≡ sync.timeinhours = value ⁿwÑ h p ºßAKP Encryption Key Manager PB C n ∩ C Hp μ ⁿwC w] 24 sync.type = value ⁿwn PB Ω C n ∩ C config | drivetab | all w] drivetab TransportListener.ssl.ciphersuites = JSSE_ALL Encryption Key Manager °A ºí qT KX XCKX Xí Ω e KXtΓk H μ½qT≤w Transport Layer Security (TLS) M Secure Socket Layer (SSL)C n ∩ C - IBMJSSE2 Σ ⌠≤KX XC TransportListener.ssl.
n OC ≡ Ap 443Co X CLI ß tm TransportListener.ssl.port eC e ñ TransportListener.ssl.protocols = SSL_TLS w qT≤w n ∩ C SSL_TLS]w] | SSL | TLS TransportListener.ssl.timeout = 10 ⁿw Socket Ñ read() h[ºßAKYX SocketTimeoutExceptionC n ∩ C H μ ⁿwC w] 1 TransportListener.ssl.truststore.name = value τ ΣL ß P°A ¡ º }≈ Mw ºΩ wW C pG TransportListener.ssl.
X Xí Ω e KXtΓk H μ½qT≤w Transport Layer Security (TLS) M Secure Socket Layer (SSL)C n ∩ C o X Encryption Key Manager °A e KeyManagerConfig.properties ñⁿw TransportListener.ssl.ciphersuites C TransportListener.ssl.host = value Encryption Key Manager CLI ß O Encryption Key Manager °A C n ∩ C IP } D≈W w] localhost d TransportListener.ssl.host = 9.24.136.444 TransportListener.ssl.host = ekmsvr02 : b KeyManagerConfig.properties ñAú o eC TransportListener.ssl.keystore.
n ∩ C w] jceks C ziHq http://support.dell.
² C. ú D iH {í¼≈ zP aw zº[K Y X H úiHC ϕ {í z [K Ab awh WA[KOzq CP aAϕ aw z [K A { bΣLh ]Ozq CU [K zΦ kO¼ C∩≤ aw z [KA {íú niμ⌠≤∩ C biαú a[K KnD C t WAEncryption Key Manager O n w nBb⌡μñH ϕ aw z [K Aú a≈gJnD t ú@wO⌡μ Encryption Key Manager t Cú²p AbC s [K a≈ t WA]ú@wn ⌡μñ Encryption Key Manager Ω C pG J ″drive.acceptUnknownDrives = True″ A O btm ñ J ″config.drivetable.file.url = FILE:/filename″ H @ ⁿw config.drivetable.file.urlCªO a≈ΩT b mCpGz] w drive.
N σ GDellBDell xM PowerVaultA Dell Inc. CMicrosoft M Windows hO Microsoft Corporation U C σ≤ñ ΣL W iαO x W ΩΘ Σú W CDell Inc.
Wⁿ Wⁿ wq X ΣL ÷X ñ SϕⁿJBYg r yC (certificate label). label)vC xsw (certificate store). (keystore)vC }≈ (public key). oOD∩ ≈ ºñ @ ≈ Aq [KC Encryption Key Manager ²Q }≈ ]O@ AES Ω ≈ AANª xs aXC ¡ \u≈ (key \u≈ xsw A AES. iÑ[K (Advanced Encryption Standard) r yCoOⁿΩF [K ⌠KXC D [K (encryption). oOⁿNΩ α½¿KXCΩ [ KM K n≈ C[Kú O@ εúπ ≈ H nΘ s Ω C DK. Ω ≈ (Data Key) r yCoO [KΩ rΩC C E OW (alias). \u≈ (key label)vC pK≈ (private key