HP StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide

Abstract
This document includes information on configuring HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries for supported encryption key servers, including the HP Enterprise Secure Key Manager (ESKM) and KMIP-based key servers. This document is intended for system administrators experienced with configuring tape libraries and encryption key servers. You can always download the most up-to-date firmware files from http://www.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
1 Introduction (page 4)
  Using an encryption key server (page 4)
  Considerations for using an encryption key server (page 5)
  Media compatibility for drives supporting encryption (page 5)
  Licensing
1 Introduction
This document includes information about configuring and using encryption key servers with the 1/8 G2 Tape Autoloader and MSL Tape Libraries with LTO-4 and later generation tape drives. The LTO-4 and later generation tape drives include hardware capable of encrypting data while it is being written, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the tape drive and media.
KMIP-based key servers
The 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries support integration with non-HP key servers through the KMIP protocol. This requires a KMIP Encryption license for the library. For configuration information, see “KMIP-based key server integration” (page 12).

Considerations for using an encryption key server
The libraries only support the configuration of one encryption key method at a time.
Table 2 KMIP and ESKM encryption licenses (continued)
Libraries: MSL4048, MSL8096 (the Part number and License name columns did not survive extraction)

Installing the encryption license
The license is installed from the library RMI or with HP Command View for Tape Libraries version 3.7 or later.

MSL6480
Install the license from the Configuration > System > License Key Handling screen. Enter the License Key and then click Add License.

Autoloader and MSL2024, MSL4048, and MSL8096
Install the license from the RMI Configuration: License Key page.
2 HP Enterprise Secure Key Manager (ESKM) integration
The MSL6480 library supports integration of all versions of the ESKM using the ESKM protocol. Integration with the ESKM allows encryption keys and encrypted tapes to be shared with the ESL G3 and other tape libraries that support the ESKM.
NOTE: If you are using ESKM 4.0 with the KMIP protocol, see the configuration instructions in “KMIP-based key server integration” (page 12).
5. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
6. In the ESKM Client Configuration screen, enter the username and password that the library will use to communicate with the ESKM.
NOTE: This username and password must match the client username and password created on the ESKM server. If the username and password have not already been set up on the ESKM device, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library.
Enter the client username and password, and then click Next.
7. The Certificate Generation screen displays the current library certificate, if one exists.
8. If you generated a new certificate, you must sign the new certificate in the Sign Library Certificate screen. Follow the instructions on the screen to sign the certificate in the ESKM web interface and then paste it into the ESKM Certificate pane. After pasting the signed certificate, click Next.
9. The ESKM Information screen displays prerequisites for using the ESKM. When the prerequisites have been met, click Next.
10. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify a setting or address issues, either click Back to reach the applicable screen or Cancel out of the wizard to fix the issues and return later. If the settings are correct and there are no errors, click Finish.
3 KMIP-based key server integration
The HP StoreEver 1/8 G2 Tape Autoloader and tape libraries support integration with encryption key management servers using the Key Management Interoperability Protocol (KMIP) standard. KMIP is an industry standard protocol for communications between a key management server and an encryption system. The KMIP specification is developed by the KMIP technical committee of the OASIS standards body (Organization for the Advancement of Structured Information Standards).
Configuring the KMIP feature for the MSL6480
With the Key Management Interoperability Protocol (KMIP) Wizard you can configure use of KMIP key management servers with the MSL6480 library. Access to the wizard from the Encryption menu on the RMI is only available to the security user and requires that the KMIP license has been added from the Configuration > System > License Key Handling screen.
NOTE: The MSL6480 library only allows one encryption key manager type to be used at a time.
6. Verify that the KMIP feature is working. See “Verifying that the encryption key server integration is working” (page 23).

Using the KMIP Wizard
1. In the Configuration area, click KMIP Wizard in the Encryption menu to start the wizard.
2. The Wizard Information screen displays information about the wizard. If the library configuration is complete and the KMIP server is available on the network, click Next.
Paste the certificate into the wizard and then click Next.
5. The Library Certificate Information screen displays information about the next wizard steps. Click Next.
6. In the KMIP Client Configuration screen, enter the username and password that the library will use to communicate with the KMIP server and then click Next.
NOTE: This username and password must match the client username and password entered on the KMIP server for this library.
9. In the KMIP Server Configuration screen, enter the IP address or fully qualified hostname and port number for up to ten KMIP servers. The default port for KMIP is 6596. HP recommends using the default value. To verify access to the KMIP servers, click Connectivity Check.
10. In the KMIP Partition Enablement screen, select KMIP Enabled to configure partitions for use with KMIP, and then click Next.
11. The Setup Summary screen displays the settings that were collected by the wizard.
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries
The EBS Matrix lists the compatible KMIP server models, the server vendors, and links to primary documents those vendors provide.

Table 3 Enrolling the autoloader or library with a KMIP server
Step | Description of task                                                            | Primary documents providing more detail
1    | Install and configure the key servers. Collect the IP address of each server.  | Server vendor’s product documentation
Entering the KMIP client credentials
In the RMI Configuration: Security page, enter the KMIP Client User Name and KMIP Client Password that the autoloader or library will use to log in to the key server, and then click Submit.
NOTE: This client user name and password must match the username and password on the KMIP server for this library.

Generating the client certificate request
In the KMIP Certificate Import section of the Configuration: Security page, click Generate Certificate Request.
Signing the client certificate on the server
NOTE: These instructions are for the SafeNet KMIP server. If you are using a different server, consult your server documentation for instructions.
1. Log into the SafeNet KMIP server and select the Security tab.
2. In the CAs & SSL Certificates area, select Local CAs.
3. Click Sign Request. The Sign Certificate Request screen appears.
4. Enter the request information and then click Sign Request.
1. Using a text editor, copy the contents of the signed certificate and paste it into the Signed Certificate field. Include all of the certificate text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
2. Click Upload. Once the autoloader or library has validated the signed certificate, it will display the Apply New Certificate Settings button.
3. Click Apply New Certificate Settings to save the settings. If using ESKM 4.0, you must also copy the client certificate to the ESKM 4.
Configuring access to the key servers
Configure the KMIP servers in the KMIP Server Configuration pane of the Configuration: Security page. You can configure a cluster of up to six KMIP servers. The autoloader or library will automatically use a different configured KMIP server if a connection fails. Enter the hostname or IPv4 address of a KMIP server in the Server X IP/Hostname field. The Port must be 5696 unless the KMIP server is already configured to use a different port. Click Submit Query.
4 Verifying that the encryption key server integration is working
HP recommends verifying that the encryption process is working before placing the autoloader or library into a production environment. This is often called an end-to-end verification test. The following steps describe how an end-to-end verification test can be conducted.
Connectivity test: Verifies that the autoloader or library can connect with each of the configured key servers. See “Connectivity test” (page 23).
Autoloader and other MSL libraries
Run the connectivity test from the Configuration: Security page. In the KMIP Diagnostics pane, click Test Server Connectivity. The test will check network connectivity and the KMIP login credentials and then display the test results. When successful, the report will have four green check marks for each configured server. If the Authentication and KMIP Query tests fail, check the Key Security settings in the ESKM Security > High Security screen.
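The connectivity test above, together with the cluster settings under Configuring access to the key servers (up to six servers, port 5696, automatic failover), can be rehearsed from an administrator workstation before the library is put into production. This is an added example, not HP's code and not what the library itself runs: it assumes a workstation with network access to the key servers, covers only TCP reachability and the TLS handshake (not the KMIP login), and every server name used in it is constructed.

```python
import socket
import ssl

KMIP_DEFAULT_PORT = 5696   # value used in the KMIP Server Configuration pane (IANA port for KMIP)
MAX_CLUSTER_SIZE = 6       # the Configuration: Security page accepts a cluster of up to six servers


def parse_cluster(entries):
    """Turn 'host' or 'host:port' strings into (host, port) tuples.

    Mirrors the Server X IP/Hostname and Port fields: no port means 5696.
    Hostnames and IPv4 addresses only (as on the RMI page), so the last
    colon separates the port; more than six servers is an error."""
    if len(entries) > MAX_CLUSTER_SIZE:
        raise ValueError(f"{len(entries)} servers; the library accepts at most {MAX_CLUSTER_SIZE}")
    cluster = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            host, port = entry, str(KMIP_DEFAULT_PORT)
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad server entry {entry!r}")
        cluster.append((host, int(port)))
    return cluster


def check_server(host, port, ca_file=None, timeout=5.0):
    """TCP connect plus TLS handshake to one key server; returns (ok, detail).

    Covers the network-connectivity half of Test Server Connectivity only:
    the KMIP login (client certificate, username/password) is not exercised,
    so a pass means the TLS endpoint answers, not that credentials work.
    Give the key server's local CA certificate as ca_file to verify the
    server certificate too; without it the handshake is unverified."""
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
    else:                                   # reachability check only, no trust decision
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake completed"
    except OSError as exc:                  # refused, timeout, DNS or TLS failure (SSLError is an OSError)
        return False, f"{type(exc).__name__}: {exc}"


def check_cluster(entries, ca_file=None, timeout=5.0):
    """Check every server in the cluster: the library fails over to another
    configured server when a connection fails, so all should pass before go-live."""
    return {f"{h}:{p}": check_server(h, p, ca_file, timeout) for h, p in parse_cluster(entries)}
```

A server that passes here but fails the library's own Authentication or KMIP Query checks points at the credentials, the client certificate or the server's key security settings rather than the network.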
To use 2048-bit certificates, update the autoloader or library to the current version and retry the test. The earliest firmware versions that generate 2048-bit certificates are:
• 1/8 G2 autoloader: 4.30
• MSL2024: 6.20
• MSL4048: 8.70
• MSL8048 and MSL8096: 1130

Basic encryption test
1. Using your backup application, load a scratch tape into a drive in a partition configured for encryption with the key server.
2. Rewind and then initialize the tape.
6. Re-enable the ability of each server to communicate with the clients. This concludes the failover test.
5 Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
6 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.