BackBox H4.00 Tape Encryption Option

Configuration
o Be able to access a key owned by a VTC group member
o Be able to delete a key owned by a VTC group member (if key deletion
automation will be enabled for SCRATCH media)
ESKM Note: If the Key Manager server type is ESKM and the VTC clients are
not intended to be used in collaboration with VLE, a local group named
BackPak should be created and the VTC's username added to it. If the VTC
clients are intended to be used in interoperability with VLE for tape, the
VTC's username should be added to the same local group as the CLIM (normally
the local group NonStop).
VTC configuration
VT Controller digital certificate generation activity (for each VTC identified by
the Security Authority user role)
o Generate a private key (normally an RSA key) for the Key Manager
communication channel according to enterprise security policy (e.g. key
length 1024 or 2048, passphrase, etc.)
o Generate a certificate request with the certificate fields set according to
enterprise security policy and the Key Manager server specifics (e.g. the
username needs to be specified in the Common Name field or in another
specific certificate field, client IP address, etc.)
o Submit the certificate request to be signed by the Key Manager server
local Certificate Authority (by the KM Administrator role)
o Install the signed certificate file (must be named ClientCert.pem),
the private key file (must be named ClientKey.pem) and the Local CA
certificate used to authenticate the Key Manager server (must be named
CACert.pem) into a specific folder on the local disk of the VT
Controller. Access to the 3 files and the folder should be restricted to
only the Security Authority user and the VTC services (LOCAL SERVICE
account).
Note: The 3 files must be in PEM format.
o Keep and save the following (will be required for BackBox configuration):
    The key manager VTC username
    The password for the key manager VTC username
    The ClientKey.pem passphrase
    The folder location of the 3 files
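A pre-install check for the three files listed above, as an added example that is not part of the original guide: it confirms the PEM armor, that ClientKey.pem is passphrase-protected, that ClientCert.pem matches the key and verifies against CACert.pem, and that the Common Name is the Key Manager username. The function names, the passphrase file, the sample CA and the username vtcuser01 are assumptions constructed for illustration; it assumes a POSIX shell with openssl on the workstation where the files are prepared.

```shell
#!/bin/sh
# Added example (not from the BackBox guide): check the 3 PEM files before install.
# Usage: check_vtc_pem_dir DIR PASSPHRASE_FILE EXPECTED_CN   (returns 0 when all pass)
check_vtc_pem_dir() {
    dir=$1; passfile=$2; want_cn=$3; rc=0
    for f in ClientCert.pem ClientKey.pem CACert.pem; do
        # Every PEM file carries a "-----BEGIN ...-----" armor line.
        grep -q '^-----BEGIN ' "$dir/$f" 2>/dev/null ||
            { echo "FAIL: $f is missing or not PEM"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The private key should be stored encrypted under its passphrase.
    grep -q 'ENCRYPTED' "$dir/ClientKey.pem" ||
        { echo "FAIL: ClientKey.pem is not passphrase-protected"; rc=1; }
    # The certificate must contain the public half of ClientKey.pem.
    cert_pub=$(openssl x509 -in "$dir/ClientCert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/ClientKey.pem" -passin "file:$passfile" \
        -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: ClientCert.pem does not match ClientKey.pem"; rc=1; }
    # The certificate must verify against the Key Manager local CA.
    openssl verify -CAfile "$dir/CACert.pem" "$dir/ClientCert.pem" >/dev/null 2>&1 ||
        { echo "FAIL: ClientCert.pem is not signed by CACert.pem"; rc=1; }
    # The Common Name must be the Key Manager username.
    openssl x509 -in "$dir/ClientCert.pem" -noout -subject -nameopt multiline |
        grep -q "commonName *= *$want_cn\$" ||
        { echo "FAIL: Common Name is not $want_cn"; rc=1; }
    return "$rc"
}

# Constructed sample data: a throwaway CA and client identity, for offline runs only.
make_sample() {
    d=$1; cn=$2
    printf 'constructed-passphrase\n' > "$d/pass.txt"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample Local CA" -keyout "$d/ca.key" -out "$d/CACert.pem" 2>/dev/null
    openssl genrsa -aes256 -passout "file:$d/pass.txt" -out "$d/ClientKey.pem" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/ClientKey.pem" \
        -passin "file:$d/pass.txt" -subj "/CN=$cn" -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/CACert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/ClientCert.pem" 2>/dev/null
}
```

Run make_sample against an empty scratch directory to see a passing result, then point check_vtc_pem_dir at the real folder before copying the files to the VT Controller.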
Generate RSA key and Certificate request
Here is a cookbook example that can be adapted to the Key Manager server
requirements and the enterprise security policies.
It uses OpenSSL to generate a 1024-bit RSA key and a certificate request with
a username in the Common Name field, as the ESKM Key Manager requires.
1- Download and install an OpenSSL distribution package
2- From a command console