HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries User and Service Guide Addendum

Abstract

This document is an addendum to the HP StoreEver 1/8 G2 Tape Autoloader User and Service Guide (part number AK377-96024) and HP StoreEver MSL2024, MSL4048, MSL8048, and MSL8096 Tape Libraries User and Service Guide (part number AK378-96059). This addendum provides information about features added to the autoloader and libraries since the user and service guides were updated, including KMIP integration.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents

1 Introduction
    Encryption kit key creation policy
2 Using a KMIP-based key server
    Key managers
    Operation
1 Introduction

This document includes information about features added to the autoloader or library after the user guide was published. These features include:

• Change to the HP 1/8 G2 and MSL Tape Libraries Encryption Kit encryption key creation policy. See “Encryption kit key creation policy” (page 4).
• KMIP-based key server integration. See “Using a KMIP-based key server” (page 5).

NOTE: All USB storage devices used with the autoloader or library should be FAT-32 format.
2 Using a KMIP-based key server

The autoloader and libraries now support integration with encryption key management servers using the Key Management Interoperability Protocol (KMIP) standard. KMIP is an industry standard protocol for communications between a key management server and an encryption system. The KMIP specification is developed by the KMIP technical committee of the OASIS standards body (Organization for the Advancement of Structured Information Standards).
Table 1 Enrolling the autoloader or library with a KMIP server (continued)

Step | Description of task | Primary documents providing more detail
4 | Install the HP StoreEver MSL2024/4048/8096 KMIP license. | “Installing the KMIP encryption license” (page 7)
5 | Set or enter the KMIP security password in the RMI. | “Set or enter the KMIP security password” (page 7)
6 | Enter the KMIP Client Credentials in the RMI. | “Entering the KMIP client
Installing the KMIP encryption license

The KMIP feature requires a license key. Install the HP StoreEver MSL2024/4048/8096 KMIP license from the RMI Configuration: License Key page. Enter the key and then press Submit. The license can also be installed with HP Command View for Tape Libraries version 3.7 or later.

Set or enter the KMIP security password

In the RMI Configuration: Security page, enter the KMIP security password, which is required for modifying the KMIP configuration.
Entering the KMIP client credentials

In the RMI Configuration: Security page, enter the KMIP Client User Name and KMIP Client Password that the autoloader or library will use to log in to the key server, and then click Submit.

Generating the client certificate request

In the KMIP Certificate Import section of the Configuration: Security page, click Generate Certificate Request. The KMIP Client User Name will be used as the certificate name for the certificate request.
4. Enter the request information and then click Sign Request.
   • Sign with Certificate Authority — Verify that the desired Certificate Authority is selected.
   • Certificate Purpose — Select Client.
   • Certificate Duration (days) — Enter the desired duration.
   • Certificate Request — Paste the certificate request obtained from the autoloader or library RMI. See “Generating the client certificate request” (page 8).
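One way to check the signed certificate returned by the key server before importing it through the RMI, shown as an added example that is not part of the HP guide. It assumes the "certificate name" is the subject Common Name and that the CA certificate and signed certificate are available as PEM files; the file names, the user name `msl-kmip-client`, and the helper `make_sample` (which stands in for the key server's signing step) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP's code). File names and the user name "msl-kmip-client"
# are constructed placeholders.

# check_kmip_client_cert CERT CA_CERT EXPECTED_CN
# Succeeds only if CERT chains to CA_CERT, is usable for TLS client
# authentication, is not expired, and has subject CN equal to EXPECTED_CN.
check_kmip_client_cert() {
    cert=$1; ca=$2; want_cn=$3
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by this CA or not a client certificate"; return 1; }
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: subject CN '$cn' is not '$want_cn'"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    echo "OK: $cn, $(openssl x509 -in "$cert" -noout -enddate)"
}

# make_sample DIR CN EKU: build a constructed CA and a certificate signed with
# the given extendedKeyUsage, standing in for the key server's signing step.
make_sample() {
    dir=$1; cn=$2; eku=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/client.pem" 2>/dev/null
}

# Demonstration on constructed data: a correctly signed client certificate,
# then one signed with the wrong purpose (server instead of client).
demo=$(mktemp -d)
make_sample "$demo" msl-kmip-client clientAuth
check_kmip_client_cert "$demo/client.pem" "$demo/ca.pem" msl-kmip-client
make_sample "$demo" msl-kmip-client serverAuth
check_kmip_client_cert "$demo/client.pem" "$demo/ca.pem" msl-kmip-client
rm -rf "$demo"
```

A certificate signed with the wrong purpose or under a different name fails this check offline, which is easier to diagnose than a rejected login at the key server.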
Basic encryption test: Verifies encryption is working on partitions configured for encryption. See “Basic encryption test” (page 10).

Failover test: Verifies keys can be retrieved from another server if the server currently in use becomes unavailable. See “Failover test” (page 11).

Some of the steps occur on the KMIP server and HP cannot provide specific details. For the SafeNet KMIP server, log files can be found on the SafeNet Device > Log Viewer > System screen.
4. From the KMIP server, find the key that was created in step 2 and temporarily disable the key’s ability to be exported. See your server documentation for instructions.
5. Using your backup application, load the same tape into any drive in the partition configured for KMIP encryption.
6. Read the header of the tape using a media identification or similar command.
   • The backup application should report a failure because the key cannot be exported but the header is encrypted.
3 Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
4 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.