HP StoreEver MSL Tape Libraries Encryption Key Server Configuration Guide

Abstract
This document includes information on configuring HP StoreEver 1/8 G2 Tape Autoloader and MSL Tape Libraries for supported encryption key servers, including the HP Enterprise Secure Key Manager (ESKM) and KMIP-based key servers. This document is intended for system administrators experienced with configuring tape libraries and encryption key servers. You can always download the most up-to-date firmware files from http://www.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
1 Introduction .......... 4
Using an encryption key server .......... 4
Considerations for using an encryption key server .......... 5
Media compatibility for drives supporting encryption .......... 5
Licensing .....
1 Introduction
This document includes information about configuring and using encryption key servers with the 1/8 G2 Tape Autoloader and MSL Tape Libraries with LTO-4 and later generation tape drives. The LTO-4 and later generation tape drives include hardware capable of encrypting data while it is being written, and decrypting data when reading. Hardware encryption can be used with or without compression while maintaining the full speed and capacity of the tape drive and media.
KMIP-based key servers
The 1/8 G2 Tape Autoloader and the MSL2024, MSL4048, MSL6480, MSL8048, and MSL8096 Tape Libraries support integration with non-HP key servers through the KMIP protocol. This requires a KMIP Encryption license for the library. For configuration information, see “KMIP-based key server integration” (page 12).

Considerations for using an encryption key server
The libraries only support the configuration of one encryption key method at a time.
Table 2 KMIP and ESKM encryption licenses (continued)
Libraries | Part number | License name
• MSL4048, • MSL8096 | | 

Installing the encryption license
The license is installed from the library RMI or with HP Command View for Tape Libraries version 3.7 or later.

MSL6480
Install the license from the Configuration > System > License Key Handling screen. Enter the License Key and then click Add License.

Autoloader and MSL2024, MSL4048, and MSL8096
Install the license from the RMI Configuration: License Key page.
2 HP Enterprise Secure Key Manager (ESKM) integration
The MSL6480 library supports integration of all versions of the ESKM using the ESKM protocol. Integration with the ESKM allows encryption keys and encrypted tapes to be shared with the ESL G3 and other tape libraries that support the ESKM.

NOTE: If you are using ESKM 4.0 with the KMIP protocol, see the configuration instructions in “KMIP-based key server integration” (page 12).
5. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
6. In the ESKM Client Configuration screen, enter the username and password that the library will use to communicate with the ESKM.
NOTE: This username and password must match the client username and password created on the ESKM server. If the username and password have not already been set up on the ESKM device, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library. Enter the client username and password, and then click Next.
7. The Certificate Generation screen displays the current library certificate, if one exists.
8. If you generated a new certificate, you must sign it in the Sign Library Certificate screen. Follow the instructions on the screen to sign the certificate in the ESKM web interface and then paste it into the ESKM Certificate pane. After pasting the signed certificate, click Next.
9. The ESKM Information screen displays prerequisites for using the ESKM. When the prerequisites have been met, click Next.
10. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify settings or address issues, either click Back to return to the applicable screen, or click Cancel to leave the wizard, fix the issues, and return later. If the settings are correct and there are no errors, click Finish.
3 KMIP-based key server integration
The HP StoreEver 1/8 G2 Tape Autoloader and tape libraries support integration with encryption key management servers using the Key Management Interoperability Protocol (KMIP) standard. KMIP is an industry standard protocol for communications between a key management server and an encryption system. The KMIP specification is developed by the KMIP technical committee of the OASIS standards body (Organization for the Advancement of Structured Information Standards).
Configuring the KMIP feature for the MSL6480
With the Key Management Interoperability Protocol (KMIP) Wizard you can configure use of KMIP key management servers with the MSL6480 library. Access to the wizard from the Encryption menu on the RMI is only available to the security user and requires that the KMIP license has been added from the Configuration > System > License Key Handling screen.

NOTE: The MSL6480 library only allows one encryption key manager type to be used at a time.
6. Verify that the KMIP feature is working. See “Verifying that the encryption key server integration is working” (page 22).

Using the KMIP Wizard
1. In the Configuration area, click KMIP Wizard in the Encryption menu to start the wizard.
2. The Wizard Information screen displays information about the wizard. If the library configuration is complete and the KMIP server is available on the network, click Next.
Paste the certificate into the wizard and then click Next.
5. The Library Certificate Information screen displays information about the next wizard steps. Click Next.
6. In the KMIP Client Configuration screen, enter the username and password that the library will use to communicate with the KMIP server, and then click Next.

NOTE: This username and password must match the client username and password entered on the KMIP server for this library.
9. In the KMIP Server Configuration screen, enter the IP address or fully-qualified hostname and port number for up to ten KMIP servers. The default port for KMIP is 6596. HP recommends using the default value. To verify access to the KMIP servers, click Connectivity Check.
10. In the KMIP Partition Enablement screen, select KMIP Enabled to configure partitions for use with KMIP, and then click Next.
11. The Setup Summary screen displays the settings that were collected by the wizard.
Configuring the KMIP feature for the 1/8 G2 Tape Autoloader and other MSL Tape Libraries
The EBS Matrix lists the compatible KMIP server models, the server vendors, and links to primary documents those vendors provide.

Table 3 Enrolling the autoloader or library with a KMIP server
Step | Description of task | Primary documents providing more detail
1 | Install and configure the key servers. Collect the IP address of each server. | Server vendor’s product documentation
Entering the KMIP client credentials
In the RMI Configuration: Security page, enter the KMIP Client User Name and KMIP Client Password that the autoloader or library will use to log in to the key server, and then click Submit.

NOTE: This client user name and password must match the username and password on the KMIP server for this library.

Generating the client certificate request
In the KMIP Certificate Import section of the Configuration: Security page, click Generate Certificate Request.
4. Enter the request information and then click Sign Request.
• Sign with Certificate Authority — Verify that the desired Certificate Authority is selected.
• Certificate Purpose — Select Client.
• Certificate Duration (days) — Enter the desired duration.
• Certificate Request — Paste the certificate request obtained from the autoloader or library RMI. See “Generating the client certificate request” (page 18).
2. Paste the signed client certificate in the Import New KMIP Client Certificate pane and then click Save.

Configuring access to the key servers
Configure the KMIP servers in the KMIP Server Configuration pane of the Configuration: Security page. You can configure a cluster of up to six KMIP servers. The autoloader or library will automatically use a different configured KMIP server if a connection fails. Enter the hostname or IPv4 address of a KMIP server in the Server X IP/Hostname field.
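Both server lists described in this guide (up to ten servers in the MSL6480 KMIP Wizard, up to six in the Configuration: Security page of the autoloader and other MSL libraries) take an IPv4 address or fully-qualified hostname per server and are followed by a connectivity test. The Python below is an added example, not HP code or library firmware: it validates a server list against those limits from a management host and performs the mutually authenticated TLS handshake a key server expects from an enrolled client. The sample cluster entries, the certificate file names, and the assumption that the KMIP server requires the library's signed client certificate are constructed for the example.

```python
import ipaddress
import re
import socket
import ssl

KMIP_DEFAULT_PORT = 6596  # default KMIP port as stated in this guide
MAX_SERVERS = 10          # MSL6480 wizard limit; pass 6 for the autoloader/other MSLs

# Fully-qualified hostname: dotted labels ending in an alphabetic top-level domain.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def parse_server_entry(entry):
    """'host' or 'host:port' -> (host, port); ValueError on a bad host or port."""
    host, sep, port_text = entry.strip().rpartition(":")
    if not sep:  # no port given: the library's default applies
        host, port_text = entry.strip(), str(KMIP_DEFAULT_PORT)
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"bad port in {entry!r}")
    try:
        ipaddress.IPv4Address(host)  # the library accepts IPv4 or a hostname
    except ValueError:
        if not _FQDN_RE.match(host):
            raise ValueError(f"not an IPv4 address or FQDN: {host!r}")
    return host, int(port_text)


def validate_cluster(entries, max_servers=MAX_SERVERS):
    """1..max_servers well-formed entries, no duplicate host:port (adds no failover)."""
    if not entries or len(entries) > max_servers:
        raise ValueError(f"need 1..{max_servers} servers, got {len(entries)}")
    servers, seen = [], set()
    for entry in entries:
        server = parse_server_entry(entry)
        if server in seen:
            raise ValueError(f"duplicate server {server[0]}:{server[1]}")
        seen.add(server)
        servers.append(server)
    return servers


def tls_probe(host, port, ca_file, client_cert, client_key, timeout=5.0):
    """Mutually authenticated TLS handshake only (no KMIP messages): trust just the
    pasted server/CA certificate and present the signed client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{host}:{port}: {tls.version()}, peer {tls.getpeercert()['subject']}"
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return False, f"{host}:{port}: {exc}"
```

Run `validate_cluster(["192.0.2.10", "kmip2.example.net:6596"])` on a constructed list and pass each (host, port) to `tls_probe` with the CA file and client certificate/key you intend to load into the library; a failed handshake points at the trust chain or credentials before the library's own connectivity test is attempted.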
Enabling KMIP-based encryption
Enable KMIP-based encryption from the KMIP Encryption Configuration pane of the Configuration: Security page. If the library is partitioned into multiple logical libraries, encryption can be enabled for one or more logical libraries or partitions.
4 Verifying that the encryption key server integration is working
HP recommends verifying that the encryption process is working before placing the autoloader or library into a production environment. This is often called an end-to-end verification test. The following steps describe how an end-to-end verification test can be conducted.

Connectivity test: Verifies that the autoloader or library can connect with each of the configured key servers. See “Connectivity test” (page 22).
Autoloader and other MSL libraries
Run the connectivity test from the Configuration: Security page. In the KMIP Diagnostics pane, click Test Server Connectivity. The test will check network connectivity and the KMIP login credentials and then display the test results. When successful, the report will have four green check marks for each configured server.

Basic encryption test
7. Using your backup application, load the same tape into any drive in the partition configured for encryption with a key server.
8. Read the header of the tape using a media identification or similar command.
• The backup application should report a failure because the header is encrypted but the key cannot be exported.
• One of the key server logs should show a request for the key and that the request was denied.
9. Using the backup application, unload the media to a slot.
5 Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
6 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.