Virtual TapeServer 6.04.03 Operations and Administration Guide
Using SecureVTS | 77
Prerequisites for configuration
Before you begin, you may want to gather the following information to expedite the
configuration process:
• Username and password of a VTS user account that belongs to the Administration group.
• If multiple VTS servers are installed, gather the following:
  • Hostname or IP address, username, and password of the VTS server that will be
    configured as the key generator, which will generate keys when virtual tapes and
    pools need to be encrypted and decrypted.
  • Hostname or IP address, port, username, and password for configuring a backup host
    that will be used by the key generator to store a backup of the key database; this host
    must support the Secure Copy (SCP) protocol, through the use of the scp or scp2
    program.
Adding a key server
A key server is embedded in every VTS server and, by default, each VTS server is configured
to generate keys. This type of key server is referred to as a “key generator”. When a key is
generated, the key ID is stored with the encrypted virtual tape and the key is stored in a key
database on the key generator. If a key generator is reconfigured to no longer generate keys, it
is then referred to as a “non-key generator”. The key database remains on the non-key
generator but that server no longer creates keys. When a virtual tape needs to be decrypted,
VTS retrieves the encryption key from the key server that generated the key. If the key
generator was reconfigured as a non-key generator, VTS must still have access to that key
server.
If there are multiple VTS servers in your environment, it is recommended that you designate
only one server as the key generator. You must add the key generator to each VTS server in
your environment. Then, you must reconfigure the localhost entry on all other servers as a
non-key generator so that each VTS server can continue to access its key database. (You can
remove a key generator if it was never used to create keys.) See Using SecureVTS in a
multi-server environment on page 75 for an example.
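The key dependency described above can be checked before servers are reconfigured. The following Python model is an added example, not part of VTS or of this guide; the server names, key IDs, tape names and data structures are constructed, and it assumes you know which server must decrypt each tape.

```python
from dataclasses import dataclass, field

@dataclass
class VtsServer:
    name: str
    key_db: set = field(default_factory=set)       # key IDs this server generated and still stores
    key_servers: set = field(default_factory=set)  # key servers added on this VTS server
    generates_keys: bool = True                    # default: every VTS server is a key generator

def designate_generator(servers, generator):
    """One key generator, added to every server; the other servers keep their
    localhost entry, reconfigured as a non-key generator."""
    for s in servers.values():
        s.key_servers |= {generator, s.name}
        s.generates_keys = s.name == generator

def removable(server):
    """A key server may be removed only if it never created keys."""
    return not server.key_db

def unreadable(servers, tapes):
    """tapes: {tape: (key_id, server that must decrypt it)} -> {server: [tapes]}"""
    origin = {kid: s.name for s in servers.values() for kid in s.key_db}
    report = {}
    for tape, (kid, reader) in sorted(tapes.items()):
        # A key ID with no known origin is also reported as unreadable.
        if origin.get(kid) not in servers[reader].key_servers:
            report.setdefault(reader, []).append(tape)
    return report

def demo():
    # Constructed inventory: vts2 created keys before the change, vts3 never did.
    servers = {
        "vts1": VtsServer("vts1", key_db={"k-1001"}),
        "vts2": VtsServer("vts2", key_db={"k-2001"}),
        "vts3": VtsServer("vts3"),
    }
    tapes = {"T001": ("k-1001", "vts1"), "T002": ("k-2001", "vts2"),
             "T003": ("k-2001", "vts3")}  # T003 was encrypted on vts2, read on vts3
    designate_generator(servers, "vts1")
    after_plan = unreadable(servers, tapes)
    # Mistake: deleting vts2's localhost entry instead of reconfiguring it.
    servers["vts2"].key_servers.discard("vts2")
    after_delete = unreadable(servers, tapes)
    return after_plan, after_delete, {n: removable(s) for n, s in servers.items()}

if __name__ == "__main__":
    print(demo())
```

In this model, T003 stays unreadable on vts3 until vts2 is added there as a key server, and T002 becomes unreadable on vts2 once its localhost entry is deleted.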
Any time a key is stored in the key database, the database is backed up locally and on a
backup host, which must be configured in a separate step (see Adding a key database
backup host on page 78). In general, the key database (and its backup) remains small,
typically around 10 MB when storing thousands of keys.
Note: You cannot modify a key server after it is added. To change the settings, you must
delete the key server and then add it again, specifying the correct parameters. See
Deleting a key server on page 85 for instructions on deleting a key server.
Requires Administration group membership
To add a key server
1. Click SecureVTS Setup on the navigation pane.
2. If necessary, log in using an account that is a member of the Administration group. Click
the Log In button at the top of the page and enter a username and password.