Virtual TapeServer 6.04.04 for NonStop Servers Operations and Administration Guide

Using SecureVTS | 57

Prerequisites for configuration

Before you begin, you may want to gather the following information to expedite the

configuration process:

• Username and password of a VTS user account that belongs to the Administration group.

• If multiple VTS servers are installed, gather the following:

• Hostname or IP address, username, and password of the VTS server that will be

configured as the key generator, which will generate keys when virtual tapes and

pools need to be encrypted and decrypted.

• Hostname or IP address, port, username, and password for configuring a backup host

that will be used by the key generator to store a backup of the key database; this host

must support the Secure Copy (SCP) protocol, through the use of the scp or scp2

program.

Adding a key server

A key server is embedded in every VTS server and, by default, each VTS server is configured

to generate keys. This type of key server is referred to as a “key generator”. When a key is

generated, the key ID is stored with the encrypted virtual tape and the key is stored in a key

database on the key generator. If a key generator is reconfigured to no longer generate keys, it

is then referred to as a “non-key generator”. The key database remains on the non-key

generator but that server no longer creates keys. When a virtual tape needs to be decrypted,

VTS retrieves the encryption key from the key server that generated the key. If the key

generator was reconfigured as a non-key generator, VTS must still have access to that key

server.

If there are multiple VTS servers in your environment, it is recommended that you designate

only one server as the key generator. You must add the key generator to each VTS server in

your environment. Then, you must reconfigure the localhost entry on all other servers as a

non-key generator so that each VTS server can continue to access its key database. (You can

remove a key generator if it was never used to create keys.) See

Using SecureVTS in a multi-

server environment on page 55 for an example.

Any time a key is stored in the key database, the database is backed up locally and on a

backup host, which must be configured in a separate step (see

Adding a key database backup

host on page 58). In general, the key database (and its backup) remains small, typically

around 10MB when storing thousands of keys.

Note You cannot modify a key server after it is added. To change the settings, you must

delete the key server and then add it again, specifying the correct parameters. See

Deleting a key server on page 65 for instructions on deleting a key server.

Requires Administration group membership

To add a key server

1. Click SecureVTS Setup on the navigation pane.

2. If necessary, log in using an account that is a member of the Administration group. Click

the Log In button at the top of the page and enter a username and password.