HP StoreOnce VSA Backup System User Guide (TC458-96025)

to expand the three subnets for the additional couplet. Remember that VLANs require one IP address
per node and physical data LANs require two IP addresses per node.
# net add ipaddr <newconfig> subnet1 172.168.7.29,172.168.7.30,172.168.7.31,172.168.7.32
# net add ipaddr <newconfig> subnet_vlan1 10.168.8.29,10.168.8.30
# net add ipaddr <newconfig> subnet2 192.168.6.15,192.168.6.16
To add Data in Flight Encryption
IP packets have no in-built security measures, which means that access to the network enables
packet content to be viewed and, because there is no verification, there is no indication whether
a packet has been viewed or the content modified. IPsec is an OSI layer 3 protocol that provides
encryption and mutual verification at the IP address level. The IPsec protocol is supported for data
subnet encryption on all StoreOnce models running StoreOnce software version 3.11.0 or later.
Data in Flight Encryption uses the IPsec protocol to support data encryption at subnet level. It
requires you to pair the IP addresses of the media server and the subnet that you have configured
on the StoreOnce Backup system and to create a rule that ensures the pair communicate uniquely
with each other based on a password that you configure within the rule. Configuration on the
StoreOnce Backup system is via a single StoreOnce CLI command, net add encryption. It
cannot be configured as part of the wizard. But this is only one half of the configuration. You must
also configure IPsec on the media server that forms the other part of the pair.
License requirements
If you wish to use the IPsec feature, you must first install the Security Pack license.
Configuring the client
The IPsec pair and rule must be configured on both the client media server and the StoreOnce
Backup appliance. See the HP StoreOnce Backup system Linux and UNIX Configuration guide for
information about configuring Linux media servers. Configuration of Windows media servers is
via Windows local security policy. (This will be described in more detail in the next edition of this
guide.) For full details of which operating systems are supported go to http://www.hp.com/ebs.
Configuring the StoreOnce Backup system
IMPORTANT: If you subsequently change the network configuration, you must re-apply the IPsec
encryption.
The syntax for the StoreOnce CLI command is:
net add encryption myconfig mysubnet ipAddr clientip passPhrase mypassword
In the following example, we have created a copy of the configuration called config_with_ipsec
that adds encryption to subnet_2. The IP address is the client’s IP address and the passphrase
must match the passphrase that has been configured on the client.
# net add encryption config_with_ipsec subnet_2 ipaddr 172.18.198.101 passphrase katedave
Command Successful
NOTE: You still need to validate and activate the configuration to make encryption active on the
subnet.
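A pre-flight check for a batch of net add encryption commands, added here as an example and not taken from the HP guide or the StoreOnce software. It parses the command syntax shown above and flags malformed client addresses, repeated rules for the same client and subnet, and passphrases that fall below a length and character-class threshold. The thresholds, the case-insensitive keyword matching and every sample line other than the guide's own command are assumptions.

```python
import ipaddress
import re

# Syntax as printed in the guide:
#   net add encryption myconfig mysubnet ipAddr clientip passPhrase mypassword
# Assumption: keywords are case-insensitive and the passphrase has no spaces.
CMD_RE = re.compile(
    r"^\s*#?\s*net\s+add\s+encryption\s+(?P<config>\S+)\s+(?P<subnet>\S+)\s+"
    r"ipaddr\s+(?P<ip>\S+)\s+passphrase\s+(?P<secret>\S+)\s*$",
    re.IGNORECASE,
)
MIN_LENGTH = 20  # assumption: local policy, not a StoreOnce limit
MIN_CLASSES = 3  # assumption: of lower, upper, digit, other

def char_classes(secret):
    """Count how many of lower/upper/digit/other occur in the passphrase."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in secret) for t in tests)

def lint(lines):
    """Return (line_no, message) findings for a planned batch of rules."""
    findings, seen = [], {}
    for no, line in enumerate(lines, 1):
        m = CMD_RE.match(line)
        if not m:
            findings.append((no, "not a net add encryption command"))
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            findings.append((no, "client IP is not a valid address"))
            continue
        key = (m["config"], m["subnet"], ip)
        if key in seen:  # one rule per client/subnet pair
            findings.append((no, f"duplicate rule for {ip}, first on line {seen[key]}"))
        seen.setdefault(key, no)
        if len(m["secret"]) < MIN_LENGTH or char_classes(m["secret"]) < MIN_CLASSES:
            findings.append((no, "passphrase below policy"))
    return findings

# Constructed input: the guide's example command plus made-up variants.
SAMPLE = [
    "# net add encryption config_with_ipsec subnet_2 ipaddr 172.18.198.101 passphrase katedave",
    "# net add encryption config_with_ipsec subnet_2 ipAddr 172.18.198.102 passPhrase Tq7-vexed-Harbor-0crane",
    "# net add encryption config_with_ipsec subnet_2 ipaddr 172.18.198.300 passphrase Tq7-vexed-Harbor-0crane",
    "# net add encryption config_with_ipsec subnet_2 ipaddr 172.18.198.101 passphrase Zm4_other-Long-passphrase",
]
for no, msg in lint(SAMPLE):
    print(f"line {no}: {msg}")
```

The guide's sample passphrase is reported on line 1 because the rule relies on that passphrase to tie the pair together, so it should be long and not a dictionary-style string.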
The subnet configuration now shows the client IP address in the Encryption Links field.
----------------------
Network: subnet2
----------------------
IP Addresses: 172.168.6.11,172.168.6.12,172.168.6.13,172.168.6.14
Net Mask: 255.255.255.0
Domain Name: nearline.local
Gateway: 172.168.6.1
Default Network: yes
Net Usage: mgmt