Sun StorageTek™ Crypto Key Management System
HP LTO4 Encryption-Capable Tape Drives
Technical Brief
Part Number: 316196601 Revision: A

Crypto Key Management System Version 2.0
HP LTO4 Tape Drive Technical Brief
Sun Microsystems, Inc. www.sun.
Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S.
Contents
Preface v
Organization v
Related Information v
Additional Information vi
1. Introduction 1
Drive Tray 2
Specifications 3
Compatibility 5
Order Numbers 6
2. Dione Card 7
Firmware Requirements 7
Dione Card Components 8
Connecting to the Dione Card 9
KMS Operations 10
Key Lifecycle 10
Media RFID Chips 12
Media Types 12
Removal and Replacement
Removal
3. Virtual Operator Panel
Using VOP 19
Start VOP 20
Diagnose Drive Tab 23
Run LED Diagnostic Test 23
Run Loopback Test 24
Get Log 25
Load Firmware 25
iv KMS: LTO4 Technical Brief • June 2008 Revision: A • 316196601
Preface

This technical brief is intended for Sun StorageTek™ representatives, customers, and anyone responsible for planning the installation of the Crypto Key Management System (KMS) encryption solution.

Additional Information

Sun Microsystems, Inc. (Sun) offers several methods to obtain additional information.

Sun's External Web Site
Sun's external Web site provides marketing, product, event, corporate, and service information. The external Web site is accessible to anyone with a Web browser and an Internet connection. The URL for the external Web site is: http://www.sun.com
The URL for StorageTek™ brand-specific information is: http://www.sun.
CHAPTER 1 Introduction

Overview
The Hewlett Packard (HP) LTO4 is the fourth generation of Ultrium (Linear Tape-Open) tape drives. This generation offers more capacity and higher performance than earlier generations of LTO tape drives.

Encryption Capable
The Hewlett Packard LTO4 is the first tape drive outside the StorageTek T-Series to support the Crypto Key Management System Version 2.0.

Drive Tray
Installing this tape drive in one of Sun StorageTek's automated tape configurations offers customers an even wider choice of tape-based storage solutions.
■ Server compatibility: Fibre Channel and SCSI models on popular (qualified) platforms from vendors such as Sun, HP, IBM, and Dell.
■ Software compatibility: Support for an extensive list of software applications such as ACSLS, HP, CA, VERITAS, Legato, Tivoli, and many more.
Specifications

TABLE 1-1 provides a comparison of tape drive specifications.

TABLE 1-1 Tape Drive Specifications
Specification       LTO2                 LTO3                 LTO4
Height              8.25 cm (3.25 in.)   8.25 cm (3.25 in.)   8.25 cm (3.25 in.)
Width               14.6 cm (5.75 in.)   14.6 cm (5.75 in.)   14.6 cm (5.75 in.)
Length (depth)      21.38 cm (8.4 in.)   21.38 cm (8.4 in.)   21.38 cm (8.4 in.)
Weight              2.1 kg (4.6 lb)      2.24 kg (4.94 lb)    2.24 kg (4.94 lb)
Capacity            200 GB               400 GB               800 GB
Data transfer rate  30 MB/s              80 MB/s              120 MB/s
13.7 to 35.

TABLE 1-2 provides a comparison of media specifications.

TABLE 1-2 Media Specifications
Specification                LTO 2         LTO 3         LTO 4
Tape
Base film                    PEN (Poly-Ethylene-Naphthalate)
Tape length                  609 m         680 m         820 m
Tape length used for data    580 m         648 m         783 m
Tape width                   12.65 mm      12.65 mm      12.65 mm
Tape dimensional stability   1200 ppm      1200 ppm      900 ppm
Maximum tape speed           7.29 m/s
Rewind speed                 7.00 m/s
Durability                   1,000,000 passes
Cartridge
Width                        105.4 ±0.30 mm
Depth                        102.0 ±0.
Compatibility

HP LTO Ultrium 4 drives are specified to interchange with unencrypted data cartridges from other tape drives that comply with the LTO U-28, U-316 and U-416 specifications.
Future compatibility: In the future, HP LTO Ultrium drives will be capable of:
■ Reading and writing tapes from the current generation
■ Reading and writing tapes from one earlier generation
■ Reading tapes from two earlier generations
HP LTO Ultrium drives will always maintain write and read compatibility w

Order Numbers

License Keys

FIGURE 1-2 License Keys
LTO4 Encryption Key   Marketing Number    Description
Bundled               X-HP-LTO4-EKEY-B    One required per encryption-enabled drive. Bundled with the drive at time of sale.
After market          X-HP-LTO4-EKEY-A    One required per encryption-enabled drive. After market for drives previously purchased.
CHAPTER 2 Dione Card

The Dione card—pronounced (D - O - nee)—is a custom design that provides an Ethernet interface for the HP LTO4 tape drive. With this interface, the HP LTO4 tape drive can:
■ Encrypt and decrypt data using the Sun StorageTek Crypto Key Management System (KMS), Version 2.0 and above
■ Configure and enroll the tape drive using the Virtual Operator Panel (VOP), Version 1.0.

Dione Card Components

The Dione card installs in the open area of the drive trays behind the tape drives. Library drive trays that support this card are the:
■ SL8500
■ SL3000
■ SL500
■ L-Series
Each drive tray has its own unique configuration depending on the space in the open area of the drive tray.

Connecting to the Dione Card

FIGURE 2-2 shows two ways to connect to the Dione card:
■ Point-to-point using a crossover cable
■ Network using a switch or hub and standard (straight-through) Ethernet cables
Note – The default IP address of the Dione card is 10.0.0.1. This address is the same as the T-Series tape drives. Because of this, the initial connection to the Dione card and LTO4 tape drive should be with a crossover cable to set a new IP address.
KMS Operations

When the tape drive is powered on, the Dione card communicates with the drive over the serial port to take control of drive encryption and decryption. HP LTO4 tape drives can hold one (1) key at a time while encrypting or decrypting data. Therefore, it is essential that these drives stay connected to the KMS network for communications. Failover and load balancing also occur between the KMAs in the system (KMS).

FIGURE 2-3 Key Lifecycle

A potential issue: the LTO4 drive firmware does not request a write key in the following command sequence: Read, Space, Write-Filemark, Write. The drive uses the key obtained for the Read command to encrypt the data provided for the Write command. The state of this key may be inappropriate for writing because of the key policy associated with the drive (for example, an expired key).
Work-Around: Assign the drive to a Key Group whose key policy has a long encryption period.
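To make the failure mode concrete, here is an added example (constructed for this brief, not Sun's code or the KMS 2.0 API): a small Python model of a drive with a single key slot that reuses the key fetched for a Read on a later Write without asking the KMS. The key-state names, the KMS stub, the volser "LTO001" and the policy check are assumptions; the point it demonstrates is the one the brief makes, that a short encryption period lets the reused key fall out of the state that permits encryption, while a long encryption period (the work-around) keeps the same sequence clean.

```python
"""Model of the single-key-slot behaviour described for HP LTO4 drives.

Added, constructed example: the key-state names, the KMS stub and the
policy check are assumptions, not the product's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyState(Enum):
    # Assumed state names, loosely following the NIST SP 800-57 key states.
    PROTECT_AND_PROCESS = "protect and process"  # may encrypt and decrypt
    PROCESS_ONLY = "process only"                # decrypt only: encryption period over


@dataclass
class KeyPolicy:
    encryption_period: timedelta  # how long a key may be used to encrypt


@dataclass
class Key:
    key_id: str
    created: datetime
    policy: KeyPolicy

    def state(self, now: datetime) -> KeyState:
        if now < self.created + self.policy.encryption_period:
            return KeyState.PROTECT_AND_PROCESS
        return KeyState.PROCESS_ONLY


class StubKms:
    """Stand-in for the KMS: remembers the key assigned to each cartridge
    (the brief states keys are unique per cartridge) and logs every request."""

    def __init__(self, policy: KeyPolicy):
        self.policy = policy
        self.keys = {}       # volser -> Key currently on the cartridge
        self.requests = []   # ("read" | "write", volser), in the order received

    def key_for_cartridge(self, volser: str) -> Key:
        self.requests.append(("read", volser))
        return self.keys[volser]

    def new_write_key(self, volser: str, now: datetime) -> Key:
        self.requests.append(("write", volser))
        key = Key(f"{volser}-{len(self.requests)}", now, self.policy)
        self.keys[volser] = key
        return key


class Lto4Drive:
    """Holds one key at a time and, as the brief describes, reuses the key
    fetched for a Read on a later Write instead of asking the KMS again."""

    def __init__(self, kms: StubKms):
        self.kms = kms
        self.loaded = None  # the single key slot

    def run(self, volser: str, commands, now: datetime):
        """Execute a command sequence; return the writes that used a key
        whose state does not permit encryption, as (index, key_id, state)."""
        bad_writes = []
        for i, cmd in enumerate(commands):
            if cmd == "Read":
                self.loaded = self.kms.key_for_cartridge(volser)
            elif cmd == "Write":
                if self.loaded is None:
                    self.loaded = self.kms.new_write_key(volser, now)
                # else: the key from the earlier Read is reused unchanged
                state = self.loaded.state(now)
                if state is not KeyState.PROTECT_AND_PROCESS:
                    bad_writes.append((i, self.loaded.key_id, state.value))
            # Space and Write-Filemark leave the loaded key as it is
        return bad_writes


def simulate(encryption_period_days: int, key_age_days: int):
    """Read, Space, Write-Filemark, Write against a cartridge whose key was
    created key_age_days ago under a policy with the given encryption period.
    Returns (bad_writes, KMS requests made during the sequence)."""
    now = datetime(2008, 6, 1, tzinfo=timezone.utc)  # constructed date
    kms = StubKms(KeyPolicy(timedelta(days=encryption_period_days)))
    kms.new_write_key("LTO001", now - timedelta(days=key_age_days))  # key already on tape
    start = len(kms.requests)
    bad = Lto4Drive(kms).run("LTO001", ["Read", "Space", "Write-Filemark", "Write"], now)
    return bad, kms.requests[start:]


def fresh_write(encryption_period_days: int):
    """A Write with no key loaded: the drive does ask the KMS for a write key."""
    now = datetime(2008, 6, 1, tzinfo=timezone.utc)
    kms = StubKms(KeyPolicy(timedelta(days=encryption_period_days)))
    bad = Lto4Drive(kms).run("LTO002", ["Write"], now)
    return bad, kms.requests


if __name__ == "__main__":
    print("short policy:", simulate(30, 60))   # the Write reuses a key that is process-only
    print("long policy :", simulate(365, 60))  # work-around: key still protect-and-process
    print("fresh tape  :", fresh_write(30))    # empty slot: a write key is requested
```

In both `simulate` runs the only KMS request during the sequence is the Read; no write key is ever requested, which is exactly why the policy's encryption period decides whether the Write is safe. A defender auditing KMS request logs can use the same observation: a Write following a Read on the same cartridge with no intervening key request is the pattern to look for when a short encryption period is in force.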
At release, the functionality to set a key in a compromised state is not present. This is a low-impact issue because the system assigns unique encryption keys to each tape cartridge. It is rare that a compromised-key scenario would ever be encountered; if it were, it would affect only future writes to a single tape cartridge. This functionality will be implemented in the next drive firmware update.

Media RFID Chips

Use FIGURE 2-4 to connect the bulleted terms with the KMS Manager. FIGURE 2-4 provides an example of a KMS Manager display screen using the elements from an HP LTO4 drive.

FIGURE 2-4 KMS Manager Data Unit List
1. Data Unit ID (data cartridge)
2. External Tag (volume serial number)
3. Description (LTO4 or LTO4WORM)
4.
Removal and Replacement

Encryption-capable HP LTO 4 tape drives contain an Ethernet card, which is a field replaceable unit (FRU). Depending on the library, each drive tray contains the card in a different location; however, the removal and replacement procedures are similar.

3. Place the drive and drive tray on a suitable work surface.
Caution: Potential ESD damage: The encryption card contains ESD-sensitive components. Make sure you follow proper ESD precautions.
4. Remove the two T9 screws from the top cover and remove the cover.
5. Remove the connectors from the HBD card.
6. Remove the four T10 screws that attach the drive to the tray.
7. Remove the T10 screw that attaches the encryption card.
8.
CHAPTER 3 Virtual Operator Panel

The Sun StorageTek Virtual Operator Panel (VOP) is a computer-based application that provides a graphical user interface (GUI) to these tape drives:
■ T10000A
■ T10000B
■ T9840D
With the VOP at Version 1.0.12 and higher, support for the HP LTO4 tape drive is provided through the "Dione Card" on page 7, which serves as a serial-to-Ethernet translation device for the tape drive. FIGURE 3-1 shows an example of the VOP display.

The VOP application uses an Ethernet connection to communicate with the tape drives, either:
■ Point-to-point, using a cross-over cable
■ Networked, using a switch and standard (straight-through) Ethernet cables
This Ethernet interface provides communication with the tape drives and allows:
■ Customer operators to:
  ■ Select and monitor drive status indicators
  ■ View, load, and configure drive settings
  ■ Enroll and un-enroll agents (tape drives) for use with the KMS
■ Services representatives to:
  ■ View, delete, l

Using VOP

There are two versions of VOP: 1) Customer and 2) Service. Refer to the VOP documentation for information about how to download and install these applications. TABLE 3-1 is an example of these versions.

TABLE 3-1 VOP Versions, Files, Documents, and Download Sites
Version    Document   Files                           Posted             File Size
Customer   96179      VOP_CUST_REL_1.0.12.zip         05/28/2008 21:30   6055192
                      General_Instructions_Download   05/28/2008 21:42   47104
Document.
Start VOP

Important:
■ Remember, the Service Delivery Platform (SDP) does not support the LTO4 drives. You may need to adjust the network addresses if mixing tape drives on the same KMA and/or SDP network (LAN 2).
■ With this Ethernet connection, you cannot perform the same or similar functions with this tape drive that you can with the T-Series drives, such as downloading tape drive code and running tape drive diagnostics.

5. Select the Configure Drive tab and enter the required information. You will need customer input for the KMA ID, IP Address, and Passphrase.
FIGURE 3-4 Configure Drive
6. Click Commit and respond "Yes" to the set-drive-offline pop-up (if the drive is still online). The commit process takes about 30 seconds to complete.
7. Click the Diagnose Drive tab to observe the commit process.
During the commit process, the tape drive goes offline, then IPLs to save the new settings to the Dione card.
Important: When the drive comes back online, it is using the new IP address.
8. To continue with the configuration and to "enroll" the tape drive, you must connect the drive to the KMS network. The KMS must be able to communicate with the tape drive to complete the enrollment process.
Diagnose Drive Tab

The Dione card and the VOP Diagnose Drive tab allow you to perform limited tests, retrieve logs for engineering review, and load Dione card firmware.

Run LED Diagnostic Test
To run the LED diagnostic test:
1. Click Run LED Diag. The button changes to EXIT LED Diag.
2. During this time, if you press the Reset switch, the green encryption LED flashes.
3. Click EXIT LED Diag to end the test.

Run Loopback Test
To run the Loopback diagnostic test:
1. Click Run Loopback Test.
2. Observe the display as the test starts and ends.

Get Log
If a Dione card or connection is consistently having problems, engineering may ask you to retrieve a log of events from the Dione card.
1. Click Get Log.
2. Create and select a location for the file. Once the file has transferred, the operation is complete.
FIGURE 3-9 Run LED Diag

Load Firmware
To load new Dione card firmware: Obtain the firmware and place it in a directory that is easy to locate. Click Load Firmware. A dialog box opens requesting the location of the firmware.
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.