NonStop Volume Level Encryption Guide

Transcription

1 NonStop Volume Level Encryption Guide Part Number: Published: August 2016 Edition: L15.02, J06.09, H06.20, and all subsequent L-, J-, and H-series RVUs

2 Copyright 2012, 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website. Acknowledgments Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries. Microsoft and Windows are trademarks of the Microsoft group of companies. Java and Oracle are registered trademarks of Oracle and/or its affiliates. Intel, Pentium, and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Motif, OSF/1, UNIX, X/Open, and the "X" device are registered trademarks, and IT DialTone and The Open Group are trademarks of The Open Group in the U.S. and other countries. Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif, and Motif are trademarks of the Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing, performance, or use of this material. 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF software to which it relates are derived in part from materials supplied by the following: 1987, 1988, 1989 Carnegie-Mellon University. 1989, 1990, 1991 Digital Equipment Corporation. 1985, 1988, 1989, 1990 Encore Computer Corporation Free Software Foundation, Inc. 1987, 1988, 1989, 1990, 1991 Hewlett-Packard Company. 1985, 1987, 1988, 1989, 1990, 1991, 1992 International Business Machines Corporation. 1988, 1989 Massachusetts Institute of Technology. 1988, 1989, 1990 Mentat Inc Microsoft Corporation. 1987, 1988, 1989, 1990, 1991, 1992 SecureWare, Inc. 1990, 1991 Siemens Nixdorf Informationssysteme AG. 1986, 1989, 1996, 1997 Sun Microsystems, Inc. 1989, 1990, 1991 Transarc Corporation.OSF software and documentation are based in part on the Fourth Berkeley Software Distribution under license from The Regents of the University of California. OSF acknowledges the following individuals and institutions for their role in its development: Kenneth C.R.C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems, Robert Elz. 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of California.

3 Contents About This Document...5 Supported Release Version Updates (RVUs)...5 Intended Audience...5 New and Changed Information...5 New and Changed Information in the Edition...5 New and Changed Information in the R Edition...5 New and Changed Information in the Edition...5 New and Changed Information in Previous Editions...6 Publishing History Overview...7 Encryption...7 Encryption principles...7 Encryption techniques...7 Encryption management...8 HPE NonStop I/O Essentials...8 Supported systems and devices...8 System requirements and planning...8 Encryption in a system...9 Licensing...10 Moving an ESKM device and its license to another system Installation...12 Installation overview...12 Installation steps Installing Storage CLIMs Installing the NonStop host license Verifying that SAFEGUARD is running Configuring a Safeguard security group Configuring storage CLIM eth1 (enterprise LAN) Installing the ESKM appliances Performing pre-enrollment tasks Registering the CLIMs Verifying the connection between the CLIMs and the key managers Backing up the configuration files Backing up the Key Managers Encrypting data on storage devices...43 Encrypting data on disk drives...43 Encrypting disk data with CLIM key rotation...43 Encrypting disk data with REVIVE key rotation...47 Changing encrypted disk keys...49 Moving disk drives...50 Decrypting a disk...50 Replacing disk hardware...50 Encrypting data on tape drives...51 Encrypting tape data...51 Changing tape drive keys...51 Moving tape drives...52 Temporarily turning off encryption...52 Clearing tape drive encryption...52 Replacing tape drive hardware...52 Contents 3

4 4 Maintenance...53 Security...53 License...53 ESKM license...53 SCF commands...53 STATUS SUBSYS $ZZSTO...53 STATUS CLIM, ENCRYPTION...53 STATUS CLIM, KEYMANAGER...54 STATUS CLIM, KEYCHANGE...54 STATUS DISK, ENCRYPTION...55 STATUS DISK, ENCRYPTION, DETAIL...55 STATUS TAPE, ENCRYPTION...55 Troubleshooting...56 Fallback...57 Adding CLIMs Support and other resources...58 Accessing Hewlett Packard Enterprise Support...58 Accessing updates...58 Websites...59 Customer self repair...59 Remote support...59 Documentation feedback...59 A Encryption background...60 Glossary of terms used in this manual...61 Index Contents

5 About This Document This document describes how to install and maintain volume level encryption provided by Storage CLIMs and the HPE Enterprise Secure Key Manager. Supported Release Version Updates (RVUs) This manual supports L15.02, J06.09, H06.20, and all subsequent L-, J-, and H-series RVUs, until otherwise indicated in a replacement publication. Intended Audience This manual is intended for service personnel who will install Storage CLIMs, and for security encryption administrators at customer sites who will maintain encryption on these devices. Security encryption administrators are expected to understand security concepts and best practices. New and Changed Information New and Changed Information in the Edition Added L-series systems. Added a flow chart to Installation overview (page 12) showing the steps to set up encryption. Corrected numbering of installation steps. New and Changed Information in the R Edition Updated Hewlett Packard Enterprise references. New and Changed Information in the Edition Updated Supported systems and devices (page 8) to state that only DL385 G5 CLIMs and later support encryption. Updated Installation overview (page 12) with the CLIM software version required for ESKM 3.0 Updated 3. Verifying that SAFEGUARD is running (page 14) to point users to the Safeguard Administrator s Manual rather than provide syntax for configuring Safeguard. Changed references to LTO-5 to add LTO-6. Updated Encrypting data on tape drives (page 51) to show supported tape media. Updated Encrypting data on tape drives (page 51) to include new KEYNAMEPERDRIVE encryption option, described in the SCF Reference Manual for the Storage Subsystem. Supported Release Version Updates (RVUs) 5

6 New and Changed Information in Previous Editions New and Changed Information in the Edition Changed references to LTO-4 to add LTO-5. Updated Encrypting data on tape drives (page 51) to show supported tape media. New and Changed Information in the Edition Chapter 2: Installation (page 12): Added information about FIPS certification to Encryption (page 7). New and Changed Information in the Chapter 2: Installation (page 12): Added Moving an ESKM device and its license to another system (page 10). Updated 6. Installing the ESKM appliances (page 14) with additional details. Updated Creating a signed NSSuser client certificate with a PC (page 27) to correct syntax. Chapter 3: Encrypting data on storage devices (page 43) Updated Encrypting data on disk drives (page 43) with additional information. Updated Encrypting data on tape drives (page 51)with additional information. Added Moving disk drives (page 50). Added Moving tape drives (page 52). Added Temporarily turning off encryption (page 52). Chapter 4: Maintenance (page 53) Publishing History Updated License (page 53) to indicate that the file must be binary. Part Number R Product Version N.A. N.A. N.A. N.A. Publication Date August 2016 November 2015 November 2010 November

7 1 Overview Encryption Encryption on storage devices protects sensitive customer data from theft and helps customers comply with regulations like HIPAA and the Payment Card Industry (PCI) Data Security Standard. Volume level encryption provides system-integrated volume level encryption for storage devices connected to Integrity NonStop NS Series systems or NonStop Integrity BladeSystems that use a Storage CLIM. Data-at-rest on disks and tape drives is encrypted using IEEE 1619 (disk) and IEEE (tape) industry standard algorithms. Encryption uses keys generated and stored by the Enterprise Secure Key Manager (ESKM). The encryption module of the volume level encryption product achieved FIPS Level 1 certification by the United States National Institute of Standards and Technology (NIST) in September of This means that an independent lab has tested the encryption module customers use with this product and found that it meets all the requirements of FIPS for a software product. Encryption principles Keys generated by the key manager protect storage data. Keys are as valuable an asset as the data they protect, and they must be protected for the life of the data. If a key is lost or destroyed, the data is effectively lost because it cannot be accessed. Follow these practices: Customer security officers, not system administrators, should manage keys and system security Keys should be protected by ESKM disk mirroring, backups, and distribution over multiple nodes so that they can be recovered in case of catastrophic failure CAUTION: There are no system back doors for recovering data if passwords or keys are lost. If keys are destroyed or lost, the data is lost. Hewlett Packard Enterprise recommends that all ESKM backup and redundancy mechanisms should be fully used, and that alternate security officers should be trained and enrolled to manage the ESKM cluster and to perform recovery operations if needed. For more details about encryption, see Appendix A: Encryption background (page 60). Encryption techniques Volume level encryption provides data-at-rest encryption for entire disk or tape volumes, instead of files or columns. The system processes and transmits data in clear (unencrypted) text. Volume level encryption does not secure data while it is in transit to or from storage media. Customers must still configure their environment and applications in such a way as to control data access to sensitive information when data is in use on the NonStop system. Data comes from ServerNet in the clear and is placed in CLIM memory. It is encrypted and then transferred to the disk using the SAS or Fibre Channel HBA. Volume level encryption uses symmetric block encryption, also called block cipher, which uses a single key for encryption and decryption. This product uses these algorithms: Disks: CBC-AES (key size 256) or XTS-AES (key size 256) CBC-AES must be used for FIPS mode XTS-AES follows the IEEE 1619 spec Tapes: GCM-AES (key size 256) Encryption 7

8 Encryption management The CLIM is managed with a combination of OSM, the CLIMCMD tool, I/O Essentials, and an integrated Lights Out Management (ilo) interface. For details, see these manuals: NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide (H06.16+, J06.04+) NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide (L15.02+) Encrypted disks and drives are managed with the SCF storage subsystem. For descriptions of disk and tape attributes and commands to manage them, see the SCF Reference Manual for the Storage Subsystem. The ESKM is managed with the ESKM Management Console. For details, see the Enterprise Secure Key Manager Users Guide. HPE NonStop I/O Essentials NonStop I/O Essentials is a plug-in to HPE Systems Insight Manager (SIM). SIM is an infrastructure management tool for Hewlett Packard Enterprise systems that runs on the system console. The NonStop I/O Essentials plug-in provides a graphical user interface alternative to the command-line interfaces of the CLIMCMD tool and SCF. For more information about using NonStop I/O Essentials, see the NonStop I/O Essentials Installation and Quick Start Guide. Supported systems and devices Volume level encryption is supported on these systems: NonStop X (L-series) NonStop Integrity BladeSystems (J-series) NonStop Integrity NS16000 series servers (H-series) NonStop Integrity NS2000 series servers (H-series) Only DL385 G5 and later generation Storage CLIMs support encryption. Encryption is not available for S-series or other platforms that do not support the Storage CLIM. Encryption is supported on these devices: SAS disk drives Enterprise Storage Servers LTO-4, LTO-5 and LTO-6 tape drives encryption may be applied per-drive or per-media For disks, the CLIM performs encryption using keys generated by the key manager. Encryption is compatible with the Write Cache Enable feature. For tapes, the LTO-4, LTO-5, or LTO-6 tape drive performs encryption. Storage CLIMs with encryption support connections to Secure VTS (Virtual Tape Server) tapes. VTS performs encryption. Volume level encryption is not compatible with the NetApp DataFort product. System requirements and planning This hardware is required to support encryption: Any NonStop NS-series, NonStop BladeSystem, or NonStop X system with Storage CLIMs and an NSVLE encryption license Storage CLIM Key manager (ESKM) 8 Overview

9 NonStop disks to be encrypted are not required to be mirrored, but mirroring is strongly advised, for fault tolerance. The CLIM is a ProLiant class server that can connect to Integrity NonStop BladeSystem or NS-series system to support connections to storage devices or to the network. The Storage CLIM provides fibre channel and SCSI attached storage (SAS) connectivity to storage devices. It supports only the Hewlett Packard Enterprise documented applications and interfaces. For information about the CLIM, see the appropriate generation of the HPE ProLiant DL385 Server Maintenance and Service Guide. The minimum CLIM software version for ESKM 3.0 and later is T0867AAH J06.12 / H06.23 / L The ESKM is based on ProLiant server technology. It generates, stores, and serves keys to CLIMs. It automatically replicates keys across clusters, can perform backup and restore of the key database, and provides a local Certificate Authority (CA) used to create client certificates for strong TLS authentication of CLIMs to the key manager. Key managers are installed in pairs or larger clusters for high availability. The key manager device may be installed anywhere (in the same or in another datacenter) but must be network-accessible to Storage CLIMs. The encryption Storage CLIM connects to key managers using its second LAN port (eth1). Encryption in a system Communication between a NonStop system and Storage CLIMs is done with a combination of ServerNet and the maintenance LAN. Users enter SCF commands to enable or disable encryption on a particular device and to set up encryption parameters. The second Ethernet port (eth1) on the CLIM is connected directly to the Enterprise LAN so that Storage CLIMs can communicate with the key manager. Figure 1: System Connections shows how system components are connected in a system. Encryption in a system 9

10 Figure 1 System Connections Licensing 1 NonStop processors 2 System console 3 ServerNet 4 CLIMs 5 Maintenance LAN 6 Key managers 7 Enterprise LAN Enable encryption with a license available from Hewlett Packard Enterprise, installed on the NonStop system. Licensing is described in License (page 53). Enrolling CLIMs as ESKM clients also requires that sufficient client licenses in the ESKM cluster are available. ESKM Client Licensing and license installation are described in the Enterprise Secure Key Manager Installation and Replacement Guide, on the CD shipped with the device. Moving an ESKM device and its license to another system 10 Overview Licensing on the NonStop system is done on a per-system basis. However, the license on the ESKM depends on the number of CLIMs. If you move Volume Level Encryption from one system to another, for instance from a development system to a production system, you may not have enough ESKM licenses for the CLIMs. Suppose that you install encryption on a system. You register the CLIMs on that system with available licenses on the ESKM (each CLIM/ESKM user pair uses one license.) Later, you want to install encryption on a different system, and move the Volume Level Encryption solution and

11 its license to that system. To have enough ESKM licenses for the new CLIMs/ESKM users, you must get rid of the CLIM/ESKM user pairs on the ESKM for the original system, then create users on the new one. You cannot delete a user that owns keys. You must first delete all keys that belong to that user or transfer them to another user. Once you have transferred or deleted all the keys owned by that user, delete the user. Then the ESKM license is available again. CAUTION: Hewlett Packard Enterprise recommends that you change the ownership of each key instead of deleting them, because if you delete a key you still need, or if you delete the wrong key, that data is permanently lost. Delete keys only if you are absolutely sure that you do not need them, and exercise caution to delete the right key. Follow this procedure: 1. Determine the user to be moved to another system. 2. Determine the keys owned by that user. 3. Change the ownership of each key, or if you are sure that you do not need a key, delete it. 4. Once the user does not own any keys, delete the user. For information about key ownership and user management, see the Enterprise Secure Key Manager Users Guide. Moving an ESKM device and its license to another system 11

12 2 Installation Installation overview To use NonStop Volume Level Encryption, you must install the ESKM and establish ESKM/CLIM connectivity over the enterprise LAN. ESKM/CLIM interactions must be able to be authenticated through certificates and encrypted through SSL, so that the CLIM can securely receive keys from the ESKM. The appropriate security officers must be enabled to control volume encryption from the NonStop system. NOTE: The minimum CLIM software version for ESKM 3.0 and later is T0867AAH J06.12 / H06.23 / L Verify the CLIM software version and update it if necessary before registering CLIMs with the ESKM. Installation tasks: Configure connectivity Configure an ESKM cluster (if not already done) Create a certificate authority on the ESKM if one does not exist Have the ESKM certificate authority created server certificates for each ESKM Have the CLIM create a client certificate for each CLIM Have the ESKM certificate authority (CA) sign the client certificates Install the signed client certificates on the CLIMs Create and populate an encryption group in Safeguard Installation is done by a service provider and a customer security officer. The service provider: Installs and configures the CLIM Installs the key manager Configures LAN connection Backs up the CLIM configuration The security officer: Installs the license Configures SAFEGUARD and creates the security group Configures the connection between the CLIM and the key manager Configures devices to be encrypted Performs data encryption procedures To prepare for installation, have this information available: CLIM names for the client certificates Correct port numbers This flow chart shows the installation steps: 12 Installation

13 Installation steps To install this product, follow these steps: 1. Installing Storage CLIMs (page 13) 2. Installing the NonStop host license (page 14) 3. Verifying that SAFEGUARD is running (page 14) 4. Configuring a Safeguard security group (page 14) 5. Configuring storage CLIM eth1 (enterprise LAN) (page 14) 6. Installing the ESKM appliances (page 14) 7. Performing pre-enrollment tasks (page 17) 8. Registering the CLIMs (page 41) 9. Verifying the connection between the CLIMs and the key managers (page 42) 10. Backing up the configuration files (page 42) 11. Backing up the Key Managers (page 42) 1. Installing Storage CLIMs If the system does not have Storage CLIMs, follow the procedures in the NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide (H06.16+, J06.04+) or NonStop CLuster I/O Installation steps 13

14 Module (CLIM) Installation and Configuration Guide (L15.02+) to install, connect, and configure them. The CLIM should be in the STARTED state. 2. Installing the NonStop host license 1. Obtain the encryption license file by ing 2. Install the file in $SYSTEM.ZLICENSE.NSVLE. 3. Change the filecode to 407. For details about the license, see License (page 53). 3. Verifying that SAFEGUARD is running If SAFEGUARD is not running, you must configure it as a generic process. See the Safeguard Administrator s Manual for syntax. 4. Configuring a Safeguard security group The customer security officer creates a group to administer security whose members will be the only users allowed to perform security tasks. The members must be in the SUPER group. 1. Start SAFECOM. 2. Create the SECURITY-ENCRYPTION-ADMIN group by entering: ADD GROUP SECURITY-ENCRYPTION-ADMIN, NUMBER ALTER GROUP NUMBER 65536, MEMBER SUPER.officer 3. Verify the group by entering the SAFECOM INFO command: =info group number 65536,detail GROUP NAME NUMBER OWNER LAST-MODIFIED SECURITY-ENCRYPTION-ADMIN ,255 13MAY09, 13:02 CREATION-TIME = 24FEB09, 9:57 CREATOR-USER-NAME = SUPER.SUPER CREATOR-USER-TYPE = USER (255,255) CREATOR-NODENUMBER = 27 AUTO-DELETE = OFF DESCRIPTION = MEMBER = SUPER.ROGERP MEMBER = SUPER.SUPER = 4. (Optional) Create other members. Group membership takes effect at the next logon. 5. Configuring storage CLIM eth1 (enterprise LAN) As the service provider, use CLIMCMD to configure eth1 (the enterprise LAN) on the CLIM: climconfig interface -add eth1 climconfig ip -add eth1 -ipaddress netmask climconfig route -add eth1 -default -gateway ifstart eth1 IP addresses and route options are customer-dependent. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual for details. 6. Installing the ESKM appliances 14 Installation The service provider installs the ESKM device and uses the ESKM Management Console to configure it. See the Enterprise Secure Key Manager Installation and Replacement Guide for details. This manual is on the CD shipped with the device. As part of the installation process, you may need to install an ESKM license pack. A client license is required for each user device (Storage CLIM) that will be created on the ESKM. Contact Hewlett Packard Enterprise support to obtain it with sent by Atalla Support. See the Enterprise

15 Secure Key Manager Users Guide for additional guidance on installing the license file (on the CD shipped with the device). If the number of created users exceeds the number of available licenses, a warning is displayed in the ESKM GUI and the error is logged. If the license warning appears after 8. Registering the CLIMs (page 41), you must obtain additional licenses from Hewlett Packard Enterprise. To configure and manage the ESKM, use the Administrator Authentication screen to log into the Management Console with a username and password. NOTE: If you are using Internet Explorer, TLS 1.0 must be enabled. From Internet Explorer, select Tools Internet Options Advanced. Under Security check to see that TLS 1.0 is checked, and check it if it is not. Set up the Key Manager: On the High Security Configuration page, enable FIPS mode. On the KMS Server Settings page, select Allow Key and Policy Configuration Operations and Allow Key Export. Enable SSL with client certificate authentication. Use the default ports. Use the same name for all server certificates in the cluster. For the first node only, perform these tasks: 1. Start the ESKM appliance 2. Configure the ESKM appliance 3. Configure the first ESKM appliance a. If you did not do so during the ESKM installation, create a local certificate authority (CA) and use it to sign the server certificate. This example uses name NSVLECA: 1) Log into the Secure Key Manager GUI as admin. Login name is case-sensitive. 2) On the Security tab, select Local CAs. 3) To create a local certificate authority, enter this information: Installation steps 15

16 NOTE: The Secure Key Manager screen may not look exactly like this one. 4) Click Create. You can use the local CA to sign both server and client certificates. Download this CA to the NonStop system. If a customer wants to use their own CA, they can import a known CA. See the Enterprise Secure Key Manager Users Guide for details. b. Set up the local Certificate Authority 1) Create the ESKM server certificate 2) Enable SSL on the Key Management System (KMS) Server 4. Establish a cluster a. Create the cluster b. Download the cluster key For all other ESKM nodes, perform these tasks: 1. Start the appliance 2. Configure the appliance 16 Installation

17 3. Add additional ESKM appliances to the cluster 4. Create and install the ESKM Server Certificate For one node, create the NSSuser (NonStop setup user) login with User Administration Permission and Change Password Permission selected. For all nodes, back up the configuration. See the Enterprise Secure Key Manager Users Guide for details. 7. Performing pre-enrollment tasks Before you can enroll the CLIMs as ESKM clients, perform these pre-enrollment tasks: A. Creating ESKM server certificates on each ESKM appliance (page 17) B. Signing the server certificate request NSVLEServerCertificate with the local CA NSVLECA (page 19) C. Setting FIPS-compliant mode (page 23) D. Setting KMS server settings (page 23) E. Verifying KMS server authentication settings (page 25) F. Creating the NSSuser local user and setting security (page 25) G. Creating a client certificate request for the NSSuser local user (page 26) H. Adding local CA, other local CAs, and known CAs to the key manager trusted CA list (page 39) I. Verifying connection between the NonStop system and the Key Manager (page 41) After you have performed these tasks, go on to 8. Registering the CLIMs (page 41). A. Creating ESKM server certificates on each ESKM appliance Create a server certificate for each Key Manager. a. Log on to the Secure Key Manager GUI as admin. Login name is case-sensitive. b. On the Security tab, select Certificates. c. Enter the information to create a certificate. Installation steps 17

18 NOTE: The Secure Key Manager screen may not look exactly like this one. d. Click Create Certificate Request. e. In the Certificate List, select the radio button NSVLESERVERCERTIFICATE and click the name to open it: 18 Installation

19 f. Select and copy the text from----begin CERTIFICATE REQUEST through ----END CERTIFICATE REQUEST----. g. To exit this screen, click Back. B. Signing the server certificate request NSVLEServerCertificate with the local CA NSVLECA Perform this step for each Key Manager. a. On the Security tab, select Local CAs. b. In the Local Certificate Authority List, select the radio button for NSVLECA and click Sign Request: c. Paste the certificate request into the Certificate Request box. For Certificate Purpose, select Server: Installation steps 19

20 20 Installation d. Click Sign Request. e. Select and copy the certificate text from ----BEGIN CERTIFICATE---- to -----END CERTIFICATE----:

21 f. On the Security tab, select Certificates. In the Certificate list, select the radio button for NSVLESERVERCERTIFICATE and click its name to open it. g. Select Install Certificate: Installation steps 21

22 22 Installation h. Paste the signed certificate into the Certificate Response box and click Save to save the server certificate.

23 C. Setting FIPS-compliant mode a. On the Security tab, select High Security. b. Select Set FIPS Compliant: For details about FIPS compliance and the ESKM, see the Enterprise Secure Key Manager Users Guide. D. Setting KMS server settings a. On the Device tab, select KMS Server. b. Select NSVLESERVERCERTIFICATE from the Server Certificate drop-down list: Installation steps 23

24 c. Make sure that all other KMS server settings are set as follows: Port Use SSL Server Certificate Connection Timeout (sec) Allow Key and Policy Configuration Operations Allow Key Export lists the correct port on which the KMS Server is listening for client requests. The default port is 9000; however, you can use any available port. is checked lists the server certificate is 3600 is checked is checked Click Edit and change the settings, if necessary. d. Click Save. 24 Installation

25 For details about the KMS server, see the Enterprise Secure Key Manager Users Guide. E. Verifying KMS server authentication settings a. On the Device tab, select KMS Server. b. On the KMS Server Authentication Settings screen, select Edit and verify that the settings are as follows: User Directory Password Authentication Client Certificate Authentication Trusted CA List Profile Username Field in Client Certificate Require Client Certificate to Contain Source IP is Local is Required is Used for SSL session and username. is the Trusted CA list profile that contains the Local CA that will be used to sign the client certificates. is CN (Common Name). When the client certificates are created, this field must contain the client (CLIM) user name. HP recommends that you choose the most secure option. Customers who provide their own signed certificates must include the CLIM' user name in their certificate, so they must know the CLIM user names before creating the signed certificate. is not selected c. Click Save. F. Creating the NSSuser local user and setting security NOTE: The NSSuser is a temporary user which you should delete, for security reasons, as soon as the enrollment process is completed. As long as the NSSuser local user exists, it will consume a client license. Until you delete it, you may receive warnings that the number of licences has been exceeded. During the installation and enrollment process, you may ignore these warnings. They are a reminder to delete this user when enrollment is complete. a. On the Security tab, select Local Users & Groups. b. Under Local Users, select Add: Installation steps 25

26 c. Add the NSSuser name and password, and select all permissions. The user name must be NSSuser. This password will only be used in the Register CLIMs with Key Managers guided procedure in 8. Registering the CLIMs (page 41). d. Click Save. G. Creating a client certificate request for the NSSuser local user You cannot create the certificate request for the NSSuser with the key manager. The key manager does not allow the private key of the created key pair that corresponds to the certificate request to be exported. Use OpenSSL to create the NSSuser client certificate request one of these ways: Creating a signed NSSuser client certificate with a PC (page 27) Creating a signed NSSuser client certificate with CLIMCMD (page 32) 26 Installation

27 Creating a signed NSSuser client certificate with a PC If you have a PC that has OpenSSL installed, with access to a NonStop TACL session and the Key Manager s Web Browser interface, you can use it to create the NSSuser private key, NSSuser signed certificate, and NSSuser passphrase files for NonStop. These examples that follow were created using this version of OpenSSL: c:\>openssl version OpenSSL 0.9.8j 07 Jan 2009 c:\> a. Create an empty temporary directory on the PC: C:\> mkdir zencrypt Change the directory to that empty temporary directory: C:\>cd zencrypt b. Use OpenSSL to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. To protect the private key, choose a strong passphrase. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser. C:\zencrypt>openssl req -newkey rsa:2048 -keyout client.key -out client.csr The system responds, prompting you to enter various fields. User responses are shown in bold: Loading 'screen' into random state - done Generating a 2048 bit RSA private key writing new private key to 'client.key' Enter PEM pass phrase:passphrase Verifying - Enter PEM pass phrase:passphrase You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Cupertino Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP Organizational Unit Name (eg, section) []:NonStop Common Name (eg, YOUR name) []:NSSuser Address []:My .Id@hp.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. C:\zencrypt> c. Use OpenSSL to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key: C:\zencrypt>openssl rsa -in client.key -text -out client.key.pem Enter pass phrase for client.key:passphrase writing RSA key d. Use OpenSSL to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be prompted to enter the passphrase that you used to create the private key: C:\zencrypt>openssl pkcs8 -topk8 -in client.key.pem -outform DER -out client.key.der Enter Encryption Password:passphrase Installation steps 27

28 Verifying - Enter Encryption Password:passphrase Loading 'screen' into random state - done c:\zencrypt> e. To display the client certificate request, use the cat command: C:\zencrypt>cat client.csr -----BEGIN CERTIFICATE REQUEST----- MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH EwlDdXBlcnRpbm8xCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxEDAOBgNVBAMT B05TU3VzZXIxITAfBgkqhkiG9w0BCQEWEm1hcmMucGFsb21hQGhwLmNvbTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmb7qDVMatrKRN8NIepS9f51Waw fjtliooc/u3ke7uk2nk207rm6elvgwznomrwfcsbpqnxhuptaaobu5c0wcw6tiap 2F36wYb8Zlq8q51pDwa/tUktkmlBWn4aNZJZCL5mIN6u5Jiz+TfHMkLHc1cVxjfm 82B6dKip49CePTI5UT4ayBoOQj0NdGtWeQYWhhFJfSu5w6EjHavCANCzl57kHpgO ItykW8lrFgM8H57sQ/csBbDVU/fsNiXBnlpxTtq4PvyZvhbcKsfbgXK1zqV/SlEu IgUDfKbU4IuV09Sh6SKORRDRd03NOiSsXfeZGKOo3m87+7ViNzaln93JiF8CAwEA AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQC0f2yAr8EMo50izNCNskaRRlEQACB275Wd Zu7iq69t2oiSGdnhF2Qx59wJHfR+/QB9TJdnplVpXfp3U7ZmZBKnZEsnw3jHjTYf vlzueawybljn2jfuvl8lldbyrumvm7nazmgpsgfhpeev8avbewshjva3ubpqc92n 9aqqJhxXYCORWQkPdTzRbsCDMemWRILYet0I8smKk0+bp/1p3uEFAOwyYu2Uz4ie Vx9jtGN3YoS4fm42QCXQxuLsCIzmEw33Kwae/njyxJML3YWl8Ar3zfPjbBvR77/0 3f2cvZoUl0ktKSw9BEOVllLkVil/9EkttGZ6djJPQkCDjMAoDFqa -----END CERTIFICATE REQUEST----- C:\zencrypt> f. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST g. Sign the NSSuser client certificate request with the local CA NSVLECA: 1) Log onto the Enterprise Secure Key Manager GUI as admin. On the Security tab, select Local CAs. 2) Select the trusted local CA NSVLECA and click Sign Request: h. Select Client as Certificate Purpose. Paste the copied certificate request into the box. 28 Installation

29 i. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate: Installation steps 29

30 j. Click Download at the bottom of the NSSuser signed client certificate. When the system asks if you want to open or save the signed.cer file, select Save. k. Save the NSSuser signed client certificate in the C:\zencrypt directory on your PC and name the saved file client.signed. When the download completes, click the Close button. NOTE: Windows appends.cer to the end of the specified filename so the actual signed certificate is saved on the PC as client.signed.cer. l. Use the OpenSSL command to convert the PEM formatted NSSuser client signed certificate that you saved to the PC in Step K to a DER formatted client signed certificate: C:\zencrypt> openssl x509 -inform PEM -in client.signed.cer -outform DER -out client.signed.der C:\zencrypt> 30 Installation

31 m. In your temporary directory, create a file called nssupass.txt. Type the NSSuser passphrase that you entered in Step 2 into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the Register CLIMs with Key Managers guided procedure in 8. Registering the CLIMs (page 41).) n. Verify that the directory has these files: C:\zencrypt> dir Volume in drive C is PC COE Volume Serial Number is D0BC-6439 Directory of C:\zencrypt 09/17/ :16 PM <DIR>. 09/17/ :16 PM <DIR>.. 09/17/ :00 PM 1,033 client.csr 09/17/ :00 PM 1,751 client.key 09/17/ :00 PM 1,261 client.key.der 09/17/ :00 PM 5,684 client.key.pem 09/17/ :08 PM 1,313 client.signed.cer 09/17/ :11 PM 928 client.signed.der 09/17/ :16 PM 11 nssupass.txt 7 File(s) 11,981 bytes 2 Dir(s) 426,107,215,872 bytes free C:\zencrypt> o. FTP the NSSuser passphrase file (NSSUPASS), the DER formatted NSSuser private key file (NSSUKEY), and the DER formatted NSSuser signed client certificate (NSSUCERT) to the $SYSTEM.ZENCRYPT subvolume on the NonStop system: C:\zencrypt>ftp osm8.caclab.cac.cpqcorp.net Connected to osm8.caclab.cac.cpqcorp.net. 220 OSM8.caclab.cac.cpqcorp.net FTP SERVER T9552J01 (Version J01 TANDEM 10JUL200 9) ready. User (osm8.caclab.cac.cpqcorp.net:(none)): super.super 331 Password required for SUPER.SUPER. Password: 230 User SUPER.SUPER logged in. GUARDIAN API enabled ftp> ftp> cd $system.zencrypt 250 CWD command successful. ftp> ftp> put nssupass.txt nssupass 200 PORT command successful. 150 Opening data connection for nssupass ( ,62449d). 226 Transfer complete. ftp: 11 bytes sent in 0.03Seconds 0.42Kbytes/sec. ftp> ftp> binary 200 Type set to I. ftp> ftp> put client.key.der nssukey,0 200 PORT command successful. 150 Opening data connection for nssukey ( ,62452d). 226 Binary Transfer complete. ftp: 1261 bytes sent in 0.00Seconds Kbytes/sec. ftp> put client.signed.der nssucert,0 200 PORT command successful. 150 Opening data connection for nssucert ( ,63991d). 226 Binary Transfer complete. ftp: 933 bytes sent in 0.00Seconds Kbytes/sec. ftp> ftp> quit 221 Goodbye. p. Delete the temporary files in the C:\zencrypt directory and the directory itself: C:\zencrypt> del * C:\zencrypt\*, Are you sure (Y/N)? y Installation steps 31

32 C:\zencrypt>cd.. C:\> rmdir zencrypt q. Log onto the NonStop system as SUPER.SUPER, volume to $SYSTEM.ZENCRYPT, and FUP SECURE the files in the ZENCRYPT subvolume that you transferred. Using % as the secure-option sets the file security to "CCCC" and sets the CLEARONPURGE option to ON. When these files are purged the data in the file will be physically deallocated by overwriting the file space with blank data. $SYSTEM.ZENCRYPT 25> fup secure zencrypt.*, % $SYSTEM.ZENCRYPT 26> fileinfo zencrypt.* $SYSTEM.ZENCRYPT CODE EOF LAST MODIFIED OWNER RWEP PExt SExt NSSUCERT JAN :24 255,255 CCCC NSSUKEY JAN :24 255,255 CCCC NSSUPASS JAN :24 255,255 CCCC $SYSTEM.ZENCRYPT 27> Now the NonStop system has these files: NSSuser passphrase file (NSSUPASS) NSSuser private key file (NSSUKEY NSSuser signed client certificate (NSSUCERT Go on to H. Adding local CA, other local CAs, and known CAs to the key manager trusted CA list (page 39). Creating a signed NSSuser client certificate with CLIMCMD a. Log on to a TACL prompt as SUPER.SUPER on the system where you are creating the NSSuser files. Use the VOLUME command to create the $SYSTEM.ZENCRYPTsubvolume: $SYSTEM STARTUP 2> VOLUME $SYSTEM.ZENCRYPT $SYSTEM ZENCRYPT 3> $SYSTEM ZENCRYPT 3> fileinfo * No files match \OSM8.$SYSTEM.ZENCRYPT.* $SYSTEM ZENCRYPT 4> b. Use the CLIMCMD mkdir command to create a temporary directory on the CLIM. You can use any CLIM on the system. This example uses a Storage CLIM named C and a temporary directory zencrypt : $SYSTEM ZENCRYPT 4> climcmd c mkdir /tmp/zencrypt/ comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Termination Info: 0 $SYSTEM ZENCRYPT 5> 32 Installation

33 c. Use the CLIMCMD OpenSSL command to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. To protect the private key, choose a strong passphrase. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser. Enter this command, all on one line: $SYSTEM ZENCRYPT 5> climcmd c openssl req -newkey rsa:2048 -keyout /tmp/zencrypt/client.key -out /tmp/zencrypt/client.csr The system responds, prompting you to enter various fields. Responses are shown in bold: comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Generating a 2048 bit RSA private key Enter PEM pass phrase:passphrase Verifying - Enter PEM pass phrase:passphrase You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Cupertino Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP Organizational Unit Name (eg, section) []:NonStop Common Name (eg, YOUR name) []:NSSuser Address []:My .Id@hpe.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. Termination Info: writing new private key to '/tmp/zencrypt/client.key' Enter PEM pass phrase:passphrase Verifying - Enter PEM pass phrase:passphrase You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Cupertino Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP Organizational Unit Name (eg, section) []:NonStop Common Name (eg, YOUR name) []:NSSuser Address []:My .Id@hp.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. Termination Info: 0 $SYSTEM ZENCRYPT 6> d. Use the CLIMCMD OpenSSL command to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key. Enter this command, all on one line: Installation steps 33

34 $SYSTEM ZENCRYPT 6> climcmd c openssl rsa -in /tmp/zencrypt/client.key -text -out /tmp/zencrypt/client.key.pem comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Enter pass phrase for /tmp/zencrypt/client.key:passphrase writing RSA key Termination Info: 0 $SYSTEM ZENCRYPT 7> e. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be asked to enter the passphrase that you used to create the private key. Enter this command, all on one line: $SYSTEM ZENCRYPT 7> climcmd c openssl pkcs8 -topk8 -in /tmp/zencrypt/client.key.pem -outform DER -out /tmp/zencrypt/client.key.der comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Enter Encryption Password: passphrase Verifying - Enter Encryption Password: passphrase Termination Info: 0 $SYSTEM ZENCRYPT 8> f. To display the client certificate request, use the CLIMCMD cat command: $SYSTEM ZENCRYPT 8> climcmd c cat /tmp/zencrypt/client.csr The system responds: comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b -----BEGIN CERTIFICATE REQUEST----- MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH EwlDdXBlcnRpbm8xCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxEDAOBgNVBAMT B05TU3VzZXIxITAfBgkqhkiG9w0BCQEWEm1hcmMucGFsb21hQGhwLmNvbTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKLFhBMpa0PyyPTMpG8DGqJn97GH l/xgvdojy6jihblau9/f6z7lmlibtdci3axcbux+0t3xnqv2ea+woevy/ddkngdh hhgi/q2drix23kzctfgk2gvty/cfrpyagbazxyzpxqjrfadau2n/gjrgafygx49n WRJ9+dy2+HKUxsRKUFYQ8aZt2B/ySfqLwttAELm+nCqYgYl2HA+JYluLBI7F7ntX ZqQQvlvf0eX7oflnHIlZTDgF0LXhUkpoprCrN7VJr/SMjOKQmtUa2wszEKOxbTr1 6beoDMRA3Xp5luCGVtG9Ez/QuBAjVhMfUDFvfnq0P4C6FnataajjH7w4PNsCAwEA AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAWroF7LGsW2PpAoX3smbtQQEyV1nQusFyb s7ktcb6vaykantn8u0ejz88gx+b3ncsmohhh5nyea2omg50cozsrft4hofzch+mn n5renssv9gv0m/8vlwn/cnlpfa4zg2hphmt91o1vgm1iahvlbyiezeydobrrjy+c TJesDbYp78lkv9J+fWPfvyd3DSLJmjUZHDmgCmO42n0AmXcilk79WEe/a/WMXRid e9sk3uhafo3in5hcjd3sp5cdqjt00sawyfx0dcj7pta0zpxpe/h4b11fober4d/m hnf8epsbbte5z/pxydy5uf4nbltqefd/ghqi5xrp0ksswm0pbzou -----END CERTIFICATE REQUEST----- Termination Info: 0 $SYSTEM ZENCRYPT 9> g. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST h. Sign the NSSuser client certificate request with the local CA NSVLECA: 1) Log onto the Secure Key Manager GUI as admin. On the Security tab, select Local CAs. 2) Select the trusted local CA NSVLECA and click Sign Request: 34 Installation

35 i. Select Client as Certificate Purpose. Paste the copied certificate request into the box. Installation steps 35

36 j. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate: k. Select and copy the NSSuser client signed certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE l. Go back to the TACL prompt and use TEDIT to create a file on the NonStop system called SIGNCERT: $SYSTEM ZENCRYPT 9> tedit SIGNCERT $SYSTEM.ZENCRYPT.SIGNCERT doesn't exist. OK to create? Respond Y or N: y m. Paste the NSSuser signed client certificate into the SIGNCERT edit file. 36 Installation

37 Save and close the file. The NSSuser signed client certificate is now on the NonStop system. $SYSTEM ZENCRYPT 10> fileinfo * $SYSTEM.ZENCRYPT CODE EOF LAST MODIFIED OWNER RWEP PExt SExt SIGNCERT SEP :19 255,255 NUNU n. In the same subvolume, use TEDIT to create a file called NSSUPASS. Type the NSSuser passphrase that you entered in Step C into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the Register CLIMs with Key Managers guided procedure in 8. Registering the CLIMs (page 41).) The NSSuser passphrase is now on the NonStop system: $SYSTEM ZENCRYPT 12> fileinfo * $SYSTEM.ZENCRYT CODE EOF LAST MODIFIED OWNER RWEP PExt SExt NSSUPASS SEP :21 255,255 NUNU SIGNCERT SEP :19 255,255 NUNU o. Use the SCF INFO CLIM $ZZCIP.clim-name, DETAIL command to get the Maintenance Interface IP address of the CLIM: $SYSTEM ZENCRYPT 14> scf info clim $zzcip.c100231, detail SCF - T9082H01 - (04DEC06) (15NOV06) - 09/21/ :02:28 System \OSM8 (C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P. CIP Detailed Info CLIM \OSM8.$ZZCIP.C Mode... STORAGE Configured Location... Group 100, Module 2, Slot 3, Port 1 ConnPts... 2 X1 Location... Group 100, Module 2, Slot 3, Port 1 Y1 Location... Group 100, Module 3, Slot 3, Port 1 SvNet ID x000E08C6 X2 Location... Group 100, Module 2, Slot 3, Port 2 Y2 Location... Group 100, Module 3, Slot 3, Port 2 SvNet ID x000E09C6 Maintenance Interface IP Total Errors = 0 Total Warnings = 0 Installation steps 37

38 p. Use SFTP to transfer the SIGNCERT file to the Maintenance Interface IP Address of the CLIM. Once connected to the CLIM, put the SIGNCERT file into the CLIM s /tmp/zencrypt directory: $SYSTEM ZENCRYPT 15> sftp -S $zssp0 root@ comforte SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086 Connecting to via SSH2 process $zssp0... sftp> put signcert /tmp/zencrypt/client.signed Uploading signcert to /tmp/zencrypt/client.signed Filename BytesNow % Bytes/s Remaining signcert 0 0% 0.0KB --: Filename BytesNow % Bytes/s TimeSpent signcert % 0.0KB 00: bytes transferred in 0 seconds ( 0.0KB/s) sftp> sftp> quit q. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser client signed certificate that you SFTPed to the CLIM in Step p to a DER formatted client signed certificate: $SYSTEM ZENCRYPT 16> climcmd c openssl x509 -inform PEM -in /tmp/zencrypt/client.signed -outform DER -out /tmp/zencrypt/client.signed.der comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Termination Info: 0 $SYSTEM ZENCRYPT 17> r. Use SFTP to transfer the DER formatted NSSuser client signed certificate and the DER formatted NSSuser client private key back to the NonStop system. Use binary transfer mode: $SYSTEM ZENCRYPT 17> sftp -S $zssp0 root@ comforte SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086 Connecting to via SSH2 process $zssp0... sftp> binary File transfermode is now binary sftp> get /tmp/zencrypt/client.signed.der nssucert,0 Fetching /tmp/zencrypt/client.signed.der to nssucert, Filename BytesNow % Bytes/s Remaining /tmp/zencrypt/client.signed.der 0 0% 0.0KB --: Filename BytesNow % Bytes/s TimeSpent /tmp/zencrypt/client.signed.der % 0.0KB 00: bytes transferred in 0 seconds ( 0.0KB/s) sftp> sftp> get /tmp/zencrypt/client.key.der nssukey,0 Fetching /tmp/zencrypt/client.key.der to nssukey, Filename BytesNow % Bytes/s Remaining /tmp/zencrypt/client.key.der 0 0% 0.0KB --: Filename BytesNow % Bytes/s TimeSpent /tmp/zencrypt/client.key.der % 0.0KB 00: bytes transferred in 0 seconds ( 0.0KB/s) sftp> sftp> quit s. Verify that the NonStop temporary subvolume contains the DER formatted NSSuser signed certificate, the DER formatted NSSuser private key, the NSSuser passphrase file, and the signed certificate file: 38 Installation

39 $SYSTEM ZENCRYPT 18> fileinfo * $SYSTEM.ZENCRYPT CODE EOF LAST MODIFIED OWNER RWEP PExt SExt NSSUCERT SEP :32 255,255 NUNU NSSUKEY SEP :32 255,255 NUNU NSSUPASS SEP :21 255,255 NUNU SIGNCERT SEP :19 255,255 NUNU t. Secure these files as CCCC : $SYSTEM ZENCRYPT 19> fup secure *, CCCC $SYSTEM ZENCRYPT 20> $SYSTEM ZENCRYPT 20> fileinfo * $SYSTEM.ZENCRYPT CODE EOF LAST MODIFIED OWNER RWEP PExt SExt NSSUCERT SEP :32 255,255 CCCC NSSUKEY SEP :32 255,255 CCCC NSSUPASS SEP :21 255,255 CCCC SIGNCERT SEP :19 255,255 CCCC $SYSTEM ZENCRYPT 21> u. Use the CLIMCMD rm command to delete the files on the temporary directory on the CLIM: $SYSTEM ZENCRYPT 23> climcmd c rm -rf /tmp/zencrypt/ comforte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b Termination Info: 0 $SYSTEM ZENCRYPT 24> The signed NSSuser client certificate has been created. Go on to H. Adding local CA, other local CAs, and known CAs to the key manager trusted CA list (page 39). H. Adding local CA, other local CAs, and known CAs to the key manager trusted CA list The trusted CA list is the list of CAs that the key manager can use to verify a client certificate. Add any known CAs that you have installed to the Trusted CA List profile, along with the local CAs created to be used to sign the CLIM client certificates. a. On the Security tab, select Trusted CA Lists. b. Select the radio button for the profile name Default: c. Select Properties for the Trusted Certificate Authority List d. Select Edit for the Trusted Certificate Authority List: Installation steps 39

40 e. Find the desired local CA on the Available CAs list and the imported CAs (if any) and add it to the Trusted CAs list, using the Add button: f. Click Save. 40 Installation