HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries


Abstract

This document provides information about configuring the HP Enterprise Secure Key Manager (ESKM) for use with HP tape libraries. This book is intended for security officers, system administrators, and IT personnel responsible for operating and maintaining ESKM for use with HP tape libraries.

HP Part Number: QN998-96121
Published: September 2013
Edition: 3rd

Copyright 2011, 2013 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Warranty: http://www.hp.com/go/storagewarranty

Contents

1 Prerequisites and Planning ... 4
  Network Ports ... 4
  Library Partitioning ... 4
  Determining the Appropriate Key Generation Policies ... 5
  HP Tape Library Hardware and Firmware Requirements ... 6
  ESKM Tiers ... 6
  ESKM Pre-installation Checklists ... 7
2 Creating ESKM Client Accounts ... 11
3 Enrolling HP Tape Libraries with the ESKM ... 15
  Enrolling ESL E-Series and EML E-Series Libraries ... 15
  Verifying Connectivity from the Library to ESKM ... 34
  Enrolling ESL G3 Libraries ... 35
  Enrolling MSL6480 Libraries ... 44
4 Verifying Proper Configuration of the ESKM and Tape Libraries ... 46
  Test 1: Verify that Tape Backups are Encrypted ... 46
    Test Summary ... 46
    Prerequisites ... 46
    Pre-test Configuration Steps ... 47
    Test Steps ... 47
    Issues ... 48
  Test 2: Verify that Each ESKM Node Supports Tape Library Operations after Failure of a Single Node ... 48
    Test Summary ... 48
    Prerequisites ... 48
    Pre-test Configuration Steps ... 48
    Test Steps ... 49
    Issues ... 49
    Example Verification ... 49
5 Support and Other Resources ... 56
  Contacting HP ... 56
  Typographic Conventions ... 56
  Documentation feedback ... 56
Index ... 57

1 Prerequisites and Planning

The following must be installed before configuring ESKM to use HP tape libraries:
- All ESKM nodes, configured in a cluster
- Server-side licenses, if necessary
- Tape libraries, which must be operational and have firmware installed that supports ESKM
- Client-side licenses for the library's encryption feature

Before configuring ESKM to use HP tape libraries:
- Have the pre-installation checklist from the ESKM Installation and Configuration Guide available.
- Create the ESKM client accounts for each HP tape library. See Creating ESKM Client Accounts (page 11).

The following sections will help you choose the configuration options and key generation policies that are appropriate for your system.

Network Ports

Network connectivity must be provided between the nodes of the ESKM cluster, the tape libraries, and the Command View management software (if used). If firewalls exist between any of those components, then ports must be opened to allow this traffic. All ports are TCP ports. See Table 1 (page 4) for the ports that are used.

Table 1 SKM or ESKM Network Ports

Port number   Purpose
22            SSH login to SKM or ESKM
161           SNMP from SKM or ESKM
9000          ETLA login to SKM or ESKM
9081          FIPS status server from SKM or ESKM
9001          SKM or ESKM networking
9443          Web login to SKM or ESKM

Library Partitioning

Determine what portion of your backups will be encrypted and provision sufficient LTO4 or later generation drives to meet those requirements. If some of the LTO4 or later generation tape drives in a library will be used for encryption and others will not, then the library must be partitioned before the client account on the ESKM can be created. Each partition must have a separate key generation policy that will apply to all LTO4 or later generation drives in that partition.

For example, if you have eight LTO4 or later generation drives but only want two of them to be used for encryption, partition the library so that one partition contains two LTO4 or later generation drives and the other partition contains the remaining six drives. If a library is not partitioned, then all LTO4 or later generation drives will be used for encryption after the ESKM has been configured. The number of libraries and LTO4 or later generation tape drives dedicated to encrypting backup data will depend on your business needs.

NOTE: Partitioning the library is not part of the ESKM installation service. However, if there will be both encrypting and non-encrypting drives in the same tape library, it is necessary to partition the library. Any partitioning steps must be complete before the ESKM is installed. Consult the user's guide for your tape library for instructions on library partitioning.

Planning steps:
- Have a list of libraries to be enrolled with the ESKM.
- For each library, have a list of LTO4 or later generation drives that will be used for encryption.
- If there are also LTO4 or later generation drives in the libraries that will have different encryption policies, ensure a partition is configured for each policy before the ESKM installation occurs.

Determining the Appropriate Key Generation Policies

Key generation policies allow the security officer (SO) or ESKM administrator to centrally control and audit how encryption is performed. These policies provide a crisp, unambiguous definition of when encryption is and is not performed. This supports the SO's broader ability to provide specific, auditable security policies for the data center.

Each partition in the library must have a key generation policy. Each partition may have a different key generation policy, depending on the business needs. If the library is not partitioned, then all LTO4 or later generation drives in the library have the same policy.

Consider partitioning the library if any of the following are true:
- If your business needs require more than one key generation policy for a single library, the library must be partitioned before setting up the ESKM client account for that library.
- If the library contains a mixture of both encrypting and non-encrypting tape drive technologies, HP recommends creating separate partitions for each drive type. Only LTO4 and later generation drives can be configured for encryption.

For more information on partitioning HP tape libraries, see the user guide for your HP tape library.

The HP ESKM and HP tape libraries support the following key generation policies:

Key per tape (KT)
Each LTO4 or later generation tape in the partition (or library) is encrypted with a different key. Also, a new key is created each time that tape is overwritten from the beginning. Key names are associated with a unique media ID for that cartridge. All data written on the tape is encrypted with the same key, even if data is appended to the media later. HP recommends using the KT policy.

Key per partition, or key per library (KP)
All LTO4 or later generation tapes in the partition (or library) use copies of one key. However, each copy has a unique key name. Key names are associated with a unique ID associated with the tape cartridge. All data written on the tape is encrypted with the same key, even if data is appended to the media later. The key remains in effect until the ESKM administrator or SO changes it.

No encryption (NE)
All LTO4 or later generation drives in the partition (or library, if the library is not partitioned) will always read and write without any encryption. These drives are not configured to read encrypted data from other partitions, either. Furthermore, backup and archive software using the tape drives cannot enable encryption on the tape drives.

Externally managed (EM)
Similar to the No Encryption (NE) policy, except that keys are allowed from backup and archive software. However, like NE, the HP tape library and ESKM do not provide or manage these keys. Currently, only the ESL G3 tape library supports the EM policy.

NOTE: Non-encrypted tapes can always be read regardless of the policy in effect. LTO4 or later generation drives in an encrypting partition managed by ESKM (KT or KP) will only write encrypted data.

Planning step: For each library being enrolled with the ESKM, list the desired key generation policy for each partition. If the library is not partitioned, list the key generation policy to be applied to the entire library.

Using the library GUI or CVTL, determine the serial number of each partition in the library. The serial numbers are part of each partition's key-generation policy. Every partition must have a separate key generation policy even if all the policies are the same or if a policy is No Encryption.

HP Tape Library Hardware and Firmware Requirements

Earlier versions of CVTL and library firmware only support the HP Secure Key Manager (SKM). More recent versions support both SKM and ESKM. If necessary, update CVTL and/or library firmware to a version with ESKM support.

Planning step: For each HP tape library connected to the ESKM, ensure that the library firmware has ESKM support prior to beginning ESKM installation. If necessary, upgrade the firmware.

The following are the minimum HP tape library firmware versions required to support ESKM:

EML E-Series tape library: 1407
  Command View TL: 2.7.00
  Interface Manager: I270
  LTO4 tape drive: H58S
  LTO5 tape drive: I3AS
  LTO6 tape drive: J2AS
ESL E-Series tape library: 7.6
  Command View TL: 2.7.00
  Interface Manager: I270
  LTO4 tape drive: H58W
  LTO5 tape drive: I3BW
ESL G3 library firmware: 620H.GS07101
  Command View TL: 2.8.00
  LTO4 tape drive: H63W
  LTO5 tape drive: I3FW
  LTO6 tape drive: J2AW
MSL6480 library firmware: 3.90
  Command View TL: 2.8.00
  LTO4 and later generation drives: all supported firmware versions

ESKM Tiers

Each tape library can communicate with the ESKM server cluster via up to 18 different IP addresses. If the library cannot communicate with one of the ESKM IP addresses, it will fail over to the next on the list. These 18 addresses are provided in three tiers of six addresses each. The purpose of tiering is to control the order used during failover. For example, there may be four ESKM nodes in the cluster, two in the Americas, one in Europe, and one in Asia. For a library in the Americas, the first tier would contain the two ESKMs in the Americas. Failover will try to use those units first. The second tier may be the node in Europe, and the third tier may be the node in Asia. This directs the failover in a way which prefers nearer units over more distant units.
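The tier assignment and failover order described above, worked through as an added example in Python (this is not code from the HP guide). It encodes the stated limit of three tiers of six addresses, builds tiers from a constructed node inventory with example.com host names ordered nearest-region-first, lists the order the library will try the nodes when some have failed, and adds a plain TCP reachability probe on the KMS server port (9000, per Table 1) as a pre-installation firewall check; the region names, host names and the probe helper are assumptions for the example.

```python
"""Plan ESKM tiers for a tape library and compute its failover order.

Added example, not code from the HP guide. It models the rule in the text:
each library holds up to 18 ESKM addresses in three tiers of six, tried tier
by tier. Region names and the node inventory below are constructed.
"""
import socket

MAX_TIERS = 3
MAX_PER_TIER = 6

# TCP ports from Table 1 that a library-to-ESKM firewall rule must allow.
KMS_PORT = 9000         # KMS server port (default on the checklist)
MANAGEMENT_PORT = 9443  # web login / manageability port


def validate_tiers(tiers):
    """Return a list of problems with a tier plan (empty list if it is valid)."""
    problems = []
    if len(tiers) > MAX_TIERS:
        problems.append(f"at most {MAX_TIERS} tiers are supported")
    seen = set()
    for i, tier in enumerate(tiers, start=1):
        if len(tier) > MAX_PER_TIER:
            problems.append(f"tier {i} holds more than {MAX_PER_TIER} addresses")
        for addr in tier:
            if addr in seen:
                problems.append(f"address {addr} listed twice")
            seen.add(addr)
    return problems


def assign_tiers(nodes, preference):
    """Group ESKM nodes into tiers by region, nearest region first.

    nodes: list of (address, region) tuples for the whole cluster.
    preference: regions ordered nearest-first for the library being enrolled,
                e.g. ["Americas", "Europe", "Asia"] for a library in the Americas.
    Nodes in a region not named in preference are left out of the plan.
    """
    tiers = []
    for region in preference:
        addrs = [addr for addr, node_region in nodes if node_region == region]
        if addrs:
            tiers.append(addrs)
    problems = validate_tiers(tiers)
    if problems:
        raise ValueError("; ".join(problems))
    return tiers


def failover_order(tiers, failed=()):
    """Addresses in the order the library tries them, skipping failed nodes."""
    return [addr for tier in tiers for addr in tier if addr not in failed]


def probe_tcp(address, port=KMS_PORT, timeout=2.0):
    """True if a TCP connection to address:port succeeds (assumed firewall check)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed inventory: four nodes, two in the Americas, one each in Europe and Asia.
    inventory = [
        ("eskm-us-1.example.com", "Americas"),
        ("eskm-us-2.example.com", "Americas"),
        ("eskm-eu-1.example.com", "Europe"),
        ("eskm-ap-1.example.com", "Asia"),
    ]
    plan = assign_tiers(inventory, ["Americas", "Europe", "Asia"])
    for n, tier in enumerate(plan, start=1):
        print(f"Tier {n}: {', '.join(tier)}")
    print("Order if eskm-us-1 is down:",
          failover_order(plan, failed={"eskm-us-1.example.com"}))
    for addr in failover_order(plan):
        print(f"{addr}:{KMS_PORT} reachable -> {probe_tcp(addr)}")
```

Run it from the library's network segment so the probe exercises the same firewall path the library will use; a node that is unreachable on port 9000 from there will be skipped during failover even though it is healthy in the cluster.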

ESKM Pre-installation Checklists

Prepare to install and use the ESKM system by recording the following information. If any information is missing, it will delay or prevent complete configuration and functioning of the ESKM system and the library's data encryption feature.

You will need the serial number of the HP tape library to be enrolled as an ESKM client. If the library is partitioned, you will need the serial number of each partition. To locate the serial numbers:

ESL E-Series and EML E-Series libraries
The library serial number is available from Command View TL. Select and manage the library to be enrolled. Click the Identity tab. The library serial number is shown at the bottom of the screen.
Partition serial numbers are also available from Command View TL. Select and manage the library to be enrolled. Click the Configuration tab. In the left-hand section of the window, click Partitioning. The library partitions are shown in the Partitioning section of the window to the right. For each partition, right-click the name of the partition and select Properties. The partition serial number is shown near the top of the Properties window.

ESL G3 libraries
Log into the library as the Security user. All of the library partitions are shown in the Managed Views window. Select each partition; the partition serial number is shown in the System Information box above the Managed Views.

MSL6480 libraries
Log into the library as the security or administrator user. All of the library partitions are shown in the Status > Partition Map > Configuration Status screen.

Table 2 HP Tape Library 1 Device Information

Library Information
  Library model
  Library firmware (ETLA 2.7 or higher; ESL G3 620H.GS07101 or higher; MSL6480 3.90 or higher)
  Library clock is set, or NTP enabled?
  Client licenses installed?
  IP address of the library or Command View
  Security User username and password, for Command View TL or ESL G3
  Library's ESKM client account name available?
  Library's ESKM client account password available?
  Partition 1 s/n and Policy (for example, US12345678, KT)
  Partition 2 s/n and Policy
  Partition 3 s/n and Policy
  Partition 4 s/n and Policy
  Partition 5 s/n and Policy

ESKM Information
  ESKM admin username and password available?
  ESKM Key Sharing Group name is available?
  ESKM node 1 IP address
  ESKM node 1 tier
  ESKM node 2 IP address
  ESKM node 2 tier
  ESKM manageability port (default: 9443)
  ESKM KMS server port (default: 9000)

Backup Software Access
  Backup servers & application IP address
  Backup server username and password
  Scratch LTO4/5 media available?

Table 3 HP Tape Library 2 Device Information and Table 4 HP Tape Library 3 Device Information repeat the same Library Information, ESKM Information and Backup Software Access fields for the second and third tape library.

2 Creating ESKM Client Accounts

In this section, an ESKM client account will be created for each tape library and then each tape library will be configured to obtain keys from the ESKM. The process is the same for all HP tape libraries that support ESKM.

NOTE: A client-side license is required on most HP tape libraries that support ESKM.

Ensure that all HP tape libraries which will use the ESKM are in green status before setting up their client accounts. The HP tape libraries must have LTO4 or later generation tape drives installed, and the library and its components must have firmware versions that support the ESKM key manager. Instructions for obtaining and updating firmware can be found in the library's user and service guide.

In the following steps, key generation policies are assigned per library partition, or per physical library if there are no partitions.

TIP: For ESL E-Series and EML E-Series libraries, if you have Command View TL open in a separate browser window you can copy and paste the serial numbers from Command View to the ESKM console.

Procedure 1
1. Complete the pre-installation checklists and have them available. See ESKM Pre-installation Checklists.
2. In an internet browser, log in as the administrator to open the ESKM cluster, for example: https://eskm-05.example.com:9443/
3. Click the Security tab.
4. In the navigation column, select Local Users & Groups.
5. Click Add to create a user.
6. Enter the user name and password in the empty fields.
   User name: can be any value but must be unique for each HP tape library.
   Password: cannot be a dictionary word, must be eight or more characters, must contain both alpha and numeric characters, and must begin with a letter. Passwords are case-sensitive.
7. Unselect the following check boxes:
   User Administration Permission
   Change Password Permission
8. Select the newly created user and click the Custom Attributes tab.
9. Click Add.
10. Enter the following:
    a. Attribute name: KeyGenPolicy
    b. Attribute value (one of the following per partition):
       <Partition Serial Number><space><KP><space><partition master key>
       <Partition Serial Number><space><KT>
       <Partition Serial Number><space><NE>
       <Partition Serial Number><space><EM>
       Currently, only the ESL G3 tape library supports the EM policy. KP is Key per Partition, KT is Key per Tape, NE is No Encryption, and EM is Externally Managed.
       IMPORTANT: Every library partition must have a key generation policy. When entering policies for ESL G3 libraries, be sure to include a policy for the AMP partition; HP recommends using the NE policy.
    c. Click Save.
11. For partitions using the KP policy, select the Security tab. For all other policies, skip to Step 16.
12. In the navigation column, select Keys.
13. Click Create Key.
14. Enter the following information:
    Key Name (for example, im25key1)
    Owner Username: the user created in the previous steps (for example, FCLib01)
    Algorithm: AES-256
    Deletable: checked
    Exportable: checked
    Versioned Key Bytes: unchecked
    Copy Group Permissions From: None (the default)
15. Click Create.
16. Create a key sharing group so HP tape libraries can share keys.
    IMPORTANT: When keys are created, they are automatically accessible to all the libraries in that key sharing group. Encrypted media may be exported from one library in a key sharing group and imported to another tape library for decryption. You may have additional groups for more complex sharing requirements. Therefore, HP strongly recommends creating a key sharing group even if you only have one tape library. Key sharing only applies to keys that are created after the group is created, so it is important to create the key sharing group prior to creating keys.
    a. Select the Security tab.
    b. In the Users & LDAP menu, select Local Users & Groups.
    c. Under User & Group Configuration, scroll to the Local Groups section.
    d. Click Add.
    e. Type the name of the group in the edit field. For example, MainDataCenter.
    f. Select the name of the new group.
    g. Under User List, click Add.
    h. Type the username of the library client to be added to the group, or use the down arrow to select the library name from the displayed list.
    i. Click Save.
17. Repeat this procedure for each library to be enrolled in the ESKM.
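A pre-flight check for the inputs this procedure asks you to type into the ESKM console, as an added Python example (not code from the HP guide): it applies the password rule from Step 6 and the KeyGenPolicy attribute format from Step 10 (one "<serial> <policy>" value per partition, a master key name only with KP, EM only on ESL G3, a policy for every partition including the ESL G3 AMP partition). The dictionary-word check uses a small constructed word list in place of a real dictionary, and the serial numbers, library models and key names in the tests are constructed.

```python
"""Check a tape library's ESKM client-account inputs before entering them.

Added example, not from the HP guide. It encodes the rules the procedure
states (Step 6 password rule, Step 10 KeyGenPolicy format and its IMPORTANT
note). COMMON_WORDS is a constructed stand-in for a real dictionary check.
"""

POLICIES = {"KP", "KT", "NE", "EM"}
COMMON_WORDS = {"password", "backup", "library", "welcome"}  # constructed list
EM_SUPPORTED_MODELS = {"ESL G3"}  # the guide: only ESL G3 supports EM


def password_problems(pw):
    """Return rule violations for an ESKM client password (empty list if OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not pw[:1].isalpha():
        problems.append("does not begin with a letter")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        problems.append("needs both letters and digits")
    if pw.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


def parse_policy(value):
    """Parse one KeyGenPolicy value into (serial, policy, master_key_or_None)."""
    parts = value.split()
    if len(parts) < 2:
        raise ValueError(f"{value!r}: expected '<serial> <policy>'")
    serial, policy = parts[0], parts[1].upper()
    if policy not in POLICIES:
        raise ValueError(f"{value!r}: unknown policy {policy}")
    if policy == "KP":
        # KP carries the name of the partition master key as a third field.
        if len(parts) != 3:
            raise ValueError(f"{value!r}: KP requires a partition master key name")
        return serial, policy, parts[2]
    if len(parts) != 2:
        raise ValueError(f"{value!r}: {policy} takes no extra field")
    return serial, policy, None


def policy_problems(model, partition_serials, policy_values, amp_serial=None):
    """Cross-check planned KeyGenPolicy values against the library's partitions.

    model: library model string from the checklist (e.g. "ESL G3", "MSL6480").
    partition_serials: partition serial numbers read from the library GUI.
    policy_values: the attribute values about to be entered, one per partition.
    amp_serial: for ESL G3, the AMP partition's serial (it needs a policy too).
    """
    problems = []
    covered = {}
    for value in policy_values:
        try:
            serial, policy, _key = parse_policy(value)
        except ValueError as err:
            problems.append(str(err))
            continue
        if serial in covered:
            problems.append(f"{serial}: more than one policy listed")
        covered[serial] = policy
        if policy == "EM" and model not in EM_SUPPORTED_MODELS:
            problems.append(f"{serial}: EM is only supported on ESL G3")
    for serial in partition_serials:
        if serial not in covered:
            problems.append(f"{serial}: no key generation policy")
    if model == "ESL G3" and amp_serial and amp_serial not in covered:
        problems.append(f"AMP partition {amp_serial} has no policy (NE recommended)")
    return problems


if __name__ == "__main__":
    # Constructed checklist for an MSL6480 with two partitions.
    print(password_problems("Tape2013x"))  # constructed password that passes
    print(policy_problems("MSL6480", ["US12345678", "US12345679"],
                          ["US12345678 KT", "US12345679 KP im25key1"]))
```

A non-empty list from either function means the value would be rejected by the ESKM console or, worse for KeyGenPolicy, silently leave a partition without a policy; fix the checklist before Step 10 rather than after enrollment.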

3 Enrolling HP Tape Libraries with the ESKM

Each of the HP tape libraries selected for encryption must be enrolled with the ESKM. Using the Key Management Setup Wizard, you establish a secure communication link between the library and the ESKM by setting up the certificate authority and certificates on the library, entering the user name and password that the library uses to log on to the ESKM, and entering the IP addresses of the ESKM appliances. The wizard will verify the connectivity to the ESKMs after all the data has been provided, and it will retrieve the key generation policies.

NOTE: The ESKM installation and client enrollment service will only include enrollment for the specific libraries in the installation scope of work. The ESKM installation does not include configuring the HP tape libraries for backups, connecting them to the SAN, partitioning them, or updating their firmware to support configuring the library for backups or encryption.

Enrolling ESL E-Series and EML E-Series Libraries

To enroll ESL E-Series and EML E-Series libraries with the ESKM:
1. As the Security user, manage the library using Command View TL.
2. Select the Configuration tab.
3. From the navigation pane, select Key Management.
4. Under Actions, select Launch Key Manager Setup Wizard. The Welcome page opens.
5. Click Next; this opens the Key Management Setup Wizard Options screen.
6. When setting up encryption for the first time, Select Key Manager Type should be selected. Verify the selection.
7. Click Next; this opens the Key Manager Selection screen.
8. Verify that HP Enterprise Secure Key Manager is selected.
9. Click Next; this opens the Certificate Authority Information page, which describes the prerequisites for getting CA certificates.
10. Click Next; this opens the Certificate Authority Selection screen.
11. Verify that HP Enterprise Secure Key Manager (ESKM) Local Authority (default) is selected.
    NOTE: In some circumstances, the customer may require a different CA than the one on the ESKM. If this occurs, select Third-Party Certificate Authority, and ask the customer to display the CA certificate so it can be pasted into the following screens.
12. Click Next; this opens the Retrieve the Local Certificate Authority Certificate screen.
13. Click Next; this opens the Certificate Authority Certificate Entry screen, which contains an empty box in which to paste the certificate.
14. Go to the ESKM cluster.
15. Select the Security tab.
16. In the navigation column, select Local CAs to open the Local Certificate Authority List.
17. Select the appropriate CA name to open the certificate.
18. Copy the CA certificate from the bottom of the screen. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy. Return to the Certificate Authority Certificate Entry screen of Command View TL (Step 13).
19. Right-click within the Certificate Authority Certificate Entry box and select Paste.
20. Click Next; this opens the Library Certificate Information screen. The certificate is not yet created.
    NOTE: The ESKM refers to the library certificate as a Client Certificate.
21. Click Next to create the library certificate.
22. Once the certificate has successfully been imported, click Next to view and copy the certificate.
23. Copy the certificate. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Right-click and select Copy, or click Copy Certificate.
24. Click Next.
25. Read the instructions on the screen, then click Next.
26. Return to the ESKM cluster.
27. Click Sign Request.
28. Select the Certificate Purpose as Client and enter the appropriate Certification Duration. Unless your organization has specific policies otherwise, HP recommends selecting the default duration.
29. Paste the copied certificate from the Prepare to Sign your Library Certificate screen (Step 23) into the Sign Certificate Request screen of the ESKM cluster.
30. Click Sign Request.
31. Copy the generated client certificate that has been signed by the CA.
32. Return to the Command View TL GUI.
33. Paste the signed certificate copied from the ESKM cluster (Step 31) into the Signed Certificate Entry box.
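Steps 18, 23 and 33 each depend on copying a PEM block exactly, from BEGIN CERTIFICATE through END CERTIFICATE with the dashes; a partial selection or a stray character is a common reason the wizard rejects the paste. The following added Python example (not code from the HP guide or Command View TL) checks a pasted block before it is entered: it finds each complete PEM certificate in the text, verifies the base64 body decodes, and confirms the DER payload is one complete SEQUENCE whose declared length matches the bytes present, which catches truncation. The sample PEM text is constructed for the example; its body is a three-byte DER SEQUENCE, not a real certificate.

```python
"""Extract and sanity-check PEM certificate blocks copied between the ESKM
console and Command View TL.

Added example, not from the HP guide. Sample PEM text below is constructed;
its payload is the DER SEQUENCE 30 03 02 01 01, not a real certificate.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def _der_sequence_length(der):
    """Declared total length of an outer DER SEQUENCE, or None if not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_body(body):
    """Decode a PEM body (whitespace allowed) and check it is one full SEQUENCE."""
    compact = "".join(body.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError:
        raise ValueError("body is not valid base64 (stray or missing characters)")
    declared = _der_sequence_length(der)
    if declared is None:
        raise ValueError("payload is not a DER SEQUENCE")
    if declared != len(der):
        raise ValueError(f"truncated or padded: declared {declared} bytes, got {len(der)}")
    return der


def paste_problems(text):
    """Problems with pasted text (empty list when every block is well-formed)."""
    if "BEGIN CERTIFICATE" in text and "END CERTIFICATE" not in text:
        return ["END CERTIFICATE marker missing: copy through the final dashes"]
    blocks = list(PEM_RE.finditer(text))
    if not blocks:
        return ["no complete -----BEGIN/END CERTIFICATE----- block found (check the dashes)"]
    problems = []
    for i, m in enumerate(blocks, start=1):
        try:
            decode_body(m.group("body"))
        except ValueError as err:
            problems.append(f"certificate {i}: {err}")
    return problems


def extract_certificates(text):
    """Return each certificate in text re-wrapped as clean 64-column PEM."""
    problems = paste_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    certs = []
    for m in PEM_RE.finditer(text):
        compact = "".join(m.group("body").split())
        lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


if __name__ == "__main__":
    # Constructed clipboard contents with surrounding page text.
    pasted = "CA certificate:\n-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\nend"
    print(paste_problems(pasted))
    print(extract_certificates(pasted)[0])
    print(paste_problems("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"))
```

The DER length check is deliberately shallow: it proves the paste is complete and intact, not that the certificate is valid or signed by the expected CA; the wizard's own connectivity verification covers that once enrollment finishes.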

34. Click Next to open the HP Enterprise Secure Key Manager Iinformation screen. Enrolling ESL E-Series and EML E-Series Libraries 29

35. Click Next; this opens the ESKM Configuration screen. 30 Enrolling HP Tape Libraries with the ESKM

36. Enter the appropriate details as follows: Library Username the case-sensitive username created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts), in this example FCLib01. Password the password created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts). Confirm Password again, the password created in the ESKM cluster. 37. Click Next; this opens the Tier configuration screen. Enrolling ESL E-Series and EML E-Series Libraries 31

38. Enter the ESKM cluster IP addresses in the Tier 1 screen. You may also use fully qualified DNS names. 39. If tiering is used, select the Add another tier box. Then enter the IP addresses into the Tier 2 and Tier 3 address fields. 40. Click Next; this opens the Key Manager Setup Summary confirmation screen. 32 Enrolling HP Tape Libraries with the ESKM

41. Verify that the appropriate data is entered in each Tier. The IP addresses should match those you entered in Step 38 and Step 39.
42. Click Next.

43. Click Finish.
44. A confirmation box opens; click OK. This completes the update and verification operation and the ESKM enrollment process. Proceed to Verifying Proper Configuration of the ESKM and Tape Libraries (page 46).

Verifying Connectivity from the Library to ESKM

This step is optional but useful when troubleshooting or updating policies on the ESKM. While this example is specific to ETLA, the ESL G3 has a similar feature.

To verify connectivity from the library to the ESKM:
1. In the Launcher window, click the Library Selection tab. A list of the current libraries appears.
2. Double-click the library for which to verify connectivity.
3. Log in as the security user.
4. Click the Configuration tab.
5. In the left panel, select Key Management.
   NOTE: The Key Management command appears only if Advanced Secure Manager and LTO4 or later generation tape drives are installed in your library. (To verify that LTO4 or later generation drives are installed, navigate to the Library window, click the Status tab, then in the left panel click Advanced LTO Drives.)

6. Select Actions > Launch Key Management Setup Wizard. The welcome screen appears.
7. Read the information on the screen, and click Next. Page 1 of the wizard appears.
8. Select Verify Key Manager Connectivity, and click Next.
9. Verify that the configuration is correct, then click Next.
10. When the Update and Verification Operation Complete dialog box appears, check whether the operation completed successfully, then click OK.

Enrolling ESL G3 Libraries

1. If you are using Command View TL, select the library name under Managed Views.
2. Log onto the library as the Security user.
3. Go to Setup > Encryption > Key Management Setup Wizard.

   The Welcome page opens.
4. Click Next; this opens the Key Management Setup Wizard Options screen.

5. When encryption is configured for the first time, Select Key Manager Type is enabled and every other option is disabled by default. Verify the selection.
6. Click Next; this opens the Key Manager Selection screen.
7. Verify that HP Enterprise Secure Key Manager is selected by default.
8. Click Next; this opens the Certificate Authority Information page, which describes the prerequisites for obtaining CA certificates.
9. Click Next; this opens the Certificate Authority Selection screen.

10. Verify that HP Enterprise Secure Key Manager (ESKM) Local Authority (default) is selected.
    NOTE: In some circumstances, the customer may require a different CA than the one on the ESKM. If so, select Third-Party Certificate Authority, and ask the customer to display the CA certificate so it can be pasted into the following screens.
11. Click Next; this opens the Retrieve the Local Certificate Authority Certificate screen.
12. Click Next; this opens the Certificate Authority Certificate Entry screen.
13. Go to the ESKM cluster.
14. Select the Security tab.
15. In the navigation column, select Local CAs to open the Local Certificate Authority List.
16. Select the appropriate CA name.

17. Copy the CA certificate from the bottom of the screen. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy. Return to the Certificate Authority Certificate Entry screen of the ESL G3 library (Step 12).
18. Paste the CA certificate into the Certificate Authority Certificate Entry box.

19. Click Next; this opens the Library Certificate Information screen.
    NOTE: The ESKM refers to the library certificate as a Client Certificate.
20. Click Next; this opens the Prepare to Sign your Library Certificate screen.
21. Copy the certificate. Select all the characters from BEGIN CERTIFICATE through END CERTIFICATE, including the dashes. Then right-click and select Copy.
22. Click Next; this opens the Sign your Library Certificate screen.
23. Click Next.
24. Return to the ESKM cluster.

25. Click Sign Request.
26. Paste the copied certificate from the Prepare to Sign your Library Certificate screen (Step 21) into the Sign Certificate Request screen of the ESKM cluster.
27. Select the Certificate Purpose as Client and enter the appropriate Certification Duration. Unless your organization has specific policies otherwise, HP recommends selecting the default duration.
28. Click Sign Request.

29. Copy the generated client certificate that has been signed by the CA.
30. Return to the ESL G3 library GUI.
31. Paste the signed client certificate copied from the ESKM cluster (Step 29) into the Signed Certificate Entry box. This is the library's own certificate as signed by the CA, not the CA certificate pasted in Step 18.
32. Click Next; this opens the HP Enterprise Secure Key Manager Information screen.
33. Click Next; this opens the ESKM Configuration screen.
34. Enter the appropriate details as follows:
    Library Username: the case-sensitive username created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts), in this example FCLib01.
    Password: the password created in the ESKM cluster (Step 6 in Creating ESKM Client Accounts).
    Confirm Password: the same password again.

35. Click Next; this opens the Tier configuration screen.
36. Enter the appropriate Node Address in the Tier 1 screen.
37. If tiering is used, select the Add another tier box. Then enter the IP addresses into the Tier 2 and Tier 3 address fields.
38. Click Next; this opens the Key Manager Setup Summary confirmation screen.

39. Verify that the appropriate data is entered in each Tier.
40. Click Finish.
41. A confirmation box opens; click Yes; this opens the Key Management Setup Summary. This completes the enrollment process. The remaining steps confirm a successful enrollment. Proceed to Verifying Proper Configuration of the ESKM and Tape Libraries (page 46).
42. Click Close to exit the wizard.
43. Go to Library > Monitor > Key Management.
44. Verify the ESKM Server Information.

Enrolling MSL6480 Libraries

1. Log into the library remote management interface (RMI) as the security user.
2. Verify that library configuration is complete, including defining all library partitions.
3. Navigate to the Configuration > System > License Key Handling screen and verify that the ESKM license has been added.

Table 5 MSL6480 ESKM licenses

Part number | Description
TC469A      | HP StoreEver MSL6480 ESKM Encryption License
TC469AAE    | HP StoreEver MSL6480 ESKM Encryption E-License

4. Click Encryption > ESKM Wizard to start the wizard.
5. The Wizard Information screen displays information about the wizard. If the library configuration is complete, click Next.
6. The Certificate Authority Information screen displays prerequisites for using the ESKM certificate. When the prerequisites are met, click Next.
7. The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the ESKM server. Follow the instructions to copy the certificate from the management console. Paste the certificate into the wizard and then click Next.
8. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
9. In the ESKM Client Configuration screen, enter the username and password that the library will use to communicate with the ESKM. If the username and password have not already been set up on the ESKM device, follow the instructions in Creating ESKM Client Accounts (page 11) to create a client account for the library. Enter the client username and password, and then click Next.
10. The Certificate Generation screen displays the current library certificate, if one exists. Select whether to keep the current certificate or generate a new one, and then click Next.
11. In the ESKM Tier Selection screen you can group ESKM devices into tiers so that the library attempts to connect to ESKM devices in the top tier first, and fails over to ESKM devices in a lower-priority tier only if necessary. For example, you might put ESKM devices in the same data center as the library in Tier 1, with ESKM devices in remote data centers in Tiers 2 and 3.
    One tier is used by default. To add a tier, click Add Tier. Enter the IP address or fully qualified hostname and port number for up to six ESKM devices in each tier. To verify access to the ESKM devices, click Connectivity Check. When the tier configuration is complete, click Next.
12. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify settings or address issues, either click Back to reach the applicable screen, or Cancel out of the wizard to fix the issues and return later. If the settings are correct and there are no errors, click Finish.
13. To check the connectivity to the ESKM devices, from the Status > Security screen click Connectivity Check and verify that no errors are returned.
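Every enrollment procedure in this chapter (ESL E-Series/EML E-Series, ESL G3 and MSL6480) turns on copying a PEM block between two GUIs: the CA certificate out of the ESKM, the library's certificate out of the wizard, and the signed client certificate back in. A selection that misses a dashed line or drops a few base64 characters is an easy way for these steps to go wrong, and the wizards give little feedback about why. The following script is an added example, not part of this guide or of HP's tooling. It takes whatever was copied to the clipboard, checks that a complete BEGIN/END pair of the expected type is present, that the body decodes as base64, and that the decoded DER's outer length field agrees with the number of bytes actually pasted (which catches dropped or duplicated characters), then re-wraps the block at 64 columns for pasting. The sample block is constructed for the example (a DER SEQUENCE holding a single INTEGER), not a real certificate.

```python
"""Check a PEM block copied from the ESKM GUI or a library wizard before pasting it."""
import base64
import binascii
import re

# One armored block. The END label must repeat the BEGIN label exactly.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def find_pem_block(text):
    """Return (label, base64_body) of the first complete PEM block in text.

    A selection that missed a dashed line, or stopped short of END, has no
    matching pair and raises ValueError here.
    """
    match = _PEM_RE.search(text)
    if match is None:
        raise ValueError("no complete -----BEGIN/-----END block found; copy both dashed lines")
    body = "".join(match.group("body").split())  # drop line breaks and stray whitespace
    return match.group("label"), body


def der_outer_length(der):
    """Return the total length the leading DER SEQUENCE claims for the structure.

    Certificates, certificate requests and CRLs all start with a SEQUENCE (0x30).
    A short-form length (< 128) is one byte; long form is 0x80|n then n length bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_label="CERTIFICATE"):
    """Validate a pasted PEM block; return (label, der_bytes, canonical_pem).

    Raises ValueError for the copy/paste mistakes that break enrollment: a block
    of the wrong type, characters outside the base64 alphabet, or a body whose
    decoded size disagrees with the DER header (characters dropped or added).
    """
    label, body = find_pem_block(text)
    if label != expected_label:
        raise ValueError(f"expected a {expected_label} block but found {label}")
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    claimed = der_outer_length(der)
    if claimed != len(der):
        raise ValueError(
            f"DER header claims {claimed} bytes but the body decodes to {len(der)}; "
            "the selection is incomplete or was altered"
        )
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    canonical = f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
    return label, der, canonical


def pem_problem(text, expected_label="CERTIFICATE"):
    """Return None if the block passes check_pem, otherwise the error message."""
    try:
        check_pem(text, expected_label)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample, not a real certificate: DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    pasted = SAMPLE_PEM if sys.stdin.isatty() else sys.stdin.read()
    problem = pem_problem(pasted)
    print(problem or check_pem(pasted)[2])
```

Pipe the clipboard contents into the script (for example with xclip -o or pbpaste) before pasting into the wizard; a clean block is printed back re-wrapped, otherwise the message says which of the three checks failed. The length check is deliberately shallow: it does not parse or verify the certificate, only confirms that what was selected is the whole object the GUI displayed.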

4 Verifying Proper Configuration of the ESKM and Tape Libraries

This section describes the configuration and execution of a test suite which verifies that the ESKM cluster is operational. It can be performed on-site after all the ESKM and library configuration steps are completed. These verification steps are the same for all HP tape libraries.

Test 1 encrypts data to a scratch tape, then attempts to read that data in a non-encrypting configuration. The failure to read the data verifies that encryption has occurred. Test 2 forces the HP tape library client to use a specific node of the ESKM cluster when obtaining an encryption key. The test is repeated for each node in the installation, to confirm that each ESKM node is available and functional.

Test 1: Verify that Tape Backups are Encrypted

Test Summary

Repeat this test for each library enrolled with the ESKM. This test comprises the following steps:
1. Load a tape cartridge into a drive, and create an encryption key by writing encrypted data to the tape. Then unload the cartridge. Demonstrate that the key has been replicated to each of the ESKM nodes.
2. Temporarily disable the ability to export that key.
3. Re-load the encrypted tape, and read it. Then unload the cartridge. The read operation fails, demonstrating that the tape is encrypted.
4. Re-enable the key export property.
5. Load the encrypted tape, and read it. Then unload the cartridge. The read operation succeeds, demonstrating that the policy has been successfully re-enabled and the system is ready for production. Demonstrate that key retrieval was logged in the ESKM activity log.

Prerequisites

- Successful installation of all ESKM nodes.
- Successfully added all ESKM nodes to the cluster.
- Successfully completed all HP tape library pre-installation steps: hardware updates, firmware updates, and partitioning (if required).
- Encryption feature client-side license is installed.
- Successfully completed enrollment of all HP tape libraries with the ESKM cluster.
- Customer's backup administrator is present.
- At least 1 scratch tape is present in each library. If the library is partitioned, identify the partition containing that cartridge.
- Customer has a console to access their ISV backup software.
- Customer has a console available to view the ESKM GUI.

Pre-test Configuration Steps

1. Installer. Using a separate browser window for each ESKM node, log into each of the ESKM nodes via its web GUI. Go to the Device tab, select Log Viewer from the Logs and Statistics pane, then select Activity. From Show last number of lines, select All. Click Display Log.
2. Customer. Log in to the ISV software and ensure it can access the LTO4 or LTO5 tape drives to be used in this test.

Test Steps

1. Customer. Using the ISV console, load the scratch tape into an LTO4 or LTO5 drive in a partition or library with an encrypting policy (a partition or library having a KT or KP policy). Now format, or initialize, the tape using the ISV software. Optionally, write a few records to the tape. The actual operations depend on the ISV software being used, but the intent is to initialize the tape and write a few records which can be restored later. The initialization process may be sufficient if it writes records which can later be retrieved (timestamps, etc.). Now, using the ISV software, read the records from tape. This demonstrates that the encrypted data is readable.
   a. Installer. Using the ESKM browser windows, demonstrate that the Activity Log of one ESKM node contains a new entry showing a key was created. In each of the other nodes' GUIs, go to the Security tab. In the Keys window, demonstrate that the key has been replicated to those nodes. Return to the Activity Log viewer after verifying the replication.
      NOTE: If the policy is KP (Key per Partition), the log records a KeyClone operation instead of a KeyGen operation.
   b. Customer. Using the ISV console, unload the media to a library slot.
2. Installer. Temporarily disable the Exportable property for the key created in the previous step. In one of the ESKM GUIs, select the Security tab. In the Keys and Policy Configuration pane, select the key created in the previous step. On the Key Properties pane, click Edit, uncheck the Exportable property, and click Save. Return to the Activity Log display.
   In each of the other ESKM GUIs, demonstrate to the customer that the property change was replicated by viewing the key's Exportable property in the key list. The checkbox is unchecked. Return to the Activity Log display.
3. Customer. Using the ISV console, load the scratch tape into an LTO4 or LTO5 drive in the same partition. A different drive may be used, to further demonstrate that all drives in the partition share the same policy, but the same drive is sufficient for this test. Read the records which were earlier written to the tape. This operation fails, since key export has been temporarily disabled. Unload the tape. Note the error message that is displayed. This is the error message this ISV uses when encrypted tapes are placed in non-encrypting drives; in many cases these messages indicate a write-protect error.
4. Installer. Re-enable the key's Exportable property, using the operations in step 2. Verify that the property change is replicated to each node by viewing the Exportable property of the key at each of the ESKM nodes.
5. Customer. Using the ISV, load the tape into an LTO4 or LTO5 drive in the same partition. Read the records which were earlier written to the tape. This operation succeeds. Unload the tape.
   Installer. Using the Activity Log viewers, demonstrate to the customer that one of the ESKM nodes has now logged a key export.

This concludes ESKM verification test 1.

Issues

If issues are found: there are no currently known failure modes. Any failure in this test would have been detected in the connectivity test during library enrollment. Re-run the connectivity test in the CVTL Wizard. The most likely cause of a connectivity test failure is an incorrectly entered, or missing, KeyGenPolicy. See step 12 in the installation poster.

Test 2: Verify that Each ESKM Node Supports Tape Library Operations after Failure of a Single Node

Test Summary

This test forces the HP tape library client to use a specific node of the ESKM cluster when obtaining an encryption key. The test is repeated for each node in the installation, to confirm that each node is available and functional.
1. Temporarily configure the ESKM cluster so that only one ESKM node can export keys, using the ESKM GUI.
2. Load an encrypted tape, and read it. Unload the cartridge. The read operation is successful.
3. Repeat steps 1 and 2, enabling a different ESKM node in the cluster.
4. The read operation is again successful.

Prerequisites

- Successful installation of all ESKM nodes.
- Successfully added all ESKM nodes to the cluster.
- Successfully completed all HP tape library pre-installation steps: hardware updates, firmware updates, and partitioning (if required).
- Secure Manager is licensed, and configured to allow access to the backup hosts.
- Successfully completed enrollment of all HP tape libraries with the ESKM cluster.
- Successfully completed Test 1.
- Customer's backup administrator is present.
- At least 1 scratch tape is present in each library. If the library is partitioned, identify the partition containing that cartridge.
- Customer has a console to access their ISV backup software.
- Customer has a console available to view the ESKM GUI.

Pre-test Configuration Steps

1. Installer. Using a separate browser window for each ESKM node, log into each of the ESKM nodes via its web GUI. Go to the Device tab, select Log Viewer from the Logs and Statistics pane, then select Activity. From Show last number of lines, select All. Click Display Log.
2. Customer. Log in to the ISV software and ensure it can access the LTO4 or LTO5 tape drives to be used in this test.

Test Steps

1. Installer. Using the ESKM GUIs, disable the KMS server on all ESKM nodes except one. From the Device tab, select Maintenance > Services. In the Services List, select KMS Server, and click Stop. Click Refresh, and verify that the Status of the KMS Server is Stopped.
2. Customer. Using the ISV software, load the tape which was initialized and written in Test 1 into an LTO4 or LTO5 drive. Read the data. Then unload the cartridge.
   a. The read operation is successful. This demonstrates that the key was available on the single node, the path to that node is operational, and the library client's certificates and credentials at that node are in order.
   b. Repeat step 2 for each library enrolled with the ESKM cluster. This verifies that each library can communicate with that ESKM node.
3. Installer. Referring to step 1, restart the KMS servers that were stopped on the other ESKM nodes.
4. Repeat steps 1 through 3 for each ESKM node in the cluster, so that each node in turn is the only one serving keys.

This concludes ESKM verification test 2.

Issues

If the test fails for one node, the most likely cause is the server certificate on that node. Review the steps in the install poster regarding the server certificate (step 9b). Each node has its own server certificate, but these certificates a) must have the same name, and b) must all be signed by the same CA.

Example Verification

The following screen shots provide an example using HP Data Protector (captions only; the images are not reproduced here):
- ISV Begins the Backup Policy
- ISV is Writing Data

- ESKM Activity Log Shows Key Generation for MINIME
- Second ESKM Node System Log Shows the Key was Replicated
- ESKM Key Page Shows New Key for MINIME
- ISV Success of the Backup and Unload of Media
- ISV Begins Restore of Backup
- ISV Successful in Restore of Backup and Unload of Media
- ESKM Activity Log Shows Success Exporting Key for MINIME
- Unchecking the Export Setting of Key
- ISV Begins Restore of Backup after Disabling Key Export
- ISV Failed to Restore the Backup and Media was Unloaded
- ISV Log/Activity Shows Error that Key Not Available
- ESKM Activity Log Shows Error Getting Key for MINIME
- Re-enabling Key Export Setting
- Disabling KMS Server on ESKM Node that is Creating the Keys
- ISV Begins Restore of Backup
- ISV Successful in Restore of Backup and Unload of Media
- ESKM Activity Log from Other Node Shows Success Exporting Key for MINIME
- Re-enabling First Node KMS Server
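The tier configuration in the MSL6480 wizard (step 11 of Enrolling MSL6480 Libraries: Tier 1 is tried first, lower tiers only on failover, up to six devices per tier) and the one-node-at-a-time availability that Test 2 exercises both come down to the same question: from the library's point of view, which ESKM nodes answer, and in what order would it use them? The wizard's Connectivity Check answers that from the library itself. The following script is an added example, not part of this guide or of HP's tooling, for asking the same question from an administrator's host. It validates a tier layout against the limits the wizard enforces, walks the tiers in priority order to find the node a library would use, and reports every node. Two probes are provided: a plain TCP connect, and a TLS handshake that requires the node's server certificate to chain to the CA certificate pasted into the wizard, which is the condition the Test 2 Issues paragraph describes. The hostnames and the port number are placeholders (the page does not state the ESKM KMS port; use the one configured on your ESKM); the probe used by the tests is a constructed stand-in so the example runs offline.

```python
"""Walk ESKM tiers in the order a library would, and report which nodes answer."""
import socket
import ssl

MAX_TIERS = 3          # Tier 1 through Tier 3, as in the wizards
MAX_PER_TIER = 6       # the MSL6480 wizard accepts up to six ESKM devices per tier
KMS_PORT = 9000        # assumed placeholder; use the port configured on your ESKM


def tiers_problem(tiers):
    """Return None if the tier layout is acceptable, else a message saying why not.

    tiers is a list in priority order (Tier 1 first); each tier is a list of
    (host, port) tuples. A node listed twice is treated as a paste error.
    """
    if not 1 <= len(tiers) <= MAX_TIERS:
        return f"expected 1 to {MAX_TIERS} tiers, got {len(tiers)}"
    seen = set()
    for number, devices in enumerate(tiers, start=1):
        if not devices:
            return f"Tier {number} has no devices"
        if len(devices) > MAX_PER_TIER:
            return f"Tier {number} lists {len(devices)} devices; the limit is {MAX_PER_TIER}"
        for host, port in devices:
            if not host or not 0 < port < 65536:
                return f"Tier {number}: bad address {host!r}:{port!r}"
            if (host, port) in seen:
                return f"{host}:{port} appears more than once"
            seen.add((host, port))
    return None


def tcp_probe(host, port, timeout=3.0):
    """Reachability only: can a TCP connection be opened to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host, port, cafile, timeout=3.0):
    """Reachability plus trust: complete a TLS handshake and require the node's
    server certificate to chain to cafile (the CA certificate pasted into the
    wizard). Hostname matching is off because every node presents the same
    certificate name regardless of its own address.
    """
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def select_node(tiers, probe=tcp_probe):
    """Return (tier_number, (host, port)) of the first node that answers, trying
    every Tier 1 device before any Tier 2 device, and so on. None if nothing answers."""
    problem = tiers_problem(tiers)
    if problem:
        raise ValueError(problem)
    for number, devices in enumerate(tiers, start=1):
        for host, port in devices:
            if probe(host, port):
                return number, (host, port)
    return None


def connectivity_report(tiers, probe=tcp_probe):
    """Probe every device in every tier, like the wizard's Connectivity Check.
    Returns {tier_number: {(host, port): answered}}."""
    problem = tiers_problem(tiers)
    if problem:
        raise ValueError(problem)
    return {
        number: {(host, port): probe(host, port) for host, port in devices}
        for number, devices in enumerate(tiers, start=1)
    }


# Constructed layout for illustration; the hostnames are placeholders.
EXAMPLE_TIERS = [
    [("eskm-a.dc1.example", KMS_PORT), ("eskm-b.dc1.example", KMS_PORT)],  # same data center
    [("eskm-c.dc2.example", KMS_PORT)],                                     # remote data center
]

if __name__ == "__main__":
    for tier, results in connectivity_report(EXAMPLE_TIERS).items():
        for (host, port), ok in results.items():
            print(f"Tier {tier}  {host}:{port}  {'answers' if ok else 'NO RESPONSE'}")
    print("first node a library would use:", select_node(EXAMPLE_TIERS))
```

To reproduce the Test 2 condition from outside the library, stop the KMS server on all nodes but one as in Test 2 step 1 and run connectivity_report with tls_probe and the CA file: exactly one node should answer, and the one that answers should change as you move the stopped service around the cluster. A node that answers tcp_probe but not tls_probe is the server-certificate case the Issues paragraph points at.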

5 Support and Other Resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.com/support

Before contacting HP, collect the following information:
- Product model names and numbers
- Technical support registration number (if applicable)
- Product serial numbers
- Error messages
- Operating system type and revision level
- Detailed questions

Typographic Conventions

Table 6 Document Conventions

Convention                               | Element
Blue text: Table 6 (page 56)             | Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text                                | Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italic text                              | Text emphasis
Monospace text                           | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text                   | Code variables; command variables
Monospace, bold text                     | Emphasized monospace text

IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

Documentation feedback

HP welcomes your feedback. To make comments and suggestions about product documentation, please send a message to storagedocsfeedback@hp.com. All submissions become the property of HP.

Index

C
client accounts, ESKM, 11
connectivity, verifying on key manager, 34
contacting HP, 56
conventions, document, 56
creating ESKM client accounts, 11

D
determining key generation policies, 5
document conventions, 56
documentation, providing feedback on, 56

E
EM, see externally managed
EML E-Series
    enrolling, 15
    requirements, 6
enrolling
    EML E-Series, 15
    ESL E-Series, 15
    ESL G3, 35
    MSL6480, 44
enrolling libraries with the ESKM, 15
Enterprise Secure Key Manager, see ESKM
ESKM
    client accounts, 11
    enrolling tape libraries, 15
    pre-installation checklists, 7
    testing, 46
    tiers, 6
    verifying configuration, 46
ESKM configuration, prerequisites, 4
ESL E-Series
    enrolling, 15
    requirements, 6
ESL G3
    enrolling, 35
    requirements, 6
externally managed, 5

H
help, obtaining, 56
HP technical support, 56
HP Data Protector, example of verification, 49

K
key generation policies, 5
    externally managed, 5
    key per partition, 5
    key per tape, 5
    no encryption, 5
Key Management command, 34
key manager
    enroll library, 15
    verify library connectivity, 34
key per library, see key per partition
key per partition, 5
key per tape, 5
KP, see key per partition
KT, see key per tape

L
Launch Key Management Setup Wizard command, 35
library
    connectivity, 34
    enroll with a key manager, 15
    partitioning, 4
login
    ESKM, 4
    SKM, 4
LTO4 drives
    key generation policies, 5
    partitioning, 4
LTO5 drives
    key generation policies, 5
    partitioning, 4
LTO6 drives, partitioning, 4

M
minimum requirements
    tape library firmware, 6
    tape library hardware, 6
MSL6480
    enrolling, 44
    requirements, 6

N
NE, see no encryption
network ports, 4
    ESKM, 4
    SKM, 4
no encryption, 5

P
partitioning
    LTO4 drives, 4
    LTO5 drives, 4
    LTO6 drives, 4
partitioning the library, 4

policies, key generation, 5
ports
    ESKM, 4
    SKM, 4
pre-installation checklists for ESKM, 7
prerequisites, configuring ESKM, 4

S
Secure Key Manager, see SKM

T
tape libraries
    enrolling, 15
    testing, 46
    verifying configuration, 46
tape library
    firmware requirements, 6
    requirements, 6
technical support, HP, 56
tests, verification, 46
tiers, 6
typographic conventions, 56

V
verification test 1
    issues, 48
    pre-test configuration, 47
    prerequisites, 46
    steps, 47
    summary, 46
verification test 2
    issues, 49
    pre-test configuration, 48
    prerequisites, 48
    steps, 49
    summary, 48
verification tests, 46
verifying configuration
    example, 49
    tape libraries, 46
    test 1, 46
    test 2, 48