Encryption Key Management
file:///T|/htdocs/stor-sys/ML6000/en/html/ch04_ekm.htm[9/17/2012 1:49:43 PM]
and secondary EKM Port numbers in the overrides section match the SSL port numbers set on the EKM servers.
The default SSL port number is 443.
Note: Keys are always encrypted before being sent from the EKM server to a tape drive, whether SSL is
enabled or not. Enabling SSL provides additional security.
Note: Restriction on EKM servers used for overrides: If you are using primary and secondary servers for
overrides, the following restriction applies. (If you are not using a secondary server, there are no restrictions.)
Restriction: A given primary server and secondary server must be "paired" and cannot be used in different
combinations. For example:
• You can have Server1 as primary and Server2 as secondary for any or all partitions.
• If Server1 is primary and Server2 is secondary on one partition, then in any other partition that you use
Server1, Server1 can only be primary and it must be "paired" with Server2 as secondary. You cannot have
Server1 as primary and Server3 as secondary on another partition.
• You cannot have Server1 be both primary on PartitionA and secondary on PartitionB.
• You cannot have Server2 be both secondary on PartitionA and primary on PartitionB.
If you use overrides, make sure that you install Dell EKM on all the servers you specify. Then run EKM Path Diagnostics
on each tape drive in every partition configured for EKM to make sure that each tape drive can communicate with and
receive keys from the specified EKM server. For more information, see EKM Path Diagnostics.
5 Click Apply.
6 Save the library configuration (see Saving the Library Configuration).
Step 6: Run EKM Path Diagnostics
Perform EKM Path Diagnostics as described in EKM Path Diagnostics.
EKM Path Diagnostics
The EKM Path Diagnostics consists of a series of short tests to validate whether the key servers are running, connected, and
able to serve keys as required.
Run the Manual EKM Path Diagnostics any time you change the key server settings or library encryption settings, and when
you replace a tape drive. It is recommended that you test each drive that communicates with key manager servers.
The diagnostics consists of the following tests:
Note: The tape drive used for the test must be unloaded, ready, and online in order to run any of the tests.
• Ping — Verifies the Ethernet communication link between the library and the key servers. If the partition in which the
selected tape drive resides uses EKM server overrides, then the override IP addresses are tested (see Setup >
Encryption > Partition Configuration). If the partition does not use overrides, the default system IP addresses are
tested (see Setup > Encryption > System Configuration).
• Drive — Verifies the tape drive's path in the library (communication from library to tape drive sled and from tape
drive sled to tape drive). The tape drive must be unloaded, ready, and online in order to run this test. If this test fails,
the Path and Config tests are not performed.
• Path — Verifies that EKM services are running on the key servers.
Note: This test cannot run if the Drive test fails.
• Config — Verifies that the key servers are capable of serving encryption keys.
Note: This test cannot run if the Drive test fails.
If any of the tests fail, try the following resolutions and run the test again to make sure it passes:
• Ping Test Failure — Verify that the key server host is running and accessible from the network to which the
library is connected.
To Next Page
Loading...
