
IBM TS3500 Introduction And Planning Guide

Security for Encryption Support
Encryption support in the TS3500 Tape Library and 3592 tape controllers (models
C07, C06 and J70) allows system-managed tape encryption on IBM System z
platforms. An IBM service representative installs routers between the internal LAN
network, which is connected to the controllers, and the customer's LAN network.
The router provides access to the customer's key manager. Network traffic through
this router is outbound only. The Network Address Translation (NAT) function in
the router prevents externally-initiated connections to any internal components.
Port information for firewall environments
Table 19 shows the only ports that are required to be opened on the firewall for
environments where the tape configuration is separated from the LAN-attached
hosts and/or Web clients by a firewall. All other ports may be closed.
Table 19. Port Information for firewall environments
| Function | Port | Direction (from library) | Protocol |
|---|---|---|---|
| Library Operations | 3494 | Bi-directional | TCP/IP |
| TotalStorage® Specialist | 80 | Inbound | TCP/IP |
| SNMP Traps | 161/162 | Bi-directional | UDP/IP |
| Encryption key manager | 1443 | Outbound | SSL |
| Encryption key manager | 3801 | Outbound | TCP/IP |
Note: The TS3000 System Console uses the following ports: HTTPS: Port 443;
HTTP: Port 80; and DNS: Port 53.
Port information communications can be initiated either by the tape library or by
the host. Typically, the library only initiates a connection when responding to the
host; however, in the case of unsolicited messages such as statistics notifications
and operator interventions, the library initiates a connection through port 3494. If
the library manager needs to make a connection to the host, it chooses a temporary
port and uses that port to make an outbound connection to a 3494 listening port
on the host. When the host has a message to deliver to the library manager, it
chooses its own ephemeral port by which to make an outbound connection to
listening port 3494 on the library manager. The connection is only maintained for
the duration required to pass a single message, and then it is disabled.
Table 19 describes the minimum level of connectivity required to perform library
operations. Other ports that could be opened on the firewall, but are not
necessary for full functionality, include:
- The standard HTTP port, 80, allows inbound communication to the library from
  the IBM System Storage Tape Library Specialist (IBM's Enterprise Storage
  Resource Management solution).
- Ports 161 and 162, which are the standard ports for sending SNMP traps. The
  tape library can optionally be configured to send traps to SNMP target
  machines in the case of operator interventions. In this case, the firewall
  needs to allow outbound connections from the library, from its port 161 to
  port 162 on the listening SNMP target machine.
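As an added example (not part of the IBM guide), the Python below encodes Table 19 as data and checks constructed flow records against it, taking into account which side initiated each connection. The library address, the peer addresses and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address

LIBRARY = ip_address("192.0.2.10")  # assumption: library address (RFC 5737 range)

# Table 19 rows: (function, transport, destination ports, direction from library).
# SSL on 1443 runs over TCP. Source ports are not constrained here.
TABLE_19 = [
    ("Library Operations",      "tcp", {3494},     "both"),
    ("TotalStorage Specialist", "tcp", {80},       "inbound"),
    ("SNMP Traps",              "udp", {161, 162}, "both"),
    ("Encryption key manager",  "tcp", {1443},     "outbound"),
    ("Encryption key manager",  "tcp", {3801},     "outbound"),
]

def direction(src, dst):
    """Classify a flow relative to the library by who initiated it."""
    if ip_address(src) == LIBRARY:
        return "outbound"
    if ip_address(dst) == LIBRARY:
        return "inbound"
    return None  # flow does not involve the library

def check_flow(src, dst, proto, dport):
    """Return the Table 19 function that permits this flow, or None."""
    way = direction(src, dst)
    if way is None:
        return None
    for function, transport, ports, allowed in TABLE_19:
        if proto == transport and dport in ports and allowed in ("both", way):
            return function
    return None

def audit(flows):
    """Return the flows that no Table 19 row permits."""
    return [f for f in flows if check_flow(*f) is None]

# Constructed flow records: (initiator, responder, transport, destination port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 3494),   # library -> host, unsolicited message
    ("198.51.100.5", "192.0.2.10", "tcp", 3494),   # host -> library manager
    ("192.0.2.10", "198.51.100.20", "tcp", 3801),  # library -> key manager
    ("198.51.100.20", "192.0.2.10", "tcp", 3801),  # inbound on an outbound-only port
    ("198.51.100.9", "192.0.2.10", "tcp", 22),     # port not listed in Table 19
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("not permitted by Table 19:", flow)
```

The same rows can be translated into firewall rules; ports 80 and 161/162 can be dropped from `TABLE_19` when the Specialist interface and SNMP traps are not used.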
66 IBM System Storage TS3500 Tape Library with ALMS: Introduction and Planning Guide

IBM TS3500 Specifications

General
Type: Tape Library
Model: TS3500
Max. drives: Up to 192
Interface: Fibre Channel, SAS
Encryption: Yes
Tape Technology: LTO, IBM TS11xx
Drive support: IBM TS1160
