Dell Encryption Key Manager Owner's Manual

Dell Encryption Key Manager 3.0

Deployment Guide

Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2012 Dell Inc.

Trademarks used in this text: Dell, the Dell logo, Dell Boomi, Dell Precision, OptiPlex, Latitude, PowerEdge, PowerVault, PowerConnect, OpenManage, EqualLogic, Compellent, KACE, FlexAddress, Force10 and Vostro are trademarks of Dell Inc. Intel®, Pentium®, Xeon®, Core® and Celeron® are registered trademarks of Intel Corporation in the U.S. and other countries. AMD® is a registered trademark and AMD Opteron, AMD Phenom and AMD Sempron are trademarks of Advanced Micro Devices, Inc. Microsoft®, Windows®, Windows Server®, Internet Explorer®, MS-DOS®, Windows Vista® and Active Directory® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Red Hat® and Red Hat® Enterprise Linux® are registered trademarks of Red Hat, Inc. in the United States and/or other countries. Novell® and SUSE® are registered trademarks of Novell Inc. in the United States and other countries. Oracle® is a registered trademark of Oracle Corporation and/or its affiliates. Citrix®, Xen®, XenServer® and XenMotion® are either registered trademarks or trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware®, Virtual SMP®, vMotion®, vCenter® and vSphere® are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. IBM® is a registered trademark of International Business Machines Corporation.

2011 – 12

Rev. A00

Contents

Notes, Cautions, and Warnings

1 Overview
    Hardware and Software Requirements
        Server Hardware Requirements
        Browser Requirements
        Operating System Requirements

2 Installing EKM 3.0
    Preparing for the Installation of EKM 3.0 in Microsoft Windows
    Preparing for the Installation of EKM 3.0 in Red Hat Enterprise Linux
    Preparing for the Installation of EKM 3.0 in SUSE Linux Enterprise Server
    Performing the EKM 3.0 Installation Procedure

3 Setting up Primary and Secondary EKM 3.0 Servers
    Installing EKM 3.0 on the Primary Server
    Using EKM 3.0 on the Primary Server
    Installing EKM 3.0 on the Secondary Server
    Using EKM 3.0 on the Secondary Server
    Uninstalling EKM 3.0 from the Primary and Secondary Servers

4 Performing Backups and Restoring from a Backup
    Creating a Backup of the Keystore
    Restoring from a Backup

5 Using EKM 3.0
    Logging into the Encryption Key Manager 3.0 Portal
    Creating a Master Keystore
    Enabling the Firewall in the EKM 3.0 Server
    Configuring EKM 3.0 to Accept Devices that Contact EKM 3.0 for Keys
    Creating a Device Group
    Creating Key Groups for a Device Group
    Adding a Device to a Device Group
    Adding and Deleting Keys to and from Key Groups
    Deleting Key Groups
    Verifying the Server Certificate
        Viewing the Server Certificate Details
    Logging onto the WebSphere Server
    Starting and Stopping the EKM 3.0 Server in Windows
    Starting and Stopping the EKM 3.0 Server in Linux

6 Migration and Merge
    Migrating an Encryption Key Manager (EKM) 2.X Version during the EKM 3.0 Installation
        EKM 2.X to EKM 3.0 Migration Procedure
    Merging Encryption Key Manager (EKM) 2.X into EKM 3.0 after Installing EKM 3.0
        Merge Tool Prerequisites
        EKM 2.X to EKM 3.0 Merge Procedure
        Verifying the EKM 2.X to EKM 3.0 Merge or Migration
        Merge Failure
        Merging Additional EKM 2.X Versions into EKM 3.0
        Deleting the ekmcert Certificate, Keys, and Key Groups, and Renaming Devices

7 Uninstalling EKM 3.0
    Uninstalling EKM 3.0 in Windows
    Uninstalling EKM 3.0 in Linux

8 Troubleshooting
    Contacting Dell
    System Prerequisite Checks
    Error Codes
    Windows Reference Files
    Linux Reference Files
    Manually Uninstalling EKM 3.0
        Manually Uninstalling EKM 3.0 in Windows
        Manually Uninstalling EKM 3.0 in Linux
    Reinstalling EKM 3.0
    Frequently Asked Questions
    Known Issues and Their Resolutions
    Installing the compat-libstdc++ Library

1 Overview

Dell Encryption Key Manager (EKM) 3.0 is an encryption utility that secures the data stored on LTO tape cartridges by managing encryption keys for Dell tape automation solutions, including the ML and TL PowerVault series. EKM 3.0 manages the lifecycle of tape encryption keys, including generation, distribution, administration, and deletion.

This guide describes how to install, configure, and perform basic operations in Dell Encryption Key Manager 3.0 (EKM 3.0). Dell recommends reading this document before you install EKM 3.0.

This guide includes information on:

Hardware and software requirements for EKM 3.0

Installing and uninstalling EKM 3.0 on Windows and Linux platforms

Configuring EKM 3.0

Basic operations in EKM 3.0

Migrating EKM 2.X during the EKM 3.0 installation and merging EKM 2.X into a configured EKM 3.0 installation

Frequently asked questions, troubleshooting information, common errors messages, and support contact information

NOTE: EKM 3.0 is based on IBM Tivoli Key Lifecycle Manager (TKLM) V2 FixPack 2, but has been customized to support Dell tape library environments by selecting the relevant subset of TKLM features for tape.

For EKM 3.0 usage information not covered in this guide, refer to the TKLM documentation, which includes the following:

IBM Tivoli Key Manager 2.0 Quick Start Guide

IBM Tivoli Key Manager 2.0 Installation and Configuration Guide

IBM Tivoli Key Manager 2.0 Product Overview/Scenario Guide

For information on how to access the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

Some screens and functionality covered in the IBM TKLM documentation are not enabled in Dell EKM 3.0. EKM 3.0 contains only the subset of features needed to support Dell PowerVault tape libraries.

NOTE: For recommended use and configuration of Dell EKM 3.0, refer to the Best Practices section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

NOTE: For the latest information, including feature enhancements and bug fixes, refer to the Release Notes at support.dell.com/manuals. Navigate to Software > Systems Management > Dell Encryption Key Manager.

Hardware and Software Requirements

Server Hardware Requirements

The minimum hardware requirements for the Key Management Server (the hardware in which EKM 3.0 will be installed) are:

CPU: 2.3 GHz

Memory: 4 GB ECC memory

Available disk storage (for EKM 3.0 installation and typical key storage): 5 GB

NOTE: If the system on which you are installing EKM 3.0 has 24 or more CPUs, refer to the EKM 3.0 Release Notes for details on how to update EKM 3.0 after completing the installation. To access the EKM 3.0 Release Notes, go to support.dell.com/manuals, then navigate to Software > Systems Management > Dell Encryption Key Manager.

Browser Requirements

EKM 3.0 supports the following browsers:

Microsoft Internet Explorer, Version 7.0

Microsoft Internet Explorer, Version 8.0, Compatibility View mode

Firefox Version 3.0.x (EKM 3.0 does not support Firefox Version 3.5 and above.)

NOTE: JavaScript must be enabled in order for all EKM 3.0 features to function. Refer to your browser's documentation for instructions on enabling JavaScript.

Operating System Requirements

EKM 3.0 supports the following operating systems:

Windows Server 2003 R2 with Service Pack 2, 32- and 64-bit, Standard and Enterprise Editions

Windows Server 2008 with Service Pack 2, 32- and 64-bit, Standard and Enterprise Editions

Windows Server 2008 R2, Standard and Enterprise Editions

Red Hat Enterprise Linux (RHEL) 4.X, Advanced Server (AS), 32-bit

Red Hat Enterprise Linux (RHEL) 5.X, 32- and 64-bit

SUSE Linux Enterprise Server (SLES) 10 with Service Pack 4, 64-bit

SUSE Linux Enterprise Server (SLES) 11 with Service Pack 1, 64-bit

NOTE: EKM 3.0 does not support VMware or Microsoft Hyper-V Server.

NOTE: For information on the requirements and limitations of setting up a primary/secondary server configuration, refer to Setting up Primary and Secondary EKM 3.0 Servers.

NOTE: EKM 3.0 performs system prerequisite checks before the installation. For more information, refer to System Prerequisite Checks.

2 Installing EKM 3.0

This chapter describes how to install EKM 3.0 on Windows and Linux.

NOTE: If you are currently using EKM 2.X, Dell recommends maintaining your current infrastructure (servers, operating systems, tape libraries, etc. under EKM 2.X protection), unless you are experiencing problems.

EKM 3.0 does not support virtual machines as hosts. If you are using a virtual machine as your EKM 2.X host, you must stay with EKM 2.X or migrate to a physical server.

NOTE: If you are planning to migrate your EKM 2.X into EKM 3.0, refer to Migrating an Encryption Key Manager (EKM) 2.X Version during the EKM 3.0 Installation before you begin the EKM 3.0 installation.

NOTE: Dell recommends that you install EKM 3.0 on a dedicated physical server that is not used for any other services. This will ensure that EKM 3.0's performance and response time is not affected by any other applications running on the same physical server.

CAUTION: EKM 3.0 only supports installation directly from the EKM 3.0 media. Do not copy the EKM 3.0 media's contents to your hard disk.

NOTE: The procedures in this chapter require system administrator-level knowledge.

Preparing for the Installation of EKM 3.0 in Microsoft Windows

This section describes the pre-installation steps for Dell Encryption Key Manager 3.0 in Microsoft Windows.

NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes.

NOTE: You must be logged in as Administrator in order to install EKM 3.0.

NOTE: The Windows local security policy setting Password must meet complexity requirements applies to the local account that the installer creates for the DB2 database administrator. If you do not want to use a complex password for the database, disable that setting before inserting the EKM 3.0 installation media. Be aware that this weakens the password policy for every account on the server, not only the database account, and that Dell recommends strong passwords for all EKM 3.0 accounts.

1.Insert the EKM 3.0 for Microsoft Windows installation disk into the system on which you want to install EKM 3.0.

2.If your system is set to autorun when a DVD is inserted, wait for a moment for the installer to appear. If your system is not set to autorun, navigate to the DVD drive and double-click the DVD drive or install.exe at the root of the DVD drive.

The EKM 3.0 installation wizard Welcome screen appears.

NOTE: If you want to install EKM 3.0 over a network share, do not use a UNC path of the form \\<ip_address>\EKM_3.0_share. Instead, map the share to a drive letter: in Windows Explorer, use Tools > Map Network Drive so that the install path becomes <shared_drive_letter>:\<EKM_3.0_media>.

Continue to Performing the EKM 3.0 Installation Procedure.

Preparing for the Installation of EKM 3.0 in Red Hat Enterprise Linux

This section describes the pre-installation steps for Dell Encryption Key Manager 3.0 in Red Hat Enterprise Linux.

NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes.

To prepare for the installation of EKM 3.0, perform the following steps:

1.Insert the EKM 3.0 installation disk appropriate to your operating system into the system on which you want to install EKM 3.0.

2.If your system is set to autorun when a DVD is inserted, wait for a moment for the installer to appear. If your system is not set to autorun, open a terminal with root access and navigate to the folder where the EKM 3.0 DVD is mounted. Type ./autorun.sh and press Enter.

NOTE: If SELinux is installed and enabled, disable it before starting the installation. Refer to System Prerequisite Checks. Disabling SELinux removes a host-level access control, which is one more reason to follow the recommendation in this chapter to run EKM 3.0 on a dedicated physical server and to enable the firewall after installation (refer to Enabling the Firewall in the EKM 3.0 Server).

NOTE: Red Hat systems often mount removable media with the noexec option, which prevents any binary on the mounted file system from being executed. If the EKM 3.0 DVD is mounted with noexec, the installer cannot be launched from it. To launch the EKM 3.0 installer from the DVD, perform the following steps:

a)Open a terminal session with root access.

b)Unmount the EKM 3.0 DVD.

c)Remount the EKM 3.0 DVD read-only with the noexec option removed, then change to the mount point, by issuing the following commands:

mkdir /media/dellmedia
mount -o ro,exec /dev/<EKM 3.0 device> /media/dellmedia
cd /media/dellmedia

d)To execute the installer, type ./autorun.sh and press Enter.

The EKM 3.0 installation wizard Welcome screen appears.

Continue to Performing the EKM 3.0 Installation Procedure.

Preparing for the Installation of EKM 3.0 in SUSE Linux Enterprise Server

This section describes the pre-installation steps for Dell Encryption Key Manager 3.0 in SUSE Linux Enterprise Server (SLES).

NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes.

To prepare for the installation of EKM 3.0, perform the following steps:

1.Insert the appropriate EKM 3.0 installation disk for your operating system into the machine on which you want to install EKM 3.0.

2.If your system is set to autorun when a DVD is inserted, wait for a moment for the installer to appear. If your system is not set up to autorun, open a terminal with root access and navigate to the folder where the EKM 3.0 DVD is mounted. Type ./autorun.sh and press Enter.

The EKM 3.0 installation wizard Welcome screen appears.

NOTE: If SELinux is installed and enabled, disable it before starting the installation. Refer to System Prerequisite Checks.

3.Free port 50000 for the EKM 3.0 database. On SLES, the /etc/services file already contains entries for 50000/tcp and 50000/udp, and the EKM 3.0 installer treats a port listed in /etc/services as unavailable. To release the port, perform the following steps:

a)Navigate to Computer > Places > File System.

b)Double-click etc.

c)Double-click services.

d)In the services file, change 50000/tcp and 50000/udp to 50100/tcp and 50100/udp.

e)Click Save.

NOTE: /etc/services only maps service names to port numbers; editing it does not release a port that a running process has bound. Use netstat -ln (or ss -ln) to confirm that nothing is listening on port 50000 before you start the installer.

Continue to Performing the EKM 3.0 Installation Procedure.
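Before launching the installer on RHEL or SLES, the host conditions this chapter asks you to verify by hand (SELinux disabled, the DVD not mounted noexec, the installer's ports neither reserved in /etc/services nor already bound) can be checked with a script. The following is an added example and is not part of the Dell guide or the EKM 3.0 installer. It assumes the DVD is mounted at /media/dellmedia, as in the RHEL steps above, and checks the default ports the installer proposes on Linux, 50000 for the DB2 database and 16310 for the EKM portal; each check accepts the file it reads as an argument so it can also be run against a copied or constructed mount table or services file.

```shell
#!/bin/sh
# Added example, not part of the Dell EKM 3.0 guide or installer: scripted
# pre-installation checks for a Linux EKM 3.0 host. Assumptions: the DVD is
# mounted at /media/dellmedia (the mount point used in the RHEL steps) and
# the ports to check are the Linux defaults the installer proposes, 50000 for
# the DB2 database and 16310 for the EKM portal. Functions take the file to
# read as an optional argument so they can be run against constructed samples.

# Returns 0 if SELinux is disabled or not installed, 1 if enforcing/permissive.
selinux_is_off() {
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce 2>/dev/null)
        echo "SELinux: $mode"
        [ "$mode" = "Disabled" ]
    else
        echo "SELinux: not installed"
    fi
}

# Returns 0 if the file system mounted at $1 carries the noexec option.
# $2 is the mount table to read (default /proc/mounts).
mount_has_noexec() {
    awk -v mp="$1" '$2 == mp && ("," $4 ",") ~ /,noexec,/ { f = 1 }
                    END { exit f ? 0 : 1 }' "${2:-/proc/mounts}"
}

# Returns 0 if port $1 is listed as a tcp or udp service in $2 (default
# /etc/services). The installer treats a listed port as unavailable, which
# is why the SLES preparation step renames the 50000/tcp and 50000/udp entries.
port_listed_in_services() {
    awk -v p="$1" '!/^#/ && ($2 == p "/tcp" || $2 == p "/udp") { f = 1 }
                   END { exit f ? 0 : 1 }' "${2:-/etc/services}"
}

# Reads "netstat -lntu" or "ss -lntu" output on stdin; returns 0 if a socket
# is listening on port $1. In both formats the local address is column 4 and
# ends in ":<port>" (IPv4 and IPv6 alike), while the peer address ends in ":*".
port_in_listen_output() {
    awk -v p="$1" '$4 ~ (":" p "$") { f = 1 } END { exit f ? 0 : 1 }'
}

listening_sockets() {
    if command -v ss >/dev/null 2>&1; then ss -lntu 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then netstat -lntu 2>/dev/null
    fi
}

port_in_use() { listening_sockets | port_in_listen_output "$1"; }

# Runs every check against the live system and reports what must change.
ekm_preinstall_checks() {
    media=${1:-/media/dellmedia}; rc=0
    selinux_is_off || { echo "  -> disable SELinux before starting the installer"; rc=1; }
    if mount_has_noexec "$media"; then
        echo "$media is mounted noexec -> remount with: mount -o ro,exec /dev/<device> $media"
        rc=1
    fi
    for p in 50000 16310; do
        port_listed_in_services "$p" && { echo "port $p is listed in /etc/services -> the installer will reject it"; rc=1; }
        port_in_use "$p" && { echo "port $p already has a listening socket -> choose another port"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "all pre-installation checks passed"
    return "$rc"
}

# Usage: sh ekm_precheck.sh /media/dellmedia
if [ "$#" -gt 0 ]; then
    ekm_preinstall_checks "$1"
fi
```

Run it as root before ./autorun.sh; a non-zero exit means at least one prerequisite still needs attention. The services-file check is the same condition the installer applies when it validates the Database Port and EKM Port fields later in the procedure, so clearing it here avoids being prompted for a different port mid-installation.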

Performing the EKM 3.0 Installation Procedure

This section describes the EKM 3.0 installation wizard, which is used on both Windows and Linux.

NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes.

NOTE: If you are installing EKM 3.0 on a server that will be used as a secondary EKM 3.0 server, the passwords must be the same passwords that you used for the primary EKM 3.0 server's installation.

1.On the EKM 3.0 installation wizard Welcome screen, click Next. The License Agreement screen appears.

2.Select the radio button to accept the terms of the license agreement.

3.Click Next.

NOTE: The EKM 3.0 installer runs system prerequisite checks. The installer verifies that the system meets the minimum requirements and configures EKM 3.0 for your system.

If an error message displays, refer to System Prerequisite Checks.

The Reuse Installation Profile screen appears.

4.If you are installing EKM 3.0 for the first time, leave the Reuse an EKM 3.0 installation profile check box unchecked.

If you are reinstalling EKM 3.0 or are installing EKM 3.0 on the secondary server and want to use an installation profile you saved from a previous installation, perform the following steps:

a)Select the Reuse an EKM 3.0 installation profile check box. Selecting the check box activates the File Location field.

b)Click Choose and navigate to the installation profile that was created when you previously configured and installed EKM 3.0 (for example, E:\EKM_config.txt in Windows, or /tmp/ekm_config in Linux).

You can use a removable drive or a network share to transfer the installation profile from the location where you saved it.

NOTE: The installation profile populates all of the input fields, with the exception of the passwords, in the installation GUI with the same information that you used in a previous installation. If you are using an installation profile, you must re-enter all passwords.

NOTE: If you are installing EKM 3.0 on a secondary server, you must reuse the primary EKM 3.0 server's installation profile to ensure that the input parameters are the same.

5.Click Next.

The Database screen appears. In this screen, you create the EKM DB2 database administrator account.

NOTE: This screen and the next two screens each create a different account. Make a note of all user names and passwords that you create for these accounts.

6.The Database Location field defaults to a set location. Dell recommends that you keep the default location. This is the location where the installer will install the EKM 3.0 DB2 software.

7.In the Database User Name field, enter a user name that conforms to these criteria:

Can only include lowercase letters (a–z), numbers (0–9), and the underscore character (_)

Cannot be longer than eight characters

Cannot begin with "ibm," "sys," "sql," or a number

Cannot begin or end with an underscore character (_)

Cannot be a DB2-reserved word (for example, "users," "admins," "guests," "public," and "local") or an SQL-reserved word

Cannot be the user name of an existing user on the system

This is the ID for the EKM 3.0 DB2 database administrator account. EKM 3.0 creates a local user account on your system with this user name.
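The rules above can be checked before you reach the Database screen. The following shell function is an added example and is not part of the Dell guide or the EKM 3.0 installer; it encodes the criteria listed above, scans /etc/passwd (or a file you name) for an existing user, and uses only a small, constructed subset of the DB2 and SQL reserved words, so a name it accepts can still be refused by the installer on that last rule.

```shell
#!/bin/sh
# Added example, not part of the Dell EKM 3.0 guide or installer: checks a
# proposed DB2 database user name against the rules the installer applies on
# the Database screen, so the name can be settled before the installation.

# Constructed subset of reserved words: the examples the guide gives plus a
# few common SQL keywords. The real DB2 and SQL reserved-word lists are much
# longer, so a name that passes here can still be refused by the installer.
RESERVED_WORDS="users admins guests public local user group select table"

# validate_db2_username NAME [PASSWD_FILE]
# Prints the first rule NAME breaks and returns 1, or prints "acceptable" and
# returns 0. PASSWD_FILE (default /etc/passwd) is scanned for an existing user.
validate_db2_username() {
    name=$1
    passwd=${2:-/etc/passwd}

    # Explicit character lists are used instead of [a-z] because bracket
    # ranges are locale dependent in some shells.
    case "$name" in
        "")
            echo "empty name"; return 1 ;;
        *[!abcdefghijklmnopqrstuvwxyz0123456789_]*)
            echo "'$name': only lowercase letters, digits and underscore are allowed"; return 1 ;;
    esac
    if [ "${#name}" -gt 8 ]; then
        echo "'$name': longer than eight characters"; return 1
    fi
    case "$name" in
        ibm*|sys*|sql*)
            echo "'$name': must not begin with ibm, sys or sql"; return 1 ;;
        [0123456789]*)
            echo "'$name': must not begin with a digit"; return 1 ;;
        _*|*_)
            echo "'$name': must not begin or end with an underscore"; return 1 ;;
    esac
    for word in $RESERVED_WORDS; do
        if [ "$name" = "$word" ]; then
            echo "'$name': reserved word"; return 1
        fi
    done
    # The character check above guarantees the name is safe to use in a regex.
    if grep -q "^$name:" "$passwd" 2>/dev/null; then
        echo "'$name': a user with this name already exists on the system"; return 1
    fi
    echo "'$name': acceptable"
    return 0
}

# Usage: sh check_db2_name.sh ekmdb dellekm ...
if [ "$#" -gt 0 ]; then
    for candidate in "$@"; do
        validate_db2_username "$candidate"
    done
fi
```

Pass one or more candidate names on the command line; the first rule each name breaks is printed. Run it on the server where EKM 3.0 will be installed so the existing-user check looks at the right /etc/passwd.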

8.In the Database Password field, enter a password for the EKM DB2 database administrator account. In the Confirm Database Password field, retype the password.

NOTE: All passwords are case-sensitive.

NOTE: Dell recommends the use of strong passwords for all EKM 3.0 user accounts.

9.In the Database Data Drive field, enter the database drive location. This is the location where the EKM 3.0 DB2 data will be stored. In Windows, enter a drive letter and colon (:). In Linux, enter a folder location, for example, /home/ekmdb2.

10.In the Database Name field, enter a name for the EKM 3.0 DB2 database.

11.The Database Port field defaults to 50010 in Windows and 50000 in Linux.

All ports used by EKM 3.0 and set during the EKM 3.0 installation process are preset with the recommended port numbers. Dell strongly recommends that you use these recommended ports. If you plan to use a secondary server and you change a port when installing EKM 3.0, the port must be the same on the primary and secondary EKM 3.0 servers.

NOTE: All ports used during the installation process must be available in order to install EKM 3.0. The installer considers a port unavailable if it is listed in the system's services file, so verify that the port you intend to use is not listed there:

To verify in Windows,

a.Navigate to <root>:\Windows\System32\drivers\etc\.

b.Open the services file (a text file with no extension) in a text editor.

c.Confirm that the port number you want to use in the Database Port field is not listed. If the port is available, it will not be listed.

To verify in Linux,

a.Open the /etc/services file.

b.Confirm that the port number you want to use in the Database Port field is not listed. If the port is available, it will not be listed.

The services file maps names to ports; it does not show ports currently in use. Also confirm that no process is listening on the port (netstat -an on Windows; netstat -ln or ss -ln on Linux), otherwise the installer prompts you for a different port (see step 17).

12.Click Next.

The EKM Administrator screen appears. In this screen, you create the EKM 3.0 Administrator (superuser) account. This account is used for creating new users and new groups and assigning their permissions.

13.In the Administrator Username field, enter an EKM 3.0 administrator user name. (This can be any name except tklmadmin.)

14.In the Password field, enter a password for the EKM 3.0 Administrator account. In the Confirm Password field, retype the password.

15.Click Next.

The Encryption Manager screen appears. In this screen, you create the EKM 3.0 Encryption Manager (TKLMAdmin) account. This is the regular user account. It is used for daily key management. The TKLMAdmin Username field is pre-populated with tklmadmin. This is the required EKM Encryption Manager name.

16.In the TKLMAdmin Password field, enter a password for the EKM 3.0 Encryption Manager account. In the TKLMAdmin Confirm Password field, retype the password.

17.The EKM Port defaults to 16310 in Windows and Linux. This is the recommended port. Click Next.

NOTE: If the port provided is used by a different service, the EKM 3.0 installer prompts you to select a different port. Use the netstat command (netstat -an on Windows; netstat -ln or ss -ln on Linux) to determine which ports are in use, then select a port that is available. Record the port number. You will use this port to access the EKM 3.0 portal.

The Migration screen appears. This screen is used to migrate from EKM 2.X to EKM 3.0.

If you have an EKM 2.X version that you want to migrate to EKM 3.0, you must migrate it now. Refer to Migrating an Encryption Key Manager (EKM) 2.X Version during the EKM 3.0 Installation.

NOTE: You can only migrate an EKM 2.X version that has been used to create keys.

If you do not have an EKM 2.X version to migrate into EKM 3.0:

a)Leave the Migrate from EKM 2.X to EKM 3.0 check box unchecked and click Next. A verification pop-up window appears.

b)Click Yes in the pop-up window to confirm that you are not migrating an EKM 2.X version.

The Configuration Summary screen appears.

18.In the Configuration Summary screen, select the Save profile check box. The File Directory field becomes active.

NOTE: Dell recommends that you save the installation profile in case EKM 3.0 must be reinstalled in a disaster recovery situation. A saved installation profile is required to create a secondary EKM 3.0 server.

NOTE: Dell recommends that you use a removable drive as the location. If using a removable drive, you must insert the drive before clicking Next. The removable drive must remain inserted until the installation completes. Optionally, you can save the file to a location on the local drive and copy the file to the removable drive later.

NOTE: The path you enter in this field must include a file name. Do not enter a folder name only. The file path up until the folder name must exist, but the file name used for the installation profile must not exist.

19.In the File Directory field, enter the location and file name of the installation profile you are creating or click Choose and select a location, then enter a file name.

This is the location in which you want the installation profile to be saved and the name in which you want it to be saved.

EKM 3.0 saves the installation profile upon completion of the EKM 3.0 installation. If you are using a primary/secondary server configuration, you must use the primary EKM 3.0 server's installation profile during the installation of the secondary EKM 3.0 server to auto-populate the installation input fields.

Optionally, if you are reinstalling on the same server and want to use the same fields, you can use this installation profile to auto-populate the installation input fields.

NOTE: Dell recommends that you capture or print the Configuration Summary screen for later reference.

20.In the Configuration Summary screen, click Next. The Installation Summary screen appears.

21.Review the information on the Installation Summary screen.

22.Click Install.

NOTE: The software install time is approximately 45 minutes. Do not turn off the system until the installation completes.

NOTE: If you are planning to set up a secondary EKM 3.0 server, do not install EKM 3.0 on the secondary server until the primary server's EKM 3.0 installation is complete.

23.When the installation is complete, click Done.

NOTE: If you migrated an EKM 2.X version into the newly-installed EKM 3.0, then Dell strongly recommends that you create a backup of EKM 3.0 to ensure the new keys are not lost. Refer to Creating a Backup of the Keystore.

NOTE: If you are reinstalling EKM 3.0 and the installation fails due to an incomplete uninstall, perform the uninstall manually. Refer to Manually Uninstalling EKM 3.0 in Windows or Manually Uninstalling EKM 3.0 in Linux.

3 Setting up Primary and Secondary EKM 3.0 Servers

This chapter describes how to install, use, and uninstall EKM 3.0 on the primary and secondary servers.

CAUTION: To prevent possible data loss due to an EKM 3.0 server failure, Dell recommends using a primary and secondary EKM 3.0 server setup. This configuration provides redundancy in the event that the primary EKM 3.0 server is down or unavailable.

NOTE: You cannot have a primary EKM 3.0 and a secondary EKM 2.X server or vice versa.

Installing EKM 3.0 on the Primary Server

During the installation of EKM 3.0 on the primary server, you must select the option to save the installation profile. When the installation of EKM 3.0 on the primary server is complete, copy the saved installation profile to a removable drive or a server share. Refer to Installing EKM 3.0.

Using EKM 3.0 on the Primary Server

The primary EKM 3.0 server is where you perform all tasks for the management of encryption keys. By default, the primary EKM 3.0 server is set to Automatically accept all new device requests for communication. Refer to Configuring EKM 3.0 to Accept Devices that Contact EKM 3.0 for Keys for details on how to view or configure this setting. Dell recommends regularly backing up the primary EKM 3.0 server. Refer to Performing Backups and Restoring from a Backup.

If the primary EKM 3.0 server must be replaced for any reason, install EKM 3.0 on a new physical server using the installation profile from the original primary EKM 3.0 installation. Restore the new primary EKM 3.0 server with the latest backup, then update all devices to communicate with the new primary EKM 3.0 server for their key requests. Refer to your tape library's user's guide for details on how to change the IP address of the EKM 3.0 server used for key requests. To locate the tape library's user guide, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

Installing EKM 3.0 on the Secondary Server

NOTE: Do not install EKM 3.0 on the secondary server until the primary server's EKM 3.0 installation is complete.

The system on which EKM 3.0 is installed as a secondary server must have the same version of the operating system that is installed on the primary EKM 3.0 server. EKM 3.0 does not support mixed operating systems between the primary and secondary servers.

Install EKM 3.0 on the secondary server using the procedures in Installing EKM 3.0. Use the installation profile that you saved when you installed EKM 3.0 on the primary server. You must manually enter the same passwords you used when you installed EKM 3.0 on the primary server.

Using EKM 3.0 on the Secondary Server

The secondary EKM 3.0 server is used for redundancy in the event that the primary EKM 3.0 server is down or unavailable.

Use the backup created on the primary EKM 3.0 server to perform the restore operation on the secondary EKM 3.0 server periodically in order to keep the primary and secondary EKM 3.0 servers synchronized. Refer to Performing Backups and Restoring from a Backup.

By default, the secondary EKM 3.0 server is also set to Automatically accept all new device requests for communication. Dell recommends changing this setting to Only accept manually added devices for communication after every restore operation. This prevents the secondary EKM 3.0 server from serving keys to new devices that are not added to the primary EKM 3.0 server. Refer to Configuring EKM 3.0 to Accept Devices that Contact EKM 3.0 for Keys for details on how to view or configure this setting.

If the primary EKM 3.0 server is temporarily down or unavailable, you must perform the restore operation on the secondary EKM 3.0 server using the last backup created on the primary EKM 3.0 server.

NOTE: When the primary EKM 3.0 server is down or unavailable and the secondary EKM 3.0 server is used to support key requests from devices, Dell recommends that you do not perform any management or operational tasks on the secondary EKM 3.0 server.

Uninstalling EKM 3.0 from the Primary and Secondary Servers

For the procedure to uninstall EKM 3.0 from the primary and secondary servers, refer to Uninstalling EKM 3.0.

4 Performing Backups and Restoring from a Backup

You can perform a backup at any time. Performing a backup creates a backup file that contains the keystore, which contains devices and keys.

Backups do not contain device groups, users, or user groups. The DB2 database contains these. You can restore from a backup at any time.

NOTE: If keys are not backed up, they will not be served. If keys are not available to be served, encrypted backup jobs will fail.

Creating a Backup of the Keystore

This chapter describes how to back up the keystore.

1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears.

2. In the navigation pane, navigate to Dell Encryption Key Manager > Backup and Restore. The Backup and Restore screen appears.

3. Click Browse next to the Backup repository location field and navigate to the folder where you want to save the backup file (for example, C:\EKM_Backup in Windows, or /root/EKM_Backup in Linux).

NOTE: The folder must exist prior to starting the backup or the backup will fail. If you want to use a new folder, create it before you attempt to create a backup.

4. Click Select in the Browse Directory pop-up window to return to the Backup and Restore screen.

5. Click Create Backup.

The Create Backup screen appears.

6. In the Create password field, create a password for the backup. This password must not be less than six characters.

NOTE: Dell recommends the use of strong passwords for all EKM 3.0 related activities.

7. In the Retype Password field, re-enter the password.

8. (Optional) In the Backup description field, enter a description for the backup file. If you do not enter a description, a default description is added to the backup file.

NOTE: On some browser versions, the default description field is not editable. For more information, refer to Known Issues and Their Resolutions.

9. Click Create Backup.

A confirmation pop-up window appears.

10. In the confirmation pop-up window, click OK. The backup process runs.

NOTE: Do not use the system while a backup process is running. If the contents of EKM 3.0 are greyed-out for a long period of time, click the web browser’s refresh button.

11. When the backup file has been created, an Information pop-up window appears, confirming that the file was successfully created. In the pop-up window, click OK. The backup file you created displays in the table on the Backup and Restore screen.

12. Click Return home at the bottom of the screen.

The Welcome to Dell Encryption Key Manager screen appears.

Restoring from a Backup

You can restore from a backup. You can use a backup to create secondary key servers as well as to recreate the EKM 3.0 server in a disaster recovery situation.

CAUTION: Only perform a restore from a backup that was created on the same system or another EKM 3.0 server that was installed using the same installation profile. You cannot restore from a backup that was created on a different system using different installation details.

1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears.

2. In the navigation pane, navigate to Dell Encryption Key Manager > Backup and Restore. The Backup and Restore screen appears.

3. Select the backup from which you want to restore.

4. Click Restore From Backup at the top of the table. The Restore From Backup subwindow appears.

5. Enter the password for the backup file.

6. Click Restore Backup.

A confirmation pop-up window appears.

CAUTION: Any keys created after you created the backup will be lost along with access to any data encrypted with the keys. Lost or deleted keys cannot be recovered by any means.

7. In the confirmation pop-up window, click OK.

8. After restoring from the backup, you must manually stop and start the EKM 3.0 server. Refer to Starting and Stopping the EKM 3.0 Server in Windows or Starting and Stopping the EKM 3.0 Server in Linux.

5 Using EKM 3.0

This chapter describes some basic EKM 3.0 operations.

NOTE: EKM 3.0 is based on IBM Tivoli Key Lifecycle Manager (TKLM) V2 FixPack 2, but has been customized to support Dell tape library environments by selecting the relevant subset of TKLM features for tape.

For EKM 3.0 usage information not covered in this guide, refer to the TKLM documentation, which includes the following:

IBM Tivoli Key Manager 2.0 Quick Start Guide

IBM Tivoli Key Manager 2.0 Installation and Configuration Guide

IBM Tivoli Key Manager 2.0 Product Overview/Scenario Guide

For information on how to access the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

Some screens and functionality covered in the IBM TKLM documentation are not enabled in Dell EKM 3.0. EKM 3.0 contains only the subset of features needed to support Dell PowerVault tape libraries.

Logging into the Encryption Key Manager 3.0 Portal

To log into the Encryption Key Manager 3.0 portal, perform the following steps:

1. Open a browser and enter the following URL to open the EKM 3.0 portal: http://<EKM_3.0_server_IP_address>:<EKM_3.0_port_number>

NOTE: The port number specified is the one you provided during the EKM 3.0 installation. The default is 16310. If you do not know the port number, refer to the following:

In Windows

Refer to the value of the WC_defaulthost property in the following file: <root>:\Dell\EKM\profiles\TIPProfile\properties\portdef.props.

In Linux

Refer to the value of the WC_defaulthost property in the following file: /opt/dell/ekm/profiles/TIPProfile/properties/portdef.props.

NOTE: If an error message displays stating that the page cannot be found, the EKM 3.0 service might not be running. Refer to Starting and Stopping the EKM 3.0 Server in Windows or Starting and Stopping the EKM 3.0 Server in Linux.

The EKM 3.0 login window appears.

2. Log into EKM 3.0 using the EKM 3.0 Encryption Manager user name (tklmadmin) and the EKM 3.0 Encryption Manager password provided during the EKM 3.0 installation.

The Welcome to Dell Encryption Key Manager screen appears.
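The port lookup described in the NOTE above, as an added Python example that is not part of the Dell guide: it parses portdef.props for the WC_defaulthost property, falls back to the documented default of 16310 when the property is absent, and builds the portal URL. The sample property values are constructed; the Linux file path is the one the guide lists.

```python
"""Find the EKM 3.0 portal port in portdef.props and build the portal URL.

Added example, not part of the Dell guide. It reads the WC_defaulthost
property the guide points to; the sample file content below is constructed.
"""
import sys

# File locations named in the guide (<root> is the Windows install drive):
#   Windows: <root>:\Dell\EKM\profiles\TIPProfile\properties\portdef.props
#   Linux:   /opt/dell/ekm/profiles/TIPProfile/properties/portdef.props
LINUX_PORTDEF = "/opt/dell/ekm/profiles/TIPProfile/properties/portdef.props"
DEFAULT_PORT = 16310  # default portal port given in the guide


def parse_props(text):
    """Parse Java .properties text (simplified): skip comments, accept '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def portal_port(props_text):
    """Return the WC_defaulthost port, or the documented default if absent."""
    value = parse_props(props_text).get("WC_defaulthost")
    if value is None:
        return DEFAULT_PORT
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("WC_defaulthost out of range: %s" % value)
    return port


def portal_url(server, props_text):
    """Build the URL the guide gives: http://<server>:<port>."""
    return "http://%s:%d" % (server, portal_port(props_text))


# Constructed sample in the file's format; a real file lists more WC_* ports.
SAMPLE_PORTDEF = "# constructed sample\nWC_adminhost=16315\nWC_defaulthost=16310\n"

if __name__ == "__main__":
    # Usage: python ekm_portal_url.py [portdef.props path] [server address]
    path = sys.argv[1] if len(sys.argv) > 1 else LINUX_PORTDEF
    server = sys.argv[2] if len(sys.argv) > 2 else "localhost"
    with open(path) as f:
        print(portal_url(server, f.read()))
```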

Creating a Master Keystore

This chapter describes how to create the master keystore. The first time you log into EKM 3.0, you must create the master keystore.

NOTE: If you migrated an EKM 2.X keystore during the EKM 3.0 installation, a keystore is already created, and this procedure will not apply.

NOTE: At a later point, if you want to create additional keys and/or key groups, refer to Creating Key Groups for the Device Group.

To create the master keystore, perform the following steps.

1. In the Welcome to Dell Encryption Key Manager screen, click click here to create the master keystore. The Keystore screen appears.

2. Keep the default values for Keystore type, Keystore path, and Keystore name.

The default values are: Keystore type: JCEKS, and Keystore name: defaultKeyStore. The default value for the Keystore path in Windows is: <root>:\Dell\EKM\products\tklm\keystore. The default value for the Keystore path in Linux is: /opt/dell/ekm/products/tklm/keystore.

3. In the Password field, create a password for the default keystore. This password must not be less than six characters.

4. In the Retype Password field, re-enter the password.

5. Click OK.

The Keystore screen confirms that the keystore was created successfully.

6. Create a backup of the keystore. Refer to Performing Backups and Restoring from a Backup.

Enabling the Firewall in the EKM 3.0 Server

NOTE: Refer to your operating system's documentation for instructions on how to configure your firewall.

EKM 3.0 communicates with the tape library over the network. If the firewall is enabled on the system on which EKM 3.0 is installed and the required ports have not been opened, communication between EKM 3.0 and the tape library will fail. If you must enable the firewall on the system on which EKM 3.0 is installed, then perform the following steps to enable communication between EKM 3.0 and the tape library:

NOTE: These are the default ports used by EKM 3.0. If your tape library is configured to use different ports, ensure that you use those port numbers in the firewall settings and in the EKM 3.0 configuration.

NOTE: If you use a primary/secondary server configuration for EKM 3.0, then repeat this procedure for the secondary server.

1. Open the following ports for the corresponding protocols:

TCP: 3801

SSL: 443

2. If your firewall is configured only to allow specific IP addresses and/or subnet masks to communicate with the above ports, ensure that the tape library's IP address and/or subnet mask are included in the list of allowed IP addresses and/or subnet masks.

To access the tape library network configuration, log into the tape library remote management unit (RMU) and locate the network settings. For more information, refer to the tape library's user's guide. To locate the tape library's user's guide, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

3. If at a later point you want to change the port settings for communication between EKM 3.0 and the tape library, ensure that the ports are changed within the tape library's settings, EKM 3.0, and the firewall of the system on which EKM 3.0 is installed.
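An added Python example, not code from the Dell guide, that emits the firewall rules steps 1 and 2 describe: allow TCP 3801 and 443 inbound only from the tape library's address or subnet, and refuse a rule set that would open those ports to every host. It assumes iptables on Linux and netsh advfirewall on Windows; the library address 192.0.2.10 is constructed.

```python
"""Emit host-firewall rules for the EKM 3.0 ports, restricted to the tape library.

Added example, not from the Dell guide. Output is iptables (Linux) and
netsh advfirewall (Windows) command text; the library address is constructed.
"""
import ipaddress

# Default ports from the guide; if the library uses others, change them here,
# in EKM 3.0 and in the library's settings together.
EKM_PORTS = {"EKM 3.0 key serving": 3801, "EKM 3.0 SSL": 443}


def allowed_sources(cidrs):
    """Validate the library's addresses/subnets. A zero-length prefix would open
    the key-serving ports to every host, so it is refused outright."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for net in nets:
        if net.prefixlen == 0:
            raise ValueError("refusing to allow all sources: %s" % net)
    return nets


def iptables_rules(cidrs, ports=EKM_PORTS):
    """iptables: ACCEPT from each library address, then DROP the port for all others."""
    rules = []
    for net in allowed_sources(cidrs):
        for port in ports.values():
            rules.append("iptables -A INPUT -p tcp -s %s --dport %d -j ACCEPT"
                         % (net, port))
    for port in ports.values():
        rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules


def netsh_rules(cidrs, ports=EKM_PORTS):
    """netsh advfirewall: one inbound allow rule per port, remoteip = library only."""
    remote = ",".join(str(n) for n in allowed_sources(cidrs))
    return ['netsh advfirewall firewall add rule name="%s" dir=in action=allow '
            "protocol=TCP localport=%d remoteip=%s" % (name, port, remote)
            for name, port in ports.items()]


if __name__ == "__main__":
    library = ["192.0.2.10/32"]  # constructed tape library address
    print("\n".join(iptables_rules(library) + netsh_rules(library)))
```

Run the script on the EKM 3.0 host and review the printed commands before applying them; repeat for the secondary server if you use one.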

Configuring EKM 3.0 to Accept Devices that Contact EKM 3.0 for Keys

This chapter describes how to configure the behavior of EKM 3.0 to handle devices that attempt to connect to EKM 3.0 to request keys. Refer to your device's user's guide for details on how to connect to EKM 3.0 for key requests.

1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears.

2. In the navigation pane, navigate to Dell Encryption Key Manager > Key and Device Management. The Key and Device Management screen appears.

3. In the Manage keys and devices drop-down menu, select LTO and click Go.

NOTE: Refer to TKLM documentation for more details on these settings. For information on how to access the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.

4. In the drop-down menu at the bottom of the table, select one of the following:

Automatically accept all new device requests for communication: Keys will automatically be served to new devices. This is the default setting for EKM 3.0. Dell recommends that you keep this setting for the primary EKM 3.0 server, but not for a secondary server if you have configured one.

Only accept manually added devices for communication: Keys will not be served to devices unless the devices are added manually. If you are configuring the secondary EKM 3.0 server, Dell recommends that you use this setting so that the secondary EKM 3.0 server does not automatically serve keys to new devices.

Hold new device requests pending my approval: Devices that contact EKM 3.0 will be added to a pending list.

Creating a Device Group

This procedure creates a device group. If you are using a default device group, skip this section.

Device groups are used to manage keys that are served to one or more devices. Dell recommends that you use device groups in order to manage a subset of your devices based on your organization's needs.

To create a new device group, perform the following steps:

1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears.

2. In the navigation pane, navigate to Dell Encryption Key Manager > Advanced Configuration > Device Group. The Manage Device Groups screen appears.

3. Click Create at the top of the table.

The Create Device Group subwindow appears.
