Fujitsu ETERNUS LT260 User Manual

FUJITSU Storage ETERNUS LT260 Tape Library Key Management Function Option User's Guide
P3AG-1192-02ENZ0

Preface

Fujitsu would like to thank you for purchasing our Key Management Function Option for the FUJITSU Storage ETERNUS LT260 tape library (hereinafter referred to as "LT260").
This manual describes the setup methods and the operation procedures that are required to use the Key Management Function Option as well as notes and other information.
For information on handling the tape libraries (hereinafter referred to as "tape library", "library", or "device"), refer to the respective tape library user's guides. For information on console messages and commands of the backup software used, refer to the manual provided with the backup software.
Acknowledgments
LTO, Linear Tape-Open, and Ultrium are registered trademarks of Hewlett-Packard Development Company, IBM Corporation and Quantum Corporation.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
Internet Explorer is a trademark or registered trademark of Microsoft Corporation in the United States and other countries.
The company names and product names mentioned in this document are registered trademarks or trademarks of their respective companies.
Second Edition
January 2016
Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.

About This Manual

Organization
This manual is composed of the following four chapters and an appendix:
Chapter 1 Overview
This chapter provides a functional overview of the Key Management Function Option.
Chapter 2 Setup and Operation Procedures
This chapter explains the setup and operation procedures of the key management function.
Chapter 3 Setup Methods for Different Operations
This chapter explains the setup methods for different operations.
Chapter 4 Considerations
This chapter provides notes on the Key Management Function Option.
Additional information is provided in "Appendix A Logs Related to the Key Management Function".
Warning Notations
Before using the Key Management Function Option, carefully read the contents of this manual to ensure the safe use of this product. Follow the directions in this manual correctly in order to prevent injury to the user and/or material damage. After reading, store this manual in a safe place for quick reference.
Warning signs are shown throughout this manual in order to prevent injury to the user and/or material damage. Carefully check the written descriptions indicated by these signs when reading this manual.
To ensure the safe use of this product, the following symbol (caution symbol) as well as related information is provided.
CAUTION
This symbol indicates the possibility of personal injury or material damage when this product is not used properly.
This mark indicates instructions for general use.
Symbols Used in This Manual
In this manual, a button or menu that is referred to is indicated as, for example, [OK].
The following marks are used in this manual.
This symbol indicates important points to note when using this product.
This mark indicates additional information regarding things such as convenient functions and procedures while performing operations and settings with this product.

Table of Contents

Chapter 1 Overview
1.1 Overview of the Data Encryption Function of LTO Ultrium Tape Drives
1.2 Features of the Data Encryption Function of LTO Ultrium Tape Drives
1.3 Functional Overview of the Key Management Function Option
1.4 Features of the Key Management Function Option
1.5 Types of Keys
1.5.1 Master Key
1.5.2 Encryption Key
1.5.3 Management of Key Information and Encryption Setting Information
1.6 Operational Examples
1.6.1 Data Sharing between Centers
1.6.2 Encryption of Data Cartridges Stored at an External Location
1.6.3 Encryption of Each Logical Library (or Partition)
1.6.4 Interoperation among LT-series models
1.7 Security Functions
1.7.1 Security Account
1.7.2 Network Security
1.7.3 Security-Related Logs
Chapter 2 Setup and Operation Procedures
2.1 Basic Setup
2.1.1 Setting the Key Management Function License
2.1.2 Setting the Key Management Function
2.1.3 Setting the Master Key
2.1.4 Encryption Key Export and Import Functions
2.2 Backing Up the Setting Information
2.3 Checking the Setting Information
2.3.1 Setting Information of the Key Management Function
2.3.2 Setting Information of the Key Management Function for the Partition
2.3.3 Setting Information of the Key Management Function for the Drive
2.3.4 Encryption Setting Information of the Data Cartridge
Chapter 3 Setup Methods for Different Operations
3.1 Sharing Data among Multiple Tape Libraries
3.2 Storing Data Cartridges at External Locations
Chapter 4 Considerations
4.1 Troubleshooting
4.2 Sense Keys Related to the Key Management Function
4.3 Reuse of Data Cartridges
4.4 Connectivity with Backup Software
4.5 Purchasing a License
4.6 Changing the System Firmware
Appendix A Logs Related to the Key Management Function
A.1 How to Download Logs Related to the Key Management Function
A.2 Checking the Contents of the Logs Related to the Key Management Function
7
FUJITSU Storage ETERNUS LT260 Tape Library Key Management Function Option User’s Guide
Page 8

List of Figures

Figure 1.1 How the Key Management Function Option works
Figure 1.2 Automatic generation of encryption keys
Figure 1.3 Data cartridge sharing using one master key
Figure 1.4 External storage of data cartridges
Figure 1.5 Encryption of each logical library
Figure 1.6 Interoperation among LT-series models
Figure 2.1 Basic setup procedure
Figure 2.2 Login screen for the security administrator account
Figure 2.3 Screen for changing the security administrator password
Figure 2.4 Logging in to the remote panel
Figure 2.5 Initial value of SSL (disabled)
Figure 2.6 SSL setting (enabled)
Figure 2.7 Confirming the SSL setting change
Figure 2.8 Logging out of the remote panel
Figure 2.9 Logging in to the security administrator account
Figure 2.10 Setting the key management function
Figure 2.11 Setting the key management function (to enable)
Figure 2.12 Confirming the key management function setting
Figure 2.13 Selecting the key management function
Figure 2.14 Example of enabling the key management function
Figure 2.15 Example of disabling the key management function
Figure 2.16 Setting the master key
Figure 2.17 Confirmation screen for the master key setting
Figure 2.18 Setting a password for the master key
Figure 2.19 Exporting the master key
Figure 2.20 Saving the master key to export
Figure 2.21 Importing the master key
Figure 2.22 Confirmation screen for importing the master key
Figure 2.23 Status of importing the master key
Figure 2.24 Deleting the master key
Figure 2.25 Confirmation screen for deleting the master key
Figure 2.26 Encryption key password settings
Figure 2.27 Selecting the partition to export the target data cartridges
Figure 2.28 Selecting the data cartridges that are to be exported
Figure 2.29 Removing the export target data cartridges
Figure 2.30 Exporting the encryption key
Figure 2.31 Saving the encryption key to export
Figure 2.32 Importing the encryption key
Figure 2.33 Confirmation screen for importing the encryption key
Figure 2.34 Progress status screen for importing the encryption key
Figure 2.35 Selecting the partition where the deletion target encryption key exists
Figure 2.36 Selecting data cartridges with deletion target encryption keys
Figure 2.37 Excluding data cartridges with deletion target encryption keys
Figure 2.38 Selecting imported encryption keys that are to be deleted
Figure 2.39 Deleting the imported encryption keys
Figure 2.40 Deletion confirmation of the imported encryption key
Figure 2.41 Confirmation screen if an attempt at restoring the settings file for the library configuration is performed
Figure 2.42 [Status > Security > Security Encryption Status] screen
Figure 2.43 [Status > Security > Partition Encryption Status] screen
Figure 2.44 [Status > Security > Drive Encryption Status] screen
Figure 2.45 [Status > Cartridge Inventory > List View] screen
Figure 2.46 [Status > Cartridge Inventory > List View (detailed)] screen
Figure 2.47 [Status > Cartridge Inventory > Graphical View] screen

List of Tables

Table 4.1 Troubleshooting
Table 4.2 Sense keys
Table A.1 Events related to the key management function
Chapter 1
Overview

1.1 Overview of the Data Encryption Function of LTO Ultrium Tape Drives

LTO Ultrium tape drives that are installed in the LT260 tape library can write data to data cartridges (*2) encrypted with AES (*1) (256 bit).
With this function, data is assigned an arbitrary key when written to a data cartridge (*2), and the data can be read only if the same key is assigned again at the data read time.
The function can thus prevent leakage of information on the tape cartridge, even if the tape cartridge is left unattended when taken out or is missing, because its data cannot be read without the key.
Also, the tape cartridge can be disposed of without deleting the data.
*1: Advanced Encryption Standard (AES): Encryption system authorized by the National Institute of Standards and Technology (NIST)
*2: The data encryption function is incompatible with Ultrium3 or earlier generation data cartridges.

1.2 Features of the Data Encryption Function of LTO Ultrium Tape Drives

The data encryption function of LTO Ultrium tape drives has the following features:
The function conforms to the high security requirements specified in FIPS 140-2 (*1).
A key can be delivered through the host interface and the interface between a library and tape drive.
The encryption logic is implemented by hardware, which means that encryption has less effect on read-write performance.
*1: FIPS 140-2 defines the U.S. government's security requirements for cryptographic modules used for data.

1.3 Functional Overview of the Key Management Function Option

The Key Management Function Option allows the use of the encryption function provided by Ultrium tape drives to manage encryption keys on the tape library.
Figure 1.1 shows how the Key Management Function Option works.
Figure 1.1 How the Key Management Function Option works
[Figure labels: Key Management Function Option; Encryption setting (When the encryption settings are applied); Remote panel; Tape library; Key management database; Master key; Encryption key; LTO Ultrium tape drive; Backup server; Plain text; Encrypted data]
The Key Management Function Option applies the encryption settings from the remote panel to the tape library and assigns one key called the master key. The encryption key that is automatically generated for each data cartridge by the tape library is based on the master key, and this information is stored in a database in the tape library.
During a data backup from a backup server, the tape library automatically assigns an encryption key to the specified data cartridge, encrypts the data (plaintext), and saves the data. The encryption process is performed transparently during this time.
The following tape drives and tape cartridges are required to use the Key Management Function Option:
LTO Ultrium5 (G5) or later tape drives
LTO Ultrium4 (G4) or later tape cartridges
For other required optional products, refer to "FUJITSU Storage ETERNUS LT260 Tape Library Product List". For more details about tape cartridges, refer to "A.1 Ultrium Tape Cartridge" in "FUJITSU Storage ETERNUS LT260 Tape Library User’s Guide -Installation & Operation-".
To use the key management function, purchasing the Key Management Function Option is required.

1.4 Features of the Key Management Function Option

The Key Management Function Option has the following features:
It enables easy construction of a secure backup system that is independent of the OS and backup software, since the tape library will automatically handle encryption. (*1)
Because encryption keys are set for the tape library from a Web browser terminal, the library manager alone can ensure the security of the library, with no need for a backup operator to intervene.
One master key is set for each tape library, and encryption keys based on the master key are automatically assigned to all data cartridges in the tape library. Thus, the library manager need not manage any of the encryption keys of the data cartridges. (*2)
Setting the same master key as the common master key for the ETERNUS LT220, LT230, LT250, LT260, LT270, and LT270 S2 (*3) will facilitate the use of encrypted tape cartridge data among all these tape libraries.
To share data among multiple tape libraries, Fujitsu recommends operation with a common master key. In the event of a disaster, a data cartridge stored at an external location may need to be read with a tape library having a different master key. This different tape library can read the data on the data cartridge only if the encryption key had been exported in advance using the encryption key export or import function (*4).
*1: The Key Management Function Option cannot be used together with the encryption function of backup software.
*2: For information on master keys, refer to "1.5.1 Master Key" (page 14). For information on encryption keys, refer to "1.5.2 Encryption Key" (page 15).
*3: The ETERNUS LT20, LT20 S2, LT40, LT40 S2, LT60, LT60 S2, LT200, and LT210 do not support the key management function. The ETERNUS LT220, LT230, LT250, and LT270 have been discontinued.
*4: For information on the encryption key export or import function, refer to "2.1.4 Encryption Key Export and Import Functions" (page 43).

1.5 Types of Keys

The Key Management Function Option uses two types of keys for encryption: the master key that must have been set for each LT260 tape library, and the encryption key assigned to each tape cartridge in the tape library.
This section describes these keys.

1.5.1 Master Key

A master key is set for each tape library.
The tape library must have a master key set in order for the Key Management Function Option to work.
The functions of a master key are listed below.
The encryption key for a data cartridge is automatically generated from a master key. (*1)
The same master key can be set for multiple tape libraries. This function enables these multiple tape libraries to share data cartridges containing encrypted data.
The tape library manager can set a master key.
In a logical library (or partition) configuration, a master key can also be assigned for each logical library (or partition).
*1: Since automatically generated master keys are managed only by the tape library, their values are invisible to users.
The two methods of creating a master key are as follows: automatic generation using the tape library and manual creation using arbitrary characters.
For automatic generation with a tape library, each tape library automatically generates a master key based on data unique to the tape library. For this reason, other tape libraries cannot generate the same master key. Once a master key is created, the master key can no longer be decrypted even by a maintenance engineer.
Although the master key is stored redundantly in the database of the tape library, it may be lost in the rare event that the tape library fails. The encrypted data can no longer be read in such a case. Therefore, after setting the master key, be sure to export it (to a binary file) and keep it in a safe place.
For information on setting a master key, refer to "2.1.3 Setting the Master Key" (page 33). For information on exporting the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).

1.5.2 Encryption Key

An encryption key is assigned to each data cartridge.
Different data cartridges never have the same encryption key because the tape library automatically generates an encryption key based on the master key and data unique to each data cartridge.
If different tape libraries have the same master key and same data unique to the data cartridge, the libraries will generate the same encryption key for the cartridge.
Only one encryption key is assigned to each data cartridge.
During normal operations, because the tape library performs the encryption key operations, the user is not involved.
The encryption key export or import function can be used to export or import only an encryption key (a password and encrypted binary file) for data sharing between tape libraries with different master keys. However, note that if the encryption key is lost, the data can no longer be restored. To share data among tape libraries, Fujitsu recommends operation with a common master key.
An encryption key is generated and assigned when a data write process is performed to the data cartridge.
For information on the encryption key export or import function, refer to "2.1.4 Encryption Key Export and Import Functions" (page 43).
Figure 1.2 Automatic generation of encryption keys
[Figure labels: Operator; Setting; Master key; Automatic generation; Database for key management; Specific information of the tape cartridge; Encryption key 0; Encryption key 1; Encryption key 2; Tape cartridge; Encryption 0; Encryption 1; Encryption 2; Non-encryption]

1.5.3 Management of Key Information and Encryption Setting Information

Although key information and encryption setting information are stored in a redundant manner in the tape library, encryption keys may be lost in the rare event that the tape library fails. The encrypted data saved on data cartridges can no longer be decrypted in such a case. Therefore, after registering a master key or setting an encryption key for a data cartridge, be sure to export the encryption key and keep it in a safe place.
For information on exporting a master key, refer to "2.1.3.2 Exporting the Master Key" (page 35). For information on backing up encryption setting information, refer to "2.2 Backing Up the Setting Information" (page 56).

1.6 Operational Examples

It is not necessary to make any change to existing operations in order to use data encryption using the Key Management Function Option.
This section describes operational examples of sharing data on encrypted data cartridges among multiple tape libraries and external storage of encrypted data cartridges.

1.6.1 Data Sharing between Centers

Setting the same master key for multiple tape libraries installed in the same center or separate centers enables these libraries to share data cartridges with encryption keys hidden from view.
Figure 1.3 Data cartridge sharing using one master key
[Figure labels: Primary-site; Backup-center; Master key A; Master key A; Transported only the cartridges]

1.6.2 Encryption of Data Cartridges Stored at an External Location

For disaster recovery, encrypted data cartridges can be stored at an external location and, when needed, brought back to read the data on them. Even if a data cartridge in storage is lost or stolen, the encryption can prevent data leakage.
Once a data cartridge in storage is inserted into its original tape library or one with the same master key, the data can be read from the library without setting the key again.
Once encryption keys are exported, even if the tape library becomes unavailable such as in the event of a disaster, data on the data cartridge can be read by importing the encryption key to a tape library with a different master key.
Figure 1.4 External storage of data cartridges
[Figure labels: Primary-site; Secondary-site; Master key A; Master key A; Encryption key; Encryption key]

1.6.3 Encryption of Each Logical Library (or Partition)

In a logical library (or partition) configuration, the master key can be assigned individually to each logical library (or partition).
Figure 1.5 Encryption of each logical library
[Figure labels: Lib #1; Lib #2; Lib #3; Master key; Master key; Encryption; Non-Encryption]
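The key hierarchy of 1.5.2 and the sharing cases of 1.6.1 and 1.6.2, modelled as an added example that is not from this manual or from Fujitsu. The manual does not disclose how the library derives keys, so HKDF-SHA256, the key check value stored with the tape record, the `TapeLibrary` class and every identifier and sample value below are assumptions made for illustration.

```python
import hashlib
import hmac

KEY_LEN = 32  # bytes; AES-256, the cipher named in section 1.1


def hkdf_sha256(ikm, salt, info, length=KEY_LEN):
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def key_check_value(key):
    """Fingerprint of a key, so keys can be compared without being displayed."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


class TapeLibrary:
    """Hypothetical model of one library and its key management database."""

    SALT = b"constructed-demo-salt"  # assumption, not a documented value

    def __init__(self, name, master_key):
        self.name = name
        self._master_key = master_key
        self._imported = {}  # cartridge id -> key imported from another library

    def _derived_key(self, cartridge_id):
        # Master key + data unique to the cartridge -> one key per cartridge.
        return hkdf_sha256(self._master_key, self.SALT, cartridge_id.encode())

    def write(self, cartridge_id):
        """Simulate a backup; the returned record stands in for the written tape."""
        key = self._derived_key(cartridge_id)
        return {"id": cartridge_id, "kcv": key_check_value(key)}

    def export_key(self, cartridge_id):
        # The real export is a password-protected binary file; wrapping is omitted here.
        return {"id": cartridge_id, "key": self._derived_key(cartridge_id)}

    def import_key(self, bundle):
        self._imported[bundle["id"]] = bundle["key"]

    def can_read(self, tape):
        """True if this library holds or can derive the key the tape was written with."""
        candidates = [self._derived_key(tape["id"])]
        if tape["id"] in self._imported:
            candidates.append(self._imported[tape["id"]])
        return any(hmac.compare_digest(key_check_value(k), tape["kcv"]) for k in candidates)


def run_scenario():
    # Constructed master keys: A is shared by two sites, B belongs to a third.
    master_a = hashlib.sha256(b"constructed master key A").digest()
    master_b = hashlib.sha256(b"constructed master key B").digest()
    primary = TapeLibrary("primary-site", master_a)
    backup_center = TapeLibrary("backup-center", master_a)
    dr_site = TapeLibrary("dr-site", master_b)

    tape1 = primary.write("DEMO01L5")  # constructed cartridge identifiers
    tape2 = primary.write("DEMO02L5")
    results = {
        "distinct_keys_per_cartridge": tape1["kcv"] != tape2["kcv"],
        "same_master_reads": backup_center.can_read(tape1),
        "other_master_reads_before_import": dr_site.can_read(tape1),
    }
    # Export from the primary while it is still available, then import at the DR site.
    dr_site.import_key(primary.export_key("DEMO01L5"))
    results["other_master_reads_after_import"] = dr_site.can_read(tape1)
    results["unexported_cartridge_still_unreadable"] = not dr_site.can_read(tape2)
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The last result is the disaster recovery caveat from 1.4: a library with a different master key can read only those cartridges whose keys were exported before the original library became unavailable.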

1.6.4 Interoperation among LT-series models

The ETERNUS LT220, LT230, LT250, LT260, LT270, and LT270 S2 tape libraries (hereinafter referred to as "LT series") share compatible master keys and encryption keys, so keys and encrypted data cartridges can be shared among the LT series.
Setting a common master key for these tape libraries facilitates data sharing and data migration between the tape libraries.
The Key Management Function Option does not support interoperability with the tape libraries, encryption devices, software encryption functions, and other related hardware or software manufactured by other companies.
Figure 1.6 Interoperation among LT-series models
[Figure labels: LT220 (*1); LT230 (*1); LT250 (*1); LT260; LT270 (*1); LT270 S2]
*1: Sales of the ETERNUS LT220, LT230, LT250, and LT270 tape libraries have been discontinued.

1.7 Security Functions

This section describes the security functions that are used for the Key Management Function Option.

1.7.1 Security Account

The security account is used from the remote panel for operations and settings related to the key management function.
To log in to the remote panel, the security administrator account, "security", is used for operations and settings of the key management function.
The security administrator logs in with this dedicated account to make all the relevant settings. Anyone who logs in with another account cannot modify the settings of the key management function.
For information on how to log in with the security account, refer to "2.1.2.2 Logging in to the Remote Panel" (page 25).

1.7.2 Network Security

The protocol for the connection to the remote panel via a LAN can be set to "https," which encrypts the transmitted data.
For information on the https setting, refer to "2.1.2.3 Enabling SSL" (page 26).

1.7.3 Security-Related Logs

A history of key management function operations or settings is automatically recorded in a log. This enables the tracking of unauthorized access and operations.
For information on the storage and contents of the security-related logs, refer to "Appendix A Logs Related to the Key Management Function" (page 74).
Page 21
Chapter 2 Setup and Operation Procedures
This chapter explains the settings that are related to the key management function.
The setup and operations for each function are performed from the operator panel or the remote panel. For details about the setup and operations, refer to "FUJITSU Storage ETERNUS LT260 Tape Library User's Guide -Panel Operation-".
CAUTION
Perform the setup while the tape library is not in operation. Otherwise, data may be lost.

2.1 Basic Setup

This section provides the procedure for the basic setup of the key management function.
Figure 2.1 Basic setup procedure
Registering the license key: "2.1.1 Setting the Key Management Function License" (page 22)
Enabling the key management function: "2.1.2 Setting the Key Management Function" (page 23)
Setting the master key: "2.1.3 Setting the Master Key" (page 33)
Exporting and importing the encryption key: "2.1.4 Encryption Key Export and Import Functions" (page 43)
Exporting the master key: "2.1.3.2 Exporting the Master Key" (page 35)
Complete
Page 22

2.1.1 Setting the Key Management Function License

Once the license key on the license sheet that is provided with the Key Management Function Option is entered, the key management function can be set.
Ask a maintenance engineer to perform this setting.
If the tape library and the Key Management Function Option are purchased together, the license is already set and does not need to be set again.
The license key for the Key Management Function Option cannot be used with a tape library that has a different serial number. Since the license sheet that has the license key may be required for maintenance work, be sure to keep it in a safe place.
Page 23

2.1.2 Setting the Key Management Function

This setting enables or disables the key management function. For logical library (or partition) configurations, the setting can be performed separately for each logical library (or partition).
To set the key management function, a security administrator account must be used to log in to the remote panel.
2.1.2.1 Changing the Initial Password of the Security Administrator Account
To log in to the remote panel with a security administrator account, the initial password of the account must be changed from the operator panel in advance.
The security administrator has the following account name and initial password.
User (account name): security (alphabetical characters)
Password (initial password): security (alphabetical characters)
1 Select the "security" administrator account on the operator panel, enter "security" as the initial password, and click the [Login] button.
Figure 2.2 Login screen for the security administrator account
The screen changes to the [Configuration > User Account] screen.
Page 24
2 Select [security] for [Select User].
3 Enter a new password in both boxes.
The password must be specified within 8 to 16 characters. Uppercase and lowercase alphanumeric characters and special characters can be used.
4 After entering the password, click [Submit] to confirm the password.
Figure 2.3 Screen for changing the security administrator password
5 Click [Logout] to log out of the operator panel.
Keep the security administrator password in a safe place because even a maintenance engineer cannot change the password.
Page 25
2.1.2.2 Logging in to the Remote Panel
This section provides the procedure for enabling the key management function.
To set the key management function, a security administrator account must be used to log in to the remote panel.
When connecting the remote panel, use Internet Explorer 9 or later.
To log in to the remote panel with a security administrator account, the initial password of the account must be changed from the operator panel in advance. For details, refer to "2.1.2.1 Changing the Initial Password of the Security Administrator Account" (page 23).
1 Enter "http://(IP address of the tape library)" in the address bar on the web browser to access the remote panel.
2 Select [security] from the [User] pull-down menu.
3 For [Password], enter the security administrator account password that was set in "2.1.2.1 Changing the Initial Password of the Security Administrator Account" (page 23) and click [Login].
Figure 2.4 Logging in to the remote panel
Page 26
2.1.2.3 Enabling SSL
Before the key management function is used, Secure Socket Layer (SSL) must be enabled to access the remote panel securely.
When SSL is enabled, https must be used to connect to the remote panel.
SSL is disabled by default.
1 Move to the [Configuration > Web Management] screen.
Figure 2.5 Initial value of SSL (disabled)
2 Select the [SSL (Secure Socket Layer)] checkbox to enable SSL.
3 Click [Submit] to update the setting.
Figure 2.6 SSL setting (enabled)
Page 27
4 When the SSL confirmation screen for the change appears, click [OK].
Figure 2.7 Confirming the SSL setting change
5 To update the changed SSL setting, log out of the remote panel.
Figure 2.8 Logging out of the remote panel
After SSL is enabled, the method for connecting to the remote panel changes. For the connection method, refer to "2.1.2.4 Connecting to the Remote Panel after Enabling SSL" (page 28).
Page 28
2.1.2.4 Connecting to the Remote Panel after Enabling SSL
The method for connecting to the remote panel after SSL is enabled is provided below.
1 Enter "https://(IP address of the tape library)" in the address bar on the web browser.
2 Any attempt to connect to a web service that is not registered as an approved site causes a security certificate warning to appear.
3 Click [Continue to this website (not recommended)].
The remote panel is connected while SSL is enabled. "Certificate Error" is displayed in the login screen. This does not cause any problems to the remote panel operations.
4 Select [security] from the [User] pull-down menu.
5 For [Password], enter the security administrator account password that was set in "2.1.2.1 Changing the Initial Password of the Security Administrator Account" (page 23) and click [Login].
Figure 2.9 Logging in to the security administrator account
Page 29
2.1.2.5 Enabling and Disabling the Key Management Function
This setting enables or disables the key management function. In logical library (or partition) configurations, encryption is enabled or disabled for each logical library (or partition).
Even when this setting is performed, data that is already written in a data cartridge is not encrypted.
After deleting existing data and enabling the key management function, write the data to the data cartridge again.
To perform this setting, the key management function license must be set in advance. For details, refer to "2.1.1 Setting the Key Management Function License" (page 22).
When changing the logical library (or partition) configuration or when changing the setting to enable or disable the key management function, back up the encryption key in advance.
1 Move to the [Configuration > Encryption] screen.
Figure 2.10 Setting the key management function
2 Select [LT Library Encryption (Licensed)].
Page 30
3 Click [Submit].
Figure 2.11 Setting the key management function (to enable)
4 On the confirmation screen, click [Yes] to confirm the setting.
Figure 2.12 Confirming the key management function setting
The key management function is enabled by default.
Page 31
5 For logical library (or partition) configurations, enable or disable the key management function for each logical library (or partition).
5-1 Click [LT Encryption].
Figure 2.13 Selecting the key management function
5-2 Select whether to enable or disable the key management function for each logical library (or partition). Select the checkbox when enabling the key management function. The key management function is enabled by default.
When the logical library (or partition) configuration is changed in the [Configuration > Partition] screen, the key management function for the changed logical library (or partition) is enabled by default.
When the key management function for the tape library is disabled, data encryption depends on the backup software setting.
Page 32
5-3 Click [Submit] to update the setting.
Figure 2.14 Example of enabling the key management function
Figure 2.15 Example of disabling the key management function
Page 33

2.1.3 Setting the Master Key

This section provides the procedure for setting a master key in the tape library to use the key management function.
If a master key is already set, the old master key is overwritten with a new master key. Data that was encrypted using the old master key cannot be read. Back up the old master key in advance so that the master key can be changed back to the old master key to read the data as required. In addition, by exporting and importing the encryption key for the required data cartridge, changing back the master key is not required even if the master key is changed. For details about backing up the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
2.1.3.1 Setting the Master Key
This section provides the procedure for setting a master key in the partition where the key management function is enabled.
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Master Keys] > [Set Manual Key] on the center pane.
3 Enter a new master key in both boxes.
The master key must be specified within 8 to 16 characters. Uppercase and lowercase alphanumeric characters and special characters can be used.
4 Select the partition where the master key is to be set.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
Page 34
5 Click [Submit].
Figure 2.16 Setting the master key
Page 35
6 On the confirmation screen, click [Yes] to confirm the setting.
If a master key is already set, the old master key is overwritten with a new master key. Data that was encrypted using the old master key cannot be read. For details about backing up the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
Figure 2.17 Confirmation screen for the master key setting
2.1.3.2 Exporting the Master Key
The purposes for exporting the master key are as follows.
Backing up the master key
By exporting the generated master key, backups are saved externally.
Sharing the master key with other tape libraries
When the encrypted data is shared between multiple tape libraries, the master key is shared by importing the exported master key to other tape libraries.
For the LT260, if a maintenance part must be replaced due to a failure, the master key and encryption keys may need to be exported and imported by the user.
When exported, the master key is created as a binary file that is protected by a password. There is no risk of decrypting the master key.
If a master key is not set and the imported master key does not exist, a master key is automatically created when the data is first written to the data cartridge in each partition.
Page 36
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Master Keys] > [Export Key] on the center pane.
3 Enter the password in both boxes.
The password must be specified within 8 to 16 characters. Uppercase and lowercase alphanumeric characters and special characters can be used.
The password is required to import the master key. Keep the password in a safe place.
Figure 2.18 Setting a password for the master key
Page 37
4 Click [Export] for the partition where the master key that is to be exported exists.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the partition list.
Only a single master key can be exported at a time. When exporting the master keys of multiple partitions, repeat the procedure from Step 4 and onward. Partitions cannot be selected if the master key is not set.
Figure 2.19 Exporting the master key
Page 38
5 Specify the destination to which the master key is exported.
The operation for saving the master key differs depending on the OS.
The default file name for the exported master key is determined by the "ID_x_MasterKey_yymmdd_xxxxxxxxxx.key" format. The file size is 128 bytes.
Figure 2.20 Saving the master key to export
2.1.3.3 Importing the Master Key
If the master key is already set, the old master key is overwritten with a new master key. Data that was encrypted using the old master key cannot be read. Back up the old master key in advance so that the master key can be changed back to the old master key to read the data as required. In addition, by exporting and importing the encryption key for the required data cartridge, changing back the master key is not required even if the master key is changed. For details about backing up the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Master Keys] > [Import Key] on the center pane.
3 Select the master key file to be imported.
Page 39
4 Select the destination partition where the master key is to be imported.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
5 Enter the password that was set when the master key was exported.
For details, refer to "2.1.3.2 Exporting the Master Key" (page 35).
6 Click [Submit].
Figure 2.21 Importing the master key
Page 40
7 On the confirmation screen, click [Yes] to import the master key.
Figure 2.22 Confirmation screen for importing the master key
If the "Master Key was successfully imported" message disappears, the master key has been imported.
Figure 2.23 Status of importing the master key
Page 41
2.1.3.4 Deleting the Master Key
This function can delete any unnecessary master key.
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Master Keys] > [Delete Key] on the center pane.
3 Click [Delete] for the partition where the master key that is to be deleted exists.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the partition list.
Only a single master key can be deleted at a time. When deleting the master keys of multiple partitions, repeat the procedure from Step 3 and onward.
Figure 2.24 Deleting the master key
Page 42
4 On the confirmation screen, click [Yes] to delete the master key.
If the master key is deleted, data that was encrypted using the deleted master key cannot be read.
For details about backing up the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
Deleted master keys cannot be restored even by a maintenance engineer or the manufacturing plant. Carefully consider whether to delete the master key.
Figure 2.25 Confirmation screen for deleting the master key
Page 43

2.1.4 Encryption Key Export and Import Functions

An encryption key file that is created by exporting encryption keys from multiple data cartridges at the same time can only be imported to the LT260. To import the encryption keys that were exported from the LT260 to tape libraries that support a key management function (*1) different from the LT260, export one encryption key per data cartridge.
Regardless of the number of selected data cartridges, only one encryption key file is created when encryption keys are exported from multiple data cartridges.
*1: ETERNUS LT220, LT230, LT250, LT270, and LT270 S2
An encryption key is generated and assigned when a data write process is performed to the data cartridge.
For the LT260, if a maintenance part must be replaced due to a failure, the master key and encryption keys may need to be exported and imported by the user.
2.1.4.1 Exporting the Encryption Key
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Encryption Keys] > [Export Key] on the center pane.
Page 44
3 Enter the password in both boxes.
The password must be specified within 8 to 16 characters. Uppercase and lowercase alphanumeric characters and special characters can be used.
The password is required to import the encryption key. Keep the password in a safe place.
Figure 2.26 Encryption key password settings
Page 45
4 Select the partition where the data cartridges to export the encryption keys are stored.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
Figure 2.27 Selecting the partition to export the target data cartridges
Page 46
5 Select the data cartridges to export the encryption keys.
The color of the selected data cartridges changes. Click [] to move the data cartridge to a dedicated field for storing export target data cartridges. Multiple data cartridges can be moved at the same time.
Figure 2.28 Selecting the data cartridges that are to be exported
Page 47
To remove the data cartridges from the export target field, select the relevant data cartridge. The color of the selected data cartridge changes. Click [] to remove the selected data cartridge.
Figure 2.29 Removing the export target data cartridges
Page 48
6 Click [Export] to export the encryption keys from the selected data cartridges.
Figure 2.30 Exporting the encryption key
Page 49
7 Specify the destination to which the encryption key is exported.
The operation for saving the encryption key differs depending on the OS.
The default file name for the exported encryption key is determined by the "ID_x_EncryptionKey_yymmdd_xxxxxxxxxx.key" format. The file size is 128 bytes.
Figure 2.31 Saving the encryption key to export
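An added example, not part of Fujitsu's guide: a Python check for a folder of exported master key and encryption key backups, based on the default file name format and the 128-byte file size given in "2.1.3.2 Exporting the Master Key" and "2.1.4.1 Exporting the Encryption Key". The character classes assumed for the "x" placeholders, the manifest of SHA-256 hashes, and all function names are assumptions; the sample files are constructed and contain no key material.

```python
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

EXPECTED_SIZE = 128  # bytes; the guide gives this size for both key file types

# Default export names from the guide:
#   ID_x_MasterKey_yymmdd_xxxxxxxxxx.key
#   ID_x_EncryptionKey_yymmdd_xxxxxxxxxx.key
# Assumption: "x" is one or more alphanumerics and the last field is exactly
# ten alphanumerics. The guide does not define these placeholders.
NAME_RE = re.compile(
    r"^ID_(?P<id>[0-9A-Za-z]+)_(?P<kind>MasterKey|EncryptionKey)"
    r"_(?P<date>\d{6})_(?P<tail>[0-9A-Za-z]{10})\.key$"
)


def audit_key_file(path):
    """Check one exported key file; return (record, list_of_problems)."""
    path = Path(path)
    data = path.read_bytes()
    record = {
        "kind": None,
        "exported": None,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    problems = []
    match = NAME_RE.match(path.name)
    if match is None:
        problems.append("name does not match the default export format")
    else:
        record["kind"] = match["kind"]
        try:
            exported = datetime.strptime(match["date"], "%y%m%d").date()
            record["exported"] = exported.isoformat()
        except ValueError:
            problems.append("yymmdd field is not a valid date")
    if len(data) != EXPECTED_SIZE:
        problems.append(f"size is {len(data)} bytes, expected {EXPECTED_SIZE}")
    elif len(set(data)) == 1:
        # Heuristic: a password-protected key blob is never one repeated byte.
        problems.append("contents are a single repeated byte")
    return record, problems


def audit_directory(directory, manifest=None):
    """Audit every *.key file and compare against an earlier manifest.

    manifest maps file name -> SHA-256 hex digest recorded at export time.
    Returns {file name: {"record": ..., "problems": [...]}}.
    """
    manifest = manifest or {}
    report = {}
    for path in sorted(Path(directory).glob("*.key")):
        record, problems = audit_key_file(path)
        recorded = manifest.get(path.name)
        if recorded is not None and recorded != record["sha256"]:
            problems.append("contents differ from the recorded hash")
        report[path.name] = {"record": record, "problems": problems}
    # Files that were recorded at export time but are no longer present.
    for name in sorted(set(manifest) - set(report)):
        report[name] = {"record": None, "problems": ["file is missing"]}
    return report


def write_constructed_samples(directory):
    """Create constructed sample files (not real key material) for a dry run."""
    directory = Path(directory)
    good = bytes(range(EXPECTED_SIZE))
    (directory / "ID_1_MasterKey_160115_ABCDEF0123.key").write_bytes(good)
    (directory / "ID_1_EncryptionKey_160115_ABCDEF0123.key").write_bytes(good[:100])
    (directory / "ID_2_MasterKey_161345_ABCDEF0123.key").write_bytes(good)
    (directory / "masterkey-copy.key").write_bytes(bytes(EXPECTED_SIZE))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        for name, entry in audit_directory(tmp).items():
            status = "; ".join(entry["problems"]) or "ok"
            print(f"{name}: {status}")
```

Record each file's SHA-256 in the manifest at export time, and keep the manifest apart from the key files and their export passwords.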
Page 50
2.1.4.2 Importing the Encryption Key
To use an encrypted data cartridge brought in from outside in the LT260 with a different master key, import the encryption key for that data cartridge before mounting in the LT260. If the encryption key was not imported, data writing is not allowed.
If the encrypted data cartridge brought in from the outside is mounted in the LT260 with a different master key before the encryption key has been imported, a new encryption key may be assigned to the data cartridge. The new encryption key can be overwritten by importing the encryption key that was exported in advance.
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Encryption Keys] > [Import Key] on the center pane.
3 Select the encryption key file that is to be imported.
4 Select the partition where the encryption key is to be imported.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
5 Enter the password that was set when the encryption key was exported.
For details about the password, refer to "2.1.4.1 Exporting the Encryption Key" (page 43).
6 Click [Submit].
Figure 2.32 Importing the encryption key
Page 51
7 When a confirmation screen appears, click [Yes] to import the encryption key.
Figure 2.33 Confirmation screen for importing the encryption key
If the "Encryption key/s were successfully imported" message disappears, the encryption key has been imported.
Figure 2.34 Progress status screen for importing the encryption key
Page 52
2.1.4.3 Deleting the Encryption Key
This function deletes the imported encryption key. Use this function to delete the unnecessary encryption key after using the encrypted data cartridge that was brought in from outside.
This function is used to delete the imported encryption key that is used for encrypted data cartridges that were brought in from the outside. Note that this function cannot be used for deleting encryption keys that are automatically assigned to the data cartridge from the tape library.
1 Move to the [Configuration > Encryption > LT Encryption] screen.
2 Select [Encryption keys] from the menu.
3 Select [Delete Encryption Key/s] from the menu.
4 Select the partition that stores the data cartridge for deleting the encryption key.
If no logical libraries (or partitions) are configured, only "Partition_1" is displayed in the drop down list.
Figure 2.35 Selecting the partition where the deletion target encryption key exists
Page 53
5 Select the data cartridge that corresponds to the deletion target encryption key.
The color of the selected data cartridge changes. Click [] to move the data cartridge to a dedicated field for storing deletion target data cartridges. Multiple data cartridges can be moved at the same time.
In this screen, only the data cartridges with an imported encryption key are displayed.
Figure 2.36 Selecting data cartridges with deletion target encryption keys
Page 54
To exclude a data cartridge from the deletion target field, select the target data cartridge and click [].
Figure 2.37 Excluding data cartridges with deletion target encryption keys
6 Click [Delete].
Figure 2.38 Selecting imported encryption keys that are to be deleted
Page 55
7 When a confirmation screen appears, click [Yes] to delete the imported encryption key.
Figure 2.39 Deleting the imported encryption keys
Information of the data cartridge disappears. The deletion of the imported encryption keys is complete.
Figure 2.40 Deletion confirmation of the imported encryption key
Page 56

2.2 Backing Up the Setting Information

For the LT260, by saving the library configuration settings as a file, the saved settings can be restored in the tape library.
For the procedure to back up the setting information, refer to "Saving the library configuration to a file" of "2.5.2 Saving, Restoring and Resetting the Library Configuration" in "FUJITSU Storage ETERNUS LT260 Tape Library User's Guide -Panel Operation-".
While the Key Management Function Option is being used, if the file that is saved with the library configuration settings is restored to the tape library, the master key and encryption keys must be saved externally (or exported) in advance. If an attempt at restoring the settings file for the library configuration in the tape library is performed, a confirmation screen to delete the master key and encryption keys is displayed on the operator panel and the remote panel (refer to "Figure 2.41 Confirmation screen if an attempt at restoring the settings file for the library configuration is performed"). If the [Yes] button on this confirmation screen is clicked, the master key and encryption keys that are saved in the LT260 tape library are all automatically deleted. At this point, if the master key and encryption keys have not been exported, click the [No] button. After the master key and encryption key are exported respectively, restore the setting file for the library configuration in the tape library again. After the settings file for the library configuration is restored, import the exported master key and encryption keys if necessary.
Figure 2.41 Confirmation screen if an attempt at restoring the settings file for the library configuration is performed
For the LT260, backing up only the information related to the encryption key management function from the setting information is not available. The setting information for libraries related to the encryption key management function is stored with other configurations not related to the encryption key management function such as configurations for libraries and operations.
Page 57

2.3 Checking the Setting Information

This section explains how to check the setting information of the key management function.

2.3.1 Setting Information of the Key Management Function

To check whether the key management function is enabled, follow the procedure below.
1 Log in to the remote panel.
2 Move to the [Status > Security] screen.
In [Security Encryption Status], if "Enabled" is displayed for [LT Encryption], the key management function is enabled.
Figure 2.42 [Status > Security > Security Encryption Status] screen
Page 58

2.3.2 Setting Information of the Key Management Function for the Partition

To check the setting information of the key management function for each partition, follow the procedure below.
1 Log in to the remote panel.
2 Move to the [Status > Security] screen.
In [Partition Encryption Status] > [Partitions], if "LT Encryption" is displayed for [Encryption Configuration], the key management function is enabled. If "Controlled by Backup Application" is displayed for [Encryption Configuration], the key management function is disabled, and the key management function follows the backup software setting.
Figure 2.43 [Status > Security > Partition Encryption Status] screen
Page 59

2.3.3 Setting Information of the Key Management Function for the Drive

To check the setting information of the key management function for each drive, follow the procedure below.
1 Log in to the remote panel.
2 Move to the [Status > Security] screen.
In [Drive Encryption Status], if "Enabled" is displayed for [Encryption], the key management function of the drive is enabled. If "Disabled" is displayed for [Encryption], the key management function is disabled, and the key management function follows the backup software setting.
Figure 2.44 [Status > Security > Drive Encryption Status] screen

2.3.4 Encryption Setting Information of the Data Cartridge

Check the encryption setting information of the data cartridge in the tape library.
Use either of the following methods to check.
- Using the inventory list
- Using the inventory graphical view

2.3.4.1 Using the Inventory List

To use the inventory list to check the encryption setting information of the data cartridge, follow the procedure below.
1 Log in to the remote panel.
2 Move to the [Status > Cartridge Inventory > List View] screen.
Figure 2.45 [Status > Cartridge Inventory > List View] screen
3 Click the data cartridge that is to be checked.
Additional information is displayed. The encryption setting information of the data cartridge can be checked by viewing [Encryption] and [LT Encryption Key].
Encryption
- Not Encrypted
An encryption key is assigned, but there is no encrypted data.
- Encrypted
An encryption key is assigned and encrypted data exists.
- N/A
An encryption key is not assigned.
LT Encryption Key
- Auto
An automatically generated encryption key is used.
- Import
An imported encryption key is used.
- N/A
An encryption key is not assigned.
Figure 2.46 [Status > Cartridge Inventory > List View (detailed)] screen
For Ultrium3 or earlier data cartridges, all the items above are displayed as "N/A".

2.3.4.2 Using the Inventory Graphical View

To use the inventory graphical view to check the encryption setting information of the data cartridge, follow the procedure below.
1 Log in to the remote panel.
2 Move to the [Status > Cartridge Inventory > Graphical View] screen.
3 Move the mouse over the data cartridge that is to be checked.
Detailed information is displayed. The encryption setting information of the data cartridge can be checked by viewing [Encryption] and [LT Encryption Key].
Encryption
- Not Encrypted
An encryption key is assigned, but there is no encrypted data.
- Encrypted
An encryption key is assigned and encrypted data exists.
- N/A
An encryption key is not assigned.
LT Encryption Key
- Auto
An automatically generated encryption key is used.
- Import
An imported encryption key is used.
- N/A
An encryption key is not assigned.
Figure 2.47 [Status > Cartridge Inventory > Graphical View] screen
For Ultrium3 or earlier data cartridges, all the items above are displayed as "N/A".

Chapter 3 Setup Methods for Different Operations

This chapter explains the setup procedures in examples of general operations with the key management function.

3.1 Sharing Data among Multiple Tape Libraries

This section explains a general setup procedure for assigning the same master key to multiple tape libraries to share data cartridges (data) among them.
Make appropriate settings by following the procedure below.
1 Set the license key of the Key Management Function Option of each tape library.
One Key Management Function Option is required for each tape library.
2 Assign a master key for the main tape library.
For information on how to set the master key, refer to "2.1.3 Setting the Master Key" (page 33).
3 Export the set master key to the management console.
For information on how to export the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
4 Import the exported master key to the other tape libraries.
For information on how to import a master key, refer to "2.1.3.3 Importing the Master Key" (page 38). For information on how to import a master key to the ETERNUS LT250, LT270, and LT270 S2, refer to "FUJITSU Storage ETERNUS LT250/LT270/LT270 S2 Tape Library Key Management Function Option User's Guide".
5 The above setup enables the tape libraries assigned the same master key to share data cartridges without any special settings and operations.

3.2 Storing Data Cartridges at External Locations

For disaster recovery, encrypted data cartridges can be stored externally, such as at an external warehouse, and, when needed, brought back to read the data on them.
Make appropriate settings by following the procedure below.
1 Set the license key of the Key Management Function Option of each tape library.
2 Assign a master key for the main tape library.
For information on how to set the master key, refer to "2.1.3 Setting the Master Key" (page 33).
3 Export the set master key to the management console.
For information on how to export the master key, refer to "2.1.3.2 Exporting the Master Key" (page 35).
4 Import the master key to the other tape libraries that will share data, so that the tape libraries have a common master key.
The encryption key export or import function can be used to export the encryption keys of a stored data cartridge, so that a tape library with a different master key can use the data cartridge after importing the encryption key. However, if the encryption key is deleted or lost by mistake, the data can no longer be read. Therefore, Fujitsu recommends that the same master key be set for the tape libraries sharing data. For information on the encryption key export or import function, refer to "2.1.4 Encryption Key Export and Import Functions" (page 43).
5 Eject the data cartridges for external storage.
For information on how to eject a data cartridge, refer to "3.3 Loading and Ejecting Cartridges" in "FUJITSU Storage ETERNUS LT260 Tape Library User’s Guide -Installation & Operation-".
6 To use the data cartridges that were placed in external storage in case of disaster, insert these cartridges into a tape library that has the same master key as the previous tape library.
The data cartridges can be used without modification by using a tape library that has the same master key.
To use the data cartridge in a tape library with a different master key, import its exported encryption key before inserting the data cartridge into the tape library.
For information on how to import an encryption key, refer to "2.1.4.2 Importing the Encryption Key" (page 50). For information on how to insert a data cartridge, refer to "3.3 Loading and Ejecting Cartridges" in "FUJITSU Storage ETERNUS LT260 Tape Library User’s Guide -Installation & Operation-".

Chapter 4 Considerations

4.1 Troubleshooting

If any problem occurs with the key management function, check for the problem in Table 4.1, and review the usage and settings.
Table 4.1 Troubleshooting

Problem: Encryption failed.
Cause: Possible causes are:
1. Data was not recorded with an Ultrium5 or later tape drive.
2. An Ultrium3 or earlier data cartridge was used.
3. The appropriate settings for encryption have not been made.
Corrective action: Confirm that:
1. The data was recorded with an Ultrium5 or later tape drive.
2. No Ultrium1, Ultrium2, or Ultrium3 data cartridge was used.
3. Appropriate settings for encryption have been made.
Refer: "2.3.4 Encryption Setting Information of the Data Cartridge" (page 60)

Problem: An encryption key could not be exported.
Cause: The encryption key has not been assigned to a data cartridge.
Corrective action: An encryption key is generated and assigned when a data write process is performed to the data cartridge.
Refer: "2.3.4 Encryption Setting Information of the Data Cartridge" (page 60)

Problem: When the remote panel was used to log in with the security account, the following error message appeared and the login failed.
"The default Security user password must be modified via the OCP."
Cause: The initial password of the security account may not have been changed.
Corrective action: Change the initial password of the security administrator account using the operator panel.
Refer: "2.1.2.1 Changing the Initial Password of the Security Administrator Account" (page 23)

Problem: The menu for the [Configuration > Encryption > LT Encryption] screen could not be displayed.
Cause: An account other than the security account may have been used to log in.
Corrective action: Log in with the security account.
Refer: "2.1.2.2 Logging in to the Remote Panel" (page 25)

Problem: The following error message appeared on the [Configuration > Encryption > LT Encryption] screen.
"Import Export functionality is only available using secure HTTPS connection."
Cause: Instead of an https connection, an http connection may have been used to log in.
Corrective action: Enable [SSL Secure Socket Layer] by selecting the checkbox on the [Configuration > Web Management] screen. After that, log out and then log back in using https.
Refer: "2.1.2.3 Enabling SSL" (page 26) and "2.1.2.4 Connecting to the Remote Panel after Enabling SSL" (page 28)

Problem: The following message appeared on the [Configuration of Encryption] screen and the key management function cannot be enabled or disabled.
"Note: Encryption configuration changes cannot be made while media is loaded in any drive."
Cause: The tape cartridge may have been loaded in the tape drive.
Corrective action: Check whether the tape cartridge is loaded in the tape drive. If the tape cartridge is loaded, move it from the tape drive to the slot.
Refer: "2.7.1 Moving Media" and "2.8.2 Using Inventory Lists" in "FUJITSU Storage ETERNUS LT260 Tape Library User’s Guide -Panel Operation-"

Problem: The following message appeared on the [Configuration of Encryption] screen and the key management function cannot be enabled or disabled.
"NOTE: Partition contains drives which do not support Encryption."
Cause: The drive firmware version may be old. The drive firmware versions that support the Key Management Function Option are as follows:
- LT26AFHE, LT26AFHL (LTO G5 HH FC): V01L06(Y67B) and later
- LT26AFJE, LT26AFJL (LTO G6 HH FC): V01L03(23AB) and later
- LT26ASHE, LT26ASHL (LTO G5 HH SAS): V01L05(Z67B) and later
- LT26ASJE, LT26ASJL (LTO G6 HH SAS): V01L03(33AB) and later
All firmware versions for the following models support the Key Management Function Option: LT26BSKE, LT26BFKE, LT26BSME, LT26BFME, LT26BSKL, LT26BFKL, LT26BSML, LT26BFML
Corrective action: Update the drive firmware to the latest version. Ask a maintenance engineer to update the drive firmware.

4.2 Sense Keys Related to the Key Management Function

The following table lists the sense keys displayed on the server when an error related to the key management function occurs.
Table 4.2 Sense keys

| Sense Key | asc | ascq | Error information | Cause |
|---|---|---|---|---|
| 7 | 74 | 0 | Security error | A drive or tape library may be faulty. |
| 7 | 74 | 1 | Unable to decrypt data | A drive or tape library may be faulty. |
| 7 | 74 | 2 | Unencrypted data encountered while Decrypting | A drive or tape library may be faulty. |
| 7 | 74 | 3 | Incorrect data encryption key | The encryption key of the data cartridge is probably different from the imported encryption key. |
| 7 | 74 | 4 | Cryptographic integrity validation failed | A drive or tape library may be faulty. |
| 7 | 74 | 5 | Key-associated data descriptors changed | A drive or tape library may be faulty. |
| 7 | 74 | 8 | Digital signature validation failure | A drive or tape library may be faulty. |
| 7 | 74 | 9 | Encryption mode mismatch on read | A drive or tape library may be faulty. |
| 7 | 74 | a | Encrypted block not raw read enabled | A drive or tape library may be faulty. |
| 7 | 74 | b | Incorrect encryption parameters | A drive or tape library may be faulty. |
| 5 | 74 | 21 | Data encryption configuration prevented | The settings cannot be changed because the encryption function is enabled in the tape library. Check the setting information. |
| 7 | 74 | 80 | KAD changed | A setting error of the encryption parameters exists. A drive, tape library, or media may be faulty. |

4.3 Reuse of Data Cartridges

To reuse an encrypted data cartridge, use backup software to erase the data.

4.4 Connectivity with Backup Software

On a system using the key management function, Fujitsu recommends using verified backup software.
If unverified backup software is used, encryption may not work normally. For more information, contact your sales representative.
If your backup software supports the encryption function of Ultrium5 or later tape drives, be sure to disable the encryption function of the backup software as necessary.

4.5 Purchasing a License

To issue a license for using the Key Management Function Option, the serial number of the tape library is required. If the LT260 has already been purchased, provide the serial number of the tape library to your sales representative to obtain this license.
If the Key Management Function Option is purchased with the tape library, no action is necessary because the license has already been set.

4.6 Changing the System Firmware

The following operations are required to downgrade the system firmware from version 6.70 or later (for the LT260 in which the Key Management Function Option is being used) to version 6.56 or earlier (for which the Key Management Function Option is not supported).
- Deleting the master key
- Deleting the encryption key
- Disabling the key management function
Since the encrypted data cannot be read after the master key and the encryption key are deleted, be sure to export the master key and the encryption key in advance and keep them in a safe place.

Appendix A Logs Related to the Key Management Function
A history of key management function operations or settings is automatically recorded in a log. This enables the tracking of unauthorized access and other operations. The log related to the key management function is saved with the logs for the library settings and operations not related to the key management function.
A.1 How to Download Logs Related to the Key Management Function
Downloading only the log related to the key management function is not possible. Note that the log related to the key management function is saved with the logs for the library settings and operations not related to the key management function.
For information on how to download logs, refer to "2.6.6 Downloading Log and Trace Files" in "FUJITSU Storage ETERNUS LT260 Tape Library User’s Guide -Panel Operation-".
A.2 Checking the Contents of the Logs Related to the Key Management Function
Download the log and trace files (compressed files in the tgz format) according to "A.1 How to Download Logs Related to the Key Management Function" (page 74) and decompress the files. The following files are then extracted in the "syslog-hostname-library (system) firmware version_date_time" folder.
(1) conflog.txt
(2) details.bin
(3) infolog.txt
(4) servicelog.txt
(5) system.log
(6) ticketlog.txt
For events related to the key management function that are recorded in each file, refer to "Table A.1 Events related to the key management function" (page 77).
(1) conflog.txt
This file records the changes of the library configuration and settings. The contents are recorded in the "EVENT: event code - message" format.
For events related to the key management function, refer to "Table A.1 Events related to the key management function" (page 77).
Example:
-------- EVENT: 8053 - LT Encryption encryption keys exported to key file --------
Message: EXPORT_LT_DATA_KEYS
Time: 08/27/2015 04:51:04 PM
-------- Details --------
PHYSICAL_PART: 1
PARTITION_NAME: Partition_0
KEY_COUNT: 1
SYS_COMPONENT: SYSTEM
PHY_NUM: 1
(2) details.bin
This file records the detailed information of the library in the binary format. The contents cannot be viewed.
(3) infolog.txt
This file records the library warnings. The contents are recorded in the "EVENT: event code - message" format.
For events related to the key management function, refer to "Table A.1 Events related to the key management function" (page 77).
Example:
-------- EVENT: 9059 - LT encryption Key retrieved by tape drive --------
Message: ENCR_KEY_REQUEST
Time: 09/03/2015 10:36:29 AM
-------- Details --------
KEY_CREATE: FALSE
SYS_COMPONENT: SYSTEM
PHY_NUM: 1
(4) servicelog.txt
This file records information that is required for maintenance.
Example:
-------- TYPE: SERVICE --------
Message: SINGULAR_TICKET
Time: 08/24/2015 07:22:51 PM
-------- Details --------
ERRORCODE: Drive status monitoring failed (DRIVE_STATUS_FAILED)
SEVERITY: WARNING
SYS_COMPONENT: DRIVE
PHY_NUM: 1 (19)
-------------------------
ERRORCODE: ADT SCSI command check condition not retryable (DRIVE_SCSI_CMD_CHECK_CONDITION)
CDB_DATA: 8C 00 00 00 00 00 00 00 04 08 00 00 00 0A 00
SENSE_DATA: 03 11 12
FIELD_POINTER: CD 0, SKSV 0, FP 11458 (2CC2)
(5) system.log
This file records the library configuration, the status, and the settings. The contents that are displayed in the Status menu and the encryption setting information are recorded.
Example:
Service Dump from: 09/03/2015 10:41:36 AM
-----------------------------------------
Library Information:
--------------------
Vendor : FUJITSU
Product ID : ETERNUS LT260
Serial Number : LTDEC42202KN
Firmware Revision : 6.62
Firmware Build Date : 08-24-2015
Firmware Checksum : 253C
…………
…………
LT Encryption:
---------------
Master Keys:
------------
Partition |FW Rev |Product ID |Src. Library SN |Src. Library Name |UTC created |Origin
----------+------------+----------------+--------------------+--------------------+--------------------+--------------------
1 |6.62 |LT260 |LTDEC42202KN |Partition_0 |1440660684 |Auto
Encryption Keys:
----------------
Partition |Media Manuf. |Media SN |Barcode Label |FW Rev |Product ID |Origin
-----------+--------------------------+------------------------+--------------------+--------------------+--------------------+-------------------
Licenses:
---------
License: 65NHBTTL5CQSJP1
Description: LT Library Encryption
Status: active
Expiration: never
(6) ticketlog.txt
This file records the library error information. The contents are recorded in the "Event event code - message" format.
For events related to the key management function, refer to "Table A.1 Events related to the key management function" (page 77).
Example:
-------- Event 4059 - Drive is included to an encrypting partition but is not supporting encryption --------
Ticket-No: 76
Time: 08/27/2015 02:26:41 PM
State: Resolved
Closed: No
Severity: WARNING
Component: DRIVE
Component-Id: 21
-------------- DETAILS --------------
ERRORCODE_2: Drive configuration failed (DRIVE_CONFIG_FAILED)
SEVERITY_2: WARNING
SYS_COMPONENT_2: DRIVE
PHY_NUM_2: 3 (21)
-------------------------
ERRORCODE: Drive is not supporting encryption (DRIVE_NO_ENCRYPTION)
Table A.1 Events related to the key management function

| Event code | Message | Meaning |
|---|---|---|
| 4055 | Encryption configuration failed | Configuration of the encryption setting failed. |
| 4059 | Drive configuration failed because it does not support encryption | The tape drive does not support the encryption function. |
| 4114 | LT Library encryption not licensed | The license for the Key Management Function Option is not set. |
| 8048 | LT Encryption master key created | The master key was generated by a manual setting or by automatic generation. |
| 8049 | LT Encryption master key deleted | The master key was deleted. |
| 8050 | LT Encryption master key exported to key file | The master key was exported to the library as a file. |
| 8051 | LT Encryption master key imported from key file | The master key was imported to the library as a file. |
| 8052 | LT Encryption master key changed | The master key was changed by a manual setting or the import process. |
| 8053 | LT Encryption encryption keys exported to key file | The encryption keys were exported to the library as a file. |
| 8054 | LT Encryption encryption keys imported from key file | The encryption keys were imported to the library as a file. |
| 8055 | LT Encryption encryption keys deleted | The encryption keys were deleted. |
| 9059 | LT encryption Key retrieved by tape drive | The tape drive received the encryption key. |
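
The following Python script is an added example, not part of this guide or of the library firmware. It scans the text of conflog.txt or infolog.txt for "EVENT: event code - message" headers, keeps the events listed in Table A.1, and queues those that export, change or delete key material for review. The function names, the REVIEW_FIRST selection, the timestamp format, the tolerance for fields sharing a line, and the sample log (including event 1234 and its message identifier) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Event codes and messages as listed in Table A.1.
KEY_MGMT_EVENTS = {
    4055: "Encryption configuration failed",
    4059: "Drive configuration failed because it does not support encryption",
    4114: "LT Library encryption not licensed",
    8048: "LT Encryption master key created",
    8049: "LT Encryption master key deleted",
    8050: "LT Encryption master key exported to key file",
    8051: "LT Encryption master key imported from key file",
    8052: "LT Encryption master key changed",
    8053: "LT Encryption encryption keys exported to key file",
    8054: "LT Encryption encryption keys imported from key file",
    8055: "LT Encryption encryption keys deleted",
    9059: "LT encryption Key retrieved by tape drive",
}
# Assumption of this example: key export, change and delete events come first.
REVIEW_FIRST = {8049, 8050, 8052, 8053, 8055}
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # inferred from the examples in A.2

BLOCK_START = re.compile(r"-{4,}\s*(?:EVENT|TYPE)\b", re.IGNORECASE)
HEADER = re.compile(r"-{4,}\s*EVENT:?\s*(\d+)\s+-\s+(.*?)\s*-{4,}", re.I | re.S)
TIME = re.compile(r"Time:\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
DETAIL = re.compile(r"\b([A-Z][A-Z0-9_]*):\s*(\S+)")


def parse_key_events(text):
    """Return the Table A.1 events found in conflog.txt/infolog.txt text."""
    starts = [m.start() for m in BLOCK_START.finditer(text)] + [len(text)]
    events = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        head = HEADER.match(block)
        code = int(head.group(1)) if head else None
        if code not in KEY_MGMT_EVENTS:
            continue  # service blocks and unrelated event codes
        body = block[head.end():]
        stamp = TIME.search(body)
        when = datetime.strptime(stamp.group(1), TIME_FORMAT) if stamp else None
        events.append({
            "code": code,
            "message": " ".join(head.group(2).split()),
            "time": when,
            "details": dict(DETAIL.findall(body)),  # first token of each value
            "review_first": code in REVIEW_FIRST,
        })
    return events


def review_queue(events):
    """Events that touch key material, oldest first (undated ones last)."""
    flagged = [e for e in events if e["review_first"]]
    return sorted(flagged, key=lambda e: (e["time"] is None, e["time"] or datetime.min))


# Constructed sample built from the examples in A.2, in mixed line layouts.
SAMPLE_LOG = """\
-------- EVENT: 9059 - LT encryption Key retrieved by tape drive --------
Message: ENCR_KEY_REQUEST Time: 09/03/2015 10:36:29 AM
-------- Details --------
KEY_CREATE: FALSE SYS_COMPONENT: SYSTEM PHY_NUM: 1
-------- EVENT: 1234 - Constructed unrelated event --------
Message: CONSTRUCTED_PLACEHOLDER Time: 08/27/2015 04:50:00 PM
-------- TYPE: SERVICE --------
Message: SINGULAR_TICKET Time: 08/24/2015 07:22:51 PM
-------- EVENT: 8053 - LT Encryption encryption keys exported to key file --------
Message: EXPORT_LT_DATA_KEYS
Time: 08/27/2015 04:51:04 PM
-------- Details --------
PHYSICAL_PART: 1
PARTITION_NAME: Partition_0
KEY_COUNT: 1 SYS_COMPONENT: SYSTEM PHY_NUM: 1
"""

if __name__ == "__main__":
    for ev in review_queue(parse_key_events(SAMPLE_LOG)):
        print(ev["time"], ev["code"], ev["message"], ev["details"])
```

Because the key management events are saved together with unrelated library events, filtering by the Table A.1 codes is what isolates them; each export event in the queue can then be checked against the partition named in its details.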
FUJITSU Storage ETERNUS LT260 Tape Library
Key Management Function Option
User's Guide
P3AG-1192-02ENZ0
Date of issuance: January 2016
Issuance responsibility: FUJITSU LIMITED
• The content of this manual is subject to change without notice.
• This manual was prepared with the utmost attention to detail. However, Fujitsu shall assume no responsibility for any operational problems as the result of errors, omissions, or the use of information in this manual.
• Fujitsu assumes no liability for damages to third party copyrights or other rights arising from the use of any information in this manual.
• The content of this manual may not be reproduced or distributed in part or in its entirety without prior permission from Fujitsu.