HP StorageWorks XP Data Integrity Check XP Software User Manual

HP XP P9000 DKA Encryption User Guide

Abstract
This guide describes and provides instructions for using the HP XP P9000 DKA Encryption License Key software to configure and perform HP DKA Encryption License Key operations. The intended audience is a storage system administrator or authorized service provider with independent knowledge of HP XP P9000 disk arrays and the HP Remote Web Console.
HP Part Number: AV400-96578 Published: July 2013 Edition: Tenth
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Export Requirements
You may not export or re-export this document or any copy or adaptation in violation of export laws or regulations.
Without limiting the foregoing, this document may not be exported, re-exported, transferred or downloaded to or within (or to a national resident of) countries under U.S. economic embargo, including Cuba, Iran, North Korea, Sudan, and Syria. This list is subject to change.
This document may not be exported, re-exported, transferred, or downloaded to persons or entities listed on the U.S. Department of Commerce Denied Persons List, Entity List of proliferation concern or on any U.S. Treasury Department Designated Nationals exclusion list, or to parties directly or indirectly involved in the development or production of nuclear, chemical, biological weapons, or in missile technology programs as specified in the U.S. Export Administration Regulations (15 CFR 744).
Revision History
DescriptionDateEdition
Applies to microcode version 70-01-01-00/00 or later.October 2010First
Applies to microcode version 70-01-24-00/00 or later.November 2010Second
Applies to microcode version 70-01-62-00/00 or later.January 2011Third
Applies to microcode version 70-02-01-00/00 or later.May 2011Fourth
Applies to microcode version 70-02-5x-00/00 or laterSeptember 2011Fifth
Applies to microcode version 70-03-00-00/00 or later.November 2011Sixth
Applies to microcode version 70-03-00-xx/xx or later.April 2012Seventh
Applies to microcode version 70-03-00-xx/xx or later.August 2012Eighth
Applies to microcode version 70-03-00-xx/xx or later.November 2012Ninth
Applies to microcode version 70-06-00-00/00 or later.July 2013Tenth

Contents

1 DKA Encryption Overview...........................................................................6
DKA Encryption benefits............................................................................................................6
DKA Encryption support specifications.........................................................................................6
Primary and secondary data encryption license keys.....................................................................6
KMIP key management server support.........................................................................................7
Data encryption at the parity-group level workflow........................................................................7
Data encryption on existing data workflow..............................................................................7
Disable encrypted data workflow................................................................................................7
Change data encryption license key workflow..............................................................................8
Migration practices with encryption........................................................................................8
Audit logging of encryption events..............................................................................................8
Encryption states and protection.................................................................................................8
Interoperability with other software applications............................................................................9
2 DKA Encryption Installation........................................................................10
DKA Encryption installation workflow........................................................................................10
System requirements................................................................................................................10
Enabling the DKA Encryption feature.........................................................................................10
Assigning users to user groups.................................................................................................11
3 Key Management Server Connections.........................................................12
Key management server requirements........................................................................................12
Root and client certificates...................................................................................................12
Root certificate on the key management server..................................................................12
Client certificate password..............................................................................................12
Preparing the client certificate workflow................................................................................13
Private key file creation workflow.....................................................................................13
Creating a private SSL key file........................................................................................13
Creating a public SSL key file.........................................................................................13
Converting the client certificate to the PKCS#12 format.......................................................14
Configuring the connection settings to the key management server.......................................14
Key management server settings workflow..................................................................................14
Viewing the key management server connection settings.........................................................15
Configuring the connection settings to the key management server...........................................15
4 Managing data encryption license keys.......................................................17
Data encryption license key creation workflow............................................................................17
Creating data encryption license keys...................................................................................17
Back up secondary data encryption license key workflow........................................................17
Backing up keys as a file................................................................................................18
Backing up keys to a key management server...................................................................18
Enable data encryption at the parity-group level workflow............................................................19
Enabling data encryption at the parity-group level..................................................................19
Disable data encryption at the parity-group level workflow...........................................................20
Blocking LDEVs at the parity-group level................................................................................20
Disabling data encryption at the parity-group level.................................................................21
LDEV encryption formatting at the parity-group level...............................................................21
Unblocking LDEVs at the parity-group level............................................................................22
Moving unencrypted data to an encrypted environment workflow..................................................22
Data encryption license key restoration workflow........................................................................22
Blocking LDEVs using a file.................................................................................................23
Blocking LDEVs on the key management server......................................................................23
Restoring keys from a file....................................................................................................23
Contents 3
Restoring keys from a key management server........................................................................24
Viewing backup data encryption license keys.............................................................................24
Data encryption license key change management workflow.........................................................24
Data encryption license key deletion workflow............................................................................25
Deleting data encryption license keys...................................................................................25
Deleting backup data encryption license keys from the server...................................................26
Exporting encryption license key table information......................................................................26
5 Troubleshooting........................................................................................27
Encryption events in the audit log..............................................................................................27
DKA Encryption processes that the audit log records...............................................................27
Problems and solutions............................................................................................................27
6 Support and other resources......................................................................29
Contacting HP........................................................................................................................29
Subscription service............................................................................................................29
Documentation feedback....................................................................................................29
Related information.................................................................................................................29
HP websites......................................................................................................................29
Conventions for storage capacity values....................................................................................30
Typographic conventions.........................................................................................................30
A Conventions............................................................................................32
Business Copy, Business Copy Z, and Snapshot volumes..............................................................32
B DKA Encryption GUI Reference...................................................................33
Top window when selecting Encryption Keys..............................................................................33
Summary section...............................................................................................................33
Encryption Keys tab............................................................................................................34
View Key Management Server Properties window.......................................................................34
Key Management Server Properties table..............................................................................35
Setup Key Management Server wizard......................................................................................35
Setup Key Management Server window................................................................................36
Confirm window................................................................................................................37
Create Keys wizard.................................................................................................................38
Create Keys window..........................................................................................................38
Selected Keys table on Create Keys window.....................................................................38
Confirm window................................................................................................................38
Selected Keys table on Confirm window...........................................................................39
Edit Password Policy wizard......................................................................................................39
Edit Password Policy window...............................................................................................39
Confirm window................................................................................................................40
Backup Keys to File wizard.......................................................................................................41
Backup Keys to File window................................................................................................41
Confirm window................................................................................................................42
Backup Keys to Server wizard...................................................................................................43
Backup Keys to Server window............................................................................................43
Confirm window................................................................................................................44
Restore Keys from file wizard....................................................................................................44
Restore Keys from File window.............................................................................................44
Confirm window................................................................................................................45
Restore Keys from Server wizard...............................................................................................46
Restore Keys from Server window.........................................................................................46
Confirm window................................................................................................................46
Delete Keys wizard.................................................................................................................47
Delete Keys window...........................................................................................................47
Confirm window................................................................................................................48
4 Contents
Delete Backup Keys on Server window......................................................................................48
View Backup Keys on Server window........................................................................................49
Backup Keys table..............................................................................................................50
Edit Encryption wizard.............................................................................................................50
Edit Encryption window......................................................................................................51
Available Parity Groups table.........................................................................................51
Selected Parity Groups table...........................................................................................52
Confirm window................................................................................................................53
Selected Parity Groups table...........................................................................................54
Glossary....................................................................................................55
Index.........................................................................................................56
Contents 5

1 DKA Encryption Overview

To guarantee the security of the data, use the DKA Encryption (EDKA) feature to store encrypted data in an LDEV and encrypt them. The EDKA feature provides redundant backup and restore capabilities to ensure data availability.

DKA Encryption benefits

Encrypting data can prevent information loss or leaks if a disk drive is physically removed from the system. Failure, loss, or theft are the most common reasons for information loss.
The following lists the benefits of using the EDKA feature:
Hardware-based AES 256 encryption in XTS mode for open and mainframe systems.
You can apply encryption to some or all of the internal drives without throughput or latency
impacts for data I/O and little to no disruption to existing applications and infrastructure.
Simplified and integrated key management that does note require specialized key management
infrastructure.
Data-center friendliness. The EDKA feature:
Uses little additional power (equivalent of one 25 watt light bulb).
Produces negligible amounts of additional heat.
Does not require additional rack space.

DKA Encryption support specifications

The following table lists the DKA feature’s support specifications.
specifications
encrypt
Emulation type
Creating data encryption license keysManaging data
encryption license keys
Scope of data encryption license keys
SpecificationItem
Advanced Encryption Standard (AES) 256 bit.Encryption algorithmHardware
XTS mode.Encryption mode
Open, mainframe, multiplatformVolume typeLDEVs that you can
All emulation types including OPEN-V and 3390-x.
Internal LDEVs only.Internal/external LDEVs
Supported. Requires data migration.LDEV with existing data
Use Remote Web Console (RWC) to create the data encryption license key.
Use RWC to delete data encryption license keys.Deleting data encryption license keys
32 data encryption license keys per storage system.
Parity group.Unit of encryption/decryption
Backup/Restore functionality
Redundant (P-VOL and S-VOL) backup/restore copies.

Primary and secondary data encryption license keys

The P9500 storage system uses the EDKA feature to set up the data encryption license keys to encrypt and decrypt data.
6 DKA Encryption Overview
You can use the EDKA feature to back up data encryption license keys. The P9500 storage system automatically creates a primary backup of the data encryption license key, and stores this backup on each MP package.
You can create a secondary backup data encryption license key. The secondary backup is required to restore the key if the primary backup is unavailable.
For more information about backing up secondary data encryption license keys, see “Back up
secondary data encryption license key workflow” (page 17).

KMIP key management server support

Using the P9500 storage system, you can create backup and restore data encryption license keys on a key management server that supports Key Management Interoperability Protocol (KMIP).
For more information about backing up data encryption license keys to a key management server, see “Backing up keys to a key management server” (page 18).

Data encryption at the parity-group level workflow

The EDKA feature provides data encryption at the parity-group level. Use the following process to set up for data encryption and enable data encryption on the parity group:
1. Back up a secondary data encryption license key.
For more information about backing up secondary keys, see “Back up secondary data
encryption license key workflow” (page 17).
2. Enable data encryption at the parity-group level.
For more information about enabling data encryption at the parity-group level, see “Enabling
data encryption at the parity-group level” (page 19).
3. Format the logical devices (LDEVs) in the parity group.
For more information about formatting LDEVs at the parity-group level, see “LDEV encryption
formatting at the parity-group level” (page 21).

Data encryption on existing data workflow

Data encryption on existing data goes through the following process:
1. A new parity group is created.
For more information about creating parity groups, see the HP XP P9000 Provisioning for Mainframe Systems User Guide.
2. Data encryption on the parity group is enabled.
For more information about enabling data encryption at the parity-group level, see “Enable
data encryption at the parity-group level workflow” (page 19).
3. The LDEVs in the encrypted parity group are formatted.
For more information about formatting LDEVs in the encrypted parity group, see “LDEV
encryption formatting at the parity-group level” (page 21).
4. The existing data is migrated to the new LDEVs in the encrypted parity group.
For more information about migrating existing data to the new LDEVs in the encrypted parity group, see “Moving unencrypted data to an encrypted environment workflow” (page 22).
For more information about how to move unencrypted data to an encrypted environment, see
“Moving unencrypted data to an encrypted environment workflow” (page 22).

Disable encrypted data workflow

Disabling encryption goes through the following process:
KMIP key management server support 7
1. Data in the parity group is backed up.
2. Data encryption at the parity-group level is disabled.
3. The LDEVs in the parity group are formatted.
4. The LDEVs are unblocked.
For more information about disabling encryption, see “Disabling data encryption at the parity-group
level” (page 21).

Change data encryption license key workflow

You must migrate data to encrypt data with a different data encryption license key on the P9500 storage system.
For more information about migration practices with encryption, see “Migration practices with
encryption” (page 8).
Changing encryption license keys goes through the following process:
1. A new parity group is created.
2. Encryption is enabled with a new data encryption license key.
3. The LDEVs in the encrypted parity group are formatted.
4. The source data is migrated to the new target LDEVs in the encrypted parity group.
5. The data is encrypted with the new data encryption license key on the P9500 storage system.

Migration practices with encryption

Migrate encrypted source data by encrypting the target LDEV. Migrate data on a per-LDEV basis. As a best practice, match encrypted areas with other encrypted areas. Do not mix encrypted and unencrypted areas.
NOTE: When migrating an encrypted LUSE LDEV, migrate all LDEVs within the LUSE volume so
that you do not have encrypted and non-encrypted areas.
For more information about encrypting an LDEV, see “Enable data encryption at the parity-group
level workflow” (page 19).

Audit logging of encryption events

The P9500 storage system Audit Log feature provides audit logging of events that happen in the system. The audit log records events related to data encryption and data encryption license keys.
For more information about audit logging, audit log events, and the Audit Log feature, see the HP XP P9000 Remote Web Console User Guide and the HP XP P9000 Audit Log User Guide.

Encryption states and protection

Match the encryption states of the primary (P-VOL) and secondary (S-VOL), pool (pool-VOL), journal, or virtual volume (V-VOL). The encryption states must match to copy data or differential data and to protect the data. If the state of the P-VOL is “Encrypt”, then the state of all other LDEVs referenced by or associated with the P-VOL should also be “Encrypt”.
This practice also applies to migration situations. For more information about migration and encryption, see “Migration practices with encryption”
(page 8).
8 DKA Encryption Overview

Interoperability with other software applications

Use the following table to determine the interoperability of software applications with data encryption.
Interoperability notesSoftware application
Encrypt the P-VOL and S-VOLs to ensure data security.Business Copy, Continuous Access Synchronous, Compatible FlashCopy, and Compatible XRC
Snapshot and Fast Snap
Continuous Access Journal
Thin Provisioning, Smart Tiers, Thin Provisioning Z, and Smart Tiers Z
Flex Copy XP
Match the encryption states of the P-VOL and pool-VOL. If the P-VOL is
encrypted, encrypt all of the pool-VOLs. If the data pool contains
non-encrypted pool-VOL, the differential data of the P-VOL is not encrypted.
Match the encryption states of a P-VOL and S-VOL. If you encrypt the P-VOL
only, the data copied on the S-VOL is not encrypted is not protected.
When you encrypt a P-VOL or S-VOL, use a journal to which only encrypted
LDEVs are registered as journal volumes. If the encryption states of the P-VOL,
S-VOL, and journal volumes do not match, the journal data in the P-VOL is
not encrypted, and the security of the data cannot be guaranteed.
Encrypt all LDEVs to ensure all areas are encrypted.LUN Expansion (LUSE)
For more information about LUSE LDEVs and migration practices, see
“Migration practices with encryption” (page 8).
When enabling encryption for data written to a data pool with a V-VOL, use
a data pool that consists of encrypted volumes.
Encrypt the source LDEV and the target LDEV. The encryption states of the
source and target LDEVs must match for the EDKA feature to encrypt and
guarantee the security of the data on the target LDEV.
Interoperability with other software applications 9

2 DKA Encryption Installation

This chapter discusses how to install the EDKA feature.

DKA Encryption installation workflow

Use the following workflow to install the EDKA feature:
1. Ensure your system meets the system requirements.
For more information about the system requirements, see “System requirements” (page 10).
2. Ensure your product suite interoperates the way you want it to with the EDKA feature.
3. Enable the EDKA feature.
For more information about enabling the EDKA feature, see “Enabling the DKA Encryption
feature” (page 10).
4. Assign the Security Administrator (View & Modify) role to the administrator who creates, backs
up, and restores data encryption license keys. For more information about assigning roles, see “Assigning users to user groups” (page 11).

System requirements

The following table lists the system requirements for using the EDKA feature.
P9500 storage system
Remote Web Console
P9500 storage system (Web server)
Data volumes
RequirementItem
Microcode 70-01-0x and later.
Microcode 70-04-0x and later if you backup and restore data
encryption license keys on a key management server.
DKA Encryption software license.
Virtual LVI/LUN Manager software.
Security Administrator (View & Modify) role to enable or disable data
encryption and to back up or restore keys. For more information about enabling data encryption, see “Enabling
the DKA Encryption feature” (page 10).
For more information about disabling data encryption, see “Disable
encrypted data workflow” (page 7).
To connect to the key management server by specifying the host name instead of IP address, you need the DNS server settings. For P9500 storage system configuration, give your service representative the IP address of the DNS server.
All open-systems and mainframe host platforms are supported.Host platforms
All volume types and emulations are supported: open-systems, mainframe, and multiplatform.
Supported volumes: Internal

Enabling the DKA Encryption feature

Enable the EDKA feature in Remote Web Console.
1. Log onto RWC.
2. Type the software license key.
10 DKA Encryption Installation

Assigning users to user groups

Assign administrator privileges to users in RWC by adding the users to a user group. A user’s membership to a user group determines the user’s level of permission. You change these
permissions by changing the user’s membership to a user group. A user can belong to multiple user groups.
You must have Security Administrator (View & Modify) role to assign or change a user’s role.
1. In RWC, in the resource tree, click Administration > User Groups.
2. In the User Groups tab, select the administrator user group to which to add the user and then click Add Users.
3. In the Add User dialog box, select the user and then click Add.
4. Click Finish.
5. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type a name or description for this task.
Select Go to tasks window for status to open the Tasks window.
The user is added as a member to the administrator user group.
Assigning users to user groups 11

3 Key Management Server Connections

You can use an optional key management server with P9500 storage systems. This chapter provides information on how to set up the key management server.

Key management server requirements

If you are using a key management server, it must meet the following requirements:
Protocol: Key Management Interoperability Protocol 1.0 (KMIP1.0)
Software: SafeNet KeySecure k460 6.1.0
Certificates:
Root certificate of the key management server (X.509)
Client certificate in PKCS#12 format

Root and client certificates

Root and client certificates are required to connect to KMIP servers and to ensure that the network access is good. You upload the certificates to the P9500 storage system.
To access the key management server, the client certificate must be current and not have expired. For more information about the client certificate password in PKCS#12 format:
Contact the key management server administrator.
See “Client certificate password” (page 12).
To get copies of the root and client certificates, contact the key management server administrator. For more information about uploading the client certificates, see “Converting the client certificate
to the PKCS#12 format” (page 14).
Root certificate on the key management server
If you use SafeNet KeySecure on the key management server, create and put the root certificate on the server.
For more information about SafeNet KeySecure, see the SafeNet KeySecure k460 6.1.0 documentation.
The root certificate of the key management server must be in X.509 format.
Client certificate password
The password is a string of characters that can be zero up to 128 characters in length. Valid characters are:
Numbers (0 to 9)
Upper case (A-Z)
Lower case (a-z)
Symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
For more information about converting the client certificate to PKCS#12 format, see “Converting
the client certificate to the PKCS#12 format” (page 14).
For more information about client certificates, see “Root and client certificates” (page 12).
12 Key Management Server Connections

Preparing the client certificate workflow

Use the following process to prepare the client certificate, which includes setting the client certificate expiration date and password:
1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl
folder.
2. Create the key file. You can create the following types of key files:
Private key file.
For more information about creating a private key file, see “Creating a private SSL key
file” (page 13).
Public key file.
For more information about creating a public key file, see “Creating a public SSL key
file” (page 13).
3. Convert the client certificate to PKCS#12 format.
For more information about converting the client certificate, see “Converting the client certificate
to the PKCS#12 format” (page 14).
4. Upload the root and client certificates to the P9500 storage system.
For more information uploading the root and client certificate, see “Converting the client
certificate to the PKCS#12 format” (page 14).
Private key file creation workflow
(Windows Vista) Prepare private and public SSL key files to use with the EDKA feature.
1. If the read-only attribute is set, release it from the c:\key folder.
2. Create the private key file.
For more information about creating a private key file, see “Creating a private SSL key file”
(page 13).
3. Create the public key file.
For more information about creating public key files, see “Creating a public SSL key file”
(page 13).
Creating a private SSL key file
Create a private SSL key file to use with the EDKA feature. A private key file has the extension (.key).
1. Open a command prompt.
2. Move the current directory to the folder where you have saved the key file (for example, c:\ key).
3. From a command prompt, run the following command:
c:\key > c:\openssl\bin\openssl genrsa -out server.key 1024
Creating a public SSL key file
Create a public SSL key file to use with the EDKA feature. A public key file has the extension (.csr).
1. Open a command prompt.
2. Move the current directory to the folder where you have saved the key file (for example, c:\ key).
3. From a command prompt, run the following command:
c:\key > c:\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr
Key management server requirements 13
4. Complete the following information:
Country Name (two-letter code)
Email Address
(Optional) Challenge password
(Optional) Common name - To obtain a signed and trusted certificate, ensure that the
server name is the same as the host name of the storage device.
State or Province Name
Locality Name
Organization Name
Organization Unit Name
Common Name
5. Send the public key to the Certificate Authority (CA) of the key management server, and request that the CA issue a signed certificate. Use the signed certificate as the client certificate.
For more information, see the SafeNet KeySecure k460 6.1.0 documentation.
Converting the client certificate to the PKCS#12 format
Convert the client certificate to the PKCS#12 format, which includes uploading the client certificate in the PKCS#12 format to the 200 Storage Virtualization System (P9500 storage system).
1. From an open command prompt, change the current directory to the folder where you want to save the client certificate in the PKCS#12 format.
2. Move the private SSL key file (.key) and the client certificate to the folder in the current directory, and run the command.
The following is an example for an output folder of c:\key, private key file (client.key), and a client certificate file (client.crt:
C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
3. Upload the client certificate in the PKCS#12 format to the P9500 storage system and type the client certificate password.
For more information about uploading the client certificate, see “Converting the client certificate
to the PKCS#12 format” (page 14).
Configuring the connection settings to the key management server
Configure the connection settings to the key management server, which includes uploading the root certificate of the key management server and the client certificate in the PKCS#12 format to the P9500 storage system.
1. On the menu bar, click Settings > Environmental Setting > View Key Management Server Properties.
2. In the View Key Management Server Properties window, click Setup Key Management Server. If you have not set the connection to the key management server, a message is displayed.
Click OK.
3. In the Setup Key Management Server window, upload the root certificate of the key management server and the client certificate in the PKCS#12 format to the P9500 storage system.

Key management server settings workflow

To use a key management server, you must configure the connection and network settings.
14 Key Management Server Connections
For more information about the appropriate connection settings, contact the key management server administrator. For more information about the network settings, contact your network administrator.
Backing up connection settings to the key management server does not back up the client certificate. Use the following process to back up the connection settings to the key management server:
NOTE: When you back up the connection settings to the key management server, the system
does not back up the client certificate. Make sure that you back up a copy of the connection settings to the key management server and save a copy of the client certificate separately.
1. Ensure the client and root certificates are uploaded to the key management server. If the
certificates are not uploaded:
Contact the key management server administrator.
See “Converting the client certificate to the PKCS#12 format” (page 14).
2. Configure the connection settings to the key management server.
For more information about configuring these settings, see “Configuring the connection settings
to the key management server” (page 14).
3. Back up the connection settings to the key management server.
For more information about the tasks related to backing up the connection settings, see your corporate security policy.
4. Confirm that you can connect to the key management server.
5. Check with the key management server administrator, then save a back up copy of the client
certificate.
6. Save a copy of the configuration files.
For more information on how to save a configuration file, see the HP XP P9000 Remote Web Console User Guide.

Viewing the key management server connection settings

To view the key management server connection settings:
1. On the menu bar, click Settings > Environmental Setting > View Key Management Server Properties.
2. In the View Key Management Server Properties window, view the connection settings.

Configuring the connection settings to the key management server

Configure the connection settings to the key management server to set up the key management server and to back up the data encryption license keys to the key management server.
To connect to the key management server by host name instead of IP address, send the IP address of the DNS server to your service representative and request that the service representative configure the P9500 storage system.
If the key management server is unavailable after you complete this task, the settings may be incorrect. Contact the server or network administrator.
1. View the key management server connection settings.
2. In the View Key Management Server Properties window, click Setup Key Management Server.
3. In the displayed message, if you have not set the connection to the key management server, click OK.
Key management server settings workflow 15
4. In the Setup Key Management Server window, complete the following:
Specify the options to connect to the key management server.
If the key management server is already in use, click Check to test the connection.
Otherwise, click Finish. Error messages appear if the server configuration test fails.
5. In the Confirm window, to backup data encryption license keys to the key management server, click Next. Otherwise, complete the following and then click Apply:
Confirm the settings.
For Task Name, type a name or description for this task.
Select Go to tasks window for status to open the Tasks window.
The connection to the key management server is set up.
16 Key Management Server Connections

4 Managing data encryption license keys

This chapter provides information on how to manage data encryption license keys. Managing the keys includes ensuring availability of keys and accessibility to the encrypted or decrypted data. Manage data encryption license keys using the EDKA feature in the P9500 storage system.
You must have the Security Administrator (View & Modify) role to manage data encryption license keys.

Data encryption license key creation workflow

Create a data encryption license key to use with the EDKA feature. Use the following process to create a data encryption license key:
1. Create the data encryption license key or group of keys.
For more information about creating keys, see “Creating data encryption license keys”
(page 17).
2. Back up a secondary data encryption license key.
Schedule regular backups of all of your data encryption license keys at the same time one time every week to ensure data availability.
For more information about backing up secondary keys, see “Back up secondary data
encryption license key workflow” (page 17).

Creating data encryption license keys

If you need to change a data encryption license key, create a new data encryption license key. You can create up to 32 data encryption license keys per storage system. Keep at least two keys unused at all times so that you can change an existing key.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. In the Encryption Keys table, select an unused key ID to use as the new data encryption license
key and then complete one of the following:
Click Create Keys.
Click Settings > Security > Encryption Keys > Create Keys.
4. In the Create Keys window of the Create Keys wizard, click Finish.
5. In the Confirm window of the Create Keys wizard, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
The new data encryption license key is created.

Back up secondary data encryption license key workflow

The P9500 storage system automatically creates a primary backup of the data encryption license key. Back up a secondary data encryption license key.
CAUTION: Securely store the secondary backup data encryption license key. Include this process
in your corporate security policy. If the primary data encryption license key becomes unavailable and a secondary backup data
encryption license key does not exists, the system cannot decrypt encrypted data.
Data encryption license key creation workflow 17
You must have the Security Administrator (View & Modify) role to back up secondary data encryption license keys.
Use the following process to back up the secondary data encryption license key:
1. Confirm that RWC is not processing other tasks. You cannot back up the keys while RWC is
processing other tasks.
2. Use one of the following methods to back up a secondary data encryption license key:
Back up the secondary data encryption license key as a file on the RWC computer.
For more information about backing up secondary data encryption license keys as files, see “Backing up keys as a file” (page 18).
Back up data encryption license key to a key management server.
For more information about backing up keys on key management servers, see “Backing
up keys to a key management server” (page 18).
Backing up keys as a file
Back up a secondary data encryption license keys as a file on the RWC computer. Back up the file and the password since the file and password are not automatically backed up.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. In the Encryption Keys table, select the key ID for the data encryption license key you want to back up and complete one of the following:
Click Settings > Security > Encryption Keys > Backup Keys to File.
Click Backup Keys > To File.
4. In the Backup Keys to File window, complete the following and then click Finish:
For Password, type the key restoration password.
Case sensitive: Yes
For Re-enter Password, retype the password.
5. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type a task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
6. In the message that appears, click OK.
7. Select the location to which to save the backup file, and then type the backup file name using the extension .ekf.
8. Click Save. The data encryption license key is backed up as a file on the RWC computer.
Backing up keys to a key management server
Back up data encryption license keys to a key management server. The data encryption license keys that you back up to a key management server are managed with the client certificate. You can backup up to 256 data encryption license keys to a key management server.
When you back up to a key management server, the server uses another data encryption license key to encrypt the original keys. Both keys reside on the server.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
18 Managing data encryption license keys
3. In the Encryption Keys table, select the key ID for the data encryption license key you want to
back up to a key management server and then complete one of the following:
Click Settings > Security > Encryption Keys > Backup Keys to Server.
Click Backup Keys > To Server.
Click Backup Keys to Server.
4. (Optional) In the Backup Keys to Server window, for Description, type a description and then click Finish.
5. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
A secondary backup data encryption license keys is saved.

Enable data encryption at the parity-group level workflow

Enable data encryption for the LDEV at the parity-group level to protect the data. Use the following process to enable data encryption on parity groups:
1. Back up the secondary data encryption license key.
For more information about backing up data in the parity group, see “Back up secondary
data encryption license key workflow” (page 17).
2. Block the LDEVs at the parity-group level. Do one of the following:
Block the LDEV using a file on the RWC computer.
For more information about blocking LDEVs using a file, see “Blocking LDEVs using a file”
(page 23).
Block the LDEV on the key management server.
For more information about blocking LDEVs on the key management server, see “Blocking
LDEVs on the key management server” (page 23).
3. Enable data encryption at the parity-group level.
For more information about enabling data encryption on parity groups, see “Enabling data
encryption at the parity-group level” (page 19).
4. Format the LDEVs at the parity-group level.
For more information about formatting LDEVs in the parity group, see “LDEV encryption
formatting at the parity-group level” (page 21).

Enabling data encryption at the parity-group level

Enable data encryption at the parity-group level. The Security Administrator (View & Modify) role is required to enable encryption.
1. In the Storage Systems tree, click Parity Groups. In the tree that is shown, Internal or External is displayed.
2. To select an internal LDEV, select Internal. Otherwise, click the Parity Groups tab.
3. In the Parity Groups table, select a specific parity group on which you want to enable encryption and then click Actions > Parity Group > Edit Encryption.
NOTE: If you do not select a specific parity group, data encryption is enabled on all of the
parity groups in the list.
Enable data encryption at the parity-group level workflow 19
4. In the Edit Encryption window of the Edit Encryption wizard, complete the following and then click Add:
For Available Groups, select the parity group for which you want to enable data
encryption.
For Encryption Key, select the key ID of which to enable data encryption or select Disable
to disable data encryption at the parity-group level.
For Format Type, select the format type.
Values: Quick Format, Normal Format, or No Format Default: Quick Format
The parity group you selected from the Available Parity Groups table is added to the Selected Parity Groups list.
5. Click Finish.
6. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
7. In the message that appears, click OK. Data encryption is enabled on the parity group.

Disable data encryption at the parity-group level workflow

Disable encryption, or decrypt data, at the parity-group level. Use the following process to disable data encryption at the parity-group level:
1. Back up the secondary data encryption license key.
For more information about backing up a secondary key, see “Back up secondary data
encryption license key workflow” (page 17).
2. Block the LDEV at the parity-group level.
For more information about blocking LDEVs, see “Blocking LDEVs at the parity-group level”
(page 20).
3. Disable data encryption at the parity-group level.
For more information about disabling data encryption, see “Disabling data encryption at the
parity-group level” (page 21).
4. Format the LDEVs in the parity group for encryption.
For more information about formatting LDEVs, see “LDEV encryption formatting at the
parity-group level” (page 21).
5. Unblock the LDEVs.
For more information about unblocking LDEVs, see “Unblocking LDEVs at the parity-group
level” (page 22).

Blocking LDEVs at the parity-group level

Block the LDEVs at the parity-group level so that you can disable data encryption and format LDEVs. Blocked LDEVs in the parity group have a status of “Blocked”.
NOTE: You cannot write to a blocked LDEV.
1. From the RWC main window, click Explorer > Storage System > volume (resource).
20 Managing data encryption license keys
2. On the LDEVs tab, complete one of the following and then click Block LDEVs:
For Parity Group, select the parity group to which the LDEV is associated.
For Logical Device, select the LDEV you want to block.
3. In the confirmation message that appears, click Apply.
The LDEV is blocked.

Disabling data encryption at the parity-group level

Disable data encryption at the parity-group level to perform (normal) formatting options on encrypted data, such as writing to or overwriting an LDEV. You must have Security Administrator (View & Modify) role to disable encryption.
1. In the Storage Systems tree, click Parity Groups. In the tree, Internal or External is displayed.
2. To select an internal LDEV, select Internal. Otherwise, select the Parity Groups tab.
3. On the Encryption Keys tab, select the name for the parity group name you want to disable encryption and then complete one of the following:
Click Actions > Parity Group > Edit Encryption.
Click More Actions > Edit Encryption.
4. In the Edit Encryption window, complete the following and then click Add:
For Available Parity Groups, choose the parity group on which you want to disable data
encryption.
For Encryption Key, select Disable.
For Format Type, choose the format type.
The parity group you selected from the Available Parity Groups list is added to the Selected Parity Groups list.
NOTE: If an LDEV is listed in the Selected Parity Groups list, format the LDEVs.
For more information about formatting LDEVs, see “LDEV encryption formatting at the
parity-group level” (page 21).
The format type in the Selected Parity Groups list changes to No Format regardless of the status of for format type.
5. In the ________ window, click Finish.
6. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
7. In the confirmation message that appears asking whether to apply the setting to the storage system, click OK.
Encryption is disabled for the parity group.

LDEV encryption formatting at the parity-group level

Write zero data to the entire area of all drives in the parity group or overwrite an LDEV. This process is also referred to as encryption formatting.
Disable data encryption at the parity-group level workflow 21

Unblocking LDEVs at the parity-group level

Unblock LDEVs at the parity-group level to protect the data after you format an LDEV at the parity-group level. Unblocked LDEVs in the parity group have a status of “Unblocked”.
1. From the RWC main window, click Explorer > Storage System > volume (resource).
2. On the LDEVs tab, complete the following and then click Unblock LDEVs:
For Parity Group, select the parity group to which the LDEV is associated.
For Logical Device, select the LDEV you want to unblock.
3. In the confirmation message that appears, click Apply.
The LDEV is unblocked.

Moving unencrypted data to an encrypted environment workflow

Migrate existing data to the new LDEVs in the encrypted parity group. If you are migrating existing unencrypted data to an environment with encryption, the process
includes the following additional steps:
1. Move the unencrypted data from the P9500 storage system to another storage system.
For more information about moving unencrypted data, contact HP Technical Support.
2. Create a new parity group.
For more information about creating parity groups, see HP XP P9000 Provisioning for Mainframe Systems User Guide.
3. Enable data encryption on the parity group.
For more information about enabling data encryption on parity groups, see “Enabling data
encryption at the parity-group level” (page 19).
4. Format the LDEVs in the encrypted parity group.
For more information about formatting LDEVs, see “LDEV encryption formatting at the
parity-group level” (page 21).
5. Migrate the existing data to the new LDEVs in the encrypted parity group.
For more information about migration practices with encryption, see “Migration practices with
encryption” (page 8).
For more information about data migration services, contact HP Technical Support.

Data encryption license key restoration workflow

Restore a data encryption license key from the primary or secondary backup copy when all the LDEVs belonging to an encrypted parity group are blocked or if an existing data encryption license key becomes unavailable or you cannot use it. For example, a system failure occurred.
The system automatically restores data encryption license keys from the primary backup. You must have Security Administrator (View & Modify) role to restore the data encryption license key from a secondary backup data encryption license key.
Use the following process to restore a data encryption license key:
22 Managing data encryption license keys
1. Block the LDEVs associated to the encrypted parity group. Do one of the following:
Block the LDEV using a file on the RWC computer.
For more information about blocking LDEVs using a file, see “Blocking LDEVs using a file”
(page 23).
Block the LDEV on the key management server.
For more information about blocking LDEVs on the key management server, see “Blocking
LDEVs on the key management server” (page 23).
2. Restore an data encryption license key from a primary or secondary backup copy. Do one of
the following:
Restore the data encryption license keys from a file backed up on the RWC computer.
For more information about restoring keys from a file, see “Restoring keys from a file”
(page 23).
Restoring data encryption license keys from the key management server.
For more information about restoring keys from the key management server, see “Restoring
keys from a key management server” (page 24).

Blocking LDEVs using a file

Block LDEVs at the parity-group level from a file on the RWC computer.
1. From the RWC main window, click Explorer > Storage System > volume (resource).
2. On the LDEVs tab, complete one of the following and then click Block LDEVs:
For Parity Group, select the parity group to which the LDEV is associated.
For Logical Device, select the LDEV you want to block.
3. In the confirmation message that appears, click Apply. The LDEV is blocked.

Blocking LDEVs on the key management server

Block LDEVs at the parity-group level from the key management server.
1. From the RWC main window, click Explorer > Storage System > volume (resource).
2. On the LDEVs tab, complete one of the following and then click Block LDEVs:
For Parity Group, select the parity group associated to the LDEV you want to block.
For Logical Device, select the LDEV you want to block.
3. In the confirmation message that appears, click Apply. The LDEVs is blocked.

Restoring keys from a file

Restore the data encryption license keys from a file backed up on the RWC computer.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. Complete one of the following:
Click Settings > Security > Encryption Keys > Restore Keys from File.
Click Restore Keys > From File.
4. In the Restore Keys from File window, click Browse and then click OK.
5. In the ___________ window, select the backup file and click Open.
Data encryption license key restoration workflow 23
6. In the Restore Keys from File window, complete the following item and then click Finish:
For File Name, shows the name of the selected file.
View-only: Yes
For Password, type the password for the data encryption license key that you typed when
you backed up the selected data encryption license key.
7. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
The data encryption license key is restored.

Restoring keys from a key management server

Restore a data encryption license key from the key management server. You can restore up to 32 data encryption license keys at a time.
The client certificate is required to restore backed up data encryption license keys from a key management server.
CAUTION: If you do not have the client certificate, and the system administrator replaces the
P9500 storage system due to a failure, you cannot restore the backed up data encryption license keys.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab and complete one of the following:
Click Settings > Security > Encryption Keys > Restore Keys from Server.
Click Restore Keys > From Server.
Click Restore Keys from Server.
3. In the Restore Keys from Server window, select the data encryption license key you want to restore and then click Finish.
4. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type a task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
The backup data encryption license key is restored.

Viewing backup data encryption license keys

View a list of the data encryption license keys that you have backed up on the key management server, which are shown in a list in the View Backup Keys on Server window.
1. In the Administration tree, click Encryption Keys.
2. In the top window, on the right side of the window, click View Backup Keys on Server. The View Backup Keys on Server window opens.

Data encryption license key change management workflow

Encrypt data with a different data encryption license key. Use the following process to change the data encryption license key:
24 Managing data encryption license keys
1. Create a new parity group.
For more information about creating parity groups, see _________.
2. Enable encryption with the new data encryption license key.
For more information about enabling data encryption at the parity-group level, see “Enabling
data encryption at the parity-group level” (page 19).
3. Format the LDEVs in the encrypted parity group.
For more information about formatting LDEVs in the encrypted parity groups, see “LDEV
encryption formatting at the parity-group level” (page 21).
4. Migrate the existing data to the new LDEVs in the encrypted parity group.
For more information about data migration services, contact HP Technical Support. For more information about migration practices with encryption, see “Migration practices with
encryption” (page 8).
5. Encrypt the data with the new data encryption license key on the P9500 storage system.

Data encryption license key deletion workflow

Delete a data encryption license key from a file on the RWC computer or from a key management server.
Use the following process to delete a data encryption license key:
1. Back up the secondary data encryption license key.
For more information about backing up secondary data encryption license keys, see “Back
up secondary data encryption license key workflow” (page 17).
2. Ensure the key is not allocated to the parity group.
For more information about checking the key allocation, see “Creating data encryption license
keys” (page 17).
3. Delete the data encryption license key using one of the following methods:
Delete the key from a file on the RWC computer. For more information about deleting keys from the RWC computer, see “Deleting data
encryption license keys” (page 25).
Delete the backup key from the key management server. For more information about deleting backup keys from a key management server, see
“Deleting backup data encryption license keys from the server” (page 26).

Deleting data encryption license keys

Delete data encryption license keys from a file on the RWC computer. You cannot delete data encryption license keys that you have not created or keys that are allocated
to the parity group.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. From the Encryption Keys table, select the key ID for the data encryption license key you want
to delete and then complete one of the following:
Click Settings > Security > Encryption Keys > Delete Keys.
Click More Actions > Delete Keys.
4. In the Delete Keys window, click Finish.
Data encryption license key deletion workflow 25
5. In the Confirm window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type a task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
The data encryption license key is deleted from the file on the RWC computer.
6. In the message that appears asking whether to apply the setting to the storage system, click
OK.

Deleting backup data encryption license keys from the server

Delete a backup data encryption license key from the key management server.
CAUTION: Before deleting a primary or secondary backup data encryption license key from the
key management server, ensure that you have backed up another data encryption license key.
1. View the backup data encryption license keys on the key management server.
2. In the View Backup Keys on Server window, select the key ID for the backup data encryption
license key you want to delete and then complete one of the following:
Click Settings > Security > Encryption Keys > Delete Keys.
Click Delete Backup Keys on Server.
Click More Actions > Delete Keys.
3. In the Delete Backup Keys on Server window, complete the following and then click Apply:
Confirm the settings.
For Task Name, type the task name.
(Optional) Select Go to tasks window for status to open the Tasks window.
4. In the message that appears asking whether to apply the setting to the storage system, click
OK. The system deletes the backup data encryption license key.

Exporting encryption license key table information

You can output encryption license key table information.
1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. From the Encryption Keys table, select the key ID for the data encryption license key information
you want to output and then complete one of the following:
Click Settings > Security > Encryption Keys > Export.
Click More Actions > Export.
26 Managing data encryption license keys

5 Troubleshooting

Common problems using EDKA include connection problems, license problems, and administrator permission problems. Managing or changing encryption settings is not possible if you cannot connect, write to, or run the storage system.

Encryption events in the audit log

The P9500 storage system audit log records events related to the EDKA feature, including data encryption and EDKA processes. You can export an audit log that contains encryption events in near real-time to an external syslog server.
For more information about the audit log and how to export log events, see the HP XP P9000 Remote Web Console User Guide and the HP XP P9000 Audit Log User Guide.

DKA Encryption processes that the audit log records

The audit log recrds all of the tasks that you do using the EDKA feature. The tasks are recorded as audit log notations.
The following table lists the audit log notations and their meaning.
MeaningLog notation
The system created a backup of a data encryption license key.Backup Keys
The system created a backup of a data encryption license key to a file.Backup Keys to File
The system created a backup of a data encryption license key to a key management server.Backup Keys to Serv
The system created one or more data encryption license keys.Create Keys
The system deleted one or more data encryption license keys.Delete Keys
The system deleted one or more data encryption license keys on a key management server.Delete Keys on Serv
The system enabled or disabled encryption at the parity group level.Edit Encryption
The system restored one or more data encryption license keys.Restore Keys
The system restored one or more data encryption license keys from a file.Restore Keys fr File
The system restored one or more data encryption license keys from a key management server.Restore Keys fr Serv
The system set up a key management server.Setup Key Mng Serv

Problems and solutions

For troubleshooting information about the P9500 storage system, see the HP XP P9000 Owner Guide.
For troubleshooting information about RWC, see the HP XP P9000 Remote Web Console User Guide and HP XP P9000 Remote Web Console Messages.
Encryption events in the audit log 27
The following table lists common problems and solutions for encryption features.
ActionProblem
Make sure that:Cannot use the EDKA feature to back up or restore a key.
The DKA Encryption software license is valid and
installed.
You have the Security Administrator (View & Modify)
role.
If you backup and restore data encryption license keys
with a key management server, the connection to the key management server is available.
Make sure that:Cannot create or delete data encryption license keys.
The DKA Encryption software license is valid and
installed.
You have the Security Administrator (View & Modify)
role.
Make sure that:Cannot enable encryption for a parity group.
The DKA Encryption software license is valid and
installed.
All LDEVs in the parity group are in the blocked status.
Cannot disable encryption for a parity group.
Server configuration test failed.
Make sure that all LDEVs in the parity group are in the blocked status.
Make sure that:Cannot restore a data encryption license key.
The DKA Encryption software license is valid and
installed.
You have the Security Administrator (View & Modify)
role.
If you backup and restore data encryption license keys
with a key management server, the connection to the key management server is available.
Check the following key management server connection settings:
Host name
Port number
Client certificate file
Root certificate file
If the communication failure is due to the length of time to connect to the server, try changing these settings:
Timeout
Retry interval
Number of retries
28 Troubleshooting

6 Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/e-updates
After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

Documentation feedback

HP welcomes your feedback. To make comments and suggestions about product documentation, please send a message to
storagedocsfeedback@hp.com. Include the document title and manufacturing part number. All
submissions become the property of HP.

Related information

The following documents [and websites] provide related information:
HP XP P9000 Performance for Open and Mainframe Systems User Guide
HP XP P9000 Owner Guide
HP XP P9000 Remote Web Console Messages
HP XP P9000 Remote Web Console User Guide
You can find these documents on the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
In the Storage section, click Disk Storage Systems for hardware or Storage Software for software, and then select your product.

HP websites

For additional information, see the following HP websites:
http://www.hp.com
http://www.hp.com/go/storage
http://www.hp.com/service_locator
Contacting HP 29
http://www.hp.com/support/manuals
http://www.hp.com/support/downloads
http://www.hp.com/storage/whitepapers

Conventions for storage capacity values

HP XP P9000 disk arrays use the following values to calculate physical storage capacity values (hard disk drives):
1 KB (kilobyte) = 1,000 bytes
1 MB (megabyte) = 1,0002bytes
1 GB (gigabyte) = 1,0003bytes
1 TB (terabyte) = 1,0004bytes
1 PB (petabyte) = 1,0005bytes
1 EB (exabyte) = 1,0006bytes
HP XP P9000 disk arrays use the following values to calculate logical storage capacity values (logical devices):
1 KB (kilobyte) = 1,024 bytes
1 MB (megabyte) = 1,0242bytes
1 GB (gigabyte) = 1,0243bytes
1 TB (terabyte) = 1,0244bytes
1 PB (petabyte) = 1,0245bytes
1 EB (exabyte) = 1,0246bytes

Typographic conventions

Table 1 Document conventions
Bold text
Monospace text
ElementConvention
Cross-reference linksBlue text: Table 1 (page 30)
email addressesBlue, bold, underlined text
Website addressesBlue, underlined text: http://www.hp.com
Keys that are pressed
Text typed into a GUI element, such as a box
GUI elements that are clicked or selected, such as menu
and list items, buttons, tabs, and check boxes
Text emphasisItalic text
File and directory names
System output
Code
Commands, their arguments, and argument values
Monospace, italic text
30 Support and other resources
Code variables
Command variables
Emphasized monospace textMonospace, bold text
WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.
Typographic conventions 31

A Conventions

This appendix describes phrases in this manual that correspond to phrases in the Remote Web Console windows and messages.

Business Copy, Business Copy Z, and Snapshot volumes

Business Copy, Business Copy Z, and Snapshot volumes displayed in the Remote Web Console windows and messages differ between Remote Web Console main windows and secondary windows. The differences are shown below.
Table 2 Volumes displayed in the window and messages
Copied volumesOriginal volumesWindow
Secondary VolumePrimary VolumeRemote Web Console main window
S-VOLP-VOLRemote Web Console secondary
window
For details on the Remote Web Console main window and secondary window, see the HP XP P9000 Remote Web Console User Guide.
T-VOLS-VOL
32 Conventions

B DKA Encryption GUI Reference

This chapter includes descriptions of encryption-related RWC windows and dialog boxes for the EDKA feature.
For more information about other RWC windows and dialog boxes, see the HP XP P9000 Remote Web Console User Guide.

Top window when selecting Encryption Keys

Use the top window to create data encryption license keys. Clicking Encryption Keys in the Administration tree opens this window.
The following figure shows the top window.
The top window includes the following section and tab:
“Summary section” (page 33)
“Encryption Keys tab” (page 34)

Summary section

Use the Summary section to view details about the number of data encryption license keys and to open the View Backup Keys on Server window.
The following table lists descriptions of the items in the Summary section.
DescriptionItem
Shows the number of data encryption license keys:Number of Encryption Keys
Internal: Number of data encryption license keys for internal LDEVs.
External: Number of data encryption license keys for external LDEVs.
Opens the View Backup Keys on Server window.View Backup Keys on Server button
Top window when selecting Encryption Keys 33

Encryption Keys tab

Use the Encryption Keys tab to view a list of the data encryption license key details and to select an unused data encryption license key to create.
The following table lists descriptions of the items in table on the Encryption Keys tab.
DescriptionItem
The IDs of data encryption license keys.Key ID
Last Update Date
The date and time the data encryption license key was created or was last updated.
The data encryption license key types.Type If the key ID is 0 to 31, the label Internal is displayed.
The number of times that a data encryption license key is created.Number of Creations
The number of times that a backup of a data encryption license key is created.Number of Backups
Shows whether the data encryption license key is used.Used
Click to open the Create Keys window.Create Keys button
Select To File to open the Backup Keys to File window.Backup Keys drop-down list Select To Server to open the Backup Keys to Server window.
Select From File to open the Restore Keys from File window.Restore Keys drop-down list Select From Server to open the Restore Keys from Server window.
Select Delete Keys from the list to delete a selected data encryption license key.More Actions drop-down list Select Export from the list to open the window for outputting table information.

View Key Management Server Properties window

Use the View Key Management Server Properties window to view key management server properties. The following figure shows the View Key Management Server Properties window.
34 DKA Encryption GUI Reference

Key Management Server Properties table

The following table lists descriptions of the items in the Key Management Server Properties table.
DescriptionItem
The key management server.Key Management Server Values:
Enable - shows that a key management server is used.
Disable -shows that a key management server is not used.
The host name of the key management server.Host Name
The port number of the key management server.Port Number
Timeout (sec.)
Retry Interval (sec.)
Number of Retries
Shows the time (in seconds) until the connection attempt to the key management server times out.
Shows the time (in seconds) to wait before initiating a connection to the key management server.
Shows the number of times to initiate a connection to the key management server.
Opens the Setup Key Management Server window.Setup Key Management Server

Setup Key Management Server wizard

Use the Setup Key Management Server wizard to set up the key management server. The Setup Key Management Server wizard includes the following windows:
Setup Key Management Server window
Confirm window
Setup Key Management Server wizard 35

Setup Key Management Server window

The following figure shows the Setup Key Management Server window.
The following table lists descriptions of the items in the Setup Key Management Server window of the Setup Key Management Server wizard.
DescriptionItem
Select whether to use the key management server:Key Management Server
Enable: (default) key management server is used.
Disable: key management server is not used.
The host name of the key management server:Host Name
Identifier: Type the identifier of the host.
IPv4: Type the IPv4 address of the host.
IPv6: Type the IPv6 address of the host.
The port number of the key management server.Port Number Values: 1 to 65535 Default: 5696
Timeout (sec.)
Client Certificate File Name
The time until the connection attempt to the key management server times out.
Values: 1 to 120 Default: 10
The interval to retry the connection to the key management server.Retry Interval (sec.) Values: 1 to 60 Default: 1
The number of times to retry the connection to the key management server.Number of Retries Values: 1 to 50 Default: 3
Shows the name of the client certificate file. Click Browse and select the client certificate file to connect to the key management server.
Shows a list of the client certificate file from which you can choose.Browse For more information about the client certificate file, contact the server or
network administrator.
The password for the client certificate.Password Character limits: 0 to 128 Valid characters:
Numbers (0 to 9)
Upper case (A-Z)
Lower case (a-z)
Symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
Root Certificate File Name
36 DKA Encryption GUI Reference
Type the password again for confirmation.Re-enter Password
Displays the name of the selected file. Select the root certificate file for connecting to the key management server. Click Browse and select the file.
Select the root certificate file. The form of the client certificate is X.509.Browse
DescriptionItem
For more information about the root certificate file, contact the server administrator or the network administrator.
Server Configuration Test
Check

Confirm window

The following figure shows the Confirm window in the Setup Key Management Server wizard.
Click Check to start a server connection test for the key management server based on the specified settings.
Start a server connection test for the key management server based on the specified settings.
Shows the result of the server connection test for the key management server.Result
The following table lists descriptions of the items on the Confirm window.
DescriptionItem
Shows whether the key management server is used.Key Management Server
Enable: key management server is used.
Disable: key management server is not used.
The host name of the key management server.Host Name
The port number of the key management server.Port Number
Timeout (sec.)
Number of Retries
Client Certificate File Name
Shows the time until the connection attempt to the key management server times out.
Shows the interval to retry the connection to the key management server.Retry Interval (sec.)
Shows the number of times to retry the connection to the key management server.
Shows the name of the client certificate file used to connect to the key management server.
Setup Key Management Server wizard 37

Create Keys wizard

Use the Create Keys wizard to create keys and to backup keys to the key management server. This wizard includes the following windows:
Create Keys window
Confirm window

Create Keys window

Use the Create Keys window to create a data encryption license key. This window includes the
Selected Keys table.
DescriptionItem
Shows the password for the client certificate as ****** (six asterisks).Password
Shows the root certificate file for connecting to the key management server.Root Certificate File Name
Selected Keys table on Create Keys window
The following table lists descriptions of the items in the Selected Keys table on the Create Keys window.
DescriptionItem
The identifiers for the data encryption license keys.Key ID
The data encryption license key types.Type If the Key ID is 0 to 31, the label Internal is displayed.
Click to create the data encryption license key.Finish
Click to continue to add a task name to the data encryption license key.Next

Confirm window

The following figure shows the Confirm window in the Create Keys wizard.
38 DKA Encryption GUI Reference
Selected Keys table on Confirm window
The following table lists descriptions of the items in the Selected Keys table on the Confirm window.

Edit Password Policy wizard

Use the Edit Password Policy wizard to edit the password policy for backup keys. This wizard includes the following windows:
Edit Password Policy window
Confirm window

Edit Password Policy window

The following image shows the Edit Password Policy window.
DescriptionItem
The identifiers for the backup data encryption license keys.Key ID
The data encryption license key types.Type If the Key ID is 0 to 31, the label Internal is displayed.
Edit Password Policy wizard 39
The following table lists descriptions of the items on the Edit Password Policy window.
DescriptionItem
Numeric Characters (0-9)
Uppercase Characters (A-Z)
Lowercase Characters (a-z)
The minimum number of numeric characters that should be used for this password.
Values: 0 to 255 Default: 0
The minimum number of alphabetical upper case characters that should be used for this password.
Values: 0 to 255 Default: 0
The minimum number of alphabetical lower case characters that should be used for this password.
Values: 0 to 255 Default: 0
The minimum number of symbols that should be used for this password.Symbols Values: 0 to 255 Default: 0
The minimum number of characters for this password.Total Values: 6 to 255 Default: 6

Confirm window

Use the Confirm window in the Edit Password Policy wizard to confirm the changes to the password policy.
The following figure shows the Confirm window.
40 DKA Encryption GUI Reference
The following table lists descriptions of the items on the Confirm window.
DescriptionItem
Numeric Characters (0-9)
Uppercase Characters (A-Z)
Lowercase Characters (a-z)
Symbols

Backup Keys to File wizard

Use the Backup Keys to File wizard to create backup data encryption license keys as files on RWC. This wizard includes the following windows:
Backup Keys to File window
Confirm window

Backup Keys to File window

The following figure shows the Backup Keys to File window.
Displays the minimum number of numeric characters that should be used for this password.
Displays the minimum number of alphabetical upper case characters that should be used for this password.
Displays the minimum number of alphabetical lower case characters that should be used for this password.
Displays the minimum number of symbols that should be used for this password.
Displays the minimum number of characters for this password.Total
Backup Keys to File wizard 41
The following table lists descriptions of the items on the Backup Keys to File window.

Confirm window

The following figure shows the Confirm window.
DescriptionItem
The password for the backup data encryption license key.Password Character limits: 6 to 255 Valid characters:
Numbers (0 to 9)
Upper case (A-Z)
Lower case (a-z)
Symbols: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
The type the password again for confirmation.Re-enter Password
Click to save the password for the backup data encryption license key.Finish
42 DKA Encryption GUI Reference

Backup Keys to Server wizard

Use the Backup Keys to Server wizard to backup data encryption license keys on the key management server.
This wizard includes the following windows:
Backup Keys to Server window
Confirm window

Backup Keys to Server window

The following figure shows the Backup Keys to Server window.
The following table lists descriptions of the items on the Backup Keys to Server window.
DescriptionItem
Optionally, enter a description for the backup data encryption license key.Description Character limits: 256
Backup Keys to Server wizard 43

Confirm window

The following figure shows the Confirm window.
The following table lists descriptions for the item in the Backup Keys table.

Restore Keys from file wizard

Use the Restore Keys wizard to restore data encryption license keys from a file you backed up on the RWC computer.
This wizard includes the following windows:
Restore Keys from File window
Confirm window

Restore Keys from File window

The following figure shows the Restore Keys from File window.
DescriptionItem
Shows the description for the backup data encryption license key.Description
44 DKA Encryption GUI Reference
The following table lists descriptions of the items on the Restore Keys from File window.
DescriptionItem
The file name of the selected backup file.File Name
Browse
Password

Confirm window

The following figure shows the Confirm window.
Select the backup file (.ekf). The name of the selected file is shown for File Name.
The password that you typed when you created the backup data encryption license key.
Restore Keys from file wizard 45
The following table lists descriptions of the items on the Confirm window.

Restore Keys from Server wizard

Use the Restore Keys from Server wizard to restore data encryption license keys from the key management server.
This wizard includes the following windows:
Restore Keys from Server window
Confirm window

Restore Keys from Server window

The following figure shows the Restore Keys from Server window. This window includes the Available
Backup Keys table.
DescriptionItem
The item of the data encryption license key to restore.Item
The value of the data encryption license key to restore.Value
The following table lists descriptions of the items in the Available Backup Keys table that is shown in the Restore Keys from Server window.
UUID
Backup Date
Description

Confirm window

The following figure shows the Confirm window.
46 DKA Encryption GUI Reference
DescriptionItem
Shows the UUID of the data encryption license key that you backed up on the key management server.
Shows the time you backed up the data encryption license key on the key management server.
Shows the description you typed when you backed up the data encryption license key on the key management server.
The following table lists descriptions of the items in the Selected Backup Keys table in the Confirm window.
DescriptionItem
UUID
Backup Date
Description

Delete Keys wizard

Use the Delete Keys wizard to delete keys and backup data encryption license keys in RWC. This wizard includes the following windows:
Delete Keys window
Confirm window

Delete Keys window

The following figure shows the Delete Keys window. This window includes the Selected Keys table.
Shows the UUID of the data encryption license key you backed up on the key management server.
Shows the time when you backed up the data encryption license key on the key management server.
Shows the description you typed when you backed up the data encryption license key on the key management server.
Delete Keys wizard 47
The following table lists descriptions of the items in the Selected Keys table in the Delete Keys window.

Confirm window

The following figure shows the Confirm window of the Delete Keys wizard.
DescriptionItem
The IDs of data encryption license keys.Key ID
The data encryption license key types.Type If the key ID is 0 to 31, the label Internal is displayed.
The following table lists descriptions of the items in the Selected Keys table in the Confirm window.
DescriptionItem
The identifiers for the data encryption license keys.Key ID
The data encryption license key types.Type If the key ID is 0 to 31, the label Internal is displayed.

Delete Backup Keys on Server window

Use the Delete Backup Keys on Server window to confirm the deletion of a backup key in RWC. This window includes the Selected Backup Keys table. The following figure shows the Delete Backup Keys on Server window.
48 DKA Encryption GUI Reference
The following table lists the descriptions of the items in the Selected Backup Keys table.
DescriptionItem
UUID
Backup Date
Description
Shows the UUID of the data encryption license key you backed up on the key management server.
Shows the time when you backed up the data encryption license key on the key management server.
Shows the description you typed when you backed up the data encryption license key on the key management server.

View Backup Keys on Server window

Use the View Backup Keys on Server window to view a list of the backup data encryption license keys on the server.
This window includes the Backup Keys table. The following figure shows the View Backup Keys on Server window.
View Backup Keys on Server window 49

Backup Keys table

The Backup Keys table is shown on the View Backup Keys on Server window. This table lists the backup data encryption license keys.
The following table lists descriptions of the items in the Backup Keys table.
DescriptionItem
UUID
Backup Date
Description

Edit Encryption wizard

Use the Edit Encryption wizard to do the following:
Enable data encryption on a parity group.
Edit or associate the data encryption license key to the LDEV.
Edit the format type for the parity group.
This wizard includes the following windows:
Edit Encryption window
Confirm window
Shows the UUID of the backup data encryption license key on the key management server.
Shows the time you backed up the data encryption license key on the key management server.
Shows the description you typed when you backed up the data encryption license key on the key management server.
Opens the Delete Backup Keys on Server window.Delete Backup Keys on Server button
Open the Backup Keys to Server window.Backup Keys to Server button
Opens the Restore Keys from Server window.Restore Keys from Server button
50 DKA Encryption GUI Reference

Edit Encryption window

The Edit Encryption window includes the following items:
Available Parity Groups table
For more information about this table, see “Available Parity Groups table” (page 51).
Selected Parity Groups table
For more information about this table, see “Selected Parity Groups table” (page 52).
Encryption Key drop-down list, from which you can select the key ID of which to enable data
encryption or to disable data encryption at the parity-group level.
Format Type drop-down list, from which you can select the parity group’s format type.
Add button, which you can click to move a selected parity group in the Available Parity Groups
table to the Selected Parity Groups table.
The following figure shows the Edit Encryption window.
Available Parity Groups table
Use the Available Parity Groups table on the Edit Encryption window to view a list of the available parity groups.
The following figure shows the Available Parity Groups table on the Edit Encryption window.
Edit Encryption wizard 51
The following table lists descriptions of the items in the Available Parity Groups table.
DescriptionItem
Shows the parity group IDs.Parity Group ID
Shows the RAID level of the parity group.RAID Level For an interleaved parity group, the interleaved number appears after the
RAID level. Example: 1(2D+2D)*2
Shows the total capacity (unit) of the parity group.Capacity
Drive Type/RPM
Selected Parity Groups table
Use the Selected Parity Groups table to remove the parity group from the list. The following figure shows the Selected Parity Groups table on the Edit Encryption window.
52 DKA Encryption GUI Reference
Shows the hard disk drive types and RPM (rotation per minute) of the LDEV in the parity group.
Shows the encryption setting for the parity group:Encryption Key
Key ID - enabled
Disable - no encryption
The following table lists descriptions for the items in the _________ table.
DescriptionItem
Shows parity group IDs.Parity Group ID
Shows the RAID level of the parity group.RAID Level For an interleaved parity group, the interleaved number appears after the
RAID level. Example: 1(2D+2D)*2
Shows the total capacity (unit) of the parity group.Capacity
Drive Type/RPM

Confirm window

Use the Confirm window to confirm the changes to the data encryption license key and to view a list of the selected parity groups related to the data encryption license key.
The following image shows the Confirm window in the Edit Encryption wizard.
Shows the hard disk drive types and RPM (rotation per minute) of the LDEV in the parity group.
Encryption setting for the parity group:Encryption Key
Key ID - enabled
Disable - no encryption
Shows the format types of the parity group.Format Type The format type shows No Format regardless of the status of format type
you selected from the Format Type list.
Removes parity groups from the Selected Parity Groups table.Remove
Edit Encryption wizard 53
Selected Parity Groups table
Use the Selected Parity Groups table to view a list of the selected parity groups related to the data encryption license key.
The following table lists descriptions of the items in the Selected Parity Groups table.
DescriptionItem
Shows parity group identifier.Parity Group ID
Shows the RAID level of the parity group.RAID Level For an interleaved parity group, the interleaved number appears after the
RAID level. Example: 1(2D+2D)*2
Shows the total capacity of the parity group.Capacity
Drive Type/RPM
54 DKA Encryption GUI Reference
Shows the hard disk drive types and RPM (rotation per minute) of the LDEV in the parity group.
Encryption setting for the parity group:Encryption Key
Key ID - enabled
Disable - no encryption
Shows the format types of the parity group.Format Type

Glossary

bit The basic unit of data in a binary numbering system (binary digit), represented by a 0 or a 1.
Eight bits equals one byte.
DKA Disk adapter. LUN Logical unit number. A LUN results from mapping a logical unit number, port ID, and LDEV ID to
a RAID group. The size of the LUN is determined by the emulation mode of the LDEV and the number of LDEVs associated with the LUN.
LUSE Logical Unit Size Expansion. The LUSE feature is available when the HP StorageWorks LUN
Manager product is installed, and allows a LUN, normally associated with only a single LDEV, to be associated with 1 to 36 LDEVs. Essentially, LUSE makes it possible for applications to access a single large pool of storage.
OPEN-
x
parity group A set of hard disk drives that have the same capacity and that are treated as one group. A parity
RAID level A configuration of disk drives that uses striping, mirroring, and parity to improve performance
Remote Web Console
volume Volume on disk. An accessible storage area on disk, either physical or virtual.
A general term describing any of the supported OPEN emulation modes (for example, OPEN-E). There are two types of OPEN-x devices: legacy OPEN-x devices with a fixed size (such as OPEN-3, OPEN-8, OPEN-9, and OPEN-E), and OPEN-V, which has a variable size and is a CVS-based volume.
group contains both user data and parity information, which enables user data to be accessed if one or more drives in the group is not available.
and data availability and reliability. A browser-based program installed on the SVP that allows you to configure and manage the disk
array.
55

Index

A
AES-256, 6 audit logging, 8, 27
B
blocking volumes, 20, 23
requirements, 10
host platforms, 10 license key, 10 microcode, 10 password for encryption key, 42 Remote Web Console, 10 volume types, 10
C
contacting HP, 29 conventions
document, 30 storage capacity values, 30 text symbols, 31
D
data encryption operations
audit logging of, 8 disabling encryption, 7, 20 enabling encryption, 7, 19, 21 encrypting existing data, 7, 8, 24
troubleshooting, 27 decrypting data, 20 disabling encryption, 20 document
conventions, 30
related information, 29 documentation
HP website, 29
providing feedback, 29
E
emulation types, 6 enabling data encryption workflow, 19 encryption key operations
audit logging of, 8, 27
backing up the key, 6, 17
restoring the key, 22
troubleshooting, 27 encryption setting status, 52, 53, 54 external volumes, 10
S
storage capacity values
conventions, 30 Subscriber's Choice, HP, 29 symbols in text, 31
T
technical support
HP, 29
service locator website, 29 text symbols, 31 troubleshooting, 27 typographic conventions, 30
U
unblocking volumes, 22
V
volume types, 6 volumes
blocking, 20, 23
unblocking, 22
W
websites
HP , 29
HP Subscriber's Choice for Business, 29
product manuals, 29
X
XTS mode, 6
H
help
obtaining, 29
HP
technical support, 29
L
license key, 10
P
primary backup key, 6, 17
R
related documentation, 29
56 Index
Loading...