Quantum Q-EKM User's Guide

Quantum Encryption Key Manager
6-01847-02
Scalar Libraries
5SERS'UIDE5SERS'UIDE5SERS'UIDE5SERS'UIDE5SERS'UIDE

Quantum Encryption Key Manager User’s Guide, 6-01847-02, Rev A, August 2010. Product of USA.
Quantum Corporation provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Quantum Corporation may revise this publication from time to time without notice.
COPYRIGHT STATEMENT
Copyright 2010 by Quantum Corporation. All rights reserved.
Your right to copy this manual is limited by copyright law. Making copies or adaptations without prior written authorization of Quantum Corporation is prohibited by law and constitutes a punishable violation of the law.
TRADEMARK STATEMENT
Quantum, the Quantum logo, and Scalar are registered trademarks of Quantum Corporation. IBM is a trademark of International Business Machines Corporation. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Windows is a registered trademark of Microsoft Corporation in the United States, or other countries (or regions), or both. UNIX is a registered trademark of The Open Group in the United States and other countries (or regions). Other trademarks may be mentioned herein which belong to other companies.

Contents

Preface
Chapter 1 Overview
  Library Managed Encryption
  Encryption-Enabled Tape Drive
  Quantum Encryption Key Management (Q-EKM)
  Encryption-Enabled Tape Library
  Managing Encryption With Q-EKM
  Quantum Encryption Key Manager (Q-EKM) Components
  Keystore
  Configuration Files
  Tape Drive Table
  Encryption Keys
  Encryption Key Processing
  Encryption Certificates
Chapter 2 Planning Your Q-EKM Environment
  System Requirements
  Server Requirements
  Operating System Requirements
  Supported Libraries and Tape Drives
  Supported Media
  Library Firmware Requirements
  Tape Drive Firmware Requirements
  Linux System Library Requirements
  Using Multiple Q-EKM Servers for Redundancy
  Q-EKM Server Configurations
  Single-Server Configuration
  Two-Server Configuration
  Multiple Libraries Accessing One Q-EKM Server or Server Pair
  Backing Up Keystore and Configuration Data
  Disaster Recovery Planning
Chapter 3 Tips for Success
Chapter 4 Upgrading Q-EKM
Chapter 5 Q-EKM Server Operation and Configuration
  Overview
  Using and Changing Passwords
  Q-EKM Admin Password
  Keystore Password
  Logging On to Q-EKM Commands
  Q-EKM Server Commands
  Displaying the Q-EKM Software Version
  Displaying the Q-EKM Server On/Off Status
  Stopping the Q-EKM Server Process
  Starting the Q-EKM Server Process
  Turning Debug Logging On and Off
  Synchronizing Primary and Secondary Q-EKM Servers
  Keeping the Keystores Matched
  Changing the Communication Port Settings
Chapter 6 Sharing Encrypted Tapes – Import/Export Operations
  Sharing Encrypted Tape Cartridges
  Special Considerations for Exchanging Files Between Linux and Windows Servers
  Understanding How Q-EKM Uses Aliases
  Public Certificate Alias
  Data Encryption Key Alias
  Why You Should Not Change File Names
  Exporting the Public Certificate
  Importing a Public Certificate
  Exporting Data Encryption Keys
  Exporting Your Native Keys
  Exporting Imported Keys
  Importing Data Encryption Keys
  Displaying the Native Public Certificate
  Displaying Imported Public Certificates
Chapter 7 Running Reports
  Drives that Accessed the Q-EKM Server
  Q-EKM Server Keys
  End User License Agreement
  Available WWN Key Ranges for Export
Chapter 8 Troubleshooting
  Frequently Asked Questions
  What to do if Your Q-EKM Server Fails
  Single Server Configuration Failure
  Two-Server Configuration Failure
  Log Files
  Audit Log
  Debug Log
  Standard Error Messages Log
  Standard Out Messages Log
  Capturing a Log Snapshot
  Errors Reported By Q-EKM
Appendix A Setting the System Path Variable in Windows
Glossary
Index

Figures

Figure 1 Q-EKM Components
Figure 2 Single Q-EKM Server
Figure 3 Two Q-EKM Servers
Figure 4 Password Changes Menu
Figure 5 Q-EKM Commands Menu
Figure 6 Debug Mode Change Menu
Figure 7 Key Import/Export Menu
Figure 8 Reports Menu

Preface

Audience
This book is intended for storage and security administrators responsible for security and backup of vital data, and anyone assisting in the setup and maintenance of Quantum Encryption Key Manager (Q-EKM) servers in the operating environment. It assumes the reader has a working knowledge of storage devices and networks.
Purpose
This book contains information to help you use the Q-EKM component for the Java™ platform. It includes concepts and procedures pertaining to:
• Encryption on the IBM LTO-4 and LTO-5 tape drives
• Cryptographic keys
• Digital certificates
Document Organization
This document is organized as follows:
• Chapter 1, Overview, provides an overview of tape encryption and the Quantum Encryption Key Manager (Q-EKM) components.
• Chapter 2, Planning Your Q-EKM Environment, provides the information you need and the factors you should consider when determining the best configuration for your Q-EKM environment.
• Chapter 3, Tips for Success, provides tips for maintaining successful Q-EKM operations and recovery in case of server failure.
• Chapter 4, Upgrading Q-EKM, provides instructions for upgrading your Q-EKM software.
• Chapter 5, Q-EKM Server Operation and Configuration, provides operational procedures for using Q-EKM.
• Chapter 6, Sharing Encrypted Tapes – Import/Export Operations, provides instructions on how to share encrypted tapes with different sites, including importing and exporting public certificates and encryption keys.
• Chapter 7, Running Reports, describes several reports you can run from the Q-EKM interface.
• Chapter 8, Troubleshooting, provides troubleshooting procedures for common Q-EKM issues.
• Appendix A, Setting the System Path Variable in Windows, tells you how to set the system path so you can enter Q-EKM commands from the command line without changing the directory to the Q-EKM directory.
This document concludes with a glossary and an index.
Notational Conventions
This manual uses the following conventions:
Note: Notes emphasize important information related to the main topic.
Caution: Cautions indicate potential hazards to equipment and are included to prevent damage to equipment.
Warning: Warnings indicate potential hazards to personal safety and are included to prevent injury.
This manual also uses the following conventions:
Convention          Usage
bold                Bold words or characters represent system elements that you must use literally, such as command names, file names, flag names, path names, and selected menu options.
Arial regular text  Examples, text specified by the user, and information that the system displays appear in Arial regular font.
italic              Italicized words or characters represent variable values that you must supply.
[item]              Indicates optional items.
{item}              Encloses a list from which you must choose an item in format and syntax descriptions.
|                   A vertical bar separates items in a list of choices.
<key>               Indicates keys you press.
Related Documents
The following publications provide information related to encryption on Scalar® libraries:
Document No.  Document Title
6-01210-xx    Scalar i500 User’s Guide
6-00421-xx    Scalar i2000 User’s Guide
6-66879-xx    Scalar i6000 User’s Guide
Refer to the appropriate product manuals for information about your tape drive and cartridges.
Contacts
Quantum company contacts are listed below.
Quantum Corporate Headquarters
To order documentation on Quantum Encryption Key Manager or other products contact:
Quantum Corporation (Corporate Headquarters) 1650 Technology Drive, Suite 700 San Jose, CA 95110-1382
Technical Publications
To comment on existing documentation send an e-mail to:
doc-comments@quantum.com
Quantum Home Page
Visit the Quantum home page at:
http://www.quantum.com
Getting More Information or Help
StorageCare™, Quantum’s comprehensive service approach, leverages advanced data access and diagnostics technologies with cross-environment, multi-vendor expertise to resolve backup issues faster and at lower cost.
Accelerate service issue resolution with these exclusive Quantum StorageCare services:
• Service and Support Web site - Register products, license software, browse Quantum Learning courses, check backup software and operating system support, and locate manuals, FAQs, firmware downloads, product updates and more in one convenient location. Benefit today at:
www.quantum.com/support
• Telephone Support – Find contact information for your location at:
http://www.quantum.com/ServiceandSupport/Contacts/ProductSelect/Index.aspx
• eSupport – Submit online service requests, update contact information, add attachments, and receive status updates via e-mail. Online Service accounts are free from Quantum. That account can also be used to access Quantum’s Knowledge Base, a comprehensive repository of product support information. Sign up today at:
http://www.quantum.com/osr
Non-Quantum Support
Red Hat Information
The following URL provides access to information about Red Hat Linux® systems:
http://www.redhat.com
Microsoft Windows Information
The following URL provides access to information about Microsoft® Windows® systems:
http://www.microsoft.com
Chapter 1

Overview

Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in our security-conscious world. Data encryption is a tool that answers many of these needs.
IBM LTO-4 and LTO-5 Fibre Channel and SAS tape drives are capable of encrypting data as it is written to compatible data cartridges. Encryption is performed at full line speed in the tape drive after compression. (Compression is more efficiently done before encryption.) This new capability adds a strong measure of security to stored data without the processing overhead and performance degradation associated with encryption performed on the server or the expense of a dedicated appliance.
This chapter covers:
Library Managed Encryption
Managing Encryption With Q-EKM
Quantum Encryption Key Manager (Q-EKM) Components
Encryption Keys
Encryption Certificates

Library Managed Encryption

The library managed tape drive encryption solution is composed of the following elements:
• Encryption-Enabled Tape Drive
• Quantum Encryption Key Management (Q-EKM)
• Encryption-Enabled Tape Library

Encryption-Enabled Tape Drive

IBM LTO-4 and LTO-5 Fibre Channel and SAS tape drives are encryption-capable. This means that they are functionally capable of performing hardware encryption, but this capability has not yet been activated. In order to perform hardware encryption, the tape drives must be encryption-enabled. They can be encryption-enabled via the tape library.
SCSI IBM LTO-4 tape drives are encryption aware (they can load and handle encrypted LTO-4 cartridges, but cannot process encryption operations).
See Supported Libraries and Tape Drives on page 10 for a list of which tape drives are supported by your library.

Quantum Encryption Key Management (Q-EKM)

Encryption involves the use of several kinds of keys. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some host applications are capable of performing key management. For environments without such applications or those where application-agnostic encryption is desired, Quantum provides the Quantum Encryption Key Manager (Q-EKM) component for the Java platform to perform all necessary key management tasks. Managing Encryption With Q-EKM on page 3 describes these tasks in more detail.

Encryption-Enabled Tape Library

On an encryption-enabled library, tape encryption occurs automatically and transparently. The library communicates with the EKM server to obtain encryption keys for the drives to read encrypted data from, or write encrypted data to, the tapes.
Library managed encryption is provided for IBM LTO-4 and LTO-5 tape drives in Quantum Scalar tape libraries (see Supported Libraries and Tape Drives on page 10).

Managing Encryption With Q-EKM

Quantum Encryption Key Manager (Q-EKM) generates, protects, stores, and maintains data encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media (tape and cartridge formats).
Q-EKM uses a keystore to hold JCEKS keys and certificates required for all encryption tasks.
Q-EKM acts as a process awaiting key generation or key retrieval requests sent to it through a TCP/IP communication path between Q-EKM and the tape library.
When a tape drive writes encrypted data, it first requests an encryption key from Q-EKM.
Upon receipt of the request, Q-EKM retrieves an existing Advanced Encryption Standard (AES) key from a keystore and wraps it for secure transfer to the tape drive, where it is unwrapped upon arrival and used to encrypt the data being written to tape.
When an encrypted tape is read by a tape drive, the tape drive requests, via the library, the required data encryption key from the Q-EKM server. Q-EKM retrieves the required data encryption key from the keystore and securely transfers it to the library, which provides it to the tape drive. The tape drive uses the data encryption key to perform encryption and decryption.
No data encryption key is stored anywhere on the cartridge memory or the tape. Only the name of the data encryption key is stored on the tape, so that in the future the key can be requested for further read or write purposes.

Quantum Encryption Key Manager (Q-EKM) Components

Q-EKM is part of the IBM Java environment and uses the IBM Java Security components for its cryptographic capabilities. Q-EKM has three main components:
Keystore
Configuration Files
Tape Drive Table
Figure 1 Q-EKM Components

Keystore

The keystore is defined as part of the Java Cryptography Extension (JCE) and an element of the Java Security components, which are, in turn, part of the Java runtime environment. Q-EKM supports the JCEKS keystore.
The keystore contains:
• The 1024 data encryption keys generated by the Q-EKM server on which it resides. These keys are used for encrypting and decrypting tapes.
• Data encryption keys that you imported (for example, keys that other companies or individuals sent to you). These keys can be used to decrypt tapes provided by the other parties.
• Your Q-EKM server’s native public certificate.
• Public certificates that you imported from other parties. These are used to wrap your data encryption keys for transit to another party to use in decrypting tapes you may have provided to them.
• Public and private keys used for secure communication.
• Metadata (for example, which data encryption keys were used on which tapes).
The keystore file is named EKMKeys.jck and is located in the root QEKM directory as follows:
Windows
c:\Program Files\Quantum\QEKM
Linux
/opt/Quantum/QEKM
Caution: It is impossible to overstate the importance of preserving your keystore data. Without access to your keystore, you will not be able to decrypt your encrypted tapes. Please see Backing Up Keystore and Configuration Data on page 15 and Disaster Recovery Planning on page 16 for information on how to protect your keystore data.

Configuration Files

The configuration files contain the configuration information for your Q-EKM server installation.
The two configuration files are named:
• ClientKeyManagerConfig.properties
• KeyManagerConfig.properties
The configuration files are located in the root QEKM directory as follows:
Windows
c:\Program Files\Quantum\QEKM
Linux
/opt/Quantum/QEKM
Caution: Do not edit these files. If you make a mistake when altering the configuration files, you could lose access to your keystore and be unable to encrypt or restore data.

Tape Drive Table

The tape drive table is used by Q-EKM to keep track of all the tape drives that have ever requested a key from the Q-EKM server. The tape drive table is a non-editable, binary file. Q-EKM automatically adds new/replaced tape drives to the drive table.

Encryption Keys

An encryption key is typically a random string of bits generated specifically to scramble and unscramble data. Encryption keys are created using algorithms designed to ensure that each key is unique and unpredictable. The longer the length of key used, the harder it is to break the encryption code.
The IBM LTO-4 and LTO-5 method of encryption uses 256-bit AES algorithm keys to encrypt data. 256-bit AES is the encryption standard currently recognized and recommended by the U.S. government, which allows three different key lengths. 256-bit keys are the longest allowed by AES.
Q-EKM uses two types of encryption algorithms:
• Symmetric
• Asymmetric
Symmetric, or secret key encryption, uses a single key for both encryption and decryption. Symmetric key encryption is generally used for encrypting large amounts of data in an efficient manner. 256-bit AES keys are symmetric keys.
Asymmetric, or public/private encryption, uses a pair of keys. Data that is encrypted using one key can only be decrypted using the other key in the public/private key pair. When an asymmetric key pair is generated, the public key is typically used to encrypt, and the private key is typically used to decrypt.
Q-EKM uses both symmetric and asymmetric keys—symmetric encryption for high-speed encryption of user or host data, and asymmetric encryption (which is necessarily slower) for protecting the symmetric key.
Upon installation, Q-EKM generates 1024 unique encryption keys.

Encryption Key Processing

In library-managed tape encryption, unencrypted data is sent to the tape drive and converted to ciphertext using a pre-generated symmetric data key from the keystore available to Q-EKM, and is then written to tape.
Q-EKM selects a pre-generated data key in round-robin fashion. Data keys are reused on multiple tape cartridges when all pre-generated data keys have been used at least once.
The data key is sent to the tape drive in encrypted, or wrapped, form by Q-EKM. The tape drive unwraps this data key and uses it to perform encryption or decryption. However, no wrapped key is stored anywhere on the tape cartridge.
After the encrypted volume is written, the data key must be accessible, based on the alias or key label, and available to Q-EKM in order for the volume to be read.

Encryption Certificates

Each Q-EKM server pair uses one unique encryption certificate. The encryption certificate contains the public key of the public/private key pair that protects data encryption keys during transit to another site. The destination Q-EKM server provides its public key to the source Q-EKM server as part of its public certificate, which the source Q-EKM server uses to wrap (encrypt) exported data encryption keys for transport. Upon arrival, the file containing the wrapped data encryption keys can only be unwrapped by the corresponding private key, which resides on the destination Q-EKM server and is never shared.
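The wrap-and-unwrap exchange described above and under Managing Encryption With Q-EKM, as an added Java example that is not Q-EKM's own code: a 256-bit AES data key is held in a JCEKS keystore, looked up by its alias, wrapped under a destination's public key, and recovered only by the matching private key. The alias, the password, the RSA-2048 key pair and the RSA-OAEP transform are assumptions; the guide does not state which wrapping algorithm Q-EKM uses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyWrapDemo {
    // Constructed sample values: not Q-EKM's real alias format or password.
    static final String ALIAS = "demo-data-key-0001";
    static final char[] STORE_PW = "constructed-keystore-password".toCharArray();
    // Assumption: RSA-OAEP as the wrapping transform. The guide does not name one.
    static final String WRAP_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Source side: encrypt (wrap) the symmetric data key under the destination's public key.
    static byte[] wrap(SecretKey dataKey, PublicKey destPublic) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP_ALG);
        c.init(Cipher.WRAP_MODE, destPublic);
        return c.wrap(dataKey);
    }

    // Destination side: only the matching private key recovers the data key.
    static SecretKey unwrap(byte[] wrapped, PrivateKey destPrivate) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP_ALG);
        c.init(Cipher.UNWRAP_MODE, destPrivate);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Stand-in for a server's public/private key pair (assumed RSA-2048).
    static KeyPair newRsaPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // 1. A 256-bit AES data key stored under an alias in a JCEKS keystore.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, STORE_PW);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(STORE_PW));

        // 2. Serialize and reload the keystore, as a restart or a restore from backup would.
        ByteArrayOutputStream file = new ByteArrayOutputStream();
        ks.store(file, STORE_PW);
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        reloaded.load(new ByteArrayInputStream(file.toByteArray()), STORE_PW);

        // 3. Look the key up by the only thing recorded on tape: its name.
        SecretKey dataKey = (SecretKey) reloaded.getKey(ALIAS, STORE_PW);

        // 4. Wrap for a destination whose public key arrived in its public certificate.
        KeyPair destination = newRsaPair();
        byte[] wrapped = wrap(dataKey, destination.getPublic());

        // 5. The destination unwraps with its private key and gets the same key back.
        SecretKey recovered = unwrap(wrapped, destination.getPrivate());
        boolean same = MessageDigest.isEqual(dataKey.getEncoded(), recovered.getEncoded());
        System.out.println("wrapped length (bytes): " + wrapped.length);
        System.out.println("destination recovered the data key: " + same);

        // 6. Any other private key fails, so the wrapped export file alone reveals nothing.
        try {
            unwrap(wrapped, newRsaPair().getPrivate());
            System.out.println("unexpected: a different private key unwrapped the data key");
        } catch (GeneralSecurityException e) {
            System.out.println("different private key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Step 3 is also why losing the keystore is unrecoverable: the tape carries only the key's name, so without the keystore entry behind that name there is nothing to unwrap or decrypt with.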
Chapter 2
Planning Your Q-EKM Environment
Use the information in this chapter to determine the best Q-EKM configuration for your needs. Many factors must be considered when you are planning how to set up your encryption strategy. Please review these topics with care.
System Requirements
Using Multiple Q-EKM Servers for Redundancy
Q-EKM Server Configurations
Multiple Libraries Accessing One Q-EKM Server or Server Pair
Backing Up Keystore and Configuration Data
Disaster Recovery Planning

System Requirements

Server Requirements

Q-EKM server requirements are:
• Xeon-class server.
• Minimum 1 GB memory.
• Minimum 10 GB free hard disk space.
• The Q-EKM server must have IP connectivity through any firewalls to all Quantum libraries using the Q-EKM server to obtain data encryption keys. The Q-EKM firmware uses TCP port 3801 for the Q-EKM server and TCP port 443 for SSL, by default.
• Domain Name System (DNS) must be configured on all Q-EKM servers in order for the servers to communicate successfully.
• The Q-EKM server should be protected and backed up following your data protection practices so that critical keystore data can be quickly restored in the event of a server failure.
• It is strongly recommended that the server(s) you designate for Q-EKM not be running any other programs or have any other files on them, especially .jre or java. If they do, you may have problems with installation.
• On Windows machines, Q-EKM must be installed on the “C” drive only. Make sure your server has a working “C” drive.

Operating System Requirements

Q-EKM runs on:
• Windows Server 2003
• Windows Server 2008
• Red Hat Enterprise Linux 4
• Red Hat Enterprise Linux 5

Supported Libraries and Tape Drives

Q-EKM supports the following libraries and tape drives:
Scalar i500 tape library
IBM LTO-4 (Fibre-Channel and SAS)
IBM LTO-5 (Fibre-Channel)
Scalar i2000 tape library Scalar i6000 tape library
IBM LTO-4 (Fibre-Channel)
IBM LTO-4 (Fibre-Channel)
IBM LTO-5 (Fibre-Channel)
Note: In order to use LTO-5 tape drives with Q-EKM, you must be running Q-EKM version 2.0 or higher.

Supported Media

Q-EKM supports IBM LTO-4 and IBM LTO-5 media.

Library Firmware Requirements

It is recommended that you upgrade your library to the latest released version.

Tape Drive Firmware Requirements

It is recommended that you upgrade your tape drive firmware to the latest version qualified with your library firmware.

Linux System Library Requirements

For Linux, the following libraries must be installed on your Q-EKM server:
• glibc, version 2.3 or later
• libstdc++.so.5
• libXp.so.6

Using Multiple Q-EKM Servers for Redundancy

Q-EKM is designed to work with tape drives and libraries to allow redundancy, and thus high availability, so you can have up to two Q-EKM servers servicing the same tape drives and libraries. Moreover, these Q-EKM servers need not be on the same systems as the tape drives and libraries. The only requirement is that they be available to the libraries through TCP/IP connectivity.
This allows you to have two Q-EKM servers that are mirror images of each other with built-in synchronization as well as a failover in the event that one Q-EKM server becomes unavailable. When you configure your library, you can point it to two Q-EKM servers (primary and secondary). If the primary Q-EKM server becomes unavailable for any reason, the library will use the secondary Q-EKM server.
In order for the secondary server to be used in a failover situation, its keystore must be identical to that of the primary server. Keeping the keystores matched is a manual process (it does not happen automatically). See Keeping the Keystores Matched on page 36.

Q-EKM Server Configurations

Q-EKM can be installed as a Single-Server Configuration or as a Two-Server Configuration.

Single-Server Configuration

A single-server configuration, shown in Figure 2, is the simplest Q-EKM configuration. However, because of the lack of redundancy, it is not recommended. In this configuration, all tape drives rely on a single key manager server with no backup. Should the server go down, the keystore becomes unavailable, making any encrypted tape unreadable (and preventing encrypted writes). In a single-server configuration, you must make sure that current, non-encrypted backup copies of the keystore and configuration files are maintained in a safe place, separate from Q-EKM, so its function can be rebuilt on a replacement server if the server copies are lost.
The keystore and configuration files are:
ClientKeyManagerConfig.properties
EKMKeys.jck
KeyManagerConfig.properties
library_serialnum
library_wwnamekey
QEKMIEKey<librarySN>.pk12
The files are all in the root QEKM directory located here:
Windows
c:\Program Files\Quantum\QEKM
Linux
/opt/Quantum/QEKM
Figure 2 Single Q-EKM Server

Two-Server Configuration

The recommended two-server configuration allows the library to automatically fail over to the secondary Q-EKM server should the primary Q-EKM server be inaccessible for any reason.
Note: When different Q-EKM servers are used to handle requests from the same set of tape drives, the information in the associated keystores MUST be identical. This is required so that regardless of which Q-EKM server is contacted, the necessary information is available for the Q-EKM server to support requests from the tape drives.
In an environment with two Q-EKM servers, such as those shown in Figure 3, the library will automatically fail over to the secondary Q-EKM server should the primary go down. In such a configuration it is essential that the servers are synchronized and that the two keystores match.
Once synchronization is configured, updates to the configuration files of the primary Q-EKM server are automatically duplicated on the secondary Q-EKM server (see Synchronizing Primary and Secondary Q-EKM Servers on page 33). However, the keystore file is not automatically updated. Any change to the keystore on the primary server (such as importing certificates and keys) must be manually duplicated on the secondary server (see Keeping the Keystores Matched on page 36).
Figure 3 Two Q-EKM Servers

Multiple Libraries Accessing One Q-EKM Server or Server Pair

Multiple libraries may access and use the same Q-EKM server (in a single-server configuration) or server pair. The only requirement is that the libraries be available to the Q-EKM servers through TCP/IP connectivity. If you want to connect more than one library to a Q-EKM server/pair, keep the following in mind:
• Each library must have its own Encryption Key Management license (see your library user’s guide for instructions).
• Each library can only be configured to use one Q-EKM server/pair at a time.
• The ports configured on the library must be set to the same values as the ports on the Q-EKM server (see Changing the Communication Port Settings on page 37 and your library user’s guide for details).

Backing Up Keystore and Configuration Data

Due to the critical nature of the keys in the keystore, you should always back up the keystore so that you can recover it, if needed, and be able to read the tapes that were encrypted using certificates imported into the keystore.
Your configuration files are also important to back up so that if your server dies you can reconstruct it exactly as it was configured before.
Use your system backup capabilities to back up the entire QEKM directory regularly. The QEKM directory is located here:
Windows
c:\Program Files\Quantum\QEKM
Linux
/opt/Quantum/QEKM
Caution: Do not use Q-EKM to encrypt the backups! Back up to clear tape! If you encrypt your backup, and you later lose your keystore, you will not be able to decrypt the tapes to recover your data.
For disaster recovery, see Disaster Recovery Planning on page 16.
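One way to confirm that a backup of the QEKM directory is still current, as an added Java example that is not part of Q-EKM or of this guide: it compares SHA-256 digests of the keystore and configuration files listed under Single-Server Configuration between the live directory and a backup copy, and reports files that are missing or differ. It assumes the backup has been restored or mounted as an ordinary directory; the class name, the demo file contents and the sample library serial number are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeSet;

public class QekmBackupCheck {
    // Keystore and configuration file names this guide lists for the root QEKM directory.
    static final String[] FIXED_NAMES = {
        "ClientKeyManagerConfig.properties", "EKMKeys.jck", "KeyManagerConfig.properties",
        "library_serialnum", "library_wwnamekey"
    };
    // Matches QEKMIEKey<librarySN>.pk12, whose name depends on the library serial number.
    static final String PER_LIBRARY_GLOB = "QEKMIEKey*.pk12";

    static byte[] sha256(Path file) throws IOException, NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
    }

    // Every name to check: the fixed files plus per-library files found in either directory.
    static TreeSet<String> expectedNames(Path live, Path backup) throws IOException {
        TreeSet<String> names = new TreeSet<>(Arrays.asList(FIXED_NAMES));
        for (Path dir : new Path[] {live, backup}) {
            try (DirectoryStream<Path> found = Files.newDirectoryStream(dir, PER_LIBRARY_GLOB)) {
                for (Path p : found) names.add(p.getFileName().toString());
            }
        }
        return names;
    }

    // Returns one finding per file that is missing on either side or whose content differs.
    static List<String> compare(Path live, Path backup)
            throws IOException, NoSuchAlgorithmException {
        List<String> findings = new ArrayList<>();
        for (String name : expectedNames(live, backup)) {
            Path a = live.resolve(name);
            Path b = backup.resolve(name);
            if (!Files.isRegularFile(a)) {
                findings.add("missing in live directory: " + name);
            } else if (!Files.isRegularFile(b)) {
                findings.add("missing in backup: " + name);
            } else if (!MessageDigest.isEqual(sha256(a), sha256(b))) {
                findings.add("content differs: " + name);
            }
        }
        return findings;
    }

    // Builds a constructed QEKM directory for the offline demo; contents are placeholders.
    static Path sampleDir(String keystoreContent, boolean withLibraryFile) throws IOException {
        Path dir = Files.createTempDirectory("qekm-demo");
        for (String name : FIXED_NAMES) {
            String body = name.equals("EKMKeys.jck") ? keystoreContent : "constructed " + name;
            Files.write(dir.resolve(name), body.getBytes(StandardCharsets.UTF_8));
        }
        if (withLibraryFile) {
            Files.write(dir.resolve("QEKMIEKeyDEMO0001.pk12"),
                    "constructed".getBytes(StandardCharsets.UTF_8));
        }
        return dir;
    }

    public static void main(String[] args) throws Exception {
        Path live;
        Path backup;
        if (args.length == 2) {
            // Real use: <live QEKM directory> <restored or mounted backup copy>
            live = Paths.get(args[0]);
            backup = Paths.get(args[1]);
        } else {
            // Constructed case: the keystore changed after the backup was taken.
            live = sampleDir("keystore after key import", true);
            backup = sampleDir("keystore before key import", false);
        }
        List<String> findings = compare(live, backup);
        for (String f : findings) System.out.println(f);
        System.out.println(findings.isEmpty()
                ? "backup matches live directory" : "backup is stale or incomplete");
        if (!findings.isEmpty()) System.exit(1);
    }
}
```

Run it with no arguments for the constructed case, or pass the live QEKM directory and the backup copy as two arguments; a non-zero exit status means the backup should be retaken.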