Quantum QKM User Manual
Quantum Key Manager
6-66531-02 A
Quantum Key Manager
Quantum Tape Libraries
User’s Guide User’s Guide User’s Guide User’s Guide User’s Guide User’s Guide
Quantum Key Manager User’s Guide, 6-66531-02, Rev A, July 2009. Product of USA.
Quantum Corporation provides this publication “as is” without warranty of any kind, either express or implied,
including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Quantum
Corporation may revise this publication from time to time without notice.
COPYRIGHT STATEMENT
Copyright 2009 by Quantum Corporation. All rights reserved.
Your right to copy this manual is limited by copyright law. Making copies or adaptations without prior written
authorization of Quantum Corporation is prohibited by law and constitutes a punishable violation of the law.
TRADEMARK STATEMENT
Quantum, the Quantum logo, and Scalar are registered trademarks of Quantum Corporation. IBM is a trademark of
International Business Machines Corporation. Windows is a registered trademark of Microsoft Corporation in the
United States, or other countries (or regions), or both. UNIX is a registered trademark of The Open Group in the
United States and other countries (or regions). Other trademarks may be mentioned herein which belong to other
companies.
Contents
Preface ix
Chapter 1 Overview 1
Library Managed Encryption........................................................................... 2
Encryption-Enabled Tape Drive............................................................... 2
Quantum Key Manager (QKM)................................................................ 2
Encryption-Enabled Tape Library............................................................ 2
How QKM Key Management Works.............................................................. 3
Encryption Keys ................................................................................................ 4
Encryption Certificates...................................................................................... 4
Keystore............................................................................................................... 5
Mirrored Hard Disk Drives.............................................................................. 6
Why You Need to Back Up Your Keystore.................................................... 6
Chapter 2 Safety 7
Electrical Safety ................................................................................................. 8
Handling Static-Sensitive Devices .................................................................. 9
Quantum Key Manager User’s Guide iii
Chapter 3 Planning Your QKM Environment 10
QKM Server Requirements............................................................................. 10
Cooling and Airflow Requirements .............................................................. 11
Rack Considerations........................................................................................ 12
Multiple Libraries Accessing One QKM Server Pair.................................. 13
Disaster Recovery Planning............................................................................ 13
Chapter 4 Installation and Initial Configuration 15
Items Required ................................................................................................. 16
Installing the QKM Servers ............................................................................ 16
Configuring the QKM Servers ....................................................................... 18
Scalar i500 – Library Setup and Configuration............................................ 20
1. Installing the EKM License on the Scalar i500.................................. 21
2. Scheduling Sufficient Time..................................................................21
3. Preparing QKM Partitions................................................................... 21
4. Configuring the QKM Server IP Addresses on the Library ........... 22
5. Installing the TLS Certificates on the Scalar i500 ............................. 22
6. Running QKM Path Diagnostics on the Scalar i500 ........................ 23
7. Configuring QKM Partitions and Generating Data
Encryption Keys................................................................................. 24
8. Saving the Library Configuration ...................................................... 25
9. Backing Up the Keystores.................................................................... 25
Scalar i2000 – Library Setup and Configuration.......................................... 26
1. Installing the EKM License on the Scalar i2000................................ 26
2. Scheduling Sufficient Time..................................................................27
3. Preparing QKM Partitions................................................................... 27
4. Installing the TLS Certificates on the Scalar i2000 ........................... 27
5. Configuring the QKM Server IP Addresses and
Generating Data Encryption Keys .................................................. 28
6. Running QKM Path Diagnostics on the Scalar i2000 ...................... 29
7. Waiting for Key Generation to Complete ......................................... 30
8. Configuring QKM Partitions...............................................................30
9. Saving the Library Configuration ...................................................... 31
10. Backing Up the Keystores.................................................................. 31
Quantum Key Manager User’s Guide iv
Chapter 5 Using the QKM Server 33
QKM Server Controls, LEDs, and Connectors ............................................ 34
Front Panel................................................................................................. 34
Rear Panel ..................................................................................................36
Turning On the QKM Server.......................................................................... 37
Turning Off the QKM Server .........................................................................38
Logging in to the QKM Server....................................................................... 38
Accessing QKM Admin Commands............................................................. 39
Notes on Using QKM Command Line Interface and Admin
Commands................................................................................................. 40
Running the Setup Wizard ............................................................................. 41
Changing the Password ..................................................................................42
Changing the IP Address................................................................................ 43
Changing the Time Zone ................................................................................ 44
Changing the Date and Time ......................................................................... 45
Backing Up the Keystore ................................................................................ 45
Restoring the Keystore .................................................................................... 48
Setting the QKM Server Hostname ............................................................... 50
Accessing QKM Server Information .............................................................51
Displaying the Help Menu......................................................................51
Displaying the QKM Server Software Version..................................... 52
Capturing QKM Server Logs Without Stopping the Key Server....... 52
Displaying the End User License Agreement....................................... 52
Turning Trace Level Logging On and Off............................................. 53
Chapter 6 Using the Library to Initiate QKM Functions 54
Generating Data Encryption Keys................................................................. 54
Generating Data Encryption Keys at Initial Setup............................... 55
Generating Data Encryption Keys When the Set is Depleted ............ 55
Importing and Exporting Data Encryption Keys........................................ 57
Importing and Exporting Encryption Certificates ...................................... 58
Sharing Encrypted Tapes Offsite................................................................... 58
Running QKM Path Diagnostics ................................................................... 60
Quantum Key Manager User’s Guide v
Chapter 7 Logs 61
QKM Encryption Key Import Warning Log................................................ 61
QKM Server Logs............................................................................................ 62
Retrieving QKM Server Logs Via the Library ...................................... 62
Capturing QKM Server Logs Via the Server Without
Stopping the Key Server Process..................................................... 63
Capturing QKM Server Logs Via the Server While
Stopping the Key Server Process..................................................... 63
Chapter 8 Troubleshooting 65
Library RAS Tickets......................................................................................... 65
QKM Server LED Error Indicators ................................................................ 66
POST Beep Codes............................................................................................. 67
Common Problems ..........................................................................................68
Chapter 9 Hardware Replacement Procedures 71
Replacing a Hard Disk Drive .........................................................................72
Replacing a QKM Server and Both Hard Disk Drives ............................... 75
Terminology .............................................................................................. 76
Required Items .......................................................................................... 76
Procedure ................................................................................................... 76
Chapter 10 Updating and Rolling Back QKM Server Software 78
Viewing the Currently Installed Version of QKM Server Software......... 79
Updating QKM Server Software.................................................................... 79
Equipment Required ................................................................................ 79
Procedure ................................................................................................... 79
Rolling Back QKM Server Software .............................................................. 81
Equipment Required ................................................................................ 81
Procedure ................................................................................................... 81
Quantum Key Manager User’s Guide vi
Appendix A Specifications 83
QKM Server Physical Specifications ............................................................. 83
QKM Server Environmental Specifications ................................................. 84
Air Temperature ....................................................................................... 84
Humidity.................................................................................................... 84
QKM Server Acoustical Noise Emissions..................................................... 84
QKM Server Heat Output............................................................................... 84
QKM Server Electrical Input .......................................................................... 85
Number of Data Encryption Keys Generated..............................................85
Supported Quantum Libraries....................................................................... 85
Supported Tape Drives ................................................................................... 86
Firmware Requirements ................................................................................. 86
Library Firmware Requirements ............................................................ 86
Tape Drive Firmware Requirements ..................................................... 86
Supported Backup Applications.................................................................... 87
Glossary 88
Index 90
Quantum Key Manager User’s Guide vii
Figures
Figure 1 Rear Panel.................................................................................... 17
Figure 2 Front Panel .................................................................................. 17
Figure 3 Front Panel Controls, LEDs, and Connectors ........................ 34
Figure 4 Rear Panel Connectors............................................................... 36
Figure 5 Rear Panel LEDs......................................................................... 37
Figure 6 QKM Admin Commands (Example) ...................................... 40
Figure 7 Help Menu .................................................................................. 52
Figure 8 LED Locations on Front of Server............................................ 66
Figure 9 LED Locations on Front of Server............................................ 73
Figure 10 Replacing a Hard Disk Drive ................................................... 74
Quantum Key Manager User’s Guide viii
Preface
Audience
Purpose
Document Organization
Quantum Key Manager User’s Guide ix
This book is intended for storage and security administrators responsible
for security and backup of vital data, and anyone assisting in the setup
and maintenance of Quantum Key Manager servers and software in the
operating environment. It assumes the reader has a working knowledge
of storage devices and networks.
This book contains information to help you install, configure, and run
your QKM system.
This document is organized as follows:
• Chapter 1,
the Quantum Key Manager (QKM) components.
• Chapter 2,
information.
• Chapter 3,
considerations for how to set up your QKM server environment.
Overview, provides an overview of tape encryption and
Safety, provides basic electrical and electrostatic safety
Planning Your QKM Environment, provides
• Chapter 4, Installation and Initial Configuration, provides
instructions on how to set up the QKM server and configure the
library to use QKM.
Notational Conventions
• Chapter 5,
Using the QKM Server, provides instructions on using the
QKM server hardware and general usage commands.
• Chapter 6,
Using the Library to Initiate QKM Functions, provides
information on how to use the library remote web client to generate,
import, and export data encryption keys and encryption certificates,
and how to share encrypted tapes offsite.
• Chapter 7,
Logs, describes the various QKM logs and how to access
them.
• Chapter 8,
Troubleshooting, describes how to detect and resolve
problems with the QKM server hardware or operation.
• Chapter 9,
Hardware Replacement Procedures, describes how to
replace a defective hard disk drive and how to replace a QKM server.
• Chapter 10,
Updating and Rolling Back QKM Server Software,
explains how to update and roll back QKM server software.
• Appendix A,
Specifications,, provides hardware and operational
specifications for the QKM server.
This document concludes with a glossary
and an index.
This manual uses the following conventions:
Note: Notes emphasize important information related to the main
topic.
Caution: Cautions indicate potential hazards to equipment and are
included to prevent damage to equipment.
Warning: Warnings indicate potential hazards to personal safety and
are included to prevent injury.
Quantum Key Manager User’s Guide x
Documentation and Firmware
The following publications provide information related to Quantum Key
Manager. For the latest versions of library documents, visit
www.quantum.com
. For the latest QKM documentation and firmware
updates, see www.quantum.com/serviceandsupport/
softwareanddocumentationdownloads/qkm/index.aspx.
Document No. Document Title
6-66532-xx Quantum Key Manager Quick Start Guide
6-66533-xx Quantum Key Manager Rack Installation
6-66572-xx Quantum Key Manager Safety Information by IBM
6-66535-xx Quantum Key Manager Open Source License
Agreement
6-01210-xx Scalar i500 User’s Guide
6-00421-xx Scalar i2000 User’s Guide
Contacts
Quantum company contacts are listed below.
Quantum Corporate Headquarters
To order documentation on Quantum Key Manager or other products
contact:
Quantum Corporation
P.O. Box 57100
Irvine, CA 92619-7100
(949) 856-7800
(800) 284-5101
Technical Publications
To comment on existing documentation send an e-mail to:
doc-comments@quantum.com
0
0
Quantum Key Manager User’s Guide xi
Quantum Home Page 0
Visit the Quantum home page at:
http://www.quantum.com
Getting More Information or
Help
StorageCare™, Quantum’s comprehensive service approach, leverages
advanced data access and diagnostics technologies with crossenvironment, multi-vendor expertise to resolve backup issues faster and
at lower cost.
Accelerate service issue resolution with these exclusive Quantum
StorageCare services:
•
Service & Support Web site - Register products, license software,
browse Quantum Learning courses, check backup software and
operating system support, and locate manuals, FAQs, firmware
downloads, product updates and more in one convenient location.
Benefit today at: http://www.quantum.com/ServiceandSupport/
Index.aspx.
•
Online Service Center - Submit online service requests, update contact
information, add attachments, and receive status updates via email.
Online Service accounts are free from Quantum. That account can
also be used to access Quantum’s Knowledge, a comprehensive
repository of product support information. Sign up today at: http://
www.quantum.com/osr.
For further assistance, or if training is desired, contact a Technical
Assistance Center:
North America and Mexico +1 800-827-3822
Europe, Middle East, and Africa 00800-9999-3822
Worldwide support: http://www.quantum.com/ServiceandSupport/
Contacts/Worldwide/Index.aspx
For the most up to date information on Quantum Global Services, please
visit: http://www.quantum.com/ServiceandSupport/Contacts/
Worldwide/Index.aspx.
Quantum Key Manager User’s Guide xii
Chapter 1
1Overview
Data is one of the most highly valued resources in a competitive business
environment. Protecting that data, controlling access to it, and verifying
its authenticity while maintaining its availability are priorities in our
security-conscious world. Data encryption is a tool that answers many of
these needs.
The HP LTO-4 Fibre Channel or SAS tape drive is capable of encrypting
data as it is written to any LTO-4 data cartridge. Encryption is performed
at full line speed in the tape drive after compression. (Compression is
more effectively done before encryption.) This new capability adds a
strong measure of security to stored data without the processing
overhead and performance degradation associated with encryption
performed on the server or the expense of a dedicated data encryption
appliance.
This chapter covers:
• Library Managed
• How QKM Key Management Works
• Encryption Keys
• Encryption Certificates
• Keystore
• Mirrored Hard Disk Drives
• Why You Need to Back Up Your Keystore
Quantum Key Manager User’s Guide 1
Encryption
Library Managed Encryption
The library managed tape drive encryption solution is composed of three
major elements:
• Encryption-Enabled Tape Drive
• Quantum Key Manager (QKM)
• Encryption-Enabled Tape Library
Overview
Library Managed Encryption
Encryption-Enabled Tape
Drive 1
Quantum Key Manager
(QKM) 1
Encryption-Enabled Tape
Library 1
HP LTO-4 Fibre Channel and SAS tape drives are encryption-capable. This
means that they are functionally capable of performing hardware
encryption, but this capability has not yet been activated. In order to
perform hardware encryption, the tape drives must be encryption-enabled.
They can be encryption enabled via the tape library.
See Supported Backup Applications
drives are supported by QKM on your library.
Encryption involves the use of several kinds of keys, in successive layers.
How these keys are generated, maintained, controlled, and transmitted
depends upon the operating environment where the encrypting tape
drive is installed. Some host applications are capable of performing key
management. For environments without such applications or those
where application agnostic encryption is desired, Quantum provides the
Quantum Key Manager (QKM) solution to perform all necessary key
management tasks. How QKM Key Management Works
describes these tasks in more detail.
On an encryption-enabled library, tape encryption occurs automatically
and transparently. The library communicates with the QKM server to
obtain data encryption keys for the drives to read from or write to tapes.
on page 87 for a list of which tape
on page 3
Library managed encryption is provided for HP LTO-4 tape drives in a
Quantum Scalar i500 or Scalar i2000 tape library. Key generation and
management is performed by QKM. Data encryption keys pass from
QKM to the drives via the library, making encryption transparent to
applications.
Quantum Key Manager User’s Guide 2
How QKM Key Management Works
Quantum Key Manager (QKM) generates, protects, stores, and maintains
data encryption keys that are used to encrypt information being written
to, and decrypt information being read from, HP LTO-4 tape media (tape
and cartridge formats).
QKM acts as a process awaiting key generation or key retrieval requests
sent to it through a secure TCP/IP communication path between QKM
and the tape library.
When a new data encryption key is needed, the tape drive requests a key,
which the library forwards to the primary QKM server. The library
requests a data encryption key from the primary QKM server first, unless
the primary QKM server is down and failover to the secondary QKM
server has occurred. If failover to the secondary QKM server occurred,
then the library continues to request data encryption keys from the
secondary QKM server until either the library is rebooted or the
secondary server goes down and failover back to the primary occurs.
After a library reboot, the library goes back to forwarding requests to the
primary server.
Overview
How QKM Key Management Works
Upon receipt of the request, QKM retrieves an existing data encryption
key from the keystore and securely transfers it to the library, which then
provides it to the tape drive where it is used to encrypt the data being
written to tape. Once a data encryption key is assigned to a tape, it is
never reused on another tape.
When an encrypted tape is read by an HP LTO-4 tape drive, the tape
drive requests, via the library, the required data encryption key from the
QKM server. QKM retrieves the required data encryption key from the
keystore and securely transfers it to the library, which provides it to the
tape drive. The HP LTO-4 tape drive uses the data encryption key to
perform encryption or decryption.
No data encryption key is stored anywhere on the cartridge memory or
the tape. Only the name of the data encryption key is stored on the tape,
so that in the future the key can be requested for further read or write
purposes. The first read/write operation on an encrypted tape requires
the tape drive to request the data encryption key.
Quantum Key Manager User’s Guide 3
Encryption Keys
Overview
Encryption Keys
An encryption key is typically a random string of bits generated
specifically to encrypt and decrypt data. Encryption keys are created
using algorithms designed to ensure that each key is unique and
unpredictable. The longer the length of key used, the harder it is to break
the encryption code.
The HP LTO-4 method of encryption uses 256-bit AES algorithm to
encrypt data. 256-bit AES is the encryption standard currently recognized
and recommended by the US government, which allows three different
key lengths. 256-bit keys are the longest allowed by AES.
QKM uses two types of encryption algorithms:
• Symmetric
• Asymmetric
Symmetric, or secret key encryption, uses a single key for both encryption
and decryption. Symmetric key encryption is generally used for
encrypting large amounts of data in an efficient manner. 256-bit AES
encryption uses symmetric keys.
Asymmetric, or public/private encryption, uses a pair of keys. Data that
is encrypted using one key can only be decrypted using the other key in
the public/private key pair. When an asymmetric key pair is generated,
the public key is typically used to encrypt, and the private key is typically
used to decrypt.
QKM uses both symmetric and asymmetric keys—symmetric encryption
for high-speed encryption of user or host data stored on tape, and
asymmetric encryption (which is necessarily slower) for secure
communication and protecting the symmetric keys while in transit.
Encryption Certificates
Each QKM server pair uses one unique encryption certificate. The
encryption certificate contains the public key of the public/private key
Quantum Key Manager User’s Guide 4
Overview
Keystore
pair that protects data encryption keys during transit to another site. The
destination QKM server provides its public key to the source QKM server
as part of its encryption certificate, which the source QKM server uses to
wrap (encrypt) exported data encryption keys for transport. Upon
arrival, the file containing the wrapped data encryption keys can only be
unwrapped by the corresponding private key, which resides on the
destination QKM server and is never shared.
For more information, see the following:
Keystore
• Encryption Keys
• Sharing Encrypted Tapes Offsite
• Importing and Exporting Data Encryption Keys
• Importing and Exporting Encryption Certificates
The keystore contains:
• All of the data encryption keys generated by the QKM server on
which it resides. These keys are used for encrypting and decrypting
tapes.
• A copy of the data encryption keys generated by the other QKM
server in the pair.
• Data encryption keys that you imported (for example, keys that other
companies or individuals sent to you). These keys can be used to
decrypt tapes provided by the other companies or individuals.
on page 4)
on page 58
on page 57
on page 58
• Your QKM server pair’s encryption certificate
• Encryption certificates that you imported (for example, that other
companies or individuals sent to you). These are used to wrap your
data encryption keys for transit to another party to use in decrypting
tapes you may have provided to them.
• Public and private keys used for secure communication.
• Metadata (for example, which data encryption keys were used on
which tapes).
Quantum Key Manager User’s Guide 5
Mirrored Hard Disk Drives
Each QKM server contains two hard disk drives in a RAID 1 (mirrored)
configuration. The two hard disk drives are constantly being
synchronized, so that each is an exact duplicate of the other. If one hard
disk drive fails, the other one contains all the required information to
allow the server to continue to work as normal. As soon as the failed hard
disk drive is replaced, all the data on the working hard disk drive is
duplicated onto the new hard disk drive.
Why You Need to Back Up Your Keystore
Quantum requires you to back up your keystores every time you
generate data encryption keys (and before you start using these keys).
Overview
Mirrored Hard Disk Drives
Although QKM contains features designed to protect your keystore in
case of hard disk drive or server failure, these features do not cover every
situation.
In the following cases, if you have no backup, there is no way to recover
your keystores:
• If both QKM servers and all four hard disk drives were to suffer
environmental damage causing them to become inoperable, the only
way to recover your keystore is via the backup.
• If you forget your password, the only way to recover your data is to
completely replace your server and its hard disk drives, and perform
a restore from your backup.
Also, each QKM server generates its own unique data encryption keys,
meaning that the keystore on each QKM server is different. This is why
you need to back up each QKM server separately, every time a server
generates data encryption keys.
For instructions on how to perform a backup, see Backing Up the
Keystore on page 45.
Quantum Key Manager User’s Guide 6
Chapter 2
2Safety
This chapter provides some important information for handling your
server safely. Please also review the safety information in Safety
Information by IBM located on the Quantum Key Manager Documentation
CD.
This chapter covers:
• Electrical Safety
• Handling Static-Sensitive Devices
Quantum Key Manager User’s Guide 7
Electrical Safety
Safety
Electrical Safety
Warning: DANGER: Electrical current from power, telephone, and
communication cables is hazardous. To avoid a shock
hazard:
• Do not connect or disconnect any cables or perform installation,
maintenance, or reconfiguration of this product during an electrical
storm.
• Connect all power cords to a properly wired and grounded electrical
outlet.
• Connect to properly wired outlets any equipment that will be
attached to this product.
• When possible, use one hand only to connect or disconnect signal
cables.
• Never turn on any equipment when there is evidence of fire, water,
or structural damage.
• Disconnect the attached power cords, telecommunications systems,
networks, and modems before you open the device covers, unless
instructed otherwise in the installation and configuration
procedures.
• Connect and disconnect cables as described in the following table
when installing, moving, or opening covers on this product or
attached devices.
To Connect:
1. Turn everything OFF.
2. First, attach all cables to devices.
3. Attach signal cables to connectors.
4. Attach power cords to outlet.
5. Turn device
Quantum Key Manager User’s Guide 8
ON
To Disconnect:
1. Turn everything OFF.
2. First, remove power cords from outlet.
3. Remove signal cables from connectors.
4. Remove all cables from devices.
Handling Static-Sensitive Devices
Caution: Static electricity can damage the server and other
electronic devices. To avoid damage, keep static-sensitive
devices in their static-protective packages until you are
ready to install them. To reduce the possibility of damage
from electrostatic discharge, observe the following
precautions:
• Limit your movement. Movement can cause static electricity to build
up around you.
• The use of a grounding system is recommended. For example, wear
an electrostatic-discharge wrist strap, if one is available. Always use
an electrostatic-discharge wrist strap or other grounding system
when you work inside the server with the power on
• Handle the device carefully, holding it by its edges or its frame.
Safety
Handling Static-Sensitive Devices
• Do not touch solder joints, pins, or exposed circuitry.
• Do not leave the device where others can handle and damage it.
• While the device is still in its static-protective package, touch it to an
unpainted metal surface on the outside of the server for at least 2
seconds. This drains static electricity from the package and from your
body.
• Remove the device from its package and install it directly into the
server without setting down the device. If it is necessary to set down
the device, put it back into its static-protective package. Do not place
the device on the server cover or on a metal surface.
• Take additional care when you handle devices during cold weather.
Heating reduces indoor humidity and increases static electricity.
Quantum Key Manager User’s Guide 9
Chapter 3
3Planning Your QKM
Environment
Use the information in this chapter to determine the operating
environment for your QKM system. This chapter includes:
• QKM Server Requirements
• Cooling and Airflow Requirements
• Rack Considerations
• Multiple Libraries Accessing One QKM Server Pair
• Disaster Recovery Planning
QKM Server Requirements
QKM comes standard with two key servers pre-loaded with software.
One QKM server is to be used as the primary key server; the other one is
to be used as a secondary server for failover purposes, in case the primary
server stops working.
Quantum Key Manager User’s Guide 10
Planning Your QKM Environment
Cooling and Airflow Requirements
Caution: The server appliances are designed for one purpose only
— to store and manage your encryption keys. Do not
install additional hardware on the server. Never install
any software, file, or operating system on the server unless
it is an upgrade or patch supplied by Quantum. Doing so
may make your server inoperable and will void your
warranty.
• The QKM server must have IP connectivity through any firewalls to
all Quantum libraries using the QKM server to obtain LTO-4
encryption keys.
• QKM uses TCP port 6000 for the QKM server, and secure sockets
layer (SSL) is always enabled. These settings cannot be changed.
• Refer to the QKM Server Environmental Specifications
temperature and humidity requirements.
Cooling and Airflow Requirements
To maintain proper airflow and system cooling, observe the following:
• Ensure there is adequate space around the server to allow the server
cooling system to work properly. Leave approximately 2 inches
(50 mm) of open space around the front and rear of the server.
• Do not place objects in front of the fans.
• Do not leave open space above or below an installed server in your
rack cabinet. To help prevent damage to server components, always
install a filler panel to cover the open space and to help ensure proper
air circulation.
Caution: Do not operate the server for more than 10 minutes
without a drive installed in each bay.
on page 84 for
Quantum Key Manager User’s Guide 11
Caution: Do not open the server cover to adjust or fix internal
Rack Considerations
If the QKM server is installed in a rack, consider the following:
Warning: Do not place any object weighing more than 110 lb. (50 kg)
• Install the server only in a rack cabinet that has perforated doors.
• Do not block any air vents. Usually 6 in. (15 cm) of air space provides
Planning Your QKM Environment
Rack Considerations
components. If the server has a problem, contact
Quantum Service & Support for a replacement.
on top of rack-mounted devices.
proper airflow.
• Plan the device installation starting from the bottom of the rack
cabinet.
• Install the heaviest device in the bottom of the rack cabinet.
• Do not leave open space above or below an installed server in your
rack cabinet. To help prevent damage to server components, always
install a filler panel to cover the open space and to help ensure proper
air circulation.
• Do not extend more than one device out of the rack cabinet at the
same time.
• Connect all power cords to properly wired and grounded electrical
outlets.
• Do not overload the power outlet when installing multiple devices in
the rack.
Quantum Key Manager User’s Guide 12
Planning Your QKM Environment
Multiple Libraries Accessing One QKM Server Pair
Multiple Libraries Accessing One QKM Server Pair
Multiple libraries may access and use the same QKM server pair. The
only requirement is that they be available to the QKM servers through
TCP/IP connectivity. If you want to connect more than one library to a
QKM server pair, keep the following in mind:
• Each library must be licensed to use QKM. See 1. Installing the EKM
License on the Scalar i500 on page 21 or 1. Installing the EKM License
on the Scalar i2000 on page 26.
• Each library can only access one QKM server pair at a time.
• Each library triggers the QKM servers to create a unique set of data
encryption keys. When more libraries are connected to a QKM server,
more initial data encryption keys will reside in the QKM server’s
keystore.
• Each library’s set of unique data encryption keys is maintained
separately on the QKM server. When you generate more keys for a
particular library, this does not affect any of the other libraries and
their sets of encryption keys. Each library only triggers creation of its
own set of keys.
Disaster Recovery Planning
Quantum recommends that you plan for disaster recovery in the
following ways:
• Maintain each of the two QKM servers in a different geographical
location, preferably in a different city, state, or country, to mitigate
the possibility of both servers being compromised in the event of
natural disaster or theft.
Quantum Key Manager User’s Guide 13
Planning Your QKM Environment
Disaster Recovery Planning
• Back up the QKM server each time new keys are generated and store
the backups in a safe location (see Backing Up the Keystore
on
page 45).
Caution:
Do not use QKM to encrypt the sole copy of your QKM
server keystore backup.
If both servers were to fail,
you would not be able to recover the encrypted
backup and would lose all data you had stored on all
your encrypted tapes.
• Remember your password. If you lose your password, you lose login
access to the QKM server, including backup and restore capability. If
you lose your password, Quantum will not be able to recover it for
you.
• Replace a failed hard disk drive immediately. Even though the
second hard disk drive allows you to continue to operate,
redundancy is removed and a second hard disk drive failure would
cause the server to fail.
• Replace a failed server immediately. Even though the other QKM
server allows you to continue to operate, you do not want to risk the
second server failing as well.
Quantum Key Manager User’s Guide 14
Chapter 4
4Installation and Initial
Configuration
This chapter provides instructions for how to set up and configure the
QKM server. Perform the QKM server installation and configuration
steps; then perform all of the steps in the section appropriate for your
library,
This chapter contains the following sections.
• Items Required
• Installing the QKM Servers
• Configuring the QKM Servers
• Scalar i500 – Library Setup and Configuration
in order, before you begin encrypting tapes.
• Scalar i2000 – Library Setup and Configuration
Caution: The server appliances are designed for one purpose only
— to store and manage your encryption keys. Do not
install additional hardware on the server. Never install
any software, file, or operating system on the server unless
it is an upgrade or patch supplied by Quantum. Doing so
may make your server inoperable and will void your
warranty.
Quantum Key Manager User’s Guide 15
Items Required
Installation and Initial Configuration
Items Required
You need the following to install and configure each QKM server:
• QKM server (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• Ethernet cable, crossover (for initial configuration, not supplied).
• Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial
configuration.
• The most recent library firmware installed on your library.
(Minimum versions required:
• For Microsoft ® Windows®, you may need to install a utility to use
secure shell (SSH) and secure file transfer protocol (SFTP). Two such
utilities are PuTTY, available at http://
www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP,
available at http://winscp.net
Scalar i500: 570G; Scalar i2000: 595A.)
.
Installing the QKM Servers
Follow the instructions below for both QKM servers.
1 Determine the location for the servers. It is recommended that the
two servers be in different geographical locations for disaster
recovery purposes. Ensure the air temperature is below 95 °F (35 °C).
2 Install the QKM server in a rack. Follow the Rack Installation
Instructions (included with the rail kit and located on the Quantum
Key Manager Documentation CD).
3 Connect the power cord into the rear of the QKM server (see
Figure 1
Quantum Key Manager User’s Guide 16
) and plug it into a grounded power outlet.
Figure 1 Rear Panel
Power cord connector
Ethernet Port 1
(configuration)
Ethernet Port 2
(network)
Power button
Power-on LED
Installation and Initial Configuration
Installing the QKM Servers
4 Approximately 20 seconds after you connect the server to AC power,
the power button becomes active, and one or more fans might start
running loudly for about 20 seconds. Observe the Power-on LED on
the front panel of the QKM server (see Figure 2
). It should be
flashing, indicating the server is turned off and connected to an AC
power source. If the LED is not flashing, there could be a problem
with the power supply or the LED. Check the power connection. If
this LED still does not flash, contact Quantum Service & Support.
5 Turn on the QKM server by pressing the power button on the front of
the server (see Figure 2
).
Figure 2 Front Panel
6 Again observe the Power-on LED on the front panel of the QKM
server. Wait until it is on but not flashing, indicating the server is
turned on.
Wait about 3 minutes to allow the server to complete startup before you
Quantum Key Manager User’s Guide 17
connect via SSH in the next step.
Configuring the QKM Servers
Follow the instructions below for both QKM servers.
Note: Both QKM servers must be configured, operational, and
connected to the network before any libraries can be set up to
use them.
The configuration process requires you to read and accept the end user
license agreement, and then complete a setup wizard. The setup wizard
helps you configure your password, IP address, netmask, gateway, time
zone, date, and time. Before beginning, decide what you want each of
these values to be. You can also change these values in the future.
Allow 30 minutes per server to complete the configuration.
1 Set the IP address of the laptop or PC you will use to connect to the
QKM server to
Installation and Initial Configuration
Configuring the QKM Servers
192.168.18.100.
2 Connect a crossover Ethernet cable from the laptop or PC to
Port 1
on the rear of the QKM server (see Figure 1).
Note: Ethernet Port 1 is used only for configuration. Once you
perform the initial configuration, you will use Ethernet
Port 2 for QKM server communication via your network.
3 Using SSH, connect to the server using the IP address
192.168.18.3.
Note: The IP address of Ethernet Port 1 is a static IP address that
cannot be changed.
4 At the login prompt, enter the user login ID (which will never
change):
akmadmin
5 At the password prompt, enter the default password:
password
6 At the command prompt, enter:
./qkmcmds
Ethernet
Quantum Key Manager User’s Guide 18
Loading...