Quantum QKM User Manual

Quantum Key Manager
User’s Guide
Quantum Tape Libraries
6-66531-02 A
Quantum Key Manager User’s Guide, 6-66531-02, Rev A, July 2009. Product of USA.
Quantum Corporation provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Quantum Corporation may revise this publication from time to time without notice.
COPYRIGHT STATEMENT
Copyright 2009 by Quantum Corporation. All rights reserved.
Your right to copy this manual is limited by copyright law. Making copies or adaptations without prior written authorization of Quantum Corporation is prohibited by law and constitutes a punishable violation of the law.
TRADEMARK STATEMENT
Quantum, the Quantum logo, and Scalar are registered trademarks of Quantum Corporation. IBM is a trademark of International Business Machines Corporation. Windows is a registered trademark of Microsoft Corporation in the United States, or other countries (or regions), or both. UNIX is a registered trademark of The Open Group in the United States and other countries (or regions). Other trademarks may be mentioned herein which belong to other companies.

Contents

Preface
Chapter 1 Overview
  Library Managed Encryption
    Encryption-Enabled Tape Drive
    Quantum Key Manager (QKM)
    Encryption-Enabled Tape Library
  How QKM Key Management Works
  Encryption Keys
  Encryption Certificates
  Keystore
  Mirrored Hard Disk Drives
  Why You Need to Back Up Your Keystore
Chapter 2 Safety
  Electrical Safety
  Handling Static-Sensitive Devices
Chapter 3 Planning Your QKM Environment
  QKM Server Requirements
  Cooling and Airflow Requirements
  Rack Considerations
  Multiple Libraries Accessing One QKM Server Pair
  Disaster Recovery Planning
Chapter 4 Installation and Initial Configuration
  Items Required
  Installing the QKM Servers
  Configuring the QKM Servers
  Scalar i500 – Library Setup and Configuration
    1. Installing the EKM License on the Scalar i500
    2. Scheduling Sufficient Time
    3. Preparing QKM Partitions
    4. Configuring the QKM Server IP Addresses on the Library
    5. Installing the TLS Certificates on the Scalar i500
    6. Running QKM Path Diagnostics on the Scalar i500
    7. Configuring QKM Partitions and Generating Data Encryption Keys
    8. Saving the Library Configuration
    9. Backing Up the Keystores
  Scalar i2000 – Library Setup and Configuration
    1. Installing the EKM License on the Scalar i2000
    2. Scheduling Sufficient Time
    3. Preparing QKM Partitions
    4. Installing the TLS Certificates on the Scalar i2000
    5. Configuring the QKM Server IP Addresses and Generating Data Encryption Keys
    6. Running QKM Path Diagnostics on the Scalar i2000
    7. Waiting for Key Generation to Complete
    8. Configuring QKM Partitions
    9. Saving the Library Configuration
    10. Backing Up the Keystores
Chapter 5 Using the QKM Server
  QKM Server Controls, LEDs, and Connectors
    Front Panel
    Rear Panel
  Turning On the QKM Server
  Turning Off the QKM Server
  Logging in to the QKM Server
  Accessing QKM Admin Commands
    Notes on Using QKM Command Line Interface and Admin Commands
  Running the Setup Wizard
  Changing the Password
  Changing the IP Address
  Changing the Time Zone
  Changing the Date and Time
  Backing Up the Keystore
  Restoring the Keystore
  Setting the QKM Server Hostname
  Accessing QKM Server Information
    Displaying the Help Menu
    Displaying the QKM Server Software Version
    Capturing QKM Server Logs Without Stopping the Key Server
    Displaying the End User License Agreement
    Turning Trace Level Logging On and Off
Chapter 6 Using the Library to Initiate QKM Functions
  Generating Data Encryption Keys
    Generating Data Encryption Keys at Initial Setup
    Generating Data Encryption Keys When the Set is Depleted
  Importing and Exporting Data Encryption Keys
  Importing and Exporting Encryption Certificates
  Sharing Encrypted Tapes Offsite
  Running QKM Path Diagnostics
Chapter 7 Logs
  QKM Encryption Key Import Warning Log
  QKM Server Logs
    Retrieving QKM Server Logs Via the Library
    Capturing QKM Server Logs Via the Server Without Stopping the Key Server Process
    Capturing QKM Server Logs Via the Server While Stopping the Key Server Process
Chapter 8 Troubleshooting
  Library RAS Tickets
  QKM Server LED Error Indicators
  POST Beep Codes
  Common Problems
Chapter 9 Hardware Replacement Procedures
  Replacing a Hard Disk Drive
  Replacing a QKM Server and Both Hard Disk Drives
    Terminology
    Required Items
    Procedure
Chapter 10 Updating and Rolling Back QKM Server Software
  Viewing the Currently Installed Version of QKM Server Software
  Updating QKM Server Software
    Equipment Required
    Procedure
  Rolling Back QKM Server Software
    Equipment Required
    Procedure
Appendix A Specifications
  QKM Server Physical Specifications
  QKM Server Environmental Specifications
    Air Temperature
    Humidity
  QKM Server Acoustical Noise Emissions
  QKM Server Heat Output
  QKM Server Electrical Input
  Number of Data Encryption Keys Generated
  Supported Quantum Libraries
  Supported Tape Drives
  Firmware Requirements
    Library Firmware Requirements
    Tape Drive Firmware Requirements
  Supported Backup Applications
Glossary
Index

Figures

Figure 1 Rear Panel
Figure 2 Front Panel
Figure 3 Front Panel Controls, LEDs, and Connectors
Figure 4 Rear Panel Connectors
Figure 5 Rear Panel LEDs
Figure 6 QKM Admin Commands (Example)
Figure 7 Help Menu
Figure 8 LED Locations on Front of Server
Figure 9 LED Locations on Front of Server
Figure 10 Replacing a Hard Disk Drive

Preface

Audience
This book is intended for storage and security administrators responsible for security and backup of vital data, and anyone assisting in the setup and maintenance of Quantum Key Manager servers and software in the operating environment. It assumes the reader has a working knowledge of storage devices and networks.
Purpose
This book contains information to help you install, configure, and run your QKM system.
Document Organization
This document is organized as follows:
• Chapter 1, Overview, provides an overview of tape encryption and the Quantum Key Manager (QKM) components.
• Chapter 2, Safety, provides basic electrical and electrostatic safety information.
• Chapter 3, Planning Your QKM Environment, provides considerations for how to set up your QKM server environment.
• Chapter 4, Installation and Initial Configuration, provides instructions on how to set up the QKM server and configure the library to use QKM.
• Chapter 5, Using the QKM Server, provides instructions on using the QKM server hardware and general usage commands.
• Chapter 6, Using the Library to Initiate QKM Functions, provides information on how to use the library remote web client to generate, import, and export data encryption keys and encryption certificates, and how to share encrypted tapes offsite.
• Chapter 7, Logs, describes the various QKM logs and how to access them.
• Chapter 8, Troubleshooting, describes how to detect and resolve problems with the QKM server hardware or operation.
• Chapter 9, Hardware Replacement Procedures, describes how to replace a defective hard disk drive and how to replace a QKM server.
• Chapter 10, Updating and Rolling Back QKM Server Software, explains how to update and roll back QKM server software.
• Appendix A, Specifications, provides hardware and operational specifications for the QKM server.
This document concludes with a glossary and an index.
Notational Conventions
This manual uses the following conventions:
Note: Notes emphasize important information related to the main topic.
Caution: Cautions indicate potential hazards to equipment and are included to prevent damage to equipment.
Warning: Warnings indicate potential hazards to personal safety and are included to prevent injury.
Documentation and Firmware
The following publications provide information related to Quantum Key Manager. For the latest versions of library documents, visit www.quantum.com. For the latest QKM documentation and firmware updates, see www.quantum.com/serviceandsupport/softwareanddocumentationdownloads/qkm/index.aspx.
Document No. Document Title
6-66532-xx Quantum Key Manager Quick Start Guide
6-66533-xx Quantum Key Manager Rack Installation
6-66572-xx Quantum Key Manager Safety Information by IBM
6-66535-xx Quantum Key Manager Open Source License Agreement
6-01210-xx Scalar i500 User’s Guide
6-00421-xx Scalar i2000 User’s Guide
Contacts
Quantum company contacts are listed below.
Quantum Corporate Headquarters
To order documentation on Quantum Key Manager or other products contact:
Quantum Corporation
P.O. Box 57100
Irvine, CA 92619-7100
(949) 856-7800
(800) 284-5101
Technical Publications
To comment on existing documentation send an e-mail to:
doc-comments@quantum.com
Quantum Home Page
Visit the Quantum home page at:
http://www.quantum.com
Getting More Information or Help
StorageCare™, Quantum’s comprehensive service approach, leverages advanced data access and diagnostics technologies with cross-environment, multi-vendor expertise to resolve backup issues faster and at lower cost.
Accelerate service issue resolution with these exclusive Quantum StorageCare services:
• Service & Support Web site - Register products, license software, browse Quantum Learning courses, check backup software and operating system support, and locate manuals, FAQs, firmware downloads, product updates and more in one convenient location. Benefit today at: http://www.quantum.com/ServiceandSupport/Index.aspx.
• Online Service Center - Submit online service requests, update contact information, add attachments, and receive status updates via email. Online Service accounts are free from Quantum. That account can also be used to access Quantum’s Knowledge, a comprehensive repository of product support information. Sign up today at: http://www.quantum.com/osr.
For further assistance, or if training is desired, contact a Technical Assistance Center:
North America and Mexico: +1 800-827-3822
Europe, Middle East, and Africa: 00800-9999-3822
Worldwide support: http://www.quantum.com/ServiceandSupport/Contacts/Worldwide/Index.aspx
For the most up to date information on Quantum Global Services, please visit: http://www.quantum.com/ServiceandSupport/Contacts/Worldwide/Index.aspx.
Chapter 1

Overview

Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in our security-conscious world. Data encryption is a tool that answers many of these needs.
The HP LTO-4 Fibre Channel or SAS tape drive is capable of encrypting data as it is written to any LTO-4 data cartridge. Encryption is performed at full line speed in the tape drive after compression. (Compression is more effectively done before encryption.) This new capability adds a strong measure of security to stored data without the processing overhead and performance degradation associated with encryption performed on the server or the expense of a dedicated data encryption appliance.
This chapter covers:
Library Managed Encryption
How QKM Key Management Works
Encryption Keys
Encryption Certificates
Keystore
Mirrored Hard Disk Drives
Why You Need to Back Up Your Keystore

Library Managed Encryption

The library managed tape drive encryption solution is composed of three major elements:

Encryption-Enabled Tape Drive

HP LTO-4 Fibre Channel and SAS tape drives are encryption-capable. This means that they are functionally capable of performing hardware encryption, but this capability has not yet been activated. In order to perform hardware encryption, the tape drives must be encryption-enabled. They can be encryption-enabled via the tape library.
See Supported Backup Applications on page 87 for a list of which tape drives are supported by QKM on your library.

Quantum Key Manager (QKM)

Encryption involves the use of several kinds of keys, in successive layers. How these keys are generated, maintained, controlled, and transmitted depends upon the operating environment where the encrypting tape drive is installed. Some host applications are capable of performing key management. For environments without such applications or those where application agnostic encryption is desired, Quantum provides the Quantum Key Manager (QKM) solution to perform all necessary key management tasks. How QKM Key Management Works on page 3 describes these tasks in more detail.

Encryption-Enabled Tape Library

On an encryption-enabled library, tape encryption occurs automatically and transparently. The library communicates with the QKM server to obtain data encryption keys for the drives to read from or write to tapes.
Library managed encryption is provided for HP LTO-4 tape drives in a Quantum Scalar i500 or Scalar i2000 tape library. Key generation and management is performed by QKM. Data encryption keys pass from QKM to the drives via the library, making encryption transparent to applications.

How QKM Key Management Works

Quantum Key Manager (QKM) generates, protects, stores, and maintains data encryption keys that are used to encrypt information being written to, and decrypt information being read from, HP LTO-4 tape media (tape and cartridge formats).
QKM acts as a process awaiting key generation or key retrieval requests sent to it through a secure TCP/IP communication path between QKM and the tape library.
When a new data encryption key is needed, the tape drive requests a key, and the library forwards the request to the primary QKM server. The library requests a data encryption key from the primary QKM server first, unless the primary QKM server is down and failover to the secondary QKM server has occurred. If failover to the secondary QKM server occurred, then the library continues to request data encryption keys from the secondary QKM server until either the library is rebooted or the secondary server goes down and failover back to the primary occurs. After a library reboot, the library goes back to forwarding requests to the primary server.
Upon receipt of the request, QKM retrieves an existing data encryption key from the keystore and securely transfers it to the library, which then provides it to the tape drive where it is used to encrypt the data being written to tape. Once a data encryption key is assigned to a tape, it is never reused on another tape.
When an encrypted tape is read by an HP LTO-4 tape drive, the tape drive requests, via the library, the required data encryption key from the QKM server. QKM retrieves the required data encryption key from the keystore and securely transfers it to the library, which provides it to the tape drive. The HP LTO-4 tape drive uses the data encryption key to perform encryption or decryption.
No data encryption key is stored anywhere on the cartridge memory or the tape. Only the name of the data encryption key is stored on the tape, so that in the future the key can be requested for further read or write purposes. The first read/write operation on an encrypted tape requires the tape drive to request the data encryption key.
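The request flow described above, modelled as an added example (it is not Quantum code and not part of the original guide). The class names, the server names qkm-a and qkm-b, and the way each keystore receives its copy of the peer's keys are assumptions made for illustration.

```python
import secrets


class KeyServer:
    """Hypothetical stand-in for one QKM server and its keystore."""

    def __init__(self, name, key_count):
        self.name = name
        self.up = True
        # Keys are generated ahead of time and handed out on request.
        self.keys = {f"{name}-{i:04d}": secrets.token_bytes(32)  # 256-bit
                     for i in range(key_count)}
        self.unused = list(self.keys)   # key names not yet assigned to a tape
        self.peer_keys = {}             # copy of the other server's keys
        self.used_on = {}               # metadata: key name -> tape

    def _check_up(self):
        if not self.up:
            raise ConnectionError(f"{self.name} is down")

    def assign_key(self, tape):
        """Hand out a key that has never been used on any tape."""
        self._check_up()
        if not self.unused:
            raise LookupError(f"{self.name}: key set depleted")
        key_name = self.unused.pop(0)
        self.used_on[key_name] = tape
        return key_name, self.keys[key_name]

    def get_key(self, key_name):
        """Look up an existing key by the name read from the tape."""
        self._check_up()
        if key_name in self.keys:
            return self.keys[key_name]
        return self.peer_keys[key_name]


def pair(a, b):
    """Assumption: each keystore simply holds a copy of the peer's keys."""
    a.peer_keys, b.peer_keys = dict(b.keys), dict(a.keys)


class Library:
    """Hypothetical tape library that forwards drive requests to QKM."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.active = primary
        self.tape_key_name = {}   # only the key *name* is stored on a tape
        self.trace = []           # (operation, tape, server that answered)

    def reboot(self):
        # After a reboot the library goes back to the primary server.
        self.active = self.primary

    def _ask(self, request):
        # Try the active server; on failure switch to the other one and
        # stay there until it fails too or the library is rebooted.
        for _ in range(2):
            try:
                return self.active.name, request(self.active)
            except ConnectionError:
                self.active = (self.secondary if self.active is self.primary
                               else self.primary)
        raise ConnectionError("no QKM server reachable")

    def write(self, tape):
        if tape in self.tape_key_name:      # tape already has a key
            name = self.tape_key_name[tape]
            server, key = self._ask(lambda s: s.get_key(name))
        else:                               # new tape: request an unused key
            server, (name, key) = self._ask(lambda s: s.assign_key(tape))
            self.tape_key_name[tape] = name
        self.trace.append(("write", tape, server))
        return key

    def read(self, tape):
        name = self.tape_key_name[tape]
        server, key = self._ask(lambda s: s.get_key(name))
        self.trace.append(("read", tape, server))
        return key


def demo():
    primary, secondary = KeyServer("qkm-a", 3), KeyServer("qkm-b", 3)
    pair(primary, secondary)
    lib = Library(primary, secondary)
    written = {"T1": lib.write("T1")}   # primary answers
    primary.up = False
    written["T2"] = lib.write("T2")     # failover to the secondary
    primary.up = True
    written["T3"] = lib.write("T3")     # still the secondary (no reboot yet)
    lib.reboot()
    read_back = lib.read("T2")          # primary answers from its peer copy
    return lib, written, read_back
```

In this model the secondary keeps handing out its own keys after the primary has recovered, which is why a server's keystore can change without an administrator having touched that server.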

Encryption Keys

An encryption key is typically a random string of bits generated specifically to encrypt and decrypt data. Encryption keys are created using algorithms designed to ensure that each key is unique and unpredictable. The longer the length of key used, the harder it is to break the encryption code.
The HP LTO-4 method of encryption uses the 256-bit AES algorithm to encrypt data. AES is the encryption standard currently recognized and recommended by the US government, and it allows three different key lengths. 256-bit keys are the longest allowed by AES.
QKM uses two types of encryption algorithms:
• Symmetric
• Asymmetric
Symmetric, or secret key encryption, uses a single key for both encryption and decryption. Symmetric key encryption is generally used for encrypting large amounts of data in an efficient manner. 256-bit AES encryption uses symmetric keys.
Asymmetric, or public/private encryption, uses a pair of keys. Data that is encrypted using one key can only be decrypted using the other key in the public/private key pair. When an asymmetric key pair is generated, the public key is typically used to encrypt, and the private key is typically used to decrypt.
QKM uses both symmetric and asymmetric keys—symmetric encryption for high-speed encryption of user or host data stored on tape, and asymmetric encryption (which is necessarily slower) for secure communication and protecting the symmetric keys while in transit.

Encryption Certificates

Each QKM server pair uses one unique encryption certificate. The encryption certificate contains the public key of the public/private key pair that protects data encryption keys during transit to another site. The destination QKM server provides its public key to the source QKM server as part of its encryption certificate, which the source QKM server uses to wrap (encrypt) exported data encryption keys for transport. Upon arrival, the file containing the wrapped data encryption keys can only be unwrapped by the corresponding private key, which resides on the destination QKM server and is never shared.
For more information, see the following:
• Encryption Keys on page 4
• Sharing Encrypted Tapes Offsite on page 58
• Importing and Exporting Data Encryption Keys on page 57
• Importing and Exporting Encryption Certificates on page 58

Keystore

The keystore contains:
• All of the data encryption keys generated by the QKM server on which it resides. These keys are used for encrypting and decrypting tapes.
• A copy of the data encryption keys generated by the other QKM server in the pair.
• Data encryption keys that you imported (for example, keys that other companies or individuals sent to you). These keys can be used to decrypt tapes provided by the other companies or individuals.
• Your QKM server pair’s encryption certificate.
• Encryption certificates that you imported (for example, that other companies or individuals sent to you). These are used to wrap your data encryption keys for transit to another party to use in decrypting tapes you may have provided to them.
• Public and private keys used for secure communication.
• Metadata (for example, which data encryption keys were used on which tapes).

Mirrored Hard Disk Drives

Each QKM server contains two hard disk drives in a RAID 1 (mirrored) configuration. The two hard disk drives are constantly being synchronized, so that each is an exact duplicate of the other. If one hard disk drive fails, the other one contains all the required information to allow the server to continue to work as normal. As soon as the failed hard disk drive is replaced, all the data on the working hard disk drive is duplicated onto the new hard disk drive.

Why You Need to Back Up Your Keystore

Quantum requires you to back up your keystores every time you generate data encryption keys (and before you start using these keys).
Although QKM contains features designed to protect your keystore in case of hard disk drive or server failure, these features do not cover every situation.
In the following cases, if you have no backup, there is no way to recover your keystores:
• If both QKM servers and all four hard disk drives were to suffer environmental damage causing them to become inoperable, the only way to recover your keystore is via the backup.
• If you forget your password, the only way to recover your data is to completely replace your server and its hard disk drives, and perform a restore from your backup.
Also, each QKM server generates its own unique data encryption keys, meaning that the keystore on each QKM server is different. This is why you need to back up each QKM server separately, every time a server generates data encryption keys.
For instructions on how to perform a backup, see Backing Up the Keystore on page 45.
Chapter 2

Safety

This chapter provides some important information for handling your server safely. Please also review the safety information in Safety Information by IBM located on the Quantum Key Manager Documentation CD.
This chapter covers:
Electrical Safety
Handling Static-Sensitive Devices

Electrical Safety

Warning: DANGER: Electrical current from power, telephone, and communication cables is hazardous. To avoid a shock hazard:
• Do not connect or disconnect any cables or perform installation, maintenance, or reconfiguration of this product during an electrical storm.
• Connect all power cords to a properly wired and grounded electrical outlet.
• Connect to properly wired outlets any equipment that will be attached to this product.
• When possible, use one hand only to connect or disconnect signal cables.
• Never turn on any equipment when there is evidence of fire, water, or structural damage.
• Disconnect the attached power cords, telecommunications systems, networks, and modems before you open the device covers, unless instructed otherwise in the installation and configuration procedures.
• Connect and disconnect cables as described in the following table when installing, moving, or opening covers on this product or attached devices.
To Connect:
1. Turn everything OFF.
2. First, attach all cables to devices.
3. Attach signal cables to connectors.
4. Attach power cords to outlet.
5. Turn device ON.
To Disconnect:
1. Turn everything OFF.
2. First, remove power cords from outlet.
3. Remove signal cables from connectors.
4. Remove all cables from devices.

Handling Static-Sensitive Devices

Caution: Static electricity can damage the server and other electronic devices. To avoid damage, keep static-sensitive devices in their static-protective packages until you are ready to install them. To reduce the possibility of damage from electrostatic discharge, observe the following precautions:
• Limit your movement. Movement can cause static electricity to build up around you.
• The use of a grounding system is recommended. For example, wear an electrostatic-discharge wrist strap, if one is available. Always use an electrostatic-discharge wrist strap or other grounding system when you work inside the server with the power on.
• Handle the device carefully, holding it by its edges or its frame.
• Do not touch solder joints, pins, or exposed circuitry.
• Do not leave the device where others can handle and damage it.
• While the device is still in its static-protective package, touch it to an unpainted metal surface on the outside of the server for at least 2 seconds. This drains static electricity from the package and from your body.
• Remove the device from its package and install it directly into the server without setting down the device. If it is necessary to set down the device, put it back into its static-protective package. Do not place the device on the server cover or on a metal surface.
• Take additional care when you handle devices during cold weather. Heating reduces indoor humidity and increases static electricity.
Chapter 3
Planning Your QKM Environment
Use the information in this chapter to determine the operating environment for your QKM system. This chapter includes:
QKM Server Requirements
Cooling and Airflow Requirements
Rack Considerations
Multiple Libraries Accessing One QKM Server Pair
Disaster Recovery Planning

QKM Server Requirements

QKM comes standard with two key servers pre-loaded with software. One QKM server is to be used as the primary key server; the other one is to be used as a secondary server for failover purposes, in case the primary server stops working.
Caution: The server appliances are designed for one purpose only: to store and manage your encryption keys. Do not install additional hardware on the server. Never install any software, file, or operating system on the server unless it is an upgrade or patch supplied by Quantum. Doing so may make your server inoperable and will void your warranty.
• The QKM server must have IP connectivity through any firewalls to all Quantum libraries using the QKM server to obtain LTO-4 encryption keys.
• QKM uses TCP port 6000 for the QKM server, and secure sockets layer (SSL) is always enabled. These settings cannot be changed.
• Refer to the QKM Server Environmental Specifications on page 84 for temperature and humidity requirements.
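The following check is an added example, not part of the Quantum guide or the QKM software. Run from a host on the same network segment as a library, it tests whether TCP port 6000 on both QKM servers is reachable through the firewalls. It covers TCP reachability only, not the SSL session; the two default addresses are placeholders, and the interpretation of each result is an assumption of this example.

```python
import socket
import sys

QKM_PORT = 6000  # fixed QKM server port per the guide; cannot be changed

# What each probe result usually means for the firewall path (this
# interpretation is an assumption of the example, not text from the guide).
HINTS = {
    "open": "TCP 6000 reachable",
    "refused": "host answered but nothing accepts TCP 6000 (service down or firewall reject)",
    "filtered": "no answer before timeout (firewall drop or wrong route)",
    "unreachable": "address did not resolve or other network error",
}


def probe(host, port=QKM_PORT, timeout=3.0):
    """Classify one TCP connection attempt toward a QKM server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def check_pair(primary, secondary, port=QKM_PORT, timeout=3.0):
    """Probe both servers; failover needs the secondary reachable as well."""
    result = {
        "primary": probe(primary, port, timeout),
        "secondary": probe(secondary, port, timeout),
    }
    result["failover_ready"] = (
        result["primary"] == "open" and result["secondary"] == "open"
    )
    return result


if __name__ == "__main__":
    # Placeholder addresses (documentation range); pass the real pair as arguments.
    hosts = sys.argv[1:3] if len(sys.argv) == 3 else ["192.0.2.10", "192.0.2.11"]
    report = check_pair(*hosts)
    for role in ("primary", "secondary"):
        print(f"{role}: {report[role]} ({HINTS[report[role]]})")
    sys.exit(0 if report["failover_ready"] else 1)
```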

Cooling and Airflow Requirements

To maintain proper airflow and system cooling, observe the following:
• Ensure there is adequate space around the server to allow the server cooling system to work properly. Leave approximately 2 inches (50 mm) of open space around the front and rear of the server.
• Do not place objects in front of the fans.
• Do not leave open space above or below an installed server in your rack cabinet. To help prevent damage to server components, always install a filler panel to cover the open space and to help ensure proper air circulation.
Caution: Do not operate the server for more than 10 minutes without a drive installed in each bay.
Caution: Do not open the server cover to adjust or fix internal components. If the server has a problem, contact Quantum Service & Support for a replacement.

Rack Considerations

If the QKM server is installed in a rack, consider the following:
Warning: Do not place any object weighing more than 110 lb. (50 kg) on top of rack-mounted devices.
• Install the server only in a rack cabinet that has perforated doors.
• Do not block any air vents. Usually 6 in. (15 cm) of air space provides proper airflow.
• Plan the device installation starting from the bottom of the rack cabinet.
• Install the heaviest device in the bottom of the rack cabinet.
• Do not leave open space above or below an installed server in your rack cabinet. To help prevent damage to server components, always install a filler panel to cover the open space and to help ensure proper air circulation.
• Do not extend more than one device out of the rack cabinet at the same time.
• Connect all power cords to properly wired and grounded electrical outlets.
• Do not overload the power outlet when installing multiple devices in the rack.

Multiple Libraries Accessing One QKM Server Pair

Multiple libraries may access and use the same QKM server pair. The only requirement is that they be available to the QKM servers through TCP/IP connectivity. If you want to connect more than one library to a QKM server pair, keep the following in mind:
• Each library must be licensed to use QKM. See 1. Installing the EKM License on the Scalar i500 on page 21 or 1. Installing the EKM License on the Scalar i2000 on page 26.
• Each library can only access one QKM server pair at a time.
• Each library triggers the QKM servers to create a unique set of data encryption keys. When more libraries are connected to a QKM server, more initial data encryption keys will reside in the QKM server’s keystore.
• Each library’s set of unique data encryption keys is maintained separately on the QKM server. When you generate more keys for a particular library, this does not affect any of the other libraries and their sets of encryption keys. Each library only triggers creation of its own set of keys.

Disaster Recovery Planning

Quantum recommends that you plan for disaster recovery in the following ways:
• Maintain each of the two QKM servers in a different geographical location, preferably in a different city, state, or country, to mitigate the possibility of both servers being compromised in the event of natural disaster or theft.
• Back up the QKM server each time new keys are generated and store the backups in a safe location (see Backing Up the Keystore on page 45).
Caution: Do not use QKM to encrypt the sole copy of your QKM server keystore backup. If both servers were to fail, you would not be able to recover the encrypted backup and would lose all data you had stored on all your encrypted tapes.
• Remember your password. If you lose your password, you lose login access to the QKM server, including backup and restore capability. If you lose your password, Quantum will not be able to recover it for you.
• Replace a failed hard disk drive immediately. Even though the second hard disk drive allows you to continue to operate, redundancy is removed and a second hard disk drive failure would cause the server to fail.
• Replace a failed server immediately. Even though the other QKM server allows you to continue to operate, you do not want to risk the second server failing as well.
Chapter 4
Installation and Initial Configuration
This chapter provides instructions for how to set up and configure the QKM server. Perform the QKM server installation and configuration steps; then perform all of the steps in the section appropriate for your library, in order, before you begin encrypting tapes.
This chapter contains the following sections:
• Items Required
• Installing the QKM Servers
• Configuring the QKM Servers
• Scalar i500 – Library Setup and Configuration
• Scalar i2000 – Library Setup and Configuration
Caution: The server appliances are designed for one purpose only: to store and manage your encryption keys. Do not install additional hardware on the server. Never install any software, file, or operating system on the server unless it is an upgrade or patch supplied by Quantum. Doing so may make your server inoperable and will void your warranty.

Items Required

You need the following to install and configure each QKM server:
• QKM server (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• Ethernet cable, crossover (for initial configuration, not supplied).
• Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial configuration.
• The most recent library firmware installed on your library. (Minimum versions required: Scalar i500: 570G; Scalar i2000: 595A.)
• For Microsoft® Windows®, you may need to install a utility to use secure shell (SSH) and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at http://winscp.net.

Installing the QKM Servers

Follow the instructions below for both QKM servers.
1 Determine the location for the servers. It is recommended that the two servers be in different geographical locations for disaster recovery purposes. Ensure the air temperature is below 95 °F (35 °C).
2 Install the QKM server in a rack. Follow the Rack Installation Instructions (included with the rail kit and located on the Quantum Key Manager Documentation CD).
3 Connect the power cord into the rear of the QKM server (see Figure 1) and plug it into a grounded power outlet.
Figure 1 Rear Panel (callouts: Power cord connector; Ethernet Port 1 (configuration); Ethernet Port 2 (network))
4 Approximately 20 seconds after you connect the server to AC power, the power button becomes active, and one or more fans might start running loudly for about 20 seconds. Observe the Power-on LED on the front panel of the QKM server (see Figure 2). It should be flashing, indicating the server is turned off and connected to an AC power source. If the LED is not flashing, there could be a problem with the power supply or the LED. Check the power connection. If this LED still does not flash, contact Quantum Service & Support.
5 Turn on the QKM server by pressing the power button on the front of the server (see Figure 2).
Figure 2 Front Panel (callouts: Power button; Power-on LED)
6 Again observe the Power-on LED on the front panel of the QKM server. Wait until it is on but not flashing, indicating the server is turned on.
Wait about 3 minutes to allow the server to complete startup before you connect via SSH in the next step.

Configuring the QKM Servers

Follow the instructions below for both QKM servers.
Note: Both QKM servers must be configured, operational, and connected to the network before any libraries can be set up to use them.
The configuration process requires you to read and accept the end user license agreement, and then complete a setup wizard. The setup wizard helps you configure your password, IP address, netmask, gateway, time zone, date, and time. Before beginning, decide what you want each of these values to be. You can also change these values in the future.
Allow 30 minutes per server to complete the configuration.
1 Set the IP address of the laptop or PC you will use to connect to the QKM server to 192.168.18.100.
2 Connect a crossover Ethernet cable from the laptop or PC to Ethernet Port 1 on the rear of the QKM server (see Figure 1).
Note: Ethernet Port 1 is used only for configuration. Once you perform the initial configuration, you will use Ethernet Port 2 for QKM server communication via your network.
3 Using SSH, connect to the server using the IP address 192.168.18.3.
Note: The IP address of Ethernet Port 1 is a static IP address that cannot be changed.
4 At the login prompt, enter the user login ID (which will never change):
akmadmin
5 At the password prompt, enter the default password:
password
6 At the command prompt, enter:
./qkmcmds