This quick start guide provides basic installation and configuration
instructions for the Scalar® Key Manager (SKM). SKM can be deployed in
one of two ways:
• a pair of physical appliances (servers) purchased from Quantum, or
• a pair of virtual machines (VMs) installed in a VMware® or KVM
environment.
Definition of terms: This guide uses the following terms to differentiate
between the two types of deployment:
• SKM appliance server — Physical key server purchased from
Quantum.
• SKM VM server — Virtual machine key server purchased from
Quantum and installed in a VMware or KVM environment.
• SKM server — Generic term applying to either an SKM appliance server
or an SKM VM server.
These instructions guide you through installing and configuring both
options. For more information, see the Scalar Key Manager User’s Guide
located at http://www.quantum.com/ServiceandSupport/SoftwareandDocumentationDownloads/SKM/Index.aspx.
(Scroll down and click the Documentation tab, and then locate the Product Use Guides
heading.)
Perform all of the steps, in order, before you begin encrypting tapes.
This instruction uses the following conventions:
Note: Notes emphasize important information related to the main topic.
Caution: Cautions indicate potential hazards to equipment and are
included to prevent damage to equipment.
Scalar Key Manager 2.5
Installing and Configuring the SKM Appliance Servers
Follow the instructions in this section if you are deploying a pair of physical SKM
appliance servers.
Caution: The SKM appliance servers are designed for one purpose only—to store and
manage your encryption keys. Do not install additional hardware on the
servers. Never install any software, file, or operating system on the servers
unless it is an upgrade or patch supplied by Quantum. Doing so can make
your server inoperable and will void your warranty.
Items Required for Setup
You need the following to install and configure each SKM appliance server:
• (2) SKM appliance servers (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• CAT5e or higher Ethernet cable, crossover (for initial configuration, not supplied).
• CAT5e or higher Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial configuration.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.
Library            Minimum Firmware Required
Scalar i40/i80     120G
Scalar i500        570G
Scalar i2000       595A
Scalar i6000       600A
Scalar i3          110G (Note: Requires SKM 2.4 (240Q) or later)
Scalar i6          110G (Note: Requires SKM 2.4 (240Q) or later)
• For Microsoft® Windows®, you may need to install utilities to use secure shell (SSH)
and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at
http://winscp.net.
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.
Installing the SKM Appliance Servers
Follow the instructions below for both SKM appliance servers.
Caution: Do not remove any hard drive from the appliance server unless it is failed or
you are instructed to do so by Quantum service. Removing any hard drive
may render it unusable.
1 Determine the location for the servers. It is recommended that the two servers be in
different geographical locations for disaster recovery purposes. Ensure the air
temperature is below 95 °F (35 °C).
2 Install the SKM appliance server in a rack. Follow the Scalar Key Manager Rack
instruction sheet (included with the rail kit and located at http://
3 Connect the power cord into the rear of the SKM appliance server (see Figure 1) and
plug it into a grounded power outlet.
Depending on the server model you have, it will take 20 seconds to 3 minutes for
the power button to become active. During this time, one or more fans might run loudly
and then quiet down. On some models, the power-on LED on the front panel (see
Figure 2) blinks rapidly (4 times per second), indicating the power button is not
active yet.
Quantum Scalar Key Manager 2.5 Quick Start Guide
Figure 1 SKM Appliance Server Rear Panel
The rear of your server looks like one of the drawings below.
[Figure: rear-panel drawings for server models M2 and earlier, M3 and M4, M5, and M6, each labeled with the power cord connector, Ethernet Port 1 (configuration), and Ethernet Port 2 (network).]
4 Observe the power-on LED on the front panel (see Figure 2). Wait until the power-on
LED blinks slowly to indicate that the power button is active.
If the power-on LED is not blinking, there could be a problem with the power supply
or the LED. Check the power connection. If this LED still does not blink, contact
Quantum Support.
Figure 2 Front Panel
[Figure: front-panel drawings for server models M3 and earlier, M4 and later, M5, and M6, showing the power button and power-on LED.]
5 Power on the SKM appliance server by pressing the power button on the front of
the server (see Figure 2).
6 Again, observe the power-on LED on the front panel. Wait until it is illuminated but
not blinking, indicating the server is powered on.
7 Wait about 3 minutes to allow the server to complete startup before you connect via
SSH in the next step.
Configuring the SKM Appliance Servers
Follow the instructions below for both SKM appliance servers.
Note: Both SKM appliance servers must be configured, operational, and connected to
the network before any libraries can be set up to use them.
Configuration requires you to read and accept the end user license agreement, and then
complete a setup wizard to configure the following values. Before beginning, decide
what each value should be. (You can change these values in the future, if desired.)
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.
1 Set the IP address of the laptop or PC you will use to connect to the SKM appliance
server to 192.168.18.100.
2 Connect a CAT5e crossover Ethernet cable from the laptop or PC to Ethernet Port 1
on the rear of the SKM server (see Figure 1 on page 4).
Note: Ethernet Port 1 is used only for configuration. Once you perform the initial
configuration, you will use Ethernet Port 2 for SKM appliance server
communication via your network.
3 Using SSH, connect to the server using the IP address for Ethernet Port 1:
192.168.18.3.
Note: The IP address of Ethernet Port 1 is a static IP address that cannot be
changed.
4 At the login prompt, type the following (this is the user login ID which will never
change):
akmadmin
5 At the Password prompt, type the default password:
password
6 At the akmadmin@skmserver prompt, type the following:
./skmcmds
7 At the Password prompt, type the default password again:
password
The End User License Agreement displays.
8 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type y to accept and continue or n to decline and stop the installation process.
9 Press <Enter> to begin the setup wizard.
10 The first setup wizard task prompts you to change the akmadmin password (see
Figure 3). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to SKM Admin commands, including backup
and restore.
Figure 3 Changing the Password
Caution: EXTREMELY IMPORTANT: Remember Your Password!
If you change the password from the default and forget it, there is
no way to retrieve it!
Each SKM server has its own password. If you set them differently,
you must remember both.
If you forget your password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.
Charges may apply for replacement of an SKM appliance server
required due to changing and then forgetting the password.
• If you do not wish to change the password at this time, just press <Enter> at the
“change password” prompts and the default password (password) remains.
You can change the password at any time later using SKM Admin Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type a new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.
11 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, SKM server IP address, netmask, and gateway. If you press <Enter>
without entering a value, the existing value remains.
Note: To ensure proper TLS certificate generation, Quantum recommends setting
both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.)
Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.
The IP address you are configuring is for Ethernet Port 2, the port you will be using
for network connection to SKM.
Ethernet Port 1 IP Address (never changes): 192.168.18.3
Ethernet Port 2 Default IP Address: 192.168.20.4 or 192.168.18.4 depending on
the server version
Note: Ports are identified on the back of the server as Port 1 and Port 2, but when
configuring SKM through the console the ports are referred to onscreen as
Ports 0 and 1 respectively. (That is, labeled Port 1 = Port 0 in the console,
and labeled Port 2 = Port 1 in the console.)
Note: The netmask must match the netmask and gateway of the connected
libraries.
12 When the setup wizard is complete, press <Enter>.
The list of SKM Admin commands displays (see Figure 4). If you made any mistakes
during the setup wizard, you can go back and change them by entering the number
corresponding to the item.
Figure 4 SKM Admin Commands
13 Type q and press <Enter> at the command prompt to quit, save your changes, and
restart the SKM key server. This process takes a few seconds. Wait until the
akmadmin@skmserver prompt appears.
Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.
14 Disconnect the CAT5e crossover Ethernet cable from Ethernet Port 1 (see Figure 1
on page 4).
15 On the laptop you are using to configure SKM, change the hard-coded IP address
back to DHCP.
16 Connect a standard CAT5e Ethernet cable from Ethernet Port 2 on the back of the
SKM appliance server to your network (see Figure 1 on page 4). You will connect to
this port using the IP address assigned in Step 11 above.
17 Complete steps 1-16 on the secondary SKM node before proceeding.
18 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.
Note: You can see the version of software you are running at the top of the SKM
Admin Commands menu. To view the software version without accessing
SKM Admin Commands, refer to “Viewing the SKM Server Software
Version” in the SKM User’s Guide.
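Added example (not part of the Quantum guide and not Quantum code): a Python pre-flight check, run from the laptop or another host on the library network, that validates the setup-wizard values planned for both SKM servers against the rules stated above and then tests TCP ports 80, 6000 and 6001. The ServerPlan structure, the function names, and the sample addresses and time zones are assumptions made for illustration.

```python
"""Pre-flight check for a planned SKM server pair (added example, not Quantum code)."""
import ipaddress
import socket
import sys
from dataclasses import dataclass

# Values stated in this guide.
SKM_TCP_PORTS = (80, 6000, 6001)                        # SKM server communication
PORT1_CONFIG_IP = ipaddress.ip_address("192.168.18.3")  # static configuration port


@dataclass
class ServerPlan:
    """Setup-wizard answers for one SKM server (hypothetical structure)."""
    name: str
    ip: str         # address planned for Ethernet Port 2
    netmask: str
    gateway: str
    time_zone: str


def check_server(plan, library_netmask):
    """Return a list of problems with one server's planned network values."""
    try:
        iface = ipaddress.ip_interface(f"{plan.ip}/{plan.netmask}")
        gateway = ipaddress.ip_address(plan.gateway)
        lib_mask = ipaddress.ip_network(f"0.0.0.0/{library_netmask}").netmask
    except ValueError as exc:
        return [f"{plan.name}: invalid address or netmask ({exc})"]
    issues = []
    if iface.netmask != lib_mask:
        issues.append(f"{plan.name}: netmask {iface.netmask} does not match "
                      f"the libraries' netmask {lib_mask}")
    if gateway not in iface.network:
        issues.append(f"{plan.name}: gateway {gateway} is outside {iface.network}")
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        issues.append(f"{plan.name}: {iface.ip} is not a usable host address")
    if iface.ip == PORT1_CONFIG_IP:
        issues.append(f"{plan.name}: {iface.ip} is the fixed Ethernet Port 1 address")
    return issues


def validate_pair(primary, secondary, library_netmask):
    """Check both plans plus the cross-server rules from the guide."""
    issues = check_server(primary, library_netmask)
    issues += check_server(secondary, library_netmask)
    if primary.ip == secondary.ip:
        issues.append(f"both servers use {primary.ip} (default left unchanged?)")
    if primary.time_zone != secondary.time_zone:
        issues.append("time zones differ; the guide recommends the primary's date, "
                      "time and time zone on both servers for TLS certificate generation")
    return issues


def check_ports(host, ports=SKM_TCP_PORTS, timeout=3.0):
    """Try a TCP connect to each port; tests the client-to-server direction only."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    # Constructed sample plan: the secondary was left at the default address
    # and given its local time zone.
    primary = ServerPlan("primary", "192.168.20.4", "255.255.255.0",
                         "192.168.20.1", "America/Denver")
    secondary = ServerPlan("secondary", "192.168.20.4", "255.255.255.0",
                           "192.168.20.1", "Europe/Berlin")
    for issue in validate_pair(primary, secondary, library_netmask="255.255.255.0"):
        print("PLAN:", issue)
    # Optional: pass SKM server addresses on the command line to test the ports.
    for host in sys.argv[1:]:
        for port, is_open in check_ports(host).items():
            print(f"{host}:{port} {'open' if is_open else 'UNREACHABLE'}")
```

Run the port test from the network segment the libraries use, once each server is cabled on Ethernet Port 2; a successful connect shows only that the path toward the SKM server is open.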
Installing and Configuring the SKM VMware Servers
Note: Quantum provides support for SKM; however, Quantum does not support the
virtual environment hardware or software (VMware or KVM).
Follow the instructions in this section if you are deploying a pair of SKM VM servers for
installation in a VMware environment.
Perform all the instructions in this section for each SKM VM server. Use a different
installation CD for each VM.
Caution: It is recommended that the two SKM VM servers be installed in different
physical locations to provide better protection in case of disaster.
Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by
Quantum.
Equipment and Software Needed for VMware
You need the following to set up and configure the SKM VM servers:
• Two (2) Scalar Key Manager VM Installation CD packages. You must use a different
CD package for each SKM server. Each CD package contains:
• SKM VM server software (.ova image)
• SKM server Quantum-provided TLS communication certificate bundle (.tgz file)
• Printed label on the CD case containing a unique serial number, MAC ID and
license key (required for installation)
• VMware® vSphere™ Client installed on a computer. The computer may be the same
as the server that hosts the VM but it does not have to be. The vSphere Client is
required for initial setup; after that, you can use vSphere Client or another method
to access the SKM VM server.
Note: The instructions in this section use vSphere Client version 5.0. If you use a
different version of vSphere, the instructions may differ.
• Resources required for each SKM VM server:
• (1) Ethernet interface
• (1) CD ROM drive
• 1 GB RAM
• 8 GB of disk space
• VM host software must be one of the following:
• VMware ESX 4.x (64 bit) and higher
• VMware ESXi 4.x (64 bit) and higher
• Video memory must be set to 3 MB.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.
Library            Minimum Firmware Required
Scalar i40/i80     120G
Scalar i500        570G
Scalar i2000       595A
Scalar i6000       600A
Scalar i3          110G (Note: Requires SKM 2.4 (240Q) or later)
Scalar i6          110G (Note: Requires SKM 2.4 (240Q) or later)
• If you plan to connect to the SKM VM server (now or in the future) via a Microsoft
Windows machine, you may need to install utilities to use secure shell (SSH) and
secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at
http://winscp.net.
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.
Deploying the .ova Image on VMware
Follow the instructions below for both SKM VM servers. The .ova installation process is
performed via VMware’s vSphere Client.
1 Insert the Scalar Key Manager VM Installation CD into your computer’s CD ROM
drive.
2 You may copy the .ova image to a shared network drive for faster deployment if you
wish.
3 Launch vSphere Client.
4 Log on to the VM host.
5 Highlight the IP address of the VM host.
6 Select File > Deploy OVF Template.
The Deploy OVF Template wizard opens.
7 Complete the wizard screens and click Finish when done.
A progress bar displays on the screen. When complete, the SKM VM server name
appears in the list of VMs on the screen. Deployment takes a few minutes to several
hours depending on network speed and location of the .ova image in relation to the
VM host. Wait until the file deploys before continuing.
Configuring the SKM VM Servers on VMware
Follow the instructions below for both SKM VM servers.
Note: Both SKM VM servers must be configured, operational, and connected to the
network before any libraries can be set up to use them.
Caution: You must use a different CD package for each VM server. Keep track of
which CD you use for which SKM server. It is recommended that you keep
each CD in its respective CD case and write on the case which server it
applies to. The TLS certificates and serial number/MAC ID/license key are
unique and you must use the correct ones if you ever need to reinstall the
SKM server. Also, if you accidentally use the same CD package for both VM
servers, you will not be able to complete the configuration.
The configuration process requires you to read and accept the end user license
agreement, and then complete a setup wizard. The setup wizard helps you configure
the following values. Before beginning, decide what you want each of these values to
be. You can also change these values in the future.
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.
1 Using vSphere Client, make sure the SKM VM server you just created is powered OFF
(right-click the VM server, select Power, then select Power Off).
2 Right-click the SKM VM server and select Edit Settings.
3 Configure the MAC address as follows (see Figure 5):
a Under the Hardware tab, select Network adapter 1.
b Under MAC Address, select Manual.
c In the MAC Address field, type the MAC ID from the label attached to the CD
case of the CD from which you deployed the .ova image.
d Click OK.
Figure 5 Configuring the MAC Address (Example)
4 Configure the video memory as follows:
a Right-click the SKM VM server and select Edit Settings.
b Under the Hardware tab, select Video card (see Figure 6).
c On the right side of the screen, under Enter total video RAM, change the
setting to 3 MB.
d Click OK.
Figure 6 Video Card Settings
5 Power ON the SKM VM server (right-click the SKM VM server in the left panel, select
Power, then select Power On).
6 Highlight the SKM VM server in the left panel.
7 In the right panel, click the Console tab. Wait a few moments for the software to
load.
Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.
Note: If you receive the following error message when trying to use the console,
follow the workaround steps listed below.
Error message: This kernel requires an x86-64 CPU, but only detected an xxxx
CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If
so, change the host BIOS processor settings as follows, then follow the
onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable
8 At the skmserver login prompt, type the following (this is the user login ID which
will never change):
akmadmin
9 At the Password prompt, type the default password:
password
10 At the akmadmin@skmserver prompt, type:
./skmcmds
11 At the Password prompt, type the default password:
password
12 When prompted for the license, type the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova image,
and press <Enter>. The license is not case sensitive.
The license file is created.
13 When prompted, press <Enter>.
The End User License Agreement displays.
14 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type y to accept and continue or n to decline and stop the installation process.
15 When prompted, press <Enter> to set up the server.
16 The first setup wizard task prompts you to change the akmadmin password (see
Figure 7). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to commands, including backup and restore.
Figure 7 Changing the Password
Caution: EXTREMELY IMPORTANT: Remember Your Password!
If you change the password from the default and forget it, there is
no way to retrieve it!
Each SKM server has its own password. If you set them differently,
you must remember both.
If you forget the password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.
• If you do not wish to change the password at this time, just press <Enter> at
the password prompt and the default password (password) remains
unchanged. You can change the password at any time later using SKM Admin
Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type the new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.
17 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, IP address, netmask, and gateway. If you press <Enter> without
entering a value, the existing value remains.
Note: To ensure proper TLS certificate generation, Quantum recommends setting
both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.)
Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.
Note: The default SKM VM server IP address is: 192.168.20.4.
18 When finished press <Enter>.
A message lets you know there are no certificates loaded on the SKM server.
19 Press <Enter>.
The list of SKM Admin commands displays (see Figure 8). If you made any mistakes
during the setup wizard, you can go back and change them by typing the number
corresponding to the item you want to change at the command prompt.
Figure 8 SKM Admin Commands
20 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.
Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.
21 Complete steps 1-20 on the secondary SKM node before proceeding.
22 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.
Caution: Do NOT power on the VM instance yet. Wait until you configure the
MAC ID per the instructions below. Otherwise, you will have problems
with the MAC address later.
Installing and Configuring the SKM KVM Servers
Note: Quantum provides support for SKM; however, Quantum does not support the
virtual environment hardware or software (VMware or KVM).
Follow the instructions in this section if you are deploying a pair of SKM VM servers for
installation in a KVM environment.
Perform all the instructions in this section for each SKM VM server. Use a different
installation CD for each VM.
Caution: It is recommended that the two SKM VM servers be installed in different
physical locations to provide better protection in case of disaster.
Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by
Quantum.
Equipment and Software Needed for KVM
You need the following to set up and configure the SKM VM servers:
• Two (2) Scalar Key Manager VM Installation CD packages. You must use a different
CD package for each SKM server. Each CD package contains:
• SKM VM server software (.raw.bz2 image)
• SKM server Quantum-provided TLS communication certificate bundle (.tgz file)
• Printed label on the CD case containing a unique serial number, MAC ID, and
license key (required for installation)
• QEMU-KVM installed on a computer. The computer may be the same as the server
that hosts the VM but it does not have to be. Access to QEMU-KVM is required for
initial setup.
• Resources required for each SKM VM server:
• (1) Ethernet interface
• (1) CD ROM drive
• 1 GB RAM
• 8 GB of disk space
• KVM host software must be Virtual Machine Manager 0.9.0 or higher
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.
Library            Minimum Firmware Required
Scalar i40/i80     120G
Scalar i500        570G
Scalar i2000       595A
Scalar i6000       600A
Scalar i3          110G (Note: Requires SKM 2.4 (240Q) or later)
Scalar i6          110G (Note: Requires SKM 2.4 (240Q) or later)
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.
Deploying the .raw Image on KVM
Follow the instructions below for both SKM VM servers. The .raw installation process is
performed via QEMU-KVM.
1 Insert the Scalar Key Manager VM Installation CD into your computer’s CD ROM
drive.
2 Decompress the .raw.bz2 image file to a known location. You may copy the image
to a shared network drive for faster deployment if you wish.
For example: bunzip2 5-01071-01_220Q.GC00300.raw.bz2
3 Launch QEMU-KVM.
4 Log on to the VM host.
5 Under the local host, right-click and select New.
The New VM wizard opens.
6 In the Name field, type the name of the new virtual machine.
7 Select Import existing disk image and click Forward.
8 Click Browse and navigate to the .raw file.
9 For OS type select Linux and for Version select Ubuntu [version] (Lucid Lynx).
Click Forward.
10 For Memory (RAM) select 1024 and for CPUs select 2. Click Forward.
11 For Advanced Options select the host device which corresponds with your virtual
network interface.
12 Select Set a fixed MAC address and enter the MAC address provided on the
installation CD. Ensure Virt Type is set to kvm and the Architecture is set to the
default value.
13 Click Finish when done.
A progress bar displays on the screen. When complete, the SKM VM server name
appears in the list of VMs on the screen. Deployment takes a few minutes to several
hours depending on network speed and location of the .ova image in relation to the
VM host. Wait until the file deploys before continuing.
Caution: Do NOT power on the VM instance yet. Wait until you configure the
MAC ID per the instructions below. Otherwise, you will have problems
with the MAC address later.
Configuring the SKM VM Servers on KVM
Follow the instructions below for both SKM VM servers.
Note: Both SKM VM servers must be configured, operational, and connected to the
network before any libraries can be set up to use them.
Caution: You must use a different CD package for each VM server. Keep track of
which CD you use for which SKM server. It is recommended that you keep
each CD in its respective CD case and write on the case which server it
applies to. The TLS certificates and serial number/MAC ID/license key are
unique and you must use the correct ones if you ever need to reinstall the
SKM server. Also, if you accidentally use the same CD package for both VM
servers, you will not be able to complete the configuration.
The configuration process requires you to read and accept the end user license
agreement, and then complete a setup wizard. The setup wizard helps you configure
the following values. Before beginning, decide what you want each of these values to
be. You can also change these values in the future.
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.
1 Power ON the SKM VM server (right-click the SKM VM server in the left panel, select
Power, then select Power On).
2 Highlight the SKM VM server in the left panel.
3 In the right panel, click the Console tab. Wait a few moments for the software to
load.
Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.
Note: If you receive the following error message when trying to use the console,
follow the workaround steps listed below.
Error message: This kernel requires an x86-64 CPU, but only detected an xxxx
CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If
so, change the host BIOS processor settings as follows, then follow the
onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable
4 At the skmserver login prompt, type the following (this is the user login ID which
will never change):
akmadmin
5 At the Password prompt, type the default password:
password
6 At the akmadmin@skmserver prompt, type:
./skmcmds
7 At the Password prompt, type the default password:
password
8 When prompted for the license, type the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova image,
and press <Enter>. The license is not case sensitive.
The license file is created.
9 When prompted, press <Enter>.
The End User License Agreement displays.
10 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type
11 When prompted, press <Enter> to set up the server.
12 The first setup wizard task prompts you to change the akmadmin password (see
Figure 7). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to commands, including backup and restore.
y to accept and continue or n to decline and stop the installation process.
22Installing and Configuring the SKM KVM Servers
Page 23
Scalar Key Manager 2.5
Caution: EXTREMELY IMPORTANT: Remember Your
Password!
If you change the password from the default and forget it, there is
no way to retrieve it!
Each SKM server has its own password. If you set them differently,
you must remember both.
If you forget the password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.
• If you do not wish to change the password at this time, just press <Enter> at
the password prompt and the default password (password) remains
unchanged. You can change the password at any time later using SKM Admin
Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type the new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.
Figure 9 Changing the Password
13 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, IP address, netmask, and gateway. If you press <Enter> without
entering a value, the existing value remains.
Note: To ensure proper TLS certificate generation, Quantum recommends setting
both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.)
Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.
Note: The default SKM VM server IP address is: 192.168.20.4.
14 When finished press <Enter>.
A message lets you know there are no certificates loaded on the SKM server.
15 Press <Enter>.
The list of SKM Admin commands displays (see Figure 8). If you made any mistakes
during the setup wizard, you can go back and change them by typing the number
corresponding to the item you want to change at the command prompt.
Figure 10 SKM Admin Commands
16 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.
Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.
17 Complete steps 1-16 on the secondary SKM node before proceeding.
18 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.
19
Installing TLS Certificates on the SKM Server for Pre-SKM 2.4 (240Q)
TLS certificates are required on the SKM server. You can choose to use the Quantum-provided TLS certificates or install your own, as follows:
• SKM appliance server: The SKM appliance server comes with Quantum-provided
TLS certificates already installed. You can install your own TLS certificates (to
overwrite the installed certificates) if you wish.
Note: This applies only to earlier SKM releases. Beginning with SKM 2.5, TLS
certificates are no longer pre-installed, and must be installed on both the
SKM server and tape library.
• SKM VM server: The Scalar Key Manager VM Installation CD contains Quantum-
provided TLS certificates that you can install on the SKM VM server. Alternatively,
you can install your own TLS certificates on the SKM VM server.
If you install your own TLS certificates, you must make sure that your certificates meet
all of the requirements in Requirements for Installing User-provided TLS Certificates on
page 27.
Note: Any time you install TLS certificates, they will overwrite any TLS certificates
currently installed on the SKM server.
Note: Beginning with SKM 2.4 (240Q), a different procedure is used to install TLS
certificates. Refer to Installing TLS Certificates on the SKM Server for SKM 2.4
(240Q) or Later on page 28.
Installation Process
This procedure must be performed on both SKM servers.
1 SSH in to the SKM server. (If you have an SKM VM server, you can SSH in or continue
to use the vSphere console and proceed to Step 4 below.)
2 At the skmserver login prompt, type the login ID:
akmadmin
3 At the Password prompt, type your password.
4 At the akmadmin@skmserver prompt, type:
./skmcmds
5 At the Password prompt, type your password.
A message displays alerting you that the SKM key server will be stopped.
6 Type y to agree to stop the SKM key server and continue.
A message appears stating the SKM key server is being stopped.
7 Press <Enter> to continue.
The list of SKM Admin Commands displays.
8 At the command prompt, enter d to Display/update TLS communication
certificates.
The Display/update TLS communication certificates menu displays.
9 Using SFTP, transfer the Quantum certificate bundle file or your own certificates to
the /home/akmadmin/certs directory on the SKM server. Be sure to move the
appropriate bundle; there is a primary bundle and a secondary bundle.
10 At the command prompt, enter one of the following:
• If you used the -d or no -d option: i (to Install user provided
communication certificates)
OR
• If you used the -q option: a (to Apply Quantum-provided communication
certificate bundle).
Figure 11 Example of Quantum Certificate Bundle Displayed on Screen
Note: The Quantum certificate bundle is located on the Scalar Key Manager VM
Installation CD and has the file name QKMCertXXXXXXX.tgz (XXXXXXX is
a unique combination of letters and numbers).
11 Once you have transferred the files, press <Enter>.
A list of the certificate/bundle files currently in the /home/akmadmin/certs
directory displays (Figure 11 shows an example).
12 Type the file name of the appropriate certificate/bundle and press <Enter>. If you
are installing your own certificates, follow the onscreen instructions to load all three
certificates.
The certificates are installed.
13 Press <Enter>.
14 At the Command prompt, type q and press <Enter> to exit to the Display/update
TLS communication certificates menu.
15 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.
Note: You MUST quit at this point. Otherwise the server will remain stopped and
you will not be able to continue the configuration process on the library.
Note: Remember, you must repeat all preceding steps on the secondary SKM
server.
16 Proceed to Configuring Your Library For SKM on page 38.
Requirements for Installing User-provided TLS Certificates
When providing your own certificates, it is assumed you understand the concepts of PKI
and can access the tools or third-party resources needed to generate or obtain
certificates.
Note: You must be running SKM 1.1 or higher on your SKM servers in order to install
your own TLS certificates.
Note: If you install your own TLS certificates on the SKM server, you must also install
your own certificates on the library. Similarly, if you use the Quantum-provided
TLS certificates on the SKM server, you must also use the Quantum provided TLS
certificates on the library. Some newer libraries come with Quantum-provided
TLS certificates pre-installed, and other newer libraries require certificate
installation. See your library user’s guide for instructions on how to verify
whether TLS certificates are installed on the library and how to install them.
You need to provide the following certificates:
• Root Certificate (also called the CA certificate, or Certificate Authority Certificate)
• Server Certificate
• Admin Certificate
These files must be in the proper format, as follows. If any of the following requirements
is not met, none of the certificates will be imported.
• The Root Certificate must be 2048 bits.
• The Root Certificate must be in PEM format.
• The Admin and Server certificates must be in pkcs12 (.p12) format, with a separate
certificate and private key contained in each.
• The Admin and Server certificates must be signed by the Root Certificate.
• Certificates must have the Organization name (O) set in their Issuer and Subject info.
• The Admin certificate must have its Organizational Unit name (OU) set as
“akm_admin” in its Subject Info.
• The same Root Certificate must be installed on the SKM servers and the library.
• All the certificates must have a valid validity period according to the date and time
settings on the SKM server.
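The requirements above can be checked on the workstation before the files are transferred to the SKM server. The following script is an added example, not Quantum code and not part of the SKM software. It assumes the openssl command-line tool is installed, RSA keys, and the .p12 password supplied in a P12_PASS environment variable; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not Quantum code): pre-flight check of user-provided SKM TLS
# certificates against the requirement list above, run on the workstation where
# the files are prepared. Assumptions: the openssl CLI is installed, keys are
# RSA, and the .p12 password is supplied in the P12_PASS environment variable.
# All function names are hypothetical.

# Print the certificate stored in a PKCS#12 file as PEM (empty on any error).
p12_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# A PKCS#12 file must contain both a certificate and a private key.
p12_has_cert_and_key() {
    [ -n "$(p12_cert "$1")" ] || return 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# The Root Certificate must be PEM-encoded and carry a 2048-bit key.
root_is_pem_2048() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Public-Key: (2048 bit)'
}

# Print one name field of the certificate read from stdin.
# $1 = -subject or -issuer, $2 = long field name such as organizationName
name_field() {
    openssl x509 -noout "$1" -nameopt multiline 2>/dev/null |
        sed -n "s/^ *$2 *= *//p" | head -n 1
}

# Organization (O) must be set in both Subject and Issuer. $1 = PEM text
has_org() {
    [ -n "$(printf '%s\n' "$1" | name_field -subject organizationName)" ] &&
        [ -n "$(printf '%s\n' "$1" | name_field -issuer organizationName)" ]
}

# The Admin certificate must have OU=akm_admin in its Subject. $1 = PEM text
admin_ou_ok() {
    [ "$(printf '%s\n' "$1" | name_field -subject organizationalUnitName)" = akm_admin ]
}

# The certificate must name the root as its issuer, verify against it, and be
# inside its validity period. The period is judged by this machine's clock,
# not by the date and time set on the SKM server.
# $1 = root PEM file, $2 = certificate PEM text
signed_by_root() {
    root_dn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
    cert_dn=$(printf '%s\n' "$2" | openssl x509 -noout -issuer -nameopt RFC2253 2>/dev/null)
    [ -n "$root_dn" ] && [ "${root_dn#subject=}" = "${cert_dn#issuer=}" ] || return 1
    printf '%s\n' "$2" | openssl verify -CAfile "$1" 2>/dev/null | grep -q ': OK$'
}

# Run every check, print PASS/FAIL per requirement, return the failure count.
# $1 = root PEM file, $2 = server .p12, $3 = admin .p12
preflight() {
    fails=0
    check() {
        desc=$1; shift
        if "$@"; then echo "PASS  $desc"; else echo "FAIL  $desc"; fails=$((fails + 1)); fi
    }
    check "root: PEM format, 2048-bit key" root_is_pem_2048 "$1"
    check "root: O set in Subject and Issuer" has_org "$(cat "$1" 2>/dev/null)"
    for p12 in "$2" "$3"; do
        pem=$(p12_cert "$p12")
        check "$p12: certificate and private key present" p12_has_cert_and_key "$p12"
        check "$p12: signed by root, within validity period" signed_by_root "$1" "$pem"
        check "$p12: O set in Subject and Issuer" has_org "$pem"
        # Dates to compare against the date and time set on the SKM server.
        printf '%s\n' "$pem" | openssl x509 -noout -dates 2>/dev/null
    done
    check "admin: OU=akm_admin in Subject" admin_ou_ok "$(p12_cert "$3")"
    # Fingerprint to compare with the root certificate loaded on the library.
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
    return "$fails"
}

# Usage: P12_PASS=... sh skm_cert_preflight.sh root.pem server.p12 admin.p12
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The script exits with the number of failed checks, so a result of 0 means every locally testable requirement was met. The printed validity dates and root fingerprint still have to be compared by hand with the SKM server clock and with the root certificate installed on the library.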
Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later
Beginning with SKM 2.4 (240Q), you can self-generate library/SKM TLS
communication certificates on an SKM server running version 2.4 (240Q) or greater.
This certificate-generation process generates sets of TLS certificates that can be loaded
onto the primary and secondary SKM servers and all libraries attached to the servers.
Note: The TLS certificate generation process must be run on only one of the SKM
servers, so there is no need to generate TLS Certificates on both SKM servers.
Either the Primary or Secondary SKM server can be used to generate the
certificates.
Specifically, the genSKMcerts script loaded on the SKM servers can generate
certificates in one of two ways:
• By executing the script using the “-d” option. Certificates are generated using a set
of default values similar to the certificates currently provided by Quantum.
• By executing the script without using the “-d” option. If the “-d” option is not used,
information used to generate the certificates must be provided.
Begin the Installation
1 SSH in to the SKM server. (If you have an SKM VM server, you can SSH in or continue
to use the vSphere console and proceed to Step 4 below.)
2 At the skmserver login prompt, type the login ID:
akmadmin
3 At the Password prompt, type your password.
A message displays alerting you that the SKM key server will be stopped.
4 Type y to agree to stop the SKM key server and continue.
A message appears stating the SKM key server is being stopped.
5 Do one of the following:
• To execute the script using the -d option, proceed with the steps in Executing
the Script Using the -d Option on page 28.
• To execute the script without using the -d option, proceed with the steps in
Executing the Script Without Using the -d Option on page 31.
Executing the Script Using the -d Option
Use the following procedure to generate certificates using the -d option, which uses
default values. The generated certificates are valid for ten years from the date on which
they were generated.
1 Once logged into the SKM server, execute genSKMcerts -d to generate certificates
using the defaults.
The following illustration shows the default values (in brackets) used:
2 When prompted, enter and re-enter a password that will be used during the pk12
file generation.
TLS certificate generation is completed using the default values. A message informs
you when certificate generation is complete. The location of the certificates
(/home/akmadmin/generatedcerts) is also provided.
3 Complete the process by loading the certificates onto the SKM servers and tape
libraries using the procedures described in the user’s guide for the applicable
libraries.
• For the Scalar i40/i80, refer to “Importing Encryption Certificates” in the Scalar
i40 and Scalar i80 User’s Guide.
• For the Scalar i2000/i6000, refer to “Step 3 — Installing TLS Communication
Certificates on the Library” in the Quantum Scalar i2000/i6000 User’s Guide.
• For the Scalar i3, refer to the topic “Load Certificate - Encryption” in the Scalar i3
Documentation Center: http://qsupport.quantum.com/kb/flare/content/
Names of the files to copy are listed on the final screen that informs you that
certificate generation is complete.
After you finish loading the certificates onto the SKM servers and tape libraries,
return to this guide and proceed with the steps in Configuring Your Library For SKM
on page 38.
4 (Optional) If desired, you can verify the certificate details by running the ls -R
generatedcerts/ command.
Executing the Script Without Using the -d Option
Use the following procedure to generate certificates without using the -d option. This
method requires you to enter certificate values. If desired, you can press Enter to accept
the default value (displayed in brackets) for any item.
1 Once logged into an SKM server running version 2.4 (240Q) or greater, execute
genSKMcerts to begin entering the values used to generate certificates.
2 Enter the size of the key in bits. Valid key sizes are 1024, 2048 or 4096 bits. The
default size is 2048 bits.
3 Enter the duration in days for which the TLS certificates will be valid. The default
duration is 10 years (3650 days).
4 At this time the only valid certificate digest is “SHA1”, so press Enter to accept the
default value and continue.
5 Enter your two-character country identifier.
6 Enter your state or province name.
7 Enter your locality or city name.
8 Enter your company or organization name.
9 Enter your organizational unit or section name.
10 The next three entries are common names for the Tape libraries, SKM primary server
and SKM secondary server. The names must be unique because these names will be
used for the different sets of certificates.
11 The last entry is optional: an email address that will be included with the certificate
information.
12 When prompted, confirm that the displayed information is correct.
• Enter y to confirm and begin the certificate-generation process.
• Enter n if you want to change any of the values you entered. Note that the
defaults are now the values you previously entered, so you can easily bypass any
correct values and change only the incorrect values.
After you confirm that the displayed values are correct, certificate generation
begins.
13 When prompted, enter and re-enter a password that will be used during the pk12
file generation.
A message informs you when certificate generation is complete. The location of the
certificates (/home/akmadmin/generatedcerts) is also provided.
14 Complete the process by loading the certificates onto the SKM servers and tape
libraries using the procedures described in the user’s guide for the applicable
libraries.
• For the Scalar i40/i80, refer to “Importing Encryption Certificates” in the Scalar
i40 and Scalar i80 User’s Guide.
• For the Scalar i2000/i6000, refer to “Step 3 — Installing TLS Communication
Certificates on the Library” in the Quantum Scalar i2000/i6000 User’s Guide.
• For the Scalar i3, refer to the topic “Load Certificate - Encryption” in the Scalar i3
Documentation Center: http://qsupport.quantum.com/kb/flare/content/
Names of the files to copy are listed on the final screen that informs you that
certificate generation is complete.
After you finish loading the certificates onto the SKM servers and tape libraries,
return to this guide and proceed with the steps in Configuring Your Library For SKM
on page 38.
15 If desired, you can verify the certificate details by running the ls -R
generatedcerts/ command.
Generating Quantum Bundles for Certificates
After certificates are generated, follow this procedure to generate a set of Quantum
bundles that can be loaded onto the library and SKM servers using the user interface.
1 Enter the command genSKMcerts -Q.
2 Onscreen messages provide status as the Quantum certificate bundles are generated
using the default values, so no user input is required. (The generated bundle files are
saved at /home/akmadmin/generatedcerts/qbundles.)
After bundle generation is complete, load the bundles listed on the screen onto the
library and SKM servers using the user interface.
• The TapeLibraryQKMCert_xxxxxxxxxx.tgz bundle may be loaded onto any
library attached to the SKM server pair.
• The QKMPrimaryServerCert_xxxxxx.tgz bundle must be loaded onto the
primary SKM server.
• The QKMSecondaryServerCert_xxxxxxx.tgz bundle must be loaded onto the
secondary SKM server.
Configuring Your Library For SKM
All of the steps that follow deal with configuring your library for SKM and generating
data encryption keys. Depending on the size of your library, it may take up to 2.5 hours
to complete all of the following steps.
Also, please note that you cannot perform the following configuration steps until you have completed all previous steps. Both SKM servers must be fully configured and up
and running.
Caution: Do not perform any library- or host-initiated operations on the library
partitions to be used for SKM until all of the following steps are complete.
Follow the instructions for your library:
• Configuring the Scalar i40/i80 and Scalar i500 Tape Libraries on page 38
• Configuring the Scalar i2000/i6000 Tape Library on page 40
• Configuring the Scalar i3/i6 Tape Library on page 41
Configuring the Scalar i40/i80 and Scalar i500 Tape Libraries
Perform these steps, in order, on the Scalar i40/i80 and Scalar i500 libraries only.
See the library user’s guide or online help for detailed instructions on how to
complete each of these steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4, HP LTO-5, and/or HP LTO-6, or IBM LTO-5, IBM LTO-6, and/or
IBM LTO-7 (i500 only) tape drives in the library, if not already installed. Unload
all tape cartridges from these tape drives.
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Verify
the appropriate TLS communication certificates are installed on the library. If you
installed your own TLS certificates on the SKM servers, you must install your own TLS
certificates on the library. If you used Quantum-supplied TLS certificates on the SKM
servers, you must use Quantum-supplied certificates on the library.
Some newer libraries ship with TLS certificates already installed, and other newer
libraries require certificate installation. See your library user’s guide for instructions
on how to check whether TLS certificates are installed and how to install them.
Note these general guidelines:
• For pre-2.4 SKM servers, preloaded TLS certificates on the library will work
• For 2.4 (240Q) and later SKM servers, preloaded TLS certificates on the library
will not work, and you must download the generated library TLS certificate onto
the library
Figure 12 EKM Path Diagnostics PASSED Window
4 Configure the SKM server IP addresses on the library.
a From the library’s Web client, navigate to the encryption system configuration
screen.
b Enter the primary and secondary SKM server IP addresses or host names in the
fields provided.
c Click Apply.
5 Run EKM Path Diagnostics and make sure all the tests pass. Pass/fail status is
displayed in a progress window after the diagnostics completes (see Figure 12). This
is required to make sure the library is connected properly to both SKM servers. If any
of the tests fail, follow the instructions in the online help or library user’s guide to
troubleshoot and then run EKM Path Diagnostics again.
6 Configure SKM partitions and generate data encryption keys:
a On the library’s Web client, navigate to the encryption partition configuration
screen.
b For each partition in which you will use SKM, in the Encryption Method drop-
down list, select Enable Library Managed.
c Click Apply.
Data encryption keys are generated. When you enable library managed
encryption on a partition in the library for the first time, the library
automatically triggers each SKM server to generate a set of unique data
encryption keys. The key generation process should take 30 minutes or less to
complete, depending on network performance. The library notifies you when
the process is complete.
d Wait for the process to complete before continuing to the next step.
7 Save the library configuration.
8 Proceed to Backing Up the Servers on page 43.
Configuring the Scalar i2000/i6000 Tape Library
Perform these steps, in order, on the Scalar i2000/i6000 library only.
See the library user’s guide or online help for detailed instructions on how to
complete each of these steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4, HP LTO-5, and/or HP LTO-6, or IBM LTO-5, IBM LTO-6, and/or
IBM LTO-7 tape drives in the library, if not already installed. Unload all tape
cartridges from these tape drives.
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Verify
the appropriate TLS communication certificates are installed on the library. If you
installed your own TLS certificates on the SKM servers, you must install your own TLS
certificates on the library. If you used Quantum-supplied TLS certificates on the SKM
servers, you must use Quantum-supplied certificates on the library.
4 Configure the SKM server IP addresses and generate data encryption keys.
a On the library’s remote Web client, navigate to the EKM server configuration
screen.
b Enter the SKM primary and secondary server IP addresses or hostnames in the
fields provided.
c Click OK.
Data encryption keys are generated. As soon as you apply the SKM server IP
addresses, the library automatically triggers each SKM server to generate a set
of unique data encryption keys. The key generation process should take 30
minutes or less to complete, depending on network performance. The library
generates a RAS ticket when the process is complete. Wait until you receive this
ticket before going to the next step.
Note: If the key generation fails, the library generates a RAS ticket. Follow the
instructions in the ticket to resolve any errors, then initiate manual key
generation by changing the encryption method on an SKM partition to
Enable Library Managed (as described in Step 5 below). If key
generation continues to fail, run EKM Path Diagnostics to help
determine where the problem lies.
5 Configure partitions for library-managed encryption.
a On the library’s remote client, navigate to the EKM partition configuration
screen.
b For each partition in which you will use SKM, in the Encryption Method drop-down
list, select Enable Library Managed.
c Click OK.
6 Save the library configuration.
7 Proceed to Backing Up the Servers on page 43.
Configuring the Scalar i3/i6 Tape Library
Perform these steps, in order, on the Scalar i3 or i6 library only.
Refer to the i3 or i6 Documentation Center for detailed instructions on how to complete
each of the following steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 For the Scalar i3, prepare partitions for library-managed encryption by doing the
following:
a Install the following tape drives in the library, if not already installed. Unload all
tape cartridges from these tape drives.
For the Scalar i3:
• IBM HH SAS LTO6
• IBM HH SAS LTO7
• IBM HH FC LTO6
• IBM HH FC LTO7
For the Scalar i6:
• IBM FH FC LTO6
• IBM FH FC LTO7
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Refer to
the following links to the Scalar i3/i6 Documentation Centers for instructions on
how to install certificates.
• For Scalar i3: http://qsupport.quantum.com/kb/flare/content/Scalar_i3/docCenter/Encryption_Overview_Quattro.htm
• For Scalar i6: http://qsupport.quantum.com/kb/flare/content/Scalar_i6/docCenter/Encryption_Overview_Quattro.htm
4 Configure the SKM server IP addresses and generate data encryption keys.
a On the library’s remote Web client, navigate to the EKM server configuration
screen.
b Enter the SKM primary and secondary server IP addresses or hostnames in the
fields provided.
c Click OK.
Data encryption keys are generated. As soon as you apply the SKM server IP
addresses, the library automatically triggers each SKM server to generate a set
of unique data encryption keys. The key generation process should take 30
minutes or less to complete, depending on network performance. The library
generates a RAS ticket when the process is complete. Wait until you receive this
ticket before going to the next step.
Note: If the key generation fails, the library generates a RAS ticket. Follow the
instructions in the ticket to resolve any errors, then initiate manual key
generation by changing the encryption method on an SKM partition to
Enable Library Managed (as described in Step 5 below). If key
generation continues to fail, run EKM Path Diagnostics to help
determine where the problem lies.
5 Configure partitions for library-managed encryption.
a From the Navigation panel, select Partitions.
b In the North Panel, select the partition you want to set up.
c From the Operations panel, click EKM.
d At the Enable Library-Managed Encryption (LME) field, select the check box to
enable LME.
e Click Apply to save your settings.
f Click Close to exit the window.
For additional information, refer to these links to the Scalar i3 or Scalar i6
Documentation Center:
• For Scalar i3: http://qsupport.quantum.com/kb/flare/content/Scalar_i3/docCenter/Partition_EKM.htm
• For Scalar i6: http://qsupport.quantum.com/kb/flare/content/Scalar_i6/docCenter/Partition_EKM.htm
6 Proceed to Backing Up the Servers on page 43.
Configuring Multiple Libraries
If you will have multiple libraries accessing the same SKM server pair, repeat Configuring
Your Library For SKM on page 38 and Backing Up the Servers on page 43 for each
additional library.
Backing Up the Servers
Every time you generate new data encryption keys, you must back up both servers
before you begin using the keys to encrypt data. You must back up each server
separately because each contains different data. If a server fails and needs to be
replaced, the backup is required to restore operation.
Caution: EXTREMELY IMPORTANT: Back Up Your Servers!
It is critical that you back up both servers before using the keys to
encrypt data.
The only way to read encrypted tapes is via the keys in the keystore. If
your servers fail without a backup, you will permanently lose access to
all your encrypted data.
If both servers are lost, and no backup exists, Quantum will be unable
to restore any data from your encrypted media.
The backup is required for server hardware replacement or for
restoring a rebuilt SKM VM server.
Note: For multiple libraries accessing the same SKM server pair: If you are
configuring more than one library to use the same SKM servers, be aware that
each library triggers the SKM servers to create a set of data encryption keys
which are added to the keystore.
You must make sure all the keys are included in your backup before you start
using those keys. If you are configuring several libraries at the same time, you
can wait until all the keys are generated and then perform a single backup of
each server, provided that you do not use the keys before you back them up.
However, if there is a delay between key generation sessions during which you
intend to begin serving keys for encryption, you will need to perform multiple
backups, one after each key generation session.
Perform the following steps for each SKM server separately.
1 Connect to the SKM server using SSH (if you have an SKM VM server, you can use
SSH or continue to use the vSphere Client console).
2 At the skmserver login prompt, enter the login ID:
akmadmin
3 At the Password prompt, enter your password.
4 At the akmadmin@skmserver prompt, enter:
./skmcmds
For assistance, contact the Quantum Customer Support Center:
USA: 1-800-284-5101 (toll free) or +1-720-249-5700
EMEA: +800-7826-8888 (toll free) or +49-6131-3241-1164
APAC: +800-7826-8887 (toll free) or +603-7953-3010
Worldwide: http://www.quantum.com/ServiceandSupport
10 Use SFTP to copy the backup files to a desired location.
Caution: You must copy the backup file to another location and not just leave it
on the SKM server. This is so that, if the SKM server fails, you can
restore the backup from the remote location onto the new server.
Keep track of which backup file applies to which server so you know
which one to restore in the event that you lose a server. To further help
you identify the particular server, this backup file also contains the SKM
server’s serial number.
Caution: Do not use SKM to encrypt the sole copy of your SKM server
backup. If both servers were to fail, you would not be able to recover
the encrypted backup and would lose all data you had stored on all
your encrypted tapes.
11 Press <Enter>. The SKM Admin commands menu displays.
12 At the command prompt, type q and press <Enter> to quit SKM Admin commands
and restart the SKM key server.
13 Repeat the above steps on the other server in the SKM server pair.
6-66532-10 Rev A, May 2017