Quantum Scalar i40, Scalar i80, Scalar i500, Scalar i6000, Scalar i3 Quick Start Manual
...
Scalar Key Manager 2.5
Quick Start Guide
This quick start guide provides basic installation and configuration
instructions for the Scalar® Key Manager (SKM). SKM can be deployed in
one of two ways:
• a pair of physical appliances (servers) purchased from Quantum, or
• a pair of virtual machines (VMs) installed in a VMware® or KVM
environment.
Definition of terms: This guide uses the following terms to differentiate
between the two types of deployment:
• SKM appliance server — Physical key server purchased from
Quantum.
• SKM VM server — Virtual machine key server purchased from
Quantum and installed in a VMware or KVM environment.
• SKM server — Generic term applying to either an SKM appliance server
or an SKM VM server.
These instructions guide you through installing and configuring both
options. For more information, see the
located at http://www.quantum.com/ServiceandSupport/
SoftwareandDocumentationDownloads/SKM/Index.aspx. (Scroll down and
click the Documentation tab, and then locate the Product Use Guides
heading.)
Perform all of the steps, in order, before you begin encrypting tapes.
This instruction uses the following conventions:
Note: Notes emphasize important information related to the main topic.
Caution: Cautions indicate potential hazards to equipment and are
included to prevent damage to equipment.
Scalar Key Manager User’s Guide
Scalar Key Manager 2.5
Contents
Installing and Configuring the SKM
Appliance Servers
Items Required for Setup ................. 2
Installing the SKM Appliance Servers 3
Configuring the SKM Appliance
Servers .............................................. 5
Installing and Configuring the SKM
VMware Servers .................................... 9
Equipment and Software Needed for
VMware ............................................ 9
Deploying the .ova Image on
VMware .......................................11
Configuring the SKM VM Servers on
VMware .......................................... 11
Installing and Configuring the SKM KVM
Servers ................................................ 17
Equipment and Software Needed for
KVM ................................................ 17
Deploying the .raw Image on KVM 18
Configuring the SKM VM Servers on
KVM ................................................ 21
Installing TLS Certificates on the SKM
Server for Pre-SKM 2.4 (240Q) ........... 25
Installation Process ......................... 25
Requirements for Installing User-
provided TLS Certificates ................ 27
Installing TLS Certificates on the SKM
Server for SKM 2.4 (240Q) or Later .... 28
Begin the Installation ..................... 28
Executing the Script Using the -d
Option ............................................ 28
Executing the Script Without Using the
-d Option ........................................ 31
Generating Quantum Bundles for
Certificates ..................................... 36
Configuring Your Library For SKM ..... 38
Configuring the Scalar i40/i80 and
Scalar i500 Tape Libraries ............... 38
Configuring the Scalar i2000/i6000
Tape Library .................................... 40
Configuring the Scalar i3/i6 Tape
Library ............................................ 41
Backing Up the Servers ....................... 43
Configuring Multiple Libraries ........... 42
................................. 2
www.quantum.com
Quantum Scalar Key Manager 2.5 Quick Start Guide
Installing and Configuring the SKM Appliance Servers
Follow the instructions in this section if you are deploying a pair of physical SKM
appliance servers.
Caution: The SKM appliance servers are designed for one purpose only—to store and
manage your encryption keys. Do not install additional hardware on the
servers. Never install any software, file, or operating system on the servers
unless it is an upgrade or patch supplied by Quantum. Doing so can make
your server inoperable and will void your warranty.
Items Required for
Setup
You need the following to install and configure each SKM appliance server:
• (2) SKM appliance servers (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• CAT5e or higher Ethernet cable, crossover (for initial configuration, not supplied).
• CAT5e or higher Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial configuration.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.
Library Minimum Firmware Required
Scalar i40/i80 120G
Scalar i500 570G
Scalar i2000 595A
Scalar i6000 600A
Scalar i3
Note: Requires SKM 2.4 (240Q) or
later
110G
Scalar i6
Note: Requires SKM 2.4 (240Q) or
• For Microsoft® Windows®, you may need to install utilities to use secure shell (SSH)
and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at
http://winscp.net.
2 Installing and Configuring the SKM Appliance Servers
110G
later
Scalar Key Manager 2.5
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.
Installing the SKM
Appliance Servers
Follow the instructions below for both SKM appliance servers.
Caution: Do not remove any hard drive from the appliance server unless it is failed or
you are instructed to do so by Quantum service. Removing any hard drive
may render it unusable.
1 Determine the location for the servers. It is recommended that the two servers be in
different geographical locations for disaster recovery purposes. Ensure the air
temperature is below 95 °F (35 °C).
2 Install the SKM appliance server in a rack. Follow the
Installation
www.quantum.com/ServiceandSupport/SoftwareandDocumentationDownloads/
SKM/Index.aspx.)
3 Connect the power cord into the rear of the SKM appliance server (see Figure 1) and
plug it into a grounded power outlet.
Depending on the server model you have, it will take 20 seconds to 3 minutes for
power button to become active. During this time, one or more fans might run loudly
and then quiet down. On some models, the power-on LED on the front panel (see
Figure 2) blinks rapidly (4 times per second), indicating the power button is not
active yet.
instruction sheet (included with the rail kit and located at http://
Scalar Key Manager Rack
Installing and Configuring the SKM Appliance Servers 3
Quantum Scalar Key Manager 2.5 Quick Start Guide
Power cord
connector
Ethernet Port 1
(configuration)
Ethernet Port 2
(network)
Power cord
connector
Ethernet Port 1
(configuration)
Ethernet Port 2
(network)
M2 and earlier
M3 and M4
Power cord
connector
Ethernet Port 1
(configuration)
Ethernet Port 2
(network)
M5
Power cord
connector
Ethernet Port 2
(network)
Ethernet Port 1
(configuration)
M6
Figure 1 SKM Appliance Server
Rear Panel
The rear of your server looks like one of the drawings below.
4 Observe the power-on LED on the front panel (see Figure 2). Wait until the power-on
LED blinks slowly to indicate that the power button is active.
If the power-on LED is not blinking, there could be a problem with the power supply
or the LED. Check the power connection. If this LED still does not blink, contact
Quantum Support.
4 Installing and Configuring the SKM Appliance Servers
Figure 2 Front Panel
Power ButtonPower-on LED
M3 and earlier
M4 and later
Power Button and LED
M5
Power Button and LED
M6
Scalar Key Manager 2.5
5 Power on the SKM appliance server by pressing the power button on the front of
the server (see
Figure 2).
Configuring the SKM
Appliance Servers
Installing and Configuring the SKM Appliance Servers 5
6 Again, observe the power-on LED on the front panel. Wait until it is illuminated but
not blinking, indicating the server is powered on.
7 Wait about 3 minutes to allow the server to complete startup before you connect via
SSH in the next step.
Follow the instructions below for both SKM appliance servers.
Note: Both SKM appliance servers must be configured, operational, and connected to
the network before any libraries can be set up to use them.
Configuration requires you to read and accept the end user license agreement, and then
complete a setup wizard to configure the following values. Before beginning, decide
what each value should be. (You can change these values in the future, if desired.)
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.
Quantum Scalar Key Manager 2.5 Quick Start Guide
1 Set the IP address of the laptop or PC you will use to connect to the SKM appliance
server to 192.168.18.100.
2 Connect a CAT5e crossover Ethernet cable from the laptop or PC to Ethernet Port 1
on the rear of the SKM server (see
Note: Ethernet Port 1 is used only for configuration. Once you perform the initial
configuration, you will use Ethernet Port 2 for SKM appliance server
communication via your network.
3 Using SSH, connect to the server using the IP address for Ethernet Port 1:
192.168.18.3.
Note: The IP address of Ethernet Port 1 is a static IP address that cannot be
changed.
4 At the login prompt, type the following (this is the user login ID which will never
change):
akmadmin
5 At the Password prompt, type the default password:
Figure 1 on page 4).
Figure 3 Changing the
Password
password
6 At the akmadmin@skmserver prompt, type the following:
./skmcmds
7 At the Password prompt, type the default password again:
password
The End User License Agreement displays.
8 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type
y to accept and continue or n to decline and stop the installation process.
9 Press <Enter> to begin the setup wizard.
10 The first setup wizard task prompts you to change the akmadmin password (see
Figure 3). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to SKM Admin commands, including backup
and restore.
6 Installing and Configuring the SKM Appliance Servers
Scalar Key Manager 2.5
Caution: EXTREMELY IMPORTANT: Remember Your
Password!
If you change the password from the default and forget it, there is
no way to retrieve it!
Each SKM server has its own password. If you set them differently,
you must remember both.
If you forget your password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.
Charges may apply for replacement of an SKM appliance server
required due to changing and then forgetting the password.
CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!
• If you do not wish to change the password at this time, just press <Enter> at the
“change password” prompts and the default password (
You can change the password at any time later using SKM Admin Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
password) and press <Enter>.
(
password) remains.
b Type a new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.
11 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, SKM server IP address, netmask, and gateway. If you press <Enter>
without entering a value, the existing value remains.
Note: To ensure proper TLS certificate generation, Quantum recommends setting
both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.)
Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.
The IP address you are configuring is for Ethernet Port 2, the port you will be using
for network connection to SKM.
Ethernet Port 1 IP Address (never changes): 192.168.18.3
Ethernet Port 2 Default IP Address: 192.168.20.4 or 192.168.18.4 depending on
the server version
Installing and Configuring the SKM Appliance Servers 7
Quantum Scalar Key Manager 2.5 Quick Start Guide
Note: Ports are identified on the back of the server as Port 1 and Port 2, but when
configuring SKM through the console the ports are referred to onscreen as
Ports 0 and 1 respectively. (That is, labeled Port 1 = Port 0 in the console,
and labeled Port 2 = Port 1 in the console.)
Note: The netmask must match the netmask and gateway of the connected
libraries.
12 When the setup wizard is complete, press <Enter>.
The list of SKM Admin commands displays (see Figure 4). If you made any mistakes
during the setup wizard, you can go back and change them by entering the number
corresponding to the item.
Figure 4 SKM Admin
Commands
13 Type q and press <Enter> at the command prompt to quit, save your changes, and
restart the SKM key server. This process takes a few seconds. Wait until the
akmadmin@skmserver prompt appears.
Note: You MUST quit at this point. Otherwise your changes will not be saved and
14 Disconnect the CAT5e crossover Ethernet cable from Ethernet Port 1 (see Figure 1
on page 4).
15 On the laptop you are using to configure SKM, change the hard-coded IP address
back to DHCP.
8 Installing and Configuring the SKM Appliance Servers
you will not be able to continue the installation process.
Scalar Key Manager 2.5
16 Connect a standard CAT5e Ethernet cable from Ethernet Port 2 on the back of the
SKM appliance server to your network (see
this port using the IP address assigned in Step 11 above.
17 Complete steps 1-16 on the secondary SKM node before proceeding.
18 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.
Note: You can see the version of software you are running at the top of the SKM
Admin Commands menu. To view the software version without accessing
SKM Admin Commands, refer to “Viewing the SKM Server Software
Version” in the SKM User’s Guide.
Figure 1 on page 4). You will connect to
Installing and Configuring the SKM VMware Servers
Equipment and
Software Needed for
VMware
Note: Quantum provides support for SKM, however Quantum does not support the
virtual environment hardware or software (VMware or KVM).
Follow the instructions in this section if you are deploying a pair of SKM VM servers for
installation in a VMware environment.
Perform all the instructions in this section for each SKM VM server. Use a different
installation CD for each VM.
Caution: It is recommended that the two SKM VM servers be installed in different
physical locations to provide better protection in case of disaster.
Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by
Quantum.
You need the following to set up and configure the SKM VM servers:
• Two (2) Scalar Key Manager VM Installation CD packages. You must use a different
CD package for each SKM server. Each CD package contains:
• SKM VM server software (.ova image)
• SKM server Quantum-provided TLS communication certificate bundle (.tgz file)
Installing and Configuring the SKM VMware Servers 9
Quantum Scalar Key Manager 2.5 Quick Start Guide
• Printed label on the CD case containing a unique serial number, MAC ID and
license key (required for installation)
• VMware® vSphere™ Client installed on a computer. The computer may be the same
as the server that hosts the VM but it does not have to be. The vSphere Client is
required for initial setup; after that, you can use vSphere Client or another method
to access the SKM VM server.
Note: These instructions in this section use vSphere Client version 5.0. If you use a
different version of vSphere, the instructions may differ.
• Resources required for each SKM VM server:
• (1) Ethernet interface
•(1) CD ROM drive
•1 GB RAM
• 8 GB of disk space
• VM host software must be one of the following:
•VMware ESX 4.x (64 bit) and higher
•VMware ESXi 4s.x (64 bit) and higher
• Video memory must be set to 3 MB.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.
Library Minimum Firmware Required
Scalar i40/i80 120G
Scalar i500 570G
Scalar i2000 595A
Scalar i6000 600A
Scalar i3
110G
Note: Requires SKM 2.4 (240Q) or
later
Scalar i6
110G
Note: Requires SKM 2.4 (240Q) or
later
• If you plan to connect to the SKM VM server (now or in the future) via a Microsoft
Windows machine, you may need to install utilities to use secure shell (SSH) and
secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at
http://
www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at http://
winscp.net.
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
10 Installing and Configuring the SKM VMware Servers
Scalar Key Manager 2.5
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.
Deploying the .ova
Image on VMware
Configuring the SKM
VM Servers on VMware
Follow the instructions below for both SKM VM servers. The .ova installation process is
performed via VMware’s vSphere Client.
1 Insert the
drive.
2 You may copy the .ova image to a shared network drive for faster deployment if you
wish.
3 Launch vSphere Client.
4 Log on to the VM host.
5 Highlight the IP address of the VM host.
6 Select File > Deploy OVF Template.
The Deploy OVF Template wizard opens.
7 Complete the wizard screens and click Finish when done.
A progress bar displays on the screen. When complete, the SKM VM server name
appears in the list of VMs on the screen. Deployment takes a few minutes to several
hours depending on network speed and location of the .ova image in relation to the
VM host. Wait until the file deploys before continuing.
Follow the instructions below for both SKM VM servers.
Note: Both SKM VM servers must be configured, operational, and connected to the
Scalar Key Manager VM Installation CD
network before any libraries can be set up to use them.
into the your computer’s CD ROM
Caution: You must use a different CD package for each VM server. Keep track of
The configuration process requires you to read and accept the end user license
agreement, and then complete a setup wizard. The setup wizard helps you configure
the following values. Before beginning, decide what you want each of these values to
be. You can also change these values in the future.
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Installing and Configuring the SKM VMware Servers 11
which CD you use for which SKM server. It is recommended that you keep
each CD in its respective CD case and write on the case which server it
applies to. The TLS certificates and serial number/MAC ID/license key are
unique and you must use the correct ones if you ever need to reinstall the
SKM server. Also, if you accidentally use the same CD package for both VM
servers, you will not be able to complete the configuration.
Quantum Scalar Key Manager 2.5 Quick Start Guide
Allow 30 minutes per server to complete the configuration.
1 Using vSphere Client, make sure the SKM VM server you just created is powered OFF
(right-click the VM server, select Power, then select Power Off).
2 Right-click the SKM VM server and select Edit Settings.
3 Configure the MAC address as follows (see Figure 5):
a Under the Hardware tab, select Network adapter 1.
b Under MAC Address, select Manual.
c In the MAC Address field, type the MAC ID from the label attached to the CD
case of the CD from which you deployed the .ova image.
d Click OK.
Figure 5 Configuring the MAC
Address (Example)
4 Configure the video memory as follows:
a Right-click the SKM VM server and select Edit Settings.
b Under the Hardware tab, select Video card (see Figure 6).
c On the right side of the screen, under Enter total video RAM, change the
d Click OK.
12 Installing and Configuring the SKM VMware Servers
setting to 3 MB.
Figure 6 Video Card Settings
Scalar Key Manager 2.5
5 Power ON the SKM VM server (right-click the SKM VM server in the left panel, select
Power, then select Power On).
6 Highlight the SKM VM server in the left panel.
7 In the right panel, click the Console tab. Wait a few moments for the software to
load.
Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.
Note: If you receive the following error message when trying to use the console,
follow the workaround steps listed below.
Error message: This kernel requires an x86-64 CPU, but only detected an
xxxx
CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If
so, change the host BIOS processor settings as follows, then follow the
onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable
Installing and Configuring the SKM VMware Servers 13
Quantum Scalar Key Manager 2.5 Quick Start Guide
8 At the skmserver login prompt, type the following (this is the user login ID which
will never change):
akmadmin
9 At the Password prompt, type the default password:
password
10 At the akmadmin@skmserver prompt, type:
./skmcmds
11 At the Password prompt, type the default password:
password
12 When prompted for the license, type the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova image,
and press <Enter>. The license is not case sensitive.
The license file is created.
13 When prompted, press <Enter>.
The End User License Agreement displays.
14 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type
15 When prompted, press <Enter> to set up the server.
16 The first setup wizard task prompts you to change the akmadmin password (see
Figure 7). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to commands, including backup and restore.
Caution: EXTREMELY IMPORTANT: Remember Your
y to accept and continue or n to decline and stop the installation process.
Password!
If you change the password from the default and forget it, there is
no way to retrieve it!
Each SKM server has its own password. If you set them differently,
you must remember both.
If you forget the password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.
CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!
• If you do not wish to change the password at this time, just press <Enter> at
14 Installing and Configuring the SKM VMware Servers
the password prompt and the default password (password) remains
unchanged. You can change the password at any time later using SKM Admin
Commands.
Loading...