Quantum SCALAR KEY MANAGER OPEN SOURCE LICENSE AGREEMENT, SKM OPEN SOURCE LICENSE AGREEMENT User Manual

Scalar Key Manager
Quick Start Guide
This quick start guide provides basic installation and configuration instructions for the Scalar® Key Manager (SKM). SKM can be deployed in one of two ways:
• a pair of physical appliances (servers) purchased from Quantum, or
Definition of terms: This guide uses the following terms to differentiate between the two types of deployment:
SKM appliance server — Physical key server purchased from Quantum.
SKM VM server — Virtual machine key server purchased from Quantum and installed in a VMware environment.
SKM server — Generic term applying to either an SKM appliance server or an SKM VM server.
These instructions guide you through installing and configuring both options. For more information, see the Scalar Key Manager User’s Guide on the Scalar Key Manager Documentation CD.
www.quantum.com
Perform all of the steps, in order, before you begin encrypting tapes.
This instruction uses the following conventions:
Note: Notes emphasize important information related to the main topic.
Caution: Cautions indicate potential hazards to equipment and are included to prevent damage to equipment.
WARNING: Warnings indicate potential hazards to personal safety and are included to prevent injury.

Contents
Installing and Configuring the SKM Appliance Servers
  Items Required for Setup
  Installing the SKM Appliance Servers
  Configuring the SKM Appliance Servers
Installing and Configuring the SKM VM Servers
  Equipment and Software Needed
  Deploying the .ova Image
  Configuring the SKM VM Servers
Installing TLS Certificates on the SKM Server
  Installation Process
  Requirements for Installing User-provided TLS Certificates
Configuring Your Library For SKM
  Configuring the Scalar i500 Tape Library
  Configuring the Scalar i2000/i6000 Tape Library
Backing Up the Keystores
Configuring Multiple Libraries

Installing and Configuring the SKM Appliance Servers

Follow the instructions in this section if you are deploying a pair of physical SKM appliance servers.
Caution: The SKM appliance servers are designed for one purpose only—to store and
manage your encryption keys. Do not install additional hardware on the servers. Never install any software, file, or operating system on the servers unless it is an upgrade or patch supplied by Quantum. Doing so can make your server inoperable and will void your warranty.

Items Required for Setup

You need the following to install and configure each SKM appliance server:
• (2) SKM appliance servers (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• Ethernet cable, crossover (for initial configuration, not supplied).
• Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial configuration.
• The most recent library firmware installed on your library. (Minimum versions required: Scalar i500: 570G; Scalar i2000: 595A; Scalar i6000: 600A.)
• For Microsoft® Windows®, you may need to install a utility to use secure shell (SSH) and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at http://winscp.net.

Installing the SKM Appliance Servers

Follow the instructions below for both SKM appliance servers.
1 Determine the location for the servers. It is recommended that the two servers be in different geographical locations for disaster recovery purposes. Ensure the air temperature is below 95 °F (35 °C).
2 Install the SKM appliance server in a rack. Follow the Scalar Key Manager Rack Installation instruction sheet (included with the rail kit and located on the Scalar Key Manager Documentation CD).
Figure 1 SKM Appliance Server Rear Panel (callouts: Power cord connector, Ethernet Port 1 (configuration), Ethernet Port 2 (network))
3 Connect the power cord into the rear of the SKM appliance server (see Figure 1) and plug it into a grounded power outlet.
4 Approximately 20 seconds after you connect the SKM appliance server to AC power, the power button becomes active, and one or more fans might start running loudly for about 20 seconds. Observe the power-on LED on the front panel of the SKM appliance server (see Figure 2). It should be flashing, indicating the server is turned off and connected to an AC power source. If the power-on LED is not flashing, there could be a problem with the power supply or the LED. Check the power connection. If this LED still does not flash, contact Quantum Support.
Figure 2 Front Panel (callouts: Power button, Power-on LED)

5 Turn on the SKM appliance server by pressing the power button on the front of the server (see Figure 2).
6 Again observe the power-on LED on the front panel of the SKM appliance server. Wait until it is on but not flashing, indicating the server is turned on.
7 Wait about 3 minutes to allow the server to complete startup before you connect via SSH in the next step.

Configuring the SKM Appliance Servers

Follow the instructions below for both SKM appliance servers.
Note: Both SKM appliance servers must be configured, operational, and connected to the network before any libraries can be set up to use them.
The configuration process requires you to read and accept the end user license agreement, and then complete a setup wizard. The setup wizard helps you configure your password, IP address, netmask, gateway, time zone, date, and time. Before beginning, decide what you want each of these values to be. You can also change these values in the future.
Allow 30 minutes per server to complete the configuration.
1 Set the IP address of the laptop or PC you will use to connect to the SKM appliance
server to 192.168.18.xxx (where xxx is any number from 0 to 255 except 3).
2 Connect a crossover Ethernet cable from the laptop or PC to Ethernet Port 1 on the rear of the SKM server (see Figure 1).
Note: Ethernet Port 1 is used only for configuration. Once you perform the initial configuration, you will use Ethernet Port 2 for SKM appliance server communication via your network.
3 Using SSH, connect to the server using the IP address 192.168.18.3.
Note: The IP address of Ethernet Port 1 is a static IP address that cannot be changed.
4 At the login prompt, enter the user login ID (which will never change):
akmadmin
5 At the password prompt, enter the default password:
password
6 At the akmadmin@skmserver prompt, enter:
./skmcmds
7 At the password prompt, enter the default password again:
password
The End User License Agreement displays.
8 Read and accept the license agreement. Press <Enter> to scroll through the agreement, and at the end, enter y to accept.
9 Press <Enter> to begin the setup wizard.
10 The first setup wizard task prompts you to change your password. There is only one password for SKM, which is required for all logins and access to SKM Admin commands, including backup and restore. If you lose the password, there is no way to retrieve it.
• If you do not wish to change the password at this time, just press <Enter> at the “change password” prompts and the default password (password) remains. You can change the password at any time later using SKM Admin Commands.
• If you wish to change the password:
a At the “(current) UNIX password” prompt, enter the default password:
password
b Enter the new password.
c Enter the new password again.
d Press <Enter>.
Caution: EXTREMELY IMPORTANT:
Remember Your Password!
If you forget your password, there is no way to retrieve it!
Each SKM server has its own password. If you set them differently, you must remember both.
If you forget your password, you will lose login access to the SKM server, including backup and restore capability. Quantum will NOT be able to restore the password.
11 Continue through the setup wizard to configure the rest of the settings: time zone,
date and time, SKM server IP address, netmask, and gateway. If you press <Enter> without entering a value, the existing value remains.
Note: The IP address you are configuring is for Ethernet Port 2, the port you will
be using for SKM operations.
Ethernet Port 1 IP Address (never changes): 192.168.18.3
Ethernet Port 2 Default IP Address: 192.168.20.4
12 When the setup wizard is complete, press <Enter>.
The list of SKM Admin commands displays. If you made any mistakes during the setup wizard, you can go back and change them by entering the number corresponding to the item. To view the list at any time, enter ./skmcmds at the command prompt.
13 Enter q at the command prompt to save your changes and restart the SKM key
server. This process takes a few seconds.
14 Disconnect the crossover Ethernet cable from Ethernet Port 1 (see Figure 1).
15 Connect a standard Ethernet cable from Ethernet Port 2 on the back of the SKM appliance server to your network (see Figure 1). You will connect to this port using the IP address assigned in Step 11 above.
16 Repeat the above steps on the other SKM appliance server.

Installing and Configuring the SKM VM Servers

Follow the instructions in this section if you are deploying a pair of SKM VM servers for installation in a VMware environment.
Perform all the instructions in this section for each SKM VM server. Use a different installation CD for each VM.
Caution: It is recommended that the two SKM VM servers be installed in different
physical locations to provide better protection in case of disaster.
Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by Quantum.

Equipment and Software Needed

You need the following to set up and configure the SKM VM servers:
• Two (2) Scalar Key Manager VM Installation CDs, one to configure each SKM server. Each CD contains:
  • SKM VM server software (.ova image)
  • SKM server Quantum-provided TLS communication certificate bundle (.tgz file)
  • Printed label on the DVD case containing MAC ID and license key (required for installation)
• VMware® vSphere™ Client installed on a computer. The computer may be the same as the server that hosts the VM but it does not have to be. The vSphere Client is required for initial setup; after that, you can use vSphere Client or another method to access the SKM VM server.
Note: The instructions in this section use vSphere Client version 4.0.0. If you use a different version of vSphere, the instructions may differ.
• Resources required for each SKM VM server:
  • (1) Ethernet interface
  • (1) CD/DVD ROM drive
  • 512 MB RAM
  • 8 GB of disk space
• VM host software must be either the ESX 4.0 (64 bit) or the ESXi 4.0 (64 bit).
• The most recent library firmware installed on your library. (Minimum versions required: Scalar i500: 570G; Scalar i2000: 595A; Scalar i6000: 600A.)
• If you plan to connect to the SKM VM server (now or in the future) via a Microsoft Windows machine, you may need to install a utility to use secure shell (SSH) and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at http://winscp.net.

Deploying the .ova Image

Follow the instructions below for both SKM VM servers. The OVA installation process is performed via VMware’s vSphere Client.
1 Insert the Scalar Key Manager VM Installation CD into your computer’s CD ROM drive.
2 You may copy the .ova image to a shared network drive for faster deployment if you wish.
3 Launch vSphere Client.
4 Log in to the VM host.
5 Highlight the IP address of the VM host.
6 Select File > Deploy OVF template.
The Deploy OVF Wizard displays.
7 Select Deploy from file.
8 Click the Browse button, navigate to the .ova image, and click Open.
9 Click Next.
10 Click Next.
11 Enter a name for the SKM VM server and click Next.
12 Click Finish to begin deployment.
A progress bar displays on the screen. When complete, the SKM VM server name appears in the list of VMs on the screen. Deployment takes 15 minutes to several hours depending on network speed and location of the .ova file in relation to the VM host. Wait until the file deploys before continuing.

Configuring the SKM VM Servers

Follow the instructions below for both SKM VM servers.
Note: Both SKM VM servers must be configured, operational, and connected to the network before any libraries can be set up to use them.
Caution: Keep track of which CD you use for which SKM server. It is recommended that you keep the correct CD in its respective DVD case and write on the DVD case which server it applies to. The TLS certificates and MAC ID/license key are unique and you must use the correct ones if you ever need to reinstall the SKM server.
The configuration process requires you to read and accept the end user license agreement, and then complete a setup wizard. The setup wizard helps you configure your password, IP address, netmask, gateway, time zone, date, and time. Before beginning, decide what you want each of these values to be. You can also change these values in the future.
Allow 30 minutes per server to complete the configuration.
1 In vSphere Client, right-click the SKM VM server you just created in the left panel and select Edit Settings.
2 Configure the MAC address as follows (see Figure 3):
a Under the Hardware tab, select Network adapter 1.
b Under MAC Address, select Manual.
c In the MAC Address field, enter the MAC ID from the label attached to the CD case of the CD from which you deployed the .ova file.
d Click OK.
Figure 3 Configuring the MAC Address (Example)
3 Power on the SKM VM server (right-click the SKM VM server in the left panel, click Power, then click Power On).
4 Highlight the SKM VM server in the left panel.
5 In the right panel, select the Console tab.
Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.
Note: If you receive the following error message when trying to use the console, follow the workaround steps listed below.
Error message: This kernel requires an x86-64 CPU, but only detected an xxxx CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If so, change the host BIOS processor settings as follows, then follow the onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable
6 Press the <Enter> key on your keyboard.
7 At the skmserver login prompt, enter:
akmadmin
8 At the password prompt, enter the default password:
password
9 At the akmadmin@skmserver prompt, enter:
./skmcmds
10 At the password prompt, enter the default password:
password
11 When prompted for the license, enter the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova file. The license is not case sensitive.
12 When prompted, press <Enter>.
The End User License Agreement displays.
13 Read and accept the license agreement. Press <Enter> to scroll through the
agreement, and at the end, enter y to accept.
14 When prompted, press <Enter> to set up the server.
15 The setup wizard begins immediately with a prompt to change your password (see Figure 4). There is only one password for SKM, which is required for all logins and access to commands, including backup and restore. If you lose the password, there is no way to retrieve it.
• If you do not wish to change the password at this time, just press <Enter> at the password prompts and the default password (password) remains. You can change the password at any time later using SKM Admin Commands.
• If you wish to change the password:
a At the “(current) UNIX password” prompt, enter the default password:
password
b Enter the new password.
c Enter the new password again.
d Press <Enter>.
Figure 4 Changing the Password
Caution: EXTREMELY IMPORTANT:
Remember Your Password!
If you forget your password, there is no way to retrieve it!
Each SKM server has its own password. If you set them differently, you must remember both.
If you forget your password, you will lose login access to the SKM server, including backup and restore capability. Quantum will NOT be able to restore the password.
16 Continue through the setup wizard to configure the rest of the settings: time zone,
date and time, IP address, netmask, and gateway. If you press <Enter> without entering a value, the existing value remains.
Note: The default SKM VM server IP address is: 192.168.18.3.
17 When the setup wizard is complete, press <Enter>.
A message lets you know there are no certificates loaded on the SKM server and that you need to quit skmcmds to complete the setup.
18 Press <Enter>.
The list of SKM Admin commands displays. If you made any mistakes during the setup wizard, you can go back and change them by entering the number corresponding to the item you want to change. To view the list at any time, enter ./skmcmds at the command prompt.
19 Enter q at the command prompt to save your changes and restart the SKM key server. This process takes a few seconds.

Installing TLS Certificates on the SKM Server

TLS certificates are required on the SKM server. You can choose to use the Quantum-provided TLS certificates or install your own, as follows:
SKM appliance server: The SKM appliance server comes with Quantum-provided TLS certificates already installed. You can install your own TLS certificates (to overwrite the installed certificates) if you wish.
SKM VM server: The Scalar Key Manager VM Installation CD contains Quantum-provided TLS certificates that you can install on the SKM VM server. Alternatively, you can install your own TLS certificates on the SKM VM server.
If you install your own TLS certificates, you must make sure that your certificates meet all of the requirements in Requirements for Installing User-provided TLS Certificates.
Note: Any time you install TLS certificates, they will overwrite any TLS certificates currently installed on the SKM server.

Installation Process

1 SSH in to the SKM server (if you have an SKM VM server, you can SSH in or continue to use the vSphere console).
2 At the login prompt, enter the login ID:
akmadmin
3 At the password prompt, enter your password.
4 At the akmadmin@skmserver prompt, enter:
./skmcmds
5 At the password prompt, enter your password.
A message displays alerting you that the SKM key server will be stopped.
6 Enter y to agree to stop the SKM key server and continue.
A message appears stating the SKM key server is being stopped.
7 Press <Enter> to continue.
The list of SKM Admin Commands displays.
8 At the command prompt, enter d to Display/update TLS communication certificates.
The Display/update TLS communication certificates menu displays.
9 At the command prompt, enter one of the following:
• i (to Install user provided communication certificates), or
• a (to Apply Quantum-provided communication certificate bundle).
10 Using SFTP, transfer the certificate bundle file (.tgz file) from the Scalar Key Manager VM Installation CD (if Quantum certificates) or transfer your own certificates to the /home/akmadmin/certs directory on the SKM server.
11 Once you have transferred the files, press <Enter>.
12 Once the transfer is complete, follow the commands to enter the name of the Quantum certificate bundle or your certificates as directed.

Requirements for Installing User-provided TLS Certificates

Note: You must be running SKM 1.1 or higher on your SKM servers in order to install your own TLS certificates.
Note: If you install your own TLS certificates on the SKM server, you must also install your own certificates on the library. Similarly, if you use the Quantum-provided TLS certificates on the SKM server, you must also use the Quantum-provided TLS certificates on the library. Newer libraries come with Quantum-provided TLS certificates pre-installed. See your library user’s guide for instructions on how to verify whether TLS certificates are installed on the library and how to install them.
You need to provide the following certificates:
• Root Certificate (also called the CA certificate, or Certificate Authority Certificate)
• Server Certificate
• Admin Certificate
Place the certificate files in a known location on your computer.
These files must be in the proper format, as follows. If any of the following requirements is not met, none of the certificates will be imported.
• The Root Certificate must be 2048 bits.
• The Root Certificate must be in PEM format.
• The Admin and Server certificates must be in pkcs12 (.p12) format, with a separate certificate and private key contained in each.
• The Admin and Server certificates must be 1024 bits.
• The Admin and Server certificates must be signed by the Root Certificate.
• The Admin certificate must have its Organizational Unit name set as “akm_admin” in its Subject Info.
• The same Root Certificate must be installed on the SKM servers and the library.
• All the certificates must have a valid validity period according to the date and time settings on the SKM server.
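Because one unmet requirement causes none of the certificates to be imported, it helps to check the files on your computer before transferring them. The script below is an added example, not Quantum's tooling: it uses the openssl command-line tool to test a root certificate and the Server and Admin .p12 files against the requirements listed above. The environment variable SKM_P12_PASS and the file names are assumptions of this example, and the validity period is checked against the local clock rather than the SKM server's.

```shell
#!/bin/sh
# Added example, not Quantum's tooling: check user-provided SKM TLS
# certificates against the requirements listed above with the openssl CLI.
# Assumptions: the PKCS#12 password is in the environment variable
# SKM_P12_PASS (a name chosen here), and validity is judged by the local
# clock, so confirm the SKM server's date and time match.

# Print the public-key size, in bits, of the PEM certificate on stdin.
cert_bits() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Root Certificate: PEM format, 2048 bits.
check_root() {
    root=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$root" 2>/dev/null ||
        { echo "FAIL root: not a PEM certificate"; return 1; }
    bits=$(cert_bits < "$root")
    [ "$bits" = "2048" ] ||
        { echo "FAIL root: ${bits:-unknown} bits, need 2048"; return 1; }
    echo "OK root"
}

# Admin or Server file: PKCS#12 with a certificate and a private key,
# 1024 bits, signed by the root, currently valid; Admin needs OU=akm_admin.
# usage: check_p12 <admin|server> <file.p12> <root.pem>
check_p12() {
    role=$1 p12=$2 root=$3 rc=0
    tmp=$(mktemp) || return 1
    # Extract only the certificate; the private key is never written to disk.
    if ! openssl pkcs12 -in "$p12" -passin env:SKM_P12_PASS -nokeys -clcerts \
            2>/dev/null | openssl x509 -out "$tmp" 2>/dev/null; then
        echo "FAIL $role: cannot read a certificate from the PKCS#12 file"
        rm -f "$tmp"; return 1
    fi
    openssl pkcs12 -in "$p12" -passin env:SKM_P12_PASS -nocerts -nodes \
        2>/dev/null | grep -q 'PRIVATE KEY' ||
        { echo "FAIL $role: no private key in the PKCS#12 file"; rc=1; }
    bits=$(cert_bits < "$tmp")
    [ "$bits" = "1024" ] ||
        { echo "FAIL $role: ${bits:-unknown} bits, need 1024"; rc=1; }
    # The issuer name must equal the root's subject, and openssl verify must
    # accept the signature and the validity period.
    iss=$(openssl x509 -in "$tmp" -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$root" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    [ "$iss" = "$sub" ] && openssl verify -CAfile "$root" "$tmp" \
        >/dev/null 2>&1 ||
        { echo "FAIL $role: not signed by the root, or not currently valid"; rc=1; }
    if [ "$role" = "admin" ]; then
        openssl x509 -in "$tmp" -noout -subject -nameopt RFC2253 |
            grep -Eq '(^|[=, ])OU=akm_admin(,|$)' ||
            { echo "FAIL admin: Organizational Unit is not akm_admin"; rc=1; }
    fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "OK $role"
    return "$rc"
}

# Run every check when called with three file arguments, for example:
#   SKM_P12_PASS=... sh skm_cert_check.sh root.pem server.p12 admin.p12
if [ "$#" -eq 3 ]; then
    st=0
    check_root "$1" || st=1
    check_p12 server "$2" "$1" || st=1
    check_p12 admin "$3" "$1" || st=1
    exit "$st"
fi
```

The script does not check that the same Root Certificate is installed on the library; verify that separately as described in your library user’s guide.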

Configuring Your Library For SKM

All of the steps that follow deal with configuring your library for SKM and generating data encryption keys. Depending on the size of your library, it may take up to 2.5 hours to complete all of the following steps.
Also, please note that you cannot perform the following configuration steps until you have completed all previous steps. Both SKM servers must be fully configured and up and running.
Caution: Do not perform any library- or host-initiated operations on the library
partitions to be used for SKM until all of the following steps are complete.
Follow the instructions for your library:
Configuring the Scalar i500 Tape Library
Configuring the Scalar i2000/i6000 Tape Library

Configuring the Scalar i500 Tape Library

Perform these steps, in order, on the Scalar i500 library only.
See the library user’s guide or online help for detailed instructions on how to complete each of these steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4 and/or LTO-5 tape drives in the library, if not already installed.
Unload all tape cartridges from these tape drives.
b Ensure that the partitions you want to configure for SKM contain only HP LTO-4
and/or LTO-5 tape drives.
c On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for the correct version of tape drive firmware.
3 Configure the SKM server IP addresses on the library.
a From the library’s web client, navigate to the encryption system configuration
screen.
b Enter the primary and secondary SKM server IP addresses or host names in the fields provided.
c Click Apply.
4 Check to see if TLS communication certificates are installed on the library. If not, install either the Quantum-supplied library TLS certificates (shipped separately from the SKM appliance or software) or your own TLS certificates on the library. This is different from installing TLS certificates on the SKM server.
5 Run EKM Path Diagnostics. This is required to make sure the library is connected properly to both SKM servers.
6 Configure SKM partitions and generate data encryption keys:
a On the library’s web client, navigate to the encryption partition configuration
screen.
b For each partition in which you will use SKM, in the Encryption Method drop-
down list, select Enable Library Managed.
c Click Apply.
Data encryption keys are generated. When you enable library managed
encryption on a partition in the library for the first time, the library automatically triggers each SKM server to generate a set of unique data encryption keys. This may take 15 minutes to an hour, depending on network performance. The library notifies you when the process is complete.
d Wait for the process to complete before continuing to the next step.
7 Save the library configuration.

Configuring the Scalar i2000/i6000 Tape Library

Perform these steps, in order, on the Scalar i2000/i6000 library only.
See the library user’s guide or online help for detailed instructions on how to complete each of these steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4 and/or LTO-5 tape drives in the library, if not already installed.
Unload all tape cartridges from these tape drives.
b Ensure that the partitions you want to configure for SKM contain only HP LTO-4
and/or LTO-5 tape drives.
c On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for the correct version of tape drive firmware.
3 Check to see if TLS communication certificates are installed on the library. If not,
install either the Quantum-supplied library TLS certificates (shipped separately from the SKM appliance or software) or your own TLS certificates on the library. This is different from installing TLS certificates on the SKM server.
4 Configure the SKM server IP addresses and generate data encryption keys.
a On the library’s remote web client, navigate to the EKM server configuration
screen.
b Enter the SKM primary and secondary server IP addresses or hostnames in the
fields provided.
c Click OK.
Data encryption keys are generated. As soon as you apply the SKM server IP
addresses, the library automatically triggers each SKM server to generate a set of unique data encryption keys. This takes 1 to 2 hours, depending on network performance. The library generates a RAS ticket when the process is complete. Wait until you receive this ticket before going to the next step.
Note: If the key generation fails, the library generates a RAS ticket. Follow the instructions in the ticket to resolve any errors, then initiate manual key generation by changing the encryption method on an SKM partition to Enable Library Managed (as described in Step 5 below). If key generation continues to fail, run EKM Path Diagnostics to help determine where the problem lies.
5 Configure partitions for library-managed encryption.
a On the library’s remote client, navigate to the EKM partition configuration screen.
b For each partition in which you will use SKM, in the Encryption Method drop-down list, select Enable Library Managed.
c Click OK.
6 Save the library configuration.

Backing Up the Keystores

Every time you generate new data encryption keys, you must back up both keystores before you begin using the keys to encrypt data. You must back up each keystore separately because each contains different data. If a server fails and needs to be replaced, the backup is required to restore operation.
Caution: EXTREMELY IMPORTANT:
Back Up Your Keystores!
It is critical that you back up both keystores before using the keys to encrypt data.
The only way to read encrypted tapes is via the keys in the keystore. If your servers fail without a backup, you will permanently lose access to all your encrypted data.
If both servers are lost, and no backup exists, Quantum will be unable to restore any data from your encrypted media.
The backup is required for server hardware replacement.
Note: For multiple libraries accessing the same SKM server pair: If you are
configuring more than one library to use the same SKM servers, be aware that each library triggers the SKM servers to create a set of data encryption keys which are added to the keystore. You need to make sure all the keys are included in your backup before you start using those keys. If you are configuring several libraries at the same time, you can wait until all the keys are generated and then perform a single backup of each server, provided that you do not use the keys before you back them up. However, if there is a time delay between the key generation during which you intend to begin serving keys for encryption, you will need to perform multiple backups—one after each key generation session.
Perform the following steps for each SKM server separately.
1 Connect to the SKM server using SSH (if you have an SKM VM server, you can SSH in
or continue to use the vSphere console).
2 At the login prompt, enter the login ID:
akmadmin
3 At the password prompt, enter your password.
4 At the akmadmin@skmserver prompt, enter:
./skmcmds
5 At the password prompt, enter your password.
A message displays alerting you that the SKM key server will be stopped.
6 Enter y to agree to stop the SKM key server.
A list of commands displays.
7 At the command prompt, enter the number or letter corresponding to Back up keystore.
Backup files are created and placed into a single .tgz file.
8 Note the name and location of the backup file:
/home/akmadmin/SKMData<serial number><date><time>.tgz
9 Use SFTP to copy the backup files to a desired location.
Caution: You must copy these backup files to another location and not just leave them on the SKM server. This is so that, if the SKM server fails, you can restore the backup from the remote location onto the new server.
Caution: Keep track of which backup file(s) apply to which server so you know which one(s) to restore in the event that you lose a server.
Caution: Do not use SKM to encrypt the sole copy of your SKM server keystore backup. If both servers were to fail, you would not be able to recover the encrypted backup and would lose all data you had stored on all your encrypted tapes.
10 Press <Enter>.
11 Enter q to quit the Admin commands and restart the SKM key server.
12 Repeat the above steps on the other server in the SKM server pair.

Configuring Multiple Libraries

If you will have multiple libraries accessing the same SKM server pair, repeat Configuring Your Library For SKM and Backing Up the Keystores for each additional library.
©2010 Quantum Corporation. All rights reserved. Quantum, the Quantum logo, and all other logos are registered trademarks of Quantum Corporation or of their respective owners. Protected by Pending and Issued U.S. and Foreign Patents, including U.S. Patent No. 5,990,810.
For assistance, contact the Quantum Customer Support Center:
USA: 800-284-5101 (toll free) or 949-725-2100
EMEA: 00800-4-782-6886 (toll free) or +49 6131 3241 1164
APAC: +800 7826 8887 (toll free) or +603 7953 3010
Worldwide: http://www.quantum.com/ServiceandSupport
About Quantum
Quantum Corp. (NYSE:QTM) is the leading global storage company specializing in backup, recovery and archive. Combining focused expertise, customer-driven innovation, and platform independence, Quantum provides a comprehensive range of disk, tape, media and software solutions supported by a world-class sales and service organization. This includes the DXi™-Series, the first disk backup solutions to extend the power of data deduplication and replication across the distributed enterprise. As a long-standing and trusted partner, the company works closely with a broad network of resellers, OEMs and other suppliers to meet customers’ evolving data protection needs.
6-66532-03 Rev A, June 2010