Dell Encryption Key Manager 3.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2012 Dell Inc.
Contents: Notes, Cautions, and Warnings (page 2); 1 Overview (page 5); Hardware and Software Requirements (page 5); Server Hardware Requirements
Starting and Stopping the EKM 3.0 Server in Windows (page 24); Starting and Stopping the EKM 3.0 Server in Linux (page 24); 6 Migration and Merge (page 25); Migrating an Encryption Key Manager (EKM) 2.X Version during the EKM 3.
Overview 1 Dell Encryption Key Manager (EKM) 3.0 is an encryption utility that secures the data stored on LTO tape cartridges by managing encryption keys for Dell tape automation solutions, including the ML and TL PowerVault series. EKM 3.0 manages the lifecycle of tape encryption keys, including generation, distribution, administration, and deletion. This guide describes how to install, configure, and perform basic operations in Dell Encryption Key Manager 3.0 (EKM 3.0).
• Available disk storage (for EKM 3.0 installation and typical key storage): 5 GB NOTE: If the system on which you are installing EKM 3.0 has 24 or more CPUs, refer to the EKM 3.0 Release Notes for details on how to update EKM 3.0 after completing the installation. To access the EKM 3.0 Release Notes, go to support.dell.com/manuals, then navigate to Software → Systems Management → Dell Encryption Key Manager. Browser Requirements EKM 3.
Installing EKM 3.0 2 This chapter describes how to install EKM 3.0 on Windows and Linux. NOTE: If you are currently using EKM 2.X, Dell recommends maintaining your current infrastructure (servers, operating systems, tape libraries, etc. under EKM 2.X protection), unless you are experiencing problems. EKM 3.0 does not support virtual machines as hosts. If you are using a virtual machine as your EKM 2.X host, you must stay with EKM 2.X or migrate to a physical server.
Preparing for the Installation of EKM 3.0 in Red Hat Enterprise Linux This chapter describes the pre-installation steps for Dell Encryption Key Manager 3.0 in Red Hat Enterprise Linux. NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes. To prepare for the installation of EKM 3.0, perform the following steps: 1. Insert the EKM 3.
b) Double-click etc. c) Double-click Services. d) In the Services file, change 50000/tcp and 50000/udp to 50100/tcp and 50100/udp. e) Click Save. Continue to Performing the EKM 3.0 Installation Procedure. Performing the EKM 3.0 Installation Procedure This chapter describes how to install EKM 3.0. NOTE: The installation procedure takes approximately 45 minutes. Do not turn off the system until the installation completes. NOTE: If you are installing EKM 3.
– Cannot be longer than eight characters – Cannot begin with “ibm,” “sys,” “sql,” or a number – Cannot begin or end with an underscore character (_) – Cannot be a DB2-reserved word (for example, “users,” “admins,” “guests,” “public,” and “local”) or an SQL-reserved word – Cannot be a user name of an existing user on the system This is the ID for the EKM 3.0 DB2 database administrator account. EKM 3.0 creates a local user account on your system with this user name. 8.
17. The EKM Port defaults to 16310 in Windows and Linux. This is the recommended port. Click Next. NOTE: If the port provided is used by a different service, then the EKM 3.0 installer will prompt you to select a different port. Use the netstat command to determine the ports that are being used, then select a port that is available. Record the port number. You will use this port to access the EKM 3.0 portal. The Migration screen appears. This screen is used to migrate from EKM 2.X to EKM 3.0.
NOTE: If you migrated an EKM 2.X version into the newly-installed EKM 3.0, then Dell strongly recommends that you create a backup of EKM 3.0 to ensure the new keys are not lost. Refer to Creating a Backup of the Keystore. NOTE: If you are reinstalling EKM 3.0 and the installation fails due to an incomplete uninstall, perform the uninstall manually. Refer to Manually Uninstalling EKM 3.0 in Windows.
Setting up Primary and Secondary EKM 3.0 Servers 3 This chapter describes how to install, use, and uninstall EKM 3.0 on the primary and secondary servers. CAUTION: To prevent possible data loss due to an EKM 3.0 server failure, Dell recommends using a primary and secondary EKM 3.0 server setup. This configuration provides redundancy in the event that the primary EKM 3.0 server is down or unavailable. NOTE: You cannot have a primary EKM 3.0 and a secondary EKM 2.X server or vice versa. Installing EKM 3.
Using EKM 3.0 on the Secondary Server The secondary EKM 3.0 server is used for redundancy in the event that the primary EKM 3.0 server is down or unavailable. Use the backup created on the primary EKM 3.0 server to perform the restore operation on the secondary EKM 3.0 server periodically in order to keep the primary and secondary EKM 3.0 servers synchronized. Refer to Performing Backups and Restoring from a Backup. By default, the secondary EKM 3.
Performing Backups and Restoring from a Backup 4 You can perform a backup at any time. Performing a backup creates a backup file that contains the keystore, which contains devices and keys. Backups do not contain device groups, users, or user groups. The DB2 database contains these. You can restore from a backup at any time. NOTE: If keys are not backed up, they will not be served. If keys are not available to be served, encrypted backup jobs will fail.
11. When the backup file has been created, an Information pop-up window appears, confirming that the file was successfully created. In the pop-up window, click OK. The backup file you created displays in the table on the Backup and Restore screen. 12. Click Return home at the bottom of the screen. The Welcome to Dell Encryption Key Manager screen appears. Restoring from a Backup You can restore from a backup. You can use a backup to create secondary key servers as well as to recreate the EKM 3.
Using EKM 3.0 5 This chapter describes some basic EKM 3.0 operations. NOTE: EKM 3.0 is based on IBM Tivoli Key Lifecycle Manager (TKLM) V2 FixPack 2, but has been customized to support Dell tape library environments by selecting the relevant subset of TKLM features for tape. For EKM 3.0 usage information not covered in this guide, refer to the TKLM documentation, which includes the following: • IBM Tivoli Key Manager 2.0 Quick Start Guide • IBM Tivoli Key Manager 2.
Creating a Master Keystore This chapter describes how to create the master keystore. The first time you log into EKM 3.0, you must create the master keystore. NOTE: If you migrated an EKM 2.X keystore during the EKM 3.0 installation, a keystore is already created, and this procedure will not apply. NOTE: At a later point, if you want to create additional keys and/or key groups, refer to Creating Key Groups for the Device Group. To create the master keystore, perform the following steps. 1.
3. If at a later point you want to change the port settings for communication between EKM 3.0 and the tape library, ensure that the ports are changed within the tape library's settings, EKM 3.0, and the firewall of the system on which EKM 3.0 is installed. Configuring EKM 3.0 to Accept Devices that Contact EKM 3.0 for Keys This chapter describes how to configure the behavior of EKM 3.0 to handle devices that attempt to connect to EKM 3.0 to request keys.
4. Under Device family, select the LTO radio button. 5. In the Device group name field, enter a device group name. Dell recommends that you enter a name that reflects the use of this device group, for example, Accounting. 6. Click Create. An Information pop-up window informs you of the device family setting. 7. In the Information pop-up window, click OK. The device group is created. The new device group displays in the list on the Manage Device Groups screen.
Adding a Device to a Device Group This chapter describes how to add a device to an existing device group. NOTE: The default device groups in EKM 3.0 are FUTURE_DEVICES and LTO. NOTE: In order to add a device to a device group automatically, you must create a key group and a backup, or the tape library's key path diagnostics will fail and the device will not be added. Refer to Creating Key Groups for a Device Group and Creating a Backup of the Keystore for more information. 1. Log into the EKM 3.0 portal.
5. Select the key group that you want to modify. 6. Click Modify at the top of the table. The Modify Key Group subwindow appears. 7. In the Modify Key Group subwindow, select the desired radio button. If you select the Create additional keys in key group radio button, enter the number of keys you want to add to the key group in the Number of keys to create field. In the First three letters of key name field, enter three letters, which will be the prefix of the new keys.
Verifying the Server Certificate This chapter describes how to verify that the server certificate that you want to use is the certificate in use. To do this, perform the following steps: 1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears. 2. In the navigation pane, navigate to Dell Encryption Key Manager → Advanced Configuration → Server Certificates. The Administer Server Certificates screen appears. 3.
Press Enter. The command runs for a short amount of time, and the wsadmin command prompt appears. NOTE: The commands are case-sensitive. There are no spaces around the parentheses or brackets. Do not enter the less than and greater than symbols (< >) around variables. NOTE: To log out of the WebSphere server, type Exit and press Enter. Starting and Stopping the EKM 3.0 Server in Windows This chapter describes how to start and stop the EKM 3.0 server in Windows. 1.
Migration and Merge 6 During the EKM 3.0 installation, you can migrate EKM 2.X into EKM 3.0. After the EKM 3.0 installation, you can merge EKM 2.X into EKM 3.0. This chapter describes the merge and migration procedures. NOTE: You can only migrate or merge an EKM 2.X version that has been used to create keys.
Migrating an Encryption Key Manager (EKM) 2.X Version during the EKM 3.0 Installation Perform this procedure only if you are configuring the Migration screen during the EKM 3.0 installation. The Migration screen is used to migrate an Encryption Key Manager (EKM) 2.X version into EKM 3.0. NOTE: If you are currently using EKM 2.X, Dell recommends maintaining your current infrastructure (servers, operating systems, tape libraries, etc. that are under EKM 2.X protection), unless you are experiencing problems.
NOTE: If an error message displays, verify the path to your EKM 2.X directory. 6. Continue with the EKM 3.0 installation. Refer to Performing the EKM 3.0 Installation Procedure. NOTE: The password for the new EKM 3.0 keystore is the same password that was associated with the EKM 2.X keystore used for migration. CAUTION: Do not delete EKM 2.X after you have migrated its keys to EKM 3.0 since EKM 3.0 references the keystore that is in the EKM 2.X folder. In order to prevent EKM 2.
Merging Encryption Key Manager (EKM) 2.X into EKM 3.0 after Installing EKM 3.0 This chapter describes the post-installation EKM 2.X to EKM 3.0 merge procedure for Windows and Linux. This procedure uses the EKM 2.X to EKM 3.0 merge tool. Use this procedure if EKM 3.0 is already installed and configured and you want to merge EKM 2.X into EKM 3.0. NOTE: If you are using a primary/secondary EKM 3.0 server configuration, then you must perform the merge procedure only on the primary EKM 3.0 server.
Merge Tool Prerequisites Before running the merge tool, verify that the following requirements are met: • EKM 3.0 must be installed and the master keystore must be created or the merge procedure will fail. Refer to Creating a Master Keystore. • When merging from EKM 2.X to EKM 3.0, EKM 2.X and EKM 3.0 must be installed on the same operating system version. • If you have previously merged or migrated EKM 2.X into EKM 3.
8. Edit the KeyManagerConfig.properties file so that it contains only the following properties: – config.keygroup.xml.file – config.keystore.password.obfuscated – config.keystore.file – config.drivetable.file.url Delete the other lines. For an example, refer to Code Example in this procedure. 9. Add the following DB2 options to the new KeyManagerConfig.properties file: – jdbcURL = jdbc:db2://localhost:/ or jdbcURL = jdbc:db2://
11. Navigate to the EKM2DKMMerge folder on the EKM 3.0 installation media. From the EKM2DKMMerge folder, copy the EKM2DKMMerge.jar file to the folder you created earlier in this procedure (for example C:\EKM_Files in Windows, or /opt/EKM_Files in Linux). NOTE: You must use the same command prompt or terminal session for all of the following steps. If you change command prompts or terminal sessions, the CLASSPATH that you set will not automatically apply to other command prompts or terminal sessions. 12.
\TIPProfile\installedApps\TIPCell\tklm_kms.ear \com.ibm.tklm.server.api.jar;%WAS_HOME%\profiles\TIPProfile\installedApps \TIPCell\tklm_kms.ear\com.ibm.tklm.server.db.ejb.jar;%CLASSPATH% NOTE: Replace the drive letters as necessary. NOTE: If you are using 64–bit Windows, edit the batch file to replace Program Files in the CLASSPATH above with Program Files (x86).
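An added Python helper for steps 8 and 9 of this procedure (example code, not Dell's merge tool or anything shipped with EKM): it trims a copy of KeyManagerConfig.properties down to the four properties the merge tool needs, reports what it dropped so the operator can review it, and appends the jdbcURL line. The sample file contents are constructed, and the DB2 port and database name in the jdbcURL are placeholders because this page does not give them.

```python
"""Trim an EKM 2.X KeyManagerConfig.properties for the EKM2DKMMerge tool.

Keeps only the four properties the merge procedure lists, drops every other
line, and appends the DB2 jdbcURL option. The trimmed file still carries
config.keystore.password.obfuscated, so keep it in the same protected folder
as the keystore copy (C:\\EKM_Files or /opt/EKM_Files) and remove it afterwards.
"""
from typing import Dict, List

# The only EKM 2.X properties the merge tool should see (from the procedure).
KEEP = (
    "config.keygroup.xml.file",
    "config.keystore.password.obfuscated",
    "config.keystore.file",
    "config.drivetable.file.url",
)

# Placeholder: the DB2 port and database name are not given on this page.
JDBC_URL = "jdbc:db2://localhost:<DB2_PORT>/<DB2_DATABASE>"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of a Java .properties file; '#' and '!'
    comment lines and blank lines are skipped (the subset EKM 2.X uses)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def trim_for_merge(text: str, jdbc_url: str = JDBC_URL) -> List[str]:
    """Return the lines of the new file: the four kept properties in the
    order the procedure lists them, then the jdbcURL option. Refuses to
    produce a file if any required property is absent."""
    props = parse_properties(text)
    missing = [k for k in KEEP if k not in props]
    if missing:
        raise ValueError(f"required properties missing: {missing}")
    lines = [f"{k} = {props[k]}" for k in KEEP]
    lines.append(f"jdbcURL = {jdbc_url}")
    return lines


def dropped_properties(text: str) -> List[str]:
    """List the properties that trimming removes, for operator review."""
    return sorted(k for k in parse_properties(text) if k not in KEEP)


# Constructed sample of an EKM 2.X configuration, not a real customer file.
# The obfuscated password value is a made-up placeholder.
SAMPLE = """\
# EKM 2.X KeyManagerConfig.properties (constructed sample)
Audit.event.outcome = success,failure
config.keygroup.xml.file = FILE:C:/EKM_Files/KeyGroups.xml
config.keystore.password.obfuscated = 38198a3ff5
config.keystore.file = C:/EKM_Files/EKMKeys.jck
config.drivetable.file.url = FILE:C:/EKM_Files/drivetable.tbl
TransportListener.ssl.port = 443
"""

if __name__ == "__main__":
    print("dropped:", dropped_properties(SAMPLE))
    for line in trim_for_merge(SAMPLE):
        print(line)
```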
NOTE: If you receive the following error, you are attempting to migrate while a duplicate item is on the EKM 2.X server and the EKM 3.0 server. . Duplicate - =
- Migration failed. Please refer to the debug file for more information. Refer to Deleting the ekmcert Certificate, Keys, and Key Groups, and Renaming Devices If you receive the following error and you want to delete the key instead of renaming it, do not close the command prompt or terminal session.
Merge Failure If the merge procedure fails, perform the following steps: 1. Verify that the EKM 3.0 server is started. If it is not, start the EKM 3.0 server using the startserver command. Refer to Starting and Stopping the EKM 3.0 Server in Windows or Starting and Stopping the EKM 3.0 Server in Linux. 2. Close the command prompt. 3. Capture the debug log by saving it to another location or renaming it. The debug log is located in the following directory: :\Dell\EKM\bin\products\tklm\logs\debug.
Deleting the ekmcert Certificate, Keys, and Key Groups, and Renaming Devices When performing an EKM 2.X to EKM 3.0 merge, there cannot be duplicate ekmcert certificates, key aliases, key group aliases, or devices in EKM 2.X and on the EKM 3.0 server. NOTE: If there are duplicate keys or key groups, Dell recommends that you rename the duplicate keys and key groups in EKM 2.X before merging them into EKM 3.0. Refer to the EKM 2.X user's guide for more information.
ekmcert Certificate Deletion Each EKM 2.X installation has one ekmcert certificate. If you are merging or migrating more than one EKM 2.X into EKM 3.0, you must delete the ekmcert certificate in EKM 3.0 before attempting to merge a new EKM 2.X. Because ekmcert is a certificate and not a key, it is not part of any key groups on the EKM 3.0 server. Therefore, if you merged an EKM 2.X version into EKM 3.0 and then removed EKM 2.X key groups from EKM 3.
1. Log into the EKM 3.0 portal. Refer to Logging into the Encryption Key Manager 3.0 Portal. The Welcome to Dell Encryption Key Manager screen appears. 2. In the navigation pane, navigate to Dell Encryption Key Manager → Key and Device Management. The Key and Device Management screen appears. 3. In the Manage keys and devices drop-down menu, select LTO and click Go. The Key and Device Management screen appears. 4.
where is the name of the EKM 2.X keystore you are importing. For example: keytool -list -keystore EKMKeys.jck -storetype JCEKS The system prompts you for a password. 4. Enter the EKM 2.X keystore password and press Enter. The EKM 2.X keystore type, the ekmcert certificate, the keystore provider, and the keys in the EKM 2.X keystore are displayed. You will use the list of keys to compare against the EKM 3.0 keystore to verify that these keys are not in the EKM 3.0 keystore.
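The duplicate check that this procedure and the preceding section describe, as an added Python example (not part of the Dell guide): it parses the output of keytool -list for the EKM 2.X keystore, compares the aliases with those already on the EKM 3.0 server, and separates the ekmcert certificate (which must be deleted from EKM 3.0 before the merge) from duplicate keys (which Dell recommends renaming in EKM 2.X). The keytool output and the EKM 3.0 alias list are constructed samples; reading the EKM 3.0 aliases from the portal's Key and Device Management screen is an assumption.

```python
"""Find aliases that would collide in an EKM 2.X -> EKM 3.0 merge.

Input is the text printed by:
    keytool -list -keystore EKMKeys.jck -storetype JCEKS
plus the set of aliases already present on the EKM 3.0 server.
"""
import re
from typing import Dict, List, Set

# Entry kinds keytool prints for a JCEKS keystore.
ENTRY_TYPES = {"SecretKeyEntry", "PrivateKeyEntry", "trustedCertEntry"}
# "<alias>, <date with a comma>, <EntryType>," is one entry line.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .+?, (?P<kind>\w+),\s*$")


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map each alias in the keytool listing to its entry type. keytool
    lower-cases aliases, so the comparison is done in lower case too."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("kind") in ENTRY_TYPES:
            entries[m.group("alias").strip().lower()] = m.group("kind")
    return entries


def merge_conflicts(ekm2_listing: str, ekm3_aliases: Set[str]) -> Dict[str, List[str]]:
    """Return the aliases present on both sides, split into the ekmcert
    certificate (delete it from EKM 3.0 first) and keys (rename in EKM 2.X)."""
    ekm2 = parse_keytool_list(ekm2_listing)
    targets = {a.lower() for a in ekm3_aliases}
    dup = sorted(a for a in ekm2 if a in targets)
    return {
        "ekmcert": [a for a in dup if a == "ekmcert"],
        "keys": [a for a in dup if a != "ekmcert"],
    }


# Constructed keytool output for an EKM 2.X keystore (fingerprint is fake).
SAMPLE_KEYTOOL = """\
Keystore type: JCEKS
Keystore provider: IBMJCE

Your keystore contains 4 entries

ekmcert, Mar 5, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
key000000000000000000, Mar 5, 2012, SecretKeyEntry,
key000000000000000001, Mar 5, 2012, SecretKeyEntry,
acc000000000000000000, Mar 6, 2012, SecretKeyEntry,
"""

# Constructed aliases as they might appear on the EKM 3.0 server after an
# earlier merge (assumed to be read off the Key and Device Management screen).
SAMPLE_EKM3_ALIASES = {
    "ekmcert",
    "key000000000000000000",
    "key000000000000000001",
    "fin000000000000000000",
}

if __name__ == "__main__":
    conflicts = merge_conflicts(SAMPLE_KEYTOOL, SAMPLE_EKM3_ALIASES)
    if conflicts["ekmcert"]:
        print("delete ekmcert from EKM 3.0 before merging")
    for alias in conflicts["keys"]:
        print(f"rename key {alias} in EKM 2.X before merging")
```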
Uninstalling EKM 3.0 7 This chapter describes how to uninstall EKM 3.0 from Windows and Linux. CAUTION: Uninstalling EKM 3.0 will render all encrypted data written to the Dell PowerVault Tape Library via library-managed encryption (LME) unreadable. Ensure all critical data is restored before uninstalling EKM 3.0. If there is a possibility that you may reinstall EKM 3.0 in the future, create a backup before uninstalling EKM 3.0. Copy the EKM 3.
Uninstalling EKM 3.0 in Linux This procedure uses the EKM 3.0 uninstall program for Linux. NOTE: The uninstall process takes approximately 35 minutes. Do not turn off the system until the uninstall process completes. 1. Open a terminal session and navigate to /opt/dell/ekm/Uninstall_EKM. 2. Run Uninstall EKM by issuing the following command: ./Uninstall EKM A pop-up window appears. 3. Click Run in the pop-up window. The Uninstall EKM window appears. 4. Click Uninstall. The uninstall process runs. 5.
Troubleshooting 8 This chapter provides troubleshooting information, frequently asked questions, common error messages, and support contact information. NOTE: If your issue is not covered in this chapter, refer to the TKLM troubleshooting guide. For information on how to access the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.
System Prerequisite Checks EKM 3.0 performs system prerequisite checks before the installation. If you receive an error message after the License Agreement screen, follow the instructions in the error message. For the most common errors, refer to the items below for instructions. Minimum System Requirements Failed If you receive a Minimum System Requirements Failed error, click Cancel and Exit and confirm that your system meets the requirements.
NOTE: These are the minimum values required to install EKM 3.0 on Linux. EKM 3.0 may need more shared memory (kernel.shmmax) in order to install successfully. If the install fails, then uninstall EKM 3.0, increase kernel.shmmax by approximately 25%, and reinstall EKM 3.0. To uninstall EKM 3.0, refer to Uninstalling EKM 3.0. 2.
Error Codes To access a list of error codes and their descriptions, refer to the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media.
Windows Reference Files You can use the following log files and error files to troubleshoot issues with the EKM 3.0 Windows installation: • C:\tklm_install.stderr (standard error log file) • C:\tklmV2properties\*.log (DB2 install log files) • C:\Users\Administrator\IA-TIPInstall-00.txt (EKM 3.0 install log file) NOTE: This path applies to Windows Server 2008 versions. For Windows Server 2003 R2 with Service Pack 2, the EKM 3.
Linux Reference Files You can use the following log files and error files to troubleshoot issues with the EKM 3.0 Linux installation: • /root/IA-TipInstall_*.log • /tklm_install.stderr (standard error log file) • /tklmV2properties/*.log • /opt/dell/ekm/products/tklm/logs/audit/tklm_audit.
Manually Uninstalling EKM 3.0 When uninstalling EKM 3.0, first use the automated uninstall procedure. Refer to Uninstalling EKM 3.0. If the automated uninstall process fails, manually uninstall EKM 3.0. Manually Uninstalling EKM 3.0 in Windows If you are reinstalling EKM 3.0 and the installation fails due to an incomplete uninstall, perform the uninstall manually. If any item is already uninstalled, skip that step.
17. Navigate to Start → Administrative Tools → Computer Management . In the left pane, navigate to Local Users and Groups → Groups . In the right pane, delete the DB2 administrator groups (DB2ADMINS and DB2USERS). 18. In Windows Explorer, navigate to :\Users. Delete the folder that has the same name as the DB2 user name. 19. In Windows Explorer, navigate to :\Users\Administrator. Delete the IA-TIPInstall-xx log text file. 20. Stop and delete any of the following EKM 3.
1. Open a terminal session. 2. Remove the DB2 instance by issuing the following commands: cd /opt/dell/ekm/products/tklm/_uninst ./removeDB2Inst.sh ./removeDB2Inst.sh ./removeDB2Inst.sh ./removeDB2Inst.sh For example: ./removeDB2Inst.sh ./removeDB2Inst.sh ./removeDB2Inst.sh ./removeDB2Inst.sh /opt/dell/db2ekm /ekm_dell1 /home/db2ekm /db2ekm 3.
No. EKM 3.0 only supports the operating systems, their versions, editions, service pack levels, and bit levels listed in Hardware and Software Requirements. Can I copy files from the EKM 3.0 installer onto the hard disk on my system and install from my local system? No. EKM 3.0 only supports installation from the EKM 3.0 media. Refer to Installing EKM 3.0. During the EKM 3.0 installation, what do I do when I receive an error message stating that the silent install failed? Refer to the tklm_install.
1. Open a command prompt and navigate to the audit log file directory. In Windows, the audit log is located at :\Dell\EKM\products\tklm\logs\audit\tklm_audit.txt. In Linux, the audit log is located at: /opt/dell/ekm/products/tklm/logs/audit/tklm_audit.log. 2. Copy the current audit log file to a temporary file so it can be opened. The current audit log file is active and cannot be opened while being updated. 3. Open the temporary copy in a text editor (for example, WordPad).
import the certificate returned, and use it for encryption. For information on how to access the TKLM documentation, see the Documentation and Reference Materials section of the ReadThisFirst.txt file on the EKM 3.0 installation media. Known Issues and Their Resolutions Issue: I cannot create a backup. Description: Using Internet Explorer, you attempt to create a backup of the keystore. When you specify a backup location that does not exist, the backup is not created. Resolution: Do one of the following.
• Ignore the error. This error does not impact EKM 3.0 performance. • Use a different supported browser (for example, Internet Explorer 6.X or Firefox). Refer to Hardware and Software Requirements. Issue: I cannot sort information in tables. Description: Using the Filter fields at the top of the tables on the Administer Server Certificates, Backup and Restore, and Credential Store screens does not sort the items in the tables. Resolution: Click the header row of each column to sort the items.
Description: The system tray displays a green icon. Resolution: This is a known issue that does not affect the usability or reliability of EKM 3.0. When you log out of the system and log back in, the icon will not appear. Issue: When configuring the installation of EKM 3.0, some fields display a “0”. Description: When configuring the installation of EKM 3.0, some fields display a “0”. This happens when you use an installation profile when you install EKM 3.
Installing the compat-libstdc++ Library The compat-libstdc++-33-3.2.3-61 or later library must be installed before installing EKM 3.0 on Linux platforms. If you receive the following error while installing EKM 3.0 on Linux, you must install compat-libstdc++: Your operating system does not have the compat-libstdc++ packaged installed. To install compat-libstdc++: 1. In a terminal session, navigate to the compat-libstdc++ RPM file in the EKMPREREQLIBS folder on the EKM 3.