HP StorageWorks Secure Key Manager pre-installation survey and checklists (AJ087-96009, May 2008)

ManualsBrandsHP ManualsStorageEncryption and Key Management

banner

HP StorageWorks Secure Key Manager

pre-installation survey and checklists

Use the survey and checklist to establish system-wide information and ensure proper conﬁguration for

the SKM and the

Enterprise Tape Libraries with Extended Tape Library Architecture (ETLAs) to which the

system is attached. This must be done before beginning system installation to ensure success.

SKM pre-installation survey

The survey identiﬁes critical information HP needs to install and conﬁgure the HP Secure Key Manager

(SKM). The survey also identiﬁes prerequisites that must be in place prior to installation (for example,

ETLA library ﬁrmware versions and conﬁgurations), even though they are not part of the HP SKM

installation service. Finally, the survey includes areas which you should consider prior to installation in

order to ensure your security policies are not subject to disruption, and can continue to function without

interruption if a disruption does occur. This includes reviewing site requirements and guidelines for

planning backups of the SKM.

NOTE:

Standard installation consists of installing two appliances and enrolling one ETLA Tape Library at

one location. Requirements exceeding the standard service, such as installing additional appliances,

enrolling multiple ETLA Tape Libraries, complex or custom implementation, or integration activities can

be accommodated at additional cost.

Sourcing the SKM security ofﬁcer (SO) role and ensuring installation support

TheSOrolewilldeﬁne and oversee the security policies for your data center, or even for the enterprise. If

you already have an SO and security polices, they will deﬁne how the SKM integrates and enhances

those policies. With HP’s SKM and ETLA tape libraries, the SO may be responsible for ensuring

the installation meets your company’s business objectives. This includes ensuring the correct libraries

and drives are selected for encryption, and selecting the appropriate key generation policies for your

business. After installation, the SO may be responsible for auditing those policies, and determining when

policy changes are needed.

During installation someone representing your SO and your backup administrator must be present

to enter passwords and answer any security-related and company-related questions that arise. After

installation, they will also initiate tests HP has deﬁned which will initialize, write, and read some scratch

LTO4 media using your backup application.

AJ087-96009

Printed in the US

The information in this document is subject to change without notice.

AJ087-96009

2nd edition: May, 2008

Summary of content (9 pages)

PAGE 1
banner HP StorageWorks Secure Key Manager pre-installation survey and checklists Use the survey and checklist to establish system-wide information and ensure proper configuration for the SKM and the Enterprise Tape Libraries with Extended Tape Library Architecture (ETLAs) to which the system is attached. This must be done before beginning system installation to ensure success.
PAGE 2
Planning step: Designate someone to represent the SO and your backup administrator who will be present during all steps of the SKM configuration, the enrollment of the ETLA libraries, and validation testing of the HP SKM solution. Designing the cluster, identifying any cross-geography requirements The HP SKM is deployed in a minimum configuration of 2 SKM nodes. These nodes may be deployed in the same or different physical locations.
PAGE 3
Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to your data, and is therefore of high value. Physical security must be appropriate to that value. Planning step: Review the installation site(s) and ensure they have adequate capacity and security to meet your business requirements, and to meet the equipment power, rack, and cooling requirements.
PAGE 4
Planning step: For each ETLA library, define a client account username and password. Passwords must not be a dictionary word, must be 8 characters, must contain both alpha and numeric characters, and must begin with a letter. Passwords are case-sensitive and can include special characters. Enrolling the ETLA libraries with the SKM Each of the ETLA libraries selected for encryption must be configured to use the SKM.
PAGE 5
Table 3 ETLA Tape Library 1 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 6
Table 4 ETLA Tape Library 2 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 7
Table 5 ETLA Tape Library 3 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 8
Organization name Locality name State or province name Country name 8
PAGE 9
E-mail address of SO Web interface port number for appliance 1 Fully qualified host name for appliance 1 For appliance 1, network port 1 IP address Subnet mask Default gateway For appliance 1, network port 2 (optional) IP address Subnet mask (same as port 1 if blank) Default gateway (same as port 1 if blank) For appliance 2 Admin password defined? Web interface port number Fully qualified hostname For appliance 2, network port 1 IP address Subnet mask Default gateway For appliance 2, network port 2 (optiona