HP StorageWorks Secure Key Manager Pre-installation survey and checklists, for connecting to ETLA libraries (AJ087-96012, November 2008)

ManualsBrandsHP ManualsStorageEncryption and Key Management

Table Of Contents

HP StorageWorks Secure Key Manager Pre-installation survey and checklists, for connecting to ETLA libraries
- SKM pre-installation survey
- SKM pre-installation checklists

banner

HP StorageWorks Secure Key Manager

Pre-installation survey and checklists, for

connecting to ETLA libraries

Use the survey and checklist to establish system-wide information and ensure proper conﬁguration for the

Secure Key Man

ager (SKM) and the Enterprise Tape Libraries with Extended Tape Library Architecture

(ETLAs) to wh

ich the system is attached. This must be done before beginning system installation to

ensure success.

SKM pre-installation survey

The survey identiﬁes critical information HP needs to install and conﬁgure the HP Secure Key Manager

(SKM). The survey also identiﬁes prerequisites that must be in place prior to installation (for example,

ETLA library ﬁ rmware versions and conﬁgurations), even though they are not part of the HP SKM

installation service. Finally, the survey includes areas which you should consider prior to installation in

order to ensure your security policies are not subject to disruption, and can continue to function without

interruption if a disruption does occur. This includes reviewing site requirements and guidelines for

planning backups of the SKM.

NOTE:

Standard installation consists of installing two appliances and enrolling one ETLA Tape Library at

one location. Requirements exceeding the standard service, such as installing additional appliances,

enrolling multiple ETLA Tape Libraries, complex or custom implementation, or integration activities can

be accommodated at additional cost.

Sourcing the SKM security ofﬁcer (SO) role and ensuring installation support

TheSOrolewilldeﬁne and oversee the security policies for your data center, or even for the enterprise. If

you already have an SO and security polices, they will deﬁne how the SKM integrates and enhances

those policies. With HP’s SKM and ETLA tape libraries, the SO may be responsible for ensuring

the installation meets your company’s business objectives. This includes ensuring the correct libraries

and drives are selected for encryption, and selecting the appropriate key generation policies for your

business. After installation, the SO may be responsible for auditing those policies, and determining when

policy changes are needed.

AJ087-96012

Printed in the US

The information in this document is subject to change without notice.

AJ087-96012

3nd edition: November 2008

Summary of content (9 pages)

PAGE 1
banner HP StorageWorks Secure Key Manager Pre-installation survey and checklists, for connecting to ETLA libraries Use the survey and checklist to establish system-wide information and ensure proper configuration for the Secure Key Manager (SKM) and the Enterprise Tape Libraries with Extended Tape Library Architecture (ETLAs) to which the system is attached. This must be done before beginning system installation to ensure success.
PAGE 2
During installation someone representing your SO and your backup administrator must be present to enter passwords and answer any security-related and company-related questions that arise. After installation, they will also initiate tests HP has defined that will initialize, write, and read some scratch LTO4 media using your backup application.
PAGE 3
NOTE: Each node of the SKM cluster requires two (2) power connections to the rack’s power distribution unit. Due to the size of the secure bezel, the SKM requires 2U of the rack per appliance, 1U for the appliance and 1U blank below the appliance. HP recommends that a rack blank be installed in the unit directly below each appliance. Also, review the physical security implications of having the SKM at a site. The SKM will contain keys to your data, and is therefore of high value.
PAGE 4
Planning step: For each ETLA library, define a client account username and password. Passwords must not be a dictionary word, must be 8 characters, must contain both alpha and numeric characters, and must begin with a letter. Passwords are case-sensitive and can include special characters. Enrolling the ETLA libraries with the SKM Each of the ETLA libraries selected for encryption must be configured to use the SKM.
PAGE 5
Table 3 ETLA Tape Library 1 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 6
Table 4 ETLA Tape Library 2 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 7
Table 5 ETLA Tape Library 3 device information Library identifier (for example, asset # or location) Library type (EML or ESL) Advanced Secure Manager License is installed? (y/n) IP address of the library Library client user name Client password defined? (y/n) Library is partitioned, if appropriate? (y/n) Library or Partition 11 key generation policy (KT, KP, or NE) Partition 21 key generation policy Partition 31 key generation policy Partition 41 key generation policy Partition 51 key generation policy Par
PAGE 8
Table 6 SKM data Secure location is prepared? Rack space has been identified? Rack(s) is/are on the list of supported racks? Rack(s) contain sufficient power outlets (2 per node)? For appliance 1 Admin password defined? Cluster password defined? Local CA and Certificate information: Certificate Authority (CA) name CA common name Server certificate name Organization name Locality name State or province name Country name 8
PAGE 9
E-mail address of SO Web interface port number for appliance 1 Fully qualified host name for appliance 1 For appliance 1, network port 1 IP address Subnet mask Default gateway For appliance 1, network port 2 (optional) IP address Subnet mask (same as port 1 if blank) Default gateway (same as port 1 if blank) For appliance 2 Admin password defined? Web interface port number Fully qualified hostname For appliance 2, network port 1 IP address Subnet mask Default gateway For appliance 2, network port 2 (optiona