USER’S GUIDE
Quantum Encryption Key Manager
Scalar Libraries
6-01847-02
Quantum Encryption Key Manager User’s Guide, 6-01847-02, Rev A, August 2010. Product of USA.
Quantum Corporation provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Quantum Corporation may revise this publication from time to time without notice.
COPYRIGHT STATEMENT
Copyright 2010 by Quantum Corporation. All rights reserved.
Contents
Preface viii
Chapter 1 Overview 1
Library Managed Encryption 2
Encryption-Enabled Tape Drive 2
Quantum Encryption Key Management (Q-EKM) 2
Encryption-Enabled Tape Library 2
Managing Encryption With Q-EKM
Supported Libraries and Tape Drives 10
Supported Media 11
Library Firmware Requirements 11
Tape Drive Firmware Requirements 11
Linux System Library Requirements
Chapter 6 Sharing Encrypted Tapes – Import/Export Operations 39
Sharing Encrypted Tape Cartridges 39
Special Considerations for Exchanging Files Between Linux and Windows Servers 41
Understanding How Q-EKM Uses Aliases 41
Public Certificate Alias
Appendix A Setting the System Path Variable in Windows 74
Glossary 75
Index 78
Figures
Figure 1 Q-EKM Components 4
Figure 2 Single Q-EKM Server 13
Figure 3 Two Q-EKM Servers 14
Figure 4 Password Changes Menu 26
Figure 5 Q-EKM Commands Menu
Preface
Audience
This book is intended for storage and security administrators responsible for security and backup of vital data, and anyone assisting in the setup and maintenance of Quantum Encryption Key Manager (Q-EKM) servers in the operating environment. It assumes the reader has a working knowledge of storage devices and networks.
Purpose
This book contains information to help you use the Q-EKM component for the Java™ platform.
Document Organization
This document is organized as follows:
• Chapter 1, Overview, provides an overview of tape encryption and the Quantum Encryption Key Manager (Q-EKM) components.
• Chapter 2, Planning Your Q-EKM Environment, provides the information you need and the factors you should consider when determining the best configuration for your Q-EKM environment.
• Chapter 3, Tips for Success, provides tips for maintaining successful Q-EKM operations and recovery in case of server failure.
Warning: Warnings indicate potential hazards to personal safety and are included to prevent injury.
This manual also uses the following conventions:
Convention / Usage
bold: Bold words or characters represent system elements that you must use literally, such as command names, file names, flag names, path names, and selected menu options.
Arial regular text: Examples, text specified by the user, and information that the system displays appear in Arial regular font.
Related Documents
Contacts
Quantum company contacts are listed below.
Quantum Corporate Headquarters
To order documentation on Quantum Encryption Key Manager or other products contact:
Quantum Corporation (Corporate Headquarters)
1650 Technology Drive, Suite 700
San Jose, CA 95110-1382
Technical Publications
To comment on existing documentation send an e-mail to: doc-comments@quantum.com
Quantum Home Page
Visit the Quantum home page at: http://www.quantum.
• eSupport – Submit online service requests, update contact information, add attachments, and receive status updates via e-mail. Online Service accounts are free from Quantum. That account can also be used to access Quantum’s Knowledge Base, a comprehensive repository of product support information. Sign up today at: http://www.quantum.com/osr
Non-Quantum Support
Red Hat Information
The following URL provides access to information about Red Hat Linux® systems:
• http://www.redhat.
Chapter 1 Overview
Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in our security-conscious world. Data encryption is a tool that answers many of these needs. IBM LTO-4 and LTO-5 Fibre Channel and SAS tape drives are capable of encrypting data as it is written to compatible data cartridges.
Library Managed Encryption
The library managed tape drive encryption solution is composed of the following elements:
• Encryption-Enabled Tape Drive
• Quantum Encryption Key Management (Q-EKM)
• Encryption-Enabled Tape Library
Encryption-Enabled Tape Drive
IBM LTO-4 and LTO-5 Fibre Channel and SAS tape drives are encryption-capable. This means that they are functionally capable of performing hardware encryption, but this capability has not yet been activated.
Library managed encryption is provided for IBM LTO-4 and LTO-5 tape drives in Quantum Scalar tape libraries (see Supported Libraries and Tape Drives on page 10).
Managing Encryption With Q-EKM
Quantum Encryption Key Manager (Q-EKM) generates, protects, stores, and maintains data encryption keys that are used to encrypt information being written to, and decrypt information being read from, tape media (tape and cartridge formats).
Quantum Encryption Key Manager (Q-EKM) Components
Q-EKM is part of the IBM Java environment and uses the IBM Java Security components for its cryptographic capabilities.
Keystore
The keystore is defined as part of the Java Cryptography Extension (JCE) and an element of the Java Security components, which are, in turn, part of the Java runtime environment. Q-EKM supports the JCEKS keystore. The keystore contains:
• The 1024 data encryption keys generated by the Q-EKM server on which it resides. These keys are used for encrypting and decrypting tapes.
Configuration Files
The configuration files contain the configuration information for your Q-EKM server installation. The two configuration files are named:
• ClientKeyManagerConfig.properties
• KeyManagerConfig.properties
The configuration files are located in the root QEKM directory as follows:
Windows: c:\Program Files\Quantum\QEKM
Linux: /opt/Quantum/QEKM
Caution: Do not edit these files.
Encryption Keys
Q-EKM uses two types of encryption algorithms:
• Symmetric
• Asymmetric
Symmetric, or secret key encryption, uses a single key for both encryption and decryption. Symmetric key encryption is generally used for encrypting large amounts of data in an efficient manner. 256-bit AES keys are symmetric keys.
Asymmetric, or public/private encryption, uses a pair of keys. Data that is encrypted using one key can only be decrypted using the other key in the public/private key pair.
Encryption Certificates
Each Q-EKM server pair uses one unique encryption certificate. The encryption certificate contains the public key of the public/private key pair that protects data encryption keys during transit to another site. The destination Q-EKM server provides its public key to the source Q-EKM server as part of its public certificate, which the source Q-EKM server uses to wrap (encrypt) exported data encryption keys for transport.
Chapter 2 Planning Your Q-EKM Environment
Use the information in this chapter to determine the best Q-EKM configuration for your needs. Many factors must be considered when you are planning how to set up your encryption strategy. Please review these topics with care.
System Requirements
• The Q-EKM server must have IP connectivity through any firewalls to all Quantum libraries using the Q-EKM server to obtain data encryption keys. The Q-EKM firmware uses TCP port 3801 for the Q-EKM server and TCP port 443 for SSL, by default.
• Domain Name System (DNS) must be configured on all Q-EKM servers in order for the servers to communicate successfully.
Supported Media
Q-EKM supports IBM LTO-4 and IBM LTO-5 media.
Library Firmware Requirements
It is recommended that you upgrade your library to the latest released version.
Tape Drive Firmware Requirements
It is recommended that you upgrade your tape drive firmware to the latest version qualified with your library firmware.
Linux System Library Requirements
Q-EKM Server Configurations
Q-EKM can be installed as a Single-Server Configuration or as a Two-Server Configuration.
Single-Server Configuration
A single-server configuration, shown in Figure 2, is the simplest Q-EKM configuration. However, because of the lack of redundancy, it is not recommended. In this configuration, all tape drives rely on a single key manager server with no backup.
Figure 2 Single Q-EKM Server
Two-Server Configuration
The recommended two-server configuration allows the library to automatically fail over to the secondary Q-EKM server should the primary Q-EKM server be inaccessible for any reason.
Note: When different Q-EKM servers are used to handle requests from the same set of tape drives, the information in the associated keystores MUST be identical.
importing certificates and keys) must be manually duplicated on the secondary server (see Keeping the Keystores Matched on page 36).
Figure 3 Two Q-EKM Servers
Multiple Libraries Accessing One Q-EKM Server or Server Pair
Multiple libraries may access and use the same Q-EKM server (in a single-server configuration) or server pair.
• Each library can only be configured to use one Q-EKM server/pair at a time.
• The ports configured on the library must be set to the same values as the ports on the Q-EKM server (see Changing the Communication Port Settings on page 37 and your library user’s guide for details).
Disaster Recovery Planning
Quantum recommends that you plan for disaster recovery in the event that your primary and secondary servers become unavailable. Disaster recovery requires that you maintain, in a secure location, current, non-Q-EKM encrypted copies of the following files:
• ClientKeyManagerConfig.properties
• EKMKeys.jck
• KeyManagerConfig.properties
• library_serialnum
• library_wwnamekey
• QEKMIEKey.
Chapter 3 Tips for Success
Do these things to ensure optimal performance and successful recovery in case of server loss:
• Remember your keystore password — otherwise you can’t import and export certificates and keys, or share encrypted tapes with other sites.
• Remember your Q-EKM admin password — otherwise you can’t log onto Q-EKM Commands or upgrade your system.
• Save a copy of your keystore and configuration files from your initial install.
• Back up your keystore and configuration files regularly. In case of catastrophic server failure, a current backup will allow you to start up again immediately right where you left off.
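A scripted form of the backup advice above and of Disaster Recovery Planning in Chapter 2, added here as an example rather than a Quantum tool: it copies the listed keystore and configuration files as plain, unencrypted files and records SHA-256 digests so a backup can be checked before it is ever needed. It assumes a POSIX shell with sha256sum or shasum on PATH; the manifest file name and the function names are this example's own, and QEKM_BACKUP_FILES holds only the entries legible in this copy of the guide.

```shell
#!/bin/sh
# Added example, not part of Q-EKM: back up the Q-EKM keystore and configuration
# files as plain copies (never encrypted with Q-EKM itself) plus a SHA-256
# manifest, and verify a backup against that manifest.
# Assumes: POSIX sh; sha256sum (coreutils) or shasum (macOS/BSD) on PATH.

# Files the guide says to keep safe copies of. The guide's list continues beyond
# what is legible here; extend this list with any remaining entries.
QEKM_BACKUP_FILES="ClientKeyManagerConfig.properties EKMKeys.jck KeyManagerConfig.properties library_serialnum library_wwnamekey"

# qekm_digest: print the hex SHA-256 of stdin.
qekm_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# backup_qekm SRC_DIR DEST_DIR
# Copies each listed file from SRC_DIR (e.g. /opt/Quantum/QEKM) to DEST_DIR,
# restricts the copies to the owner, and writes DEST_DIR/MANIFEST.sha256.
# Returns 1 if any expected file is missing, so a partial backup is not
# mistaken for a complete one.
backup_qekm() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST.sha256"
    status=0
    for f in $QEKM_BACKUP_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "backup_qekm: missing $src/$f" >&2
            status=1
            continue
        fi
        cp "$src/$f" "$dest/$f" || return 1
        chmod 600 "$dest/$f"
        printf '%s  %s\n' "$(qekm_digest < "$dest/$f")" "$f" >> "$dest/MANIFEST.sha256"
    done
    return $status
}

# verify_qekm_backup DEST_DIR
# Recomputes every digest in the manifest; returns 1 on a missing file or a
# mismatch (media corruption, or a file edited after the backup was taken).
verify_qekm_backup() {
    dest=$1
    [ -f "$dest/MANIFEST.sha256" ] || return 1
    status=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dest/$name" ]; then
            echo "verify_qekm_backup: missing $dest/$name" >&2
            status=1
        elif [ "$(qekm_digest < "$dest/$name")" != "$want" ]; then
            echo "verify_qekm_backup: digest mismatch for $name" >&2
            status=1
        fi
    done < "$dest/MANIFEST.sha256"
    return $status
}
```

Run it as `backup_qekm /opt/Quantum/QEKM /secure/qekm-backup-$(date +%F)` after every certificate or key import, then `verify_qekm_backup` on the copy that was moved off the server.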
Chapter 4 Upgrading Q-EKM
Upgrading updates the Q-EKM software to the latest version, preserving your keystore and configuration settings.
Note: If you have a Q-EKM server pair, you should upgrade both Q-EKM servers in the pair. You may upgrade them at the same time or with time in between upgrades. The order of the steps presented here is for upgrading servers with time between upgrades.
1 Stop all host I/O communication to the Q-EKM server.
2 On all libraries that access the Q-EKM server, make the following configuration changes (see your library user’s guide or online help for instructions):
a If automatic EKM path diagnostics is enabled, disable it.
b For all partitions configured for library managed encryption, make sure all move operations are completed.
c Turn all partitions configured for library managed encryption offline.
5 Insert the upgrade CD into your Q-EKM server’s CD-ROM drive. If the CD does not autorun, do the following:
Windows: Do one of the following:
• Navigate to the CD directory and double-click the file named installWindows.bat; or
• Open a command window. Change the directory to the root directory on the CD. At the command prompt, enter installWindows.bat.
Linux: Open a command window. Change the directory to the Q-EKM CD directory. At the command prompt, enter sh installLinux.sh.
9 If the Q-EKM server is running, you are prompted for the Q-EKM admin password. Enter the password (see Q-EKM Admin Password on page 25). If the Q-EKM server is not running, no password is requested. The Q-EKM server process confirms it is stopped.
10 When prompted, press . The old JRE is removed and a new one is installed. This may take a few minutes. The Q-EKM server process restarts. When the upgrade process is complete, you are prompted to press .
18 Make a copy of the keystore and configuration files and store these in a secure location. If you were to ever lose your servers, you could recover with this backup. (It is preferable to use a current backup [see Backing Up Keystore and Configuration Data on page 15], but you should keep this also in a secure location in case nothing else exists.) Do NOT use Q-EKM to encrypt this backup! The files you need to copy are:
• ClientKeyManagerConfig.properties
• EKMKeys.
Chapter 5 Q-EKM Server Operation and Configuration
This chapter details the Q-EKM passwords you will use and the commands available to customers via the command line interface.
Overview
Once installed, Q-EKM performs all of its operations from a single folder on your server. The folder is called QEKM and is located here:
Windows: c:\Program Files\Quantum\QEKM
Linux: /opt/Quantum/QEKM
This folder contains log files, your keystore, and configuration files. To access the Q-EKM user interface to perform operations, you need to log into the Q-EKM commands menu (see Logging On to Q-EKM Commands on page 27).
Using and Changing Passwords
Changing the Q-EKM Admin Password
Caution: It is CRITICAL that you remember the Q-EKM admin password! Without it, you will not be able to issue any Q-EKM commands.
1 Log on to Q-EKM Commands (see Logging On to Q-EKM Commands on page 27).
2 At the Enter Command prompt, enter 4 (for Change passwords). The Q-EKM password change menu displays (see Figure 4).
The keystore password is case sensitive, must contain a minimum of 6 characters and a maximum of 24 characters, and can contain any combination of letters, numbers, and special characters.
Note: Not all special characters are supported (for example, the “at” symbol [@] and asterisk [*] are not supported). If you get a message stating “invalid password,” one of your special characters may not be supported.
2 Navigate to the correct directory:
Windows: C:\Program Files\Quantum\QEKM (Alternatively, you may choose to update your Windows system path variable — see Appendix A, Setting the System Path Variable in Windows.)
Linux: /opt/Quantum/QEKM
3 Enter the following command to access the command menu:
Windows: qekmcmds
Linux: ./qekmcmds
4 Enter the Q-EKM admin password (see Q-EKM Admin Password on page 25).
Figure 5 Q-EKM Commands Menu
Q-EKM Server Commands
Q-EKM commands are presented in a menu format. For instructions on accessing these commands, see Logging On to Q-EKM Commands on page 27.
Caution: Any commands that change configuration settings will shut down and then restart the Q-EKM server process. Do not perform such commands if backup operations are in process.
Displaying the Q-EKM Software Version
The Q-EKM software version is displayed in the first line of the Q-EKM commands menu (see Logging On to Q-EKM Commands on page 27). You can also find the software version listed in the qekm_version file located in the QEKM directory:
Windows: c:\Program Files\Quantum\QEKM
Linux: /opt/Quantum/QEKM
Displaying the Q-EKM Server On/Off Status
Displays whether the Q-EKM server is running or stopped.
2 At the Enter Command prompt, enter 3. You receive the following message:
Starting EKM Server... Please check the logs to make sure EKM Server has started successfully.
3 Press to return to the command menu.
be asked to turn debug logging on and then re-create the problem in order to generate troubleshooting data.
Note: Remember to turn debug off once you have finished gathering data. If you forget to do this and the file becomes too large, stop the Q-EKM server process, delete the debug_server file, and restart the Q-EKM server process. This re-creates the debug log with no data in it.
6 Verify the Q-EKM server process started by doing one of the following:
• Issue the Display the Q-EKM server status command (see Displaying the Q-EKM Server On/Off Status on page 30), or
• Check the native_stdout.log file (located in the keymanager folder in the QEKM directory; see Standard Out Messages Log on page 66).
7 Press to return to the command menu.
Synchronizing Primary and Secondary Q-EKM Servers
Note: In order to synchronize properly, the TCP and SSL ports on the primary and secondary Q-EKM servers must be set to the same values. Synchronization causes the entire configuration files of the primary server to overwrite the configuration files on the secondary server.
4 When prompted, enter the secondary Q-EKM server’s IP address.
Caution: Ensure you enter the correct IP address of the secondary Q-EKM server. If you enter the wrong IP address, changes to the configuration files will not be synchronized to the secondary server.
You receive a message that looks similar to the following:
Sync IP address: x.x.x.x port: 443
ipaddress=x.x.x.x
1 file(s) moved.
8 Press . The synchronization setup completes and the first sync occurs. You receive several lines of confirmation text:
* Verify primary to secondary server sync has been configured.
* Primary to secondary sync has been configured.
Syncing primary to secondary
---------------------------------------------
Sync completed
---------------------------------------------
Press to return to the command menu.
Changing the Communication Port Settings
Changes the communication port settings on the Q-EKM server. You should not need to change the default port settings unless the default ports are being used by other software on the host. The Q-EKM server is set up with the following ports by default:
• TCP Port (also referred to as the EKM Port) – Default Value 3801
• SSL Port – Default Value 443.
8 Verify the Q-EKM server process started by doing one of the following:
• Issue the Display the Q-EKM server status command (see Displaying the Q-EKM Server On/Off Status on page 30), or
• Check the native_stdout.log file (located in the keymanager folder in the QEKM directory; see Standard Out Messages Log on page 66).
Chapter 6 Sharing Encrypted Tapes – Import/Export Operations
This chapter covers:
• Sharing Encrypted Tape Cartridges
• Special Considerations for Exchanging Files Between Linux and Windows Servers
• Understanding How Q-EKM Uses Aliases
• Why You Should Not Change File Names
• Exporting the Public Certificate
• Importing a Public Certificate
• Exporting Data Encryption Keys
• Importing Data Encryption Keys
• Displaying the Native Public Certificate
• Displaying Imported Public Certificates
Sharing Encrypted Tape Cartridges
Q-EKM creates unique key aliases across all Q-EKM installations worldwide (see Understanding How Q-EKM Uses Aliases on page 41). This ensures that you can safely share Q-EKM-encrypted tapes with other sites or companies. In order to share encrypted data on an encrypted tape, a copy of the symmetric key used to encrypt the data on the tape must be made available to the other organization to enable them to read the tape.
Special Considerations for Exchanging Files Between Linux and Windows Servers
When moving public certificate files and key files between Linux and Windows servers, make sure the files are copied and transported in binary format. Files transported in other formats, such as ASCII, will become corrupted. (Windows defaults to ASCII; FTP generally creates ASCII output.
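A receiving-side check for the transport problem described above, added as an example and not part of Q-EKM: it compares the received certificate or key file with the SHA-256 digest the sender computed before transfer, and distinguishes an ASCII-mode line-ending rewrite from other damage. It assumes the sender passes the digest along separately (a mail message or a phone call) and that sha256sum or shasum is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Q-EKM: confirm that a public certificate or key
# file arrived intact, and tell an ASCII-mode transfer apart from other damage.
# Assumes: the sender computed the file's SHA-256 before sending it and passed
# the digest along separately; sha256sum or shasum is on PATH.

# qekm_digest: print the hex SHA-256 of stdin.
qekm_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# check_qekm_transfer FILE EXPECTED_SHA256
# Returns 0 when FILE matches the sender's digest, 2 when it matches only after
# carriage returns are removed (LF was rewritten to CRLF in transit, the mark
# of a text/ASCII-mode copy from Linux to Windows), and 1 for any other
# mismatch. The reverse damage (CR bytes stripped on the way to Linux) cannot
# be undone and also shows up as 1. Anything other than 0 means: discard the
# file and ask the sender for a binary-mode copy.
check_qekm_transfer() {
    file=$1; want=$2
    [ -f "$file" ] || return 1
    have=$(qekm_digest < "$file")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    if [ "$(tr -d '\r' < "$file" | qekm_digest)" = "$want" ]; then
        echo "check_qekm_transfer: $file was altered by line-ending conversion; re-send in binary mode" >&2
        return 2
    fi
    echo "check_qekm_transfer: $file does not match the sender's digest" >&2
    return 1
}
```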
case, the recipient is asked to enter the library serial number when importing the file. In these cases, the originator must supply the alias.
The reasons you should NOT change file names are:
• The default file name contains an alias, which is either the library serial number or WWN key (see Understanding How Q-EKM Uses Aliases on page 41). The alias is required in order to import the file.
Figure 7 Key Import/Export Menu
3 At the command prompt, enter 3 (for Export public certificate).
4 Enter the keystore password (see Keystore Password on page 26).
5 You are requested to “Enter a file name for the public certificate or press enter [QEKMIECert.cer]:” The name in [brackets] is the default file name of your native public certificate file.
8 If you changed the default name of the public certificate file so that it no longer includes the library serial number (the default name is QEKMIECert.cer), you must provide the library serial number along with the public certificate file to the source Q-EKM server administrator, because they need it to export their keys for you. See Understanding How Q-EKM Uses Aliases on page 41 for more information.
7 Possible Step: You may be asked to enter the library serial number associated with the public certificate. If you are not asked for the library serial number, then skip this step. You will be asked for the library serial number if the default name of the key file was changed and Q-EKM cannot identify the library serial number from the file name (the default name is QEKMIECert.cer).
The keystore file is called EKMKeys.jck and is located in the QEKM directory of the Q-EKM server:
Windows: c:\Program Files\Quantum\QEKM
Linux: /opt/Quantum/QEKM
Exporting Data Encryption Keys
In order for another Q-EKM server (i.e., the “destination server”) to read tapes encrypted by your Q-EKM server, you need to export the encryption keys used to encrypt those tapes and send them to the destination server.
5 Enter your keystore password. A list of certificates available to export keys displays. The list includes your Q-EKM server’s native public certificate and all public certificates that you have ever imported.
9 Send the data encryption key file to the administrator of the destination Q-EKM server.
Note: If sending between Linux and Windows systems, make sure the files are copied and transported in binary format (see Special Considerations for Exchanging Files Between Linux and Windows Servers on page 41).
You are asked to enter one of the listed WWN keys to identify the range of keys that you want to export. Each range represents a set of 1024 encryption keys that you imported. You will need to know the WWN key of the set that you want to export. If you don’t know the WWN key, your choices are either:
• Get the WWN key from the original owner of the key set.
If you change the default name of the exported encryption key file so that it no longer includes the WWN key (the default name is EXK00E09E_.jck), you must provide the library WWN key that you selected for the export in Step 7 along with the encryption key file to the destination Q-EKM server administrator, because they need it to import your keys.
7 Possible Step: You may be asked to enter the WWN key for the imported keys. If you are not asked for the WWN key, then skip this step. You will be asked for the WWN key if the default name of the key file was changed and Q-EKM cannot identify the WWN key from the file name (the default name is EXK00E09E_.jck).
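The exchange behind the export and import procedures above (and behind Encryption Certificates in Chapter 1), modelled with openssl as an added example: this is not Q-EKM's code, and Q-EKM's own file formats and wrapping algorithm are not described in this guide. The destination site generates a key pair and exports a certificate; the source site imports that certificate and wraps a 256-bit data encryption key under its public key; only the destination's private key can unwrap it. It assumes openssl 1.1 or later on PATH; the file names and the RSA-OAEP padding are the example's choices.

```shell
#!/bin/sh
# Added example, not Q-EKM code: the certificate/key exchange between two sites,
# modelled with openssl. Q-EKM's real file formats and wrapping algorithm are
# not shown in this guide; RSA-OAEP and the file names below are this example's.
# Assumes: openssl (1.1 or later) on PATH.

# destination_make_cert DIR
# Destination site: create a key pair and a self-signed certificate. DIR/priv.pem
# never leaves this site; DIR/pub.cer is the "public certificate" that is
# exported and sent to the source site.
destination_make_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=QEKM-destination" \
        -keyout "$dir/priv.pem" -out "$dir/pub.cer" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/priv.pem"
}

# source_wrap_key IMPORTED_CERT DEK_FILE OUT_FILE
# Source site: extract the public key from the imported certificate and wrap the
# 256-bit AES data encryption key under it. OUT_FILE is what travels to the
# destination; the plaintext key never does.
source_wrap_key() {
    cert=$1; dek=$2; out=$3
    pub=$(mktemp) || return 1
    openssl x509 -in "$cert" -pubkey -noout > "$pub" || { rm -f "$pub"; return 1; }
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$dek" -out "$out"
    rc=$?
    rm -f "$pub"
    return $rc
}

# destination_unwrap_key PRIV_KEY WRAPPED_FILE OUT_FILE
# Destination site: recover the data encryption key with the private key. With
# any other private key the OAEP check fails and openssl returns non-zero, which
# is exactly why an intercepted key file is useless without the matching key.
destination_unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}
```

The wrapped file is what the guide calls the exported data encryption key file; the point the guide makes about aliases still applies, since the destination needs to know which key set the wrapped material belongs to.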
Displaying the Native Public Certificate
You can view the contents of your Q-EKM server’s native public certificate, including the alias (see Public Certificate Alias on page 41), owner/issuer, and validity dates. To display the information:
1 Log on to Q-EKM Commands (see Logging On to Q-EKM Commands on page 27).
2 At the Command Prompt, enter i (for the Import/Export keys option).
4 Enter your keystore password (see Keystore Password on page 26). The information is displayed. If it just displays “Keystore entries: xxxx” that means you have no imported certificates.
5 Press to return to the Key Import/Export menu.
Chapter 7 Running Reports
This chapter details the reports you can run from the Q-EKM commands menu. The reports are:
• Drives that Accessed the Q-EKM Server
• Q-EKM Server Keys
• End User License Agreement
• Available WWN Key Ranges for Export
Drives that Accessed the Q-EKM Server
This report provides a list of all drives that have ever successfully asked for a key from the Q-EKM server.
To generate the tape drive report:
1 Log on to Q-EKM Commands (see Logging On to Q-EKM Commands on page 27).
2 At the Enter Command prompt, enter r (for Reports). The Q-EKM Reports menu displays (see Figure 8).
Figure 8 Reports Menu
3 Enter 1 (for List drives that have accessed the Q-EKM server). The information is displayed on the screen and also collected and saved to a file. The name and location of the file is displayed.
Q-EKM Server Keys
This report provides a list of all the data encryption keys and certificates in the keystore. The list includes the keys and certificates generated by your Q-EKM server, plus all of the keys and certificates you imported. The data is displayed on the screen and also saved to a file. The file is named keyreport.
To generate the key report:
1 Log on to Q-EKM Commands (see Logging On to Q-EKM Commands on page 27).
2 At the Enter Command prompt, enter r (for Reports).
End User License Agreement
The End User License Agreement (EULA) is presented during the installation or upgrade process and must be accepted by the user before installation/upgrade can take place. If you wish to review the EULA at any time thereafter, do the following:
2 At the Enter Command prompt, enter r (for Reports). The Q-EKM Reports menu displays (see Figure 8 on page 57).
3 Enter 4 (for Display available wwname key ranges for export).
Chapter 8 Troubleshooting
This chapter covers:
• Frequently Asked Questions
• What to do if Your Q-EKM Server Fails
• Log Files
• Audit Log
• Debug Log
• Standard Error Messages Log
• Standard Out Messages Log
• Capturing a Log Snapshot
• Errors Reported By Q-EKM
Frequently Asked Questions
Question: How can I tell if the Q-EKM server is running?
Answer: Do one of the following:
• Issue the Q-EKM “status” command (see Displaying the Q-EKM Server On/Off Status on page 30).
• Check the native_stdout.log (see Standard Out Messages Log on page 66).
Question: What is the difference between Application-Managed Encryption (AME) and Library-Managed Encryption (LME) and how do they work?
Answer: AME is not part of Q-EKM.
Question: How will I be notified of write/read errors or Q-EKM server problems?
Answer: Q-EKM does not report these types of errors. Errors are reported in the following ways:
• The host/ISV application reports read and write failures.
• The library issues a RAS ticket when a write or read operation fails.
• The library issues a RAS ticket when it cannot communicate with a Q-EKM server.
What to do if Your Q-EKM Server Fails
This section covers:
• Single Server Configuration Failure
• Two-Server Configuration Failure
Single Server Configuration Failure
If the single Q-EKM server goes down, the library issues a “failed” RAS ticket indicating it cannot communicate with the server. If the Q-EKM server failed due to circumstances within your control (for instance, a power outage), get it back up and running as soon as possible.
Note: Keep in mind that synchronization occurs from the primary Q-EKM server to the secondary, not vice versa. The secondary server remains the secondary server, even during a failover. Do not make changes to the secondary server's configuration, because the primary server's configuration files will overwrite them during the next synchronization.
Debug Log

The debug log captures a record of everything the Q-EKM server does. The debug log does not collect information unless debug is turned on. Debug logging is turned off by default. See Turning Debug Logging On and Off on page 31 for more information about the debug log and how to turn logging on and off.
Capturing a Log Snapshot

When you run the command, Q-EKM creates the following:
Windows: c:\Program Files\Quantum\QEKM\ snapshot__
Errors Reported By Q-EKM

Error Number: EE02
Description: Encryption Read Message Failure: DriverErrorNotifyParameterError: "Bad ASC & ASCQ received. ASC & ASCQ does not match with either of Key Creation/Key Translation/Key Acquisition operation."
Action: The tape drive asked for an unsupported action. Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative).

Error Number: EE23
Description: Encryption Read Message Failure: Internal error: "Unexpected error........"
Action: The message received from the drive or library could not be parsed because of a general error. Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative). Turn on Debug on the Q-EKM server. Try to re-create the problem and gather debug logs. When finished collecting data, turn Debug off.

Error Number: EE29
Description: Encryption Read Message Failure: Invalid signature
Action: The message received from the drive or library does not match the signature on it. Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative). Turn on Debug on the Q-EKM server. Try to re-create the problem and gather debug logs. When finished collecting data, turn Debug off.

Error Number: EE2C
Description: Encryption Read Message Failure: QueryDSKParameterError: "Error parsing a QueryDSKMessage from a device. Unexpected dsk count or unexpected payload."
Action: The tape drive asked Q-EKM to do an unsupported function. Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative).

Error Number: EE2E
Description: Encryption Read Message Failure: Internal error: Invalid signature type
Action: The message received from the drive or library does not have a valid signature type. Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative). Turn on Debug on the Q-EKM server. Try to re-create the problem and gather debug logs. When finished collecting data, turn Debug off.

Error Number: EEE1
Description: Encryption logic error: Internal error: "Unexpected error: EK/EEDK flags conflict with subpage."
Action: Ensure that you are running the latest version of Q-EKM (to determine the latest version, contact your Quantum Representative). Check the versions of drive or library firmware and update them to the latest release, if needed. Turn on Debug on the Q-EKM server. Try to re-create the problem and gather debug logs.
Appendix A Setting the System Path Variable in Windows

You may wish to update your system Path environment variable to include the path to the QEKM directory. This allows you to enter Q-EKM commands on any command line rather than having to change the directory to the QEKM directory each time.

To update the system Path environment variable:
1 Choose Start > Control Panel > System.
2 Select the Advanced tab.
3 Click Environment Variables.
4 Under System variables, select Path.
5 Click Edit.
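The same change made from an elevated PowerShell prompt, added here as an example rather than taken from the guide. It assumes Q-EKM is installed in C:\Program Files\Quantum\QEKM (the Windows location shown in the log snapshot section); it skips the update if the entry is already present, and it refuses to add a directory that non-administrators can write to, since every entry on the system Path is searched by every account's command lookups.

```powershell
# Added example (not from the Quantum guide): put the Q-EKM directory on the
# machine-wide Path so Q-EKM commands work from any prompt, as Appendix A
# describes. Run from an elevated (Administrator) PowerShell session.
$QekmDir = 'C:\Program Files\Quantum\QEKM'   # assumed install location

if (-not (Test-Path -LiteralPath $QekmDir -PathType Container)) {
    throw "Q-EKM directory not found: $QekmDir"
}

# Refuse to publish a directory that non-administrators can write to: anything on
# the system Path is resolved by every account, so a writable entry lets a
# low-privileged user plant an executable that an administrator will later run.
# Only the named WriteData/CreateDirectories bits are checked; ACEs that carry
# GENERIC_* rights are not decoded here.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, CreateDirectories'
$lowPriv   = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone)$'
$weakAces  = (Get-Acl -LiteralPath $QekmDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $lowPriv -and
    (([int]$_.FileSystemRights) -band ([int]$writeBits)) -ne 0
}
if ($weakAces) {
    throw "Refusing to add a directory writable by non-administrators to the system Path: $QekmDir"
}

# Read the persisted Machine value, not this session's merged $env:Path, so
# user-scope entries are not copied into the system variable when writing back.
$machine = [Environment]::GetEnvironmentVariable('Path', [EnvironmentVariableTarget]::Machine)
$entries = @($machine -split ';' | Where-Object { $_ -ne '' })

# Compare with trailing backslashes stripped; -eq is case-insensitive, as Windows paths are.
$present = $entries | Where-Object { $_.TrimEnd('\') -eq $QekmDir.TrimEnd('\') }
if ($present) {
    Write-Host "Already on the system Path: $QekmDir"
} else {
    $updated = ($entries + $QekmDir) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $updated, [EnvironmentVariableTarget]::Machine)
    Write-Host "Added to the system Path: $QekmDir"
}

# New consoles pick the change up automatically; make it visible in this one too.
if (-not ($env:Path -split ';' | Where-Object { $_.TrimEnd('\') -eq $QekmDir.TrimEnd('\') })) {
    $env:Path = "$env:Path;$QekmDir"
}
```

Writing the Machine-scope value through .NET requires administrator rights and stores the entries in their expanded form (C:\Windows rather than %SystemRoot%), which is harmless but visible the next time you inspect the variable in the Control Panel dialog from the steps above.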
Glossary

This glossary defines the special terms, abbreviations, and acronyms used in this publication and other related publications.

A

AES: Advanced Encryption Standard. A block cipher adopted as an encryption standard by the US government.

alias: A unique identifier used to match the encrypted data key with the private key required to unwrap the protected symmetric data key.
E

EKM: Encryption Key Management. A system whereby encryption keys are generated, stored, protected, transferred, loaded, and used.

encryption: The conversion of data into ciphertext. A key is required to encrypt and decrypt the data. Encryption protects the data from persons or software that attempt to access it without the key.

I

IP: Internet Protocol.
S

SSL: Secure Sockets Layer. A security protocol that runs over TCP/IP to authenticate the server (and optionally the client) and to encrypt and integrity-protect the data exchanged between them.

T

TCP: Transmission Control Protocol. Works in conjunction with IP to provide reliable, ordered delivery of data between two hosts.