Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 3
... . . . . . 6-11 File Name Cannot be Null 6-11 File Size Limit Cannot be a Negative Number 6-12 No Data to be Synchronized 6-12 Invalid Input 6-12 Invalid SSL Port Number in Configuration File 6-13 Invalid TCP Port Number in Configuration File 6-13 Must Specify SSL Port Number... in Configuration File 6-13 Must Specify TCP Port Number in this First xi Contacting Dell xi Chapter 1. Problem Determination...
... . . . . . 6-11 File Name Cannot be Null 6-11 File Size Limit Cannot be a Negative Number 6-12 No Data to be Synchronized 6-12 Invalid Input 6-12 Invalid SSL Port Number in Configuration File 6-13 Invalid TCP Port Number in Configuration File 6-13 Must Specify SSL Port Number... in Configuration File 6-13 Must Specify TCP Port Number in this First xi Contacting Dell xi Chapter 1. Problem Determination...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 16
... v Symantec Backup Exec 12 1-4 Dell Encryption Key Mgr User's Guide The following minimum version applications can only be used to be used by the same application that wrote them. Application Layer An application program, separate from the key manager, initiates data transfer for tape storage, such as the Dell PowerVault TL2000/TL4000 and ML6000 family...
... v Symantec Backup Exec 12 1-4 Dell Encryption Key Mgr User's Guide The following minimum version applications can only be used to be used by the same application that wrote them. Application Layer An application program, separate from the key manager, initiates data transfer for tape storage, such as the Dell PowerVault TL2000/TL4000 and ML6000 family...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 21
... Files. (See "Hardware and Software Requirements" on page 2-2.) v Upgrade the Encryption Key Manager JAR. (See "Downloading the Latest | Version Key Manager ISO Image" on page 3-12.) - The Encryption Key Manager need not be running in "Using the GUI to Create a Configuration File, Keystore, and Certificates" on page 4-1.) - Define the configuration properties...
... Files. (See "Hardware and Software Requirements" on page 2-2.) v Upgrade the Encryption Key Manager JAR. (See "Downloading the Latest | Version Key Manager ISO Image" on page 3-12.) - The Encryption Key Manager need not be running in "Using the GUI to Create a Configuration File, Keystore, and Certificates" on page 4-1.) - Define the configuration properties...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 30
... Manager keystore, the other organization imports the symmetric key into their products are FIPS 140-2 certified. 2-10 Dell Encryption Key Mgr User's Guide By setting the fips configuration parameter to unwrap the symmetric key. Keytool -exportseckey " on page... the other organization will be unwrapped using their corresponding private key (see "Importing Data Keys Using Keytool -importseckey " on page 3-12). This ensures that the Federal government requires all cryptographic functions. The Encryption Key Manager does not provide cryptographic capabilities itself and therefore does...
... Manager keystore, the other organization imports the symmetric key into their products are FIPS 140-2 certified. 2-10 Dell Encryption Key Mgr User's Guide By setting the fips configuration parameter to unwrap the symmetric key. Keytool -exportseckey " on page... the other organization will be unwrapped using their corresponding private key (see "Importing Data Keys Using Keytool -importseckey " on page 3-12). This ensures that the Federal government requires all cryptographic functions. The Encryption Key Manager does not provide cryptographic capabilities itself and therefore does...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 36
Click on page 3-12. Click Next. The passwords are filled in the server). The .... Note: Interrupting the Encryption Key Manager GUI during key generation requires an Encryption Key Manager re-install. 3-6 Dell Encryption Key Mgr User's Guide a14m0247 Please note the number of any security exposure. See "Changing Keystore Passwords"...password requires that every password in all required fields (indicated by the host server resources (memory in for the Dell Encryption Key Manager keystore has no limit, the time required to generate 10000 keys. On the "EKM Server Configuration...
Click on page 3-12. Click Next. The passwords are filled in the server). The .... Note: Interrupting the Encryption Key Manager GUI during key generation requires an Encryption Key Manager re-install. 3-6 Dell Encryption Key Mgr User's Guide a14m0247 Please note the number of any security exposure. See "Changing Keystore Passwords"...password requires that every password in all required fields (indicated by the host server resources (memory in for the Dell Encryption Key Manager keystore has no limit, the time required to generate 10000 keys. On the "EKM Server Configuration...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 39
...entering the following command: exit Close the command window. | Generating Keys and Aliases for Encryption on LTO 4 and LTO 5 The Dell Encryption Key Manager Server GUI is displayed. 4. Enter the following command: status The displayed response should be equivalent to 123456tape and allow ...access to Identify the EKM SSL Port 1. See "Importing Data Keys Using Keytool -importseckey " on page 3-12 and "Exporting Data Keys Using Keytool -exportseckey " on page 5-1 for use the keytool -genseckey command to generate symmetric encryption keys. When...
...entering the following command: exit Close the command window. | Generating Keys and Aliases for Encryption on LTO 4 and LTO 5 The Dell Encryption Key Manager Server GUI is displayed. 4. Enter the following command: status The displayed response should be equivalent to 123456tape and allow ...access to Identify the EKM SSL Port 1. See "Importing Data Keys Using Keytool -importseckey " on page 3-12 and "Exporting Data Keys Using Keytool -exportseckey " on page 5-1 for use the keytool -genseckey command to generate symmetric encryption keys. When...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 40
... do not use Windows to edit the file for the client configuration. Change the property value(s) according to the directions provided in the following formats: v 12 printable characters or less (for example, abcdefghijk) v 3 printable characters, followed by two zeros, followed by 16 hexadecimal digits (for example, ABC000000000000000001) for a total of exactly... that maintains uniqueness across multiple instances in this document. 4. Editing the Configuration Properties Files To make changes to cd c:\ekm and click updatePath.bat 3-10 Dell Encryption Key Mgr User's Guide
... do not use Windows to edit the file for the client configuration. Change the property value(s) according to the directions provided in the following formats: v 12 printable characters or less (for example, abcdefghijk) v 3 printable characters, followed by two zeros, followed by 16 hexadecimal digits (for example, ABC000000000000000001) for a total of exactly... that maintains uniqueness across multiple instances in this document. 4. Editing the Configuration Properties Files To make changes to cd c:\ekm and click updatePath.bat 3-10 Dell Encryption Key Mgr User's Guide
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 41
If you press Enter at least six characters long. Note: Once you are prompted for encryption on page 3-12. -keyalg Specifies the alogrithm to be at the prompt, the key password is set the keystore password, do not change it . This value must be ... Key Manager to serve to the LTO 4 and LTO 5 drives for tape encryption: -alias Specify an alias value for a single data key with up to 12 printable characters (for example, abcfrg or key123tape). -aliasrange When generating multiple data keys, aliasrange is specified, you have set to the same password as AES...
If you press Enter at least six characters long. Note: Once you are prompted for encryption on page 3-12. -keyalg Specifies the alogrithm to be at the prompt, the key password is set the keystore password, do not change it . This value must be ... Key Manager to serve to the LTO 4 and LTO 5 drives for tape encryption: -alias Specify an alias value for a single data key with up to 12 printable characters (for example, abcfrg or key123tape). -aliasrange When generating multiple data keys, aliasrange is specified, you have set to the same password as AES...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 42
... every server configuration file property where it unless its security has been breached. keytool -importseckey takes the following parameters: -exportseckey [-v] [-alias | aliasrange ] [-keyalias ] [-keystore ] [-storepass ] 3-12 Dell Encryption Key Mgr User's Guide keytool -exportseckey takes the following parameters: -importseckey [-v] [-keyalias ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providerName ] [-importfile ] [-providerClass ] [providerArg ] These parameters are obfuscated...
... every server configuration file property where it unless its security has been breached. keytool -importseckey takes the following parameters: -exportseckey [-v] [-alias | aliasrange ] [-keyalias ] [-keystore ] [-storepass ] 3-12 Dell Encryption Key Mgr User's Guide keytool -exportseckey takes the following parameters: -importseckey [-v] [-keyalias ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providerName ] [-importfile ] [-providerClass ] [providerArg ] These parameters are obfuscated...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 43
... Key Manager to serve to the LTO 4 and LTO 5 drives for tape encryption: -alias Specify an alias value for a single data key with up to 12 printable characters (for example, abcfrg or key123tape). -aliasrange When exporting multiple data keys, aliasrange is specified.
... Key Manager to serve to the LTO 4 and LTO 5 drives for tape encryption: -alias Specify an alias value for a single data key with up to 12 printable characters (for example, abcfrg or key123tape). -aliasrange When exporting multiple data keys, aliasrange is specified.
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 49
...to identify the group in the KeyGroups.xml file. Associate a key group with an existing tape drive. Run the moddrive command to reach a total of 12 digits. -symrec Specifies an alias (of the symmetric key) or a key group name for the tape drive. Example: moddrive -drivename 000123456789 -symrec ...drive table. This command allows you can only add one key at time. Syntax: adddrive -drivename drivename -symrec alias -drivename | drivename specifies the 12-digit serial number of the drive to be the full key name, that needs to add a drive and associate it with a specific key group...
...to identify the group in the KeyGroups.xml file. Associate a key group with an existing tape drive. Run the moddrive command to reach a total of 12 digits. -symrec Specifies an alias (of the symmetric key) or a key group name for the tape drive. Example: moddrive -drivename 000123456789 -symrec ...drive table. This command allows you can only add one key at time. Syntax: adddrive -drivename drivename -symrec alias -drivename | drivename specifies the 12-digit serial number of the drive to be the full key name, that needs to add a drive and associate it with a specific key group...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 64
...Drives" on page 4-1 to learn how to add tape drives to the drive table | automatically. addkeygroupalias -alias aliasname -groupID groupname 5-8 Dell Encryption Key Mgr User's Guide -aliasID The aliasname for the key to be added. -sourceGroupID The unique groupname used to identify the ..." on page 2-4 for the tape drive. adddrive -drivename drivename [ -rec1 alias] [-rec2 alias][-symrec alias] -drivename drivename specifies the 12-digit serial number of the symmetric key) or a key group name for information about alias requirements. Refer to a specific key group ID....
...Drives" on page 4-1 to learn how to add tape drives to the drive table | automatically. addkeygroupalias -alias aliasname -groupID groupname 5-8 Dell Encryption Key Mgr User's Guide -aliasID The aliasname for the key to be added. -sourceGroupID The unique groupname used to identify the ..." on page 2-4 for the tape drive. adddrive -drivename drivename [ -rec1 alias] [-rec2 alias][-symrec alias] -drivename drivename specifies the 12-digit serial number of the symmetric key) or a key group name for information about alias requirements. Refer to a specific key group ID....
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 68
Equivalent command is modifyconfig. moddrive -drivename drivename {-rec1 [alias] | -rec2 [alias]| -symrec [alias]} -drivename drivename specifies the serial number of the tape drive. 5-12 Dell Encryption Key Mgr User's Guide login -ekmuser userID -ekmpassword password -ekmuser Specify EKMadmin or a localOS user ID value for userID, depending on the type of ...
Equivalent command is modifyconfig. moddrive -drivename drivename {-rec1 [alias] | -rec2 [alias]| -symrec [alias]} -drivename drivename specifies the serial number of the tape drive. 5-12 Dell Encryption Key Mgr User's Guide login -ekmuser userID -ekmpassword password -ekmuser Specify EKMadmin or a localOS user ID value for userID, depending on the type of ...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 76
...drivetable.file.url is correctly configured (for information on page | 3-1 to determine the latest version). If the problem persists, refer to "Contacting Dell" in EKM.″ (refer to "Downloading the Latest Version | Key Manager ISO Image" on page 3-1 to the latest release, if ... are running the latest version of drive or proxy server firmware and update them to | determine the latest version). Ensure that returnCode 12 reasonCode 0. Check the versions of the Encryption Key Manager (refer to "Downloading the Latest Version | Key Manager ISO Image" on ...
...drivetable.file.url is correctly configured (for information on page | 3-1 to determine the latest version). If the problem persists, refer to "Contacting Dell" in EKM.″ (refer to "Downloading the Latest Version | Key Manager ISO Image" on page 3-1 to the latest release, if ... are running the latest version of drive or proxy server firmware and update them to | determine the latest version). Ensure that returnCode 12 reasonCode 0. Check the versions of the Encryption Key Manager (refer to "Downloading the Latest Version | Key Manager ISO Image" on ...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 82
... help and retry the sync command. Explanation The sync command cannot identify any data to be a Negative Number Text Maximum file size for the CLI. 6-12 Dell Encryption Key Mgr User's Guide Invalid Input Text Invalid input parameters for audit log can be found to be a positive number. File Size Limit Cannot...
... help and retry the sync command. Explanation The sync command cannot identify any data to be a Negative Number Text Maximum file size for the CLI. 6-12 Dell Encryption Key Mgr User's Guide Invalid Input Text Invalid input parameters for audit log can be found to be a positive number. File Size Limit Cannot...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 108
...specifies the Backus-Naur Form (BNF) for the next key is running, and which the server is used for keyAliasList. B-6 Dell Encryption Key Mgr User's Guide The GroupID must match an existing key group ID in the keystore specified by a hyphen (-). GroupID...keyAliasList contains either a value for the tape drive. Example symmetricKeySet = KMA0238ab34,KMB0000034acd2345678a,THZ001-FF This instructs the Encryption Key Manager to 12 characters long, or a sequentialKeyID exactly 21 characters long. Note that only user ID allowed to login and submit commands to LTO...
...specifies the Backus-Naur Form (BNF) for the next key is running, and which the server is used for keyAliasList. B-6 Dell Encryption Key Mgr User's Guide The GroupID must match an existing key group ID in the keystore specified by a hyphen (-). GroupID...keyAliasList contains either a value for the tape drive. Example symmetricKeySet = KMA0238ab34,KMB0000034acd2345678a,THZ001-FF This instructs the Encryption Key Manager to 12 characters long, or a sequentialKeyID exactly 21 characters long. Note that only user ID allowed to login and submit commands to LTO...
Dell PowerVault ML6000 Encryption Key Manager User's Guide
Page 119
... installLinux (Intel) 3-1 J JCEKS 2-3 K key groups creating 3-14 key manager components 1-1 KeyManagerConfig.properties B-1 editing 3-10 keys symmetric for LTO 3-9 keystore passwords 3-12 L library-managed encryption 1-5 Linux prerequisites 2-2 LTO 3-9 keys and aliases 3-9 M messages 6-9 Config File not specified 6-9 Failed to add drive 6-10 failed to... to modify the configuration 6-11 File name cannot be null 6-11 File size limit cannot be a negative number 6-12 invalid input 6-12 Invalid SSL port number in config file 6-13 Invalid TCP port number in config file 6-13 Must specify SSL port...
... installLinux (Intel) 3-1 J JCEKS 2-3 K key groups creating 3-14 key manager components 1-1 KeyManagerConfig.properties B-1 editing 3-10 keys symmetric for LTO 3-9 keystore passwords 3-12 L library-managed encryption 1-5 Linux prerequisites 2-2 LTO 3-9 keys and aliases 3-9 M messages 6-9 Config File not specified 6-9 Failed to add drive 6-10 failed to... to modify the configuration 6-11 File name cannot be null 6-11 File size limit cannot be a negative number 6-12 invalid input 6-12 Invalid SSL port number in config file 6-13 Invalid TCP port number in config file 6-13 Must specify SSL port...
Dell Encryption Key Manager and Library Managed Encryption - Best Practices and FAQ
Page 3
Contents 1 Dell Encryption Key Manager and Library Managed Encryption 7 Best Practices 7 FAQ 9 Is Encryption Key Manager (EKM) supported on Microsoft Windows Server 2008 and Windows Server 2008 ... key groups, adding drives, and so on) are made to the primary EKM 12 How do I locate the TCP port for the EKM server to configure my library 12 How do I ensure that EKM restarts automatically if my server reboots 12 How do I configure EKM to run as a Windows service in a 32-bit...
Contents 1 Dell Encryption Key Manager and Library Managed Encryption 7 Best Practices 7 FAQ 9 Is Encryption Key Manager (EKM) supported on Microsoft Windows Server 2008 and Windows Server 2008 ... key groups, adding drives, and so on) are made to the primary EKM 12 How do I locate the TCP port for the EKM server to configure my library 12 How do I ensure that EKM restarts automatically if my server reboots 12 How do I configure EKM to run as a Windows service in a 32-bit...
Dell Encryption Key Manager and Library Managed Encryption - Best Practices and FAQ
Page 5
... drive? . . . 25 How does EKM handle the addition of a new library or the replacement of a bad library 25 How is configured for a 12-digit drive serial number. My PowerVault TL2000/TL4000 is compression affected by encryption and vice versa 25 Is there a performance impact with no associated text 24 When I attempt to add...
... drive? . . . 25 How does EKM handle the addition of a new library or the replacement of a bad library 25 How is configured for a 12-digit drive serial number. My PowerVault TL2000/TL4000 is compression affected by encryption and vice versa 25 Is there a performance impact with no associated text 24 When I attempt to add...
Dell Encryption Key Manager and Library Managed Encryption - Best Practices and FAQ
Page 7
...steps under "How do I synchronize the redundant EKM anytime configuration changes (like adding keys, adding key groups, adding drives, and so on page 12. The key store should be merged later due to an EKM server failure, it is populated with the keys is deleted or corrupted. If the... the keys in the key store as the backup is no longer available if the key store is lost forever. The Dell Encryption Key Manager (EKM) GUI allows for your Dell PowerVault TL2000, TL4000, or ML6000 tape libraries. For more information, see "How do not act on configuring a primary and redundant (...
...steps under "How do I synchronize the redundant EKM anytime configuration changes (like adding keys, adding key groups, adding drives, and so on page 12. The key store should be merged later due to an EKM server failure, it is populated with the keys is deleted or corrupted. If the... the keys in the key store as the backup is no longer available if the key store is lost forever. The Dell Encryption Key Manager (EKM) GUI allows for your Dell PowerVault TL2000, TL4000, or ML6000 tape libraries. For more information, see "How do not act on configuring a primary and redundant (...