Configuring encryption for a non-encrypted-licensed library

Figure 1. Encryption settings screen for a non-encrypted-licensed library

Select Configure Library > Encryption to configure an encryption method for data that is stored on tape cartridges. If you purchased the Encryption Activation Key feature, the library supports transparent library-managed encryption by the tape drive itself (IBM® Ultrium 4 (Model 3572-S4H), Ultrium 5 (Model 3572-S5H), Ultrium 6 (Model 3572-S6H), Ultrium 7 (Model 3572-S7H), Ultrium 8 (Model 3572-S8H), and Ultrium 9 (Model 3572-S9H)), relieving the host of the burden of managing encryption applications and systems.

Note: Application Managed Encryption (AME) does not require a key. Library Managed Encryption (LME) and System Managed Encryption (SME) require a license key, which is available by purchasing Feature Code 5901.
Figure 2. Encryption licensed settings screen

Note: Application Managed Encryption is the only option on a non-encrypted-licensed library.
To modify the encryption settings:
  1. In the Configure Library menu in the left navigation pane of the Web User Interface, click Encryption.
  2. Enter the Feature Activation Key (see Figure 1) and click Submit to enable encryption in your library. In the Encryption method: drop-down menu, choose Application Managed or Library Managed to enable encryption in your library. No further configuration steps are necessary.
  3. Select the Security settings.
    • Enable SSL for EKM - Select to enable secure communications between the tape library and the EKM server.
  4. Select the Encryption method settings.
    • Application Managed Encryption - For encryption in operating environments that run an application capable of generating and managing encryption policies and keys. If you select application-managed encryption, no further configuration steps are necessary.
    • System Managed Encryption - For encryption in operating environments where no application capable of key management runs, and encryption is set up implicitly through each instance of the IBM device driver.
    • Library Managed Encryption - For transparent encryption by the TS2900 Tape Autoloader tape drive.
    Note: System Managed Encryption and Library Managed Encryption are transparent to each other. A tape encrypted with System Managed Encryption might be decrypted with Library Managed Encryption, and vice versa, provided both have access to the same EKM keystore.
  5. Select the Primary EKM Server Settings (Library Managed Encryption only) - the address of the primary encryption key manager on a server. IPv4 and IPv6 addresses are supported. Host names can be entered instead of numerical IP addresses if the DNS server is specified.
    • Address - The IP address of the primary encryption key manager.
    • TCP port number - The port number of the primary encryption key manager for TCP. The default port number is 3801.
    • SSL port number - The port number of the primary encryption key manager for SSL. The default port number is 443.
  6. Select the Secondary EKM Server Settings (Library Managed Encryption only) - The address of the secondary encryption key manager on a server. IPv4 and IPv6 addresses are supported. Host names can be entered instead of numerical IP addresses if the DNS server is specified.
    • Address - The IP address of the secondary encryption key manager.
    • TCP port number - The port number of the secondary encryption key manager for TCP. The default port number is 3801.
    • SSL port number - The port number of the secondary encryption key manager for SSL. The default port number is 443.
  7. Select the Encryption policy settings (library-managed encryption only).
    • Encrypt All - All tape cartridges that are loaded into the tape drive are encrypted.
    • Internal Label - Selective Encryption - This option is used only for Veritas Technologies NetBackup.
    • Internal Label - Encrypt All - This option is used only for Veritas Technologies NetBackup.
  8. Skip over the Advanced Encryption Settings. The purpose of these advanced encryption settings is to allow only IBM Support personnel (under the direction of the drive development team) to provide a solution to an unforeseen problem or to support a unique configuration. These options are not intended for use by the customer without the guidance of IBM Technical Support.
  9. Click Submit to enable the settings.

To determine whether a cartridge is encrypted, use Configure Library > Library Map and select the cartridge. The screen displays whether the cartridge is encrypted, not encrypted, or unknown.

Click Submit to transfer the settings to the library. A dialog message is displayed when the settings are updated successfully.
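
The rules in the steps above (the license requirement for SME and LME, the LME-only EKM server and policy settings, host names needing a DNS server, and the default ports 3801 and 443) can be checked against a planned configuration before it is entered in the Web User Interface. The following Python check is an added example, not IBM code or a library interface. Assumptions: the settings dict and its field names (method, licensed, ssl_for_ekm, dns_server, primary, secondary, policy, backup_app) are hypothetical, and reporting a missing primary EKM server or a cleared Enable SSL for EKM option as findings is this example's choice.

```python
import ipaddress

DEFAULT_PORTS = {"tcp_port": 3801, "ssl_port": 443}  # defaults stated on this page
NETBACKUP_ONLY = {"Internal Label - Selective Encryption", "Internal Label - Encrypt All"}
POLICIES = {"Encrypt All"} | NETBACKUP_ONLY


def is_ip(address):  # True for an IPv4/IPv6 literal, False for a host name
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return False
    return True


def review_settings(cfg):
    """Return findings for a planned settings dict (hypothetical schema)."""
    method = cfg.get("method")
    if method not in ("application", "system", "library"):
        return [f"unknown encryption method: {method!r}"]
    findings = []
    if method != "application" and not cfg.get("licensed"):
        findings.append("SME and LME require the license key (Feature Code 5901)")
    if method != "library":
        return findings  # EKM server and policy settings apply to LME only
    port_key = "ssl_port" if cfg.get("ssl_for_ekm") else "tcp_port"
    if port_key == "tcp_port":
        findings.append("Enable SSL for EKM is off: library-to-EKM link is not secured")
    if not cfg.get("primary"):
        findings.append("LME selected but no primary EKM server is set")
    for role in ("primary", "secondary"):
        server = cfg.get(role)
        if not server:
            continue
        if not is_ip(server["address"]) and not cfg.get("dns_server"):
            findings.append(f"{role}: host name used but no DNS server is specified")
        port = server.get(port_key, DEFAULT_PORTS[port_key])
        if not 1 <= port <= 65535:
            findings.append(f"{role}: {port_key} {port} is out of range")
    policy = cfg.get("policy")
    if policy not in POLICIES:
        findings.append(f"unknown encryption policy: {policy!r}")
    elif policy in NETBACKUP_ONLY and cfg.get("backup_app") != "NetBackup":
        findings.append(f"policy {policy!r} is used only for Veritas NetBackup")
    return findings

# Constructed sample plan: LME by host name, no DNS server, SSL for EKM left off.
SAMPLE = {"method": "library", "licensed": True, "policy": "Encrypt All",
          "primary": {"address": "ekm1.example.internal"}}
```

Calling review_settings(SAMPLE) reports the unsecured EKM link and the host name entered without a DNS server; an empty list means the plan is consistent with the rules on this page.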

Key Path Diagnostics

Figure 3. Key path diagnostics screen

Select Service Library > Key Path Diagnostics to run diagnostic tests of the encryption key path if the drive in your Model S4H, S5H, S6H, S7H, S8H, or S9H library is set up for library-managed encryption. Key Path Diagnostics run tests for the tape drives, network connection, EKM path, and the EKM configuration.

Note: Verify the device is Offline at the host prior to exercising any service functions. Ensure that any media in the drive is moved from the drive.
The test consists of four parts:
  • Drive Test - The library completes a drive communication test to confirm communication with the drive.
  • Ethernet Test - The library pings each EKM server IP address and records the result.
  • EKM Path Test - The library completes an EKM communication test for each EKM server IP address that passed the Ethernet Test. The library sends an LDI Crypto Diagnostics command to the drive. This drive command causes the drive to send a test message to the EKM verifying that the application is up and running.
  • EKM Config Test - The library completes an EKM configuration test for each EKM server IP address that passed the EKM Path Test. The library sends an LDI Crypto Diagnostics command to the drive. This drive command causes the drive to establish a link and obtain a default key from the EKM. This test verifies that the drive is correctly configured in the EKM.

Click Start to run the diagnostics tests.