Configuring Encryption Key Server Access

The Setup - Encryption System Configuration screen allows you to configure library access to a primary and secondary key management server. For KMIP key managers, you can configure up to eight additional key servers for increased failover capability. For an overview of library managed encryption, see About Library Managed Encryption.

NOTE: You cannot edit the encryption system configuration settings when any EKM partition is enabled for library managed encryption. If this happens, go to Setup > Encryption > Partition Configuration and change all EKM partition settings from Library Managed Encryption (Enabled) to Library Managed Encryption (Disabled). Then go to Setup > Encryption > System Configuration and make your changes to the system configuration settings. Finally, go back to Setup > Encryption > Partition Configuration and change all the EKM partition settings back to Library Managed Encryption (Enabled). (See Configuring Partition Encryption.)

NOTE: This operation should not be performed concurrently by multiple administrators logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrator is performing the same operation.

You need administrator privileges to configure key server system settings.

Unload tape cartridges from all encryption-capable tape drives in the library.
From the Setup menu, select Encryption > System Configuration.
Key Server Type: If visible, select which encryption system you plan to use (SKM (Scalar Key Manager) , KMIP (Key Management Interoperability Protocol) , Q-EKM (Quantum Encryption Key Manager) , or TKLM (Tivoli Key Lifecycle Manager) ). Note that the library does not support using more than one encryption system.
Automatic EKM Path Diagnostics: Enable or disable as desired. When enabled, this feature performs a check, at specified intervals, to make sure both key servers are connected to the library and functioning properly. The library generates a RAS ticket if there are problems. For more information, see Automatic EKM Path Diagnostics.
Interval: If Automatic EKM Path Diagnostics is enabled, select the interval at which the library performs the diagnostics.
Test Warning Threshold: For Q-EKM and TKLM only. If Automatic EKM Path Diagnostics is enabled, specify the number of consecutive missed test intervals required to generate a RAS ticket.
SSL/TLS Connection: Enable/disable Secure Sockets Layer or Transport Layer Security as follows, depending on which key server you are using:
- SKM — SSL is always enabled. The SSL port number is always 6000.
  
  NOTE: SKM does not actually perform SSL communication but instead uses Transport Layer Security (TLS) communication protocol. However, the check box is still called “SSL.”
- KMIP Key Manager — SSL is always enabled.
- Q-EKM — To enable SSL for communication between the library and the EKM servers, select the SSL Connection check box. (The check box will change from Disabled to Enabled.) The feature is disabled by default. If you enable SSL, you must make sure that the port numbers listed in the Port text boxes (below) match the SSL port numbers set on the Q-EKM servers. The default SSL port number is 443.
  
  NOTE: Keys are always encrypted before being sent from the Q-EKM server to a drive, whether SSL is enabled or not. Enabling SSL provides additional security.
- TKLM — To enable SSL for communication between the library and the TKLM servers, select the SSL Connection check box. (The check box will change from Disabled to Enabled.) The feature is disabled by default. If you enable SSL, you must make sure that the port numbers listed in the Port text boxes (below) match the SSL port numbers set on the TKLM servers. The default SSL port number is 3801.
  
  NOTE: Keys are always encrypted before being sent from the TKLM server to a drive, whether SSL is enabled or not. Enabling SSL provides additional security.
Key Server IP Address or Host Name — In the text boxes, assign your key servers in the order in which you want failover to occur. The “#” column denotes the server failover order. (For KMIP, you can change the failover order by clicking the up/down arrow buttons in the Order column.)
- SKM requires two servers.
- KMIP Key Manager requires at least two servers and can have up to 10 servers for increased failover capacity.
- Q-EKM requires one or two servers. If you do not plan to use a secondary key server, you may type a zero IP address, 0.0.0.0, in the #2 text box, or you may leave the text box blank.
- TKLM requires one or two servers. If you do not plan to use a secondary key server, you may type a zero IP address, 0.0.0.0, in the #2 text box, or you may leave the text box blank.
For an initial key request, the library tries server #1 (the primary server) first. If server #1 is not available to perform a key request, the library tries server #2. For KMIP key managers, if server #2 is not available, the library will try server #3, and so on, in order. Once the library identifies a server that can perform the request, this server remains the active server until it fails a key request or the library is rebooted. At that point, the library starts over and uses server #1 for key requests.

In the text boxes, type either:
- The IPv4 or IPv6 address of the key server (if DNS is not enabled), or
- The host name of the key server (if DNS is enabled).

Port — In the Port text boxes, type the port numbers corresponding to the listed servers. Note the following:

SKM — The port number is always 6000. You cannot change SKM port numbers.
KMIP Key Manager — The port number must match the configured port number on the KMIP key manager server. A typical port number used for communication between the KMIP key manager server and the library is port 9003.

Q-EKM — The default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443.

NOTE: If you change the Q-EKM port number for the key server from the default setting on the library, you must also change the port number on the actual key server to match, or library managed encryption will not work properly. See the Quantum Encryption Key Manager User’s Guide for information on setting the port number on the Q-EKM key server.

NOTE: If you are using a secondary key server for Q-EKM, then the port numbers for both the primary and secondary key servers must be set to the same value. If they are not, synchronization and failover will not occur.

TKLM — The default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443.

NOTE: If you change the TKLM port number for the key server from the default setting on the library, you must also change the port number on the actual key server to match, or library managed encryption will not work properly. See the Quantum Encryption Key Manager User’s Guide for information on setting the port number on the TKLM key server.

NOTE: If you are using a secondary key server for TKLM, then the port numbers for both the primary and secondary key servers must be set to the same value. If they are not, synchronization and failover will not occur.

Click Apply.
The Progress Window displays. The Progress Window contains information on the action, elapsed time, and status of the requested operation. Do one of the following:
- If Success displays in the Progress Window, the system settings were successfully configured. Click Close to close the Progress Window.
- If Failure displays in the Progress Window, the system settings were not successfully configured. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
Ensure all ports corresponding to the EKM servers are open on your firewall to allow the library to connect to the servers. For SKM, ports 80, 6000, and 6001 must be open.
Save the library configuration.
For instructions on how to save the library configuration, see Saving the Configuration.

You may also access the EKM Path Diagnostics from this screen. For more information, see EKM Path Diagnostics.

See also: