Quantum Scalar i6000 Quick Start Manual

SafeNet KeySecure

Quantum Scalar i6000 & SafeNet KeySecure Quick Start Guide

SafeNet's KeySecure k460 servers work with Quantum's Scalar i6000 appliance server to create a KMIP-compliant encryption system. The Key Management Interoperability Protocol (KMIP®) is a specification developed by OASIS®. Its function is to standardize communication between enterprise key management systems and encryption systems.

Details about the Quantum Scalar i6000/SafeNet k460 KMIP-compliant implementation include:
  • A minimum of two SafeNet KeySecure servers are required for failover purposes. A total of 10 SafeNet encryption servers are allowed, for increased failover capability.
  • Data encryption keys are generated one at a time, as needed, upon request.

This document summarizes the information available in the quick start and user guides that accompany your Quantum Scalar i6000 library and SafeNet KeySecure appliances and provides step-by-step instruction for configuring the devices for combined use. For detailed information about each individual product, such as feature configuration instructions and hardware specifics, consult the following documents:
  • Scalar i6000 User's Guide
  • Scalar i6000 User's Guide Addendum
  • KeySecure v6.0.0 Installation Guide
  • KeySecure v6.0.0 User Guide

Step 1: Install and Configure the SafeNet KeySecure

You will need the following equipment for each KeySecure:
  • Null modem cable.
  • Ethernet cable.
  • KeySecure power cable.
  • Console terminal or PC.
  • Phillips Screwdriver.
  • SafeNet Pin Entry Device (PED).
  • 9-pin Micro-D data cable (included with the PED).
  • 3 SafeNet iKeys. Apply the labels so that there is one blue, one red, and one black iKey.

Summary of Contents for Quantum Scalar i6000

  • Page 1 Quantum Scalar i6000 & SafeNet KeySecure Quick Start Guide SafeNet’s KeySecure k460 servers work with Quantum’s Scalar i6000 appliance server to create a KMIP- compliant encryption system. The Key Management Interoperability Protocol (KMIP®) is a specification developed by OASIS®. Its function is to standardize communication between enterprise key management systems and encryption systems.
  • Page 2 During the initialization process, you must have the following information: • An IP address for the KeySecure. • An IP address for the SSKM. This must be on the same subnet as the KeySecure IP. • The subnet mask for the network. •...
  • Page 3 1 stop bit Hardware flow control The initialization process begins after you power up the KeySecure. System starting up... Release 6.0.0 Are you ready to begin setup? (y/halt): y Enter y to continue or halt to abort the process. Entering halt shuts down the machine. Create the admin account.
  • Page 4 IP address: Subnet mask [255.255.255.0]: Default gateway [10.20.30.1]: Hostname: You have entered the following configuration: IP address: 192.168.15.25 Subnet mask: 255.255.255.0 Default gateway: 192.168.15.1 Hostname: box1.company.com Is this correct? (y/n): y Network settings have been successfully configured. Enter and confirm the IP address, Subnet mask, Default gateway, and Hostname of your KeySecure. The script displays default values for the Subnet mask, and Default gateway in brackets.
  • Page 5 SETTING SO PIN... M value? (1-16) >01 Press 1 and press Enter. SETTING SO PIN... N value? (M-16) >01 Press 1 and press Enter. SETTING SO PIN... Insert a SO / HSM Admin PED Key. Press ENTER. Insert the SO/HSM Admin (blue) iKey and press Enter. SETTING SO PIN...
  • Page 6 The PED displays the following text: SETTING DOMAIN... Would you like to reuse an existing keyset? (Y/N) Press No. SETTING DOMAIN... M value? (1-16) >00 Press 1 and press Enter. SETTING DOMAIN... N value? (M-16) >01 Press 1 and press Enter. SETTING DOMAIN...
  • Page 7 Press 1 and press Enter. SETTING USER PIN... N value? (M-16)... >00 Press 1 and press Enter. SETTING USER PIN... Insert a USER / Partition Owner PED Key. Press ENTER. Insert the User/Partition (black) iKey and press Enter. SETTING USER PIN... Enter new PED PIN: Enter a PIN value.
  • Page 8 Insert the Domain (red) iKey and press Enter. READING DOMAIN... Enter PED PIN: Enter the PIN for the Domain (red) iKey and press Enter. READING DOMAIN... Are you duplicating this keyset? (Y/N) Press No LOGIN SECRET VALUE... MxCT-c7F9-HHX5-YtH3 Please write it down. Press Enter. Write down the password displayed on the PED.
  • Page 9 Warning: If SSKM is not started soon, IP 192.168.15.125 may become stale SUCCESS: Configured network interface with ip=192.168.15.125, netmask=255.255.255.0 and interface=eth0 Start SSKM now? (y/n): y SUCCESS: SSKM Started OK Note: The SSKM can only be started when the HSM is initialized. If you defer the HSM initialization, you can configure the SSKM interface, but you must start the SSKM after initializing the HSM.
  • Page 10 Name, Locality Name, State or Province Name, Country Name, Email Address, and Key Size. Note: To integrate with the Quantum Scalar i6000, the CA’s Key Size must be 2048. Select either Self-signed Root CA or Intermediate CA Request as the Certificate Authority Type.
  • Page 11 Step 3: Create a Server Certificate on the KeySecure To create a server certificate, you must create a certificate request and sign it with the local CA: Navigate to the Create Certificate Request section of the Certificate and CA Configuration page (Security SSL Certificates).
  • Page 12 Copy the certificate request text. The certificate text looks similar, but not identical, to the following text. -----BEGIN CERTIFICATE REQUEST----- [Base64-encoded request body] -----END CERTIFICATE REQUEST----- Important! Be sure to include the first and last lines (-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----), and copy only the text in the certificate.
  • Page 13 Click Install Certificate. Paste the text of the signed certificate into the Certificate Response field. Click Save. When you return to the main Certificate Configuration page, the certificate request is now an active certificate. It can be used to establish SSL connections with client applications. Step 4: Create a Client Certificate for the i6000 Note: The i6000’s client certificate must be an RSA-1024 certificate for which the i6000 must have the...
  • Page 14 What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:California...
  • Page 15 Enter Export Password: Verifying - Enter Export Password: The client certificate and the Local CA certificate will be imported to the Scalar i6000 library in step 8. Step 5: Configure the KMIP Server on the KeySecure To configure the KMIP server settings: Navigate to the Cryptographic Key Server Configuration page (Device Key Server).
  • Page 16 Select the KMIP link. View the Cryptographic Key Server Properties. Click Edit to alter any values. The available fields are: IP - IP address(es) on which the key server is enabled on the KeySecure. We strongly recommend that you select a specific IP address rather than using [All]. If you have multiple IP addresses available, using a single address here enables the key server to listen for traffic on only one IP address.
  • Page 17 The available fields are: Password Authentication - determines whether you require users to provide a username and password to access the key server when using KMIP. There are two options: • Optional - (default) no password authentication is required; global sessions are allowed; unauthenticated users can create global keys;...
  • Page 18 Step 6: Install the Encryption Key Management License To install the encryption key management license: Log on to the Scalar i6000 library as an administrator, if you are not currently viewing the physical library. Click Setup > Licenses. The Licenses dialog box appears.
  • Page 19 On the tape drives, install the latest version of firmware that is qualified for the library firmware installed on your library. Refer to the Scalar i6000 Release Notes for the correct version of tape drive firmware. Step 8: Install the Root and Client Certificates in the Library Transport Layer Security (TLS) communication certificates are unique certificates that must be installed on the library in order for the library to communicate securely with attached SafeNet KeySecures.
  • Page 20 From the Key Server Type drop-down list, select KMIP Key Manager. Note: Some of the fields will be disabled. Click Browse to retrieve the Root Certificate File. Click Browse to retrieve the Client Certificate File. In the Client Certificate Password field, type the password used when generating the certificate files (your server administrator should provide this).
  • Page 21 Step 9: Configure Library Access to the SafeNet KeySecure To configure the library access to the SafeNet KeySecure: From the menu bar, click Setup > Encryption > Server Configuration. The EKM Server Configuration dialog box appears. From the Key Server Type drop-down list, select KMIP Key Manager. Fill in the rest of the fields as follows: For the server IP address, you can enter the following: IPv4 address...
  • Page 22 Test the settings by clicking the EKM Path Diagnostics Test button. The Path Diagnostic Results dialog box appears. If all the tests do not pass, troubleshoot until they all pass. For more information on EKM Path Diagnostics, see Scalar i6000 User’s Guide. Click Close.
  • Page 23 • Enable Library Managed — Enables library managed encryption support via a connected key manager server for all tape drives and encryption-capable media assigned to the partition. This is the method you want to use for library communication with SafeNet KeySecures. Details and restrictions for using library managed encryption include: Only LTO-4 and LTO-5 tape cartridges will be encrypted in library managed encryption partitions, unless they contain unencrypted data already, and data is appended.
  • Page 24 Select the check box for the partition whose encryption method you want to change. Change the encryption method by selecting Enable Library Managed from the Encryption Method drop-down list: Note: If you change a partition from Enable Library Managed to Allow Application Managed, any encrypted data that was written to the tapes while the partition was configured for library managed encryption can no longer be read, until you change the partition back to Enable Library Managed.
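
The key-size notes on Pages 10 and 13 of the summary above (the CA's key size must be 2048; the i6000's client certificate must be RSA-1024) can be checked on the PEM files before they are imported into the library in Step 8. The shell functions below are an added example, not part of the Quantum or SafeNet documentation; the function and file names are hypothetical, the OpenSSL command-line tool is assumed to be installed, and the chain check assumes the client certificate was issued by the local CA.

```shell
#!/bin/sh
# Added example, not from the guide: pre-import check of PEM certificates
# against the key sizes the guide states (CA 2048-bit, i6000 client RSA-1024).
# Function names and file names are hypothetical.

# Print the certificate's public key algorithm, e.g. "rsaEncryption".
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print the public key size in bits ("RSA Public-Key:" on OpenSSL 1.1.1,
# "Public-Key:" on 3.x; the pattern matches both).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_pair CA.pem CLIENT.pem -> exit status 0 if all checks pass, else 1.
check_pair() {
    ca=$1; client=$2; rc=0
    for f in "$ca" "$client"; do
        openssl x509 -in "$f" -noout >/dev/null 2>&1 ||
            { echo "FAIL: $f is not a readable PEM certificate"; return 1; }
    done
    [ "$(cert_key_bits "$ca")" = 2048 ] ||
        { echo "FAIL: CA key size is not 2048 bits"; rc=1; }
    [ "$(cert_key_alg "$client")" = rsaEncryption ] ||
        { echo "FAIL: client key is not RSA"; rc=1; }
    [ "$(cert_key_bits "$client")" = 1024 ] ||
        { echo "FAIL: client key size is not 1024 bits"; rc=1; }
    # Assumption: the client certificate was issued by this local CA.
    openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 ||
        { echo "FAIL: client certificate does not verify against the CA"; rc=1; }
    return "$rc"
}

# Constructed sample input: throwaway CA plus a client certificate with a
# key of BITS bits, written to DIR. Only for trying the check offline.
make_constructed_pair() {
    dir=$1; bits=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey "rsa:$bits" -nodes -subj "/CN=constructed-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.pem" 2>/dev/null
}
```

Call `check_pair` with the local CA certificate and the client certificate as PEM files; a non-zero exit status means at least one of the printed checks failed.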