Use this chapter and checklists to prepare for the installation.
There are a few things to be aware of when installing encryption hardware into a supported configuration, such as:
Use the following checklist to ensure that the customer is ready to receive the Key Management System and to ensure that you are ready to start the installation.
Table 3-1 Site Planning Checklist

Question | Completed? | Comments
---|---|---
Important: The Oracle Key Manager and appliances are considered "secure" items. Follow the customer's security guidelines during delivery and installation. | |
Does the customer have a delivery dock? If no, where will the equipment be delivered? | Yes__ No__ |
If a delivery dock is available, what are the hours of operation? | |
Are there street or alley limitations that might hinder delivery? | Yes__ No__ |
Will authorized personnel be available to handle and accept the delivery? | Yes__ No__ |
Is the delivery location close to the computer room where the equipment will be installed? | Yes__ No__ |
Is an elevator available to move the equipment to the appropriate floors? | Yes__ No__ |
Is there a staging area where the equipment can be placed close to the installation site? | Yes__ No__ |
Are there special requirements to dispose of or recycle packing material (pallets, plastic, and cardboard)? | Yes__ No__ |
Does the site meet the environmental requirements for temperature, humidity, and cooling? | Yes__ No__ | See "Key Management Appliance" for the appliance specifications.
Does the intended site meet the power requirements? | Yes__ No__ | See "Key Management Appliance" for the appliance specifications. KMA: 90 to 132 VAC (57 to 63 Hz) or 180 to 264 VAC (47 to 53 Hz); 2.3 to 4.6 Amps; maximum continuous power is 150 W.
Has the customer identified the circuit breaker locations and ratings? | Yes__ No__ |
Does the customer want redundant power options? If so, an additional APC power switch is required to create an uninterrupted power configuration. | Yes__ No__ | Check for updated model and part numbers (part number 419951602).
Are there any power cable routing requirements or concerns? | Yes__ No__ | See "Power Cables" for more information.
Personnel: | |
Are there trained/qualified Oracle representatives locally to install and maintain the encryption equipment? | Yes__ No__ | Names:
Connectivity: Cabling is very important to establish a reliable network between the OKM, KMAs, Ethernet switches, and tape drives. | |
Does this customer support IPv6 implementations? | Yes__ No__ |
Does the customer intend to use managed switches for LANs 2 and 3? | Yes__ No__ | Cable considerations depend on the decision to use a managed switch and the corresponding topology of the service network.
Is a Wide Area Service Network being considered? | Yes__ No__ | Designing the service network across a WAN to remote sites adds failover capability for the agents and can facilitate disaster recovery scenarios.
Does the customer want to aggregate the service ports (LAN 2 and LAN 3)? | Yes__ No__ | Requires additional cables and a compatible port configuration on a customer-supplied managed switch.
Does the customer plan to use a private network for the agents (tape drives)? | Yes__ No__ | Removes contention for the tape drives.
Will there be a Service Delivery Platform (SDP) installed at this site? | Yes__ No__ | See "Service Delivery Platform" for information.
Will the customer be monitoring the OKM using SNMP? | Yes__ No__ | SNMP v3 recommended; SNMP v2 supported.
Are there considerations for monitoring of ELOM/ILOM using the LAN 1 port? | Yes__ No__ | Refer to the SunFire X2100/2200 ELOM Administration Guide or the X4170 ILOM Supplement Guides for information.
Have you and the customer completed a: | Yes__ No__ Yes__ No__ Yes__ No__ |
Have you determined the type and number of Ethernet cables required? Customer supplied: Supplied in the encryption kits: | Yes__ No__ | Notes: A configuration drawing will help identify the cables needed.
Configurations | |
Does the customer have adequate rack space to hold the KMAs and Ethernet switches? | Yes__ No__ |
What type of support configurations does the customer want or need? __ Existing configuration __ New configuration | Configuration: __ SL8500 __ SL3000 __ SL500 __ SL150 __ 9310/9741e __ L-Series __ SL24/48 __ Rackmount | Encryption-capable drives: T-Series & LTO drives; T-Series & LTO drives; LTO only; T-Series only except for T10000C/D; T-Series only except for T10000C/D; LTO only; T-Series only
Tape Drives and Media: | |
Does the customer have existing tape drives they want to upgrade to encryption-capable? | Yes__ No__ | See Chapter 4, "Components" for x-options (conversion bills).
Are these drives already installed in a library? | Yes__ No__ |
Drive types? Check current and required firmware versions. | __ T10000A __ T10000B __ T10000C __ T10000D __ T9840D __ HP LTO4 __ IBM LTO4 __ HP LTO5 __ IBM LTO5 __ HP LTO6 __ IBM LTO6 | Requires drive tray and Dione card; requires drive tray and Belisarius card; requires drive tray and Belisarius card
Does the customer need to order more drives? How many tape drives? | Yes__ No__ | __ T10000A __ T10000B __ T10000C __ T10000D __ T9840D __ HP LTO4 __ IBM LTO4 __ HP LTO5 __ IBM LTO5 __ HP LTO6 __ IBM LTO6
Are additional cartridges required? | Yes__ No__ Yes__ No__ Yes__ No__ Yes__ No__ | Note: All versions of encryption tape drives use different, unique cartridges: T9840 = 9840 cartridges; T10000 = T10000 cartridges; LTO4 = LTO4 cartridges; LTO5 = LTO5 cartridges; LTO6 = LTO6 cartridges. All versions of each cartridge type are supported, for example: standard, sport, VolSafe, and WORM.
Notes: | |
The KMAs can be installed in standard RETMA 19-inch, four-post racks or cabinets. Note: Two-post racks are not supported.
The slide rails are compatible with a wide range of racks that meet the following standards:
Horizontal opening and unit vertical pitch conforming to ANSI/EIA 310-D-1992 or IEC 60927 standards.
Distance between front and rear mounting planes between 610 mm and 915 mm (24 in. to 36 in.).
Clearance depth to a front cabinet door of at least 25.4 mm (1 in.).
Clearance depth to a rear cabinet door of at least 800 mm (31.5 in.) to incorporate cable management, or 700 mm (27.5 in.) without cable management.
Clearance width between structural supports and cable troughs, and between front and rear mounting planes, of at least 456 mm (18 in.).
An SL8500 library can have up to 4 optional accessory racks (PN XSL8500-RACK-Z). If the customer wants power redundancy, a minimum of 2 racks are required.
Each rack can hold up to 6 units (Us) of equipment, such as the key management appliances and the Ethernet switches. Each rack has a six-connector power distribution unit (PDU) that provides power and two cooling fans that provide additional air flow. Table 3-2 lists the rack guidelines.
Table 3-2 SL8500 Accessory Rack Guidelines
Guideline | Description
---|---
Rack numbering | Rack numbering is top-down from 1 to 4. Rack 1 is on the top; Rack 4 is on the bottom.
Rack mounting | Components must be able to function in a vertical orientation.
Dimensional restrictions | Rack module depth is 72 cm (28 in.). Recommended safe length is 66 cm (26 in.).
Equipment weight | The accessory rack itself is mounted on slides rated for 80 kg (175 lb). The recommended safe load is 64 kg (140 lb). The KMA is 10.7 kg (23.45 lb); the Ethernet switch is 1.5 kg (3.1 lb).
Power consumption | Per rack module is 4 Amps (maximum). Per outlet strip is 200–240 VAC, 50–60 Hz. The KMA is 185 W; the Ethernet switch is 20 W.
Power cord | Power plug to connect to the rack PDU is an IEC320 C13 shrouded male plug. Minimum cord length is component plus 46 cm (18 in.) for a service loop.
Thermal requirements | Maximum power dissipation is 880 watts (3,000 Btu/hr) per rack module.
Regulatory compliance | Minimum requirements are: Safety—UL or CSA certification; Electromagnetic—Class A certification from agencies such as FCC or BSMI.
StorageTek engineering recommends that customers supply a managed switch for connecting KMAs to the tape drives on their service network. Managed switches then supply connectivity to the StorageTek-supplied unmanaged switches, as well as any connectivity to customer-supplied routers for a wide area service network.
The following managed switches have been tested and are recommended:
Other managed switches can be used but engineering only provides configuration guidance on the above listed switches.
Managed switches are recommended for the following reasons:
Improved serviceability through better switch diagnostics and service network troubleshooting.
Potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol.
Support for aggregation of the KMA service network interfaces to minimize single point of failure on the KMA's service interface.
Figure 3-1 provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can communicate with the other KMA.
It is possible to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity.
Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be:
Set to auto-negotiate duplex (should be full duplex).
Set to auto-negotiate speed; the KMA ports are capable of gigabit speeds.
Using identical speeds, for example both set to 100 Mbps (auto speed negotiation may work fine).
To provide redundancy in case of a service network interface failure, the LAN 2 port may now be aggregated with the LAN 3 port. To use the port aggregation feature, you need to configure the switches for link aggregation. The Solaris port selection policy on the KMA is address based. Here is some information about the service port aggregation that may be needed to configure the switch:
Ports are aggregated manually, meaning they do not use LACP.
Ports are full duplex (auto may work fine).
Switch ports used for aggregation groups must be identical speed, for example, both ports set to 100 Mbps (auto speed negotiation may work fine).
Notes:
There may be an order or connection dependency. Create the aggregation group on the switch before connecting the KMA's service port.
If the aggregated IP address (IPv4 or IPv6) is not responding, reboot the KMA.
A System Dump taken using the Management GUI contains aggregated port information, gathered using dladm commands.
To configure aggregated ports on an Extreme Ethernet switch
Log in to the switch using telnet.
Enter the following CLI commands:
```
show port sharing
enable sharing <port> grouping <portlist> algorithm address-based L3_L4
```
Port specifies the master port for a load sharing group.
Portlist specifies one or more ports, or slots and ports, to be grouped to the master port. On a stand-alone switch (which is what is normally supplied), this can be one or more port numbers, for example 1, 2, 3, 4, 5.
Use a Web browser to connect to the switch IP.
Select port and then link aggregation from the menu.
From the subsequent dialog you can use the Create tab to create a new port grouping.
Note: If you need to install the switch, see the Brocade ICX 6430 and ICX 6450 Stackable Switches Hardware Installation Guide at: http://www.foundrynet.com/services/documentation/FastIronMerge/current/ICX6430-6450_07400a_InstallGuide.pdf
Pre-configuration Requirements
Before you configure the switch, follow steps 1 - 4 in the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide to attach a PC to the switch and assign an IP address to the management port using its Command Line Interface (CLI). Follow the ICX 6430 instructions in step 3.
You can access this guide at:
http://www.foundrynet.com/services/documentation/FastIronMerge/current/ICX6430-6450_07400_QuickStartGuide.pdf
Configuring the Brocade Switch
Configure the Brocade switch to use the Rapid Spanning Tree Protocol (RSTP), which was standardized by IEEE 802.1W.
After you perform the following steps, refer to the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide for additional information about configuring Brocade ICX 6430 switches.
Start a web browser and connect to the switch at the IP address you established in the pre-configuration requirements above.
Enable RSTP as shown in the following steps.
Navigate to Configuration > System.
Ensure that Spanning Tree is enabled.
Click Clock to set the system clock.
Navigate to Configuration > VLAN.
Set the VLAN IP address.
Click Add Port VLAN.
Ensure that Spanning Tree is Disabled and 802.1W is Enabled.
Navigate to Configuration > RSTP and view the Ethernet ports.
Use ssh to access the management IP address of the switch to launch its CLI. Configure a trunk group for each KMA that should include aggregated service ports.
```
Brocade(config)#show trunk
Brocade(config)#trunk ethernet 1/1/1 to 1/1/2
Brocade(config)#trunk ethernet 1/1/3 to 1/1/4
<repeat for each KMA that should include aggregated service ports>
Brocade(config)#write memory
Brocade(config)#trunk deploy
```
Note: In this example, the ports had been put into VLAN 1, as indicated by the leading "1/" in the trunk commands. If no VLAN was created on the ports, the trunk commands should not have the leading "1/". For example: Brocade(config)#trunk ethernet 1/1 to 1/2
In the web interface, navigate to Configuration > Trunk and view the trunks that you just defined in the CLI.
Attach network cables between the pairs of ports on the switch and the service and aggregated service ports on each KMA that should contain aggregated service ports. The port IDs used in the trunk commands correspond to physical ports on the switch.
To do this:
Inspect the switch and identify the physical ports that belong to the trunk groups you created in the CLI and viewed under Configuration > Trunk.
For each KMA, attach a network cable between the first port in the trunk group and the service port on the KMA (labeled LAN 2 or NET 2).
Attach a network cable between the second port in the trunk group and the aggregated service port on the KMA (labeled LAN 3 or NET 3).
See Figure 1-11, Figure 1-12, and Table 1-3 for information on rear panel connections for the X2100 M2/X2200 M2 and X4170 M2 servers.
Mirroring ports can be useful when you want to use a network analyzer in the service network environment. Ports can be mirrored on Brocade ICX 6430 switches as follows:
Telnet to the switch management port.
On this switch, select a port that is not part of a trunk (for example, port 24 is designated as "1/1/24").
Access privileged mode on the switch by entering enable (# will be appended to the prompt indicating you are in privileged mode).
Enter configuration mode by entering configure terminal (you will see (config) appended to the prompt indicating config mode).
Configure the mirror-port with the command mirror-port ethernet 1/1/24.
Determine what port traffic you want to monitor (for example, port 1 designated as 1/1/1).
Enter the interface menu for port 1/1/1 by entering interface ethernet 1/1/1 (config-if-e1000-1/1/1 is appended to the prompt indicating you are configuring that port).
Enter monitor ethernet 1/1/24 both to monitor traffic in both directions on port 24.
Enter write to save the configuration changes.
In Figure 3-1, the service network consists of two customer-provided managed switches cabled to three unmanaged switches; the cabling contains redundant paths that require a spanning tree configuration. This example can easily be scaled for larger SL8500 drive configurations by adding KMAs, switch hardware, and tape drives.
Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy.
Unmanaged switches have two paths to the managed switches for redundancy.
Unmanaged switches are then cabled for connectivity to the tape drives (agents).
Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1–4, 6–9, 11–14, and 16–19.
The Service Delivery Platform (SDP) connects to each managed switch at port 1 (see "Service Delivery Platform").
The following information is useful for customers and Oracle service representatives when setting-up and installing multi-site clusters.
Initially it is not advisable to begin with a multi-site network topology for the tape drives. A simple strategy may be best: do not configure service network routes between sites, so that drives are restricted to the local KMAs within their site. After gaining confidence with the system, the service network configuration can be extended to other sites using the KMA console menu option for networking.
Note: Even without a multi-site routed service network, default gateway settings can affect failover performance. Understanding the following information is important for configuring the KMA network.
The cluster provides tape drives with the capability to select KMAs for retrieval of key material. A robust, highly available network is essential to maximize tape drive performance, so the topology of the network is an important planning and configuration task. The following describes how a tape drive uses the services of the cluster to retrieve keys.
Tape drives (agents) utilize the discovery service of the KMAs to maintain knowledge about the cluster. This information includes the following properties for each KMA:
IP address (both IPv4 and IPv6 addresses)
Site Name
KMA ID
KMA Name
KMA Version – Helps determine FIPS support for supported tape drives
The following dynamic properties are also provided to tape drives when they issue a discover cluster request:
Responding – indicates if the KMA is responding on the network
Locked – indicates if the KMA is currently locked
The tape drives periodically retrieve this information as part of a tape operation (not when the tape drive is idle) and always request it as part of enrollment and whenever the drive is IPLed. The KMA that receives the discover cluster request provides this information for each KMA that is accessible over the service network. This is where the network planning and configuration exercise becomes important.
During normal tape drive operations, the drives use their local table of cluster information to select a KMA for key retrieval.
The drives use an algorithm to pick a random KMA from the cluster of KMAs within:
the same site as the drive and
that are unlocked and responding.
If all KMAs within a site are either locked or not responding then the tape drive attempts to access a KMA from another site.
Presumably this is a remote site, with a network response time that may be higher than that of the KMAs within the same site as the tape drive.
What is important is that the KMAs from other sites can be reached by the tape drive; otherwise the attempt to retrieve keys will time out, forcing a failover.
Whenever a tape drive's attempt to communicate with a KMA fails, the drive tries to select another KMA for failover. Tape drives attempt a failover up to three (3) times before giving up and returning an error to the host tape application.
For each failover attempt, the drive uses the same selection algorithm as for load balancing. Consequently, the drive's information about the cluster state is used again (and may even be refreshed, if it is time to refresh the information about the cluster).
Sometimes a drive chooses a non-responding KMA during a failover attempt, if all other KMAs are non-responding. This is not ideal, but because the information about the cluster may be stale, there is a chance that the KMA has come back online and will respond. Whenever the drive discovers a new response state for a KMA, it updates its cluster information to mark the KMA as responding or not responding, as the case may be.
The routing configuration of a KMA has an effect on responses to tape drive discovery requests. Mistakes in the routing configuration can lead to erroneous cluster information being provided to tape drives. This could cause drives to attempt communication with KMAs that they cannot reach over the network.
Customers need to consider the network topology they want for their tape drives. The ability for tape drives to failover to remote sites can improve drive reliability and availability when local KMAs are down or slow to respond (such as timeout situations because of heavy workloads).
Note: Providing the ability to fail over to remote sites is something that needs to be planned for and should involve customer network engineers.
For drives on the service network, a route must be configured between sites using the KMA console network menu option. The common mistake to avoid is configuring a default route.
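The KMA selection and failover rules described above, as an added simulation that is not part of the original manual. The cluster table, site names and the set of reachable KMAs are constructed for the simulation; the third scenario shows the effect of a KMA listed as responding in discovery data but unreachable because no route exists to its site.

```python
import random
from dataclasses import dataclass


@dataclass
class KmaInfo:
    """One entry of a drive's local cluster table, as returned by discover cluster."""
    kma_id: str
    name: str
    site: str
    responding: bool   # dynamic property from the last discover cluster response
    locked: bool       # dynamic property from the last discover cluster response


def select_kma(table, drive_site, rng):
    """Pick the KMA a drive would use for key retrieval.

    Preference order, following the selection rules described above:
      1. random unlocked, responding KMA in the drive's own site
      2. random unlocked, responding KMA in any other site
      3. random unlocked KMA even if marked not responding (table may be stale)
    Returns None only if every KMA is locked.
    """
    local = [k for k in table if k.site == drive_site and not k.locked and k.responding]
    if local:
        return rng.choice(local)
    remote = [k for k in table if k.site != drive_site and not k.locked and k.responding]
    if remote:
        return rng.choice(remote)
    stale = [k for k in table if not k.locked]
    return rng.choice(stale) if stale else None


def retrieve_key(table, drive_site, reachable, rng=None, max_failovers=3):
    """Simulate one key retrieval: an initial attempt plus up to max_failovers failovers.

    `reachable` is the set of KMA IDs the drive can actually reach over the service
    network (constructed for the simulation). A KMA can be listed as responding in
    the table yet be unreachable when routes between sites are missing; such an
    attempt times out and counts as a failover.
    Returns (kma_id or None, list of KMA IDs tried in order).
    """
    rng = rng or random.Random(0)
    tried = []
    for _ in range(1 + max_failovers):
        kma = select_kma(table, drive_site, rng)
        if kma is None:
            break
        tried.append(kma.kma_id)
        if kma.kma_id in reachable:
            kma.responding = True      # refresh the local table on success
            return kma.kma_id, tried
        kma.responding = False         # mark not responding after a timeout
    return None, tried


def build_table():
    """Constructed sample cluster table: two KMAs at SiteA (one locked), one at SiteB."""
    return [
        KmaInfo("kma-1", "KMA-A1", "SiteA", responding=True, locked=False),
        KmaInfo("kma-2", "KMA-A2", "SiteA", responding=True, locked=True),
        KmaInfo("kma-3", "KMA-B1", "SiteB", responding=True, locked=False),
    ]


if __name__ == "__main__":
    # Local KMA kma-1 reachable: the drive never leaves its site.
    print(retrieve_key(build_table(), "SiteA", reachable={"kma-1", "kma-3"}))
    # kma-1 down and a route to SiteB exists: failover to kma-3 succeeds on the 2nd attempt.
    print(retrieve_key(build_table(), "SiteA", reachable={"kma-3"}))
    # kma-1 down and no route to SiteB: kma-3 is listed as responding but every
    # attempt times out, so the drive gives up after 1 + 3 attempts.
    print(retrieve_key(build_table(), "SiteA", reachable=set()))
```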
Figure 3-2 provides an example for a multi-site routed service network.
The Service Delivery Platform (SDP) is a support solution for StorageTek's libraries and tape drives (T-Series only) that consists of a smart appliance and a dedicated network.
The SDP appliance can be configured to use the Dynamic Host Configuration Protocol (DHCP) to automate the assignment of IP addresses for device connections. Optionally, the SDP can be used as the DHCP server for the KMAs service network IP address.
Beginning with new deployments of SDP and the Oracle Key Manager, the configuration was changed to strengthen security. The SDP product team recommends a firewall between the KMAs, switches, and tape drives on the service network because of the connectivity of KMAs to the customer's network. Refer to the Service Delivery Platform Security White Paper, May 2008, and "Optional Firewall".
When planning for a multi-site service network, the subnet addressing scheme for the KMA service ports and drives needs to be determined. Duplicate network addresses must be avoided; for example, the use of 172.18.18.x networks (a common convention) needs to be avoided.
KMAs will typically be connected to the customer's network for any of the following reasons:
Administrative access to the KMAs using the Oracle Key Manager GUI hosted in the customer network
Cluster replication between KMAs
KMA access to the customer's NTP server
KMA access to customer's SNMP Managers
Customer access to the KMA's service processor (ELOM or ILOM)
Similarly, with Oracle Key Manager's support for a routable, multi-site service network, customer supplied routers and networking equipment will be required to connect the various sites comprising the key management cluster.
Because of this connectivity into the customer's network, SDP security policy dictates that a firewall must be present between the devices connecting to a KMA and the SDP. This "customer firewall" is the firewall attached to Port 2 of the SDP appliance in the following diagram. The firewall needs to be configured so that SDP can monitor the tape drives in the customer-controlled portion of the service network.
DMZ in the diagram refers to the secure network architecture of SDP that secures the network traffic between the SDP onsite unit and the Oracle network.
This firewall effectively partitions the service network in two: the Oracle-controlled service network and the customer-controlled service network. The Service Delivery Platform Security White Paper, May 2008, describes this network as the "Service Network interface". The Oracle Service Network interface is the connection between the SDP site unit and storage devices; this is the Port 1 connection in the diagram. The Customer Network interface is the connection between SDP and Oracle storage devices connected to the customer operations center LAN that is attached to the customer network, Port 2 in the diagram. These devices include the tape drives and switches connected to the KMAs.
The "customer firewall" prevents this connection from having access to the customer's network and only to the devices that SDP can monitor.
Oracle service personnel still need to service equipment in both partitions of the service network and coordinate with SDP engineers for planning and configuration.
Encryption-capable tape drives add another element to the design for content management in an SL8500, SL3000, SL500, or SL150 library installation. These libraries each have a different design that shares similar elements; considerations include:
Table 3-3 Content Management Planning
When planning for content, the most important aspect is to evaluate content (tape drives and data cartridges) with respect to the physical structure of the library.
These libraries provide several ways to accommodate growing data storage needs:
Addition of library modules—to the front, to the left or right, or up and down.
Capacity on Demand
Activation of slots without service representative involvement
Requires the installation of slots or modules up front
Flexible partitions
Ease to re-allocate resources as needs change
Real-Time Growth
Disaster recovery scenarios
Capacity on Demand is a non-disruptive optional feature that allows the customer to add capacity to the library using previously installed, yet inactive slots.
The installed physical capacity is separate from the activated capacity. The advantage of Capacity on Demand is that the customer only buys the storage that they need and not all the storage that is installed.
Activated capacity can be purchased in multiple increments.
When a customer purchases a hardware activation key to use more physical storage, an encrypted key file is sent through e-mail. The file is then loaded into the library using the Storage Library Console (SLC).
Because the physical and the activated slot capacities are separate, the customer has the option of installing physical capacity in advance before they are ready to use these slots.
The advantage of installing physical capacity in advance is that now, scaling the library is non-disruptive, quick, and easy to accomplish.
For example: Whenever building a library configuration, there are two basic slot capacity questions you need to answer:
How many slots does the customer need to use?
How many cartridge slots does the customer want to physically install?
The definition of a partition is to divide into parts or shares.
Partitioning a library means the customer can have:
Multiple libraries from one physical piece of hardware.
More than one operating system and application manage the library.
An improvement in the protection or isolation of files.
An increase in system and library performance.
An increase in user efficiency.
Partitions may be customized to fit different requirements, such as:
Separating different encryption key groups.
Isolating clients as service centers.
Dedicating partitions for special tasks.
Giving multiple departments, organizations, and companies access to appropriate sized library resources.
Tip:
When using encryption-capable tape drives, partitions can add an additional layer to data security. Customers can assign partitions that limit the access to the tape drives and data cartridges.
Ideally, you would want to set up partitions that allow for future growth. Allowing room for growth lets the customer activate slots within a partition using Capacity on Demand. This is the easiest and least disruptive growth path:
Install extra physical capacity.
Define partitions large enough to accommodate future growth.
Adjust the library capacity to meet current demands.
Essential guidelines for understanding partitions are:
Clear communication between the system programmers, network administrators, library software representatives and administrators, and service representatives.
Knowing what partitions exist, their boundaries, and who has access to the specific partitions that are configured.
Setting up a partition requires some important considerations:
Slots and tape drives are allocated to a specific partition and cannot be shared across other partitions.
Partition users must anticipate how much storage is needed for their resident data cartridges and the amount of free slots required for both current use and potential growth.
Remember:
Each partition acts as an independent library.
One partition will not recognize another partition within the library.
Disaster recovery is a subset of a larger process known as business continuity planning (BCP), which should include replacing hardware, re-establishing networks, resuming applications, and restoring data.
Disaster recovery is the process, policies, and procedures that relate to preparing for recovery or continuation of business critical information to an organization after a natural or human-induced disaster. This includes:
Recovery Point Objective (RPO): The point in time to recover data as defined by a business continuity plan. This is generally a definition of what the business determines is an "acceptable loss" in a disaster situation. This could be in hours, days, or even weeks.
Recovery Time Objective (RTO): The duration of time that a business process must be "restored" after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. This could be minutes when using a combined service network.
The OKM uses a cluster design that requires at least two key management appliances. This design helps reduce the risk of disrupting business continuity. Clustering KMAs allows for replication of database entries and workload balancing. In the unlikely event that a component should fail, it can be easily replaced and restored to operation.
An OKM cluster can span multiple, geographically separated sites. This greatly reduces the risk of a disaster destroying the entire cluster. Although it is unlikely that an entire cluster would need to be recreated, most of the key data can be recovered by recreating the OKM 2.x environment from a recent database backup.
While designing an encryption and archive strategy, an important design guideline is to make sure that critical data generated at any site is replicated and vaulted off-site. Many companies employ the services of a third-party disaster recovery (DR) site to allow them to restart their business operations as quickly as possible.
Refer to Disaster Recovery Reference Guide PN 31619710x for more information.
When planning for partitions, you also need to be aware of the location, quantity, type, and need for the tape drives and media.
In addition, an understanding of how to logically group and install the tape drives and locate the media for the different hosts, control data sets, interface types, and partitions is necessary. When planning for partitions:
Make sure the tape drive interface supports that operating system.
Open system platforms do not support ESCON or FICON interfaces.
Not all mainframes support Fibre Channel interfaces or LTO tape drives.
Make sure the media types match the application.
Install tape drives that use the same media types in the same partition.
Make sure there are enough scratch cartridges and free slots to support the application and workload.
One essential message for content management and partitioning is planning.
Items to plan for include:
Table 3-4 Steps and Tasks for Partitioning
The manager graphical user interface (GUI) consists of a three-paned display:
On the left is a navigational pane or tree.
In the center is an operations detail pane for the appropriate selection on the left.
On the bottom is a session events pane.
The manager is an easy-to-use graphical user interface that allows users to configure functions of the KMAs depending on the roles that user is assigned (see "Role-Based Operations").
The manager contains System, View, and Help menus in the upper left corner of the display with toolbar buttons that provide shortcuts to several menu options.
The manager defines and uses the following roles. Completing and assigning roles is a customer task; service representatives should only advise. (The role names below are taken from the "Roles" columns of Table 3-5; the descriptions are listed in the same alphabetical order.)

Role | Description |
---|---|
Auditor | Views information about the Cluster. |
Backup Operator | Performs backups. |
Compliance Officer | Manages key policies and key groups. Determines which Agents and Transfer Partners can use key groups. |
Operator | Manages Agents, Data Units, and Keys. |
Quorum Member | Views and approves pending quorum operations. |
Security Officer | Full authority to view, modify, create, and delete Sites, KMAs, Users, and Transfer Partners. |

Note: Each person or user may fulfill one or more of these roles.
The figure below shows an example of the Users Detail screen. Use Table 3-6 to help prepare for the assignments.
Enter a User ID between 1 and 64 characters.
Provide a Description between 1 and 64 characters.
Click the Passphrase tab and enter a Passphrase twice.
Passphrase requirements are:
8 to 64 characters long
3 of the 4 character classes (upper case, lower case, numbers, and symbols)
Cannot include the user's name.
The KMA verifies that the requesting user has permission to execute an operation based on the user's roles. Unavailable operations typically indicate the wrong role.
There are four basic operations a user/role can have: Create, Delete, Modify, and View. Table 3-5 shows the system entities and functions that each user role can perform. In the "Roles" columns:
Yes indicates that the role is allowed to perform the operation.
Quorum indicates that the role is allowed but must belong to a quorum.
Blank indicates that the role is not allowed to perform the operation.
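The passphrase rules and the role check described above are easy to get subtly wrong when a site builds its own provisioning checklist, so here is an added example (not code from the page or from Oracle Key Manager) that encodes them as a pre-flight check for one row of the user worksheet. The permission rows in SAMPLE_PERMISSIONS are a constructed sample in the shape of Table 3-5 (a few operations only, not a transcription of the table), and the rule that a role marked "Yes" takes precedence over a role marked "Quorum" when one user holds both is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Role names as listed in the "Roles" columns of the operations table.
ROLES = (
    "Security Officer", "Compliance Officer", "Operator",
    "Backup Operator", "Auditor", "Quorum Member",
)

# Constructed sample in the shape of Table 3-5: for each operation, the roles
# that may perform it, marked "Yes" (allowed) or "Quorum" (allowed, but the
# operation needs quorum approval). A role that is absent is "blank", i.e.
# not allowed. These rows are illustrative, not a copy of the table.
SAMPLE_PERMISSIONS = {
    "Console:Log In": {role: "Yes" for role in ROLES},
    "Site:Create": {"Security Officer": "Yes"},
    "Backup:Create": {"Backup Operator": "Yes"},
    "Backup:Restore": {"Security Officer": "Quorum"},
    "Pending Quorum Operation:Approve": {"Quorum Member": "Quorum"},
}

# The four character classes named in the passphrase requirements.
CHARACTER_CLASSES = (
    re.compile(r"[A-Z]"),          # upper case
    re.compile(r"[a-z]"),          # lower case
    re.compile(r"[0-9]"),          # numbers
    re.compile(r"[^A-Za-z0-9]"),   # symbols (anything that is not a letter or digit)
)


def check_passphrase(user_id: str, passphrase: str) -> list:
    """Return the policy rules a passphrase violates; an empty list means it passes."""
    problems = []
    if not 8 <= len(passphrase) <= 64:
        problems.append("length must be 8 to 64 characters")
    present = sum(1 for rx in CHARACTER_CLASSES if rx.search(passphrase))
    if present < 3:
        problems.append("must contain 3 of 4 character classes")
    # Case-insensitive containment, so "Alice2024!" is rejected for user "alice".
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("must not include the user's name")
    return problems


def authorize(user_roles, operation, permissions=SAMPLE_PERMISSIONS) -> str:
    """Resolve an operation for a user who holds one or more roles.

    Returns "allowed", "quorum" (allowed only with quorum approval) or "denied".
    Assumption of this example: a "Yes" from any held role wins over a "Quorum".
    """
    row = permissions.get(operation, {})
    marks = {row.get(role) for role in user_roles}
    if "Yes" in marks:
        return "allowed"
    if "Quorum" in marks:
        return "quorum"
    return "denied"


@dataclass
class UserEntry:
    user_id: str
    description: str
    roles: tuple


def provision_user(user_id, description, passphrase, roles) -> UserEntry:
    """Validate one worksheet row (User ID, Description, Passphrase, Roles)."""
    if not 1 <= len(user_id) <= 64:
        raise ValueError("User ID must be 1 to 64 characters")
    if not 1 <= len(description) <= 64:
        raise ValueError("Description must be 1 to 64 characters")
    unknown = [r for r in roles if r not in ROLES]
    if unknown:
        raise ValueError(f"unknown roles: {unknown}")
    problems = check_passphrase(user_id, passphrase)
    if problems:
        raise ValueError("passphrase rejected: " + "; ".join(problems))
    # The passphrase is deliberately not kept in the entry, in line with the
    # worksheet note that it must not be recorded.
    return UserEntry(user_id, description, tuple(roles))


if __name__ == "__main__":
    entry = provision_user("okmsec1", "Site security officer",
                           "Tr0ub4dor&3", ["Security Officer"])
    print(entry)
    print(authorize(entry.roles, "Backup:Restore"))   # quorum
    print(check_passphrase("alice", "Alice2024!"))    # name violation
```

The user-name check is case-insensitive on purpose: a policy that only rejects an exact-case match is trivially bypassed by changing one letter's case, and the page's rule does not limit the check to exact case.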
Table 3-5 System Operations and User Roles
Operation | Security Officer | Compliance Officer | Operator | Backup Operator | Auditor | Quorum Member |
---|---|---|---|---|---|---|
Console |
||||||
Log In |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Set KMA Locale |
Yes |
|||||
Set KMA IP Address |
Yes |
|||||
Enable Tech Support |
Yes |
|||||
Disable Tech Support |
Yes |
Yes |
||||
Enable Primary Administrator |
Yes |
|||||
Disable Primary Administrator |
Yes |
Yes |
||||
Restart KMA |
Yes |
|||||
Shutdown KMA |
Yes |
|||||
Log into Cluster |
Quorum |
|||||
Set User's Passphrase |
Yes |
|||||
Reset KMA |
Yes |
|||||
Zeroize KMA |
Yes |
|||||
Logout |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Connect |
||||||
Log In |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Create Profile |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Delete Profile |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Set Config Settings |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Disconnect |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Key Split Credentials |
||||||
List |
Yes |
|||||
Modify |
Quorum |
|||||
Autonomous Unlock |
||||||
List |
Yes |
|||||
Modify |
Quorum |
|||||
Lock/Unlock KMA |
||||||
List Status |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Lock |
Yes |
|||||
Unlock |
Quorum |
|||||
Site |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Delete |
Yes |
|||||
Security Parameters |
||||||
List |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Modify |
Yes |
|||||
KMA |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Delete |
Yes |
|||||
User |
||||||
Create |
Yes |
|||||
List |
Yes |
|||||
Modify |
Yes |
|||||
Modify Passphrase |
Yes |
|||||
Delete |
Yes |
|||||
Role |
||||||
List |
Yes |
|||||
Key Policy |
||||||
Create |
Yes |
|||||
List |
Yes |
|||||
Modify |
Yes |
|||||
Delete |
Yes |
|||||
Key Group |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
||||
List Data Units |
Yes |
Yes |
||||
List Agents |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Delete |
Yes |
|||||
Agent |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Modify Passphrase |
Yes |
|||||
Delete |
Yes |
|||||
Agent/Key Group Assignment |
||||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Data Unit |
||||||
Create |
||||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Modify Key Group |
Yes |
|||||
Delete |
||||||
Keys |
||||||
List Data Unit Keys |
Yes |
Yes |
||||
Destroy |
Yes |
|||||
Compromise |
Yes |
|||||
Transfer Partners |
||||||
Configure |
Quorum |
|||||
List |
Yes |
Yes |
Yes |
|||
Modify |
Quorum |
|||||
Delete |
Yes |
|||||
Key Transfer Keys |
||||||
List |
Yes |
|||||
Update |
Yes |
|||||
Transfer Partner Key Group Assignments |
||||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Backup |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
Yes |
Yes |
||
List Backups & Destroyed Keys |
Yes |
Yes |
||||
Restore |
Quorum |
|||||
Confirm Destruction |
Yes |
|||||
Core Security Backup |
||||||
Create |
Yes |
|||||
SNMP Manager |
||||||
Create |
Yes |
|||||
List |
Yes |
Yes |
||||
Modify |
Yes |
|||||
Delete |
Yes |
|||||
Audit Event |
||||||
View |
Yes |
Yes |
Yes |
Yes |
Yes |
|
View Agent History |
Yes |
Yes |
||||
View Data Unit History |
Yes |
Yes |
||||
View Data Unit Key History |
Yes |
Yes |
||||
System Dump |
||||||
Create |
Yes |
Yes |
||||
System Time |
||||||
List |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Modify |
Yes |
|||||
NTP Server |
||||||
List |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Modify |
Yes |
|||||
Software Version |
||||||
List |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Upgrade |
Yes |
|||||
Network Configuration |
||||||
Display |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Pending Quorum Operation |
||||||
Approve |
Quorum |
|||||
Delete |
Yes |
|||||
Key List |
||||||
Query |
Yes |
Yes |
||||
List Activity History |
Yes |
Yes |
||||
Agent Performance List |
||||||
Query |
Yes |
Yes |
||||
KMA Performance List |
||||||
Query |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Current Load |
||||||
Query |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Table 3-6 User Roles Work Sheet

User ID | Description | Passphrase (Confidential Password) | Role: Security Officer | Role: Compliance Officer | Role: Operator | Role: Backup Operator | Role: Auditor | Role: Quorum Member |
---|---|---|---|---|---|---|---|---|
 | | | | | | | | |

Note: The Passphrase should not be recorded here for security reasons. This column is provided as a reminder that as User IDs are entered, the person with that ID will be required to enter a passphrase.
The tape drives should be installed and tested in their appropriate configuration before adding the encryption capability to them. Each drive-type has its own requirements.
To obtain the drive data for each T-Series (T10000 and T9840) tape drive:
Using the Virtual Operator Panel, connect to each tape drive and record the last eight digits of the tape drive serial number.
Select: File > Connect to Drive
Select: Retrieve > View Drive Data > Manufacturing
Use Appendix C, "Obtaining Support and Using Worksheets" to record the information about the tape drives. You will find this information helpful during the installation, activation, and enrollment of the tape drives (agents).
Note: Step 3 and Step 4 are not required for T10000C and T10000D drives running firmware versions 1.57.30x (T10000C) or 4.06.106 (T10000D) and higher.
Request an Encryption Key File:
Log in to the Applications web site:
https://crcapplications.us.oracle.com/keyswebapp
Select Request an Encryption key.
Access is restricted: you must be an employee, have completed the encryption training courses, and be named on the Request Encryption Key list.
Complete the Encryption Request form.
First name, last name, and e-mail address are automatically included.
Provide a site ID and order number.
Select the tape drive type (T10000A, T10000B, T10000C, T10000D, or T9840D).
Complete the serial number for the selected tape drive.
Add any optional remarks and click Request Key File. After submitting the Encryption File Request, you are prompted to download the file. This file contains the drive data you need to enable and enroll the drive.
Figure: Encryption File Request for Drive Data
Family serial numbers start with:
T10000A = 5310 xxxxxxxx
T10000B = 5720 xxxxxxxx
T10000C = 5760 xxxxxxxx
T10000D = 5790 xxxxxxxx
T9840D = 5700 xxxxxxxx
When selecting the drive family-type, the first four numbers of the serial number are automatically filled in.
Continue with this process until you obtain all the drive data files for each tape drive you are going to enable.
When enabling multiple drives, it is best to create a file structure where each tape drive has its own folder. For example:
Figure 3-9 uses a top-level folder name of crypto_drvs placed on the Desktop. (This is only for grouping of the other folders.)
Under crypto_drvs are the folders for each tape drive using the serial numbers.
In each serial number folder is the drive data file for that specific tape drive.
When activating the tape drives, the VOP requests a download location.
Complete Appendix C, "Obtaining Support and Using Worksheets" to help with the activation and enrollment of the tape drives. What you need to know before beginning:
The drive number (serial or system) and IP address.
The Agent IDs and Passphrases.
Is this drive going to use tokens (Version 1.x) to get media keys (OKT) or use the appliance (KMA Version 2.x) to get the encryption keys?
Does the customer want this drive to remain in encryption mode? Or do they want the ability to switch encryption on and off?
Make copies of this page as necessary.
Notes:
Agent names (IDs) cannot be changed; however, an agent can be deleted and re-enrolled with a different name.
If you replace the agent, you can reuse the name; however, a passphrase can only be used once, so you must give the agent a new passphrase.
The replacement drive will need to be enrolled using the existing name and a new passphrase.
LTO tape drives have no enablement requirements and need no drive data file. The only preparation is to make sure the customer has the information needed to assign the IP addresses and Agent names for the tape drives in the OKM manager.
Note: The Virtual Operator Panel must be at:
To use the VOP for LTO tape drives, you need to launch a special file:
Figure 3-10 shows an example of the VOP 1.0.12 download contents.
The required tools to install and initially configure the KMAs are:
Standard field service tool kit, including both standard and Phillips screwdrivers, Torx driver and bits, and other tools necessary to mount the servers in a rack
Serial or null modem cable (P/N 24100134) with DB-9 connector
Adapter (P/N 10402019)
Straight Ethernet cable (P/N 24100216) 10-ft
Cross-over Ethernet cable (P/N 24100163) 10-ft
Service laptop (or personal computer)
Virtual Operator Panel (VOP) at Version 1.0.11 or higher for T-Series tape drives
Virtual Operator Panel for HP LTO tape drives at Version 1.0.12 or higher
Virtual Operator Panel for IBM LTO tape drives at Version 1.0.14 or higher
Virtual Operator Panel for LTO5 tape drives at Version 1.0.16 or higher
Virtual Operator Panel for LTO6 tape drives at Version 1.0.18 or higher
Multi-Drive Virtual Operator Panel (MD-VOP) Version 1.1 or higher
The manager (graphical user interface, GUI) must be installed on either a Windows XP or a Solaris platform.
Web Browsers: The Embedded Lights Out Manager is sensitive to Web browser and Java versions. Refer to http://docs.oracle.com/cd/E19121-01/sf.x2100m2/819-6588-14/index.html for more information on supported Web browsers.
Table 3-7 lists the supported operating systems and Web browsers:
Table 3-7 Operating Systems and Web Browsers

Client OS | Supports these Web browsers | Java Runtime Environment Including Java Web Start |
---|---|---|
 | | JRE 1.5 (Java 5.0 Update 7 or later) |
 | | JRE 1.5 (Java 5.0 Update 7 or later) |
 | | JRE 1.5 (Java 5.0 Update 7 or later) |

You can download the Java 1.5 runtime environment at:
The current version of the ELOM Administration Guide is located at:
Table 3-8 lists the minimum firmware requirements.
Note: The firmware levels listed below apply to the associated OKM release and continue to change after the initial release. To access the latest firmware:
Go to My Oracle Support at http://support.oracle.com and sign in.
Click the Patches & Updates tab.
Click Product or Family (Advanced).
In the Start Typing... field, type in the product information (for example, "Oracle Key Manager"), and click Search to see the latest firmware for each release.
Table 3-8 Firmware Compatibilities

Component | Version | Version | Version | Version | Version | Version | Version |
---|---|---|---|---|---|---|---|
OKM | 2.0.2 | 2.1 | 2.2 or 2.2.1 | 2.3 | 2.4 | 2.5 | 2.5.x/3.0 |
Library Management | | | | | | | |
ACSLS | 7.1 and 7.1.1 with PUT0701, or 7.2, and 7.3 | | | | | | |
HSC | 6.1 or 6.2 | | | | | | |
VSM | 6.1 or 6.2 (includes VTCS and VTSS) | | | | | | |
VTL models | 1.0 or 2.0 | | | | | | |
Tape Drives | SL8500 | SL3000 | Lxxx | 9310/9311 | SL500 | VOP | SL150 |
T10000A FC | L–3.11c D–137113 | L–FRS_2.00 D–137113 | L–3.17.03 D–137113 | L–4.4.08 D–137113 | n/a | 1.0.18 | n/a |
T10000A FICON | L–3.11c D–137114 | L–FRS_2.00 D–137114 | L–3.17.03 D–137114 | L–4.4.08 D–137114 | n/a | 1.0.18 | n/a |
T10000B FC | L–3.98b D–138x07 | L–FRS_2.00 D–138x07 | L–3.17.03 D–138x07 | n/a | n/a | 1.0.18 | n/a |
T10000B FICON | L–3.98b D–138x09 | L–FRS_2.00 D–138x09 | L–3.17.03 D–138x09 | n/a | n/a | 1.0.18 | n/a |
T10000C FC | L–FRS_7.0.0 D–1.53.316 | L–FRS_3.0.0 D–1.53.316 | n/a | n/a | n/a | 1.0.18 | n/a |
T10000C FICON | L–FRS_7.0.0 D–1.53.316 | L–FRS_3.0.0 D–1.53.316 | n/a | n/a | n/a | 1.0.18 | n/a |
T10000D FC | L–FRS_8.0.5 D–4.06.106 | L–FRS_3.6.2 D–4.06.106 | n/a | n/a | n/a | n/a | n/a |
T10000D FICON | L–FRS_8.0.5 D–4.07.xxx | L–FRS_3.6.2 D–4.07.xxx | n/a | n/a | n/a | n/a | n/a |
T10000D FCoE | L–FRS_8.3.0 D–4.06.106 | L–FRS_4.xx D–4.06.106 | n/a | n/a | n/a | n/a | n/a |
T9840D FC | L–3.98 D–142x07 | L–FRS_2.00 D–142x07 | L–3.17.03 D–142x07 | L–4.4.08 D–142x07 | n/a | 1.0.12 | n/a |
T9840D FICON & ESCON | L–3.98 D–142x07 | L–FRS_2.00 D–142x07 | L–3.17.03 D–142x07 | L–4.4.08 D–142x07 | n/a | 1.0.12 | n/a |
HP LTO4, HP LTO5, HP LTO6 | L–3.98B; LTO4: D–H64S FC, n/a for SCSI; LTO5: D–I5BS FC, n/a for SAS; LTO6: D–J2AS FC, n/a for SAS | L–2.05; LTO4: D–H64S FC, n/a for SCSI; LTO5: D–I5BS FC, n/a for SAS; LTO6: D–J2AS FC, n/a for SAS | n/a | n/a | L–1300; LTO4: D–H64S FC, D–B63S SCSI; LTO5: D–I5BS FC, D–X5AS SAS; LTO6: D–J2AS FC, n/a for SAS | 1.0.12, 1.0.16, 1.0.16 | LTO4: n/a for FC, n/a for SCSI; LTO5: D–Y5BS FC, D–Z55S SAS; LTO6: D–22CS FC, D–329S SAS |
IBM LTO4, IBM LTO5, IBM LTO6 | LTO4: L–FRS_4.70 D–BBH4 FC, n/a for SCSI; LTO5: D–BBNH FC; LTO6: L–8.01 D–CT94 FC | LTO4: L–FRS_2.30 D–BBH4 FC, n/a for SCSI; LTO5: D–BBNH FC; LTO6: L–4.0 D–CT94 FC | n/a | n/a | LTO4: L–1373 D–BBH4 FC, D–BBH4 SCSI; LTO5: D–BBNH FC; LTO6: L–1483, n/a for FC | 1.0.14, 1.0.16 | LTO4: n/a for FC, n/a for SCSI; LTO5: n/a for FC; LTO6: L–1.80, n/a for FC |

Legend: L = Library firmware level; D = Drive firmware level; FC = Fibre Channel; FCoE = Fibre Channel over Ethernet; SPS = Special firmware (requires approval); n/a = Not applicable (not supported).