Oracle® Key Manager 3 Disaster Recovery Reference Guide
Release 3.0
E49726-01

1 Introduction

Encryption is based on the science of cryptography and is one of the most effective ways to achieve data security today. To read an encrypted file, you must have access to the key that will enable you to decipher the file.

Disaster recovery (DR) comprises the processes, policies, and procedures for preparing for, and carrying out, the recovery or continuation of an organization's business-critical information after a natural or human-induced disaster.

Disaster recovery is a subset of a larger process known as business continuity planning (BCP) and should include replacing hardware, re-establishing networks, resuming applications, and restoring data.

A business continuity plan also includes non-IT related aspects such as key personnel, facilities, and communications to restore the reputation and continuity of the business.

The Oracle Key Manager (OKM) supplies a comprehensive key management platform solution designed to address the rapidly growing enterprise commitment to storage-based data encryption. Complying with open security standards, OKM provides the capacity, scalability, and interoperability to centrally manage encryption keys over widely distributed and heterogeneous storage infrastructures.

OKM is specifically designed to meet the unique challenges of storage key management including:

This chapter provides a high-level overview of components, user roles, and the method for enabling and disabling encryption for recovery.

Architecture

The architecture for the OKM encryption solution consists of:

  • Key Management Appliance (KMA) – A security-hardened, dual-core processor with Solaris 10 (for X2100 M2, X2200 M2, X4170 M2) and Solaris 11 (for Netra SPARC T4-1) operating system that delivers policy-based key management and key provisioning services.


    Note:

    The KMAs can be installed with an SCA 6000 card, which is FIPS-compliant (see Footnote 1) at Level 3.

  • OKM Graphical User Interface (GUI) – A stand-alone application that users run on their own system, using either a Windows-based or Solaris-based platform.

  • OKM Cluster – A full set of KMAs in the system. All KMAs in a Cluster are aware of the other KMAs in the system and replicate this information (active/active).

    This way, if any KMA should go down, encryption operations continue.

  • Agent (tape drive) – A device that performs encryption using keys managed by the KMA Cluster and OKM.


Note:

With the KMS 2.1 or later OKM release and the latest tape drive firmware, the following drives are FIPS-compliant (see Footnote 1).

Footnote 1: FIPS (Federal Information Processing Standards) are publicly announced standards and guidelines developed by the United States Federal government. Many FIPS standards are modified versions of standards used in the wider community (ANSI, NIST, IEEE, ISO, etc.).

Tape Drive | FIPS 140-2 Level
T10000A | 1
T10000B | 2
T10000C | 1
T10000D | 1
T9840D | 1
LTO4 (HP and IBM) | No plans for FIPS
LTO5 (HP and IBM) | No plans for FIPS
LTO6 (HP) | No plans for FIPS

The FIPS security levels that apply to the above tape drives are Levels 1 and 2.

Level 1—The lowest level with production-grade requirements.

Level 2—Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.

This selection provides a higher level of security for the KMAs and tape drives.

  • Data unit – Media, a data cartridge.

  • Key Groups – An organization for keys that associates them with a Key Policy.

  • Network connections – The Key Management System consists of two networks:

    • Management network: OKM GUI to KMAs.

    • Service network: KMAs to encryption agents.

      These two networks isolate the storage devices from heavy corporate network traffic and improve the response time for key requests.

Figure 1-1 shows the rear panel and connections of a Netra SPARC T4-1 Key Management Appliance.

Figure 1-1 KMA Connections and Components


Role-Based Operations

OKM defines and uses the following roles. Completing and assigning roles is a customer task; service representatives should only advise.

Role | Responsibilities
Security Officer | Manages security settings, users, sites, and Transfer Partners
Compliance Officer | Manages key policies and Key Groups, and determines which agents and Transfer Partners can use Key Groups
Operator | Manages agents, data units, and keys
Backup Operator | Performs backups
Auditor | Views information about the OKM Cluster
Quorum Member | Views and approves pending quorum operations


Note:

Each person or user may fulfill one or more of these roles. The KMA verifies that the requesting user has permission to execute an operation based on the role. Unavailable operations typically indicate the wrong role.

There are a number of basic operations a user/role can perform. Among these are: Create, Delete, Modify, and View.
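As an added illustration (not Oracle's code and not the product's actual permission matrix), the following Python models the role table above: a user's effective rights are the union of the roles held, and a denied request reports which roles would have granted it. Reading "manages X" as Create/Delete/Modify/View on X, "performs backups" as Create/View on backups, and "approves" as Modify is an assumption made for the example.

```python
# Added example modelling the OKM role table on this page. The mapping of
# each role description to Create/Delete/Modify/View rights is an
# assumption for illustration, not the product's real permission matrix.
from typing import Dict, FrozenSet, Iterable, List

MANAGE = frozenset({"Create", "Delete", "Modify", "View"})
VIEW_ONLY = frozenset({"View"})

# Objects named in the role descriptions (constructed list).
OBJECTS = ("security settings", "users", "sites", "transfer partners",
           "key policies", "key groups", "agents", "data units", "keys",
           "backups", "quorum operations")

ROLE_PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Security Officer": {o: MANAGE for o in
                         ("security settings", "users", "sites", "transfer partners")},
    "Compliance Officer": {o: MANAGE for o in ("key policies", "key groups")},
    "Operator": {o: MANAGE for o in ("agents", "data units", "keys")},
    # "performs backups" modelled as creating and viewing backups
    "Backup Operator": {"backups": frozenset({"Create", "View"})},
    # the Auditor only views, but may view every object
    "Auditor": {o: VIEW_ONLY for o in OBJECTS},
    # "approves" modelled as Modify on pending quorum operations
    "Quorum Member": {"quorum operations": frozenset({"View", "Modify"})},
}


def granted(role: str, obj: str) -> FrozenSet[str]:
    """Operations a single role grants on an object (empty if none)."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    return ROLE_PERMISSIONS[role].get(obj, frozenset())


def is_allowed(roles: Iterable[str], operation: str, obj: str) -> bool:
    """A user may hold several roles; the effective right is their union."""
    return any(operation in granted(r, obj) for r in roles)


def missing_roles(roles: Iterable[str], operation: str, obj: str) -> List[str]:
    """For a denied request, name the roles that would grant it. The page
    notes that an unavailable operation usually means the wrong role."""
    roles = list(roles)
    if is_allowed(roles, operation, obj):
        return []
    return sorted(r for r in ROLE_PERMISSIONS if operation in granted(r, obj))


if __name__ == "__main__":
    user = ["Backup Operator", "Auditor"]
    print(is_allowed(user, "View", "keys"))              # True (via Auditor)
    print(missing_roles(user, "Modify", "key policies"))  # ['Compliance Officer']
```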

Figure 1-2 shows an example of the User Detail screen.

Figure 1-2 User Roles Detail Screen


Tape Drive and Media Comparison

Table 1-1 Tape Drive and Media Comparisons

Specification | T10K-A | T10K-B | T10K-C | T10K-D | T9840D | HP LTO4 | HP LTO5 | HP LTO6 | IBM LTO4 | IBM LTO5 | IBM LTO6
Capacity (native) | 500 GB | 1 TB | 5 TB | 8 TB | 75 GB | 800 GB | 1.5 TB | 2.5 TB | 800 GB | 1.5 TB | 2.5 TB
Transfer rate (native) | 120 MB/s | 120 MB/s | 252 MB/s | 252 MB/s | 30 MB/s | 120 MB/s | 140 MB/s | 160 MB/s | 120 MB/s | 140 MB/s | 160 MB/s
Buffer size | 256 MB | 256 MB | 2 GB | 2 GB | 64 MB | 256 MB | 256 MB | 512 MB | 256 MB | 256 MB | 512 MB
Load time (sec) | 16 | 16 | 13.1 | 13 | 8.5 | 19 | 12 | 22 | 15 | 12 | 12
Access (sec) | 46 | 46 | 57 | 50 | 8 | 72 | 60 | 50 | 46 | 60 | 96
Tape speed (m/s) | 2-4.95 | 2-3.74 | 5.62 | 4.75 | 3.4 | 7.0 | | 7.12 | 7.0 | | 6.8
Rewind time (sec) | 90 | 90 | 10-13 | 10-13 | 16/8 | 106/54 | 96/78 | 98/51 | 106/54 | 96/78 | 42
Unload time (sec) | 23 | 23 | 23 | 23 | 12 | 22 | 17 | 19 | 22 | 17 | 17

Interfaces
Fibre Channel | 2 & 4 Gb/s | 4 Gb/s | 4 Gb/s | 16 Gb/s | 4 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s
SCSI/SAS | n/a | n/a | n/a | n/a | n/a | Ultra-320 | n/a | 6 Gb/s | Ultra-320 | n/a | 6 Gb/s
FICON / FCoE | 2 Gb/s | 2 Gb/s | 4 Gb/s | 8 Gb/s (FICON), 10 Gb/s (FCoE) | 2 Gb/s | n/a | n/a | n/a | n/a | n/a | n/a
ESCON | no | no | no | no | 2 Gb/s | n/a | n/a | n/a | n/a | n/a | n/a

Compatibility
Tracks | 768 | 1152 | 3,584 | 4,608 | 576 | 896 | 1,280 | 2,176 | 896 | 1,280 | 2,176
Length (usable) | 855 m (2805 ft) | 855 m (2805 ft) | 1,107 m (3,632 ft) | 1,107 m (3,632 ft) | 251 m (889 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft)
VolSafe—WORM | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes


T-Series Tape Drives

Table 1-2 shows the media compatibilities for the T-Series (T10000 and T9840) drives:

  • Encryption-capable T-Series tape drives

  • Non-encryption T-Series tape drives

Table 1-2 T-Series Tape Drive Media Compatibilities

Task | Enrolled for Encryption | Not Enrolled for Encryption
Write new data encrypted | Yes | No
Write new data not encrypted | No | Yes
Read encrypted data with key available | Yes | No
Read non-encrypted data | Yes | Yes
Append non-encrypted data to encrypted tape | No | No


Table 1-3 shows a comparison between the following:

  • Encryption-enabled and non-encrypted tape drives

  • Encrypted and non-encrypted media

Table 1-3 T-Series Tape Drive and Media Support

Tape Drive Type | Non-encrypted Media | Encrypted Media
Standard drive (non-encrypted) | Fully compatible: read, write, and append | Not capable of reading, writing to, or appending to this tape; can re-write from the beginning of tape (BOT)
Encryption-capable drive | Read capability only; not capable of appending to this tape; can re-write from the beginning-of-tape (BOT) | Fully compatible: read with correct keys; write with current write keys


LTO Tape Drives

Both HP and IBM LTO tape drives are:

  • Specified to interchange with un-encrypted data cartridges from other tape drives that comply with the LTO U-28, U-316, and U-416 specifications.

  • Capable of interchanging encrypted data cartridges provided the correct encryption key is available.

Future compatibility:

In the future, LTO drives will be capable of:

  • Reading and writing tapes from the current generation

  • Reading and writing tapes from one earlier generation

  • Reading tapes from two earlier generations


Note:

Encryption is only supported with LTO4, LTO5, and LTO6 data cartridges on LTO4, LTO5, and LTO6 tape drives. To avoid problems, these drives will not write in normal or native modes once the drive is enabled for encryption.

Enabling and Disabling Encryption

The following are requirements that apply to encryption:

  • The T10000 tape drives must be at a minimum firmware level of 1.37.114.

  • The service representatives must install the Hardware Activation Keys for the tape drives, and have the required levels of the Virtual Operator Panel (VOP) available.

  • The customers, partners, and disaster recovery (DR) sites must use the current Customer version of the virtual operator panel (VOP) 1.0.12 or higher.

Enrolling the T-Series Tape Drives

During the initial T-Series tape drive enrollment process, the customer can configure the tape drives to:

  • Use Tokens, with an air gap configuration and KMS Version 1.x

  • Select if the drive can be switched between encryption and non-encryption modes

  • Select FIPS mode

  • Enter Agent values for the Key Management System

  • Enroll IPv4 and IPv6 addressing

Figure 1-3 T-Series Enrollment Selections

Use tokens

Select:

  • Yes if using KMS Version 1.x

  • No if using KMA Version 2.x or 3.x.

Permanently encrypting

Select:

  • Yes if permanent (cannot disable)

  • No, if switchable.

Set FIPS mode (Version 2.1 and later)

Enter the values for:

  • Agent ID:

  • Pass Phrase:

  • OKM IP address of the appliance.

Enrolling the LTO Tape Drives

The enrollment process and the VOP screens are different for LTO tape drives. The Enroll Drive tab allows the initial enrollment of the tape drives.

Once enrolled, the tab and Enroll button change to Unenroll.

Figure 1-4 LTO Enrollment Selections
