Oracle® Key Manager 3 Systems Assurance Guide
Release 3.0
E48394-01

3 Site Preparation

Use this chapter and checklists to prepare for the installation.

There are a few things to be aware of to install encryption hardware into a supported configuration, such as:

Site Planning Checklist

Use the following checklist to ensure that the customer is ready to receive the Key Management System and to ensure that you are ready to start the installation.

Table 3-1 Site Planning Checklist

Question Completed? Comments:

Delivery and Handling

Important: The Oracle Key Manager and appliances are considered "secure" items. Follow the customer's security guidelines during delivery and installation.

Does the customer have a delivery dock? If no, where will the equipment be delivered?

Yes__ No__


If a delivery dock is available, what are the hours of operation?

                       


Are there street or alley limitations that might hinder delivery?

Yes__ No__


Will authorized personnel be available to handle and accept the delivery?

Yes__ No__


Is the delivery location close to the computer room where the equipment will be installed?

Yes__ No__


Is an elevator available to move the equipment to the appropriate floors?

Yes__ No__


Is there a staging area where the equipment can be placed close to the installation site?

Yes__ No__


Are there special requirements to dispose of or recycle packing material?

Pallets, plastic, and cardboard?

Yes__ No__


Environmental Planning

Does the site meet the environmental requirements for temperature, humidity, and cooling?

Yes__ No__

See "Key Management Appliance" for the appliance specifications.

Power Requirements

Does the intended site meet the power requirements?

Yes__ No__

See "Key Management Appliance" for the appliance specifications.

KMA: 90 to 132 VAC | 180 to 264 VAC

57 to 63 Hz | 47 to 53 Hz

2.3 to 4.6 Amps

Maximum continuous power is 150 W

Has the customer identified the circuit breakers locations and ratings?

Yes__ No__


Does the customer want redundant power options?

If so, an additional APC power switch is required to create an uninterrupted power configuration.

Yes__ No__

Check for updated model and part numbers.

(Part number #419951602)

Are there any power cable routing requirements and concerns?

Yes__ No__

See "Power Cables" for more information.

Personnel:

Are there trained/qualified Oracle representatives locally to install and maintain the encryption equipment?

Yes__ No__

Names:

Connectivity: Cabling is very important to establish a reliable network between the OKM, KMAs, Ethernet switches, and tape drives.

Does this customer support IPv6 implementations?

Yes__ No__


Does the customer intend to use managed switches for LANs 2 and 3?

Yes__ No__

Cable considerations are impacted by the decision to use a managed switch and the corresponding topology of the service network.

Is a Wide Area Service Network being considered?

Yes__ No__

Designing the service network across a WAN to remote sites adds additional failover capability to the agents and can facilitate disaster recovery scenarios.

Does the customer want to aggregate the service ports (LAN 2 and LAN 3)?

Yes__ No__

Requires additional cables and compatible port configuration on a customer supplied managed switch.

Does the customer plan to use a private network for the agents (tape drives)?

Yes__ No__

Removes contention for the tape drives.

Will there be a Service Delivery Platform (SDP) installed at this site?

Yes__ No__

See SDP for information.

Will the customer be monitoring the OKM using SNMP?

Yes__ No__

SNMP v3 recommended; SNMP v2 supported.

Are there considerations for monitoring of ELOM/ILOM using the LAN 1 port?

Yes__ No__

Refer to the SunFire X2100/2200 ELOM Administration Guide, or X4170 ILOM Supplement Guides for information.

Have you and the customer completed a:

  • Cable plan?

  • Do the agents have private network?

  • Configuration drawing? A drawing can help determine the number of and length of the cables required.

Yes__ No__

Yes__ No__

Yes__ No__


Have you determined the type and number of Ethernet cables required?

Customer supplied:

  • OKM to the network

  • Encryption Network to the KMAs (LAN 0)

  • ELOM/ILOM monitoring (LAN 1)

  • Service network to agents (LAN 2 & 3)

Supplied in the encryption kits:

  • Switch to tape drives

Yes__ No__

Notes:

  • Ethernet cables are shipped with kits.

  • Lengths are dependent on the location of the switches and devices.

A configuration drawing will help identify the cables needed.

Configurations

Does the customer have adequate rack space to hold the KMAs and Ethernet switches?

Yes__ No__

See "Rack Specifications"

What type of support configurations does the customer want or need?

 o Existing configuration

 o New configuration

Configuration

__ SL8500

__ SL3000

__ SL500

__ SL150

__ 9310/9741e

__ L-Series

__ SL24/48

__ Rackmount

Encryption-capable Drives:

T-Series & LTO drives

T-Series & LTO drives

LTO only

T-Series only except for T10000C/D

T-Series only except for T10000C/D

LTO only

T-Series only

Does the customer have existing tape drives they want to upgrade to encryption-capable?

Yes__ No__

See Chapter 4, "Components" for x-options (conversion bills).

Are these drives already installed in a library?

Yes__ No__


Drive types?

Check current and required firmware versions.

__ T10000A

__ T10000B

__ T10000C

__ T10000D

__ T9840D

__ HP LTO4

__ IBM LTO4

__ HP LTO5

__ IBM LTO5

__ HP LTO6

__ IBM LTO6

Requires drive tray and Dione card

Requires drive tray and Belisarius card

Requires drive tray and Belisarius card

Configurations (continued)

Does the customer need to order more drives?

  • Tape drive type:

  • Interface types?

    (FC) Fibre Channel (all tape drives) (FI) FICON (T-Series only) (ES) ESCON (T9840D) SCSI (SL500 library and LTO drive only)

Yes__ No__

__ T10000A

__ T10000B

__ T10000C

__ T10000D

__ T9840D

__ HP LTO4

__ IBM LTO4

__ HP LTO5

__ IBM LTO5

__ HP LTO6

__ IBM LTO6

How many tape drives?

Are additional cartridges required?

  • Data cartridge

  • Cleaning cartridges

  • VolSafe cartridges

  • Labels

  • Type:                  

  • Quantity:                  

Yes__ No__

Yes__ No__

Yes__ No__

Yes__ No__

Note:

All versions of encryption tape drives use different, unique cartridges.

T9840 = 9840 cartridges

T10000 = T10000 cartridges

LTO4 = LTO4 cartridges

LTO5 = LTO5 cartridges

LTO6 = LTO6 cartridges

All versions of each cartridge-type are supported, for example: standard, sport, VolSafe, and WORM.


Notes:

Configurations:

Tape Drives and Media:


Rack Specifications

The KMAs can be installed in standard RETMA 19-inch, four-post racks or cabinets. Note: Two-post racks are not supported.

The slide rails are compatible with a wide range of racks that meet the following standards:

  • Horizontal opening and unit vertical pitch conforming to ANSI/EIA 310-D-1992 or IEC 60927 standards.

  • Distance between front and rear mounting planes between 610 mm and 915 mm (24 in. to 36 in.).

  • Clearance depth to a front cabinet door must be at least 25.4 mm (1 in.).

  • Clearance depth to a rear cabinet door at least 800 mm (31.5 in.) to incorporate cable management or 700 mm (27.5 in.) without cable management.

  • Clearance width between structural supports and cable troughs and between front and rear mounting planes is at least 456 mm (18 in.).

SL8500 Rack Guidelines

An SL8500 library can have up to 4 optional accessory racks (PN XSL8500-RACK-Z). If the customer wants power redundancy, a minimum of 2 racks is required.

Each rack can hold up to 6 units, called Us, of equipment, such as the key management appliances and the Ethernet switches. Each rack has a six-connector power distribution unit (PDU) that provides power and two cooling fans that provide additional air flow. Table 3-2 lists the rack guidelines.

Table 3-2 SL8500 Accessory Rack Guidelines

Guideline: Description

  • Rack numbering: Rack numbering is top-down from 1 to 4. Rack 1 is on the top; Rack 4 is on the bottom.

  • Rack mounting: Components must be able to function in a vertical orientation.

  • Dimensional restrictions: Rack module depth is 72 cm (28 in.). Recommended safe length is 66 cm (26 in.).

  • Equipment weight: The accessory rack itself is mounted on slides rated for 80 kg (175 lb). The recommended safe load is 64 kg (140 lb). The KMA is 10.7 kg (23.45 lb), the Ethernet switch is 1.5 kg (3.1 lb).

  • Power consumption: Per rack module is 4 Amps (maximum). Per outlet strip is 200–240 VAC, 50–60 Hz. The KMA is 185 W, the Ethernet switch is 20 W.

  • Power cord: Power plug to connect to the rack PDU is: IEC320 C13 shrouded male plug. Minimum cord length is component plus 46 cm (18 in.) for a service loop.

  • Thermal requirements: Maximum power dissipation is 880 watts (3,000 Btu/hr) per rack module.

  • Regulatory compliance: Minimum requirements are: Safety—UL or CSA certification and Electromagnetic—Class A certification from agencies such as FCC or BSMI.


Network Considerations

StorageTek engineering recommends that customers supply a managed switch for connecting KMAs to the tape drives on their service network. Managed switches would then supply connectivity to the StorageTek-supplied unmanaged switches as well as any connectivity to customer-supplied routers for a wide area service network.

The following managed switches have been tested and are recommended:

  • 3COM Switch 4500G 24-Port (3CR17761-91)

  • Extreme Networks Summit X150-24t Switch

  • Brocade ICX 6430 Switch.

Other managed switches can be used but engineering only provides configuration guidance on the above listed switches.

Managed switches are recommended for the following reasons:

  • Improved serviceability through better switch diagnostics and service network troubleshooting.

  • Potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol.

  • Support for aggregation of the KMA service network interfaces to minimize single point of failure on the KMA's service interface.

Figure 3-1 provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can communicate with the other KMA.

KMA Service Port Aggregation

It is possible to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity.

Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be:

  • Set to auto negotiate settings for duplex (should be full duplex).

  • Set to auto negotiate speed settings, the KMA ports are capable of gigabit speeds.

  • Using identical speeds, such as: both set to 100 Mbps (auto speed negotiating may work fine).

Aggregated Service Network Switch Configuration

To provide redundancy in case of a service network interface failure, the LAN 2 port may now be aggregated with the LAN 3 port. To use the port aggregation feature, you need to configure the switches for link aggregation. The Solaris port selection policy on the KMA is address based. Here is some information about the service port aggregation that may be needed to configure the switch:

  • Ports are aggregated manually, meaning they do not use LACP

  • Ports are full duplex (auto may work fine)

  • Switch ports used for aggregation groups must be identical speed, for example, both ports are set to 100 Mbps (auto speed negotiating may work fine)

Notes:

  • There may be an order or connection dependency. Create the aggregation group on the switch before connecting the KMA's service port.

    • If the aggregated IP address (IPv4 or IPv6) is not responding, reboot the KMA.

  • A System Dump using the Management GUI will display aggregated port information. The information is gathered using dladm commands.

Extreme Network Switch Configuration

To configure aggregated ports on an Extreme Ethernet switch:

  1. Log in to the switch using telnet.

  2. Enter the following CLI commands:

    show port sharing
    enable sharing <port> grouping <portlist> algorithm address-based L3_L4
    

    Port specifies the master port for a load sharing group.

    Portlist specifies one or more ports or slots and ports to be grouped to the master port. On a stand-alone switch (this is what is normally supplied), portlist can be one or more port numbers, and may be in the form 1, 2, 3, 4, 5.

3COM Network Switch Configuration

  1. Use a Web browser to connect to the switch IP.

  2. Select port and then link aggregation from the menu.

From the subsequent dialog you can use the Create tab to create a new port grouping.

Brocade ICX 6430 Switch Configuration

Note:

If you need to install the switch, see the Brocade ICX 6430 and ICX 6450 Stackable Switches Hardware Installation Guide at: http://www.foundrynet.com/services/documentation/FastIronMerge/current/ICX6430-6450_07400a_InstallGuide.pdf

Pre-configuration Requirements

Before you configure the switch, follow steps 1 - 4 in the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide to attach a PC to the switch and assign an IP address to the management port using its Command Line Interface (CLI). Follow the ICX 6430 instructions in step 3.

You can access this guide at:

http://www.foundrynet.com/services/documentation/FastIronMerge/current/ICX6430-6450_07400_QuickStartGuide.pdf

Configuring the Brocade Switch

Configure the Brocade switch to use the Rapid Spanning Tree Protocol (RSTP), which was standardized by IEEE 802.1W.

After you perform the following steps, refer to the Brocade ICX 6430 and ICX 6450 Web Configuration QuickStart Guide for additional information about configuring Brocade ICX 6430 switches.

  1. Start a web browser and connect to the switch at the IP address you established in the pre-configuration requirements above.

    Enable RSTP as shown in the following steps.

  2. Navigate to Configuration > System.

    1. Ensure that Spanning Tree is enabled.

    2. Click Clock to set the system clock.

  3. Navigate to Configuration > VLAN.

    1. Set the VLAN IP address.

    2. Click Add Port VLAN.

    3. Ensure that Spanning Tree is Disabled and 802.1W is Enabled.

  4. Navigate to Configuration > RSTP and view the Ethernet ports.

  5. Use ssh to access the management IP address of the switch to launch its CLI. Configure a trunk group for each KMA that should include aggregated service ports.

    Brocade(config)#show trunk 
    Brocade(config)#trunk ethernet 
    Brocade(config)#trunk ethernet 1/1/1 to 1/1/2 
    Brocade(config)#trunk ethernet 1/1/3 to 1/1/4 
    < etc. for each KMA that should include aggregated service ports, port IDs as shown in Step  0> 
    Brocade(config)#write memory 
    Brocade(config)#trunk deploy 
    


    Note:

    In this example, the ports had been put into VLAN 1, as indicated by the leading "1/" in the trunk commands. If no VLAN was created on the ports, then the trunk commands should not have the leading "1/". For example:

        Brocade(config)#trunk ethernet 1/1 to 1/2

  6. In the web interface, navigate to Configuration > Trunk and view the trunks that you just defined in the CLI.

  7. Attach network cables between the pairs of ports on the switch to the service and aggregated service ports on each KMA that should contain aggregated service ports. Port IDs (shown in step 0) are associated with physical ports on the switch.

    To do this:

    1. Inspect the switch and identify the physical ports that are associated with the trunk groups that you created in step 0 and viewed in step 0.

    2. For each KMA, attach a network cable between the first port in the trunk group and the service port on the KMA (labeled LAN 2 or NET 2).

    3. Attach a network cable between the second port in the trunk group and the aggregated service port on the KMA (labeled LAN 3 or NET 3).

See Figure 1-11, Figure 1-12, and Table 1-3 for information on rear panel connections for the X2100 M2/X2200 M2 and X4170 M2 servers.

Port Mirroring

Mirroring ports can be useful when you want to use a network analyzer in the service network environment. Ports can be mirrored on Brocade ICX 6430 switches as follows:

  1. Telnet to the switch management port.

  2. On this switch, select a port that is not part of a trunk (for example, port 24 is designated as "1/1/24").

  3. Access privileged mode on the switch by entering enable (# will be appended to the prompt indicating you are in privileged mode).

  4. Enter configuration mode by entering configure terminal (you will see (config) appended to the prompt indicating config mode).

  5. Configure the mirror-port with the command mirror-port ethernet 1/1/24.

  6. Determine what port traffic you want to monitor (for example, port 1 designated as 1/1/1).

  7. Enter the interface menu for port 1/1/1 by entering interface ethernet 1/1/1 (config-if-e1000-1/1/1 is appended to the prompt indicating you are configuring that port).

  8. Enter monitor ethernet 1/1/24 both to monitor traffic in both directions on port 24.

  9. Enter write to save the configuration changes.

In Figure 3-1, the service network consists of two customer-provided managed switches that are cabled to three unmanaged switches. This cabling contains redundant paths that require a spanning tree configuration. This example may be easily scaled for larger SL8500 drive configurations by adding additional KMAs, switch hardware, and tape drives.

  • Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy.

  • Unmanaged switches have two paths to the managed switches for redundancy.

  • Unmanaged switches are then cabled for connectivity to the tape drives (agents).

  • Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1–4, 6–9, 11–14, and 16–19.

  • Service Delivery Platform (SDP) connects to each Managed Switch at Port 1 (see the "Service Delivery Platform").

Figure 3-1 Managed Switch Configuration (Example)


Network Routing Configuration

The following information is useful for customers and Oracle service representatives when setting up and installing multi-site clusters.

Initially, it is not advisable to begin with a multi-site network topology for the tape drives. A simple strategy may be best: do not configure service network routes between sites, so that drives are restricted to just the local KMAs within their site. After gaining confidence with the system, the service network configuration can be extended to other sites using the KMA console menu option for networking.


Note:

Even without a multi-site routed service network, use of default gateway settings can affect failover performance. Understanding the following information is important for configuring the KMA network.

Cluster Discovery, Load Balancing, and Failover

The cluster provides tape drives with a capability to select KMAs for retrieval of key material. To maximize the performance of tape drives, a robust, highly available network is essential. The topology of the network is an important planning and configuration task. The following is some information about how a tape drive utilizes the services of the cluster for retrieval of keys.

Discovery

Tape drives (agents) utilize the discovery service of the KMAs to maintain knowledge about the cluster. This information includes the following properties for each KMA:

  • IP address (both IPv4 and IPv6 addresses)

  • Site Name

  • KMA ID

  • KMA Name

  • KMA Version – Helps determine FIPS support for supported tape drives

The following dynamic properties are also provided to tape drives when they issue a discover cluster request:

  • Responding – indicates if the KMA is responding on the network

  • Locked – indicates if the KMA is currently locked

The tape drives periodically retrieve this information as part of a tape operation (not when the tape drive is idle) and always request it as part of enrollment and whenever the drive is IPLed. The KMA that receives the discover cluster request provides this information for each KMA that is accessible over the service network. This is where the network planning and configuration exercise becomes important.

Load Balancing

During normal tape drive operations, the drives use their local table of cluster information to select a KMA for key retrieval.

The drives use an algorithm to pick a random KMA from the KMAs in the cluster that are:

  • within the same site as the drive, and

  • unlocked and responding.

If all KMAs within a site are either locked or not responding, then the tape drive attempts to access a KMA from another site.

Presumably this is a remote site with a network response time that may be higher than that of the KMAs within the same site as the tape drive.

What is important is that the KMAs from other sites can be reached by the tape drive; otherwise the attempt to retrieve keys will time out, forcing a failover.

Failover

Whenever a tape drive's attempt to communicate with a KMA fails, the drive tries to select another KMA for failover. Tape drives attempt a failover up to three (3) times before giving up and returning an error to the host tape application.

Each failover attempt uses a selection algorithm similar to the one used for Load Balancing. Consequently, the drive's information about the cluster state is used again (and may even be refreshed if it is time to refresh the information about the cluster).

Sometimes a drive chooses a non-responding KMA during a failover attempt if all other KMAs are non-responding. This is not ideal but because information about the cluster may be stale, there is a chance that a KMA has come back online and will respond. Whenever the drive discovers a new response state for a KMA, it updates the cluster information to mark a KMA as responding, or not responding, however the case may be.

KMA Routing Configuration and Discovery

The routing configuration of a KMA has an effect on responses to tape drive discovery requests. Mistakes in the routing configuration can lead to erroneous cluster information being provided to tape drives. This could cause drives to attempt communication with KMAs that they cannot reach over the network.

Customers need to consider the network topology they want for their tape drives. The ability for tape drives to failover to remote sites can improve drive reliability and availability when local KMAs are down or slow to respond (such as timeout situations because of heavy workloads).


Note:

Providing the ability to failover to remote sites is something that needs to be planned for and should involve customer network engineers.

For drives on the service network a route must be configured between sites and the KMA console network menu option should be used. The common mistake to avoid is configuring a default route.
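The load balancing, failover, and discovery behavior described above can be modeled in a few lines to see what a routing mistake costs. This is an added example, not Oracle code: the `Kma` record, the site and KMA names, the `avoid` preference, and the reading of "up to three failovers" as one first attempt plus three retries are assumptions.

```python
import random
from dataclasses import dataclass

MAX_FAILOVERS = 3  # the page: up to three failover attempts, then an error


@dataclass
class Kma:
    """One row of the drive's local cluster table (subset of discovery fields)."""
    name: str
    site: str
    responding: bool = True
    locked: bool = False


def pick_kma(table, drive_site, avoid=None, rng=random):
    """Select a KMA in the order of preference the page describes:
    1. random unlocked, responding KMA in the drive's own site
    2. random unlocked, responding KMA in another site
    3. an unlocked KMA marked non-responding (the table may be stale)
    `avoid` (assumption) skips the KMA that just failed when others exist.
    """
    unlocked = [k for k in table if not k.locked]
    tiers = [
        [k for k in unlocked if k.responding and k.site == drive_site],
        [k for k in unlocked if k.responding and k.site != drive_site],
        [k for k in unlocked if not k.responding and k.name != avoid],
        [k for k in unlocked if not k.responding],
    ]
    for tier in tiers:
        if tier:
            return rng.choice(tier)
    return None  # every KMA in the table is locked


def retrieve_key(table, drive_site, reachable, rng=random):
    """One key retrieval: a first attempt plus up to MAX_FAILOVERS failovers.

    `reachable` is ground truth the drive cannot see in advance: the KMA
    names it can actually reach over the service network.
    Returns (kma_name, attempts); kma_name is None when the drive gives up
    and an error goes back to the host tape application.
    """
    attempts, last = [], None
    for _ in range(1 + MAX_FAILOVERS):
        kma = pick_kma(table, drive_site, avoid=last, rng=rng)
        if kma is None:
            break
        attempts.append(kma.name)
        kma.responding = kma.name in reachable  # record the observed state
        if kma.responding:
            return kma.name, attempts
        last = kma.name
    return None, attempts


def demo_table():
    """Constructed cluster table: two KMAs per site, all reported as responding."""
    return [Kma("kma-a1", "SiteA"), Kma("kma-a2", "SiteA"),
            Kma("kma-b1", "SiteB"), Kma("kma-b2", "SiteB")]


if __name__ == "__main__":
    rng = random.Random(7)
    # Case 1: local KMAs are down, and the routed path to SiteB works.
    print(retrieve_key(demo_table(), "SiteA", {"kma-b1", "kma-b2"}, rng))
    # Case 2: discovery advertised SiteB, but the drives have no route to it.
    print(retrieve_key(demo_table(), "SiteA", set(), rng))
```

In the second case every attempt is spent on a KMA the drive cannot reach, which is the outcome of discovery advertising KMAs across a service network that is not actually routed for the drives.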

Figure 3-2 provides an example for a multi-site routed service network.

Figure 3-2 Multi-Site Routed Service Network


Service Delivery Platform

The Service Delivery Platform (SDP) is a support solution for StorageTek's libraries and tape drives (T-Series only) that consists of a smart appliance and a dedicated network.

The SDP appliance can be configured to use the Dynamic Host Configuration Protocol (DHCP) to automate the assignment of IP addresses for device connections. Optionally, the SDP can be used as the DHCP server for the KMAs service network IP address.

Oracle Key Manager and the SDP

Beginning with new deployments of SDP and the Oracle Key Manager, the configuration was changed to strengthen security. The SDP product team recommends a firewall between the KMAs, switches, and tape drives on the service network because of the connectivity of KMAs to the customer's network. Refer to the Service Delivery Platform Security White Paper, May 2008 and the Optional Firewall.

When planning for a multi-site service network, the subnet addressing scheme for the KMA service ports and drives needs to be determined. Use of duplicate network addresses must be avoided. For example, the use of 172.18.18.x networks (a common convention) needs to be avoided.
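A planning-time check for the addressing and routing guidance above (no duplicate service subnets, no 172.18.18.x, explicit inter-site routes instead of a default route) can be run against the site plan before any KMA is configured. This is an added example, not part of the Oracle guide: the plan dictionary layout, the finding codes, and all addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# 172.18.18.x is the common convention the page says to avoid in multi-site plans.
CONVENTIONAL_NET = ipaddress.ip_network("172.18.18.0/24")


def check_service_plan(sites, multi_site_failover=True):
    """Lint a planned service-network layout.

    sites: {site_name: {"subnet": CIDR of the service network at that site,
                        "routes": [(destination CIDR, gateway IP), ...]}}
    "routes" stands for the routes to be entered on that site's KMAs.
    Set multi_site_failover=False for the simple starting topology in which
    drives are restricted to their local KMAs and no inter-site routes exist.
    Returns a sorted list of (site, code, detail) findings.
    """
    findings = []
    nets = {n: ipaddress.ip_network(s["subnet"]) for n, s in sites.items()}

    # Service subnets that reuse the conventional 172.18.18.x range.
    for name, net in nets.items():
        if net.version == 4 and net.overlaps(CONVENTIONAL_NET):
            findings.append((name, "CONVENTIONAL_SUBNET", str(net)))

    # Duplicate or overlapping service subnets between sites.
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.version == nb.version and na.overlaps(nb):
            findings.append((a, "DUPLICATE_SUBNET", f"{na} overlaps {b} {nb}"))

    for name, site in sites.items():
        routed = []
        for dest, gateway in site.get("routes", []):
            dnet = ipaddress.ip_network(dest)
            if dnet.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append((name, "DEFAULT_ROUTE", f"via {gateway}"))
                continue
            routed.append(dnet)
        if multi_site_failover:
            # Each remote site's subnet must be covered by an explicit route.
            for other, onet in nets.items():
                if other == name:
                    continue
                covered = any(r.version == onet.version and onet.subnet_of(r)
                              for r in routed)
                if not covered:
                    findings.append((name, "NO_ROUTE_TO_SITE", other))
    return sorted(findings)


# Constructed plans: the weak one next to a corrected one.
WEAK_PLAN = {
    "SiteA": {"subnet": "172.18.18.0/24", "routes": [("0.0.0.0/0", "172.18.18.1")]},
    "SiteB": {"subnet": "172.18.18.0/24", "routes": []},
}
FIXED_PLAN = {
    "SiteA": {"subnet": "10.10.1.0/24", "routes": [("10.10.2.0/24", "10.10.1.1")]},
    "SiteB": {"subnet": "10.10.2.0/24", "routes": [("10.10.1.0/24", "10.10.2.1")]},
}

if __name__ == "__main__":
    for finding in check_service_plan(WEAK_PLAN):
        print(finding)
    print(check_service_plan(FIXED_PLAN))
```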

KMAs will typically be connected to the customer's network for any of the following reasons:

  • Administrative access to the KMAs using the Oracle Key Manager GUI hosted in the customer network

  • Cluster replication between KMAs

  • KMA access to the customer's NTP server

  • KMA access to customer's SNMP Managers

  • Customer access to the KMA's service processor (ELOM or ILOM)

Similarly, with Oracle Key Manager's support for a routable, multi-site service network, customer supplied routers and networking equipment will be required to connect the various sites comprising the key management cluster.

Because of this connectivity into the customer's network, SDP security policy dictates that a firewall must be present between the devices connecting to a KMA and the SDP. This "customer firewall" is the firewall attached to Port2 of the SDP appliance in the following diagram. The firewall will need to be configured so that SDP can monitor the tape drives in the customer controlled portion of the service network.

DMZ in the diagram refers to the secure network architecture of SDP that secures the network traffic between the SDP onset unit and the Oracle network.

This firewall effectively partitions the service network in two: the Oracle controlled service network and the customer controlled service network. The Service Delivery Platform Security White Paper, May 2008 describes this network as the "Service Network interface". The Oracle Service Network interface is the connection between the SDP site unit and storage devices; this is the Port1 connection in the diagram. The Customer Network interface is the connection between SDP and Oracle storage devices connected to the customer operations center LAN that is attached to the customer network; this is Port 2 in the diagram. These devices include the tape drives and switches connected to the KMAs.

The "customer firewall" prevents this connection from having access to the customer's network, limiting it to only the devices that SDP can monitor.

Oracle service personnel still need to service equipment in both partitions of the service network and coordinate with SDP engineers for planning and configuration.

Figure 3-3 SDP Connectivity Example


Content Management

Encryption-capable tape drives add another element to the design for content management in an SL8500, SL3000, SL500, and SL150 library installation. All three libraries have different designs that share similar elements. Considerations include:

Table 3-3 Content Management Planning

Element SL8500 SL3000 SL500 SL150

Drive Quantity

You may need to order multiple kits or additional Ethernet switches to support all the encryption-capable tape drives in a library.

  • Single: 1 to 64 drives

  • 10 library complex: up to 640 drives

  • 1 to 56 tape drives

  • 1 to 18 tape drives

  • 1 to 20 tape drives

Encryption Drives Supported

  • T10000 A, B, C, and D

  • T9840D

  • LTO 4, 5, and 6

  • T10000 A, B, C, and D

  • T9840D

  • LTO 4, 5, and 6

  • LTO 4, 5, and 6 only (HP, IBM)

  • LTO 5 and 6 (HP)

Non-encryption Drives Supported

  • T10000 A, B, C, and D

  • T9840 A, B, C, and D

  • LTO 3, 4, 5, 6

  • T10000 A, B, C, and D

  • T9840 C and D

  • LTO 3, 4, 5, 6

  • LTO 2, 3, 4, 5, 6 (HP, IBM)

  • SDLT 600

  • DLT-S4

  • LTO 3, 4, 5, 6 (HP)

Interfaces:

The library interface and tape drive interfaces may be different.

  • Libraries

  • TCP/IP only

  • TCP/IP

  • Fibre Channel

  • TCP/IP

  • Fibre Channel

  • SCSI

  • Fibre Channel

  • Tape Drives

T10000 A, B, C, and D FC, FCoE (T10000D), and FICON

T9840D FC, FICON, ESCON

LTO 4, 5, and 6 FC only

T10000 A, B, and C FC, FCoE (T10000D), and FICON

T9840D FC, FICON, ESCON

LTO 4, 5, and 6 FC only

LTO 4, 5, 6 FC

LTO 4 SCSI

LTO 5, 6 SAS

LTO 4, 5, 6 FC

LTO 4 SCSI

LTO 5, 6 SAS

Media*

All libraries support true-mixed media—Any Cartridge, Any Slot

  • T10000 (Std, Sport, VolSafe)

  • 9840 (Std and VolSafe)

  • LTO 2, 3, 4, 5, 6 & T-WORM

  • DLTtape III

  • Super DLTtape I & II

  • T10000 (Std, Sport, VolSafe)

  • 9840 (Std and VolSafe)

  • LTO 2, 3, 4, 5, 6 & T-WORM

  • LTO 1, 2, 3, 4, 5, 6 & T-WORM

  • DLTtape III

  • Super DLTtape I & II

  • LTO 3, 4, 5, 6 & T-WORM

Partitioning

Yes

Yes

Yes

Yes

SNMP

Yes

Yes

Yes

Yes

SDP

Yes

Yes

No

Yes

Power Redundancy

Yes

Yes

No

Yes

Operating Systems

Enterprise and Open Systems

Enterprise and Open Systems

Open systems only

Open systems only

Library Management

  • ACSLS

  • HSC

  • ACSLS

  • HSC

  • ISV

  • ACSLS

  • ISV

  • ACSLS

  • HSC

FC = Fibre Channel

FICON = IBM's fiber connection

FCoE = Fibre Channel over Ethernet

SNMP = Simple Network Management Protocol

SDP = Service Delivery Platform

ACSLS = Automated Cartridge System Library Software

HSC = Host Software Component

ISV = Independent Software Vendor (Symantec, Legato, TSM)

*Important: Only LTO4 media—LTO4 and LTO4-WORM—are encryption-capable on the LTO4 tape drives.


When planning for content, the most important aspect is to evaluate content (tape drives and data cartridges) with respect to the physical structure of the library.

These libraries provide several ways to accommodate growing data storage needs:

  • Addition of library modules—to the front, to the left or right, or up and down.

  • Capacity on Demand

    • Activation of slots without service representative involvement

    • Requires the installation of slots or modules up front

  • Flexible partitions

  • Ease of re-allocating resources as needs change

  • Real-Time Growth

  • Disaster recovery scenarios

Capacity on Demand

Capacity on Demand is a non-disruptive optional feature that allows the customer to add capacity to the library using previously installed, yet inactive slots.

The installed physical capacity is separate from the activated capacity. The advantage of Capacity on Demand is that the customer only buys the storage that they need and not all the storage that is installed.

Activated capacity can be purchased in multiple increments.

When a customer purchases a hardware activation key to use more physical storage, an encrypted key file is sent through e-mail. The file is then loaded into the library using the Storage Library Console (SLC).

RealTime Growth Technology

Because the physical and the activated slot capacities are separate, the customer has the option of installing physical capacity in advance before they are ready to use these slots.

The advantage of installing physical capacity in advance is that now, scaling the library is non-disruptive, quick, and easy to accomplish.

For example: Whenever building a library configuration, there are two basic slot capacity questions you need to answer:

  1. How many slots does the customer need to use?

  2. How many cartridge slots does the customer want to physically install?

Partitioning

The definition of a partition is to divide into parts or shares.

Benefits

Partitioning a library means the customer can have:

  • Multiple libraries from one physical piece of hardware.

  • More than one operating system and application manage the library.

  • An improvement in the protection or isolation of files.

  • An increase in system and library performance.

  • An increase in user efficiency.

Customized Fit

Partitions may be customized to fit different requirements, such as:

  • Separating different encryption key groups.

  • Isolating clients as service centers.

  • Dedicating partitions for special tasks.

  • Giving multiple departments, organizations, and companies access to appropriate sized library resources.

Tip:

When using encryption-capable tape drives, partitions can add an additional layer to data security. Customers can assign partitions that limit the access to the tape drives and data cartridges.

Ideally, you would want to set up partitions that allow for future growth. Allowing room for growth lets the customer activate slots within a partition using Capacity on Demand. This is the easiest and least disruptive growth path:

  1. Install extra physical capacity.

  2. Define partitions large enough to accommodate future growth.

  3. Adjust the library capacity to meet current demands.

Essential guidelines for understanding partitions are:

  • Clear communication between the system programmers, network administrators, library software representatives and administrators, and service representatives.

  • Knowing what partitions exist, their boundaries, and who has access to the specific partitions that are configured.

  • Setting up a partition requires some important considerations:

    • Slots and tape drives are allocated to a specific partition and cannot be shared across other partitions.

    • Partition users must anticipate how much storage is needed for their resident data cartridges and the amount of free slots required for both current use and potential growth.

  • Remember:

    • Each partition acts as an independent library.

    • One partition will not recognize another partition within the library.

Disaster Recovery

Disaster recovery is a subset of a larger process known as business continuity planning (BCP), which should include replacing hardware, re-establishing networks, resuming applications, and restoring data.

Disaster recovery is the process, policies, and procedures that relate to preparing for recovery or continuation of business critical information to an organization after a natural or human-induced disaster. This includes:

  • Recovery Point Objective (RPO): The point in time to recover data as defined by a business continuity plan. This is generally a definition of what the business determines is an "acceptable loss" in a disaster situation. This could be in hours, days, or even weeks.

  • Recovery Time Objective (RTO): The duration of time within which a business process must be "restored" after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. This could be minutes when using a combined service network.

The OKM uses a cluster design that requires at least two key management appliances. This design helps reduce the risk of disrupting business continuity. Clustering KMAs allows for replication of database entries and workload balancing. In the unlikely event that a component should fail, it can be easily replaced and restored to operation.

An OKM can span multiple, geographically separated sites. This greatly reduces the risk of a disaster destroying the entire cluster. Although it is unlikely that an entire cluster needs to be recreated, most of the key data can be recovered by recreating the OKM 2.x environment from a recent database backup.

While designing an encryption and archive strategy, an important design guideline is to make sure that critical data generated at any site is replicated and vaulted off-site. Many companies employ the services of a third-party disaster recovery (DR) site to allow them to restart their business operations as quickly as possible.

Refer to Disaster Recovery Reference Guide PN 31619710x for more information.

Planning the Data Path

When planning for partitions, you also need to be aware of the location, quantity, type, and need for the tape drives and media.

In addition, an understanding about how to logically group and install the tape drives and locate the media for the different hosts, control data sets, interface types, and partitions is necessary. When planning for partitions:

  • Make sure the tape drive interface supports that operating system.

    • Open system platforms do not support ESCON or FICON interfaces.

    • Not all mainframes support Fibre Channel interfaces or LTO tape drives.

  • Make sure the media types match the application.

  • Install tape drives that use the same media types in the same partition.

  • Make sure there are enough scratch cartridges and free slots to support the application and workload.

Planning Tasks

One essential message for content management and partitioning is planning.

Items to plan for include:

Table 3-4 Steps and Tasks for Partitioning

| Done? | Item | Task | Responsibility* |
|---|---|---|---|
| __ | Team | Create a Team. When planning for content, data and partitions, use a process similar to that of the system assurance process, which is the exchange of information among team members to ensure all aspects of the implementation are planned carefully and performed efficiently. Team members should include representatives from both the customer. | Customer; Administrators; Operators; SE, PS; Svc Rep |
| __ | Codes | Review the software and firmware requirements. Update as required. | Customer; SE, PS; Svc Rep |
| __ | Planning | Define the customer expectations; Complete the assessment; Identify the configurations; Complete the planning diagrams (include network planning); Service Delivery Platform (SDP) | Customer; Administrators; SE, PS; Svc Rep |
| __ | Encryption | Complete an encryption survey (PS); Select the type of tape drive, interface, and library configuration; Select location; Ensure there is adequate media | Customer; SE, PS; Svc Rep |
| __ | Disaster Recovery | Develop a business continuity and disaster recovery plan; Select a backup site; Determine network configurations (LAN, WAN, aggregation) | Customer; SE, PS; Svc Rep |
| __ | Media | Verify the distribution of cartridges and required tape drives are available and ready. | Customer; Operators |
| __ | Library | Install and configure a library (if necessary). | Svc Rep |
| __ | Activation | Activate the required features: Library; Tape drives | Customer; Administrators; Svc Rep |
| __ | Partitions | Create partitions. | Customer; Administrators; Operators |
| __ | Hosts | Momentarily stop all host activity if currently connected. | Customer |
| __ | Use | Instruct the customer how to: Use and manage the library; Use the OKM GUI | Customer; SE, PS; Svc Rep |
| __ | Reference | Make sure the customer has access to the appropriate documents. | Customer; SE, PS; Svc Rep |

*Responsibility:

  • SE = Systems engineer

  • PS = Professional services representative

  • Service = Customer services representative (Svc Rep)

  • Customer = System administrators, network administrators, system programmers, operators


Oracle Key Manager Interface

The manager graphical user interface (GUI) consists of a three-paned display:

  1. On the left is a navigational pane or tree.

  2. In the center is an operations detail pane for the appropriate selection on the left.

  3. On the bottom is a session events pane.

Figure 3-4 Manager Display


The manager is an easy-to-use graphical user interface that allows users to configure functions of the KMAs depending on the roles that user is assigned (see "Role-Based Operations").

The manager contains System, View, and Help menus in the upper left corner of the display with toolbar buttons that provide shortcuts to several menu options.

Role-Based Operations

The manager defines and uses the following roles. Completing and assigning roles is a customer task; service representatives should only advise.

  • Auditor
Views information about the Cluster.
  • Backup Operator
Performs backups.
  • Compliance Officer
Manages key policies and key groups. Determines which Agents and Transfer Partners can use key groups.
  • Operator
Manages Agents, Data Units, and Keys.
  • Quorum Member
Views and approves pending quorum operations.
  • Security Officer
Full authority to view, modify, create, and delete Sites, KMAs, Users, and Transfer Partners.



Note:

Each person or user may fulfill one or more of these roles.

The figure below shows an example of the Users Detail screen. Use Table 3-6 to help prepare for the assignments.

User Roles Detail Screen

  1. Enter a User ID between 1 and 64 characters.

    Figure 3-5 User Role Detail Screen

  2. Provide a Description between 1 and 64 characters.

  3. Click the Passphrase tab and enter a Passphrase twice.

Passphrase requirements are:

  • 8 to 64 characters long

  • 3 of 4 classes (upper case, lower case, numbers, and symbols)

  • Cannot include the user's name.
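
A pre-check for planned user entries against the limits above, written as an added example and not Oracle code. It assumes that "symbols" means any non-alphanumeric character and that the user's name is the User ID, matched case-insensitively; the `PlannedUser` record and function names are hypothetical, and the KMA's own check may differ.

```python
from __future__ import annotations

import getpass
from dataclasses import dataclass, field

# The six roles listed under "Role-Based Operations" on this page.
ROLES = {
    "Security Officer", "Compliance Officer", "Operator",
    "Backup Operator", "Auditor", "Quorum Member",
}


@dataclass
class PlannedUser:  # hypothetical record for one worksheet row
    user_id: str
    description: str
    roles: set[str] = field(default_factory=set)


def passphrase_problems(passphrase: str, user_id: str) -> list[str]:
    """Return the passphrase rules from this page that the candidate breaks."""
    problems = []
    if not 8 <= len(passphrase) <= 64:
        problems.append("length must be 8 to 64 characters")

    # Assumption: a "symbol" is any character that is not a letter or digit.
    classes = {
        "upper": any(c.isupper() for c in passphrase),
        "lower": any(c.islower() for c in passphrase),
        "number": any(c.isdigit() for c in passphrase),
        "symbol": any(not c.isalnum() for c in passphrase),
    }
    if sum(classes.values()) < 3:
        missing = [name for name, present in classes.items() if not present]
        problems.append("needs 3 of 4 classes; missing: " + ", ".join(missing))

    # Assumption: the "user's name" is the User ID, compared case-insensitively.
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("must not include the user's name")
    return problems


def worksheet_problems(user: PlannedUser) -> list[str]:
    """Check one planned row: ID and description lengths, and role names."""
    problems = []
    if not 1 <= len(user.user_id) <= 64:
        problems.append("User ID must be 1 to 64 characters")
    if not 1 <= len(user.description) <= 64:
        problems.append("Description must be 1 to 64 characters")
    unknown = sorted(user.roles - ROLES)
    if unknown:
        problems.append("unknown role(s): " + ", ".join(unknown))
    if not user.roles:
        problems.append("no role assigned")
    return problems


if __name__ == "__main__":
    # Constructed sample entry; the passphrase is prompted for and never stored.
    planned = PlannedUser("so_primary", "Primary Security Officer",
                          {"Security Officer", "Quorum Member"})
    for issue in worksheet_problems(planned):
        print("worksheet:", issue)
    candidate = getpass.getpass("Candidate passphrase: ")
    for issue in passphrase_problems(candidate, planned.user_id):
        print("passphrase:", issue)
```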

The KMA verifies that the requesting user has permission to execute an operation based on the user's roles. Unavailable operations typically indicate the wrong role.

There are four basic operations a user/role can have: Create, Delete, Modify, and View. Table 3-5 shows the system entities and functions that each user role can perform. In the "Roles" columns:

  • Yes indicates that the role is allowed to perform the operation.

  • Quorum indicates that the role is allowed but must belong to a quorum.

  • Blank indicates that the role is not allowed to perform the operation.

Table 3-5 System Operations and User Roles

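| Entity | Operation | Security Officer | Compliance Officer | Operator | Backup Operator | Auditor | Quorum Member |
|---|---|---|---|---|---|---|---|
| Console | Log In | Yes | Yes | Yes | Yes | Yes | Yes |
| Console | Set KMA Locale | Yes | | | | | |
| Console | Set KMA IP Address | Yes | | | | | |
| Console | Enable Tech Support | Yes | | | | | |
| Console | Disable Tech Support | Yes | | Yes | | | |
| Console | Enable Primary Administrator | Yes | | | | | |
| Console | Disable Primary Administrator | Yes | | Yes | | | |
| Console | Restart KMA | | | Yes | | | |
| Console | Shutdown KMA | | | Yes | | | |
| Console | Log into Cluster | Quorum | | | | | |
| Console | Set User's Passphrase | Yes | | | | | |
| Console | Reset KMA | Yes | | | | | |
| Console | Zeroize KMA | Yes | | | | | |
| Console | Logout | Yes | Yes | Yes | Yes | Yes | Yes |
| Connect | Log In | Yes | Yes | Yes | Yes | Yes | Yes |
| Connect | Create Profile | Yes | Yes | Yes | Yes | Yes | Yes |
| Connect | Delete Profile | Yes | Yes | Yes | Yes | Yes | Yes |
| Connect | Set Config Settings | Yes | Yes | Yes | Yes | Yes | Yes |
| Connect | Disconnect | Yes | Yes | Yes | Yes | Yes | Yes |
| Key Split Credentials | List | Yes | | | | | |
| Key Split Credentials | Modify | Quorum | | | | | |
| Autonomous Unlock | List | Yes | | | | | |
| Autonomous Unlock | Modify | Quorum | | | | | |
| Lock/Unlock KMA | List Status | Yes | Yes | Yes | Yes | Yes | |
| Lock/Unlock KMA | Lock | Yes | | | | | |
| Lock/Unlock KMA | Unlock | Quorum | | | | | |
| Site | Create | Yes | | | | | |
| Site | List | Yes | | Yes | | | |
| Site | Modify | Yes | | | | | |
| Site | Delete | Yes | | | | | |
| Security Parameters | List | Yes | Yes | Yes | Yes | Yes | |
| Security Parameters | Modify | Yes | | | | | |
| KMA | Create | Yes | | | | | |
| KMA | List | Yes | | Yes | | | |
| KMA | Modify | Yes | | | | | |
| KMA | Delete | Yes | | | | | |
| User | Create | Yes | | | | | |
| User | List | Yes | | | | | |
| User | Modify | Yes | | | | | |
| User | Modify Passphrase | Yes | | | | | |
| User | Delete | Yes | | | | | |
| Role | List | Yes | | | | | |
| Key Policy | Create | | Yes | | | | |
| Key Policy | List | | Yes | | | | |
| Key Policy | Modify | | Yes | | | | |
| Key Policy | Delete | | Yes | | | | |
| Key Group | Create | | Yes | | | | |
| Key Group | List | | Yes | Yes | | | |
| Key Group | List Data Units | | Yes | Yes | | | |
| Key Group | List Agents | | Yes | Yes | | | |
| Key Group | Modify | | Yes | | | | |
| Key Group | Delete | | Yes | | | | |
| Agent | Create | | | Yes | | | |
| Agent | List | | Yes | Yes | | | |
| Agent | Modify | | | Yes | | | |
| Agent | Modify Passphrase | | | Yes | | | |
| Agent | Delete | | | Yes | | | |
| Agent/Key Group Assignment | List | | Yes | Yes | | | |
| Agent/Key Group Assignment | Modify | | Yes | | | | |
| Data Unit | Create | | | | | | |
| Data Unit | List | | Yes | Yes | | | |
| Data Unit | Modify | | | Yes | | | |
| Data Unit | Modify Key Group | | Yes | | | | |
| Data Unit | Delete | | | | | | |
| Keys | List Data Unit Keys | | Yes | Yes | | | |
| Keys | Destroy | | | Yes | | | |
| Keys | Compromise | | Yes | | | | |
| Transfer Partners | Configure | Quorum | | | | | |
| Transfer Partners | List | Yes | Yes | Yes | | | |
| Transfer Partners | Modify | Quorum | | | | | |
| Transfer Partners | Delete | Yes | | | | | |
| Key Transfer Keys | List | Yes | | | | | |
| Key Transfer Keys | Update | Yes | | | | | |
| Transfer Partner Key Group Assignments | List | | Yes | Yes | | | |
| Transfer Partner Key Group Assignments | Modify | | Yes | | | | |
| Backup | Create | | | | Yes | | |
| Backup | List | Yes | Yes | Yes | Yes | | |
| Backup | List Backups & Destroyed Keys | | Yes | Yes | | | |
| Backup | Restore | Quorum | | | | | |
| Backup | Confirm Destruction | | | | Yes | | |
| Core Security Backup | Create | Yes | | | | | |
| SNMP Manager | Create | Yes | | | | | |
| SNMP Manager | List | Yes | | Yes | | | |
| SNMP Manager | Modify | Yes | | | | | |
| SNMP Manager | Delete | Yes | | | | | |
| Audit Event | View | Yes | Yes | Yes | Yes | Yes | |
| Audit Event | View Agent History | | Yes | Yes | | | |
| Audit Event | View Data Unit History | | Yes | Yes | | | |
| Audit Event | View Data Unit Key History | | Yes | Yes | | | |
| System Dump | Create | Yes | | Yes | | | |
| System Time | List | Yes | Yes | Yes | Yes | Yes | |
| System Time | Modify | Yes | | | | | |
| NTP Server | List | Yes | Yes | Yes | Yes | Yes | |
| NTP Server | Modify | Yes | | | | | |
| Software Version | List | Yes | Yes | Yes | Yes | Yes | |
| Software Version | Upgrade | | | Yes | | | |
| Network Configuration | Display | Yes | Yes | Yes | Yes | Yes | |
| Pending Quorum Operation | Approve | | | | | | Quorum |
| Pending Quorum Operation | Delete | Yes | | | | | |
| Key List | Query | | Yes | Yes | | | |
| Key List | List Activity History | | Yes | Yes | | | |
| Agent Performance List | Query | | Yes | Yes | | | |
| KMA Performance List | Query | Yes | Yes | Yes | Yes | Yes | Yes |
| Current Load | Query | Yes | Yes | Yes | Yes | Yes | Yes |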

Table 3-6 User Roles Work Sheet

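| User ID | Description | Passphrase (Confidential Password) | Security Officer | Compliance Officer | Operator | Backup Operator | Auditor | Quorum Member |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |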
Note: The Passphrase should not be recorded here for security reasons. This column is provided as a reminder that as User IDs are entered, the person with that ID will be required to enter a passphrase.


Preparing the Tape Drives

The tape drives should be installed and tested in their appropriate configuration before adding the encryption capability to them. Each drive-type has its own requirements.

T-Series Drive Data Preparation

To obtain the drive data for each T-Series (T10000 and T9840) tape drive:

  1. Using the Virtual Operator Panel, connect to each tape drive and record the last eight digits of the tape drive serial number.

    • Select: File > Connect to Drive

    • Select: Retrieve > View Drive Data > Manufacturing

    Figure 3-6 Tape Drive Serial Number—VOP

  2. Use the Appendix C, "Obtaining Support and Using Worksheets" to build information about the tape drives. You will find this information helpful during the installation, activation, and enrollment process for the tape drives (agents).


    Note:

    Step 3 and Step 4 are not required for T10000C and T10000D drives running firmware versions 1.57.30x (T10000C) or 4.06.106 (T10000D) and higher.

  3. Request an Encryption Key File:

    Log in to the Applications web site:

    https://crcapplications.us.oracle.com/keyswebapp

    Select Request an Encryption key.

    Figure 3-7 Request an Encryption Key Application


    Access is Restricted: You must be an employee, complete the encryption training courses, and include the name of the employee on the Request Encryption Key list.

  4. Complete the Encryption Request form.

    1. First name, last name, and e-mail address are automatically included.

    2. Provide a site ID and order number.

    3. Select the tape drive type (T10000A, T10000B, T10000C, T10000D, or T9840D).

    4. Complete the serial number for the selected tape drive.

    5. Add any optional remarks and click Request Key File. After submitting the Encryption File Request you will be prompted to download the file. This file contains the drive data you need to enable and enroll the drive.

    Figure 3-8 Encryption File Request for Drive Data


    Family serial numbers start with:

    • T10000A = 5310 xxxxxxxx

    • T10000B = 5720 xxxxxxxx

    • T10000C = 5760 xxxxxxxx

    • T10000D = 5790 xxxxxxxx

    • T9840D = 5700 xxxxxxxx.

    When selecting the drive family-type, the first four numbers of the serial number are automatically filled in.

  5. Continue with this process until you obtain all the drive data files for each tape drive you are going to enable.

Create a Drive Data File Structure

When enabling multiple drives, it is best to create a file structure where each tape drive has its own folder. For example:

  1. Figure 3-9 uses a top-level folder name of crypto_drvs placed on the Desktop. (This is only for grouping of the other folders.)

  2. Under crypto_drvs are the folders for each tape drive using the serial numbers.

  3. In each serial number folder is the drive data file for that specific tape drive.

    Figure 3-9 Drive Data File Structure


    When activating the tape drives, the VOP requests a download location.

  4. Complete the Appendix C, "Obtaining Support and Using Worksheets" to help with the activation and enrollment of the tape drives. What you need to know before beginning:

    • The drive number (serial or system) and IP address.

    • The Agent IDs and Passphrases.

    • Is this drive going to use tokens (Version 1.x) to get media keys (OKT) or use the appliance (KMA Version 2.x) to get the encryption keys?

    • Does the customer want this drive to remain in encryption mode? Or do they want the ability to switch encryption on and off?

  5. Make copies of this page as necessary.

    Notes:

    • Agent names (IDs) cannot be changed; however, an agent can be deleted and re-enrolled with a different name.

    • If you replace the agent, you can reuse the name; however, passphrases can only be used once, so you will need to give the agent a new passphrase.

    • The replacement drive will need to be enrolled using the existing name and a new passphrase.
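
One way to build and check the folder layout described above, written as an added example and not Oracle tooling. The 12-digit serial (four-digit family prefix plus the eight digits read in the VOP) follows the family list on this page; the function names and the exactly-one-file rule are assumptions, because the page does not give the drive data file name.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Family serial-number prefixes listed on this page.
FAMILY_PREFIX = {
    "T10000A": "5310", "T10000B": "5720", "T10000C": "5760",
    "T10000D": "5790", "T9840D": "5700",
}


def full_serial(family: str, last_eight: str) -> str:
    """Join the family prefix and the eight digits recorded from the VOP."""
    if family not in FAMILY_PREFIX:
        raise ValueError(f"unknown drive family: {family}")
    if not (len(last_eight) == 8 and last_eight.isascii() and last_eight.isdigit()):
        raise ValueError(f"expected eight digits, got {last_eight!r}")
    return FAMILY_PREFIX[family] + last_eight


def prepare_folders(root: Path, drives: list[tuple[str, str]]) -> list[Path]:
    """Create root/crypto_drvs/<serial>/ for each (family, last_eight) pair."""
    folders = []
    for family, last_eight in drives:
        folder = root / "crypto_drvs" / full_serial(family, last_eight)
        folder.mkdir(parents=True, exist_ok=True)
        folders.append(folder)
    return folders


def audit_folders(root: Path) -> dict[str, str]:
    """Report entries that would make it unclear which file belongs to a drive."""
    findings = {}
    for entry in sorted((root / "crypto_drvs").iterdir()):
        name = entry.name
        if not entry.is_dir():
            findings[name] = "file outside a serial-number folder"
        elif len(name) != 12 or name[:4] not in FAMILY_PREFIX.values():
            findings[name] = "folder name is not a listed family serial"
        else:
            # Assumption: each folder should hold exactly one drive data file.
            count = sum(1 for p in entry.iterdir() if p.is_file())
            if count == 0:
                findings[name] = "drive data file missing"
            elif count > 1:
                findings[name] = "more than one file; drive data file is ambiguous"
    return findings


if __name__ == "__main__":
    # Constructed serial digits, run in a temporary directory instead of the Desktop.
    with tempfile.TemporaryDirectory() as tmp:
        prepare_folders(Path(tmp), [("T10000C", "00012345"), ("T9840D", "00067890")])
        for serial, finding in audit_folders(Path(tmp)).items():
            print(serial, "->", finding)
```

Run the audit again after downloading the drive data files and before activating drives, so that every serial-number folder is confirmed to hold one file.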

LTO Tape Drive Preparation

The LTO tape drives have no enablement requirements and need no drive data. The only preparation is to make sure the customer has the information to assign the IP addresses and Agent names for the tape drives in the OKM manager.


Note:

The Virtual Operator Panel must be at:
  • Version 1.0.12 and higher to provide support for the HP LTO tape drives.

  • Version 1.0.14 and higher to provide support for the IBM LTO tape drives.


To use the VOP for LTO tape drives, you need to launch a special file:

  • Windows: Launch the batch file (ltoVOP.bat)

Figure 3-10 shows an example of the VOP 1.0.12 download contents.

Figure 3-10 VOP LTO Files


Required Tools

The required tools to install and initially configure the KMAs are:

  • Standard field service tool kit, including both standard and Phillips screwdrivers, Torx driver and bits, and other tools necessary to mount the servers in a rack

  • Serial or null modem cable (P/N 24100134) with DB-9 connector

  • Adapter (P/N 10402019)

  • Straight Ethernet cable (P/N 24100216) 10-ft

  • Cross-over Ethernet cable (P/N 24100163) 10-ft

  • Service laptop (or personal computer)

  • Virtual Operator Panel (VOP) at Version 1.0.11 or higher for T-Series tape drives

  • Virtual Operator Panel for HP LTO tape drives at Version 1.0.12 or higher

  • Virtual Operator Panel for IBM LTO tape drives at Version 1.0.14 or higher

  • Virtual Operator Panel for LTO5 tape drives at Version 1.0.16 or higher

  • Virtual Operator Panel for LTO6 tape drives at Version 1.0.18 or higher

  • Multi-Drive Virtual Operator Panel (MD-VOP) Version 1.1 or higher

Supported Platforms and Web Browsers

The manager (graphical user interface—GUI) must be installed on either a Windows XP or a Solaris platform.

Web Browsers: The Embedded Lights Out Manager is sensitive to Web browser and Java versions. Refer to http://docs.oracle.com/cd/E19121-01/sf.x2100m2/819-6588-14/index.html for more information and Web browsers.

Table 3-7 lists the supported operating systems and Web browsers:

Table 3-7 Operating Systems and Web Browsers

| Client OS | Supports these Web browsers | Java Runtime Environment Including Java Web Start |
|---|---|---|
| Microsoft Windows XP; Microsoft Windows 2003; Microsoft Windows Vista; Windows 7 and 2008 server | Internet Explorer 6.0 and later; Mozilla 1.7.5 or later; Mozilla Firefox 1.0 | JRE 1.5 (Java 5.0 Update 7 or later) |
| Red Hat Linux 3.0 and 4.0 | Mozilla 1.7.5 or later; Mozilla Firefox 1.0 | JRE 1.5 (Java 5.0 Update 7 or later) |
| Solaris 9; Solaris 10; Solaris Sparc; SUSE Linux 9.2 | Mozilla 1.7.5 | JRE 1.5 (Java 5.0 Update 7 or later) |

You can download the Java 1.5 runtime environment at: http://java.com

The current version of the ELOM Administration Guide is located at:

http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6588-14/819-6588-14.pdf


Firmware Levels

Table 3-8 lists the minimum firmware requirements.


Note:

The firmware levels listed below apply to the associated OKM release and continue to change after the initial release. To access the latest firmware:

  1. Go to My Oracle Support at: http://support.oracle.com and sign in.

  2. Click the Patches & Updates tab.

  3. Click Product or Family (Advanced).

In the Start Typing... field, type in the product information (for example, "Oracle Key Manager"), and click Search to see the latest firmware for each release.

Table 3-8 Firmware Compatibilities

| Component | Version | Version | Version | Version | Version | Version | Version |
|---|---|---|---|---|---|---|---|
| OKM | 2.0.2 | 2.1 | 2.2 or 2.2.1 | 2.3 | 2.4 | 2.5 | 2.5.x/3.0 |

Library Management:

  • ACSLS 7.1 and 7.1.1 with PUT0701, or 7.2, and 7.3

  • HSC 6.1 or 6.2

  • VSM 6.1 or 6.2 (includes VTCS and VTSS)

  • VTL models 1.0 or 2.0

| Tape Drives | SL8500 | SL3000 | Lxxx | 9310/9311 | SL500 | VOP | SL150 |
|---|---|---|---|---|---|---|---|
| T10000A FC | L–3.11c; D–137113 | L–FRS_2.00; D–137113 | L–3.17.03; D–137113 | L–4.4.08; D–137113 | n/a | 1.0.18 | n/a |
| T10000A FICON | L–3.11c; D–137114 | L–FRS_2.00; D–137114 | L–3.17.03; D–137114 | L–4.4.08; D–137114 | n/a | 1.0.18 | n/a |
| T10000B FC | L–3.98b; D–138x07 | L–FRS_2.00; D–138x07 | L–3.17.03; D–138x07 | n/a | n/a | 1.0.18 | n/a |
| T10000B FICON | L–3.98b; D–138x09 | L–FRS_2.00; D–138x09 | L–3.17.03; D–138x09 | n/a | n/a | 1.0.18 | n/a |
| T10000C FC | L–FRS_7.0.0; D–1.53.316 | L–FRS_3.0.0; D–1.53.316 | n/a | n/a | n/a | 1.0.18 | n/a |
| T10000C FICON | L–FRS_7.0.0; D–1.53.316 | L–FRS_3.0.0; D–1.53.316 | n/a | n/a | n/a | 1.0.18 | n/a |
| T10000D FC | L–FRS_8.0.5; D–4.06.106 | L–FRS_3.6.2; D-4.06.106 | n/a | n/a | n/a | n/a | n/a |
| T10000D FICON | L_FRS_8.0.5; D_4.07.xxx | L_FRS_3.6.2; D_4.07.xxx | n/a | n/a | n/a | n/a | n/a |
| T10000D FCoE | L_FRS_8.3.0; D–4.06.106 | L_FRS_4.xx; D_4.06.106 | n/a | n/a | n/a | n/a | n/a |
| T9840D FC | L–3.98; D–142x07 | L–FRS_2.00; D–142x07 | L–3.17.03; D–142x07 | L–4.4.08; D–142x07 | n/a | 1.0.12 | n/a |
| T9840D FICON & ESCON | L–3.98; D–142x07 | L–FRS_2.00; D–142x07 | L–3.17.03; D–142x07 | L–4.4.08; D–142x07 | n/a | 1.0.12 | n/a |
| HP LTO4; HP LTO5; HP LTO6 | L–3.98B; D–H64S FC; n/a for SCSI; D–I5BS FC; n/a for SAS; D–J2AS FC; n/a for SAS | L–2.05; D–H64S FC; n/a for SCSI; D–I5BS FC; n/a for SAS; D–J2AS FC; n/a for SAS | n/a | n/a | L–1300; D–H64S FC; D–B63S SCSI; D–I5BS FC; D–X5AS SAS; D–J2AS FC; n/a for SAS | 1.0.12; 1.0.16; 1.0.16 | n/a for FC; n/a for SCSI; D–Y5BS FC; D–Z55S SAS; D–22CS FC; D–329S SAS |
| IBM LTO4; IBM LTO5; IBM LTO6 | L–FRS_4.70; D–BBH4 FC; n/a for SCSI; D–BBNH FC; L–8.01; D–CT94 FC | L–FRS_2.30; D–BBH4 FC; n/a for SCSI; D–BBNH FC; L–4.0; D–CT94 FC | n/a | n/a | L–1373; D–BBH4 FC; D–BBH4 SCSI; D–BBNH FC; L–1483; n/a for FC | 1.0.14; 1.0.16 | n/a for FC; n/a for SCSI; n/a for FC; L–1.80; n/a for FC |

Legend:

L–Library firmware level

D–Drive firmware level

FC = Fibre Channel

FCoE = Fibre Channel over Ethernet

SPS = Special firmware. Requires approval.

n/a = Not applicable. Not supported.





Footnote Legend

Footnote 1: RETMA = Radio Electronics Television Manufacturers Association.
Footnote 2: U stands for rack units. One unit is equal to 4.4 cm (1.75 in.).