Oracle® Key Manager 3 Systems Assurance Guide
Release 3.0
E48394-01

1 Introduction

Encryption is based on the science of cryptography, which is one of the most effective ways to achieve data security today. To read an encrypted file, you must have access to the key that will enable you to decipher the file.

This chapter introduces you to Oracle's Key Manager (OKM) and the components for encryption.

Planning for Encryption

Are your customer accounts concerned with:

  • Data security?

  • Data protection and sensitive information?

  • Government regulations and retention?

  • Data security is a major concern for IT professionals today—what happens if and when data falls into the wrong hands?

  • Access to sensitive data can happen when it is:

    • Sent over networks

    • Written on disk or tape

    • Stored in archives

  • Your customers may also be required to take measures to protect their data because of government regulations or contractual obligations with business partners. A number of regulations require organizations to encrypt their data.

Encryption can occur during three points in the life of the data. When data is:

  • Created (host-based)

  • Transported (appliance-based)

  • Stored (device-based)

Oracle offers device-based implementations, for a "data-at-rest" encryption solution. This offering provides an excellent solution for mixed environments with a variety of operating system types—both enterprise and open systems platforms.

Choosing device-based encryption is the least disruptive to an existing system infrastructure because the encryption functionality is built directly into the tape drive, so there is no need to maintain special software specifically for encrypted data.

Encryption Standards

Oracle's encryption solutions are based on the most current advanced industry standards and functionality, including:

  • Federal Information Processing Standards

    • FIPS PUB 140-2, Security Requirements for Cryptographic Modules

    • FIPS PUB 46-3, Data Encryption Standard

    • FIPS PUB 171, Key Management

    FIPS are standards and guidelines adopted and declared under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996. FIPS defines four levels of security.

    Level 1 – The basic level with production-grade requirements.

    Level 2 – Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.

    Level 3 – Adds requirements for physical tamper resistance and identity-based authentication. Requires additional physical or logical separations.

    Level 4 – Makes the physical security requirements more stringent and requires robustness against environmental attacks.

  • National Institute of Standards and Technology (NIST)

    • AES standard, defining a cryptographic cipher using the Rijndael symmetric block cipher algorithm

    • NIST 800-57 Part 1, Recommendations for Key Management

  • Institute of Electrical and Electronics Engineers IEEE 1619, working groups:

    1619.1 Standard for Tape Encryption—complete

    1619.2 Standard for Disk Encryption—in process

    1619.3 Standard for Key Management—in process

  • Common Criteria (CC), an International Consortium sponsored by the National Security Agency (NSA) that sets requirements for IT security.

  • International Standard Organization ISO/IEC 1779 Security Techniques

  • CCM–AES-256 encryption

    CCM = "Counter with CBC-MAC," a mode of encryption that provides both a strong form of privacy (security) and efficient authentication. CBC-MAC = "Cipher Block Chaining–Message Authentication Code," a message integrity method in which each block of plain text is encrypted with a cipher. AES = "Advanced Encryption Standard," a block cipher encryption algorithm that uses both cryptographic techniques, Counter mode and CBC-MAC (CCM).

  • Symmetric encryption, uses one key to both encrypt and decrypt data.

  • Nonce, a non-repeating number that is incorporated into the mode of operation to ensure that repetitive plaintext does not result in repetitive ciphertext.

  • Cipher-suite

    • TLS 1.0 = Transport layer security

    • RSA = A 2048-bit key encryption algorithm

    • SHA1 = A widely used and secure hash algorithm

    • HMAC = Hash message authentication code (Hash-MAC)
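The CCM and nonce descriptions above can be seen in practice with the following added example, which is not taken from the Oracle documentation or from OKM itself. It uses the AES-256-CCM implementation built into Node.js; the key, the `DATA-UNIT-…` labels, the counter-based nonce scheme and all function names are assumptions constructed for the illustration.

```javascript
// Added illustration, not Oracle code: AES-256-CCM with Node.js's built-in crypto module.
const crypto = require('node:crypto');

const TAG_LEN = 16;   // length of the CBC-MAC authentication tag, in bytes
const NONCE_LEN = 12; // CCM accepts nonces of 7 to 13 bytes

// Hypothetical nonce scheme: a per-key record counter, so a value never repeats.
function nonceFromCounter(counter) {
  const nonce = Buffer.alloc(NONCE_LEN);
  nonce.writeBigUInt64BE(BigInt(counter), NONCE_LEN - 8);
  return nonce;
}

// Encrypt one record. `label` is authenticated by the CBC-MAC but not encrypted.
function ccmEncrypt(key, nonce, plaintext, label) {
  const cipher = crypto.createCipheriv('aes-256-ccm', key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(label, { plaintextLength: plaintext.length });
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt and verify; returns the plaintext, or null when the tag does not verify.
function ccmDecrypt(key, record, label) {
  const decipher = crypto.createDecipheriv('aes-256-ccm', key, record.nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(record.tag);
  decipher.setAAD(label, { plaintextLength: record.ciphertext.length });
  try {
    const plaintext = decipher.update(record.ciphertext);
    decipher.final(); // throws if ciphertext, nonce, label or tag was altered
    return plaintext;
  } catch (err) {
    return null;
  }
}

function demo() {
  const key = crypto.randomBytes(32);               // constructed 256-bit symmetric key
  const label = Buffer.from('DATA-UNIT-0001');      // constructed, hypothetical label
  const block = Buffer.from('REPEATED-RECORD-'.repeat(4)); // repetitive plaintext

  const a = ccmEncrypt(key, nonceFromCounter(1), block, label);
  const b = ccmEncrypt(key, nonceFromCounter(2), block, label); // fresh nonce
  const c = ccmEncrypt(key, nonceFromCounter(1), block, label); // nonce reused

  // Flip one bit of a copy of the ciphertext to simulate corruption or tampering.
  const tampered = { ...a, ciphertext: Buffer.from(a.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;

  return {
    roundTrip: ccmDecrypt(key, a, label).equals(block),
    distinctNoncesRepeat: a.ciphertext.equals(b.ciphertext),
    reusedNonceRepeats: a.ciphertext.equals(c.ciphertext),
    tamperedAccepted: ccmDecrypt(key, tampered, label) !== null,
    wrongLabelAccepted: ccmDecrypt(key, a, Buffer.from('DATA-UNIT-0002')) !== null,
  };
}

console.log(demo());
```

The same plaintext encrypts to different ciphertext only while the nonce changes, which is why the nonce must never repeat under one key; the authentication tag is what causes altered ciphertext or a mismatched label to be rejected.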

Components

The Oracle Key Manager is a device-based encryption solution that uses:

  • An appliance (server) called the Key Management Appliance or KMA.

  • Network connectivity* (a clean gigabit Ethernet connection).

  • StorageTek automated libraries or Oracle databases.

  • StorageTek tape drives (T-Series and LTO) as the agents for encryption.

Components for the OKM Version 2.3 and above encryption solution consist of:

Key Management Appliance (KMA): The KMA for the hardware platform is one of the following server types:

  • SunFire X2100 M2, X2200 M2, or X4170 M2 for OKM 2.x

  • Netra SPARC T4-1 for OKM 3.0

These servers:

  • Run the key manager application on a specialized, pre-loaded version of the Solaris operating system (Solaris 10 for X2100 M2, X2200 M2, and X4170 M2; Solaris 11 for Netra SPARC T4-1)

  • Deliver a policy-based key manager and provisioning services

  • Generate the raw keys for encryption

SCA6000 card: An optional Sun Cryptographic Accelerator (SCA6000) card for cryptographic processing and administrative functions is provided for customers that require FIPS-compliance.

Note: This is a FIPS 140-2 Level 3 hardware security module.

OKM Manager or OKM Manager GUI: The manager is a client-side software component with a graphical user interface (GUI).

Note: The OKM Manager must be installed on a customer-provided, network-attached, PC, server, or workstation running Windows XP, Vista, 2003 Server, 7, 2008 Server, or running Solaris x86 or Solaris SPARC.

OKM CLI: A command line interface to assist with automation of management tasks such as backup and reporting.

OKM Cluster: A full set of KMAs in a system. All of the KMAs are aware of each other, and replicate information to each other.

Note: There must be a minimum of 2 servers in a cluster.

Agent: Agents are devices (for example, tape drives) that are authenticated with the Key Manager and obtain key material over a "secure" (TLS) session.

Note: Agents that are tape drives should not be on public networks.

Data Unit ID: A unique ID assigned by the OKM to each individual data cartridge.

Key Groups: Provide organization for keys and associate them with a Key Policy.

Key Groups are used by the OKM to enforce access to the key material by the Encryption Agents (tape drives) or Oracle databases.

Network connections: Sun Fire X2100 M2, X2200 M2, X4170 M2 KMAs contain these network connections:

  • Management network

  • Embedded or Integrated Lights Out Manager (ELOM/ILOM)

  • Service network, connection to the drives

  • Additional aggregate service port (optional)

Netra SPARC T4-1 KMAs network connections include:

  • Management network

  • Service network, connection to the drives

  • Additional aggregate service port (optional)

  • Integrated Lights Out Manager (ILOM)

  • Network 10/100/1000 ports for host

* Note: For additional security and to isolate LAN traffic, the customer may want to consider using Virtual Local Area Networks* (VLANs) when connecting to the management network.

* VLANs are broadcast domains that exist within a defined set of switches. Ports on these switches can be grouped together to form a logical network that provides the services traditionally provided by routers in network configurations.


Important: Key management appliances should be installed in pairs as shown in the configuration drawings Figure 1-1 through Figure 1-4. Some key points include:

  • Multiple KMAs are clustered on a dedicated, private, local, or wide area network.

  • The servers in an OKM Cluster provide data replication so there is redundancy. This allows each key management appliance to serve as a backup to the others.

  • Tape drives and Oracle databases, called Agents, must remain connected to the network in the event an encryption key is needed.

  • Any KMA in the cluster can service any tape drive on the network provided there is an Ethernet connection between the two.

  • KMAs and agents can be logically grouped to create a site, where agents prefer KMAs within the site to which they are assigned.

  • By default, Agents are serviced by the local KMAs if available.

  • Any KMA can be used for administration functions.

  • All changes to any KMA are replicated to all other KMAs in the cluster:

    • New keys generated at any site are replicated to all other KMAs in the cluster.

    • All administrative changes are propagated to all other KMAs in the cluster.

Encryption Hardware Kits

Encryption hardware kits come complete with Ethernet switches, cables, power distribution units, and mounting hardware for connection of the drive-types in either a library, standalone rack, or Oracle database configuration.

The type of configuration determines how the drives are installed, and each configuration has its own kit. See Chapter 4, "Components" for more information.

Refer to the Oracle Key Manager Installation and Service Manual and the individual product installation manuals for specific installation instructions.

Key Manager Configurations

Multiple KMAs (two or more) must be installed together to create a cluster. Clusters of KMAs are able to fully replicate their data to each other KMA.


Note:

Cluster size should be strongly considered when designing the system for maximum availability.

The following figures show examples of Version 2.x configurations for the key management appliance:

  • Figure 1-1 Single site – local area network

  • Figure 1-2 Multiple sites – wide area network

  • Figure 1-3 Multiple sites with disaster recovery – wide area network

  • Figure 1-4 Disaster Recovery Configuration

  • Figure 1-5 Database and Automated Library configuration

This example uses a single site with a local area network for the management link. The service network for the tape drives shows all of the supported tape drives (Agents). Agents include T-Series (T10000 A, B, C, D, and T9840D) and LTO (generations 4, 5, and 6) tape drives.

Figure 1-1 Single Site Configuration


In this example, the KMAs are managed over a wide area network. All four KMAs belong in the same OKM cluster.

Figure 1-2 Dual Site Configuration


Note:

LTO encryption-capable tape drives are not supported in L-Series libraries.

This example uses two remote sites and a local (main) site within one OKM cluster. The main site contains a partitioned SL8500 library with specific key groups that provides backup facilities for all the KMAs (1–6) and media within the entire OKM cluster.

Figure 1-3 Multiple Site Configuration


In this example, there are two wide area networks; one for management and one for service.

  • The OKM communicates with all four KMAs in the cluster.

  • The service network consists of two interface ports, LAN 2 and LAN 3.

    The KMA aggregates LAN 2 with LAN 3 into an aggregated service port.

  • The service wide area network allows any KMA at either site to communicate with the agents.

Figure 1-4 Disaster Recovery Configuration


In this example, four KMAs in a cluster are supporting both Automated Tape Libraries and an Oracle database with Advanced Security Transparent Data Encryption (TDE) solution.

Figure 1-5 Database Example


Oracle Key Manager is now certified with Oracle Advanced Security Transparent Data Encryption. This means that the same encryption technology used in Oracle StorageTek tape drives is now available for managing encryption keys for Oracle 11g databases.

See Appendix B, "Encryption for Oracle Databases" for more information.

Key Management Appliance

These are the types of servers for the Key Management Appliance (KMA):

  • Netra SPARC T4-1 (OKM 3.0)

  • Sun Fire X2100 M2 (OKM 2.x)

  • Sun Fire X2200 M2 (OKM 2.x)

  • Sun Fire X4170 M2 (OKM 2.x)

Notes:

  • Subsequent releases of the OKM appliance may use different server hardware but are guaranteed to be interoperable with other deployed KMAs.

  • An OKM cluster may consist of a mix of Netra SPARC T4-1 systems and Sun Fire X2100s, X2200s, and X4170s systems, as systems are added to the cluster or replaced as failed units.

  • Existing Sun Fire KMAs cannot be upgraded to OKM 3.0. However, they can communicate with OKM 3.0 KMAs in the same cluster. OKM 3.0 KMAs can join an existing OKM 2.x cluster using a KMA running KMS 2.2 or later.

Netra SPARC T4-1 Server

Figure 1-6 shows a rear view of the server.

Figure 1-6 Key Management Appliance—Netra SPARC T4-1 Rear Panel

  1. Power supplies (PS1 - PS0 top to bottom) (AC supplies shown)

  2. Power supply status LEDs:

    • OK (output): (green)

    • Service Action Required: (amber)

    • AC or DC (input power): (green).

  3. Alarm port

  4. Expansion slot 0 (PCIe 2.0 x8 or XAUI)

  5. Expansion slot 3 (PCIe 2.0 x8)

  6. Expansion slot 1 (PCIe 2.0 x8 or XAUI)

  7. Expansion slot 4 (PCIe 2.0 x8)

  8. Expansion slot 2 (PCIe 2.0 x8)

  9. Service LEDs:

    • Locator LED/Locator button (white)

    • Service Action Required LED (amber)

    • Main Power/OK LED (green).

  10. SER MGT RJ-45 serial port

  11. NET MGT RJ-45 network port

  12. Network 10/100/1000 ports (NET0 to NET3) for host

  13. Physical Presence button access hole

  14. USB 2.0 ports (USB 0, USB 1)

  15. Video connector (HD-15)

  16. Grounding studs

Figure 1-7 shows a front view of the server.

Figure 1-7 Key Management Appliance—Netra SPARC T4-1 Front Panel

  1. Locator LED/Locator button: white

  2. Service Action Required LED: amber

  3. Main Power/OK LED: green

  4. Power button

  5. Alarm LEDs: Critical (red), Major (red), Minor (amber), and User (amber)

  6. Fan Fault (FM 0 to FM4) LEDs: green (normal), amber (fault)

  7. USB 2.0 port (USB 3, USB 4)

  8. USB 2.0 port (USB 3, USB 4)

  9. DVD drive

  10. Radio Frequency Identification (RFID) tag

  11. Fan modules (FM0 - FM4)

  12. Hard drives (HDD0- HDD3)

Hard drive fan module (FM 5) (internal - not shown)

Netra SPARC T4-1 Component Specifications

Table 1-1 shows the configuration for OKM 3.0 KMAs.

Table 1-1 Netra SPARC T4-1 Specifications

CPU: One 4-core 64 thread 2.85 GHz SPARC T4 processor

Memory: Four 8 GB DDR3L DIMMs

Removable mass storage:

  • One 600 GB SAS drive

  • One slim line SATA DVD+/-RW drive (disabled)

Service Processor: ASPEED AST2300 BMC running Oracle ILOM 3.0.x

TPM support: TCG TPM v1.2 functionality support with an Infineon SLB 9635

Expansion slots: PCI-Express Generation 2:

  • Two full-height / half-length PCIe 2.0 x8 electrical / x16 mechanical slots with tool-less mechanical fillers

  • Three PCIe 2.0 x8 mechanical, x8 electrical low-profile, or one PCIe 2.0 x8 mechanical, x8 electrical low-profile and two XAUI cards (fiber or copper versions)

Front I/O ports: Two USB 2.0 ports (Type A)

Rear I/O ports:

From the motherboard:

  • Four 10/100/1000BASE-T Ethernet with integrated link/speed LEDs

  • SER MGT

  • NET MGT 10/100BASE-T Ethernet

  • Two USB 2.0 ports

  • VGA video port

  • Optional 10Gb dual ports with XAUI cards

From the PCI mezzanine board:

  • DCA relay connection

Front panel indicators and switches: Provision for the following indicators and switches:

  • Power button switch

  • Locate button switch with integrated LED

  • System OK LED

  • System fault LED

  • Alarm LEDs - Critical, Major, Minor, and User

  • Fan module fault LEDs

Networking: 4 Gbit Ethernet ports

Dimensions:

  • Height: 87.1 mm (3.43 in.)

  • Width: 445 mm (17.52 in.) including bezel

  • Depth: 526 mm (20.71 in.) max to PSU handles; 501 mm (19.72 in.) max to rear I/O

  • Weight: 18.6 kg (41 lb.) fully configured without PCI cards

Environmental:

  • Ambient temperature (see Footnote 1):

    Maximum: 5°C to 45°C (41°F to 113°F) up to 1829 meters (6000 feet) (see Footnote 2)

    Optimal: 21°C to 23°C (69.8°F to 73.4°F)

    Short term maximum: -5°C to 55°C (23°F to 131°F)

  • Non-operating temperature: –40°C to 70°C (–40°F to 158°F)

  • Operating humidity: 5% - 85% RH, non condensing, but not to exceed 0.024 kg water/kg dry air (0.053 lb. water/2.205 lbs. dry air). Short term: 5% - 90% RH, non condensing, not to exceed 0.024 kg water/kg dry air (0.053 lb. water/2.205 lbs. dry air).

  • Non-operating humidity: 93%, non condensing, 40°C (104°F)

  • Altitude – company requirement (operating): Maximum 3000 meters (9840 feet) at 40°C (104°F)

  • Altitude – company requirement (non-operating): Maximum 12,000 meters (39,370 feet)

  • Altitude – NEBS requirement (operating): -60 meters to 1800 meters (-200 feet to 5905 feet) at 40°C (104°F); 1800 meters to 4000 meters (5905 feet to 13,123 feet) at 30°C (86°F)

  • Altitude – NEBS requirement (non-operating): Up to 12,000 meters (39,370 feet)


Footnote 1 Does not apply to removable media devices.

Footnote 2 Maximum ambient operating temperature is derated by 1°C per 500m elevation.

Sun Fire X4170 M2 Server

Figure 1-8 shows a rear view of the Sun Fire X4170 M2 server.

Figure 1-9 shows a front view of the Sun Fire X4170 M2 server.

Table 1-2 lists the specifications for the Sun Fire X4170 M2 server.

Figure 1-8 Key Management Appliance—X4170 Rear Panel

  1. AC Power connectors

  2. Serial Management (SER MGT) RJ-45 serial port

  3. Service Processor (NET MGT) port

  4. Ethernet ports (0, 1, 2, 3); from left to right, these ports are labeled "Net0" through "Net3".

  5. USB ports (0, 1)

  6. Video connector (VGA)

Figure 1-9 Key Management Appliance—X4170 Front Panel

  1. Power /OK LED

  2. Power button

Table 1-2 lists the specifications for the Sun Fire X4170 M2 server.

Table 1-2 Sun Fire X4170 M2 Specifications

Processor: One quad-core (2.4-GHz)

Memory: 1x4GB DDR3 DIMMs

Management Software:

  • Service processor standard

  • Integrated Lights Out Manager (ILOM)

Mass storage: One SATA disk drive

PCI Slots: Two PCI-Express slots (PCIe). PCIe-0 contains the Sun Crypto Accelerator (SCA6000) if installed.

Networking:

  • Four USB 2.0 connectors on the rear panel

  • Two USB 2.0 connectors on the front panel

  • VGA with DB-15 connectors

  • Four 10/100/1000 Base-T Ethernet ports

Dimensions:

  • Height: 4.34 cm (1.71 in.)

  • Width: 42.5 cm (16.75 in.)

  • Depth: 68.58 cm (27.0 in.)

  • Weight: 16.36 kg (36 lb)

Environmental:

  • Operating temperature: 5° C to 35° C (41° F to 95° F)

  • Non-operating temperature: -40° C to 70° C (-40° F to 158° F)

  • Operating humidity: 10% to 90% relative humidity, non-condensing

  • Non-operating humidity: Up to 93% relative humidity, non-condensing

  • Altitude (operating): Up to 3000 m, maximum ambient temperature is degraded by 1 degree C per 300 m above 900 m

  • Altitude (non-operating): Up to 12,000 m


Sun Fire X2100 M2 and X2200 M2 Servers

Figure 1-10 shows a front view of the Sun Fire X2100/X2200 M2 server.

Figure 1-11 shows a rear view of the Sun Fire X2100/X2200 M2 server.

Table 1-3 lists the specifications for the Sun Fire X2100 M2 server.

Table 1-4 lists the specifications for the Sun Fire X2200 M2 server.

Figure 1-10 Key Management Appliance—X2100/X2200 Front Panel

  1. System identification button/LED

  2. Fault LED

  3. Power/OK LED

  4. Power button

  5. Optional hard disk drive bay (0)

  6. USB 2.0 connectors (2)

  7. CD/DVD drive (not populated)

  8. Optional hard disk drive bay (1)

Figure 1-11 Key Management Appliance—X2100/X2200 Rear Panel

  1. Power connector

  2. Ethernet connectors (2): Top = KMA Management Network (LAN 0); Bottom = Embedded Lights Out Manager (ELOM)

  3. System Identification LED

  4. Fault LED

  5. Power LED

  6. Ethernet Service Network connections (2): Left = Service network (LAN 2); Right = Aggregated service network (LAN 3)

  7. Serial port (DB9, RS232)

  8. PCIe slots (2): Top = SCA6000 card (not shown); Bottom = Blank (empty)

  9. VGA connector (if using a monitor/keyboard for the initial configuration)

  10. USB 2.0 ports (4)

Sun Fire X2100 M2 Server

Table 1-3 lists the specifications for the Sun Fire X2100 M2 server.

Table 1-3 Sun Fire X2100 Specifications

Processor:

  • One dual-core AMD Opteron processor

  • Processor frequencies: 2.2 GHz

  • Up to 1 MB level 2 cache

Memory:

  • Four DIMM slots (up to 4 gigabytes)

  • Unbuffered ECC memory

IPMI 2.0:

  • Service processor standard

  • Embedded Lights Out Manager

Mass storage: One SATA disk drive

PCI Slots: Two PCI-Express slots (PCIe). PCIe-0 contains the Sun Crypto Accelerator 6000 (SCA6000).

Networking:

  • Four USB 2.0 connectors on the rear panel

  • Two USB 2.0 connectors on the front panel

  • Two ports: Serial port with DB-9; VGA with DB-15

  • Four 10/100/1000 Base-T Ethernet ports

Dimensions:

  • Height: 43 mm (1.7 in.)

  • Width: 425.5 mm (16.8 in.)

  • Depth: 550 mm (21.68 in.)

  • Weight (maximum): 10.7 kg (23.45 lb)

  • Mounting options: 19-inch rackmount kit; Compact 1 rack-unit (1.75 in.)

Environmental:

  • Temperature: 5°C to 35°C (41°F to 95°F)

  • Relative humidity: 27°C (80°F) max wet bulb

  • Altitude: Up to 3,000 m (9,000 ft)

Power supply: 90 – 2640 VAC, 47 – 63 Hz. One 6.5 Amp non-redundant power supply at 345 Watts. Heat output is about 850 BTU/hour.

Regulations: meets or exceeds the following requirements:

  • Acoustic Noise Emissions declared in accordance with ISO 9296

  • Safety: IEC 60950, UL/CSA60950, EN60950, CB scheme

  • RFI/EMI: FCC Class A, Part 15 47 CFR, EN55022, CISPR 22, EN300-386:v1.31, ICES-003

  • Immunity: EN55024, EN300-386:v1.3.2

  • Certifications: Safety CE Mark, GOST, GS Mark, cULus Mark, CB scheme, CCC, S Mark

  • EMC: CE Mark, Emissions and Immunity Class A Emissions Levels: FCC, C-Tick, MIC, CCC, GOST, BSMI, ESTI, DOC, S Mark


Sun Fire X2200 M2 Server

Table 1-4 lists the specifications for the Sun Fire X2200 M2 server.

Table 1-4 SunFire X2200 Specifications

Processor:

  • Two Quad core AMD Opteron processors

  • Processor frequencies: 2.3 GHz

Memory:

  • 8 GB of RAM, installed as 4, 2 GB DIMMs

IPMI 2.0:

  • Service processor standard

  • Embedded Lights Out Manager

Mass storage: One SATA disk drive, 250 GB capacity

PCI Slots: Two PCI-Express slots (PCIe). PCIe-0 contains the Sun Crypto Accelerator 6000 (SCA6000).

Networking:

  • Four USB 2.0 connectors on the rear panel

  • Two USB 2.0 connectors on the front panel

  • Two ports: Serial port with DB-9; VGA with DB-15

  • Four 10/100/1000 Base-T Ethernet ports

Dimensions:

  • Height: 43 mm (1.69 in.)

  • Width: 425.5 mm (16.75 in.)

  • Depth: 633.7 mm (25 in.)

  • Weight: 1.6 kg (24.64 lb.)

  • Mounting options: 19-inch rackmount kit; Compact 1 rack-unit (1.75 in.)

Environmental:

  • Temperature: 5°C to 35°C (41°F to 95°F)

  • Relative humidity: 27°C (80°F) max wet bulb

  • Altitude: Up to 3,000 m (9,000 ft)

Power supply: 100 – 240 VAC, 47 – 63 Hz. One 8 Amps non-redundant power supply at 500 Watts. Heat output is about 850 BTU/hour.

Regulations: meets or exceeds the following requirements:

  • Safety: CE, CB Scheme, UL, CSA, CCC, BSMI, AR-S, GOST-R

  • EMC: CE, FCC, VCCI, ICES, BSMI, CCC, MIC, C-Tick, AR-S, GOST-R

  • Other: RoHS-compliant labeled, per WEEE (Waste Electrical and Electronics Equipment) Directive (2002/95/EC)


Network Considerations

Oracle recommends that customers supply a managed switch for connecting KMAs to the tape drives on private service networks. The managed switches then supply connectivity to the supplied unmanaged tape drive switches, as well as to any customer-supplied routers for a wide area service network.

The following managed switches have been tested and are recommended by engineering:

  • 3COM Switch 4500G 24-Port (3CR17761-91)

  • Extreme Networks Summit X150-24t Switch

  • Brocade ICX 6430 Switch.

Other managed switches can be used; however, there is only configuration guidance on the above listed switches.

Managed switches are recommended for the following reasons:

  • Improved serviceability through better switch diagnostics and service network troubleshooting.

  • Potential for minimizing single points of failure on the service network through use of redundant connections and spanning tree protocol.

  • Support for aggregation of the KMA service network interfaces to minimize single points of failure on the KMA's service interface.

Figure 1-12 provides an example of a managed switch configuration. In this example, if either KMA or either managed switch should fail, the drives still have a path from which they can communicate with the other KMA.

Management Network

The OKM network should use a clean gigabit Ethernet connection for optimal replication and performance.

Service Processor Network

The Service Processor Network (ELOM or ILOM) should have spanning tree turned off or disabled.

KMA Service Port Aggregation

Beginning with OKM 2.1 it is possible to aggregate physical Ethernet interfaces (LAN 2 and LAN 3) into a single virtual interface. Additional availability is achieved by aggregating these ports; if a failure occurs with either port, the other port maintains connectivity.

Make sure the Ethernet switch ports have the correct configuration. For example, switch ports should be:

  • Set to auto negotiate settings for duplex (should be full duplex).

  • Set to auto negotiate speed settings, the KMA ports are capable of gigabit speeds.

  • Using identical speeds, such as: both set to 100 Mbps (auto speed negotiating may work fine).

In this example, the service network consists of two customer-provided managed switches that are cabled to three unmanaged switches. The cabling contains redundant paths that require a spanning tree configuration. This example may be easily scaled for larger SL8500 drive configurations by adding additional KMAs, switch hardware, and tape drives.

  • Managed switches must be enabled for Spanning Tree whenever the cabling includes redundancy.

  • Unmanaged switches have two paths to the managed switches for redundancy.

  • Unmanaged switches are then cabled for connectivity to the tape drives (agents)

  • Each unmanaged switch connects 16 drives, cabled in groups of four: ports 1–4, 6–9, 11–14, and 16–19.

  • "Service Delivery Platform" (SDP) connects to each Managed Switch at Port 1.

Figure 1-12 Managed Switch Configuration


Each key management appliance has four network connections. These include:

  • Management network for the X4170 M2 appliance

  • Service Processor (either ELOM or ILOM) network

  • Service network

  • Aggregated service network

The network ports are labeled differently between the X4170 M2 and X2100/X2100 M2 servers.

Table 1-5 KMA Network Connections - Sun Fire X2100 M2 and X2200 M2 Servers

LAN 0: This is a required connection. This network is called the "Management Network" and connects the Oracle Key Manager (OKM) graphical user interface (GUI) to the KMAs in the cluster. This network can be local, remote, or a combination of both. Customers are expected to provide the management network.

LAN 1*: This is the network connection for the Service Processor, the ILOM for an X4170 M2 server or the ELOM for an X2100 M2 or X2200 M2 server.

LAN 2: This is normally a required connection for the tape drives. This network is called the "Service Network" and connects to the tape drives, either directly or through Ethernet switches to create the network.

LAN 3: This is an optional connection with the Oracle Key Manager. This is the "Aggregated Network" connection with NET 2 or LAN 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes the use of multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability.

* Note – The ELOM IP address is most easily configured using a serial connection.

Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one time connection for the initial configuration.


Table 1-6 KMA Network Connections - Netra SPARC T4-1 and X4170 M2 Servers

SER MGT: The SER MGT RJ-45 port provides a serial connection to the ILOM. The ILOM IP address is most easily configured using this serial connection.

NET MGT: The NET MGT RJ-45 port provides an optional Ethernet connection to the ILOM. This port is not available until you configure the ILOM IP address.

NET 0: The NET 0 RJ-45 port is a required connection to the Management Network. This network connects the server to the Oracle Key Manager GUI as well as to other KMAs in the cluster. The Management Network can be local, remote, or a combination of both. Customers are expected to provide the management network.

NET 2: The NET 2 RJ-45 port is a required connection to the Service Network. This network connects the server to the tape drives, either directly or through Ethernet switches, to create the network.

NET 3: The NET 3 RJ-45 port is an optional connection to the Aggregated Network and provides aggregation with NET 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes using multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability.


The initial setup of a KMA requires a terminal emulator on a laptop or monitor/keyboard assembly to access the Service Processor. The Service Processor is a remote console function that requires a network connection and IP address to use these functions.

Key Management Appliance Physical Connections

All physical connections are from the rear of the KMA. See Figure 1-13 for Netra SPARC T4-1, Figure 1-14 for X2100 M2 and X2200 M2, and Figure 1-15 for X4170 M2.

Table 1-5 details the relationship between these connections on X2100/X2200 M2 servers and Table 1-6 shows the Netra SPARC T4-1 and X4170 M2 server connection descriptions.

Figure 1-13 Key Management Appliance—Rear Panel Connections Netra SPARC T4-1 Server


Figure 1-14 Key Management Appliance—Rear Panel Connections X2100/X2200 Servers


Note:

Each Ethernet connection (blue line) requires an IP address.

Figure 1-15 Key Management Appliance—Rear Panel Connections X4170 M2 Server


Note:

Each Ethernet connection (blue line) requires an IP address.

Internet Protocol Versions

Enhancements made to OKM 2.1 included support for the newest implementation of the Internet Protocol Suite, or IP.

  • The current version—IPv4—uses a 32-bit number written as four groups of up to three digits separated by periods. Each group can be from 0 to 255, for example, 129.80.180.234.

    Within these four groups are two identifiers, the network address and the host address. The first two groups (129.80) identify the network address, the second two groups (180.234) identify the host.

  • The new generation, IPv6, uses a 128-bit value written as eight groups of four hexadecimal characters separated by colons, for example:

    2001:0db8:85a3:0000:0000:8a2e:0370:7334

    2001:0db8:85a3::8a2e:0370:7334 (means the same as above)

    IPv6 addresses are typically composed of two logical parts: a 64-bit network prefix, and a 64-bit host address, which is either automatically generated or assigned.

Important:

The Key Manager supports a "dual stack" implementation where both protocols are used within the system. However, not all applications use IPv6, for example, Domain Name System (DNS); therefore, IPv4 is still necessary.

Automated Tape Libraries

Because every customer has different needs and requirements, Oracle's StorageTek provides a variety of automated tape libraries to meet these customers' demands.

Table 1-7 Tape Libraries

| Tape Libraries | L700 | L1400 | 9310 | SL24 | SL48 | SL500 | SL3000 | SL8500 | SL150 |
|---|---|---|---|---|---|---|---|---|---|
| Minimum slots | 216 | 200 | 2,000 | 1 | 1 | 30 or 50 | 200 | 1,448 | 30 |
| Maximum slots | 1,344 | 1,344 | 6,000 | 24 | 48 | 440 to 575 | 5,925 | 10,000 | 300 |
| Complex/ACS | No | No | 144,000 | No | No | No | No | 100,000 | No |
| Mixed-media | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes |
| Pass-thru ports | Yes (1) | Yes (1) | Yes | No | No | No | No | Yes | No |
| Maximum drives | 24, 40 | 24, 40 | 80, 960 | 1 | 2 | 2, 18 | 56 | 64, 640 | 20 |
| CAP size | 20–80 | 20–80 | 21 or 80 | Mailslots | Mailslots | 5–45 | 26 | 39 | Mailslot |
| Number of CAPs | 1–4 | 1–4 | 4x20 | 0–1 | 1–3 | 1–5 | 101 | 2 | 1 |
| Interface type | SCSI, FC | SCSI, FC | TCP/IP | SCSI, FC, SAS | SCSI, FC, SAS | SCSI, FC | SCSI, FC | TCP/IP | SCSI, FC |
| Tape Technology (Encryption-capable Tape Drives Only) | | | | | | | | | |
| T9840D (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
| T10000A (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
| T10000B (StorageTek) | Yes | Yes | Yes | No | No | No | Yes | Yes | No |
| T10000C (StorageTek) | No | No | No | No | No | No | Yes | Yes | No |
| T10000D (StorageTek) | No | No | No | No | No | No | Yes | Yes | No |
| LTO4 (HP and/or IBM) | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| LTO5 (HP and/or IBM) | No | No | No | Yes for HP, no for IBM | Yes for HP, no for IBM | Yes | Yes | Yes | Yes for HP, no for IBM |
| LTO6 (HP and/or IBM) | No | No | No | No | No | Yes for HP, no for IBM | Yes | Yes | Yes for HP, no for IBM |

  1. Access expansion modules provide bulk cartridge loading capabilities from 234 to 468 cartridges (one or two AEMs)


Tape Drives

StorageTek provides storage solutions for:

  • Small to large businesses and organizations

  • Enterprise and client-server platforms

  • Stand-alone and automated tape environments.

You can choose from the following tape drive models:

  • StorageTek T10000A

  • StorageTek T10000B

  • StorageTek T10000C

  • StorageTek T10000D

  • StorageTek T9840 Model D only

  • Hewlett Packard (HP) Linear Tape-Open (LTO) Generations 4, 5, and 6

  • International Business Machines (IBM) Linear Tape-Open (LTO) Generations 4, 5, and 6

FIPS Compliant Tape Drives

Beginning with Version 2.1 and the latest tape drive firmware, the following drives are FIPS (Footnote 3) compliant.

Table 1-8 FIPS 140-2 Compliant Tape Drives

| Tape Drive | FIPS 140-2 Level |
|---|---|
| T10000A | 1 |
| T10000B | 2 |
| T10000C | 1 |
| T10000D | 1 |
| T9840D | 1 |
| LTO4 (HP and IBM) | No plans for FIPS* |
| LTO5 (HP and IBM) | No plans for FIPS* |
| LTO6 (HP) | No plans for FIPS* |

* LTO drives may be FIPS validated in their basic form but not necessarily in specific encryption applications.


The FIPS 140-2 levels of security for the above tape drives include Levels 1 and 2.

Level 1 – The basic level with production-grade requirements.

Level 2 – Adds requirements for physical tamper evidence and role-based authentication. Built on a validated operating platform.

This selection provides a higher level of security for the KMAs and tape drives.

About the T10000 Tape Drive

The T10000 tape drives are modular, high-performance tape drives designed for high-capacity storage.

These models of the T10000 support encryption:

  • T10000A

  • T10000B

  • T10000C

  • T10000D

Dimensions: The tape drive is:

  • 8.89 cm (3.5 in.) high

  • 14.6 cm (5.75 in.) wide

  • 42.5 cm (16.75 in.) deep.

Capacity:

  • T10000A = 500 gigabytes (GB) of uncompressed data

  • T10000B = 1 terabyte (TB) of uncompressed data (Footnote 4)

  • T10000C = 5 terabytes (TB) of uncompressed data

  • T10000D = 8 terabytes (TB) of uncompressed data

About the T9840D Tape Drive

The T9840D tape drive is a small, high-performance, access-centric tape drive that has an average access time of just 8 seconds.

This drive obtains its high performance by using a unique dual-hub cartridge design with midpoint load technology. This enables fast access and reduces latency by positioning the read/write head in the middle of the tape.

There are four models of the T9840; however, only the T9840D supports encryption.

Dimensions: The tape drive is:

  • 8.25 cm (3.25 in.) high

  • 14.6 cm (5.75 in.) wide

  • 38.1 cm (15 in.) deep

Capacity: T9840D = 75 gigabytes (GB) of uncompressed data

For a variety of operating system platforms:

  • Enterprise mainframes (z/OS and OS/390)

  • Open system platforms (Windows, UNIX, and Linux)

About the LTO Tape Drives

Overview: Linear Tape-Open (LTO) tape drives are high-performance, high-capacity data-storage devices designed for backup and restore applications in both enterprise mainframe and open systems environments.

Both HP and IBM offer an Ultrium series of linear tape-open products, LTO4, LTO5, and LTO6.

Currently, the LTO4, LTO5, and LTO6 tape drives are capable of supporting tape- or device-based encryption.

Encryption Capable: Both the HP and IBM LTO drives support write encryption and read decryption when integrated into a secure encryption system, such as Oracle's Key Manager.

Key management is essential to ensure that what is written on tape can be read in the future.

Being able to manage the "Keys to Encryption" requires a special, custom-designed, Ethernet adapter card mounted inside the drive tray. This adapter card provides a means for the LTO drives to connect to and interface with the Oracle Key Manager. Each vendor has their own unique version of an adapter card:

  • HP LTO4 = Dione card (external)

  • HP LTO5/LTO6 = Embedded (no adapter card required)

  • IBM = Belisarius card (external)

With this connection, the LTO drives are capable of communicating with the OKM to transfer encryption keys over the secure network.

Currently the LTO drives can only use one encryption key at a time. During a read operation, if another encryption key is found on the tape, the adapter card requests the key directly from the OKM.

Media (Native capacity): LTO6 tape drives use a 2.5 TB data cartridge, LTO5 a 1.5 TB data cartridge, and LTO4 tape drives use an 800 GB data cartridge. All are compatible with other vendor cartridges and other generations of LTO tape drives. These drives perform the following functions:

  • Reads/Writes LTO6 cartridges in Ultrium 6 format, including WORM

  • Reads/Writes LTO5 cartridges in Ultrium 5 format, including WORM

  • Reads/Writes LTO4 cartridges in Ultrium 4 format, including WORM

LTO6, LTO5, and LTO4 tape drives also support Write Once, Read Many (WORM) secure media. This non-erasable, non-rewritable media complies with regulations such as HIPAA, Sarbanes-Oxley, and SEC 17A-4.

Interfaces: LTO drives come with a Fibre Channel interface (FC), in either a single or dual port configuration.

The HP LTO tape drives also support:

  • Ultra 320 Small Computer System Interface (SCSI)


Tape Drive Comparisons

Table 1-9 Tape Drive Comparison

| Specification | T10K-A | T10K-B | T10K-C | T10K-D | T9840D | HP LTO4 | HP LTO5 | HP LTO6 | IBM LTO4 | IBM LTO5 | IBM LTO6 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Capacity (native) | 500 GB | 1 TB | 5 TB | 8 TB | 75 GB | 800 GB | 1.5 TB | 2.5 TB | 800 GB | 1.5 TB | 2.5 TB |
| Transfer rates (native) | 120 MB/s | 120 MB/s | 240 MB/s | 254 MB/s | 30 MB/s | 120 MB/s | 140 MB/s | 160 MB/s | 120 MB/s | 140 MB/s | 160 MB/s |
| Buffer size | 256 MB | 256 MB | 2 GB | 2 GB | 64 MB | 256 MB | 256 MB | 512 MB | 256 MB | 256 MB | 1 GB |
| Load time (seconds) | 16 | 16 | 13.1 | 13.0 | 8.5 | 19 | 12 | 22 | 15 | 12 | 12 |
| Access (seconds) | 46 | 46 | 73.5 | 62.5 | 8 | 72 | 60 | 50 | 46 | 60 | 96 |
| Tape speed (m/s) | 2–4.95 | 2–3.74 | 5.62 | 4.75 | 3.4 | 7.0 | | 7.12 | 7.0 | | 6.8 |
| Rewind time (seconds) | 90 | 90 | 10-13 | 10-13 | 16/8 | 106/54 | 96/78 | 98/51 | 106/54 | 96/78 | 42 |
| Unload time (seconds) | 23 | 23 | 23 | 23 | 12 | 22 | 17 | 19 | 22 | 17 | 17 |
| Interfaces | | | | | | | | | | | |
| Fibre Channel | 2 & 4 Gb/s | 4 Gb/s | 4 Gb/s | 16 Gb/s | 4 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s | 4 Gb/s | 8 Gb/s | 8 Gb/s |
| SCSI / SAS | n/a | n/a | n/a | n/a | n/a | Ultra-320 | n/a | 6 Gb SAS | Ultra-320 | n/a | 6 Gb SAS |
| FICON / FCoE | 2 Gb/s / n/a | 2 Gb/s / n/a | 4 Gb/s / n/a | 8 Gb/s / 10 Gb/s | 2 Gb/s / n/a | | | | | | |
| ESCON | n/a | n/a | n/a | n/a | 2 Gb/s | | | | | | |
| Compatibility | | | | | | | | | | | |
| Tracks | 768 | 1152 | 3,584 | 4608 | 576 | 896 | 1280 | 2176 | 896 | 1280 | 2176 |
| Length–usable | 855 m (2805 ft) | 855 m (2805 ft) | 1,107 m (3,632 ft) | 1,107 m (3,632 ft) | 251 m (889 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) | 820 m (2690 ft) | 850 m (2789 ft) | 846 m (2776 ft) |
| VolSafe/WORM | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |


For your information, the following tables provide tape drive and media comparisons.

StorageTek T-Series Tape Drives

Table 1-10 shows the media compatibilities for the T-Series (T10000 and T9840) drives:

  • Encryption-capable T-Series tape drives

  • Non-encryption T-Series tape drives

Table 1-10 T-Series Tape Drive Media Compatibilities

| Task | Enrolled for Encryption | Not Enrolled for Encryption |
|---|---|---|
| Write new data encrypted | Yes | No |
| Write new data not encrypted | No | Yes |
| Read encrypted data with key available | Yes | No |
| Read non-encrypted data | Yes | Yes |
| Append non-encrypted data to encrypted tape | No | No |


Table 1-11 shows a comparison between:

  • Encryption-enabled and non-encrypted tape drives

  • Encrypted and non-encrypted media

Table 1-11 T-Series Tape Drive and Media Support

| Tape Drive Types | Media type: Non-encrypted Tapes | Media type: Encrypted Tapes |
|---|---|---|
| Standard drive (non-encrypted) | Fully compatible; read, write, and append | Not capable of reading, writing to or appending to this tape; can re-write from the beginning of tape (BOT) |
| Encryption-capable drive | Read capability only; not capable of appending to this tape; can re-write from the beginning of tape (BOT) | Fully compatible; read with correct keys; write with current write key |


LTO Tape Drives


Note:

Both HP and IBM LTO tape drives are:

  • Specified to interchange with un-encrypted data cartridges from other tape drives that comply with the LTO U-28, U-316 and U-416 specifications.

  • Capable of interchanging encrypted data cartridges provided the correct encryption key is available.


Future compatibility:

In the future, LTO drives will be capable of:

  • Reading and writing tapes from the current generation

  • Reading and writing tapes from one earlier generation

  • Reading tapes from two earlier generations


    Note:

    Encryption is only supported with LTO4 and LTO5 Data Cartridges on LTO4 and LTO5 tape drives. To avoid problems, these drives will not write in normal or native modes once the drive is enabled for encryption.

LTO Encryption Behavior

When LTO encryption is controlled by the Oracle Key Manager, the LTO drives can behave differently from StorageTek T-Series drives. There can also be slight differences between the HP and IBM drives. These differences arise from specific aspects of the IBM and HP drive architecture.

Table 1-12, Table 1-13, and Table 1-14 list LTO4, LTO5, and LTO6 HP and IBM drive behavior.

Table 1-12 LTO4 Encryption Behavior

| LTO4 Drive Performance | HP Implementation | IBM Implementation |
|---|---|---|
| Not Enrolled for Encryption | | |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO4 encrypted data | Error | Error |
| Write LTO4 from BOT | OK non-encrypted | OK non-encrypted |
| Read LTO3 tape | OK non-encrypted | OK non-encrypted |
| LTO4 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to encrypted data (Read to EOD and write) | Error | Error |
| Enrolled for Encryption | | |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
| Write LTO4 from BOT | OK* encrypted | OK* encrypted |
| LTO4 append write to encrypted data | OK* encrypted | OK* encrypted |
| Write LTO3 tape | OK non-encrypted (Note 4) | Error (Note 5) |
| Read LTO3 tape | OK non-encrypted | OK non-encrypted |
| LTO4 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO4 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO4 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
| LTO4 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |

* If the correct key is available.




Note 1

IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.

Note 2

While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.

Note 3

In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.

Note 4

HP drives will write tapes in non-encrypted mode. The LTO3 format does not support encryption, and this could be considered a security violation since HP LTO4/LTO5 drives can be made to write non-encrypted data simply by inserting an LTO3 cartridge.

Note 5

IBM drives will report an error if an attempt is made to write LTO3 tapes.

Table 1-13 LTO5 Encryption Behavior

| LTO5 Drive Performance | HP Implementation | IBM Implementation |
|---|---|---|
| Not Enrolled for Encryption | | |
| Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO5 encrypted data | Error | Error |
| Write LTO5 from BOT | OK non-encrypted | OK non-encrypted |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO4 encrypted data | Error | Error |
| Write LTO4 from BOT | OK non-encrypted | OK non-encrypted |
| Read LTO3 | OK non-encrypted | OK non-encrypted |
| LTO5 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to encrypted data (Read to EOD and write) | Error | Error |
| LTO4 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO4 append write to encrypted data (Read to EOD and write) | Error | Error |
| Enrolled for Encryption | | |
| Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO5 encrypted data | OK* encrypted | OK* encrypted |
| Write LTO5 from BOT | OK* encrypted | OK* encrypted |
| LTO5 append write to encrypted data | OK* encrypted | OK* encrypted |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
| Write LTO4 from BOT | OK* encrypted | OK* encrypted |
| LTO4 append write to encrypted data | OK* encrypted | OK* encrypted |
| LTO5 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO5 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO5 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
| LTO5 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
| LTO4 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO4 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO4 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
| LTO4 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
| Read LTO3 non-encrypted data | OK non-encrypted | OK non-encrypted |

* If the correct key is available.




Note 1

IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.

Note 2

While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.

Note 3

In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.

Table 1-14 LTO6 Encryption Behavior

| LTO6 Drive Performance | HP Implementation | IBM Implementation |
|---|---|---|
| Not Enrolled for Encryption | | |
| Read LTO6 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO6 encrypted data | Error | Error |
| Write LTO6 from BOT | OK non-encrypted | OK non-encrypted |
| Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO5 encrypted data | Error | Error |
| Write LTO5 from BOT | OK non-encrypted | OK non-encrypted |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| LTO6 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO6 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO6 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO6 append write to encrypted data (Read to EOD and write) | Error | Error |
| LTO5 append write to non-encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to non-encrypted data (Read to EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to encrypted data (Space EOD and write) | OK non-encrypted | OK non-encrypted |
| LTO5 append write to encrypted data (Read to EOD and write) | Error | Error |
| Enrolled for Encryption | | |
| Read LTO6 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO6 encrypted data | OK* encrypted | OK* encrypted |
| Write LTO6 from BOT | OK* encrypted | OK* encrypted |
| LTO6 append write to encrypted data | OK* encrypted | OK* encrypted |
| Read LTO5 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO5 encrypted data | OK* encrypted | OK* encrypted |
| Write LTO5 from BOT | OK* encrypted | OK* encrypted |
| LTO5 append write to encrypted data | OK* encrypted | OK* encrypted |
| Read LTO4 non-encrypted data | OK non-encrypted | OK non-encrypted |
| Read LTO4 encrypted data | OK* encrypted | OK* encrypted |
| LTO6 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO6 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO6 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
| LTO6 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |
| LTO5 append write to non-encrypted data (Space EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO5 append write to non-encrypted data (Read to EOD and write) | OK* encrypted (Note 2) | Error (Note 1) |
| LTO5 append write to encrypted data (Space EOD and write) | OK* encrypted | OK* encrypted |
| LTO5 append write to encrypted data (Read to EOD and write) | OK* encrypted | OK* encrypted – but with prior read key (Note 3) |

* If the correct key is available.




Note 1

IBM LTO drives do not allow the mixing of encrypted and non-encrypted data on a single tape.

Note 2

While this scenario allows appending encrypted data behind non-encrypted data, this has an operational benefit since it allows tapes pre-labeled with non-encrypted data to be used in HP LTO drives in the encrypting environment without having to re-label them.

Note 3

In this scenario, IBM drives will write encrypted data but will use the same key as they used to read the prior encrypted data on tape. The drive will not request a new key from the OKM when the write command is issued and this will ignore the Key Expiration Policy set by the OKM.
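
The write and append rows of Tables 1-12 through 1-14, together with Notes 1 through 5, can be turned into a pre-flight check for tape jobs. The following is an added example, not Oracle code: the TapeJob record, its field names, and the finding labels are assumptions made for illustration, and the sample jobs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TapeJob:                      # hypothetical record; field names are assumptions
    vendor: str                     # "HP" or "IBM"
    enrolled: bool                  # drive enrolled for encryption with the OKM
    media_gen: int                  # cartridge generation: 3 = LTO3, 4 = LTO4, ...
    op: str                         # "write_bot" or "append"
    tape_encrypted: bool = False    # data already on the tape (append only)
    positioning: str = "space_eod"  # "space_eod" or "read_eod" (append only)

def evaluate(job: TapeJob) -> Tuple[str, Optional[str]]:
    """Return (outcome, finding) for a write job per Tables 1-12 to 1-14.

    outcome is "encrypted", "non-encrypted" or "error". finding is None when
    the outcome is what the enrollment state promises. Assumes the correct
    key is available (the "OK*" condition in the tables).
    """
    if job.vendor not in ("HP", "IBM") or job.op not in ("write_bot", "append"):
        raise ValueError(f"unsupported job: {job}")
    if not job.enrolled:
        if job.op == "append" and job.tape_encrypted:
            if job.positioning == "read_eod":
                return "error", None   # drive cannot read the encrypted data
            # Space to EOD and write: plaintext lands behind ciphertext.
            return "non-encrypted", "plaintext-appended-to-encrypted-tape"
        return "non-encrypted", None   # expected for an unenrolled drive
    # Enrolled drives from here on.
    if job.media_gen == 3:             # LTO3 format does not support encryption
        if job.vendor == "HP":
            return "non-encrypted", "note4-enrolled-drive-wrote-plaintext"
        return "error", None           # Note 5: IBM reports an error
    if job.op == "append" and not job.tape_encrypted:
        if job.vendor == "HP":
            return "encrypted", "note2-mixed-plaintext-and-ciphertext"
        return "error", None           # Note 1: IBM does not allow mixing
    if job.op == "append" and job.vendor == "IBM" and job.positioning == "read_eod":
        # Note 3: written with the prior read key, Key Expiration Policy ignored.
        return "encrypted", "note3-prior-read-key-reused"
    return "encrypted", None

def audit(jobs: List[TapeJob]) -> List[Tuple[int, str, str]]:
    """Return (index, outcome, finding) for every job that raises a finding."""
    findings = []
    for index, job in enumerate(jobs):
        outcome, finding = evaluate(job)
        if finding:
            findings.append((index, outcome, finding))
    return findings

# Constructed sample jobs, not taken from any real system.
SAMPLE_JOBS = [
    TapeJob("HP", True, 5, "write_bot"),
    TapeJob("HP", True, 3, "write_bot"),
    TapeJob("IBM", True, 3, "write_bot"),
    TapeJob("IBM", True, 5, "append", tape_encrypted=True, positioning="read_eod"),
    TapeJob("HP", True, 4, "append", tape_encrypted=False),
    TapeJob("IBM", False, 4, "append", tape_encrypted=True, positioning="space_eod"),
]

if __name__ == "__main__":
    for index, outcome, finding in audit(SAMPLE_JOBS):
        print(index, SAMPLE_JOBS[index].vendor, outcome, finding)
```

Read operations are not modeled; the check covers only the paths where data is written to tape.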



Footnote Legend

Footnote 1: Multiple KMAs: Exceptions to this standard configuration must be made with the approval of Encryption Engineering, Professional Services, and Support Services.
Footnote 2: A Cluster is a group of linked appliances that work together, so that in many respects they form a single component.
Footnote 3: FIPS 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. Federal Information Processing Standards are publicly announced standards and guidelines developed by the United States Federal government. Many FIPS standards are modified versions of standards used in the wider community (ANSI, NIST, IEEE, ISO, etc.).
Footnote 4: Capacity: To get an idea of the capacity of a terabyte, consider the common megabyte (MB). Just over a thousand megabytes equals one gigabyte, and just over one million megabytes equals a terabyte. 1,024 megabytes = 1 gigabyte; 1,024 gigabytes = 1 terabyte; 1,048,576 (1,024²) megabytes = 1 terabyte