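// NOTE(review): the start of this statement is not visible on this page (the
// call has no receiver here, yet $xajax is used further down) — confirm
// against the original file.
registerFunction("getEKMPartitions");
session_start();
// NOTE(review): $user is read from the session without any visible check that
// a login exists or that the account may change encryption settings;
// presumably the included files enforce that — confirm.
$user = $_SESSION['user'];
$in_xAjax = false;
$xAjax_objResponse;
include('IOB_inc.htm');
include('common_admin_inc.htm');
// Status/result constants used below to interpret akm_setup_progress() replies.
$akmResult = akm_get_error_codes();
//error_log("akm_get_errorcodes = ". print_r($akmResult,true) );

/**
 * Key-server endpoint settings handed to set_ekm_by_library().
 *
 * NOTE(review): the constructor is a PHP 4-style method named after the class;
 * PHP 8 no longer treats such a method as a constructor, so the fields would
 * stay unset there. Left unchanged because the target PHP version is not
 * visible here.
 */
class EKMdata
{
    var $primaryIP;
    var $primaryPort;   // default is 3801 (decimal)
    var $secondaryIP;
    var $secondaryPort; // default is 3801 (decimal)
    var $useSSL;

    // Stores the five values unchanged; nothing is validated here.
    function EKMdata( $primaryIP, $primaryPort, $secondaryIP, $secondaryPort, $ssl )
    {
        $this->primaryIP     = $primaryIP;
        $this->primaryPort   = $primaryPort;
        $this->secondaryIP   = $secondaryIP;
        $this->secondaryPort = $secondaryPort;
        $this->useSSL        = $ssl;
    }
};

/**
 * Per-partition encryption settings handed to set_partition_enryption().
 *
 * The POST handler below fills only libGuid, method and policy and passes -1
 * for the remaining four fields.
 */
class Encryption
{
    var $libGuid;
    var $method;
    var $policy;
    var $density;
    var $key_path;
    var $method_not_used;
    var $policy_not_used;

    // PHP 4-style constructor (same PHP 8 caveat as EKMdata); stores the values unchanged.
    function Encryption( $libGuid, $method, $policy, $density, $key_path, $method_not_used, $policy_not_used)
    {
        $this->libGuid         = $libGuid;
        $this->method          = $method;
        $this->policy          = $policy;
        $this->density         = $density;
        $this->key_path        = $key_path;
        $this->method_not_used = $method_not_used;
        $this->policy_not_used = $policy_not_used;
    }
};

// The PHP function that is called from JavaScript through xAjax when the user
// selects an I/O Blade. As written it only sets the global $in_xAjax flag and
// returns an empty xajaxResponse; $aBladeID and the local $user are not used.
function getEKMPartitions($aBladeID)
{
    global $in_xAjax;
    $user = $_SESSION['user'];
    $xAjax_objResponse = new xajaxResponse();

    $in_xAjax = true;
    return $xAjax_objResponse;
}

$xajax->processRequest();

/*******************************************************************************************/
// The POST handler needs this data as well.
$libs = get_logical_libraries($user, $sortCriteria);
//error_log("get_logical_libraries = ". print_r($libs,true) );
$lib_count = count($libs);

// Handle the progress screen if opened and set the NEW data.
// The array key is quoted: the bare word REQUEST_METHOD is an undefined
// constant (a notice on older PHP, a fatal Error on PHP 8).
// NOTE(review): this branch changes encryption and key-server settings, and no
// anti-CSRF token or role check is visible in it — confirm that the included
// files provide both.
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
    $operationInProgress = true;
    $status = new ReturnStatus();
    // NOTE(review): this writes every submitted field verbatim to the error
    // log. The values are client-controlled and may contain line breaks, so
    // log entries can be forged; consider logging only the expected fields
    // with control characters stripped.
    error_log($_SERVER['PHP_SELF']." POST = ". print_r($_POST, true) );
    $akmWasRan = false;
    $akm1st = true;     // true until akm_setup_servers() has been run once for this request

    foreach( $libs as $lib )
    {
        // Construct the _POST variable names to look for.
        $theMeth = "selMethod".$lib->name;
        $thePol  = "selPolicy".$lib->name;
        $theServ = "serverType".$lib->name;

        // Did the setting for this logical library change? The field named
        // after the library carries the value the form was rendered with.
        if( $_POST[$theMeth] != $_POST[$lib->name] )
        {
            if( isset( $_POST[$theMeth] ) )
            {
                // Double check whether any of this library's drives are loaded.
                $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
                //error_log( "\nDrives = ". print_r($drives, true) );
                foreach($drives as $drive )
                {
                    $disableIt = true;  // Default to disabled in case it's not an LTO4
                    // If any drive is loaded with a tape, changing the partition's encryption must be refused.
                    if(($drive->driveType == 'LTO-4') && ($drive->name == $lib->name))
                    {
                        // It's an LTO4 drive that might be capable of encryption
                        //error_log("+-=-=-=- ". $drive->location . "= \n". print_r($drive,true) );
                        if($drive->active || $drive->mediaPresent == "1")
                        {
                            error_log("Disabling changing Encryption because Meida is present in one of the drives");
                            // NOTE(review): this server-side check is the only thing that
                            // stops a change while media is loaded (the disabled form control
                            // is client-side). Whether error_back() ends the request is not
                            // visible here; if it returns, the change below still runs.
                            error_back(0x50021);
                        }
                    }
                }

                // NOTE(review): $method comes straight from the request. Only 4 is
                // treated specially below; any other value is cast to int and passed
                // on, so an allow-list of the values the form offers belongs here.
                $method = $_POST[$theMeth];
                if( isset( $_POST[$thePol] ) )
                    $policy = $_POST[$thePol];
                else
                    $policy = 0;

                // REQ-Change - undo anything done above with policy: the submitted
                // policy is ignored and derived from the method instead.
                if( $method == 4 )  // Library Managed
                    $policy = 2;
                else
                    $policy = 0xff; //PCR 22652 (This was 0)

                // If QKM to LME - make sure the servers are up.
                $iAkmReady = true;
                $bSet = true;
                if( $method == 4 && $_POST['qkmEnabled']==true && $_POST[$theServ] == 2)
                {
                    $iAkmReady = akm_servers_available($user, true);
                    // $iAkmReady = (akm_servers_available($user) == 1);
                    error_log("\nakm_servers_available returned: ". print_r($iAkmReady, true));
                }

                // Don't run the setupServer call if QKM is being set to LME without both servers running,
                // or if it has already been run for an earlier library in this request.
                if( $iAkmReady )
                {
                    // This only needs to be called when setting QKM to LME.
                    if( $akm1st == true && $method == 4 && $_POST['qkmEnabled']==true && $_POST[$theServ] == 2) // Library Managed
                    {
                        error_log("A QKM parition is being set to LME.........");
                        if( $iAkmReady )
                        {
                            $akm1st = false;    // Reset the flag so we only run this once.
                            error_log("\n\n*** We are running the QKM setupServer call. ***\n\n");
                            $iRes = akm_setup_servers($user);
                            // NOTE(review): this poll has no iteration or time limit; if the
                            // status never becomes StatusFinished the request blocks forever,
                            // while reset_inactive_timer() keeps being called for the user.
                            // Consider a bounded wait that reports an error on timeout.
                            do
                            {
                                // The progress check may not have started on the first call,
                                // so sleep before checking the status.
                                sleep(10);
                                @reset_inactive_timer($user);
                                $akmStatus = akm_setup_progress($user, 0);
                                error_log("Looped - akm_setup_progress returned: ". print_r($akmStatus,true) );
                            }while( $akmStatus->status != $akmResult->StatusFinished );
                            error_log("\n\n\n>>>>>>>>>>>>>>>>>>>>>>>>> We have finished the progress check <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n\n\n");
                            error_log("\nakm_setup_progress returned: ". print_r($akmStatus,true) );
                            error_log("$akmStatus->status != $akmResult->StatusFinished");
                            // NOTE(review): the loop above only exits once status equals
                            // StatusFinished, so this condition cannot be true at this point
                            // and a failed setup is not reported through $status here.
                            if( $akmStatus->status != $akmResult->SUCCEEDED && $akmStatus->status != $akmResult->StatusFinished )
                            {
                                $status->setErrorCode( $akmStatus->status );
                                $bSet = false;
                            }
                            if( $akmStatus->result == $akmResult->SetupSucceededKeysGenerated )
                                $akmWasRan = true;
                        }
                        else //!?! This is OLD code that will be needed when we don't need both servers to set LME for QKM
                        {
                            // Unreachable as written: the enclosing branch already requires $iAkmReady.
                            error_log("The severs are not ready - so the setupServer call is being skipped and an error is being retunred.");
                            $status->setErrorCode( $iAkmReady );
                            $bSet = false;
                        }
                    }

                    if( $bSet )
                    {
                        // !?! NOTE: When we do overrides this call will need to happen AFTER we set the new IPs
                        error_log( "Setting encryption for library ". $lib->name. " | Method = ". $method ." | Policy = ". $policy );
                        $encypt = new Encryption( $lib->guid, (int)$method, (int)$policy, -1, -1, -1, -1 );
                        set_partition_enryption( $user, $encypt );
                    }
                    else
                        error_log(">>> NOT RUNNING set_partition_enryption because of error <<<");
                }
                else
                    error_log(">>> NOT RUNNING set_partition_enryption because qkm is not ready<<<");
            }
        }
        else
            error_log("Encryption Method for ".$lib->name." did not change!");

        //if( $Brand == 'dell' )
        {
            // See if we need to save the server setting only (we don't do overrides).
            error_log( "if('". $_POST["serverType".$lib->name] ."' != '". $_POST["serverTypeOrig".$lib->name]."');" );
            if( isset($_POST["serverType".$lib->name]) && ($_POST["serverType".$lib->name] != $_POST["serverTypeOrig".$lib->name]) )
            {
                error_log("We are saving set_ekm_by_library! for $lib->name");

                // Create some variables so the code is easier to read.
                // (A stray "+" in front of the first assignment was dropped; it
                // only applied unary plus to the assignment's discarded result.)
                $thePaddr = $_POST["paddr_".$lib->name];
                $thePport = (int)$_POST["pport_".$lib->name];
                $theSaddr = $_POST["saddr_".$lib->name];
                $theSport = (int)$_POST["sport_".$lib->name];
                $theSSL   = isset($_POST["ssl_".$lib->name]);

                // NOTE(review): these request values become the key-server endpoint
                // for the library with no format or range check visible here: the
                // hosts are raw strings, the ports are only cast to int, and $ekmSSL
                // and $servType are passed through as submitted. Validate host syntax,
                // restrict ports to 1-65535 and allow-list the server type before
                // calling set_ekm_by_library(), unless that function already does so.
                $ekmPaddr = $_POST["ekmPHost".$lib->name];
                $ekmPport = (int)$_POST["ekmPPort".$lib->name];
                $ekmSaddr = $_POST["ekmSHost".$lib->name];
                $ekmSport = (int)$_POST["ekmSPort".$lib->name];
                $ekmSSL   = $_POST["ekmSSL".$lib->name];
                $servType = $_POST["serverType".$lib->name];
                error_log( "\nthePaddr - ekmPaddr | thePport - ekmPport == theSaddr -ekmSaddr | theSport - ekmSport - servType" );
                error_log( "\n". $thePaddr ." - ". $ekmPaddr ." | ". $thePport ." - ". $ekmPport ."\n". $theSaddr ." - ". $ekmSaddr ." | ". $theSport ." - ". $ekmSport ." - ". $servType."\n" );

                //if( $thePaddr != $ekmPaddr || $thePport != $ekmPport ||
                //    $theSaddr != $ekmSaddr || $theSport != $ekmSport || $theSSL != $ekmSSL )
                {
                    error_log("There was a change in the Overrides for ".$lib->name."!");
                    // The ekm* fields are used here, not the paddr_/pport_/saddr_/sport_/ssl_ inputs.
                    //$ekmData = new EKMdata($thePaddr, $thePport, $theSaddr, $theSport, $theSSL);
                    $ekmData = new EKMdata($ekmPaddr, $ekmPport, $ekmSaddr, $ekmSport, $ekmSSL);
                    error_log("Setting library ". $lib->guid ." to serverType ". $servType ."\n". print_r($ekmData, true) );
                    set_ekm_by_library($user, $lib->guid, $ekmData, $servType);
                }
                //else
                //    error_log("There was NO changes in the Overrides for ".$lib->name."!");
            }
            else
                error_log("Server Type for ".$lib->name." did not change!");
        }// if DELL
    }// for lib

    if( $akmWasRan == true )
    {
        print $status->closeMsg(4, "akm_setup_servers was run" );
        //print $status->qkm CheckStatus('finishLogDump', $fileName, $OpGuid);
    }
    else
        print $status->out();
    return;
}

// GET path: load the data the page below renders.
$ekm_data = get_ekm( $user, 1 );
$qkm_data = get_ekm( $user, 2 );    // get QKM Data
error_log("\nekm_data = " . print_r($ekm_data, true) );
error_log("\nqkm_data = " . print_r($qkm_data, true) );
$isQKM = isQKMEnabled( $qkm_data );
// The ternary is parenthesised: "." binds tighter than "?:", so the unbracketed
// form tested the whole concatenated string and always logged just "true".
error_log("isQKMEnabled returned a ". ($isQKM?"true":"false"));
$isQEKM = isQEKMEnabled( $ekm_data );
error_log("isQEKMEnabled returned a ". ($isQEKM?"true":"false"));
$ekmMax = get_ekm_drive_cnt($user);
$akmStatus = @akm_setup_progress($user, 0);
error_log("\nakm_setup_progress returned: ". print_r($akmStatus,true) );
error_log("$akmStatus->status != $akmResult->StatusFinished");
// The library counts as busy unless the AKM setup is finished or was never started.
if( $akmStatus->status == $akmResult->StatusFinished || $akmStatus->status == $akmResult->StatusNotStarted )
    $libBusy = false;
else
    $libBusy = true;
?> printJavascript(); ?> Setup Quantum Library Managed Encryption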
Setup - Encryption Partition Configuration
Set up the Encryption for library partitions.

Quantum Encryption Key Manager must be licensed to configure or use it.
Please click here to add a license key.

primaryIP == "" && $qkm_data->primaryIP == "" && false ) // Servers defaults not setup { ?>
The Quantum Encryption Key Servers are not set up. Please make sure they are configured properly to view this page.
Please click here to go to the "Setup - Encryption Key Server Access Configuration" page and set up your EKM servers.

Note: Encryption is supported on LTO-4 media and IBM and HP LTO-4 Fibre Channel and SAS tape drives. Encryption is not supported on SCSI tape drives. For more information refer to the online help or user's guide.
Select "Allow Application Managed" as the encryption method to disable library managed encryption. The "Allow Application Managed" encryption selection allows your backup application to control when encryption is used. If your backup application is not configured to control encryption, data will not be encrypted.

 
  LME Settings  
 
Partition Primary Host : Port Secondary Host : Port SSL Key Server Encryption Method
'Allow Application Managed', 4=>'Enable Library Managed' ); $Policies = array( 2=>'Encrypt All (default)', 6=>'Selective Encryption (internal label)', 7=>'Encrypt All(Internal Label)' ); $EKMLicensesUsed = 0; $aDriveLoaded = false; foreach($libs as $lib) { $libDriveLoaded = false; // First see if this LL even has a drive that supports Encryption. $theMethod = 255; // N/A $thePolicy = 255; // N/A $encryption = get_partition_enryption( $user, $lib->guid ); error_log("\nStored encryption values: ".print_r($encryption, true)); $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY); error_log( "\nDrives = ". print_r($drives, true) ); $ekm_data_lib = get_ekm_by_library( $user, $lib->guid ); error_log( "\nekm_data_lib = ". print_r($ekm_data_lib, true) ); $lib->EncryptCnt = 0; // Create the new attribute $contains_SCSI_LTO4 = false; $contains_non_SCSI_LTO4 = false; $vendor = ""; $disableIt = false; foreach($drives as $drive ) { //OLDWAY$disableIt = true; // Default to disabled incase it's not an LTO4 // If any Drive is loaded with a tape we need to disable the changing of the paritions encryption. if(($drive->driveType == 'LTO-4') && ($drive->name == $lib->name)) { //!?! If no CR's pop up delete all the OLDWAY stuff //OLDWAY$disableIt = false; // It's an LTO4 drive that might be capable of encryption //error_log("+-=-=-=- ". $drive->location . "= \n". print_r($drive,true) ); if($drive->active || $drive->mediaPresent == "1") { error_log("Disabling Encryption because Meida is present in one of the drives"); $disableIt = true; $aDriveLoaded = true; $libDriveLoaded = true; } $theMethod = $encryption->method; if( $theMethod == 255 || $theMethod == 0 ) $theMethod = 3; // Convert to Application managed. $thePolicy = $encryption->policy; // Check for IBM SCSI LTO4 drives which are NOT encryption Capable. // !?!Why do we NOT let them do this but we let them put a LTO2 drive in????????????????????????????? 
if( $drive->vendor == "IBM" && $drive->interfaceType == "SCSI") $contains_SCSI_LTO4 = true; else { $lib->EncryptCnt++; $contains_non_SCSI_LTO4 = true; } error_log("drive->vendor = ". $drive->vendor); error_log("isQEKM = ". $isQEKM); error_log("isQKM = ". $isQKM); //error_log("The test is: if(( (drive->vendor == 'IBM') && !isQEKM ) || ( (drive->vendor == 'HP') && !isQKM ))"); // Handle Drive Manufacter and Enabled Encryption types. //!?!if(( ($drive->vendor == "IBM") && !$isQEKM ) || ( ($drive->vendor == "HP") && !$isQKM )) //{ // error_log("Disabling Encryption because the correct servertype is NOT configured."); // $disableIt = true; //} if( $vendor == "" ) $vendor = $drive->vendor; if($drive->vendor != $vendor) { error_log("Disabling Encryption because not all drives in the system are the same vendor."); $disableIt = true; $vendor = "BOTH"; } } else { error_log("D R I V E ". $drive->location ." is NOT encryption capable.\n"); $disableIt = true; } } // Set VendorType to it's severtype for comping in apply 0 if both $vendorType = ($vendor == "BOTH"?0:($vendor == "IBM"?1:2)); if($contains_SCSI_LTO4 == true && $contains_non_SCSI_LTO4 == false) { error_log("Disabling Encryption because both LTO4 and Non-LTO 4 drives are present.."); $disableIt = true; $theMethod = 255; } ?> "; ?> document.getElementById('driveLoadedTxt').innerHTML = \"
You cannot edit the Encryption Method or Key Server of a partition with a tape cartridge loaded in a drive.\";"; //if( $Brand == 'dell' ) { echo ""; ?>
name."' name='" .$lib->name."' value='".$theMethod."'>"; echo ""; echo ""; echo ""; if( $libDriveLoaded ) { //OLDWAY$disableIt = true; // If ANY drive is loaded in the parition Disable the control echo "".$lib->name.""; if( $Brand != 'dell' ) echo'
(Cannot edit when a drive is loaded)
'; } else echo $lib->name; //////////////////////////////////////////////////////////////////////////////////////////////// Ovwerride START //if( $Brand == 'dell' ) { // Code to gray out edit fields if not LME //!?!if( $theMethod != 4 ) $disableItPart = true; // Only allow edits when the partition's encryption type is Library managed. if( $theMethod == 4 ) // They have the partition set to LME count it's LTO4 IBM Drives. $EKMLicensesUsed += $lib->EncryptCnt; ?>
> : > > : > useSSL==true?"CHECKED":""?> > name."' name='ekmPHost".$lib->name."' value='".$ekm_data_lib->primaryIP."'>"; echo ""; echo ""; echo ""; echo ""; } // if DELL // else // echo"
 
Click here to run EKM Path Diagnostics