Configuring Encryption Key Server Access

The web client allows you to configure library access to a primary and secondary Quantum Encryption Key Manager (Q-EKM) or Quantum Key Manager (QKM) server. For an overview of library managed encryption, see About Library Managed Encryption.

NOTE: You cannot edit the encryption system configuration settings when any QKM partition is enabled for library managed encryption. If this happens, go to Setup > Encryption > Partition Configuration and change all QKM partition settings from Enable Library Managed to Allow Application Managed. Then make your changes to the system configuration settings. Finally, go back and change all the QKM partition settings back to Enable Library Managed.

NOTE: This operation should not be performed concurrently by multiple administrative users logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrative user is performing the same operation.

Users with administrative privileges can configure key server system settings, but users with user privileges cannot.

  1. From the Setup menu, select Encryption > System Configuration.
  2. Key Server Type: Displays which key server(s) are supported on your library. If you have only IBM encryption-capable tape drives in the library, Q-EKM is displayed in the drop-down list and the Q-EKM server configuration settings are visible. If you have only HP encryption-capable tape drives in the library, QKM is displayed in the drop-down list and the QKM server configuration settings are visible. If you have both types of tape drives in the library, both are available from the drop-down list and you can configure them one at a time (see the following NOTE).

    NOTE: If you plan to use both Q-EKM and QKM, you can configure both here, one at a time. There are effectively two screens, which you can toggle between by using the drop-down list. Configure either Q-EKM or QKM first, click Apply to save your changes, then configure the other one. You can make changes to either screen whenever you need to, but remember that when you make a change, you must click Apply before switching to the other screen or your changes will not be saved.

  3. Automatic EKM Path Diagnostic:
  4. Secure Sockets Layer (SSL): Enable/disable as follows, depending on which key server you are using:
  5. Type the IP address (if DNS is not enabled) or the host name (if DNS is enabled) of the primary key server into the Primary Key Server IP Address or Host text box.

    NOTE: IP addresses must be in either IPv4 or IPv6 format.

  6. Type the port number for the primary key server into the Primary Key Server Port Number text box. For Q-EKM, the default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443. For QKM, the port number is always 6000. You cannot change QKM port numbers.
  7. If you are using a secondary server for failover purposes, type the IP address or host name of the secondary key server into the Secondary Key Server IP Address or Host text box. For Q-EKM only: If you are not using a secondary key server, you may type a zero IP address, 0.0.0.0, in the text box, or you may leave the text box blank.

    NOTE: If you change the Q-EKM port number for the key server from the default setting on the library, you must also change the port number on the actual key server to match, or library managed encryption will not work properly. See your key server user's manual for information on changing the port number on the server.

  8. If you configured a secondary key server IP address, type the port number for the secondary server into the Secondary Key Server Port Number text box. For Q-EKM, the default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443. For QKM, the port number is always 6000.

    NOTE: For Q-EKM: If you are using a secondary key server, then the port numbers for both the primary and secondary key servers must be set to the same value. If they are not, synchronization and failover will not occur.

  9. Click Apply.

    The Progress Window appears. The Progress Window contains information on the action, elapsed time, and status of the requested operation. Do one of the following:

  10. Save the library configuration.

    For instructions on how to save the library configuration, see Saving the Configuration.

You may also access the EKM Path Diagnostics from this screen. For more information, see Encryption Key Manager Path Diagnostics.
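
The port and address rules in steps 5 through 8 can be checked against a planned configuration before you type it into the web client. The following Python script is an added example, not part of the library software or of Quantum's tools; the function names, the finding messages and the sample addresses are assumptions made for illustration.

```python
import ipaddress

QEKM_PORT, QEKM_SSL_PORT, QKM_PORT = 3801, 443, 6000  # values stated in steps 6 and 8


def _check_host(label, host, dns_enabled, findings):
    # With DNS disabled the field must hold a literal IPv4 or IPv6 address.
    if dns_enabled:
        return
    try:
        ipaddress.ip_address(host.strip())
    except ValueError:
        findings.append(f"ERROR: {label} host {host!r} is not an IPv4/IPv6 address and DNS is disabled")


def check_plan(server_type, ssl, dns_enabled, primary_host, primary_port,
               secondary_host=None, secondary_port=None):
    """Return findings for a planned configuration; an empty list means consistent."""
    if server_type not in ("Q-EKM", "QKM"):
        return [f"ERROR: unknown key server type {server_type!r}"]
    findings = []
    _check_host("primary", primary_host, dns_enabled, findings)
    # Blank or 0.0.0.0 means "no secondary server" (documented for Q-EKM only).
    has_secondary = (secondary_host or "").strip() not in ("", "0.0.0.0")
    if has_secondary:
        _check_host("secondary", secondary_host, dns_enabled, findings)
    ports = [("primary", primary_port)] + ([("secondary", secondary_port)] if has_secondary else [])
    if server_type == "QKM":
        if not has_secondary:
            findings.append("WARN: a blank or 0.0.0.0 secondary is documented for Q-EKM only")
        for label, port in ports:
            if port != QKM_PORT:
                findings.append(f"ERROR: {label} port {port}: QKM always uses {QKM_PORT}")
        return findings
    default = QEKM_SSL_PORT if ssl else QEKM_PORT
    for label, port in ports:
        if port != default:
            findings.append(f"WARN: {label} port {port} is not the default {default}; "
                            "the key server itself must be set to the same port")
    if has_secondary and secondary_port != primary_port:
        findings.append("ERROR: Q-EKM primary and secondary ports differ; "
                        "synchronization and failover will not occur")
    return findings


if __name__ == "__main__":
    # Constructed sample plan using documentation-range addresses.
    for line in check_plan("Q-EKM", True, False, "192.0.2.10", 443, "192.0.2.11", 3801):
        print(line)
```

An ERROR finding marks a setting that this page says will not work; a WARN finding marks a setting that needs a matching change or a second look before you click Apply.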
