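// Setup page for per-partition (logical library) encryption configuration.
//
// Flow, as far as this file shows:
//   1. Register/process xAjax callbacks.
//   2. On POST: take every partition whose encryption method changed offline,
//      apply the new method (running the SKM/AKM server setup once if needed),
//      save the key-server type per partition, restore the partitions' modes,
//      print a ReturnStatus and stop.
//   3. On GET: load key-manager data used by the HTML that follows.
//
// NOTE(review): the receiver of this first call is not visible in this file;
// presumably it is $xajax (see $xajax->processRequest() below) -- confirm.
registerFunction("getEKMPartitions");
session_start();
// NOTE(review): nothing visible here verifies that $_SESSION['user'] is set or
// authorised for this page, and the POST handler below checks no anti-CSRF
// token. Presumably the includes enforce this -- confirm, because the handler
// changes encryption and key-server settings.
$user = $_SESSION['user'];
$in_xAjax = false;
$xAjax_objResponse;
include('IOB_inc.htm');
include('common_admin_inc.htm');
$akmResult = akm_get_error_codes();
//error_log("akm_get_errorcodes = ". print_r($akmResult,true) );

// Key-server connection settings for one partition; passed to set_ekm_by_library().
// NOTE(review): the constructor uses the PHP 4 convention (method named after
// the class). PHP 8 no longer treats such a method as a constructor, so the
// properties would stay unset there.
class EKMdata
{
    var $primaryIP;
    var $primaryPort;   // default is 3801 (decimal)
    var $secondaryIP;
    var $secondaryPort; // default is 3801 (decimal)
    var $useSSL;
    var $keyClassName;

    function EKMdata( $primaryIP, $primaryPort, $secondaryIP, $secondaryPort, $ssl, $keyClassName )
    {
        $this->primaryIP = $primaryIP;
        $this->primaryPort = $primaryPort;
        $this->secondaryIP = $secondaryIP;
        $this->secondaryPort = $secondaryPort;
        $this->useSSL = $ssl;
        $this->keyClassName = $keyClassName;
    }
};

// Encryption settings for one partition; passed to set_partition_enryption().
// In this file method 4 is used for "Library Managed" and 3 for
// "Application Managed"; policy 2 is set for Library Managed, 0xff otherwise.
// Same PHP 4 constructor convention as EKMdata.
class Encryption
{
    var $libGuid;
    var $method;
    var $policy;
    var $density;
    var $key_path;
    var $method_not_used;
    var $policy_not_used;

    function Encryption( $libGuid, $method, $policy, $density, $key_path, $method_not_used, $policy_not_used)
    {
        $this->libGuid = $libGuid;
        $this->method = $method;
        $this->policy = $policy;
        $this->density = $density;
        $this->key_path = $key_path;
        $this->method_not_used = $method_not_used;
        $this->policy_not_used = $policy_not_used;
    }
};

// The PHP function that is called from JavaScript through xAjax when the user selects an I/O Blade.
// As written it only flags that an xAjax call is in progress and returns an empty response.
function getEKMPartitions($aBladeID)
{
    global $in_xAjax;
    $user = $_SESSION['user'];
    $xAjax_objResponse = new xajaxResponse();
    ///
    $in_xAjax = true;
    return $xAjax_objResponse;
}

// Put every library that the POST handler took offline back into the mode it
// had before. $setOffline maps library GUID => status string captured before
// the library was taken offline; anything other than "Online" is restored as
// offline (mode 0).
function restoreLibraryModes($user, $libs, $setOffline)
{
    foreach( $libs as $lib )
    {
        if( isset($setOffline[$lib->guid]) )
        {
            error_log("Setting the library ".$lib->guid." back to ". $lib->status);
            change_library_mode($user, $lib->guid, ($setOffline[$lib->guid]=="Online"?1:0));
        }
    }
}

$xajax->processRequest();

/*******************************************************************************************/
// Post needs this data also
$libs = get_logical_libraries($user, $sortCriteria);
//error_log("get_logical_libraries = ". print_r($libs,true) );
$lib_count = count($libs);

// Handle the progress screen if opened and set the NEW data
// Fix: the array key was the bare word REQUEST_METHOD, which PHP resolves as an
// undefined constant (an Error on PHP 8, a notice/warning before that).
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
    $operationInProgress = true;
    $status = new ReturnStatus();
    // NOTE(review): the whole request body is written to the error log, and
    // several log lines below concatenate raw $_POST values. Consider logging
    // only the expected fields, with control characters stripped, so that
    // request data cannot forge or split log entries.
    error_log($_SERVER['REQUEST_URI']." POST = ". print_r($_POST, true) );
    $akmWasRan = false;
    $akm1st = true;
    $bailOut = false; // Set this if akm_setup_servers fails so we know to exit the LME-enable loop

    // Take all the libraries offline before starting anything.
    // This way drives in other partitions cannot be loaded while we are setting up a different partition.
    // PCR 27170 & 25610 Set the library to Offline so the user does not load any drives during this operation.
    //error_log( "Library = ". print_r($lib,true) );
    $setOffline = array();
    foreach( $libs as $lib )
    {
        $theMeth = "selMethod".$lib->name;
        error_log( $_POST[$theMeth]." != ".$_POST[$lib->name] );
        if( $_POST[$lib->name] != 255 && ($_POST[$theMeth] != $_POST[$lib->name]) )
        {
            error_log("Taking the library ".$lib->guid." offline. It was ". $lib->status);
            change_library_mode($user, $lib->guid, 0);
            $setOffline[$lib->guid] = $lib->status;
            error_log( $setOffline[$lib->guid]." = ".$lib->status );
        }
    }

    foreach( $libs as $lib )
    {
        // Construct the _POST variables to look for.
        $theMeth = "selMethod".$lib->name;
        $thePol = "selPolicy".$lib->name;
        $theServ = "serverType".$lib->name;

        // Did the setting for this LL change?
        // NOTE(review): the "previous" value ($_POST[$lib->name]) is also supplied
        // by the client, so change detection trusts the request for both sides.
        if( $_POST[$theMeth] != $_POST[$lib->name] )
        {
            if( isset( $_POST[$theMeth] ) )
            {
                // Double check if any of this library's drives are loaded.
                $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY);
                //error_log( "\nDrives = ". print_r($drives, true) );
                foreach($drives as $drive )
                {
                    $disableIt = true; // Default to disabled in case it's not an LTO4
                    // If any drive is loaded with a tape we need to disable the changing of the partition's encryption.
                    if(($drive->driveType == 'LTO-4' || $drive->driveType == 'LTO-5') && ($drive->name == $lib->name))
                    {
                        // It's an LTO4 drive that might be capable of encryption
                        //error_log("+-=-=-=- ". $drive->location . "= \n". print_r($drive,true) );
                        if($drive->active || $drive->mediaPresent == "1")
                        {
                            error_log("Disabling changing Encryption because Media is present in one of the drives");
                            // NOTE(review): error_back() is defined elsewhere. If it ends the
                            // request, the libraries taken offline above are not restored; if it
                            // returns, processing continues although media is loaded -- confirm.
                            error_back(0x50021);
                        }
                    }
                }

                $method = $_POST[$theMeth];
                if( isset( $_POST[$thePol] ) )
                    $policy = $_POST[$thePol];
                else
                    $policy = 0;

                // REQ-Change - undo anything done above with policy
                if( $method == 4 ) // Library Managed
                    $policy = 2;
                else
                    $policy = 0xff; //PCR 22652 (This was 0)

                // If SKM to LME - Make sure the servers are up
                // NOTE(review): 'qkmEnabled' and the server type are request fields compared
                // loosely, so the availability check and the server setup below run only when
                // the client says so. Consider deriving them from server-side state instead.
                $iAkmReady = true;
                $bSet = true;
                if( $method == 4 && $_POST['qkmEnabled']==true && $_POST[$theServ] == 2)
                {
                    $iAkmReady = akm_servers_available($user, true);
                    // $iAkmReady = (akm_servers_available($user) == 1);
                    error_log("\nakm_servers_available returned: ". print_r($iAkmReady, true));
                }

                // Don't run the setupServer call if SKM is being set to LME without both servers running.
                // Or if it's already been run this iteration.
                if( $iAkmReady )
                {
                    // This only needs called when setting SKM to LME
                    if( $akm1st == true && $method == 4 && $_POST['qkmEnabled']==true && $_POST[$theServ] == 2) // Library Managed
                    {
                        error_log("A SKM parition is being set to LME.........");
                        if( $iAkmReady )
                        {
                            $akm1st = false; // Reset the flag so we only run this once.
                            error_log("\n\n*** We are running the SKM setupServer call. ***\n\n");
                            // NOTE(review): '@' hides any warning raised by the call; only the
                            // return code is inspected.
                            $iRes = @akm_setup_servers($user);
                            error_log("akm_setup_servers returned a '". $iRes ."'" );

                            // Check for an error returned akm_setup_servers
                            if( $iRes != -2147483648 /* Succedded */ )
                            {
                                error_log("akm_setup_servers failed with a ". $iRes);
                                // Fix: report $iRes directly. The original stored it in
                                // $akmStatus->status first, but nothing in this file assigns
                                // $akmStatus before this point.
                                $status->setErrorCode( $iRes );
                                // Fix: this early exit used to leave every library taken offline
                                // above in offline mode; restore them as the normal path does.
                                restoreLibraryModes($user, $libs, $setOffline);
                                print $status->out();
                                return;
                            }
                            else
                            {
                                // The call to akm_setup_servers succeeded - now let's wait for it to finish
                                // NOTE(review): this poll has no iteration cap or deadline. If the
                                // status never reaches StatusFinished the request blocks here while
                                // reset_inactive_timer() keeps being called. Consider a bounded wait.
                                do
                                {
                                    // NOTE: The check progress may not be started when you call it the first time,
                                    // so to get around this the sleep is done before checking the status.
                                    sleep(10);
                                    @reset_inactive_timer($user);
                                    $akmStatus = @akm_setup_progress($user, 0);
                                    error_log("Looped - akm_setup_progress returned: ". print_r($akmStatus,true) );
                                    if( $akmStatus->result == 0x2c /* BadSerialNumber */ )
                                    {
                                        error_log("We got a BadSerialNumber error converting to GUI error 0x55000...");
                                        $akmStatus->status = 0x55000;
                                        $bSet = false;
                                        break;
                                    }
                                    else if( $akmStatus->result == 0x7F000013 /* SetupDuplicateSerialNumber */ )
                                    {
                                        error_log("We got a SetupDuplicateSerialNumber error...");
                                        $akmStatus->status = 0x7F000013;
                                        $bSet = false;
                                        break;
                                    }
                                    // This does not work like I was first told. The status is NEVER SetupStatusTestingServers. It's always $akmResult->StatusFinished
                                    // I'm leaving this in for now so I remember I tried using the SetupStatusTestingServers
                                    // PCR 27028 Need to check for Bad Serial Numbers ONLY when the status is EkmResult::SetupStatusTestingServers
                                    // if( $akmStatus->status == 0x7F000010 /*SetupStatusTestingServers*/ )
                                    // {
                                    //     if( $akmStatus->res == 0x2c /* BadSerialNumber */ )
                                    //     {
                                    //         error_log("We got a BadSerialNumber error converting to GUI error 0x55000...");
                                    //         $akmStatus->status = 0x55000;
                                    //         break;
                                    //     }
                                    //     else if( $akmStatus->res == 0x7F000013 /* SetupDuplicateSerialNumber */ )
                                    //     {
                                    //         error_log("We got a SetupDuplicateSerialNumber error...");
                                    //         $akmStatus->status = 0x7F000013;
                                    //         break;
                                    //     }
                                    // }
                                }while( $akmStatus->status != $akmResult->StatusFinished );
                            }

                            error_log("\n\n\n>>>>>>>>>>>>>>>>>>>>>>>>> We have finished the progress check <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n\n\n");
                            error_log("\nakm_setup_progress returned: ". print_r($akmStatus,true) );
                            error_log("$akmStatus->status != $akmResult->StatusFinished");

                            // pcr 27905 errors were not being displayed because the status was StatusFinished.
                            // I'm concerned why this check was in here to begin with, so I'm only commenting it out in case it causes another PCR later.
                            // if( $akmStatus->status != $akmResult->SUCCEEDED && $akmStatus->status != $akmResult->StatusFinished )
                            if( $akmStatus->result == $akmResult->SUCCEEDED || $akmStatus->result == $akmResult->SetupSucceededKeysGenerated)
                                error_log("akm_setup_progress returnd succedded");
                            else
                            {
                                if( $akmStatus->result != $akmResult->SUCCEEDED )
                                    $akmStatus->status = $akmStatus->result;
                                $status->setErrorCode( $akmStatus->status );
                                $bSet = false;
                                $bailOut = true;
                            }

                            if( $akmStatus->result == $akmResult->SetupSucceededKeysGenerated )
                                $akmWasRan = true;
                        }
                        else //!?! This is OLD code that will be needed when we don't need both server to set LME for SKM
                        {
                            // Not reachable as written: the enclosing branch already requires $iAkmReady.
                            error_log("The severs are not ready - so the setupServer call is being skipped and an error is being retunred.");
                            $status->setErrorCode( $iAkmReady );
                            $bSet = false;
                        }
                    }

                    if( $bSet )
                    {
                        // !?! NOTE: When we do overrides this call will need to happen AFTER we set the new IP's
                        error_log( "Setting encryption for library ". $lib->name. " | Method = ". $method ." | Policy = ". $policy );
                        $encypt = new Encryption( $lib->guid, (int)$method, (int)$policy, -1, -1, -1, -1 );
                        set_partition_enryption( $user, $encypt );
                    }
                    else
                        error_log(">>> NOT RUNNING set_partition_enryption because of error <<<");
                }
                else
                {
                    // NOTE(review): no error code is set on $status on this path, so the response
                    // printed at the end may look like success although the partition's encryption
                    // method was not changed -- confirm how ReturnStatus defaults.
                    error_log(">>> NOT RUNNING set_partition_enryption because SKM is not ready<<<");
                }
            }
        }
        else
            error_log("Encryption Method for ".$lib->name." did not change!");

        if($bailOut)
        {
            error_log("Exiting library loop because akm setup failed.");
            break; // Exit "foreach lib" loop
        }

        //if( $Brand == 'dell' )
        {
            // See if we need to save server setting only (We don't do overrides)
            error_log( "if('". $_POST["serverType".$lib->name] ."' != '". $_POST["serverTypeOrig".$lib->name]."');" );
            if( isset($_POST["serverType".$lib->name]) && ($_POST["serverType".$lib->name] != $_POST["serverTypeOrig".$lib->name]) )
            {
                error_log("We are saving set_ekm_by_library! for $lib->name");

                // Create some variables so the code is easier to read.
                // NOTE(review): host, SSL flag, server type and key class name go from the
                // request to set_ekm_by_library() unchanged (ports are only cast to int).
                // Unless that function validates them, add host/port-range/type checks here:
                // these values decide which key server the partition talks to.
                $thePaddr = $_POST["paddr_".$lib->name];
                $thePport = (int) $_POST["pport_".$lib->name];
                $theSaddr = $_POST["saddr_".$lib->name];
                $theSport = (int) $_POST["sport_".$lib->name];
                $theSSL = isset($_POST["ssl_".$lib->name]);
                $ekmPaddr = $_POST["ekmPHost".$lib->name];
                $ekmPport = (int) $_POST["ekmPPort".$lib->name];
                $ekmSaddr = $_POST["ekmSHost".$lib->name];
                $ekmSport = (int) $_POST["ekmSPort".$lib->name];
                $ekmSSL = $_POST["ekmSSL".$lib->name];
                $servType = $_POST["serverType".$lib->name];
                $keyClassName = $_POST["ekeyClassName".$lib->name];

                error_log( "\nthePaddr - ekmPaddr | thePport - ekmPport == theSaddr -ekmSaddr | theSport - ekmSport - servType" );
                error_log( "\n". $thePaddr ." - ". $ekmPaddr ." | ". $thePport ." - ". $ekmPport ."\n". $theSaddr ." - ". $ekmSaddr ." | ". $theSport ." - ". $ekmSport ." - ". $servType."\n" );

                //if( $thePaddr != $ekmPaddr || $thePport != $ekmPport ||
                //    $theSaddr != $ekmSaddr || $theSport != $ekmSport || $theSSL != $ekmSSL )
                {
                    error_log("There was a change in the Overrides for ".$lib->name."!");
                    //$ekmData = new EKMdata($thePaddr, $thePport, $theSaddr, $theSport, $theSSL);
                    $ekmData = new EKMdata($ekmPaddr, $ekmPport, $ekmSaddr, $ekmSport, $ekmSSL, $keyClassName);
                    error_log("Setting library ". $lib->guid ." to serverType ". $servType ."\n". print_r($ekmData, true) );
                    set_ekm_by_library($user, $lib->guid, $ekmData, $servType);
                }
                //else
                //    error_log("There was NO changes in the Overrides for ".$lib->name."!");
            }
            else
                error_log("Server Type for ".$lib->name." did not change!");
        }// if DELL
    }// for lib

    // Put the libraries back to their original states.
    // (The per-library debug line that read $setOffline[...] for libraries never
    // taken offline was dropped; the full map is still logged just below.)
    error_log("Setting librarys back to original state...");
    error_log("setOffline == " . print_r($setOffline, true) );
    restoreLibraryModes($user, $libs, $setOffline);

    if( $akmWasRan == true )
    {
        print $status->closeMsg(4, "akm_setup_servers was run" );
        //print $status->SKM CheckStatus('finishLogDump', $fileName, $OpGuid);
    }
    else
        print $status->out();
    return;
}

// GET path: load the data the page markup below renders.
$ekm_data = get_ekm( $user, 1 );
$qkm_data = get_ekm( $user, 2 ); // get SKM Data
$rkm_data = get_ekm( $user, 3 ); // get RKM Data
error_log("\nekm_data = " . print_r($ekm_data, true) );
error_log("\nqkm_data = " . print_r($qkm_data, true) );
error_log("\nrkm_data = " . print_r($rkm_data, true) );

$isQKM = isQKMEnabled( $qkm_data );
// Fix: '.' binds tighter than '?:', so the unparenthesised form always logged "true".
error_log("isQKMEnabled returned a ". ($isQKM?"true":"false"));

// Not doing RKM yet.....
//$isRKM = isRKMEnabled( $rkm_data );
//error_log("isRKMEnabled returned a ". $isRKM?"true":"false");
$isRKM = false;

$isQEKM = isQEKMEnabled( $ekm_data );
// Fix: same precedence problem as above.
error_log("isQEKMEnabled returned a ". ($isQEKM?"true":"false"));

$ekmMax = get_ekm_drive_cnt($user);
$akmStatus = @akm_setup_progress($user, 0);
error_log("\nakm_setup_progress returned: ". print_r($akmStatus,true) );
error_log("$akmStatus->status != $akmResult->StatusFinished");

// The library counts as busy while a key-server setup is neither finished nor not started.
if( $akmStatus->status == $akmResult->StatusFinished || $akmStatus->status == $akmResult->StatusNotStarted )
    $libBusy = false;
else
    $libBusy = true;
?> printJavascript(); ?> Setup Quantum Library Managed Encryption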
Setup - Encryption Partition Configuration
Set up the Encryption for library partitions.

Quantum Encryption Key Manager must be licensed to configure or use it.
Please click here to add a license key.

primaryIP == "" && $qkm_data->primaryIP == "" && false ) // Servers defaults not setup { ?>
The Quantum Encryption Key Servers are not set up. Please make sure they are configured properly to view this page.
Please click here to go to the "Setup - Encryption Key Server Access Configuration" page and set up your EKM servers.

Note: Encryption is supported on LTO-4 and LTO-5 media and IBM and HP LTO-4 and LTO-5 Fibre Channel and SAS tape drives. Encryption is not supported on SCSI tape drives. For more information refer to the online help or user's guide.
Select "Allow Application Managed" as the encryption method to disable library managed encryption. The "Allow Application Managed" encryption selection allows your backup application to control when encryption is used. If your backup application is not configured to control encryption, data will not be encrypted.

 
  LME Settings  
 
Partition Primary Host : Port Secondary Host : Port SSL Key Server Encryption Method
'Allow Application Managed', 4=>'Enable Library Managed' ); $Policies = array( 2=>'Encrypt All (default)', 6=>'Selective Encryption (internal label)', 7=>'Encrypt All(Internal Label)' ); $EKMLicensesUsed = 0; $aDriveLoaded = false; foreach($libs as $lib) { $libDriveLoaded = false; // First see if this LL even has a drive that supports Encryption. $theMethod = 255; // N/A $thePolicy = 255; // N/A $encryption = get_partition_enryption( $user, $lib->guid ); error_log("\nStored encryption values: ".print_r($encryption, true)); $drives = get_all_drives_by_library($user, $lib->guid, $sortCriteria, (int)0,(int)MEDIA_TYPE_ANY); error_log( "\nDrives = ". print_r($drives, true) ); $ekm_data_lib = get_ekm_by_library( $user, $lib->guid ); error_log( "\nekm_data_lib = ". print_r($ekm_data_lib, true) ); $lib->EncryptCnt = 0; // Create the new attribute $contains_SCSI_LTO4 = false; $contains_non_SCSI_LTO4 = false; $vendor = ""; $disableIt = false; foreach($drives as $drive ) { //OLDWAY$disableIt = true; // Default to disabled incase it's not an LTO4 // If any Drive is loaded with a tape we need to disable the changing of the paritions encryption. if(($drive->driveType == 'LTO-4' || $drive->driveType == 'LTO-5') && ($drive->name == $lib->name)) { //!?! If no CR's pop up delete all the OLDWAY stuff //OLDWAY$disableIt = false; // It's an LTO4 drive that might be capable of encryption //error_log("+-=-=-=- ". $drive->location . "= \n". print_r($drive,true) ); if($drive->active || $drive->mediaPresent == "1") { error_log("Disabling Encryption because Media is present in one of the drives"); $disableIt = true; $aDriveLoaded = true; $libDriveLoaded = true; } $theMethod = $encryption->method; if( $theMethod == 255 || $theMethod == 0 ) $theMethod = 3; // Convert to Application managed. $thePolicy = $encryption->policy; // Check for IBM SCSI LTO4 drives which are NOT encryption Capable. // !?!Why do we NOT let them do this but we let them put a LTO2 drive in????????????????????????????? 
if( $drive->vendor == "IBM" && $drive->interfaceType == "SCSI") $contains_SCSI_LTO4 = true; else { $lib->EncryptCnt++; $contains_non_SCSI_LTO4 = true; } error_log("drive->vendor = ". $drive->vendor); error_log("isQEKM = ". $isQEKM); error_log("isQKM = ". $isQKM); //error_log("The test is: if(( (drive->vendor == 'IBM') && !isQEKM ) || ( (drive->vendor == 'HP') && !isQKM ))"); // Handle Drive Manufacter and Enabled Encryption types. //!?!if(( ($drive->vendor == "IBM") && !$isQEKM ) || ( ($drive->vendor == "HP") && !$isQKM )) //{ // error_log("Disabling Encryption because the correct servertype is NOT configured."); // $disableIt = true; //} if( $vendor == "" ) $vendor = $drive->vendor; if($drive->vendor != $vendor) { error_log("Disabling Encryption because not all drives in the system are the same vendor."); $disableIt = true; $vendor = "BOTH"; } } else { error_log("D R I V E ". $drive->location ." is NOT encryption capable.\n"); $disableIt = true; } } // Set VendorType to it's severtype for comping in apply 0 if both $vendorType = ($vendor == "BOTH"?0:($vendor == "IBM"?1:2)); if($contains_SCSI_LTO4 == true && $contains_non_SCSI_LTO4 == false) { error_log("Disabling Encryption because both LTO4 and Non-LTO 4 drives are present.."); $disableIt = true; $theMethod = 255; } ?> "; ?> document.getElementById('driveLoadedTxt').innerHTML = \"
You cannot edit the Encryption Method or Key Server of a partition with a tape cartridge loaded in a drive.\";"; //if( $Brand == 'dell' ) { echo ""; ?>
name."' name='" .$lib->name."' value='".$theMethod."'>"; echo ""; echo ""; echo ""; if( $libDriveLoaded ) { //OLDWAY$disableIt = true; // If ANY drive is loaded in the parition Disable the control echo "".$lib->name.""; if( $Brand != 'dell' ) echo'
(Cannot edit when a drive is loaded)
'; } else echo $lib->name; //////////////////////////////////////////////////////////////////////////////////////////////// Ovwerride START //if( $Brand == 'dell' ) { // Code to gray out edit fields if not LME //!?!if( $theMethod != 4 ) $disableItPart = true; // Only allow edits when the partition's encryption type is Library managed. if( $theMethod == 4 ) // They have the partition set to LME count it's LTO4 IBM Drives. $EKMLicensesUsed += $lib->EncryptCnt; ?>
> : > > : > useSSL==true?"CHECKED":""?> > name."' name='ekmPHost".$lib->name."' value='".$ekm_data_lib->primaryIP."'>"; echo ""; echo ""; echo ""; echo ""; echo ""; } // if DELL // else // echo"
 
Click here to run EKM Path Diagnostics