Configuring Encryption Key Server Access
The web client allows you to configure library access to a primary and secondary Quantum Encryption Key Manager (Q-EKM) or Scalar Key Manager (SKM) server. For an overview of library managed encryption, see About Library Managed Encryption.
NOTE: You cannot edit the encryption system configuration settings while any EKM partition is enabled for library managed encryption. To change them, first go to Setup > Encryption > Partition Configuration and change every EKM partition from Enable Library Managed to Allow Application Managed. Then go to Setup > Encryption > System Configuration and make your changes. Finally, return to Setup > Encryption > Partition Configuration and set the partitions back to Enable Library Managed. While the partitions are set to Allow Application Managed, library managed encryption is not in effect for them, so complete the change before resuming backups. (See Configuring Partition Encryption.)
NOTE: This operation should not be performed concurrently by multiple administrators logged in from different locations. You can open the relevant screens, but you cannot apply changes while another administrator is performing the same operation.
You need administrator privileges to configure key server system settings.
- Unload tape cartridges from all encryption-capable tape drives in the library.
- From the Setup menu, select Encryption > System Configuration.
- Key Server Type: This field only displays if you have both IBM and HP encryption-enabled tape drives installed in the library. If this is the case, select which encryption solution you plan to use (Q-EKM for IBM tape drives; SKM for HP tape drives). Note that the library does not support using both Q-EKM and SKM on the same library.
- Automatic EKM Path Diagnostics: When enabled, this feature performs a check, at specified intervals, to make sure both key servers are connected to the library and functioning properly. The library generates a RAS ticket if there are problems. You can enable or disable the feature, and select the interval at which the library performs the check. You may also specify the number of consecutive missed test intervals required to generate a RAS ticket. For more information, see Automatic EKM Path Diagnostics.
- SSL Connection: Enable or disable Secure Sockets Layer as follows, depending on which key server you are using:
- Q-EKM — If you want to enable SSL for communication between the library and the Q-EKM key servers, select the SSL Connection check box. (The default is Disabled.) If you enable SSL, you must make sure that the primary and secondary port numbers (see below) match the SSL port numbers set on the key servers. The default SSL port number is 443.
NOTE: Keys are always encrypted before being sent from the Q-EKM server to a drive, whether SSL is enabled or not. Enabling SSL adds protection for the connection between the library and the key server as a whole, so enable it unless the key server cannot support it.
- SKM — SSL is always enabled. The SSL port number is always 6000.
NOTE: SKM does not actually use SSL; it communicates over the Transport Layer Security (TLS) protocol. The check box is nevertheless labeled "SSL."
- Type the IP address (if DNS is not enabled) or the host name (if DNS is enabled) of the primary key server into the Primary Key Server IP Address or Host text box.
NOTE: IP addresses must be in either IPv4 or IPv6 format.
- Type the port number for the primary key server into the Primary Key Server Port Number text box. For Q-EKM, the default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443. For SKM, the port number is always 6000. You cannot change SKM port numbers.
NOTE: If you change the Q-EKM port number for the key server from the default setting on the library, you must also change the port number on the key server itself to match, or library managed encryption will not work properly. See your key server user's manual for information on changing the port number on the server.
- If you are using a secondary server for failover purposes, type the IP address or host name of the secondary key server into the Secondary Key Server IP Address or Host text box. For Q-EKM only: If you are not using a secondary key server, you may type a zero IP address, 0.0.0.0, in the text box, or you may leave the text box blank.
- If you configured a secondary key server IP address, type the port number for the secondary server into the Secondary Key Server Port Number text box. For Q-EKM, the default port number is 3801 unless SSL is enabled. If SSL is enabled, the default port number is 443. For SKM, the port number is always 6000.
NOTE: For Q-EKM: If you are using a secondary key server, the port numbers for both the primary and secondary key servers must be set to the same value. If they are not, synchronization and failover will not occur.
- Click Apply.
The Progress Window displays. It contains information on the action, elapsed time, and status of the requested operation. Do one of the following:
- If Success displays in the Progress Window, the system settings were successfully configured. Click Close to close the Progress Window.
- If Failure displays in the Progress Window, the system settings were not successfully configured. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
- Save the library configuration.
For instructions on how to save the library configuration, see Saving the Configuration.
You may also access the EKM Path Diagnostics from this screen. For more information, see EKM Path Diagnostics.
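The following is an added example, not code from the library or from Quantum. Before clicking Apply, it checks the settings entered in the procedure above against the constraints the procedure states (Q-EKM default port 3801, or 443 with SSL; SKM fixed at port 6000 over TLS; Q-EKM primary and secondary ports must match; a blank or 0.0.0.0 secondary means no secondary; addresses must be IPv4 or IPv6 literals unless DNS is enabled), and it models Automatic EKM Path Diagnostics as a per-server count of consecutive missed checks that opens a ticket at a configurable threshold. The class and function names, the severity prefixes, and the probe interface are assumptions of this example; the library's own diagnostics logic is not public. The probe is injectable so the check can run offline against a constructed fake; the real probe does a TCP connect and, when the path uses SSL/TLS, a verified TLS handshake.

```python
"""Pre-flight check for library managed encryption key server settings.

Added example (not Quantum's code). Encodes the constraints stated in the
configuration procedure and a model of Automatic EKM Path Diagnostics.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

QEKM_DEFAULT_PORT = 3801      # Q-EKM without SSL
QEKM_DEFAULT_SSL_PORT = 443   # Q-EKM with SSL enabled
SKM_PORT = 6000               # SKM: fixed port, always TLS


@dataclass
class KeyServerConfig:
    server_type: str               # "Q-EKM" or "SKM" (hypothetical field names)
    primary_host: str
    primary_port: int
    secondary_host: str = ""       # "" or "0.0.0.0" means no secondary server
    secondary_port: Optional[int] = None
    ssl_enabled: bool = False
    dns_enabled: bool = False      # host names are only allowed when DNS is enabled


def valid_endpoint(value: str, dns_enabled: bool) -> bool:
    """Accept an IPv4/IPv6 literal, or a plain host name only when DNS is enabled."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return dns_enabled and bool(value.strip()) and " " not in value


def has_secondary(cfg: KeyServerConfig) -> bool:
    return cfg.secondary_host.strip() not in ("", "0.0.0.0")


def validate(cfg: KeyServerConfig) -> List[str]:
    """Return 'ERROR:'/'WARN:' findings; an empty list means the settings are consistent."""
    out: List[str] = []
    if cfg.server_type not in ("Q-EKM", "SKM"):
        return [f"ERROR: unknown key server type {cfg.server_type!r}"]
    if not valid_endpoint(cfg.primary_host, cfg.dns_enabled):
        out.append("ERROR: primary host is not an IPv4/IPv6 address (host names need DNS enabled)")
    if has_secondary(cfg) and not valid_endpoint(cfg.secondary_host, cfg.dns_enabled):
        out.append("ERROR: secondary host is not an IPv4/IPv6 address (host names need DNS enabled)")
    if cfg.server_type == "SKM":
        if not cfg.ssl_enabled:
            out.append("ERROR: SKM always uses TLS; SSL Connection must be enabled")
        for name, port in (("primary", cfg.primary_port), ("secondary", cfg.secondary_port)):
            if (name == "primary" or has_secondary(cfg)) and port != SKM_PORT:
                out.append(f"ERROR: SKM {name} port must be {SKM_PORT}")
        return out
    # Q-EKM: a non-default port is allowed only if the server itself was changed to match.
    expected = QEKM_DEFAULT_SSL_PORT if cfg.ssl_enabled else QEKM_DEFAULT_PORT
    if cfg.primary_port != expected:
        out.append(f"WARN: Q-EKM primary port {cfg.primary_port} is not the default {expected}; "
                   "the key server must be listening there")
    if has_secondary(cfg):
        if cfg.secondary_port is None:
            out.append("ERROR: secondary host set but no secondary port")
        elif cfg.secondary_port != cfg.primary_port:
            out.append("ERROR: Q-EKM primary and secondary ports differ; "
                       "synchronization and failover will not occur")
    return out


Probe = Callable[[str, int, bool], bool]


def tcp_probe(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> bool:
    """Live check: TCP connect, plus a verified TLS handshake when the path uses SSL/TLS.
    If the key server's certificate is not in the system trust store, load it with
    ctx.load_verify_locations() rather than turning verification off."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return True
    except OSError:   # ssl.SSLError is a subclass of OSError
        return False


@dataclass
class PathDiagnostics:
    """Consecutive misses per server; a ticket is opened when a count reaches the threshold."""
    misses_to_ticket: int = 3
    misses: Dict[str, int] = field(default_factory=dict)
    tickets: List[str] = field(default_factory=list)

    def run_interval(self, cfg: KeyServerConfig, probe: Probe = tcp_probe) -> List[str]:
        """One scheduled check of every configured key server; returns all open tickets."""
        use_tls = cfg.ssl_enabled or cfg.server_type == "SKM"
        targets = [("primary", cfg.primary_host, cfg.primary_port)]
        if has_secondary(cfg):
            targets.append(("secondary", cfg.secondary_host, cfg.secondary_port))
        for name, host, port in targets:
            if probe(host, port, use_tls):
                self.misses[name] = 0          # a success resets the consecutive count
                continue
            self.misses[name] = self.misses.get(name, 0) + 1
            if self.misses[name] == self.misses_to_ticket:   # ticket exactly once per outage
                self.tickets.append(f"RAS: {name} key server {host}:{port} failed "
                                    f"{self.misses_to_ticket} consecutive checks")
        return list(self.tickets)
```

Run `validate()` on the values you intend to type in and fix every ERROR before clicking Apply; a WARN on a non-default Q-EKM port is acceptable only if the port was changed on the key server as well. `PathDiagnostics.run_interval()` can be scheduled at the same interval you configure for Automatic EKM Path Diagnostics to get an independent view of key server reachability from a host outside the library.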