Sun Microsystems StorageTek Crypto, Technical Brief

Page 1: ...Sun StorageTekTM Crypto Key Management System HP LTO4 Encryption Capable Tape Drives Technical Brief Part Number 316196601 Revision A ...

Page 2: ......

Page 3: ...Sun Microsystems Inc www sun com Crypto Key Management System Version 2 0 HP LTO4 Tape Drive Technical Brief Part Number 316196601 June 2008 Revision A ...

Page 4: ...aires ou les applications de brevet en attente aux Etats Unis et dans les autres pays CE PRODUIT CONTIENT DES INFORMATIONS CONFIDENTIELLES ET DES SECRETS COMMERCIAUX DE SUN MICROSYSTEMS INC SON UTILISATION SA DIVULGATION ET SA REPRODUCTION SONT INTERDITES SANS L AUTORISATION EXPRESSE ECRITE ET PREALABLE DE SUN MICROSYSTEMS INC L utilisation est soumise aux termes de la Licence Cette distribution p...

Page 5: ...rder Numbers 6 2 Dione Card 7 Firmware Requirements 7 Dione Card Components 8 Connecting to the Dione Card 9 KMS Operations 10 Key Lifecycle 10 Media RFID Chips 12 Media Types 12 Removal and Replacement 14 Removal 14 3 Virtual Operator Panel 17 VOP Prerequisites 18 Computer Hardware Requirements 18 Operating System Certification 18 Java Runtime Environment Requirement 18 ...

Page 6: ...iv KMS LTO4 Technical Brief June 2008 Revision A 316196601 Using VOP 19 Start VOP 20 Diagnose Drive Tab 23 Run LED Diagnostic Test 23 Run Loopback Test 24 Get Log 25 Load Firmware 25 ...

Page 7: ...ese publications contain the additional information This guide has the following organization Chapter Use this chapter to Chapter 1 Introduction Chapter 2 Dione Card Chapter 3 Virtual Operator Panel Publication Description Part Number Crypto Key Management System Systems Assurance Guide StorageTek 31619480x Crypto Key Management System Installation and Service Manual StorageTek 31619490x Crypto Ke...

Page 8: ...om download index jsp customers Sun Partner Exchange https spe sun com spx control Login partners Uniform Software Repository http dlrequest sfbay sun com 88 usr login internal If your customer does not already have a Sun Online Account they will need to register For a new account go to https reg sun com register For more information about Sun StorageTek products got to http sunsolve sun com handb...

Page 9: ...ption key is found the Dione card requests the key directly from the KMS Media Native capacity The HP LTO4 drive with LTO4 media can store up to 800 GB of data This drive can also read and write on LTO3 media 400 GB and provides read only capabilities with LTO2 media 200 GB The LTO4 tape drive also supports Write Once Read Many WORM secure media This non erasable non rewritable media meets several...

Page 10: ...eet compliance regulations such as HIPAA Sarbanes Oxley SEC 17A 4 Mid range class Delivers confidence with a wide variety of supported backup applications Drive Tray FIGURE 1 1 shows an example of an LTO4 tape drive mounted in a drive tray FIGURE 1 1 LTO4 Tape Drive in Drive Tray SL8500 1 PWR power indicator green 2 FAULT Fault indicator red 3 MAINT Recessed button that resets the Dione card 4 The...

Page 11: ... 24 sec 19 sec 19 sec Access time average to first file 64 75 sec 72 sec 62 sec Tape speed meters per second 5 50 m s 5 32 m s 7 0 m s Tape read write speed 6 20 m s 5 32 m s 6 20 m s Rewind time maximum average 104 52 sec 98 49 sec 124 sec Unload time 13 19 sec 19 sec 19 sec Cleaning time 58 to 152 sec Interface Support SCSI Fibre Channel Ultra3 SCSI LVD FC1 Ultra 320 LVD FC2 Ultra 320 LVD FC4 MT...

Page 12: ...0 ppm 900 ppm Maximum tape speed 7 29 m s Rewind speed 7 00 m s Durability 1 000 000 passes Cartridge Width 105 4 0 30 mm Depth 102 0 0 30 mm Height 21 5 0 25 mm Weight 0 220 kg Track density TPI 1260 1773 2212 Data tracks 512 704 896 Data channels 8 16 16 Number of wraps 64 44 56 Number of bands 4 4 4 Bit density 7 40 Kb mm 9 64 Kb mm 13 52 Kb mm Cartridge memory capacity 4096 bytes 4096 bytes 81...

Page 13: ...tibility with other manufacturers LTO Ultrium drives and tapes that meet the LTO Ultrium format specification Note Currently only LTO4 media is encryption capable on the LTO4 tape drives While LTO4 can read and write to LTO3 media if an LTO4 drive encrypted data on LTO3 media then LTO3 drives could not read those tapes Therefore when LTO3 media is inserted into an LTO4 drive the encryption capabil...

Page 14: ...rchased TABLE 1 5 Configured End Items Order Numbers Part Numbers Description SL500 LTO4E HP4FC SL500Z LTO4 HP FC 4Gb SL500 Encryp Dr LTO4E HPSC SL500Z LTO4 HP SCSI SL500 Encryp Dr SL8500 LTO4E HP4FC SL85Z LTO4 HP FC 4Gb SL8500 EncrypDr SL3000 LTO4E HP4FC SL30Z LTO4 HP FC 4Gb SL3000 EncrypDr TABLE 1 6 Conversion Bill Numbers Part Numbers Description SL500 XHPLTO4E FCUPL500Z Crypto drive upgrade fo...

Page 15: ... on the tape drive and the secure Ethernet port for use with the KMS The Dione card includes Telnet server for configuration and management FTP server for installing new firmware and retrieving firmware trace logs SOAP client with TLS 1 0 support for communication with the KMS Firmware Requirements The minimum firmware requirements include TABLE 2 1 Firmware Requirements Component Version or above...

Page 16: ... the drive tray FIGURE 2 1 shows an example of a Dione card which consists of Dione card Ethernet connector RJ 45 Power connection inline with the tape drive power Communications connection to the tape drive Reset switch on the drive tray rear panel Green Status LED on the drive tray rear panel FIGURE 2 1 Dione Card Components 1 Dione card 2 Ethernet connection RJ 45 3 Reset switch 4 Green status ...

Page 17: ...l program load IPL If the LED does not come on when power is applied and there is power on the tape drive there is a problem with the Dione card If this LED does not go out after 30 seconds approximately there is a problem with the Dione card After 30 seconds the LED goes out and stays out until the tape drive is in an encryption capable mode tape loaded key available encrypting or decrypting Rese...

Page 18: ...similar set of operations occur The backup application sends a read request The drive recognizes that the data is encrypted and requests a decryption key from the Dione card Note The LTO4 tape format stores the metadata key along with encrypted data This gives the Dione card a method to retrieve the required key for decryption The Dione card verifies the Key Associated Data in the data block to de...

Page 19: ...erations when appending data to a tape The end result is that encryption keys previously used on that tape will continue to be used for write operations even if the state of the key has changed to expired or compromised The encryption period is a user defined policy An encryption period of a year or longer is recommended to mitigate the risk of write operations using an expired key Most applicatio...

Page 20: ...nal metadata for a Data Unit cartridge The External Tag field of the Data Unit contains the physical barcode information when the library firmware update is available Refer to the Crypto KMS Administration Guide for more information about Data Units and the ExternalTag field Note When installing the HP LTO4 tape drive in an SL500 library you must disable the Fast Load option Disabling this option ...

Page 21: ...es an example of a KMS Manager display screen using the elements from and HP LTO4 drive FIGURE 2 4 KMS Manager Data Unit List 1 Data Unit ID data cartridge 2 External Tag volume serial number 3 Description LTO4 or LTO4WORM 4 External Unique ID vendor unique RFID contents 1 2 4 3 ...

Page 22: ... com app docs prod tape storage hic Removal The following procedure basically describes how to remove and replace a Dione card 1 Follow the procedures for taking the drive offline 2 Follow the procedures for removing the drive from the library SL8500 Modular Library System Installation Manual StorageTek 96138 SL3000 Modular Library System Installation Manual StorageTek 316194201 SL500 Modular Libr...

Page 23: ...te and insert the T10 mounting screws 3 Connect P5 and P6 to the card 4 Plug in the following cables in this order Signal connector from the card to the rear of the drive Drive power from rear of the drive Power jumper 5 Insert the card and plate into its position and fasten it with one T10 screw 6 Position the HBD card back into place 7 Re connect the cables to the HBD card 8 Insert the drive and...

Page 24: ...Removal and Replacement 16 KMS LTO4 Technical Brief June 2008 Revision A 316196601 ...

Page 25: ...sion 1 0 12 and higher support for the HP LTO4 tape drive is provided through the Dione Card on page 7 which serves as a serial to Ethernet translation device for the tape drive FIGURE 3 1 shows an example of the VOP Display FIGURE 3 1 Virtual Operator Panel Display 1 Connect Tab 2 Monitor Drive Tab 3 Configure Drive Tab 4 Diagnose Drive Tab 5 Drive status indicators colors Online Offline Loaded S...

Page 26: ... application your computer system must meet certain prerequisites These are the minimum Hardware requirements Operating system certifications Java Runtime Environment JRE minimum release level requirements Computer Hardware Requirements The minimum hardware requirements include 512 MB memory 1 0 GHz processor Ethernet port available for static IP addressing RJ45 RJ45 Ethernet cross over cable dire...

Page 27: ...rives on and configure them one by one To use VOP for LTO4 tape drives you need to launch a special file Windows Launch the batch file ltoVOP bat Solaris Linux Launch the ltoVOP file above the batch file TABLE 3 1 VOP Versions Files Documents and Download Sites Version Document Files Posted File Size Customer 96179 VOP_CUST_REL_1 0 12 zip 05 28 2008 21 30 6055192 General_Instructions_Download 05 2...

Page 28: ...ning tape drive diagnostics Before beginning make sure you have the assigned IP addresses and Agent names for the tape drives available and defined in the KMS manager To start the VOP for the LTO4 1 Configure and connect your laptop to an LTO4 tape drive For example use a cross over cable and connect directly to a tape drive 2 Start the executable file ltoVOP file or bat to start the application 3...

Page 29: ...ormation You will need customer input for the KMA ID IP Address and Passphrase 6 Click Commit and respond Yes to the set drive offline pop up if still online The commit process takes about 30 seconds to complete 7 Click on the Diagnose Drive tab to observe the commit process FIGURE 3 4 Configure Drive FIGURE 3 5 Commit Passed ...

Page 30: ...ou can enroll the drive If you were to Unenroll the Agent for example To turn encryption off then re enroll the agent to turn encryption back on the pass phrase must be re entered or the agent recreated in the KMS before re enrollment 9 Enter the new IP address in the connection window and click Connect 10 0 0 5 for this example 10 Select the Configure Drive tab The new settings are shown in the d...

Page 31: ...lick on Run LED Diag The display changes the button to EXIT LED Diag 2 During this time if you press the Reset switch the green encryption LED will flash 3 Click EXIT LED Diag to end this test The green LED is on when you power on the LTO4 tape drive for 30 seconds as the Dione card performs an initial program load IPL After 30 seconds the LED goes out and stays out until the tape drive is in an e...

Page 32: ...ab 24 KMS LTO4 Technical Brief June 2008 Revision A 316196601 Run Loopback Test To run the Loopback diagnostic test 1 Click on Run Loopback Test 2 Observe the display as the test starts and ends FIGURE 3 8 Run LED Diag ...

Page 33: ...ick Get Log 2 Create and select a location for the file Once the file has transferred the operation is complete Load Firmware To load new Dione card firmware Obtain the firmware and place it in a directory file easy to locate Click on Load Firmware A dialog box opens requesting the location of the firmware Navigate to that location and load the files Note there are two files to download bin and hd...

Page 34: ...Diagnose Drive Tab 26 KMS LTO4 Technical Brief June 2008 Revision A 316196601 ...

Page 35: ...n LED 9 loading firmware 25 reset switch 9 Download Center vi drive tray example 2 E encryption indicator 17 enroll 22 External Tag field 12 F Fast Load option 12 firmware requirements 7 G Get Log 25 guides v H hardware requirements VOP 18 Hewlett Packard 1 HP LTO specifications 2 3 I interchange 5 interfaces types of 1 introduction 1 J Java Runtime Environment 18 K KMA ID 21 KMS operations 10 L L...

Page 36: ...physical barcode information 12 potential issue 11 prerequisites VOP 18 publications v R Radio Frequency Identification 12 read operations 10 related publications documents v reliability 4 removal and replacement procedures 14 requirements firmware 7 resellers vi reset switch 9 RFID chip media 12 S SCSI interfaces 1 SDP 20 Service Delivery Platform 20 specifications 3 StorageTek Partners site vi W...

Page 37: ......

Page 38: ...6188101 HONG KONG 852 2877 7077 HUNGARY 361 202 4415 INDIA 91 80 229 8989 INDONESIA 65 216 8333 IRELAND 353 1 668 4377 ISRAEL 972 9 9710500 ITALY 39 02 9259511 JAPAN 81 3 5779 1820 KOREA 82 2 3453 6602 MALAYSIA 603 2116 1887 MIDDLE EAST 00 9714 3366333 MEXICO 525 261 0344 NETHERLANDS 31 33 4515200 NEW ZEALAND 0800 786 338 NORTH WEST AFRICA 00 9714 3366333 NORWAY FROM NORWAY 47 22023950 TO NORWAY 4...