HP Enterprise Secure Key Manager manual Basic encryption test, Failover test


To use 2048-bit certificates, update the autoloader or library to the current version and retry the test. The earliest firmware versions that generate 2048-bit certificates are:

1/8 G2 autoloader: 4.30

MSL2024: 6.20

MSL4048: 8.70

MSL8048 and MSL8096: 1130

Basic encryption test

1. Using your backup application, load a scratch tape into a drive in a partition configured for encryption with the key server.

2. Rewind and then initialize the tape. This will overwrite any previous contents with an encrypted header. If all is configured correctly, the backup application will report successful media initialization.

a. Log in to the key managers and confirm that a new key was created. Refer to your server documentation for instructions.

b. Log in to other key servers in the cluster and confirm that the key is replicated to each server.

3. Using your backup application, unload the cartridge to a slot.

4. From the key server, find the key that was created in step 2 and temporarily disable the key’s ability to be exported.

See your server documentation for instructions.

5. Using your backup application, load the same tape into any drive in the partition configured for encryption with a key server. Read the header of the tape using a media identification or similar command.

The backup application should report a failure because the header is encrypted but the key cannot be exported.

One of the key server logs should show a request for the key and that the request was denied.

6. Using the backup application, unload the media to a slot.

7. From the key server, re-enable the ability to export the key that was disabled in step 4.

8. Repeat step 5. The command should succeed.

9. Unload the media to a slot.

This concludes the basic encryption test.

Failover test

1. From the basic encryption test, step 8, identify the key server that provided the key. This is the server that logged the key export.

2. From the key server, temporarily disable that server’s ability to communicate with clients. See the server documentation for instructions.

3. Repeat step 5 of the basic encryption test.

The command should succeed, with the key provided by a different server. You can identify the server that exported the key by inspecting each server’s log files.

4. Unload the media to a slot.

5. If there are more than two key servers, continue disabling server-client communications and repeating this test until every server has successfully served the key.
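
Both tests are judged from key server log entries, so the evidence can be checked mechanically once each server's log has been collected. The following Python is an added example, not part of the HP manual; the record format, the server names (ks1 to ks3) and the key name are constructed assumptions, and the parser must be adapted to your key server's actual log format.

```python
import re
from datetime import datetime

# Constructed sample records in a hypothetical normalized format
# (timestamp server= key= op= result=); real key server logs differ.
SAMPLE = """\
2024-05-01T10:00:05 server=ks1 key=TAPE-KEY-01 op=create result=ok
2024-05-01T10:04:10 server=ks1 key=TAPE-KEY-01 op=export result=denied
2024-05-01T10:09:30 server=ks1 key=TAPE-KEY-01 op=export result=ok
2024-05-01T10:15:42 server=ks2 key=TAPE-KEY-01 op=export result=ok
"""

LINE = re.compile(r"^(\S+) server=(\S+) key=(\S+) op=(\S+) result=(\S+)$")

def parse(text):
    """Return events sorted by time; raise on lines that do not match."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: unrecognized record: {line!r}")
        ts, server, key, op, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "server": server,
                       "key": key, "op": op, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def basic_test_passed(events, key):
    """Steps 2-8: key created, an export denied, then a later export ok."""
    mine = [e for e in events if e["key"] == key]
    created = any(e["op"] == "create" and e["result"] == "ok" for e in mine)
    exports = [e for e in mine if e["op"] == "export"]
    denied = [e["ts"] for e in exports if e["result"] == "denied"]
    allowed = [e["ts"] for e in exports if e["result"] == "ok"]
    return created and bool(denied) and any(t > min(denied) for t in allowed)

def servers_not_yet_proven(events, key, cluster):
    """Failover test: cluster members with no successful export of the key."""
    served = {e["server"] for e in events
              if e["key"] == key and e["op"] == "export" and e["result"] == "ok"}
    return sorted(set(cluster) - served)

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("basic test evidence complete:", basic_test_passed(ev, "TAPE-KEY-01"))
    print("servers still to test:",
          servers_not_yet_proven(ev, "TAPE-KEY-01", ["ks1", "ks2", "ks3"]))
```

With the constructed sample, the basic test evidence is complete and ks3 is reported as the one server that has not yet served the key, so the failover test would continue.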
