To use 2048-bit certificates, update the autoloader or library to the current version and retry the test. The earliest firmware versions that generate 2048-bit certificates are:

1/8 G2 autoloader: 4.30

MSL2024: 6.20

MSL4048: 8.70

MSL8048 and MSL8096: 1130

Basic encryption test

1. Using your backup application, load a scratch tape into a drive in a partition configured for encryption with the key server.

2. Rewind and then initialize the tape. This will overwrite any previous contents with an encrypted header. If all is configured correctly, the backup application will report successful media initialization.

a. Log in to the key managers and confirm that a new key was created. Refer to your server documentation for instructions.

b. Log in to other key servers in the cluster and confirm that the key is replicated to each server.

3. Using your backup application, unload the cartridge to a slot.

4. From the key server, find the key that was created in step 2 and temporarily disable the key’s ability to be exported.

See your server documentation for instructions.

5. Using your backup application, load the same tape into any drive in the partition configured for encryption with a key server. Read the header of the tape using a media identification or similar command.

The backup application should report a failure because the header is encrypted and the key cannot be exported.

One of the key server logs should show a request for the key and that the request was denied.

6. Using the backup application, unload the media to a slot.

7. From the key server, re-enable the ability to export the key that was disabled in step 4.

8. Repeat step 5. The command should succeed.

9. Unload the media to a slot.

This concludes the basic encryption test.

Failover test

1. From the basic encryption test, step 8, identify the key server that provided the key. This is the server that logged the key export.

2. From the key server, temporarily disable that server’s ability to communicate with clients. See the server documentation for instructions.

3. Repeat step 5 of the basic encryption test.

The command should succeed, with the key provided by a different server. You can identify the server that exported the key by inspecting each server’s log files.

4. Unload the media to a slot.

5. If there are more than two key servers, continue disabling server-client communications and repeating this test until every server has successfully served the key.
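
Both tests rely on reading the key servers' logs by hand. The following added example (not part of the HP manual) checks that evidence in one pass: the key was created, a request was denied while export was disabled, and every server exported the key afterwards. It assumes the log entries have already been merged into a CSV with the hypothetical columns time, server, key and result; this is not the key server's native log format, and the server and key names are constructed.

```python
import csv
import io

# Constructed sample: one row per key event, merged from every key server's log.
# The columns are an assumed normalized form, not any key server's native log format.
SAMPLE_LOG = """time,server,key,result
2024-05-01T10:00:00,ks1,tape-key-01,created
2024-05-01T10:05:00,ks1,tape-key-01,denied
2024-05-01T10:10:00,ks1,tape-key-01,exported
2024-05-01T10:20:00,ks2,tape-key-01,exported
"""


def check_test_evidence(log_text, key, servers):
    """Return a list of gaps in the evidence; an empty list means the run is complete."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text)) if r["key"] == key]
    rows.sort(key=lambda r: r["time"])  # ISO 8601 timestamps sort as text
    gaps = []

    # Basic test step 2a: the key must have been created.
    if not any(r["result"] == "created" for r in rows):
        gaps.append("no creation of the key logged")

    # Basic test step 5: a request made while export was disabled must be denied.
    denied_at = next((r["time"] for r in rows if r["result"] == "denied"), None)
    if denied_at is None:
        gaps.append("no denied request logged")
        return gaps

    # Basic test step 8 and the failover test: after the denial, each server
    # must have exported the key at least once.
    served = {r["server"] for r in rows
              if r["result"] == "exported" and r["time"] > denied_at}
    if not served:
        gaps.append("no successful export after the denial")
    for name in sorted(set(servers) - served):
        gaps.append(f"server {name} never served the key")
    return gaps


if __name__ == "__main__":
    # A third server (ks3) is listed but absent from the sample, so one gap is reported.
    for gap in check_test_evidence(SAMPLE_LOG, "tape-key-01", ["ks1", "ks2", "ks3"]):
        print("GAP:", gap)
```

A run with no gaps is only as complete as the server list passed in, so list every key server in the cluster.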

HP Enterprise Secure Key Manager manual Basic encryption test, Failover test