Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1020807.1
Update Date:2011-02-07

Solution Type  Technical Instruction Sure

Solution  1020807.1 :   KMS - KMS 1.x Procedure to Enroll New Drive  


Related Items
  • Oracle Key Manager
Related Categories
  • GCS>Sun Microsystems>Storage - Tape>Encryption KMS

PreviouslyPublishedAs
265169


Oracle Confidential (PARTNER). Do not distribute to customers
Reason: Confidential for Partners and Oracle Support personnel

Applies to:

Oracle Key Manager - Version: 1.1.0 and later   [Release: 1.0 and later ]
All Platforms
Checked for relevance on 7-Feb-2011.
Responded to comment section.

Goal

Description
Procedure to enroll a new or replacement drive in KMS 1.x (Key Management System).

Solution

Steps to Follow
Use the following instructions to enroll a new drive in KMS 1.x (Key Management System).
1. CSE provides the customer with a file or CD containing the drive PC key. The key is retrieved from: http://crcapplications.central/keyswebapp/

2. If the drive is running 1.41.xxx, then the drive may need to be licensed via VOP (Virtual Op Panel).
    If so, use VOP 1.0.13 or higher and offline the drive.
    If the license tab is seen, then the drive requires the CSE to load the "drivedata" license from VOP.

   a) CSE selects the encrypt tab, browses to the location of the drivedata file, and clicks commit.
   b) The drive should IPL (Initial Program Load) after this.
   c) Next, Use Tokens needs to be set to YES.
   d) Permanently encrypt needs to be set to YES.
   e) FIPS mode should be set to NO.
   f) Click commit.
   g) Customer continues with step 3.

3. Customer logs on to the KMS GUI with user privileges.

4. Select drives, select create.

5. Enter drive name, description and CD path of PC key file, click apply.

6. Write the Enabling Key Token (EKT).

7. Log on to the KMS GUI as security officer.

8. Place appropriate EKT token in tokenbay.

9. Select Tokens from GUI, select write device keys

10. Click the box for just the new drive or drives you want to enable.

11. For KMS 1.1, check the Drive reset box for just the new drive; for KMS 1.2, check the Use PC Key box. Click apply.

12. Place token in tokenbay connected to drive switch, if air-gap configuration.

13. The drive encrypt LED should change from green to solid amber, and "Needs OKT" (Operational Key Token) should be displayed on VOP.

14. The OKT now needs to be written.

15. Log on to the KMS GUI with the user login.

16. Select drive pools, view/modify

17. Select new drive under available enabled drives, click add drive, click apply.

18. Select Tokens, select write Media Keys.

19. Check box of drive pool to write to token, click apply.

20. The message "Operational Token written" should be displayed.

21. If on an air-gap configuration, the OKT should now be placed in the tokenbay connected to the tape drives.

22. The drive, if unloaded, should now read the OKT, and the encrypt LED should change to solid red.

23. If this fails, try rebooting the tape drive.


NOTE: T10000 code 1.37.xxx requires bridge code RB.37.117 to be installed, or the drive may fail to load keys. Request the code from T3 tape support.
              Code 1.38.xx and above does not require bridge code.


NOTE: If the drive and token report the error "KMS/drive out-of-sync. Drive using outdated device keys" (error code 0x28),
              check that the drive was reset in VOP and that Use Tokens is set to YES.

The customer may also need to refresh the drive pool mappings and re-write the OKT.


Product
Sun StorageTek Crypto Key Management Station 1.0


KMS 1.x, Procedure, Enroll new drive, T10000, 9940, Key Token, 1.2

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.