This document provides information about features that were added to the HP StoreEver MSL6480 Tape Library. New features include basic data and control path failover, a new graphical view of partition elements. HP shall not be liable for technical or editorial errors or omissions contained herein.
Abstract

This document provides information about features that were added to the HP StoreEver MSL6480 Tape Library after the HP StoreEver MSL6480 Tape Library User and Service Guide (part number QU625-96001) was published. New features include basic data and control path failover, a new graphical view of partition elements, support for the HP Enterprise Secure Key Manager, a security user, a wellness test, and Japanese language option for the remote management interface (RMI).

HP Part Number: QU625-96016
Published: September 2013
Edition: 1

Copyright 2013 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows XP, and Windows NT are U.S. registered trademarks of Microsoft Corporation. Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
Warranty

WARRANTY STATEMENT: To obtain a copy of the warranty for this product, see the warranty information website: http://www.hp.com/go/storagewarranty

Contents

1 Introduction
    Security user
    Performing the wellness test
    Managing license keys
    User interface enhancements
        Configuring the system language
        Using the partition map graphical view
        Viewing library or partition configuration settings
        Configuring the encryption key manager type
    Configuring use of the MSL Encryption Kit
    Errata
2 Basic control path and data path failover
    HP LTO-5 and LTO-6 data path port failover overview
    HP LTO-5 and LTO-6 control path failover overview
    Technology for drive-assisted failover
        Technology for data path port failover
        Technology for control path failover
            Traditional bridged library control path
            Virtual library connection using NPIV
    Failover licenses
    Configuring and verifying control path failover
        Configuration requirements after enabling control path failure
        Verifying control path failover
        Hardware-specific requirements
    Configuring data path port failover
        Enabling data path port failover
        Verifying data path port failover
3 HP Enterprise Secure Key Manager (ESKM) integration
    ESKM license
    Configuring use of the ESKM
4 Support and other resources
    Contacting HP
    Related information
        Websites
    Typographic conventions
5 Documentation feedback

1 Introduction

This document includes information about features added to the library after the user guide was published. These features include:

- Basic control path and data path failover. See Basic control path and data path failover (page 12).
- HP Enterprise Secure Key Manager support. See HP Enterprise Secure Key Manager (ESKM) integration (page 22).
- Security user. See Security user (page 4).
- Wellness test. See Performing the wellness test (page 5).
- Licensed features and license management support.
    - Licensed features:
        - ESKM integration
        - Control path failover
        - Data path failover
    - Add and view licenses from the RMI. See Managing license keys (page 5).
    - Manage licenses from HP Command View for Tape Libraries versions 3.7 and later.
- HP 1/8 G2 and MSL Encryption Kit integration changes and enhancements. See Configuring use of the MSL Encryption Kit (page 7).
    - Added the ability to back up a subset of encryption keys on the token. This makes it possible to seed a new token with the most recently used keys from an earlier token.
    - Added support for automatic encryption kit key generation.
    - Disallowed creation of a new encryption key when media is loaded in any tape drive that is configured for encryption.
- User interface enhancements. See User interface enhancements (page 5).
    - Graphic view of partitions. See Using the partition map graphical view (page 5).
    - View of library or partition configuration settings. See Viewing library or partition configuration settings (page 6).
    - Configuring the encryption key manager type. See Configuring the encryption key manager type (page 7).
    - Japanese language option for the remote management interface (RMI). See Configuring the system language (page 5).
    - Updates to the partition wizards and status displays to support the other new features.

Note that the Expert Partition Wizard is used to configure many advanced features, even when the library is configured as a single partition.

Security user

The security user is required to configure library security features, such as HP 1/8 G2 and MSL Encryption Kit and ESKM integration, and has access to all administrator functionality.

The security password is required to log in as the security user. The default security password is security. If the security password is lost, the service password is required to change the security password. HP recommends changing the security password to avoid unauthorized access to library administrative and security functionality.

Performing the wellness test

The wellness test exercises basic library functionality. At the end of the test, cartridges will not be in their original storage slots. The test will take the library offline to hosts for the duration of the test.

CAUTION: The test can move cartridges between partitions.

To run the wellness test, navigate to the Maintenance > Library Tests > Wellness Test screen and then click Start Test.

Managing license keys

License keys register licensed library functionality. From the Configuration > System > License Key Handling screen you can add and view license keys.

1. Navigate to the Configuration > System > License Key Handling screen.
2. In the Add License Key pane, enter the License Key and then click Add License.
You can also manage library license keys from HP Command View for Tape Libraries versions 3.7 and later.

User interface enhancements

Configuring the system language

The RMI is available in English and Japanese. From the Configuration > System > Language screen you can choose the language for the RMI, including the online help.

Using the partition map graphical view

In the Status > Partition Map > Graphical View screen you can see a physical representation of the cartridges in the storage slots, mailslots, and tape drives for each module. Expand the module section to see the map for that module. The partition number is shown for each element. Hover over the element for status and configuration information about the partition or drive.

Viewing library or partition configuration settings

In the Status > Partition Map > Configuration Status screen you can see the current configuration settings for a partition. Expand the sections for additional information.

NOTE: The configurations listed in this screen can be modified using the Expert Partition Wizard.

Partition Number: The partition number assigned by the library
Partition Name: The partition name assigned with one of the partition wizards
Partition S/N: The partition serial number assigned by the library
Number of Drives: The number of tape drives configured for the partition. Expand the section to see information about each drive, including the drive number, LTO generation, interface, and serial number.
Number of Slots: The number of storage slots assigned to the partition
Number of Mailslots: The number of mailslots assigned to the partition
Barcode Label Length Rep. to Host: The number of barcode characters reported to the host application.
Barcode Label Alignment Rep. to Host: The end of the barcode label reported to the host application when reporting fewer than the maximum number of characters.
For example, when reporting only six characters of the barcode label 12345678, if alignment is left, the library will report 123456. If alignment is right, the library will report 345678.
Key Manager Type: The type of encryption key manager configured for use with the partition.
Active Control Path Drive: The tape drive that hosts the LUN for the partition
Passive Control Path Drive: The tape drive that the library will use as an alternate if there is a failure of the active control path drive.
CPF Setting: Enabled when basic command path failover is enabled
DPF Setting: Enabled when basic data path failover is enabled

Configuring the encryption key manager type

The Configuration > Encryption screen displays the available data encryption key manager types along with the status of each type. Only one encryption manager type can be configured for the library at a time and it will be used for all tape drives and partitions.

To change the configured encryption key manager, select the key manager and then click Submit.

Configuring use of the MSL Encryption Kit

The Configuration > Encryption > USB MSL Encryption Kit screen displays information about the token and provides access to enter the token PIN, and configure a new token. Access to this screen is only available to the security user.

For additional information on using the MSL Encryption Kit, see the HP StoreEver MSL Encryption Kit User Guide on the HP Business Support website: http://www.hp.com/support/manuals.

NOTE: Only one encryption method is allowed at a time and it is used for the entire library. If the ESKM is active, the MSL Encryption Kit will not be used.

Entering the token PIN

Figure 1 Entering the token PIN

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Verify that the correct token is available.
3. Enter the Token PIN and then click Submit.

Changing the token PIN

Figure 2 Changing the PIN or token name

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Pin Management section.
3. Enter the current and new PINs. The PIN must be at least 8 characters and no longer than 16 characters. The PIN must contain at least one lower case letter, one upper case letter, and at least two digits.
4. Click Submit.

CAUTION: The key server token protects the encryption keys with a PIN. If you lose the PIN, you will not be able to restore data from your encrypted tapes using that token. Neither you nor a service engineer can recover a lost PIN. Keep a copy of the PIN in a safe place.

Changing the token name

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Pin Management section.
3. Enter the new token name. The name can have up to 126 characters.
   TIP: Using a descriptive name, including the dates when the keys on the token were used, could be helpful if your log of tapes written with keys on the token is lost.
4. Click Submit.

Generating a new write key

Figure 3 Managing encryption keys

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Key Management section.
3. Click Apply.

Enabling and configuring automatic key generation

When automatic key generation is enabled, the library will automatically request the key server token to generate a new key periodically, according to the policy you configure.

Be aware that when new keys are created automatically they are not backed up until you do so manually. To avoid only having one copy of the new key, set the automatic key generation policy for a time when you can back up the new key before tapes are written using the new key.

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Key Management section.
3. Set the policy for the new key generation frequency, and the date and time this will occur.
4. Click Submit to apply your selections.
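Because automatically generated keys exist only on the token until a manual backup is made, it is worth checking an operator's log for tapes that were written with a key before that key was backed up. The following Python audit is an added example, not part of the HP guide; the CSV log format, event names and sample entries are constructed assumptions, and a partial backup is modelled as covering the N highest-numbered keys, as the backup procedure describes.

```python
"""Audit an operator-kept key log: was each write key backed up before use?"""
import csv
import io
from datetime import datetime

# Constructed sample log in a hypothetical format (not produced by the library).
# event: key_generated | token_backup | tape_written
# For token_backup, `keys` is how many of the highest-numbered keys the backup
# file includes, or "all" for a backup of every key on the token.
SAMPLE_LOG = """\
timestamp,event,key,keys,barcode
2013-09-01T02:00,key_generated,1,,
2013-09-01T09:15,token_backup,,all,
2013-09-02T22:00,tape_written,1,,ABC001L5
2013-09-08T02:00,key_generated,2,,
2013-09-08T22:00,tape_written,2,,ABC002L5
2013-09-09T08:30,token_backup,,1,
2013-09-15T02:00,key_generated,3,,
"""


def audit(log_text):
    """Return (tapes_at_risk, keys_without_backup).

    tapes_at_risk: (barcode, key) pairs written while the key existed only
        on the token, so losing the token would have made the tape unreadable.
    keys_without_backup: keys no backup has covered by the end of the log.
    """
    generated = []      # key numbers present on the token so far
    backed_up = set()   # key numbers contained in at least one backup file
    tapes_at_risk = []

    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    for row in rows:
        event = row["event"]
        if event == "key_generated":
            generated.append(int(row["key"]))
        elif event == "token_backup":
            # A partial backup holds only the N highest-numbered keys.
            count = len(generated) if row["keys"] == "all" else int(row["keys"])
            if count:
                backed_up.update(sorted(generated)[-count:])
        elif event == "tape_written":
            key = int(row["key"])
            if key not in backed_up:
                tapes_at_risk.append((row["barcode"], key))
        else:
            raise ValueError(f"unknown event: {event!r}")

    keys_without_backup = sorted(set(generated) - backed_up)
    return tapes_at_risk, keys_without_backup


if __name__ == "__main__":
    at_risk, unprotected = audit(SAMPLE_LOG)
    for barcode, key in at_risk:
        print(f"tape {barcode} was written with key {key} before it was backed up")
    for key in unprotected:
        print(f"key {key} has no backup yet")
```

In the sample, key 2 is generated and used the same night, and the backup only happens the next morning, which is the situation the scheduling advice above is meant to prevent.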
NOTE: A key is not generated when the library time is advanced past a time when a new key would have been generated. If you advance the library time, check the automatic key generation policy to see whether a new key is needed, and if so, manually generate it.

One new key is generated if the library is off at a time when a new key would have been automatically generated. To prevent a new key from being generated in this case, disable automatic key generation before powering off the autoloader or library.

Backing up the token data to a file

HP recommends that the token data be backed up to a file each time an encryption key is added.

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Key Management section.
3. Enter a password to secure the backup file. The password must be at least 8 characters and no longer than 16 characters. The password must contain at least one lower case letter, one upper case letter, and at least two digits.
4. If you are creating a backup file to seed a new token, enter the number of keys to include in the backup. The library will back up the highest-numbered keys, which are normally the most recent.
5. Click Save.

Restoring token data from a backup file

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Key Management section.
3. Enter the token restore password. This is the password that was created when the token backup file was created. It is generally NOT the token PIN.
4. Browse to the location of the token backup file on the local computer.
5. Click Restore.

Configuring an automatic key generation policy

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Key Management section.
3. Set the day of the week, time of day and frequency. A new key can only be generated when no media is in a tape drive, so HP recommends selecting a time when all drives are unloaded.
4. Check Enabled.
5. Click Submit.

Enabling or disabling encryption

Encryption is enabled or disabled for all partitions and tape drives in the library.

Figure 4 Enabling or disabling encryption

1. Navigate to the Configuration > Encryption > USB MSL Encryption Kit screen.
2. Expand the Enable/Disable Encryption section.
3. Click Enable or Disable.

Errata

The user guide contains the following errors and omissions:

- All USB key interaction with the library should be done with FAT-32 formatted USB keys. The library does not support USB devices formatted with LTFS or other file formats.
- The regulatory model number listed in the user guide is incorrect. The correct regulatory model numbers are:
    - LVLDC-1101-CM (Base module)
    - LVLDC-1101-EM (Expansion module)
- The electrical specifications listed in the user guide are inaccurate. The correct power specifications are:
    Power: 200 Watts (max)
    Input requirements: 100-120V, 200-240 VAC, 3.5 to 1.5 Amperes, 50 to 60 Hz

2 Basic control path and data path failover

With today's high dependency on access to business information, safeguarded data and limited backup windows, the reliability of the backup hardware and software is vital. Backup operations are usually automated, often done at night, and any first pass operator intervention is done remotely. To assist with these enterprise demands, Hewlett-Packard has introduced two reliability enhancements to MSL6480 tape libraries with LTO-5 and LTO-6 Fibre Channel tape drives.

- Data path port failover, where a standby path is configured for the data path to the tape drive and activated following link failures.
- Library control path port failover, where a second drive is configured to host a standby library control path that can be activated remotely following link failures.

Failover functionality in the HP LTO-5 tape drives and HP LTO tape libraries transfers the active path and all settings to the standby path following failures.
HP LTO-5 and LTO-6 data path port failover overview

Data path port failover (see Data path port failover example configuration (page 13)) may be configured on each dual-port Fibre Channel tape drive. When data path port failover is configured, one link is active and is the primary data path. The second link is a standby data path. The drive will verify that the second link is able to receive a Fibre Channel signal and complete speed negotiation, but the drive will not log into the SAN using the standby link.

NOTE: The LTO-5 half-height drive only has one FC port and does not support data path failover.

The drive monitors the links for errors and, following detection of a fault, transfers the fabric identity (world wide names) and all settings (mode parameters, encryption settings, etc.) over to the standby link, then activates that link. When properly configured, the change is minimally disruptive to the host and does not require any configuration changes on the host or in the backup application.

If no drive commands are outstanding when a failure is detected, the port change happens with virtually no disruption to the SAN. If a command is outstanding on the link when a failure is detected, the drive is not able to recover the command, so that command will fail, but the application will be able to continue to use the drive on the new path. Many applications are able to recover from a single command failure as long as the communication path to the drive is not lost.

Figure 5 Data path port failover example configuration

1. Primary data path
2. Standby data path
3. Primary data path
4. Standby data path
5. Dual-port FC tape drive
6. Dual-port FC tape drive

HP LTO-5 and LTO-6 control path failover overview

Library control path port failover (see Control path port failover example configuration (page 14)) may be configured with one drive hosting the path to the library controller and a second drive configured as an alternate standby path to the library controller. The library connections will share physical links with the drives, but the library will have its own identity on the SAN. If data path port failover is also configured, the library control path will follow the data path on link failures.

If the drive hosting the library control path fails, the library web interface may be used to take the control path drive offline, and the library control path identity (world wide names) and all settings (such as reservations and prevent/allow settings) will be moved over to the alternate master drive automatically. When properly configured, the change is minimally disruptive to the host and does not require any configuration changes on the host or in the backup application.

If no library commands are sent while the port is being reconfigured, the port change happens with virtually no disruption to the SAN. Commands sent while the port is being reconfigured cannot be processed and will fail. Applications that retry commands are able to use the library following reconfiguration of the port. Applications that do not retry can be restarted remotely without making any hardware configuration changes.

Figure 6 Control path port failover example configuration

1. Library drive 1 (embedded in library)
2. Primary data path for drive 1 and active library control path
3. Standby data path
4. Primary data path for drive 2 and standby library control path
5. Standby data path
6. Library drive 2 (embedded in library)
7. Standby library control path (logical via control link to drive)
8. Primary library control path (logical via control link to drive)

Technology for drive-assisted failover

The drive-assisted failover features in HP LTO-5 and LTO-6 drives use Fibre Channel switched fabric features to transfer a drive identity to a different port. The drive manages all of the SCSI configurations so that the settings expected by the application are still present after the port change. In a typical multi-path configuration, the application must manage both paths and reconfigure the drive any time the active path is changed.

Both data path port failover and control path port failover require at least one Fibre Channel switch between the drive and the host to provide some of the features required for failover with minimal host disruption.

Technology for data path port failover

The HP LTO-5 and LTO-6 Fibre Channel tape drives configure both ports with identical worldwide names, but only one port will connect to the fabric. By default, the port that completes speed negotiation first will become the active port. If the ports on the drive are connected to fabrics of different speeds, the port connected to the highest speed fabric will typically complete speed negotiation first. The MSL6480 uses the default behavior and does not allow selection of a preferred port.

Technology for control path failover

The HP LTO-5 and LTO-6 Fibre Channel tape drives use a technology called N-Port Identifier Virtualization (NPIV), which is defined as part of the Fibre Channel standards maintained by the INCITS/T11 working group (see clause 6 in the FC-LS-2 specification). NPIV allows a single physical port to connect to a Fibre Channel switch multiple times using multiple node and port names.

Traditional bridged library control path

A typical connection for a Fibre Channel tape library using the drive to bridge commands to the library controller in a two-drive tape library is shown in Figure 7 (page 15).
Figure 7 Typical bridged library controller connection

1. Internal connection

In the typical bridged library controller connection, each tape drive has one physical link to the SAN switch and connects to the SAN switch as one Fibre Channel device. The tape drive hosting the library controller path connects as one Fibre Channel device containing two logical units. The tape drive is logical unit number zero and the tape library is logical unit number one. Both devices are considered to be in the same Fibre Channel device, which is called a Node. The tape library Fibre Channel node contains a tape drive logical unit and a media changer logical unit. The logical view of the tape library is shown in Figure 8 (page 16).

Figure 8 Logical view of traditional configuration

1. Fibre Channel node
2. Tape Drive at logical unit 0
3. Library at logical unit 1

Virtual library connection using NPIV

When configured to use library control path port failover, the drive will use NPIV to connect the library and the drive to a Fibre Channel switch as two different devices. The physical device connection is the same as that shown in Typical bridged library controller connection (page 15), with the internal connection between the library and the drives passing the host commands from the drive to the library and the link from the drive to the switch being shared.

The logical view from the host is of three independent Fibre Channel devices. Two tape drives appear as independent devices and neither tape drive contains a library controller logical unit. The library controller appears as a third independent device even though it is sharing the physical connection with one of the tape drives. The logical view and physical connections for a library using NPIV and configured to use library control path port failover are shown in Figure 9 (page 17).

Figure 9 NPIV virtual library connection

1. Physical link to switch sharing drive link
2. Logical direct link to switch

With NPIV creating a virtual device on the switch port to which the drive is connected, both the tape drive and the tape library are shown by the switch as independent devices even though they are connected to the same physical port. Because the library is presented to the host as an independent device, it can be managed independently from the tape drive.

In NPIV virtual library connection (page 17), the tape library contains two drives with both tape drives connected to a Fibre Channel switch. The library is presented as a virtual device using the same link as one of the tape drives in the figure. When the tape library detects that the control path should fail over to an alternate path, it is able to disconnect the library from the physical link and reconnect the library to the switch over the link used by the other drive without disrupting that link. Both drives could be active reading or writing, and the library can be moved without disrupting the drive activity. The logical connection following a control path failover event is shown in Figure 10 (page 18).

Figure 10 NPIV library connection following failover

1. Physical link to switch sharing drive link
2. Logical direct link to switch

NPIV library connection following failover (page 18) shows that the logical link for the library has moved and now shares the same physical link as the top drive. No changes to the physical cabling were required and any other activity on the links was not disrupted.

Failover licenses

The control path and data path failover features are licensed.
Table 1 Failover licenses

Description                                           Part number
HP StoreEver MSL6480 Control path failover License    TC359A
HP StoreEver MSL6480 Control path failover E-License  TC359AAE
HP StoreEver MSL6480 Data path failover License       TC360A
HP StoreEver MSL6480 Data path failover E-License     TC360AAE

From the Configuration > System > License Key Handling screen you can add and view license keys.

1. Navigate to the Configuration > System > License Key Handling screen.
2. In the Add License Key pane, enter the License Key and then click Add License.

You can also use Command View for Tape Libraries 3.7 or newer versions to manage licenses.

Configuring and verifying control path failover

The library only supports control path failover when used in a Fibre Channel SAN and connected as fabric devices. Control path failover is enabled independently for each partition in the library. The minimum configuration is:

- A partition with two or more LTO-5 or later generation dual-ported FC drives of the same type. For example, the partition can contain two LTO-5 full-height drives or two LTO-6 half-height drives, but not one of each.
- A host connection via a SAN switch with NPIV enabled for associated ports.
- The Control Path Failover license has been added to the library.

1. Launch the Expert Partition Wizard from Configuration > Partitions > Expert Wizard.
2. Select the partition that you want to configure and then click Edit.
3. Click Next until the Select Control Path Failover Type screen is displayed.
4. Check Enable Basic Control Path Failover (CPF) and then click Next.
5. In the Select Control Path Settings screen, select the active and passive control path drives, and then click Next.
6. If you are also enabling data path failover, continue with the instructions in Enabling data path port failover (page 21). If you are only enabling control path failover, click Next until the Finish Configuration screen is displayed. Verify the configuration settings and then click Finish.
7. Repeat the procedure to configure basic control path failover for additional library partitions.

Configuration requirements after enabling control path failure

When control path failover is enabled, the library is no longer presented as a logical unit behind the tape drive and is assigned a new Fibre Channel node name. After configuring the control path failover parameters, you might need to make additional changes:

- Switches using world wide name zoning will have to be configured to allow access to the library controller. If the switch interface does not allow manually entering a world wide name, the zone for the primary control path can be configured and then a failover may be forced to cause the secondary path to be enabled and the second zone configured. (To force a failover, see Verifying control path failover (page 20).) The library world wide name can be found in the Status > Library Status screen, as shown in Figure 11 (page 20).
- Hosts connecting to the library might need to be rebooted if the operating system does not support dynamic device detection.
- Applications on hosts might need to be reconfigured to recognize the new library world wide name.

Figure 11 Library world wide name displayed on the Status > Library Status screen

Verifying control path failover

After enabling control path failover, verify the configuration of both ports. To verify both paths, first verify that the hosts configured for access to the library are able to communicate with the library. It might be necessary to modify switch zoning to enable access to the library.

After host access has been verified, use the library front panel or RMI to power off the drive marked as Basic (Active) in Status > Drive Status. If the library has multiple partitions, verify control path failover for each partition.
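One host-side way to confirm that the library is no longer presented as a logical unit behind a tape drive is to check how the medium changer appears in lsscsi output on a Linux host. The following Python check is an added example, not part of the HP guide; it assumes a Linux host with lsscsi, and the sample output (addresses, revision strings, device nodes) is constructed.

```python
"""Classify how a tape library's medium changer is presented to a Linux host."""
import re
from collections import defaultdict

# lsscsi line: [host:channel:target:lun]  type  vendor model rev  device-node
LSSCSI_LINE = re.compile(
    r"^\[(\d+):(\d+):(\d+):(\d+)\]\s+(\S+)\s+(.+?)\s+(\S+)\s*$")

# Constructed sample: bridged control path, changer is LUN 1 behind drive 1.
BEFORE_CPF = """\
[0:0:0:0]    disk    ATA      SAMPLE DISK      1.0   /dev/sda
[3:0:0:0]    tape    HP       Ultrium 5-SCSI   X000  /dev/st0
[3:0:0:1]    mediumx HP       MSL6480          0.00  /dev/sch0
[3:0:1:0]    tape    HP       Ultrium 5-SCSI   X000  /dev/st1
"""

# Constructed sample: control path failover enabled, the changer logs in
# through NPIV with its own names and shows up as a separate target.
AFTER_CPF = """\
[0:0:0:0]    disk    ATA      SAMPLE DISK      1.0   /dev/sda
[3:0:0:0]    tape    HP       Ultrium 5-SCSI   X000  /dev/st0
[3:0:1:0]    tape    HP       Ultrium 5-SCSI   X000  /dev/st1
[3:0:2:0]    mediumx HP       MSL6480          0.00  /dev/sch0
"""


def parse(text):
    """Return one dict per recognisable lsscsi line; other lines are skipped."""
    devices = []
    for line in text.splitlines():
        match = LSSCSI_LINE.match(line)
        if not match:
            continue
        host, channel, target, lun = (int(match.group(i)) for i in range(1, 5))
        devices.append({
            "target": (host, channel, target),
            "lun": lun,
            "type": match.group(5),
            "node": match.group(7),
        })
    return devices


def classify_changers(text):
    """Map each medium changer's device node to 'bridged' or 'independent'.

    bridged: a tape drive answers on the same target, so the changer is a
        logical unit behind that drive (the traditional configuration).
    independent: the changer is alone on its target, as expected when the
        library has its own Fibre Channel identity.
    """
    by_target = defaultdict(list)
    for device in parse(text):
        by_target[device["target"]].append(device)

    result = {}
    for devices in by_target.values():
        shares_target_with_tape = any(d["type"] == "tape" for d in devices)
        for device in devices:
            if device["type"] == "mediumx":
                result[device["node"]] = (
                    "bridged" if shares_target_with_tape else "independent")
    return result


def cpf_presentation_ok(text):
    """True if at least one changer is visible and none sits behind a drive."""
    changers = classify_changers(text)
    return bool(changers) and all(v == "independent" for v in changers.values())


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_CPF), ("after", AFTER_CPF)):
        print(label, classify_changers(sample), cpf_presentation_ok(sample))
```

If no changer is listed at all after enabling control path failover, the zoning and host rescan items in the requirements above are the first things to check.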
After the library has powered off the active drive, the Library LUN indicator should move to the passive drive. When the library has reported that the drive has been successfully powered off and the LUN indicator has moved to the passive drive, verify that host connectivity to the library has not changed. It might be necessary to configure switch zoning to allow host access. After verifying library connectivity using each of the library control paths, the library control path may be moved back to the original drive if so desired by clicking Failover on the Configuration > Drives > Manual Control Path Failover screen.

Hardware-specific requirements

Brocade switches

For best reliability when control path failover is used, Brocade switches should be running version 3.2.2e, 3.4.1b, or newer.

Cisco switches

Some Cisco switches that support NPIV do not have NPIV enabled by default. The Cisco MDS9148 may disable NPIV when power cycled. To enable NPIV on a Cisco switch use: Cisco_Device_Manager > Admin > Feature_Control or use the Cisco CLI commands show npiv status and npiv enable.

Configuring data path port failover

Enabling data path port failover

Data path failover can be used with the drive ports configured in loop mode or fabric mode. For best results and compatibility with control path failover, HP recommends that the drive ports be configured in fabric mode and connected to a switch.

1. Launch the Expert Partition Wizard from Configuration > Partitions > Expert Wizard.
2. Select the partition that you want to configure and then click Edit.
3. Click Next until the Select Data Path Failover Settings screen is displayed.
4. Check the drives you want to enable for data path failover.
5. Click Next until the Finish Configuration screen is displayed. Verify the configuration settings and then click Finish.
6. Repeat the procedure to configure basic data path failover for additional library partitions.
Verifying data path port failover

After data path port failover is enabled, verify the configuration in the Status > Drive Status screen. After verifying that the configuration change was successful, verify that the hosts with access to the tape drive are still able to communicate with the drive. After verifying host access via the initial path, a data path port failover may be forced by disconnecting the cable from the active port on the drive. The drive status display shows which drive port is active and which port is in standby. After disconnecting the cable from the active port, verify that the library network management page port status shows that the active port has changed. Reconnect the disconnected port and verify that it shows as Standby. Verify that each host still has access to the tape drive. If a particular port is the preferred active port and it is configured as Standby, you can force selection of a particular port as the active port by disconnecting the cable from the other port.

3 HP Enterprise Secure Key Manager (ESKM) integration

The library now supports the ESKM, which allows encryption keys and encrypted tapes to be shared with other tape libraries that support the ESKM.

ESKM license

The ESKM feature requires a license.

Table 2 MSL6480 ESKM licenses

Description | Part number
HP StoreEver MSL6480 ESKM Encryption License | TC469A
HP StoreEver MSL6480 ESKM Encryption E-License | TC469AAE

From the Configuration > System > License Key Handling screen you can add and view license keys.

1. Navigate to the Configuration > System > License Key Handling screen.
2. In the Add License Key pane, enter the License Key and then click Add License.

You can also use Command View for Tape Libraries 3.7 or newer versions to manage licenses.

Configuring use of the ESKM

With the ESKM Wizard you can configure use of the HP Enterprise Secure Key Management server with the library.
Access the wizard from the Encryption menu on the RMI, which is only available to the security user and requires that the ESKM license has been added from the Configuration > System > License Key Handling screen.

NOTE: The library only allows one encryption key manager type to be used at a time. For example, if ESKM is enabled and in use, the MSL Encryption Kit cannot also be used for encryption key generation and retrieval.

For additional information on configuring ESKM for use with the library, see the HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries.

Before running the wizard, verify that:

- The library configuration is complete, including defining all library partitions.
- A 1024-bit or 2048-bit server certificate for each HP ESKM device in the cluster has been created.
- The ESKM server certificate has been signed by the Certificate Authority (CA) you intend to use and has been installed on the ESKM.
- SSL is enabled on the ESKM KMS server.
- The HP ESKM Management Console is open and ready for use. The ESKM Management Console and library RMI are used together to configure the library for ESKM.

Using the ESKM Wizard

1. Click Encryption > ESKM Wizard to start the wizard.
2. The Wizard Information screen displays information about the wizard. If the library configuration is complete, click Next.
3. The Certificate Authority Information screen displays prerequisites for using the ESKM certificate. When the prerequisites are met, click Next.
4. The Certificate Authority Certificate Entry screen displays instructions for obtaining the certificate for the ESKM server. Follow the instructions to copy the certificate from the management console. Paste the certificate into the wizard and then click Next.
5. The Library Certificate Information screen displays prerequisites for generating and signing the certificate for the library. When you have verified that SSL has been enabled on the ESKM device and that the ESKM management console is open and ready for use, click Next.
6. In the ESKM Client Configuration screen, enter the username and password that the library will use to communicate with the ESKM. If the username and password have not already been set up on the ESKM device, follow the instructions in the HP Enterprise Secure Key Manager User Guide to create a client account for the library. Enter the client username and password, and then click Next.
7. The Certificate Generation screen displays the current library certificate, if one exists. Select whether to keep the current certificate or generate a new one and then click Next.
8. In the ESKM Tier Selection screen you can group ESKM devices into tiers so the library will attempt to connect with ESKM devices in the top tier first, and then fail over to connect with ESKM devices in a lower priority tier if necessary. For example, you might put ESKM devices in the same data center as the library in Tier 1 with ESKM devices in remote data centers in Tiers 2 and 3. One tier is used by default. To add a tier, click Add Tier. Enter the IP address or fully-qualified hostname and port number for up to six ESKM devices in each tier. To verify access to the ESKM devices, click Connectivity Check. When the tier configuration is complete, click Next.
9. The Setup Summary screen displays the settings that were collected by the wizard. Verify that the settings are correct and that there are no errors in the Done column. If you need to modify settings or address issues, either click Back to reach the applicable screen or Cancel out of the wizard to fix the issues and return later. If the settings are correct and there are no errors, click Finish.
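The tier order from step 8 and the SSL and CA prerequisites can be checked from an administration host before relying on the wizard's Connectivity Check. The following Python is an added example, not part of the HP guide or the library firmware: it validates a tier layout against the six-device limit and reports the first ESKM device, in tier order, that completes a TLS handshake with a certificate chaining to the chosen CA. The hostnames, address and port 9000 are constructed placeholders, and trying devices within a tier in listed order is an assumption of the example.

```python
import functools
import socket
import ssl
import sys

MAX_DEVICES_PER_TIER = 6  # step 8: up to six ESKM devices in each tier

# Constructed sample tiers; names, address and port are placeholders.
SAMPLE_TIERS = [
    [("eskm1.dc1.example.com", 9000), ("eskm2.dc1.example.com", 9000)],  # Tier 1
    [("192.0.2.10", 9000)],  # Tier 2 (remote data center)
]

def validate_tiers(tiers):
    """Return a list of problems in the tier layout (empty list means OK)."""
    problems = [] if tiers else ["no tiers defined"]
    for n, tier in enumerate(tiers, start=1):
        if not 1 <= len(tier) <= MAX_DEVICES_PER_TIER:
            problems.append(f"tier {n}: {len(tier)} devices, expected 1-6")
        for host, port in tier:
            if not host or not isinstance(port, int) or not 1 <= port <= 65535:
                problems.append(f"tier {n}: bad entry {host!r}:{port!r}")
    return problems

def tls_probe(host, port, ca_file, timeout=5.0):
    """True if the TLS handshake succeeds and the server cert chains to ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only this CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # refused, timed out, DNS failure, or certificate rejected
        return False

def first_reachable(tiers, probe):
    """Walk tiers in priority order; return (tier, host, port) or None."""
    for n, tier in enumerate(tiers, start=1):
        for host, port in tier:  # assumption: listed order within a tier
            if probe(host, port):
                return n, host, port
    return None

if __name__ == "__main__":
    print("config problems:", validate_tiers(SAMPLE_TIERS))
    if len(sys.argv) > 1:  # argument: path to the CA certificate in PEM format
        probe = functools.partial(tls_probe, ca_file=sys.argv[1])
        print("would connect to:", first_reachable(SAMPLE_TIERS, probe))
```

Hostname verification is left on, so a device whose certificate does not name the host or address you entered is reported as unreachable. The probe exercises only the server side and does not test the library's client username, password or certificate.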
4 Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.com/support

Before contacting HP, collect the following information:

- Product model names and numbers
- Technical support registration number (if applicable)
- Product serial numbers
- Error messages
- Operating system type and revision level
- Detailed questions

Related information

The following documents [and websites] provide related information:

- HP StoreEver MSL6480 Tape Library Getting Started Guide
- HP StoreEver MSL6480 Tape Library User and Service Guide
- HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries

You can find these documents on the MSL6480 manuals page of the HP Business Support Center website: http://h20565.www2.hp.com/portal/site/hpsc/public/psi/manualsResults/?sp4ts.oid=5386549

Websites

- HP Technical Support website: http://www.hp.com/support
- Net-SNMP website: http://www.net-snmp.net

Typographic conventions

Table 3 Document conventions

Element | Convention
Cross-reference links and e-mail addresses | Blue text: Table 3 (page 24)
Website addresses | Blue, underlined text: http://www.hp.com
Keys that are pressed; text typed into a GUI element, such as a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes | Bold text
Text emphasis | Italic text
File and directory names; system output; code; commands, their arguments, and argument values | Monospace text
Code variables; command variables | Monospace, italic text
Emphasized monospace text | Monospace, bold text

WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

5 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.