Quantum Scalar i6000 & SafeNet KeySecure Quick Start Guide

SafeNet’s KeySecure k460 servers work with Quantum’s Scalar i6000 appliance server to create a KMIP-
compliant encryption system. The Key Management Interoperability Protocol (KMIP®) is a specification 
developed by OASIS®. Its function is to standardize communication between enterprise key management 
systems and encryption systems. 

Details about the Quantum Scalar i6000/SafeNet k460 KMIP-compliant implementation include:

A minimum of two SafeNet KeySecure servers are required for failover purposes. A total of 10 SafeNet 
encryption servers are allowed, for increased failover capability.

Data encryption keys are generated one at a time, as needed, upon request.

This document summarizes the information available in the quick start and user guides that accompany 
your Quantum Scalar i6000 library and SafeNet KeySecure appliances and provides step-by-step 
instructions for configuring the devices for combined use. For detailed information about each individual 
product, such as feature configuration instructions and hardware specifics, consult the following 
documents:

Scalar i6000 User’s Guide

Scalar i6000 User’s Guide Addendum

KeySecure v6.0.0 Installation Guide

KeySecure v6.0.0 User Guide

Step 1: Install and Configure the SafeNet KeySecure

You will need the following equipment for each KeySecure:

Null modem cable.

Ethernet cable.

KeySecure power cable.

Console terminal or PC.

Phillips screwdriver.

SafeNet Pin Entry Device (PED).

9-pin Micro-D data cable (included with the PED).

3 SafeNet iKeys. Apply the labels so that there is one blue, one red, and one black iKey.

Summary of Contents for Scalar i6000

Page 1: ...ne at a time as needed upon request This document summarizes the information available in the quick start and user guides that accompany your Quantum Scalar i6000 library and SafeNet KeySecure applian...

Page 2: ...5 Use a screwdriver to tighten the screws This should securely attach the mounting brackets to the rack posts 6 Connect the null modem cable to the serial port on the back panel of the KeySecure Plug...

Page 3: ...nly be reset by another administrator with the appropriate access privileges This is a fundamental security precaution If all administrator passwords are lost you cannot re configure the KeySecure All...

Page 4: ...ation tool to run from The default value is recommended Enter the port number 9443 Enter the port number The script displays the default port of 9443 You can accept this default by pressing Enter or y...

Page 5: ...rm the same PIN value SETTING SO PIN Are you duplicating this keyset Y N g Press No The KeySecure CLI displays the following message Luna PED operation required to login as HSM Administrator use Secur...

Page 6: ...Press ENTER m Insert the Domain red iKey and press Enter SETTING DOMAIN Enter new PED PIN n Enter a PIN value SETTING DOMAIN Confirm new PED PIN o Confirm the same PIN value SETTING DOMAIN Are you dup...

Page 7: ...icating this keyset Y N w Press No USER LOGIN Insert a USER Partition Owner PED Key Press ENTER x Keep the User Partition black iKey inserted in the PED and press Enter USER LOGIN Enter PED PIN y Ente...

Page 8: ...y Press ENTER ae Insert the User Partition black iKey and press Enter USER LOGIN Enter PED PIN af Enter the PIN for the User Partition Owner black iKey and press Enter The KeySecure CLI displays the f...

Page 9: ...Web administration server Creating certificate for signing logs Creating SSH host keys SSH RSA key fingerprint 2048 41 63 d3 ca c9 ea 1f f7 a1 84 8b 05 b4 a6 3b 64 SSH DSA key fingerprint 2048 1d 04 d...

Page 10: ...6000 the CA s Key Size must be 2048 4 Select either Self signed Root CA or Intermediate CA Request as the Certificate Authority Type When you create a self signed root CA you must also specify a CA Ce...

Page 11: ...CA Configuration page Security SSL Certificates 2 Enter the Certificate Name Common Name Organization Name Organizational Unit Name Locality Name State or Province Name Country Name Email Address and...

Page 12: ...XhLVapKMqNuUHUYf7CTB5JNHHy0cYKTNHHy0cYKTuV1Ce8nvvU G yp2Eh8aJ7thaua41xDFXPmIEXTqzXi1 DCWAdWaysojPCZugY7jNWXmg END CERTIFICATE REQUEST Important Be sure to include the first and last lines BEGIN CERTIF...

Page 13: ...e key the certificate request can t be created on the KeySecure Below are the instructions for creating the certificate request in OpenSSL though you may use another certificate creation tool if desir...

Page 14: ...icate request A challenge password asdf1234 An optional company name 3 Open the certificate request in a text editor Copy the text 4 Copy the certificate request text The certificate text looks simila...

Page 15: ...mat using the following openssl command openssl pkcs12 export in signed crt inkey qtmkey pem out qtmbundle p12 Enter pass phrase for qtmkey pem Enter Export Password Verifying Enter Export Password Th...

Page 16: ...e key server is listening for client requests We recommend 5696 for KMIP Use SSL required for KMIP Server Certificate must point to a server certificate signed by a local CA Connection Timeout sec spe...

Page 17: ...connection is closed immediately When you select this option you must also select a Trusted CA List Profile and you must choose the field from which the username is derived Trusted CA List Profile sel...

Page 18: ...ion and Quantity Quantity refers to the number drives licensed to use this feature 3 In the Enter License Key box type the appropriate license key License keys are not case sensitive and are all inclu...

Page 19: ...le above Client Certificate qtmbundle p12 from the example above These files must be in the proper format as follows If any of the following requirements is not met neither of the certificates will be...

Page 20: ...lick Browse to retrieve the Client Certificate File 6 In the Client Certificate Password field type the password used when generating the certificate files your server administrator should provide thi...

Page 21: ...is configured Note Assign your SafeNet KeySecures on this screen in the order in which you want failover to occur Server 1 is the primary server Server 2 is the secondary server and so on For an initi...

Page 22: ...leshoot until they all pass For more information on EKM Path Diagnostics see Scalar i6000 User s Guide 5 Click Close 6 Click OK An Operation in Progress dialog box appears indicating the settings are...

Page 23: ...ver be appended to encrypted data on tape For data to be encrypted via library managed encryption the media must be blank or have been written to using library managed encryption at the first write op...

Page 24: ...re Using EKM Path Diagnostics EKM Path Diagnostics is a series of short tests performed by the library to determine if the EKM servers are connected and operating properly You can perform EKM Path Dia...
