© Copyright 2017 Oracle Corporation
This document may be freely reproduced and distributed whole and intact including this Copyright notice.
3.2 Cryptographic Officer Guidance (Normal Operation)
This section assumes the StorageTek T10000D Tape Drive has been placed into
one of the FIPS-Approved modes or the Mixed Mode. Instructions on how to
place the drive into another mode are provided in this section. The CO is
responsible for placing the ETD into one of the Approved modes of operation.
An Oracle Service Representative is not required to be present when switching
Approved modes. Switching between modes will cause keys to be zeroized.
3.2.1 Using SSH (all modes)
The module supports SSH communications for remote administration. SSH is
available in each mode of operation. When using SSH for remote administration,
only the following options may be used from an SSH client to establish a
FIPS-approved session:
1. Protocol Version: SSH v2.0
2. Encryption: AES 128-bit CTR or AES 128-bit CBC
3. MAC: HMAC-SHA-1
4. KEX: ecdh-sha2-nistp256 or diffie-hellman-group14-sha1
5. Host Key: ecdsa-sha2-nistp256, ssh-rsa
Using the preceding options will allow a FIPS-approved SSH session to be
established.
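One way to confirm that a client offers only the options listed above before connecting (an added example, not part of the Oracle policy): the script audits the effective configuration printed by OpenSSH's `ssh -G <host>`. It assumes an OpenSSH client and the standard SSH identifiers for the listed algorithms (aes128-ctr, aes128-cbc, hmac-sha1); the host name and sample outputs are constructed.

```python
# Added example: allow-list built from the options listed in section 3.2.1,
# written with their standard SSH algorithm identifiers (assumed mapping).
APPROVED = {
    "ciphers": {"aes128-ctr", "aes128-cbc"},
    "macs": {"hmac-sha1"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"},
    "hostkeyalgorithms": {"ecdsa-sha2-nistp256", "ssh-rsa"},
}

def audit_ssh_client_config(ssh_g_output):
    """Return {option: [problems]} for the effective config printed by `ssh -G`."""
    seen = {}
    for line in ssh_g_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in APPROVED:
            seen[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    findings = {}
    for option, allowed in APPROVED.items():
        if option not in seen:
            # An unset option means the client's default list would be offered.
            findings[option] = ["<not set: client defaults apply>"]
            continue
        extra = [a for a in seen[option] if a not in allowed]
        if extra:
            findings[option] = extra
    return findings

# Constructed sample inputs in the "keyword value" format that `ssh -G` prints.
COMPLIANT = """\
hostname drive.example.invalid
ciphers aes128-ctr,aes128-cbc
macs hmac-sha1
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha1
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-rsa
"""
DEFAULTS_LEAK = """\
hostname drive.example.invalid
ciphers chacha20-poly1305@openssh.com,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
kexalgorithms ecdh-sha2-nistp256
"""

if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT), ("defaults", DEFAULTS_LEAK)):
        print(name, audit_ssh_client_config(sample))
```

An empty result means every algorithm the client would offer is on the list; any entry names an algorithm to remove from the client's `Ciphers`, `MACs`, `KexAlgorithms` or `HostKeyAlgorithms` setting for this host.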
3.2.2 Memory Dump Offload (all modes)
Memory dumps may only be offloaded using SFTP (SSH). All other forms of
offload are prohibited.
3.2.3 Switching To Encryption Disabled Approved Mode
The CO can place the module into the Encryption Disabled Mode from the
Encryption Enabled Mode or the Mixed Mode. The CO shall perform the
following steps to place the module into the Encryption Disabled Mode:
1. Using the “Drive Operations” menu on VOP, reset the ETD [55]
2. After reboot, use the “Drive Operations” menu to place the drive offline
3. Navigate to the “Encrypt” tab in the “Drive Data” window (Configure Drive Data)
4. Set the “Turn encryption off” field to “Yes”
5. Press the “Commit” button
[55] Step 1 is not required if the drive is currently operating in the Mixed Mode