Sun Microsystems
Sun StorageTek™ T9840D Tape Drive Security Policy
6.1 Definition of Public Keys
Table 5 describes the public keys stored with the ETD.
Table 5: Description of Public Keys within the ETD
| Public Key Name | Description |
| --- | --- |
| CA_Cert | CA Certificate public key self-signed by a KMS 2.x cluster. Contains a 2048-bit RSA Public Key for each appliance in a KMS 2.x cluster. Used by the ETD to authenticate the appliance during the TLS handshake. |
| Tape Drive Public Key (TDPubKey) | The Tape Drive Public Key is a 2048-bit RSA key used by TLS. The ETD sends this key to the KMS 2.x cluster to authenticate the Tape Drive during the TLS handshake. It is stored within an X.509 certificate within the ETD. |
| Key Wrap Key Public Key (KWKPublicKey) | The Key Wrap Key Public Key is a 2048-bit RSA public key used to wrap the AES Key Wrap Key. |
| Dump Encryption Public Key (DEPubKey) | The Dump Encryption Public Key is a 2048-bit RSA public key used to wrap the DEKey. It is stored in an X.509 certificate. |
| Firmware Signature Public Key (FSPubKey) | The Firmware Signature Public Key is a 2048-bit RSA key used to validate any uploaded firmware. |
| Firmware Signature Root Certificate Key (FSRootCert) | The Firmware Signature Root Certificate Key is a 2048-bit RSA key within a PEM encoded certificate used to validate the certificate chain within the candidate firmware image. |
7 Access Control Policy
7.1 Roles and Services
Table 6 shows the services available to each authorized role (Crypto-Officer (C.O.) or User) and the access each service has to keys and CSPs. See section 6 for a description of the keys and CSPs.
Table 6: Services Authorized for Roles
| Name of Service | Service Description | Available on: | Available in FIPS mode | Available in non-FIPS mode | Role | Access to Keys/CSPs |
| --- | --- | --- | --- | --- | --- | --- |
| Enroll ETD | Authenticates an external management system acting on behalf of the Crypto-Officer (KMS 2.x cluster) to the ETD using the Passphrase. | RJ45 (Ethernet) | Yes | Yes | C.O. | Uses Passphrase; Writes and uses CA_Cert; Writes TDPrivKey; Writes TDPubKey |
Feb 5, 2010
Part 316055201, Rev: AA
Page 14