Datacryptor® Ethernet User Manual

1270A450-005 June 2008

All manuals and user guides at all-guides.com


Contents of Datacryptor Ethernet

Page 1: ...Datacryptor Ethernet User Manual 1270A450 005 June 2008 ...

Page 2: ...Datacryptor Ethernet User Manual Preface Page 2 THALES ...

Page 3: ...tion 19 Hardware Installation 19 Rack Mounting Instructions 19 Cabling Requirements 20 To Cable the Datacryptor 21 Power on the Datacryptor 22 Software Installation 23 Requirements 23 Installation Procedure 24 6 Connecting to Datacryptor Ethernet Units 25 Users 25 IP Parameter Configuration via a Serial Connection 25 Dial Up Networking 27 Adding a Unit to Element Manager 28 Direct Invocation of Fr...

Page 4: ...et Comm Tab for 1 and 10 Gigabit Datacryptors 75 The Ethernet Comm Tab for 100 Mb Datacryptor 77 The Ethernet Encryption Tab 79 The Expert Tab 80 The Ethernet Tunneling Tab 81 The Environment Tab 85 Appendix A Device Maintenance 86 Appendix B Loading Datacryptor Unit Software 88 Appendix C Product Specifications 95 Appendix D Environmental Regulatory 96 Appendix E SFP and XFP Interfaces 98 Appendi...

Page 5: ...n whole or in part nor disclosed to any third party without the prior written permission of Thales e Security neither shall it be used otherwise than for the purpose for which it is supplied Thales e Security reserves the right to modify or revise all or part of this document without notice and shall not be responsible for any loss cost or damage including consequential damage caused by reliance o...

Page 6: ...e Software Firmware or Documentation for any purpose except you may copy the Software into machine readable or printed form for backup purposes in the event the CD ROM or other provided media is damaged or destroyed You may combine the Software with other programs Any portion of the Software merged into or used in conjunction with another program will continue to be the property of THALES and is s...

Page 7: ...THALES is unable to correct such defect within a reasonable amount of time you may terminate this Agreement by returning the Software Machine including Firmware Documentation and Key to the place where you obtained them either for replacement or if so elected by THALES a refund of the amount paid by you for the subject item 2 THALES shall replace any media not meeting THALES Limited Warranty and w...

Page 8: ...FTWARE LICENSE CONTAINED THEREIN SHALL TAKE PRECEDENCE OVER ALL CONFLICTING TERMS AND CONDITIONS IF ANY CONTAINED IN THIS LICENSE AGREEMENT OTHERWISE ANY ADDITIONAL TERMS AND CONDITIONS SET FORTH IN THIS LICENSE AGREEMENT SHALL SUPPLEMENT AND BE READ IN CONJUNCTION WITH THE SOFTWARE LICENSE CONTAINED IN ANY SUCH SEPARATE AGREEMENT Hardware Warranty The period of warranty for this product starts on...

Page 9: ...ERATIONAL ENVIRONMENT IS NOT RECOMMENDED THALES e SECURITY EXPRESSLY DISCLAIMS ANY AND ALL LIABILITY FOR DAMAGES INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES RESULTING FROM USE OF THE UNIVERSAL CERTIFICATE OR ANY OTHER CERTIFICATE SUPPLIED BY THALES e SECURITY Prior to use in an operational environment please change the certificate authority following the procedure s described in the Key Man...

Page 10: ...00 Fax 44 0 1844 208550 e mail emea sales thales esecurity com Asia Pacific THALES e Security ASIA LTD Units 2205 06 22 F Vicwood Plaza 199 Des Voeux Road Central Hong Kong Tel 852 2815 8633 Fax 852 2815 8141 e mail asia sales thales esecurity com PRODUCT SUPPORT CENTERS Americas Tel 1 954 888 6277 Toll free within USA 1 800 521 6261 Fax 1 954 888 6233 e mail support thalesesec com Europe Middle E...

Page 11: ... or 10 Gig Ethernet as appropriate The differences between the two models are mainly in the speed of operation and the physical size of the casing This manual describes how to install the Thales Datacryptor Ethernet unit and the Element Manager software It also describes how to use the Element Manager software to configure and manage the Thales Datacryptor Ethernet device This document is intended...

Page 12: ...oading Datacryptor Unit Software describes how to load software into your Thales Datacryptor Ethernet unit Your Datacryptor will be supplied pre loaded with software so you will only require the information in this appendix if a re load or upgrade is needed Appendix C Product Specifications gives the system specifications Appendix D Environment and Regulatory Information describes the operating co...

Page 13: ...0 Mb Ethernet units have standard RJ45 sockets on the front panel for Host and Network connections while the 1 Gig and 10 Gig Ethernet units have two Small Form Factor sockets on the front panel these accept a range of transmit receive interfaces The 1 Gig Ethernet unit uses SFP type sockets and the 10 Gig Ethernet unit uses the XFP type sockets The host port is connected to the private network an...

Page 14: ...Figure 3 4 Datacryptor 1 Gig Ethernet Rear Panel Figure 3 5 Thales Datacryptor 10 Gig Ethernet Front Panel Figure 3 6 Datacryptor 10 Gig Ethernet Rear Panel Note See The Front Panel LEDs in the Element Manager Reference section for full information on the LED indicators ...

Page 15: ... 1 Gig Ethernet unit or 20 Gbps full duplex 10 Gig Ethernet unit Network Interfaces 10 100BaseT User selectable between 10 Mbps and 100 Mbps 1 Gig Ethernet 1000 Mbps full duplex 10 Gig Ethernet 10 000 Mbps full duplex Auto negotiation does not apply to the 10 Gig Ethernet Key management Diffie Hellman key exchange groups 1 2 and 5 Encryption Advanced Encryption Standard AES FIPS 197 256 bit keys M...

Page 16: ...etailed description of the environment required The PC can connect to a Datacryptor Ethernet unit to manage it using the IP protocol over a standard 10 100 Ethernet connection The PC can also connect to a Datacryptor Ethernet unit using PPP protocols via a serial connection Once the PC is connected to the Datacryptor Ethernet unit a communications session can be established and all the functions p...

Page 17: ...d on either side of the connection securing the data transmitted across the untrusted public network Data is sent from a web server through to the host network It is then encrypted by the Datacryptor Ethernet for secure transfer over the public network where a second Datacryptor Ethernet decrypts the data at its destination Gigabit Ethernet Technology Overview The Gigabit Ethernet technology used ...

Page 18: ...e packet This value is transmitted alongside the message and the receiving device then applies the same criteria and compares the two values Auto negotiation Auto negotiation was devised to address the need for multi speed devices on a network to operate at the optimum settings It achieves this by taking control of the connection medium and detecting the various mode options available in the devic...

Page 19: ...Release Notes Quick Start Guide Note Interface transceivers if ordered will be shipped separately from the Datacryptor unit 1 Gig and 10 Gig Ethernet units only Rack Mounting Instructions The Datacryptor can be mounted in a standard 19 inch rack using the front mounting brackets or simply placed on a rack shelf or solid surface Preparation Before installing the Datacryptor in a 19 inch rack consid...

Page 20: ... Gig and 10 Gig Ethernet units are fitted with two hot swappable power supply units consideration could be given to these types of Datacryptors using a different supply phase for each of the power supply units Disconnection Power disconnection is achieved by removal of the plugs from the mains outlet sockets Ensure that the socket outlets are close to the unit and can be easily identified and acce...

Page 21: ...Directive 89 336 EEEU EMC C use only shielded cables DB 9 null modem cables and Category 5 STP cables To Cable the Datacryptor The Host and Network interface transceivers that are used with the 1 Gig and 10 Gig Ethernet units are shipped separately from the Datacryptor unit and therefore must be inserted before proceeding with the cabling operation The connections are the same when using any of th...

Page 22: ... units The 100 Mb Ethernet units have a single fixed power supply unit The power supply units for all models of Datacryptor can be either AC or DC 48 V 2 The AC power supplies are auto sensing 100 to 240 Volts 50 to 60 Hz 3 Before applying power to the Datacryptor verify that the voltage shown on the UL label affixed to the unit s back panel is appropriate for your site WARNING 1 Gig and 10 Gig Et...

Page 23: ...ting Software Installation There are two software programs the firmware resident in the Datacryptor Ethernet unit and the Element manager software The firmware provides the unit's functionality and is pre installed The unit has the ability to upgrade with new firmware offering new features without the requirement of returning the unit to Thales Instructions on the Firmware Upgrade ability will be p...

Page 24: ...of the Front Panel Viewer being run concurrently The PC must be able to reach the Datacryptor on the Ethernet network or alternatively be connected to the unit via a serial cable to the unit s control port Installation Procedure To install the Element Manager on the PC Insert the CD ROM containing the Element Manager software into your PC This will auto start the installation page Select the Insta...

Page 25: ... secure users for the Datacryptor Ethernet as anyone sending information will automatically use the Datacryptor Ethernet unit The people who administrate and configure the Datacryptor Ethernet do need to be secure and need to be authenticated using secure methods Certificates are loaded into the Datacryptor Ethernet units that have keys used to sign messages between the PC used for configuration a...

Page 26: ...able Command Description HELP Display help for a command HELPKEYS List of keyboard usage in this command interface DEFAULT Return all IP address and net mask settings to defaults DISPLAY Display current IP address and net mask settings IPFORWARD Enable or disable IP forwarding ROUTE Add delete or display IP routing data SET Set an IP address and net mask settings SETTIME Display or set the unit ti...

Page 27: ...nted in binary for example 255 255 1 0 is invalid To make the unit request an Ethernet Management Port IP address from a DHCP BOOTP server on the LAN set its Ethernet Management Port IP address to 255 0 0 0 and net mask to 255 255 255 255 this is an exception to the rule mentioned in the note above To reset the addresses to factory defaults use the DEFAULT command The above section details the ste...

Page 28: ...ick Connect 11 A connection with the Datacryptor Ethernet will be made Ensure the connection is made then disconnect Adding a Unit to Element Manager Once the Management or Dial up connection is set up you can connect to each Datacryptor Ethernet unit by adding an icon in the Element Manager The Dial Up connection created earlier must be running if a serial connection is to be used 1 Start the Ele...

Page 29: ...g to Datacryptor Ethernet Units 1270A450 005 June 2008 Page 29 4 Select the unit type as Datacryptor and enter the IP address of the Datacryptor Ethernet unit Press Enter or select Next to continue ...

Page 30: ... connect to the specified IP address and if successful display the unit s Unit Name by way of confirmation as above Type a descriptive name for the connection in the edit box this will be shown in the main window below its icon 7 Click Finish or press Enter to finish adding the new connection and Datacryptor icon which will be displayed as a new icon in the main window like this ...

Page 31: ...in a minute this should display the Front Panel Viewer for the unit an example for the 100 Mb Ethernet Datacryptor is given below It is possible to abort the connection attempt at the splash screen by pressing its Cancel button 9 You can now check the unit details at the top of the window to make sure that the unit is connected correctly and proceed to configure the unit ...

Page 32: ... Front Panel Viewer directly from Windows instead of going through the element manager This may be achieved by 1 Using Windows Explorer navigate to the location of the DC2k exe file create a shortcut and place on your desktop 2 Click on the shortcut 3 The Element Manager Supply IP Address will be displayed Enter the IP address of the Datacryptor Ethernet unit and press Enter or OK to continue Afte...

Page 33: ...n e g an SNMP network manager to invoke the Front Panel Viewer for a specified Datacryptor unit If Dc2k exe is invoked without any parameters it will prompt the user to enter the IP address of the unit to connect to To display a short summary of the command line parameters supported use the command Dc2k exe ...

Page 34: ...s dialog Each will now be described in turn Remember that you also have access to online help while using the Element Manager via the F1 Help key and the Help menu Main Window The main window is displayed when the Element Manager application is launched providing access to menus toolbar and a window containing icons representing each of the Datacryptor units added to the system Each of the compone...

Page 35: ...n Description Undo Delete Restore the last Datacryptor unit deleted Edit Unit Edit the selected unit s description IP address or connection method View The following options are available from the View pull down menu Menu Option Description Toolbar A toggle controlling the display of the Toolbar and its buttons Ticked when enabled Status bar A toggle controlling the display of the Status bar which...

Page 36: ...d Poll all units on startup Help The following options are available from the Help pull down menu Menu Option Description Help Topics The main entry point into the application s on line Help system About The application s version information Toolbar Icons The Toolbar displays a number of graphic buttons that provide direct access to key functions Create New Datacryptor icon File New Datacryptor me...

Page 37: ...on the Toolbar This displays a confirmation dialog first To change an icon s description IP address or connection method 1 Select the icon and select the Edit Edit Unit menu option or press F2 This displays the Edit Unit dialog 2 Edit the name IP address or connection method and click OK or press Enter Note The type of unit cannot be changed if you want to change the unit type it will have to be d...

Page 38: ... button Note that the text on the splash screen may change from Identifying unit to Fetching unit information during the connection process The splash screen closes and the Front Panel Viewer is displayed when you successfully connect to a Datacryptor Ethernet unit to display its status and provide access to the management facilities There are some differences between the Front Panel Viewer for th...

Page 39: ...atacryptor Ethernet User Manual Element Manager Reference 1270A450 005 June 2008 Page 39 100 Mb Ethernet Front Panel Viewer 1 Gig Ethernet Front Panel Viewer ...

Page 40: ...ad from the unit Management Version read from the application Application Version read from the unit Bootstrap Version Firmware number Serial Number Unit unique serial number In the blue rectangle a diagram of the unit s front panel shows the state of the LEDs which can be examined to check the state of the unit see the Front Panel LEDs section In addition if you move the mouse pointer to an LED a...

Page 41: ...tor Light State Indication On Unit is powered on Power green Off No power On Normal operation Fast Flash Link Down Slow Flash Not used Network green Off Loss of Signal Loss of Synchronization On Errors have occurred Fast Flash New errors in log Error red Off No errors Off 100 Mbps operation 10M 100 Mb Ethernet unit only On 10 Mbps operation Off Normal operation no loopback enabled Slow flash Host ...

Page 42: ... logged in the button changes to Logout Management Click on this button to display the Element Manager main window View Logs This button displays the Logs Window for you to produce examine and manage error and other logs from the selected unit Key Manager Displays the Key Manager dialog to manage the units CAs and Certificates Properties This button displays the Properties dialog box for the unit ...

Page 43: ...y existing files and those generated by the Certificate Manager have not been extended The adminv2 usr file is in this original format The FPV may be configured to reject accept or upgrade User Key Material files that do not contain the extended fields accept Legacy files will be accepted by the Front Panel Viewer even if enhanced security is turned on The enhanced checks will not be made when a l...

Page 44: ... problems with third party scripting tools Note also that ampersands question marks periods and commas are not allowed Selecting this box will enable password format checks in addition to the basic password requirements Those checks require the password to include At least two upper case alpha characters A Z At least two lower case alpha characters a z At least two numeric characters 0 9 At least ...

Page 45: ...the new password will only be checked against the existing password and not against any of the previous passwords Setting this to ten indicates that the new password will be checked against the existing password and all nine previous passwords Defaults When the Front Panel Viewer is first installed these fields will default to the values shown here These settings permit the Front Panel Viewer to o...

Page 46: ...means that they all have the Admin2 usr file that can be used to log into any unit that has the Universal CA loaded It is essential for security to change this Universal CA to a Custom CA as soon as possible If the unit owner has a copy of Certificate Manager a trusted member of staff can create the Custom CA if not an external SA can provide one The process of installing the required elements is ...

Page 47: ...art the Commissioning Wizard which begins by displaying an overview of the process as shown below The first item in the list will be Installing a Certificate Authority CA as shown above 3 Click the Next button to proceed to step 1 below The first page of the wizard asks if a new CA is to be installed in the unit ...

Page 48: ...u to transfer control to a different custom CA 1 To stay under the control of the manufacturer CA select the No option and click the Next button or press Enter This will take you to step 3 2 To transfer from the manufacturer CA to a new CA select the Yes option Insert the diskette containing the new CA s CAC file and enter the path to the CAC file or use the Browse button to find it Click the Next...

Page 49: ...e 2008 Page 49 Step 2 Installing the authenticating CA Insert the diskette containing the authenticating CA s CA file and enter the path to the CA file or use the Browse button to find it Click the Next button to proceed to step 3 ...

Page 50: ...t name as delivered since units are manufactured with unique names the same as the serial number or change it now according to your security procedures The edit box displays the unit s current unit name 1 To keep the displayed unit name click Next 2 Alternatively to change the unit s name click on the Yes radio button and edit the name Then click Next to continue ...

Page 51: ... the dates between which the Certificate is valid in the Effective Date start and Expiration Date finish fields The Start Time is effectively 00 00 and the End Time is 23 59 unless the issuing CA is different on the days selected The default end date is the last day of the issuing CA 3 Click Next to continue and a dialog will list the options you have chosen ...

Page 52: ...lashing which indicates that the unit has been commissioned successfully Check the unit s LEDs or get someone else to do so if the unit is remote and click Yes if they are flashing 3 The new CA and certificate can be seen in the Certificates tab of the Key Manager 4 Once a unit has been commissioned with the correct CA and Certificate it can be used for the transfer of secure information ...

Page 53: ...word providing you know the original password Change Password Dialog This dialog is displayed when you select the Change Password button from the Login dialog Type the current password in the Old Password text box and enter the new password in the New Password and Re type New Password text boxes The basic password requirement is that it must be 8 to 28 case sensitive alphanumeric characters Howeve...

Page 54: ...log recorded by the selected unit There is only one log but it contains data of four different types Audit A report of all management operations performed on this unit using the Element Manager Error A report of any faults that have been discovered with unit hardware and keyspace Key A report of all key update and erasure attempts CAUTION If the password is lost all Administrator functionality is ...

Page 55: ...rrently displayed log s typically after saving them first Save As save the currently displayed log s in a named file You can then keep the file as a backup print it or process as appropriate Close close the Logs Window and return to the Front Panel Viewer The View menu provides Audit If this option is ticked then all the Audit entries in the log are shown Error If this option is ticked then all the...

Page 56: ...nt tab click on its name or use Ctrl Tab to display the next tab or Ctrl Shift Tab to display the previous tab If you make changes on a tab they will be written to the unit when you click the Apply button or click the OK button to apply the changes and close the dialog You can also store or retrieve the properties by using the controls in the Unit Settings box on the General tab this provides an e...

Page 57: ... from the unit Description read from the unit Change click this button to set the unit s clock calendar The clock is used to track the time that Keys are created and to track certificate expirations The unit operates internally on UTC time and the Element Manager attempts to correct when setting and when displaying for the users time zone Note If you set the unit s clock backwards to a date and ti...

Page 58: ...em to the current unit by clicking the Apply button Save changes on exit tick this box to save the current properties to a named file when you exit the program Auto Refresh tick this box to re load the current setting from the unit every n seconds where n is set by the adjacent control Warning This may cause large amounts of data to be transferred from the unit under management and may degrade sys...

Page 59: ...diagnostic facilities Reboot click this button to reboot the unit as if it had been turned off and on again This operation takes several minutes Rebooting halts all operations on the device and starts the boot process in the same manner as when the power is cycled Save any configuration changes prior to rebooting the unit Unsaved changes will be lost ...

Page 60: ...ed from a remote unit are looped back out to that remote unit An indication of the loopback status of the unit can be obtained from the Loopback LED on the Front panel See The Front Panel LEDs for the details These loopback options allow line diagnostic tests to be performed by external test equipment The Audit log will record when the host port Private Loopback or network port Public Loopback has...

Page 61: ... as follows Control Port the IP address and net mask of the unit s Control Port this value is only used if the PPP does not negotiate another value Network the IP address and net mask of the unit s Network Port Ethernet the IP address and net mask of the unit s Ethernet management Port Control Port these fields show the settings for dial up networking SNMP Config click this button to configure the...

Page 62: ...ypically a PC called an SNMP Network Manager This SNMP Network Manager must be compliant with the SNMP agent version support selection on the Agent Configuration tab see below A list of the log and SNMP trap numbers with descriptions is provided as an appendix to this guide To configure SNMP click the SNMP Config button on the unit s IP Management tab to display the SNMP Config dialog This dialog ...

Page 63: ...community names An SNMP community defines a name and a set of permissions for that community name each SNMP request received by a Datacryptor unit is labeled with the originator s community name so the unit can decide whether to permit or deny the request These community strings will be utilized by the device to determine whether or not to allow SNMPv1 and SNMPv2c requests To disable SNMPv1 and SN...

Page 64: ... control model based upon users and views Management of these users and views is controlled using native SNMPv3 commands Please utilize your existing SNMPv3 management tools to manage user and view based access control Management of the SNMPv3 users is a time consuming task and you should set your command timeout values to at least 120 seconds per transaction Default SNMPv3 user information is dis...

Page 65: ... SNMP traps for this unit use the appropriate Enable checkboxes for each version of SNMP When defining an SNMP Trap that is not on a local network connection the Datacryptor Ethernet must have a route defined for the address in order for the Traps to be delivered to the SNMP Manager To add a new SNMP trap manager 1 Select the Traps tab 2 Select the appropriate SNMP version tab 3 Click the Add ...

Page 66: ...ld is unused because the unit only issues SNMP Version 3 traps You can set this field to any value without affecting behavior of trap issuance Trap Filter Tick the categories of event to send to this trap manager Note It may take up to 20 seconds to acknowledge the selected action ...

Page 67: ...tion alone or authentication and privacy combined or no security at all Add Trap Manager dialog for SNMPv3 Security Type Select the type of security that will be used for the reports from the drop down list If the security is set to none No Auth No Priv then the user name will be highlighted in red on the SNMPv3 tab as illustrated by the following image ...

Page 68: ...Element Manager Reference Datacryptor Ethernet User Manual Page 68 THALES ...

Page 69: ... in the Edit Trap Manager dialog as required and then click OK Note It may take up to 20 seconds to acknowledge the selected action To delete an SNMP trap manager 1 Select the entry to delete by clicking on it and then click the Delete button 2 Click Yes to confirm deletion or No to cancel deletion Note It may take up to 20 seconds to acknowledge the selected action ...

Page 70: ...n on the Properties IP Management tab will display the IP routes dialog detailing the IP routes that have been defined for this unit and providing facilities to maintain the IP routes list Use the Add Edit and Delete buttons to manage the required list of IP routes ...

Page 71: ...e longest time that the unit will use a DEK for in days hours minutes or the time at which to perform a daily key exchange see next control Time of Day Key Exchange check this box to force a regular key exchange at the same time every day as specified by the DEK field Change KEK with DEK check this box to change the KEK when the DEK changes When this is checked the KEKs are not stored and will not...

Page 72: ...e Datacryptor Ethernet will gradually increase the time intervals between attempted key exchanges It will try after one minute then after a further 2 minutes and then after a further 4 minutes i e the interval is doubled each time The interval will continue to double up to a maximum interval of 2 hours it will then continue to poll every 2 hours Force Key Exchange click this button to force an imm...

Page 73: ...sed to select which version of RIP that the Datacryptor Ethernet is using Off this switches off compatibility with any version of RIP No RIP messages transmitted on any port RIP 1 select this if you wish the Datacryptor to be compatible with the first version of RIP This version of RIP only uses broadcasts to pass on information RIP 2 multicast this sets the Datacryptor to be compatible with RIP v...

Page 74: ...e metric or cost that is associated to each route that is advertised in RIP responses sent out by the Datacryptor unit Generate Authentication Entries RIP 2 can implement an authentication entry in the first part of its response that contains a password If a router matches its own RIP password with that of the RIP response authentication entry it will accept the routing information in the RIP resp...

Page 75: ...e 1 Gig Ethernet unit Differences between the 1 Gig and 10 Gig units will be stated where relevant Ethernet Comm Tab for the 1 Gigabit Datacryptor The properties are as follows Mode Selects one of two options for the transmission mode Bulk Unit encrypts everything including Ethernet header Tunneling Unit encrypts everything below Ethernet header When a mode change is made then the following dialo...

Page 76: ...ation allows the unit to automatically negotiate connection without intervention from the user Note The Datacryptor 1 Gig Ethernet only supports 1000 Mbps full duplex and the 10 Gig Ethernet unit only supports 10 000 Mbps full duplex The 100 Mb unit supports a selection of one 10 Mbps or 100 Mbps Anything else will cause the auto negotiation if selected to fail and report Link Down on the General ...

Page 77: ...mmunications settings of the Datacryptor unit They are as follows Mode Selects one of two options for the transmission mode Bulk Unit encrypts everything including Ethernet header Tunneling Unit encrypts everything below Ethernet header When a mode change is made then the following dialog will be shown advising that the unit must be rebooted ...

Page 78: ...ion unit to let the Pause frames pass through unencrypted to the switch on the local side A typical rule is Plain public 01 80 c2 00 00 01 This Multicast address corresponds to address reserved in IEEE 802 3 for the Pause functionality Speed configured Must be set to 10 Meg or 100 Meg as appropriate to the speed of the link Enabling auto negotiation only permits the Datacryptor to tell requesting ...

Page 79: ... the unit Target Encryption mode This allows you to select the target or required encryption mode using the drop down menu The three options are Standby Encrypt or Plain Peer Details The Peer unit s details Name IP Address etc are shown on the tab Ping Peer Unit button This button may be clicked to show additional Peer information if required ...

Page 80: ...y the encryption of the Ethernet packets By default this mode is enabled and disabling the mode is only recommended when connecting this unit to a legacy Ethernet Datacryptor which does not support the CTS mode The Enable CTS Mode checkbox is greyed out when the Current Encryption Mode is Encrypt The CTS mode may only be changed when in Plain or Standby mode that includes during the time that Targ...

Page 81: ...not displayed for the 10Gig Ethernet unit The 10Gig Ethernet unit does not support fragmentation MAC Settings Operating at the Layer 2 level the in band communications between the units will be controlled by using MAC Addresses The unit has two addresses assigned for use between the units at either end of an Ethernet Layer 2 link The Unit MAC Address is displayed The peer MAC address must be obtai...

Page 82: ...ired address in the boxes shown Movement between the boxes can be achieved by using the mouse or the tab and shift tab key combinations The unit's MAC address must be inserted in the peer unit address box at the other end of the link Filter Rules Clicking the Display Filter Rules button will display the following dialog ...

Page 83: ...is to select a rule type Rule Type Plain this allows the Datacryptor unit to pass information from the specified addresses in plain and is used to allow network specific traffic To ensure compatibility and operation of equipment within the public network Block this option identifies individual addresses or a range of addresses which are to be denied access by the Datacryptor unit The second step i...

Page 84: ...ragmentation can be enabled with the Fragmentation Size field in tunnel mode Encapsulated frames that become larger than the public networks allow can be fragmented The fragmentation works like this Outgoing frames including the tunnel header smaller or equal to Fragmentation Size will be sent to the WAN without modification Outgoing frames including the tunnel header larger than Fragmentation Siz...

Page 85: ...nit condition These readings may be used to check that the Datacryptor environment is satisfactory for normal operation It is recommended that you make a note of these readings during normal operation These readings may be useful for comparison purposes in the event of problems such as overheating If the unit temperature becomes excessive the Alarm LED will be on and an entry will be made in the E...

Page 86: ...re Make a note of these readings under normal operating conditions these readings can be used for comparison in the event of a Fan Heat monitor alarm Otherwise no special maintenance is required Physical Inspection The Datacryptor is housed in a tamper evident chassis Periodically check the chassis for evidence of tampering Items to look for include stripped screws and damaged seals Figure A 1 Loc...

Page 87: ...r supply units will cause a high pitched continuous note to sound allowing a replacement to be planned Note There is only one power supply in the Datacryptor 100 Mb Ethernet and so no audible signal will be generated for power failure in that unit Lithium Battery The Datacryptor contains a lithium battery which has a typical life expectancy of 10 years dependent on usage The Datacryptor must be re...

Page 88: ...sed to upgrade the bootstrap of the unit If a unit is being upgraded to application software greater than 1 07 04 then the user is advised to upgrade the bootstrap software to the latest version as this is required for the algorithm retention feature 1 Connect the Datacryptor to the COM port of the PC that has access to the Image Loader utility imgload exe and power it on 2 Start the imgload exe a...

Page 89: ... differently depending on whether you are using a serial or an Ethernet connection Please use one of the next two sections as appropriate to your type of connection Operations during Serial Code Loading If you are using Ethernet loading please refer to the next section 1 The Image Loader will try to initialize communications with the Datacryptor This will take a short time if the Datacryptor has n...

Page 90: ...s such as generation of correct Ethernet address and IP addresses used by later software if these are missing If housekeeping tasks are performed you will be notified in the Status Messages 5 The baud rate at which the upload will take place is displayed and the upload of the new application code will begin ...

Page 91: ...Operations during Ethernet Code Loading The following operations are only applicable if you are using an Ethernet connection for loading 1 The Image Loader will try to initialize communications with the Datacryptor ...

Page 92: ...2 Once the hardware has been validated select the Image Loader file ilf file containing the Datacryptor application image e g dc2k ilf Select the file and click OK ...

Page 93: ...3 Image Loader will begin uploading the code contained in the Image Loader file ...

Page 94: ...t you for the file name and location for saving the log file 2 Upload of the application is complete click Close to shut down the application or connect another Datacryptor for loading 3 After the application has been loaded and the unit reboots the algorithm will need to be loaded into the unit See the section Commissioning for more information Note Some algorithms may have to be loaded at the fa...

Page 95: ...m W including mounting brackets x 240 mm D including connectors 3 0 Kg 15 Watts power dissipation typical 1 Gig Ethernet unit 44 mm H x 483 mm W including mounting brackets x 388 mm D including PSU fixed connector 8 6 Kg 120 Watts power dissipation typical 10 Gig Ethernet unit 88 mm H x 483 mm W including mounting brackets x 420 mm D including PSU fixed connector 10 3 Kg 140 Watts power dissipatio...

Page 96: ... ICES 003 EN61000 3 2 1995 EN61000 3 3 1999 Harmonic Currents EN61000 4 2 1995 Electrostatic Discharge EN61000 4 3 1995 Radiated Immunity EN61000 4 4 1995 Electrical Fast Transient Burst EN61000 4 5 1995 Lightning Surge EN61000 4 6 1995 Conducted Disturbances EN61000 4 11 1995 Voltage Dips Variations and Short Interruptions FCC Information USA This equipment has been tested and found to comply wit...

Page 97: ...all requirements of the Canadian interference causing Regulations This Class B digital apparatus meets all the requirements of the Canadian equipment regulations European Notice Products with the CE Marking comply with both the EMC Directive 89 336 EEC and the Low Voltage Directive 73 23 EEC issued by the Commission of the European Community ...

Page 98: ...the time of ordering The 10 Gig Ethernet unit is supplied with 10 Gigabit Small Form Factor Pluggable XFP single mode fiber laser devices see below as specified at the time of ordering The following multi rate devices are supported Copper RJ45 1310nm single mode short range 1310nm single mode intermediate range 1310nm single mode long range 1550nm single mode intermediate range 1550nm single mode ...

Page 99: ...mproperly handled and can result in complete or intermittent failures Always follow ESD prevention procedures when removing and replacing components Use the following guidelines to prevent ESD damage Always use an ESD wrist or ankle strap and ensure that it makes skin contact Connect the equipment end of the strap to an unpainted metal chassis surface If no wrist strap is available ground yourself...

Page 100: ... the Baud rate settings are set to 115200 8 N 1 Not able to log in to the Front Panel Viewer Verify the password Configuration Symptom Explanation and Possible Solutions Datacryptor does not recognize its new IP address Verify the IP address using the Element Manager see The IP Management tab section above Correct the IP address if necessary save the configuration and then reboot the Datacryptor T...

Page 101: ... test the connections see The Diagnostics Tab on page 59 Fan Heat Monitor Alarm Symptom Explanation and Possible Solutions Fan Heat Monitor Alarm Consult the Environment tab on the Properties dialog for readings of the fan speeds and unit temperature Compare these readings to those recorded during normal operation to determine the nature of the problem Verify that nothing has become inserted in th...

Page 102: ...deviated from a RFC specification we have provided updated RFC MIB files reflecting those changes Supported MIBs are listed in the table below MIB Name Description DC2K MIB R4 SMIv2 compliant MIB file containing Thales e Security enterprise specific values This MIB is used as the parent for all other MIB files except the RFC MIB files Please see the supplied MIB file for specific details DC2K M...

Page 103: ... majority of read write attributes in this MIB as read only in order to preserve the security of sensitive attributes Please see the supplied MIB file for specific details DC2K MIB RFC1907 RFC 1907 defines a portion of the Management Information Base MIB II Specifically it defines the new SNMPv2 framework and the associated MIB objects The Datacryptor supports the majority of read write attributes...

Page 104: ...e through the SNMP interface Modification of these attributes is only supported through the Datacryptor Front Panel Viewer FPV application Please see the supplied MIB file for specific details DC2K MIB RFC3418 RFC 2863 defines a portion of the Structure of Management Information SMIv2 The Datacryptor supports the majority of read write attributes in this MIB as read only in order to preserve the s...

Page 105: ...umber of log trap message numbers usually failures that have the same text this is because the effect the user experiences can be caused by subtly different internal events occurring Logging these events differently can help Thales e Security diagnose complex support issues Standard Traps Message Trap No Information coldStart 0 Issued when the Datacryptor is powered up for the first time or whenev...

Page 106: ...Critical Encrypt Clock Stopped Error Hardware 7 120 Critical Decrypt Clock Stopped Error Hardware 8 120 Critical Battery may need replacing Battery may be more than 10 years old or exhibiting symptoms of low voltage Error Hardware 9 120 Critical Random Number Generator diagnostics Failed Error Hardware 10 120 Critical Continuous Random Number Generator test failed Error Hardware 11 120 Critical Re...

Page 107: ...d it will be necessary to reboot the unit If alarm persists contact Thales e security support Error Hardware 17 122 Major Alarm condition battery low Unit recovered from alarm and noted that the battery low alarm had been activated it will be necessary to reboot the unit If alarm persists contact Thales e security support Error Hardware 18 122 Major Alarm condition secure memory was erased Unit rec...

Page 108: ...ared Error Hardware cleared 10 121 Critical Continuous Random Number Generator test cleared Error Hardware cleared 12 121 Critical Hardware Monitor reports all clear Error Hardware cleared 13 121 Critical Power Monitor reports all clear Log Trap Errors Software Log Type Code Trap No Severity Message Information Error Software 1 153 Critical Trace error Error Software 2 153 Critical Exec failure Er...

Page 109: ...ftware 19 839 Major Algorithm version not supported by this application version User has tried to load incorrect version of algorithm Error Software 20 1849 Major Destination selector table full Error Software 21 1850 Major Source selector table full Error Software 22 1851 Major Security Policy table full Error Software 23 153 Critical SRAM Corruption has been detected Error Software 24 153 Critic...

Page 110: ...nor DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 5 205 Minor DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 6 206 Minor DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 7 207 Minor DEK exchange unsuccessful Unex...

Page 111: ...st or units may be busy Key 16 216 Minor KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 17 217 Minor KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 18 218 Minor KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 19 ...

Page 112: ...tificates installed Generated by master unit when attempting to perform a Key Exchange with a non commissioned unit slave unit Key 28 228 Major Diffie Hellman parameters do not match Generated at Unsuccessful attempt to generate a KEK due to no matching Diffie Hellman parameters Key 29 229 Major No own unit certificate installed Generated by slave unit when a master unit is attempting to perform a...

Page 113: ...expected time out in key exchange connection may be lost or units may be busy Key 41 237 Warning Commissioning unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 42 238 Warning Commissioning unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 44 239 Informational Management session already in progress Unit b...

Page 114: ... Key 58 258 Minor DEK exchange unsuccessful Key 59 259 Minor DEK exchange unsuccessful Key 60 260 Minor DEK exchange unsuccessful Key 61 261 Minor DEK exchange unsuccessful Key 62 262 Minor DEK exchange unsuccessful Key 63 263 Minor DEK exchange unsuccessful Key 64 264 Minor DEK exchange unsuccessful Key 65 265 Minor DEK exchange unsuccessful Key 66 266 Minor Failed to create DEK Key 67 267 Minor ...

Page 115: ...ported DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 1006 506 Warning Peer reported DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 1007 507 Warning Peer reported DEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 1...

Page 116: ...17 Warning Peer reported KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 1018 518 Warning Peer reported KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units may be busy Key 1019 519 Warning Peer reported KEK exchange unsuccessful Unexpected time out in key exchange connection may be lost or units...

Page 117: ...Peer reported no common certificates Key 1031 531 Warning Peer reported Certificate exchange unsuccessful Unexpected time out in protocol connection may be lost or units may be busy Key 1032 532 Warning Peer reported Certificate exchange unsuccessful Unexpected time out in protocol connection may be lost or units may be busy Key 1033 533 Warning Peer reported Certificate exchange unsuccessful Unex...

Page 118: ...1 Major PEER DEK installation failed Key 1052 552 Major PEER Failed to set line mode Key 1053 553 Major PEER Receive and transmit keys are identical Key 1054 554 Major Peer has no KEK algorithm loaded or it is operating incorrectly PEER Failed KEK Known Answer Test Key 1055 555 Major Peer has no DEK algorithm loaded or it is operating incorrectly PEER Failed DEK Known Answer Test Key 1056 556 Majo...

Page 119: ...ormational DEK installed Key 2002 602 Informational KEK installed Key 2003 603 Informational Installed CA certificate Key 2004 604 Informational Expired CA certificate Key 2005 605 Informational Removed CA certificate Key 2006 606 Informational Installed unit certificate Key 2007 607 Informational Expired unit certificate Key 2008 608 Informational Removed unit certificate Key 2009 609 Information...

Page 120: ...ey 2028 628 Informational DEK algorithm loaded Key 2029 629 Informational Symmetric algorithm loaded Key 2030 630 Informational CA algorithm load failed Key 2031 631 Informational Key exchange algorithm load failed Key 2032 632 Informational KEK algorithm load failed Key 2033 633 Informational DEK algorithm load failed Key 2034 624 Informational Symmetric algorithm load failed Key 2035 635 Informa...

Page 121: ...tional IP Transport SA with duplicate peer unit name removed Key 2053 800 Informational IP Tunneling SA with duplicate peer unit name removed Key 2054 799 Informational IP Trunk Protocol SA with duplicate peer unit name removed Trunk Mode not supported by Datacryptor AP Key 2055 801 Informational Peers private network information updated Key 2056 656 Minor NUA added by peer Key 2057 657 Minor NUA ...

Page 122: ... Peer Unit has different SA Mode Key 2066 877 Minor SA is Offline SA is missing from Peer Unit Key 2067 878 Minor Stalled Key Exchange Installation Abandoned Key 2068 879 Minor Stalled Key Exchange Installation Abandoned Key 2069 880 Minor Stalled Key Exchange Installation Abandoned Key 2070 888 Informational Removed peer certificate by ACL Key 2071 889 Informational Peer s KEKs deleted ...

Page 123: ...e Button Key requirement Audit 7 707 Informational Serial port configuration updated User has altered one of the control port parameters This could be either Baud Rate Data Bits Parity or Stop Bit values Audit 8 708 Informational IP management configuration updated User has altered the IP address Audit 9 709 Informational Comms configuration updated Audit 10 710 Informational T1 configuration upda...

Page 124: ... configuration updated Audit 29 729 Major Failed to confirm setting peer encrypt mode Audit 30 730 Major Failed to confirm setting peer plain mode Audit 31 731 Major Failed to confirm setting peer standby mode Audit 32 732 Informational Timeslot to Bundle assignment changed Audit 33 816 Minor Unknown NUA Logged Audit 34 817 Minor X 25 DTE Link Restart Audit 35 818 Minor X 25 DCE Link Restart Audit...

Page 125: ... Informational Tunnel SA Deleted Audit 66 753 Informational Transport SA Deleted Audit 67 754 Informational Trunk SA Deleted Trunk Mode not supported by Datacryptor AP Audit 68 788 Informational Force Standby on boot cleared Audit 69 756 Informational Key Algorithms stored in backup memory Audit 70 757 Informational Key Algorithms recovered from backup Audit 71 758 Critical Random No Generator dia...

Page 126: ...onding and has caused the unit to reboot to attempt to recover Audit 79 766 Major Hot Standby reboot No response from Public CR Hot standby unit may have detected problem with Network Public port Ethernet interface which appears to have stopped responding and has caused the unit to reboot to attempt to recover Audit 80 767 Major Hot Standby reboot Failed to change IP address Hot Standby unit chang...

Page 127: ... from Public known IP address Hot standby Public side configuration appears to work Audit 89 776 Informational Operating in Secondary mode Hot standby unit has become Secondary Audit 90 777 Informational Operating in Primary mode Hot standby unit has become Primary Audit 91 778 Major Primary unprotected No contact from Secondary unit on host side Hot standby Primary unit has detected that the seco...

Page 128: ...ecurity configuration updated Audit 107 789 Informational System stopped The system was powered off at the time this message is logged Audit 108 790 Informational IP configuration updated Audit 109 791 Informational Key exchange forced Audit 110 792 Informational Default action set to passthrough Audit 111 793 Informational Default action set to discard Audit 112 794 Major Encrypt clock speed out o...

Page 129: ...ional NUA in incoming calls disabled Audit 137 854 Informational Log text overflow Audit 137 864 Informational Log text overflow Lack of logging resource will mean that some log entries will not have associated text Audit 138 836 Informational Passthrough policy added Audit 139 833 Informational Discard policy added Audit 140 837 Informational Passthrough policy deleted Audit 141 834 Informational...

Page 130: ...tional ACL configuration updated Audit 162 887 Informational ACL configuration update failed Audit 165 890 Informational SA Deleted by ACL Audit 900 891 Informational SONET configuration updated Audit 901 892 Informational SONET path hierarchy updated Audit 902 893 Informational SONET path encryption mode updated Audit 903 894 Informational SONET path overhead mode updated Audit 905 896 Informatio...

Page 131: ...ided for backwards compatibility only Audit 915 906 Informational Hardware Monitor reports all clear Deprecated MIB provided for backwards compatibility only Audit 916 907 Informational Power Monitor reports alarm Deprecated MIB provided for backwards compatibility only Audit 917 908 Informational Power Monitor reports all clear Deprecated MIB provided for backwards compatibility only Audit 918 91...

Page 132: ...ock cipher in which two identical plaintext blocks encrypt to different ciphertexts Ciphertext An unintelligible form of data that can only be read if specific operations are performed on it using a key and decrypting algorithm Ciphertext Stealing CTS CTS mode is a Datacryptor mode of operation that minimizes the latency caused by the encryption of the Ethernet packets passing through the Datacryp...

Page 133: ...ty for packets sent between the two parties If the HMAC is correct it proves that it must have been added by the source Integrity Integrity assures that the content of a message has not been altered IP Internet Protocol this is the protocol that is used to transport data across the Internet Key Secret information used to decrypt or encrypt data MAC An abbreviation for Message Authentication Code a...

Page 134: ...essages to masquerade as a legitimate user Secret Key The key used in symmetric encryption Both participants must share the same key and this key must remain secret to protect the communication Secure Hash Algorithm SHA A US standard for a cryptographically strong hash algorithm designed by the National Security Agency and defined by the National Institute of Standards and Technology NIST SFP The ...
