
© 2006 IBM Corporation

IBM System Storage™

IBM Confidential

User Guide on Solaris System Managed Encryption (version 3)

Jeffrey Li

(September 17, 2007)


Change History

Version 1: 09/14/2006 Initial Version

Version 2: 01/03/2007 Setup parameter changes

Version 3: 09/17/2007 IPv6 support


Data Flow in Solaris IBMtape Device Driver

Requirements & Interoperability Support

Configuration Set-up

Error Recovery & Trouble-shooting


Data Flow in Solaris IBMtape Device Driver

(Figure: data flow between the following components)

    IBMtape Device Driver
    IBMtape Tape Monitor Daemon (TMD)
    EKM User Configuration File (/etc/ibmekm.conf)
    Proxy Manager
    TCP/IP Manager


Requirements

Tape Drive/Library
    IBM TS1120 Encryption Capable Tape Drive
    IBM LTO-4 Tape Drive
    IBM Tape Libraries with TS1120 and LTO-4

IBMtape Device Driver Levels
    IBMtape 4.1.3.9 or above for Sparc systems
    IBMtape 4.1.4.4.x64 or above for x64 systems


Interoperability Support

Servers
    Solaris Sparc Servers
    Solaris x64 Servers

Operating System
    Solaris 8 or above on Sparc systems
    Solaris 10 on x64 systems

Storage Area Network (SAN)
    Fibre Channel Host Bus Adapters
    Switches


Configuration Set-up

    Tape Drive Configuration: configure the tape drive for system-managed encryption from the drive or library user interface
    IBMtape Device Driver Installation
    IBMtape Device Driver Configuration
    Test and Verify Configuration


Tape Drive Configuration

Is the tape drive encryption capable? Is the tape drive set up in an encryption-managed mode?

Run # /opt/IBMtape/tapelist -l to display whether the drive is encryption capable; a drive with encryption capability enabled is marked with (e) after the device type.

# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                     Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  -------------------------------------------------------  ----------
16     /dev/rmt/4st   03592E05     000001350107  3/0      1942   500507630019F016  500507630099F016  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@3,0  Primary
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0  Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0  Alt_path_1


IBMtape Device Driver Installation

What is new in the installation?

1. A new configuration file, ibmekm.conf, in the directory /etc
2. A new entry for the new pseudo device in /usr/kernel/drv/IBMtape.conf:
   name="IBMtape" parent="pseudo" instance=16382;
3. Remove the comment/entry in /etc/tmd.conf if the file exists:
   #control_node_file = /devices/pseudo/IBMtape@16383:ibmcontrol


IBMtape Device Driver Installation (Continued)

IBMtape EKM Proxy Configuration File

> cat /etc/ibmekm.conf
# IBM Encryption Key Manager Configuration File
# (C) COPYRIGHT International Business Machines Corp. 2006 All Rights Reserved
# Licensed Materials - Property of IBM
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# This file contains the TCP/IP address(s) and port(s) for the Encryption Key
# Server with a configuration entry in the following formats. The IPv4 address
# entered as x.x.x.x:port. The IPv6 address entered as x:x:x:x:x:x:x:x port.
# The server is for information only and is not used. The timeout value is
# specified in seconds.
#
# The format for IPv4 address:
# server timeout address:port
# for example,
# ekmtest 10 9.12.123.1234:8050
#
# The format for IPv6 address:
# server timeout address port
# for example,
# ekmtest 10 fe80::207:30ee:edcb:d05d 8050
#
# The Encryption Key Server address and port can be a local loop back
# address 127.0.0.1:port in IPv4 format or ::1 port in IPv6 format if the server
# is on the same host or a network address and port if external to the host.
# Up to 16 server address and port entries are supported if there are multiple
# TCP/IP connections to the same server and/or multiple servers.
#
# Interoperability between IPv4 and IPv6 versions running on dual-stack hosts:
# IPv4 Client <--> IPv4/IPv6 Server using IPv4 address for EKM server
# IPv6 Client <--> IPv4 Server using IPv4 address for EKM server
# IPv6 Client <--> IPv6 Server using IPv6 address for EKM server
#
# Sample entry for a local server with a 10 second timeout using port 8050
# in IPv4 format
# ekmtest 10 127.0.0.1:8050
# in IPv6 format
# ekmtest 10 ::1 8050


IBMtape Device Driver Configuration

1. Add configuration parameters for SME in IBMtape.conf

sys_encryption_proxy: Use System Encryption FCP Proxy Manager (OFF and ON; ON by default after IBMtape 4.1.4.5)
sys_encryption_write: System Encryption for Write Commands at BOP (OFF, ON, CUSTOM; CUSTOM by default after IBMtape 4.1.4.5)

1) Global setting to enable SME:
   sys_encryption_write=1; # System Encryption for Write Commands at BOP

2) Particular setting to enable SME:
   name="IBMtape" class="scsi" target=10 lun=0 block_size=0 buffering=1 immediate=0 trailer=0 sili=0 sys_encryption_write=1;


IBMtape Device Driver Configuration

1. Add configuration parameters for SME in IBMtape.conf (continued)

3) Particular setting to disable SME:
   name="IBMtape" class="scsi" target=10 lun=0 block_size=0 buffering=1 immediate=0 trailer=0 sili=0 sys_encryption_proxy=0;


IBMtape Device Driver Configuration (Continued)

2. Add the IPv4 and IPv6 address of the EKM server in /etc/ibmekm.conf:

1. The entry format for an EKM server with IPv4 and IPv6 address
   a) For IPv4 address: server timeout IPv4_address:port
      for example, ekmtest 10 9.12.123.1234:8050
   b) For IPv6 address: server timeout IPv6_address port
      for example, ekmtest 10 fe80::207:30ee:edcb:d05d 8050

2. Interoperability between IPv4 and IPv6 versions running on dual-stack hosts:
   IPv4 Client <--> IPv4/IPv6 Server using IPv4 address for EKM server
   IPv6 Client <--> IPv4 Server using IPv4 address for EKM server
   IPv6 Client <--> IPv6 Server using IPv6 address for EKM server
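The entry formats above can be checked offline before the driver is reloaded. The validator below is an added example, not IBM code and not part of this guide: it applies the IPv4 address:port and IPv6 address port forms, the positive timeout in seconds, and the 16-entry limit from the ibmekm.conf header comment. The sample file it parses is constructed here and includes one deliberately malformed line.

```python
import ipaddress

MAX_ENTRIES = 16  # limit stated in the ibmekm.conf header comment

SAMPLE_CONF = """\
# constructed sample modelled on the guide's failover entries
ekmkey1 10 9.101.26.72:8050
ekmkey2 10 127.0.0.1:8050
ekmkey3 10 2002:90b:e006:198:9:101:18:1 8050
ekmkey4 10 ::1 8050
ekmbad  10 ::1:8050
"""


def parse_entry(line):
    """Return (server, timeout, ip, port, family) or raise ValueError."""
    fields = line.split()
    if len(fields) == 3:                      # IPv4 form: address:port
        server, timeout, addr_port = fields
        if addr_port.count(":") != 1:
            raise ValueError("IPv4 entry must be address:port: %r" % line)
        addr, port = addr_port.split(":")
        family = 4
    elif len(fields) == 4:                    # IPv6 form: address port
        server, timeout, addr, port = fields
        family = 6
    else:
        raise ValueError("expected 3 or 4 fields: %r" % line)
    ip = ipaddress.ip_address(addr)           # ValueError if malformed
    if ip.version != family:
        raise ValueError("%s is not an IPv%d address: %r" % (addr, family, line))
    if not timeout.isdigit() or int(timeout) <= 0:
        raise ValueError("timeout must be a positive integer: %r" % line)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % line)
    return server, int(timeout), str(ip), int(port), family


def validate_conf(text):
    """Parse a whole file; return (entries, errors). Comments are skipped."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            errors.append("line %d: %s" % (n, exc))
    if len(entries) > MAX_ENTRIES:
        errors.append("%d entries exceed the limit of %d" % (len(entries), MAX_ENTRIES))
    return entries, errors
```

A non-empty error list is the condition the troubleshooting slides describe as a missing or invalid /etc/ibmekm.conf.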


IBMtape Device Driver Configuration (Continued)

3. Reload the IBMtape driver module to read the configuration setup

# /opt/IBMtape/tmd -s    --- Stop TMD daemon
# rem_drv IBMtape        --- Unload IBMtape from the kernel
# add_drv IBMtape        --- Load IBMtape into the kernel
# /opt/IBMtape/tmd       --- Start TMD daemon


Test and Verify Configuration

1. Run # /opt/IBMtape/tapelist -l to check whether the drive is encryption capable

# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                     Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  -------------------------------------------------------  ----------
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0  Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0  Alt_path_1

Test path: IBMtape <--> tape drive


Test and Verify Configuration (Continued)

2. Run # /opt/IBMtape/tmd -k/K to test the EKM setup

# /opt/IBMtape/tmd -h
  [-k|K]   EKM server test with debug flag on (k) and off (K)

# /opt/IBMtape/tmd -K    (upper case "K")
EKM testing: testing servers complete, 2 server is available

Test path: ibmekm.conf <--> proxy manager/tcpip manager <--> ekm server(s)


Test and Verify Configuration (Continued)

3. Run # /opt/IBMtape/tapeutil with option 57 "Get Encryption State" to verify that the drive is set to the SME method

> ENTER COMMAND ('M' for Menu) ==> 57

GET_ENCRYPTION_STATE command succeeded.
Encryption settings:
    Drive Encryption Capable.... Yes
    Encryption Method........... System
    Encryption State............ On

Test path: IBMtape.conf <--> IBMtape <--> tape drive


Test and Verify Configuration (Continued)

4. Run ekmtest in tapeutil command-line mode, or option 58 in menu mode

> tapeutil -f /dev/rmt/10stn ekmtest
Testing server configuration and connections...
*   Test complete, servers available 2
Running basic drive to server encryption test...
**  Test complete, completion code 0
Running full drive to server encryption test...
*** Test complete, completion code 0

Test paths:
*   IBMtape.conf <--> IBMtape <--> tmd <--> proxy_mgr/tcpip_mgr <--> ibmekm.conf
**  IBMtape <--> tape drive
*** IBMtape <--> tape drive <--> tmd <--> proxy_mgr/tcpip_mgr <--> tape drive


Error Recovery

Encryption Key Manager Server Failover

Up to 16 server entries are supported.

Example /etc/ibmekm.conf:
# In IPv4 format:
# my key network server
ekmkey1 10 9.101.26.72:8050
# local loopback to server on host
ekmkey2 10 127.0.0.1:8050

# In IPv6 format:
# my key network server
ekmkey3 10 2002:90b:e006:198:9:101:18:1 8050
# local loopback to server on host
ekmkey4 10 ::1 8050


Trouble-shooting

Tape drive is not encryption-capable

Run the # /opt/IBMtape/tapelist -l command and verify that the drive is marked with (e). If it is not, the drive hardware needs to be updated to support data encryption.

# Sample of correct settings
# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                     Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  -------------------------------------------------------  ----------
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0  Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0  Alt_path_1


Trouble-shooting (Continued)

Device driver or drive configuration error for system-managed encryption

View the /usr/kernel/drv/IBMtape.conf file. If the user wants to write encrypted data, verify that sys_encryption_write is set to 1. The IBMtape driver must be reloaded whenever any parameter is modified.

# Sample of correct settings
sys_encryption_write=1; # System Encryption for Write Commands at BOP


Trouble-shooting (Continued)

Run tapeutil in menu mode and select option 57 "Get Encryption State" to display the current settings.

– Verify that the drive is set to the system-managed encryption method. If not, reconfigure the drive to the system encryption method.

# Sample for drive system managed encryption configured correctly

> ENTER COMMAND ('M' for Menu) ==> 57

GET_ENCRYPTION_STATE command succeeded.
Encryption settings:
    Drive Encryption Capable.... Yes
    Encryption Method........... System
    Encryption State............ On


Trouble-shooting (Continued)

# Sample for drive system managed encryption configured incorrectly
# Drive is currently configured for application managed encryption

> ENTER COMMAND ('M' for Menu) ==> 57

GET_ENCRYPTION_STATE command succeeded.
Encryption settings:
    Drive Encryption Capable.... Yes
    Encryption Method........... Application
    Encryption State............ Off


Trouble-shooting (Continued)

Device driver TMD daemon stopped

Run # ps -ef | grep tmd to verify whether the daemon is running:

# ps -ef | grep tmd
root   961     1  0 11:19:07 ?      0:03 tmd
root  1035  1016  0 11:42:31 pts/2  0:00 grep tmd

Action: run # /opt/IBMtape/tmd to start the daemon if tmd isn't running.

Check whether the pseudo device entry is present in IBMtape.conf:
name="IBMtape" parent="pseudo" instance=16382;

Action: add the above entry to IBMtape.conf and reload the IBMtape driver if there is no such entry in the conf file.

Check whether the pseudo device was configured by the IBMtape driver, in the syslog /var/adm/messages:
Sep 11 13:01:29 myhost unix: pseudo-device: IBMtape16382
Sep 11 13:01:29 myhost unix: IBMtape16382 is /pseudo/IBMtape@16382

Action: reload the IBMtape driver if the message can't be found.
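The IBMtape.conf checks on this slide and the sys_encryption_write / sys_encryption_proxy settings from the configuration slides can be evaluated from the file text alone. This is an added example, not IBM code: the conf excerpt and syslog line are constructed from the guide's snippets, and the precedence it applies (a per-device sys_encryption_proxy=0 or sys_encryption_write=0 disables SME for that device, a per-device sys_encryption_write=1 enables it, otherwise the global sys_encryption_write applies) is an assumption the guide does not spell out.

```python
import re

SAMPLE_CONF = """\
# constructed IBMtape.conf excerpt built from the guide's snippets
sys_encryption_write=1;   # System Encryption for Write Commands at BOP
name="IBMtape" parent="pseudo" instance=16382;
name="IBMtape" class="scsi" target=10 lun=0 block_size=0 buffering=1
    immediate=0 trailer=0 sili=0 sys_encryption_proxy=0;
name="IBMtape" class="scsi" target=11 lun=0 block_size=0 buffering=1
    immediate=0 trailer=0 sili=0;
"""
# constructed syslog line in the form the guide shows
SAMPLE_MESSAGES = "Sep 11 13:01:29 myhost unix: pseudo-device: IBMtape16382\n"


def statements(text):
    """Yield each ';'-terminated driver.conf statement as a dict of key=value."""
    no_comments = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
    for stmt in no_comments.split(";"):
        pairs = re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', stmt)
        if pairs:
            yield {k: v.strip('"') for k, v in pairs}


def check_sme(conf_text):
    """Return (has_pseudo, global_on, effective); effective maps (target, lun) -> bool."""
    has_pseudo, global_on, devices = False, False, {}
    for kv in statements(conf_text):
        if kv.get("parent") == "pseudo" and kv.get("instance") == "16382":
            has_pseudo = True                 # entry the installation adds
        elif "target" in kv:
            devices[(int(kv["target"]), int(kv.get("lun", "0")))] = kv
        elif list(kv) == ["sys_encryption_write"]:
            global_on = kv["sys_encryption_write"] == "1"   # global setting
    effective = {}
    for dev, kv in devices.items():
        # Assumed precedence: per-device "off" beats global; per-device "on"
        # beats a missing global; otherwise the global setting applies.
        if kv.get("sys_encryption_proxy") == "0" or kv.get("sys_encryption_write") == "0":
            effective[dev] = False
        elif kv.get("sys_encryption_write") == "1":
            effective[dev] = True
        else:
            effective[dev] = global_on
    return has_pseudo, global_on, effective


def pseudo_device_logged(messages_text):
    """True if /var/adm/messages records the IBMtape pseudo device being configured."""
    return re.search(r"pseudo-device: IBMtape16382\b", messages_text) is not None
```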


Trouble-shooting (Continued)

EKM server configuration error or not available

Run the following command to verify server configuration and server connectivity:

> /opt/IBMtape/tmd -k    (lowercase "k", debug mode)

– If the server test fails with the configuration error "Can't assign requested address", check whether the /etc/ibmekm.conf file is missing or invalid, and correct it.

– If the server test fails with the error "Network is down" and no servers are available, check that all servers configured in the /etc/ibmekm.conf file are currently running at the configured server IP address.


Trouble-shooting (Continued)

EKM server configuration error or not available (Continued)

Invoke the tapeutil menu and select option 58, or run the following command to verify server configuration and server connectivity:

> tapeutil -f /dev/rmt/1stn ekmtest

– If the full drive to server encryption test fails with the permission error "Permission denied", check whether the EKM server has been unavailable recently or the drive isn't claimed in the EKM server.


Trouble-shooting (Continued)

Other failures require PFE and/or development analysis; the following data should be provided for a problem (2st for example):

– Collect the system, driver and device information by running the /opt/IBMtape/diags_info script

– Turn on the debug flag to log the proxy manager/tcpip manager and tmd trace in /var/log/tmd.log and/or /var/adm/messages:
  # /opt/IBMtape/tmd -s    --- stop the daemon
  # /opt/IBMtape/tmd -t    --- turn on tracing and start the daemon

– tapeutil -f /dev/rmt/2stn ekmtest > ekmtest.out

– Turn on IBMtape tracing and log the trace in /var/adm/messages