© 2006 IBM Corporation
IBM System Storage™
IBM Confidential
User Guide on Solaris System Managed Encryption (version 3)
Jeffrey Li
(September 17, 2007)
Change History
Version 1: 09/14/2006 Initial Version
Version 2: 01/03/2007 Setup parameter changes
Version 3: 09/17/2007 IPv6 support
Data Flow in Solaris IBMtape Device Driver
Requirements & Interoperability Support
Configuration Set-up
Error Recovery & Trouble-shooting
Data Flow in Solaris IBMtape Device Driver
Components in the system-managed encryption path:
- IBMtape Device Driver
- IBMtape Tape Monitor Daemon (TMD)
- EKM User Configuration File (/etc/ibmekm.conf)
- Proxy Manager / TCP/IP Manager
Requirements
Tape Drive/Library
- IBM TS1120 Encryption Capable Tape Drive
- IBM LTO-4 Tape Drive
- IBM Tape Libraries with TS1120 and LTO-4
IBMtape Device Driver Levels
- IBMtape 4.1.3.9 or above for Sparc systems
- IBMtape 4.1.4.4.x64 or above for x64 systems
Interoperability Support
Servers
- Solaris Sparc Servers
- Solaris x64 Servers
Operating System
- Solaris 8 or above on Sparc systems
- Solaris 10 on x64 systems
Storage Area Network (SAN)
- Fibre Channel Host Bus Adapters
- Switches
Configuration Set-up
- Tape Drive Configuration: configure the tape drive for system-managed encryption from the drive or library user interface
- IBMtape Device Driver Installation
- IBMtape Device Driver Configuration
- Test and Verify Configuration
Tape Drive Configuration
Is the tape drive encryption capable? Has the tape drive been set up in an encryption management mode?
Run # /opt/IBMtape/tapelist -l to display whether the drive is encryption capable and whether encryption is enabled in the drive; an enabled drive is marked with (e) after its device type.
# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                      Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  --------------------------------------------------------  ----------
16     /dev/rmt/4st   03592E05     000001350107  3/0      1942   500507630019F016  500507630099F016  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@3,0    Primary
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0    Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0    Alt_path_1
IBMtape Device Driver Installation
What is new in the installation?
1. A new configuration file, ibmekm.conf, in the directory /etc
2. A new entry for the new pseudo device in /usr/kernel/drv/IBMtape.conf:
   name="IBMtape" parent="pseudo" instance=16382;
3. Remove the following comment/entry in /etc/tmd.conf if the file exists:
   #control_node_file = /devices/pseudo/IBMtape@16383:ibmcontrol
IBMtape Device Driver Installation (Continued)
IBMtape EKM Proxy Configuration File
> cat /etc/ibmekm.conf
# IBM Encryption Key Manager Configuration File
# (C) COPYRIGHT International Business Machines Corp. 2006 All Rights Reserved
# Licensed Materials - Property of IBM
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# This file contains the TCP/IP address(s) and port(s) for the Encryption Key
# Server with a configuration entry in the following formats. The IPv4 address
# entered as x.x.x.x:port. The IPv6 address entered as x:x:x:x:x:x:x:x port.
# The server is for information only and is not used. The timeout value is
# specified in seconds.
#
# The format for IPv4 address:
# server timeout address:port
# for example,
# ekmtest 10 9.12.123.1234:8050
#
# The format for IPv6 address:
# server timeout address port
# for example,
# ekmtest 10 fe80::207:30ee:edcb:d05d 8050
#
# The Encryption Key Server address and port can be a local loop back
# address 127.0.0.1:port in IPv4 format or ::1 port in IPv6 format if the server
# is on the same host or a network address and port if external to the host.
# Up to 16 server address and port entries are supported if there are multiple
# TCP/IP connections to the same server and/or multiple servers.
#
# Interoperability between IPv4 and IPv6 versions running on dual-stack hosts:
# IPv4 Client <--> IPv4/IPv6 Server using IPv4 address for EKM server
# IPv6 Client <--> IPv4 Server using IPv4 address for EKM server
# IPv6 Client <--> IPv6 Server using IPv6 address for EKM server
#
# Sample entry for a local server with a 10 second timeout using port 8050
# in IPv4 format
# ekmtest 10 127.0.0.1:8050
# in IPv6 format
# ekmtest 10 ::1 8050
IBMtape Device Driver Configuration
1. Add configuration parameters for SME in IBMtape.conf
   sys_encryption_proxy: Use System Encryption FCP Proxy Manager (OFF and ON; ON by default after IBMtape 4.1.4.5)
   sys_encryption_write: System Encryption for Write Commands at BOP (OFF, ON, CUSTOM; CUSTOM by default after IBMtape 4.1.4.5)
   1) Global setting to enable SME:
      sys_encryption_write=1; # System Encryption for Write Commands at BOP
   2) Particular setting to enable SME:
      name="IBMtape" class="scsi" target=10 lun=0 block_size=0 buffering=1 immediate=0 trailer=0 sili=0 sys_encryption_write=1;
IBMtape Device Driver Configuration
1. Add configuration parameters for SME in IBMtape.conf (continued)
   3) Particular setting to disable SME:
      name="IBMtape" class="scsi" target=10 lun=0 block_size=0 buffering=1 immediate=0 trailer=0 sili=0 sys_encryption_proxy=0;
IBMtape Device Driver Configuration (Continued)
2. Add the IPv4 and IPv6 addresses of the EKM server in /etc/ibmekm.conf:
   1. The entry format for an EKM server with an IPv4 or IPv6 address
      a) For an IPv4 address: server timeout IPv4_address:port
         for example, ekmtest 10 9.12.123.1234:8050
      b) For an IPv6 address: server timeout IPv6_address port
         for example, ekmtest 10 fe80::207:30ee:edcb:d05d 8050
   2. Interoperability between IPv4 and IPv6 versions running on dual-stack hosts:
      IPv4 Client <--> IPv4/IPv6 Server using IPv4 address for EKM server
      IPv6 Client <--> IPv4 Server using IPv4 address for EKM server
      IPv6 Client <--> IPv6 Server using IPv6 address for EKM server
IBMtape Device Driver Configuration (Continued)
3. Reload the IBMtape driver module to read the configuration setup
   # /opt/IBMtape/tmd -s    --- Stop the TMD daemon
   # rem_drv IBMtape        --- Unload IBMtape from the kernel
   # add_drv IBMtape        --- Load IBMtape into the kernel
   # /opt/IBMtape/tmd       --- Start the TMD daemon
Test and Verify Configuration
1. Run # /opt/IBMtape/tapelist -l to check whether the drive is encryption capable
# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                      Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  --------------------------------------------------------  ----------
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0    Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0    Alt_path_1
Test Path: IBMtape -> tape drive
Test and Verify Configuration (Continued)
2. Run # /opt/IBMtape/tmd -k/K to test the EKM setup
   # /opt/IBMtape/tmd -h
   [-k|K]    EKM server test with debug flag on (k) and off (K)
   # /opt/IBMtape/tmd -K    (upper case "K")
   EKM testing: testing servers complete, 2 server is available
Test Path: ibmekm.conf -> proxy manager/tcpip manager -> ekm server(s)
Test and Verify Configuration (Continued)
3. Run # /opt/IBMtape/tapeutil with option 57 "Get Encryption State" to verify that the drive is set to the SME method
   > ENTER COMMAND ('M' for Menu) ==> 57
   GET_ENCRYPTION_STATE command succeeded.
   Encryption settings:
   Drive Encryption Capable.... Yes
   Encryption Method........... System
   Encryption State............ On
Test Path: IBMtape.conf -> IBMtape -> tape drive
Test and Verify Configuration (Continued)
4. Run ekmtest on the tapeutil command line, or option 58 in menu mode
   > tapeutil -f /dev/rmt/10stn ekmtest
   Testing server configuration and connections...
   *Test complete, servers available 2
   Running basic drive to server encryption test...
   **Test complete, completion code 0
   Running full drive to server encryption test...
   ***Test complete, completion code 0
Test Path:
   *   IBMtape.conf -> IBMtape -> tmd -> proxy_mgr/tcpip_mgr -> ibmekm.conf
   **  IBMtape -> tape drive
   *** IBMtape -> tape drive -> tmd -> proxy_mgr/tcpip_mgr -> tape drive
Error Recovery
Encryption Key Manager Server Failover
Up to 16 server entries are supported.
Example:
/etc/ibmekm.conf:
# In IPv4 format:
# my key network server
ekmkey1 10 9.101.26.72:8050
# local loopback to server on host
ekmkey2 10 127.0.0.1:8050
# In IPv6 format:
# my key network server
ekmkey3 10 2002:90b:e006:198:9:101:18:1 8050
# local loopback to server on host
ekmkey4 10 ::1 8050
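The entry rules that /etc/ibmekm.conf documents (a 3-field IPv4 entry "server timeout address:port", a 4-field IPv6 entry "server timeout address port", a timeout in seconds, at most 16 entries) are easy to get wrong when adding failover servers, and a malformed file shows up only later as a tmd -k configuration error. The following POSIX sh/awk function is an added example written for this guide, not an IBM tool or part of the IBMtape package: it validates a file in that format before the driver is reloaded. The function name check_ibmekm_conf and the shape checks (dotted-quad IPv4, hex-and-colon IPv6, port 1-65535) are this example's own assumptions; it checks the format only and does not test connectivity, which is what tmd -k/-K and ekmtest do.

```shell
#!/bin/sh
# check_ibmekm_conf FILE  - validate an /etc/ibmekm.conf style file (added example,
# not IBM code). Exits 0 when every entry is well formed, 1 otherwise, printing
# one reason per offending line.
check_ibmekm_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "check_ibmekm_conf: cannot read $conf" >&2
        return 1
    fi
    awk '
        function bad(msg) { printf("line %d: %s\n", NR, msg); err = 1 }
        BEGIN { err = 0; entries = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            entries++
            # field 2 is the timeout in seconds (the server name in field 1 is informational)
            if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1) bad("timeout must be a positive number of seconds")
            if (NF == 3) {
                # IPv4 entry: server timeout address:port
                if (split($3, a, ":") != 2) { bad("IPv4 entry must be address:port"); next }
                if (a[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) bad("IPv4 address is not dotted-quad")
                port = a[2]
            } else if (NF == 4) {
                # IPv6 entry: server timeout address port (address and port separated by a space)
                if ($3 !~ /^[0-9A-Fa-f:]+$/ || $3 !~ /:/) bad("IPv6 address must be hex groups separated by colons")
                port = $4
            } else {
                bad("expected 3 fields (IPv4) or 4 fields (IPv6)"); next
            }
            if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) bad("port must be 1-65535")
        }
        END {
            if (entries == 0) { print "no server entries found"; err = 1 }
            if (entries > 16) { printf("%d entries; at most 16 are supported\n", entries); err = 1 }
            exit err
        }
    ' "$conf"
}

# Usage: . ./check_ibmekm_conf.sh && check_ibmekm_conf /etc/ibmekm.conf && echo OK
```

An IPv6 address written in the IPv4 form (address:port with no space) is rejected, because the colon-separated groups make the port ambiguous; that is exactly why the file format uses a space for IPv6 entries.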
Trouble-shooting
Tape drive is not encryption-capable
Run the # /opt/IBMtape/tapelist -l command.
Verify that the drive is marked with (e). If not, the drive hardware needs to be updated to support data encryption.
# Sample of correct settings
# /opt/IBMtape/tapelist -l
Inst#  Special File   Device       Serial No     TGT/LUN  Ucode  World Wide NN     World Wide PN     Device Physical Path                                      Path Type
-----  -------------  -----------  ------------  -------  -----  ----------------  ----------------  --------------------------------------------------------  ----------
960    /dev/rmt/34st  03592E05(e)  000001365066  7/0      1942   500507630019F017  500507630099F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@7,0    Primary
727    /dev/rmt/36st  03592E05(e)  000001365066  8/0      1942   500507630019F017  500507630059F017  /devices/pci@1f,2000/pci@1/fibre-channel@4/IBMtape@8,0    Alt_path_1
Trouble-shooting (Continued)
Device driver or drive configuration error for system-managed encryption
View the /usr/kernel/drv/IBMtape.conf file. If the user wants to write encrypted data, verify that sys_encryption_write is set to 1. The IBMtape driver must be reloaded whenever any parameter is modified.
# Sample of correct settings
sys_encryption_write=1; # System Encryption for Write Commands at BOP
Trouble-shooting (Continued)
Run tapeutil in menu mode and select option 57 "Get Encryption State" to display the current settings.
- Verify that the drive is set to the system-managed encryption method. If not, reconfigure the drive to the system encryption method.
# Sample for drive system managed encryption configured correctly
> ENTER COMMAND ('M' for Menu) ==> 57
GET_ENCRYPTION_STATE command succeeded.
Encryption settings:
Drive Encryption Capable.... Yes
Encryption Method........... System
Encryption State............ On
Trouble-shooting (Continued)
# Sample for drive system managed encryption configured incorrectly
# Drive is currently configured for application managed encryption
> ENTER COMMAND ('M' for Menu) ==> 57
GET_ENCRYPTION_STATE command succeeded.
Encryption settings:
Drive Encryption Capable.... Yes
Encryption Method........... Application
Encryption State............ Off
Trouble-shooting (Continued)
Device driver TMD daemon stopped
Run # ps -ef | grep tmd to verify that the daemon is running:
# ps -ef | grep tmd
root   961     1  0 11:19:07 ?      0:03 tmd
root  1035  1016  0 11:42:31 pts/2  0:00 grep tmd
Action: run # /opt/IBMtape/tmd to start the daemon if tmd isn't running.
Check that the pseudo device entry is present in IBMtape.conf:
name="IBMtape" parent="pseudo" instance=16382;
Action: add the above entry to IBMtape.conf and reload the IBMtape driver if there is no such entry in the conf file.
Check that the pseudo device was configured by the IBMtape driver, in the syslog /var/adm/messages:
Sep 11 13:01:29 myhost unix: pseudo-device: IBMtape16382
Sep 11 13:01:29 myhost unix: IBMtape16382 is /pseudo/IBMtape@16382
Action: reload the IBMtape driver if the message cannot be found.
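The trouble-shooting checks on the last few slides (drive marked (e) in tapelist -l output, the pseudo device entry and sys_encryption_write=1 in IBMtape.conf, the pseudo-device attach message in /var/adm/messages, and a running tmd) are all inspections of text a script can perform. The following POSIX sh functions are an added example written for this guide, not part of the IBMtape package: each file-based check reads a file path so it can be run against captured output, and sme_health() wires them to the live paths named on the slides. The function names, the row layout assumed for tapelist -l (instance number, /dev/rmt/ path, device type as the first three columns, as shown on the slides), and the choice to treat any missing item as a failure are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not IBM code: offline versions of the SME trouble-shooting checks.

# check_tapelist_encryption FILE - FILE holds "tapelist -l" output. Reports drives
# whose Device column lacks the (e) mark; returns 1 if any such drive is listed.
check_tapelist_encryption() {
    awk '
        BEGIN { found = 0; missing = 0 }
        # data rows start with an instance number and then list a /dev/rmt/ path
        $1 ~ /^[0-9]+$/ && $2 ~ /^\/dev\/rmt\// {
            found++
            if ($3 !~ /\(e\)$/) { printf("%s (%s) is not marked (e)\n", $2, $3); missing++ }
        }
        END {
            if (found == 0) { print "no drives listed"; exit 1 }
            exit (missing > 0)
        }
    ' "$1"
}

# check_ibmtape_conf FILE - FILE is an IBMtape.conf. SME needs the pseudo device
# entry (instance=16382) and sys_encryption_write=1; commented-out lines do not count.
check_ibmtape_conf() {
    rc=0
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    printf '%s\n' "$active" | grep -q 'parent="pseudo"[[:space:]]*instance=16382' \
        || { echo 'IBMtape.conf: pseudo device entry (instance=16382) missing'; rc=1; }
    printf '%s\n' "$active" | grep -q 'sys_encryption_write=1' \
        || { echo 'IBMtape.conf: sys_encryption_write=1 not set'; rc=1; }
    return $rc
}

# check_pseudo_attached FILE - FILE is /var/adm/messages (or a copy). The driver
# logs "pseudo-device: IBMtape16382" when the pseudo device was configured.
check_pseudo_attached() {
    grep -q 'pseudo-device: IBMtape16382' "$1" \
        || { echo 'syslog: no "pseudo-device: IBMtape16382" message; reload IBMtape'; return 1; }
}

# check_tmd_running - live check only: is the tape monitor daemon in the process list?
check_tmd_running() {
    ps -ef | awk '$NF ~ /(^|\/)tmd$/ { n++ } END { exit (n == 0) }' \
        || { echo 'tmd not running; start it with /opt/IBMtape/tmd'; return 1; }
}

# sme_health - run every check against the live system paths named in the guide.
sme_health() {
    rc=0
    /opt/IBMtape/tapelist -l > /tmp/tapelist.$$ 2>/dev/null
    check_tapelist_encryption /tmp/tapelist.$$ || rc=1
    rm -f /tmp/tapelist.$$
    check_ibmtape_conf /usr/kernel/drv/IBMtape.conf || rc=1
    check_pseudo_attached /var/adm/messages || rc=1
    check_tmd_running || rc=1
    return $rc
}

# Usage: . ./sme_health.sh && sme_health && echo "SME prerequisites present"
```

A clean run of sme_health only shows that the prerequisites are in place; it does not replace tmd -K and ekmtest, which exercise the path to the EKM server and the drive itself.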
Trouble-shooting (Continued)
EKM server configuration error or not available
Run the following command to verify server configuration and server connectivity:
> /opt/IBMtape/tmd -k    (lowercase "k": debug mode)
- If the server test fails with the configuration error "Can't assign requested address", check whether the /etc/ibmekm.conf file is missing or invalid, and correct it.
- If the server test fails with the error "Network is down" and no servers are available, check that all servers configured in the /etc/ibmekm.conf file are currently running at the configured server IP addresses.
Trouble-shooting (Continued)
EKM server configuration error or not available (Continued)
Invoke the tapeutil menu and select option 58, or run the following command, to verify server configuration and server connectivity:
> tapeutil -f /dev/rmt/1stn ekmtest
- If the full drive to server encryption test fails with the permission error "Permission denied", check whether the EKM server has recently become unavailable or the drive is not claimed in the EKM server.
Trouble-shooting (Continued)
Other failures require PFE and/or development analysis. The following data should be provided for a problem (2st for example):
- Collect the system, driver and device information by running the /opt/IBMtape/diags_info script
- Turn on the debug flag to log the proxy manager/tcpip manager and tmd trace in /var/log/tmd.log and/or /var/adm/messages
  # /opt/IBMtape/tmd -s    --- stop the daemon
  # /opt/IBMtape/tmd -t    --- turn on the tracing and start the daemon
- tapeutil -f /dev/rmt/2stn ekmtest > ekmtest.out
- Turn on IBMtape tracing and log the trace in /var/adm/messages