Re: [ADSM-L] Cloning the Encryption Key manager for DR

2009-03-03 09:55:28
Subject: Re: [ADSM-L] Cloning the Encryption Key manager for DR
From: "Strand, Neil B." <NBStrand AT LMUS.LEGGMASON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 3 Mar 2009 09:54:37 -0500
Bill,
On AIX you need to do the following:
1. Ensure the java5 SDK is installed

2. Set the environment variables for the user running the ekm process:
# java sets for EKM
export JAVA_HOME=/usr/java5/jre
P8=/usr/java5/jre/bin
P9=/usr/java5/bin
export CLASSPATH=/usr/java5/jre/lib
export PATH=$JAVA_HOME:$P1:$P2:/etc:$P3:$P4:$P5:$P6:$P7:$P8:$P9:.:$PATH

Verify the installation as described in reference:
aixserver[/home/]# java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build
pap32dev-20070201 (SR4))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 AIX ppc-32
j9vmap3223-20070201 (JIT enabled)
J9VM - 20070131_11312_bHdSMR
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126

3. Replace Restricted policy files in /usr/java5/jre/lib/security/ with
unrestricted policy files downloaded from IBM
- US_export_policy.jar
- local_policy.jar

Once these have been accomplished, you should be able to unzip the copy
from the original EKM server and run it. Make sure you include the
encryption keys from the original EKM server.

4. Start the EKM admin session
java com.ibm.keymanager.KMSAdminCmd /ekm/KeyManagerConfig.properties
*note - make changes to the KeyManagerConfig.properties configuration
file as appropriate for the new server

5. Start the ekm server
startekm

6. Verify the status with the "status" command
status

Now that the EKM is running, set your TS3310 to use the new server for
encryption.  If the TS3310 interface is the same as a TS3500, it will be
under the Cartridges/Barcode Encryption Policy on the left side of the
window.  Use identical settings as your original library.  You will also
need to point the library to use the new key manager.  This would be
under the Access/Key Manager Addresses on the left side of the window.
On the TS3500 you can have 4 managers listed.

You could verify the new EKM is operational by pointing your original
library to the new EKM and trying to read data from an encrypted tape.


Reference:
IBM Encryption Key Manager - Introduction, Planning and User's Guide
GA76-0418-03
IBM Tape Encryption for TS1120 and Ultrium 4 Tape Drives Tech Doc by
Rolf Hahn/IBM Techline Germany
IBM System Storage TS1120 Tape Encryption: Planning, Implementation and
Usage Guide - RedBook



Cheers,
Neil
Neil Strand
Storage Engineer - Legg Mason
Baltimore, MD.
(410) 580-7491
Whatever you can do or believe you can, begin it.
Boldness has genius, power and magic.
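Added example (not from the list post above and not part of IBM's EKM tooling): a small POSIX shell pre-flight check to run on the DR host between step 3 and step 4. It catches the two things that most often leave a cloned EKM unable to serve keys: the policy jars missing under the JRE, and a KeyManagerConfig.properties that still names a keystore path which exists only on the original server. It assumes the keystore is referenced by the config.keystore.file property (the name used in the EKM user's guide; adjust if your file differs); the directory layout, the script name and every sample file are constructed.

```shell
#!/bin/sh
# ekm_clone_check.sh (hypothetical helper; added example, not IBM code)
# Pre-flight checks for a cloned EKM directory on the DR host.
#   sh ekm_clone_check.sh /ekm /usr/java5/jre

# Print the value of a key from a Java .properties file ("key=value" or "key = value").
prop_get() {
    # $1 = properties file, $2 = property name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Step 3 check: both policy jars must exist under $JAVA_HOME/lib/security.
# Presence alone does not prove they are the unrestricted set (both sets use
# the same file names), so also compare checksums against the IBM download.
check_policy_jars() {
    sec="$1/lib/security"
    [ -f "$sec/US_export_policy.jar" ] && [ -f "$sec/local_policy.jar" ]
}

# Clone check: the config file exists and the keystore it references is
# present. An absolute path copied unchanged from the original server is a
# common way to end up with an EKM that starts but cannot serve any keys.
check_ekm_clone() {
    dir="$1"
    cfg="$dir/KeyManagerConfig.properties"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found" >&2
        return 1
    fi
    ks=$(prop_get "$cfg" "config.keystore.file")   # assumed property name
    if [ -z "$ks" ]; then
        echo "FAIL: config.keystore.file not set in $cfg" >&2
        return 1
    fi
    case "$ks" in
        /*) kspath="$ks" ;;          # absolute path: must exist as-is on this host
        *)  kspath="$dir/$ks" ;;     # relative path: resolved against the clone
    esac
    if [ ! -f "$kspath" ]; then
        echo "FAIL: keystore $kspath missing; copy the keys from the original EKM" >&2
        return 1
    fi
    echo "OK: $cfg -> $kspath"
    return 0
}

# Run both checks when invoked with arguments (does nothing when sourced).
if [ "$#" -ge 1 ]; then
    rc=0
    check_ekm_clone "$1" || rc=1
    jre="${2:-/usr/java5/jre}"
    if check_policy_jars "$jre"; then
        echo "OK: policy jars present under $jre/lib/security"
    else
        echo "FAIL: policy jars missing under $jre/lib/security" >&2
        rc=1
    fi
    exit $rc
fi
```

Run it as `sh ekm_clone_check.sh /ekm /usr/java5/jre` after unzipping the copy and before starting KMSAdminCmd; a non-zero exit means the clone is not ready. The keystore check deliberately resolves relative paths against the clone directory, because that is where a freshly unzipped copy keeps its keys.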


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Bill Boyer
Sent: Tuesday, March 03, 2009 8:19 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Cloning the Encryption Key manager for DR

Does anyone have procedures for taking an existing EKM (IBM's version)
and cloning it to take to D/R for testing? I have a client that needs to
do this. They had IBM come in and configure a primary and secondary EKM
server for their TS3310 library and iSeries servers. Not TSM at this
stage although they hope to move TSM to LTO4 and the TS3310 later this
year. One of the operations staff that was there for the install
(doesn't work here anymore) sorta kinda remembers the IBM'r taking the
entire EKM directory, ZIP'ing it up. He then copied this to the 2nd
server, unZip'd it and ran a couple commands to install the service.
Unfortunately nobody there can remember this or find any notes about it.
The IBM'r said they could even take that ZIP file, put it on an
encrypted thumb-drive and store it in their D/R box offsite. It's just
no one can find the documentation from IBM on how to re-create the EKM
from the ZIP file.



Bill Boyer

IMPORTANT: E-mail sent through the Internet is not secure and timely delivery 
of Internet mail is not guaranteed. Legg Mason therefore, recommends that you 
do not send any  action-oriented or time-sensitive information to us via 
electronic mail, or any confidential or sensitive information including:  
social security numbers, account numbers, or personal identification numbers.

This message is intended for the addressee only and may contain privileged or 
confidential information. Unless you are the intended recipient, you may not 
use, copy or disclose to anyone any information contained in this message. If 
you have received this message in error, please notify the author by replying 
to this message and then kindly delete the message. Thank you.
