Networker

Re: [Networker] encryption

2008-08-19 10:45:29
Subject: Re: [Networker] encryption
From: David Gold-news <dave2 AT CAMBRIDGECOMPUTER DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Tue, 19 Aug 2008 10:39:33 -0400
Josef,

Correct, but if we are using system mode, then the drives work as if they are standalone tape drives, and the tape library is irrelevant. In my case I was trying to get it to work with a library that didn't have a key manager integrated, so I was trying to get it to work in system mode (using the tape driver to request the encryption key).

I just couldn't get the driver to transition into system mode, and after enough testing, I concluded that there may be an issue with the driver itself.

Anyways, EKM is only for IBM Libraries--if you are using EKM to provide keys to a library. We weren't.

--Dave

Date:    Sun, 17 Aug 2008 14:43:51 +0200
From:    Josef Weingand <WEINGAND AT DE.IBM DOT COM>
Subject: Re: lto4 and encryption

The IBM EKM is only for use with IBM Libraries. You may consider IBM TS3310 library instead of SL500

Kind regards
Josef Weingand
Consulting IT Specialist
Technical Sales Systems Storage

Mobile +49 171 55 26 783 - Home office Tel. +49 8845 757421
Fax +49 171 13 5526783
email: weingand AT de.ibm DOT com
SMS/eMail: 01715526783 AT t-d1-sms DOT de

Chairman of the Supervisory Board: Erich Clementi
Management: Martin Jetter (Chairman), Christian Diedrich, Christoph Grandpierre, Matthias Hartmann, Thomas Fell, Michael Diemer
Registered office: Stuttgart
Court of registration: Amtsgericht Stuttgart, HRB 14562 WEEE-Reg.-Nr. DE 99369940



From:    goony <networker-forum AT BACKUPCENTRAL DOT COM>
To:      NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date:    31.07.2008 02:05
Subject: [Networker] lto4 and encryption



> The package is called EKM, search on IBM's web site for it.
> (Encryption Key Management).
>
> You'll need IBM Java, which is free for Linux, AIX and (I believe)
> Windows, but you have to buy it for Solaris.
>
> Dave


Thanks Dave!

I found the IBM EKM info at http://preview.tinyurl.com/2jprlz and I've downloaded the EKM Introduction, Planning, and User's Guide.

Questions:

I have a Solaris-based Networker V7.4.2 with a Sun/Storagetek SL500 tape library, currently running 3 LTO3 drives, with room for 3 more LTO drives.

Sun sells IBM and HP LTO4 drives for the SL500.

Is there any possible configuration of using IBM EKM for key management if I add IBM LTO4 drives to my current configuration? I.e., can I do encryption (with a separate key per tape volume) without the explicit support for the key management within Networker? It sounds like it might work but I'm unwilling to buy LTO4 drives unless I have a clear path to success.

If I go the all-Sun path for key management, I'll need to buy 3 key management appliances (KMS); a primary and a backup for the data center and one for the remote recovery site. Their KMS appliance works with the HP LTO4 drives which (I believe) have a separate connection (Ethernet?) for out-of-band key management. In comparison, the IBM LTO4 drives appear to do key management only via the data interface.

The Sun appliance-based approach is a helluva lot of overkill for my configuration, when it appears that with the IBM EKM I can run it on the Solaris system itself, or on any handy Linux server (read: a laptop in a pinch). I hate the thought of buying 3 Sun KMS appliances ($28.5K list each) that will be used to grab keys to write (on average) 3 tapes a day. I don't need to manage keys for an enterprise, just for a few tape drives and about 60-80 tape volumes.

In fact, a software-based approach (IBM EKM) is more appealing to me since as long as I have a save copy of my keys, I have a wider range of platform choices in which to create a key server in an emergency situation (as I said before, the Solaris Networker server itself, or a Linux laptop)... if the "Sun KMS appliance" breaks or goes missing, then it may be a l-o-n-g time before I can get another one.

Any thoughts or suggestions?

Thanks!

Goony


===================================
David Gold
Sr. Technical Consultant
Cambridge Computer Services, Inc.
Artists in Data Storage
Tel: 781-250-3000
Tel (Direct): 781-250-3260
Fax: 781-250-3360
dave AT cambridgecomputer DOT com
www.cambridgecomputer.com

===================================
 ----------------------------------------------------------------------------
*Any ideas, suggestion or comments are mine alone, and are not of my company*