Re: [Veritas-bu] KMS Key Rotation

2010-03-12 14:28:42
Subject: Re: [Veritas-bu] KMS Key Rotation
From: <judy_hinchcliffe AT administaff DOT com>
To: <bob944 AT attglobal DOT net>, <veritas-bu AT mailman.eng.auburn DOT edu>
Date: Fri, 12 Mar 2010 13:28:04 -0600
Bob said "FYI, I have been told, but have not tested, that _all_ keys in the keystore, regardless of keygroup, are tested when looking for a decryption key."

I have to agree that is true....

I did a test of a tape made in SiteA, sent to SiteB.
When I put the tape in the library, it did NOT go into my ENCR volume pool.
I did the phase 1 and I checked that the keytag matched one in my SiteB KMS.
I was then able to do the phase 2.

The point is - the keytag HAS to match something in the kms.

-----Original Message-----
From: bob944 [mailto:bob944 AT attglobal DOT net] 
Sent: Friday, March 12, 2010 1:22 PM
To: veritas-bu AT mailman.eng.auburn DOT edu
Cc: harpreet_singh AT ctl.creative DOT com
Subject: RE: [Veritas-bu] KMS Key Rotation

> Once you have set up the KMS, and assuming you want to restore them,
> what is the necessary info required to restore?
> 
> Pool Name ??
> Key Name = ??
> Key Tag ??
> etc.
> 
> Phase 1 and Phase 2 don't show this info.
> 
> From where will we get this info for the restore?

Why are you importing the tapes?  If you're restoring to the same
master which created them that's unnecessary.

But whether you've imported the images or the images are still on
their original server, the key tag is what you need, and that shows
up in the GUI (it's in the manual) for each image and, IIRC, in
bpimagelist.  That key tag is what NetBackup matches against keys in
Active and Inactive status; if found, that key is used for
decryption.  

If there is no matching key tag, you must restore/import/re-create
it from your documentation and/or the keystore backups you have
maintained.  Example management of keys/changes/records has been
supplied earlier, notably by Hinchcliffe.

FYI, I have been told, but have not tested, that _all_ keys in the
keystore, regardless of keygroup, are tested when looking for a
decryption key.

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
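The behaviour the two replies describe (the image's key tag is matched against every key in the keystore regardless of key group, an Active or Inactive key is accepted, and a rotated-out key must still be present at the restoring site or it has to be recovered from records or keystore backups) can be modelled in a few lines. The following is an added example written for this archive page, not code from NetBackup or from anyone in the thread. It assumes a key tag derived as a SHA-256 hash of the key material, a "Terminated" state for a retired key, and constructed key material and site names; the real product's tag derivation and state names may differ.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Key states. "Active" and "Inactive" are the two states the thread names as
# usable for decryption; "Terminated" is assumed here as the state of a key
# that has been retired and must no longer be used.
ACTIVE, INACTIVE, TERMINATED = "Active", "Inactive", "Terminated"
DECRYPTABLE_STATES = {ACTIVE, INACTIVE}


def key_tag(material: bytes) -> str:
    """Model of a key tag: an identifier derived from the key material.

    Assumption: SHA-256 hex of the raw key. The real product derives its
    tags its own way; only the idea 'the tag identifies the key' matters."""
    return hashlib.sha256(material).hexdigest()


@dataclass
class KmsKey:
    name: str
    group: str      # key group; the thread's ENCR volume pool maps to one
    material: bytes
    state: str

    @property
    def tag(self) -> str:
        return key_tag(self.material)


class Keystore:
    """Toy keystore for one master server (e.g. SiteA or SiteB)."""

    def __init__(self) -> None:
        self.keys: list[KmsKey] = []

    def create_key(self, group: str, name: str, material: bytes) -> KmsKey:
        """Rotation: the group's previous Active key becomes Inactive, so tapes
        written with it stay readable; the new key is Active for new backups."""
        for k in self.keys:
            if k.group == group and k.state == ACTIVE:
                k.state = INACTIVE
        key = KmsKey(name, group, material, ACTIVE)
        self.keys.append(key)
        return key

    def set_state(self, name: str, state: str) -> None:
        for k in self.keys:
            if k.name == name:
                k.state = state
                return
        raise KeyError(name)

    def find_decryption_key(self, tag: str) -> Optional[KmsKey]:
        """Search every key group, not only the one the image came from, and
        accept an Active or Inactive key, as the thread describes."""
        for k in self.keys:
            if k.tag == tag and k.state in DECRYPTABLE_STATES:
                return k
        return None


def restore_check(keystore: Keystore, image_key_tag: str) -> str:
    """What an operator learns from the image's key tag before a restore."""
    key = keystore.find_decryption_key(image_key_tag)
    if key is None:
        return "no usable key for tag; recover the key from keystore backups or records"
    return f"decrypt with {key.name} ({key.group}, {key.state})"


def demo() -> dict:
    """Constructed scenario: tape written at SiteA, read elsewhere after rotation."""
    site_a = Keystore()
    k2009 = site_a.create_key("ENCR", "encr-2009", b"constructed key material 1")
    tape_tag = k2009.tag  # the tag recorded with the image when it was written
    site_a.create_key("ENCR", "encr-2010", b"constructed key material 2")  # rotation

    # SiteB holds the same key material under a different group name: the tag
    # still matches, even though that group is not the tape's ENCR pool.
    site_b = Keystore()
    site_b.create_key("SITEA-IMPORT", "encr-2009-copy", b"constructed key material 1")
    site_b.create_key("SITEA-IMPORT", "encr-2010-copy", b"constructed key material 2")

    # SiteC never loaded the key: the restore cannot proceed until it is recovered.
    site_c = Keystore()
    site_c.create_key("ENCR", "local-only", b"constructed key material 3")

    results = {
        "rotated_old_state": k2009.state,
        "site_a": restore_check(site_a, tape_tag),
        "site_b": restore_check(site_b, tape_tag),
        "site_c": restore_check(site_c, tape_tag),
    }
    # Retiring the old key at SiteA makes its own old tapes unreadable too.
    site_a.set_state("encr-2009", TERMINATED)
    results["site_a_terminated"] = restore_check(site_a, tape_tag)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The model deliberately keeps the rotated key in Inactive rather than deleting it; that is what lets the SiteA tape decrypt after rotation, and the final step shows why a keystore backup matters once a key is terminated.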
