Summary of the content on page 1
Sun StorageTek™ Crypto
Key Management System
HP LTO4 Encryption-Capable Tape Drives
Technical Brief
Part Number: 316196601
Revision: A
Summary of the content on page 2
Summary of the content on page 3
Crypto Key Management System
Version 2.0
HP LTO4 Tape Drive
Technical Brief
Sun Microsystems, Inc.
www.sun.com
Part Number: 316196601
June 2008
Revision: A
Summary of the content on page 4
Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in
Summary of the content on page 5
Contents
Preface v
  Organization v
  Related Information v
  Additional Information vi
1. Introduction 1
  Drive Tray 2
  Specifications 3
  Compatibility 5
  Order Numbers 6
2. Dione Card 7
  Firmware Requirements 7
  Dione Card Components 8
  Connecting to the Dione Card 9
  KMS Operations 10
  Key Lifecycle 10
  Media RFID Chips 12
  Media Types 12
  Removal and Replacement 14
  Removal 14
3. Virtual Operator Panel 17
  VOP Prerequisites 18
  Computer Hardware Requirements 18
  Operating System Certification 18
  Java Runtime
Summary of the content on page 6
  Using VOP 19
  Start VOP 20
  Diagnose Drive Tab 23
  Run LED Diagnostic Test 23
  Run Loopback Test 24
  Get Log 25
  Load Firmware 25
iv KMS: LTO4 Technical Brief • June 2008 Revision: A • 316196601
Summary of the content on page 7
Preface
This technical brief is intended for Sun StorageTek™ representatives, customers, and anyone responsible for planning the installation of the Crypto Key Management System (KMS) encryption solution.
Organization
This guide has the following organization:
Chapter | Use this chapter to:
Chapter 1, “Introduction”
Chapter 2, “Dione Card”
Chapter 3, “Virtual Operator Panel”
Related Information
These publications contain additional information:
Publication | Description | Part Numbe
Summary of the content on page 8
Additional Information
Sun Microsystems, Inc. (Sun) offers several methods to obtain additional information.
Sun’s External Web Site
Sun’s external Web site provides marketing, product, event, corporate, and service information. The external Web site is accessible to anyone with a Web browser and an Internet connection.
The URL for the external Web site is: http://www.sun.com
The URL for StorageTek™ brand-specific information is: http://www.sun.com/storagetek/
Documentation and D
Summary of the content on page 9
CHAPTER 1
Introduction
Overview
The Hewlett Packard (HP) LTO4 is the fourth generation of Ultrium Linear Tape-Open tape drives. This generation offers more capacity and increased performance than earlier versions of LTO tape drives.
Encryption Capable
The Hewlett Packard LTO4 is the first non-StorageTek T-Series tape drive to support the Crypto Key Management System Version 2.0. This encryption capability requires a special, custom-designed Ethernet card—called the Dione card—that e
Summary of the content on page 10
Drive Tray
Installing this tape drive in one of Sun StorageTek’s automated tape configurations offers customers an even wider choice of tape-based storage solutions.
■ Server compatibility: Fibre Channel and SCSI models on popular (qualified) platforms from vendors such as Sun, HP, IBM, and Dell.
■ Software compatibility: Support for an extensive list of software applications such as ACSLS, HP, CA, VERITAS, Legato, Tivoli, and many more.
■ Support for WORM media: Allows for unalterabl
Summary of the content on page 11
Specifications
TABLE 1-1 provides a comparison of tape drive specifications.
TABLE 1-1 Tape Drive Specifications
Specification | LTO2 | LTO3 | LTO4
Physical Specifications
Height | 8.25 cm (3.25 in.) | 8.25 cm (3.25 in.) | 8.25 cm (3.25 in.)
Width | 14.6 cm (5.75 in.) | 14.6 cm (5.75 in.) | 14.6 cm (5.75 in.)
Length (depth) | 21.38 cm (8.4 in.) | 21.38 cm (8.4 in.) | 21.38 cm (8.4 in.)
Weight | 2.1 kg (4.6 lb) | 2.24 kg (4.94 lb) | 2.24 kg (4.94 lb)
Performance Specifications
Capacity (native) | 200 GB | 400 GB | 800 GB
Tra
Summary of the content on page 12
TABLE 1-2 provides a comparison of media specifications.
TABLE 1-2 Media Specifications
Specification | LTO 2 | LTO 3 | LTO 4
Tape
Base film | PEN (Poly-Ethylene-Naphthalate)
Tape length | 609 m | 680 m | 820 m
Tape length used for data | 580 m | 648 m | 783 m
Tape width | 12.65 mm | 12.65 mm | 12.65 mm
Tape dimensional stability | 1200 ppm | 1200 ppm | 900 ppm
Maximum tape speed | 7.29 m/s
Rewind speed | 7.00 m/s
Durability | 1,000,000 passes
Cartridge
Width | 105.4±0.30 mm
Depth | 102.0±0.30 mm
Height | 21.5±0.25 mm
We
Summary of the content on page 13
Compatibility
HP LTO Ultrium 4 drives are specified to interchange with unencrypted data cartridges from other tape drives that comply with the LTO U-28, U-316 and U-416 specifications:
Future compatibility: In the future, HP LTO Ultrium drives will be capable of:
■ Reading and writing tapes from the current generation
■ Reading and writing tapes from one earlier generation
■ Reading tapes from two earlier generations
HP LTO Ultrium drives will always maintain write and rea
Summary of the content on page 14
Order Numbers
License Keys
FIGURE 1-2 License Keys
LTO4 Encryption Key | Marketing Number | Description
Bundled | X-HP-LTO4-EKEY-B | One required per encryption enabled drive. Bundled with the drive at time of sale.
After market | X-HP-LTO4-EKEY-A | One required per encryption enabled drive. After market for drives previously purchased.
Configured End Items
TABLE 1-5 Configured End Items—Order Numbers
Part Numbers | Description
SL500
LTO4E-HP4FC-SL500Z | LTO4 HP FC 4Gb SL500 Encryp Dr
Summary of the content on page 15
CHAPTER 2
Dione Card
The Dione card—pronounced (D - O - nee)—is a custom design that provides an Ethernet interface for the HP LTO4 tape drive. With this interface, the HP LTO4 tape drive can:
■ Encrypt and decrypt data using the Sun StorageTek Crypto Key Management System (KMS), Version 2.0 and above
■ Configure and enroll the tape drive using the Virtual Operator Panel (VOP), Version 1.0.12 or higher
Basically, the Dione card is a translation device between the serial interface on the
Summary of the content on page 16
Dione Card Components
The Dione card installs in the open area of the drive trays behind the tape drives. Library drive trays that support this card are the:
■ SL8500
■ SL3000
■ SL500
■ L-Series
Each drive tray has its own unique configuration depending on the space in the open area of the drive tray.
FIGURE 2-1 shows an example of a Dione card, which consists of:
■ Dione card
■ Ethernet connector (RJ-45)
■ Power connection (inline with the tape drive power)
■ Commu
Summary of the content on page 17
Connecting to the Dione Card
FIGURE 2-2 shows two ways to connect to the Dione card:
■ Point-to-point using a crossover cable
■ Network using a switch or hub and standard (straight-through) Ethernet cables
Note – The default IP address of the Dione card is 10.0.0.1. This address is the same as that of the T-Series tape drives. Because of this, the initial connection to the Dione card and LTO4 tape drive should be made with a crossover cable to set a new IP address. Then once the I
Summary of the content on page 18
KMS Operations
When the tape drive is powered on, the Dione card communicates with the drive over the serial port to take control of drive encryption and decryption.
HP LTO4 tape drives have the capability of storing one (1) key while encrypting or decrypting data. Therefore, it is essential that these drives stay connected to the KMS network for communications. Failover and load balancing will also occur between the KMAs in the system (KMS).
The following is a brief descript
Summary of the content on page 19
FIGURE 2-3 Key Lifecycle
A potential issue: The LTO4 drive firmware will not request a write key in the following scenario: Read, Space, Write-Filemark, Write. The drive will use the same key obtained for the Read command to encrypt the data provided for the Write command. The state of this key may be inappropriate for writing due to the policy associated with the drive (an expired key).
Work-Around: Assign the drive’s Key Group having a key policy with a long encry
Summary of the content on page 20
At release, the functionality to set a key in a compromised state is not present. This is a low-impact issue because the system assigns unique encryption keys for each tape cartridge. It is rare that a compromised key scenario would ever be encountered. If it were, it would only impact future writes to a single tape cartridge. This functionality will be implemented in the next drive firmware update.
Media RFID Chips
Use FIGURE 2-4 to connect the bulleted terms with the KMS Man