NonStop Volume Level Encryption Guide

HP Part Number: 580587-001
Published: October 2009
Edition: J06.09 and subsequent J-series RVUs, and H06.20 and subsequent H-series RVUs
© Copyright 2009 Hewlett-Packard Development Company, L.P.

Legal Notice

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Export of the information contained in this publication may require authorization from the U.S. Department of Commerce.

Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation. Intel, Pentium, and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Java is a U.S. trademark of Sun Microsystems, Inc. Motif, OSF/1, UNIX, X/Open, and the "X" device are registered trademarks, and IT DialTone and The Open Group are trademarks of The Open Group in the U.S. and other countries.

Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif, and Motif are trademarks of the Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing, performance, or use of this material.

© 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF software to which it relates are derived in part from materials supplied by the following: © 1987, 1988, 1989 Carnegie-Mellon University. © 1989, 1990, 1991 Digital Equipment Corporation. © 1985, 1988, 1989, 1990 Encore Computer Corporation. © 1988 Free Software Foundation, Inc. © 1987, 1988, 1989, 1990, 1991 Hewlett-Packard Company. © 1985, 1987, 1988, 1989, 1990, 1991, 1992 International Business Machines Corporation. © 1988, 1989 Massachusetts Institute of Technology. © 1988, 1989, 1990 Mentat Inc. © 1988 Microsoft Corporation. © 1987, 1988, 1989, 1990, 1991, 1992 SecureWare, Inc. © 1990, 1991 Siemens Nixdorf Informationssysteme AG. © 1986, 1989, 1996, 1997 Sun Microsystems, Inc. © 1989, 1990, 1991 Transarc Corporation.

OSF software and documentation are based in part on the Fourth Berkeley Software Distribution under license from The Regents of the University of California. OSF acknowledges the following individuals and institutions for their role in its development: Kenneth C.R.C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems, Robert Elz. © 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of California.
Table of Contents

About This Document (page 7)
  Supported Release Version Updates (RVUs) (page 7)
  Intended Audience (page 7)
  New and Changed Information in This Edition (page 7)
  Document Organization (page 7)
  Notation Conventions (page 7)
    General Syntax Notation (page 7)
  Related Information (page 8)
  Publishing History (page 9)
  HP Encourages Your Comments (page 9)
1 Overview (page 11)
  Encryption (page 11)
  Encryption principles (page 11)
  Encryption techniques (page 11)
  Encryption management (page 11)
    HP NonStop I/O Essentials (page 12)
  Supported systems and devices (page 12)
  System requirements and planning (page 12)
  Encryption in a system (page 13)
  Licensing (page 13)
2 Installation (page 15)
  Installation overview (page 15)
  Installation steps (page 16)
    1. Install Storage CLIMs (page 16)
    2. Install the license (page 16)
    3. Configure SAFEGUARD (page 16)
    4. Create security group (page 16)
    5. Configure eth1 (enterprise LAN) (page 17)
    6. Install the ESKM (page 17)
    7. Perform pre-enrollment tasks (page 19)
    8. Register the CLIMs (page 41)
    9. Verify connection between the CLIM and the key managers (page 41)
    10. Back up the configuration files (page 42)
    11. Back up the Key Managers (page 42)
3 Encrypting data on storage devices (page 43)
  Encrypting data on disk drives (page 43)
    Encrypting data with CLIM key rotation (page 43)
    Encrypting data with REVIVE key rotation (page 47)
    Changing encrypted disk keys (page 51)
    Decrypting a disk (page 51)
    Disk hardware replacement (page 51)
  Encrypting data on tape drives (page 52)
    Encrypting data on tape drives (page 52)
    Clearing tape drive encryption (page 53)
    Tape drive hardware replacement (page 53)
4 Maintenance (page 55)
  Security (page 55)
  License (page 55)
  ESKM license (page 55)
  SCF commands (page 55)
    STATUS SUBSYS $ZZSTO (page 56)
    STATUS CLIM, ENCRYPTION (page 56)
    STATUS CLIM, KEYMANAGER (page 56)
    STATUS CLIM, KEYCHANGE (page 56)
    STATUS DISK, ENCRYPTION (page 57)
    STATUS DISK, ENCRYPTION, DETAIL (page 57)
    STATUS TAPE, ENCRYPTION (page 58)
  Troubleshooting (page 58)
  Fallback (page 59)
  Adding CLIMs (page 60)
A Glossary of terms used in this manual (page 61)
B Encryption background (page 63)
Index (page 65)
List of Figures

1-1 System Connections (page 13)
3-1 Fault tolerant configuration (page 44)
3-2 Key rotation (page 44)
3-3 Data encryption using INIT and START (page 47)
About This Document

This document describes how to install and maintain volume level encryption provided by Storage CLIMs and the HP Enterprise Secure Key Manager.

Supported Release Version Updates (RVUs)

This manual supports J06.09 and all subsequent J-series RVUs, and H06.20 and all subsequent H-series RVUs, until otherwise indicated in a replacement publication.

Intended Audience

This manual is intended for service personnel who will install Storage CLIMs, and for security encryption administrators at customer sites who will maintain encryption on these devices. Security encryption administrators are expected to have knowledge of security concepts and best practices.

New and Changed Information in This Edition

This is a new manual.

Document Organization

This document is organized as follows:

Chapter 1: Overview. This chapter provides an overview of encryption, supported systems, system requirements, encryption in a system, and encryption licensing.
Chapter 2: Installation. This chapter describes the steps for installing and configuring the components required for encryption.
Chapter 3: Encrypting data on storage devices. This chapter describes how to encrypt data on disk and tape devices.
Chapter 4: Maintenance. This chapter describes maintenance and best practices required for encryption.
Appendix A (page 61): Glossary of terms used in this manual.

Notation Conventions

General Syntax Notation

This list summarizes the notation conventions for syntax presentation in this manual.

UPPERCASE LETTERS. Uppercase letters indicate keywords and reserved words. Type these items exactly as shown. Items not enclosed in brackets are required. For example:
    MAXATTACH

Italic Letters. Italic letters, regardless of font, indicate variable items that you supply. Items not enclosed in brackets are required. For example:
    file-name

[ ] Brackets. Brackets enclose optional syntax items. For example:
    TERM [system-name.]$terminal-name
    INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none. The items in the list can be arranged either vertically, with aligned brackets on each side of the list, or horizontally, enclosed in a pair of brackets and separated by vertical lines. For example:
    FC [ num ] [ -num ] [ text ]
    K [ X | D ] address

| Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example:
    INSPECT { OFF | ON | SAVEABEND }

Punctuation. Parentheses, commas, semicolons, and other symbols not previously described must be typed as shown. For example:
    error := NEXTFILENAME ( file-name ) ;
    LISTOPENS SU $process-name.#su-name
Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown. For example:
    "[" repetition-constant-list "]"

Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
    CALL STEPMOM ( process-id ) ;
If there is no space between two items, spaces are not permitted. In this example, no spaces are permitted between the period and any other items:
    $process-name.#su-name

Related Information

For information about...                                    Refer to...
CLIM hardware                                               HP ProLiant DL385 Generation 5 Server Maintenance and Service Guide
CLIM installation and configuration                         NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide
Cluster I/O Protocols (CIP) subsystem                       NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual
Enterprise Secure Key Manager hardware installation and configuration
                                                            Enterprise Secure Key Manager Installation and Replacement Guide (on the CD shipped with the device)
Enterprise Secure Key Manager hardware and key configuration
                                                            Enterprise Secure Key Manager Users Guide (on the CD shipped with the device)
Operator messages                                           Operator Messages Manual
SCF device attributes and commands                          SCF Reference Manual for the Storage Subsystem
Storage devices                                             NonStop Storage Overview
Virtual tape                                                Virtual TapeServer - Operations and Administration Guide

Publishing History

Part Number    Product Version    Publication Date
580587-001     N.A.               November 2009

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send any errors found, suggestions for improvement, or compliments to docsfeedback@hp.com. Include the document title, part number, and any comment, error found, or suggestion for improvement you have concerning this document.
1 Overview

Encryption

Encryption on storage devices protects sensitive customer data from theft and helps customers comply with regulations such as HIPAA and the Payment Card Industry (PCI) Data Security Standard. Volume level encryption provides system-integrated encryption of whole volumes for storage devices connected to Integrity NonStop NS-series systems or NonStop Integrity BladeSystems that use a Storage CLIM. Data at rest on disks and tape drives is encrypted using the IEEE 1619 (disk) and IEEE 1619.1 (tape) industry-standard algorithms. Encryption uses keys generated and stored by the HP Enterprise Secure Key Manager (ESKM).

Encryption principles

Keys generated by the key manager protect storage data. Keys are as valuable an asset as the data they protect, and they must be protected for the life of the data. If a key is lost or destroyed, the data is effectively lost because it cannot be accessed. Follow these practices:
• Keys and system security should be managed by customer security officers, not system administrators.
• Keys should be protected by ESKM disk mirroring, backups, and distribution over multiple nodes so that they can be recovered in case of catastrophic failure.

CAUTION: There are no system back doors for recovering data if passwords or keys are lost. If keys are destroyed or lost, the data is lost. HP recommends that all ESKM backup and redundancy mechanisms be fully used, and that alternate security officers be trained and enrolled to manage the ESKM cluster and to perform recovery operations if needed.

For more details about encryption, see Appendix B (page 63).

Encryption techniques

Volume level encryption provides data-at-rest encryption for entire disk or tape volumes, instead of files or columns. The system processes and transmits data in clear (unencrypted) text. Volume level encryption does not secure data while it is in transit to or from storage media. Customers must still configure their environment and applications so that access to sensitive information is controlled while the data is in use on the NonStop system. Data comes from ServerNet in the clear and is placed in CLIM memory. It is encrypted there and then transferred to the disk through the SAS or Fibre Channel HBA.

Volume level encryption uses symmetric block encryption (a block cipher), which uses a single key for both encryption and decryption. This product uses these algorithms:
• Disks: CBC-AES (key size 256) or XTS-AES (key size 256)
    CBC-AES must be used for FIPS 140-2 mode.
    XTS-AES follows the IEEE 1619 specification.
• Tapes: GCM-AES (key size 256)

Encryption management

The CLIM is managed with a combination of OSM, the CLIMCMD tool, I/O Essentials, and an integrated Lights Out Management (iLO) interface. For details, see the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual and the NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide.

Encrypted disks and drives are managed with the SCF storage subsystem. For descriptions of disk and tape attributes and the commands to manage them, see the SCF Reference Manual for the Storage Subsystem.

The ESKM is managed with the ESKM Management Console. For details, see the Enterprise Secure Key Manager Users Guide.

HP NonStop I/O Essentials

NonStop I/O Essentials is a plug-in to HP Systems Insight Manager (SIM). HP SIM is an infrastructure management tool for HP systems that runs on the system console. The NonStop I/O Essentials plug-in provides a graphical user interface alternative to the command line interfaces of the CLIMCMD tool and SCF. For more information about using NonStop I/O Essentials, see the NonStop I/O Essentials Installation and Quick Start Guide.

Supported systems and devices

Volume level encryption is supported on these systems:
• NonStop Integrity BladeSystems (J-series)
• NonStop Integrity NS16000 series servers (H-series)
• NonStop Integrity NS2000 series servers (H-series)
Encryption is not available for S-series or other platforms that do not support the Storage CLIM.

Encryption is supported on these devices:
• SAS disk drives
• Enterprise Storage Servers
• LTO-4 tape drives (encryption may be applied per drive or per media)

For disks, encryption is performed by the CLIM using keys generated by the key manager. Encryption is compatible with the Write Cache Enable feature. For tapes, encryption is performed by the LTO-4 tape drive. Storage CLIMs with encryption support connections to Secure VTS (Virtual Tape Server) tapes, whose encryption is performed by the VTS. Volume level encryption is not compatible with the NetApp DataFort product.

System requirements and planning

This hardware is required to support encryption:
• Any NonStop NS-series or NonStop BladeSystem with Storage CLIMs and an NSVLE encryption license
• Storage CLIM
• Key manager (ESKM)

NonStop disks to be encrypted are not required to be mirrored, but mirroring is strongly advised for fault tolerance.

The CLIM is an HP ProLiant class server that connects to an HP Integrity NonStop BladeSystem or NS-series system to support connections to storage devices or to the network. The Storage CLIM provides Fibre Channel and Serial Attached SCSI (SAS) connectivity to storage devices. It supports only the HP-documented applications and interfaces. For information about the CLIM, see the appropriate generation of the HP ProLiant DL385 Server Maintenance and Service Guide.

The ESKM is based on HP ProLiant server technology. It generates, stores, and serves keys to CLIMs. It automatically replicates keys across the cluster nodes, can back up and restore the key database, and provides a local Certificate Authority (CA) used to create client certificates for strong TLS authentication of CLIMs to the key manager. Key managers are installed in pairs or larger clusters for high availability. The key manager device may be installed anywhere (in the same or in another datacenter) but must be network-accessible to the Storage CLIMs. The encrypting Storage CLIM connects to key managers using its second LAN port (eth1).

Encryption in a system

Communication between a NonStop system and Storage CLIMs uses a combination of ServerNet and the maintenance LAN. Users enter SCF commands to enable or disable encryption on a particular device and to set up encryption parameters. The second Ethernet port (eth1) on the CLIM is connected directly to the enterprise LAN so that Storage CLIMs can communicate with the key manager. Figure 1-1 shows how the system components are connected.

Figure 1-1 System Connections
    1 NonStop processors
    2 System console
    3 ServerNet
    4 CLIMs
    5 Maintenance LAN
    6 Key managers
    7 Enterprise LAN

Licensing

Encryption is enabled by a license available from HP, which is installed on the NonStop system. Licensing is described in "License" (page 55). Enrolling CLIMs as ESKM clients also requires sufficient client licenses in the ESKM cluster. ESKM client licensing and license installation are described in the Enterprise Secure Key Manager Installation and Replacement Guide, on the CD shipped with the device.
  • 15. 2 Installation Installation overview In order to use Volume Level Encryption, you must install the ESKM and establish ESKM/CLIM connectivity over the enterprise LAN. ESKM/CLIM interactions must be able to be authenticated through certificates and encrypted through SSL, so that the CLIM can securely receive keys from the ESKM. The appropriate security officers must be enabled to control volume encryption from the NonStop system. To accomplish this, you must perform these installation tasks: • Configure connectivity • Configure an ESKM cluster (if not already done) • Create a certificate authority on the ESKM if one does not exist • Have the ESKM certificate authority created server certificates for each ESKM • Have the CLIM create a client certificate for each CLIM • Have the ESKM CA sign the client certificates • Install the signed client certificates on the CLIMs • Create and populate an encryption group in Safeguard Installation is done by a service provider and a customer security officer. The service provider: • Installs and configures the CLIM • Installs the key manager • Configures LAN connection • Backs up the CLIM configuration The security officer: • Installs the license • Configures SAFEGUARD and creates the security group • Configures the connection between the CLIM and the key manager • Configures devices to be encrypted • Performs data encryption procedures To prepare for installation, have this information available: • CLIM names for the client certificates • Correct port numbers To install this product, follow these steps: ◦ “1. Install Storage CLIMs” (page 16) ◦ “2. Install the license” (page 16) ◦ “3. Configure SAFEGUARD” (page 16) ◦ “4. Create security group” (page 16) ◦ “5. Configure eth1 (enterprise LAN)” (page 17) ◦ “6. Install the ESKM” (page 17) ◦ “7. Perform pre-enrollment tasks” (page 19) ◦ “8. Register the CLIMs” (page 41) ◦ “9. Verify connection between the CLIM and the key managers” (page 41) ◦ “10. 
Back up the configuration files” (page 42) ◦ “11. Back up the Key Managers” (page 42) Installation overview 15
  • 16. Installation steps 1. Install Storage CLIMs If the system does not have Storage CLIMs, follow the procedures in the NonStop CLuster I/O Module (CLIM) Installation and Configuration Guide to install, connect, and configure them. The CLIM should be in the STARTED state. 2. Install the license Obtain the encryption license file by emailing License.Manager@hp.com. Install the file in $SYSTEM.ZLICENSE.NSVLE and change the filecode to 407. For details about the license, see “License” (page 55). 3. Configure SAFEGUARD SAFEGUARD must be running. Make it a generic process: ADD PROCESS $ZZKRN.#SAFEGUARD , & AUTORESTART 10 , & BACKUPCPU 1 , & DEFAULTVOL $SYSTEM.SYSTEM , & HIGHPIN ON , & HOMETERM $ZHOME , & INFILE $YMIOP.#CLCI , & MEMPAGES 0 , & NAME $ZSMP , & OUTFILE $ZHOME , & PRIMARYCPU 0 , & PRIORITY 198 , &v PROGRAM $SYSTEM.SYSTEM.OSMP , & SAVEABEND ON , & STARTMODE SYSTEM , & STARTUPMSG "BCKP-CPU" , & STOPMODE STANDARD , & TYPE OTHER , & USERID SUPER.SUPER 4. Create security group The customer security officer creates a group to administer security whose members will be the only users allowed to perform security tasks. The members must be in the SUPER group. Use SAFECOM to create the SECURITY-ENCRYPTION-ADMIN group: ADD GROUP SECURITY-ENCRYPTION-ADMIN, NUMBER 65536 ALTER GROUP NUMBER 65536, MEMBER SUPER.officer Verify the group with the SAFECOM INFO command: 16 Installation
  • 17. You can create other members now or later. Group membership takes effect at the next logon. 5. Configure eth1 (enterprise LAN) The service provider uses CLIMCMD to configure eth1 (the enterprise LAN) on the CLIM: climconfig interface -add eth1 climconfig ip -add eth1 -ipaddress 16.107.132.108 -netmask 255.255.252.0 climconfig route -add eth1 -default -gateway 16.107.132.1 ifstart eth1 IP addresses and route options are customer-dependent. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual for details. 6. Install the ESKM The service provider installs the ESKM device. See the Enterprise Secure Key Manager Installation and Replacement Guide for details. This manual is on the CD shipped with the device. As part of the installation process, you may need to install an ESKM license pack. A client license is required for each user device (Storage CLIM) that will be created on the ESKM. Contact HP support to obtain it with email sent by Atalla Support. See the Enterprise Secure Key Manager Users Guide for additional guidance on installing the license file (on the CD shipped with the device). If the number of created users exceeds the number of available licenses, a warning is displayed in the ESKM GUI and the error is logged. If the license warning appears after registering the CLIMs (“8. Register the CLIMs” (page 41)), you must obtain additional licenses from HP. The Key Manager must be set up so that: • On the High Security Configuration page, FIPS mode is enabled. • On the KMS Server Settings page, “Allow Key and Policy Configuration Operations” and “Allow Key Export” are selected. • SSL is enabled with client certificate authentication. • The default ports are used. • All server certificates in the cluster have the same name. For the first node only, perform these tasks: 1. Start the appliance 2. Configure the appliance 3. Configure the first ESKM appliance Installation steps 17
  • 18. a. If you did not do so during the ESKM installation, create local CA NSVLECA (the name used in this example) and use it to sign the server certificate: 1) Log onto the Secure Key Manager GUI as admin. Login name is case sensitive. 2) On the Security tab, select Local CAs. 3) Enter information to create a local certificate authority: 4) Click Create. You can use the local CA to sign both server and client certificates. You must download this CA to the NonStop system. If a customer wants to use their own CA, they can import a known CA. See the Enterprise Secure Key Manager Users Guide for details. b. Set up the local Certificate Authority 1) Create the ESKM server certificate 2) Enable SSL on the Key Management System (KMS) Server 4. Establish a cluster a. Create the cluster b. Download the cluster key For all other ESKM nodes, perform these tasks: 1. Start the appliance 2. Configure the appliance 3. Add additional ESKM appliances to the cluster 4. Create and install the ESKM Server Certificate For one node, create the NSSuser (NonStop setup user) login with “User Administration Permission” and “Change Password Permission” selected. 18 Installation
For all nodes, back up the configuration. See the Enterprise Secure Key Manager Users Guide for details.

7. Perform pre-enrollment tasks

Before you can enroll the CLIMs as ESKM clients, you need to perform these pre-enrollment tasks:
◦ “A. Create server certificates NSLEServerCertificate” (page 19)
◦ “B. Sign the server certificate request NSLEServerCertificate with the local CA NSVLECA” (page 20)
◦ “C. Set FIPS compliant mode” (page 24)
◦ “D. Set KMS server settings” (page 24)
◦ “E. Set KMS server authentication settings” (page 25)
◦ “F. Create the NSSuser local user, if you have not created one, and set security” (page 26)
◦ “G. Create client certificate request for the NSSuser local user” (page 27)
◦ “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39)
◦ “I. Verify connection between the NonStop system and the Key Manager” (page 41)

After you have performed these tasks, go on to “8. Register the CLIMs” (page 41).

A. Create server certificates NSLEServerCertificate

Perform this step for each Key Manager.
a. Log on to the Secure Key Manager GUI as admin. Login name is case sensitive.
b. On the Security tab, select Certificates.
c. Fill in information to create a certificate.
d. Click Create Certificate Request.
e. In the Certificate List, select the radio button for the NSVLESERVERCERTIFICATE certificate and click its name to open it.
f. Select and copy the text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----. Click Back to leave this screen.

B. Sign the server certificate request NSLEServerCertificate with the local CA NSVLECA

Perform this step for each Key Manager.
a. On the Security tab, select Local CAs.
b. In the Local Certificate Authority List, select the radio button for NSVLECA and click Sign Request.
c. Paste the certificate request into the Certificate Request box. For Certificate Purpose, select Server.
d. Click Sign Request.
e. Select and copy the certificate text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
f. On the Security tab, select Certificates. In the Certificate list, select the radio button for NSVLESERVERCERTIFICATE and click its name to open it.
g. Select Install Certificate.
h. Paste the signed certificate into the Certificate Response box and click Save to save the server certificate.
C. Set FIPS compliant mode

For details about FIPS compliance and the ESKM, see the Enterprise Secure Key Manager Users Guide.
a. On the Security tab, select High Security.
b. Select Set FIPS Compliant.

D. Set KMS server settings

For details about the KMS server, see the Enterprise Secure Key Manager Users Guide.
a. On the Device tab, select KMS Server.
b. Select NSVLESERVERCERTIFICATE from the Server Certificate drop-down list.
c. Make sure all other KMS server settings are set as follows:
   Port lists the correct port on which the KMS Server is listening for client requests. The default port is 9000; however, you can use any available port.
   Use SSL is checked.
   Server Certificate lists the server certificate.
   Connection Timeout (sec) is 3600.
   Allow Key and Policy Configuration Operations is checked.
   Allow Key Export is checked.
   Click Edit and change them if necessary.
d. Click Save.

E. Set KMS server authentication settings

a. On the Device tab, select KMS Server.
b. On the KMS Server Authentication Settings screen, select Edit and verify that the settings are as follows:
   User Directory is Local.
   Password Authentication is Required.
   Client Certificate Authentication is Used for SSL session and username.
   Trusted CA List Profile is the Trusted CA list profile that contains the Local CA that will be used to sign the client certificates.
   Username Field in Client Certificate is CN (Common Name). When the client certificates are created, this field must contain the client (CLIM) username. HP recommends that you choose the most secure option. Customers who provide their own signed certificates must include the CLIM's username in their certificate, so they must know the CLIM usernames before creating the signed certificate.
   Require Client Certificate to Contain Source IP is not checked.
c. Click Save.

F. Create the NSSuser local user, if you have not created one, and set security

a. On the Security tab, select Local Users & Groups.
b. Under Local Users, select Add.
c. Add the NSSuser name and password, and select all permissions. The user name must be NSSuser. This password will only be used in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).
d. Click Save.

G. Create client certificate request for the NSSuser local user

The certificate request for the NSSuser cannot be created using the key manager, because the key manager does not allow the private key of the key pair that corresponds to the certificate request to be exported. Use OpenSSL to create the NSSuser client certificate request in one of these ways:
• “Create signed NSSuser client certificate with a PC” (page 27)
• “Create signed NSSuser client certificate with CLIMCMD” (page 33)

Create signed NSSuser client certificate with a PC

If you have a PC that has OpenSSL installed, with access to a NonStop TACL session and the Key Manager’s Web Browser interface, you can use it to create the NSSuser private key, NSSuser signed certificate, and NSSuser passphrase files for NonStop.
a. Create an empty temporary directory on the PC:
C:\>mkdir zencrypt
and change the directory to that empty temporary directory:
C:\>cd zencrypt
b. Use OpenSSL to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. Choose a strong passphrase to protect the private key. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser.
C:\zencrypt>openssl req -newkey rsa:2048 -keyout client.key -out client.csr
The system responds, prompting you to enter various fields. Responses are shown in bold:
Generating a 2048 bit RSA private key
.......................................+++
...............+++
writing new private key to 'client.key'
Enter PEM pass phrase:passphrase
Verifying - Enter PEM pass phrase:passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP
Organizational Unit Name (eg, section) []:NonStop
Common Name (eg, YOUR name) []:NSSuser
Email Address []:MyEmail.Id@hp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
C:\zencrypt>
c. Use OpenSSL to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key:
C:\zencrypt>openssl rsa -in client.key -text -out client.key.pem
Enter pass phrase for client.key:passphrase
writing RSA key
d. Use OpenSSL to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be prompted to enter the passphrase that you used to create the private key:
C:\zencrypt>openssl pkcs8 -topk8 -in client.key.pem -outform DER -out client.key.der
Enter Encryption Password:passphrase
Verifying - Enter Encryption Password:passphrase
e. Use the cat command to display the client certificate request:
C:\zencrypt>cat client.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlDdXBlcnRpbm8xCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxEDAOBgNVBAMT
B05TU3VzZXIxITAfBgkqhkiG9w0BCQEWEm1hcmMucGFsb21hQGhwLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmb7qDVMatrKRN8NIepS9f51Waw
fjTliooc/u3Ke7UK2nk207Rm6elvGwZnomrwFcsbpQnXHuPtaaobu5c0Wcw6Tiap
2F36wYb8Zlq8q51pDwa/tUktkmlBWn4aNZJZCL5mIN6u5Jiz+TfHMkLHc1cVxjfm
82B6dKip49CePTI5UT4ayBoOQj0NdGtWeQYWhhFJfSu5w6EjHavCANCzl57kHpgO
ItykW8lrFgM8H57sQ/csBbDVU/fsNiXBnlpxTtq4PvyZvhbcKsfbgXK1zqV/SlEu
IgUDfKbU4IuV09Sh6SKORRDRd03NOiSsXfeZGKOo3m87+7ViNzaln93JiF8CAwEA
AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQC0f2yAr8EMo50izNCNskaRRlEQACB275Wd
Zu7iq69t2oiSGdnhF2Qx59wJHfR+/QB9TJdnplVpXfp3U7ZmZBKnZEsnw3jHjTYf
vLZUeAwYbLjn2JfuVL8LLDbyRUMvm7NAZMGPsGfhPEev8avBEWshjVa3uBpqc92N
9aqqJhxXYCORWQkPdTzRbsCDMemWRILYet0I8smKk0+bp/1p3uEFAOwyYu2Uz4ie
Vx9jtGN3YoS4fm42QCXQxuLsCIzmEw33Kwae/njyxJML3YWl8Ar3zfPjbBvR77/0
3f2cvZoUl0ktKSw9BEOVllLkVil/9EkttGZ6djJPQkCDjMAoDFqa
-----END CERTIFICATE REQUEST-----
C:\zencrypt>
f. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----.
g. Sign the NSSuser client certificate request with the local CA NSVLECA:
1) Log onto the Enterprise Secure Key Manager GUI as admin. On the Security tab, select Local CAs.
2) Select the trusted local CA NSVLECA and click Sign Request.
h. Select Client as Certificate Purpose. Paste the copied certificate request into the box.
i. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate.
j. Click Download at the bottom of the NSSuser signed client certificate. When the system asks if you want to open or save the signed.cer file, select Save.
k. Save the NSSuser signed client certificate in the C:\zencrypt directory on your PC and name the saved file client.signed. When the download completes, click the Close button.
l. In your temporary directory, create a file called nssupass.txt. Type the NSSuser passphrase that you entered in step b into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).)
m. Verify that the directory has these files:
C:\zencrypt>dir
 Volume in drive C is PC COE
 Volume Serial Number is D0BC-6439

 Directory of C:\zencrypt

09/17/2009  06:16 PM    <DIR>          .
09/17/2009  06:16 PM    <DIR>          ..
09/17/2009  06:00 PM             1,033 client.csr
09/17/2009  06:00 PM             1,751 client.key
09/17/2009  06:00 PM             1,261 client.key.der
09/17/2009  06:00 PM             5,684 client.key.pem
09/17/2009  06:08 PM             1,313 client.signed.cer
09/17/2009  06:11 PM               928 client.signed.cer.der
09/17/2009  06:16 PM                11 nssupass.txt
               7 File(s)         11,981 bytes
               2 Dir(s)  426,107,215,872 bytes free
C:\zencrypt>
n. FTP the NSSuser passphrase file (NSSUPASS), the DER formatted NSSuser private key file (NSSUKEY), and the DER formatted NSSuser signed client certificate (NSSUCERT) to the $SYSTEM.ZENCRYPT subvolume on the NonStop system:
C:\zencrypt>ftp osm8.caclab.cac.cpqcorp.net
Connected to osm8.caclab.cac.cpqcorp.net.
220 OSM8.caclab.cac.cpqcorp.net FTP SERVER T9552J01 (Version J01 TANDEM 10JUL2009) ready.
User (osm8.caclab.cac.cpqcorp.net:(none)): super.super
331 Password required for SUPER.SUPER.
Password:
230 User SUPER.SUPER logged in. GUARDIAN API enabled
ftp> cd $system.zencrypt
250 CWD command successful.
ftp> put nssupass.txt nssupass
200 PORT command successful.
150 Opening data connection for nssupass (16.92.141.110,62449d).
226 Transfer complete.
ftp: 11 bytes sent in 0.03Seconds 0.42Kbytes/sec.
ftp> binary
200 Type set to I.
ftp> put client.key.der nssukey,0
200 PORT command successful.
150 Opening data connection for nssukey (16.92.141.110,62452d).
226 Binary Transfer complete.
ftp: 1261 bytes sent in 0.00Seconds 1261.00Kbytes/sec.
ftp> put client.signed.cer.der nssucert,0
200 PORT command successful.
150 Opening data connection for nssucert (16.92.141.110,62455d).
226 Binary Transfer complete.
ftp: 928 bytes sent in 0.00Seconds 464.00Kbytes/sec.
ftp> quit
221 Goodbye.
o. Delete the temporary files in the C:\zencrypt directory and the directory itself:
C:\zencrypt>del *
C:\zencrypt\*, Are you sure (Y/N)? y
C:\zencrypt>cd ..
C:\>rmdir zencrypt
p. Log on to the NonStop system as SUPER.SUPER, volume to $SYSTEM.ZENCRYPT, and FUP SECURE the files in the ZENCRYPT subvolume that you transferred:
$SYSTEM ZENCRYPT 19> fup secure zencrypt*, CCCC
$SYSTEM ZENCRYPT 20> fileinfo zencrypt*
$SYSTEM.ZENCRYPT
           CODE    EOF  LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928  17SEP2009 17:32   255,255  CCCC    14   112
NSSUKEY       0   1261  17SEP2009 17:32   255,255  CCCC    14   112
NSSUPASS    101   2074  17SEP2009 17:21   255,255  CCCC    14    14
$SYSTEM ZENCRYPT 21>
Now the NonStop system has these files: the NSSuser passphrase file (NSSUPASS), the NSSuser private key file (NSSUKEY), and the NSSuser signed client certificate (NSSUCERT). Go on to “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39).
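Because the KMS server takes the client username from the certificate's CN (section E above), a request whose CN is not exactly NSSuser will be signed without complaint but will not authenticate. The following added Python example, which is not part of the HP guide and uses only the standard library, parses the DER subject of the certificate request shown in the cat client.csr output above (copied from the guide) and checks the CN before the request is pasted into the Sign Request page; the function names are this example's own.

```python
import base64

# Certificate request from the guide's "cat client.csr" output (copied from the page).
PAGE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlDdXBlcnRpbm8xCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxEDAOBgNVBAMT
B05TU3VzZXIxITAfBgkqhkiG9w0BCQEWEm1hcmMucGFsb21hQGhwLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmb7qDVMatrKRN8NIepS9f51Waw
fjTliooc/u3Ke7UK2nk207Rm6elvGwZnomrwFcsbpQnXHuPtaaobu5c0Wcw6Tiap
2F36wYb8Zlq8q51pDwa/tUktkmlBWn4aNZJZCL5mIN6u5Jiz+TfHMkLHc1cVxjfm
82B6dKip49CePTI5UT4ayBoOQj0NdGtWeQYWhhFJfSu5w6EjHavCANCzl57kHpgO
ItykW8lrFgM8H57sQ/csBbDVU/fsNiXBnlpxTtq4PvyZvhbcKsfbgXK1zqV/SlEu
IgUDfKbU4IuV09Sh6SKORRDRd03NOiSsXfeZGKOo3m87+7ViNzaln93JiF8CAwEA
AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQC0f2yAr8EMo50izNCNskaRRlEQACB275Wd
Zu7iq69t2oiSGdnhF2Qx59wJHfR+/QB9TJdnplVpXfp3U7ZmZBKnZEsnw3jHjTYf
vLZUeAwYbLjn2JfuVL8LLDbyRUMvm7NAZMGPsGfhPEev8avBEWshjVa3uBpqc92N
9aqqJhxXYCORWQkPdTzRbsCDMemWRILYet0I8smKk0+bp/1p3uEFAOwyYu2Uz4ie
Vx9jtGN3YoS4fm42QCXQxuLsCIzmEw33Kwae/njyxJML3YWl8Ar3zfPjbBvR77/0
3f2cvZoUl0ktKSw9BEOVllLkVil/9EkttGZ6djJPQkCDjMAoDFqa
-----END CERTIFICATE REQUEST-----"""

DER_SEQUENCE, DER_SET = 0x30, 0x31

# X.500 attribute OIDs (DER-encoded, hex) that the guide's DN uses.
ATTR_NAMES = {
    "550406": "C", "550408": "ST", "550407": "L",
    "55040a": "O", "55040b": "OU", "550403": "CN",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, pos, pos + length


def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    body += "=" * (-len(body) % 4)          # tolerate a body pasted without padding
    return base64.b64decode(body)


def csr_subject(der):
    """Return the subject Name of a PKCS#10 request as {attribute: value}."""
    tag, pos, _ = _read_tlv(der, 0)         # CertificationRequest ::= SEQUENCE
    if tag != DER_SEQUENCE:
        raise ValueError("not a DER CertificationRequest")
    tag, pos, _ = _read_tlv(der, pos)       # certificationRequestInfo ::= SEQUENCE
    if tag != DER_SEQUENCE:
        raise ValueError("malformed certificationRequestInfo")
    _, _, pos = _read_tlv(der, pos)         # version INTEGER: skip
    tag, pos, name_end = _read_tlv(der, pos)  # subject Name ::= SEQUENCE OF RDN
    if tag != DER_SEQUENCE:
        raise ValueError("malformed subject Name")
    subject = {}
    while pos < name_end:
        tag, rdn_pos, rdn_end = _read_tlv(der, pos)       # RelativeDistinguishedName ::= SET
        if tag != DER_SET:
            raise ValueError("malformed RDN")
        while rdn_pos < rdn_end:
            _, atv_pos, atv_end = _read_tlv(der, rdn_pos)   # AttributeTypeAndValue ::= SEQUENCE
            _, oid_start, oid_end = _read_tlv(der, atv_pos)  # type OBJECT IDENTIFIER
            oid = der[oid_start:oid_end].hex()
            _, val_start, val_end = _read_tlv(der, oid_end)  # value (PrintableString etc.)
            subject[ATTR_NAMES.get(oid, oid)] = der[val_start:val_end].decode("utf-8", "replace")
            rdn_pos = atv_end
        pos = rdn_end
    return subject


def check_client_csr(der, expected_user="NSSuser"):
    """Return (ok, cn): ok only when the CN matches the ESKM username byte for byte."""
    cn = csr_subject(der).get("CN")
    return cn == expected_user, cn


# Constructed negative case: the same request with the CN's case changed in place.
# Same length, so the DER stays well formed (the signature is not checked here).
WRONG_CASE_DER = pem_to_der(PAGE_CSR_PEM).replace(b"\x13\x07NSSuser", b"\x13\x07nssuser")

if __name__ == "__main__":
    der = pem_to_der(PAGE_CSR_PEM)
    print("subject:", csr_subject(der))
    print("page CSR:", check_client_csr(der))          # (True, 'NSSuser')
    print("wrong case:", check_client_csr(WRONG_CASE_DER))  # (False, 'nssuser')
```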
Create signed NSSuser client certificate with CLIMCMD

a. Log on to a TACL prompt as SUPER.SUPER on the system where you are creating the NSSuser files. Use the VOLUME command to create the $SYSTEM.ZENCRYPT subvolume:
$SYSTEM STARTUP 2> VOLUME $SYSTEM.ZENCRYPT
$SYSTEM ZENCRYPT 3> fileinfo *
No files match OSM8.$SYSTEM.ZENCRYPT.*
$SYSTEM ZENCRYPT 4>
b. Use the CLIMCMD mkdir command to create a temporary directory on the CLIM. You can use any CLIM on the system. This example uses a Storage CLIM named C100231 and a temporary directory “zencrypt”:
$SYSTEM ZENCRYPT 4> climcmd c100231 mkdir /tmp/zencrypt/
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 5>
c. Use the CLIMCMD OpenSSL command to create a NSSuser private key and a NSSuser client certificate request. You will be prompted to enter a passphrase. Choose a strong passphrase to protect the private key. You can fill in the other information any way you see fit. However, the Common Name must be NSSuser. Enter this command, all on one line:
$SYSTEM ZENCRYPT 5> climcmd c100231 openssl req -newkey rsa:2048 -keyout /tmp/zencrypt/client.key -out /tmp/zencrypt/client.csr
The system responds, prompting you to enter various fields. Responses are shown in bold:
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Generating a 2048 bit RSA private key
........................................+++
........................+++
writing new private key to '/tmp/zencrypt/client.key'
Enter PEM pass phrase:passphrase
Verifying - Enter PEM pass phrase:passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP
Organizational Unit Name (eg, section) []:NonStop
Common Name (eg, YOUR name) []:NSSuser
Email Address []:MyEmail.Id@hp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Termination Info: 0
$SYSTEM ZENCRYPT 6>
d. Use the CLIMCMD OpenSSL command to convert the NSSuser private key into a PEM formatted private key. You will be prompted to enter the passphrase that you used to create the private key. Enter this command, all on one line:
$SYSTEM ZENCRYPT 6> climcmd c100231 openssl rsa -in /tmp/zencrypt/client.key -text -out /tmp/zencrypt/client.key.pem
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Enter pass phrase for /tmp/zencrypt/client.key:passphrase
writing RSA key
Termination Info: 0
$SYSTEM ZENCRYPT 7>
e. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser private key into a DER formatted private key. You will be asked to enter the passphrase that you used to create the private key. Enter this command, all on one line:
$SYSTEM ZENCRYPT 7> climcmd c100231 openssl pkcs8 -topk8 -in /tmp/zencrypt/client.key.pem -outform DER -out /tmp/zencrypt/client.key.der
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Enter Encryption Password: passphrase
Verifying - Enter Encryption Password: passphrase
Termination Info: 0
$SYSTEM ZENCRYPT 8>
f. Use the CLIMCMD cat command to display the client certificate request:
$SYSTEM ZENCRYPT 8> climcmd c100231 cat /tmp/zencrypt/client.csr
The system responds:
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
-----BEGIN CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlDdXBlcnRpbm8xCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxEDAOBgNVBAMT
B05TU3VzZXIxITAfBgkqhkiG9w0BCQEWEm1hcmMucGFsb21hQGhwLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKLFhBMpa0PyyPTMpG8DGqJn97GH
l/XGvDOJy6JiHbLAu9/F6Z7LmLIBtdCI3AXcbuX+0T3xnQv2eA+woevy/ddKNGDH
hhGI/q2Drix23kZCTfGk2GvTY/cFrpyAgBAzXyzPXqJRFADAu2N/GJrGAfYgX49n
WRJ9+dy2+HKUxsRKUFYQ8aZt2B/ySfqLwttAELm+nCqYgYl2HA+JYluLBI7F7ntX
ZqQQvlvf0eX7oflnHIlZTDgF0LXhUkpoprCrN7VJr/SMjOKQmtUa2wszEKOxbTr1
6beoDMRA3Xp5luCGVtG9Ez/QuBAjVhMfUDFvfnq0P4C6FnataajjH7w4PNsCAwEA
AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAWroF7LGsW2PpAoX3smbtQQEyV1nQusFyb
s7kTCb6vAYkantN8u0EjZ88GX+b3NcsmohhH5nyeA2oMG50coZSrft4hOFzCh+MN
n5REnSsv9gV0m/8vlWN/cnlpFa4zg2HpHmt91O1vGM1iahVLbyiEZeYdobrrjY+C
TJesDbYp78lkv9J+fWPfvyd3DSLJmjUZHDmgCmO42n0AmXcilk79WEe/a/WMXRid
e9Sk3UHafo3in5Hcjd3sp5cDqjt00sAWYFx0dcj7Pta0ZpxpE/H4B11FobEr4d/m
hNf8EpSBBte5z/PxYdY5uF4nblTqEFD/ghQi5xRP0kSSWM0pBZOu
-----END CERTIFICATE REQUEST-----
Termination Info: 0
$SYSTEM ZENCRYPT 9>
g. Select and copy the client certificate request text from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----.
h. Sign the NSSuser client certificate request with the local CA NSVLECA:
1) Log onto the Secure Key Manager GUI as admin. On the Security tab, select Local CAs.
2) Select the trusted local CA NSVLECA and click Sign Request.
i. Select Client as Certificate Purpose. Paste the copied certificate request into the box.
j. Click Sign Request. The Key Manager signs the NSSuser client certificate request with the NSVLECA Local CA and displays the NSSuser signed client certificate.
k. Select and copy the NSSuser client signed certificate text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
l. Go back to the TACL prompt and use TEDIT to create a file on the NonStop system called SIGNCERT:
$SYSTEM ZENCRYPT 9> tedit SIGNCERT
$SYSTEM.ZENCRYPT.SIGNCERT doesn't exist. OK to create? Respond Y or N: y
m. Paste the NSSuser signed client certificate into the SIGNCERT edit file.
Save and close the file. The NSSuser signed client certificate is now on the NonStop system:
$SYSTEM ZENCRYPT 10> fileinfo *
$SYSTEM.ZENCRYPT
           CODE    EOF  LAST MODIFIED     OWNER    RWEP  PExt  SExt
SIGNCERT    101   1514  17SEP2009 17:19   255,255  NUNU    14    14
n. In the same subvolume, use TEDIT to create a file called NSSUPASS. Type the NSSuser passphrase that you entered in step c into this file, then save and close the file. (Do not enter the password for the NSSuser local user; it is used only in the “Register CLIMs with Key Managers” guided procedure in “8. Register the CLIMs” (page 41).) The NSSuser passphrase is now on the NonStop system:
$SYSTEM ZENCRYPT 12> fileinfo *
$SYSTEM.ZENCRYPT
           CODE    EOF  LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUPASS    101   2074  17SEP2009 17:21   255,255  NUNU    14    14
SIGNCERT    101   1514  17SEP2009 17:19   255,255  NUNU    14    14
o. Use the SCF INFO CLIM $ZZCIP.clim-name, DETAIL command to get the Maintenance Interface IP address of the CLIM:
$SYSTEM ZENCRYPT 14> scf info clim $zzcip.c100231, detail
SCF - T9082H01 - (04DEC06) (15NOV06) - 09/21/2009 12:02:28 System OSM8
(C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P.
CIP Detailed Info CLIM OSM8.$ZZCIP.C100231
Mode....................... STORAGE
Configured Location........ Group 100 , Module 2 , Slot 3 , Port 1
ConnPts.................... 2
X1 Location................ Group 100 , Module 2 , Slot 3 , Port 1
Y1 Location................ Group 100 , Module 3 , Slot 3 , Port 1
SvNet ID 1................. 0x000E08C6
X2 Location................ Group 100 , Module 2 , Slot 3 , Port 2
Y2 Location................ Group 100 , Module 3 , Slot 3 , Port 2
SvNet ID 2................. 0x000E09C6
Maintenance Interface IP... 192.168.38.31
Total Errors = 0 Total Warnings = 0
p. Use SFTP to transfer the SIGNCERT file to the Maintenance Interface IP Address of the CLIM. Once connected to the CLIM, put the SIGNCERT file into the CLIM’s /tmp/zencrypt directory:
$SYSTEM ZENCRYPT 15> sftp -S $zssp0 root@192.168.38.31
comForte SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086
Connecting to 192.168.38.31 via SSH2 process $zssp0 ...
sftp> put signcert /tmp/zencrypt/client.signed
Uploading signcert to /tmp/zencrypt/client.signed
Filename                            BytesNow    %  Bytes/s  Remaining
signcert                                   0   0%    0.0KB      --:--
Filename                            BytesNow    %  Bytes/s  TimeSpent
signcert                                1514 100%    0.0KB      00:00
1514 bytes transferred in 0 seconds ( 0.0KB/s)
sftp> quit
q. Use the CLIMCMD OpenSSL command to convert the PEM formatted NSSuser client signed certificate that you SFTPed to the CLIM in step p to a DER formatted client signed certificate:
$SYSTEM ZENCRYPT 16> climcmd c100231 openssl x509 -inform PEM -in /tmp/zencrypt/client.signed -outform DER -out /tmp/zencrypt/client.signed.der
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 17>
r. Use SFTP to transfer the DER formatted NSSuser client signed certificate and the DER formatted NSSuser client private key back to the NonStop system. Use binary transfer mode:
$SYSTEM ZENCRYPT 17> sftp -S $zssp0 root@192.168.38.31
comForte SFTP client version T9999H06_10Jul2009_comForte_SFTP_0086
Connecting to 192.168.38.31 via SSH2 process $zssp0 ...
sftp> binary
File transfermode is now binary
sftp> get /tmp/zencrypt/client.signed.der nssucert,0
Fetching /tmp/zencrypt/client.signed.der to nssucert,0
Filename                            BytesNow    %  Bytes/s  Remaining
/tmp/zencrypt/client.signed.der            0   0%    0.0KB      --:--
Filename                            BytesNow    %  Bytes/s  TimeSpent
/tmp/zencrypt/client.signed.der          928 100%    0.0KB      00:00
928 bytes transferred in 0 seconds ( 0.0KB/s)
sftp> get /tmp/zencrypt/client.key.der nssukey,0
Fetching /tmp/zencrypt/client.key.der to nssukey,0
Filename                            BytesNow    %  Bytes/s  Remaining
/tmp/zencrypt/client.key.der               0   0%    0.0KB      --:--
Filename                            BytesNow    %  Bytes/s  TimeSpent
/tmp/zencrypt/client.key.der            1261 100%    0.0KB      00:00
1261 bytes transferred in 0 seconds ( 0.0KB/s)
sftp> quit
$SYSTEM ZENCRYPT 18>
s. Verify that the NonStop temporary subvolume contains the DER formatted NSSuser signed certificate, the DER formatted NSSuser private key, the NSSuser passphrase file, and the signed certificate file:
$SYSTEM ZENCRYPT 18> fileinfo *
$SYSTEM.ZENCRYPT
           CODE    EOF  LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928  17SEP2009 17:32   255,255  NUNU    14   112
NSSUKEY       0   1261  17SEP2009 17:32   255,255  NUNU    14   112
NSSUPASS    101   2074  17SEP2009 17:21   255,255  NUNU    14    14
SIGNCERT    101   1514  17SEP2009 17:19   255,255  NUNU    14    14
t. Secure these files as “CCCC”:
$SYSTEM ZENCRYPT 19> fup secure *, CCCC
$SYSTEM ZENCRYPT 20> fileinfo *
$SYSTEM.ZENCRYPT
           CODE    EOF  LAST MODIFIED     OWNER    RWEP  PExt  SExt
NSSUCERT      0    928  17SEP2009 17:32   255,255  CCCC    14   112
NSSUKEY       0   1261  17SEP2009 17:32   255,255  CCCC    14   112
NSSUPASS    101   2074  17SEP2009 17:21   255,255  CCCC    14    14
SIGNCERT    101   1514  17SEP2009 17:19   255,255  CCCC    14    14
$SYSTEM ZENCRYPT 21>
u. Use the CLIMCMD rm command to delete the files in the temporary directory on the CLIM:
$SYSTEM ZENCRYPT 23> climcmd c100231 rm -rf /tmp/zencrypt/
comForte SSH client version T9999H06_05Aug2009_comForte_SSH_0086b
Termination Info: 0
$SYSTEM ZENCRYPT 24>
The signed NSSuser client certificate has been created. Go on to “H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list” (page 39).

H. Add local CA NSVLECA, other local CAs and known CAs to the key manager's trusted CA list

The trusted CA list is the list of CAs that the key manager can use to verify a client certificate. You must add any known CAs that you have installed to the Trusted CA List profile, along with the local CAs created to sign the CLIM client certificates.
a. On the Security tab, select Trusted CA Lists.
b. Select the radio button for the profile name Default.
c. Select Properties for the Trusted Certificate Authority List.
d. Select Edit for the Trusted Certificate Authority List.
e. Find the desired local CA and the imported CAs (if any) on the “Available CAs” list and add them to the “Trusted CAs” list using the Add button.
f. Click Save.
I. Verify connection between the NonStop system and the Key Manager

Use ping to verify that the NonStop system and key managers can communicate:
JUNO1.$SYSTEM.STARTUP 1> ping 16.107.200.122
PING 16.107.200.122: 56 data bytes
64 bytes from 16.107.200.122: icmp_seq=0. time=20. ms
64 bytes from 16.107.200.122: icmp_seq=1. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=2. time=10. ms
64 bytes from 16.107.200.122: icmp_seq=3. time=10. ms
----16.107.200.122 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 10/12/20
JUNO1.$SYSTEM.STARTUP 2>
If the key manager is not accessible from the NonStop system, set up access in one of these ways:
• If the system uses IP CLIMs and has an unused Ethernet port on an IP CLIM, you can connect the Key Manager to the subnet implemented by the PROVIDER using that IP CLIM. For details, see the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual. In this case, all the applications using this IP CLIM share the same TCP/IP stack.
• If the system has extra IP CLIMs, you can create a PROVIDER and CIPSAM process and connect the Key Manager to the subnet implemented by that PROVIDER. This option is more secure because applications using this IP CLIM do not share the same TCP/IP stack.
• If the system uses G4SA or earlier adapters and has an unused Ethernet port on that adapter, you can create a conventional TCP/IP SUBNET object using that port. If the system uses NonStop TCP/IPv6, all TCPSAM processes have access to the port once the environment has been configured, except in the case of Logical Network Partitioning (LNP). If the system uses LNP, all applications using this port must use the TCPSAM process configured for that LNP. HP recommends using LNP for this purpose for increased security.
Once you have configured the conventional TCP/IP process and SUBNET, or you have configured the TCPSAM process, you can associate the Key Manager with the TCP/IP process associated with that port. For information about creating a SUBNET, see the TCP/IP Configuration and Management Manual. For information about configuring the NonStop TCP/IPv6 environment, see the TCP/IPv6 Configuration and Management Manual.

This completes the NonStop pre-enrollment tasks. Go on to “8. Register the CLIMs” (page 41).

8. Register the CLIMs

Be sure that you have obtained and installed (if needed) a license pack on the ESKM (described in the Enterprise Secure Key Manager Users Guide on the CD), shipped by email for installation on the device. The license installation step can be done before you register the CLIMs to the ESKM (that is, prior to creating users on the ESKM). If you omit this step and the number of created users exceeds the number of licenses purchased, a warning message will appear in the GUI and in the log file.
Register the CLIM to access the Key Manager with the “Register CLIMs with Key Managers” guided procedure. It is launched from an action within OSM Service Connection under the CLIMs object.
The NSSuser local user is a temporary user. Delete it after you complete the registration process. If CLIMs that will be used for encryption are added to the system later, you must repeat the procedures to add the NSSuser, register the CLIMs, and delete the user.

9. Verify connection between the CLIM and the key managers

Use SCF to verify that CLIMs and key managers can communicate:
STATUS CLIM, KEYMANAGER
This example shows the display of links to all key managers:
41-> status clim $zzsto.c100281, keymanager
STORAGE - KeyManager Status CLIM JUN01.$ZZSTO.#C100281
KeyManager 16.107.200.150 OK
KeyManager 16.107.200.122 OK

10. Back up the configuration files

Back up the CLIM configuration files. See the NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual. Now the system is ready for the security officer to configure storage devices for encryption.

11. Back up the Key Managers

Back up the key managers. You should also back them up after creating disk volume keys. See the Enterprise Secure Key Manager Users Guide on the CD shipped with the device for details.
3 Encrypting data on storage devices

This section describes how to encrypt data on disk drive and tape devices. Only the security officer can enable or disable encryption.

Encrypting data on disk drives

These procedures describe how to encrypt data on disk drives. Each disk has a unique encryption key, which means that the primary and mirror disks of a mirrored volume have different encryption keys. The CLIM performs the disk data encryption and decryption.
You can encrypt data either by using REVIVE key rotation or CLIM key rotation. Both techniques are capable of initial encryption, key rotation, and decryption. During a REVIVE key rotation the mirror disk is down, which implies a loss of fault tolerance. During CLIM key rotation, one path to the mirror disk remains up so that fault tolerance is preserved. The CLIM performs the key rotation, so processor performance is not affected. Multiple disks can be encrypted concurrently.
CAUTION: For mirrored drives, HP recommends that you use CLIM key rotation because it is more fault tolerant and the data is not passed through the host system. If a CLIM key rotation fails for any reason, use REVIVE key rotation to recover. You should consider not using unmirrored drives for encryption, but if you use them, you must use CLIM key rotation. If CLIM key rotation fails on an unmirrored disk, there is no way to recover the data.

Encrypting data with CLIM key rotation

This section describes how to encrypt data on disks with CLIM key rotation. CLIM key rotation is performed by doing a CLIM key change. It can change data on a disk from unencrypted to encrypted, from encrypted to unencrypted, or from encrypted to encrypted with a new key. This encryption method is fault tolerant: the primary and mirror disks are both up during the encryption, although one path to the mirror is down. This method is the only way to encrypt an un-mirrored disk.
The time required to perform a key change depends on the amount of data on the disk. If a CLIM key change failure occurs (that is, the CLIM fails during the key change operation), the disk must be revived from its mirror or recovered from backup. Therefore, HP recommends that the disk be mirrored before key rotation is performed.

Only the security officer can enable or disable encryption, or revive a disk. An operator can perform a revive but cannot change the encryption attributes of a disk.

Overview

In a typical fault tolerant system there is a primary and a mirror disk, each attached to two CLIMs, with four paths, as shown in Figure 3-1:
Figure 3-1 Fault tolerant configuration (legend: 1 NonStop processors; 2 CLIMs; 3 Disks)

When you issue an SCF ALTER DISK $disk-name-M, NEWENCRYPTKEY command, SCF brings down the -MB path. This path stays down during the key rotation operation, as shown in Figure 3-2:

Figure 3-2 Key rotation (legend: 1 NonStop processors; 2 CLIMs; 3 Disks)

The CLIM on the -M path reads the data, re-encrypts it with the new key and writes it back to the disk. The -MB path is automatically brought up at the completion of the key rotation on the -M path.

Preparation for CLIM key rotation

Before performing CLIM key rotation, prepare the disks:
• Use FCHECK to check the disk volume for errors:

    FCHECK -SCAN -VOL volume-name

  See FCHECK --HELP for help.

• Use the DCOM disk space compression program to defragment the disk.

CLIM key rotation procedure

CLIM key rotation is performed while the drive remains up and its alternate path is down.

1. Use the SCF STATUS DISK command to verify that all paths are in the STARTED state:

    91-> STATUS DISK $SAS112
    STORAGE - Status DISK BLDQA2.$SAS112
    LDev  Primary   Backup   Mirror    MirrorBackup  Primary  Backup
                                                     PID      PID
    438   *STARTED  STARTED  *STARTED  STARTED       2,403    3,544

2. Use the STATUS DISK, ENCRYPTION command to check the encryption state of the primary and mirror disks.

3. Use the ALTER DISK command to start CLIM key rotation on the primary disk:

    ALTER disk-name-P | -B | -M | -MB, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

   You must specify -P, -B, -M or -MB. The default keysize is 256. This example uses the CBC-AES KEYALGORITHM.

4. Now, when you do a STATUS DISK, ENCRYPTION command, it shows ChangeStatus as "In progress at..." for the -P path, "In progress on other CLIM" for the -B path, and "No change in progress" for the -M and -MB paths.
   The other path to the same physical disk is in the STOPPED state during encryption:

    92-> STATUS DISK $SAS112
    STORAGE - Status DISK BLDQA2.$SAS112
    LDev  Primary   Backup   Mirror    MirrorBackup  Primary  Backup
                                                     PID      PID
    438   *STARTED  STOPPED  *STARTED  STARTED       2,403    3,544

   The other path is updated automatically after the key rotation completes. If you try to start the path before the encryption finishes you will get an error. After the key rotation on the primary disk completes, proceed to the next step.

5. Use the SCF STATUS DISK, ENCRYPTION command to check the encryption state of the primary and mirror disks.

6. Use the SCF STATUS DISK command to verify that all paths are in the STARTED state.

7. Use the ALTER DISK command to start a key rotation on the mirror disk:

    ALTER disk-name-P | -B | -M | -MB, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

   You must specify -P, -B, -M or -MB. The default keysize is 256. This example uses the CBC-AES KEYALGORITHM.

8. Now, when you do a STATUS DISK, ENCRYPTION command, it shows ChangeStatus as "In progress at ..." for the -M path, "In progress on other CLIM" for the -MB path, and "No change in progress" for the -P and -B paths.

   The other path to the same physical disk is in the STOPPED state during encryption. The other path is updated automatically after the key rotation completes. If you try to start the path before the key rotation finishes you will get an error.

You can change EncryptRate and EncryptPriority with the ALTER DISK command:

    ALTER $ENCM21-P, ENCRYPTIONPRIORITY 6, ENCRYPTRATE 70
• If you do not specify these values, the defaults are 50 for ENCRYPTRATE and 4 for ENCRYPTPRIORITY. The default values limit potential interference with system performance.

• To speed up the encryption operation (even though this change might slow system performance), increase the ENCRYPTPRIORITY value and/or increase the ENCRYPTRATE value.

• You may change these values only while an encryption operation is in progress. The new values affect the ongoing encryption operation from the point at which you entered the new values. They have no effect on future encryption operations.

You can abort the key rotation operation (if it is taking too long, for instance) by stopping the path and using INITIALIZE on the disk. The data on that disk will be lost, and you must revive the disk to restore it. This is similar to encrypting data using INIT and REVIVE:

1. STOP the path performing the key rotation.
2. INITIALIZE the disk that was performing the key rotation with NEWENCRYPTKEY.
3. START the disk to revive it.

Encrypting data with REVIVE key rotation

This section describes how to encrypt data on mirrored disks by initializing and reviving the disk.

Overview

To encrypt a mirrored disk volume, use the SCF DISK INITIALIZE and START commands, as shown in Figure 3-3:

1. Stop the mirror disk.
2. Set the mirror disk to be encrypted using the INITIALIZE command. This removes any data on the mirror disk.
3. Start the disk to revive it. This copies data from the primary to the mirror and encrypts it. During the revive operation only the primary disk is up.
4. After the mirror disk revive completes, repeat the process for the primary disk. Both the primary and mirror are now encrypted.

Figure 3-3 Data encryption using INIT and START
(Figure 3-3 legend: 1 NonStop processors; 2 CLIMs; 3 Disks)

Preparation for REVIVE key rotation

Before performing INIT and REVIVE, prepare the disks:

• Use FCHECK to check the disk volume for errors:

    FCHECK -SCAN -VOL volume-name

  See FCHECK --HELP for help.

REVIVE key rotation procedure

To encrypt a mirrored disk volume, follow these procedures. For details about SCF commands, see the SCF Reference Manual for the Storage Subsystem.

1. Use the SCF STOP DISK command to stop both paths to the mirror disk:

    STOP disk-name-M
    STOP disk-name-MB

2. Use the INITIALIZE DISK command to initialize the stopped mirror disk with the new key:

    INITIALIZE disk-name-P | -M, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]

   You must specify -P or -M. The default keysize is 256. This example uses the XTS-AES KEYALGORITHM.

3. Issue a START command to revive the downed mirror disk. The data is read from the primary disk and written, encrypted with the mirror disk key, to the mirror disk. Wait for the mirror disk revive to complete and the mirror disk to come up, then proceed to the next step.

4. After the revive completes and the mirror disk is up, use the SCF STOP DISK command to stop both paths to the primary disk:

    STOP disk-name-P
    STOP disk-name-B

5. Use the INITIALIZE DISK command to initialize the stopped primary disk with the new key. Use the same key algorithm and key size that you used for the mirror disk.

6. Issue a START command to revive the downed primary disk. The data is read from the mirror disk, decrypted with the mirror disk key, and written, encrypted with the primary disk key, to the primary disk. Wait for the primary disk revive to complete and the primary disk to come up.
7. Use the STATUS DISK, ENCRYPTION command to verify that the disk is now encrypted. To see the rest of the display, answer Y.
   The XTS-AES KeyAlgorithm uses two KeyNames. If the disk was initialized with the CBC-AES algorithm, one KeyName is displayed.

8. Use the STATUS DISK, ENCRYPTION, DETAIL command to verify that the CLIM can access the key. To see the rest of the display, answer Y.
   KeyAccess should be OK. Note that the primary and mirror have different key names.

Changing encrypted disk keys

To change disk encryption keys, re-encrypt the data on the disk with either CLIM key rotation or REVIVE key rotation. The NEWENCRYPTKEY option specified in the INITIALIZE or ALTER command causes a new key to be generated for that device. Disk keys should be changed periodically as required by the customer security policy. The customer security officer should determine the schedule of key changes.

Decrypting a disk

To clear encryption on an encrypted disk, use the CLEARENCRYPTKEY option. This option may be used with the INITIALIZE disk command (during REVIVE key rotation) or with the ALTER disk command (during CLIM key rotation).

To clear encryption using REVIVE key rotation:

    INITIALIZE disk-name-P | -M, CLEARENCRYPTKEY

To clear encryption using CLIM key rotation:

    ALTER disk-name-P | -B | -M | -MB, CLEARENCRYPTKEY

Disk hardware replacement

If there is a disk failure and the encrypted disk is replaced with a new disk, the new disk will not be encrypted. The security officer is expected to INITIALIZE the disk with encryption. Unless that disk is altered to be encrypted, when it is revived SCF issues a warning that it is unencrypted and its mirror is encrypted. If the user is logged on as the security officer, SCF allows the revive operation to continue; otherwise that action is not allowed. HP recommends that users verify device encryption status after any hardware replacement or software configuration change of an encrypted device.
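The verification HP recommends above, and step 1 of the CLIM key rotation procedure (all four paths STARTED), can be scripted against the SCF displays this chapter shows. The following is an added example, not HP's code and not part of this guide; the sample displays are constructed from the STATUS DISK and STATUS SUBSYS $ZZSTO output reproduced on this page, and the path-suffix order -P, -B, -M, -MB is assumed to match the Primary, Backup, Mirror, MirrorBackup columns.

```python
import re

# Constructed sample displays, modelled on the SCF output shown in this guide.
STATUS_DISK_ALL_UP = """\
91-> STATUS DISK $SAS112
STORAGE - Status DISK BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary  Backup
                                                 PID      PID
438   *STARTED  STARTED  *STARTED  STARTED       2,403    3,544
"""

# Same volume while a CLIM key rotation is running on the primary disk:
# the alternate (-B) path to that physical disk is STOPPED.
STATUS_DISK_ROTATING = """\
92-> STATUS DISK $SAS112
STORAGE - Status DISK BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary  Backup
                                                 PID      PID
438   *STARTED  STOPPED  *STARTED  STARTED       2,403    3,544
"""

STATUS_SUBSYS_VALID = """\
8-> status subsys $zzsto
STORAGE - Status SUBSYS $ZZSTO
BulkIO  EncryptionLicense  LabelTape  UPS
OFF     VALID              ON         OFF
"""

# Assumed mapping of the display columns to SCF path suffixes.
PATHS = ("-P", "-B", "-M", "-MB")
LDEV_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_status_disk(display):
    """Map each path suffix to its state from a STATUS DISK display.
    The leading '*' SCF prints on the path currently handling I/O is dropped."""
    for line in display.splitlines():
        m = LDEV_LINE.match(line)
        if m:
            return dict(zip(PATHS, (s.lstrip("*") for s in m.groups()[1:])))
    raise ValueError("no LDev state line found in STATUS DISK display")


def encryption_license_valid(display):
    """True when a STATUS SUBSYS $ZZSTO display shows EncryptionLicense VALID."""
    rows = [line.split() for line in display.splitlines() if line.strip()]
    for header, values in zip(rows, rows[1:]):
        if "EncryptionLicense" in header and len(values) == len(header):
            return values[header.index("EncryptionLicense")] == "VALID"
    raise ValueError("EncryptionLicense column not found")


def key_rotation_precheck(disk_display, subsys_display):
    """Return the problems that block ALTER DISK, NEWENCRYPTKEY: any path not
    STARTED (step 1 of the CLIM key rotation procedure) or an invalid license."""
    problems = [f"path {path} is {state}, expected STARTED"
                for path, state in parse_status_disk(disk_display).items()
                if state != "STARTED"]
    if not encryption_license_valid(subsys_display):
        problems.append("EncryptionLicense is not VALID (storage error 126)")
    return problems


if __name__ == "__main__":
    print("all paths up :", key_rotation_precheck(STATUS_DISK_ALL_UP, STATUS_SUBSYS_VALID))
    print("rotation busy:", key_rotation_precheck(STATUS_DISK_ROTATING, STATUS_SUBSYS_VALID))
```

Feed it the captured output of the two SCF commands after a disk replacement or before starting a rotation; an empty list means both preconditions hold.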
Encrypting data on tape drives

Tape data encryption and decryption is done by the LTO-4 tape drive. The CLIM gets the key from the key manager and sends it to the LTO-4 tape drive. The CLIM does not perform the encryption or decryption of tape data. Tape encryption always uses the GCM-AES algorithm with key size 256.

This table shows whether encryption can be performed on different tape drives and media:

    Tape drive        LTO-3                      LTO-4                      LTO-4
    Tape media        LTO-3                      LTO-3                      LTO-4
    Unencrypted CLIM  Read/Write, no encryption  Read/Write, no encryption  Read/Write, no encryption
    Encrypted CLIM    Read/Write, no encryption  Read/Write, no encryption  Read/Write, encryption

Encrypting data on tape drives

These procedures describe how to encrypt data on tape drives. Tape encryption keys may be generated per drive (KEYPERDRIVE) or per tape media (KEYPERTAPE). KEYPERDRIVE means that all tapes written by the tape drive use the same encryption key. KEYPERTAPE means that each tape written by the tape drive uses a unique encryption key. An encrypted tape drive can read tapes that were written with either key generation policy. An encrypted tape drive can read non-encrypted tapes. A non-encrypted tape drive can only read non-encrypted tapes.

Encrypting tape data

To encrypt tape data, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, KEYGENPOLICY key-gen-policy command to set the key generation policy to KEYPERTAPE or KEYPERDRIVE.
3. Issue a START TAPE command to start the drive.
4. Issue the STATUS TAPE, ENCRYPTION command and verify that the tape drive is encrypted. Verify that the key generation policy is the expected value and that KeyAccess is OK.

Changing tape drive keys

To create a new encryption key for a drive whose KEYGENPOLICY is set to KEYPERDRIVE, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Use the ALTER TAPE, NEWENCRYPTKEY command. The next tapes written will use the new key.
3. Issue a START TAPE command to start the drive.
Clearing tape drive encryption

To clear tape drive encryption, follow these procedures:

1. Use the SCF STOP TAPE command to stop the drive.
2. Issue the ALTER TAPE, KEYGENPOLICY NOENCRYPTION command. The next tapes written will write data in non-encrypted form.
3. Issue a START TAPE command to start the drive.
4. Issue the STATUS TAPE, ENCRYPTION, DETAIL command and verify that the tape drive is not encrypted.

Tape drive hardware replacement

If an encrypted tape drive is replaced with a new drive, the new tape drive will not be encrypted. The security officer is expected to ALTER the tape drive to enable encryption. HP recommends that users verify device encryption status after any hardware replacement or software configuration change of an encrypted device.
4 Maintenance

Security

Security is enhanced for volume level encryption. All users can perform status commands, but alter commands are restricted:

• Some SCF commands require the user to be a member of the Safeguard SECURITY-ENCRYPTION-ADMIN group, 65536.
• These SCF commands require the user to be a user on the local system.
• Safeguard ($ZSMP) must be running at user logon so it can determine whether the user is in group 65536.

If a user who attempts to perform a command is not in group 65536, or if Safeguard is not running, SCF returns an error.

License

Obtain the encryption license file by emailing License.Manager@hp.com. You must install the file on the NonStop system in $SYSTEM.ZLICENSE and give it a file code of 407. Once the license file is installed, the system is licensed for encryption.

You can use the SCF command STATUS SUBSYS $ZZSTO to verify that a valid license is present:

    8-> status subsys $zzsto
    STORAGE - Status SUBSYS $ZZSTO
    BulkIO  EncryptionLicense  LabelTape  UPS
    OFF     VALID              ON         OFF

During normal operation you do not need to add or remove the license.

ESKM license

The ESKM requires that licenses be installed on that device. For details, see the Enterprise Secure Key Manager Installation and Replacement Guide on the CD shipped with the device.

SCF commands

For detailed syntax descriptions, see the SCF Reference Manual for the Storage Subsystem. SCF commands that alter encryption attributes cannot include other attributes on the same line. For example, this command is not valid:

    ALTER DISK,NEWENCRYPTKEY, PRIMARYCPU 2
STATUS SUBSYS $ZZSTO

Use the STATUS SUBSYS $ZZSTO command to display the license status for the storage subsystem. The status is shown as VALID or INVALID:

    8-> status subsys $zzsto
    STORAGE - Status SUBSYS $ZZSTO
    BulkIO  EncryptionLicense  LabelTape  UPS
    OFF     VALID              ON         OFF

STATUS CLIM, ENCRYPTION

Use the STATUS CLIM, ENCRYPTION command to list encrypted devices by CLIM. This command is useful to determine which devices on a CLIM are encrypted.

STATUS CLIM, KEYMANAGER

Use the STATUS CLIM, KEYMANAGER command to display the CLIM to Key Manager connectivity status.

STATUS CLIM, KEYCHANGE

Use the STATUS CLIM, KEYCHANGE command to display key changes in progress on one or all CLIMs.
STATUS DISK, ENCRYPTION

Use the STATUS DISK, ENCRYPTION command to see the encryption status of a disk.

STATUS DISK, ENCRYPTION, DETAIL

Use the STATUS DISK, ENCRYPTION, DETAIL command to see the detailed encryption status of a disk.
STATUS TAPE, ENCRYPTION

Use the SCF STATUS TAPE, ENCRYPTION command to see the encryption status of a tape drive.

Troubleshooting

SCF uses the maintenance LAN to communicate with the CLIM. If there are SCF to CLIM connectivity issues, SCF might return errors 120, 121, 122, 123, or 127.
Follow these diagnostic strategies:

For these issues... / Check these...

CLIM to Key Manager connectivity issues:
  Use SCF to check KEYMANAGER status. Check hardware and network connectivity between the CLIM and Key Manager on the enterprise LAN.

License issues (storage error 126):
  Use SCF to check ENCRYPTIONLICENSE status. Verify that the ZLICENSE file is installed in $SYSTEM.ZLICENSE and has a file code of 407.

Device encryption issues:
  • Storage error 115 contains error text from the CLIM.
  • Use SCF to check device ENCRYPTION status (use the DETAIL option).
  • If key status is not OK, check CLIM to key manager connectivity and look for the key in the key manager using the key name.
  • If the license status is not OK, use SCF to check ENCRYPTIONLICENSE status.

Follow these strategies for failure recovery:

Failure / Recovery

CLIM fails during a disk key change:
  After you reboot the CLIM, STATUS DISK, ENCRYPTION shows the ChangeStatus for both paths to the disk as "In progress on other CLIM". The disk must be initialized and revived from its mirror.

Disk key change failure:
  STATUS DISK, ENCRYPTION shows ChangeStatus as "Change key aborted due to I/O errors". This can occur if the disk hardware fails during key rotation. Recovery is the same as when the CLIM fails during a disk key change.

Key manager failure:
  • The CLIM is unable to communicate with the specific key manager. If other key managers in the cluster are still available, volume level encryption continues to work.
  • The SCF STATUS KEYMANAGER command reports the failed key manager.
  • OSM displays an alarm for the failed key manager; however, OSM polls the key managers periodically and the failure is not detected immediately.
  • Fix the failed Key Manager.

CLIM LAN failure:
  • The CLIM is not able to communicate with any key managers.
  • Encrypted volumes that are in the STARTED state continue to work.
  • New encryption operations do not work: ALTER DISK, NEWENCRYPTKEY or INIT DISK, NEWENCRYPTKEY.
  • The START command does not work.
  • Fix the enterprise LAN problem.

Key manager cluster failure:
  Same as CLIM eth1 LAN failure.

Key rotation failure:
  The operation terminates abnormally. The CLIM automatically reboots, but the disk path ChangeStatus is still shown as "In progress on other CLIM". To recover, you must initialize the disk. This destroys all the data on the disk, but it is backed up on its mirror.

Fallback

Volume level encryption software is fully backward-compatible with non-encrypted disks and tapes. You must decrypt any encrypted disks and tapes before falling back to a previous release version.
Adding CLIMs

If CLIMs that will be used for encryption are added to the system, you must follow the procedures to add the NSSuser, register the CLIMs, and delete the user.
A Glossary of terms used in this manual

A

AES  Advanced Encryption Standard is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. AES ciphers have been analyzed extensively and are now used worldwide.

B

Block cipher  A symmetric key cipher operating on fixed-length groups of bits, termed blocks, with an unvarying transformation. For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the key. Decryption is similar: the decryption algorithm takes a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.

Blowfish  A keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard is more widely used.

C

CA  Certificate Authority. Creates client certificates for authentication. A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

CBC  Cipher-block chaining. A block-cipher mode of operation invented by IBM in 1976. Each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.
Certificate name  The name of the certificate; this name is used internally by the ESKM. With the ESKM Management Console you can click the certificate name to view properties and access the certificate information.

CN  Common Name. Name of the entity to which a certificate is issued.

D

DES  Data Encryption Standard. A block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key.

E

ESKM  Enterprise Services Key Manager. Device that generates and stores keys.

F

FIPS  Federal Information Processing Standard Publication. A standard for security categorization of federal information and information systems.
G

GCM  Galois/Counter Mode. A mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits.

K

KMS  Key Management System (KMS) Server. The KMS server is the firmware component of the ESKM server that manages communications between the ESKM and the clients.

N

NSSuser  NonStop Setup User. The user that performs the "8. Register the CLIMs" (page 41) installation step.

P

PCI  Payment Card Industry.

R

RSA  RSA (which stands for Rivest, Shamir, and Adleman, who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

S

SSL  Secure Sockets Layer. A cryptographic protocol that provides security for communications over networks.

X

XEX  Xor-Encrypt-Xor. An encryption mode designed to allow very efficient processing of consecutive blocks.

XTS  XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS). Ciphertext stealing provides support for sectors with a size not divisible by the block size, for example, 520-byte sectors and 16-byte blocks.
B Encryption background

Encryption transforms plaintext data into encrypted data using an encryption key. Decryption transforms encrypted data back into the plaintext form using a decryption key. Encrypted data is secure because it cannot be decoded into plaintext form, in a reasonable amount of time, without the decryption key. There are two types of encryption: asymmetric and symmetric.

Asymmetric, or public key, encryption
This technique uses a private/public key pair. The private key is kept secret, while the public key is widely distributed. Data that is encrypted using the public key can only be decrypted with the corresponding private key. RSA is an example of public key encryption.

Symmetric, or secret key, encryption
This technique uses a single key for both encryption and decryption. Blowfish, Data Encryption Standard (DES), triple DES, and Advanced Encryption Standard (AES) are typical secret key examples. This type of encryption is best suited for large amounts of data, usually performed in blocks. Symmetric encryption is subdivided into two classes, block ciphers and stream ciphers. Stream ciphers encrypt character by character, providing a continuous stream of encrypted data, whereas block ciphers operate on discrete blocks of data. The algorithms used in symmetric encryption are two-way, meaning that decryption is the reverse process of encryption.

Symmetric block-level encryption is sometimes referred to as a block cipher. There are many block cipher designs such as Blowfish, DES, Triple DES, and AES. The data to be encrypted is divided into blocks or groups of characters and the mathematical functions are applied to each block. Key length varies according to the cipher, with DES having 56-bit keys and AES having 128-, 192-, or 256-bit keys.

The volume level encryption product follows the IEEE 1619 (disk) and IEEE 1619.1 (tape) standards using the AES-XTS-256 and AES-GCM-256 encryption algorithms.
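The disk mode named above, worked through as an added example that is not HP's code and not part of this guide: XTS as the glossary defines it, with a per-sector tweak derived from the sector number under the second key, multiplication of the tweak by alpha in GF(2^128) for each successive block, and ciphertext stealing for a 520-byte sector (32 full 16-byte blocks plus an 8-byte tail) as IEEE 1619 specifies. A keyed Feistel permutation over HMAC-SHA256 stands in for AES so the block runs with only the standard library; that substitution is an assumption of this example and only the mode logic is the point.

```python
import hmac
import hashlib

BLOCK = 16  # 128-bit block, as for AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class StandInBlockCipher:
    """Keyed 128-bit permutation: a 4-round Feistel network over HMAC-SHA256.
    It replaces AES in this example (an assumption so the code needs no
    third-party library); only its invertibility matters to the XTS logic."""

    def __init__(self, key):
        self.key = key

    def _f(self, rnd, half):
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def encrypt(self, block):
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, _xor(left, self._f(rnd, right))
        return left + right

    def decrypt(self, block):
        left, right = block[:8], block[8:]
        for rnd in reversed(range(4)):
            left, right = _xor(right, self._f(rnd, left)), left
        return left + right


def _mul_alpha(tweak):
    """Multiply the tweak by alpha (x) in GF(2^128), little-endian as in IEEE 1619."""
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(BLOCK, "little")


def _xts(block_fn, tweak_cipher, sector_no, data, decrypting):
    """XTS over one sector. block_fn is E_K1 (encrypt) or D_K1 (decrypt);
    tweak_cipher is E_K2, used to turn the sector number into the first tweak."""
    nblocks, rem = divmod(len(data), BLOCK)
    if nblocks == 0:
        raise ValueError("sector must be at least one block long")
    tweak = tweak_cipher.encrypt(sector_no.to_bytes(BLOCK, "little"))
    full = nblocks - 1 if rem else nblocks  # blocks handled without stealing
    out = bytearray()
    for j in range(full):
        blk = data[j * BLOCK:(j + 1) * BLOCK]
        out += _xor(block_fn(_xor(blk, tweak)), tweak)  # XEX: xor, encrypt, xor
        tweak = _mul_alpha(tweak)
    if rem:
        # Ciphertext stealing: the last full block and the rem-byte tail
        # borrow from each other so the output is exactly len(data) bytes.
        t_last, t_tail = tweak, _mul_alpha(tweak)
        last = data[full * BLOCK:(full + 1) * BLOCK]
        tail = data[(full + 1) * BLOCK:]
        if not decrypting:
            cc = _xor(block_fn(_xor(last, t_last)), t_last)
            pp = tail + cc[rem:]
            out += _xor(block_fn(_xor(pp, t_tail)), t_tail)  # C_{m-1}
            out += cc[:rem]                                  # C_m (partial)
        else:
            pp = _xor(block_fn(_xor(last, t_tail)), t_tail)
            cp = tail + pp[rem:]
            out += _xor(block_fn(_xor(cp, t_last)), t_last)  # P_{m-1}
            out += pp[:rem]                                  # P_m (partial)
    return bytes(out)


def xts_encrypt_sector(key1, key2, sector_no, plaintext):
    return _xts(StandInBlockCipher(key1).encrypt, StandInBlockCipher(key2),
                sector_no, plaintext, False)


def xts_decrypt_sector(key1, key2, sector_no, ciphertext):
    return _xts(StandInBlockCipher(key1).decrypt, StandInBlockCipher(key2),
                sector_no, ciphertext, True)


if __name__ == "__main__":
    k1, k2 = b"\x01" * 16, b"\x02" * 16       # constructed keys
    sector = bytes(range(256)) * 2 + bytes(8)   # constructed 520-byte sector
    ct = xts_encrypt_sector(k1, k2, 7, sector)
    assert len(ct) == 520 and xts_decrypt_sector(k1, k2, 7, ct) == sector
    print("same data in another sector gives different ciphertext:",
          xts_encrypt_sector(k1, k2, 8, sector) != ct)
```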