TM
Sun StorageTek Crypto
Key Management System
HP LTO4 Encryption-Capable Tape Drives
Technical Brief
Part Number: 316196601
Revision: A
Crypto Key Management System
Version 2.0
HP LTO4 Tape Drive
Technical Brief
Sun Microsystems, Inc.
Part Number: 316196601
June 2008
Revision: A
Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document.In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at
http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. USE,
DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN
MICROSYSTEMS, INC.
Use is subject to license terms. This distribution may include materials developed by third parties.This distribution may include
materials developed by third parties.Parts of the product may be derived from Berkeley BSD systems, licensed from the University of
California.
UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.Sun, Sun
Microsystems, the Sun logo, Solaris, Sun StorageTek Crypto Key Management System, StorageTek and the StorageTek logo are
trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject
to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end
users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified
on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly
prohibited. Use of any spare or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in
compliance with U.S. export laws. Use of CPUs as product upgrades unless authorized by the U.S. Government is strictly prohibited.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.
Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, Etats-Unis. Tous droits réservés.
Sun Microsystems, Inc. détient les droits de propriété intellectuels relatifs à la technologie incorporée dans le produit qui est décrit
dans ce document.
En particulier, et ce sans limitation, ces droits de propriété intellectuelle peuvent inclure un ou plus des brevets américains listés à
et dans les autres pays.
CE PRODUIT CONTIENT DES INFORMATIONS CONFIDENTIELLES ET DES SECRETS COMMERCIAUX DE SUN
MICROSYSTEMS, INC. SON UTILISATION, SA DIVULGATION ET SA REPRODUCTION SONT INTERDITES SANS L
AUTORISATION EXPRESSE, ECRITE ET PREALABLE DE SUN MICROSYSTEMS, INC.
L'utilisation est soumise aux termes de la Licence.Cette distribution peut comprendre des composants développés par des tierces
parties.Cette distribution peut comprendre des composants développés par des tierces parties.Des parties de ce produit pourront être
dérivées des systèmes Berkeley BSD licenciés par l'Université de Californie.
UNIX est une marque déposée aux Etats-Unis et dans d'autres pays et licenciée exclusivement par X/Open Company, Ltd.Sun, Sun
Microsystems, le logo Sun, Solaris, Sun StorageTek Crypto Key Management System, StorageTek et le logo StorageTek sont des
marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d'autres pays.
Ce produit est soumis à la législation américaine en matière de contrôle des exportations et peut être soumis à la règlementation en
vigueur dans d'autres pays dans le domaine des exportations et importations. Les utilisations, ou utilisateurs finaux, pour des armes
nucléaires, des missiles, des armes biologiques et chimiques ou du nucléaire maritime, directement ou indirectement, sont strictement
interdites. Les exportations ou reexportations vers les pays sous embargo américain, ou vers des entités figurant sur les listes
d'exclusion d'exportation américaines, y compris, mais de manière non exhaustive, la liste de personnes qui font objet d'un ordre de ne
pas participer, d'une façon directe ou indirecte, aux exportations des produits ou des services qui sont régis par la législation
américaine en matière de contrôle des exportations et la liste de ressortissants spécifiquement désignés, sont rigoureusement
interdites. L'utilisation de pièces détachées ou d'unités centrales de remplacement est limitée aux réparations ou à l'échange standard
d'unités centrales pour les produits exportés, conformément à la législation américaine en matière d'exportation. Sauf autorisation par
les autorités des Etats-Unis, l'utilisation d'unités centrales pour procéder à des mises à jour de produits est rigoureusement interdite.
LA DOCUMENTATION EST FOURNIE “EN L'ETAT” ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET GARANTIES
EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y
COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A L'APTITUDE A UNE
UTILISATION PARTICULIERE OU A L'ABSENCE DE CONTREFACON.
We welcome your feedback. Use the OpinionLab [+] feedback system on the documentation Web site or Send your comments to:
Sun Learning Services
Sun Microsystems, Inc.
500 Eldorado Blvd.
Mailstop: UBRM06-307
Broomfield, CO 80021-6307
USA
Please include the publication name, part number, and edition number in your correspondence if they are available.
This will expedite our response.
Please
Recycle
Contents
v
v
v
1. Introduction
1
2
3
5
6
2. Dione Card
7
7
8
9
Removal 14
316196601 • Revision: A
iii
iv KMS: LTO4 Technical Brief • June 2008
Revision: A • 316196601
Preface
TM
This technical brief is intended for Sun StorageTek
representatives, customers,
and anyone responsible for planning the installation of the Crypto Key
Management System (KMS) encryption solution.
Organization
This guide has the following organization:
Chapter
Use this chapter to:
Related Information
These publications contain the additional information:
Publication Description
Part Number
Crypto Key Management System Systems Assurance Guide
Crypto Key Management System Installation and Service Manual
Crypto Key Management System Administrator Guide
StorageTek: 31619480x
StorageTek: 31619490x
StorageTek: 31619510x
316196601 • Revision: A
v
Preface
Additional Information
Sun Microsystems, Inc. (Sun) offers several methods to obtain additional
information.
Sun’s External Web Site
Sun’s external Web site provides marketing, product, event, corporate, and service
information. The external Web site is accessible to anyone with a Web browser and
an Internet connection.
The URL for StorageTek™ brand-specific information is:
Documentation and Download Web Sites
Web sites that enable customers, members, and employees to search for technical
documentation, downloads, patches, features, and articles include:
■
■
■
■
■
(internal)
If your customer does not already have a Sun Online Account they will need to
register. For a new account, go to: https://reg.sun.com/register
For more information about Sun StorageTek products, got to:
Partners Site
The Sun StorageTek Partners site is a Web site for partners with a StorageTek
Partner Agreement. This site provides information about products, services,
customer support, upcoming events, training programs, and sales tools to support
StorageTek Partners. Access to this site, beyond the Partners Login page, is
restricted. On the Partners Login page, employees and current partners who do
not have access can request a login ID and password and prospective partners can
apply to become StorageTek resellers.
The URL for partners with a Sun Partner Agreement is:
vi KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
1
CHAPTER
Introduction
Overview
The Hewlett Packard (HP) LTO4 is the fourth-generation of Ultrium, Linear
Tape-Open tape drives. This generation offers more capacity and increased
performance than earlier versions of LTO tape drives.
Encryption
Capable
The Hewlett Packard LTO4 is the first, non-StorageTek T-Series tape drive to
support the Crypto Key Management System Version 2.0.
This encryption-capability requires a special, custom designed, Ethernet
card—called the Dione card—that enables the LTO4 drive to connect to and
interface with the Key Management System (KMS) network.
With this connection, the LTO4 is capable of communicating with the KMS
to transfer encryption keys over the secure network.
Note: The HP LTO4 can only use one encryption key at a time. During a read
operation, if another encryption key is found, the Dione card requests the
key directly from the KMS.
Media
(Native capacity)
The HP LTO4 drive with LTO4 media can store up to 800 GB of data.
This drive can also read and write on LTO3 media (400 GB), and provides
read-only capabilities with LTO2 media (200 GB).
The LTO4 tape drive also supports Write Once, Read Many (WORM) secure
media. This non-erasable, non-rewritable media meets several compliance
regulations such as HIPAA, Sarbanes-Oxley, and SEC 17A-4.
Note: Encryption is only possible using LTO4 media, including LTO4
WORM media, with the HP LTO4 tape drive. If you insert LTO2 or LTO3
media, encryption will be disabled.
Interfaces
(Native rates)
The HP LTO4 drive supports up to 120 MB/s data transfer rates using Data
Rate Matching (DRM). This features allows the tape drive to dynamically
and continuously adjust the speed of the drive, from 40 to 120 MB/s for
maximum performance
Interface support for the HP LTO4 includes:
■ Ultra 320 Small Computer System Interface (SCSI)
■ 4 Giga-bits per second (Gbps) Fibre Channel
316196601 • Revision: A
1
Drive Tray
Installing this tape drive in one of Sun StorageTek’s automated tape configurations
offers customers with an even wider choice of tape-based storage solutions.
■
■
■
Server compatibility: Fibre Channel and SCSI models on popular (qualified)
platforms from vendors such as Sun, HP, IBM, and Dell.
Software compatibility: Support for an extensive list of software applications
such as ACSLS, HP, CA, VERITAS, Legato, Tivoli, and many more.
Support for WORM media: Allows for unalterable backups using Write-Once
Read-Many (WORM) media to meet compliance regulations such as HIPAA,
Sarbanes-Oxley, SEC 17A-4.
■
Mid-range class: Delivers confidence with a wide variety of supported backup
applications.
Drive Tray
FIGURE 1-1 LTO4 Tape Drive in Drive Tray—SL8500
1
2
3
4
5
6
7
1. “PWR” = power indicator (green)
2. “FAULT” = Fault indicator (red)
5. “PORT A” = Fibre Channel interface port
6. “PORT B” = Not used
3. “MAINT” = Recessed button that resets the
Dione card
7. RJ-45 connector. This port is auto sensing to 10
Mbps/100 Mbps data rates and used to:
4. The green LED is ON during the Dione card IPL
and when an encryption/decryption key is
present during drive operation
■
■
■
■
Configure the network
Enroll the agent on the KMS
Retrieve the diagnostic log file
Upgrade Dione card firmware
2
KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Specifications
Specifications
TABLE 1-1 provides a comparison of tape drive specifications.
TABLE 1-1 Tape Drive Specifications
LTO2
LTO3
LTO4
Physical Specifications
Height
8.25 cm (3.25 in.)
14.6 cm (5.75 in.)
21.38 cm (8.4 in.)
2.1 kg (4.6 lb)
8.25 cm (3.25 in.)
14.6 cm (5.75 in.)
21.38 cm (8.4 in.)
2.24 kg (4.94 lb)
8.25 cm (3.25 in.)
14.6 cm (5.75 in.)
21.38 cm (8.4 in.)
2.24 kg (4.94 lb)
Width
Length (depth)
Weight
Performance Specifications
Capacity (native)
200 GB
30 MB/s
13.7 to 35.6 MB/s
64 MB
400 GB
80 MB/s
27 to 80 MB/s
128 MB
800 GB
120 MB/s
40 to 120 MB/s
128 MB
896
Transfer rate (native)
Streaming range (native)
Data Buffer size
Number of tracks
Load to ready *
512
704
15–24 sec
64–75 sec
5.50 m/s
6.20 m/s
104/52 sec
13–19 sec
19 sec
19 sec
Access time-average (to first file)
Tape speed (meters per second)
Tape read/write speed
Rewind time (maximum/average)
Unload time
72 sec
62 sec
5.32 m/s
5.32 m/s
98/49 sec
19 sec
7.0 m/s
6.20 m/s
124 sec
19 sec
Cleaning time
58 to 152 sec
Interface Support (SCSI)
(Fibre Channel)
Ultra3 SCSI (LVD)
FC1
Ultra-320 (LVD)
FC2
Ultra-320 (LVD)
FC4
MTBF (100% duty cycle)
250,000 hrs
250,000 hrs
250,000 hrs
Media/Format Compatibility
Read
Write
LTO1, LTO2
LTO1, LTO2
LTO 1, 2, 3
LTO 2, 3, 4
LTO2, LTO3
LTO3, LTO4
Note: HP drives support the LTO standard for backward compatibility, which is to write back
one generation and read back two generations.
Power
Consumption
38 W
35 W
30 W
Interface Codes:
Fibre Channel: FC1 = Fibre Channel 1Gb, FC2 = Fibre Channel 2Gb, FC4 = Fibre Channel 4Gb
Note: * Encryption-capable and un-initialized WORM cartridges can take longer to load.
316196601 • Revision: A
Chapter 1 Introduction
3
Specifications
TABLE 1-2 provides a comparison of media specifications.
TABLE 1-2 Media Specifications
Specification
Tape Base film
Tape length
LTO 2
LTO 3
LTO 4
PEN (Poly-Ethylene-Naphthalate)
609m
580m
680m
648m
820m
783m
Tape length used for data
Tape width
12.65 mm
1200 ppm
12.65 mm
1200 ppm
7.29 m/s
7.00 m/s
1,000,000 passes
105.4 0.30 mm
102.0 0.30 mm
21.5 0.25 mm
0.220 kg
12.65 mm
900 ppm
Tape dimensional stability
Maximum tape speed
Rewind speed
Durability
Cartridge Width
Depth
Height
Weight
Track density (TPI)
Data tracks
1260
1773
2212
512
704
896
Data channels
Number of wraps
Number of bands
Bit density
8
16
16
64
4
44
56
4
4
7.40 Kb/mm
4096 bytes
9.64 Kb/mm
4096 bytes
13.52 Kb/mm
8192 bytes
Cartridge memory capacity
TABLE 1-3 lists the reliability specifications.
TABLE 1-3 Reliability Specifications
Description
Specification
250,000 hours
100,000 swaps
60,000 hours
MTBF (100% duty cycle)
Load/unload life
Head life
Media durability
Maximum cartridge use
1,000,000 passes
20,000 threads
4
KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Specifications
Compatibility
HP LTO Ultrium 4 drives are specified to interchange with un-encrypted data
cartridges from other tape drives that comply to the LTO U-28, U-316 and U-416
specifications:
Future compatibility:
In the future, HP LTO Ultrium drives will be capable of:
■
■
■
Reading and writing tapes from the current generation
Reading and writing tapes from one earlier generation
Reading tapes from two earlier generations
HP LTO Ultrium drives will always maintain write and read compatibility with
other manufacturers’ LTO Ultrium drives and tapes that meet the LTO Ultrium
format specification.
TABLE 1-4 LTO Media Compatibility
Capability
Native Capacity (Length)
800 GB WORM
800 GB (820m)
400 GB WORM
400 GB (680m)
200 GB (580m)
100 GB (580m)
50 GB (290m)
Format
LTO4
LTO4
LTO3
LTO3
LTO2
LTO1
LTO1
Write
Yes
Yes
Yes
Yes
No
Read
Yes
Yes
Yes
Yes
Yes
No
No
No
No
Note – Currently, only LTO4 media is encryption-capable on the LTO4 tape drives.
While LTO4 can read and “write” to LTO3 media, if an LTO4 drive encrypted data
on LTO3 media, then LTO3 drives could not read those tapes. Therefore, when
LTO3 media is inserted into an LTO4 drive, the encryption capability is disabled
and the drive will write non-encrypted data without notification.
316196601 • Revision: A
Chapter 1 Introduction
5
Order Numbers
Order Numbers
License Keys
FIGURE 1-2 License Keys
LTO4 Encryption Key
Marketing Number
Description
Bundled
X-HP-LTO4-EKEY-B
One required per encryption enabled drive.
Bundled with the drive at time of sale.
After market
X-HP-LTO4-EKEY-A
One required per encryption enabled drive.
After market for drives previously purchased.
Configured End Items
TABLE 1-5 Configured End Items—Order Numbers
Part Numbers
SL500
Description
LTO4E-HP4FC-SL500Z
LTO4E-HPSC-SL500Z
SL8500
LTO4 HP FC 4Gb SL500 Encryp Dr
LTO4 HP SCSI SL500 Encryp Dr
LTO4E-HP4FC-SL85Z
SL3000
LTO4 HP FC 4Gb SL8500 EncrypDr
LTO4 HP FC 4Gb SL3000 EncrypDr
LTO4E-HP4FC-SL30Z
X-Options (Conversion Bills)
TABLE 1-6 Conversion Bill Numbers
Part Numbers
Description
SL500
XHPLTO4E-FCUPL500Z
XHPLTO4E-SCUP500Z
SL3000/8500
Crypto drive upgrade for HP LTO4 FC SL500
Crypto drive upgrade for HP LTO4 SCSI SL500
XHPLTO4E-FCUP3085Z
Crypto drive upgrade for HP LTO4 FC SL3000/SL8500
Dione Card
TABLE 1-7 Dione Card Part Number
Part Number
Description
HP LTO4 Dione Card
419954901
6
KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
2
CHAPTER
Dione Card
The Dione card—pronounced (D - O - nee)—is a custom design that provides an
Ethernet interface for the HP LTO4 tape drive. With this interface, the HP LTO4
tape drive can:
■
Encrypt and decrypt data using the Sun StorageTek Crypto Key Management
System (KMS), Version 2.0 and above
■
Configure and enroll the tape drive using the Virtual Operator Panel (VOP),
Version 1.0.12 or higher
Basically, the Dione card is a translation device between the serial interface on the
tape drive and the secure Ethernet port for use with the KMS.
The Dione card includes:
■
■
■
Telnet server for configuration and management
FTP server for installing new firmware and retrieving firmware trace logs
SOAP client (with TLS 1.0 support) for communication with the KMS
Firmware Requirements
The minimum firmware requirements include:
TABLE 2-1 Firmware Requirements
Component
Version (or above)
Dione card
1.178
HP LTO4 tape drive
H45S Fibre Channel
B44S SCSI
KMS Version 2.0
ACSLS
2.02
7.1 and 7.1.1 with PUT0701, or 7.2, and 7.3
SL8500 library
SL3000 library
SL500 library
L-Series
3.98B
2.01 (SPS)—Requires approval
i15 — 1300 (SPS)—Requires approval
3.18.xx
1.0.12
Virtual Operator Panel
316196601 • Revision: A
7
Dione Card Components
Dione Card Components
The Dione card installs in the open area of the drive trays behind the tape drives.
Library drive trays that support this card are the:
■
■
■
■
SL8500
SL3000
SL500
L-Series
Each drive tray has its own unique configuration depending on the space in the
open area of the drive tray.
FIGURE 2-1 shows an example of a Dione card, which consists of:
■
■
■
■
■
■
Dione card
Ethernet connector (RJ-45)
Power connection (inline with the tape drive power)
Communications connection to the tape drive
Reset switch (on the drive tray rear panel)
Green Status LED (on the drive tray rear panel)
FIGURE 2-1 Dione Card Components
1. Dione card
6. Inline power connection
7. Tape drive power connection
8. Tape drive communications connection
9. Reset switch connection (2 wires)
2. Ethernet connection (RJ-45)
3. Reset switch
4. Green status LED
5. LED connection (2 wires)
8
KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Dione Card Components
Connecting to the Dione Card
FIGURE 2-2 shows two ways to connect to the Dione card:
■
Point-to-point using a crossover cable
Network using a switch or hub and standard (straight-through) Ethernet cables
■
Note – The default IP address of the Dione card is 10.0.0.1.
This address is the same as the T-Series tape drives.
Because of this, the initial connection to the Dione card and LTO4 tape drive
should be with a crossover cable to set a new IP address. Then once the IP address
is set, you can connect the drive to the network for configuration and enrollment.
FIGURE 2-2 Connecting to the Dione Card
Point-to-Point: Crossover Cable Connection
Network: Standard Ethernet Connection
Green LED operation:
When you power-on the LTO4 tape drive, the green LED lights for 30 seconds as
the Dione card performs an initial program load (IPL).
■
■
If the LED does not come on when power is applied (and there is power on the
tape drive) there is a problem with the Dione card.
If this LED does not go out after 30 seconds (approximately), there is a problem
with the Dione card.
After 30 seconds, the LED goes out and stays out until the tape drive is in an
encryption-capable mode (tape loaded, key available, encrypting or decrypting).
Reset Switch operation:
The reset switch performs one of three functions:
1. In normal operation, pressing this button resets the Dione as if at power-on.
2. Pressing and holding for more than 3 to 4 seconds resets all the stored settings to
their manufacturing defaults, and then resets the Dione as if at power-on.
3. When Running the LED Test it temporarily changes the mode of operation
allowing you to press the switch causing the LED to flash. The flashing stops
when the switch is released.
316196601 • Revision: A
Chapter 2 Dione Card
9
KMS Operations
KMS Operations
When the tape drive is powered-on, the Dione card communicates to the drive
over the serial port to take control of drive encryption and decryption.
HP LTO4 tape drives have the capability of storing one (1) key while encrypting or
decrypting data. Therefore; it is essential that these drives stay connected to the
KMS network for communications. Failover and load balancing will also occur
between the KMAs in the system (KMS).
The following is a brief description about how the drive implements encryption:
■
During write operations, when the backup application starts writing, the Write
command triggers the drive to request an encryption key from the Dione card.
The Dione creates a secure connection to the KMA and requests a key.
The KMA provides the key.
The Dione card unwraps the key and sends it to the drive, which continues with
the write operation.
■
During read operations, a similar set of operations occur.
The backup application sends a read request.
The drive recognizes that the data is encrypted and requests a decryption key
from the Dione card.
Note: The LTO4 tape format stores the metadata (key) along with encrypted
data. This gives the Dione card a method to retrieve the required key for
decryption.
The Dione card verifies the Key Associated Data in the data block to determine
the Key ID for that block and requests the corresponding key from the KMA.
Once the key has been received, it is sent to the drive and the read proceeds.
■
During media loads and unloads the Dione card monitors tape drive and
fetches the appropriate Data Unit (for loads) or clearing of the encryption status
(for unloads).
Key Lifecycle
Keys undergo a lifecycle based on the key policy. The lifecycle imposed by the
KMS is based on the NIST 800-57 guidelines and has two time periods:
■
Encryption period the time after a key is assigned that it can be used to encrypt.
Cryptoperiod the time period it can be used for decryption.
■
It is assumed the two periods start at the same time when the key is assigned.
FIGURE 2-3 shows an example of how these periods interacts.
10 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
KMS Operations
FIGURE 2-3 Key Lifecycle
A potential issue:
That LTO4 drive firmware will not request a write key in the following scenario:
Read, Space, Write-Filemark, Write.
The drive will use the same key obtained for the Read command to encrypt the
data provided for the Write command. The state of this key may be inappropriate
for writing due to the policy associated with the drive (an expired key).
Work-Around:
Assign the drive’s Key Group having a key policy with a long encryption period.
An encryption period of a year or longer is recommended.
Details:
The LTO-4 drive firmware will not request a write key in the following scenario:
Read, Space, Write-Filemark, Write. The drive will use the key obtained from the
Read command to encrypt the data provided for the Write command.
Most applications go through this sequence of operations when
appending data to a tape.
The end result is that encryption keys previously used on that tape will continue to
be used for write operations even if the state of the key has changed to expired or
compromised.
The encryption period is a user defined policy.
An encryption period of a year or longer is recommended to mitigate the risk of
write operations using an expired key. Most applications write sequentially to a
tape cartridge until it is full. It is rare that a customer would not fill a tape
cartridge with data within a year.
This is a low impact issue due to ability to mitigate exposure with a user defined
encryption period and due to the non-disruptive nature of the error. Data
encrypted with an expired key can still be accessed normally on future attempts to
append or restore.
It is recommended that the customer not destroy encryption keys as a means to
enforce data life-cycle management. Instead, enforce data life-cycle management
by expiring volumes through the backup and archive applications.
316196601 • Revision: A
Chapter 2 Dione Card 11
KMS Operations
At release, the functionality to set a key in a compromised state is not present.
This is a low impact issue due to the system assigning unique encryption keys for
each tape cartridge. It is rare that a compromised key scenario would ever be
encountered. If it was it would only impact future writes to a single tape cartridge.
This functionality will be implemented in the next drive firmware update.
Media RFID Chips
New data cartridges may not have the physical barcode information written to the
1
Radio Frequency Identification (RFID) chip—also know as the cartridge
memory—in the LTO4 cartridge during the initial mount (load).
This requires updated library firmware, and not all libraries support this function.
Future updates to library firmware will correct this problem allowing the cartridge
memory to write the physical barcode. Libraries include:
■
■
■
■
SL8500 = supported (3.98B and above)
SL3000 = supported (2.01 and above)
SL500 = supported (i15)
L-Series = requires an update (3.18.xx)
The barcode information from the cartridge memory is passed to the KMS and
stored as additional metadata for a Data Unit (cartridge).
1
2
The External Tag field of the Data Unit contains the physical barcode information
when the library firmware update is available.
Refer to the Crypto KMS Administration Guide for more information about Data
Units and the ExternalTag field.
Note – When installing the HP LTO4 tape drive in an SL500 library, you must
disable the “Fast Load” option. Disabling this option allows the library and tape
drive to update the RFID chip with the physical barcode information.
This is not necessary for the SL3000 and SL8500 libraries.
Media Types
Important:
Encryption is only possible on LTO4 media, including LTO4 WORM media.
If an earlier media-type (such as an LTO3 data cartridge) is found in the drive,
encryption is disabled until that media is unloaded.
When fetching the Data Unit from the KMA, the Dione card sets the:
3
4
■
■
■
Description field to either “LTO4” or “LTO4WORM”
External Tag field if the library stored a barcode label in the Cartridge Memory
External Unique ID is the (vendor-unique) Cartridge Memory Attribute
1. Radio Frequency Identification (RFID) chips are also called cartridge memory chips.
The RFID chip contains information about the cartridge, the tape, and the performance
over time. This non-volatile storage information includes:
• Manufacturing information
• Usage
• Initialization information
• Tape directory
• Pass history
• Error history
• Tape Alert flags
• Status of the MIR
12 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
KMS Operations
FIGURE 2-4 provides an example of a KMS Manager display screen using the
elements from and HP LTO4 drive.
FIGURE 2-4 KMS Manager Data Unit List
2
4
3
1
1. Data Unit ID (data cartridge)
2. External Tag (volume serial number)
3. Description (LTO4 or LTO4WORM)
4. External Unique ID (vendor-unique RFID contents)
316196601 • Revision: A
Chapter 2 Dione Card 13
Removal and Replacement
Removal and Replacement
Encryption-capable HP LTO 4 tape drives contain an Ethernet card, which is a field
replaceable unit (FRU). Depending on the library, each drive tray contains the card in a
different location; however, the removal and replacement procedures are similar.
For specific information about the drive trays, refer to:
SL8500 Modular Library System Installation Manual
SL3000 Modular Library System Installation Manual
SL500 Modular Library System Installation Manual
L700/1400 Library Installation Manual
StorageTek: 96138
StorageTek: 316194201
StorageTek: 96114
StorageTek: 95843
StorageTek: 95896
L180 Library Installation Manual
If the manuals are not on hand, go to the Sun Documentation Web site at:
FIGURE 2-5 Dione Card and Connectors
1. Dione card
2. Ethernet connector
3. P5
5. Drive power jumper
6. Power connector to drive
7. P6
4. Signal connector
Removal
The following procedure basically describes how to remove and replace a Dione card:
1. Follow the procedures for taking the drive offline.
2. Follow the procedures for removing the drive from the library.
14 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Removal and Replacement
3. Place the drive and drive tray on a suitable work surface.
Caution:
Potential ESD damage: The encryption card contains ESD-sensitive components.
Make sure you follow proper ESD precautions.
4. Remove the two T9 screws from the top cover and remove the cover.
5. Remove the connectors from the HBD card.
6. Remove the four T10 screws that attach the drive to the tray.
7. Remove the T10 screw that attaches the encryption card.
8. Pull out the drive part way to gain access to the cables and connectors.
9. Remove the cable/connectors in this order:
■
■
■
■
■
Ethernet cable
P5
P6
Power cable
Signal cable
10. Remove the four T10 screws that fasten the card to its plate.
Replacement
Caution:
■ ESD-sensitive components. Make sure you follow the proper precautions.
■ Use care not to damage the thin, glass cable attached to J5. This cable is fragile
and easily damaged.
To replace the Dione card:
1. Obtain the encryption card and remove it from its wrapper.
2. Align the card on the plate and insert the T10 mounting screws.
3. Connect P5 and P6 to the card.
4. Plug in the following cables in this order:
■
■
■
Signal connector from the card to the rear of the drive
Drive power (from rear of the drive)
Power jumper
5. Insert the card and plate into its position and fasten it with one T10 screw.
6. Position the HBD card back into place.
7. Re-connect the cables to the HBD card.
8. Insert the drive and fasten it to the tray with four T10 screws.
9. Replace the top cover plate and fasten it with two T10 screws.
10. Insert the drive tray into its slot in the array.
11. Reconnect the cables to the rear of the drive.
316196601 • Revision: A
Chapter 2 Dione Card 15
Removal and Replacement
16 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
3
CHAPTER
Virtual Operator Panel
The Sun StorageTek Virtual Operator Panel (VOP) is a computer-based application
that provides a graphical user interface (GUI) to these tape drives:
■
■
■
T10000A
T10000B
T9840D
With the VOP at Version 1.0.12 and higher, support for the HP LTO4 tape drive is
translation device for the tape drive.
FIGURE 3-1 Virtual Operator Panel Display
1
5
2
3
4
1. Connect Tab
5. Drive status indicators (colors)
2. Monitor Drive Tab
3. Configure Drive Tab
4. Diagnose Drive Tab
■
■
■
■
Online/Offline
Loaded
Service
Encrypt (Encryption indicator)
316196601 • Revision: A
17
The VOP application uses an Ethernet connection to communicate with the tape
drives, either:
■
Point-to-point, using a cross-over cable
■
Networked, using a switch and standard—straight—Ethernet cables
This Ethernet interface provides communication with the tape drives and allows:
■
Customer operators to:
■
■
■
Select and monitor drive status indicators
View, load, and configure drive settings
Enroll and un-enroll agents (tape drives) for use with the KMS
■
Services representatives to:
■
■
■
■
View, delete, load, and configure encryption and communication settings
IPL a drive
Run diagnostics, retrieve dumps, and logs for the Dione card
Enable and disable encryption
VOP Prerequisites
Before you can install and operate the VOP application, your computer system
must meet certain prerequisites. These are the minimum:
■
■
■
Hardware requirements
Operating system certifications
Java Runtime Environment (JRE) minimum release level requirements
Computer Hardware Requirements
The minimum hardware requirements include:
■
■
■
■
■
512 MB memory
1.0 GHz processor
Ethernet port available for static IP addressing
RJ45–RJ45 Ethernet cross-over cable (direct connection to drive)
RJ45–RJ45 Ethernet cables (indirect connection through an Ethernet switch)
Operating System Certification
These operating systems are certified for use with the VOP:
■
■
■
Windows 2000 or XP
Linux–Redhat 9.0, ES
Solaris–SunOS 5.8, SunOS 5.9, and SunOS 5.10
Java Runtime Environment Requirement
The VOP software application is a Java-based program; therefore, you need a
compatible version of Java Runtime Environment (JRE) installed.
Before attempting to install and run VOP, verify the presence, and release level of
JAVA is version J2SE 1.5, or higher.
18 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Using VOP
Using VOP
There are two versions of VOP: 1) Customer and 2) Service.
Refer to the VOP documentation for information about how to download and
TABLE 3-1 VOP Versions, Files, Documents, and Download Sites
Version
Document
Files
Posted
File Size
6055192
47104
Customer 96179
VOP_CUST_REL_1.0.12.zip
General_Instructions_Download
Document.txt
05/28/2008 21:30
05/28/2008 21:42
05/28/2008 21:56 173
Download Site:
Service
96180
VOP_SVC_REL_1.0.12.zip
General_Instructions_Download
Document.txt
05/28/2008 22:12
05/28/2008 22:24
7006234
47104
05/28/2008 22:44 173
Download Site:
For the initial configuration, use a secure point-to-point connection and the default
IP address 10.0.0.1. Because all tape drives use the same default IP address,
connecting them to a switch for the initial configuration will cause problems;
unless you power the drives on and configure them one-by-one.
To use VOP for LTO4 tape drives, you need to launch a special file:
■
Windows: Launch the batch file (ltoVOP.bat)
■
Solaris/Linux: Launch the ltoVOP file (above the batch file)
FIGURE 3-2 VOP Files and LTO Batch File
➪
316196601 • Revision: A
Chapter 3 Virtual Operator Panel 19
Using VOP
Start VOP
Important:
■
■
■
Remember, the Service Delivery Platform (SDP) does not support the LTO4
drives. You may need to make adjustments to the network addresses if mixing
tape drives on the same KMA and/or SDP network (LAN 2).
With this Ethernet connection, you cannot perform the same or similar functions
with this tape drive that you can with the T-Series drives, such as downloading
tape drive code and running tape drive diagnostics.
Before beginning, make sure you have the assigned IP addresses and Agent
names for the tape drives available and defined in the KMS manager.
To start the VOP for the LTO4:
1. Configure and connect your laptop to an LTO4 tape drive.
(For example: use a cross-over cable and connect directly to a tape drive.)
2. Start the executable file (ltoVOP .file or .bat) to start the application.
3. Enter the default IP address (10.0.0.1) and click Connect.
FIGURE 3-3 LTO VOP Connect Screen
TIP:
You may want to create a shortcut on your desktop that links you to the
ltoVOP executable file. Then click on this shortcut to launch this application.
4. Set the drive offline.
20 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Using VOP
5. Select the Configure Drive tab and enter the required information.
You will need customer input for the KMA ID, IP Address, and Passphrase.
FIGURE 3-4 Configure Drive
6. Click Commit and respond “Yes” to the set drive offline pop-up (if still online).
The commit process takes about 30 seconds to complete.
7. Click on the Diagnose Drive tab to observe the commit process.
FIGURE 3-5 Commit—Passed
316196601 • Revision: A
Chapter 3 Virtual Operator Panel 21
Using VOP
During the commit process, the tape drive goes offline then IPLs to save the new
settings to the Dione card.
Important:
When the drive comes back online, it is now using the new IP address.
8. To continue with the configuration and to “enroll” the tape drive, you must
connect the drive to the KMS network. The KMS must be able to communicate
with the tape drive to complete the enrollment process.
Note – The Agent must be already created with a pass phrase assigned in the
KMS before you can enroll the drive. If you were to “Unenroll” the Agent—for
example: To turn encryption off, then re-enroll the agent to turn encryption back
on—the pass phrase must be re-entered or the agent recreated in the KMS before
re-enrollment.
9. Enter the new IP address in the connection window and click Connect
(10.0.0.5 for this example).
FIGURE 3-6
10.0.0.5
10.0.0.5
10. Select the Configure Drive tab. The new settings are shown in the display.
11. Click “Enroll.”
12. Click on the Diagnose Drive tab to observe the enroll process.
■
■
■
The enroll process takes about 40 seconds to complete.
When the enrollment is complete, the button now indicates Unenroll.
You would use this button to unenroll the tape drive; which would turn
encryption off (see the note in Step 8).
22 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Diagnose Drive Tab
Diagnose Drive Tab
The Dione card and the VOP Diagnose Drive tab allow you to perform limit tests,
get logs for engineering review, and to load Dione card firmware.
Run LED Diagnostic Test
To run the LED diagnostic test:
1. Click on Run LED Diag. The display changes the button to EXIT LED Diag.
2. During this time, if you press the Reset switch, the green encryption LED
will flash.
3. Click EXIT LED Diag to end this test.
FIGURE 3-7 Run LED Diag
The green LED is on when you power-on the LTO4 tape drive for 30 seconds as the
Dione card performs an initial program load (IPL).
After 30 seconds, the LED goes out and stays out until the tape drive is in an
encryption-capable mode (tape loaded, key available, encrypting or decrypting).
316196601 • Revision: A
Chapter 3 Virtual Operator Panel 23
Diagnose Drive Tab
Get Log
If a Dione card or connection is consistently having problems, engineering may
request you retrieve a log of events from the Dione card.
1. Click Get Log.
2. Create and select a location for the file.
Once the file has transferred, the operation is complete.
FIGURE 3-9 Run LED Diag
Load Firmware
To load new Dione card firmware:
Obtain the firmware and place it in a directory file easy to locate.
Click on Load Firmware.
A dialog box opens requesting the location of the firmware.
Navigate to that location and load the files.
Note there are two files to download: *.bin and *.hdr.
316196601 • Revision: A
Chapter 3 Virtual Operator Panel 25
Diagnose Drive Tab
26 KMS: LTO4 Technical Brief • June 2008
Revision:A • 316196601
Index
firmware requirements, 7
B
batch file, 19
G
Get Log, 25
guides, v
C
cartridge memory, 12
comparisons
H
LTO tape drives, 3
media, 4
hardware requirements, VOP, 18
Hewlett Packard, 1
HP LTO
compliance regulations, 2
Configure Drive tab, 21
connecting to a Dione card, 9
conversion bills, 6
I
interchange, 5
interfaces, types of, 1
introduction, 1
D
Data Unit, 12
Dione card, 7
J
components, 8
Java Runtime Environment, 18
connections to, 9
default IP address, 9
green LED, 9
loading firmware, 25
reset switch, 9
K
KMA ID, 21
KMS operations, 10
Download Center, vi
drive tray example, 2
L
E
LED diagnostic test, 23
LED, green, 9
lifecycle, 10
encryption indicator, 17
enroll, 22
Linear Tape-Open, 1
load/unload operations, 10
Loopback diagnostic test, 24
LTO4
F
Fast Load option, 12
media, 1
316196601 • Revision: A
27
overview, 1
reset switch, 9
specifications, 3
RFID chip, media, 12
LTO4 interfaces, 1
S
M
SCSI interfaces, 1
SDP, 20
Service Delivery Platform, 20
specifications, 3
StorageTek
manual organization, v
manuals, v
media
encryption-capability, 5
introduction, 1
RFID chip, 12
Partners site, vi
Mid-range class, 2
Monitor Drive tab, 17
Sun
N
T
NIST 800-57 guidelines, 10
tape drive specifications, 3
O
U
operating systems, VOP, 18
order numbers, 6
organization, v
organization of this manual, v
overview
Ultrium, 1
unenroll, 22
Uniform Software Repository, vi
Dione card, 7
LTO4, 1
V
Virtual Operator Panel, 17
VOP, 17
VOP, 17
P
W
part numbers, 6
WORM, 1
WORM media, 2
write once, read many, 1
write operations, 10
Write-Once Read-Many, 2
Partner Agreement, vi
Partner Exchange, vi
Partners Web site, vi
Passphrase, 21
physical barcode information, 12
potential issue, 11
prerequisites, VOP, 18
publications, v
X
x-options, 6
R
Radio Frequency Identification, 12
read operations, 10
related publications, documents, v
reliability, 4
removal and replacement procedures, 14
requirements, firmware, 7
resellers, vi
28
KMS: LTO4 Technical Brief • June 2008
Revision: A • 316196601
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.com
ARGENTINA: 5411-4317-5636 • AUSTRALIA: 1-800-550-786 • AUSTRIA: 43-1-601-26-0 • BALKANS: 301-6188-111 • BELGIUM: 32 2-704 89 83 • BRAZIL: 55-11-51872100 • BRUNEI: 65-216-8333 • CANADA: 1-800-422-8020 (GENERAL); 416-964-2001 (LEARNING MANAGEMENT SYSTEM SALES,TORONTO) • CHILE: 562-372-4500 • COLOMBIA: 571-629-2323
CZECH REPUBLIC: 420 2 33009311 • DENMARK: 45 4556 5040 • EGYPT: 00 202 570 9442 • FINLAND: 358-9-525-561 • FRANCE: 33-1-41-33-17-17 • GERMANY: 49-89-460-08-2788 • GREECE: 30-01-6188101 • HONG KONG: 852-2877-7077 • HUNGARY: 361-202-4415 • INDIA: 91-80-229-8989 • INDONESIA: 65-216-8333 • IRELAND: 353-1-668-4377
ISRAEL: 972-9-9710500 • ITALY: 39-02-9259511 • JAPAN: 81-3-5779-1820 • KOREA: 82-2-3453-6602 • MALAYSIA: 603-2116-1887 • MIDDLE EAST: 00 9714 3366333 • MEXICO: 525-261-0344 • NETHERLANDS: 31-33-4515200 • NEW ZEALAND: 0800-786-338 • NORTH WEST AFRICA: 00 9714 3366333 • NORWAY: FROM NORWAY: 47-22023950, TO NORWAY:
47-23369650 • PAKISTAN: 00-9714-3366333 • PEOPLE'S REPUBLIC OF CHINA: 8610-6803-5588 • PHILIPPINES: 632-885-7867 • POLAND: 48-22-8747848 • PORTUGAL: 351-21-413-4000 • RUSSIA: 7-095-935-8411 • SAUDI ARABIA: 00 9714 3366333 • SINGAPORE: 65-216-8300 • SOUTH AFRICA: 27-11-256-6300 • SPAIN: 34-902-210-412 • SRI LANKA:
65-2168333 • SWEDEN: 46-8-631 22 00 • SWITZERLAND: 41-1-908-90-50 (GERMAN) 41-22-999-0444 (FRENCH) • TAIWAN: 886-2-25185735 • THAILAND: 662-344-6855 • TURKEY: 90 212 335 22 00 • UNITED KINGDOM: 44-1276-416-520 • UNITED STATES: 1-800-422-8020 • VENEZUELA: 582-905-3800 • VIETNAM: 65-216-8333 • WORLDWIDE
HEADQUARTERS: 1-650-960-1300
THE NETWORK IS THE COMPUTER ©2006 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, and the Sun logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the
United States and other countries.
SUN™
|