Sun Microsystems StorageTek HP LTO4 User Manual

Sun StorageTek™ Crypto Key Management System
HP LTO4 Encryption-Capable Tape Drives
Technical Brief
Version 2.0
Sun Microsystems, Inc.
Part Number: 316196601
Revision: A
June 2008
Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.  
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at
THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. USE,  
DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN  
MICROSYSTEMS, INC.  
Use is subject to license terms. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California.
UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Solaris, Sun StorageTek Crypto Key Management System, StorageTek and the StorageTek logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject  
to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end  
users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified  
on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly  
prohibited. Use of any spare or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in  
compliance with U.S. export laws. Use of CPUs as product upgrades unless authorized by the U.S. Government is strictly prohibited.  
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND  
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR  
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY  
INVALID.  
We welcome your feedback. Use the OpinionLab [+] feedback system on the documentation Web site or Send your comments to:  
Sun Learning Services  
Sun Microsystems, Inc.  
500 Eldorado Blvd.  
Mailstop: UBRM06-307  
Broomfield, CO 80021-6307  
USA  
Please include the publication name, part number, and edition number in your correspondence if they are available.  
This will expedite our response.  
Preface
This technical brief is intended for Sun StorageTek™ representatives, customers, and anyone responsible for planning the installation of the Crypto Key Management System (KMS) encryption solution.
Organization  
This guide has the following organization:  
Chapter  
Use this chapter to:  
Related Information  
These publications contain additional information:
Publication Description | Part Number
Crypto Key Management System Systems Assurance Guide | StorageTek: 31619480x
Crypto Key Management System Installation and Service Manual | StorageTek: 31619490x
Crypto Key Management System Administrator Guide | StorageTek: 31619510x
Additional Information  
Sun Microsystems, Inc. (Sun) offers several methods to obtain additional  
information.  
Sun’s External Web Site  
Sun’s external Web site provides marketing, product, event, corporate, and service  
information. The external Web site is accessible to anyone with a Web browser and  
an Internet connection.  
The URL for the external Web site is: http://www.sun.com  
The URL for StorageTek™ brand-specific information is:  
Documentation and Download Web Sites  
Web sites that enable customers, members, and employees to search for technical  
documentation, downloads, patches, features, and articles include:  
Documentation: http://docs.sun.com/app/docs (customers)  
Internal access: http://docs.sfbay.sun.com/app/docs (internal)  
Sun Download Center: http://www.sun.com/download/index.jsp (customers)  
Sun Partner Exchange: https://spe.sun.com/spx/control/Login (partners)  
(internal)  
If your customer does not already have a Sun Online Account, they will need to
register. For a new account, go to: https://reg.sun.com/register
For more information about Sun StorageTek products, go to:
Partners Site  
The Sun StorageTek Partners site is a Web site for partners with a StorageTek  
Partner Agreement. This site provides information about products, services,  
customer support, upcoming events, training programs, and sales tools to support  
StorageTek Partners. Access to this site, beyond the Partners Login page, is  
restricted. On the Partners Login page, employees and current partners who do  
not have access can request a login ID and password and prospective partners can  
apply to become StorageTek resellers.  
The URL for partners with a Sun Partner Agreement is:  
CHAPTER 1
Introduction
Overview  
The Hewlett Packard (HP) LTO4 is the fourth generation of Ultrium Linear Tape-Open (LTO) tape drives. This generation offers more capacity and higher performance than earlier versions of LTO tape drives.
Encryption Capable
The Hewlett Packard LTO4 is the first tape drive other than the StorageTek T-Series to support the Crypto Key Management System Version 2.0.
This encryption-capability requires a special, custom designed, Ethernet  
card—called the Dione card—that enables the LTO4 drive to connect to and  
interface with the Key Management System (KMS) network.  
With this connection, the LTO4 is capable of communicating with the KMS  
to transfer encryption keys over the secure network.  
Note: The HP LTO4 can only use one encryption key at a time. During a read  
operation, if another encryption key is found, the Dione card requests the  
key directly from the KMS.  
Media (Native capacity)
The HP LTO4 drive with LTO4 media can store up to 800 GB of data.  
This drive can also read and write on LTO3 media (400 GB), and provides  
read-only capabilities with LTO2 media (200 GB).  
The LTO4 tape drive also supports Write Once, Read Many (WORM) secure  
media. This non-erasable, non-rewritable media meets several compliance  
regulations such as HIPAA, Sarbanes-Oxley, and SEC 17A-4.  
Note: Encryption is only possible using LTO4 media, including LTO4  
WORM media, with the HP LTO4 tape drive. If you insert LTO2 or LTO3  
media, encryption will be disabled.  
Interfaces (Native rates)
The HP LTO4 drive supports up to 120 MB/s data transfer rates using Data Rate Matching (DRM). This feature allows the tape drive to dynamically and continuously adjust the speed of the drive, from 40 to 120 MB/s, for maximum performance.
Interface support for the HP LTO4 includes:
• Ultra 320 Small Computer System Interface (SCSI)
• 4 Gigabits per second (Gbps) Fibre Channel
Installing this tape drive in one of Sun StorageTek’s automated tape configurations offers customers an even wider choice of tape-based storage solutions.
• Server compatibility: Fibre Channel and SCSI models on popular (qualified) platforms from vendors such as Sun, HP, IBM, and Dell.
• Software compatibility: Support for an extensive list of software applications such as ACSLS, HP, CA, VERITAS, Legato, Tivoli, and many more.
• Support for WORM media: Allows for unalterable backups using Write-Once Read-Many (WORM) media to meet compliance regulations such as HIPAA, Sarbanes-Oxley, SEC 17A-4.
• Mid-range class: Delivers confidence with a wide variety of supported backup applications.
Drive Tray  
FIGURE 1-1 shows an example of an LTO4 tape drive mounted in a drive tray.
FIGURE 1-1 LTO4 Tape Drive in Drive Tray—SL8500
1. “PWR” = power indicator (green)
2. “FAULT” = Fault indicator (red)
3. “MAINT” = Recessed button that resets the Dione card
4. The green LED is ON during the Dione card IPL and when an encryption/decryption key is present during drive operation
5. “PORT A” = Fibre Channel interface port
6. “PORT B” = Not used
7. RJ-45 connector. This port is auto sensing to 10 Mbps/100 Mbps data rates and used to:
• Configure the network
• Enroll the agent on the KMS
• Retrieve the diagnostic log file
• Upgrade Dione card firmware
Specifications  
TABLE 1-1 provides a comparison of tape drive specifications.  
TABLE 1-1 Tape Drive Specifications  
Specification | LTO2 | LTO3 | LTO4
Physical Specifications
Height | 8.25 cm (3.25 in.) | 8.25 cm (3.25 in.) | 8.25 cm (3.25 in.)
Width | 14.6 cm (5.75 in.) | 14.6 cm (5.75 in.) | 14.6 cm (5.75 in.)
Length (depth) | 21.38 cm (8.4 in.) | 21.38 cm (8.4 in.) | 21.38 cm (8.4 in.)
Weight | 2.1 kg (4.6 lb) | 2.24 kg (4.94 lb) | 2.24 kg (4.94 lb)
Performance Specifications
Capacity (native) | 200 GB | 400 GB | 800 GB
Transfer rate (native) | 30 MB/s | 80 MB/s | 120 MB/s
Streaming range (native) | 13.7 to 35.6 MB/s | 27 to 80 MB/s | 40 to 120 MB/s
Data Buffer size | 64 MB | 128 MB | 128 MB
Number of tracks | 512 | 704 | 896
Load to ready *
15–24 sec  
64–75 sec  
5.50 m/s  
6.20 m/s  
104/52 sec  
13–19 sec  
19 sec  
19 sec  
Access time-average (to first file)  
Tape speed (meters per second)  
Tape read/write speed  
Rewind time (maximum/average)  
Unload time  
72 sec  
62 sec  
5.32 m/s  
5.32 m/s  
98/49 sec  
19 sec  
7.0 m/s  
6.20 m/s  
124 sec  
19 sec  
Cleaning time  
58 to 152 sec  
Specification | LTO2 | LTO3 | LTO4
Interface Support (SCSI) | Ultra3 SCSI (LVD) | Ultra-320 (LVD) | Ultra-320 (LVD)
Interface Support (Fibre Channel) | FC1 | FC2 | FC4
MTBF (100% duty cycle) | 250,000 hrs | 250,000 hrs | 250,000 hrs
Media/Format Compatibility
Read | LTO1, LTO2 | LTO 1, 2, 3 | LTO 2, 3, 4
Write | LTO1, LTO2 | LTO2, LTO3 | LTO3, LTO4
Note: HP drives support the LTO standard for backward compatibility, which is to write back one generation and read back two generations.
Power Consumption | 38 W | 35 W | 30 W
Interface Codes:  
Fibre Channel: FC1 = Fibre Channel 1Gb, FC2 = Fibre Channel 2Gb, FC4 = Fibre Channel 4Gb  
Note: * Encryption-capable and un-initialized WORM cartridges can take longer to load.  
TABLE 1-2 provides a comparison of media specifications.  
TABLE 1-2 Media Specifications  
Specification | LTO 2 | LTO 3 | LTO 4
Tape Base film | PEN (Poly-Ethylene-Naphthalate)
Tape length | 609 m | 680 m | 820 m
Tape length used for data | 580 m | 648 m | 783 m
Tape width | 12.65 mm | 12.65 mm | 12.65 mm
Tape dimensional stability | 1200 ppm | 1200 ppm | 900 ppm
Maximum tape speed | 7.29 m/s
Rewind speed | 7.00 m/s
Durability | 1,000,000 passes
Cartridge Width | 105.4 ± 0.30 mm
Cartridge Depth | 102.0 ± 0.30 mm
Cartridge Height | 21.5 ± 0.25 mm
Cartridge Weight | 0.220 kg
Track density (TPI) | 1260 | 1773 | 2212
Data tracks | 512 | 704 | 896
Data channels | 8 | 16 | 16
Number of wraps | 64 | 44 | 56
Number of bands | 4 | 4 | 4
Bit density | 7.40 Kb/mm | 9.64 Kb/mm | 13.52 Kb/mm
Cartridge memory capacity | 4096 bytes | 4096 bytes | 8192 bytes
TABLE 1-3 lists the reliability specifications.  
TABLE 1-3 Reliability Specifications  
Description | Specification
MTBF (100% duty cycle) | 250,000 hours
Load/unload life | 100,000 swaps
Head life | 60,000 hours
Media durability | 1,000,000 passes
Maximum cartridge use | 20,000 threads
Compatibility  
HP LTO Ultrium 4 drives are specified to interchange with un-encrypted data cartridges from other tape drives that comply with the LTO U-28, U-316 and U-416 specifications.
Future compatibility:
In the future, HP LTO Ultrium drives will be capable of:
• Reading and writing tapes from the current generation
• Reading and writing tapes from one earlier generation
• Reading tapes from two earlier generations
HP LTO Ultrium drives will always maintain write and read compatibility with other manufacturers’ LTO Ultrium drives and tapes that meet the LTO Ultrium format specification.
TABLE 1-4 LTO Media Compatibility  
Native Capacity (Length) | Format | Write capability | Read capability
800 GB WORM | LTO4 | Yes | Yes
800 GB (820m) | LTO4 | Yes | Yes
400 GB WORM | LTO3 | Yes | Yes
400 GB (680m) | LTO3 | Yes | Yes
200 GB (580m) | LTO2 | No | Yes
100 GB (580m) | LTO1 | No | No
50 GB (290m) | LTO1 | No | No
Note – Currently, only LTO4 media is encryption-capable on the LTO4 tape drives.  
While LTO4 can read and “write” to LTO3 media, if an LTO4 drive encrypted data  
on LTO3 media, then LTO3 drives could not read those tapes. Therefore, when  
LTO3 media is inserted into an LTO4 drive, the encryption capability is disabled  
and the drive will write non-encrypted data without notification.  
Order Numbers  
License Keys  
FIGURE 1-2 License Keys  
LTO4 Encryption Key | Marketing Number | Description
Bundled | X-HP-LTO4-EKEY-B | One required per encryption enabled drive. Bundled with the drive at time of sale.
After market | X-HP-LTO4-EKEY-A | One required per encryption enabled drive. After market for drives previously purchased.
Configured End Items  
TABLE 1-5 Configured End Items—Order Numbers  
Library | Part Number | Description
SL500 | LTO4E-HP4FC-SL500Z | LTO4 HP FC 4Gb SL500 Encryp Dr
SL500 | LTO4E-HPSC-SL500Z | LTO4 HP SCSI SL500 Encryp Dr
SL8500 | LTO4E-HP4FC-SL85Z | LTO4 HP FC 4Gb SL8500 EncrypDr
SL3000 | LTO4E-HP4FC-SL30Z | LTO4 HP FC 4Gb SL3000 EncrypDr
X-Options (Conversion Bills)  
TABLE 1-6 Conversion Bill Numbers  
Library | Part Number | Description
SL500 | XHPLTO4E-FCUPL500Z | Crypto drive upgrade for HP LTO4 FC SL500
SL500 | XHPLTO4E-SCUP500Z | Crypto drive upgrade for HP LTO4 SCSI SL500
SL3000/8500 | XHPLTO4E-FCUP3085Z | Crypto drive upgrade for HP LTO4 FC SL3000/SL8500
Dione Card  
TABLE 1-7 Dione Card Part Number  
Part Number | Description
419954901 | HP LTO4 Dione Card
CHAPTER 2
Dione Card
The Dione card—pronounced (D - O - nee)—is a custom design that provides an Ethernet interface for the HP LTO4 tape drive. With this interface, the HP LTO4 tape drive can:
• Encrypt and decrypt data using the Sun StorageTek Crypto Key Management System (KMS), Version 2.0 and above
• Configure and enroll the tape drive using the Virtual Operator Panel (VOP), Version 1.0.12 or higher
Basically, the Dione card is a translation device between the serial interface on the tape drive and the secure Ethernet port for use with the KMS.
The Dione card includes:
• Telnet server for configuration and management
• FTP server for installing new firmware and retrieving firmware trace logs
• SOAP client (with TLS 1.0 support) for communication with the KMS
Firmware Requirements  
The minimum firmware requirements include:  
TABLE 2-1 Firmware Requirements  
Component | Version (or above)
Dione card | 1.178
HP LTO4 tape drive | H45S Fibre Channel; B44S SCSI
KMS Version 2.0 | 2.02
ACSLS | 7.1 and 7.1.1 with PUT0701, or 7.2, and 7.3
SL8500 library | 3.98B
SL3000 library | 2.01 (SPS)—Requires approval
SL500 library | i15 — 1300 (SPS)—Requires approval
L-Series | 3.18.xx
Virtual Operator Panel | 1.0.12
Dione Card Components  
The Dione card installs in the open area of the drive trays behind the tape drives.
Library drive trays that support this card are the:
• SL8500
• SL3000
• SL500
• L-Series
Each drive tray has its own unique configuration depending on the space in the open area of the drive tray.
FIGURE 2-1 shows an example of a Dione card, which consists of:
• Dione card
• Ethernet connector (RJ-45)
• Power connection (inline with the tape drive power)
• Communications connection to the tape drive
• Reset switch (on the drive tray rear panel)
• Green Status LED (on the drive tray rear panel)
FIGURE 2-1 Dione Card Components
1. Dione card
2. Ethernet connection (RJ-45)
3. Reset switch
4. Green status LED
5. LED connection (2 wires)
6. Inline power connection
7. Tape drive power connection
8. Tape drive communications connection
9. Reset switch connection (2 wires)
Connecting to the Dione Card  
FIGURE 2-2 shows two ways to connect to the Dione card:
• Point-to-point using a crossover cable
• Network using a switch or hub and standard (straight-through) Ethernet cables
Note – The default IP address of the Dione card is 10.0.0.1. This address is the same as that of the T-Series tape drives. Because of this, the initial connection to the Dione card and LTO4 tape drive should be made with a crossover cable to set a new IP address. Once the IP address is set, you can connect the drive to the network for configuration and enrollment.
FIGURE 2-2 Connecting to the Dione Card
Point-to-Point: Crossover Cable Connection
Network: Standard Ethernet Connection
Green LED operation:
• When you power on the LTO4 tape drive, the green LED lights for 30 seconds as the Dione card performs an initial program load (IPL).
• If the LED does not come on when power is applied (and there is power on the tape drive), there is a problem with the Dione card.
• If this LED does not go out after approximately 30 seconds, there is a problem with the Dione card.
• After 30 seconds, the LED goes out and stays out until the tape drive is in an encryption-capable mode (tape loaded, key available, encrypting or decrypting).
Reset Switch operation:
The reset switch performs one of three functions:
1. In normal operation, pressing this button resets the Dione as if at power-on.
2. Pressing and holding for more than 3 to 4 seconds resets all the stored settings to their manufacturing defaults, and then resets the Dione as if at power-on.
3. When running the LED Test, the switch temporarily changes its mode of operation: pressing the switch causes the LED to flash, and the flashing stops when the switch is released.
KMS Operations  
When the tape drive is powered on, the Dione card communicates with the drive over the serial port to take control of drive encryption and decryption.
HP LTO4 tape drives have the capability of storing one (1) key while encrypting or decrypting data. Therefore, it is essential that these drives stay connected to the KMS network for communications. Failover and load balancing will also occur between the KMAs in the system (KMS).
The following is a brief description of how the drive implements encryption:
During write operations:
• When the backup application starts writing, the Write command triggers the drive to request an encryption key from the Dione card.
• The Dione card creates a secure connection to the KMA and requests a key.
• The KMA provides the key.
• The Dione card unwraps the key and sends it to the drive, which continues with the write operation.
During read operations, a similar set of operations occurs:
• The backup application sends a read request.
• The drive recognizes that the data is encrypted and requests a decryption key from the Dione card.
Note: The LTO4 tape format stores the metadata (key) along with encrypted data. This gives the Dione card a method to retrieve the required key for decryption.
• The Dione card verifies the Key Associated Data in the data block to determine the Key ID for that block and requests the corresponding key from the KMA.
• Once the key has been received, it is sent to the drive and the read proceeds.
During media loads and unloads, the Dione card monitors the tape drive and fetches the appropriate Data Unit (for loads) or clears the encryption status (for unloads).
Key Lifecycle  
Keys undergo a lifecycle based on the key policy. The lifecycle imposed by the KMS is based on the NIST 800-57 guidelines and has two time periods:
• Encryption period: the time after a key is assigned during which it can be used to encrypt.
• Cryptoperiod: the time period during which it can be used for decryption.
It is assumed the two periods start at the same time, when the key is assigned.
FIGURE 2-3 shows an example of how these periods interact.
FIGURE 2-3 Key Lifecycle  
A potential issue:
The LTO4 drive firmware will not request a write key in the following scenario: Read, Space, Write-Filemark, Write.
The drive will use the same key obtained for the Read command to encrypt the data provided for the Write command. The state of this key may be inappropriate for writing under the policy associated with the drive (an expired key).
Work-Around:
Assign the drive a Key Group whose key policy has a long encryption period. An encryption period of a year or longer is recommended.
Details:
The LTO-4 drive firmware will not request a write key in the following scenario: Read, Space, Write-Filemark, Write. The drive will use the key obtained from the Read command to encrypt the data provided for the Write command.
Most applications go through this sequence of operations when appending data to a tape.
The end result is that encryption keys previously used on that tape will continue to be used for write operations even if the state of the key has changed to expired or compromised.
The encryption period is a user-defined policy.
An encryption period of a year or longer is recommended to mitigate the risk of write operations using an expired key. Most applications write sequentially to a tape cartridge until it is full. It is rare that a customer would not fill a tape cartridge with data within a year.
This is a low impact issue due to the ability to mitigate exposure with a user-defined encryption period and due to the non-disruptive nature of the error. Data encrypted with an expired key can still be accessed normally on future attempts to append or restore.
It is recommended that the customer not destroy encryption keys as a means to enforce data life-cycle management. Instead, enforce data life-cycle management by expiring volumes through the backup and archive applications.
At release, the functionality to set a key in a compromised state is not present. This is a low impact issue because the system assigns unique encryption keys for each tape cartridge. It is rare that a compromised key scenario would ever be encountered. If it were, it would only impact future writes to a single tape cartridge. This functionality will be implemented in the next drive firmware update.
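The append scenario above, replayed against an encryption period and a cryptoperiod, as an added example that is not Sun or HP code: it models a drive that holds one key and keeps the read key for the following write. The class and function names, key IDs, dates and the 10-year cryptoperiod are constructed for illustration, and a write-key request is assumed to return a key that policy still allows to encrypt.

```python
"""Added example (not Sun or HP code): the append sequence from this brief,
replayed against a key policy. All names and sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Key:
    key_id: str
    assigned: datetime             # both periods start at assignment
    encryption_period: timedelta   # window in which the key may encrypt
    cryptoperiod: timedelta        # window in which the key may decrypt

    def may_encrypt(self, now: datetime) -> bool:
        return self.assigned <= now < self.assigned + self.encryption_period

    def may_decrypt(self, now: datetime) -> bool:
        return self.assigned <= now < self.assigned + self.cryptoperiod


def replay_mount(commands, tape_key, issue_write_key):
    """Replay one mount of one cartridge and return policy findings.

    commands        -- list of (datetime, op); op is READ, SPACE,
                       WRITE_FILEMARK or WRITE
    tape_key        -- key already used on this cartridge
    issue_write_key -- callable(now) -> Key; stands in for the KMA answering
                       a write-key request (assumed to return a usable key)
    """
    held = None                    # the drive stores one key at a time
    findings = []
    for when, op in commands:
        if op == "READ":
            if held is None:
                held = tape_key    # fetched by the Key ID stored with the data
            if not held.may_decrypt(when):
                findings.append((when, held.key_id, "read outside cryptoperiod"))
        elif op == "WRITE":
            if held is None:
                held = issue_write_key(when)   # a Write triggers a key request
            # Otherwise the firmware keeps the key it obtained for the Read.
            if not held.may_encrypt(when):
                findings.append(
                    (when, held.key_id, "write outside encryption period"))
        elif op not in ("SPACE", "WRITE_FILEMARK"):
            raise ValueError(f"unknown drive command: {op}")
    return findings


ASSIGNED = datetime(2008, 1, 1)                # constructed assignment date
APPEND_AT = ASSIGNED + timedelta(days=45)      # constructed append date


def _keys(encryption_days):
    policy = dict(encryption_period=timedelta(days=encryption_days),
                  cryptoperiod=timedelta(days=3650))
    tape_key = Key("KEY-A", ASSIGNED, **policy)

    def fresh(now):
        return Key("KEY-B", now, **policy)

    return tape_key, fresh


def append_findings(encryption_days):
    """Append sequence from the brief: Read, Space, Write-Filemark, Write."""
    tape_key, fresh = _keys(encryption_days)
    ops = ["READ", "SPACE", "WRITE_FILEMARK", "WRITE"]
    return replay_mount([(APPEND_AT, op) for op in ops], tape_key, fresh)


def write_only_findings(encryption_days):
    """Same date, but the mount starts with a Write, so a key is requested."""
    tape_key, fresh = _keys(encryption_days)
    return replay_mount([(APPEND_AT, "WRITE")], tape_key, fresh)


if __name__ == "__main__":
    for days in (30, 365):
        print(days, "day encryption period:",
              append_findings(days) or "no findings")
    print("write-only mount, 30 days:",
          write_only_findings(30) or "no findings")
```

With a 30-day encryption period the append on day 45 is written with the old key; with the recommended period of a year the same append stays inside policy.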
Media RFID Chips  
Use FIGURE 2-4 to connect the bulleted terms with the KMS Manager.
New data cartridges may not have the physical barcode information written to the Radio Frequency Identification (RFID) chip (see footnote 1), also known as the cartridge memory, in the LTO4 cartridge during the initial mount (load).
This requires updated library firmware, and not all libraries support this function. Future updates to library firmware will correct this problem, allowing the physical barcode to be written to the cartridge memory. Libraries include:
• SL8500 = supported (3.98B and above)
• SL3000 = supported (2.01 and above)
• SL500 = supported (i15)
• L-Series = requires an update (3.18.xx)
The barcode information from the cartridge memory is passed to the KMS and stored as additional metadata for a Data Unit (cartridge) (item 1 in FIGURE 2-4).
The External Tag field (item 2 in FIGURE 2-4) of the Data Unit contains the physical barcode information when the library firmware update is available.
Refer to the Crypto KMS Administration Guide for more information about Data Units and the ExternalTag field.
Note – When installing the HP LTO4 tape drive in an SL500 library, you must  
disable the “Fast Load” option. Disabling this option allows the library and tape  
drive to update the RFID chip with the physical barcode information.  
This is not necessary for the SL3000 and SL8500 libraries.  
Media Types  
Important:
Encryption is only possible on LTO4 media, including LTO4 WORM media. If an earlier media type (such as an LTO3 data cartridge) is found in the drive, encryption is disabled until that media is unloaded.
When fetching the Data Unit from the KMA, the Dione card sets the:
• Description field (item 3 in FIGURE 2-4) to either “LTO4” or “LTO4WORM”
• External Tag field if the library stored a barcode label in the Cartridge Memory
• External Unique ID (item 4 in FIGURE 2-4), which is the (vendor-unique) Cartridge Memory Attribute
Footnote 1. Radio Frequency Identification (RFID) chips are also called cartridge memory chips. The RFID chip contains information about the cartridge, the tape, and the performance over time. This non-volatile storage information includes:
• Manufacturing information
• Usage
• Initialization information
• Tape directory
• Pass history
• Error history
• Tape Alert flags
• Status of the MIR
FIGURE 2-4 provides an example of a KMS Manager display screen using the elements from an HP LTO4 drive.
FIGURE 2-4 KMS Manager Data Unit List
1. Data Unit ID (data cartridge)
2. External Tag (volume serial number)
3. Description (LTO4 or LTO4WORM)
4. External Unique ID (vendor-unique RFID contents)
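One way to check for the two cases described under Media RFID Chips and Media Types (older media written without encryption, and Data Units that carry no External Tag), as an added example that is not part of the KMS product. The export layout, status labels and sample volumes are constructed, and the External Tag is assumed to hold the same volume serial number the backup catalog uses.

```python
"""Added example (not part of the KMS product): reconcile volumes written in
encryption-enrolled LTO4 drives against an export of the KMS Data Unit list.
The record layouts and all sample values are constructed for illustration."""

ENCRYPTABLE = {"LTO4", "LTO4WORM"}   # per the brief: only LTO4 media encrypts


def classify_volumes(written_volumes, data_units):
    """Return {volser: (status, detail)} for every written volume.

    written_volumes -- dicts with 'volser' and 'media' (backup catalog)
    data_units      -- dicts with 'data_unit_id', 'external_tag' and
                       'description' (KMS Manager Data Unit list)
    """
    by_tag = {}
    untagged = []
    for du in data_units:
        tag = (du.get("external_tag") or "").strip()
        if tag:
            by_tag.setdefault(tag, []).append(du)
        else:
            untagged.append(du)      # library did not store the barcode

    report = {}
    for vol in written_volumes:
        volser, media = vol["volser"], vol["media"]
        if media not in ENCRYPTABLE:
            # The drive disables encryption for this media without notification.
            report[volser] = ("PLAINTEXT",
                              f"{media} media: encryption is disabled")
            continue
        matches = by_tag.get(volser, [])
        if len(matches) == 1 and matches[0]["description"] == media:
            report[volser] = ("DATA_UNIT_FOUND", matches[0]["data_unit_id"])
        elif len(matches) == 1:
            report[volser] = ("MISMATCH",
                              f"Data Unit says {matches[0]['description']}, "
                              f"catalog says {media}")
        elif len(matches) > 1:
            report[volser] = ("AMBIGUOUS",
                              f"{len(matches)} Data Units share this tag")
        elif untagged:
            # Cannot be ruled in or out until the barcode reaches the KMS.
            report[volser] = ("UNVERIFIED",
                              f"{len(untagged)} Data Unit(s) have no External Tag")
        else:
            report[volser] = ("NO_DATA_UNIT",
                              "no Data Unit carries this barcode")
    return report


# Constructed sample input.
SAMPLE_WRITTEN = [
    {"volser": "ABC001", "media": "LTO4"},
    {"volser": "ABC002", "media": "LTO3"},       # written in an LTO4 drive
    {"volser": "ABC003", "media": "LTO4WORM"},
    {"volser": "ABC004", "media": "LTO4"},
]
SAMPLE_DATA_UNITS = [
    {"data_unit_id": "DU-0001", "external_tag": "ABC001", "description": "LTO4"},
    {"data_unit_id": "DU-0002", "external_tag": "ABC003", "description": "LTO4"},
    {"data_unit_id": "DU-0003", "external_tag": "", "description": "LTO4"},
]


def sample_report():
    return classify_volumes(SAMPLE_WRITTEN, SAMPLE_DATA_UNITS)


if __name__ == "__main__":
    for volser, (status, detail) in sorted(sample_report().items()):
        print(f"{volser}  {status:<16} {detail}")
```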
Removal and Replacement  
Encryption-capable HP LTO 4 tape drives contain an Ethernet card, which is a field  
replaceable unit (FRU). Depending on the library, each drive tray contains the card in a  
different location; however, the removal and replacement procedures are similar.  
For specific information about the drive trays, refer to:
• SL8500 Modular Library System Installation Manual (StorageTek: 96138)
• SL3000 Modular Library System Installation Manual (StorageTek: 316194201)
• SL500 Modular Library System Installation Manual (StorageTek: 96114)
• L700/1400 Library Installation Manual (StorageTek: 95843)
• L180 Library Installation Manual (StorageTek: 95896)
If the manuals are not on hand, go to the Sun Documentation Web site at:
FIGURE 2-5 Dione Card and Connectors
1. Dione card
2. Ethernet connector
3. P5
4. Signal connector
5. Drive power jumper
6. Power connector to drive
7. P6
Removal  
The following procedure basically describes how to remove and replace a Dione card:  
1. Follow the procedures for taking the drive offline.  
2. Follow the procedures for removing the drive from the library.  
3. Place the drive and drive tray on a suitable work surface.  
Caution:  
Potential ESD damage: The encryption card contains ESD-sensitive components.  
Make sure you follow proper ESD precautions.  
4. Remove the two T9 screws from the top cover and remove the cover.  
5. Remove the connectors from the HBD card.  
6. Remove the four T10 screws that attach the drive to the tray.  
7. Remove the T10 screw that attaches the encryption card.  
8. Pull out the drive part way to gain access to the cables and connectors.  
9. Remove the cable/connectors in this order:
• Ethernet cable
• P5
• P6
• Power cable
• Signal cable
10. Remove the four T10 screws that fasten the card to its plate.  
Replacement  
Caution:  
ESD-sensitive components. Make sure you follow the proper precautions.  
Use care not to damage the thin, glass cable attached to J5. This cable is fragile  
and easily damaged.  
To replace the Dione card:  
1. Obtain the encryption card and remove it from its wrapper.  
2. Align the card on the plate and insert the T10 mounting screws.  
3. Connect P5 and P6 to the card.  
4. Plug in the following cables in this order:  
Signal connector from the card to the rear of the drive  
Drive power (from rear of the drive)  
Power jumper  
5. Insert the card and plate into its position and fasten it with one T10 screw.  
6. Position the HBD card back into place.  
7. Re-connect the cables to the HBD card.  
8. Insert the drive and fasten it to the tray with four T10 screws.  
9. Replace the top cover plate and fasten it with two T10 screws.  
10. Insert the drive tray into its slot in the array.  
11. Reconnect the cables to the rear of the drive.  
CHAPTER 3  
Virtual Operator Panel  
The Sun StorageTek Virtual Operator Panel (VOP) is a computer-based application  
that provides a graphical user interface (GUI) to these tape drives:  
T10000A  
T10000B  
T9840D  
With the VOP at Version 1.0.12 and higher, support for the HP LTO4 tape drive is  
provided through the Dione card (see “Dione Card”), which serves as a  
serial-to-Ethernet translation device for the tape drive.  
FIGURE 3-1 shows an example of the VOP Display.  
FIGURE 3-1 Virtual Operator Panel Display  
1. Connect Tab  
2. Monitor Drive Tab  
3. Configure Drive Tab  
4. Diagnose Drive Tab  
5. Drive status indicators (colors): Online/Offline, Loaded, Service, Encrypt (Encryption indicator)  
The VOP application uses an Ethernet connection to communicate with the tape  
drives, either:  
Point-to-point, using a cross-over cable  
Networked, using a switch and standard (straight) Ethernet cables  
This Ethernet interface provides communication with the tape drives and allows:  
Customer operators to:  
Select and monitor drive status indicators  
View, load, and configure drive settings  
Enroll and un-enroll agents (tape drives) for use with the KMS  
Services representatives to:  
View, delete, load, and configure encryption and communication settings  
IPL a drive  
Run diagnostics and retrieve dumps and logs for the Dione card  
Enable and disable encryption  
VOP Prerequisites  
Before you can install and operate the VOP application, your computer system  
must meet certain prerequisites. These are the minimum:  
Hardware requirements  
Operating system certifications  
Java Runtime Environment (JRE) minimum release level requirements  
Computer Hardware Requirements  
The minimum hardware requirements include:  
512 MB memory  
1.0 GHz processor  
Ethernet port available for static IP addressing  
RJ45–RJ45 Ethernet cross-over cable (direct connection to drive)  
RJ45–RJ45 Ethernet cables (indirect connection through an Ethernet switch)  
Operating System Certification  
These operating systems are certified for use with the VOP:  
Windows 2000 or XP  
Linux–Redhat 9.0, ES  
Solaris–SunOS 5.8, SunOS 5.9, and SunOS 5.10  
Java Runtime Environment Requirement  
The VOP software application is a Java-based program; therefore, you need a  
compatible version of Java Runtime Environment (JRE) installed.  
Before attempting to install and run VOP, verify that Java is installed and that  
its release level is J2SE 1.5 or higher.  
Using VOP  
There are two versions of VOP: 1) Customer and 2) Service.  
Refer to the VOP documentation for information about how to download and  
install these applications. TABLE 3-1 is an example of these versions.  
TABLE 3-1 VOP Versions, Files, Documents, and Download Sites  

| Version | Document | Files | Posted | File Size |
|---|---|---|---|---|
| Customer | 96179 | VOP_CUST_REL_1.0.12.zip | 05/28/2008 21:30 | 6055192 |
| | | General_Instructions_Download | 05/28/2008 21:42 | 47104 |
| | | Document.txt | 05/28/2008 21:56 | 173 |
| | | Download Site: | | |
| Service | 96180 | VOP_SVC_REL_1.0.12.zip | 05/28/2008 22:12 | 7006234 |
| | | General_Instructions_Download | 05/28/2008 22:24 | 47104 |
| | | Document.txt | 05/28/2008 22:44 | 173 |
| | | Download Site: | | |

For the initial configuration, use a secure point-to-point connection and the default  
IP address 10.0.0.1. Because all tape drives use the same default IP address,  
connecting them to a switch for the initial configuration will cause problems  
unless you power the drives on and configure them one at a time.  
To use VOP for LTO4 tape drives, you need to launch a special file:  
Windows: Launch the batch file (ltoVOP.bat)  
Solaris/Linux: Launch the ltoVOP file (above the batch file)  
FIGURE 3-2 VOP Files and LTO Batch File  
Start VOP  
Important:  
Remember, the Service Delivery Platform (SDP) does not support the LTO4  
drives. You may need to make adjustments to the network addresses if mixing  
tape drives on the same KMA and/or SDP network (LAN 2).  
With this Ethernet connection, you cannot perform the functions with this tape  
drive that you can with the T-Series drives, such as downloading tape drive code  
and running tape drive diagnostics.  
Before beginning, make sure you have the assigned IP addresses and Agent  
names for the tape drives available and defined in the KMS manager.  
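
The default-address and pre-assignment points above can be checked on paper before any drive is cabled to a switch. The following is an added example, not part of the Sun brief or the VOP software: it validates a planned list of agent names and IP addresses, flagging entries left at the factory default 10.0.0.1, duplicated, malformed, or outside the KMS subnet. The agent names, the sample plan, and the 10.0.0.0/24 subnet are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

DEFAULT_IP = ipaddress.ip_address("10.0.0.1")  # factory default given in this brief

# Constructed sample plan: (agent name, assigned IP). All values are made up.
SAMPLE_PLAN = [
    ("lto4-agent-01", "10.0.0.5"),
    ("lto4-agent-02", "10.0.0.6"),
    ("lto4-agent-03", "10.0.0.1"),     # still the factory default
    ("lto4-agent-04", "10.0.0.6"),     # same address as agent-02
    ("lto4-agent-02", "10.0.0.8"),     # agent name reused
    ("lto4-agent-05", "192.168.1.9"),  # outside the assumed KMS subnet
    ("lto4-agent-06", "10.0.0.300"),   # not a valid IPv4 address
]

def check_plan(plan, kms_subnet="10.0.0.0/24"):
    """Return a sorted list of (agent, ip, problem) findings for an address plan."""
    net = ipaddress.ip_network(kms_subnet)  # assumed subnet, not from the brief
    findings, parsed = [], []
    for agent, raw in plan:
        try:
            parsed.append((agent, ipaddress.ip_address(raw.strip())))
        except ValueError:
            findings.append((agent, raw, "invalid address"))
    ip_counts = Counter(ip for _, ip in parsed)
    name_counts = Counter(agent for agent, _ in plan)
    for agent, ip in parsed:
        if ip == DEFAULT_IP:
            # A drive left here collides with every unconfigured drive on the LAN.
            findings.append((agent, str(ip), "factory default address"))
        if ip not in net:
            findings.append((agent, str(ip), "outside KMS subnet"))
        if ip_counts[ip] > 1:
            findings.append((agent, str(ip), "duplicate address"))
    for agent, raw in plan:
        if name_counts[agent] > 1:
            findings.append((agent, raw, "duplicate agent name"))
    return sorted(findings)

if __name__ == "__main__":
    for agent, ip, problem in check_plan(SAMPLE_PLAN):
        print(f"{agent:15} {ip:12} {problem}")
```
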
To start the VOP for the LTO4:  
1. Configure and connect your laptop to an LTO4 tape drive.  
(For example: use a cross-over cable and connect directly to a tape drive.)  
2. Start the executable file (the ltoVOP file or ltoVOP.bat) to start the application.  
3. Enter the default IP address (10.0.0.1) and click Connect.  
FIGURE 3-3 LTO VOP Connect Screen  
TIP:  
You may want to create a shortcut on your desktop that links you to the  
ltoVOP executable file. Then click on this shortcut to launch this application.  
4. Set the drive offline.  
5. Select the Configure Drive tab and enter the required information.  
You will need customer input for the KMA ID, IP Address, and Passphrase.  
FIGURE 3-4 Configure Drive  
6. Click Commit and respond “Yes” to the set drive offline pop-up (if still online).  
The commit process takes about 30 seconds to complete.  
7. Click on the Diagnose Drive tab to observe the commit process.  
FIGURE 3-5 Commit—Passed  
During the commit process, the tape drive goes offline then IPLs to save the new  
settings to the Dione card.  
Important:  
When the drive comes back online, it uses the new IP address.  
8. To continue with the configuration and to “enroll” the tape drive, you must  
connect the drive to the KMS network. The KMS must be able to communicate  
with the tape drive to complete the enrollment process.  
Note – The Agent must already be created, with a pass phrase assigned, in the  
KMS before you can enroll the drive. If you “Unenroll” the Agent (for example,  
to turn encryption off) and then re-enroll the agent to turn encryption back on,  
the pass phrase must be re-entered or the agent recreated in the KMS before  
re-enrollment.  
9. Enter the new IP address in the connection window and click Connect  
(10.0.0.5 for this example).  
FIGURE 3-6  
10. Select the Configure Drive tab. The new settings are shown in the display.  
11. Click “Enroll.”  
12. Click on the Diagnose Drive tab to observe the enroll process.  
The enroll process takes about 40 seconds to complete.  
When the enrollment is complete, the button now indicates Unenroll.  
Use this button to unenroll the tape drive, which turns encryption off  
(see the note in Step 8).  
Diagnose Drive Tab  
The Dione card and the VOP Diagnose Drive tab allow you to perform limit tests,  
get logs for engineering review, and load Dione card firmware.  
Run LED Diagnostic Test  
To run the LED diagnostic test:  
1. Click on Run LED Diag. The display changes the button to EXIT LED Diag.  
2. During this time, if you press the Reset switch, the green encryption LED  
will flash.  
3. Click EXIT LED Diag to end this test.  
FIGURE 3-7 Run LED Diag  
When you power on the LTO4 tape drive, the green LED is on for 30 seconds while the  
Dione card performs an initial program load (IPL).  
After 30 seconds, the LED goes out and stays out until the tape drive is in an  
encryption-capable mode (tape loaded, key available, encrypting or decrypting).  
Run Loopback Test  
To run the Loopback diagnostic test:  
1. Click on Run Loopback Test.  
2. Observe the display as the test starts and ends.  
FIGURE 3-8 Run LED Diag  
Get Log  
If a Dione card or connection is consistently having problems, engineering may  
request you retrieve a log of events from the Dione card.  
1. Click Get Log.  
2. Create and select a location for the file.  
Once the file has transferred, the operation is complete.  
FIGURE 3-9 Run LED Diag  
Load Firmware  
To load new Dione card firmware:  
Obtain the firmware and place it in a directory that is easy to locate.  
Click on Load Firmware.  
A dialog box opens requesting the location of the firmware.  
Navigate to that location and load the files.  
Note there are two files to download: *.bin and *.hdr.  