Quantum Scalar i6000 User manual

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 4

Quantum Scalar i6000 & SafeNet KeySecure Quick Start

Guide

SafeNet’s KeySecure k460 servers work with Quantum’s Scalar i6000 appliance server to create a KMIP-

compliant encryption system. The Key Management Interoperability Protocol (KMIP®) is a specification

developed by OASIS®. Its function is to standardize communication between enterprise key management

systems and encryption systems.

Details about the Quantum Scalar i6000/SafeNet k460 KMIP-compliant implementation include:

•A minimum of two SafeNet KeySecure servers are required for failover purposes. A total of 10 SafeNet

encryption servers are allowed, for increased failover capability.

•Data encryption keys are generated one at a time, as needed, upon request.

This document summarizes the information available in the quick start and user guides that accompany

your Quantum Scalar i6000 library and SafeNet KeySecure appliances and provides step-by-step

instruction for configuring the devices for combined use. For detailed information about each individual

product, such as feature configuration instructions and hardware specifics, consult the following

documents:

•Scalar i6000 User’s Guide

•Scalar i6000 User’s Guide Addendum

•KeySecure v6.0.0 Installation Guide

•KeySecure v6.0.0 User Guide

Step 1: Install and Configure the SafeNet KeySecure

You will need the following equipment for each KeySecure:

•Null modem cable.

•Ethernet cable.

•KeySecure power cable.

•Console terminal or PC.

•Phillips Screwdriver.

•SafeNet Pin Entry Device (PED).

•9-pin Micro-D data cable (included with the PED).

•3 SafeNet iKeys. Apply the labels so that there is one blue, one red, and one black iKey.

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 5

During the initialization process, you must have the following information:

•An IP address for the KeySecure.

•An IP address for the SSKM. This must be on the same subnet as the KeySecure IP.

•The subnet mask for the network.

•The gateway for the network.

•A hostname for the KeySecure.

•A port on the KeySecure on which the web administration occurs. The default port is 9443.

•A port on the KeySecure on which KMIP communication occurs. We recommend port 5696, as this is

the standard created by IANA.

Secure the KeySecure in a standard 19-inch rack that provides sufficient space at the front and rear for

cabling, airflow, and maintenance.

To mount the KeySecure:

1Open the bezel.

2Position the rack mount brackets to align with holes in the rack posts.

3Use a screwdriver to start the screws into the mounting brackets. Do not tighten.

4Properly align the device in the rack.

5Use a screwdriver to tighten the screws. This should securely attach the mounting brackets to the

rack posts.

6Connect the null modem cable to the serial port on the back panel of the KeySecure. Plug the other

end of the null modem cable into the serial port of your console terminal or PC.

7Connect the ethernet cable to the ethernet interface on the back panel of the KeySecure. Plug the

other end of the ethernet cable to your network.

8Connect the 9-pin Micro-D data cable to the PED port on the back of the KeySecure. Plug the other

end of the data cable to the top of the PED.

9Connect the power cable from the power supply on the back panel of the KeySecure to an AC

power source. Unscrew the front plate to access the front panel components. Press the power switch

on the front panel. Reattach the front plate. The initial boot sequence and internal configuration can

take several minutes.

10 While the KeySecure performs the initial boot sequence, start a terminal emulation session using an

application such as HyperTerminal or Minicom. Use the following port settings:

-VT100/ANSI

-19200 bps

-8 data bits

-No parity

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 6

-1 stop bit

-Hardware flow control

11 The initialization process begins after you power up the KeySecure.

System starting up...

Release 6.0.0

Are you ready to begin setup? (y/halt): y

Enter yto continue or halt to abort the process. Entering halt shuts down the machine.

12 Create the admin account. You use this account to log in to the Management Console and the CLI.

You can modify this account and create additional users later.

For further administrative access to this device you will

need an administrative account. An account called 'admin' will

be created and will be the primary administrative account.

Please enter a password for the admin account:

Please enter password again:

User 'admin' has been created.

Enter and confirm the password. The system creates the user if the password entries are successful.

WARNING: Remember the admin password. An administrator password can only be reset by another

administrator with the appropriate access privileges. This is a fundamental security precaution. If all

administrator passwords are lost, you cannot re-configure the KeySecure. All keys and configuration

data will be unrecoverable and you must return the device to have the software reinstalled.

13 Set the system time zone, date, and time.

Please select your time zone:

1: Samoa Time Zone

2: Hawaii Time Zone

...

Enter time zone [5]:

Enter the local date (MM/DD/YYYY) [03/02/2011]:

Enter the local time (HH:MM:SS) [15:40:23]:

The time and date have now been set.

You can view the full list of time zones on the console. The script displays default values for the time

zone, date, and time in brackets. You can accept those defaults by pressing Enter, or you can enter

specific values.

14 Set the network addresses for the KeySecure.

To support network based configuration, a single IP address

is needed to bind to. Once an IP address is provided all further

configuration can be done remotely using SSH or using the Web

administration site.

Note that this will configure Ethernet #1 on your device.

Please enter the following information:

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 7

IP address:

Subnet mask [255.255.255.0]:

Default gateway [10.20.30.1]:

Hostname:

You have entered the following configuration:

IP address: 192.168.15.25

Subnet mask: 255.255.255.0

Default gateway: 192.168.15.1

Hostname: box1.company.com

Is this correct? (y/n): y

Network settings have been successfully configured.

Enter and confirm the IP address, Subnet mask, Default gateway, and Hostname of your KeySecure.

The script displays default values for the Subnet mask, and Default gateway in brackets. You can

accept those defaults by pressing Enter, or you can enter specific values.

Note: This procedure configures ethernet port 1.

15 Set the port number for the Management Console.

Further administration of this device can be done remotely.

Please enter the port number you wish the Web administration tool

to run from. The default value is recommended.

Enter the port number [9443]:

Enter the port number. The script displays the default port of 9443. You can accept this default by

pressing Enter, or you can enter another value.

16 Initialize the hsm. This requires physical access to the PED and the 3 iKeys.

Do you want to initialize the HSM now? (y/n): y

Luna PED operation required to initialize HSM - use Security Officer (blue)

PED key.

Important! When prompted to insert iKeys, there is a limited time (approx. 3 minutes) in which

to insert the token. After this time period, the operation times out and the HSM initialization must

occur separately from the KeySecure installation.

Note: The instructions below assume that you are using new iKeys. If overwriting or reusing existing

keys, the installation options will differ, slightly, from those listed below.

17 Insert the SO/HSM Admin (blue) iKey into the PED. The PED displays and the corresponding

actions are shown below.

SETTING SO PIN...

Would you like to reuse an existing keyset? (Y/N)

aPress No.

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 8

SETTING SO PIN...

M value? (1-16)

>01

bPress 1 and press Enter.

SETTING SO PIN...

N value? (M-16)

>01

cPress 1 and press Enter.

SETTING SO PIN...

Insert a SO / HSM Admin PED Key. Press ENTER.

dInsert the SO/HSM Admin (blue) iKey and press Enter.

SETTING SO PIN...

Enter new PED PIN:

eEnter a PIN value.

SETTING SO PIN...

Confirm new PED PIN:

fConfirm the same PIN value.

SETTING SO PIN...

Are you duplicating this keyset? (Y/N)

gPress No.

The KeySecure CLI displays the following message:

Luna PED operation required to login as HSM Administrator - use Security

Officer (blue) PED key.

The PED displays the following text:

SO LOGIN

Insert a SO / HSM Admin PED Key. Press ENTER.

hKeep the blue iKey inserted in the PED and press Enter.

SO LOGIN

Enter PED PIN:

iEnter the PIN for the SO/HSM Admin (blue) iKey and press Enter.

The KeySecure CLI displays the following message:

Luna PED operation required to generate cloning domain - use Domain (red)

key.

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 9

The PED displays the following text:

SETTING DOMAIN...

Would you like to reuse an existing keyset? (Y/N)

jPress No.

SETTING DOMAIN...

M value? (1-16)

>00

kPress 1 and press Enter.

SETTING DOMAIN...

N value? (M-16)

>01

lPress 1 and press Enter.

SETTING DOMAIN...

Insert a DOMAIN PED Key. Press ENTER.

mInsert the Domain (red) iKey and press Enter.

SETTING DOMAIN...

Enter new PED PIN:

nEnter a PIN value.

SETTING DOMAIN...

Confirm new PED PIN:

oConfirm the same PIN value.

SETTING DOMAIN...

Are you duplicating this keyset? (Y/N)

pPress No.

The KeySecure CLI displays the following message:

Luna PED operation required to create a partition - use User or

Partition Owner (black) PED key.

The PED displays the following text:

SETTING USER PIN...

Would you like to reuse an existing keyset? (Y/N)

qPress No.

SETTING USER PIN...

M value? (1-16)

>00

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 10

rPress 1 and press Enter.

SETTING USER PIN...

N value? (M-16)...

>00

sPress 1 and press Enter.

SETTING USER PIN...

Insert a USER / Partition Owner PED Key. Press ENTER.

tInsert the User/Partition (black) iKey and press Enter.

SETTING USER PIN...

Enter new PED PIN:

uEnter a PIN value.

SETTING USER PIN...

Confirm new PED PIN:

vConfirm the same PIN value.

SETTING USER PIN...

Are you duplicating this keyset? (Y/N)

wPress No.

USER LOGIN...

Insert a USER / Partition Owner PED Key. Press ENTER.

xKeep the User/Partition (black) iKey inserted in the PED and press Enter.

USER LOGIN...

Enter PED PIN:

yEnter the PIN for the User/Partition (black) iKey and press Enter.

The KeySecure CLI displays the following message:

Luna PED operation required to generate cloning domain on the

partition - use Domain (red) PED key.

The PED displays the following text:

SETTING DOMAIN...

Would you like to reuse an existing keyset? (Y/N)

zPress Yes. You will reuse the Domain (red) iKey you created above.

READING DOMAIN...

Insert a Domain PED Key. Press ENTER.

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 11

aa Insert the Domain (red) iKey and press Enter.

READING DOMAIN...

Enter PED PIN:

ab Enter the PIN for the Domain (red) iKey and press Enter.

READING DOMAIN...

Are you duplicating this keyset? (Y/N)

ac Press No

MxCT-c7F9-HHX5-YtH3

Please write it down. Press Enter.

ad Write down the password displayed on the PED.

The KeySecure CLI displays the following message:

Do you want to set the HSM password now? (y/n): y

The KeySecure CLI displays the following message:

Luna PED operation required for crypto user login on HSM - use User or

Partition Owner (black) PED key.

The PED displays the following text:

USER LOGIN...

Insert a USER / Partition Owner PED Key. Press ENTER.

ae Insert the User/Partition (black) iKey and press Enter.

USER LOGIN...

Enter PED PIN.

af Enter the PIN for the User/Partition Owner (black) iKey and press Enter.

The KeySecure CLI displays the following message:

Crypto user successful logged into the HSM

18 Configure the SSKM network interface. Alternatively, you can configure the SSKM network interface

later, using the CLI or the management console. For information about configuring the SSKM network

interface after installing the KeySecure, see Chapter 3, “SSKM Interface Configuration”.

Do you want to configure the SSKM Network Interface now (y/n): y

IP Address (in same subnet as IP of physical interface): 192.168.15.125

Netmask: 255.255.255.0

You have entered the following configuration:

IP address: 192.168.15.125

Subnet mask: 255.255.255.0

Is this correct? (y/n): y

Network Templates generated OK

IP address 192.168.15.125 scheduled for assignment to SSKM

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 12

Warning: If SSKM is not started soon, IP 192.168.15.125 may become stale

SUCCESS: Configured network interface with ip=192.168.15.125,

netmask=255.255.255.0 and interface=eth0

Start SSKM now? (y/n): y

SUCCESS: SSKM Started OK

Note: The SSKM can only be started when the HSM is initialized. If you defer the HSM initialization,

you can configure the SSKM interface, but you must start the SSKM after initializing the HSM. To start

the SSKM use the you cannot start the SSKM, though you can configure it.

At this point, you’ve given the installation program everything it needs.

The KeySecure creates a DSA key, an RSA key, and a Web Admin certificate. These keys are used to

authenticate the KeySecure to users making SSH and Web Admin connections to the KeySecure.

Because the actual key is fairly large, the KeySecure displays the key fingerprint on the console.

Creating certificate for Web administration server...

Creating certificate for signing logs...

Creating SSH host keys...

SSH RSA key fingerprint:

2048 41:63:d3:ca:c9:ea:1f:f7:a1:84:8b:05:b4:a6:3b:64

SSH DSA key fingerprint:

2048 1d:04:d7:02:60:d5:f2:11:30:12:0a:d9:bb:19:c2:fe

Webadmin certificate fingerprint (SHA-256):

1024 ad:8b:9f:79:5f:de:88:a0:89:36:d6:51:cd:0a:7f:ff:

d3:88:cd:7a:4a:f0:95:b8:21:b7:19:21:3c:71:39:c1

Initializing the key store. This could take several minutes.

waiting for the server to shut down.... done

server stopped

Starting services...

The Web-based Management Console will now be available at this URL:

<https://192.168.15.25:9443>

This device has now been configured.

Press Enter to continue.

Tip: To prevent a “man in the middle” attack when connecting to the KeySecure, we recommend that

you write down these fingerprints and compare them with what is presented when you connect to the

KeySecure via SSH or HTTPS.

19 At the end of this configuration process, setup is complete and you can log into the KeySecure via

the Management Console or the CLI.

YourDevice login: admin

Password: ******

YourDevice#

Use your admin username and password to log in to the system.

QUANTUM SCALAR I6000 & SAFENET KEYSECURE QUICK START GUIDE 13

Step 2: Create a Local CA on the KeySecure

Because the KMIP Interface operates over SSL, KMIP server configuration is done in three parts. First,

you must configure a local CA on the KeySecure. Second, you must create a server certificate signed by

that local CA. Third, you must configure the KMIP server settings.

To create a local certificate authority:

1Log in to the Management Console as an administrator with Certificate Authorities access control.

2Navigate to the Create Local Certificate Authority section of the Certificate and CA Configuration page

(Security >> Local CAs).

3Enter the Certificate Authority Name, Common Name, Organization Name, Organizational Unit

Name, Locality Name, State or Province Name, Country Name, Email Address, and Key Size.

Note: To integrate with the Quantum Scalar i6000, the CA’s Key Size must be 2048.

4Select either Self-signed Root CA or Intermediate CA Request as the Certificate Authority Type.

When you create a self-signed root CA, you must also specify a CA Certificate Duration and a

Maximum User Certificate Duration, which become valid once you click Create. Once you create a

self-signed root CA, you must add it to the trusted CA list for it to be recognized by the Key Server.

When you create an intermediate CA request, you must sign it with either an existing intermediate CA

or your organization’s root CA. Certificates signed by the intermediate CA can be verified by that same

intermediate CA, by the root itself, or by any intermediate CAs that link the signing CA with the root.

This enables you to de-centralize certificate signing and verification.

When creating an intermediate CA request, you must also specify a Maximum User Certificate

Duration when installing the certificate response. This duration cannot be longer than the signing CA’s

duration.

5Click Create to create the KeySecure’s local CA.

Other manuals for Scalar i6000

Other Quantum Server manuals

Quantum

Quantum NDX Series User manual

Quantum

Quantum Snap! Server 4000 User manual

Quantum

Quantum NDX Series User manual

Quantum

Quantum NDX Series User manual

Quantum

Quantum StorNext M660 User manual

Quantum

Quantum StorNext M440 User manual

Quantum

Quantum NDX Series User manual

Quantum

Quantum NDX Series User manual

Quantum

Quantum DXi6900 User manual

Popular Server manuals by other brands

HP Tc2120 - Server - 256 MB RAM installation guide

Lenovo

Lenovo ThinkServer RD230 manual

Avocent

Avocent CPS810 Installer/user guide

Dell

Dell PowerEdge R6615 Installation and service manual

FreeWave

FreeWave HT2+ installation guide

GIGA-BYTE TECHNOLOGY

GIGA-BYTE TECHNOLOGY G492-Z50 user manual

Lanner

Lanner HTCA-E400 user manual

Bull

Bull NovaScale T840 E2 user guide

Asus

Asus RS740-E70RS24-EG Configuration guide

Meinberg

Meinberg LANTIME M300/TCR manual 

HP ProLiant SL335s G7 Maintenance and service guide

ZyXEL Communications

ZyXEL Communications VANTAGE RADIUS 50 user guide

Lantronix

Lantronix xDirect-IAP quick start guide

Fujitsu

Fujitsu PRIMEQUEST 2400E3 General description

IBM

IBM 9040-MR9 manual

IBM

IBM 306m - eServer xSeries - 8849 user guide

green hippo

green hippo Hippotizer Nevis+ quick start guide

IBM

IBM 8203-E4A Brochure & specs