Identifying drives

Identify an LTO tape drive for use with IBM® Security Guardium® Key Lifecycle Manager. Before you begin, create the key groups that you want to associate with tape drives that you identify.

About this task

You can use the Add Tape Drives dialog or the Device Add REST Service to add a device. Your role must have permission for the create action and permission for the appropriate device group.

You can make any of the following choices for serving keys to devices.
  • Only accept manually added devices for communication
    Incoming devices are not added to the data store. You must manually specify key service to each device.
  • Hold new device requests pending my approval
    All incoming devices of a valid device group are added to the device store, but are not automatically served keys upon request. You must accept or reject a device in the pending devices list before the device is served keys upon request.
  • Automatically accept all new device requests for communication
    All new incoming devices of a valid device group are added to the data store and are automatically served keys upon request.
    Note: Do not use this setting if you intend to move the new device to another device group. Instead, select manual or pending approval mode so that you can move the device into the appropriate device group before any keys are served.

Any setting is acceptable if there are no device groups. However, if device groups are specified:

Determine whether you want IBM Security Guardium Key Lifecycle Manager to automatically accept requests from all drives. For greater security, after all drives are discovered, you might turn off this option for a production environment.

Procedure

  1. Go to the appropriate page or directory:
    • Graphical user interface:
      1. Log on to the graphical user interface.
      2. In the Key and Device Management section on the Welcome page, select LTO.
      3. Click Go to > Guided key and device creation.
      4. Alternatively, right-click LTO and select Guided key and device creation.
    • REST interface:
      • Open a REST client.
  2. Skip the Create Key Groups page. Click the Go to Next Step link or click Step 2: Identify Drives.
  3. You might specify that IBM Security Guardium Key Lifecycle Manager holds new device requests for your approval.
    • Graphical user interface:

      Select Hold new device requests pending my approval.

    • REST interface:
      1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
      2. To set the value of the device.AutoPendingAutoDiscovery attribute, send an HTTP PUT request to the Device Group Attribute Update REST Service. Pass the user authentication identifier that you obtained in step 1 along with the request message, as shown in the following example.
        PUT https://localhost:port/SKLM/rest/v1/deviceGroupAttributes
        Content-Type: application/json
        Accept: application/json
        Authorization: SKLMAuth authId=139aeh34567m

        {"name":"LTO","attributes":"device.AutoPendingAutoDiscovery 2"}
  4. Add a device:
    • Graphical user interface:
      1. On the Step 2: Identify Drives page, in the Devices table, click Add.
      2. On the Add Tape Drive dialog, type the required and optional information.
      3. Click Add Tape Drive.
    • REST interface:
      You can use the Device Add REST Service to add a device. For example, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/devices
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=37ea1939-1374-4db7-84cd-14e399be2d20
      Accept-Language: en

      {"type":"LTO","serialNumber":"FAA49403AQJF","attributes":"worldwideName ABCdeF1234567890,description marketingDivisionDrive"}
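
The two REST calls from steps 3 and 4, built as Python request objects. This is an added example, not IBM code. The port 9443 and the auth identifier are constructed placeholders, the Authorization form follows the Device Add example above, and rejecting spaces and commas inside attribute tokens is an assumption based on the separators visible in the page's examples.

```python
import json
import urllib.request

PENDING_APPROVAL = "2"  # value the page sends for device.AutoPendingAutoDiscovery


def encode_attributes(attrs):
    """Serialize {name: value} into the page's "name value,name value" string."""
    parts = []
    for name, value in attrs.items():
        for token in (name, value):
            # Space and comma are the separators; the page shows no escaping,
            # so refuse input that would change how the string is split.
            if not token or any(c.isspace() or c == "," for c in token):
                raise ValueError(f"unsafe attribute token: {token!r}")
        parts.append(f"{name} {value}")
    return ",".join(parts)


def _request(method, base_url, path, auth_id, body):
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"SKLMAuth userAuthId={auth_id}",
    }
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(base_url + path, data=data, headers=headers, method=method)


def hold_new_devices(base_url, auth_id, group="LTO"):
    """PUT that puts a device group into pending-approval mode (procedure step 3)."""
    attrs = encode_attributes({"device.AutoPendingAutoDiscovery": PENDING_APPROVAL})
    return _request("PUT", base_url, "/deviceGroupAttributes", auth_id,
                    {"name": group, "attributes": attrs})


def add_device(base_url, auth_id, serial, attrs, dev_type="LTO"):
    """POST that registers one drive (procedure step 4)."""
    return _request("POST", base_url, "/devices", auth_id,
                    {"type": dev_type, "serialNumber": serial,
                     "attributes": encode_attributes(attrs)})


if __name__ == "__main__":
    # Constructed values: port and auth identifier are placeholders.
    base = "https://localhost:9443/SKLM/rest/v1"
    for req in (hold_new_devices(base, "EXAMPLE-AUTH-ID"),
                add_device(base, "EXAMPLE-AUTH-ID", "FAA49403AQJF",
                           {"worldwideName": "ABCdeF1234567890",
                            "description": "marketingDivisionDrive"})):
        print(req.get_method(), req.full_url, req.data.decode())
```

Each returned object can be passed to urllib.request.urlopen to send it. Sending the pending-approval PUT before registering drives keeps new devices from being served keys until they are reviewed.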

What to do next

Next, you can use the LTO Key and Device Management page to view all key groups and devices.