Enabling tape encryption
This topic provides an overview of how to enable encryption on the TS7700. You can enable encryption on back-end drives so that virtual drive operations on your TS7700 do not change. You can also manage encryption key server or Tivoli® Key Lifecycle Manager communications through the network to avoid interference with host operations. You can also control encryption by pools.
Before you begin
- The tape drives (TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives) are encryption-capable and enabled.
- The encryption key server, TKLM (Tivoli Key Lifecycle Manager), ISKLM (IBM® Security Key Lifecycle Manager for z/OS®), or Guardium Key Lifecycle Manager (GKLM) 4.1 is installed and configured on the network.
- Key-encrypting keys (KEKs) are defined.
- The license key for FC 9900, Tape Encryption Tape is installed and activated.
- Verify correct license keys are installed
-
Ask your IBM service representative to receive the most current level of TS7700 code.
- In the address bar of a web browser, enter the URL of the TS7700. For example, type:
http://virtual IP/Console
- At the TS7700 welcome screen, enter the userid and the password to log on to the TS7700, and select Login.
- From the navigation select Settings>Feature Licenses.
- The Feature Licenses page is displayed, including the table shown in Figure 1. Verify that FC 9900, Tape Encryption
configuration, displays on this table.
Figure 1. Currently active feature licenses
- In the address bar of a web browser, enter the URL of the TS7700. For example, type:
- If using TS1120 Tape Drives, verify they are encryption-capable
- From the navigation, select Physical>Physical Tape Drives.
- Select the radio button next to the drive you want to verify and select Select Action>Details. Then click Go.
- If Yes displays in the second column, adjacent
to Encryption Capable, encryption capability
and enablement are set. If No displays in the
column adjacent to Encryption Capable, encryption
capability and enablement are NOT set.Attention: If encryption capability and enablement are not set, contact your IBM Service Representative to enable encryption following the procedures in the IBM System Storage TS1120, TS1130, and TS1140 Tape Drives (16th Edition - June 2011) Maintenance Information IBM 3592 Models J1A, E05, E06, EU6, and E07.
- Verify encryption key server or TKLM is installed and configured on the network
- From the navigation select Settings>Cluster Settings> Encryption Key Server Addresses.
- Verify that at a minimum, the Primary key server address and Port fields
are complete.Attention: If encryption key server or TKLM is not installed and configured, contact your IBM Service Representative to enable encryption following the procedures in the IBM Encryption Key Server component for the Java™† platform Introduction, Planning, and User's Guide, the IBM Tivoli Key Lifecycle Manager Information Center, or the IBM Tivoli Key Lifecycle Manager Quick Start Guide.
About this task
- Enable the TS1150 Tape Drives, TS1140 Tape Drives, TS1130 Tape Drives or TS1120 Tape Drives for encryption.
- Note: If you intend to use tape drives in encryption mode, you must enable encryption on all tape drives that you attach to the TS7700.
Ask your IBM service representative to receive the most current levels of TS7700 code.
- Install and activate the encryption license key