HP StorageWorks Secure Key Manager user's guide
Part number: AJ087-96011
2nd edition: November 2008
Table 18 Netstat Information section components
Component: Description
Run: Click Run to see a list of all active network connections on the SKM.
Reading Ne
A SKM appliance information sheet
The information on this sheet is specific to the HP StorageWorks Secure Key Manager (SKM) appliance to which it is atta
Figure 34 Back of SKM appliance
Item: Description
1: Serial number of the appliance
2: Product ID number (PID) of the appliance
3: Pull-out panel that also shows
B Using the Management Console
Logging in and out
Use the Administrator Authentication screen to log into the Management Console.
Figure 35 Viewing the A
Figure 37 Viewing the Security Summary section
Click the High Security page link to access the High Security page. You can enable FIPS compliance from t
Table 21 System Summary section components
Component: Description
Product: Displays your platform.
Unit ID: Displays your Unit ID.
Software Version: Displays th
Figure 40 Viewing the Search Criteria section
The following table describes the components of the Search Criteria section.
Table 23 Search Criteria sect
Filtering sections
Some sections of the Management Console normally hold many rows of data. Key and Local Users sections may span multiple pages. Use th
Figure 44 Locating button to launch context-sensitive help
Clicking this icon opens the documentation for the specific section in a new window. (Subsequ
The Key and Policy Configuration page enables you to create, import, and manage keys. This page contains the following sections:
• Keys
• Key Properties
• Gr
Figure 47 Viewing the Key section
The following table describes the components of the Keys section.
Table 27 Keys section components
Component: Description
Query: Select the query to apply to the page.
Run Query: Select this button to run a query. This Manage
key. Instead it gives a new name to the existing metadata and key bytes. To create a copy of an existing key, use the Clone Key section.
Figure 48 Viewing th
key version's state permits the operation, and the request comes from a member of the permitted group. A key can have a maximum of 4000 versions.
Group
For non-global keys, if a user is not the owner and is not a member of a group with permissions to use the key, the user cannot access the key. The owne
Figure 51 Viewing the Key Versions and Available Usage section
Table 31 Key Versions and Available Usage section components
Component: Description
Version: Displays
Create Query
Use this section to create key queries. A key query enables you to view a subset of the keys that exist on the SKM. This section enables you t
Figure 54 Viewing Saved Queries section
Table 34 Saved Queries section components
Component: Description
Query Name: Displays the name of the query.
Description: Di
Table 35 Modify Query section components
Component: Description
Query Name: The name of the query. This field is only required when saving the query. You ca
Table 36 Create Key section components
Component: Description
Key Name: This is the name that the server uses to refer to the key. The key name must begin
Figure 57 Viewing the Clone Key section
Table 37 Clone Key section components
Component: Description
New Key Name: This is the name that the server uses to
Figure 58 Viewing the Import Key section
The following table describes the components of the Import Key section.
Table 38 Import Key section components
C
Authorization Policy Configuration Page
An authorization policy enables you to limit how a group may use a key. You implement an authorization policy whe
Figure 59 Viewing the Authorization Policies section
The following table describes the components of the Authorization Policies section.
Table 39 Author
• User1 can make only 100 more requests between 11:31 AM and 11:59 AM
NOTE: Had the limit been lowered to 75, User1 would only be allowed to make 25 mor
Active Versions
Use this section to configure the number of active versions allowed for a versioned key. Active versions of a key can be used for both en
Figure 63 Viewing the Custom Key Attributes section
Table 43 Custom Key Attributes section components
Component: Description
Attribute Name: Enter a uniq
Local Users
Use the Local Users section to add or modify local users. Once a user has been created, you can change the password but you cannot change the
NOTE: The User Administration Permission and Change Password Permission apply only to local users. LDAP users cannot be managed through the SKM; they must
Figure 66 Viewing the Custom Attributes section
The following table describes the components of the Custom Attributes section.
Table 46 Custom Attribute
Table 47 Local Groups section components
Component: Description
Group: Displays the local groups on the SKM.
Add: Click Add to add a group to the group list.
LDAP Server Configuration
Lightweight Directory Access Protocol (LDAP) is a protocol that allows you to enable authentication of your KMS Server based on
Table 50 LDAP User Directory Properties section components
Component: Description
Server IP or Hostname: The IP address or hostname of the primary LDAP ser
Table 51 LDAP Schema Properties section components
Component: Description
User Base DN: The base distinguished name (DN) from which to begin the search for
Table 52 LDAP Failover Server Properties section components
Component: Description
Failover Server IP or Hostname: The IP address or hostname of the LDAP server to use a
Table 53 LDAP Users section components
Component: Description
Username: Displays the users that can access the SKM from the LDAP server.
LDAP Groups: The LDAP
Figure 75 Viewing the User List section
The following table describes the components of the User List section.
Table 55 LDAP Groups section components
Co
Figure 76 Viewing the Certificate List section
The following table describes the components of the Certificate List section.
Table 56 Certificate List secti
CAUTION: If you are copying the certificate text into an application such as Microsoft Word, it is important to ensure that no carriage returns/line feed
Table 57 Certificate Information section components
Component: Description
Certificate Name: Name of the certificate. This name is only used internally.
Key S
Figure 78 Viewing the Certificate Installation section
NOTE: When multiple certificates are nested in one certificate, the certificate is installed as a cer
Figure 79 Viewing the Self Signed Certificate section
The following table describes the components of the Self Signed Certificate section.
Table 59 Self S
Table 60 Create Certificate Request section components
Component: Description
Certificate Name: Internal name of a newly generated CR. This name will be used
Table 61 Import Certificate section components
Component: Description
Source: Specify the method for importing the certificate to the SKM. If you are uploadi
Figure 82 Viewing the Trusted Certificate Authority List Profiles section
The following table describes the components of the Trusted Certificate Authorit
Figure 84 Viewing the Trusted Certificate Authority List (Edit Mode)
The following table describes the components of the Trusted Certificate Authority Li
Table 65 Local Certificate Authority List section components
Component: Description
CA Name: Displays the internal name of a certificate authority.
CA Informa
Figure 86 Viewing the CA Certificate Information section
The following table describes the components of the CA Certificate Information section.
Table 66
Figure 87 Viewing the Sign Certificate Request section
The following table describes the components of the Sign Certificate Request section.
Table 67 Sign
Table 68 Signed Certificates section components
Component: Description
Serial Number: The Serial Number, which is expressed in Base 16 notation, is assigned
Create Local CA
The Create Local CA section allows you to create a new local CA on the SKM. The fields are similar to those used to create a certificate o
Table 69 Create Local Certificate Authority section components
Component: Description
Certificate Authority Name: Internal name of newly generated certificate auth
Figure 91 Viewing the CA Certificate List section
The following table describes the components of the CA Certificate List section.
Table 70 CA Certificate
Figure 92 Viewing the Install CA Certificate section
The following table describes the components of the Install CA Certificate section.
Table 71 Install
certificates revoked by local CAs. The format of CRLs exported by the SKM is in PEM-encoded X.509 format.
Auto-Update
Each CA promises to update its CRL a
Using advanced security features
Advanced security features provide the highest level of secure operation on the SKM. This section discusses the followi
Clustering
Clustering FIPS-compliant devices with non-FIPS-compliant devices will disable FIPS for all devices in the cluster.
Backups
FIPS and non-FIPS d
Table 72 FIPS Compliance section components
Component: Description
Is FIPS Compliant: Indicates if the SKM's security configuration is consistent with FIPS
Table 73 High Security Settings section components
Component: Description
Disable Creation and Use of Global Keys: Disables the ability to create and use glo
IMPORTANT: Modifying any of the items in the Security Settings Configured Elsewhere section immediately takes the SKM out of FIPS compliance.
Figure 95 View
1. View the Security Protocols enabled on your Internet Browser. You must enable TLS 1.0 to access the Management Console while FIPS-compliant.
2. Log i
Table 75 FIPS Status Server tests
Test | Power-on | Conditional | Description
AES Encryption | X | | Known Algorithm Test for the AES algorithm. This test is performed at
Figure 96 Viewing the FIPS Status Report: normal
The following table describes the components of the FIPS Status Server Settings section.
Table 76 FIPS Status Report components
Component: Description
Product: Displays the model of your device.
Unit ID: The Unit ID is composed of alphanumeric cha
Figure 97 Viewing the FIPS Status Server Settings section
The following table describes the components of the FIPS Status Server Settings section.
Table
In this scenario, the client application indicates that it is willing to perform an SSL resume (rather than a full handshake) by sending a previously n
Figure 98 Viewing the SSL Options section
NOTE: Changes to the SSL Options cause the KMS Server to restart, which takes the KMS offline for a few seconds.
T
CAUTION: Exercise caution when modifying the SSL Cipher Order. Unless you are familiar with SSL Ciphers, you should not rearrange the Cipher Order list.
Configuring the KMS Server
The HP StorageWorks Secure Key Manager allows you to off-load cryptographic operations from application servers and other back
When the client requests that the server generate a new key, it can specify that the key should be exportable and/or deletable. An exportable key is a
Table 80 KMS Server Settings section components
Component: Description
IP: This field specifies the IP address(es) on which the KMS Server is enabled on the
Figure 101 Viewing the KMS Server Authentication Settings section
The following table describes the elements of the KMS Server Authentication Settings
Table 81 KMS Server Authentication Settings section components
Component: Description
User Directory: This field determines whether the KMS Server uses a lo
User Account Lockout Settings
Use the User Account Lockout Settings section to manage an account lockout policy.
Figure 102 Viewing the User Account Loc
Health Check
Use the Health Check section to enable the health check feature, and set the port and IP address.
Figure 103 Viewing the Health Check secti
the failure in the System Log and sends an SNMP trap indicating that the cluster is out of sync. Once a device is out of sync, an administrator must sy
During synchronization, an SKM will inherit a new list of local CAs from the cluster. The device's old list of local CAs will be deleted. Should you ne
Table 84 Cluster Members section components
Component: Description
Server IP: The IP of the member device.
Server Port: The port on which the device listens for clust
Table 85 Cluster Settings section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces,
Table 86 Create Cluster section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces, th
Table 87 Join Cluster section components
Component: Description
Local IP: The IP of the current device. If the device has multiple network interfaces, the pull-d
NOTE: Synchronizing the time causes the KMS Server to restart if the time change is greater than one minute. While restarting, the KMS Server is unavail
NOTE: Any change to the Date and Time Settings section causes the KMS Server to restart, which takes the KMS offline for a few seconds.
NTP Settings
Use th
• Port Speed Sections
• IP Authorization Procedures
Network Interfaces sections
The Network Configuration page contains the following network interface-relat
Figure 111 Viewing the Default Gateway List section
The following table describes the components of the Default Gateway List section.
Table 91 Default G
All responses to incoming packets leave from 10.20.41.1, except the responses to incoming packets from the 172.17.7.0 addresses (the local subnet of E
Figure 112 Viewing the Static Route List section
The following table describes the components of the Static Route List section.
Table 92 Static Route Lis
Table 93 Hostname Setting section components
Component: Description
Hostname: The hostname is the name used to identify the SKM on the network. It is origi
CAUTION: The Port Speed/Duplex setting is an advanced feature that should only be used when you are certain of the port speed and duplex settings of the
Figure 116 Viewing the IP Authorization Settings section
The following table describes the components of the IP Authorization Settings section.
Table 96
Table 97 Allowed Client IP Addresses section components
Component: Description
IP Address, Range or Subnet: Enter IP addresses in the following formats:
• s
SNMPv1/v2 rely on the concept of a community to provide a low level of security for communications between the NMS and agent. In an HP SNMPv1/v2 deploy
Community: A community, also referred to as a community string, is used by the agent when it is communicating with an NMS running SNMPv1/v2. A communit
Table 98 SNMP Agent Settings section components
Component: Description
SNMP Agent IP: This field specifies the IP address on which SNMP is enabled. You can s
Table 99 SNMPv1/SNMPv2 Community List section components
Component: Description
Community Name: Community names can contain only alphanumeric characters an
Table 100 SNMPv3 Username List section components
Component: Description
Username: The username defines from whom the SKM accepts SNMP messages, and it is one
Table 101 SNMP Management Station List section components
Component: Description
Manager Type: The SNMP version used on the NMS. All three versions of SNMP
Table 102 SNMP Management Station Properties section components
Component: Description
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are su
Figure 123 Viewing the Create SNMP Management Station section
The following table describes the components of the Create SNMP Management Station section.
Table 103 Create SNMP Management Station section components
Component: Description
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are suppor
Legal and notice information
© Copyright 2007-2008 Hewlett-Packard Development Company, L.P.
© Copyright 2000, 2008 Ingrian Networks, Inc.
Confidential co
• KMS Server Statistics. KMS Server statistics are available through the MIBs; for each statistic set, you can view the following: current requests per
• Multiple Credentials Overview
• Multiple Credentials Sections
• Multiple Credentials Procedures
• Remote Administration Settings Overview
• Remote Admin
Using multiple administrator accounts
Most likely, you will want to create multiple administrators. When doing so, you should assign access controls that
WARNING! It is absolutely crucial that you remember the passwords for all of your local administrators. For security reasons, there is no way to reset a
If you use LDAP administrators predominantly, at least one local administrator account must always exist, and that local administrator must be a High A
Create LDAP Administrator
The Create Local Administrator and Create LDAP Administrator sections are the same except that the Create LDAP Administrator s
Table 104 Create LDAP Administrator section components
Component: Description
Username: Enter the login name the administrator uses to access the SKM.
Browse
Select LDAP Username
The Select LDAP Username section enables you to browse and select an LDAP user when creating an LDAP administrator account.
Figure 1
Password expiration
The password expiration feature allows you to specify a duration for administrator passwords. By default, this feature is disabled.
Document the password policy and communicate it to all appropriate parties including security officers and other corporate personnel.
Password Management
1 Installing and replacing hardware
This section details the steps to install or replace the SKM hardware:
• Preparing for the installation
• Rack plannin
NOTE: These settings do not apply to LDAP administrator passwords. LDAP administrator passwords are not subject to any of the constraints that apply to
NOTE: Changes made to this section (with the exception of the Password Expiration feature) apply to passwords created after the changes are saved. For e
NOTE: Credential grants cannot be inherited. One administrator can grant only their credentials to one other administrator.
An administrator can grant cr
4. Enable the multiple credentials feature for the cluster by enabling the feature for one device within the cluster.
System backup
The following informa
Table 108 Multiple Credentials for Key Administration section components
Component: Description
Require Multiple Credentials: Select this checkbox to enable
Figure 130 Viewing the Grant a Credential section
The following table describes the components of the Grant a Credential section.
Table 110 Grant a Cred
Remote Administration Settings
The Remote Administration Settings section is shown here.
Figure 131 Viewing the Remote Administration Settings section
Th
Table 111 Remote Administration Settings section components
Component: Description
Web Admin Server IP: The Web Admin Server IP address is the local IP address used to
LDAP Administrator Server
You configure LDAP servers for administrators separately from LDAP servers for users. This allows for greater flexibility, and s
Figure 132 Viewing LDAP Administrator Server Properties section
Table 112 LDAP Administrator Server Properties section components
Component: Description
H
• Use a portable field service kit with a folding static-dissipating work mat.
If you do not have any of the suggested equipment for proper grounding, h
Figure 133 Viewing LDAP Schema Properties section
Table 113 LDAP Schema Properties section components
Component: Description
User Base DN: The base distingu
Figure 134 Viewing the LDAP Failover Server Properties section
Table 114 LDAP Failover Server Properties section components
Component: Description
Failove
Your rotation schedule can be set to automatically rotate logs on a daily, weekly, or monthly basis, at any time of day. The system maintains these set
For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:
• An Audit Log.
• The first log file in the log index.
• A file crea
Secure logs
The SKM allows you to sign your log files before moving them to another machine or downloading them, which makes your log files more secure than
Table 116 Rotation Schedule section components
Component: Description
Log Name: One of the predefined log names supported by the SKM. Log types are: System,
Table 117 Log Rotation Properties section components
Component: Description
Log Name: One of the predefined log names supported by the SKM. Log types are: System,
Figure 137 Viewing the Syslog Settings section
NOTE: Changes to the Syslog Settings section cause the KMS Server to restart, which takes the KMS offline
Table 119 Log Signing section components
Component: Description
Log Name: Displays the logs available on the device.
Sign Log: Select this option to enable Se
Table 120 Log Signing Certificate Information section components
Component: Description
Download Log Signing Cert: Click Download Log Signing Cert to downloa
WARNING! To reduce the risk of personal injury or equipment damage when unloading a rack:
• At least two people are needed to safely unload a rack from
• Successful or failed cluster replication and synchronization.
• Failed log transfers.
• License errors.
Figure 141 Viewing the System Log section
The fo
• Date and time change was made.
• Username: the username that made the configuration change.
• Event: a text description of the configuration change.
Figu
data from the client or an error has occurred. When there is no data for a particular field, a dash is inserted. The format of the Activity Log is as fo
Table 127 Values for the Detail Field in the Activity Log
Request Type: Detail Information
authentication: username provided by the client
key generation: alg
Figure 146 Viewing the Current Activity Log section
The following table describes the components of the Current Activity Log section.
Table 129 Current
Figure 147 Viewing the Client Event Log section
The following table describes the components of the Client Event Log section.
Table 131 Client Event Log
• Throughput
• License Usage
• Refresh Statistics (Server)
• KMS Statistics
Refresh Statistics
The Refresh Statistics section controls how frequently the System
Table 134 System Statistics section components
Component: Description
CPU Utilization (%): This number represents the percentage of CPU time that was in us
Figure 152 Viewing the Throughput section
The following table describes the components of the Throughput section.
Table 136 Throughput section component
Figure 154 Viewing the Refresh Statistics section
The following table describes the components of the Refresh Statistics section.
Table 138 Refresh Stat
The maximum recommended ambient operating temperature (TMRA) for the SKM system is 35° C (95° F). The temperature in the room where the rack is located
Figure 155 Viewing the KMS Statistics section
The following table describes the components of the KMS Statistics section.
Table 139 KMS Statistics secti
C Using the Command Line Interface
Shell commands
The CLI supports a few shell commands that allow you to perform various search, cut, and paste operation
new cert “new cert request” is treated as three separate arguments:
• new
• cert
• new cert request
Escaping characters using backslash
You can include a qu
If multiple commands match the pattern, those commands are displayed on the screen. For example, if you type sh au lo on the command line, the SKM exec
hostname (config)#
Scripting mode
This section describes how to perform the following actions in scripting mode:
• Creating Scripts
• Executing Scripts
• Displ
Once loaded, a script can either be stepped through (executed one line at a time), or the entire script can be run. To step through a script, use the command “step”, as s
passwd
password settings
show administrator
show credential settings
show granted credential
show password settings
Audit Log Commands
show audit log
transfer
cert import
cert request
cert selfsign install
no certificate
no request
show cert
cli-show-request
CRL Commands
crl auto-update
crl list send
crl list update
crl
show security settings
show fips server
show fips status
Health Check Configuration Commands
health check
show health check
Help Commands
?
help
History Commands
h
gateway
ip address
ip authorization
ip authorization allowed
ip name-server
no gateway
no ip address
no ip authorization allowed
no ip name-server
no static ro
Unpacking
Place the shipping carton as close to the installation site as possible. Before unpacking the SKM, inspect the shipping carton for damage that
SNMP Commands
community
edit community
edit snmp username
edit station
no community
no snmp username
no station
show community
show snmp agent
show snmp usernam
show clock
show hostname
show ntp
show ras settings
timezone set
System Health Commands
show system health
System Information Commands
show device
show softwar
Activity log commands
activity log level – Set the Activity Log Level.
Syntax
hostname (config)# activity log level
Log Level:
1: Normal
2: Low
Enter a number (1
Related command(s)
• edit administrator
• show administrator
• no administrator
credential settings – establish the multiple credential settings.
Syntax
hostna
Related command(s)
• show granted credential
• no granted credential
• credential settings
• show credential settings
ldap test failover – connect to the fail
Related command(s)
• administrator
• edit administrator
• no administrator
show credential settings – display the multiple credential settings.
Syntax
hostname#
Audit log commands
show audit log – display all the audit logs' names.
Syntax
hostname# show audit log [name] [number of lines]
Specify a log name and/or
Backup and restore commands
backup – create a system backup.
Syntax
hostname (config)# backup
After executing the backup command, the system prompts you t
Related command(s)
• no ca certificate
• show ca certificate
ca profile – create an empty Trusted CA List profile.
Syntax
hostname# ca profile <profile name>
The
Related command(s)
• cert request
• cli-show-request
• no request
• no certificate
• cert import
• show cert
• cert selfsign install
cert renew – renew a certificate that ha
Figure 1 Identify the contents of the shipping carton
Item: Description
1: Appliance
2: Power cords (2 — 1 black, 1 gray)
3: Null modem cable
4: 1U rack mounting har
Related command(s)
• ca profile
• ca profile duplicate
• ca profile entry
• ca profile rename
• show ca profile
• no ca profile entry
no ca profile entry – delete a C
Syntax
hostname# show local ca [ca name]
Related command(s)
• halt
• no local ca
show signed certificate – display information about certificates signed by local
Certificate commands
cert import – import a certificate.
Syntax
The certificate import process varies between SKMs.
hostname# cert import
Please pick the upload opt
Syntax
hostname (config)# cert request <cert name>
After executing the cert request command, the system prompts you to provide the following inform
Related command(s)
• cert request
• cli-show-request
• no request
• cert install
• cert import
• show cert
• cert selfsign install
no request – delete a certificate request.
S
Syntax
hostname (config)# crl list send <ca name>
Transport Method:
1) FTP 2) SCP
Enter a number (1-2):
Host:
Filename:
Username:
Password:
Related command
Related command(s)
None
no crl list – renew all revoked certificates signed by a local CA or delete the CRL published by a known CA.
Syntax
hostname (config)#
Client event log commands
clientevent log rotate – rotate the client event log.
Syntax
hostname (config)# clientevent log rotate <log name>
Related command
Device reset and restore commands
reset factory settings – delete all information stored in the SKM and reset it to its original factory setting.
CAUTION
Diagnostic commands
host run – look up the host specified using the domain server.
Syntax
hostname (config)# host run <hostname>
Related command(s)
• tr
Removing an existing SKM (appliance) from the system
Skip this step if you are installing a new appliance.
1. Zeroize the original appliance. To do so,
Syntax
hostname# fips server
Enable FIPS Status Server [y]:
Available IP addresses:
1. All
2. 172.17.3.21
Local IP (1-2)[1]:
Local Port [9081]:
NOTE: You can vi
Syntax
hostname# show security settings
Key Security
Disable Creation and Use of Global Keys: Yes
Disable Non-FIPS Algorithms and Key Sizes: Yes
Disable RS
Health check configuration commands
health check – enable and configure the Health Check feature.
Syntax
hostname (config)# health check
Enable Health Check
Log commands
activity syslog – enable the SKM to use the syslog protocol to send Activity Log messages to an external machine.
Syntax
hostname (config)# activity syslog
E
Syntax
hostname (config)# clientevent syslog
Enable Syslog [n]:
Syslog Server #1 IP [None]:
Syslog Server #1 Port [514]:
Syslog Server #2 IP [None]:
Syslog
Related command(s)
• activity syslog
• show activity syslog
The no audit syslog command also clears all values in the Activity Log settings.
no audit syslog – d
Related command(s)
• edit log rotation
show log signing – check the status of the Secure Log feature on the SKM for a specific log.
Syntax
hostname# show log
Mode commands
configure – enter configuration mode.
Syntax
hostname# configure
Related command(s)
• configure terminal
• exit
• script
configure terminal – enter configu
Related command(s)
• ip authorization
• ip authorization allowed
• no ip authorization allowed
• show ip authorization
• show ip authorization allowed
ethernet
Syntax
hostname (config)# ip authorization
KMS Server:
Please select from the following options:
1) Allow All Connections 2) Only Allow IPs Specified
KMS S
5. Repeat these steps with the other side rail.
Attaching rails to the appliance
1. Align one of the rails with the left side of the appliance (as y
Syntax
NOTE: The no ip authorization allowed command requires that you provide the index number of the IP address you want to edit, rather than the actua
Syntax
hostname# show ip authorization
KMS Server: Only Allow IPs Specified
Web Administration: Only Allow IPs Specified
SSH Administration: Only Allow IP
Services commands
halt – halt the SKM.
Syntax
hostname (config)# halt
Related command(s)
• reboot
kms-server run – activate the KMS Server.
Syntax
hostname (config)#
Syntax
hostname (config)# no webadmin startup
Related command(s)
• webadmin startup
reboot – reboot the SKM.
Syntax
hostname (config)# reboot
Related command(s)
•
Related command(s)
• no webadmin run
webadmin startup – enable web administration when starting up the SKM.
Syntax
hostname (config)# webadmin startup
Related c
Syntax
NOTE: When you execute the edit snmp username command, the system prompts you to provide the new SNMPv3 username information.
hostname (config)# edit sn
Syntax
NOTE: When you execute the edit station command, the system prompts you to provide the new SNMP management station information. In the example sho
Related command(s)
• show snmp username
• edit snmp username
• snmp username
no station – remove an SNMP management station.
Syntax
hostname (config)# no station <
Syntax
NOTE: When you execute the snmp username command, the system prompts you to provide the values for the new SNMPv3 username.
hostname (config)# snmp
Syntax
hostname (config)# cipherspec priority
CURRENT PRIORITIES
The SSL cipher order is shown below:
Priority Key Exchange Cipher Keysize Hash
1 RSA AES128
2. Connect the appliance power supplies' AC power connectors to two separate AC power sources using the power cables provided (see Figure 2).
Figure 2 C
Related command(s)
• show cipherspec
• cipherspec priority
• cipherspec
• no cipherspec
• restore cipherspec
no ssl protocol – remove the specified protocol.
Syntax
hostn
Statistics commandsshow license – show the number of licenses currently in use.Syntaxhostname# showlicenseLicenses: 5Relatedcommand(s)•showlicenseusag
Syntaxhostname (config)# edit ras settingsAvailable IP addresses:1. All2. 192.168.200.195Web Admin Server IP [192.168.200.195] (1-2): 2Web Admin Serve
Relatedcommand(s)Nonereissue webadmin certificate – re–issue the web administration certificate.NOTE:This action is performed when initializing the SKM
Table 141 clock set syntax details
Parameter: mm/dd/yy hh:mm:ss
Description:
mm: month: enter value in the range 1–12
dd: day: enter value in the range 1–31
yy: year
System information commands
show device – view the model number and Unit ID of the SKM.
Syntax
hostname# show device
Related command(s)
• show software
show so
System log commands
no system log – clear the context of a system log file.
Syntax
hostname (config)# no system log <log name>
Related command(s)
• sys
D Troubleshooting
This appendix addresses some of the typical problems you might face as the administrator of the SKM.
Table 142 Common problems
Problem
298Troubleshooting
E Regulatory compliance notices
This section contains regulatory notices for the HP StorageWorks Secure Key Manager (SKM) appliance.
Regulatory complian
Contents
1 Installing and replacing hardware ... 21
Preparing for the installation ... 21
Tools for installation ...
energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no
Compliance with these directives implies conformity to the following European Norms (in parentheses are the equivalent international standards and regu
Taiwanese notices
BSMI Class A notice
Taiwan battery recycle statement
Recovery mark:
• Four-in-one recycling symbol
Recovery text:
• “Please recycle waste ba
Dutch laser notice
WARNING:
French laser notice
WARNING: this device may be equipped with a laser classified as a Laser Product of
Italian laser notice
WARNING: This device may contain a laser classified as a Class 1 laser product in accordance with
Recycling notices
Disposal of waste equipment by users in private households in the European Union
This symbol on the product or on its packaging indicate
Estonian notice
Finnish notice
Disposal of equipment in households in the European Union
If this symbol appears on the product or on its packaging, the product
Greek notice
Hungarian notice
Italian notice
Disposal of equipment by private users in the territory of the European Union
This symbol
Latvian notice
Lithuanian notice
Polish notice
Portuguese notice
Disposal of electrical waste in the European Community
This symbol found on the product or on the packaging indicates that the product must not be
2 Configuring the system
Starting the SKM appliance
NOTE: To prepare to configure the system, have ready all information listed on the pre-install survey. T
Spanish notice
Disposal of waste electrical and electronic equipment by private users in the European Union
This symbol on the
Battery replacement notices
Dutch battery notice
WARNING: this device may contain a battery.
- After removing the batteries, do not attempt to
German battery notice
CAUTION: This product may contain a battery or a rechargeable battery.
- Do not attempt to recharge batteries or rechargeable batteries outside
Japanese battery notice
Spanish battery notice
WARNING: This device may contain a battery.
- Do not attempt to recharge the batteries if you remove
F Specifications
This section provides the VLS node and specifications.
SKM appliance specifications
Item / Specification
Height: 4.3 cm (1.70 in)
Depth: 70.5 cm (27.8
Environmental specifications
Operating / Non-operating / Shipping
Temperature¹: 10°C to 35°C (50°F to 95°F) / -40°C to 66°C (-40°F to 150°F) / -40°C to 66°C (-40°F to 150
G About this guide
This guide provides information about:
• Installing an HP StorageWorks Secure Key Manager
• Configuring an HP StorageWorks Secure Key M
WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could res
Customer self repair
HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the p
c. Date
d. Time. The time is based on a 24-hour clock. There is no a.m. or p.m. designation. For example, 1:20 p.m. is 13:20:00.
e. IP address of the SKM
Glossary
Active Device: In the VRRP group, this is the device that is receiving all network traffic. This is typically the primary device; however, in cas
fulfill client traffic, the secondary device stands down and the primary device again becomes the active device.
Primary device: A designated device that,
Index
Symbols
?, 272
A
access control, 205
activity log level, 252
activity log rotate, 252
activity syslog, 273
administrator, 252
administrators
creating, 205
definin
Create LDAP Administrator section, 205
Create Local Certificate Authority section, 150
Create SNMP Management Station section, 197
credentials
granting, 214
vie
keys
access to and ownership of, 168
administration via multiple credentials, 213
authorization policies and usage periods, 122, 124
creating, 118
deletable, 1
P
passwd, 254
password settings, 254
passwords
administrator, 202
cluster, 175
patch releases, 96
permissions, user, 127
Ping Information section, 98
ping run, 269
port
show station, 287
show statistics, 291
show system log, 296
show system syslog, 276
Sign Certificate Request page, 54
sign request, 261
Signed Certificates section,
6. Configure the default settings for the key replication interval and retry attempts.
NOTE: These commands require firmware version 1.1 or greater.
a. Log
Where
• <appliance hostname> is the hostname or IP address you provided in Starting the SKM appliance, step 4.
• <appliance port number> is 944
6. Add the Local CA to the Trusted CAs list.
a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority List Profiles
4. Click Create Certificate Request.
5. Click on the newly created certificate from Certificate List, for example SKM Server.
6. Copy the certificate data,
11. Click Sign Request.
12. Copy the signed certificate data, from -----BEGIN to END…----- lines. Be careful to exclude extra carriage returns or spaces
• In Creating the cluster, the cluster is created on one SKM appliance. Skip this section if you already have an SKM cluster.
• In Copying the Local CA
5. Copy the certificate data from the CA Certificate Information, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be carefu
Creating a user ... 45
Creating a group ... 46
Adding a user to a group ...
5. Add the first member’s CA to the Trusted CAs list.
a. In the Certificates & CA menu, click Trusted CA Lists.
b. Click on the Default Profile Name.
c.
4. Click Create Certificate Request.
5. Click on the newly created certificate SKM Server from Certificate List.
6. Copy the certificate data, from lines --
3. Click Select None.
4. Select Certificates then Choose from list and select SKM Server.
5. Click Continue.
6. Click Select None.
7. Click Continue.
8. In
3 Performing configuration and operation tasks
Key and policy procedures
Creating a key
To create a key:
1. Log in to the Management Console as an administrat
7. To make the key exportable on a non-FIPS SKM, select Exportable. An exportable key can be exported by its owner and by members of a group with “Expor
Authorization policy procedures
Creating an authorization policy
To create an authorization policy:
1. Log in to the Management Console as an administrat
6. To give this user the ability to change his or her own password via the XML interface, select Change Password Permission. Users with User Administra
3. Select the Username and click Delete.
Deleting a group
To delete a group:
1. Log in to the Management Console as an administrator with Users, Groups,
Setting up an LDAP failover server
To set up an LDAP failover server:
1. Log in to the Management Console as an administrator with Users, Groups, and LD
NOTE: To generate a valid certificate, you must have a certificate authority sign a certificate request. You can create local CAs on the SKM, and use those
Configuring SNMPv3 on the SKM ... 63
Administrator procedures ... 64
Creating an administrator ...
10. Copy the certificate text.
11. Navigate back to the Certificate List section.
12. Select the certificate request and click Properties to access the Ce
9. Paste the certificate request into the Certificate Request field. Select Client as the Certificate Purpose, specify a Certificate Duration and click Sign
To install a certificate:
1. Log in to the Management Console as an administrator with Certificates access control.
2. Navigate to the Certificate List sec
2. Navigate to the Certificate List section of the Certificate and CA Configuration page (Security > Certificates).
3. Select the Certificate Name and clic
Deleting a trusted CA list profile
To delete a trusted certificate authority list profile:
1. Log in to the Management Console as an administrator with Cer
Deleting a local CA
To delete a local CA:
1. Log in to the Management Console as an administrator with Certificate Authorities access control.
2. Navigate
8. Copy the CA certificate request text. The certificate text looks similar, but not identical, to the following text.
-----BEGIN CERTIFICATE REQUEST-----
FIPS status server procedures
Enabling the FIPS status server
To enable the FIPS Status Server:
1. Log in to the Management Console as an administrator w
Enabling key and policy configuration by client applications
Enabling key and policy configuration by client applications permits the following actions:
•
6. Use the Username Field in Client Certificate field to specify which field in the client certificate must contain a valid username. This setting is optio
Rolling back software ... 96
System Health page ... 96
Refresh page ...
5. Click Join Cluster.
NOTE: After joining the cluster, you will be prompted to synchronize with an existing cluster member. We recommend that you synchr
Removing a device from a cluster
To remove a device from a cluster:
1. Log in to the Management Console of the device that will be removed from the cluster as an adminis
Configuring an NTP server connection
To configure an NTP server connection:
1. Log in to the Management Console as an administrator with Network and Date/
9. For each service select either Allow All Connections to grant access to all clients or Only Allow IPs Specified Below to grant access to only the cli
Administrator procedures
Creating an administrator
To create an administrator account:
1. Log in to the Management Console as an administrator with Administ
3. Click LDAP Test.
Setting up the LDAP schema
To set up the LDAP Schema:
1. Log in to the SKM appliance as a Local administrator with High Access Adminis
2. Navigate to the Password Settings for Local Administrators section of the Administrator Configuration page (Device Configuration > Administrators &
2. Navigate to the Multiple Credentials for Key Administration section on the Administrator Configuration page (Device > Administrators > Multiple
1. Open the certificate request in a text editor.
2. Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQ
2. Navigate to the Remote Administration Settings section (Device > Administrators > Remote Administration).
3. Click Edit.
4. Select Web Admin Use
LDAP Groups ... 135
User List ... 135
Certificate and CA Configuration Page ...
2. Determine the Key Sharing Group.
a. From the filtered list of keys, choose the one with the most recent timestamp (the number sequence at the end of t
NOTE: Steps c. through f. above ensure the backup file contains only the single key.
g. In the Backup Summary section of the panel, verify that no settings, c
4. Send the tape and the Destination (backup) file to the Cluster #2 admin. Also transmit the Group name and the backup password.
NOTE: For security reaso
5. Import (restore) the backup file to Cluster #2
a. On the SKM, from the Device Tab, in the Maintenance menu on the left, select Backup & Restore, t
6. Restart the SKM software.
NOTE: Following a restore, the SKM must be restarted.
a. From the SKM Device tab, in the Maintenance menu, select Services.
b
7. Force replication of the key across Cluster #2.
a. From the SKM Security tab, in the Keys menu on the left, select Keys.
b. Use filtering from the Key
8. Ensure that the key sharing group has been added.
a. From the SKM interface, Security tab, Users and LDAP Menu, select Local Users and Groups.
b. Ver
1. From the SKM interface on the Device tab in the Maintenance menu on the left, select Backup & Restore, then select Create Backup.
Figure 11 Creating the ba
7. In the Backup Summary section of the panel, verify that all of the settings, certificates, and local certificate authorities are included in the backu
1. From the SKM interface on the Device tab, in the Maintenance menu, select Backup Restore, then Create Backup.
2. In the Create Backup pane, in the Security Item
Cluster Settings ... 177
Create Cluster ... 178
Join Cluster ...
Log configuration procedures
Configuring log rotation
To configure log rotation:
1. Log in to the Management Console as an administrator with Logging access
2. Change the file extension on the log file to .eml. The file will now be recognized by Windows as an E-mail file.
3. Double-click on the file. Outlook Expr
Recreating the log signing certificate
Prior to creating a new log signing certificate, back up the old certificate so you can verify previously signed logs
2. Navigate to the Log Viewer page (Device > Log Viewer) and click the tab for the log you would like to download.
3. Choose a log in the Log File fie
4 Maintaining the SKM
Backup and restore overview
Clustering SKM nodes is an effective way of exchanging keys and configuration data to allow for failover, b
Backup and restore page
The Backup and restore page enables you to create and restore backups. This page contains the following sections:
• Create Backup
Table 1 Create Backup: Security Items section components
Components / Description
Security Items: Click Select All to include all of the key management items in your
Table 2 Create Backup: Device Items section components
Components / Description
Device Items: Click Select All to include all of the device configuration items in
Table 3 Create Backup: Backup Settings section components
Components / Description
Backup Name: Enter a name for the backup file. For backups stored externally, th
Remote Administration Settings overview ... 215
Remote Administration Settings sections ... 215
Remote Administrati
Figure 17 Viewing the Restore Backup section
The following table describes the components of the Restore Backup section.
Table 4 Restore Backup section
Figure 18 Viewing the Backup Restore Information section
The following table describes the components of the Internal Backup List section.
Table 5 Inter
Table 6 Internal Backup List section components
Components / Description
Backup Name: Displays the backup name.
Date: Displays the date on which the backup was create
Table 7 Services List section components
Components / Description
Name:
• KMS Server: the “brains” of the SKM, which manages all incoming and outgoing connect
System Information page
Use the System Information page to perform software upgrades and examine information about the system and software currently ins
The following table describes the components of the License Information section.
Table 10 License Information section components
Components / Description
L
Upgrading to a patch release
Patch releases are lightweight; customers do not have to re-qualify an entire release. All patches are cumulative, which means
Figure 25 Viewing the Refresh Page section
The following table describes the components of the Refresh Page section.
Table 12 Refresh Page section compo
Cooling Fan Status
The Cooling Fan Status section provides information on the status of all of the SKM’s cooling fans. The following table describes the dif
Traceroute Information
Use the Traceroute Information section to examine the path between the SKM and a destination.
Figure 29 Viewing the Traceroute In