HP Secure Key Manager User Manual


Summary of Contents

Page 1 - Secure Key Manager

HP StorageWorks Secure Key Manager users guide
*AJ087-96018*
Part number: AJ087–96018
3rd edition: April 2009

Page 2

Secure logs ... 244
Log Configuration page .

Page 3 - Contents

Components: Description
Cancel: Click Cancel to abort the backup and return to the Create Backup: Security Items section.
Displays all of the items that cou

Page 4

NOTE: Key Manager DataSecure appliance Number of Active Versions Allowed for a Key setting on the Key and Policy Configuration page. If the key has more

Page 5

Figure 19 Viewing the Internal Backup List section
The following table describes the components of the Internal Backup List section.
Table 7 Internal Ba

Page 6

Figure 20 Viewing the Services List section
The following table describes the components of the Services List section.
Table 8 Services List section com

Page 7

Figure 21 Viewing the Restart/Halt section
The following table describes the components of the Restart/Halt section.
Table 9 Restart/Halt section compon

Page 8

Figure 22 Viewing the Device Information section
The following table describes the components of the Device Information section.
Table 10 Device Informa

Page 9

Software Upgrade/Install
The software upgrade and installation mechanism can be used to install new features, upgrade core software, and apply security

Page 10

IMPORTANT: You must be running the base release upon which the patch is built before upgrading to the patch release. You cannot upgrade directly from a

Page 11

Figure 25 Viewing the Refresh Page section
The following table describes the components of the Refresh Page section.
Table 13 Refresh Page section compo

Page 12

Cooling Fan Status
The Cooling Fan Status section provides information on the status of all of the SKM's cooling fans. The following table describes t

Page 13

Health check configuration commands ... 297
Help commands ...

Page 14

Traceroute Information
Use the Traceroute Information section to examine the path between the SKM and a destination.
Figure 29 Viewing the Traceroute In

Page 15

Figure 31 Viewing the Netstat Information section
The following table describes the components of the Netstat Information section.
Table 19 Netstat Info

Page 16

Maintaining the SKM 112

Page 17

A SKM appliance information sheet
This information is specific to the HP StorageWorks Secure Key Manager (SKM) appliance to which it is attached. There

Page 18

Figure 33 Front and top of SKM appliance
Figure 34 Back of SKM appliance
Item: Description
1: Product ID number (PID) of the appliance
Serial number of the ap

Page 19

B Using the Management Console
Logging in and out
Use the Administrator Authentication screen to log into the Management Console.
Figure 35 Viewing the A

Page 20

• Recent Actions
Security Summary
Use this section to view security-related summary information for your SKM.
Figure 37 Viewing the Security Summary sect

Page 21

Component: Description
Software Version: Displays the version of the software currently running on the SKM.
Date: Displays the current date.
Displays the curre

Page 22

Figure 40 Viewing the Search Criteria section
The following table describes the components of the Search Criteria section.
Table 24 Search Criteria sect

Page 23 - About this guide

Using features common to the Security and Device tabs
The following sections describe how to set display parameters for Management Console viewing.
Thes

Page 24 - Rack stability

Estonian notice ... 335
Finnish notice ...

Page 25 - HP websites

Accessing the Help system
The Management Console provides you with two ways to access product documentation: context-sensitive help, and help. Both meth

Page 26 - Documentation feedback

Figure 46 Finding the Help link
Clicking this icon opens the help system in a new web browser. The default page shows the table of contents.
Using the Ke

Page 27 - Taking ESD precautions

CAUTION: Do not delete keys that might be needed to decrypt data at some point in the future. Once you delete a key, there is no way to decrypt data tha

Page 28 - Rack planning resources

Component: Description
The algorithm might be any of the following:
• AES-256
• AES-192
• AES-128
• DES-EDE-168 (three key triple DES)
• DES-EDE-112 (two key

Page 29 - Optimum environment

Figure 48 Viewing the Key Properties section
The following table describes the components of the Key Properties section.
Table 29 Key Properties section

Page 30 - Power requirements

The state, combined with the key type and group permissions determine how the key version can be used. Ultimately, a key version can only be used when:

Page 31 - Unpacking

Component: Description
Delete: Click Delete to remove the permissions for a group.
For example, in Figure 49, members of group1 have permission to export ke

Page 32

Component: Description
Add: Click Add to add an attribute.
Delete: Click Delete to remove the selected attribute.
Key Versions and Available Usage
Use this sect

Page 33 - Selecting a rack location

Figure 52 Viewing the Public Key section
The following table describes the components of the Public Key section.
Table 33 Public Key section components
D

Page 34

Component: Description
Save Query: Click Save Query to save the query without executing it.
Click Run Query without Saving to execute the query. The query n

Page 35 - Attaching the cables

Figures
Identify the contents of the shipping carton ... 32 1
Connect the power supplies to

Page 36

Figure 55 Viewing the Modify Query section
NOTE: You cannot greatly modify the built-in query [All]. The Appliance will only permit you to change the Col

Page 37 - 2 Configuring the system

Figure 56 Viewing the Create Key section
The following table describes the components of the Create Key section.
Table 37 Create Key section components
D

Page 38 - Configuring the system 38

Component: Description
When selected, the key contains multiple versions, up to a maximum of 4000. Each key version has unique key bytes, but shared key m

Page 39

IMPORTANT: The server will not import keys that are known to be weak, such as 64 bit DES. In addition, the parity bits must be set properly; otherwise,

Page 40 - Configuring the system 40

Component: Description
A check mark in the box indicates that the key is deletable via an XML request by the key owner (or any user for global keys). Afte

Page 41

NOTE: Authorization policies cannot be applied to global keys or to certificates. Key owners are not subject to policy restrictions.
The Authorization Po

Page 42 - Configuring the system 42

Figure 60 Viewing the Authorization Policy Properties section
The following table describes the Authorization Policies Properties section.
Table 41 Auth

Page 43

Figure 61 Viewing the Authorized Usage Periods section
The following table describes the Authorization Usage Periods section.
Table 42 Authorization Usa

Page 44 - Establishing a cluster

Figure 62 Viewing the Active Versions section
Table 43 Active Versions section components
Component: Description
Displays the number of active versions all

Page 45

Configuring the users and groups
A user directory contains a list of users that may access the keys on your KMS Server, and a list of groups to which th

Page 46 - Configuring the system 46

Front and top of SKM appliance ... 114 33
Back of SKM appliance ...

Page 47

Figure 64 Viewing the Local Users section
The following table describes the components of the Local Users section.
Table 45 Local Users section componen

Page 48 - Copying the certificates

NOTE: The User Administration Permission and Change Password Permission apply only to local users. LDAP users cannot be managed through the SKM; they mu

Page 49 - Installing the certificates

Figure 66 Viewing the Custom Attributes section
The following table describes the components of the Custom Attributes section.
Table 47 Custom Attribute

Page 50 - Configuring the system 50

Figure 67 Viewing the Local Groups section
The following table describes the components of the Local Groups section.
Table 48 Local Groups section compo

Page 51 - Key and policy procedures

Figure 69 Viewing the User List section
The following table describes the components of the User List section.
Table 50 User List section components
Desc

Page 52 - Downloading an RSA key

Figure 70 Viewing the LDAP User Directory Properties section
The following table describes the components of the LDAP User Directory Properties section

Page 53 - Deleting a key

Figure 71 Viewing the LDAP Schema Properties section
The following table describes the components of the LDAP Schema Properties section.
Table 52 LDAP S

Page 54 - User and group procedures

Component: Description
Edit: Click Edit to modify the properties.
Clear: Click Clear to remove the current properties.
LDAP Failover Server Properties
Use the L

Page 55 - Deleting a group

• User List
LDAP Users
The LDAP Users section displays the users available in the LDAP user directory.
Figure 73 Viewing the LDAP Users section
The follow

Page 56 - LDAP server procedures

Figure 74 Viewing the LDAP Groups section
The following table describes the components of the LDAP Groups section.
Table 55 LDAP Groups section componen

Page 57 - Certificate procedures

Viewing the LDAP User Directory Properties section ... 145 70
Viewing the LDAP Schema Properties section

Page 58

Certificate and CA Configuration Page
Certificates identify one entity to another. In this case, when making SSL connections between a client applicatio

Page 59 - Creating a client certificate

Component: Description
A certificate summary containing the following information:
• Common Name: Name of entity to which certificate is issued. This is t

Page 60

Figure 77 Viewing the Certificate Information section
The following table describes the components of the Certificate Information section.
Table 58 Cert

Page 61 - Installing a certificate

Component: Description
Click Install Certificate to go to the Certificate Installation page. The Install Certificate button can be applied to either certi

Page 62 - Downloading a certificate

The following table describes the components of the Certificate Installation section.
Table 59 Certificate Installation section components
DescriptionCo

Page 63

Component: Description
Certificate Duration (days): The duration during which the certificate is valid.
Create: Click Create to create the certificate.
Click Ba

Page 64 - Downloading a local CA

Component: Description
Email Address: E–mail address of person requesting the certificate. This field is optional.
Size of key being generated. The SKM supp

Page 65 - Creating a local CA

Component: Description
Private Key Password: The password used to access the key.
Click Import Certificate to import the certificate to SKM.
Import Certifica

Page 66 - Installing a CA certificate

Component: Description
Edit: Click Edit to change the name of a profile.
Click Add to create a profile. A newly created profile is initially empty. You must

Page 67 - FIPS status server procedures

Figure 84 Viewing the Trusted Certificate Authority List (Edit Mode)
The following table describes the components of the Trusted Certificate Authority

Page 68 - KMS server procedures

Viewing the Join Cluster section ... 197 107
Viewing the Date and Time Settin

Page 69

Figure 85 Viewing the Local Certificate Authority List section
The following table describes the components of the Local Certificate Authority List sec

Page 70 - Clustering procedures

Figure 86 Viewing the CA Certificate Information section
The following table describes the components of the CA Certificate Information section.
Table 6

Page 71 - Setting up SSL in a cluster

Sign Certificate Request
Use the Sign Certificate Request section to sign certificate requests.
Figure 87 Viewing the Sign Certificate Request section
Th

Page 72 - Date and time procedures

Figure 88 Viewing the Signed Certificates section
The following table describes the components of the Signed Certificates section.
Table 69 Signed Certi

Page 73 - IP authorization procedures

Figure 89 Viewing the Signed Certificate Information section
The components of the Signed Certificate Information section are view-only.
Create Local CA

Page 74 - SNMP procedures

Figure 90 Viewing the Create Local Certificate Authority section
The following table describes the components of the Create Local Certificate Authority

Page 75

Component: Description
Local CAs can be one of two types: Self-signed root CA, or Intermediate CA Request. When you create a self-signed root CA, you must

Page 76 - Setting up the LDAP schema

Component: Description
Displays one of three values:
Certificate Active - The CA can be used to issue certs and sign certificate requests.
Certificate Expir

Page 77 - Changing your password

CRL v2 format. Support for CRLs on the SKM allows you to obtain, query, and maintain CRLs published by CAs supported on the SKM. The SKM uses CRLs to v

Page 78 - Granting credentials

NOTE: The Auto-Update feature does not apply to local CAs.
Force Periodic Update
The SKM performs a daily check of the Next Update field to determine whe

Page 79 - Revoking a credential grant

Viewing the Current Audit Log section ... 252 144
Viewing the Activity Log section ..

Page 80

Only the following models are capable of operating in accordance with FIPS standards:
• HP DL360 R05
All other SKM can be configured for high security b

Page 81

Software Patches and Upgrades
HP will indicate which software patches and upgrades are FIPS certified. Apply only FIPS certified software to a FIPS-comp

Page 82

Component: Description
Click Set FIPS Compliant to alter the settings shown in the High Security Settings and Security Settings Configured Elsewhere secti

Page 83

Figure 94 Viewing the High Security Settings section
The following table describes the components of the High Security Settings section.
Table 74 High S

Page 84

Component: Description
Prevents administrators from changing RAID drives through the Management Console.
IMPORTANT: You cannot replace RAID drives and rema

Page 85

Component: Description
Displays the SSL Protocols enabled in the SSL Options section. Click the link to access the SSL Options section. FIPS compliance re

Page 86

Configuring the High Security Settings on an SKM
IMPORTANT: When you enable FIPS compliance on the SKM, the functionality displayed here is disabled. Mo

Page 87

Description Conditional power-on Test
Known Algorithm Test for the X9.31 PRNG. This test is performed at power-on. X X9.31 PRNG
Test of the random number gene

Page 88

Figure 96 Viewing the FIPS Status Report: normal
The following table describes the components of the FIPS Status Server Settings section.
Table 77 FIPS

Page 89 - Log configuration procedures

Component: Description
Displays the result and timestamp for each of the following self-tests:
• AES Encryption
• DES Encryption
• DSA Encryption
• HMAC Algo

Page 90 - Enabling signed logs

Tables
Document conventions ... 23 1
Create Backup: Security It

Page 91

Component: Description
Local IP: Select the IP addresses on which the FIPS Status Server is enabled on the SKM.
Select the port on which the server status r

Page 92 - Log view procedures

SSL Session Timeout
All SSL sessions stored in the SKM's session cache have an expiration period, typically two hours. This means the SKM accepts a

Page 93 - Clearing a log

IMPORTANT: Some web browsers, including Internet Explorer 6.0, do not have TLS 1.0 enabled by default. If you disable SSL 2.0 and 3.0, please check firs

Page 94

SSL Cipher Order
Use this section to enable, disable, and order the priority of SSL ciphers.
Different applications and databases support different encr

Page 95 - 4 Maintaining the SKM

Component: Description
This field specifies the Hash function to use for SSL session integrity. The supported Hash functions are:
• SHA–1: (Secure Hash Alg

Page 96 - Backup and restore page

The KMS Server can define a local users and groups list or you can use an LDAP server to centrally manage your users and groups.
Authentication Options
T

Page 97 - Secure Key Manager 97

Key Management Services Configuration sections
The Key Management Services Configuration page enables you to configure the KMS Server, KMS Server Authen

Page 98 - Create Backup: Device Items

Component: Description
The Connection Timeout value specifies in seconds how long client connections can remain idle before the KMS Server begins closing

Page 99

Figure 101 Viewing the KMS Server Authentication Settings section
The following table describes the elements of the KMS Server Authentication Settings

Page 100 - Restore Backup

Component: Description
This field allows you to select a profile to use to verify that client certificates are signed by a CA trusted by the SKM. This opt

Page 101 - Internal Backup List

Public Key section components ... 128 33
Create Query section components ..

Page 102 - Services Configuration page

Component: Description
Edit: Click Edit to modify the account lockout settings.
Health Check overview
The Health Check feature allows you to configure client

Page 103 - Restart/Halt

Component: Description
In this field you specify the IP address on which you want to listen for health check requests. You can specify an individual IP ad

Page 104 - System Information page

• LDAP Server
• SSL
• Administrators and Remote Administration
• IP Authorization
• Logging
• Service Startup
• Known CAs, CRLs, and Trusted CA List Profile

Page 105 - License Information

NOTE: When upgrading from a previous release, local CA replication is disabled by default.
Automatic Synchronization Backups
Prior to each synchronizatio

Page 106 - Software Upgrade/Install

Component: Description
The port on which the device listens for cluster administration requests.
CAUTION: The cluster port (typically 9001) must be differe

Page 107 - System Health page

Figure 105 Viewing the Cluster Settings section
The following table describes the components of the Cluster Settings section.
Table 86 Cluster Settings

Page 108 - Power Supply Status

Figure 106 Viewing the Create Cluster section
The following table describes the components of the Create Cluster section.
Table 87 Create Cluster sectio

Page 109 - Network Diagnostics page

Figure 107 Viewing the Join Cluster section
The following table describes the components of the Join Cluster section.
Table 88 Join Cluster section comp

Page 110 - Netstat Information

• Date & Time Procedures
Network Time Protocol overview
The Network Time Protocol (NTP) is a protocol by which computers on a network synchronize th

Page 111 - Reading Netstat Results

Figure 108 Viewing the Date and Time Settings section
The following table describes the components of the Date and Time Settings section.
Table 89 Date

Page 112 - Maintaining the SKM 112

Legal and notice information
© Copyright 2007, 2009 Hewlett-Packard Development Company, L.P.
© Copyright 2000, 2008 Ingrian Networks, Inc.
Confidential

Page 113

Create Local Certificate Authority section components ... 165 70
CA Certificate List section components ...

Page 114

Figure 109 Viewing the NTP Settings section
The following table describes the components of the NTP Settings section.
Table 90 NTP Settings section comp

Page 115 - Using the Home tab

Network Interfaces sections
The Network Configuration page contains the following network interface-related section:
• Network Interface List
Network Int

Page 116 - System Summary

Figure 111 Viewing the Default Gateway List section
The following table describes the components of the Default Gateway List section.
Table 92 Default G

Page 117 - Search screen

Example 2. Example 2
Used for Outgoing Connections / Default Gateway / Interface
no / none / Ethe

Page 118

This configuration is the same as example 3, but in this scenario there are some hosts and networks that are not reachable through 172.17.7.1. Most oft

Page 119 - Filtering sections

Hostname & DNS sections
The Network Configuration page contains the following hostname and DNS-related sections:
• Hostname Setting
• DNS Server List

Page 120 - Accessing the Help system

The following table describes the components of the DNS Server List section.
Table 95 DNS Server List section components
Components: Description
Use the Up

Page 121

Figure 115 Viewing the Network Interface Port Speed/Duplex section
The following table describes the components of the Network Interface Port Speed/Dup

Page 122

Figure 116 Viewing the IP Authorization Settings section
The following table describes the components of the IP Authorization Settings section.
Table 97

Page 123 - Key Properties

Figure 117 Viewing the Allowed Client IP Addresses section
The following table describes the components of the Allowed Client IP Addresses section.
Tabl

Page 124 - Versioned keys

Change Your Password section components ... 229 107
Password Settings for Local Administrator

Page 125 - Group Permissions

SNMP overview
The SNMP protocol enables network and system administrators to remotely monitor devices on the network, such as switches, routers, proxies

Page 126 - Custom Attributes

secret key, and sends the message to the receiver, who decrypts it using the DES algorithm and the same secret key.
Access control
Access control in SNMP

Page 127 - RSA Public Key

This page contains the following sections:
• SNMP Agent Settings – Changes to the SNMP Agent Settings section apply to all management stations, username

Page 128 - Create Query

NOTE: If you are configuring the agent to communicate with an NMS running SNMPv3 software, you can disregard this section.
When creating a community on t

Page 129 - Modify Query

SNMPv3 Username List
As the name suggests, the SNMPv3 Username List is used to configure the agent to communicate with an NMS running SNMPv3 software. Y

Page 130 - Create Key

Component: Description
This password is used to create the secret key that performs the encrypt and decrypt operations on the data shared between the agen

Page 131

Component: Description
Displays either the management community or username. The management community is used to send SNMP data to the SNMPv1/v2 managemen

Page 132 - Import Key

Component: Description
Name that is used to send SNMP data to SNMPv3 management stations. The username is used to create a key that is shared by the agent

Page 133

Figure 123 Viewing the Create SNMP Management Station section
The following table describes the components of the Create SNMP Management Station sectio

Page 134

Component: Description
Auth Protocol (v3 only): You can choose from MD5 and SHA.
This password is used to create the secret key that is used to authenticate

Page 136 - Authorized Usage Periods

• Security Warnings – an administrator experienced multiple password failures while attempting to log in, the system was reset to factory settings, th

Page 137 - Active Versions

and stored on the SKM appliance. The available access controls are grouped into categories and described here.
Security Configuration access controls en

Page 138 - Custom Key Attributes

When creating an administrator, you should assign the minimum amount of access controls needed. For example, a backup administrator will only need the

Page 139 - Local Users

WARNING! It is absolutely crucial that you remember the passwords for all of your local administrators. For security reasons, there is no way to reset a

Page 140

Configuration of the LDAP Administrator Server and the first LDAP administrator must be performed by a local administrator. Thereafter, you can use the

Page 141 - Selected Local User

1. Log in to the Management Console as an administrator with High Access Administrator access control.
2. Navigate to the Administrator section on the Admi

Page 142 - Local Groups

Component: Description
Access control options related to device security configuration.
• Keys and Authorization Policies: Create, modify and delete keys

Page 143 - User List

Select LDAP Username
The Select LDAP Username section enables you to browse and select an LDAP user when creating an LDAP administrator account.
Figure 1

Page 144 - LDAP Server Configuration

Password expiration
The password expiration feature allows you to specify a duration for administrator passwords. By default, this feature is disabled.

Page 145 - LDAP Schema Properties

CAUTION: In addition to all scheduled password changes, immediately change all administrator, user account, and backup passwords any time a security off

Page 146

About this guide
This guide provides information about:
• Installing an HP StorageWorks Secure Key Manager
• Configuring an HP StorageWorks Secure Key Ma

Page 147

Component: Description
Confirm New Password: Re-enter the new password.
Change Password: Click Change Password to implement any changes made to this section.

Page 148 - LDAP Groups

Component: Description
Enter the minimum password length. The default length is 8. This value applies to all passwords on the SKM (local administrator, us

Page 149

Any request for these operations, from either the Management Console or the CLI, results in a request for additional administrator accounts and passwor

Page 150 - Certificate List

NOTE: If the SKM is configured to use NTP, modifications to the NTP system time can extend the life span of a granted credential.
NOTE: Granted credential

Page 151 - Certificate Information

Multiple Credentials sections
The Multiple Credentials sections on the Administrator Configuration page let you enable the multiple credentials feature

Page 152 - DescriptionComponent

Credentials Granted
Use the Credentials Granted section to view the credentials granted to or by the current administrator.
Any credential grants that d

Page 153 - Certificate Installation

Component: Description
Enter the length of duration. This duration cannot be longer than the Maximum Duration for Time-Limited Credentials established in

Page 154 - Self Signed Certificate

Figure 131 Viewing the Remote Administration Settings section
The following table describes the components of the Remote Administration Settings sectio

Page 155 - Create Certificate Request

Components: Description
The SSH Admin Server IP address is the IP address used to configure the SKM from the CLI. You can select one specific IP address o

Page 156

LDAP Administrator Server Properties section
Use the LDAP Administrator Server Properties section to define the basic properties of the LDAP administrat

Page 157

Convention: Element
Monospace text:
• File and directory names
• System output
• Code
• Commands, their arguments, and argument values
• Code variables
• Comma

Page 158 - The Default Profile

Figure 133 Viewing LDAP Schema Properties section
Table 114 LDAP Schema Properties section components
Component: Description
The base distinguished name (D

Page 159

Component: Description
Edit: Click to modify the properties.
Clear: Click to remove the current properties.
Click to test the LDAP connection after you have de

Page 160 - CA Certificate Properties

For example, you can schedule the system to rotate the Audit Log every Sunday morning at 3:15 or when the file size reaches 100 MB, whichever comes first

Page 161 - Secure Key Manager 161

Value: Description
datetime stamp: The date and time when the log file was created.
hostname: The hostname of the SKM.
For example, the filename audit.log.1.20

Page 162 - Signed Certificates

2005-09-12 10:23:47 irwin.company.com KMS Server: Starting KMS Server
log message at syslog server (displays on one line):
-----------------------------

Page 163

Figure 135 Viewing the Rotation Schedule section
The following table describes the components of the Rotation Schedule section.
Table 117 Rotation Sched

Page 164 - Create Local CA

Figure 136 Viewing the Log Rotation Properties section
The following table describes the components of the Log Rotation Properties section.
Table 118 Lo

Page 165 - Secure Key Manager 165

Syslog Settings
To enable syslog, select a type of log, and click Edit. Specify a hostname or IP address of the primary log server (Syslog Server #1) an

Page 166 - CA Certificate List

Figure 138 Viewing the Log Signing section
The following table describes the components of the Log Signing section.
Table 120 Log Signing section compon

Page 167 - Install CA Certificate

Figure 139 Viewing the Log Signing Certificate Information section
The following table describes the components of the Log Signing Certificate Informat

Page 168 - Local CAs

HP technical support
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the

Page 169 - Advanced Security overview

Figure 140 Viewing the Activity Log Settings section
The following table describes the components of the Activity Log Settings section.
Table 122 Activi

Page 170

Figure 141 Viewing the System Log section
The following table describes the components of the System Log section.
Table 123 System Log section component

Page 171 - FIPS Compliance

• Date and time change was made.
• Username: the username that made the configuration change.
• Event: a text description of the configuration change.
Fi

Page 172 - High Security Settings

Activity Log
The Activity Log contains a record of each request received by the KMS Server. For client requests that contain multiple cryptographic oper

Page 173

Request Type: Detail Information
algorithm and key size specified in the request; the value for the Deletable and Exportable options are listed as well

Page 174

Current Activity Log
Figure 146 Viewing the Current Activity Log section
The following table describes the components of the Current Activity Log sectio

Page 175 - High Security Procedures

Field: Description
enclosed in brackets ( [] ), the message field displays the plaintext that corresponds with the base64 encoded message included in the

Page 176 - FIPS Status Server overview

Component: Description
Clear: Click Clear to delete the selected log.
Statistics page
The Statistics page enables you to view real-time system statistics about

Page 177 - FIPS Status Report

Component: Description
Set Refresh Time: Click Set Refresh Time to apply the new value.
Click Refresh Now to refresh the System Statistics page on demand.
Re

Page 178

Figure 151 Viewing the Connection Statistics section
The following table describes the components of the Connection Statistics section.
Table 136 Connec

Page 179 - FIPS Status Server page

Documentation feedback
HP welcomes your feedback.
To make comments and suggestions about product documentation, please send a message to storagedocsFeedb

Page 180 - SSL overview

Figure 152 Viewing the Throughput section
The following table describes the components of the Throughput section.
Table 137 Throughput section component

Page 181 - SSL Sections

Refresh Statistics (server)
The Refresh Statistics section controls how frequently the Server Statistics page is refreshed. When the page is refreshed,

Page 182

Figure 155 Viewing the KMS Statistics section
The following table describes the components of the KMS Statistics section.
Table 140 KMS Statistics secti

Page 183 - SSL Cipher Order

C Using the Command Line Interface
Shell commands
The CLI supports a few shell commands that allow you to perform various search, cut, and paste operatio

Page 184 - Configuring the KMS Server

• new cert request
If there are no spaces between segments of quoted and non–quoted text, the two segments are treated as one argument. Thus, the comman

Page 185 - Authentication Options

If the text you have entered can refer to multiple commands, tab completion will not work, but you can press the return key to view the possible comman

Page 186 - KMS Server Settings

To exit configure mode and go to view mode, type exit at the prompt:
hostname (config)# exit
hostname#
Entering script mode
Script mode allows you to crea

Page 187

NOTE: The Script Recorder takes care of all such formatting issues and hence is probably the best way to create scripts initially.
Script recorder
The Scr

Page 188

Entering passwords
Whenever a command that requires a password is executed in a script, the actual password will not be stored in the script. Instead, w

Page 189 - User Account Lockout Settings

transfer audit logAutologout Commandsautologoutshow-autologoutBackup and Restore Commandsbackupno backuprestore backupshow backupCA Cert Commandsca ce

Page 190 - Health Check sections

1 Installing and replacing hardwareThis section details the steps to install or replace the SKM hardware:• Preparing for the installation• Rack planni

Page 191 - Configuring the cluster

cert requestcert selfsign installno certificateno requestshow certcli-show-requestCRL Commandscrl auto-updatecrl list sendcrl list updatecrl settingsn

Page 192 - The Cluster Key

traceroute runFIPS Commandsshow fips statusfips serverreset factory settings zeroizesecurity settingsshow security settingsshow fips servershow fips s

Page 193 - Cluster Configuration page

show log rotationshow log signingshow logsigning certshow system syslogsystem syslogMode Commandsconfigureconfigure terminalexitscriptNetwork Commands

Page 194 - Cluster Settings

static routeServices Commandshaltkms-server runkms-server startupno kms-server-runno kms-server startupno snmp runno snmp startupno sshadmin runno ssh

Page 195 - Create Cluster

show snmp usernameshow stationsnmp agentsnmp usernamestationSSL Commandscipherspeccipherspec priorityno cipherspecno export cipherspecno ssl protocolr

Page 196 - Join Cluster

show ntpshow ras settingstimezone setSystem Health Commandsshow system healthSystem Information Commandsshow deviceshow softwaresoftware installsoftwa

Page 197

• activity log rotate• show activity logRelated com-mand(s)show activity log – view the Activity Log.hostname# show activity log <log name> <

Page 198 - Date and Time Settings

hostname# credential settings
Require Multiple Credentials [n]:
Num of Admins Required for Operations:
1: 2
2: 3
3: 4
Enter a number (1 - 3) [1]:
Allow Time-

Page 199 - NTP Settings

• show granted credential• no granted credential• credential settings• show credential settingsRelated com-mand(s)ldap test failover – connect to the

Page 200 - Configuring the network

hostname config# password settings
Enable Password Expiration (y/n) [n]:
Enable Password History (y/n) [n]:
Minimum Password Length [8]:
Must Passwords Co

Page 201 - Network Interfaces sections

• Use heel straps, toe straps, or boot straps at standing workstations.Wear the straps on both feet when standing on conductive floors or dissipating

Page 202

hostname# show password settings
Password Expiration: After 180 days
Password History: 4 passwords remembered
Minimum Password Length: 8
Passwords Must Co

Page 203

show autologout – view the currently configured autologout settings.
Syntax: hostname# show autologout
Related command(s):
• autologout
Backup and restore c

Page 204 - Static Route List

Syntax: hostname# show backup
Related command(s):
• backup
• no backup
• restore backup
CA certificate commands
ca certificate install – install a CA certific

Page 205 - Hostname & DNS sections

• ca profile• ca profile duplicate• ca profile rename• show ca profile• show ca profile• no ca profile• no ca profile entryRelated com-mand(s)ca profi

Page 206 - Port Speed sections

hostname (config)# local ca
Enter the certificate name:
Enter the common name:
Enter the organization name:
Enter the organization unit name:
Enter the loc

Page 207 - IP Authorization sections

• ca profile• ca profile duplicate• ca profile entry• ca profile rename• show ca profile• show ca profile• no ca profileRelated com-mand(s)no local ca

Page 208 - Allowed Client IP Addresses

• halt• no local caRelated com-mand(s)show signed certificate – display information about certificates signed by local CAs on the SKM.hostname# show s

Page 209 - Configuring SNMP

The certificate import process varies between SKMs.
hostname# cert import
Please pick the upload option for uploading your certificate:
1) Console Paste

Page 210 - SNMP overview

hostname (config)# cert request <cert name>After executing the cert request command, the system prompts you to provide the followinginformation:

Page 211 - The SNMP Configuration page

• cert request• cli-show-request• no request• cert install• cert import• show cert• cert selfsign installRelated com-mand(s)no request – delete a cert

Page 212 - SNMP Agent Settings

Rack warningsWARNING!To reduce the risk of personal injury or damage to the equipment, be sure that:• The leveling jacks are extended to the floor.• T

Page 213

Related command(s): None
crl list send – export a CRL.
hostname (config)# crl list send <ca name>
Transport Method:
1) FTP 2) SCP
Enter a number(1-2):

Page 214 - SNMPv3 Username List

hostname (config)# crl settings <ca name>
Transport Method:
1) FTP 2) SCP 3) HTTP
Enter a number(1-3):
Host:
Filename:
Username:
Password:
Confirm passw

Page 215 - SNMP Management Station List

NoneRelated com-mand(s)show crl list – display the serial number and revocation date of all revoked certificates in the CRL.hostname# show crl listSyn

Page 216

show clientevent log – view the client event log.hostname# show clientevent log <log name> <number of lines>Syntax• clientevent log rotate

Page 217 - Secure Key Manager 217

NOTE: For security purposes, this command can only be run from the CLI at the console. You cannot execute this command remotely via the CLI over SSH or

Page 218

• host run• traceroute run• ping runRelated com-mand(s)traceroute run – print the route packets take to the specified network host.hostname (config)#

Page 219 - Enterprise MIB overview

Related command(s):
• show fips server
reset factory settings zeroize – zeroize all keys and passwords on the device.
NOTE: For security purposes, this co

Page 220 - Administrator overview

hostname# show security settings
Key Security
Disable Creation and Use of Global Keys: Yes
Disable Non-FIPS Algorithms and Key Sizes: Yes
Disable RSA Encr

Page 221

hostname (config)# health check
Enable Health Check [n]:
Local IP:
1: All
2: 192.168.200.195
Enter a number (1 - 2) [1]:
Local Port [9080]:
Health check sett

Page 222 - Administrator passwords

Log commands
activity syslog – enable the SKM to use the syslog protocol to send Activity Log messages to an external machine.
hostname (config)# activit

Page 223 - LDAP administrative server

ContentsAbout this guide ... 23Intended audience ...

Page 224 - Administrator procedures

When vertical space in the rack is not filled by an SKM or rack component, the gaps between thecomponents cause changes in airflow through the rack an

Page 225 - Create LDAP Administrator

• cli-no-audit-syslog• show audit syslogRelated com-mand(s)clientevent syslog – enable the SKM to use the syslog protocol to send Client Event Log mes

Page 226

log signing – enable Secure Logs.hostname (config)# log signing <log-name>Syntax• recreate logsigning cert• show logsigning cert• show log signi

Page 227 - Password Management overview

show activity syslog – display the syslog settings for the Activity Log.hostname# show activity syslogSyntax• no activity syslog• activity syslogRelat

Page 228

hostname (config)# system syslogSyslog Server #1 IP [None]:Syslog Server #1 Port [514]:Syslog Server #2 IP [None]:Syslog Server #2 Port [514]:Syntax•

Page 229 - Password Management sections

Network commandsedit ip authorization allowed – edit the IP authorization settings for a particular IP address.NOTE:The ip authorization allowed comma

Page 230

hostname (config)# ip address [<ip address> <submask> <interface #>]ip addressEnter the IP address:Enter the subnet mask:Available i

Page 231 - Multiple Credentials overview

• no ip addressRelated com-mand(s)ip name–server – add a domain name server.hostname (config)# ip name-server <IP1> <IP2>...<IPn>NOT

Page 232

no static route – delete a static route on the SKM.hostname (config)# no static routeSyntax• static route• show static routeRelated com-mand(s)show et

Page 233

• edit ip authorization allowed• ip authorization• ip authorization allowed• no ip authorization allowed• show ip authorization allowedRelated com-man

Page 234 - Multiple Credentials sections

• show static route• no static routeRelated com-mand(s)Services commandshalt – halt the SKM.hostname (config)# haltSyntax• rebootRelated com-mand(s)km

Page 235 - Grant a Credential

CAUTION:Protect the SKM from power fluctuations and temporary interruptions with a regulating uninterruptiblepower supply (UPS). This device protects

Page 236

hostname (config)# no sshadmin runSyntax• sshadmin runRelated com-mand(s)no sshadmin startup – disable SSH administration when starting up the SKM.hos

Page 237

• no snmp runRelated com-mand(s)snmp startup – enable SNMP when starting up the SKM.hostname (config)# snmp startupSyntax• no snmp startupRelated com-

Page 238 - LDAP Administrator Server

edit community – edit a community.hostname (config)# edit community <community name>Enter your changes to the community public below.Press enter

Page 239

NOTE:When you execute the edit station command, the system prompts you to provide thenew SNMP management station information. In the example shown her

Page 240

NOTE:When you execute the edit snmp username command, the system prompts you toprovide the new SNMPv3 username information.hostname (config)# no snmp

Page 241 - Viewing logs and statistics

hostname (config)# snmp agent
Available IP addresses:
1. All
2. 192.168.200.195
SNMP agent IP [All] (1-2): 1
SNMP agent port [161]:
Enable SNMP traps? (y/n)

Page 242

SSL commands
cipherspec – enable a cipher spec.
NOTE: The cipher order pertains to the communication channel between the client (application, database, et

Page 243

Related command(s):
• show cipherspec
• cipherspec
• no cipherspec
• no export cipherspec
• restore cipherspec
no cipherspec – disable a cipherspec.
hostname

Page 244 - Log Configuration page

Related command(s):
• show cipherspec
• cipherspec priority
• cipherspec
• no cipherspec
• no export cipherspec
show cipherspec – view the priority of all c

Page 245 - Log Rotation Properties

Syntax:
hostname# show license
Licenses: 5
Related command(s):
• show license usage
show license usage – show the number of licenses currently in use.
hostna

Page 246

5. Place shipping materials back into the shipping cartons.6. Set the shipping cartons aside for later use.Identifying the shipping carton contentsA n

Page 247 - Log Signing

hostname (config)# edit ras settings
Available IP addresses:
1. All
2. 192.168.200.195
Web Admin Server IP [192.168.200.195] (1-2): 2
Web Admin Server Port

Page 248

Related command(s):
• show ntp
• ntp
• no ntp server
recreate ssh key – recreate the Secure Shell key.
NOTE: If you execute the recreate ssh key command fro

Page 249 - Activity Log Settings

hostname (config)# timezone set <time zone>Syntax• clock set• show clockRelated com-mand(s)Table 142 clock set syntax detailsDescriptionParamete

Page 250 - Log Viewer page

System information commandsshow device – view the model number and Unit ID of the SKM.hostname# show deviceSyntax• show softwareRelated com-mand(s)sho

Page 251 - Audit Log

• no system log• show system logRelated com-mand(s)transfer system log – transfer a system log off of the SKM.hostname# transfer system log <log_na

Page 252

D TroubleshootingThis appendix addresses some of the typical problems you might face as the administrator of theSKM.Table 143 Common problemsPossible

Page 253 - Activity Log

Troubleshooting326

Page 254

E Regulatory compliance noticesThis section contains regulatory notices for the HP StorageWorks Secure Key Manager (SKM) appliance.Regulatory complian

Page 255 - Client Event Log

of this equipment in a residential area is likely to cause harmful interference, in which case the userwill be required to correct the interference at

Page 256

Class B equipmentThis Class B digital apparatus meets all requirements of the Canadian Interference-Causing EquipmentRegulations.Cet appareil numériqu

Page 257 - Statistics page

CAUTION: There will be several tamper-evident labels. Do not cut or damage these labels because they are required for FIPS compliance audits.
Selecting a

Page 258 - Connection Statistics

Korean noticesClass A equipmentClass B equipmentTaiwanese noticesBSMI Class A noticeTaiwan battery recycle statementRecovery text:• “Please recycle wa

Page 259 - Throughput

Laser compliance noticesEnglish laser noticeThis device may contain a laser that is classified as a Class 1 Laser Product in accordance with U.S.FDA r

Page 260 - License Usage

French laser noticeGerman laser noticeItalian laser noticeRegulatory compliance notices332

Page 261 - KMS Statistics

Japanese laser noticeSpanish laser noticeRecycling noticesEnglish noticeSecure Key Manager 333

Page 262

Bulgarian noticeCzech noticeDanish noticeDutch noticeRegulatory compliance notices334

Page 263 - Command Line Interface syntax

Estonian noticeFinnish noticeFrench noticeGerman noticeSecure Key Manager 335

Page 264 - Tab completion

Greek noticeHungarian noticeItalian noticeLatvian noticeRegulatory compliance notices336

Page 265 - Command modes

Lithuanian noticePolish noticePortuguese noticeRomanian noticeSecure Key Manager 337

Page 266 - Scripting mode

Slovak noticeSpanish noticeSwedish noticeTurkish noticeTürkiye Cumhuriyeti: EEE Yönetmeli ine UygundurRegulatory compliance notices338

Page 267 - Installing certificates

Battery replacement noticesDutch battery noticeSecure Key Manager 339

Page 268 - CLI commands

9. Remove the rails from the original appliance for reuse on the replacement appliance. To do so,pull out on the tab of the rail that locks the center

Page 269 - Secure Key Manager 269

French battery noticeGerman battery noticeRegulatory compliance notices340

Page 270

Italian battery noticeJapanese battery noticeSecure Key Manager 341

Page 271 - Secure Key Manager 271

Spanish battery noticeRegulatory compliance notices342

Page 272

F SpecificationsThis section provides the VLS node and specifications.SKM appliance specificationsSpecificationItem4.3 cm (1.70 in)Height70.5 cm (27.8

Page 273 - Secure Key Manager 273

ShippingNon-operatingOperating5% to 95%10% to 95%40% to 60%Relative humidity (noncondensing)2-1000 ft to 40,000 ft-1000 ft to 10,000 ft-1000 ft to 10,

Page 274

GlossaryActive Device In the VRRP group, this is the device that is receiving all network traffic. This istypically the primary device; however, in ca

Page 275 - Activity log commands

periodic time requests to servers, obtaining server time stamps, and using themto adjust the client's clock.Passive device In the VRRP group, the

Page 276

IndexSymbols?, 298Aaccess control, 225activity log level, 275activity log rotate, 275activity syslog, 299administrator, 276administratorscreating, 225

Page 277 - Secure Key Manager 277

clustersand multiple credentials, 233configuring, 193creating, 195joining, 196overview, 191password protection for, 192community, 311configure, 303con

Page 278

Internal Backup List section, 101IP addressesDNS server, 205network, 201ip address, 304IP addressesclient, 208IP authorizationallowed client IP addres

Page 279 - Secure Key Manager 279

3. With the appliance fully seated in the rack, tighten the thumbscrews just until the bezel is securedto the rack.Attaching the cables1. Connect a st

Page 280 - Autologout commands

no ca certificate, 284no ca profile, 284no certificate, 288no cipherspec, 317no clientevent syslog, 301no community, 313no crl list, 291no export ciph

Page 281 - Backup and restore commands

show statistics, 319show activity log, 276show activity syslog, 302show administrator, 279show audit log, 280show audit syslog, 302show autologout, 28

Page 282 - CA certificate commands

time settings, 198timezone set, 321TLS, 180tools, installation, 27Traceroute Information section, 109traceroute run, 295transfer audit log, 280transfe

Page 283 - Secure Key Manager 283

Installing and replacing hardware36

Page 284

2 Configuring the systemStarting the SKM applianceNOTE:To prepare to configure the system, have ready all information listed on the pre-install survey

Page 285 - Secure Key Manager 285

5. Follow the prompts to enter the necessary information:TIP:Press Enter to accept the default.a. Admin account password. The Security Officer will us

Page 286 - Certificate commands

6. Configure the default settings for the key replication interval and retry attempts.NOTE:These commands require firmware version 1.1 or greater.a. L

Page 287

Creating and installing the SKM Server Certificate ... 47Propagating third-party certif

Page 288

If you are replacing an SKM appliance or adding a member to an existing cluster, skip to Establishing a cluster.
The configurations in this step are per

Page 289 - CRL commands

6. Add the Local CA to the Trusted CAs list.a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority ListProf

Page 290

3. Enter information required by the Create Certificate Request section of the window to create theSKM server certificate.a. Enter a Certificate Name

Page 291 - Secure Key Manager 291

10. Enter data required by the Sign Certificate Request section of the window.a. Select the CA name from the Sign with Certificate Authority drop down

Page 292 - Client event log commands

3. In the KMS Server Settings section of the window, click Edit. The following warning may display.4. Configure the KMS Server Settings as shown. (Ens

Page 293

1. From the SKM management console, click the Device tab.2. In the Device Configuration menu, click Cluster.3. Type the cluster password in the Create

Page 294 - Diagnostic commands

2. If you skipped Creating the cluster, retrieve the cluster key text file now. To do so, select theCluster Settings section of the window, click Down

Page 295 - FIPS commands

6. Join the appliance to the cluster.a. Select the Device tab.b. In the Device Configuration menu, click on Cluster.c. In the Cluster, click on Join C

Page 296

8. Click on the SKM Local CA.9. Click Sign Request.10. Enter information required in the Sign Certificate Request section of the window as shown:a. In

Page 297 - Secure Key Manager 297

6. Click Select None.7. Click Continue.8. In the Create Backup screen, type a name, description, and password for the certificate backup.9. Select Dow

Page 298 - History commands

Viewing the FIPS status report ... 67KMS server procedures

Page 299 - Log commands

Configuring the system50

Page 300

3 Performing configuration and operationtasksKey and policy proceduresCreating a keyTo create a key:1. Log in to the Management Console as an administ

Page 301 - Secure Key Manager 301

4. Enter a value in the Owner Username field to assign a specific owner or leave this value blankto create a global key. If an owner is listed for the

Page 302

4. Click Download Public Key to download the public portion of the RSA key.Deleting a keyTo delete a key:1. Log in to the Management Console as an adm

Page 303 - Mode commands

User and group proceduresNOTE:User accounts and groups can be managed locally on the SKM and shared among clustered nodes.This is the preferred method

Page 304 - Network commands

2. Navigate to the Local Groups section of the User & Group Configuration page (Security > LocalUsers & Groups).3. Select a Group and click

Page 305 - Secure Key Manager 305

LDAP server proceduresSetting up the LDAP user directoryTo set up the LDAP user directory:1. Log in to the Management Console as an administrator with

Page 306

2. Navigate to the LDAP Failover Server Properties section of the LDAP Server Configuration page(Security > LDAP > LDAP Server).3. Click Edit.4.

Page 307 - Secure Key Manager 307

NOTE:To generate a valid certificate, you must have a certificate authority sign a certificate request. Youcan create local CAs on the SKM, and use th

Page 308

7. Navigate to the Local Certificate Authority List section.8. Select a CA and click Sign Request.9. Paste the certificate request into the Certificat

Page 309 - Services commands

Enabling signed logs ... 90Verifying a secure l

Page 310

6. Copy the certificate request text. The certificate text looks similar, but not identical, to the following text.
-----BEGIN CERTIFICATE REQUEST-----
M

Page 311 - SNMP commands

IMPORTANT: A self-signed certificate should be used for testing purposes only. Any attempt to connect with an SKM using a test self-signed certificate s

Page 312

6. Click Save.The SKM verifies the validity of the newly installed certificate. If determined to be valid, thecertificate appears as “Certificate Acti

Page 313

Certificate Authority (CA) proceduresAdding a CA certificate to the trusted CA listTo add a CA certificate to the trusted CA list:1. Log in to the Man

Page 314

Deleting a trusted CA list profileTo delete a trusted certificate authority list profile:1. Log in to the Management Console as an administrator with

Page 315 - Secure Key Manager 315

2. Navigate to the Local Certificate Authority List section of the Certificate and CA Configurationpage (Security > Local CAs).3. Select a certific

Page 316 - SSL commands

4. Select Intermediate CA Request as the Certificate Authority Type.5. Click Create. The new request appears in the Local Certificate Authority List s

Page 317

2. Navigate to the Install CA Certificate section of the Certificate and CA Configuration page(Security > Known CAs).3. Enter a value for the Certi

Page 318 - Statistics commands

KMS server procedures
The KMS server is the firmware component of the SKM server that manages communications between the SKM and the clients. This secti

Page 319 - System commands

Enabling password authentication
To enable password authentication:
1. Log in to the Management Console as an administrator with KMS Server access contr

Page 320

Accessing the Help system ... 120Using the Key and Polic

Page 321

Clustering proceduresCreating a clusterYou create a cluster on one SKM and then join other members to that cluster. To create a cluster:1. Select an S

Page 322 - System health commands

4. Click Synchronize With and confirm this action. As part of the synchronization, the KMS Serverwill create an automatic synchronization backup befor

Page 323 - System log commands

Upgrading a clusterA cluster can be upgraded by upgrading one device at a time. Once all of the devices are runningthe new software, you can configure

Page 324

2. Navigate to the NTP Settings section of the Date & Time Configuration page (Device > Date &Time).3. Click Edit.4. Select Enable NTP.5. E

Page 325 - D Troubleshooting

7. Repeat steps 3 through 6 as needed.8. Click Edit on the IP Authorization Settings section.9. For each service select either Allow All Connections t

Page 326 - Troubleshooting326

1. Configure the agent at the SNMP Agent Settings section.2. Create an SNMPv3 username at the SNMPv3 Username List section to enable the NMS to access

Page 327 - FCC rating label

5. If using SSL, select Use SSL and enter the Trusted Certificate Authority.6. Enter the number of seconds to wait for the LDAP server during connecti

Page 328 - Class A equipment

3. Click LDAP Test.Password management proceduresChanging your passwordTo change your administrator account password:1. Log in to the Management Conso

Page 329 - Japanese notices

access to the SKM configuration is secured but not in a haphazard manner. It is best to have a documented procedure in place to handle such a situation

Page 330 - Taiwanese notices

1. Log in to the Management Console as an administrator with High Access Administrator accesscontrol. This is the administrator that will grant creden

Page 331 - Laser compliance notices

Support for Certificate Revocation Lists ... 167Local CAs ...

Page 332 - Italian laser notice

6. Click Sign Request. This will take you to the CA Certificate Information section where the certificateis displayed in PEM format.7. Click the Downl

Page 333 - Recycling notices

5. Click Save.
NOTE: This feature is immediately enabled when you select Web Admin User Authentication. You will be logged out of the Management Console

Page 334 - Dutch notice

2. Determine the Key Sharing Group.a. From the filtered list of keys, choose the one with the most recent timestamp (the numbersequence at the end of

Page 335 - German notice

3. Export (backup) the key.a. From the Device tab, in the Maintenance menu on the left, select Backup & Restore, thenselect Create Backup to displ

Page 336 - Latvian notice

Figure 7 Entering backup informationi. Click Backup.A message displays when the backup is complete. The backup operation should take a fewseconds.4. S

Page 337 - Romanian notice

5. Import (restore) the backup file to Cluster #2a. On the SKM, from the Device Tab, in the Maintenance menu on the left, select Backup &Restore,

Page 338 - Turkish notice

6. Restart the SKM software.
NOTE: Following a restore, the SKM must be restarted.
a. From the SKM Device tab, in the Maintenance menu, select Services.
b

Page 339 - Battery replacement notices

8. Ensure that the key sharing group has been added.a. From the SKM interface, Security tab, Users and LDAP Menu, select Local Users and Groups.b. Ver

Page 340 - German battery notice

3. In the Keys field, select No keys.4. Click Continue.5. In the Device Items field, click Select All.6. Click Continue.7. In the Backup Summary secti

Page 341 - Japanese battery notice

1. From the SKM interface on the Device tab, in the Maintenance menu, select Backup Restore, thenCreate Backup.2. In the Create Backup pane, in the Se

Page 342 - Spanish battery notice

Hostname Setting ... 205DNS Server List ...

Page 343 - F Specifications

1. Log in to the Management Console as an administrator with Logging access control.2. Navigate to the Log Configuration page (Device > Log Configu

Page 344

3. Double-click on the file. Outlook Express will open and display a help screen with a securityheader that reads: “Digitally signed - signing digital

Page 345 - Glossary

Recreating the log signing certificate
Prior to creating a new log signing certificate, back up the old certificate so you can verify previously signed l

Page 346 - Glossary346

Clearing a logTo clear a log:1. Log in to the Management Console as an administrator with Logging access control.2. Navigate to the Log Viewer page (D

Page 347

Performing configuration and operation tasks94

Page 348

4 Maintaining the SKM
Backup and restore overview
Clustering SKM nodes is an effective way of exchanging keys and configuration data to allow for failove

Page 349

If one of these objects is being restored on a device where there is already a similar object with thesame name, the key, certificate, or local CA fro

Page 350

Figure 14 Viewing the Create Backup: Security Items sectionThe following table describes the components of the Create Backup: Security Items section.T

Page 351

DescriptionComponentsClick Continue to configure the next group of items.ContinueCreate Backup: Device ItemsUse this section to select the device item

Page 352

Figure 16 Viewing the Create Backup: Backup Settings sectionThe following table describes the components of the Create Backup: Backup Settings section
