Scalar Key Manager 2.

Contents

Installing and Configuring the SKM

Appliance Servers ................................. 2
Items Required for Setup ................. 2
Installing the SKM Appliance Servers 3
Configuring the SKM Appliance
Servers .............................................. 5
Scalar Key Manager 2.5 Installing and Configuring the SKM
VMware Servers .................................... 9

Quick Start Guide Equipment and Software Needed for

VMware ............................................ 9
Deploying the .ova Image on
VMware .......................................11
Configuring the SKM VM Servers on
VMware .......................................... 11
This quick start guide provides basic installation and configuration Installing and Configuring the SKM KVM
Servers ................................................ 17
instructions for the Scalar® Key Manager (SKM). SKM can be deployed in
one of two ways: Equipment and Software Needed for
KVM ................................................ 17
• a pair of physical appliances (servers) purchased from Quantum, or Deploying the .raw Image on KVM 18
• a pair of virtual machines (VMs) installed in a VMware® or KVM Configuring the SKM VM Servers on
KVM ................................................ 21
environment.
Installing TLS Certificates on the SKM
Definition of terms: This guide uses the following terms to differentiate Server for Pre-SKM 2.4 (240Q) ........... 25
between the two types of deployment: Installation Process ......................... 25
• SKM appliance server — Physical key server purchased from Requirements for Installing User-
Quantum. provided TLS Certificates ................ 27
Installing TLS Certificates on the SKM
• SKM VM server — Virtual machine key server purchased from Server for SKM 2.4 (240Q) or Later .... 28
Quantum and installed in a VMware or KVM environment. Begin the Installation ..................... 28
• SKM server — Generic term applying to either an SKM appliance server Executing the Script Using the -d
or an SKM VM server. Option ............................................ 28
Executing the Script Without Using the
These instructions guide you through installing and configuring both
-d Option ........................................ 31
options. For more information, see the Scalar Key Manager User’s Guide
Generating Quantum Bundles for
located at http://www.quantum.com/ServiceandSupport/
Certificates ..................................... 36
SoftwareandDocumentationDownloads/SKM/Index.aspx. (Scroll down and
click the Documentation tab, and then locate the Product Use Guides Configuring Your Library For SKM ..... 38
heading.) Configuring the Scalar i40/i80 and
Scalar i500 Tape Libraries ............... 38
Perform all of the steps, in order, before you begin encrypting tapes. Configuring the Scalar i2000/i6000
This instruction uses the following conventions: Tape Library .................................... 40
Configuring the Scalar i3/i6 Tape
Note: Notes emphasize important information related to the main topic. Library ............................................ 41
Backing Up the Servers ....................... 43
Configuring Multiple Libraries ........... 42
Caution: Cautions indicate potential hazards to equipment and are
included to prevent damage to equipment.

www.quantum.com

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Installing and Configuring the SKM Appliance Servers

Follow the instructions in this section if you are deploying a pair of physical SKM
appliance servers.

Caution: The SKM appliance servers are designed for one purpose only—to store and
manage your encryption keys. Do not install additional hardware on the
servers. Never install any software, file, or operating system on the servers
unless it is an upgrade or patch supplied by Quantum. Doing so can make
your server inoperable and will void your warranty.

Items Required for You need the following to install and configure each SKM appliance server:
Setup • (2) SKM appliance servers (each comes with two hard disk drives installed).
• Power cord (supplied).
• Rackmount kit (supplied).
• CAT5e or higher Ethernet cable, crossover (for initial configuration, not supplied).
• CAT5e or higher Ethernet cable, standard (for standard operation, not supplied).
• Laptop or PC, to connect to each server to perform initial configuration.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.

Library Minimum Firmware Required

Scalar i40/i80 120G

Scalar i500 570G

Scalar i2000 595A

Scalar i6000 600A

Scalar i3 110G
Note: Requires SKM 2.4 (240Q) or
later

Scalar i6 110G
Note: Requires SKM 2.4 (240Q) or
later

• For Microsoft® Windows®, you may need to install utilities to use secure shell (SSH)
and secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at
http://winscp.net.

2 Installing and Configuring the SKM Appliance Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.

Installing the SKM Follow the instructions below for both SKM appliance servers.
Appliance Servers
Caution: Do not remove any hard drive from the appliance server unless it is failed or
you are instructed to do so by Quantum service. Removing any hard drive
may render it unusable.

1 Determine the location for the servers. It is recommended that the two servers be in
different geographical locations for disaster recovery purposes. Ensure the air
temperature is below 95 °F (35 °C).
2 Install the SKM appliance server in a rack. Follow the Scalar Key Manager Rack
Installation instruction sheet (included with the rail kit and located at http://
www.quantum.com/ServiceandSupport/SoftwareandDocumentationDownloads/
SKM/Index.aspx.)
3 Connect the power cord into the rear of the SKM appliance server (see Figure 1) and
plug it into a grounded power outlet.
Depending on the server model you have, it will take 20 seconds to 3 minutes for
power button to become active. During this time, one or more fans might run loudly
and then quiet down. On some models, the power-on LED on the front panel (see
Figure 2) blinks rapidly (4 times per second), indicating the power button is not
active yet.

Installing and Configuring the SKM Appliance Servers 3

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Figure 1 SKM Appliance Server The rear of your server looks like one of the drawings below.
Rear Panel
M2 and earlier

Power cord Ethernet Port 1 Ethernet Port 2 

connector (configuration) (network)

M3 and M4

Power cord Ethernet Port 1 Ethernet Port 2 

connector (configuration) (network)

M5

Power cord Ethernet Port 2  Ethernet Port 1

connector (network) (configuration)

M6

Power cord Ethernet Port 2 Ethernet Port 1 

connector (network) (configuration)

4 Observe the power-on LED on the front panel (see Figure 2). Wait until the power-on
LED blinks slowly to indicate that the power button is active.
If the power-on LED is not blinking, there could be a problem with the power supply
or the LED. Check the power connection. If this LED still does not blink, contact
Quantum Support.

4 Installing and Configuring the SKM Appliance Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

5 Power on the SKM appliance server by pressing the power button on the front of
the server (see Figure 2).

Figure 2 Front Panel

M3 and earlier

Power-on LED Power Button

M4 and later

Power Button and LED

M5

Power Button and LED

M6

6 Again, observe the power-on LED on the front panel. Wait until it is illuminated but
not blinking, indicating the server is powered on.
7 Wait about 3 minutes to allow the server to complete startup before you connect via
SSH in the next step.

Configuring the SKM Follow the instructions below for both SKM appliance servers.
Appliance Servers
Note: Both SKM appliance servers must be configured, operational, and connected to
the network before any libraries can be set up to use them.

Configuration requires you to read and accept the end user license agreement, and then
complete a setup wizard to configure the following values. Before beginning, decide
what each value should be. (You can change these values in the future, if desired.)
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.

Installing and Configuring the SKM Appliance Servers 5

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

1 Set the IP address of the laptop or PC you will use to connect to the SKM appliance
server to 192.168.18.100.
2 Connect a CAT5e crossover Ethernet cable from the laptop or PC to Ethernet Port 1
on the rear of the SKM server (see Figure 1 on page 4).

Note: Ethernet Port 1 is used only for configuration. Once you perform the initial
configuration, you will use Ethernet Port 2 for SKM appliance server
communication via your network.

3 Using SSH, connect to the server using the IP address for Ethernet Port 1:
192.168.18.3.

Note: The IP address of Ethernet Port 1 is a static IP address that cannot be

changed.

4 At the login prompt, type the following (this is the user login ID which will never
change):
akmadmin
5 At the Password prompt, type the default password:
password
6 At the akmadmin@skmserver prompt, type the following:
./skmcmds
7 At the Password prompt, type the default password again:
password
The End User License Agreement displays.
8 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type y to accept and continue or n to decline and stop the installation process.
9 Press <Enter> to begin the setup wizard.
10 The first setup wizard task prompts you to change the akmadmin password (see
Figure 3). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to SKM Admin commands, including backup
and restore.

Figure 3 Changing the

Password

6 Installing and Configuring the SKM Appliance Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Caution: EXTREMELY IMPORTANT: Remember Your

Password!

If you change the password from the default and forget it, there is
no way to retrieve it!

Each SKM server has its own password. If you set them differently,
you must remember both. 

If you forget your password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.

Charges may apply for replacement of an SKM appliance server
required due to changing and then forgetting the password.

CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!

• If you do not wish to change the password at this time, just press <Enter> at the
“change password” prompts and the default password (password) remains.
You can change the password at any time later using SKM Admin Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type a new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.
11 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, SKM server IP address, netmask, and gateway. If you press <Enter>
without entering a value, the existing value remains.

Note: To ensure proper TLS certificate generation, Quantum recommends setting

both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.) 

Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.

The IP address you are configuring is for Ethernet Port 2, the port you will be using
for network connection to SKM. 
Ethernet Port 1 IP Address (never changes): 192.168.18.3
Ethernet Port 2 Default IP Address: 192.168.20.4 or 192.168.18.4 depending on
the server version

Installing and Configuring the SKM Appliance Servers 7

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Note: Ports are identified on the back of the server as Port 1 and Port 2, but when
configuring SKM through the console the ports are referred to onscreen as
Ports 0 and 1 respectively. (That is, labeled Port 1 = Port 0 in the console,
and labeled Port 2 = Port 1 in the console.)

Note: The netmask must match the netmask and gateway of the connected
libraries.

12 When the setup wizard is complete, press <Enter>.

The list of SKM Admin commands displays (see Figure 4). If you made any mistakes
during the setup wizard, you can go back and change them by entering the number
corresponding to the item.

Figure 4 SKM Admin

Commands

13 Type q and press <Enter> at the command prompt to quit, save your changes, and
restart the SKM key server. This process takes a few seconds. Wait until the
akmadmin@skmserver prompt appears.

Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.

14 Disconnect the CAT5e crossover Ethernet cable from Ethernet Port 1 (see Figure 1
on page 4).
15 On the laptop you are using to configure SKM, change the hard-coded IP address
back to DHCP.

8 Installing and Configuring the SKM Appliance Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

16 Connect a standard CAT5e Ethernet cable from Ethernet Port 2 on the back of the
SKM appliance server to your network (see Figure 1 on page 4). You will connect to
this port using the IP address assigned in Step 11 above.
17 Complete steps 1-16 on the secondary SKM node before proceeding.
18 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.

Note: You can see the version of software you are running at the top of the SKM
Admin Commands menu. To view the software version without accessing
SKM Admin Commands, refer to “Viewing the SKM Server Software
Version” in the SKM User’s Guide.

Installing and Configuring the SKM VMware Servers

Note: Quantum provides support for SKM, however Quantum does not support the
virtual environment hardware or software (VMware or KVM).

Follow the instructions in this section if you are deploying a pair of SKM VM servers for
installation in a VMware environment.
Perform all the instructions in this section for each SKM VM server. Use a different
installation CD for each VM.

Caution: It is recommended that the two SKM VM servers be installed in different

physical locations to provide better protection in case of disaster.

Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by
Quantum.

Equipment and You need the following to set up and configure the SKM VM servers:
Software Needed for • Two (2) Scalar Key Manager VM Installation CD packages. You must use a different
VMware CD package for each SKM server. Each CD package contains:
• SKM VM server software (.ova image)
• SKM server Quantum-provided TLS communication certificate bundle (.tgz file)

Installing and Configuring the SKM VMware Servers 9

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

• Printed label on the CD case containing a unique serial number, MAC ID and
license key (required for installation)
• VMware® vSphere™ Client installed on a computer. The computer may be the same
as the server that hosts the VM but it does not have to be. The vSphere Client is
required for initial setup; after that, you can use vSphere Client or another method
to access the SKM VM server.

Note: These instructions in this section use vSphere Client version 5.0. If you use a
different version of vSphere, the instructions may differ.

• Resources required for each SKM VM server:

• (1) Ethernet interface
• (1) CD ROM drive
• 1 GB RAM
• 8 GB of disk space
• VM host software must be one of the following:
• VMware ESX 4.x (64 bit) and higher
• VMware ESXi 4s.x (64 bit) and higher
• Video memory must be set to 3 MB.
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.

Library Minimum Firmware Required

Scalar i40/i80 120G

Scalar i500 570G

Scalar i2000 595A

Scalar i6000 600A

Scalar i3 110G
Note: Requires SKM 2.4 (240Q) or
later

Scalar i6 110G
Note: Requires SKM 2.4 (240Q) or
later

• If you plan to connect to the SKM VM server (now or in the future) via a Microsoft
Windows machine, you may need to install utilities to use secure shell (SSH) and
secure file transfer protocol (SFTP). Two such utilities are PuTTY, available at http://
www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP, available at http://
winscp.net.
• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.

10 Installing and Configuring the SKM VMware Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.

Deploying the .ova Follow the instructions below for both SKM VM servers. The .ova installation process is
Image on VMware performed via VMware’s vSphere Client.
1 Insert the Scalar Key Manager VM Installation CD into the your computer’s CD ROM
drive.
2 You may copy the .ova image to a shared network drive for faster deployment if you
wish.
3 Launch vSphere Client.
4 Log on to the VM host.
5 Highlight the IP address of the VM host.
6 Select File > Deploy OVF Template.
The Deploy OVF Template wizard opens.
7 Complete the wizard screens and click Finish when done.
A progress bar displays on the screen. When complete, the SKM VM server name
appears in the list of VMs on the screen. Deployment takes a few minutes to several
hours depending on network speed and location of the .ova image in relation to the
VM host. Wait until the file deploys before continuing.

Configuring the SKM Follow the instructions below for both SKM VM servers.
VM Servers on VMware
Note: Both SKM VM servers must be configured, operational, and connected to the
network before any libraries can be set up to use them.

Caution: You must use a different CD package for each VM server. Keep track of
which CD you use for which SKM server. It is recommended that you keep
each CD in its respective CD case and write on the case which server it
applies to. The TLS certificates and serial number/MAC ID/license key are
unique and you must use the correct ones if you ever need to reinstall the
SKM server. Also, if you accidentally use the same CD package for both VM
servers, you will not be able to complete the configuration.

The configuration process requires you to read and accept the end user license
agreement, and then complete a setup wizard. The setup wizard helps you configure
the following values. Before beginning, decide what you want each of these values to
be. You can also change these values in the future.
• Password
• Time zone, date, and time
• IP address, netmask, and gateway

Installing and Configuring the SKM VMware Servers 11

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Allow 30 minutes per server to complete the configuration.

1 Using vSphere Client, make sure the SKM VM server you just created is powered OFF
(right-click the VM server, select Power, then select Power Off).
2 Right-click the SKM VM server and select Edit Settings.
3 Configure the MAC address as follows (see Figure 5):
a Under the Hardware tab, select Network adapter 1.
b Under MAC Address, select Manual.
c In the MAC Address field, type the MAC ID from the label attached to the CD
case of the CD from which you deployed the .ova image.
d Click OK.

Figure 5 Configuring the MAC

Address (Example)

4 Configure the video memory as follows:

a Right-click the SKM VM server and select Edit Settings.
b Under the Hardware tab, select Video card (see Figure 6).
c On the right side of the screen, under Enter total video RAM, change the
setting to 3 MB.
d Click OK.

12 Installing and Configuring the SKM VMware Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Figure 6 Video Card Settings

5 Power ON the SKM VM server (right-click the SKM VM server in the left panel, select
Power, then select Power On).
6 Highlight the SKM VM server in the left panel.
7 In the right panel, click the Console tab. Wait a few moments for the software to
load.

Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.

Note: If you receive the following error message when trying to use the console,
follow the workaround steps listed below. 
Error message: This kernel requires an x86-64 CPU, but only detected an
xxxx CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If
so, change the host BIOS processor settings as follows, then follow the
onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable

Installing and Configuring the SKM VMware Servers 13

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

8 At the skmserver login prompt, type the following (this is the user login ID which
will never change):
akmadmin
9 At the Password prompt, type the default password:
password
10 At the akmadmin@skmserver prompt, type:
./skmcmds
11 At the Password prompt, type the default password:
password
12 When prompted for the license, type the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova image,
and press <Enter>. The license is not case sensitive.
The license file is created.
13 When prompted, press <Enter>.
The End User License Agreement displays.
14 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type y to accept and continue or n to decline and stop the installation process.
15 When prompted, press <Enter> to set up the server.
16 The first setup wizard task prompts you to change the akmadmin password (see
Figure 7). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to commands, including backup and restore.

Caution: EXTREMELY IMPORTANT: Remember Your

Password!

If you change the password from the default and forget it, there is
no way to retrieve it!

Each SKM server has its own password. If you set them differently,
you must remember both. 

If you forget the password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.

CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!

• If you do not wish to change the password at this time, just press <Enter> at
the password prompt and the default password (password) remains
unchanged. You can change the password at any time later using SKM Admin
Commands.

14 Installing and Configuring the SKM VMware Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

• If you wish to change the password:

a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type the new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.

Figure 7 Changing the

Password

17 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, IP address, netmask, and gateway. If you press <Enter> without
entering a value, the existing value remains.

Note: To ensure proper TLS certificate generation, Quantum recommends setting

both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.) 

Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.

Note: The default SKM VM server IP address is: 192.168.20.4.

18 When finished press <Enter>.

A message lets you know there are no certificates loaded on the SKM server.
19 Press <Enter>.
The list of SKM Admin commands displays (see Figure 8). If you made any mistakes
during the setup wizard, you can go back and change them by typing the number
corresponding to the item you want to change at the command prompt.

Installing and Configuring the SKM VMware Servers 15

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Figure 8 SKM Admin

Commands

20 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.

Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.

21 Complete steps 1-20 on the secondary SKM node before proceeding.

22 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.

Caution: Do NOT power on the VM instance yet. Wait until you configure the
MAC ID per the instructions below. Otherwise, you will have problems
with the MAC address later.

16 Installing and Configuring the SKM VMware Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Installing and Configuring the SKM KVM Servers

Note: Quantum provides support for SKM, however Quantum does not support the
virtual environment hardware or software (VMware or KVM).

Follow the instructions in this section if you are deploying a pair of SKM VM servers for
installation in a KVM environment.
Perform all the instructions in this section for each SKM VM server. Use a different
installation CD for each VM.

Caution: It is recommended that the two SKM VM servers be installed in different

physical locations to provide better protection in case of disaster.

Caution: Quantum requires that you do not install any software, file, or operating
system on the SKM VM server unless it is an upgrade or patch supplied by
Quantum.

Equipment and You need the following to set up and configure the SKM VM servers:
Software Needed for • Two (2) Scalar Key Manager VM Installation CD packages. You must use a different
KVM CD package for each SKM server. Each CD package contains:
• SKM VM server software (.raw.bz2 image)
• SKM server Quantum-provided TLS communication certificate bundle (.tgz file)
• Printed label on the CD case containing a unique serial number, MAC ID, and
license key (required for installation)
• QEMU-KVM installed on a computer. The computer may be the same as the server
that hosts the VM but it does not have to be. Access to QEMU-KVM is required for
initial setup.
• Resources required for each SKM VM server:
• (1) Ethernet interface
• (1) CD ROM drive
• 1 GB RAM
• 8 GB of disk space
• KVM host software must Virtual Machine Manager 0.9.0 or higher
• Library firmware must be at the following minimum versions to run SKM. To access
all the features of SKM, the most recent library firmware is recommended.

Library Minimum Firmware Required

Scalar i40/i80 120G

Installing and Configuring the SKM KVM Servers 17

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Library Minimum Firmware Required

Scalar i500 570G

Scalar i2000 595A

Scalar i6000 600A

Scalar i3 110G
Note: Requires SKM 2.4 (240Q) or
later

Scalar i6 110G
Note: Requires SKM 2.4 (240Q) or
later

• The SKM server must have IP connectivity through any firewalls to all Quantum
libraries using the SKM appliance server to obtain encryption keys.
• SKM uses TCP ports 80, 6000 and 6001 for SKM server communication. These ports
must all be open on your network in a bi-directional mode in order for SKM
communication between the SKM servers and libraries to work.

Deploying the .raw Follow the instructions below for both SKM VM servers. The .raw installation process is
Image on KVM performed via QEMU-KVM.
1 Insert the Scalar Key Manager VM Installation CD into the your computer’s CD ROM
drive.
2 Decompress the .raw.bz2 image file to a known location. You may copy the image
to a shared network drive for faster deployment if you wish.
For example: bunzip2 5-01071-01_220Q.GC00300.raw.bz2
3 Launch QEMU-KVM.
4 Log on to the VM host.
5 Under the local host, right-click and select New.
The New VM wizard opens.

18 Installing and Configuring the SKM KVM Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

6 In the Name field, type the name of the new virtual machine.
7 Select Import existing disk image and click Forward.

8 Click Browse and navigate to the .raw file.

9 For OS type select Linux and for Version select Ubuntu [version] (Lucid Lynx).
Click Forward.

Installing and Configuring the SKM KVM Servers 19

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

10 For Memory (RAM) select 1024 and for CPUs select 2. Click Forward.

11 For Advanced Options select the host device which corresponds with your virtual
network interface.

20 Installing and Configuring the SKM KVM Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

12 Select Set a fixed MAC address and enter the MAC address provided on the
installation CD. Ensure Virt Type is set to kvm and the Architecture is set to the
default value.
13 Click Finish when done.
A progress bar displays on the screen. When complete, the SKM VM server name
appears in the list of VMs on the screen. Deployment takes a few minutes to several
hours depending on network speed and location of the .ova image in relation to the
VM host. Wait until the file deploys before continuing.

Caution: Do NOT power on the VM instance yet. Wait until you configure the
MAC ID per the instructions below. Otherwise, you will have problems
with the MAC address later.

Configuring the SKM Follow the instructions below for both SKM VM servers.
VM Servers on KVM
Note: Both SKM VM servers must be configured, operational, and connected to the
network before any libraries can be set up to use them.

Caution: You must use a different CD package for each VM server. Keep track of
which CD you use for which SKM server. It is recommended that you keep
each CD in its respective CD case and write on the case which server it
applies to. The TLS certificates and serial number/MAC ID/license key are
unique and you must use the correct ones if you ever need to reinstall the
SKM server. Also, if you accidentally use the same CD package for both VM
servers, you will not be able to complete the configuration.

The configuration process requires you to read and accept the end user license
agreement, and then complete a setup wizard. The setup wizard helps you configure
the following values. Before beginning, decide what you want each of these values to
be. You can also change these values in the future.
• Password
• Time zone, date, and time
• IP address, netmask, and gateway
Allow 30 minutes per server to complete the configuration.
1 Power ON the SKM VM server (right-click the SKM VM server in the left panel, select
Power, then select Power On).
2 Highlight the SKM VM server in the left panel.
3 In the right panel, click the Console tab. Wait a few moments for the software to
load.

Note: When using the console, you will lose the ability to use your mouse/cursor.
To regain the use of the mouse/cursor, press <Ctrl+Alt>.

Installing and Configuring the SKM KVM Servers 21

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Note: If you receive the following error message when trying to use the console,
follow the workaround steps listed below. 
Error message: This kernel requires an x86-64 CPU, but only detected an
xxxx CPU. Unable to boot - please use a kernel appropriate for your CPU.
Workaround: First be sure that you are indeed using a 64-bit host server. If
so, change the host BIOS processor settings as follows, then follow the
onscreen instructions:
- 64-bit: Yes
- Virtual Technology: Enable
- Execute Disable: Disable

4 At the skmserver login prompt, type the following (this is the user login ID which
will never change):
akmadmin
5 At the Password prompt, type the default password:
password
6 At the akmadmin@skmserver prompt, type:
./skmcmds
7 At the Password prompt, type the default password:
password
8 When prompted for the license, type the 29-digit License Key (including hyphens)
from the label on the CD case of the CD from which you deployed the .ova image,
and press <Enter>. The license is not case sensitive.
The license file is created.
9 When prompted, press <Enter>.
The End User License Agreement displays.
10 Read the license agreement. Press <Enter> to scroll through the agreement. At the
end, type y to accept and continue or n to decline and stop the installation process.
11 When prompted, press <Enter> to set up the server.
12 The first setup wizard task prompts you to change the akmadmin password (see
Figure 7). There is only one password for SKM. It is called the akmadmin password,
and is required for all logins and access to commands, including backup and restore.

22 Installing and Configuring the SKM KVM Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Caution: EXTREMELY IMPORTANT: Remember Your

Password!

If you change the password from the default and forget it, there is
no way to retrieve it!

Each SKM server has its own password. If you set them differently,
you must remember both. 

If you forget the password, you will lose login access to the SKM
server, including backup and restore capability. Quantum will NOT
be able to restore the password.

CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!

• If you do not wish to change the password at this time, just press <Enter> at
the password prompt and the default password (password) remains
unchanged. You can change the password at any time later using SKM Admin
Commands.
• If you wish to change the password:
a At the (current) UNIX password prompt, type the default password
(password) and press <Enter>.
b Type the new password and press <Enter>.
c Type the new password again and press <Enter>.
d Press <Enter>.

Figure 9 Changing the

Password

13 Continue through the setup wizard to configure the rest of the settings: time zone,
date, time, IP address, netmask, and gateway. If you press <Enter> without
entering a value, the existing value remains.

Note: To ensure proper TLS certificate generation, Quantum recommends setting

both the Primary and Secondary SKM servers to the same date, time and
time zone even if they are in different time zones. (On both servers, use the
date, time and time zone values applicable to the Primary SKM server.) 

Then, 24 hours after TLS certificate generation, you can correctly set the
date, time and time zone for the secondary server.

Installing and Configuring the SKM KVM Servers 23

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Note: The default SKM VM server IP address is: 192.168.20.4.

14 When finished press <Enter>.

A message lets you know there are no certificates loaded on the SKM server.
15 Press <Enter>.
The list of SKM Admin commands displays (see Figure 8). If you made any mistakes
during the setup wizard, you can go back and change them by typing the number
corresponding to the item you want to change at the command prompt.

Figure 10 SKM Admin

Commands

16 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.

Note: You MUST quit at this point. Otherwise your changes will not be saved and
you will not be able to continue the installation process.

17 Complete steps 1-16 on the secondary SKM node before proceeding.

18 When you are finished, do one of the following:
• For pre-SKM 2.4 (240Q) systems, proceed to Installing TLS Certificates on the
SKM Server for Pre-SKM 2.4 (240Q) on page 25.
• For SKM 2.4 (240Q) and later systems, proceed to Installing TLS Certificates on
the SKM Server for SKM 2.4 (240Q) or Later on page 28.
19

24 Installing and Configuring the SKM KVM Servers

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Installing TLS Certificates on the SKM Server for Pre-SKM 2.4

(240Q)
TLS certificates are required on the SKM server. You can choose to use the Quantum-
provided TLS certificates or install your own, as follows:
• SKM appliance server: The SKM appliance server comes with Quantum-provided
TLS certificates already installed. You can install your own TLS certificates (to
overwrite the installed certificates) if you wish.

Note: This applies only to earlier SKM releases. Beginning with SKM 2.5, TLS
certificates are no longer pre-installed, and must be installed on both the
SKM server and tape library.

• SKM VM server: The Scalar Key Manager VM Installation CD contains Quantum-

provided TLS certificates that you can install on the SKM VM server. Alternatively,
you can install your own TLS certificates on the SKM VM server.
If you install your own TLS certificates, you must make sure that your certificates meet
all of the requirements in Requirements for Installing User-provided TLS Certificates on
page 27.

Note: Any time you install TLS certificates, they will overwrite any TLS certificates
currently installed on the SKM server.

Note: Beginning with SKM 2.4 (240Q), a different procedure is used to install TLS
certificates. Refer to Installing TLS Certificates on the SKM Server for SKM 2.4
(240Q) or Later on page 28.

Installation Process This procedure must be performed on both SKM servers.

1 SSH in to the SKM server. (If you have an SKM VM server, you can SSH in or continue
to use the vSphere console and proceed to Step 4 below.)
2 At the skmserver login prompt, type the login ID:
akmadmin
3 At the Password prompt, type your password.
4 At the akmadmin@skmserver prompt, type:
./skmcmds
5 At the Password prompt, type your password.
A message displays alerting you that the SKM key server will be stopped.
6 Type y to agree to stop the SKM key server and continue.
A message appears stating the SKM key server is being stopped.

Installing TLS Certificates on the SKM Server for Pre-SKM 2.4 (240Q) 25

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

7 Press <Enter> to continue.

The list of SKM Admin Commands displays.
8 At the command prompt, enter d to Display/update TLS communication
certificates.
The Display/update TLS communication certificates menu displays.
9 Using SFTP, transfer the Quantum certificate bundle file or your own certificates to
the /home/akmadmin/certs directory on the SKM server. Be sure to move the
appropriate bundle; there is a primary bundle and a secondary bundle.
10 At the command prompt, enter one of the following:
• If you used the -d or no -d option: i (to Install user provided
communication certificates)
OR
• If you used the -q option: a (to Apply Quantum-provided communication
certificate bundle).

Note: The Quantum certificate bundle is located on the Scalar Key Manager VM
Installation CD and has the file name QKMCertXXXXXXX.tgz (XXXXXXX is
a unique combination of letters and numbers).

11 Once you have transferred the files, press <Enter>.

A list of the certificate/bundle files currently in the /home/akmadmin/certs
directory displays (Figure 11 shows an example).

Figure 11 Example of
Quantum Certificate Bundle
Displayed on Screen

12 Type the file name of the appropriate certificate/bundle and press <Enter>. If you
are installing your own certificates, follow the onscreen instructions to load all three
certificates.
The certificates are installed.
13 Press <Enter>.
14 At the Command prompt, type q and press <Enter> to exit to the Display/update
TLS communication certificates menu.
15 At the Command prompt, type q and press <Enter> to quit, save your changes,
and restart the SKM key server. This process takes a few seconds.

Note: You MUST quit at this point. Otherwise the server will remain stopped and
you will not be able to continue the configuration process on the library.

26 Installing TLS Certificates on the SKM Server for Pre-SKM 2.4 (240Q)

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Note: Remember, you must repeat all preceding steps on the secondary SKM
server.

16 Proceed to Configuring Your Library For SKM on page 38.

Requirements for When providing your own certificates, it is assumed you understand the concepts of PKI
Installing User-provided and can access the tools or third-party resources needed to generate or obtain
TLS Certificates certificates.

Note: You must be running SKM 1.1 or higher on your SKM servers in order to install
your own TLS certificates.

Note: If you install your own TLS certificates on the SKM server, you must also install
your own certificates on the library. Similarly, if you use the Quantum-provided
TLS certificates on the SKM server, you must also use the Quantum provided TLS
certificates on the library. Some newer libraries come with Quantum-provided
TLS certificates pre-installed, and other newer libraries require certificate
installation. See your library user’s guide for instructions on how to verify
whether TLS certificates are installed on the library and how to install them.

You need to provide the following certificates:

• Root Certificate (also called the CA certificate, or Certificate Authority Certificate)
• Server Certificate
• Admin Certificate
These files must be in the proper format, as follows. If any of the following requirements
is not met, none of the certificates will be imported.
• The Root Certificate must be 2048 bits.
• The Root Certificate must be in PEM format.
• The Admin and Server certificates must be in pkcs12 (.p12) format, with a separate
certificate and private key contained in each.
• The Admin and Server certificates must be signed by the Root Certificate.
• Certificates must have the Organization name (O) set in their Issuer and Subject info.
• The Admin certificate must have its Organizational Unit name (OU) set as
“akm_admin” in its Subject Info.
• The same Root Certificate must be installed on the SKM servers and the library.
• All the certificates must have a valid validity period according to the date and time
settings on the SKM server.

Installing TLS Certificates on the SKM Server for Pre-SKM 2.4 (240Q) 27

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Installing TLS Certificates on the SKM Server for SKM 2.4

(240Q) or Later
Beginning with SKM 2.4 (240Q), it is now possible to self-generate library/SKM TLS
communication certificates using SKM server with version 2.4 (240Q) or greater loaded.
This certificate-generation process generates sets of TLS certificates that can be loaded
onto the primary and secondary SKM servers and all libraries attached to the servers.

Note: The TLS certificate generation process must be run on only one of the SKM
servers, so there is no need to generate TLS Certificates on both SKM servers.
Either the Primary or Secondary SKM server can be used to generate the
certificates.

Specifically, the genSKMcerts script is loaded onto the SKM servers using one of two
ways to generate certificates:
• By executing the script using the “-d” option. Certificates are generated using a set
of default values similar to the certificates currently provided by Quantum.
• By executing the script without using the “-d” option. If the “-d” option is not used,
information used to generate the certificates must be provided.

Begin the Installation 1 SSH in to the SKM server. (If you have an SKM VM server, you can SSH in or continue
to use the vSphere console and proceed to Step 4 below.)
2 At the skmserver login prompt, type the login ID:
akmadmin
3 At the Password prompt, type your password.
A message displays alerting you that the SKM key server will be stopped.
4 Type y to agree to stop the SKM key server and continue.
A message appears stating the SKM key server is being stopped.
5 Do one of the following:
• To execute the script using the -d option, proceed with the steps in Executing
the Script Using the -d Option on page 28.
• To execute the script without using the -d option, proceed with the steps in
Executing the Script Without Using the -d Option on page 31.

Executing the Script Use the following procedure to generate certificates using the -d option, which uses
Using the -d Option default values. The generated certificates are valid for ten years from the date on which
they were generated.
1 Once logged into the SKM server, execute genSKMcerts –d to generate certificates
using the defaults.

28 Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

The following illustration shows the default values (in brackets) used:

2 When prompted, enter and re-enter a password that will be used during the pk12
file generation.

TLS certificate generation is completed using the default values. A message informs
you when certificate generation is complete. The location of the certificates (/home/
akmadmin/generatedcerts) is also provided.

Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later 29

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

3 Complete the process by loading the certificates onto the SKM servers and tape
libraries using the procedures described in the user’s guide for the applicable
libraries.
• For the Scalar i40/i80, refer to “Importing Encryption Certificates” in the Scalar
i40 and Scalar i80 User’s Guide.
• For the Scalar i2000/i6000, refer to “Step 3 — Installing TLS Communication
Certificates on the Library” in the Quantum Scalar i2000/i6000 User’s Guide.
• For the Scalar i3, refer to the topic “Load Certificate - Encryption” in the Scalar i3
Documentation Center: http://qsupport.quantum.com/kb/flare/content/
Scalar_i3/docCenter/Encryption_Load_Certificate.htm
• For the Scalar i6, refer to the topic in the Scalar i3 Documentation Center: http:/
/qsupport.quantum.com/kb/flare/content/Scalar_i6/docCenter/
Encryption_Load_Certificate.htm
Names of the files to copy are listed on the final screen that informs you that
certificate generation is complete.

After you finish loading the certificates onto the SKM servers and tape libraries,
return to this guide and proceed with the steps in Configuring Your Library For SKM
on page 38.
4 (Optional) If desired, you can verify the certificate details by running the ls -R
generatedcerts/ command.

30 Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Executing the Script Use the following procedure to generate certificates without using the -d option. This
Without Using the -d method requires you to enter certificate values. If desired, you can press Enter to accept
Option the default value (displayed in brackets) for any item.
1 Once logged into an SKM server running version 2.4 (240Q) or greater, execute
genSKMcerts to begin entering the values used to generate certificates.

2 Enter the size of the key in bits. Valid key sizes are 1024, 2048 or 4096 bits. The
default size is 2048 bits.

3 Enter the duration in days for which the TLS certificates will be valid. The default
duration is 10 years (3650 days).

Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later 31

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

4 At this time the only valid certificate digest is “SHA1”, so press Enter to accept the
default value and continue.
5 Enter your two-character country identifier.

6 Enter your state or province name.

7 Enter your locality or city name.

32 Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

8 Enter your company or organization name.

9 Enter your organizational unit or section name.

10 The next three entries are common names for the Tape libraries, SKM primary server
and SKM secondary server. The names must be unique because these names will be
used for the different sets of certificates.

Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later 33

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

11 The last entry is optional: an email address that will be included with the certificate
information.

12 When prompted, confirm that the displayed information is correct.

• Enter y to confirm and begin the certificate-generation process.

• Enter n if you want to change any of the values you entered. Note that the
defaults are now the values you previously entered, so you can easily bypass any
correct values and change only the incorrect values.
After you confirm that the displayed values are correct, certificate generation
begins.

34 Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

13 When prompted, enter and re-enter a password that will be used during the pk12
file generation.

A message informs you when certificate generation is complete. The location of the
certificates (/home/akmadmin/generatedcerts) is also provided.
14 Complete the process by loading the certificates onto the SKM servers and tape
libraries using the procedures described in the user’s guide for the applicable
libraries.
• For the Scalar i40/i80, refer to “Importing Encryption Certificates” in the Scalar
i40 and Scalar i80 User’s Guide.
• For the Scalar i2000/i6000, refer to “Step 3 — Installing TLS Communication
Certificates on the Library” in the Quantum Scalar i2000/i6000 User’s Guide.
• For the Scalar i3, refer to the topic “Load Certificate - Encryption” in the Scalar i3
Documentation Center: http://qsupport.quantum.com/kb/flare/content/
Scalar_i3/docCenter/Encryption_Load_Certificate.htm
• For the Scalar i6, refer to the topic in the Scalar i3 Documentation Center: http:/
/qsupport.quantum.com/kb/flare/content/Scalar_i6/docCenter/
Encryption_Load_Certificate.htm

Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later 35

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Names of the files to copy are listed on the final screen that informs you that
certificate generation is complete.

After you finish loading the certificates onto the SKM servers and tape libraries,
return to this guide and proceed with the steps in Configuring Your Library For SKM
on page 38.
15 If desired, you can verify the certificate details by running the ls -R
generatedcerts/ command.

Generating Quantum After certificates are generated, follow this procedure to generate a set of Quantum
Bundles for Certificates bundles that can be loaded onto the library and SKM servers using the user interface.
1 Enter the command genSKMcerts -Q.

36 Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

2 Onscreen messages provide status as the Quantum certificate bundles are generated
using the default values, so no user input is required. (The generated bundle files are
saved at /home/akmadmin/generatedcerts/qbundles.)

After bundle generation is complete, load the bundles listed on the screen onto the
library and SKM servers using the user interface.
• The TapeLibraryQKMCert_xxxxxxxxxx.tgz bundle may be loaded onto any
library attached to the SKM server pair.
• The QKMPrimaryServerCert_xxxxxx.tgz bundle must be loaded onto the
primary SKM server.
• The QKMSecondaryServerCert_xxxxxxx.tgz bundle must be loaded onto the
secondary SKM server.

Installing TLS Certificates on the SKM Server for SKM 2.4 (240Q) or Later 37

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Configuring Your Library For SKM

All of the steps that follow deal with configuring your library for SKM and generating
data encryption keys. Depending on the size of your library, it may take up to 2.5 hours
to complete all of the following steps.
Also, please note that you cannot perform the following configuration steps until you
have completed all previous steps. Both SKM servers must be fully configured and up
and running.

Caution: Do not perform any library- or host-initiated operations on the library

partitions to be used for SKM until all of the following steps are complete.

Follow the instructions for your library:

• Configuring the Scalar i40/i80 and Scalar i500 Tape Libraries on page 38
• Configuring the Scalar i2000/i6000 Tape Library on page 40
• Configuring the Scalar i3/i6 Tape Library on page 41

Configuring the Perform these steps, in order, on the Scalar i40/i80 and Scalar i500 libraries only.
Scalar i40/i80 and See the library user’s guide or online help for detailed instructions on how to
Scalar i500 Tape complete each of these steps.
Libraries
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4, HP LTO-5, and/or HP LTO-6, or IBM LTO-5, IBM LTO-6, and/or
IBM LTO-7 (i500 only) tape drives in the library, if not already installed. Unload
all tape cartridges from these tape drives.
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Verify
the appropriate TLS communication certificates are installed on the library. If you
installed your own TLS certificates on the SKM servers, you must install your own TLS
certificates on the library. If you used Quantum-supplied TLS certificates on the SKM
servers, you must use Quantum-supplied certificates on the library.
Some newer libraries ship with TLS certificates already installed, , and other newer
libraries require certificate installation. See your library user’s guide for instructions
on how to check whether TLS certificates are installed and how to install them.
Note these general guidelines:
• For pre-2.4 SKM servers, preloaded TLS certificates on the library will work
• For 2.4 (240Q) and later SKM servers, preloaded TLS certificates on the library
will not work, and you must download the generated library TLS certificate onto
the library

38 Configuring Your Library For SKM

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

4 Configure the SKM server IP addresses on the library.

a From the library’s Web client, navigate to the encryption system configuration
screen.
b Enter the primary and secondary SKM server IP addresses or host names in the
fields provided.
c Click Apply.
5 Run EKM Path Diagnostics and make sure all the tests pass. Pass/fail status is
displayed in a progress window after the diagnostics completes (see Figure 12). This
is required to make sure the library is connected properly to both SKM servers. If any
of the tests fail, follow the instructions in the online help or library user’s guide to
troubleshoot and then run EKM Path Diagnostics again.

Figure 12 EKM Path

Diagnostics PASSED Window

6 Configure SKM partitions and generate data encryption keys:

a On the library’s Web client, navigate to the encryption partition configuration
screen.
b For each partition in which you will use SKM, in the Encryption Method drop-
down list, select Enable Library Managed.
c Click Apply.
Data encryption keys are generated. When you enable library managed
encryption on a partition in the library for the first time, the library
automatically triggers each SKM server to generate a set of unique data
encryption keys. The key generation process should take 30 minutes or less to
complete, depending on network performance. The library notifies you when
the process is complete.
d Wait for the process to complete before continuing to the next step.
7 Save the library configuration.
8 Proceed to Backing Up the Servers on page 43.

Configuring Your Library For SKM 39

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Configuring the Perform these steps, in order, on the Scalar i2000/i6000 library only.
Scalar i2000/i6000 Tape See the library user’s guide or online help for detailed instructions on how to
Library complete each of these steps.
1 Install the Encryption Key Management (EKM) license on your library.
2 Prepare partitions for library-managed encryption:
a Install HP LTO-4, HP LTO-5, and/or HP LTO-6, or IBM LTO-5, IBM LTO-6, and/or
IBM LTO-7 tape drives in the library, if not already installed. Unload all tape
cartridges from these tape drives.
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Verify
the appropriate TLS communication certificates are installed on the library. If you
installed your own TLS certificates on the SKM servers, you must install your own TLS
certificates on the library. If you used Quantum-supplied TLS certificates on the SKM
servers, you must use Quantum-supplied certificates on the library.
4 Configure the SKM server IP addresses and generate data encryption keys.
a On the library’s remote Web client, navigate to the EKM server configuration
screen.
b Enter the SKM primary and secondary server IP addresses or hostnames in the
fields provided.
c Click OK.
Data encryption keys are generated. As soon as you apply the SKM server IP
addresses, the library automatically triggers each SKM server to generate a set
of unique data encryption keys. The key generation process should take 30
minutes or less to complete, depending on network performance. The library
generates a RAS ticket when the process is complete. Wait until you receive this
ticket before going to the next step.

Note: If the key generation fails, the library generates a RAS ticket. Follow the
instructions in the ticket to resolve any errors, then initiate manual key
generation by changing the encryption method on an SKM partition to
Enable Library Managed (as described in Step 5 below). If key
generation continues to fail, run EKM Path Diagnostics to help
determine where the problem lies.

5 Configure partitions for library-managed encryption.

a On the library’s remote client, navigate to the EKM partition configuration
screen.
b For each partition in which you will use SKM, in the Encryption Method drop-
down list, select Enable Library Managed.
c Click OK.

40 Configuring Your Library For SKM

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

6 Save the library configuration.

7 Proceed to Backing Up the Servers on page 43.

Configuring the Scalar Perform these steps, in order, on the Scalar i3 or i6 library only.
i3/i6 Tape Library Refer to the i3 or i6 Documentation Center for detailed instructions on how to complete
each of the following steps.
• Scalar i3 Documentation Center: http://www.quantum.com/scalari3docs
• Scalar i6 Documentation Center: http://www.quantum.com/scalari6docs
1 Install the Encryption Key Management (EKM) license on your library.
2 For the Scalar i3, Prepare partitions for library-managed encryption by doing the
following:
a Install the following tape drives in the library, if not already installed. Unload all
tape cartridges from these tape drives.
For the Scalar i3:
• IBM HH SAS LTO6
• IBM HH SAS LTO7
• IBM HH FC LTO6
• IBM HH FC LTO7
For the Scalar i6:
• IBM FH FC LTO6
• IBM FH FC LTO7
b On the tape drives, install the latest version of firmware that is qualified for the
library firmware installed on your library. Refer to the library release notes for
the correct version of tape drive firmware.
3 TLS certificates must be installed on the library as well as on the SKM server. Refer to
the following links to the Scalar i3/i6 Documentation Centers for instructions on
how to install certificates.
• For Scalar i3: http://qsupport.quantum.com/kb/flare/content/Scalar_i3/
docCenter/Encryption_Overview_Quattro.htm
• For Scalar i6: http://qsupport.quantum.com/kb/flare/content/Scalar_i6/
docCenter/Encryption_Overview_Quattro.htm
4 Configure the SKM server IP addresses and generate data encryption keys.
a On the library’s remote Web client, navigate to the EKM server configuration
screen.
b Enter the SKM primary and secondary server IP addresses or hostnames in the
fields provided.
c Click OK.

Configuring Your Library For SKM 41

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

Data encryption keys are generated. As soon as you apply the SKM server IP
addresses, the library automatically triggers each SKM server to generate a set
of unique data encryption keys. The key generation process should take 30
minutes or less to complete, depending on network performance. The library
generates a RAS ticket when the process is complete. Wait until you receive this
ticket before going to the next step.

Note: If the key generation fails, the library generates a RAS ticket. Follow the
instructions in the ticket to resolve any errors, then initiate manual key
generation by changing the encryption method on an SKM partition to
Enable Library Managed (as described in Step 5 below). If key
generation continues to fail, run EKM Path Diagnostics to help
determine where the problem lies.

5 Configure partitions for library-managed encryption.

a From the Navigation panel, select Partitions.
b In the North Panel, select the partition you want to set up.
c From the Operations panel, click EKM.
d At the Enable Library-Managed Encryption (LME) field, select the check box to
enable LME.
e Click Apply to save your settings.
f Click Close to exit the window.
For additional information, refer to these links to the Scalar i3 or Scalar i6
Documentation Center:
• For Scalar i3: http://qsupport.quantum.com/kb/flare/content/Scalar_i3/
docCenter/Partition_EKM.htm
• For Scalar i6: http://qsupport.quantum.com/kb/flare/content/Scalar_i6/
docCenter/Partition_EKM.htm
6 Proceed to Backing Up the Servers on page 43.

Configuring Multiple Libraries

If you will have multiple libraries accessing the same SKM server pair, repeat Configuring
Your Library For SKM on page 38 and Backing Up the Servers on page 43 for each
additional library.

42 Configuring Multiple Libraries

Downloaded from www.Manualslib.com manuals search engine

 Scalar Key Manager 2.5

Backing Up the Servers

Every time you generate new data encryption keys, you must back up both servers
before you begin using the keys to encrypt data. You must back up each server
separately because each contains different data. If a server fails and needs to be
replaced, the backup is required to restore operation.

Caution: EXTREMELY IMPORTANT: Back Up Your Servers!


It is critical that you back up both servers before using the keys to
encrypt data. 

The only way to read encrypted tapes is via the keys in the keystore. If
your servers fail without a backup, you will permanently lose access to
all your encrypted data. 

If both servers are lost, and no backup exists, Quantum will be unable
to restore any data from your encrypted media. 

The backup is required for server hardware replacement or for
restoring a rebuilt SKM VM server.

CAUTION! CAUTION! CAUTION! CAUTION! CAUTION!

Note: For multiple libraries accessing the same SKM server pair: If you are
configuring more than one library to use the same SKM servers, be aware that
each library triggers the SKM servers to create a set of data encryption keys
which are added to the keystore. 

You must make sure all the keys are included in your backup before you start
using those keys. If you are configuring several libraries at the same time, you
can wait until all the keys are generated and then perform a single backup of
each server, provided that you do not use the keys before you back them up.
However, if there is a time delay between the key generation during which you
intend to begin serving keys for encryption, you will need to perform multiple
backups — one after each key generation session.

Perform the following steps for each SKM server separately.

1 Connect to the SKM server using SSH (if you have an SKM VM server, you can use
SSH or continue to use the vSphere Client console).
2 At the skmserver login prompt, enter the login ID:
akmadmin
3 At the Password prompt, enter your password.
4 At the akmadmin@skmserver prompt, enter:
./skmcmds

Backing Up the Servers 43

Downloaded from www.Manualslib.com manuals search engine

 Quantum Scalar Key Manager 2.5 Quick Start Guide

5 At the Password prompt, enter your password. A message displays alerting you that
the SKM key server will be stopped.
6 Type y and press <Enter> to agree to stop the SKM key server. The list of SKM
Admin commands displays.
7 At the command prompt, enter 7 to Back up SKM server.
8 Press <Enter>. Backup files are created and consolidated into a single file, whose
name and location are displayed on the screen.
9 Note the name and location of the backup file:
/home/akmadmin/backups/SKM<version>KeyServer<serial
number><date><time>.tgz
For example:
/home/akmadmin/backups/SKM2_0KeyServerJ1144W802152017123429.tgz
10 Use SFTP to copy the backup files to a desired location.

Caution: You must copy the backup file to another location and not just leave it
on the SKM server. This is so that, if the SKM server fails, you can
restore the backup from the remote location onto the new server.

Keep track of which backup file applies to which server so you know
which one to restore in the event that you lose a server. To further help
you identify the particular server, this backup file also contains the SKM
server’s serial number.

Caution: Do not use SKM to encrypt the sole copy of your SKM server
backup. If both servers were to fail, you would not be able to recover
the encrypted backup and would lose all data you had stored on all
your encrypted tapes.

11 Press <Enter>. The SKM Admin commands menu displays.

12 At the command prompt, type q and press <Enter> to quit SKM Admin commands
and restart the SKM key server.
13 Repeat the above steps on the other server in the SKM server pair.

*6-66532-10 A*
44 6-66532-10 Rev A, May 2017

For assistance, contact the Quantum Customer Support Center: About Quantum
USA: 1-800-284-5101 (toll free) or +1-720-249-5700
EMEA: +800-7826-8888 (toll free) or +49-6131-3241-1164 Quantum is a proven global expert in Data Protection and Big Data
APAC: +800-7826-8887 (toll free) or +603-7953-3010 management, providing specialized storage solutions for physical,
Worldwide: http://www.quantum.com/ServiceandSupport virtual and cloud environments. From small businesses to major
enterprises, more than 50,000 customers trust Quantum to help
maximize the value of their data by protecting and preserving it over
its entire lifecycle. With Quantum, customers can Be Certain they’re
able to adapt in a changing world—keeping more data longer,
bridging from today to tomorrow, and reducing costs. See how at
www.quantum.com/BeCertain.
©2017 Quantum Corporation. All rights reserved. Quantum and the Quantum logo are registered
trademarks of Quantum Corporation and its affliates in the United States and/or other countries. All
other trademarks are the property of their respective owners. Printed in USA.

Downloaded from www.Manualslib.com manuals search engine