Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Dell EMC ML3 Library Tape

Integration of Dell ML3 Library Tape

search

Integration of Dell ML3 Library Tape

This section lists the steps to integrate Dell ML3 Library Tape with CipherTrust Manager.

Prerequisites

This section provides the prerequisites for integration of Dell ML3 Library Tape with CipherTrust Manager.

  • Communication between DELL Device and the KMIP Server (CIPHERTRUST MANAGER) - must be allowed

  • KMIP port (5696) must be opened

  • LME feature must be enabled on the DELL device: Settings > Security > Licensed features

  • There must be as many KMIP licenses in CM as there are Libraries to enable for encryption. For example, two licenses in this case:

Note

  • LME (LIBRARY MANAGED ENCRYPTION) feature is by default embedded in the DELL device

  • Two versions of LME are available

    • KMIP (V1.2)

    • SKLM (Security Key Life Cycle Manager) for z/OS encryption

Configuration on CipherTrust Manager

To configure the CipherTrust Manager, you need to perform the following steps:

To configure the CipherTrust Manager, you need to perform the following steps:

  1. Creating a Domain (optional)

  2. Creating a User

  3. Assigning User to a Group

  4. Creating or Adding a CA (optional)

  5. Registering a KMIP Client

  6. Configuring the KMIP Interface

Creating a Domain (Optional)

Perform the following steps to be performed on CipherTrust Manager:

  1. Navigate to Admin Settings > Domains.

  2. Click Add Domain. The Add Domain page appears.

  3. Specify the following information:

    • Name - Enter the domain name.

    • Admins - Select the admins (one or more) from the list available in the drop down. For example, admin.

    • Parent CA - Select parent CA as root CA.

    • Allow Subdomain User Management - Select this check box if you want to enable the sub-domain user management through this domain.

  4. Click Save.

  5. Switch to the newly created domain by clicking the top right on the current Domain Name.

Creating a User

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager GUI.

  2. Open the Access Management application.

  3. On the left navigation pane, click Users. The Users page is displayed.

  4. On the Users page, click Add User.

  5. On the Add User page, provide the following details:

    • Select the required Connection Type

    • Select the checkbox against the required Allowed Client Type.

    • Enter Full Name

    • Enter Username

    • Enter the desired Password. Re-enter the password in the Password Match field.

  6. Click Add User. The newly created user will now appear on the Users page.

Note

To create a user in sub-domain, you must enable Allow Subdomain User management.

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager GUI with the User you created within the sub-domain.

  2. Open the Access Management application.

  3. On the left pane, click Users. The Users page is displayed.

  4. On the Users page, click Add User.

  5. On the Add User page, provide the following details:

    • Select the required Connection Type

    • Select the checkbox against the required Allowed Client Type.

    • Enter Full Name

    • Enter Username

    • Enter Password. Re-enter the password in the Password Match field.

  6. Click Add User. The newly created user will now appear on the Users page.

Assigning User to a Group

Perform the following steps to add user to a group:

  1. Navigate to the Users page.

  2. Click the ellipsis button (...) corresponding to the user that you created in the previous step.

  3. Click Edit/View.

  4. Click Group Memberships > Add Group.

  5. In the search bar, enter the desired Group name and select the check box corresponding to it. For example, Key Admins or Key Users.

  6. Click Add Group.

Creating or Adding a CA (Optional)

Note

Creating a CA is an optional step in this integration. However, it is recommended to select the CA carefully, as it will be used throughout the process.

Select the Local CA tab if you want to create a Local CA OR select the External CA tab if you wish to add the External CA.

To create/add a Self-signed local CA, perform the following steps:

  1. Navigate to CA > Local. Select Add Local CA, the Add Local CA page appears.

  2. Provide the required information and click Add Local CA. The created Local CA will appear under Pending CAs section.

  3. Click the ellipsis against the Local CA that you created and select the option Self-sign.

  4. Select a valid duration for the Local CA. Click Save.

To add an external CA, perform the following steps:

  1. Navigate to CA > External. The External Certificate Authorities page appears. Select Add External CA, the Add External Certificate page appears.

  2. Provide the required information.

  3. If you want to upload the external CA, select the File Upload option and click Upload Certificate. Browse and select the required External CA.

    OR

    Select Text and paste the contents of External Certificate.

  4. Click Add External CA.

Registering a KMIP Client

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Log on to the CipherTrust Manager.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Navigate to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Click Save. The new profile is created.

  4. Create Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on CA that you created above.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

    Note

    If you are using External CA then you can select the external CA that you created above and uploaded on the CipherTrust Manager.

  5. Turn ON Auto Registration using the following steps:

    1. Go to Admin Settings > Interfaces.

    2. Click the ellipsis button (...) corresponding to the kmip interface.

    3. Click View/Edit.

    4. On the Interface Detail window, perform the following:

      • Select the Interface Mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

      • Select Auto Registration checkbox.

      • Paste the Registration Token.

      • Add the CA (Local or External) to the list of Trusted CAs. The CA will reflect uder the dropdown menu of Local/External Trusted CAs depending upon CA that you created above.

      • Click Update.

  1. Log on to the CipherTrust Manager.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Click Certificate Details.

    5. You can either paste the content of a generated client.csr or you can create one, by filling in the required details.

    6. Click Save.

  4. Create Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on the CA type that you created above.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

    Note

    If you are using External CA then you can select the external CA that you created above and uploaded on the CipherTrust Manager.

  5. Go to Registered Clients and click Add Client.

    • Specify client name and paste the Registration Token that you generated in the above step.

      Note

      If you are using external CA then you can either upload the client certificate as a file using Upload Certificate or paste the signed client certificate in the Client Certificate field.

    • Click Save to save the client certificate.

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Log on to the CipherTrust Manager into your domain.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Navigate to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Click Save. The new profile is created.

  4. Create Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on CA that you created above.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

    Note

    If you are using External CA then you can select the external CA that you created above and uploaded on the CipherTrust Manager.

  5. Turn ON Auto Registration using the following steps:

    1. Go to Admin Settings > Interfaces.

    2. Click the ellipsis button (...) corresponding to the kmip interface.

    3. Click Edit.

    4. On the Interface Detail window, perform the following:

      • Select the Interface Mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

      • Select Auto Registration checkbox.

      • Paste the Registration Token.

      • Add the CA (Local or External) to the list of Trusted CAs. The CA will reflect uder the dropdown menu of Local/External Trusted CAs depending upon CA that you created above.

      • Click Update.

  1. Log on to the CipherTrust Manager into your domain.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Expand the Certificate Details section.

    5. You can either paste the content of a generated client.csr or you can create one, by filling in the required details.

      For domain, the format to enter the Common Name field of the cert is always: domainName||domainUser

    6. Click Save.

  4. Create a Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on CA that you created above.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

  5. If you are using External CA then you can select the external CA which you created earlier. Refer to External CA under Creating or Adding a CA.

  6. Go to Registered Clients and click Add Client.

    1. Specify client name and paste the Registration Token generated in the above step.

    Note

    If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    1. Click Save to save the client certificate.

Configuring the KMIP Interface

The KMIP interface can be configured through:

  1. Go to Admin Settings > Interfaces.

  2. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  3. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, the Auto Registration is disabled.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    In case of External CA, Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA.

  6. Depending upon the CA that you created above, select an option from the following::

    • If you are using Local CA then select the CA under Local Trusted CAs

    • If you are using External CA then select the CA under External Trusted CAs, provided you have the external CA that you created and uploaded on the CipherTrust Manager. For more information on creating or uploading CA, refer to Creating or Adding a CA.

  1. Select the CA according to your preference.

    1. Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.

    2. Logout of your sub-domain and now login to the root domain.

    3. Go to CA > External > Add External CA.

    4. Enter a name for this Domain CA and select the text radio button and paste the certificate contents.

    5. Click Add External CA.

    6. Go to Admin Settings > Interfaces.

    7. Click the Add icon to add the External CA.

    8. Click Update.

    Note

    If you are using an External CA in the Sub-Domain, you need to add the CA as an External CA in both the root domain as well as the sub-domain and modify the interface accordingly.

    1. Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.

    2. Logout of your sub-domain and now login to the root domain.

    3. Go to CA > External > Add External CA.

    4. Enter a name for this Domain CA and select the text radio button and paste the certificate contents.

    5. Click Add External CA.

    6. Go to Admin Settings > Interfaces.

    7. Click the Add icon to add the External CA.

    8. Click Update.

    9. On the KMIP interface, click the ellipsis (...) > Certificate Options > Upload New Certificate > Ok.

    10. Select the Certificate Chain option and click Build Certificate Chain.

    11. Click on Text and paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space, character or symbol between the contents of these files.

    12. Select certificate Format as PEM.

    13. Click on Upload Certificate.

  2. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  3. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, the Auto Registration is disabled.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    In case of External CA, Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA.

Configuration on Dell ML3

To configure the Dell ML3, you need to perform the following steps:

  1. Click on the Settings > Security > Encryption. (It should show Library Managed Encryption (KMIP)Disabled, Licensed)

    Note

    If Encryption setting shows Application Manager Encryption, see Appendix.

  2. Click Actions dropdown and select Manage Encryption to access the Wizard:

  3. Click Clear All Wizard Settings:

  4. Click Proceed:

  5. Click Next.

  6. On single partition library, the dropdown will show Logical Library Default. On multi partition library, the dropdown will have a list of library partitions.

  7. Click Next.

  8. In the Certificate Option, in dropdown, select Generate Certificate Request (CSR).

  9. Click Next.

    Note

    Now, you can either create dedicated credentials per Library or a common one for all Libraries.

  10. Click Next.

  11. Enter the Certificate Authority(CA) from the CipherTrust Manager:

  12. Click Next.

  13. Click Next again.

  14. The CipherTrust Manager KMIP server requires the KMIP credentials for Authentication. Clear the Enable KMIP Certificate-only authentication checkbox to enter the username and password of the KMIP user previously created for the specified Library:

  15. Click Next and copy the Library Certificate.

  16. Paste the copied Library Certificate in the KMIP Certificate field.

  17. Click Next. Select KMIP Compatible and enter CipherTrust nodes IP adresses/ Ports. It allows upto 10 key managers.

  18. Click on 'Connectivity Check' to test the communication. The result should be successful :

  19. Click Next.

  20. Review the summary and click Finish.

  21. Click Exit.

Note

Only one license per library even for multiple partitions (each partition uses same source IP)

On this page