To add data in flight encryption, License requirements, Configuring the client – HP StoreOnce Backup User Manual
Page 213: Configuring the StoreOnce Backup system
The StoreOnce CLI command is in the format:
# net add ipaddr
For the purposes of this example, we shall assume that the configuration now contains a
management subnet, subnet2, a Data subnet, subnet1, on a portset that is not VLAN enabled,
and a Data subnet, subnet_vlan1, on a portset that is VLAN enabled and show the commands
to expand the three subnets for the additional couplet. Remember that VLANs require one IP address
per node and physical data LANs require two IP addresses per node.
# net add ipaddr
# net add ipaddr
# net add ipaddr
To add Data in Flight Encryption
IP packets have no in-built security measures, which means that access to the network enables
packet content to be viewed and, because there is no verification, there is no indication whether
a packet has been viewed or the content modified. IPsec is an OSI layer 3 protocol that provides
encryption and mutual verification at the IP address level. The IPsec protocol is supported for data
subnet encryption on all StoreOnce models running StoreOnce software version 3.11.0 or later.
Data in Flight Encryption uses the IPsec protocol to support data encryption at subnet level. It
requires you to pair the IP addresses of the media server and the subnet that you have configured
on the StoreOnce Backup system and to create a rule that ensures the pair communicate uniquely
with each other based on a password that you configure within the rule. Configuration on the
StoreOnce Backup system is via a single StoreOnce CLI command, net add encryption. It
cannot be configured as part of the wizard. But this is only one half of the configuration. You must
also configure IPsec on the media server that forms the other part of the pair.
NOTE:
On HP StoreOnce 6500 and B6200 Backup systems, the IP address that you specify for
the HP StoreOnce Backup system is the Data Path VIF of the service set at which backups are
targeted from the media server. In the event of failover, the Data Path VIF is automatically failed
over to the other service set in the couplet and Data In Flight Encryption continues to function
normally.
NOTE:
IPsec cannot be configured on a management only subnet in a multi-node system. (Access
to the management GUI is encrypted anyway.) Performance is impacted, and the impact depends on
the model; the worst case is a 40% reduction in throughput.
License requirements
If you wish to use the IPsec feature, you must first install the Security Pack license on all couplets
in the StoreOnce Backup system.
Configuring the client
The IPsec pair and rule must be configured on both the client media server and the StoreOnce
Backup appliance. See the HP StoreOnce Backup system Linux and UNIX Configuration guide for
information about configuring Linux media servers. Configuration of Windows media servers is
via Windows local security policy. (This will be described in more detail in the next edition of this
guide.) For full details of which operating systems are supported go to
.
Configuring the StoreOnce Backup system
IMPORTANT:
If you subsequently change the network configuration, you must re-apply the IPsec
encryption.
The syntax for the StoreOnce CLI command is:
net add encryption myconfig mysubnet ipAddr clientip passPhrase mypassword
In the following example, we have created a copy of the configuration called config_with_ipsec
that adds encryption to subnet_2. The IP address is the client’s IP address and the passphrase
must match the passphrase that has been configured on the client.
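The following is an added example, not code from the HP manual or from the StoreOnce product. It models the rules this page states for the IP address sizing of the expanded subnets (one address per node on a VLAN subnet, two per node on a physical data LAN) and the preconditions for a net add encryption rule (Security Pack license on every couplet, no IPsec on a management-only subnet in a multi-node system, a valid client IP address and a non-empty passphrase that must match the media server) as a preflight check that can be run before the command is typed. The class and function names, the two nodes per couplet, and the sample configuration are this example's own assumptions; it does not talk to an appliance.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed model of a StoreOnce network configuration (hypothetical names).
NODES_PER_COUPLET = 2


@dataclass
class Subnet:
    name: str
    role: str            # "management" or "data"
    vlan: bool = False   # True for a VLAN-enabled portset, False for a physical data LAN


@dataclass
class StoreOnceConfig:
    name: str
    couplets: int
    licensed_couplets: int   # couplets that have the Security Pack license installed
    subnets: Dict[str, Subnet] = field(default_factory=dict)

    def multi_node(self) -> bool:
        return self.couplets > 1


def sample_config(licensed_couplets: int = 2) -> StoreOnceConfig:
    """Constructed two-couplet system matching the subnets named on this page."""
    cfg = StoreOnceConfig(name="config_with_ipsec", couplets=2,
                          licensed_couplets=licensed_couplets)
    for s in (Subnet("subnet2", "management"),
              Subnet("subnet1", "data", vlan=False),
              Subnet("subnet_vlan1", "data", vlan=True)):
        cfg.subnets[s.name] = s
    return cfg


def ip_addresses_needed(subnet: Subnet, extra_couplets: int) -> int:
    """Addresses to reserve when expanding a subnet by extra_couplets:
    VLAN subnets need one IP per node, physical data LANs need two."""
    per_node = 1 if subnet.vlan else 2
    return NODES_PER_COUPLET * extra_couplets * per_node


def preflight_encryption(cfg: StoreOnceConfig, subnet_name: str,
                         client_ip: str, passphrase: str) -> List[str]:
    """Return the reasons a 'net add encryption' rule would be rejected
    or would not work; an empty list means the rule passes these checks."""
    problems = []
    if cfg.licensed_couplets < cfg.couplets:
        problems.append("Security Pack license must be installed on all couplets")
    subnet = cfg.subnets.get(subnet_name)
    if subnet is None:
        problems.append(f"subnet {subnet_name!r} is not in configuration {cfg.name!r}")
        return problems
    if subnet.role == "management" and cfg.multi_node():
        problems.append("IPsec cannot be configured on a management-only subnet "
                        "in a multi-node system")
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        problems.append(f"client IP {client_ip!r} is not a valid IP address")
    if not passphrase:
        problems.append("passphrase is empty; it must match the passphrase "
                        "configured on the media server")
    return problems


def encryption_command(config_name: str, subnet_name: str,
                       client_ip: str, passphrase: str) -> str:
    """Render the CLI line in the syntax the manual gives; call only after
    preflight_encryption() returned no problems."""
    return (f"net add encryption {config_name} {subnet_name} "
            f"ipAddr {client_ip} passPhrase {passphrase}")


if __name__ == "__main__":
    cfg = sample_config()
    for name in ("subnet2", "subnet1", "subnet_vlan1"):
        print(name, "needs", ip_addresses_needed(cfg.subnets[name], 1), "IPs for one more couplet")
    issues = preflight_encryption(cfg, "subnet1", "192.0.2.10", "s3cret")   # constructed values
    print(issues or encryption_command(cfg.name, "subnet1", "192.0.2.10", "s3cret"))
```

The check deliberately does not require the client address to lie inside the StoreOnce subnet, because the page only says the media server address is paired with the subnet, not that it must belong to it. Remember also that the page requires the rule to be re-applied after any network configuration change; a preflight like this is worth re-running at that point.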
Worked example