
Key managers, Operation, Licensing – HP StoreEver ESL G3 Tape Libraries User Manual


B Using the Key Management Interoperability Protocol (KMIP) feature

KMIP is an industry standard protocol for communications between a key management server and
an encryption system. The KMIP specification is developed by the KMIP technical committee of the
OASIS standards body (Organization for the Advancement of Structured Information Standards).
The KMIP feature allows the ESL G3 to obtain encryption keys from selected KMIP-compliant key
managers. These keys can be used to encrypt data as it is written to tape.

Key Managers

To use the KMIP feature, a KMIP key manager must be available. HP can only support ESL G3
KMIP when used with a supported key manager, listed in the EBS Matrix, located at
http://www.hp.com/go/ebs.

Operation

When the KMIP feature is enabled and properly configured, tape data will automatically be
encrypted with keys delivered from the KMIP key manager. Tapes are encrypted on a key-per-tape
basis.

Write and append operations: The tape drive will request a key when data is written. The tape
library, acting as an intermediary, may request the key manager to create a key. The library then
obtains that key and delivers it to the tape drive. The key is identified by a name, which is associated
with the media identifier. The key is not retained in the tape drive any longer than necessary to
perform encryption operations.

Read operations: The tape drive will request a key. The tape library, acting as an intermediary,
obtains the key identifier, requests that key from the key manager, and delivers it to the tape drive.
The key is not retained in the tape drive any longer than necessary to perform decryption operations.
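
The key flow described above, modelled as an added example (not HP's code and not part of the manual). An in-memory stand-in plays the key manager; the class names, the `tape-key-<media id>` naming scheme, the reuse of the key on later writes and the toy keystream are assumptions made for illustration.

```python
import hashlib
import secrets

class KeyManager:
    """In-memory stand-in for a KMIP key manager (constructed for this example)."""
    def __init__(self):
        self._keys, self.log = {}, []  # name -> key; (operation, name) audit trail

    def create(self, name):
        self._keys[name] = secrets.token_bytes(32)
        self.log.append(("create", name))

    def get(self, name):
        self.log.append(("get", name))
        if name not in self._keys:
            raise LookupError(f"no key named {name!r}: tape cannot be decrypted")
        return self._keys[name]

class Library:
    """Brokers every key request; the drive never contacts the key manager."""
    def __init__(self, key_manager):
        self.km, self.key_names = key_manager, {}  # media identifier -> key name

    def key_for_write(self, media_id):
        if media_id not in self.key_names:      # first write to this tape
            name = f"tape-key-{media_id}"       # hypothetical naming scheme
            self.km.create(name)
            self.key_names[media_id] = name
        return self.km.get(self.key_names[media_id])  # later writes reuse it

    def key_for_read(self, media_id):
        return self.km.get(self.key_names.get(media_id, f"tape-key-{media_id}"))

class Drive:
    """Holds a key only while one operation runs."""
    def __init__(self, library):
        self.library, self.held_key = library, None

    def _process(self, key, data):
        self.held_key = key
        try:  # toy keystream standing in for the drive's cipher, not real crypto
            stream = hashlib.shake_256(key).digest(len(data))
            return bytes(a ^ b for a, b in zip(data, stream))
        finally:
            self.held_key = None  # key dropped as soon as the operation ends

    def write(self, media_id, data):
        return self._process(self.library.key_for_write(media_id), data)

    def read(self, media_id, blob):
        return self._process(self.library.key_for_read(media_id), blob)
```

Reading a tape whose key name is unknown to the key manager raises `LookupError`, which is the practical consequence of key-per-tape encryption: a tape is only readable where its key is.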

Licensing

The KMIP feature requires an ESL G3 license before the feature can be enabled and configured.

KMIP Configuration

The EBS Matrix lists the compatible KMIP server models, the server vendors, and links to primary
documents those vendors provide.

Table 49 Enrolling ESL G3 with a KMIP Server

| Step | Description of task | Primary document(s) providing more detail | Comment |
|---|---|---|---|
| 1 | Install and configure the key managers. | Server vendor's product documentation | Collect the IP address of each server. |
| 2 | Set up a new client account for the ESL G3. | Server vendor's Integration Guide for ESL G3 | Collect the account username and the account password. |
| 3 | Create and export a CA certificate. | Server vendor's Integration Guide for ESL G3 | Collect the filename of the CA certificate (a file with a crt extension). |
| 4 | Create and export a signed client certificate. | Server vendor's Integration Guide for ESL G3 | Collect the filename of the client certificate bundle (a file with a p12 extension). |
| 5 | Install the ESL G3 KMIP license. 1, 2 | HP StoreEver Enterprise Systems Library (ESL) G3 Tape Library User Guide | The KMIP license SKU for ESL G3 is B4J73A. |
