IBM Support

Encryption Using SKLM (formerly TKLM) or EKM on IBM System i

Troubleshooting


Problem

This document is used to update users about encryption when using IBM Security Key Lifecycle Manager (SKLM), formerly Tivoli Key Lifecycle Manager (TKLM), and Encryption Key Manager (EKM).

Resolving The Problem

This document is used to update users about encryption options when using IBM Security Key Lifecycle Manager (SKLM), formerly Tivoli Key Lifecycle Manager (TKLM), and Encryption Key Manager (EKM).

These products are used to save data encrypted on 3494, TS3500, TS4500, TS3400, TS3310, TS3200, TS3100, TS2900 tape libraries with TS1120/TS1130/TS1140/TS1150/TS1155, Fiber-attached LTO4/LTO5/LTO6/LTO7 tape drives or SAS-attached LTO4/LTO5/LTO6/LTO7 drives (R610 IOP-less only).

To use a TS1120/TS1130/TS1140/TS1150/TS1155 (3592) or Fiber/SAS-attached LTO4/LTO5/LTO6/LTO7 (3580) drive to do hardware encryption, the drives must be in a tape library. TS1120/TS1130/TS1140/TS1150/TS1155 drives can be in a 3494, TS3500, TS4500 or TS3400, while LTO4/LTO5/LTO6/LTO7 drives can be in a TS3500, TS4500, TS3310, TS3200, TS3100, or TS2900. If using LTO4/LTO5/LTO6/LTO7 drives, the Transparent LME feature is required (FC 5900 and 9900 for TS3310, TS3200 and TS3100; FC 5901 for TS2900).

Notes:
1. SKLM (formerly TKLM) is the currently recommended and shipped product.
2. EKM is an IBM Java Security component that was bundled with IBM's Java product.
3. FC9900 is no longer available as of December 2011, and it is not required for TKLM or SKLM.


(#5900) Transparent LTO Encryption
This feature provides license keys to enable System Managed Encryption and Library Managed Encryption on TS3100 or TS3200 Tape Libraries:

Feature Type: Chargeable
Required Feature: No
Minimum number of features: None
Maximum number of features: One
Initial order only: No
Prerequisites: feature #9900, LTO4/LTO5/LTO6 Drive, feature #8144 or feature #8145
Installation: Plant or Field

(#5901) Transparent LTO Encryption
This feature provides license keys to support System Managed Encryption and Library Managed Encryption on TS2900 Tape Autoloader:

Feature type: Chargeable
Minimum number of features: Zero
Maximum number of features: One
Installation: Plant or Field

(#9900) Encryption Configuration (FC9900 is no longer available as of December 2011, and it is not required for TKLM or SKLM)

This feature should be ordered when encryption will be used in a TS3100/TS3200 Tape Library. It includes publication updates with information on enabling and configuring the TS3100/TS3200 Tape Library to support encryption. This feature also provides an EKM publication. Customer-initiated procedures need to be completed for enabling and configuring the TS3100/TS3200 Tape Library to support encryption with the LTO4/LTO5/LTO6/LTO7 SAS or Fibre Channel encryption-capable tape drive:

Feature type: No Charge
Minimum number of features: None
Maximum number of features: 99
Required Feature: No
Prerequisites: Feature code 5900
Installation: Plant or Field

3494 Support
When using a 3494 tape library, LM 535 is required for 3494 LME with TS1120 drives. For TS1130 drives, LM 536 is required.

Notes:

1. When using a 3494 tape library, the 3494 LME requires a special setting in the EKM configuration file. You should change or add the following statement: TransportListener.tcp.timeout=0
2.
3. Barcode labels are required on all media when using Library Managed Encryption on any tape library in library mode attached to a System i. Barcode labels are required on all media when using Library Managed Encryption on any TS2900 (3572) tape library in sequential mode attached to a System i.
   If running the tape drive in sequential mode, barcode labels are not required; however, they are recommended. The TS2900 (3572) tape library in sequential mode and set up as a stand-alone device, using cartridges without barcode labels, will not encrypt the data saved to the cartridge.

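
The "change or add" instruction in note 1 is easy to get wrong by hand (a commented-out line or a different value left in place). The following Python helper, added here as an example and not IBM code, normalizes a Java-properties style EKM configuration so that TransportListener.tcp.timeout=0 is present exactly once as an active line; the sample configuration text and its other property values are constructed for the example.

```python
import re

REQUIRED_KEY = "TransportListener.tcp.timeout"
REQUIRED_VALUE = "0"

# Java-properties style line: key, then '=' or ':' (optionally surrounded by
# whitespace), then the value. Lines starting with '#' or '!' are comments and
# deliberately do not match, so a commented-out setting is not mistaken for an
# active one. Keys separated from their value by whitespace only are not handled.
_LINE_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")


def ensure_tcp_timeout(config_text):
    """Return (updated_text, changed).

    Rewrites any active TransportListener.tcp.timeout line that has a value
    other than 0, and appends the statement when no active line sets the key.
    Every other line (comments, other properties) is preserved as-is.
    """
    out, found, changed = [], False, False
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == REQUIRED_KEY:
            found = True
            if m.group(2) == REQUIRED_VALUE:
                out.append(line)
            else:
                out.append(f"{REQUIRED_KEY}={REQUIRED_VALUE}")
                changed = True
        else:
            out.append(line)
    if not found:
        out.append(f"{REQUIRED_KEY}={REQUIRED_VALUE}")
        changed = True
    return "\n".join(out) + "\n", changed


# Constructed sample configuration (not a real EKM file): the timeout is set
# to a non-zero value, which is the case note 1 says must be changed for 3494 LME.
SAMPLE_EKM_CONFIG = """\
# constructed sample KeyManagerConfig.properties fragment
Audit.event.types=all
TransportListener.tcp.port=3801
TransportListener.tcp.timeout=10
"""

if __name__ == "__main__":
    updated, changed = ensure_tcp_timeout(SAMPLE_EKM_CONFIG)
    print("changed" if changed else "already correct")
    print(updated)
```

Running the helper a second time on its own output reports no change, so it can be used as a repeatable pre-flight check before enabling LME on a 3494.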
Saving data un-encrypted

If wanting to save data un-encrypted, encryption needs to be disabled on the tape media library (or logical library) and the IOP IPL'd on the IBM i. Once the save is complete, enable encryption on the tape media library (or logical library) again and IPL the IOP on the IBM i.

Refer to the tape library user guide on how to enable or disable encryption.

Error Messages

V5R3M0, V5R4M0, V5R4M5, V6R1M0, V6R1M1 with IOP-based IOAs

CPF5110 and SRC63A09300: When Initializing/using Tapes for Encryption in System i

On the System i, the CPF5110 error message might occur while trying to initialize tapes. This normally occurs if the EKM/TKLM/SKLM server has not been correctly configured. The error message does not indicate that the cause could be the EKM/TKLM/SKLM server:

Message ID . . . . . . . . . :   CPF5110
Message file . . . . . . . . :   QCPFMSG
  Library  . . . . . . . . . :     QSYS

Message . . . . :   Device &4 or an attached gateway device reported a hardware failure.

SRC63A09300 - Tape unit failure

SRC63A09210 or CPF4120 and CPP6308 may be posted during a SAVXXX, RSTXXX, SAVXXXBRM or RSTXXXBRM when the EKM server for the tape library is not active.

Message ID . . . . . . . . . :   CPF4120
Message file . . . . . . . . :   QCPFMSG
  Library  . . . . . . . . . :     QSYS

Message . . . . :   Device &4 or an attached gateway device reported a hardware failure.

SRC63A09210 - Illegal or Unsupported Tape Unit Response

V6R1M0, V6R1M1 with IOP-less IOAs

CPF5110 and SRC63A09304: When Initializing/using Tapes for Encryption in System i

On the System i, the CPF5110 error message might occur while trying to initialize tapes. This normally occurs if the EKM/TKLM/SKLM server has not been correctly configured. The error message does not indicate that the cause could be the EKM/TKLM/SKLM server:

Message ID . . . . . . . . . :   CPF5110
Message file . . . . . . . . :   QCPFMSG
  Library  . . . . . . . . . :     QSYS

Message . . . . :   Device &4 or an attached gateway device reported a hardware failure.
Cause . . . . . :   One of the following occurred while processing file &2 in library &3:
    -- Device hardware error.
    -- Media error that the device could not handle.
    -- Reflective markers missing at the beginning or end of the tape.
    -- Missing tape marks or labels at the end of the volume.
    -- Attempting to use a tape that is not initialized.
Recovery  . . . :   Clean the tape path and heads, then try again.
    -- If the problem occurs again, try using another tape volume.
    -- If the problem still occurs, start problem analysis (ANZPRB command).
Technical description . . . . . . . . :   Product Activity Log ID &22.

SRC63A09304 - Encryption hardware failure


IBM i 7.1 and above with IOP-less IOAs

CPP6315 and SRC63A09304 may be posted when Initializing/Using Tapes for Encryption in System i when there is a configuration or hardware issue with the EKM server ... Contact EKM support for assistance

Message ID . . . . . . . . . :   CPP6315
Message file . . . . . . . . :   QCPFMSG
  Library  . . . . . . . . . :     QSYS

Message . . . . :   Hardware encryption error.
Cause . . . . . :   The tape device has reported an encryption error while attempting to use the mounted cartridge. The most likely cause is a configuration problem with the EKM server.  There may also be a hardware problem with the EKM server.
Recovery  . . . :   Press F14 to work with the problem.

Technical description . . . . . . . . :
    IOP resource  . . . . . . . . . . . . : &26
    IOA resource  . . . . . . . . . . . . : &27
    Device type . . . . . . . . . . . . . : &34
    Reference code  . . . . . . . . . . . : &33
    Error log ID  . . . . . . . . . . . . : &22
    Problem log ID  . . . . . . . . . . . : &35

SRC63A09304 - Encryption hardware failure

IBM i V6R1 and V7R1

CPF6772 and SRC63A09355: When trying to DSPTAP an encrypted volume on a non-encrypted tape library ... transfer the encrypted volume to a tape drive/library running encryption.

Message ID . . . . . . . . . :   CPF6772
Message file . . . . . . . . :   QCPFMSG
  Library  . . . . . . . . . :     QSYS
Message text . . . . . . . . :   Volume on device &1 cannot be processed.

To resolve any EKM/TKLM/SKLM problems, check the logs of the EKM, TKLM, or SKLM server.

References:

IBM Security Key Lifecycle Manager
http://www-03.ibm.com/software/products/en/key-lifecycle-manager

IBM System Storage Tape Encryption Solutions (SG24-7320-02)
http://www.redbooks.ibm.com/abstracts/sg247320.html?Open

Additional EKM Information

The drives in a TS3500/TS4500 choose the EKM/TKLM/SKLM affinity. Therefore, if a library has 4 EKM/TKLM/SKLM servers defined, the drives will talk to the last EKM/TKLM/SKLM server that they had a connection with until that fails. Then, the drives will go to the next EKM/TKLM/SKLM server in the list. The list of EKM/TKLM/SKLM servers available is ordered by the library by IP address. Therefore, it is not possible to specify a specific failover order.

What happens when using multiple EKM/TKLM/SKLM servers is a situation where drive 1 may always go to EKM/TKLM/SKLM 1 server, drive 2 may go to EKM/TKLM/SKLM 2 server, drive 3 could go to EKM/TKLM/SKLM 1 server, and drive 4 goes to EKM/TKLM/SKLM 2 server.

Drives start at the top of the list if they can communicate with that EKM/TKLM/SKLM server. They talk to it until it fails; however, once any kind of failover testing, network trouble, or similar event occurs, the drives and EKM/TKLM/SKLM servers will end up talking to each other in an effectively random order.
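
To make the affinity behaviour above concrete, here is a small Python model added for this document; it is not IBM code and does not reproduce the library firmware's actual logic. It assumes the key-server list is sorted numerically by IP address, that a drive retries its last-used server before walking the list, and that a drive wraps around to the first server after the last one; the IP addresses are constructed.

```python
import ipaddress


class KeyServerAffinity:
    """Constructed model of drive-to-key-server affinity in a TS3500/TS4500:
    the library orders the configured servers by IP address, and each drive
    keeps using the server it last reached until that server fails, then
    moves on to the next server in the list."""

    def __init__(self, servers):
        # Sorted numerically by IP (a plain string sort would put "10.0.0.20"
        # before "10.0.0.3"). The order servers were configured in is irrelevant,
        # which is why no failover order can be specified.
        self.servers = sorted(servers, key=lambda s: int(ipaddress.ip_address(s)))
        self.up = set(self.servers)   # servers currently reachable
        self.affinity = {}            # drive name -> server it last used

    def set_reachable(self, server, reachable):
        """Mark a key server up or down (simulates failover tests or network trouble)."""
        if reachable:
            self.up.add(server)
        else:
            self.up.discard(server)

    def request_key(self, drive):
        """Return the server this drive uses for a key request, or None if all are down.
        A drive with no history starts at the top of the list; otherwise it retries
        its last server first and then walks the list (wrap-around is an assumption)."""
        start = self.servers.index(self.affinity.get(drive, self.servers[0]))
        for offset in range(len(self.servers)):
            candidate = self.servers[(start + offset) % len(self.servers)]
            if candidate in self.up:
                self.affinity[drive] = candidate
                return candidate
        return None


def demo():
    """One outage and recovery leaves two drives on different servers."""
    lib = KeyServerAffinity(["10.0.0.20", "10.0.0.3"])   # constructed addresses
    first = lib.request_key("drive1")        # lowest IP wins: "10.0.0.3"
    lib.set_reachable("10.0.0.3", False)     # server 1 fails
    failover = lib.request_key("drive1")     # moves to "10.0.0.20"
    lib.set_reachable("10.0.0.3", True)      # server 1 recovers
    sticky = lib.request_key("drive1")       # stays on "10.0.0.20"
    newcomer = lib.request_key("drive2")     # new drive starts at top: "10.0.0.3"
    return first, failover, sticky, newcomer


if __name__ == "__main__":
    print(demo())
```

The point for operations is that after any disruption the only safe assumption is that every drive may be on any reachable server, so every configured server must hold the same keys.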

Sending Encrypted data to IBM

When encrypted data needs to be sent to IBM, users can use the attached file that has IBM Rochester Support Center's public key.

This key needs to be imported into the EKM/TKLM/SKLM keystore file and then used to save the data.

TS1120/TS1130/TS1140/TS1150/TS1155 Devices

IBMSystemi.der


Historical Number

423991279

Document Information

Modified date:
18 December 2019

UID

nas8N1014822