
NBU KMS is supported on only selected devices

Created: 07 Oct 2013 • Updated: 19 Feb 2014 | 14 comments
V4's picture
This issue has been solved. See solution.

Was surprised to see that only selected device makes and models are listed in the HCL for KMS.

We have Oracle SL 500 and wanted to leverage encryption with NBU KMS. Is it true?

Also, please confirm where we need to verify whether the SL 500 is licensed for encryption use of LTO4 drives.

Marianne's picture

KMS support is a tape drive attribute - not a library function.

The LTO tape drives in Oracle/STK libraries are normally HP or IBM. Could also be Quantum.
So, check the Tape Drives section of the HCL. Find the manufacturer of the tape drives in your SL500 library.

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

StefanosM's picture

Marianne is right.

Just to add that SL500 is not a Quantum library, so the drives are from IBM or HP (most probably).

You have to check the libraries’ documentation for how to enable the "inbound encryption" in the menu. Some libraries have to be activated (like IBM, without any cost) and some are already activated (like HPs).

Nicolai's picture

No license needed for NBU KMS.

Some vendors sell a library encryption option. Oracle calls it "StorageTek Crypto Key Management system". But NBU KMS is drive encryption. NetBackup KMS controls encryption via SCSI commands.

Assumption is the mother of all mess ups.

If this post answered your question - please mark as a solution.

V4's picture

Does the tape library require a license from the tape drive vendor for enabling the encryption feature on tape drives?

How to verify which tape drives are available, I mean IBM or HP, in the SL500? Can tpconf help here?

Marianne's picture

No - as per Nicolai's post - no license is needed to enable KMS in NBU.

You can use commands such as 'scan -tape' or 'tpautoconf -t' to see drive details.


V4's picture

Seems my interpretation went wrong here, Marianne.

I remember KMS is complimentary with NBU; the license requirement is highlighted by the tape vendor for tape H/W drives to perform encryption at H/W level.

Just needed clarification on this. Is it common across all vendors to get it licensed for activating features although drives are capable of performing encryption as per generation?

Thanks for the syntax.

StefanosM's picture

If you want to use the libraries' specific KMS server, you must have a license from the library vendor. The KMS server (separate software in most cases) communicates with the library and shares the keys through IP.

NetBackup uses its own KMS server, which is free, and communicates with the drive directly, through SCSI (FC).
You do not need a separate license from the library vendor to use NetBackup KMS. You must only check the appropriate (if any, library-specific) option from the libraries' menu.

Nicolai's picture

All LTO4 and newer support hardware encryption out of the box for free.

You just need to ensure - in some cases - that the library has 3rd party encryption enabled, as StefanosM mentioned earlier.

3rd party encryption means you do not want to use the vendor licensed encryption feature but an "other" solution. And this "other" solution is NBU KMS.

Hope this clarifies :-)


SOLUTION
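An added example, not part of any post in this thread: a small filter that takes saved drive-inquiry output (such as that from `scan -tape`, mentioned above), reports each drive's vendor and LTO generation, and applies the thread's rule of thumb that LTO4 and newer drives can encrypt in hardware. The `Inquiry : "..."` line layout and the sample lines are assumptions constructed for illustration; adjust the pattern to match the real output on your media server.

```shell
#!/bin/sh
# Added example: classify tape drives from SCSI inquiry strings.
# lto_report reads text on stdin, picks out lines shaped like
#   Inquiry    : "VENDOR  PRODUCT         REV"
# (layout assumed here) and prints vendor|generation|verdict per drive.
lto_report() {
  awk -F'"' '
    /^Inquiry[ \t]*:/ {
      inq = $2
      vendor  = substr(inq, 1, 8);  gsub(/ +$/, "", vendor)   # SCSI vendor field: 8 bytes
      product = substr(inq, 9, 16); gsub(/ +$/, "", product)  # SCSI product field: 16 bytes
      gen = 0
      # HP/Quantum style "Ultrium 4-SCSI"; IBM style "ULT3580-TD4" or "ULTRIUM-HH5"
      if (match(product, /[Uu][Ll][Tt][Rr][Ii][Uu][Mm] [0-9]+/))
        gen = substr(product, RSTART + 8, RLENGTH - 8) + 0
      else if (match(product, /-(TD|HH)[0-9]+/))
        gen = substr(product, RSTART + 3, RLENGTH - 3) + 0
      verdict = (gen >= 4) ? "LTO4+" : ((gen > 0) ? "pre-LTO4" : "unknown")
      printf "%s|%s|%s\n", vendor, (gen ? ("LTO" gen) : product), verdict
    }'
}

# Constructed sample input (not captured from a real system).
sample_scan_output() {
  cat <<'EOF'
Device Name  : "/dev/nst0"
Inquiry    : "HP      Ultrium 4-SCSI  H58W"
Device Name  : "/dev/nst1"
Inquiry    : "IBM     ULT3580-TD4     C7QH"
Device Name  : "/dev/nst2"
Inquiry    : "IBM     ULTRIUM-TD3     93G0"
EOF
}

sample_scan_output | lto_report
```

A drive reported as `pre-LTO4` or `unknown` should be checked against the Tape Drives section of the HCL before a KMS-enabled volume pool is pointed at it.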
V4's picture

Just re-phrasing the query again.

We would be leveraging NBU KMS (which is complimentary of course).

We did ask our tape vendor whether it can be used instead of the H/W KMS which all tape libraries (tape drives) have.

For H/W encryption to work, we need clarification: does the SL500 require a license from Sun/Oracle?

If not, then how do we verify that the tape drives are encryption-enabled so we can move ahead with KMS deployment?

Hope above was pretty clear for understanding

Marianne's picture

If you need to know how to verify KMS encryption, have a look at this discussion:

https://www-secure.symantec.com/connect/forums/verify-kms-encryption-netbackup-75


jim dalton's picture

Then give it a try! LTO4 with T10 is what you need to look for... nothing to do with the robot, he just shifts media about: the encryption is straight down the SCSI pipe - though some robots tell you they are encrypting, e.g. the HP 8048 panel. I have that plus an SL500. I don't recall seeing the SL500 admin GUI telling me it's encrypting, but nevertheless both use LTO4 (HP in one, IBM in the other), both T10, both encrypt and both can decrypt each other's media.

Jim

V4's picture

Concluding my queries and the answers to them:

KMS = NBU = No License Required (Complimentary after NBU 7.x)

Encryption = Done by Tape Drive (H/W) = Encryption License required from Tape H/W vendor

Customer got it licensed from the vendor and is now using it.

Generally, tape vendors do have their own key management built in (again a licensed feature). However, the freedom of relying on the backup suite's KMS is also given. Hence we can choose hybrid mode here (encryption from the tape vendor and KMS from NBU).

SOLUTION
Marianne's picture

Interesting....

You simply repeat what Nicolai has told you and then mark your own post as solution....
Nice one!

V4's picture

Got it corrected, Marianne... Nicolai was correct...