Bill,

On AIX you need to do the following:

1. Ensure the java5 SDK is installed

2. Set the environment variables for the user running the ekm process:

    # java sets for EKM
    # ($P1..$P7 are not defined in this excerpt)
    export JAVA_HOME=/usr/java5/jre
    P8=/usr/java5/jre/bin
    P9=/usr/java5/bin
    export CLASSPATH=/usr/java5/jre/lib
    export PATH=$JAVA_HOME:$P1:$P2:/etc:$P3:$P4:$P5:$P6:$P7:$P8:$P9:.:$PATH

   Verify the installation as described in reference:

    aixserver[/home/]# java -version
    java version "1.5.0"
    Java(TM) 2 Runtime Environment, Standard Edition (build pap32dev-20070201 (SR4))
    IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 AIX ppc-32 j9vmap3223-20070201 (JIT enabled)
    J9VM - 20070131_11312_bHdSMR
    JIT - 20070109_1805ifx1_r8
    GC - 200701_09)
    JCL - 20070126

3. Replace Restricted policy files in /usr/java5/jre/lib/security/ with unrestricted policy files downloaded from IBM
    - US_export_policy.jar
    - local_policy.jar

Once these have been accomplished, you should be able to unzip the copy from the original EKM server and run it.
    - make sure you include the encryption keys from the original EKM server.

4. Start the EKM admin session

    java com.ibm.keymanager.KMSAdminCmd /ekm/KeyManagerConfig.properties

   *note - make changes to the KeyManagerConfig.properties configuration file as appropriate for the new server

5. Start the ekm server

    startekm

6. Verify the status with the "status" command

    Status

Now that the EKM is running, set your TS3310 to use the new server for encryption. If the TS3310 interface is the same as a TS3500, it will be under the Cartridges/Barcode Encryption Policy on the left side of the window. Use identical settings as your original library.

You will also need to point the library to use the new key manager. This would be under the Access/Key Manager Addresses on the left side of the window. On the TS3500 you can have 4 managers listed.

You could verify the new EKM is operational by pointing your original library to the new EKM and trying to read data from an encrypted tape.

Reference:
IBM Encryption Key Manager - Introduction, Planning and User's Guide GA76-0418-03
IBM Tape Encryption for TS1120 and Ultrium 4 Tape Drives Tech Doc by Rolf Hahn/IBM Techline Germany
IBM System Storage TS1120 Tape Encryption: Planning, Implementation and Usage Guide - RedBook

Cheers,
Neil

Neil Strand
Storage Engineer - Legg Mason
Baltimore, MD.
(410) 580-7491
Whatever you can do or believe you can, begin it.
Boldness has genius, power and magic.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ads...@vm.marist.edu] On Behalf Of Bill Boyer
Sent: Tuesday, March 03, 2009 8:19 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Cloning the Encryption Key manager for DR

Does anyone have procedures for taking an existing EKM (IBM'S version) and cloning it to take to D/R for testing? I have a client that needs to do this. They had IBM come in and configure a primary and secondary EKM server for their TS3310 library and iSeries servers. Not TSM at this stage although they hope to move TSM to LTO4 and the TS3310 later this year.

One of the operations staff that was there for the install (doesn't work here anymore) sorta kinda remembers the IBM'r taking the entire EKM directory, ZIP'ing it up. He then copied this to the 2nd server, unZip'd it and ran a couple commands to install the service. Unfortunately nobody there can remember this or find any notes about it. The IBM'r said they could even take that ZIP file, put it on an encrypted thumb-drive and store it in their D/R box offsite. It's just no one can find the documentation from IBM on how to re-create the EKM from the ZIP file.

Bill Boyer
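
Added example (not part of the original thread, and not IBM's or either poster's code): a pre-flight check to run on the new server after unzipping the EKM copy and before step 4. It reports any file named in the properties file that did not come across (a missing keystore, for instance) and confirms both policy jars from step 3 are in place. The function names are hypothetical, and it assumes the properties file holds "key = value" lines that name files by absolute path or FILE:// URL.

```shell
#!/bin/sh
# Added example: pre-flight check for an EKM directory restored from a copy.
# Assumptions: the properties file holds "key = value" lines and names files
# by absolute path or FILE:// URL. Function names are hypothetical.

# Print each path named in the properties file that is absent on this server.
ekm_missing_paths() {
    # Drop comments and lines without "=", then keep only the trimmed value.
    sed -e '/^[[:space:]]*[#!]/d' -e '/=/!d' \
        -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r value; do
        case $value in
            FILE://*|file://*) path=${value#*://} ;;
            /*)                path=$value ;;
            *)                 continue ;;      # not a path, e.g. a port
        esac
        path=/$(printf '%s' "$path" | sed 's|^/*||')   # one leading slash
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# Succeed only if both policy jars from step 3 are present in the directory.
# Presence only: this cannot tell restricted files from unrestricted ones.
ekm_policy_jars_present() {
    for jar in US_export_policy.jar local_policy.jar; do
        [ -f "$1/$jar" ] || { echo "missing: $1/$jar" >&2; return 1; }
    done
}

# Run both checks; non-zero exit means the copy is not ready to start.
ekm_preflight() {
    rc=0
    missing=$(ekm_missing_paths "$1")
    if [ -n "$missing" ]; then
        echo "named in $1 but not found:" >&2
        printf '%s\n' "$missing" >&2
        rc=1
    fi
    ekm_policy_jars_present "$2" || rc=1
    return $rc
}

# Usage, with the paths from the message above:
#   ekm_preflight /ekm/KeyManagerConfig.properties /usr/java5/jre/lib/security
```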