Appendix C. Frequently Asked Questions
Can some combination of application-based key management and
library-managed encryption be used?
No. When application-managed encryption is used, the encryption is
transparent at the library layers. Likewise, when library-managed encryption is
used, the process is transparent at the other layers. Each method of encryption
management is exclusive of the others. For library-managed encryption, the
applications need not be changed in any way.
Must the Encryption Key Manager be installed and running on every system
that might generate a request to encrypt or decrypt a tape?
With library-managed encryption, the system from which the tape drive write
request originates need NOT be the system on which the Encryption Key
Manager is running. Furthermore, an instance of Encryption Key Manager
need NOT be running on every system from which an encrypting tape drive is
accessed.
If I include the ″drive.acceptUnknownDrives = True″ parameter, should I still
include the ″config.drivetable.file.url = FILE:/filename″ parameter in the
configuration file?
config.drivetable.file.url must always be specified. It is where the drive
information will be. If you set drive.acceptUnknownDrives = True you also
should specify the drive.default.alias1 and drive.default.alias2 variables
to the correct certificate alias/key label.
Is FILE:/filename the correct syntax for the config.drivetable.file.url
property? FILE:///filename appears in the sample file, and FILE:../ in the
description.
The examples are correct. This is a URL specification and is not what people
normally expect for a directory structure specification
Must I use forward or backward slashes when specifying fully-qualified paths
in the KeyManagerConfig.properties file for an instance of Encryption Key
Manager running on Windows?
Because KeyManagerConfig.properties is a Java properties file, only forward
slashes are recognized in pathnames, even in Windows. If you use back slashes
in the KeyManagerConfig.properties file, errors will occur.
Does the Encryption Key Manager perform any Certificate Revocation List (CRL)
checking?
No, the Encryption Key Manager does not perform any CRL checking
What happens when the certificate being used to encrypt the tapes expires? Will
the Encryption Key Manager read previously encrypted tapes?
It does not matter to Encryption Key Manager if the certificate has expired. It
will continue to honor these certificates and read previously encrypted tapes.
However the expired certificate must remain in the keystore in order for
previously encrypted tapes to be read or appended.
Will the Encryption Key Manager require that a certificate be renamed on
renewal?
The Encryption Key Manager is configured by default to honor new key
requests with expired certificates. When the Encryption Key Manager is
configured this way certificate renewal is not required. If this function is
disabled and this private key/certificate pair must still be used for new key
C-1
To Next Page
Loading...
Need help?
General