Forum Discussion

SYMAJB's avatar
SYMAJB
Level 5
14 years ago
Solved

LTO Encryption - ENCRYPTION UNAVAILABLE FOR ENCR POOL

I have an NBU 701 environment with AIX Master server, AIX media servers and Windows media servers.  All Master and Media's are SAN attached to an IBM tape library, containing 4 x IBM.ULT3580-TD5 (LTO5) direct fibre attached drives.  SSO is running in the environment, and all servers can write to the library drives OK.

I have just configured KMS using the nbkms command to create the DB, then the nbkmsutil command to create a keygroup (ENCR_TapePool) and a key.(testkey).  Pass-phrases used throughout.

I had already created a volume pool named ENCR_TapePool.

When I run a job directed to use the volume pool ENCR_TapePool it mounts a tape from that pool but then reports the following:

Freezing Tape

Encryption Unavailable For An ENCR Pool

It will continue until all the tapes in the pool have been frozen then fail with a 96 error.

 

I am feeling that this could be a driver issue with the IBM tape drives - not being set to allow Application Managed Encryption.  Do I need to load specific IBM drivers for the environments (Windows and AIX), or is there another angle I should look at ?

Thanks,

AJ. 

  • If I get this correct you are using just KMS which does not require a license - this allows hardware encryption.  (if doing media server encryption this does not apply)

    The thing is you must have a tape drive that can do hardware encryption like LTO4

    and If it is in a library you most likely have to go to the library and tell it you want to use hardware encryption.

    In the library I use it was buried in a place I did not think to look and was not in the manual for the library - I had to call support for the library and ask how to turn on hardware encryption. 

    And it was just a matter of saying - yes the tape drives can do hardware encryption - once that is done it should work for you.

  • If I get this correct you are using just KMS which does not require a license - this allows hardware encryption.  (if doing media server encryption this does not apply)

    The thing is you must have a tape drive that can do hardware encryption like LTO4

    and If it is in a library you most likely have to go to the library and tell it you want to use hardware encryption.

    In the library I use it was buried in a place I did not think to look and was not in the manual for the library - I had to call support for the library and ask how to turn on hardware encryption. 

    And it was just a matter of saying - yes the tape drives can do hardware encryption - once that is done it should work for you.

  • I had a similar problem; your IBM library must have Application-Managed encyption enabled.  On a TS3500 you need to be running ALMS and enabled it on a per library basis.

    You can see this on the library Web GUI via Library > ALMS.  If you don't have ALMS enabled it will not do it!  That said, the cost of the ALMS enabler license is quite small and the config is quick and easy.

  • Thanks to the input above by Judy I sorted this one.

    I went into the library admin console, selected manage logical library, and within there you can set the encryption method - set to AME (Application Managed Encryption).

    No other changes to drivers etc. were required - all now works.