05-11-2011 03:54 PM
I have an NBU 701 environment with AIX Master server, AIX media servers and Windows media servers. All Master and Media's are SAN attached to an IBM tape library, containing 4 x IBM.ULT3580-TD5 (LTO5) direct fibre attached drives. SSO is running in the environment, and all servers can write to the library drives OK.
I have just configured KMS using the nbkms command to create the DB, then the nbkmsutil command to create a keygroup (ENCR_TapePool) and a key.(testkey). Pass-phrases used throughout.
I had already created a volume pool named ENCR_TapePool.
When I run a job directed to use the volume pool ENCR_TapePool it mounts a tape from that pool but then reports the following:
Freezing Tape
Encryption Unavailable For An ENCR Pool
It will continue until all the tapes in the pool have been frozen then fail with a 96 error.
I am feeling that this could be a driver issue with the IBM tape drives - not being set to allow Application Managed Encryption. Do I need to load specific IBM drivers for the environments (Windows and AIX), or is there another angle I should look at ?
Thanks,
AJ.
Solved! Go to Solution.
05-11-2011 04:02 PM
If I get this correct you are using just KMS which does not require a license - this allows hardware encryption. (if doing media server encryption this does not apply)
The thing is you must have a tape drive that can do hardware encryption like LTO4
and If it is in a library you most likely have to go to the library and tell it you want to use hardware encryption.
In the library I use it was buried in a place I did not think to look and was not in the manual for the library - I had to call support for the library and ask how to turn on hardware encryption.
And it was just a matter of saying - yes the tape drives can do hardware encryption - once that is done it should work for you.
05-11-2011 04:02 PM
If I get this correct you are using just KMS which does not require a license - this allows hardware encryption. (if doing media server encryption this does not apply)
The thing is you must have a tape drive that can do hardware encryption like LTO4
and If it is in a library you most likely have to go to the library and tell it you want to use hardware encryption.
In the library I use it was buried in a place I did not think to look and was not in the manual for the library - I had to call support for the library and ask how to turn on hardware encryption.
And it was just a matter of saying - yes the tape drives can do hardware encryption - once that is done it should work for you.
05-11-2011 10:56 PM
I had a similar problem; your IBM library must have Application-Managed encyption enabled. On a TS3500 you need to be running ALMS and enabled it on a per library basis.
You can see this on the library Web GUI via Library > ALMS. If you don't have ALMS enabled it will not do it! That said, the cost of the ALMS enabler license is quite small and the config is quick and easy.
05-12-2011 07:45 AM
Thanks to the input above by Judy I sorted this one.
I went into the library admin console, selected manage logical library, and within there you can set the encryption method - set to AME (Application Managed Encryption).
No other changes to drivers etc. were required - all now works.