09-26-2012 12:22 PM
I hope this helps others, I just spent the last 2 weeks searching around trying to find this answer.
Here are steps to verify KMS encryption on tapes with NetBackup 7.5;
Find the jobs on a particular tape you think may be encrypted;
/usr/openv/netbackup/bin/admincmd/bpimmedia -L -mediaid <media name>
get the "Backup-ID" in the first column
then run;
/usr/openv/netbackup/bin/admincmd/bpimagelist -backupid <Backup-ID> -L | grep "Flags:"
if tape is encrypted with KMS this will display;
" Flags: 0x40 (Tape Encrypted)"
and if tape is NOT encrypted this will display;
" Flags: 0x0"
Solved! Go to Solution.
09-28-2012 10:26 AM
Hi Mike,
I JUST learned there's a defect in bpimmedia which you might be hitting. This entry is in the 7.5.0.4 Release Notes (page 48):
Etrack Incident: 2826378
■ Description:
A missing Key Management Server tag in the bpimmedia output has been added.
Is there any chance you could apply 7.5.0.4? (If not, there may be an EEB available under Etrack 2793446 depending on which version you're at.) I believe your "0" will change to a real tag after that, which would make a little more sense, now that I think about it...
09-26-2012 01:38 PM
Thanks for sharing.
09-26-2012 02:29 PM
Many tape libraries also detect the encryption via the firmware and when you view the media in the tape library web GUI it also reports which tapes are encrypted
Hope this also helps
09-26-2012 03:31 PM
Did none of the procedures listed in this TechNote work for you?
(Did you know this TechNote existed?)
There's also this TechNote based on pages 324-325 from the Encryption Guide:
09-27-2012 06:28 AM
Chris,
This is what took me 2 weeks to wade through, and in the TechNote (TECH127166) you provided .
OPTION 1 Was not great (Since I had the KeyGroup / Key / Pool and Policy all called ENCR_tmp), until I looked further down in the output from "bpimagelist" command and seen the light.
OPTION 2 shows me "0" for the "Encryption Key Tag" in the GUI, this is what made it so difficult to track down.
OPTION 3 I had also found a different TechNote that had a different suggestion of removing the Key and try the restore, but again the TechNote had notes saying output should look like this "blah..blah..blah.., and that is not what I see :(
and as far as HOWTO46852 again it points me to OPTION 2 above :(
and of course pages 324-325 from the Encryption Guide are the same as OPTION 2 above.
Are you seeing why it took me 2 weeks to track this down.. to verify.
Regards,
Mike.
09-27-2012 06:31 AM
Mark,
Thanks for the feedback.. as you say "Many tape libraries" detect encryption, mine does not fall into the Many catagory.
Regards,
Mike
09-27-2012 09:41 AM
Thanks for that very valuable feedback, Mike! I'll have to see if we can incorporate your information into our documentation (or at least a TechNote) and try to save other folks a couple weeks.
09-28-2012 10:26 AM
Hi Mike,
I JUST learned there's a defect in bpimmedia which you might be hitting. This entry is in the 7.5.0.4 Release Notes (page 48):
Etrack Incident: 2826378
■ Description:
A missing Key Management Server tag in the bpimmedia output has been added.
Is there any chance you could apply 7.5.0.4? (If not, there may be an EEB available under Etrack 2793446 depending on which version you're at.) I believe your "0" will change to a real tag after that, which would make a little more sense, now that I think about it...
10-01-2012 05:59 AM
Chris,
Where do I download patch releases to apply this, I can only see the 7.5 Base in the Software download area?
When I get access to the patch, I will apply this today and test it.
Mike
10-01-2012 06:08 AM
10-01-2012 06:40 AM
See this 'Featured' post as well:
10-02-2012 09:43 AM
Chris,
It now works as advertised!!
Thanks for the feedback.
Regards,
Mike
10-02-2012 01:27 PM
I'm just sorry I couldn't tell you this two weeks ago!
10-12-2012 04:34 PM
Hello To all,
I got this same issue with the KMS and I applied the service maintenance 7.5.04 and I still have this issue related with the "0" result on the the Encription Key tag Gui, so in my case updating to this latest maintenance pack didn't work, I have already opened a ticket with Symantec support but so far no help was provided, what else can be done to resolve this issue?
in case that any screen shot needs to be uploading for more reference please let me know.
thanks in advance for any help you could provide
10-15-2012 07:41 AM
RReyes76,
Did you test some of the other steps in the Tech Docs above, to verify you really are setup for encryption, first test is the commands I had listed in this original thread, should also work in Windows (except the grep command)
and the 2nd thing to test is outlined in the TechDoc Chris had first posted, it involved deactivating the KMS key (do not delete) and test a restore, if restore still works, then for some reason your KMS install is not fully setup.
Let me know if you need the Step by Step for the KMS setup.
Regards,
Mike.
10-15-2012 11:54 AM
Windows GUI may still be an issue even at 7.5.0.4. Tell your TSE you think you may need the EEB listed under Etrack 2962480 and send them your screen shot.