Managing the token password (pin), Naming key server tokens – HP StoreEver MSL Tape Libraries User Manual

Managing the token password (PIN)

The token password, called a PIN, protects access to the data on the key server token.

IMPORTANT: The PIN is required to write and restore encrypted data. Neither you nor HP can recover, restore, or reset the PIN if it is lost or forgotten.

The PIN is set and can be changed from the RMI. Setting the PIN the first time also requires the
appropriate RMI password. Changing the PIN requires both the current PIN and the appropriate
RMI password.

MSL6480 — Log into the RMI as the security user, which requires the security password.

Autoloader and other libraries — Log into the RMI as the administrator, which requires the
administrator password.

You must enter the PIN when:

The autoloader or library powers on, cycles power, or is rebooted.

A token is inserted for the first time since the autoloader or library was powered on.

A token is inserted after another is removed.

You must enter the PIN each time the autoloader or library cycles power, the first time a token is
inserted since the autoloader or library was powered on, and when a token is inserted after another
is removed. The PIN does not need to be entered again if a token is removed and replaced without
inserting a different token.

HP recommends that you create PIN management policies to ensure that the PIN is stored in a
secure location and that it is only available to authorized personnel. The PIN management policies
should consider:

Ensuring that the PIN can be accessed by authorized personnel when necessary, even if the
security officer or administrator is unavailable.

Ensuring that the PIN is not accessible by unauthorized personnel.

Ensuring that the PIN is not lost, damaged, or destroyed.

Enabling, disabling, and configuring encryption requires both the appropriate RMI password
and the token PIN. For increased security, the RMI password and token PIN can be known
by different people, requiring two people to make these critical changes.

Naming key server tokens

The name of the key server token can have up to 126 characters. This is enough space to use a
descriptive name, which can be helpful in determining which token has the encryption key for a
particular tape if the documentation mapping the tokens and tapes is lost. For example, the name
could include dates when the token was used, or the facility or department whose tapes are
encrypted with keys on the token.

You can see the name of the token currently in the autoloader or library in the RMI without the PIN
or a password. For the MSL6480 the token name is displayed on the main screen. For the autoloader
and other libraries you can see the token name on the RMI Status > Security screen.

You can modify the name of the token currently in the autoloader or library from the RMI.

MSL6480 — Log into the RMI as the security user, navigate to the Configuration > Encryption
> USB — MSL Encryption Kit screen, and then enter the PIN to modify the token name in the
Pin Management section. You will need the security user password.

Autoloader and other libraries — Log into the RMI as the administrator user, navigate to the
Configuration > Security screen, and then enter the PIN to modify the token name. You will
need the administrator user password.

Creating your key management processes