[Veritas-bu] KMS encryption
Hi,, Has anyone ever used Netbackup 6.5 internal KMS encryption feature. Pls share the documents link of KMS and also wanted to know merits and demerits of using KMS encryption. Hope some one have used KMS and could help me. Rgds A D Email : abhishek.dhin...@in.ibm.com ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Yes, I recently started. It is one chapter in the Security and Encryption book, look for the book for the version you are running. In the 6.5 it is chapter 6. I have aix media servers so I cannot do MESO If I wanted to hardware encryption using my IBM library I would have to PAY IBM a lot of money Plus get the Tivoli key management system. Kms comes with NB. I just went to my library and turned on Application Managed Encryption Then I setup the kms database and made my volume pools NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0 you can use 20. So now I am doing hardware encryption - that is where all the work is done on the tape drive - it also does my compression so no extra over head on my master or media. Read the chapter carefully - Make sure that the kms dir is not put on your catalog tape, and do no encrypt the catalog tape ( that's like locking your keys in the car) I have two sites. I made my kms on one master, then just copied the database to the other master, this way I know all encrypted key tags match and I can read encrypted tapes at both sites. Once reading the chapter I saw how easy it really was. Just make sure you document you password strings and keep them in a secure place - not in just any file on disk where someone else could find them. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Abhishek Dhingra1 Sent: Tuesday, June 15, 2010 12:10 PM To: veritas-bu@mailman.eng.auburn.edu Subject: [Veritas-bu] KMS encryption Hi,, Has anyone ever used Netbackup 6.5 internal KMS encryption feature. Pls share the documents link of KMS and also wanted to know merits and demerits of using KMS encryption. Hope some one have used KMS and could help me. Rgds A D Email : abhishek.dhin...@in.ibm.com ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
You can have 1 key per volume pool. So on 6.5.5 you can encrypt 2 pools. You can have different encryption keys for each pool. So I have 2 different key tags depending on which pool the tape belongs to. In 7.0 you can have 20 pools, but again you can only have 1 active key per volume pool. Now if you want to change your key, you have those “levels” of a key. You take current key from active to inactive, and create a new active key for that pool. An inactive key can be used to decrypt a tape. So if you have a new active key you can still read the tapes made with the old key. Where a deprecated key will stay in the database if you want it, but you cannot use it to write or read a tape. You said: “in case if we don’t have encryption feature enabled at hardware on another site, is there any way to perform the restore. “ No – that is the whole point of encryption. You must have application managed encryption turned on at the other library ( this cost me nothing on my IBM TS3310) And YOU MUST have the SAME keys on the database at the other site. TEST TEST TEST - before you start doing all your tapes verify that you can tape a tape made here and be able to restore it at your other site. If you cannot read an encrypted tape at your DR site – then what is the point. You want to lock others out of reading your tapes, not yourself. The way to verify is when looking at your tapes and you see the encrypted key tag on the image. Your kms database at your other site must have an exact matching key tag. As kms is just a bunch of file…. You just copy that dir over to the other server. The only issue right now for me is 2 volume pools. I wanted 3, and had to put two groups of tapes into the same pool. When I upgrade to 7.x I will get to break that group out again and have 3 encrypted volume pools. From: Abhishek Dhingra1 [mailto:abhishek.dhin...@in.ibm.com] Sent: Tuesday, June 15, 2010 12:41 PM To: Judy Hinchcliffe Cc: veritas-bu@mailman.eng.auburn.edu Subject: Fw: [Veritas-bu] KMS encryption Thanks for the reply. Today i tried configuring the KMS on my master server(running on AIX). It worked perfectly fine, i took help from veritas support and according to them we can only keep one key in the key database, it will always use the same key for encrypting the data. Every time we need to change the encryption key , we need to define the new key and deactivate the one that is activated. Have you tried configuring more then one key at the same time. Moreover doing restore on another site , will require encryption license to be applied on the tape library at another site, in case if we dont have encryption feature enabled at hardware on another site, is there any way to perform the restore. Rgds A D Email : abhishek.dhin...@in.ibm.com - Forwarded by Abhishek Dhingra1/India/IBM on 06/15/2010 11:05 PM - judy_hinchcli...@administaff.com 06/15/2010 10:51 PM To Abhishek Dhingra1/India/i...@ibmin, veritas-bu@mailman.eng.auburn.edu cc Subject RE: [Veritas-bu] KMS encryption Yes, I recently started. It is one chapter in the Security and Encryption book, look for the book for the version you are running. In the 6.5 it is chapter 6. I have aix media servers so I cannot do MESO If I wanted to hardware encryption using my IBM library I would have to PAY IBM a lot of money Plus get the Tivoli key management system. Kms comes with NB. I just went to my library and turned on “Application Managed Encryption” Then I setup the kms database and made my volume pools NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0 you can use 20. So now I am doing hardware encryption – that is where all the work is done on the tape drive – it also does my compression so no extra over head on my master or media. Read the chapter carefully – Make sure that the kms dir is not put on your catalog tape, and do no encrypt the catalog tape ( that’s like locking your keys in the car) I have two sites. I made my kms on one master, then just copied the database to the other master, this way I know all encrypted key tags match and I can read encrypted tapes at both sites. Once reading the chapter I saw how easy it really was. Just make sure you document you password strings and keep them in a secure place – not in just any file on disk where someone else could find them. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Abhishek Dhingra1 Sent: Tuesday, June 15, 2010 12:10 PM To: veritas-bu@mailman.eng.auburn.edu Subject: [Veritas-bu] KMS encryption Hi,, Has anyone ever used Netbackup 6.5 internal KMS encryption feature. Pls share the documents link of KMS and also wanted to know merits and demerits of using KMS encryption. Hope some one have used KMS and could help me. Rgds A D Email : abhishek.dhin...@in.ibm.com ___ Veritas-bu maillist - Veritas-bu
Re: [Veritas-bu] KMS encryption
FYI... I have heard that there is an Engineering Binary that your can request from Symantec to give you more encrypted pools on 6.5.x. Dwayne Adams From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of judy_hinchcli...@administaff.com Sent: Tuesday, June 15, 2010 12:27 PM To: abhishek.dhin...@in.ibm.com Cc: veritas-bu@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption You can have 1 key per volume pool. So on 6.5.5 you can encrypt 2 pools. You can have different encryption keys for each pool. So I have 2 different key tags depending on which pool the tape belongs to. In 7.0 you can have 20 pools, but again you can only have 1 active key per volume pool. Now if you want to change your key, you have those levels of a key. You take current key from active to inactive, and create a new active key for that pool. An inactive key can be used to decrypt a tape. So if you have a new active key you can still read the tapes made with the old key. Where a deprecated key will stay in the database if you want it, but you cannot use it to write or read a tape. You said: in case if we don't have encryption feature enabled at hardware on another site, is there any way to perform the restore. No - that is the whole point of encryption. You must have application managed encryption turned on at the other library ( this cost me nothing on my IBM TS3310) And YOU MUST have the SAME keys on the database at the other site. TEST TEST TEST - before you start doing all your tapes verify that you can tape a tape made here and be able to restore it at your other site. If you cannot read an encrypted tape at your DR site - then what is the point. You want to lock others out of reading your tapes, not yourself. The way to verify is when looking at your tapes and you see the encrypted key tag on the image. Your kms database at your other site must have an exact matching key tag. As kms is just a bunch of file You just copy that dir over to the other server. The only issue right now for me is 2 volume pools. I wanted 3, and had to put two groups of tapes into the same pool. When I upgrade to 7.x I will get to break that group out again and have 3 encrypted volume pools. From: Abhishek Dhingra1 [mailto:abhishek.dhin...@in.ibm.com] Sent: Tuesday, June 15, 2010 12:41 PM To: Judy Hinchcliffe Cc: veritas-bu@mailman.eng.auburn.edu Subject: Fw: [Veritas-bu] KMS encryption Thanks for the reply. Today i tried configuring the KMS on my master server(running on AIX). It worked perfectly fine, i took help from veritas support and according to them we can only keep one key in the key database, it will always use the same key for encrypting the data. Every time we need to change the encryption key , we need to define the new key and deactivate the one that is activated. Have you tried configuring more then one key at the same time. Moreover doing restore on another site , will require encryption license to be applied on the tape library at another site, in case if we dont have encryption feature enabled at hardware on another site, is there any way to perform the restore. Rgds A D Email : abhishek.dhin...@in.ibm.com - Forwarded by Abhishek Dhingra1/India/IBM on 06/15/2010 11:05 PM - judy_hinchcli...@administaff.com 06/15/2010 10:51 PM To Abhishek Dhingra1/India/i...@ibmin, veritas-bu@mailman.eng.auburn.edu cc Subject RE: [Veritas-bu] KMS encryption Yes, I recently started. It is one chapter in the Security and Encryption book, look for the book for the version you are running. In the 6.5 it is chapter 6. I have aix media servers so I cannot do MESO If I wanted to hardware encryption using my IBM library I would have to PAY IBM a lot of money Plus get the Tivoli key management system. Kms comes with NB. I just went to my library and turned on Application Managed Encryption Then I setup the kms database and made my volume pools NOTE: in 6.5.5 you can only use 2 encrypted volume pools. In 7.0 you can use 20. So now I am doing hardware encryption - that is where all the work is done on the tape drive - it also does my compression so no extra over head on my master or media. Read the chapter carefully - Make sure that the kms dir is not put on your catalog tape, and do no encrypt the catalog tape ( that's like locking your keys in the car) I have two sites. I made my kms on one master, then just copied the database to the other master, this way I know all encrypted key tags match and I can read encrypted tapes at both sites. Once reading the chapter I saw how easy it really was. Just make sure you document you password strings and keep them in a secure place - not in just any file on disk where someone else could find them. From: veritas-bu-boun...@mailman.eng.auburn.edu
Re: [Veritas-bu] KMS encryption
I just went to my library and turned on Application Managed Encryption Interesting. Since NetBackup doesn't need anything but bptm and an LTO4 to do KMS, do you know if your library somehow blocks that process if that app managed crypto isn't turned on? It's my understanding that the keytags and keys are handled in the SCSI command stream between the media server and the drive. Now I'm wondering if there are libraries that snoop on the data stream and detect/block those commands. In all this, I'm assuming your library and drives aren't set up with the little add-on Ethernet cards that deliver the crypto from other apps. ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Final solution: The solution was to update the firmware on the library and drives, remove all the drive entries in NBU, uninstall/reinstall the tape and changer drivers then rescan for devices in NBU. This was a combination of suggestions from DELL and Symantec. Dwayne Adams From: Adams, Dwayne Sent: Friday, April 02, 2010 9:12 AM To: Adams, Dwayne; Chapman, Scott; Sedeora, Surjit S Mr CTR USA USA Cc: judy_hinchcli...@administaff.com; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Update: I have talked to both Symantec and Dell. Still trying to figure it out... Check out the difference in the information returned from manage drive attributes Not sure why yet It may be that the output is different because fl1 suggests a LTO3 tape that does not support encryption. The issue seems to be that when LTO4 tapes are mounted they are posted to bptm as LTO3 tapes. The library mount logs show as LTO4 Firmware and drivers are up to date. NO_SIXTEEN_BYTE_CDB was missing on the non-working media server and I added it but still no go Not working 08:43:35.573 [4732.1396] 2 check_touch_file: Found D:\VERITAS\Volmgr\database\NO_SIXTEEN_BYTE_CDB from (roblib.c.6515) 08:43:35.573 [4732.1396] 2 manage_drive_attributes: report_attr, fl1 0x00010849, fl2 0x 08:43:35.573 [4732.1396] 2 send_MDS_msg: MEDIADB 1 51946 001343 4001359 *NULL* 6 1270222961 0 0 0 0 0 0 3 19 0 17 1024 0 0 0 08:43:35.620 [4732.1396] 2 vnet_vnetd_service_socket: vnet_vnetd.c.2046: VN_REQUEST_SERVICE_SOCKET: 6 0x0006 08:43:35.620 [4732.1396] 2 vnet_vnetd_service_socket: vnet_vnetd.c.2060: service: bpdbm Working 06:00:55.819 [3840.3864] 2 io_open: SCSI RESERVE 06:00:55.835 [3840.3864] 2 check_touch_file: Found D:\VERITAS\Volmgr\database\NO_SIXTEEN_BYTE_CDB from (roblib.c.6515) 06:00:55.835 [3840.3864] 2 manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x 06:00:55.835 [3840.3864] 2 manage_drive_attributes: encryption status: nexus scope 1, key scope 1 06:00:55.835 [3840.3864] 2 manage_drive_attributes: encryp mode 0x0, decryp mode 0x0, algorithm index 1, key instance 1459 06:00:55.835 [3840.3864] 2 io_open: file D:\VERITAS\NetBackup\db\media\tpreq\drive_IBM.ULTRIUM-TD4.004 successfully opened (mode 2) 06:00:55.835 [3840.3864] 2 write_backup: media id 001137 mounted on drive index 2, drivepath {2,0,2,0}, drivename IBM.ULTRIUM-TD4.004, copy 1 06:00:55.835 [3840.3864] 4 db_error_add_to_file: VBRT 1 3840 1 1 IBM.ULTRIUM-TD4.004 001137 0 1 0 0 0 Library mount logs... -- Mount History -- : #NO Thread Count Cart. Manu Cart. S/NVolser Lib Volser Host Cart. GEN Code Level DS-WRT DS-RD 1 5518 TDK H9XQL8I414 001342L4 Gen 4 85 1d 38 1 0 2 5510 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 40987 94 3 5511 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 83 81 4 5512 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 27 93 5 5513 FUJIFILM 0796112369000446L3 Gen 3 85 1d 38 11774 6 5514 FUJIFILM 0796112369000446L3 Gen 3 85 1d 38 4 68 7 5515 FUJIFILM 073Q10812549L3 Gen 3 85 1d 38 30 73 8 5516 TDK H9XQL8E086 001343L4 Gen 4 85 1d 38 1 0 9 5517 TDK H9XQL8E086 001343L4 Gen 4 85 1d 38 0 1 Dwayne Adams This email and any attachments are intended only for the named recipient and may contain confidential and/or privileged material. Any unauthorized copying, dissemination or other use by a person other than the named recipient of this communication is prohibited. If you received this in error or are not named as a recipient, please notify the sender and destroy all copies of this email immediately. 2010 Olympic and Paralympic Logo | ICBC Logo http://icbc.com/ ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Update: I have talked to both Symantec and Dell. Still trying to figure it out... Check out the difference in the information returned from manage drive attributes Not sure why yet It may be that the output is different because fl1 suggests a LTO3 tape that does not support encryption. The issue seems to be that when LTO4 tapes are mounted they are posted to bptm as LTO3 tapes. The library mount logs show as LTO4 Firmware and drivers are up to date. NO_SIXTEEN_BYTE_CDB was missing on the non-working media server and I added it but still no go Not working 08:43:35.573 [4732.1396] 2 check_touch_file: Found D:\VERITAS\Volmgr\database\NO_SIXTEEN_BYTE_CDB from (roblib.c.6515) 08:43:35.573 [4732.1396] 2 manage_drive_attributes: report_attr, fl1 0x00010849, fl2 0x 08:43:35.573 [4732.1396] 2 send_MDS_msg: MEDIADB 1 51946 001343 4001359 *NULL* 6 1270222961 0 0 0 0 0 0 3 19 0 17 1024 0 0 0 08:43:35.620 [4732.1396] 2 vnet_vnetd_service_socket: vnet_vnetd.c.2046: VN_REQUEST_SERVICE_SOCKET: 6 0x0006 08:43:35.620 [4732.1396] 2 vnet_vnetd_service_socket: vnet_vnetd.c.2060: service: bpdbm Working 06:00:55.819 [3840.3864] 2 io_open: SCSI RESERVE 06:00:55.835 [3840.3864] 2 check_touch_file: Found D:\VERITAS\Volmgr\database\NO_SIXTEEN_BYTE_CDB from (roblib.c.6515) 06:00:55.835 [3840.3864] 2 manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x 06:00:55.835 [3840.3864] 2 manage_drive_attributes: encryption status: nexus scope 1, key scope 1 06:00:55.835 [3840.3864] 2 manage_drive_attributes: encryp mode 0x0, decryp mode 0x0, algorithm index 1, key instance 1459 06:00:55.835 [3840.3864] 2 io_open: file D:\VERITAS\NetBackup\db\media\tpreq\drive_IBM.ULTRIUM-TD4.004 successfully opened (mode 2) 06:00:55.835 [3840.3864] 2 write_backup: media id 001137 mounted on drive index 2, drivepath {2,0,2,0}, drivename IBM.ULTRIUM-TD4.004, copy 1 06:00:55.835 [3840.3864] 4 db_error_add_to_file: VBRT 1 3840 1 1 IBM.ULTRIUM-TD4.004 001137 0 1 0 0 0 Library mount logs... -- Mount History -- : #NO Thread Count Cart. Manu Cart. S/NVolser Lib Volser Host Cart. GEN Code Level DS-WRT DS-RD 1 5518 TDK H9XQL8I414 001342L4 Gen 4 85 1d 38 1 0 2 5510 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 40987 94 3 5511 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 83 81 4 5512 FUJIFILM 079D106852000492L3 Gen 3 85 1d 38 27 93 5 5513 FUJIFILM 0796112369000446L3 Gen 3 85 1d 38 11774 6 5514 FUJIFILM 0796112369000446L3 Gen 3 85 1d 38 4 68 7 5515 FUJIFILM 073Q10812549L3 Gen 3 85 1d 38 30 73 8 5516 TDK H9XQL8E086 001343L4 Gen 4 85 1d 38 1 0 9 5517 TDK H9XQL8E086 001343L4 Gen 4 85 1d 38 0 1 Dwayne Adams This email and any attachments are intended only for the named recipient and may contain confidential and/or privileged material. Any unauthorized copying, dissemination or other use by a person other than the named recipient of this communication is prohibited. If you received this in error or are not named as a recipient, please notify the sender and destroy all copies of this email immediately. 2010 Olympic and Paralympic Logo | ICBC Logo http://icbc.com/ ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. :-) Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
A side note. Not sure if this make a difference. There is a firewall between my master\media and media server. All the standard ports have been configured and all backups and restores work fine today. Dwayne From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 9:33 AM To: judy_hinchcli...@administaff.com; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. :-) Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART - your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try - I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. J Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
Judy, I will let you know what I find out. Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:55 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART - your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try - I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. :-) Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] KMS encryption
I can confirm that this is not the case. I think your problem is that both of your media types (LTO3 and LTO4) are set to HCART3... you need to have that separated out, and you need to have your drives configured the same. If your LTO3 media is HCART3 and your LTO4 media are HCART, then you need your LTO3 drives to be HCART3 and your LTO4 drives to be HCART. Is your 001343 media an LTO4 cartridge? And was it mounted into an LTO4 drive when you tried to write the encrypted backup? Scott Chapman Senior Technical Specialist Storage and Database Administration ICBC - Victoria Ph: 250.414.7650 Cell: 250.213.9295 From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of judy_hinchcli...@administaff.com Sent: Thursday, April 01, 2010 9:55 AM To: adam...@medsch.ucsf.edu; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART - your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try - I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. J Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape is a LTO3 tape but the tape is definitely a LTO4 tape. I have read the Technote on this but that is all I have found. http://seer.entsupport.symantec.com/docs/321244.htm Thanks Dwayne Adams Encryption unavailable for an ENCR pool 4/1/2010 8:41:25 AM - started process bpbrm (1216) 4/1/2010 8:41:36 AM - connecting 4/1/2010 8:41:36 AM - connected; connect time: 00:00:00 4/1/2010 8:41:37 AM - mounting 001343 4/1/2010 8:42:23 AM - Error bptm(pid=3972) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 8:42:24 AM - Warning bptm(pid=3972) media id 001343 load operation reported an error 4/1/2010 8:42:24 AM - current media 001343 complete, requesting next resource Any 4/1/2010 8:42:54 AM - end writing termination requested by administrator(150) Netbackup 6.5.4 Library 1 Media Server Dell ML6000 series 2 LTO4 drives and 4 LTO3 drives (Downed for testing encryption with LTO4 tapes) manage_drive_attributes: report_attr, fl1 0x00010049, fl2 0x0004 Library 2 Master\Media Dell ML6000 series 6 LTO4 drives manage_drive_attributes: report_attr, fl1 0x00030849, fl2 0x This email and any attachments are intended only for the named recipient and may contain confidential and/or privileged material. Any unauthorized copying, dissemination or other use by a person other than the named recipient of this communication is prohibited. If you received this in error or are not named as a recipient, please notify the sender and destroy all copies of this email immediately. ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http
Re: [Veritas-bu] KMS encryption
Scott, 1343 is a LTO4 tape. I just made the change and tested. I set one of my LTO4 drives to HCART, created a new HCART Storage Unit, changed the policy to use that storage unit, deleted the tapes and ran an inventory as HCART to the Scratch Pool. Same outcome. 4/1/2010 10:11:01 AM - estimated 0 kbytes needed 4/1/2010 10:11:05 AM - started process bpbrm (3608) 4/1/2010 10:11:17 AM - connecting 4/1/2010 10:11:18 AM - connected; connect time: 00:00:01 4/1/2010 10:11:19 AM - mounting 001343 4/1/2010 10:11:54 AM - Error bptm(pid=4024) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 10:11:55 AM - Warning bptm(pid=4024) media id 001343 load operation reported an error 4/1/2010 10:11:55 AM - current media 001343 complete, requesting next resource Any 4/1/2010 10:12:32 AM - granted resource 001342 4/1/2010 10:12:32 AM - granted resource IBM.ULTRIUM-TD4.001 4/1/2010 10:12:32 AM - granted resource som012-hcart-robot-tld-1 4/1/2010 10:12:34 AM - mounting 001342 4/1/2010 10:13:17 AM - Error bptm(pid=4024) FREEZING media id 001342, Encryption unavailable for an ENCR pool 4/1/2010 10:13:18 AM - Warning bptm(pid=4024) media id 001342 load operation reported an error 4/1/2010 10:13:18 AM - current media 001342 complete, requesting next resource Any 4/1/2010 10:13:58 AM - end writing unable to allocate new media for backup, storage unit has none available(96) termination requested by administrator(150) Dwayne From: Chapman, Scott [mailto:scott.chap...@icbc.com] Sent: Thursday, April 01, 2010 10:06 AM To: judy_hinchcli...@administaff.com; Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I can confirm that this is not the case. I think your problem is that both of your media types (LTO3 and LTO4) are set to HCART3... you need to have that separated out, and you need to have your drives configured the same. If your LTO3 media is HCART3 and your LTO4 media are HCART, then you need your LTO3 drives to be HCART3 and your LTO4 drives to be HCART. Is your 001343 media an LTO4 cartridge? And was it mounted into an LTO4 drive when you tried to write the encrypted backup? Scott Chapman Senior Technical Specialist Storage and Database Administration ICBC - Victoria Ph: 250.414.7650 Cell: 250.213.9295 From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of judy_hinchcli...@administaff.com Sent: Thursday, April 01, 2010 9:55 AM To: adam...@medsch.ucsf.edu; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART - your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try - I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. :-) Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Hello, Has anyone run into this issue with KMS? I have setup KMS on my Master Server and can encrypt data to the pools from my Master. I get the following error and the tape is frozen when I try to run an encrypted job from my Media Server. The bptm log says the tape
Re: [Veritas-bu] KMS encryption
Dwayne, Can you show the errors in the bptm log with verbose set to 5? Also do you have any system errors showing scsi errors for the problem? len From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 1:25 PM To: Chapman, Scott; judy_hinchcli...@administaff.com; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption Scott, 1343 is a LTO4 tape. I just made the change and tested. I set one of my LTO4 drives to HCART, created a new HCART Storage Unit, changed the policy to use that storage unit, deleted the tapes and ran an inventory as HCART to the Scratch Pool. Same outcome. 4/1/2010 10:11:01 AM - estimated 0 kbytes needed 4/1/2010 10:11:05 AM - started process bpbrm (3608) 4/1/2010 10:11:17 AM - connecting 4/1/2010 10:11:18 AM - connected; connect time: 00:00:01 4/1/2010 10:11:19 AM - mounting 001343 4/1/2010 10:11:54 AM - Error bptm(pid=4024) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 10:11:55 AM - Warning bptm(pid=4024) media id 001343 load operation reported an error 4/1/2010 10:11:55 AM - current media 001343 complete, requesting next resource Any 4/1/2010 10:12:32 AM - granted resource 001342 4/1/2010 10:12:32 AM - granted resource IBM.ULTRIUM-TD4.001 4/1/2010 10:12:32 AM - granted resource som012-hcart-robot-tld-1 4/1/2010 10:12:34 AM - mounting 001342 4/1/2010 10:13:17 AM - Error bptm(pid=4024) FREEZING media id 001342, Encryption unavailable for an ENCR pool 4/1/2010 10:13:18 AM - Warning bptm(pid=4024) media id 001342 load operation reported an error 4/1/2010 10:13:18 AM - current media 001342 complete, requesting next resource Any 4/1/2010 10:13:58 AM - end writing unable to allocate new media for backup, storage unit has none available(96) termination requested by administrator(150) Dwayne From: Chapman, Scott [mailto:scott.chap...@icbc.com] Sent: Thursday, April 01, 2010 10:06 AM To: judy_hinchcli...@administaff.com; Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I can confirm that this is not the case. I think your problem is that both of your media types (LTO3 and LTO4) are set to HCART3... you need to have that separated out, and you need to have your drives configured the same. If your LTO3 media is HCART3 and your LTO4 media are HCART, then you need your LTO3 drives to be HCART3 and your LTO4 drives to be HCART. Is your 001343 media an LTO4 cartridge? And was it mounted into an LTO4 drive when you tried to write the encrypted backup? Scott Chapman Senior Technical Specialist Storage and Database Administration ICBC - Victoria Ph: 250.414.7650 Cell: 250.213.9295 From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of judy_hinchcli...@administaff.com Sent: Thursday, April 01, 2010 9:55 AM To: adam...@medsch.ucsf.edu; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART - your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try - I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. :) Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11
Re: [Veritas-bu] KMS encryption
Dwayne, This happens when RObot Device host is not the true EMM server. you can determine the true EMM server by executing nbemmcmd -listhosts (the top host will be the true EMM server). Thank you Surjit Sedeora Sr. Systems Engineer NGIT Adams, Dwayne wrote: Scott, 1343 is a LTO4 tape. I just made the change and tested. I set one of my LTO4 drives to HCART, created a new HCART Storage Unit, changed the policy to use that storage unit, deleted the tapes and ran an inventory as HCART to the Scratch Pool. Same outcome. 4/1/2010 10:11:01 AM - estimated 0 kbytes needed 4/1/2010 10:11:05 AM - started process bpbrm (3608) 4/1/2010 10:11:17 AM - connecting 4/1/2010 10:11:18 AM - connected; connect time: 00:00:01 4/1/2010 10:11:19 AM - mounting 001343 4/1/2010 10:11:54 AM - Error bptm(pid=4024) FREEZING media id 001343, Encryption unavailable for an ENCR pool 4/1/2010 10:11:55 AM - Warning bptm(pid=4024) media id 001343 load operation reported an error 4/1/2010 10:11:55 AM - current media 001343 complete, requesting next resource Any 4/1/2010 10:12:32 AM - granted resource 001342 4/1/2010 10:12:32 AM - granted resource IBM.ULTRIUM-TD4.001 4/1/2010 10:12:32 AM - granted resource som012-hcart-robot-tld-1 4/1/2010 10:12:34 AM - mounting 001342 4/1/2010 10:13:17 AM - Error bptm(pid=4024) FREEZING media id 001342, Encryption unavailable for an ENCR pool 4/1/2010 10:13:18 AM - Warning bptm(pid=4024) media id 001342 load operation reported an error 4/1/2010 10:13:18 AM - current media 001342 complete, requesting next resource Any 4/1/2010 10:13:58 AM - end writing unable to allocate new media for backup, storage unit has none available(96) termination requested by administrator(150) Dwayne From: Chapman, Scott [mailto:scott.chap...@icbc.com] Sent: Thursday, April 01, 2010 10:06 AM To: judy_hinchcli...@administaff.com; Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I can confirm that this is not the case. I think your problem is that both of your media types (LTO3 and LTO4) are set to HCART3 you need to have that separated out, and you need to have your drives configured the same. If your LTO3 media is HCART3 and your LTO4 media are HCART, then you need your LTO3 drives to be HCART3 and your LTO4 drives to be HCART. Is your 001343 media an LTO4 cartridge? And was it mounted into an LTO4 drive when you tried to write the encrypted backup? Scott Chapman Senior Technical Specialist Storage and Database Administration ICBC - Victoria Ph: 250.414.7650 Cell: 250.213.9295 From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of judy_hinchcli...@administaff.com Sent: Thursday, April 01, 2010 9:55 AM To: adam...@medsch.ucsf.edu; VERITAS-BU@mailman.eng.auburn.edu Subject: Re: [Veritas-bu] KMS encryption I seem to remember reading in the book the type HAD to be HCART=lto4 (not sure if I read that somewhere or it just stuck in my head) Try deleting one of your tapes, and get it added back in as an HCART your lto4 tape drives should already be HCART ( if not you will have to change them as well) Then give it a try I really think that is the problem. From: Adams, Dwayne [mailto:adam...@medsch.ucsf.edu] Sent: Thursday, April 01, 2010 11:33 AM To: Judy Hinchcliffe; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption Judy, I have a call in to Symantec now. My environment already has LTO3 and LTO4 media set to HCART3 (not my doing). I am going to change the tapes to HCART as part of this project. I wonder if the fl1 0x00010049 is reported by the drive or Netbackup is providing that information to the drive? I called Dell and they were not much help. Once I said the KMS, I got the we only support our solution line. I am getting my ducks in a row so I can call Dell back if it is not a NBU config issue. My libraries are both setup for application managed encryption. Wish me luck. J Thanks Dwayne Adams From: judy_hinchcli...@administaff.com [mailto:judy_hinchcli...@administaff.com] Sent: Thursday, April 01, 2010 9:22 AM To: Adams, Dwayne; VERITAS-BU@mailman.eng.auburn.edu Subject: RE: [Veritas-bu] KMS encryption I have not had that problem. My thought is what media type is 001343 - it has to be hcart (so nb knows it is a lto4) As you have both types in your library I would check that the media type/barcode say it is a lto4 as well has physically check that it is an lto4. I have a master/media, a media, and 2 SAN Media all encrypting just fine. From: veritas-bu-boun...@mailman.eng.auburn.edu [mailto:veritas-bu-boun...@mailman.eng.auburn.edu] On Behalf Of Adams, Dwayne Sent: Thursday, April 01, 2010 11:16 AM To: VERITAS-BU@mailman.eng.auburn.edu Subject: Re