252 Implementing IBM Tape in i5/OS
7.4.5 Working with encrypted tape cartridges
This section shows some basic examples of working with encrypted tape cartridges, such as
viewing their encryption status or re-keying 3592 tape cartridges.
Viewing tape cartridge encryption status
This example shows how to view the tape cartridge encryption status using the IBM
UltraScalable Specialist GUI on an IBM TS3500 Tape Library.
Selecting the menu Cartridges → Data Cartridges using the option to select a logical
library shows its assigned data cartridges as shown for a 3592 drive logical library in
Figure 7-52 and LTO4 drive logical library in Figure 7-53.
Figure 7-52 IBM Ultra™ Scalable Specialist - 3592 Logical Library Cartridges screen
Chapter 7. Tape encryption with i5/OS 253
Figure 7-53 IBM UltraScalable Specialist - LTO4 Logical Library Cartridges Screen
Adding tape cartridges from the *INSERT category to the *SHARED category to make
them available for usage with the TAPMLB73 3592 logical library and TAPMLB71 LTO4
logical library and initializing a 3592 and LTO4 data cartridges using the new media
density FMT3592A2E for 3592 encryption as follows:
ADDTAPCTG DEV(TAPMLB73) CTG(J1H039 JEX163 JJX283)
ADDTAPCTG DEV(TAPMLB71) CTG(3MC037 3MC055 3SR038)
INZTAP DEV(TAPMLB73) NEWVOL(JBX163) VOL(JBX163) CHECK(*NO)
INZTAP DEV(TAPMLB71) NEWVOL(3MC037) VOL(3MC037) CHECK(*NO)
Unloading the initialized cartridges from the drives using the IBM UltraScalable Specialist
Cartridges Move option from the IBM UltraScalable Specialist “Cartridges” screen the
initialized cartridges now have the encryption status Encrypted as shown for the 3592
cartridge VOLSER JBX163 in Figure 7-54 and for the LTO4 cartridge VOLSER 3MC037 in
Note: The “Encryption” column in the cartridges screen for an encryption-enabled
logical library is not shown before the first data cartridge has been written to and
unloaded from the drive.
Note: Though there are two new media densities FMT3592A1E and FMT3592A2E
available on i5/OS for encryption-enabled 3592 tape drives only the format
FMT3592A2E is supported. FMT3592A1E was originally intended for usage with the
3592-J1A emulation mode of the 3595-E05 drive but IBM made the decision to not
support encryption in the emulation mode.
254 Implementing IBM Tape in i5/OS
Figure 7-54 IBM UltraScalable Specialist - 3592 Cartridges Screen with Encryption Information
Figure 7-55 IBM TS3500 Specialist - LTO4 Cartridges Screen with Encryption Information
Note: The cartridge encryption status displayed in the “Encryption” column is updated
only when the cartridge is unloaded from a drive. The status
Unknown is displayed for
cartridges in an encryption-enabled logical library as long as they have not been
loaded/unloaded from a drive.
Chapter 7. Tape encryption with i5/OS 255
Re-keying encrypted 3592 cartridges
This example shows using the IBM TS3500 Tape Library Specialist Web interface for
re-keying encrypted 3592 tape cartridges that you can use, for example, after having
imported a public key certificate from a business partner for sharing already encrypted tape
cartridges. Use the Enterprise Tape Library Specialist for re-keying of cartridges residing in a
3494 Tape Library.
For the TS3500, follow these steps:
1. Encrypted 3592 tape cartridges loaded into a Library-managed Encryption-enabled drive
re-keyed via the IBM Tape Library Specialist Web GUI Manage Cartridges → Data
Cartridges menu option Rekey Encryption shown in Figure 7-56.
Figure 7-56 IBM TS3500 Specialist - Cartridges screen with selected ReKey Encryption option
2. After clicking Go, new key settings can be specified for the Key Mode and Key Label for
each of the two key labels used to refer to EEDK1 and EEDK2 shown in Figure 7-57.
In the example, a
hash label key mode was chosen for a new EEDK2 so that a hash
computed value of the public key part of the specified “tape_certificate2” key label, for
example, which refers to the imported public key certificate from the business partner, is
stored within the EEDK2 instead of the clear label itself.
Note: The cartridge must have been mounted into the drive prior to the sequence
Note: Using a hash label is recommended for sharing tape cartridges with business
partners because it eliminates the requirement of using the same key label as the