KMS backups are failing with status 86 (media position error)

Article: 100013383
Last Published: 2015-01-02
Ratings: 0 0
Product(s): NetBackup

Problem

KMS backups are failing with status 86  (media position error)

Error Message

Bptm shows this error. 
 
10:12:51.470 [3752.6508] <2> write_data: completed writing backup header, start writing data when first buffer is available, copy 1 
10:12:51.470 [3752.6508] <2> KMSCLIB::kmsDecryptKey: Entering function....(KMSClib.cpp:699) 
10:12:51.470 [3752.6508] <2> KMSCLIB::kmsTransformKey: Entering function....(KMSClib.cpp:357) 
10:12:51.470 [3752.6508] <2> manage_drive_encryption: encryption status: nexus scope 1, key scope 1 
10:12:51.470 [3752.6508] <2> manage_drive_encryption: encryp mode 0x0, decryp mode 0x0, algorithm index 2, key instance 20 
10:12:51.470 [3752.6508] <2> manage_drive_encryption: Kad length Mismatch, reported Kad length 0 Kad [] 
10:12:51.486 [3752.6508] <2> wait_for_sigcld: waiting for child 3452 to exit, timeout is 300 
10:12:51.486 [3752.6508] <2> check_error_history: just tpunmount: called from bptm line 19204, EXIT_Status = 86 

Cause

1-> Confirm that the following files exist on the server: 

/opt/openv/kms/db/KMS_DATA.dat 

/opt/openv/kms/key/KMS_HMKF.dat 

/opt/openv/kms/key/KMS_KPKF.dat 

 

2-> Confirm that the media being used on the drives is encryption capable media. 

Example: LTO4 Media for the LTO4 Drives. 

4-> Got the output of the following command: 

On Windows systems, the directory path to this command is <install_path>\NetBackup\bin\admincmd\ 

nbkmsutil -listkeys -kgname ENCR_xxxx

This showed using 128 bit encyrption

s per article below IBM stated that IBM LTO-4 drives are required to use 256-bit Advanced Encryption. 

 

IBM Ultrium Generation 4 (LTO-4) drive and drive encryption support 

https://www-304.ibm.com/support/docview.wss?uid=swg27009625

 

 

IBM LTO-4 drive encryption support 

 

Encrypting Data 

 

It is often critical to secure client data, especially when that data may be of a sensitive nature. To ensure that data for off-site volumes is protected, IBM tape encryption technology is available. This technology utilizes a stronger level of encryption by requiring 256-bit Advanced Encryption Standard (AES) encryption keys. Keys are passed to the drive by a key manager in order to encrypt and decrypt data.

> "C:\Program Files\Veritas\volmgr\bin\tpautoconf" -t 

TPAC60 IBM ULT3580-HH5 B6W1 1068027975 3 0 3 0 Tape0 - - 

TPAC60 IBM ULT3580-HH5 B6W1 1068027756 3 0 4 0 Tape1 - - 

TPAC60 IBM ULT3580-HH5 B6W1 1068027677 4 0 3 0 Tape3 - - 

TPAC60 IBM ULT3580-HH5 B6W1 1068027283 4 0 4 0 Tape2 - 

IBM LT0-4 drives needing to use 256 bit encryption and were only set for 128 bit encrption
 
 

Solution

After deleting the AES_128 Keygroup and recreating it to use AES_256  got a successful encrypted backup.

 

 

Was this content helpful?