must be 256. The filename specified in config.keystore.file should match the name specified in the -keystore option in the KeyTool invocation:

    symmetricKeySet = AES01-FF,abcfrg
    config.keystore.file = .jceks

Only those keys named in the symmetricKeySet will be validated (checked for an existing alias and a symmetric key of the proper size and algorithm). If an invalid key is specified in this property, the Encryption Key Manager will not start and an audit record will be created.

Creating and Managing Key Groups

The Encryption Key Manager gives you the ability to organize your symmetric keys for LTO 4 and LTO 5 encryption into key groups. In this way, you can group keys according to the type of data they encrypt, the users who have access to them, or by any other meaningful characteristic. Once a key group is created, you can associate it with a specific tape drive using the -symrec keyword in the adddrive command. See “adddrive” on page 5-8 for syntax.

In order to build a key group, you must define it in the KeyGroups.xml file. If you followed the procedure in “Using the GUI to Create a Configuration File, Keystore, and Certificates” on page 3-5, the location of this file was specified on the EKM Configuration page. If you are creating the configuration file manually, the location of the KeyGroups.xml file is specified in the configuration properties file as follows:

    config.keygroup.xml.file = FILE:KeyGroups.xml

If this parameter is not specified, then the default behavior is to use the KeyGroups.xml file from the Encryption Key Manager launching location’s working directory. If this file does not exist, an empty KeyGroups.xml file is created. On subsequent starts of the Encryption Key Manager Server, the following message may appear in the native_stderr.log:

    [Fatal Error] :-1:-1: Premature end of file.
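A pre-start check for the KeyGroups.xml behavior described above, as an added example that is not part of the original guide or of the Encryption Key Manager: it resolves config.keygroup.xml.file as the text describes and reports whether the file is missing, empty, malformed or parseable. Treating the text after FILE: as a path relative to the launch directory is an assumption, as are the function names and the constructed sample properties.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_NAME = "KeyGroups.xml"  # default file name given in the guide


def read_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def keygroup_path(props, workdir):
    """Resolve config.keygroup.xml.file, defaulting to the working directory."""
    value = props.get("config.keygroup.xml.file", DEFAULT_NAME)
    if value.upper().startswith("FILE:"):  # assumption: FILE: prefixes a plain path
        value = value[5:]
    return os.path.join(workdir, value)  # an absolute value is kept as-is


def check_keygroups(props, workdir):
    """Return 'missing', 'empty', 'malformed' or 'ok' for the key group file."""
    path = keygroup_path(props, workdir)
    if not os.path.exists(path):
        return "missing"    # the server will create an empty file here
    if os.path.getsize(path) == 0:
        return "empty"      # next start logs "Premature end of file"
    try:
        ET.parse(path)
    except ET.ParseError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a config that omits config.keygroup.xml.file.
    sample = "symmetricKeySet = AES01-FF,abcfrg\nconfig.keystore.file = example.jceks\n"
    with tempfile.TemporaryDirectory() as wd:
        props = read_properties(sample)
        print(check_keygroups(props, wd))   # before the first start
        open(os.path.join(wd, DEFAULT_NAME), "w").close()
        print(check_keygroups(props, wd))   # after an empty file was created
```

An "empty" result matters only when drives are configured to use key groups; "ok" means the file is well-formed XML, not that its key group definitions are valid.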
This message reports an error in parsing the empty KeyGroups.xml file and it does not prevent the Encryption Key Manager Server from starting unless the Encryption Key Manager Server has been configured to use key groups.

Key groups are built using the Dell Encryption Key Manager Server GUI or using the following CLI client commands (see “CLI Commands” on page 5-7 for syntax):

Using the GUI to Define Key Groups and Create Keys

You can use the GUI to perform all tasks necessary for managing key groups. You can also use it to create additional keys.

Note: When you click Submit Changes while performing any of the following tasks, a backup dialog window (Figure 3-6 on page 3-8) opens reminding you to back up your Encryption Key Manager data files. Enter a path where backup data is to be saved. Click Submit. Then verify the backup path and click OK.

To create a key group and populate it with keys, or to add keys to an existing key group:

1. Open the GUI if it is not yet started:

3-14 Dell Encryption Key Mgr User's Guide