Fabric OS Encryption Administrator’s Guide
Supporting Fabric OS v6.2
Publication number 53-1001201-04, May 1, 2009
Copyright © 2008-2009 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Document History
• Fabric OS Encryption Administrator’s Guide, publication number 53-1001114-01: New document. August 2008.
• Fabric OS Encryption Administrator’s Guide, publication number 53-1001114-02: Revised document to include additional best practices. September 2008.
• Fabric OS Encryption Administrator’s Guide, publication number 53-1001114-03: Revised document to include new performance licensing information.
About This Document
• Appendix E, “FIPS Specifications,” lists the FIPS compliance level and evaluation assurance level for the Brocade encryption engine.

Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
• Brocade DCX and DCX-4S with an FS8-18 encryption blade.
• Brocade Encryption Switch.

What’s new in this document
Information about the Hewlett Packard Secure Key Manager (HP SKM, or SKM in this manual) is new in this document.
Command syntax conventions
Command syntax in this manual follows these conventions:
• command: Commands are printed in bold.
• --option, option: Command options are printed in bold.
• -argument, arg: Arguments.
• [ ]: Optional element.
• variable: Variables are printed in italics. In the help pages, values are underlined or enclosed in angled brackets < >.
• ...: Repeat the previous element, for example “member[;member...]”.
• value: Fixed values following arguments are printed in plain font.
For definitions specific to this document, see “Terminology” on page 3. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.org/education/dictionary

Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
Other industry resources
• White papers, online demos, and data sheets are available through the Brocade Web site at http://www.brocade.com/products-solutions/products/index.page.
• Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner Web site.
For additional resource information, visit the Technical Committee T11 Web site.
If you cannot use the wwn command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX and DCX-4S. For the Brocade DCX and DCX-4S, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.

Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document.
Chapter 1 Encryption overview
Encryption configuration tasks
Table 1 provides a high level overview and checklist of encryption configuration tasks. These tasks must be done in the order presented in the table. If the tasks are done out of order, unexpected errors may be encountered, and the results may be unpredictable. Some tasks can be done only at the command line interface (CLI). Other tasks may be done at the CLI, or at the Data Center Fabric Manager (DCFM) management program.
Terminology
The following are definitions of terms used extensively in this document.
• ciphertext: Encrypted data.
• cleartext: Unencrypted data.
• CryptoModule: An alternative term for encryption engine. The term CryptoModule is used primarily in the context of FIPS authentication.
• Data Encryption Key (DEK): An encryption key generated by the encryption engine.
• Re-keying: Re-keying refers to decrypting data with the current Data Encryption Key (DEK), and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific time frame. The re-keying operation can be used to encrypt existing data currently stored as cleartext. In that case, there is no existing DEK, and the data does not have to be decrypted before it is encrypted using the new DEK.
The Brocade encryption switch
The Brocade encryption switch (Figure 1) is a high performance 32 port auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data, using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.

Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms this is achieved by encrypting the data in data frames on a per frame basis. This enables the encryption engine to buffer only a frame, encrypt it and send the frame out to the target on write I/Os. For read I/Os the reverse is done.
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage
The Brocade encryption switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host to a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
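The two rules stated in the re-keying definition and in this section (re-keying decrypts with the current DEK and encrypts with a new one, with no decrypt step for cleartext, and a DEK must be kept until no ciphertext it created remains) can be modelled as a small key ledger. This is an added example, not Brocade's implementation: the KeyLedger class, its method names, and the key identifiers, LUN name and dates are constructed for illustration.

```python
"""Illustrative model of DEK life-cycle bookkeeping (added example, not Brocade code).

Rules modelled from the guide: re-keying decrypts with the current DEK and
encrypts with a new DEK (a cleartext LUN has no current DEK, so only the
encrypt step applies), and a DEK may be retired only once no ciphertext it
created still depends on it. All identifiers and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class DEK:
    key_id: str
    created: date
    expires: Optional[date]          # None: no configured expiry
    # 32 random bytes stand in for an AES-256 key generated by the engine.
    material: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    retired: bool = False


@dataclass
class LUN:
    name: str
    dek_id: Optional[str] = None     # None: data is currently cleartext


class KeyLedger:
    """Tracks which DEK protects each LUN and when a DEK may be retired."""

    def __init__(self) -> None:
        self.deks: Dict[str, DEK] = {}
        self.luns: Dict[str, LUN] = {}
        self.events: List[str] = []
        self._seq = 0

    def add_lun(self, name: str) -> LUN:
        self.luns[name] = LUN(name)          # registered as cleartext
        return self.luns[name]

    def generate_dek(self, today: date, lifetime_days: Optional[int] = None) -> DEK:
        self._seq += 1
        expires = today + timedelta(days=lifetime_days) if lifetime_days else None
        dek = DEK(key_id=f"dek-{self._seq:04d}", created=today, expires=expires)
        self.deks[dek.key_id] = dek
        return dek

    def rekey(self, lun_name: str, today: date,
              lifetime_days: Optional[int] = None) -> Tuple[Optional[str], str]:
        """Move a LUN to a fresh DEK; returns (old_key_id or None, new_key_id)."""
        lun = self.luns[lun_name]
        old = lun.dek_id
        new = self.generate_dek(today, lifetime_days)
        if old is None:
            # First-time encryption of cleartext: nothing to decrypt.
            self.events.append(f"{lun_name}: encrypt cleartext with {new.key_id}")
        else:
            self.events.append(f"{lun_name}: decrypt with {old}, encrypt with {new.key_id}")
        lun.dek_id = new.key_id
        return old, new.key_id

    def referencing_luns(self, key_id: str) -> List[str]:
        """LUNs whose stored ciphertext still needs this DEK to be read."""
        return sorted(l.name for l in self.luns.values() if l.dek_id == key_id)

    def retire_dek(self, key_id: str) -> bool:
        """Retire a DEK only once no ciphertext depends on it."""
        if self.referencing_luns(key_id):
            return False
        self.deks[key_id].retired = True
        return True

    def due_for_rekey(self, today: date) -> List[str]:
        """LUNs whose DEK has reached its configured expiry (re-key trigger)."""
        due = []
        for lun in self.luns.values():
            if lun.dek_id is None:
                continue
            expires = self.deks[lun.dek_id].expires
            if expires is not None and expires <= today:
                due.append(lun.name)
        return sorted(due)


def demo() -> dict:
    """Walk one constructed LUN from cleartext through an expiry-driven re-key."""
    ledger = KeyLedger()
    ledger.add_lun("lun-7")
    day0 = date(2009, 5, 1)                                   # constructed date
    first = ledger.rekey("lun-7", day0, lifetime_days=90)     # initial encryption
    blocked = ledger.retire_dek(first[1])                     # still referenced: refused
    due_early = ledger.due_for_rekey(day0 + timedelta(days=30))
    due_late = ledger.due_for_rekey(day0 + timedelta(days=90))
    second = ledger.rekey("lun-7", day0 + timedelta(days=90), lifetime_days=90)
    released = ledger.retire_dek(first[1])                    # no longer referenced
    return {"first": first, "second": second, "blocked": blocked,
            "due_early": due_early, "due_late": due_late,
            "released": released, "events": ledger.events}
```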
FIGURE 5 DEK life cycle
Key management systems
Key management systems are available from several vendors. This release supports three leading key management systems:
• The NetApp Lifetime Key Manager (LKM) version 4.0 or later.
• The RSA Key Manager (RKM) version 2.1.3 or later, available through EMC.
• The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett Packard.
Master key management
Communications with the RKM and SKM key management systems are encrypted using a master key that is created by the encryption engine on the encryption switch.

Master key generation
A master key must be generated by the group leader encryption engine. The master key can be generated once by the group leader, and propagated to the other members of an encryption group.
Chapter 2 Encryption configuration using DCFM
Gathering information
Before you use the encryption setup wizard for the first time, gather the following information:
• The type of key vault you are using — RSA Key Manager (RKM), NetApp Lifetime Key Management appliance (LKM), or HP Secure Key Manager (SKM).
• The IP address or host name for the primary key vault, and the name of the file holding the primary key vault’s public key certificate.
User privileges overview
TABLE 2 Role-based access control privileges and descriptions (columns: Privilege, Description, No Privilege, Read-Only, Read/Write)
• Storage Encryption Configuration: Allows you to configure storage encryption configuration, including selecting storage devices and LUNs, viewing and editing switch, group, or engine properties, viewing and editing storage device encryption properties, and initiating manual LUN re-keying.
Configure Encryption features
The Configure Encryption dialog box (Figure 6) displays the status of all encryption-related hardware and functions at a glance. It is the single launching point for all encryption-related configuration in DCFM.
FIGURE 6 Configure Encryption dialog box
The following encryption features can be launched by clicking the appropriate button from the Configure Encryption dialog box.
Properties
The Properties button launches either the Switch Encryption Properties dialog box, if a switch or encryption engine is selected, or the Encryption Group Properties dialog box, if a group is selected.
Smart Cards
Smart Cards are credit card-sized cards that contain a CPU and persistent memory. Smart cards are used as security devices, since they can generate private and public key pairs internally. The private key is never exposed. You configure a recovery card (smart card) using the Master Key Backup and Master Key Restore dialog boxes. The Smart Card Asset Tracking dialog box lists known smart cards and the details of the smart cards.
FIGURE 7 Encryption Group Properties dialog box

General tab
The properties displayed in the General tab are described below.
• Encryption group name - the name of the encryption group.
• Group status - the status of the encryption group, which can be OK-Converged or Degraded. Degraded means the group leader cannot contact all of the configured group members.
• Deployment mode - the group’s deployment mode, which is transparent.
Members tab
The Group Members tab lists group switches, their role, and their connection status with the group leader. The tab displays the configured membership for the group (none of the table columns are editable). The list can be different from the members displayed in the Configure Encryption dialog box if some configured members are unmanaged, missing, or in a different group.
Consequences of removing an encryption switch
Table 3 explains the impact of removing switches.
TABLE 3 Switch removal warnings
• Switch configuration: The switch is the only switch in the encryption group. Impact of removal: The encryption group is also removed.
• Switch configuration: The switch has configured encryption targets on encryption engines (the switch is configured to encrypt traffic to one or more encryption targets). Impact of removal: The target container configuration is removed.
Figure 9 shows the warning message that displays if you click Remove to remove an encryption group.
FIGURE 9 Removal of switch in encryption group warning

Security tab
The Security tab (Figure 10) displays the status of the master key for the encryption group.
NOTE: You must enable encryption engines before you back up or restore master keys.
FIGURE 10 Encryption Group Properties - Security tab

HA Clusters tab
HA clusters are groups of encryption engines that provide high availability features. If one of the engines in the group fails or becomes unreachable, the other cluster member takes over the encryption and decryption tasks of the failed encryption engine. An HA cluster consists of exactly two encryption engines. See “Creating high availability (HA) clusters” on page 60.
Engine Operations tab
The Engine Operations tab (Figure 12) enables you to replace an encryption engine in an encryption group with another encryption engine within a DEK Cluster environment. A DEK Cluster is a set of encryption engines that encrypt the same target storage device. DEK Clusters do not display in DCFM; they are an internal implementation feature and have no user-configurable properties.
Link Keys tab
Connections between a switch and a NetApp LKM key vault require a shared link key. Link keys are used only with LKM key vaults. They are used to protect data encryption keys in transit to and from the key vault. There is a separate link key for each key vault for each switch. The link keys are configured for a switch but are stored in the encryption engines, and all the encryption engines in a switch share the same link keys.
Tape pools overview
Tape cartridges and volumes may be organized into a tape pool (a collection of tape media). The same data encryption keys are used for all cartridges and volumes in the pool. Tape pools are used by backup application programs to group all the tape volumes used in a single backup or in a backup plan. The tape pool name or number is set by a backup application.
FIGURE 14 Add Tape Pool by name dialog box
FIGURE 15 Add Tape Pool by number dialog box
6. Specify the Tape Pool Label Type. Tape pools can be identified by either a name or a number, shown in Figure 14 and Figure 15.
7. Enter a name for the tape pool. If you selected Number as the Tape Pool Label Type, the name must match the tape pool label or tape ID/number that is configured on the tape backup/restore application.
8. Select the Encryption Mode.
Encryption Targets dialog box
The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption device acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage. To access the Encryption Targets dialog box, complete the following steps.
1. Select Configure > Encryption from the menu bar.
TABLE 4 Encryption Targets dialog box functionality (columns: Feature, Description)
• Add button: Launches the Storage Encryption Setup Wizard, which enables you to configure a new target for encryption. It is the first step in configuring encryption for a storage device. It is recommended that you zone the host and target together before you add container information. Note: If the group is in OK-Converged mode, the group leader can communicate with all members.
Redirection zones
It is recommended that you zone the host and target together before configuring them for encryption. Configuring a host/target pair for encryption normally creates a re-direction zone to redirect the host-target traffic through the encryption engine. But redirection zones can only be created if the host and target are already zoned.
Configure Encryption for RKM key vaults
This section describes how to create a new encryption group for the RKM key vault.

Obtaining RKM key vault public key certificates
Before creating a new encryption group, you need to export RKM public key certificates for the primary key vault, and, if implemented, the secondary key vault, to a secure location. The path and file name are required parameters on the Create a New Encryption Group dialog box.
Create a new encryption group containing just this switch is pre-selected. This is the correct selection for creating a new group. If you are running the wizard to add a switch to an existing group, follow the steps in “Adding a switch to an encryption group” on page 57.
FIGURE 18 Designate Switch Membership dialog box
5. Click Next. The Create a New Encryption Group dialog box displays.
6. Enter an Encryption Group Name for the encryption group (the maximum length of the group name is 15 characters; letters, digits, and underscores are allowed) and select the Automatic failback mode.
NOTE: If the name you enter for the encryption group already exists, a pop-up warning message displays. Although unique group names avoid confusion while managing multiple groups, you are not prevented from using duplicate group names.
FIGURE 21 Specify Public Key Certificate filename dialog box
9. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next. The certificate stored in this file is the switch’s public key certificate. You will need to know the path and file name to install the switch’s public key certificate on the RSA key management appliance later in step 16.
10. Click Next.
11. Enter a file name, or browse to the desired location.
12. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
13. Re-type the passphrase for verification.
14. Click Next. The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified, shown in Figure 23.
FIGURE 24 Configuration Status dialog box
DCFM sends API commands to verify the switch configuration. The CLI commands are detailed in Chapter 3, “Encryption configuration using the CLI”.
• Initialize the switch: If the switch is already in the initiated state, DCFM performs the cryptocfg --initnode command.
The Read Instructions dialog box displays instructions for installing public key certificates for the encryption switch. These instructions are specific to the key vault type. Copy or print these instructions.
FIGURE 25 Read Instructions dialog box
17. Click Finish to exit the Configure Switch Encryption wizard.
Uploading the KAC and CA certificates onto the RKM appliance
After the Encryption Group is created, you need to install the switch public key certificate on the RSA server.
1. Start a web browser, and connect to the RKM appliance setup page. You will need the URL, the proper authority level, a user name, and a password.
2. Select the Operations tab.
3. Select Certificate Upload.
4.
j. Click Finish.
9. For each node, create an identity as follows.
a. Select the Identities tab.
b. Click Create.
c. Enter a label for the node in the Name field. This is a user-defined identifier.
d. Select the Hardware Retail Group in the Identity Groups field.
e. Select the Operational User role in the Authorization field.
f. Click Browse and select the imported certificate _kac_cert.pem> as the Identity certificate.
g. Click Save.
Configure Encryption for LKM key vaults
This section describes how to configure encryption on the NetApp Lifetime Key Manager (LKM). Use the switch CLI to establish shared secrets between the LKM key vault and each switch in the encryption group (NetApp LKM key vaults only). To create the automatic trusted links between the switch and key vault, see the Fabric OS Encryption Administrator’s Guide.
Obtaining the key vault certificate
1. Select Utilities > Command Line from the DataFort Management Console. The Command Line dialog box displays.
2. Enter the following command in the Command text box: sys cert getcert -v2
3. Click Execute. The certificate content displays in the certificate text box.
4. Copy and paste the certificate content and save it into a file.
FIGURE 26 Select Key Vault dialog box
a. Select NetApp Lifetime Key Manager (LKM) as the Key Vault Type.
b. Enter the IP address or host name for the primary key vault. When a new key vault IP address or host name is entered, you must also enter the name of the file that holds the primary key vault’s public key certificate (or browse to the location by clicking the Browse button).
c.
10. Click Next. The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified, shown in Figure 23.
FIGURE 28 Confirm Configuration dialog box
11. Click Next to confirm the displayed information. The Configuration Status displays, as shown in Figure 24. The configuration status steps vary slightly depending on the key vault type.
• A progress indicator shows that a configuration step is in progress.
FIGURE 29 Configuration Status dialog box
DCFM sends API commands to verify the switch configuration.
• Initialize the switch: If the switch is already in the initiated state, DCFM performs the cryptocfg --initnode command.
• Create encryption group on the switch: DCFM creates a new group using the cryptocfg --create -encgroup command, and sets the key vault type using the cryptocfg --set -keyvault command.
FIGURE 30 Read Instructions dialog box
13. Click Finish to exit the Configure Switch Encryption wizard.

Establishing the trusted link
You must generate the trusted link establishment package (TEP) on all nodes to establish a trusted link between each node and the NetApp LKM appliance.
NOTE: Complete all steps required to establish a trusted link between LKM and the encryption group members for each node before proceeding to the next node.
1.
Configure Encryption for HP SKM key vaults
Setting up an HP Secure Key Manager (SKM) key vault consists of registering the encryption group leader and group member nodes with the HP SKM key vault by exporting their KAC certificates, and then taking steps on the HP SKM appliance that allow the certificates to be signed by a local certificate authority (CA) on the HP SKM appliance.
The Designate Switch Membership panel displays. Create a new encryption group containing just this switch is pre-selected. This is the correct selection for creating a new group. If you are running the wizard to add a switch to an existing group, follow the steps in “Adding a switch to an encryption group” on page 57.
FIGURE 31 Designate Switch Membership dialog box
5. Click Next. The Create a New Encryption Group dialog box displays.
6. Enter a name for the encryption group. The maximum length of the group name is 15 characters. Letters, digits, and underscores are allowed.
7. Click Next. The Select Key Vault dialog box displays.
FIGURE 33 Select Key Vault dialog box
a. Select HP Secure Key Manager (SKM) from the Key Vault Type list.
b. Enter the IP address or host name for the primary key vault.
FIGURE 34 Specify Public Key Certificate File Name dialog box
9. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next.
NOTE: The certificate stored in this file is the switch’s public key certificate, which you must manually add to the key vault.
FIGURE 35 Specify Master Key File Name dialog box
13. Click Next. The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified, shown in Figure 36.
14. Click Next to confirm the displayed information. The Configuration Status displays, as shown in Figure 37.
• A progress indicator shows that a configuration step is in progress. A green check mark indicates successful completion of all steps for that Configuration Item. A red stop sign indicates a failed step.
• All Configuration Items have green check marks if the configuration is successful.
FIGURE 38 Next Steps dialog box
16. Click Finish to exit the Configure Switch Encryption wizard.

Obtaining a signed certificate from the HP SKM appliance software
The following steps describe how to get a signed certificate from the Hewlett Packard Secure Key Manager (HP SKM) appliance. You will need this information when you create a new encryption group with the HP SKM key vault, and you must obtain a signed certificate for all switches.
1.
2. Log in to the HP StorageWorks Secure Key Manager appliance using a browser and the https protocol: https://:9443 where 10.32.45.13 is the IP address. The HP StorageWorks Secure Key Manager Administrator Authentication dialog box displays.
3. Enter the user name and password: Username: admin Password: hpskm028 The Home and Security Summary page displays.
4. Click the Security tab.
5. Select Local CAs.
6. Select the correct CA and click Sign Request.
Importing a signed certificate into a switch
Use the following procedure to import the signed certificate described in “Obtaining a signed certificate from the HP SKM appliance software” on page 54 into an encryption switch.
1. Select the switch from the Configure Encryption dialog box, and click the Properties button.
FIGURE 40 Switch Properties dialog box
2. Click the Import button. The Import Signed Certificate dialog box displays.
Adding a switch to an encryption group
The setup wizard allows you to either create a new encryption group, or add an encryption switch to an existing encryption group. Use the following procedure to add a switch to an encryption group.
1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2. Select the switch to be added to the group. The switch must not already be in an encryption group.
3. Click Setup.
FIGURE 43 Add Switch to Existing Encryption Group dialog box

5. Select the group to which you want to add the switch, and click Next. The Specify Public Key Certificate Filename panel displays.

FIGURE 44 Add switch to an encryption group - Specify Public Key Certificate filename dialog box

6. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next.
FIGURE 45 Add switch to an encryption group - Confirm Configuration dialog box

7. Click Next to confirm the displayed information. The Configuration Status displays.
• A progress indicator shows that a configuration step is in progress. A green check mark indicates successful completion of all steps for that Configuration Item. A red stop sign indicates a failed step.
• All Configuration Items have green check marks if the configuration is successful.
8. Note Important Next Steps! below this message, and click Next. Instructions for installing public key certificates for the encryption switch are displayed. These instructions are specific to the key vault type. Copy or print these instructions.

FIGURE 47 Add switch to an encryption group - Next Steps dialog box

9. Click Finish to exit the Configure Switch Encryption wizard.
Creating high availability (HA) clusters

4. Select an available encryption engine, and a destination HA cluster under High-Availability Clusters. Select New HA Cluster if you are creating a new cluster.
5. Click the right arrow to add the encryption engine to the selected HA cluster.

FIGURE 48 HA Clusters tab

NOTE If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters.
Failback

The Failback option determines the behavior when a failed encryption engine is restarted.
• When the first encryption engine comes back online, the encryption group’s failback setting (auto or manual) determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets.
Adding encryption targets

FIGURE 49 Configure Storage Encryption welcome panel

5. Click Next to begin. The Select Encryption Engine dialog box displays. The list of engines depends on the scope being viewed.
• If the Targets dialog box is showing all targets in an encryption group, the list includes all engines in the group.
• If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch.
FIGURE 50 Select Encryption Engine dialog box

6. Select the encryption engine (blade or switch) you want to configure, and click Next. The Select Target panel displays. This panel lists all target ports and target nodes in the same fabric as the encryption engine. The Select Target list does not show targets that are already configured in an encryption group.
7.
a. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all the target information that displays using the nsshow command.) You can also enter WWNs manually if you prefer, or if you want to specify a target that is not on the list.
b. Select a Target Type. Disk is selected and cannot be changed. If the target node is disk storage, choose Disk. If the target port is tape storage, choose Tape.
Click Next. The Select Hosts panel displays.
FIGURE 53 Name Container dialog box

10. Click Next. The Confirmation panel displays.

FIGURE 54 Confirmation dialog box

11. Click Next to confirm the displayed information. The Configuration Status displays the target and host that are configured in the target container, as well as the virtual targets (VT) and virtual initiators (VI).
NOTE If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch.

FIGURE 55 Configuration Status dialog box

12. Review the configuration. If you want to save a copy of the instructions, click the Copy to Clipboard button.
13. Click Next to confirm the configuration. The Important Instructions dialog box displays.

FIGURE 56 Important Instructions dialog box

14. Review the instructions about post-configuration tasks you must complete after you close the wizard.
15. Click Finish to exit the Configure Storage Encryption wizard.
Configuring hosts for encryption targets

Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.

NOTE Hosts are normally selected as part of the Configure Storage Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.

1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2.
Adding Target Disk LUNs for encryption

The Encryption Target LUNs dialog box lists configured LUNs. The displayed information is different for disk and tape devices. For example, tape volume and label information is included for tape devices. Initially, this list is empty.

NOTE If you are using VMware virtualization software or any other configuration that involves mounted file systems on the LUN, you must enable first-time encryption when you create the LUN.
FIGURE 58 Encryption Target Disk LUNs dialog box

5. Click Add. The Add LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to hosts. LUNs are identified by serial number, or by host WWN and LUN number. The LUN numbers may be different for different hosts.
6. Select a host from the Host list. There are two possible sources for the list of LUNs:
• Specify a range of LUN numbers and click Show LUNs. This fills the table with dummy LUN information. This method works even if the target is offline. You can specify a range of LUN numbers only if a host is chosen from the list. If All Hosts is selected, you will not be able to specify a range but can discover LUNs.
• Request discovery and click Show LUNs.
Adding Target Tape LUNs for encryption

You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs, you must specify the encryption settings. When configuring a LUN with multiple paths, the same LUN policies must be configured on all the LUN’s paths.
Configuring encrypted storage in a multi-path environment

NOTE The Re-keying interval can only be changed for disk LUNs. For tape LUNs, expiration of the re-keying interval simply triggers the generation of a new key, to be used on future tape volumes. Tapes that are already made are not re-keyed. To re-key a tape, you would need to read the tape contents using a host application that decrypts the tape contents using the old key, and then re-write the tape, which re-encrypts the data with the new key.
NOTE There is a limit of 25 uncommitted LUN configuration changes. When adding more than 12 LUNs in a multi-path environment, repeat steps 8 through 10 above, adding only 12 LUNs to each target container at a time. Each commit operation will then commit 24 LUNs, 12 in each path.

Master keys

When an RKM or SKM key vault is used, a master key is used to encrypt the data encryption keys.
Master key actions

Master key actions are as follows:
• Backup master key, which is enabled any time a master key exists when using an RKM or HP SKM key vault.
• Restore master key, which is enabled when using an RKM or HP SKM key vault and either no master key exists or the previous master key has been backed up.
• Create new master key, which is enabled when using an RKM or HP SKM key vault and either no master key exists or the previous master key has been backed up.
FIGURE 60 Backup Destination (to file) dialog box

5. Select File as the Backup Destination.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
8. Re-type the passphrase for verification.
9. Click OK.

ATTENTION Save the passphrase. This passphrase is required if you ever need to restore the master key from the file.
Saving a master key to a key vault

You can back up the master key to the key vault, to a file, or to a smart card set. The passphrase that is used to back up the master key must be used to restore the master key. Use the following procedure to save the master key to a key vault.

1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4.
Saving a master key to a smart card set

You can back up the master key to the key vault, to a file, or to a smart card set. Use the following procedure to save the master key to a recovery (smart card) set. The passphrase that is used to back up the master key must be used to restore the master key. This method requires a locally attached card reader. Recovery cards can only be written once to back up a single master key.
FIGURE 62 Backup Destination (to smart cards) dialog box

5. Select A Recovery Set of Smart Cards as the Backup Destination.
6. Enter the recovery card set size.
7. Insert the first blank card and wait for the card serial number to appear.
8. Run the additional cards needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
9.
Restoring a master key from a file

You may restore a master key from a file, a key vault, or a set of smart cards. The passphrase that is used to back up the master key must be used to restore the master key. Use the following procedure to restore the master key from a file.

1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4.
Restoring a master key from a key vault

You may restore a master key from a file, a key vault, or a set of smart cards. Use the following procedure to restore the master key from a key vault.

1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action.
Restoring a master key from a smart card set

You may restore a master key from a file, a key vault, or a set of smart cards. Use the following procedure to restore the master key from a set of smart cards, using a locally attached card reader.

1. Select Configure > Encryption from the menu bar. The Configure Encryption dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action.
Creating a new master key

Though it is generally not necessary to create a new master key, you may be required to create one due to circumstances such as the following:
• The previous master key has been compromised.
• Corporate policy might require a new master key every year for security purposes.

When you create a new master key, the former active master key automatically becomes the alternate master key.
Zeroizing an encryption engine

Zeroizing is the process of erasing all data encryption keys and other sensitive encryption information in an encryption engine. You can zeroize an encryption engine manually to protect encryption keys. No data is lost because the data encryption keys for the encryption targets are stored in the key vault. You can zeroize an encryption engine only if it is enabled (running) or disabled, but ready to be enabled.
FIGURE 67 Switch Encryption Properties dialog box

c. Select Enabled (New State) from the Set State To list for each encryption engine.
d. Click OK.
Tracking Smart Cards

Smart Cards, which are credit card-sized cards that contain a CPU and persistent memory, are a secure way to back up and restore a master key. Using Smart Cards is optional. Master keys can also be backed up to a file or key vaults, and are only used for encryption groups using RKM or HP SKM key vaults. Even if an encryption group is deleted, the smart cards are still displayed. You must manually delete them.
Encryption-related acronyms in log messages

Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 5 lists some of those acronyms.
Chapter 3
Encryption configuration using the CLI

In this chapter
• Overview 89
• Command validation checks 90
• Command RBAC permissions and AD types 91
• Cryptocfg Help command output
Command validation checks

Before a command is executed, it is validated against the following checks.
1. Active or Standby availability: on enterprise-class platforms, checks that the command is available on the Control Processor (CP).
2. Role Based Access Control (RBAC) availability: checks that the invoking user’s role is permitted to invoke the command. If the command modifies system state, the user's role must have modify permission for the command.
Command RBAC permissions and AD types

There are two RBAC roles that are permitted to perform Encryption operations.

1. Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
• Perform encryption node initialization.
• Enable cryptographic operations.
• Manage input/output functions of critical security parameters (CSPs).
TABLE 6 Encryption command RBAC availability and admin domain type (Continued)

Command name           User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createtapepool         N     OM     N         N             N           OM            N                   O               Disallowed
deletecontainer        N     OM     N         N             N           OM            N                   O               Disallowed
deleteencgroup         N     OM     N         N             N           O             N                   OM              Disallowed
deletefile             N     OM     N         N             N           O             N                   OM              Disallowed
deletehacluster        N     OM     N         N             N           OM            N                   O               Disal
Command name           User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
reggroupleader         N     OM     N         N             N           O             N                   OM              Disallowed
regkeyvault            N     OM     N         N             N           O             N                   OM
regmembernode          N     OM     N         N             N           O             N                   OM
removehaclustermember  N     OM     N         N             N           OM            N                   O
removeinitiator        N     OM     N         N             N           OM            N                   O
removeLUN              N     OM     N         N             N           OM            N                   O
r
Cryptocfg Help command output

All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options.

    switch:admin> cryptocfg --help
    Usage: cryptocfg
    --help -nodecfg: Display the synopsis of node parameter configuration.
    --help -groupcfg: Display the synopsis of group parameter configuration.
    --help -hacluster: Display the synopsis of hacluster parameter configuration.
Setting default zoning to no access

Initially, default zoning for all Brocade switches is set to All Access. This is generally the default zoning setting within a fabric. The All Access setting allows the Brocade Encryption Switch, DCX, or DCX-4S to join the fabric (if there is a difference in this setting within the fabric, the fabric will segment). Before committing an encryption configuration in a fabric, default zoning must be set to No Access within the fabric.
I/O sync link configuration

Each encryption switch or FS8-18 blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports provide link layer redundancy rather than being used for IP network redundancy. The ports are bonded together as a single virtual network interface, and are collectively referred to as the I/O sync link. Only one IP address is used.
There are additional considerations if blades are removed and replaced, or moved to a different slot. On chassis-based systems, IP addresses are assigned to the slot rather than the blade, and are saved in non-volatile storage on the control processor blades. IP addresses may be assigned even if no blade is present.
Encryption switch initialization

When setting up a Brocade Encryption Switch or FS8-18 blade for the first time during deployment for encryption services, and before encryption can be enabled on the switch or blade, you must perform a series of initialization steps. These steps are performed only once and must be executed in the order indicated below. Initialization must be performed on every node that is expected to perform encryption within the fabric.
• FIPS crypto officer
• FIPS user

NOTE Node initialization overwrites any existing authentication data on the node.

    SecurityAdmin:switch>cryptocfg --initnode
    This will overwrite all identification and authentication data
    ARE YOU SURE (yes, y, no, n): [no] y
    Notify SPM of Node Cfg
    Operation succeeded.

6. Initialize the encryption engine by entering the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade.
Checking encryption engine status

You can verify the encryption engine status at any point in the setup process and get information about the next required configuration steps, or troubleshoot an encryption engine that behaves in unexpected ways. Use the cryptocfg --show -localEE command to check the encryption engine status.

    SecurityAdmin:switch>cryptocfg --show -localEE
    EE Slot: 0
    SP state: Waiting for initEE
    EE key status not available: SP TLS connection is not up.
• After issuing regEE.
• After issuing enableEE.
• After power cycling an FS8-18 blade.
• After power cycling a DCX or DCX-4S with one or more FS8-18 blades.
• To diagnose a “split group” condition where the encryption group status shows DEGRADED but the encryption engine shows online status. Refer to the section “Encryption group merge and split use cases” on page 168 for more information.
Exporting a certificate

1. Log into the switch on which the certificate was generated as Admin or SecurityAdmin.
2. Export the certificate from the local switch to an SCP-capable external host or to a mounted USB device. The target server must be SCP-enabled. Enter the cryptocfg --export command with the appropriate parameters. The following example exports a CP certificate from an encryption group member to an external SCP-capable host.
Basic encryption group configuration

Viewing imported certificates

1. Log into the switch to which you imported the certificates.
2. Enter the cryptocfg --show -file -all command to view all imported certificates. The following example shows the member node CP certificate that was imported earlier to the group leader.

    SecurityAdmin:switch>cryptocfg --show -file -all
    File name: enc_switch1_cp_cert.
Creating an encryption group

1. Identify one node (a Brocade Encryption Switch or a Brocade DCX or Brocade DCX-4S with an FS8-18 blade) as the designated group leader.
2. Log into the switch as Admin or SecurityAdmin.
3. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and it can include any alphanumeric characters and underscores. White space or other special characters are not permitted.
6. Display encryption group member information. This example shows the encryption group "brocade" with two member nodes, one group leader and one regular member. No key vault or HA cluster is configured, and the values for master key IDs are zero.
Group-wide policy configuration

The group-wide policy parameters as outlined in Table 8 can be set for the entire encryption group on the group leader. Use the cryptocfg --set command with the appropriate parameter to set the values for the policy. Policies are automatically propagated to all member nodes in the encryption group.
Key vault configuration

Fabric OS 6.2.0 supports three third-party key management and archival solutions: the NetApp Lifetime Key Management (LKM) appliance, the RSA Key Manager (RKM), and the Hewlett Packard Secure Key Manager (SKM). Key vault configuration is performed on the group leader. Once the key vault is set up, it is shared among all members of the encryption group. You must complete the basic encryption group configuration before setting up a key vault.
4. Log into the NetApp LKM appliance from the DMC as follows:
a. Launch the DMC.
b. Click the Appliance tab on the top panel.
c. Add the NetApp LKM appliance IP address or hostname.
d. Right-click the added IP address and log into the NetApp LKM key vault.
5. Exchange certificates between the member node and the NetApp LKM appliance. This exchange is performed for each member node in the encryption group. Begin with the group leader.
a.
f. On the group leader, import the previously saved LKM certificate from the SCP-capable host.

    SecurityAdmin:switch>cryptocfg --import -scp lkmcert.pem 192.168.38.245 \
    mylogin /tem/certs/lkmcert.pem
    Password:
    Operation succeeded.

g. From the external host, register the KAC LKM certificate you exported from the group leader in step a. with the NetApp LKM appliance.

    host$echo lkmserver certificate set 10.32.244.71 \
    `cat kac_lkm_cert.pem` | ssh -l admin 10.33.54.
j. Display the registered key vault on the member node. The LKM key vault is shown as "not responding" because certificates have not been exchanged.

    SecurityAdmin:enc1_switch>cryptocfg --show -groupcfg
    Encryption Group Name: brocade
    Failback mode: Manual
    Heartbeat misses: 3
    Heartbeat timeout: 2
    Key Vault Type: LKM
    Primary Key Vault:
    IP address: 10.33.54.
n. Enter the cryptocfg --show -groupcfg command on the member node. The display now shows the LKM as connected.

    SecurityAdmin:enc1_switch>cryptocfg --show -groupcfg
    Encryption Group Name: brocade
    Failback mode: Manual
    Heartbeat misses: 3
    Heartbeat timeout: 2
    Key Vault Type: LKM
    Primary Key Vault:
    IP address: 10.33.54.231
    Certificate ID: lkm-1
    Certificate label: LKM1
    State: Connected
    Type: LKM
    Secondary Key Vault not configured
    [output truncated]

6.
i. Issue the DH response on the same node on which you issued the DH challenge in step a. to retrieve the TAP from the NetApp LKM appliance. This step completes the LKM setup for a given node.

    SecurityAdmin:switch>cryptocfg --dhresponse 10.33.54.231
    Operation succeeded.

j. Repeat steps 6 a. to i. for each of the remaining member nodes.
7. Display encryption group member information.
LKM Key vault High Availability handling

The NetApp LKM key vault supports HA capability where multiple LKM appliances can be clustered together to provide HA failover/failback capabilities. This capability is not supported. The LKMs should not be clustered, and if they are configured in a cluster, that cluster should be broken. Both LKMs must be registered and configured with the link keys before starting any crypto operations.
Setting up an RKM key vault

At a high level, setting up an RKM key vault consists of the following steps:
• Registering the encryption group leader and group member nodes with the RKM key vault by registering their KAC certificates.
• Registering the RKM key vault with the group leader by registering the key vault’s certificate with the group leader.
• Generating and exporting the master key to a secure location.
13. In the SSLCAcertificateFile field, enter the full local path of the CA certificate. Do not use the UNC naming convention format. If the appliance is being shared, be sure to append the CA cert to the existing uploaded cert. You may inadvertently overwrite existing certificates if this is not done.
14. Select Upload, Configure SSL, and Restart Webserver.
15. After the web server restarts, enter the root password.
16.
d. Select the Hardware Retail Group in the Identity Groups field.
e. Select the Operational User role in the Authorization field.
f. Click Browse and select the imported certificate _kac_cert.pem> as the Identity certificate.
g. Click Save.

NOTE KAC certificates are listed as issued to and issued by kac.000000aabbccddee where aabbccddee are the last five portions of the switch WWN.
    Failback mode: Manual
    Heartbeat misses: 3
    Heartbeat timeout: 2
    Key Vault Type: RKM
    Primary Key Vault:
    IP address: 10.33.54.160
    Certificate ID: PE-Lab
    Certificate label: RSA_CA
    State: Connected
    Type: RKM
    Secondary Key Vault not configured
    NODE LIST
    Total Number of defined nodes: 2
    Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
    Encryption Group state: CLUSTER_STATE_CONVERGED
    Node Name                 IP address     Role
    10:00:00:05:1e:41:9a:7e   10.32.244.
RKM key vault High Availability handling

It is strongly recommended that you deploy two RKM key vaults, a primary and a secondary key vault, for redundancy purposes. However, the RKM key vault has no notion of High Availability, which means that archival and retrieval operations may be performed on redundant key vaults under normal operating conditions, but the systems have no knowledge of each other and can fall out of sync under error conditions.
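As an added check (example code, not Brocade's), the following Python parses the cryptocfg --show -groupcfg display quoted in the LKM and RKM steps above and flags a vault whose State is not Connected or, for LKM and RKM groups, a missing secondary vault. The 'Not responding' state text, the second member node and the sample sessions are constructed for illustration.

```python
# Added example (not Brocade code): parse 'cryptocfg --show -groupcfg' output and
# flag key-vault gaps. The 'Not responding' state text, the second member node and
# the sample sessions are constructed; field names follow the chapter's output.
import re
# "Name: value" lines such as "Key Vault Type: LKM" or "State: Connected".
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /#]*?):\s*(.*)$")
# NODE LIST rows: <node WWN> <IPv4 address> <role>
NODE_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){7})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def parse_groupcfg(text):
    """Split the display into group fields, primary/secondary vault fields and nodes."""
    cfg = {"group": {}, "primary": None, "secondary": None, "nodes": []}
    section = "group"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank or "[output truncated]"
            continue
        if line.startswith("Primary Key Vault"):
            section, cfg["primary"] = "primary", {}
            continue
        if line.startswith("Secondary Key Vault"):
            if "not configured" in line:          # no vault fields follow this line
                section = "group"
            else:
                section, cfg["secondary"] = "secondary", {}
            continue
        if line.startswith("NODE LIST"):
            section = "nodes"
            continue
        node = NODE_RE.match(line)
        if section == "nodes" and node:
            cfg["nodes"].append(dict(wwn=node.group(1), ip=node.group(2), role=node.group(3)))
            continue
        field = FIELD_RE.match(line)
        if field is None:                         # e.g. the "Node Name IP address Role" header
            continue
        target = cfg[section] if section in ("primary", "secondary") else cfg["group"]
        target[field.group(1)] = field.group(2)
    return cfg

def assess(cfg):
    """Return findings to clear before committing a crypto configuration."""
    findings = []
    if cfg["primary"] is None:
        findings.append("no primary key vault registered")
    for name in ("primary", "secondary"):
        vault = cfg[name]
        if vault is not None and vault.get("State") != "Connected":
            findings.append("%s key vault %s state is %r, not 'Connected'"
                            % (name, vault.get("IP address", "?"), vault.get("State")))
    # The chapter requires both LKMs to be registered and strongly recommends a
    # second RKM vault; Fabric OS 6.2.0 permits only one SKM vault, so no finding.
    kv_type = cfg["group"].get("Key Vault Type", "")
    if kv_type in ("LKM", "RKM") and cfg["secondary"] is None:
        findings.append("%s: secondary key vault not configured" % kv_type)
    return findings

# Constructed from the LKM member-node session quoted in this chapter.
LKM_CONNECTED = """\
Encryption Group Name: brocade
Failback mode: Manual
Heartbeat misses: 3
Key Vault Type: LKM
Primary Key Vault:
    IP address: 10.33.54.231
    Certificate ID: lkm-1
    Certificate label: LKM1
    State: Connected
    Type: LKM
Secondary Key Vault not configured
[output truncated]
"""

# Constructed from the RKM session quoted in this chapter; the Member row is invented.
RKM_SINGLE_VAULT = """\
Encryption Group Name: brocade
Key Vault Type: RKM
Primary Key Vault:
    IP address: 10.33.54.160
    Certificate ID: PE-Lab
    Certificate label: RSA_CA
    State: Connected
    Type: RKM
Secondary Key Vault not configured
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name                  IP address     Role
10:00:00:05:1e:41:9a:7e    10.32.244.71   GroupLeader
10:00:00:05:1e:00:00:01    10.32.244.72   Member
"""
# Constructed: the same LKM group before the certificate exchange has completed.
LKM_NOT_RESPONDING = LKM_CONNECTED.replace("State: Connected", "State: Not responding")

if __name__ == "__main__":
    for label, text in (("LKM", LKM_CONNECTED), ("RKM", RKM_SINGLE_VAULT),
                        ("LKM pre-exchange", LKM_NOT_RESPONDING)):
        print(label, assess(parse_groupcfg(text)) or ["ok"])
```

Run the script against a pasted session from each member node; an empty findings list for every node is the condition to reach before committing the configuration.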
Setting up an HP SKM key vault

Setting up an HP SKM key vault consists of registering the encryption group leader and group member nodes with the HP SKM key vault by exporting their KAC certificates, and taking steps on the HP SKM appliance that allow the certificates to be signed by a local certificate authority (CA) on the HP SKM appliance. These steps can be broken down into the following tasks.
13. Select Save. The Brocade user is now configured on SKM.

Setting up the local certificate authority

The local certificate authority is set up by adding Brocade to the Local Certificate Authority List. After establishing the local certificate authority for Brocade, Brocade is then added and accepted as a trusted user of SKM.

1. Select the Security tab on the SKM key manager.
2. Select Local CAs under Certificates and CAs. The Certificate and CA Configuration page is displayed.
Adding the local CA to the trusted CAs list

You must now update the Trusted CAs list with the local CA name you created in step 3 of “Setting up the local certificate authority”.

1. Select the Security tab on the SKM key manager.
2. Select Trusted CA Lists under Certificates and CAs. The Trusted CA Lists page is displayed.
3. Select Default under Profile Name.
4. Click Properties. A properties dialog box is displayed.
5. Click Edit.
5. Select the pending server certificate from the list.
6. Select Properties. A Certificate Request Information dialog box is displayed.
7. Copy the key contents, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.
8. Select Local CAs under Certificates and CAs. The Certificate and CA Configuration page is displayed.
9. Select the local certificate name from the CA Name column.
10.
8. Select Edit under KMS Server Settings.
9. Select the check boxes for the following:
- Use SSL
- Allow Key and Policy Configuration Operations
- Allow Key Export
10. Type in the server certificate name in the Server Certificate field.
11. Select Save to save these settings.
12. Select Edit under KMS Server Authentication Settings. Select Required for Password Authentication.
13. Select Save to save these settings.
Creating an SKM Key vault High Availability cluster

The HP SKM key vault supports clustering of HP SKM appliances for high availability.

NOTE Fabric OS version 6.2.0 supports only one HP SKM key vault. Registration of a second HP SKM key vault is blocked. Multiple HP SKM key vaults can be clustered at the HP SKM server level.
Adding an HP SKM appliance to a cluster

1. Open a new browser window, while keeping the browser window from “Copying the local CA certificate” open.
2. Log in to the HP SKM Key Manager console of the HP SKM appliance that is being added.
3. Select the Security tab.
4. Select Known CAs under Certificates & CAs. The Certificate and CA Configuration page is displayed.
5. Type the certificate name in the Certificate Name field under Install CA certificate.
6.
The Certificate and CA Configuration page is displayed.
5. Under Local Certificate Authority List, select the CA Name for the CA created in “Setting up the local certificate authority”.
6. Select Sign Request. The Sign Certificate Request page is displayed.
7. Select Sign with Certificate Authority using the CA name with maximum of 3649 days option.
8. Select Client as Certificate Purpose.
9. Allow Certificate Duration to default to 3649.
10.
Generating and exporting the master key

You must generate a master key on the group leader, and export it to a backup location. This may be on the SKM key vault, or on an SCP-capable host.

1. Generate the master key on the group leader.

    SecurityAdmin:switch>cryptocfg --genmasterkey
    Master key generated. The master key should be exported before further operations are performed.

2. Export the master key to the key vault. Make a note of the key ID and the passphrase.
    Node Name: 10:00:00:05:1e:41:9a:7e (current node)
    State: DEF_NODE_STATE_DISCOVERED
    Role: GroupLeader
    IP Address: 10.32.244.71
    Certificate: GL_cpcert.
High Availability (HA) cluster configuration

An HA cluster consists of two encryption engines configured to host the same CryptoTargets and to provide Active/Standby failover and failback capabilities in a single fabric. Failover is automatic (not configurable). Failback occurs automatically by default, but is configurable with a manual failback option. All encryption engines in an HA cluster share the same DEK for a disk or tape LUN.
Creating an HA cluster

1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --create -hacluster command. Specify a name for the HA cluster and optionally add the node WWN of the encryption engine you wish to include in the HA cluster. Provide a slot number if the encryption engine is a blade. The following example creates an HA cluster named “HAC1” with two encryption engines.
Removing an HA cluster member
Removing an encryption engine from an HA cluster “breaks” the HA cluster by removing the failover/failback capability for the removed encryption engine. However, the removal of an encryption engine does not affect the relationship between configured containers and the encryption engine that is removed from the HA cluster. The containers still belong to this encryption engine and encryption operations continue.
Replacing an HA cluster member
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is replaced.
FIGURE 69 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a “live” encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Deleting an HA cluster member
This command dissolves the HA cluster and removes failover capability from the participating encryption engines.
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --delete -hacluster command. Specify the name of the HA cluster you wish to delete.
SecurityAdmin:switch>cryptocfg --delete -hacluster HAC1
Delete HA cluster status: Operation succeeded.
• The failed EE2 has come back online, but failover is still active:
SecurityAdmin:switch>cryptocfg --show -hacluster -all
Encryption Group Name: brocade
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
       WWN                       Slot Number   Status
EE1 => 10:00:00:05:1e:53:89:dd   0             Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a   0             Online
• A manual failback is issued.
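The listing above is what an operator reads to decide whether a failback is needed. The following is an added example, not Brocade's code: it parses cryptocfg --show -hacluster -all output in the layout shown above and raises alerts for members that are not Online and for members still carrying their partner's CryptoTargets (failover active). The sample capture is constructed for the example, and the "Offline" member status in it is hypothetical.

```python
"""Health check over "cryptocfg --show -hacluster -all" output (added example)."""
import re

# Constructed sample capture, modelled on the listing shown in this chapter.
# The second cluster (HAC4) and the "Offline" status are hypothetical.
SAMPLE_OUTPUT = """\
Encryption Group Name: brocade
Number of HA Clusters: 2
HA cluster name: HAC3 - 2 EE entries
Status: Committed
       WWN                       Slot Number   Status
EE1 => 10:00:00:05:1e:53:89:dd   0             Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a   0             Online
HA cluster name: HAC4 - 2 EE entries
Status: Committed
       WWN                       Slot Number   Status
EE1 => 10:00:00:05:1e:53:aa:01   0             Online
EE2 => 10:00:00:05:1e:53:aa:02   0             Offline
"""

# One member row: optional "EEn =>" label, node WWN, slot number, status text.
MEMBER_RE = re.compile(
    r"^\s*(?:EE\d+\s*=>\s*)?"
    r"(?P<wwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})"
    r"\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$",
    re.IGNORECASE,
)
NAME_RE = re.compile(r"^HA cluster name:\s*(?P<name>\S+)\s*-\s*(?P<count>\d+)\s+EE entries")


def parse_ha_clusters(text):
    """Return a list of dicts: name, expected member count, status, members."""
    clusters = []
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = {"name": m.group("name"), "expected": int(m.group("count")),
                       "status": None, "members": []}
            clusters.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Status:"):          # cluster-level transaction status
            current["status"] = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            current["members"].append(
                (m.group("wwn").lower(), int(m.group("slot")), m.group("status")))
    return clusters


def ha_cluster_alerts(clusters):
    """Return human-readable alerts for conditions an operator should act on."""
    alerts = []
    for c in clusters:
        if c["status"] != "Committed":
            alerts.append(f"{c['name']}: status is {c['status']!r}, not Committed")
        if len(c["members"]) != c["expected"]:
            alerts.append(f"{c['name']}: listed {len(c['members'])} EEs, "
                          f"header says {c['expected']}")
        for wwn, slot, status in c["members"]:
            if not status.startswith("Online"):
                alerts.append(f"{c['name']}: EE {wwn} slot {slot} is {status}")
            if "Failover active" in status:
                # This EE has taken over its partner's CryptoTargets; if automatic
                # failback is disabled, a manual failback is needed once the
                # partner is healthy again.
                alerts.append(f"{c['name']}: EE {wwn} slot {slot} has failover active; "
                              "check the partner and issue a failback if required")
    return alerts


if __name__ == "__main__":
    for alert in ha_cluster_alerts(parse_ha_clusters(SAMPLE_OUTPUT)):
        print("ALERT:", alert)
```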
FIGURE 71 Relationship between initiator, virtual target, virtual initiator and target
CryptoTarget container configuration is performed by the Admin or FabricAdmin role. CryptoTarget container configuration uses a transaction model: configuration changes must be committed before they take effect.
NOTE
It is recommended that you complete the encryption group and HA cluster configuration before configuring the CryptoTarget containers.
Frame redirection
Name Server-based frame redirection enables the Brocade encryption switch or blade to be deployed transparently to hosts and targets in the fabric. NS-based frame redirection is enabled as follows:
• You first create a zone that includes the host (H) and target (T).
Creating an initiator - target zone
1. Log into the group leader as Admin or FabricAdmin.
2. Determine the initiator PWWN. Enter the nsshow command to view the devices connected to this switch. In the following example, the port name 10:00:00:00:c9:2b:c9:3a is the initiator PWWN.
FabricAdmin:switch>nsshow
{
 Type Pid    COS     PortName                NodeName                TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    NodeSymb: [35] "Emulex LP9002 FV3.82A1 DV5-4.
4. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.
FabricAdmin:switch>zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"
5. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.
FabricAdmin:switch>cfgcreate itcfg, itzone
CAUTION
When configuring a multi-path LUN, you must complete the CryptoTarget container configuration for ALL target ports in sequence and add the hosts that should gain access to these ports before committing the container configuration. Failure to do so results in data corruption. Refer to the section “Configuring a multi-path Crypto LUN” on page 152 for specific instructions.
5. Display the CryptoTarget container configuration.
Removing an initiator from a CryptoTarget container
You may remove one or more initiators from a given CryptoTarget container. This operation removes the initiators’ access to the target port. If the initiator has access to multiple targets and you wish to remove its access to all of them, repeat this procedure for every CryptoTarget container that is configured with this initiator.
1. Log into the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --delete -container command followed by the CryptoTarget container name. The following example removes the CryptoTarget container “my_disk_tgt”.
FabricAdmin:switch>cryptocfg --delete -container my_disk_tgt
Operation Succeeded
3. Commit the transaction.
Crypto LUN configuration
A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the encryption property and policies on the LUN.
CAUTION
When configuring a LUN with multiple paths, perform the LUN discovery on each of the CryptoTarget containers for each of the paths accessing the LUN and verify that the serial number reported for the LUN by each of these CryptoTarget containers is the same. Matching serial numbers validate that these CryptoTarget containers are indeed paths to the same LUN. Refer to the section “Configuring a multi-path Crypto LUN” on page 152 for more information.
4. Commit the configuration.
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
CAUTION
When configuring a LUN with multiple paths, do not commit the configuration before you have added all the LUNs, with identical policy settings and in sequence, to each of the CryptoTarget containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section “Configuring a multi-path Crypto LUN” on page 152.
CAUTION
In the case of multiple paths to a LUN, each path is exposed as a CryptoTarget container on the same encryption switch or blade, or on different encryption switches or blades within the encryption group. In this scenario you must remove the LUN from all exposed CryptoTarget containers before you commit the transaction.
TABLE 9 LUN parameters and policies (Continued)
Policy name: Encryption format (Disk LUN: yes; Tape LUN: yes; Modify? Yes)
Command parameters: -encryption_format native | DF_compatible
Description: Sets the encryption format. Valid values are:
• Native - The LUN is encrypted or decrypted using the Brocade encryption format (metadata format and algorithm). This is the default setting.
Modifying Crypto LUN parameters
You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. If the modification applies to multiple LUNs, you may specify a LUN number range.
NOTE
A maximum of 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed this maximum fail with a warning. Note that there is a five-second delay before the commit operation takes effect.
For specific handling of encryption policy changes when using the DF-compatible encryption format, refer to Appendix D, “DF-compatibility support for disk LUNs” on page 217 and “DF-compatibility support for tape LUNs” on page 221.
Force-enabling a disabled LUN for encryption
You can force a LUN to become enabled for encryption when encryption is disabled on the LUN.
a. Discover the LUN.
FabricAdmin:switch>cryptocfg --discoverLUN my_tape_tgt
Container name: my_tape_tgt
Number of LUN(s): 1
    Host: 10:00:00:00:c9:2b:c9:3a
    LUN number: 0x0
    LUN serial number:
    Key ID state: Key ID not Applicable
b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption and sets the key expiration to 90 days.
Configuring a multi-path Crypto LUN
A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on multiple CryptoTarget containers located on the same encryption switch or blade or on different encryption switches or blades.
c. Add host port 1 to the container CTC1.
FabricAdmin:switch>cryptocfg --add -initiator \
d. Add host port 2 to the container CTC2.
FabricAdmin:switch>cryptocfg --add -initiator
e. Commit the configuration.
FabricAdmin:switch>cryptocfg --commit
Upon commit, redirection zones are created for target port 1 with host port 1 and for target port 2 with host port 2.
6. Validate the LUN policies for all containers. Display the LUN configuration for ALL CryptoTarget containers to confirm that the LUN policy settings are the same for all CryptoTarget containers.
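The two cautions in this chapter (matching serial numbers on every path, identical LUN policies on every container) are exactly the checks worth automating before the commit. The following is an added example, not Brocade's code: it parses captured cryptocfg --discoverLUN output for each container in the layout shown earlier and compares the serial numbers, then compares the policy settings read from each container's LUN display. The captures, container names (CTC1 to CTC3), serial numbers and policy values are all constructed for the example.

```python
"""Pre-commit consistency check for a multi-path Crypto LUN (added example)."""
import re

# Constructed captures of "cryptocfg --discoverLUN <container>" for three
# containers. CTC1 and CTC2 are two paths to the same LUN; CTC3 reaches a
# different device and must not be added as a path to this LUN.
DISCOVER_OUTPUT = {
    "CTC1": """Container name: CTC1
Number of LUN(s): 1
    Host: 10:00:00:00:c9:2b:c9:3a
    LUN number: 0x0
    LUN serial number: EXAMPLE-SN-0001
    Key ID state: Key ID not Applicable
""",
    "CTC2": """Container name: CTC2
Number of LUN(s): 1
    Host: 10:00:00:00:c9:2b:c9:3b
    LUN number: 0x0
    LUN serial number: EXAMPLE-SN-0001
    Key ID state: Key ID not Applicable
""",
    "CTC3": """Container name: CTC3
Number of LUN(s): 1
    Host: 10:00:00:00:c9:2b:c9:3c
    LUN number: 0x0
    LUN serial number: EXAMPLE-SN-0002
    Key ID state: Key ID not Applicable
""",
}

# Policy settings as read from each container's LUN display (constructed).
# Keys follow the parameters used in this chapter: -encrypt, -key_lifespan,
# -encryption_format.
LUN_POLICIES = {
    "CTC1": {"encrypt": True, "key_lifespan": 90, "encryption_format": "native"},
    "CTC2": {"encrypt": True, "key_lifespan": 90, "encryption_format": "native"},
    "CTC3": {"encrypt": True, "key_lifespan": 90, "encryption_format": "DF_compatible"},
}


def parse_discover_luns(text):
    """Map LUN number -> serial number from one discoverLUN capture."""
    luns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"LUN number:\s*(\S+)", line)
        if m:
            current = m.group(1).lower()
            luns[current] = ""            # serial is filled in by the next line
            continue
        m = re.match(r"LUN serial number:\s*(.*)$", line)
        if m and current is not None:
            luns[current] = m.group(1).strip()
    return luns


def check_multipath_lun(lun_number, captures, policies):
    """Return (ok, problems) for one LUN seen through several containers."""
    lun = lun_number.lower()
    problems = []
    serials = {}
    for name, text in captures.items():
        found = parse_discover_luns(text)
        if lun not in found:
            problems.append(f"{name}: LUN {lun_number} was not discovered")
        elif not found[lun]:
            # A blank serial (as in the tape example earlier in this chapter)
            # cannot prove that two containers reach the same device.
            problems.append(f"{name}: LUN {lun_number} reports no serial number")
        else:
            serials[name] = found[lun]
    if len(set(serials.values())) > 1:
        detail = ", ".join(f"{n}={s}" for n, s in sorted(serials.items()))
        problems.append(f"serial number mismatch across paths: {detail}")
    names = sorted(policies)
    if names:
        ref_name, ref = names[0], policies[names[0]]
        for name in names[1:]:
            pol = policies[name]
            diff = sorted(k for k in set(ref) | set(pol) if ref.get(k) != pol.get(k))
            if diff:
                problems.append(f"{name}: policy differs from {ref_name} on {diff}")
    return (not problems), problems


if __name__ == "__main__":
    ok, problems = check_multipath_lun("0x0", DISCOVER_OUTPUT, LUN_POLICIES)
    print("OK to commit" if ok else "DO NOT COMMIT:")
    for p in problems:
        print("  -", p)
```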
FIGURE 72 A LUN accessible through multiple paths
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into a single backup to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties:
• They are configured and managed per encryption group at the group leader level.
LUN policies versus tape pool policies
The Brocade encryption platform supports tape encryption configuration at the tape pool level and at the LUN (tape drive) level. Tape drive (LUN) policies serve as a fallback mechanism in the event that no tape pools are created or a given tape volume does not belong to any configured tape pool.
• The tape pool label created on the encryption switch or blade must be the same tape pool label that is configured on the tape backup application. It is recommended that you check for any labeling restrictions specific to your backup application before creating a tape pool on the encryption switch.
NOTE
Check your backup application before choosing a label. Some applications, such as NetWorker, do not support underscore characters in tape pool labels.
NetBackup labeling
NetBackup uses numbers to label tape pools. If you are using NetBackup as your application, follow these steps to obtain the tape pool number.
1. Log into the NetBackup application Windows host.
2. Select Start > Run, and type cmd in the dialog box.
FabricAdmin:switch>cryptocfg --create -tapepool -label my_tapepool -encrypt -key_lifespan 90
Operation succeeded.
3. Commit the transaction.
FabricAdmin:switch>cryptocfg --commit
Operation succeeded.
4. Display the configuration. Enter the cryptocfg --show -tapepool command followed by the tape pool number or label and the -cfg parameter.
Modifying a tape pool
1. Log into the group leader as FabricAdmin.
2. Enter the cryptocfg --modify -tapepool command followed by a tape pool label or number. Then specify a new policy, encryption format, or both. The following example changes the encryption format from Brocade native to DF-compatible.
FabricAdmin:switch>cryptocfg --modify -tapepool -label my_tapepool -encryption_format DF_compatible
Operation succeeded.
3. Commit the transaction.
Migrating an existing tape pool
If you have a configured tape backup application and a pre-existing tape pool before you deploy the Brocade encryption platform, you can integrate the pre-existing tape pool into the encryption platform with the following procedure.
1. On the encryption group leader, configure the tape pool with the --create -tapepool command. Refer to the section “Creating a tape pool” on page 158 for detailed instructions.
The system checks once every hour to determine whether any re-key or first time encryption sessions are pending. If resources are available, the next session in the queue is processed. There may be up to an hour of lag before the next session in the queue is processed. It is therefore recommended that you do not schedule more than 12 re-key or first time encryption sessions.
Initiating a manual re-key session
If auto re-keying is disabled, you can still initiate a re-keying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. The manual re-keying feature is useful when the key is compromised and you want to re-encrypt existing data on the LUN before taking action on the compromised key.
Suspension and resumption of re-keying operations
A re-key may be suspended or fail to start for several reasons:
• The LUN goes offline or the encryption switch fails and reboots. Re-key operations resume automatically when the target comes back online or the switch comes back up. You cannot abort an in-progress re-key operation.
• An unrecoverable error is encountered on the LUN and the in-progress re-key operation halts.
First time encryption
First time encryption, also referred to as encryption of existing data, is similar to the re-keying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first time encryption operation, cleartext data is read from a LUN, encrypted with the current key and written back to the same LUN at the same logical block address (LBA) location.
Advanced encryption group configuration
This section describes advanced configuration options that you can use to modify existing encryption groups and to recover from problems with one or more member nodes in the group. All group-wide configuration commands are executed on the group leader. Commands that clear group-related states from an individual node are executed on the node.
1. Log into the group leader as Admin or SecurityAdmin.
2. If the node is part of an HA cluster, perform the following steps:
a. Remove the node from the HA cluster with the cryptocfg --rem -haclustermember command. Refer to the section “High Availability (HA) cluster configuration” on page 129 for instructions.
b. Clear all CryptoTarget configurations from the member node with the cryptocfg --delete -container command.
Deleting an encryption group
You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
Recovery
1. Configure the IP address of the new node that is replacing the failed node, and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command. Refer to the section “Encryption switch initialization” on page 98 for instructions.
2. Register the new node IP address and CP certificate with the group leader node.
A member node reboots and comes back up
Assumptions
N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 reboots and comes back up.
Impact
When N3 reboots, all devices hosted on the encryption engines of this node automatically fail over to the peer encryption engine on N1, and N1 now performs all of the rebooted node’s encryption services. Any re-key sessions in progress continue.
A member node lost connection to all other nodes in the encryption group
Assumptions
N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 lost connection with all other nodes in the group. Node N3 finds itself isolated from the encryption group and, following the group leader succession protocol, elects itself as group leader.
• Each encryption group registers the missing members as “offline”.
• The isolation of N3 from the original encryption group breaks the HA cluster and failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders, because doing so would require communication with the “offline” member nodes. You cannot start any re-key operations (auto or manual) on any of the nodes.
Configuration impact of encryption group split or node isolation
When a node is isolated from the encryption group or the encryption group is split to form separate encryption group islands, the defined or registered node list in the encryption group is not equal to the current active node list, and the encryption group is in a DEGRADED state rather than in a CONVERGED state.
Chapter 4 Deployment Scenarios
In this chapter
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
• Multiple paths, DEK cluster, no HA cluster
Single fabric deployment - HA cluster
Figure 74 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 74, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.
In Figure 75, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN, and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 77 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Brocade encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster
Figure 78 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric.
Use the following procedure to set up encryption for the LUNs on the target from these four paths using two encryption switches and two host ports:
1. Disable all four target ports.
2. Configure Encryption Switch 1 and Encryption Switch 2 to form an encryption group.
3. Enable Target Port1 and Target Port3 only.
4. On Encryption Switch 1, configure CTC1 (crypto target container) for target port1. Add Host Port1 to CTC1.
Deployment in Fibre Channel routed fabrics
In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_port connections (Figure 79), or it may form the backbone fabric and directly provide the EX_port connections (Figure 80). The encryption resources can be shared with the host and target edge fabrics using device sharing between backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device automatically creates the frame redirection zone, consisting of host, target, virtual target, and virtual initiator, in the backbone fabric when the target and host are configured on the encryption device.
Deployment as part of an edge fabric
In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7500 extension switch or FR4-18i blade in a 48000 director, DCX, or DCX-4S, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 81).
Deployment with FCIP extension switches
Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX, DCX-4S or 48000 chassis to enable long distance connections. Figure 82 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator’s Guide for information about creating FCIP configurations.
Data mirroring deployment
Figure 83 shows a data mirroring deployment. In this configuration, the host only knows about target1 and LUN1, and the I/O path to target1 and LUN1. When data is sent to target1, it is written to LUN1, and also sent on to LUN2 for replication. Target1 acts as an initiator to enable the replication I/O path.
If metadata is not present on the LUN
In very rare cases, metadata may not be present on the LUN. The record archived in the key vault refers only to the primary LUN, and not to the LUN replication. With no metadata present in the replicated blocks, there is no key ID to use to retrieve the DEK from the key vault. User intervention is needed to query the key vault to get the key ID.
1. Map the primary LUN to the replicated or snapshot LUN.
Chapter 5 Best Practices and Special Topics
In this chapter
• Firmware download considerations
• HP-UX considerations
• Enable of a disabled LUN
• Disk metadata
• Tape metadata
Firmware download considerations
The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during the firmware upgrade.
Specific guidelines and procedures
The following are specific guidelines for a firmware upgrade of the encryption switch or blade when deployed in an HA cluster. The guidelines are based on the following scenario:
• There are 2 nodes (BES1 and BES2) in the HA cluster.
• Each node hosts a certain number of CryptoTarget containers and associated LUNs.
• Node 1 (BES1) needs to be upgraded first.
HP-UX considerations
The HP-UX OS requires LUN 0 to be present. LUNs are scanned differently based on the type value returned for LUN 0 by the target device.
• If the type is 0, then HP-UX only scans LUNs from 0 to 7. That is the maximum limit allowed by HP-UX for device type 0.
• If the type is 0xC, then HP-UX scans all LUNs.
Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
Tape data compression
Data is compressed by the encryption switch or blade before encrypting only if the tape device supports compression and compression is explicitly enabled by the host backup application. That means that if the tape device supports compression but compression is not enabled by the host backup application, the encryption switch or blade does not compress the data before encrypting it.
Tape key expiry
When the tape key expires in the middle of a write operation on the tape, the key is used for the duration of that write operation to append the data on the tape media. When the backup application rewinds the media and starts writing to block zero again, a new key is created and used for subsequent operations. The expired key is thereafter marked as read only and used only for restoring data from already encrypted tapes.
Configuring CryptoTarget containers and LUNs
The following are best practices to follow when configuring CryptoTarget containers and Crypto LUNs:
• Host a target port on only one encryption switch, or one HA cluster. All LUNs visible through the target port are hosted on the same encryption switch, and are available for storing cipher text.
• Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted LUN.
Redirection zones
Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the existing device configuration by invoking the cryptocfg --commit command. If no changes have taken place since the last commit, you should use the cryptocfg --commit -force command.
In tape libraries where the media changer unit is addressed by a separate LUN at the same target port as the actual tape SCSI I/O LUN, create a CryptoTarget container for the target port, and add both the media changer unit LUN and one or more tape SCSI I/O LUNs to that CryptoTarget container. If only a media changer unit LUN is added to the CryptoTarget container, no encryption is performed on this device.
Re-keying best practices and policies
Re-keying should be done only when necessary. In key management systems, DEKs are never exposed in an unwrapped or unencrypted state. When using RKM or SKM as the key management system, you must re-key if the master key is compromised. The practice of re-keying should be limited to the following cases:
• Master key compromise in the case of RKM and SKM.
• Insider security breaches.
Do not change LUN configuration while re-keying
Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN’s settings during manual or auto re-keying or first time encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect.
Recommendations for initiator fan-ins
For optimal performance at reasonable scaling factors of initiators, targets, and LUNs accessed, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, measured as the number of distinct initiator ports per Crypto Container (that is, per virtual target port corresponding to the physical target port).
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states 201
• Security processor KEK status 202
• Encrypted LUN states 202
Encryption engine security processor (SP) states
Table 12 lists the encryption engine security processor (SP) states.
TABLE 12 Encryption engine security processor (SP) states
Encryption engine security processor (SP) state | Description
Zeroized | Encryption engine is zeroized
INVALID | Encryption engine is invalid
Security processor KEK status
Table 13 lists security processor KEK status information.
TABLE 13 Security processor KEK status
KEK type | KEK status (1) | Description
Primary KEK (current MK or primary KV link key) | None | Primary KEK is not configured.
TABLE 14 Encrypted LUN states (Continued)
LUN_ENCRYPT | Encryption enabled.
LUN_READONLY_1 | Read only (found native metadata while LUN is in DF mode).
LUN_READONLY_2 | Read only (found DF metadata while LUN is in native mode).
LUN_READONLY_3 | Read only (metadata key is in read-only state).
LUN_WR_META_IN_PROG | Write metadata is in progress.
LUN_1ST_TIME_REKEY_IN_PROG | First time re-key is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG | Key expired re-key is in progress.
TABLE 14 Encrypted LUN states (Continued)
LUN_DIS_ADD_KEY_API_ERR | Disabled (Add new key API returns error).
LUN_DIS_ADD_KEY_CB_ERR | Disabled (Add new key failure).
LUN_DIS_REKEY_ACK_ERR | Disabled (Re-key back with failure).
LUN_DIS_REKEY_DONE_ERR | Disabled (Re-key done with failure).
LUN_DIS_WR_META_ACK_ERR | Disabled (Write metadata back with failure).
LUN_DIS_WR_META_DONE_ERR | Disabled (Write metadata done with failure).
Appendix B Maintenance and Troubleshooting
In this appendix
• General encryption troubleshooting using the CLI
• Troubleshooting examples using the CLI
• Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group
• LUN policy troubleshooting
General encryption troubleshooting using the CLI

TABLE 15  General troubleshooting tips using the CLI (continued)

Command: switch:SecurityAdmin> cryptocfg --show -groupcfg
Activity: Check key vault connection status. Check encryption group/cluster status.
  Note: CONVERGED status means the cluster has formed successfully.

Command: switch:SecurityAdmin> cryptocfg --show -groupmember -all
Activity: Check encryption group/cluster member status.
TABLE 16  General errors related to using the CLI (continued)

Problem: “Temporarily out of resources” message received during re-key or first-time encryption.
Resolution: Re-key or first-time encryption sessions are pending because resources are unavailable. A maximum of twelve sessions, including re-key (manual or auto) and first-time encryption sessions, are supported per encryption switch or blade, and two sessions per target.
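The two session limits behind the “Temporarily out of resources” message, modelled as an admission check. This is an added illustration written for this guide, not Brocade's code; the target names, LUN numbers and session kinds are constructed sample values, and the engine itself schedules pending sessions internally.

```python
"""Constructed model of re-key / first-time-encryption session admission.

Added illustration, not Brocade's code. It applies the two limits the guide
states: at most 12 sessions in total (manual re-key, auto re-key and first-time
encryption combined) per encryption switch or blade, and at most 2 sessions
per target. Requests beyond either limit stay pending ("out of resources").
"""
from collections import Counter
from dataclasses import dataclass

MAX_SESSIONS_PER_ENGINE = 12  # per encryption switch or blade (from the guide)
MAX_SESSIONS_PER_TARGET = 2   # per target (from the guide)
SESSION_KINDS = ("manual_rekey", "auto_rekey", "first_time_encryption")


@dataclass(frozen=True)
class SessionRequest:
    target: str  # target name or WWN; sample values below are constructed
    lun: int
    kind: str


def admit_sessions(requests, active=()):
    """Split `requests` into (admitted, pending) under the session limits.

    `active` holds sessions already running on this engine and counts against
    both limits. Requests are handled in order; each pending entry carries the
    limit that blocked it so an operator can see which cap was hit.
    """
    for s in (*active, *requests):
        if s.kind not in SESSION_KINDS:
            raise ValueError(f"unknown session kind: {s.kind!r}")
    engine_count = len(active)
    per_target = Counter(s.target for s in active)
    admitted, pending = [], []
    for r in requests:
        if engine_count >= MAX_SESSIONS_PER_ENGINE:
            pending.append((r, "engine limit reached (12 sessions per switch/blade)"))
        elif per_target[r.target] >= MAX_SESSIONS_PER_TARGET:
            pending.append((r, "target limit reached (2 sessions per target)"))
        else:
            admitted.append(r)
            engine_count += 1
            per_target[r.target] += 1
    return admitted, pending


def sample_run():
    """Constructed sample: three LUN requests on target T1 and one on T2."""
    requests = [
        SessionRequest("T1", 0, "manual_rekey"),
        SessionRequest("T1", 1, "first_time_encryption"),
        SessionRequest("T1", 2, "auto_rekey"),  # third on T1: stays pending
        SessionRequest("T2", 0, "manual_rekey"),
    ]
    return admit_sessions(requests)
```

Pending entries name the limit that blocked them, which tells an operator whether to wait for sessions on the same target to finish or for the engine-wide count to drop.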
Troubleshooting examples using the CLI

Encryption Enabled Crypto Target LUN

The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled Crypto Target LUN

If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN.
Management application encryption wizard troubleshooting

• Errors related to adding a switch to an existing group . . . 210
• Errors related to adding a switch to a new group . . . 211
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group

Table 18 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.

TABLE 18  Error recovery instructions for adding a switch to a new group

Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
TABLE 18  Error recovery instructions for adding a switch to a new group (continued)

Configuration task: Create a new master key (if the key vault type is not NetApp)
Error description: A failure occurred while attempting to create a new master key.

Configuration task: Save the switch’s public key certificate to a file
Error description: The switch’s public key certificate could not be saved to a file.
General errors related to the Configure Switch Encryption wizard

Table 19 provides additional information for failures you might encounter while configuring switches using the Configure Switch Encryption wizard.

TABLE 19  General errors related to the Configure Switch Encryption wizard

Problem: Initialization fails on the encryption engine after the encryption engine is zeroized.
Resolution: Reboot the switch.
LUN policy troubleshooting

Table 20 may be used as an aid in troubleshooting problems related to LUN policies.

TABLE 20  LUN policy troubleshooting

Columns: Case | Reasons for the LUN getting disabled by the encryption switch | Action taken (if you do not need to save the data / if you need to save the data)

Case 1
Reason: The LUN was modified from encrypt policy to cleartext policy but metadata exists. LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage

When all nodes in an encryption group, HA cluster, or DEK cluster are powered down because of a catastrophic disaster or a power outage affecting the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is deliberately kept powered down, the member nodes lose their information about the encryption group.
MPIO and internal LUN states

The Internal LUN State field displayed in the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN; it shows the internal LUN state as known by the given encryption engine. Because the encryption solution is transparent and embedded in the fabric, the host-to-storage-array LUN path status can only be displayed by using host MPIO software.
Appendix C  LUN Policies

In this appendix

The following topics are covered in this appendix:
• DF-compatibility support for disk LUNs . . . 217
• DF-compatibility support for tape LUNs . . . 221

DF-compatibility support for disk LUNs

Table 21 and Table 22 may be used as a reference for establishing disk LUN policies in support of DataFort firmware versions.
TABLE 22  Support matrix for disk LUNs for various configuration and modify options

Columns: LUN encryption format | LUN state | LUN policy | Encrypt existing data | Key ID | Metadata on LUN | Results

Native (Brocade) | Encrypted | Encrypt | NA when LUN state = encrypt | NA | Yes | No error.
Native (Brocade) | Cleartext | Cleartext | NA in case of cleartext policy | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF compatible | Cleartext | Encrypt | Yes | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF-compatibility support for tape LUNs

Table 23 and Table 24 may be used as a reference for establishing tape LUN policies in support of DataFort firmware versions.

NOTE: On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of one MB or greater.
TABLE 24  Compatibility support matrix for tape pools (continued)

Columns: Tape pool encryption format | Tape pool policy | Metadata present | Results

DF-compatible | Encrypt | No (new tape) | No error. A new key is generated and both read and write are allowed in DF-compatible format.
DF-compatible | Cleartext | Brocade metadata | Reads are allowed in Brocade format using the key from the metadata. Writes are rejected if the tape is not positioned at the beginning of the tape.
Appendix D  NS-Based Transparent Frame Redirection

Table 25 provides the NS-based transparent frame redirection interoperability matrix.

TABLE 25  Frame redirection support: NS-based transparent frame redirection interoperability matrix¹

Columns: FOS version | Host and target edge switches/directors, by fabric type:
  FOS only Layer 2 SAN
  FOS and EOSc and EOSn interop mode 2 “native”
  FOS and EOSc and EOSn interop mode 3 “open”
  EOSc and EOSn only

FOS 6.2.0 | FOS 5.3.1x for legacy Bloom-based switches and directors. | FOS 6.1
Appendix E  FIPS Specifications

The FIPS-140 standard

The official title of the standard Federal Information Processing Standard 140 (FIPS-140) is Security Requirements for Cryptographic Modules. FIPS 140-2 is the second revision of the standard and was released in 2001.

FIPS compliance

Table 26 gives a brief overview of FIPS security levels. Each level of security requires complete satisfaction of the lower levels to claim compliance.