Fabric OS Encryption Administrator’s Guide
Supporting HP Secure Key Manager (SKM) Environments and HP Enterprise Secure Key Manager (ESKM) Environments
Supporting Fabric OS v7.0
53-1002159-03
28 July 2011
Copyright © 2010-2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents

About This Document
  In this chapter   xiii
  How this document is organized   xiii
  Supported hardware and software   xiv
  What’s new in this document   xiv
  Document conventions

Chapter 2 Encryption configuration
  In this chapter   13
  Encryption Center features   14
  Encryption user privileges   15
  Smart card usage   16
    Registering authentication cards from a card reader
  Creating high availability (HA) clusters   54
    Removing engines from an HA cluster   55
    Swapping engines in an HA cluster   55
    Failback option   56
    Invoking failback   57
  Adding encryption targets
  Viewing and editing group properties   98
    General tab   99
    Members tab   100
    Consequences of removing an encryption switch   101
    Security tab   103
    HA Clusters tab
  Re-exporting a master key   140
    Exporting an additional key ID   141
    Viewing the master key IDs   142
  Enabling the encryption engine   143
    Checking encryption engine status   143
  Zoning considerations

Chapter 4 Deployment Scenarios
  In this chapter   175
  Single encryption switch, two paths from host to target   176
  Single fabric deployment - HA cluster   177
  Single fabric deployment - DEK cluster   178
  Dual fabric deployment - HA and DEK cluster
  Do not use DHCP for IP interfaces   199
  Ensure uniform licensing in HA clusters   199
  Tape library media changer considerations   199
  Turn off host-based encryption   199
  Avoid double encryption   199
  PID failover
  Encryption group merge and split use cases   213
    A member node failed and is replaced   213
    A member node reboots and comes back up   214
    A member node lost connection to the group leader   215
    A member node lost connection to all other nodes in the encryption group   215
    Several member nodes split off from an encryption group
  Security processor KEK status   250
  Encrypted LUN states
About This Document

In this chapter
• How this document is organized   xiii
• Supported hardware and software   xiv
• What’s new in this document   xiv
• Document conventions   xiv
• Text formatting

• Chapter 6, “Maintenance and Troubleshooting,” provides information on troubleshooting and the most common commands and procedures to use to diagnose and recover from problems.
• Appendix A, “State and Status Information,” lists the encryption engine security processor (SP) states, security processor key encryption key (KEK) status information, and encrypted LUN states.

Supported hardware and software

The following hardware platforms support data encryption as described in this manual.

Command syntax conventions

Command syntax in this manual follows these conventions:

command            Commands are printed in bold.
--option, option   Command options are printed in bold.
-argument, arg     Arguments.
[ ]                Optional element.
variable           Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...                Repeat the previous element, for example “member[;member...]”.
value              Fixed values following arguments are printed in plain font.
For definitions specific to this document, see “Terminology” on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.org/education/dictionary

Notice to the reader

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.

Release notes are available on the MyBrocade website and are also bundled with the Fabric OS firmware.

Other industry resources
• White papers, online demos, and data sheets are available through the Brocade website at http://www.brocade.com/products-solutions/products/index.page.
• Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner website.
For additional resource information, visit the Technical Committee T11 Web site.

The serial number label is located as follows:
• Brocade Encryption Switch—On the switch ID pull-out tab located inside the chassis on the port side of the switch on the left.
• Brocade DCX—On the bottom right on the port side of the chassis.
• Brocade DCX-4S—On the bottom right on the port side of the chassis, directly above the cable management comb.
3. World Wide Name (WWN)
Use the licenseIdShow command to display the WWN of the chassis.
Chapter 1 Encryption Overview

In this chapter
• Host and LUN considerations   1
• Terminology   2
• The Brocade Encryption Switch   4
• The FS8-18 blade   5
• FIPS mode

Terminology

The following are definitions of terms used extensively in this document.

ciphertext   Encrypted data.
cleartext   Unencrypted data.
CryptoModule   The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK)   An encryption key generated by the encryption engine.
Opaque Key Vault   A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted under a master key to protect them.
Recovery cards   A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key.
The Brocade Encryption Switch

The Brocade Encryption Switch (BES) is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.

The FS8-18 blade

The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.

FIPS mode

Both the BES and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.

Recommendation for connectivity

In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.

Brocade encryption solution overview

The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage

The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management

Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle

Master key management

Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM.

Master key generation

A master key must be generated by the group leader encryption engine.
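The sections above describe a two-tier key hierarchy: each DEK encrypts data, and the master key wraps DEKs so that an opaque key vault only ever holds them in encrypted form. The Go program below is an added illustration of that hierarchy; it is not Brocade code and does not reproduce the switch's actual wrapping format. AES-256-GCM as the wrapping primitive, the key ID bound as associated data, the constructed key ID and the sample plaintext are all this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealAESGCM encrypts plaintext under a 256-bit key with AES-256-GCM and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; any change to the blob or the aad fails the tag check.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than a nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewDEK returns a fresh random 256-bit data encryption key.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, dek)
	return dek, err
}

// WrapDEK encrypts a DEK under the master key so that only the wrapped form is
// stored in the opaque key vault. Binding the key ID as AAD is this example's
// choice: a wrapped DEK filed under one ID cannot be unwrapped as another.
func WrapDEK(masterKey, dek []byte, keyID string) ([]byte, error) {
	return sealAESGCM(masterKey, dek, []byte(keyID))
}

// UnwrapDEK recovers the DEK; it fails if the master key, key ID or blob is wrong.
func UnwrapDEK(masterKey, wrapped []byte, keyID string) ([]byte, error) {
	return openAESGCM(masterKey, wrapped, []byte(keyID))
}

// RoundTrip walks the life cycle: a DEK encrypts the data, the master key wraps
// the DEK, the plaintext DEK is discarded so only the vault copy remains, and
// recovery runs the other way. It returns the recovered plaintext.
func RoundTrip(masterKey, data []byte) ([]byte, error) {
	dek, err := NewDEK()
	if err != nil {
		return nil, err
	}
	ciphertext, err := sealAESGCM(dek, data, nil)
	if err != nil {
		return nil, err
	}
	vaultEntry, err := WrapDEK(masterKey, dek, "dek-0001") // constructed key ID
	if err != nil {
		return nil, err
	}
	for i := range dek {
		dek[i] = 0
	}
	recovered, err := UnwrapDEK(masterKey, vaultEntry, "dek-0001")
	if err != nil {
		return nil, err
	}
	return openAESGCM(recovered, ciphertext, nil)
}

func main() {
	masterKey := make([]byte, 32) // constructed; on the switch the group leader engine generates it
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	out, err := RoundTrip(masterKey, []byte("constructed LUN block"))
	fmt.Printf("recovered %q (err=%v)\n", out, err)
}
```

Two consequences follow directly from the structure. Losing the master key makes every wrapped DEK in the vault unrecoverable, which is why the guide devotes the following sections to backing it up. And because the vault is untrusted, the unwrap must be authenticated (here, GCM's tag) so that a corrupted or substituted entry is rejected instead of being decrypted into a wrong DEK that silently destroys data.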
• A set of recovery smart cards. This option is only available if the switch is managed by the Data Center Fabric Manager (DCFM), and if a card reader is available for attachment to the DCFM workstation. The use of smart cards provides the highest level of security. When smart cards are used, the key is split and written on up to 10 cards. Each card may be kept and stored by a different individual. A quorum of key holders is needed to restore the key.
Cisco Fabric Connectivity support
Chapter 2 Encryption configuration

In this chapter
• Encryption Center features   14
• Encryption user privileges   15
• Smart card usage   16
• Network connections

Encryption Center features

The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Management application. It also provides a table that shows the general status of all encryption-related hardware and functions at a glance.

FIGURE 6 Encryption Center dialog box

Beginning with Fabric OS 6.

Encryption user privileges

In the Management application, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time. The Management application provides three pre-configured roles:
• Storage encryption configuration.
• Storage encryption key operations.
• Storage encryption security.

Smart card usage

Smart cards are credit card-sized cards that contain a CPU and persistent memory. Smart cards can be used as security devices. You must have Storage Encryption Security user privileges to activate, register, and configure smart cards. Smart cards can be used to do the following:
• Control user access to the Management application security administrator roles.
• Control activation of encryption engines.
• Securely store backup copies of master keys.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click an encryption group and select Security. The Encryption Group Properties dialog box displays, with the Security tab selected.

FIGURE 7 Encryption Group Properties dialog box - registering authentication cards

3.

FIGURE 8 Add Authentication Card dialog box

5. Insert a smart card into the card reader. Wait for the card serial number to appear, then enter card assignment information as directed.
6. Click OK.
7. Wait for the confirmation dialog box indicating initialization is done, then click OK. The card is added to the Registered Authentication Cards table in the Encryption Group Properties dialog box.
8. Repeat step 5 through step 7 until you have successfully registered all cards.

FIGURE 9 Authentication Cards dialog box - registering smart cards from archive

4. Select a card from the table, then click OK.
5. Wait for the confirmation dialog box indicating initialization is done, then click OK. The card is added to the Registered Authentication Cards table in the Encryption Group Properties dialog box.

Deregistering an authentication card

Authentication cards can be removed from the database and the switch by deregistering them.

Using authentication cards

When a quorum of authentication cards is registered for use, an Authenticate dialog box is displayed to grant access to the following:
• The Encryption Group Properties dialog box Link Keys tab (for NetApp LKM only).
• The Encryption Group Properties dialog box Security tab, which provides access to the following:
  - Master Key Actions, which includes Backup Master Key, Restore Master Key, and Create Master Key.

Registering system cards from a card reader

System cards are smart cards that can be used to control activation of encryption engines. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine.

2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar, or right-click the switch and select System Cards. The System Cards dialog box displays.
3. Select the system card to deregister.
4. Click Deregister.
5. A confirmation dialog box displays. Click OK to confirm deregistration. The card is removed from the Registered System Cards table.

Editing smart cards

Use the Edit Smart Card dialog box to edit smart card details.
1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar. The Edit Smart Card dialog box displays.

FIGURE 12 Edit Smart Card dialog box

2. Insert the smart card into the card reader.
3. After the card’s ID is displayed in the Card ID field, enter the Card Password, then click Login.
4. Edit the card assignment user information as needed.
5. Click OK.
Network connections

Before you use the encryption setup wizard for the first time, you must have the following required network connections:
• The management ports on all devices that will perform encryption (Brocade Encryption Switches, or DCX and DCX-4S chassis with encryption blades installed) must have a LAN connection to the SAN management program, and must be available for discovery.

3. Enter the link IP address and mask, and the gateway IP address.
4. Click OK.
The Blade Processor Link dialog box can also be launched from the following locations:
- Select an encryption group from the Encryption Center Devices table, then select Group > HA Clusters from the menu task bar, or right-click a group and select HA Clusters. The Properties dialog box displays with the HA Clusters tab selected.

FIGURE 14 Warning message

2. Select Yes to initialize the node.

Steps for connecting to an SKM or ESKM appliance

The SKM and Enterprise SKM (ESKM) management web console can be accessed from any web browser with Internet access to the SKM/ESKM appliance. Both SKM and ESKM are supported, but combining them in a single encryption group is not supported.
These steps are described in more detail in the following sections:
• “Registering authentication cards from the database” on page 18
• “Registering the SKM or ESKM Brocade group user name and password” on page 28
• “Setting up the local Certificate Authority (CA) on SKM or ESKM” on page 29
• “Downloading the local CA certificate from SKM or ESKM” on page 30
• “Creating and installing the SKM or ESKM server certificate” on page 30
• “Enabling SSL on

Registering the SKM or ESKM Brocade group user name and password

The Brocade group user name and password you created when configuring a Brocade group on SKM/ESKM must also be registered on each Brocade encryption node.

NOTE
This operation can be performed only after the switch is added to the encryption group.

1. Select Configure > Encryption from the menu task bar.
2. The Encryption Center dialog box displays.
3.

Setting up the local Certificate Authority (CA) on SKM or ESKM

To create and install a local CA, complete the following steps:
1. Log in to the SKM/ESKM management web console using the admin password.
2. Select the Security tab.
3. Under Certificates & CAs, click Local CAs.
4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA.
   - Enter a Certificate Authority Name and Common Name.

6. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
7. Click on Default under Profile Name.
8. In the Trusted Certificate Authority List, click Edit.
9. From the list of Available CAs in the right panel, select the CA you just created.
Repeat these steps any time another local CA is needed.

10. Click Sign Request.
11. Enter the required data in the Sign Certificate Request section of the window. Select the CA name from the Sign with Certificate Authority drop-down list.
12. Paste the copied certificate request data into the Certificate Request box.
13. Click Sign Request. The signed certificate request data displays under Sign Certificate Request.
14. Click Download to download the signed certificate to your local system.
15.

FIGURE 17 SKM Key Management Services Configuration window

3. In the KMS Server Settings section of the window, select the following check boxes:
   • Use SSL
   • Allow Key and Policy Configuration Operations
   • Allow Key Export
4. Click Edit. A warning message might display explaining that if you disable SSL, you must have TLS enabled for your web browser.
5. Configure the KMS Server Settings.

To create a cluster, perform the following steps on one of the HP SKM/ESKM appliances that is to be a member of the cluster.
1. From the SKM/ESKM management console, click the Device tab.
2. In the Device Configuration menu, click Cluster. The Create Cluster section displays.
3. Select and note the Local IP address. You will need this address when you add an appliance to the cluster.
4.

Enter information required in the Install CA Certificate section near the bottom of the page.
   - Enter the Certificate Name of the certificate being transferred from the first cluster member.
   - Paste the copied certificate data into the Certificate box.
4. Click Install.
5. In the Certificates & CA menu, click Trusted CA Lists.
6. Click on the Default Profile Name.
7. Click Edit.
8.
Alternatively, you may select a switch, then select Switch > Properties. Click the Export button beside the Public Key Certificate Request, or copy the CSR for pasting into the Certificate Request Copy area on the SKM/ESKM Sign Certificate Request page.
4. Launch the SKM/ESKM administration console in a web browser and log in.
5. Select the Security tab.
6. Select Local CAs under Certificates & CAs. The Certificate and CA Configuration page displays.
7.
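The procedures above, from creating the local CA through signing the node's certificate request and placing the CA in the trusted list, form one trust setup: the key vault trusts certificates issued by its own local CA, and the encryption node presents such a certificate when it connects over SSL. The Go program below is an added example, not taken from the guide or from HP or Brocade software, that performs the same three operations with the standard crypto/x509 package so the trust decision can be exercised outside the appliance. The common names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewLocalCA mirrors the "Create Local Certificate Authority" step: a self-signed
// CA whose certificate is what ends up in the vault's trusted CA list.
func NewLocalCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR stands in for the encryption node: it generates a key pair and exports a
// PEM signing request (the guide's Public Key Certificate Request); the key stays on the node.
func NewCSR(commonName string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// SignCSR is the CA-side "Sign Request" step: reject anything that is not a well-formed
// CSR with a valid self-signature, then issue a client certificate for the CSR's public key.
func SignCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrPEM []byte, serial int64) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstCA is the check the vault performs when the node connects over SSL:
// the presented certificate must chain to a CA in the trusted CA list.
func VerifyAgainstCA(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey, _ := NewLocalCA("Constructed Local CA")
	csrPEM, _, _ := NewCSR("constructed-encryption-node")
	cert, err := SignCSR(ca, caKey, csrPEM, 2)
	if err != nil {
		panic(err)
	}
	// The downloaded certificate is PEM text, which is the form the switch loads from file.
	fmt.Printf("%s\nchains to local CA: %v\n", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), VerifyAgainstCA(cert, ca) == nil)
}
```

Two checks in SignCSR matter when the same steps are done by hand on the appliance: the CSR's self-signature proves the requester holds the matching private key, and the issued certificate carries only the subject and public key taken from the request. The verify step shows why the CA certificate has to be installed on both sides: a certificate from any other CA, however well formed, fails to chain and the connection is refused.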
SKM or ESKM key vault high availability deployment

The SKM/ESKM key vault has high availability clustering capability. SKM/ESKM appliances can be clustered together in a manner that is transparent to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures.

NOTE
If the earlier configuration was done for SKM using the CLI and the previously imported CA certificate was not deleted (using the command cryptocfg --file -delete), the CA file that was previously imported can be reused, and importing the CA certificate is not required.

3. Register ESKM using the command cryptocfg --reg -keyvault.

Steps required using the Brocade Management application

1. Select Configure > Encryption from the menu task bar.

c. Click Download, and save the certificate file on your local system.
d. Rename the downloaded file, changing the .cert extension to a .pem extension.
5. From the Encryption Group Properties dialog box, click Load from File to upload the new ESKM certificate to the switch, then click OK. The switch is now ready to connect securely to the key vault. The encryption dialog takes a few minutes to update the connected status.
FIGURE 20 Encryption Center - No Group Defined dialog box

2. Select a switch from the encryption group. (The switch must not be assigned to an encryption group.)
3. Select Encryption > Create/Add to Group from the menu task bar, or right-click the switch and select Create/Add to Group. The Configure Switch Encryption wizard welcome panel displays.

FIGURE 21 Configure Switch Encryption wizard - welcome panel

4. Click Next.

FIGURE 22 Designate Switch Membership dialog box

5. Verify that Create a new encryption group containing just this switch is selected.
6. Click Next. The Create a New Encryption Group dialog box displays.

FIGURE 23 Create a New Encryption Group dialog box

7. Enter an Encryption Group Name for the encryption group and select Automatic failback mode. Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed.
If the name for the encryption group already exists, a pop-up warning message displays. Although unique group names avoid confusion while managing multiple groups, you are not prevented from using duplicate group names. Click Yes to use the same name for the new encryption group, or click No to enter another name.
8. Click Next. The Select Key Vault dialog box displays.

FIGURE 24 Select Key Vault dialog box for SKM/ESKM

9.

FIGURE 25 Specify Public Key Certificate filename dialog box

11. Enter the location of the file where you want to store the certificate information, or browse to the desired location.
12. Click Next. The Specify Master Key File Name dialog box displays.
13. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
14. Re-enter the passphrase for verification.
15. Click Next. The Select Security Settings dialog box displays.

FIGURE 27 Select Security Settings dialog box

16. Set quorum size and system card requirements.

FIGURE 28 Confirm Configuration dialog box

18. Verify the information, then click Next. The Configuration Status dialog box displays.

FIGURE 29 Configuration Status dialog box

All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.

FIGURE 30 Next Steps dialog box

20. Review post-configuration instructions, which you can copy to a clipboard or print for later.
21. Click Finish to exit the Configure Switch Encryption wizard.
22. Review “Understanding configuration status results”.

Understanding configuration status results

After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration.
• Back up the master key to a file. (Opaque key vaults only.) The Management application saves the master key into the specified file.
• Enable the encryption engines. Initializes an encryption switch using the cryptocfg --initEE [] and cryptocfg --regEE [] commands.
• Create a new master key. The Management application checks for a new master key. New master keys are generated from the Encryption Group Properties dialog box, Security tab.

FIGURE 31 Configure Switch Encryption wizard - welcome panel

3. Click Next. The Designate Switch Membership dialog box displays.

FIGURE 32 Designate Switch Membership dialog box

   a. Select Add this switch to an existing encryption group.
   b. Click Next. The Add Switch to Existing Encryption Group dialog box displays.

FIGURE 33 Add Switch to Existing Encryption Group dialog box

4. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate Filename dialog box displays.
5. Specify the name of the file in which to store the public key certificate that is used to authenticate connections to the key vault, then click Next. The Confirm Configuration panel displays. The dialog box shows the encryption group name and switch public key certificate file name you specified.

FIGURE 35 Confirm Configuration dialog box

6. Click Next. The Configuration Status dialog box displays.

FIGURE 36 Configuration Status dialog box

All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
7. Review important messages, then click Next. The Error Instructions dialog box displays.

FIGURE 37 Error Instructions dialog box

8. Review the post-configuration instructions, which you can copy to a clipboard or print for later.
9. Click Finish to exit the Configure Switch Encryption wizard.
10. Review “Understanding configuration status results” on page 46.

NOTES:
• If any configuration item is unsuccessful, instructions for providing the remedy can be found in the Next Steps dialog box in the Configure Switch Encryption wizard.
Replacing an encryption engine in an encryption group

To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
1.

Creating high availability (HA) clusters

A high availability (HA) cluster is a group of exactly two encryption engines. One encryption engine can take over encryption and decryption tasks for the other encryption engine if that member fails or becomes unreachable. When creating a new HA Cluster, add one engine to create the cluster, then add the second engine.

NOTE
If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters. Letters, digits, and underscores are allowed.

Removing engines from an HA cluster

Removing the last engine from an HA cluster also removes the HA cluster. If only one engine is removed from a two-engine cluster, you must either add another engine to the cluster, or remove the other engine.
1.

1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar, or right-click an encryption group and select HA Cluster. The Encryption Group Properties dialog box displays, with the HA Clusters tab selected.
Invoking failback

To invoke failback to the restarted encryption engine from the Management application, complete the following steps.

1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select the encryption group to which the encryption engine belongs from the Encryption Center Devices table, then click Group > HA Clusters, or right-click the group and select HA Clusters.
Adding encryption targets

FIGURE 42 Encryption Targets dialog box

3. Click Add. The Configure Storage Encryption wizard dialog box displays. The dialog box explains the wizard’s purpose, which is to configure encryption for a storage device (target).

FIGURE 43 Configure Storage Encryption wizard dialog box

4. Click Next to begin. The Select Encryption Engine dialog box displays.
FIGURE 44 Select Encryption Engine dialog box

The list of engines depends on the scope being viewed.
• If the Targets dialog box is showing all targets in an encryption group, the list includes all engines in the group.
• If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch.
• If the Targets dialog box is showing targets for a single encryption engine, the list contains only that engine.
FIGURE 45 Select Target dialog box

a. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsshow command.) You can also enter WWNs manually, for example, to specify a target that is not on the list.
b. Select a target type from the Type list. If the target node is disk storage, choose Disk. If the target node is tape storage, choose Tape.
6. Click Next.
7. Select hosts using either of the following methods:
a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table. (The Port WWN column contains all target information that displays when using the nsshow command.)
b. Manually enter world wide names in the Port WWN and Node WWN text boxes if the hosts are not included in the table. You must fill in both the Port WWN and the Node WWN.
FIGURE 48 Confirmation dialog box

10. Click Next after you have verified the contents. Clicking Next creates the configuration. The Configuration Status dialog box displays. The dialog box lists the target and host that are configured in the target container, as well as the virtual targets (VT) and virtual initiators (VI).

NOTE
If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch.
11. Review any post-configuration instructions or messages, which you can copy to a clipboard or print for later.
12. Click Next. The Next Steps dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.

FIGURE 50 Next Steps dialog box

13. Review the post-configuration instructions, which you can copy to a clipboard or print for later.
14. Click Finish to exit the Configure Switch Encryption wizard.
Configuring hosts for encryption targets

Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.

NOTE
Hosts are normally selected as part of the Configure Storage Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.

1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
Adding target disk LUNs for encryption

You can add a new path to an existing disk LUN, or add a new LUN and path, by launching the Add New Path wizard. Take the following steps to launch the Add New Path wizard.

Before You Begin
Before you can add a target disk LUN for encryption, you must first configure the Storage Arrays. For more information, see “Configuring Storage Arrays” on page 68.

1. Select Configure > Encryption from the menu task bar.
4. Select the target port from the Target Port table.
5. Click Next. The Select Initiator Port dialog box displays.

FIGURE 54 Select Initiator Port dialog box

6. Select the initiator port from the Initiator Port table.
7. Click Next. LUN discovery is launched and a progress bar displays. There are four possible outcomes:
- A message displays indicating no LUNs were discovered. Click OK to dismiss the message and exit the wizard.
FIGURE 55 Correcting an Encryption Mode mismatch

9. Select the LUN from the LUN list.
10. Set the LUN state to Encrypted or Clear Text as required. If the LUN already has an existing key ID, the State field is automatically set to Encrypted. You can accept this state or change it as desired. If the LUN does not have an existing key ID, you must select the LUN state. When you correct a policy on a LUN, it is automatically selected for all paths to the selected LUN.
Configuring Storage Arrays

The Storage Array contains a list of storage ports that will be used later in the LUN centric view. You must assign storage ports from the same storage array for multi-path I/O purposes. On the LUN centric view, storage ports in the same storage array are used to get the associated CryptoTarget containers and initiators from the database.
Adding target tape LUNs for encryption

FIGURE 56 Encryption Targets dialog box

3. Select a target storage device from the Encryption Targets table, then click LUNs. The Encryption Target LUNs dialog box displays.

FIGURE 57 Encryption Target Tape LUNs dialog box

4. Click Add. The Add Encryption Target Tape LUNs dialog box displays. The dialog box includes a table of all LUNs in the storage device that are visible to hosts.
FIGURE 58 Add Encryption Target Tape LUNs dialog box

5. Select a host from the Host list. Before you encrypt a LUN, you must select a host, then either discover LUNs that are visible to the virtual initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host.
6. Choose a LUN to be added to an encryption target container using one of the two following methods:
• Discover.
Tape LUN write early and read ahead

The tape LUN write early and read ahead feature uses tape pipelining and prefetch to speed serial access to tape. These features are particularly useful for performing backup and restore operations, especially over long distances. You can enable tape LUN write early or read ahead while adding the tape LUN for encryption, or you can enable or disable these features after the tape LUN has been added for encryption.
FIGURE 60 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early

4. In the Enable Write Early Ack and Enable Read Ahead columns, set these features as desired for each LUN:
• To enable write early for a specific tape LUN, check Enable Write Early Ack for that LUN.
• To enable read ahead for a specific LUN, check Enable Read Ahead for that LUN.
• To disable write early for a specific tape LUN, clear Enable Write Early Ack for that LUN.
Tape LUN statistics

This feature enables you to view and clear statistics for tape LUNs. These statistics include the number of compressed blocks, uncompressed blocks, compressed bytes, and uncompressed bytes written to a tape LUN. The tape LUN statistics are cumulative and change as the host writes more data to tape. You can clear the statistics to monitor the compression ratio of ongoing host I/O.
FIGURE 62 Tape LUN Statistics dialog box

5. To clear the tape LUN statistics for all member LUNs of the container, click Clear.
6. When prompted with a confirmation dialog box, click Yes.
7. To update the tape LUN statistics, click Refresh.

Viewing and clearing tape LUN statistics for a container

To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
3. Select the container of type Tape for which to display or clear statistics.
4. Click Statistics. The Tape LUN Statistics dialog box displays. The dialog box lists the statistics for all LUNs that are members of the selected tape container.

FIGURE 64 Tape LUN Statistics dialog box

5. To clear the tape LUN statistics, select one or more LUNs from the table, and then click Clear.
6. In the confirmation dialog box, click Yes.
FIGURE 65 Target Tape LUNs dialog box

4. Select the LUN or LUNs for which to display or clear statistics.
5. Click Statistics. The Tape LUN Statistics dialog box displays. The dialog box displays the statistics for the LUN or LUNs you selected.

FIGURE 66 Tape LUN Statistics dialog box

6. To clear the tape LUN statistics, click Clear.
7. When prompted with a confirmation dialog box, click Yes.
8. To update the tape LUN statistics, click Refresh.
Re-balancing the encryption engine

If you are currently using encryption and running Fabric OS 6.3.x or earlier, you are hosting tape and disk target containers on different encryption switches or blades. Beginning with Fabric OS 6.4, disk and tape target containers can be hosted on the same switch or blade.
Master keys

When an opaque key vault is used, a master key is used to encrypt the data encryption keys. The master key status indicates whether a master key is used and whether it has been backed up. Encryption is not allowed until the master key has been backed up. Only the active master key can be backed up, and multiple backups are recommended. You can back up or restore the master key to the key vault, to a file, or to a recovery card set. A recovery card set is a set of smart cards.
Master key actions

Master key actions are as follows:
• Backup master key, which is enabled any time a master key exists. You can back up the master key to a file, to a key vault, or to a smart card. You can back up the master key multiple times to any of these media in case you forget the passphrase you originally used to back up the master key, or if multiple administrators each need a passphrase for recovery.
4. Select Backup Master Key as the Master Key Action. The Master Key Backup dialog box displays, but only if the master key has already been generated.

FIGURE 67 Backup Destination (to file) dialog box

5. Select File as the Backup Destination.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
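The sections above describe the relationship a defender needs to keep in mind: the master key wraps every data encryption key (DEK), the switch refuses to encrypt until the active master key has been backed up, and a file backup is protected only by the 8 to 40 character passphrase. The following is an added example in Python, not Fabric OS code: the guide does not state the switch's wrapping algorithm or its backup file format, so an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for a real key-wrap cipher, and the PBKDF2 iteration count is an assumed value. It models the backup gate, the passphrase-protected backup, and the fact that a restored master key is what makes the wrapped DEKs usable again.

```python
"""Added example of the master key / DEK hierarchy described above (not Fabric OS code).
The guide does not state the switch's wrap algorithm or backup format, so an HMAC-SHA256
counter-mode keystream with encrypt-then-MAC stands in for a real key-wrap cipher."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000              # assumed for this example
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 40   # limits stated in the guide
NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def _keystream(key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: blocks of PRF(key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _subkeys(key):
    # Separate encryption and MAC keys derived from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key or damaged blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key/passphrase or corrupt data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptionGroup:
    def __init__(self):
        self.master_key = secrets.token_bytes(32)
        self.master_key_backed_up = False   # a fresh master key is not yet backed up
        self.wrapped_deks = {}              # LUN name -> wrapped DEK

    def backup_master_key_to_file(self, passphrase):
        """Passphrase-protected backup: salt || seal(PBKDF2(passphrase, salt), master key)."""
        if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
            raise ValueError("passphrase must be between 8 and 40 characters")
        salt = secrets.token_bytes(SALT_LEN)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
        self.master_key_backed_up = True
        return salt + seal(kek, self.master_key)

    @staticmethod
    def restore_master_key_from_file(blob, passphrase):
        salt, sealed = blob[:SALT_LEN], blob[SALT_LEN:]
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
        return open_sealed(kek, sealed)

    def create_dek(self, lun):
        """Encryption is refused until the active master key has been backed up."""
        if not self.master_key_backed_up:
            raise PermissionError("encryption not allowed until the master key is backed up")
        dek = secrets.token_bytes(32)
        self.wrapped_deks[lun] = seal(self.master_key, dek)
        return dek

    def unwrap_dek(self, lun, master_key=None):
        key = self.master_key if master_key is None else master_key
        return open_sealed(key, self.wrapped_deks[lun])


def backup_gating_enforced(group):
    """True if the group refuses to create a DEK before its master key is backed up."""
    try:
        group.create_dek("probe-lun")
        return False
    except PermissionError:
        return True


def restore_succeeds(blob, passphrase, expected_master_key):
    try:
        return EncryptionGroup.restore_master_key_from_file(blob, passphrase) == expected_master_key
    except ValueError:
        return False


def demo():
    group = EncryptionGroup()
    gated = backup_gating_enforced(group)
    blob = group.backup_master_key_to_file("sample-passphrase-1")
    dek = group.create_dek("lun0")
    restored = EncryptionGroup.restore_master_key_from_file(blob, "sample-passphrase-1")
    return (gated and restored == group.master_key
            and group.unwrap_dek("lun0", restored) == dek
            and not restore_succeeds(blob, "wrong-passphrase", group.master_key))
```

The point the model makes explicit is why the guide recommends several backups and a passphrase each administrator can recover: once the master key is gone, every wrapped DEK (and so every encrypted LUN) is unrecoverable, and a backup whose passphrase has been forgotten is no backup at all.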
Saving a master key to a key vault

Use the following procedure to save the master key to a key vault.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security. The Encryption Group Properties dialog box displays with the Security tab selected.
3. Select Backup Master Key as the Master Key Action.
Saving a master key to a smart card set

A card reader must be attached to the SAN Management application PC to complete this procedure. Recovery cards can only be written once to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.

NOTE
Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system.
FIGURE 69 Backup Destination (to smart cards) dialog box

4. Select A Recovery Set of Smart Cards as the Backup Destination.
5. Enter the recovery card set size.
6. Insert the first blank card and wait for the card serial number to appear.
7. Run the additional cards needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
Restoring a master key from a file

Use the following procedure to restore the master key from a file.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security. The Encryption Group Properties dialog box displays with the Security tab selected.
Restoring a master key from a key vault

Use the following procedure to restore the master key from a key vault:
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar, or right-click a group and select Properties. The Encryption Center Properties dialog box displays.
3. Select the Security tab.
Restoring a master key from a smart card set

A card reader must be attached to the SAN Management application PC to complete this procedure. Use the following procedure to restore the master key from a set of smart cards.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security.
10. Click OK.

For related information, see the following topics:
• “Active master key” on page 78
• “Alternate master key” on page 78

Creating a new master key

Although it is generally not necessary to create a new master key, you might be required to create one for the following reasons:
• The previous master key has been compromised.
• Corporate policy might require a new master key every year for security purposes.
Viewing master key IDs

When the master key has been backed up multiple times, you can use this feature to view the associated key IDs. To view master key IDs, follow these steps:
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security.
Zeroizing an encryption engine

• If the encryption engine was part of an HA cluster, targets fail over to the peer, which assumes the encryption of all storage targets. Data flow will continue to be encrypted.
• If there is no HA backup, host traffic to the target will fail as if the target has gone offline. The host will not have unencrypted access to the target. There will be no data flow at all because the encryption virtual targets will be offline.
4. Click Yes to zeroize the encryption engine.
• For an encryption blade, after the zeroize operation is successful, a message displays noting that the encryption blade will be powered off and powered on to make it operational again. Click OK to close the message. After the encryption blade is powered on, click Refresh in the Encryption Center dialog box to update the status of the encryption blade and perform any operations.
Using the Encryption Targets dialog box

The Encryption Targets dialog box enables you to launch a variety of wizards and other related dialog boxes.

Redirection zones

It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can only be created if the host and target are in the same zone.
Re-keying all disk LUNs manually

FIGURE 76 Selecting the Re-Key All operation

If REPL support is enabled on the encryption group, a confirmation dialog box appears asking whether you want mirror LUNs to be re-keyed also.
3. Click Yes to include mirror LUNs. Click No to exclude mirror LUNs. A critical warning message appears, requesting confirmation to proceed with the re-key operation.
4. Click Yes. Re-keying operations begin on up to 10 LUNs.
FIGURE 77 Pending manual re-key operations

For related information, refer to the following topics:
• “Re-keying all disk LUNs manually” on page 91
• “Viewing the progress of manual re-key operations” on page 93

Viewing the progress of manual re-key operations

To monitor the progress of manual re-key operations, complete these steps:
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
Viewing time left for auto re-key

You can view the time remaining until auto re-key is no longer active for a disk LUN. The information is expressed as the difference between the next re-key date and the current date and time, and is measured in days, hours, and minutes. Although you cannot make changes directly to the table, you can modify the time left using the CLI. For more information, see Chapter 3, “Configuring Brocade encryption using the CLI.”
Viewing and editing switch encryption properties

To view switch encryption properties, complete the following steps.
1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. The dialog box shows the status of all encryption-related hardware and functions at a glance. It is the single launching point for all encryption-related configuration.
• Switch Status - the health status of the switch. Possible values are Healthy, Marginal, Down, Unknown, Unmonitored, and Unreachable.
• Switch Membership Status - the alert or informational message description that details the health status of the switch. Possible values are Group Member, Leader-Member Comm, Error, Discovering, and Not a member.
• Encryption Group - the name of the encryption group to which the switch belongs.
• Re-Balance Recommended - a value of Yes or No indicating whether or not LUN re-balancing is recommended for an encryption engine that is hosting both disk and tape LUNs.
• System Card - the current status of system card information for the encryption engine (registered or not registered).

Exporting the public key certificate signing request (CSR) from Properties

To export the CSR under Public Key Certificate Request, complete the following steps.
2. Select an encryption engine from the Encryption Center Devices table, then select Engine > Properties from the menu task bar, or right-click an encryption engine and select Properties. The Encryption Properties dialog box displays.
3. In the Encryption Engine Properties table, locate Set State To.
4. Click the adjacent Engine field and select Enabled or Disabled accordingly.
5. Click OK.
Viewing and editing group properties

• “HA Clusters tab” on page 104
• “Tape Pools tab” on page 105
• “Engine Operations tab” on page 107

General tab

The General tab is viewed from the Encryption Group Properties dialog box. To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar, or right-click a group and select Properties.
• Primary key vault certificate - the details of the primary vault certificate; for example, version and signature information.
• Backup key vault certificate - the details of the backup vault certificate; for example, version and signature information.

Members tab

The Members tab is viewed from the Encryption Group Properties dialog box.
• OK - the member switch is responding to the group leader switch.
• Not Available - the group leader is not a managed switch, so connection statuses are not being collected from the group leader.

Members tab Remove button

You can click the Remove button to remove a selected switch or an encryption group from the encryption group table.
• You cannot remove the group leader unless it is the only switch in the group.
FIGURE 84 Removal of switch warning

A warning message displays when you attempt to remove an encryption group. Click Yes to proceed.
Security tab

The Security tab is viewed from the Encryption Group Properties dialog box. To access the Security tab, select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security.

NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.
For related information, see the following topics:
• “Master keys” on page 78
• “Smart card usage” on page 16

HA Clusters tab

The HA Clusters tab allows you to create and delete HA clusters, add encryption engines to and remove encryption engines from HA clusters, and fail back an engine. The HA Clusters tab is viewed from the Encryption Group Properties dialog box.
Tape Pools tab

Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools.
• To add a tape pool, click Add, then complete the Add Tape Pool dialog box.
• To remove a tape pool, select one or more tape pools listed in the table, then click Remove.
• To modify a tape pool, you must remove the entry, then add a new tape pool.
The Tape Pools tab is viewed from the Encryption Group Properties dialog box.
Encryption switches and encryption blades support tape encryption at the tape pool level (for most backup applications) and at the LUN (tape drive) level. Because tape pool policies override the LUN (tape drive) policies, the LUN policies are used only if no tape pools exist, or if the tape media/volume does not belong to any configured tape pool. All encryption engines in the encryption group share the tape pool definitions.
3. Based on your selection, enter a name or number for the tape pool. If you selected Number as the Tape Pool Label Type, the name must match the tape pool label or tape ID/number that is configured on the tape backup/restore application.
4. Select the Encryption Mode. Options include Clear Text, DF-Compatible Encryption, and Native Encryption.
• The Key Lifespan (days) field is editable only if the tape pool is encrypted.
FIGURE 91 Encryption Group Properties Dialog Box - Engine Operations Tab

NOTE
You cannot replace an encryption engine if it is part of an HA cluster. For information about HA clusters, refer to “HA Clusters tab” on page 104.

For related information, see “Replacing an encryption engine in an encryption group” on page 53.
Encryption-related acronyms in log messages

Fabric OS log messages related to encryption components and features may have embedded acronyms that require interpretation. Table 3 lists some of those acronyms.
Chapter 3 Configuring Brocade Encryption Using the CLI

In this chapter
• Overview
• Command validation checks
• Command RBAC permissions and AD types
• Cryptocfg Help command output
• Management LAN configuration
Overview

This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch, or an FS8-18 Encryption blade in a DCX or DCX-4S, to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch (BES), DCX, or DCX-4S has been done as part of the initial hardware installation, including setting the management port IP address.
Command RBAC permissions and AD types

Two RBAC roles are permitted to perform encryption operations.
• Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
• Perform encryption node initialization.
• Enable cryptographic operations.
• Manage I/O functions for critical security parameters (CSPs).
• Zeroize encryption CSPs.
TABLE 4 Encryption command RBAC availability and admin domain type1 (Continued)

Command name         User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
delete --container   N     OM     N         N             N           OM            N                   O               Disallowed
delete --encgroup    N     OM     N         N             N           O             N                   OM              Disallowed
delete --file        N     OM     N         N             N           O             N                   OM              Disallowed
delete --hacluster   N     OM     N         N             N           OM            N                   O               Disallowed
delete --tapepool    N     OM     N         N             N
TABLE 4 Encryption command RBAC availability and admin domain type1 (Continued)

Command name            User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
recovermasterkey        N     OM     N         N             N           O             N                   OM              Disallowed
regEE                   N     OM     N         N             N           O             N                   OM              Disallowed
reggroupleader          N     OM     N         N             N           O             N                   OM              Disallowed
regkeyvault             N     OM     N         N             N           O             N                   OM
regmembernode           N     OM     N         N             N           O             N                   OM
removehaclustermember   N     OM     N         N             N
Cryptocfg Help command output

--initnode: Initialize the node for configuration of encryption options.
--initEE []: Initialize the specified encryption engine.
--regEE []: Register a previously initialized encryption blade.
--reg -membernode : Register a member node with the system.
(output truncated)

Management LAN configuration

Each encryption switch has one GbE management port.
Special consideration for blades

HA clusters of FS8-18 blades should not include blades in the same DCX chassis. For FS8-18 blades, the slot number must also be included in the ipaddrset command, for example:

switch:admin> ipaddrset -slot 7 -eth0 --add 10.32.33.34/23
switch:admin> ipaddrset -slot 7 -gate --add 10.32.1.1

There are additional considerations if blades are removed and replaced, or moved to a different slot.
Configuring cluster links

Node is a group leader node

1. Log in to the group leader as Admin or SecurityAdmin.
2. Reboot the encryption switch/DCX (both active and standby central processors) so the existing group leader fails over and one of the member nodes assumes the role of group leader.
Steps for connecting to an SKM or ESKM appliance

The following configuration steps are performed from the SKM/ESKM management web console, which can be accessed from any web browser with Internet access to the SKM/ESKM appliance. The same procedure is used for creating both SKM and ESKM encryption groups.

NOTE
An encryption group containing both SKM and ESKM key vault types is not supported.
The Brocade user name and password are now configured on SKM/ESKM.

NOTE
Fabric OS v6.2.x uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM. If you downgrade to version 6.2.x, the user name is overwritten to brcduser1, and the Brocade group user name must be changed to brcduser1. Also, the password must be changed to !Brocade@3.
The new local CA displays under Local Certificate Authority List (Figure 92).

FIGURE 92 Creating an HP SKM/ESKM Local CA

5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
6. Click Default under Profile Name.
7. In the Trusted Certificate Authority List, click Edit.
8. From the list of Available CAs in the right panel, select the CA you just created.
Creating and installing the SKM or ESKM server certificate

To create the SKM/ESKM server certificate, complete the following steps:
1. Click the Security tab.
2. Under Certificates and CAs, select Certificates.
3. Enter the required information under Create Certificate Request.
- Enter a Certificate Name and Common Name. The same name may be used for both.
- Enter your organizational information.
18. Click Install Certificate. The Certificate Installation window displays.
19. Paste the signed certificate data you copied under Certificate Response and click Save. The status of the server certificate should change from Request Pending to Active.

Enabling SSL on the Key Management System (KMS) Server

The KMS Server provides the interface to the client. Secure Sockets Layer (SSL) must be enabled on the KMS Server before this interface will operate.
5. Configure the KMS Server Settings. Ensure that the port and connection timeout settings are 9000 and 3600, respectively. For Server Certificate, select the name of the certificate you created in “Creating and installing the SKM or ESKM server certificate” on page 122.
6. Click Save.

Creating an SKM or ESKM high availability cluster

The HP SKM/ESKM key vault supports clustering of HP SKM/ESKM appliances for high availability.
4. Copy the certificate request, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.

Adding SKM or ESKM appliances to the cluster

If you are adding an appliance to an existing cluster, select Cluster Settings, click Download Cluster Key, and save the key to a convenient location, such as your computer's desktop.
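Step 4 above warns against copying extra characters along with the certificate request, and the server certificate procedure later pastes a signed certificate back into the console; the same copy-and-paste mistake breaks both. The following is an added example in Python, not HP or Brocade code: it pulls the PEM block out of whatever was copied, strips surrounding console text and whitespace damage, rejects any character that is not base64, and checks that the payload decodes to a DER SEQUENCE (tag 0x30), which every certificate and certificate request starts with. The sample text is constructed for the example and is not a real CSR; the marker matching accepts three or more dashes because the guide renders the markers with three.

```python
"""Added example: validate a PEM block copied out of (or pasted into) the SKM/ESKM
console. Not HP or Brocade code; the sample text below is constructed."""
import base64
import re


def extract_pem_block(text, label="CERTIFICATE REQUEST"):
    """Return a clean, re-wrapped PEM block of the given label found in pasted text.

    Tolerates text before/after the markers and whitespace damage inside them,
    rejects non-base64 characters (a stray "extra character"), and checks that
    the payload decodes to a DER SEQUENCE (tag 0x30). Raises ValueError otherwise."""
    esc = re.escape(label)
    pattern = rf"-{{3,}}BEGIN {esc}-{{3,}}(.*?)-{{3,}}END {esc}-{{3,}}"
    match = re.search(pattern, text, re.S)
    if not match:
        raise ValueError(f"no BEGIN/END {label} block found")
    body = re.sub(r"\s+", "", match.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("payload contains characters that are not base64")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        raise ValueError("payload is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("payload does not decode to a DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # standard 64-column PEM
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_is_clean(text, label="CERTIFICATE REQUEST"):
    """True if the pasted text contains exactly one usable PEM block of that label."""
    try:
        extract_pem_block(text, label)
        return True
    except ValueError:
        return False


# Constructed sample: a 2-byte DER SEQUENCE header plus 16 bytes, not a real CSR.
_SAMPLE_DER = bytes([0x30, 0x10]) + b"constructed-data"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode()
SAMPLE_PASTE = (
    "Request Pending\n"                      # console text caught by the selection
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + _SAMPLE_B64[:12] + "\n" + _SAMPLE_B64[12:] + "\n"
    "-----END CERTIFICATE REQUEST-----\n"
    "Copy done.\n"
)
# The same block with one stray character inside the payload.
SAMPLE_BAD_PASTE = SAMPLE_PASTE.replace(_SAMPLE_B64[:12], _SAMPLE_B64[:12] + "*")
```

Running the check before pasting into the CA's signing form, or before importing a signed certificate with cryptocfg --import, turns a silent "Request Pending" failure into an immediate, explained rejection.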
NOTE
An SKM/ESKM cluster may have many members, but the Brocade encryption products support only two as primary and secondary key vaults.

Initializing the Brocade encryption engines

You must perform a series of encryption engine initialization steps on every Brocade encryption node (switch or blade) that is expected to perform encryption within the fabric.
6. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data.
Upon success, you are presented with the option of downloading the signed certificate.
13. Download the signed certificate to your local system as signed_kac_skm_cert.pem.
14. Import the signed certificate from its location, or from a USB storage device.

SecurityAdmin:switch>cryptocfg --import -scp signed_kac_skm_cert.pem \
192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem
Password:
Operation succeeded.
The switch on which you create the encryption group becomes the designated group leader. Once you have created an encryption group, all group-wide configurations, including key vault configuration, adding member nodes, configuring failover policy settings, and setting up storage devices, as well as all encryption management operations, are performed on the group leader.
Client SDK Version: 4.8.2.000017
Client Username: brcduser1
Client Usergroup: brocade
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A
Key Vault configuration and connectivity checks successful, ready for key operations.
Authentication Quorum Size: 0
Authentication Cards:
Certificate ID / label : qc.4250420d02048578 / sumita:gorla:qc.4250420d02048578
Certificate ID / label : qc.4250420d02047881 / sumita:gorla:qc.
• Different user names and passwords can never be used within the same encryption group, but each encryption group may have its own user name and password.
• If you change the user name and password using the -KAClogin option, the keys created by the previous user become inaccessible. The Brocade group user name and password must also be changed to the same values on the SKM/ESKM to make the keys accessible.
Tape LUN support

• DEK Creation - The DEK is created and archived to the SKM/ESKM cluster using the cluster's virtual IP address. The DEK is synchronized with the other SKMs/ESKMs in the cluster. Upon successful archival of the DEK to the SKM/ESKM cluster, the DEK can be used for encryption of the tape LUN. If archival of the DEK to the SKM/ESKM cluster fails, an error is logged and the operation is retried.
CAUTION
After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE command on that node. Doing so removes critical information such as CP certificates from the node and makes it necessary to reinitialize the node and export the new CP certificates and KAC certificates to the group leader and the key vault.

To add a member node to an encryption group, follow these steps:

1.
NOTE
If the maximum number of certificates is exceeded, the following message is displayed.

Maximum number of certificates exceeded. Delete an unused certificate with the 'cryptocfg --delete -file' command and then try again.

6. Enter the cryptocfg --show -file -all command on the group leader to verify that you have imported all necessary certificates.
Generating and backing up the master key

Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED

Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.
High availability cluster configuration

No HA cluster membership

Node Name: 10:00:00:05:1e:39:14:00
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.
• It is recommended that the HA cluster configuration be completed before you configure storage devices for encryption.
• It is mandatory that the two encryption engines in the HA cluster belong to two different nodes for true redundancy. This is always the case for Brocade encryption switches, but it is not true if two FS8-18 blades in the same DCX or DCX-4S chassis are configured in the same HA cluster. In Fabric OS v6.3.
Adding an encryption engine to an HA cluster

1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --add -haclustermember command. Specify the HA cluster name and the encryption engine node WWN. Provide a slot number if the encryption engine is a blade. The following example adds a Brocade FS8-18 in slot 5 to the HA cluster HAC2.
Policy Configuration Examples

The following examples illustrate the setting of group-wide policy parameters.

To set the failback mode to manual failback:

SecurityAdmin:switch>cryptocfg --set -failbackmode manual
Set failback policy status: Operation Succeeded.

To set the Heartbeat misses value to 3:

SecurityAdmin:switch>cryptocfg --set -hbmisses 3
Set heartbeat miss status: Operation Succeeded.
Re-exporting a master key

The following example lists the exported master key IDs for a given master key ID:

cryptocfg --show -mkexported_keyids e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:93
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:94
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:95
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:96
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:97
e3:ae:aa:89:ec:12:0c:04:29:
Viewing the master key IDs

The cryptocfg --show -localEE command shows the actual master key IDs, along with the new master key IDs. Also shown are all exported master key IDs associated with a given (actual) master key.

NOTE
You will need to remember the exported master key ID and the passphrase you used while exporting the master key ID.

A new subcommand is available to support exporting master key IDs for a given master key.
Enabling the encryption engine

MasterKey ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7e
Exported Key ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:80

Example: Recovering a master key using the master key ID from the second master key export

cryptocfg --recovermasterkey currentMK -keyID 15:30:f0:f3:5c:2b:28:ce:cc:a7:b4:cd:7d:2a:91:fc
Enter passphrase:
Recover master key status: Operation Succeeded.
Zoning considerations

Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc
Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d
No HA cluster membership
EE Attributes:
    Media Type : DISK

EE Slot: 10
SP state: Online
Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc
Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d
No HA cluster membership
EE Attributes:
    Media Type : DISK

EE Slot: 12
SP state: Online
Current Master KeyID: a3:d7:
2. From any configured primary FCS switch, change the default zoning setting to No Access.

switch:admin> defzone --noaccess
switch:admin> cfgsave

The change will be applied within the entire fabric.

Frame redirection zoning

Name Server-based frame redirection enables the Brocade Encryption Switch or blade to be deployed transparently to hosts and targets in the fabric.
Permanent Port Name: 10:00:00:00:c9:2b:c9:3a
Port Index: 6
Share Area: No
Device Shared in Other AD: No
Redirect: No
The Local Name Server has 1 entry }

The nsshow command shows all devices on the switch, and the output can be lengthy. To retrieve only the initiator PWWN, do a pattern search of the output based on the initiator Port ID (a hex number). In the following example, the PID is 010600, where 01 indicates the domain and 06 the port number.
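The pattern search described above, as an added example that is not from the guide: a POSIX shell function that pulls the PortName (PWWN) of one entry out of nsshow output, keyed on its PID. The nsshow excerpt, its PIDs and WWNs are constructed for illustration and are assumed to have been captured into a variable.

```shell
#!/bin/sh
# Constructed nsshow excerpt (not a real capture). Each device entry starts
# with an "N  <PID>;<COS>;<PortName>;<NodeName>; <TTL>" line, followed by
# indented detail lines such as "Permanent Port Name:".
NSSHOW_SAMPLE='{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    FC4s: FCP
    PortSymb: [constructed initiator HBA]
    Fabric Port Name: 20:06:00:05:1e:41:4e:1d
    Permanent Port Name: 10:00:00:00:c9:2b:c9:3a
    Port Index: 6
    Share Area: No
    Device Shared in Other AD: No
    Redirect: No
 N    010a00;      3;10:00:00:00:c9:2b:c9:3b;20:00:00:00:c9:2b:c9:3b; na
    FC4s: FCP
    Permanent Port Name: 10:00:00:00:c9:2b:c9:3b
    Port Index: 10
    Redirect: No
The Local Name Server has 2 entries }'

# pwwn_for_pid PID
# Prints the PortName (PWWN) of the nsshow entry whose Port ID equals PID,
# or nothing when no entry matches. For PID 010600, 01 is the domain and
# 06 the port number, as the guide explains. Matching is restricted to the
# entry line itself so that WWNs in detail lines cannot be picked up.
pwwn_for_pid() {
    pid="$1"
    # Split the entry line on ';' : $1 = " N    <pid>", $3 = PortName.
    printf '%s\n' "$NSSHOW_SAMPLE" \
        | awk -F';' -v want="$pid" '
            $1 ~ ("^ *N +" want " *$") { gsub(/ /, "", $3); print $3; exit }'
}
```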
CryptoTarget container configuration

7. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.

FabricAdmin:switch>zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
    20:0c:00:06:2b:0f:72:6d"

8. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.

FabricAdmin:switch>cfgcreate itcfg, itzone

9.
FIGURE 94 Relationship between initiator, virtual target, virtual initiator and target

CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with potentially catastrophic scenarios where different policies exist for each path of the LUN, or a situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the secured realm of the encryption plat
To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS v6.4, a field is added that indicates whether or not rebalancing is recommended. You may be prompted to rebalance during the following operations:

• When adding a new disk or tape target container.
• When removing an existing disk or tape target container.
• After failover to a backup encryption engine in an HA cluster.
• The CryptoTarget container name can be up to 31 characters in length and may include any alphanumeric characters, hyphens, and underscore characters.
• You may add initiators at this point or after you create the container.

The following example creates a disk container named my_disk_tgt1. The initiator is added in step 3.
cfg: itcfg itzone
cfg: r_e_d_i_r_c__fg red_1109_brcd200c00062b0f726d200200051e414e1d; red_______base
zone: itzone 10:00:00:00:c9:2b:c9:3a; 20:0c:00:06:2b:0f:72:6d
zone: red_1109_brcd200c00062b0f726d200200051e414e1d 10:00:00:00:c9:2b:c9:3a; 20:0c:00:06:2b:0f:72:6d; 20:02:00:05:1e:41:4e:1d; 20:00:00:05:1e:41:4e:1d
zone: red_______base 00:00:00:00:00:00:00:01; 00:00:00:00:00:00:00:02; 00:00:00:00:00:00:00:03; 00:00:00:00:00:00:00:04

Effective configuration:
cfg: itcfg
switch and another path has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on page 166 for more information.

Deleting a CryptoTarget container

You may delete a CryptoTarget container to remove the target port from a given encryption switch or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from the fabric.
Crypto LUN configuration

Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption engines must be part of the same fabric and the same encryption group, and the encryption engines must be online for this operation to succeed. This operation permanently transfers the encryption engine association of a given CryptoTarget container from an existing encryption engine to an alternate encryption engine.
you are configuring multi-path LUNs as part of an HA cluster or DEK cluster, or as a stand-alone LUN accessed by multiple hosts, follow the instructions described in the section “Configuring a multi-path Crypto LUN” on page 166.

Discovering a LUN

When adding a LUN to a CryptoTarget container, you must specify a LUN Number. The LUN Number needed for configuring a given Crypto LUN is the LUN Number as exposed to a particular initiator.
NOTE
LUN configurations and modifications must be committed to take effect. There is an upper limit of 25 on the number of LUNs you can add or modify in a single commit operation. Attempts to commit a configuration that exceeds this maximum will fail. Note that there is also a five-second delay before the commit operation takes effect.
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
Operation Succeeded

Crypto LUN parameters and policies

Table 6 shows the encryption parameters and policies that can be specified for a disk or tape LUN, duri
TABLE 6 LUN parameters and policies (Continued)

Policy name: Encryption format
Command parameters: -encryption_format native
Disk LUN: yes
Tape LUN: yes
Modify? Yes

Policy name: Encryption policy
Command parameters: -encrypt | -cleartext
Disk LUN: yes
Tape LUN: Yes
Modify? Yes
Description: Enables or disables a LUN for encryption. Valid values are:
• cleartext - Encryption is disabled. This is the default setting.
Configuring a tape LUN

This example shows how to configure a tape storage device. The basic setup procedure is the same as for disk devices. Only a subset of configuration options and policy settings are available for tape LUNs. Refer to Table 6 on page 156 for tape LUN configuration options.

1. Create a zone that includes the initiator (host) and the target port. Refer to the section “Creating an initiator - target zone” on page 145 for instructions.

2.
c. Commit the configuration.

FabricAdmin:switch>cryptocfg --commit
Operation Succeeded

d. Display the LUN configuration.
has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on page 166 for more information.

Modifying Crypto LUN parameters

You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command.

NOTE
A maximum of 25 LUNs can be added or modified in a single commit operation.
Impact of tape LUN configuration changes

LUN modification considerations

Make sure you understand the ramifications of modifying LUN policy parameters (such as encrypt/cleartext) for LUNs that are online and already in use. The following restrictions apply when modifying LUN policy parameters for disk LUNs:

• When you change LUN policy from encrypt to cleartext, you wipe out all encrypted data stored on the LUN the next time data is written to that LUN.
Tape pool configuration

Force-enabling a disabled disk LUN for encryption

You can force a disk LUN to become enabled for encryption when encryption is disabled on the LUN. A LUN may become disabled for various reasons, such as a change in policy from encrypt to cleartext when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and LUN state, or a missing DEK in the key vault.
The following rules apply when creating a tape pool label:

• Tape pool names are limited in length to 63 characters. They may contain alphanumeric characters, and in some cases, underscores (_) and dashes (-).
• Tape pool numbers are limited to eight hex digits. Valid characters for tape pool numbers are 0-9, A-F, and a-f.
• The tape pool label created on the encryption switch or blade must be the same tape pool label configured on the tape backup application.
NetBackup labeling

NetBackup uses numbers to label tape pools. If you are using NetBackup as your application, follow these steps to obtain the tape pool number.

1. Log into the NetBackup application Windows host.
2. Select Start > Run, and type cmd in the dialog box.
3.
4. Display the configuration. Enter the cryptocfg --show -tapepool command followed by the tape pool number or label and the -cfg parameter.

FabricAdmin:switch>cryptocfg --show -tapepool -label my_tapepool -stat
Number of tapepool session(s): 1
Tapepool 1:
    Tapepool label: my_tapepool
    Encryption mode: encrypted
    Encryption format: native
    Number of sessions: 0
    Tape sessions within the pool:
Operation succeeded.

5.
Configuring a multi-path Crypto LUN

Impact of tape pool configuration changes

Tape pool-level policies overrule policy configurations at the LUN level, when no policies are configured at the tape pool level.
FIGURE 95 A LUN accessible through multiple paths

The following steps may be used to configure multiple path access to the LUN in Figure 95.

1. Create zoning between host port 1 and target port 1. Refer to the section “Creating an initiator - target zone” on page 145 for instructions.
2. Create zoning between host port 2 and target port 2. Refer to the section “Creating an initiator - target zone” on page 145 for instructions.
3.
c. Add host port 1 to the container CTC1.

FabricAdmin:switch>cryptocfg --add -initiator \

d. Add host port 2 to the container CTC2.

FabricAdmin:switch>cryptocfg --add -initiator

e. Commit the configuration.

FabricAdmin:switch>cryptocfg --commit

Upon commit, redirection zones are created for target port 1 with host port 1, and for target port 2 with host port 2.
First-time encryption

NOTE
The LUN policies must be exactly the same on both CTC1 and CTC2. Failure to do so results in undefined behavior and data corruption.

6. Validate the LUN policies for all containers. Display the LUN configuration for ALL CryptoTarget containers to confirm that the LUN policy settings are the same for all CryptoTarget containers.
Data re-keying

Resource allocation

System resources for first-time encryption sessions are shared with re-key sessions. There is an upper limit of 10 sessions, with two concurrent sessions per target. Refer to the re-key “Resource allocation” section on page 170 for details.

First-time encryption modes

First-time encryption can be performed under the following conditions:

• Offline encryption - The hosts accessing the LUN are offline or host I/O is halted while encryption is in process.
Re-keying is only applicable to disk array LUNs or fixed block devices. There is no re-keying support for tape media. If there is a need to re-encrypt encrypted tape contents with a new key, the process is equivalent to restoring the data from tape backup. You decrypt the data with the old DEK and subsequently back up the tape contents to tape storage, which will have the effect of encrypting the data with the new DEK.
NOTE
For a scheduled re-keying session to proceed, all encryption engines in a given HA cluster, DEK cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the section “Management LAN configuration” on page 116 for more information.

1. Log in to the group leader as FabricAdmin.
2. Enable automatic re-keying by setting the -enable_rekey parameter followed by a time period (in days).
5. Check the status of the re-keying session.
1. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN.

FabricAdmin:switch>cryptocfg --resume_rekey my_disk_tgt 0x0 \
    10:00:00:05:1e:53:37:99
Operation Succeeded

2. Check the status of the resumed re-key session.

FabricAdmin:switch> cryptocfg --show -rekey -all

• Read all data off the LUN and write it to another LUN.
Chapter 4 Deployment Scenarios

In this chapter

• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target

Figure 96 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:

• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster

Figure 97 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
Single fabric deployment - DEK cluster

In Figure 97, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.
Dual fabric deployment - HA and DEK cluster

In Figure 98, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN, and use the same DEK for that LUN, forming a DEK cluster.
Multiple paths, one DEK cluster, and two HA clusters

The configuration details shown in Figure 100 are as follows:

• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Brocade encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster

Figure 101 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric.
Deployment in Fibre Channel routed fabrics

In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_port connections (Figure 102), or it may form the backbone fabric and directly provide the EX_port connections (Figure 103). The encryption resources can be shared with the host and target edge fabrics using device sharing between backbone and edge fabrics.
The following is a summary of steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).

• The encryption device creates the frame redirection zone automatically, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric

In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7500 extension switch or FR4-18i blade in a 48000 director, DCX, or DCX-4S, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 104).
Deployment with FCIP extension switches

Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX, DCX-4S or 48000 chassis to enable long distance connections. Figure 105 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide for information about creating FCIP configurations.
VMware ESX server deployments

VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 106 shows a VMware ESX server with two guest operating systems where each guest accesses a fabric over separate host ports.
Figure 107 shows a VMware ESX server with two guest operating systems where two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device:

• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5 Best Practices and Special Topics

In this chapter

• Firmware download considerations
• Configuration upload and download considerations
• HP-UX considerations
• AIX Considerations
• Enable of a disabled LUN
Firmware download considerations

The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during the firmware upgrade.
• In the case of active/active arrays, the upgrade order of nodes does not matter, but you still must upgrade one node at a time. The host MPIO ensures that I/O fails over and fails back from one active path to another active path during this firmware upgrade process.

All nodes in an encryption group must be at the same firmware level before starting a re-key or first-time encryption operation. A firmware consistency check for Fabric OS v6.4.
cryptocfg --disableEE

3. Make sure that these CryptoTarget containers and LUNs actually fail over to node 2 (BES2) in the HA cluster. Check that all LUNs are in the encryption enabled state on node 2 (BES2). This ensures that I/O also fails over to node 2 (BES2) and continues during this process.

4. On node 1 (BES1), enable the encryption engine by issuing the following command.

cryptocfg --enableEE

5. Start the firmware download (upgrade) on node 1 (BES1).
Configuration upload and download considerations

Configuration upload at an encryption group member node

A configuration upload at an individual encryption group member node contains the following:

• The local switch configuration.
• Encryption group-related configuration.
• Encryption group-wide configuration of Crypto Targets, disk and tape LUNs, tape pools, HA clusters, security, and key vaults.
Configuration download at the encryption group leader

The configuration download contains the encryption group-wide configuration information about Crypto Targets, disk and tape LUNs, tape pools, HA clusters, security, and key vaults. The encryption group leader first applies the encryption group-wide configuration information to the local configuration database and then distributes the configuration to all members in the encryption group.
HP-UX considerations

The HP-UX OS requires LUN 0 to be present. LUNs are scanned differently based on the type value returned for LUN 0 by the target device.

• If the type is 0, then HP-UX only scans LUNs from 0 to 7. That is the maximum limit allowed by HP-UX for device type 0.
• If the type is 0xC, then HP-UX scans all LUNs.

Best practices are as follows:

• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
Tape metadata

One kilobyte of metadata is added per tape block for both the native Brocade format and DF-compatible formats. The tape block size (as configured by the host) is modified by the encryption device to accommodate 1K of metadata per block. A given tape can have a mix of compressed and uncompressed blocks. Block lengths are as follows.

Encrypted/Compressed Tape Block Format
Compressed and encrypted tape block data + 1K metadata + ASCII 0 pad = block length of tape.
Tape block zero handling

Tape pool configuration is used only when labeling of tape media is done on the first write to the tape media. After tape labeling is done and the metadata written, the tape pool configuration is no longer used. Tape pool configuration is not required for restoring data from an encrypted tape belonging to the tape pool, because the key ID is present in the metadata.
Redirection zones

• Before committing CryptoTarget container or LUN configurations or modifications on an encryption switch or FS8-18 blade, make sure that there are no outstanding zoning transactions in the switch or fabric. If there is an outstanding zoning transaction, the commit operation will fail and result in disabling the LUN. You can check for outstanding zoning transactions by issuing the cfgtransshow CLI command.
Deployment with Admin Domains (AD)

Virtual devices created by the encryption device do not support the AD feature in this release. All virtual devices are part of AD0 and AD255. Targets for which virtual targets are created and hosts for which virtual initiators are created must also be in AD0 and AD255. If they are not, access from the hosts and targets to the virtual targets and virtual initiators is denied, leading to denial of encryption services.
PID failover

Virtual device PIDs do not persist upon failover within a single fabric HA cluster. Upon failover, the virtual device is assigned a different PID on the standby encryption switch or blade. Some operating systems view the PID change as an indication of path failure, and will switch over to a redundant path in another fabric. In these cases, HA clusters should not be implemented. These operating systems include the following:

• HP-UX prior to 11.x.
KAC certificate registration expiry

Allow re-key to complete before deleting a container

Do not delete a crypto container while a re-key is in session or if the re-key is not completed. If you want to delete a container, use the command cryptocfg --show -rekey -all to display the status of re-key sessions. If any re-key session is not 100% completed, do not delete the container.
Changing IP addresses in encryption groups

NOTE
In the event that the signed KAC certificate must be re-registered, you will need to log in to the key vault web interface and upload the new signed KAC certificate for the corresponding Brocade Encryption Switch Identity.

You can change the value of the certificate expiration date using the following command:

openssl x509 -req -sha1 -CAcreateserial -in certs/ -days 365 -CA cacert.pem -CAkey private/cakey.
Recommendations for Initiator Fan-Ins

An encryption engine has 6 distinct encryption blocks with 4 ports each, each port operating at 4 Gbps. The architecture of the encryption blocks provides the potential for an aggregate 96 Gbps of full duplex encryption bandwidth, if the performance license is installed. Figure 108 shows the encryption blocks within an encryption engine, and the host initiator to target port fan-ins.
Best practices for host clusters in an encryption environment

When host clusters are deployed in an encryption environment, follow these recommendations:

• If two encryption engines are part of an HA cluster, configure the host/target pair so they have different paths from both encryption engines. Avoid connecting both the host/target pairs to the same encryption engine.
Chapter 6 Maintenance and Troubleshooting

In this chapter

• Encryption group and HA cluster maintenance
• Encryption group merge and split use cases
• Encryption group database manual operations
• Key vault diagnostics
• General encryption troubleshooting
Removing a member node from an encryption group
This procedure permanently removes a member node from an encryption group, as shown in Figure 109. Upon removal, the HA cluster failover capability and target associations pertaining to the node are no longer present. To remove a node from a group without disrupting these relationships, use the cryptocfg --replace command. Refer to the section “Replacing an HA cluster member” on page 209 for instructions.
3. Determine the state of the node. Log in to the member node and enter the cryptocfg --show -groupmember command followed by the node WWN. Provide a slot number if the encryption engine is a blade.
SecurityAdmin:switch>cryptocfg --show -groupmember \
10:00:00:05:1e:41:99:bc
Node Name: 10:00:00:05:1e:41:99:bc (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
Deleting an encryption group
You can delete an encryption group after removing all member nodes, following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
HA cluster name: HAC1 - 2 EE entries
Status: Committed
WWN                       Slot Number   Status
11:22:33:44:55:66:77:00   0             Online
10:00:00:05:1e:53:74:87   3             Online

HA cluster name: HAC2 - 1 EE entry
Status: Defined
WWN                       Slot Number   Status
10:00:00:05:1e:53:4c:91   0             Online

In the following example, the encryption group brocade has one HA cluster, HAC3.
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the failed encryption engine (EE2) with another encryption engine (EE3). This operation effectively removes the failed encryption engine (EE2) from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster. The target associations (T2) from the failed encryption engine (EE2) are transferred to the replacement encryption engine (EE3).
2.
Case 2: Replacing a “live” encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine (EE2) with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Performing a manual failback of an encryption engine
By default, failback occurs automatically when an encryption engine that failed is replaced or comes back online. When the manual failback policy is set in the encryption group, you must invoke a manual failback of the encryption engine after the failed encryption engine has been restored or replaced. Failback includes all of the encryption engine’s target associations.
SecurityAdmin:switch>cryptocfg --show -hacluster -all
Encryption Group Name: brocade_1
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
       WWN                       Slot Number   Status
EE1 => 10:00:00:05:1e:53:89:dd   0             Online
EE2 => 10:00:00:05:1e:53:fc:8a   0             Online

Encryption group merge and split use cases
This section describes the following recovery scenarios and related operations:
• “A member node failed and is replaced” on page 213
• “A
4. Set up the member node: configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command.
5. On the new node that is to be added, invoke cryptocfg --reclaimWWN -cleanup.
6. Export the CP certificate from the member node.
7. Import the member node CP certificate into the group leader.
8.
A member node lost connection to the group leader
Assume N1, N2, and N3 form an encryption group, and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 lost connection to the group leader node N2 but still maintains communications with the other nodes in the encryption group.
Impact
Failover to N1 does not occur, because the isolated node and the encryption engines’ encryption services continue to function normally.
Recovery
1. Restore connectivity between the two separate encryption group islands. When the lost connection is restored, an automatic split recovery process begins. The current group leader and the former group leader (N3 and N2 in this example) arbitrate the recovery, and the group leader with the majority of member nodes (N2) becomes group leader. If the number of member nodes is the same, the group leader node with the highest WWN becomes group leader.
2.
Adjusting heartbeat signaling values
Encryption group nodes use heartbeat signaling to communicate with one another and with their associated key vaults. A configurable threshold of heartbeat misses determines how long an encryption group leader waits before declaring a member node unreachable. The default heartbeat signaling values are three heartbeat misses, each followed by a two-second heartbeat time-out.
Given that you may have up to four nodes per encryption group, an EG split may leave you with any of the following possible EG split combinations:
• Two node EG split - resulting in two single node encryption groups. Each node is a group leader node.
• Three node EG split - resulting in one of two outcomes:
  - A two node encryption group with a single group leader node, and one single node encryption group where the node is a group leader.
Two node EG split manual recovery example
The following example is a case where you have an EG split of a two node encryption group with nodes named Node181 and Node182. Node181 has WWN 10:00:00:00:05:1e:33:33 and Node182 has WWN 10:00:00:05:1e:55:55:55.
1. Run the cryptocfg --show -groupcfg command from every node in your setup. If the EG is split, the Encryption Group state reported by each node shows up as CLUSTER_STATE_DEGRADED.
…Output truncated…
4. Go to every other encryption group island to delete the encryption group.
NOTE: If you have four encryption nodes that have split into a pair of two node encryption groups, refer to “The 2:2 EG split exception” on page 220 for a description of an additional step to take before deleting the encryption group.
In this example, the encryption group island consists only of Node181.
Eject the node shown above, which is in the DEF_NODE_STATE_DISCOVERED state, using the following command:
EGisland2GLNode:admin->cryptocfg --eject -membernode 10:00:00:05:1e:c1:9b:91
You can now delete the encryption group from the member node using the cryptocfg --delete -encgroup command, and run the cryptocfg --show -groupcfg command to verify that no encryption group is defined on the member node, as was done for Node181 in the two node example, as s
Configuration impact of encryption group split or node isolation
When a node is isolated from the encryption group or the encryption group is split to form separate encryption group islands, the defined or registered node list in the encryption group is not equal to the current active node list, and the encryption group is in a DEGRADED state rather than in a CONVERGED state.
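The DEGRADED/CONVERGED rule just described and the split recovery arbitration under “Recovery” (the leader with more members wins; a tie goes to the higher WWN) as a small Python model. This is example code added for this edit, not code from the guide or from Fabric OS; the island representation and the CLUSTER_STATE_CONVERGED name are assumptions.

```python
"""Added example (not from the Brocade guide): models the encryption group
split and merge rules described in this chapter.

Assumptions (mine, not the guide's): an island is the WWN of the node acting
as group leader plus the list of member WWNs it can currently reach, and WWNs
are compared numerically after stripping the colons.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The guide shows only CLUSTER_STATE_DEGRADED; the converged name is assumed.
CONVERGED = "CLUSTER_STATE_CONVERGED"
DEGRADED = "CLUSTER_STATE_DEGRADED"


def wwn_value(wwn: str) -> int:
    """Numeric value of a colon-separated 8-byte WWN, for the tie-break rule."""
    parts = wwn.split(":")
    if len(parts) != 8 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed WWN: {wwn}")
    return int("".join(parts), 16)


@dataclass
class Island:
    leader: str            # WWN of the node acting as group leader
    active: List[str]      # WWNs the leader currently sees, itself included

    @property
    def size(self) -> int:
        return len(self.active)


def group_state(defined_nodes: Iterable[str], island: Island) -> str:
    """DEGRADED when the registered node list differs from the active list."""
    return CONVERGED if set(defined_nodes) == set(island.active) else DEGRADED


def arbitrate(a: Island, b: Island) -> str:
    """WWN of the leader that survives split recovery between two islands."""
    if a.size != b.size:
        return a.leader if a.size > b.size else b.leader
    # Equal member counts: the group leader with the highest WWN wins.
    return max(a.leader, b.leader, key=wwn_value)


if __name__ == "__main__":
    # Constructed sample: N2 leads the N1/N2 island, N3 is isolated.
    n1, n2, n3 = ("10:00:00:05:1e:53:89:dd",
                  "10:00:00:05:1e:53:fc:8a",
                  "10:00:00:05:1e:41:99:bc")
    main_island = Island(leader=n2, active=[n1, n2])
    lone = Island(leader=n3, active=[n3])
    print(group_state([n1, n2, n3], lone))      # CLUSTER_STATE_DEGRADED
    print(arbitrate(main_island, lone))         # n2 keeps the leader role
```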
Encryption group database manual operations
Manual intervention may be necessary if the encryption group databases or security databases of encryption group members are not synchronized. The following sections describe manual operations that enable you to do the following:
• Synchronize the encryption group database.
• Synchronize the security database.
• Abort a pending database transaction.
Key vault diagnostics
If an encryption switch is part of an EG, the diagnostic testing is performed on that switch only and not on the entire group. If multiple nodes in an encryption group run different Fabric OS versions, only those nodes running Fabric OS 7.0.0 and later can be configured for periodic key vault diagnostic testing. You can set the diagnostic tests to run at regular intervals. When incidents occur, the findings are collected in log reports.
This check indicates only the synchronization capability at a given point in time, and does not mean that all keys on the vault are synchronized. The need for manual synchronization of keys depends on the point of key vault connectivity failure or user-initiated operations (for example, a reboot) and is not identified by the KV diagnostics report. However, if such a failure occurs while the diagnostic tests are run, the failures are identified and indicated.
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command: supportsave
Activity: Check whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log).
TABLE 10 General errors and conditions
Problem: A backup fails because the LUN is always in the initialize state for the tape container. Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
Resolution: Use one of two resolutions:
TABLE 10 General errors and conditions (Continued)
Problem: A performance drop occurs when using DPM on a Microsoft Windows system to back up to a Scalar 500i tape library.
Resolution: Change the DPM behavior to send one request at a time by adding the DWORD “BufferQueueSize” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent and setting the value to 1. Then restart the DPM servers: MSDPM, DPMLA, DPMRA.
Troubleshooting examples using the CLI
Encryption Enabled Crypto Target LUN
The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled Crypto Target LUN
If the LUN state is Encryption Disabled, the host is not able to access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group, page 231
• Errors related to adding a switch to a new group, page 232
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
TABLE 12 Error recovery instructions for adding a switch to a new group (Continued)
Configuration task: Create a new master key (opaque key vaults only)
Error description: A failure occurred while attempting to create a new master key.
Configuration task: Save the switch’s public key certificate to a file.
Error description: The switch’s public key certificate could not be saved to a file.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Columns: Case; Reasons for the LUN getting disabled by the encryption switch; Action taken if you do not need to save the data; Action taken if you need to save the data.
Case 1: The LUN was modified from encrypt policy to cleartext policy but metadata exists. The LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA cluster, or DEK cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is kept powered down, the member nodes lose information and knowledge about the encryption group.
MPIO and internal LUN states
The Internal LUN State field displayed in the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine. Due to the transparent and embedded nature of this encryption solution, the host-to-storage array LUN path status can only be displayed by using host MPIO software.
2. Check the status of the resumed re-key session.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN. In this case, you can cancel the re-key session by removing the LUN from its container and force committing the transaction. Stop all I/O traffic from the initiators accessing the LUN before removing the LUN, to avoid I/O failure between the initiators and the LUN.
7. Zeroize the new encryption engine.
cryptocfg --zeroizeEE 4
The new encryption engine powers off and powers on again automatically.
8. If system card authentication is needed to enable the encryption engine, re-register the system card through the Management application client for the new encryption engine.
9. Initialize the new encryption engine.
cryptocfg --initEE 4
10. Register the new encryption engine.
cryptocfg --regEE 4
11. Enable the new encryption engine.
2. Reclaim the WWN base of BES3.
cryptocfg --reclaimWWN -membernode [-list]
3. Synchronize the crypto configurations across all member nodes.
cryptocfg --commit
NOTE: When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so causes subsequent reclaim attempts to fail.
When BES3 has not failed, complete the following steps:
1.
9. Set the IP address for the new Brocade Encryption Switch using the ipaddrset command for the Mgmt link and IO link. Check that the switch name and domain ID associated with the replacement switch match those of the original.
10. Zeroize the new Brocade Encryption Switch.
cryptocfg --zeroizeEE
The Brocade Encryption Switch reboots automatically.
11.
23. Register the new node KAC certificate with the HP SKM/ESKM appliances and create a username and password for this node on the HP SKM appliances under the group “Brocade.”
24. Create the same username and password on the new node as created on the HP SKM/ESKM appliances. Use the following command:
cryptocfg --reg -KACLogin
25.
b. Issue commit.
cryptocfg --commit
30. Check the encryption group state to ensure that the entire encryption group is in the converged and In Sync state:
cryptocfg --show -groupcfg
Single Node EG Replacement
1. Upload the configuration stored on the Brocade Encryption Switch you are replacing using the FOS configupload command.
2. Power off the Brocade Encryption Switch.
3.
14. Check the encryption engine state using the following command to ensure the encryption engine is online:
cryptocfg --show -localEE
15. Export the KAC CSR from the new node and sign the CSR with the HP SKM/ESKM Local CA.
16. Import the signed CSR/certificate onto the new node.
17. Register the signed KAC CSR/certificate on the new node.
cryptocfg --reg -KACcert
18.
Reclaiming the WWN base of a failed Brocade Encryption Switch
When a Brocade Encryption Switch fails, follow these steps to reclaim the WWN base:
1. Locate the Brocade Encryption Switch that has failed and deregister it from the encryption group.
cryptocfg --dereg -membernode
2. Reclaim the WWN base of the failed Brocade Encryption Switch.
cryptocfg --reclaimWWN -membernode [-list]
3.
4. Enter the following command on BES1 to deregister the ejected node from the encryption group:
cryptocfg --dereg -membernode
5. Enter the following command on BES3 to clean up the encryption configuration on the deregistered node:
cryptocfg --reclaimWWN -cleanup
When prompted, enter yes to each prompt.
6. Repeat steps 1-5 for BES4.
7. Create a new EG on BES3:
a. Create the group:
cryptocfg --create -encgroup BES3
b.
2. Enter the following command to propagate the change throughout the EG:
cryptocfg --commit
3. Remove the blade from DCX1, slot 4 and plug it into DCX2, slot 3.
4. Add the moved blade as a member node to EG2.
Moving a BES from one EG to another EG in the same fabric
In this example, which is represented in Table 17, you have two EGs, each containing two nodes. You want to move BES2 from EG1 to EG2.
Removing stale rekey information for a LUN
To clean up stale rekey information for a LUN, complete one of the following procedures:
Procedure 1:
1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN becomes disabled.
2. Enable the LUN using the following command:
cryptocfg --enable -LUN
3. Modify the LUN policy from “cleartext” to “encrypt” with the enable_encexistingdata command to enable the first-time encryption, then commit.
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states, page 249
• Security processor KEK status, page 250
• Encrypted LUN states, page 250
Encryption engine security processor (SP) states
Table 18 lists the encryption engine security processor (SP) states.
Security processor KEK status
Table 19 lists security processor KEK status information.
TABLE 19 Security processor KEK status
KEK type: Primary KEK (current MK or primary KV link key)
  KEK status None: Primary KEK is not configured.
  KEK status Mismatch: Primary KEK mismatch between the CP and the SP.
  KEK status Match/Valid: Primary KEK at the CP matches the one in the SP and is valid.
KEK type: Secondary KEK (alternate MK or secondary KV link key)
  KEK status values: None, Mismatch
KEK type: Group KEK
1.
TABLE 20 Encrypted LUN states (Continued)
LUN_1ST_TIME_REKEY_IN_PROG: First time re-key is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG: Key expired re-key is in progress.
LUN_MANUAL_REKEY_IN_PROG: Manual re-key is in progress.
LUN_DECRYPT_IN_PROG: Data decryption is in progress.
LUN_WR_META_PENDING: Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING: First time re-key is pending.
LUN_KEY_EXPR_REKEY_PENDING: Key expired re-key is pending.
TABLE 20 Encrypted LUN states (Continued)
LUN_DIS_WR_META_DONE_ERR: Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED: Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH: Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN: Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL: Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE: Disabled (Third party license is required).
TABLE 21 Tape LUN states
Internal name | Console string | Explanation
LUN_DIS_LUN_NOT_FOUND | Disabled (LUN not found) | No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support.
LUN_TGT_OFFLINE | Target Offline | Target port is not currently in the fabric. Check connections and L2 port state.
TABLE 21 Tape LUN states (Continued)
LUN_ENCRYPT | Encryption enabled | The tape medium is present and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out whether the tape is encrypted in native mode or DataFort-compatible mode.