Fabric OS Encryption Administrator’s Guide, Supporting RSA Data Protection Manager (DPM) Environments, Supporting Fabric OS v7.1. Document 53-1002720-02, 25 Month 2013.
Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Supported hardware and software

The following hardware platforms support data encryption as described in this manual.
• Brocade DCX Backbone series chassis with an FS8-18 encryption blade.
• Brocade Encryption Switch.
• If you are upgrading your Fabric OS installation to v7.1.0, you must first update your key management server from RKM 2.x to DPM 3.x. (DPM 3.2.1 is currently supported with Fabric OS 7.1.0.)
Command syntax conventions

Command syntax in this manual follows these conventions:
command: Commands are printed in bold.
--option, option: Command options are printed in bold.
-argument, arg: Arguments.
[ ]: Optional element.
variable: Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...: Repeat the previous element, for example “member[;member...]”.
value: Fixed values following arguments are printed in plain font.
Key terms For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xvi for instructions on accessing MyBrocade. For definitions specific to this document, see “Terminology” on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.
For information about the Key Management Interoperability Protocol standard, visit the OASIS KMIP Technical Committee website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis. Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document.
Chapter 1 Encryption Overview
Terminology

The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK): An encryption key generated by the encryption engine.
Opaque Key Vault: A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted under a master key to protect them.
Recovery cards: A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the BNA client to restore the master key.
The Brocade Encryption Switch

The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade

The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs on the Brocade DCX Backbone chassis, which include the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis.

FIPS mode

Both the Brocade Encryption Switch and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.
Recommendation for connectivity

In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.
Brocade encryption solution overview

The loss of stored private data, trade secrets, intellectual property, and other sensitive information through theft, or accidental loss of disk or tape media, can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage

The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management

Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
Master key management

Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM.

Master key generation

A master key must be generated by the group leader encryption engine. The master key can be generated once by the group leader, then propagated to the other members of an encryption group.
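As an added illustration of the opaque-key-vault model above (this is example code, not code from the guide, Brocade, or RSA), the following Go program wraps a DEK under the master key before handing it to a vault that only ever stores the wrapped form, then recovers the DEK by key ID to decrypt data later. AES-256-GCM for both the wrapping and the data, and the in-memory map standing in for the vault, are assumptions of the example, not the switch's own formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OpaqueVault stands in for an opaque key vault: it holds DEKs only in wrapped
// form, indexed by key ID, and never sees the master key. (Constructed for this
// example; it is not the DPM appliance's interface.)
type OpaqueVault map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with key, authenticating aad, and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or the blob has changed.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// NewDEK generates a fresh 256-bit DEK, as the encryption engine does.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

// WrapDEK encrypts the DEK under the master key and binds it to its key ID, so
// a wrapped DEK moved to a different vault entry fails to unwrap.
func WrapDEK(masterKey, dek []byte, keyID string) ([]byte, error) {
	return seal(masterKey, dek, []byte(keyID))
}

// UnwrapDEK recovers the DEK; only a holder of the master key can do this.
func UnwrapDEK(masterKey, wrapped []byte, keyID string) ([]byte, error) {
	return open(masterKey, wrapped, []byte(keyID))
}

// RoundTrip walks the DEK life cycle: generate, wrap, store the wrapped copy in
// the vault, encrypt data, then fetch and unwrap the DEK by key ID to decrypt.
// It returns the recovered cleartext.
func RoundTrip(masterKey []byte, vault OpaqueVault, keyID string, cleartext []byte) ([]byte, error) {
	dek, err := NewDEK()
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapDEK(masterKey, dek, keyID)
	if err != nil {
		return nil, err
	}
	vault[keyID] = wrapped // the vault sees only the wrapped copy
	ciphertext, err := seal(dek, cleartext, nil)
	if err != nil {
		return nil, err
	}
	stored, ok := vault[keyID]
	if !ok {
		return nil, errors.New("key ID not found in vault")
	}
	recovered, err := UnwrapDEK(masterKey, stored, keyID)
	if err != nil {
		return nil, err
	}
	return open(recovered, ciphertext, nil)
}

func main() {
	masterKey := make([]byte, 32) // created by the group leader engine in practice
	rand.Read(masterKey)
	out, err := RoundTrip(masterKey, OpaqueVault{}, "lun-42", []byte("constructed sample block"))
	fmt.Printf("recovered=%q err=%v\n", out, err)
}
```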
Cisco Fabric Connectivity support

The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN OS 3.3 and later versions. Cisco fabric connectivity is provided only on the Brocade Encryption Switch. The FS8-18 blade for the Brocade DCX Backbone chassis does not support this feature.
Chapter 2 Configuring Encryption Using the Management Application
Encryption Center features

The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Brocade Network Advisor (BNA) Management application (Figure 6).
Encryption user privileges

In BNA, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can belong to only one resource group at a time.
TABLE 1 Encryption privileges (continued)

Privilege: Storage Encryption Security
Read/Write:
• Launch the Encryption Center dialog box.
• View switch, group, or engine properties.
• View Encryption Group Properties Security tab.
• View LUN centric view.
• View all rekey sessions.
• View encryption targets, hosts, and LUNs.
• Create a master key.
• Back up a master key.
• Edit smart card.
• Establishing a trusted link with the NetApp LKM key vault.
• Decommissioning a LUN.

When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access.

Registering authentication cards from a card reader

To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security-sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
Registering authentication cards from the database

Smart cards that are already in the Management program’s database can be registered as authentication cards.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar to display the Encryption Group Properties dialog box.
Deregistering an authentication card

Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
Using system cards

System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine after a power off.
Enabling or disabling the system card requirement

To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch. You access the system card GUI from the Security tab. Complete the following procedure to enable or disable the system card requirement.
1.
Deregistering system cards

System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar. The System Cards dialog box displays. (Refer to Figure 11 on page 21.)
3.
Tracking smart cards

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select Smart Card > Smart Card Tracking from the menu task bar to display the Smart Card Asset Tracking dialog box (Figure 12). The Smart Cards table lists the known smart cards and the details for the smart cards.
FIGURE 12 Smart Card asset tracking dialog box

3. Select a smart card from the table, then do one of the following:
• Click Delete to remove the smart card from the BNA database. Deleting smart cards from the BNA database keeps the Smart Cards table at a manageable size, but does not invalidate the smart card. The smart card can still be used. You must deregister a smart card to invalidate its use.

NOTE The Delete operation applies only to recovery cards.
Editing smart cards

Smart cards can be used for user authentication, master key storage and backup, and as a system card for authorizing use of encryption operations.
1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar to display the Edit Smart Card dialog box (Figure 13).

FIGURE 13 Edit Smart Card dialog box

2. Insert the smart card into the card reader.
3.
Network connections

Before you use the encryption setup wizard for the first time, you must have the following required network connections:
• The management ports on all encryption switches and 8-slot Backbone Chassis CPs that have encryption blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
Configuring blade processor links

To configure blade processor links, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select the encryption engine from the Encryption Center Devices table, then select Engine > Blade Processor Link from the menu task bar to display the Blade Processor Link dialog box (Figure 14).
Setting encryption node initialization

Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.
1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar.
2. Select Yes after reading the warning message to initialize the node.
Exporting the KAC certificate signing request (CSR)

1. Export the KAC CSR to a temporary location prior to submitting the KAC CSR to a CA for signing.
2. Synchronize the time on the switch and the key manager appliance. Time settings should be within one minute of each other. Differences in time can invalidate certificates and cause key vault operations to fail.
3.
KAC certificate registration expiry

It is important to keep track of when your signed KAC certificates will expire. Failure to work with valid certificates causes certain commands to not work as expected. If you are using the certificate expiry feature and the certificate expires, the key vault server will not respond as expected.
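The one-minute clock rule from the CSR steps and the expiry tracking above can be checked with a small program. This is added example code, not a tool from the guide or from Brocade: it builds a self-signed certificate with a chosen validity window (standing in for a CA-signed KAC certificate, with a placeholder subject name) and reports whether a given clock reading falls outside that window or inside a configurable warning period.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxSkew is the largest switch-to-appliance clock difference the guide allows.
const MaxSkew = time.Minute

// ClockSkewOK reports whether the switch and key manager clocks are within MaxSkew.
func ClockSkewOK(switchTime, applianceTime time.Time) bool {
	d := switchTime.Sub(applianceTime)
	if d < 0 {
		d = -d
	}
	return d <= MaxSkew
}

// CertStatus summarises where a certificate's validity window sits relative to
// a given clock reading.
type CertStatus struct {
	NotYetValid bool // clock reads before NotBefore (typical symptom of skew)
	Expired     bool // clock reads after NotAfter
	DaysLeft    int  // whole days until NotAfter; negative once expired
	Warn        bool // fewer than warnDays left: re-issue and re-register soon
}

// CheckCert evaluates cert's NotBefore/NotAfter window against now.
func CheckCert(cert *x509.Certificate, now time.Time, warnDays int) CertStatus {
	st := CertStatus{
		NotYetValid: now.Before(cert.NotBefore),
		Expired:     now.After(cert.NotAfter),
	}
	st.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	st.Warn = st.DaysLeft < warnDays
	return st
}

// NewTestCert builds a self-signed certificate with the given validity window.
// Constructed for this example only: a real KAC certificate is signed by your
// CA from the switch's CSR, and the subject name here is a placeholder.
func NewTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-kac-placeholder"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2013, 6, 1, 12, 0, 0, 0, time.UTC) // constructed issue time
	cert, err := NewTestCert(issued, issued.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	// A switch clock two minutes behind the appliance that just issued the
	// certificate rejects it as not yet valid: this is why the one-minute rule matters.
	switchClock := issued.Add(-2 * time.Minute)
	fmt.Printf("skew ok: %v, status: %+v\n", ClockSkewOK(switchClock, issued), CheckCert(cert, switchClock, 30))
	fmt.Printf("ten days before expiry: %+v\n", CheckCert(cert, issued.AddDate(1, 0, -10), 30))
}
```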
Uploading the CA certificate onto the DPM appliance (and first-time configurations)

After an encryption group is created, you need to install the signing authority certificate (CA certificate) onto the DPM appliance.
1. Open a web browser and connect to the DPM appliance setup page. You will need the URL and the proper authority level, user name, and password.
2. Select the Operations tab.
3. Select Certificate Upload.
4.
h. Click Next.
i. Repeat step a through step h for each key class.
j. Click Finish.

Uploading the KAC certificate onto the DPM appliance (manual identity enrollment)

NOTE The Brocade Encryption Switch will not use the Identity Auto Enrollment feature supported with DPM 3.x servers. You must complete the identity enrollment manually to configure the DPM 3.x server with the Brocade Encryption Switch as described in this section.
Loading the CA certificate onto the encryption group leader

The certificate for the CA that signed the switch KAC CSRs must be loaded onto the encryption group leader. The group leader can then distribute the CA certificate to the encryption group members.
1. From the Encryption Center, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar to display the Encryption Group Properties dialog box.
Encryption preparation

Before you use the encryption setup wizard for the first time, you should have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
• You have a plan in place to organize encryption devices into encryption groups.
2. Select a switch from the encryption group. (The switch must not be assigned to an encryption group.)
3. Select Encryption > Create/Add to Group from the menu task bar. The Configure Switch Encryption wizard welcome screen displays (Figure 18). The wizard enables you to create a new encryption group, or add an encryption switch to an existing encryption group. The wizard also enables you to configure switch encryption.
4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays (Figure 19). The dialog box contains the following options:
• Create a new encryption group containing just the switch: Creates an encryption group for the selected switch.
• Add this switch to an existing encryption group: Adds the selected switch to an encryption group that already exists.

FIGURE 19 Designate Switch Membership dialog box

5.
FIGURE 20 Create a New Encryption Group dialog box

The dialog box contains the following information:
• Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive.
• Failback mode: Selects whether or not storage targets should be automatically transferred back to an encryption engine that comes online after being unavailable. Options are Automatic or Manual.
FIGURE 21 Select Key Vault dialog box

Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Prior to selecting your Key Vault Type, the selection is shown as None. The dialog box contains the following information:
• Key Vault Type: If an encryption group contains mixed firmware nodes, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader.
Configuring key vault settings for RSA Data Protection Manager (DPM)

The following procedure assumes you have already configured the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to “Creating an encryption group” on page 35. Figure 22 shows the key vault selection dialog box for DPM.

FIGURE 22 Select Key Vault dialog box for DPM

1. Enter the IPv4 address or host name for the primary key vault.
FIGURE 23 Specify Certificate Signing Request File Name dialog box

5. Enter the filename in which you want to store the certificate information, or browse to the file location. The certificate stored in this file is the switch’s Switch Certificate Signing file. You will need to know this path and file name to install the switch’s Switch Certificate Signing file on the key management appliance.
6. Click Next. The Specify Master Key File Name dialog box displays (Figure 24).
FIGURE 24 Specify Master Key File Name dialog box

7. Enter the location of the file where you want to store backup master key information, or browse to the desired location.
8. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
9. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays (Figure 25).
FIGURE 25 Select Security Settings dialog box

10. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security-sensitive operations listed above. The maximum quorum size is five cards.
FIGURE 26 Confirm Configuration dialog box

The Configuration Status dialog box displays (Figure 27).

FIGURE 27 Configuration Status dialog box

12. Review the post-configuration instructions, which you can copy to a clipboard or print for later, then click Next. The Next Steps dialog box displays (Figure 28). Instructions for installing public key certificates for the encryption switch are displayed.
FIGURE 28 Next Steps dialog box

13. Review the post-configuration instructions, which you can copy to a clipboard or print for later, then click Finish to exit the wizard.

Understanding configuration status results

After configuration of the encryption group is completed, BNA sends API commands to verify the switch configuration. The CLI commands are detailed in the encryption administrator’s guide for your key vault management system.
1. Initialize the switch.
Adding a switch to an encryption group

The setup wizard allows you to either create a new encryption group, or add an encryption switch to an existing encryption group. Use the following procedure to add a switch to an encryption group:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
FIGURE 30 Designate Switch Membership dialog box

4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays (Figure 31). The dialog box contains the following information:
• Encryption Groups table: Enables you to select the encryption group to which to add the switch.
• Member Switches table: Lists the switches in the selected encryption group.
FIGURE 31 Add Switch to Existing Encryption Group dialog box

5. Select the group to which to add the switch, then click Next. The Specify Public Key Certificate (KAC) File Name dialog box displays (Figure 32).
6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays (Figure 33). Confirm the encryption group name and switch public key certificate file name you specified are correct, then click Next.

FIGURE 33 Confirm Configuration dialog box

The Configuration Status dialog box displays (Figure 34).
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
7. Review important messages, then click Next. The Error Instructions dialog box displays (Figure 35).
FIGURE 36 Engine Operations tab

3. Select the engine to replace from the Engine list.
4. Select the engine to use as the replacement from the Replacement list, then click Replace. All containers hosted by the current engine (Engine list) are replaced by the new engine (Replacement list).

High availability (HA) clusters

A high availability (HA) cluster is a group of exactly two encryption engines (EEs).
NOTE In Fabric OS 6.3.0 and later, HA cluster creation is blocked when encryption engines belonging to FS8-18 blades in the same DCX Backbone chassis are specified.
• Cluster links must be configured before creating an HA cluster. Refer to the section “Configuring cluster links” on page 135 for instructions.
• It is recommended that the HA cluster configuration be completed before you configure storage devices for encryption.
FIGURE 37 Encryption Group Properties dialog box - HA Clusters tab

To add the second encryption node to the HA cluster, perform the following procedure.
1. Select the desired HA cluster from the right panel.
2. Select the desired encryption engine to be added from the left panel.
3. Click the right arrow to add the encryption engine to the selected HA cluster.
4. Click OK.
Swapping engines in an HA cluster

Swapping engines is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
2.
Configuring encryption storage targets

Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch. The storage encryption wizard enables you to configure encryption for a storage device (target).

NOTE It is recommended that you configure the host and target in the same zone before configuring them for encryption.
FIGURE 38 Encryption Targets dialog box
3. Click Add. The Configure Storage Encryption welcome screen displays (Figure 39).
FIGURE 39 Configure Storage Encryption welcome screen
4. Click Next. The Select Encryption Engine dialog box displays (Figure 40).
FIGURE 40 Select Encryption Engine dialog box
The dialog box contains the following information:
• Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed:
  • If an encryption group was selected, the list includes all engines in the group.
  • If a switch was selected, the list includes all encryption engines for the switch.
  • If a single encryption engine was selected, the list contains only that engine.
FIGURE 41 Select Target dialog box
The dialog box contains the following information:
• Target Port WWN: The world wide name of the target port in the same fabric as the encryption engine.
• Target Port Name: The name of the target port in the same fabric as the encryption engine.
• Target Node WWN: The world wide name of the target node in the same fabric as the encryption engine.
• Target Node Name: The name of the target device.
FIGURE 42 Select Hosts dialog box
The dialog box contains the following information:
• Hosts in Fabric table: Lists the available hosts in the fabric.
• Selected Hosts table: Lists the hosts that have been selected to access the target.
• Port WWN: The world wide name of the host ports that are in the same fabric as the encryption engine.
• Node WWN: The world wide name of the host nodes that are in the same fabric as the encryption engine.
• Right arrow button: Moves a host from the Hosts in Fabric table to the Selected Hosts table.
• Left arrow button: Removes a host from the Selected Hosts table.
• Add button: Click to manually add host port world wide names or host node world wide names to the Selected Hosts table.
8. Select hosts using either of the following methods:
a.
FIGURE 44 Confirmation dialog box
The screen contains the following information:
• Encryption Engine: The slot location of the encryption engine.
• Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
• Target Device Port: The world wide name of the target device port.
• Host Node WWN: The world wide name of the host node.
• Host Port WWN: The world wide name of the host port.
FIGURE 45 Configuration Status screen
The screen contains the following information:
• Device: The device type (target or host).
• Device Port WWN: The port world wide name.
• Represented by VI/VT: The virtual target (VT) mapped to the physical target, or the virtual initiator (VI) representing the host.
• VI/VT Port WWN: The port world wide name of the virtual target or virtual initiator.
FIGURE 46 Next Steps screen
The screen contains the following information:
• Important Instructions: Instructions about post-configuration tasks you must complete after you close the wizard. For example, you must zone the physical hosts and the target together, and then encrypt the LUNs using the Storage Device LUNs dialog box.
• Copy to Clipboard button: Saves a copy of the instructions.
• Print button: Prints the configuration.
14.
NOTE
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays (Figure 47).
FIGURE 47 Encryption Targets dialog box
3. Select a target storage device from the list, then click Hosts. The Encryption Target Hosts dialog box displays (Figure 48). The Hosts in Fabric table lists the configured hosts in a fabric.
NOTE
Both the Host Ports in Fabric table and the Selected Hosts table now contain a Port ID column to display the 24-bit PID of the host port.
4. Select one or more hosts in a fabric using either of the following methods:
a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table. (The Port WWN column contains all target information that displays when using the nsshow command.)
b.
Adding target disk LUNs for encryption
You can add a new path to an existing disk LUN, or add a new LUN and path, by launching the Add New Path wizard.
NOTE
Before you can add a target disk LUN for encryption, you must first configure the Storage Arrays. For more information, see “Configuring storage arrays” on page 71.
Complete the following steps to add a target disk LUN:
1.
• Fabric
• State
• Thin Provision LUN
• Encryption Mode
• Encrypt Existing Data
• Key ID
• Remove button: Removes a selected entry from the table.
3. Click Add to launch the Add New Path wizard. The Select Target Port dialog box displays (Figure 50).
FIGURE 50 Select Target Port dialog box
The dialog box is used to select a target port when configuring multiple I/O paths to a disk LUN.
FIGURE 51 Select Initiator Port dialog box
The dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.
• Host: The host selected from the LUN view prior to launching the wizard.
FIGURE 52 Select LUN dialog box
The dialog box is used to select a LUN when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: The Storage Array selected from the LUN view prior to launching the Add New Path wizard.
• Host: The host selected from the LUN view prior to launching the Add New Path wizard.
9. Click Finish. The new LUN path is added to the Encryption Disk LUN View table.
10. Click OK on the LUN view to commit the operation.
NOTE
With the introduction of Fabric OS v7.1.0, the maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. The 512 LUN operations can be for the same LUN or spread across as many as 25 distinct LUNs. This change in the commit limit applies only when using BNA.
Configuring storage arrays
The Storage Array contains a list of storage ports that will be used later in the LUN centric view. You must assign storage ports from the same storage array for multi-path I/O purposes. On the LUN centric view, storage ports in the same storage array are used to get the associated CryptoTarget containers and initiators from the database.
SRDF pairs
Remote replication is implemented by establishing a synchronized pair of SRDF devices connected by FC or IP links. A local source device is paired with a remote target device while data replication is taking place. While the SRDF devices are paired, the remote target device is not locally accessible for read or write operations. When the data replication operation completes, the pair may be split to enable normal read/write access to both devices.
Note the following when using the New LUN option:
• Both LUNs that form an SRDF pair must be added to their containers using the New LUN option.
• For any site, all paths to a given SRDF device must be configured with the New LUN option.
• All LUNs configured with the New LUN option report three blocks less than the actual size when the host performs READ CAPACITY 10/READ CAPACITY 16.
FIGURE 55 Encryption Targets dialog box
3. Select a target tape storage device from the Encryption Targets table, then click LUNs. The Encryption Target Tape LUNs dialog box displays (Figure 56).
FIGURE 56 Encryption Target Tape LUNs dialog box
4. Click Add. The Add Encryption Target Tape LUNs dialog box displays (Figure 57). A table of all LUNs in the storage device that are visible to hosts is displayed.
FIGURE 57 Add Encryption Target Tape LUNs dialog box
5. Select a host from the Host list. Before you encrypt a LUN, you must select a host, then either discover LUNs that are visible to the virtual initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host. When you select a specific host, only the LUNs visible to that host are displayed.
• Enable Read Ahead: When selected, enables read pre-fetching on this tape LUN. Use this option to speed long serial read operations from tape, especially for remote restore operations.
NOTE
The Select/Deselect All button allows you to select or deselect all available LUNs.
8. Select the desired encryption mode. Options are: Native Encryption, DF-Compatible Encryption, and Cleartext.
Configuring encrypted tape storage in a multi-path environment
This example assumes one host is accessing one storage device using two paths:
• The first path is from Host Port A to Target Port A, using Encryption Engine A for encryption.
• The second path is from Host Port B to Target Port B, using Encryption Engine B for encryption.
Encryption Engines A and B are in switches that are already part of Encryption Group X.
Tape LUN write early and read ahead
The tape LUN write early and read ahead feature uses tape pipelining and prefetch to speed serial access to tape storage. These features are particularly useful when performing backup and restore operations, especially over long distances. You can enable tape LUN write early and read ahead while adding the tape LUN for encryption, or you can enable or disable these features after the tape LUN has been added for encryption.
FIGURE 59 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early
4. In the Enable Write Early Ack and Enable Read Ahead columns, when the table is populated, you can set these features as desired for each LUN:
• To enable write early for a specific tape LUN, select Enable Write Early Ack for that LUN.
• To enable read ahead for a specific LUN, select Enable Read Ahead for that LUN.
Viewing and clearing tape container statistics
You can view LUN statistics for an entire crypto tape container or for specific LUNs. To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a group from the Encryption Center Devices table, then select Group > Targets from the menu task bar.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
• Compressed blocks: The number of compressed blocks written to tape.
• Uncompressed Bytes: The number of uncompressed bytes written to tape.
• Compressed Bytes: The number of compressed bytes written to tape.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
A Refresh button updates the statistics on the display since the last reset.
4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays (Figure 63). The statistics for the selected LUN or LUNs are displayed. Tape LUN statistics are cumulative.
FIGURE 63 Tape LUN Statistics dialog box
The dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
NOTE
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays (Figure 64). A list of configured crypto target containers is displayed.
FIGURE 64 Encryption Targets dialog box
3. Select Tape as the container type for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays (Figure 65).
• Uncompressed Bytes: The number of uncompressed bytes written to tape.
• Compressed Bytes: The number of compressed bytes written to tape.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
4. Do either of the following:
• Click Clear to clear the tape LUN statistics for member LUNs in the container, then click Yes to confirm.
• Click Refresh to update the tape LUN statistics on the display.
Rebalancing an encryption engine
To rebalance an encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select an engine, then select Engine > Re-Balance from the menu task bar. A warning message displays, noting the potential disruption of disk and tape I/O, and that the operation may take several minutes.
3. Click Yes to begin rebalancing.
Active master key
The active master key is used to encrypt newly created data encryption keys (DEKs) prior to sending them to a key vault to be stored. You can restore the active master key under the following conditions:
• The active master key has been lost, which happens if all encryption engines in the group have been zeroized or replaced with new hardware at the same time.
• You want multiple encryption groups to share the same active master key.
• Create new master key: Enabled when no master key exists, or the previous master key has been backed up. Refer to “Creating a master key” on page 93. You must create a new master key when the status is Required but not created.
NOTE
If a master key was not created, Not Used is displayed as the status and the Master Key Actions list is grayed out. In this case, you must create a new master key.
Additional master key statuses are: Backed up but not propagated and Created and backed up.
6. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
7. Re-enter the passphrase for verification, then click OK.
ATTENTION
Save the passphrase. This passphrase is required if you ever need to restore the master key from the file.

Saving a master key to a key vault
Use the following procedure to save the master key to a key vault.
1.
6. Re-enter the passphrase for verification, then click OK. A dialog box displays that shows the Key ID. The Key ID identifies the storage location in the key vault.
7. Store both the Key ID and the passphrase in a secure place. Both will be required to restore the master key in the future.
8. Click OK after you have copied the Key ID.

Saving a master key to a smart card set
1.
8. Enter the mandatory last name and first name of the person to whom the card is assigned.
9. Enter a Card Password.
10. Re-enter the password for verification.
11. Record and store the password in a secure location.
12. Click Write Card. You are prompted to insert the next card, up to the number of cards specified in step 5.
13. Repeat step 6 through step 12 for each card in the set.
14. After the last card is written, click OK in the Master Key Backup dialog box to finish the operation.
FIGURE 69 Select a Master Key to Restore (from file) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select File as the Restore From location.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.

Restoring a master key from a key vault
Use the following procedure to restore the master key from a key vault:
1.
FIGURE 70 Select a Master Key to Restore (from key vault) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select Key Vault as the Restore From location.
6. Enter the key ID of the master key that was backed up to the key vault.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.
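To make the key hierarchy behind these backup and restore steps concrete, here is an added Python model (not Brocade's code; the guide does not specify the switch's wrapping algorithm, so an HMAC-based authenticated stream cipher stands in for it): DEKs are wrapped under the active master key and stored by Key ID, the master key is backed up under a passphrase of 8 to 40 characters, and after zeroization no DEK can be unwrapped until the same passphrase restores the master key. The class, function names and Key ID format are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# Stand-in for the switch's real wrapping algorithm (not specified in the guide):
# keystream = HMAC-SHA256(key, nonce || counter), encrypt-then-MAC with an HMAC tag.
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into a keystream of the requested length."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for the given plaintext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong key fails loudly instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"wrap-tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key/passphrase or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionGroup:
    """Hypothetical model of an encryption group's master key / DEK hierarchy."""

    def __init__(self) -> None:
        self.active_master_key = os.urandom(32)  # held only inside the encryption engines
        self.key_vault = {}  # Key ID -> wrapped DEK; stands in for the DPM key vault

    def create_dek(self) -> tuple:
        """Create a DEK, wrap it under the active master key and store it by Key ID."""
        dek = os.urandom(32)
        wrapped = wrap(self.active_master_key, dek)
        key_id = hashlib.sha256(wrapped).hexdigest()[:16]  # constructed Key ID format
        self.key_vault[key_id] = wrapped
        return key_id, dek

    def fetch_dek(self, key_id: str) -> bytes:
        """Unwrap a stored DEK; fails after zeroization until the master key is restored."""
        if self.active_master_key is None:
            raise RuntimeError("no active master key: restore it from a backup first")
        return unwrap(self.active_master_key, self.key_vault[key_id])

    def backup_master_key(self, passphrase: str) -> bytes:
        """Back up the master key to a file-style blob protected by a passphrase."""
        if not 8 <= len(passphrase) <= 40:  # length rule stated in the guide
            raise ValueError("passphrase must be between 8 and 40 characters")
        salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, 32)
        return salt + wrap(kek, self.active_master_key)

    def zeroize(self) -> None:
        """Zeroizing every engine in the group at once destroys the active master key."""
        self.active_master_key = None

    def restore_master_key(self, backup: bytes, passphrase: str) -> None:
        """Restore from a backup; only the passphrase used at backup time succeeds."""
        salt, blob = backup[:16], backup[16:]
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, 32)
        self.active_master_key = unwrap(kek, blob)  # raises before assignment if wrong
```

Restoring the same backup into a second EncryptionGroup is the "share the same active master key" case: both groups can then unwrap DEKs from the same vault.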
FIGURE 71 Select a Master Key to Restore (from a recovery set of smart cards) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select A Recovery Set of Smart Cards as the Restore From location.
6. Insert the recovery card containing a share of the master key that was backed up earlier, and wait for the card serial number to appear.
7. Enter the password that was used to create the card.
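As an added illustration of what "a share of the master key" on a recovery card means (not Brocade's implementation; the guide does not describe its sharing algorithm), the following Python splits a master key into per-card shares with Shamir secret sharing so that any quorum of cards recovers it while fewer cannot. The function names and the card serial numbers are constructed.

```python
import secrets

# Shamir secret sharing over a prime field, used here as an illustrative
# threshold scheme for a recovery set of cards (not the switch's actual scheme).
PRIME = 2**521 - 1  # Mersenne prime; any 256-bit master key is a field element
KEY_LEN = 32


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial at x (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_master_key(master_key: bytes, cards: int, quorum: int) -> list:
    """Write `cards` shares; any `quorum` of them rebuild the key.

    Returns (card_serial, share) pairs; the serial doubles as the x-coordinate.
    """
    if not 1 <= quorum <= cards:
        raise ValueError("quorum must be between 1 and the number of cards")
    secret = int.from_bytes(master_key, "big")
    # constant term is the secret; the other quorum-1 coefficients are random
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    return [(serial, _eval_poly(coeffs, serial)) for serial in range(1, cards + 1)]


def recover_master_key(shares) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the presented cards.

    With fewer than `quorum` cards the result is a random field element; it is
    detected here because such a value almost never fits in KEY_LEN bytes.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same card was presented twice")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if secret >> (8 * KEY_LEN):
        raise ValueError("insufficient or mismatched shares: master key not recovered")
    return secret.to_bytes(KEY_LEN, "big")
```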
Security Settings
Security settings help you identify if system cards are required to initialize an encryption engine and also determine the number of authentication cards needed for a quorum.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar. The Select Security Settings dialog box displays.
NOTE
Zeroizing an engine affects the I/Os, but all target and LUN configuration remains intact. Encryption target configuration data is not deleted.
You can zeroize an encryption engine only if it is enabled (running), or disabled but ready to be enabled. If the encryption engine is not in one of these states, an error message results.
Using the Encryption Targets dialog box
The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage.
NOTE
The Encryption Targets dialog box enables you to launch a variety of wizards and other related dialog boxes.
Redirection zones
It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can only be created if the host and target are in the same zone.
Provided that the crypto configuration is not left uncommitted (because of other crypto configuration changes, or because of a failed device decommission operation issued on an encryption group leader node), this error message will not be seen for any device decommission operation issued serially on an encryption group member node.
In order to delete keys from the key vault, you need to know the Universal ID (UUID). To display vendor-specific UUIDs of decommissioned key IDs, complete the following procedure:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a switch from the Encryption Center Devices table, then select Switch > Decommissioned key IDs from the menu task bar.
Displaying Universal IDs
In order to delete keys from the key vaults, you need to know the Universal ID (UUID) associated with the decommissioned disk LUN key IDs. To display the Universal IDs, complete the following procedure:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
Setting disk LUN Re-key All
To rekey all disk LUNs on an encryption node, complete these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select the switch on which to perform a manual re-key from the Encryption Center Devices table, then select Switch > Re-Key All from the menu task bar (Figure 75).
FIGURE 76 Pending manual rekey operations

Viewing disk LUN rekeying details
You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
FIGURE 77 Encryption Target Disk LUNs dialog box
4. Click Add. The Add Disk LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to the hosts.
5. Click Re-keying Details. The LUN Re-keying Details dialog box displays. The dialog box contains the following information:
• Key ID: The LUN key identifier.
• Key ID State: The state of the LUN rekeying operation.
Viewing the progress of manual rekey operations
To monitor the progress of manual rekey operations, complete these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select an encryption group from the Encryption Center Devices table, then select Group > Re-Key Sessions from the menu task bar.
• Current LBA: The Logical Block Address (LBA) of the block that is currently being written.
• Number of Blocks: The number of blocks written.
• Thin Provision LUN: Identifies if the new LUN is a thin provisioned LUN. Options are:
  • Yes: Thin provision support is limited to Brocade-tested storage arrays. The thin provision LUN status will be displayed as Yes for supported storage arrays only.
  • No: Shown as No if the LUN is not a thin provisioned LUN.
Thin Provisioning support
Thin-provisioned logical unit numbers (LUNs) are increasingly used to support a pay-as-you-grow strategy for data storage capacity. Also known as dynamic provisioning, virtual LUNs, or thin LUNs, the same technology that allows storage administrators to allocate physical disk space to LUNs on an as-needed basis creates limitations around certain data-at-rest encryption operations that use the Brocade Encryption Switch or blade.
FIGURE 79 Time left for auto rekey
Viewing and editing switch encryption properties
To view switch encryption properties, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
• Switch Status: The health status of the switch. Options are:
  • Healthy
  • Marginal
  • Down
  • Unknown
  • Unmonitored
  • Unreachable
• Switch Membership Status: The alert or informational message description, which details the health status of the switch. Options are:
  • Group Member
  • Leader-Member Comm Error
  • Discovering
  • Not a member
• Encryption Group: The name of the encryption group to which the switch belongs.
• Key Vault User Name button: (TEKA key vault only.) Shown as inactive.
• Public Key Certificate Request text box: The switch’s KAC certificate signing request, which must be signed by a certificate authority (CA). The signed certificate must then be imported onto the switch and onto the primary and backup key vaults.
• Export button: Exports the public key certificate in CSR format to an external file for signing by a certificate authority (CA).
Importing a signed public key certificate from properties
To import a signed public key certificate, complete the following steps.
1. Click Import. The Import Signed Certificate dialog box displays (Figure 81).
FIGURE 81 Import Signed Certificate dialog box
2. Enter or browse to the file containing the signed certificate, then click OK. The file is imported onto the switch.
NOTE
If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar.
The Encryption Group Properties dialog box includes several tabs that are used to configure the various functions for encryption groups. All tabs are visible for all key vault types, with one exception: the Link Keys tab is visible only if the key vault type is NetApp LKM.
General tab
The General tab (Figure 83) is viewed from the Encryption Group Properties dialog box. To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.
When the first encryption engine comes back online, the encryption group’s failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.
Members tab
The Members tab lists group switches, their role, and their connection status with the group leader. The table columns are not editable. The tab displays the configured membership for the group and includes the following:
• Node WWN: The member switch’s world wide name.
• IP Address: The switch’s IP address or host name.
• Node Name: The switch’s node name, if known. If unknown, this field is blank.
FIGURE 84 Encryption Group Properties dialog box - Members tab

Members tab Remove button
You can click the Remove button to remove a selected switch or group from the encryption group table.
• You cannot remove the group leader unless it is the only switch in the group. If you remove the group leader, BNA also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.
Table 2 explains the impact of removing switches.

TABLE 2 Switch removal impact
Switch configuration                                                             Impact of removal
The switch is the only switch in the encryption group.                           The encryption group is also removed.
The switch has configured encryption targets on encryption engines.
The switch is configured to encrypt traffic to one or more encryption targets.   The target container configuration is removed.
FIGURE 85 Encryption Group Properties dialog box - Security tab
The dialog box contains the following information:
• Master Key Status: Displays the status of the master key. Possible values are:
  - Not used: Displays when LKM is the key vault.
  - Required but not created: Displays when a master key needs to be created.
  - Created but not backed up: Displays when the master key needs to be backed up.
• Registered Authentication Cards table: Lists the registered authentication cards by Group Card number, Card ID, the name of the person to whom the card is assigned, and optional notes.
• Register from Card Reader button: Launches the Add Authentication Card dialog box.
• Register from Archive button: Launches the Add Authentication Card dialog box.
• Right- and Left-arrow buttons: You can select an encryption engine in the Non-HA Encryption Engines table and click the Right-arrow button to add the encryption engine to the High-Availability Clusters. (If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster.) Similarly, you can select an encryption engine in the High-Availability Clusters table and click the Left-arrow button to remove it from a cluster.
Tape Pools tab
Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools.
• To add a tape pool, click Add, then complete the Add Tape Pool dialog box.
• To remove an encryption switch or engine from a tape pool, select one or more tape pools listed in the table, then click Remove.
• To modify a tape pool, you must remove the entry, then add a new tape pool.
All encryption engines in the encryption group share the tape pool definitions. Tapes can be encrypted by any encryption engine in the group where the container for the tape target LUN is hosted. The tape media is mounted on the tape target LUN. Tape pool definitions are not needed to read a tape: the tape contains enough information (encryption method and key ID) to read it. Tape pool definitions are only used when writing to tape.
4. Based on your selection, do one of the following:
• If you selected Name as the Tape Pool Label Type, enter a name for the tape pool. This name must match the tape pool label or tape ID that is configured on the tape backup/restore application.
• If you selected Number as the Tape Pool Label Type, enter a (hex) number for the tape pool. This number must match the tape pool label or tape number that is configured on the tape backup/restore application.
FIGURE 90 Encryption Group Properties Dialog Box - Engine Operations Tab
NOTE
You cannot replace an encryption engine if it is part of an HA Cluster.

Encryption-related acronyms in log messages
Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 3 lists some of those acronyms.
Chapter 3 Configuring Encryption Using the CLI
In this chapter
• Overview
• Command validation checks
• Command RBAC permissions and AD types
• Cryptocfg Help command output
• Management LAN configuration
Overview
This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch or an FS8-18 Encryption blade in a DCX Backbone chassis to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch and DCX Backbone chassis have been done as part of the initial hardware installation, including setting the management port IP address.
5. PortMember: allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD.

Command RBAC permissions and AD types
Two RBAC roles are permitted to perform Encryption operations.
TABLE 4 Encryption command RBAC availability and admin domain type¹ (Continued)
Command name                User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createhacluster             N     OM     N         N             N           OM            N                   N               Disallowed
createtapepool              N     OM     N         N             N           OM            N                   N               Disallowed
decommission                N     OM     N         N             N           OM            N                   N               Disallowed
deletecontainer             N     OM     N         N             N           OM            N                   N               Disallowed
deletedecommissionedkeyids  N     OM     N         N             N           O
TABLE 4 Encryption command RBAC availability and admin domain type (Continued)

Command name | User | Admin | Operator | Switch Admin | Zone Admin | Fabric Admin | Basic Switch Admin | Security Admin | Admin Domain
rebalance | N | OM | N | N | N | OM | N | N | Disallowed
reclaim | N | OM | N | N | N | OM | N | N | Disallowed
recovermasterkey | N | OM | N | N | N | N | N | OM | Disallowed
refreshdek | N | OM | N | N | N | N | N | OM | Disallowed
regEE | N | OM | N | N | N | N | N | OM | Disallowed
regKACcert | N | OM
Cryptocfg Help command output

All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options.

switch:admin> cryptocfg --help
Usage:
cryptocfg --help -nodecfg:   Display the synopsis of node parameter configuration.
cryptocfg --help -groupcfg:  Display the synopsis of group parameter configuration.
cryptocfg --help -hacluster: Display the synopsis of
cryptocfg --help -devicecfg: Display the synopsis of
cryptocfg --help -transcfg:  Display the synopsis of
Configuring cluster links

Each encryption switch or FS8-18 blade has two gigabit Ethernet ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports are bonded together as a single virtual network interface. Only one IP address is used. The ports provide link layer redundancy, and are collectively referred to as the cluster link.
DHCP: Off
eth0: 10.33.54.208/20
eth1: none/none
Gateway: 10.33.48.1

NOTE
The IP address of the cluster link should be configured before enabling the encryption engine for encryption.
5. Reregister the node with the group leader using the new IP address.
Steps for connecting to a DPM appliance

All switches you plan to include in an encryption group must have a secure connection to the Data Protection Manager (DPM). The following procedure is a suggested order of steps for creating a secure connection to DPM.

NOTE
The Brocade Encryption Switch will not use the Identity Auto Enrollment feature supported with DPM 3.x servers. You must complete the identity enrollment manually to configure the DPM 3.x server with the Brocade Encryption Switch.
Initializing the Fabric OS encryption engines

You must perform a series of encryption engine initialization steps on every Fabric OS encryption node (switch or blade) that is expected to perform encryption within the fabric.

NOTE
The initialization process overwrites any authentication data and certificates that reside on the node and the security processor.
6. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot number if the encryption engine is a blade. This step registers the encryption engine with the CP or chassis. Successful execution results in a certificate exchange between the encryption engine and the CP through the FIPS boundary.

SecurityAdmin:switch> cryptocfg --regEE
Operation succeeded.

7. Enable the encryption engine by entering the cryptocfg --enableEE command.
3. Request the signed certificate. Generally, a public key, the signed KAC certificate, and a signed CA certificate are returned.
4. Download and store the signed certificates.

The following example submits a CSR to the demoCA from RSA.

cd /opt/CA/demoCA
openssl x509 -req -sha1 -CAcreateserial -in certs/ -days 365 -CA cacert.pem -CAkey private/cakey.
Uploading the CA certificate onto the DPM appliance (and first-time configurations)

Install the signing authority certificate (CA certificate) on the DPM appliance.
1. Start a web browser and connect to the DPM appliance setup page. You will need the URL, the proper authority level, a user name, and a password.
2. Select the Operations tab.
3. Select Certificate Upload.
4. In the SSLCAcertificateFile field, enter the full local path of the CA certificate.
i. Repeat step a through step h for each key class.
j. Click Finish.

Uploading the KAC certificate onto the DPM appliance (manual identity enrollment)

NOTE
The Brocade Encryption Switch will not use the identity auto enrollment feature that is supported with DPM 3.x servers. You must complete the identity enrollment manually to configure the DPM 3.x server with the Brocade Encryption Switch.
To create a Brocade encryption group, complete the following steps:
1. Identify one node (a Brocade Encryption Switch or DCX Backbone chassis with an FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin.
2. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and can include any alphanumeric characters and underscores.
• Registration File: This file is created as /etc/fabos/certs/sw0/DpmReg_. The registration file contains the current registration status of the client. A sample registration file before successful registration with the DPM server is provided.

client.registration_state = 0
client.actmgmt_enable = 0
client.app_name = B10_00_00_05_1e_53_89_eb
client.
Setting heartbeat signaling values

Encryption group nodes use heartbeat signaling to communicate with one another and with their associated key vaults. The default heartbeat signaling values are three retries (heartbeat misses) with a two-second timeout (heartbeat timeout) between each retry.
Adding a member node to an encryption group

During the initialization phase, a set of key pairs and certificates is generated on every node. The certificates are used for mutual identification and authentication with other group members and with DPM. Every device must have a certificate to participate in the deployment of encryption services. Some devices must have each other's certificates in order to communicate.
5. Use the cryptocfg --import command to import the CP certificates to the group leader node. You must import the CP certificate of each node you wish to add to the encryption group. The following example imports a CP certificate named "enc_switch1_cp_cert.pem" that was previously exported to the external host 192.168.38.245. Certificates are imported to a predetermined directory on the group leader.
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.
SecurityAdmin:switch> cryptocfg --reg -keyvault primary

NOTE
If you are using a DPM cluster for high availability, the IP address you specify is the virtual IP address of the DPM cluster.

4. As the switches come up, enable the encryption engines.

SecurityAdmin:switch> cryptocfg --enableEE
Operation succeeded.
Key Vault Type: DPM
Primary Key Vault:
IP address: 10.33.54.160
Certificate ID: HPDPM_CA1
Certificate label: DPMCERT
State: Connected
Type: DPM
Secondary Key Vault not configured
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name                  IP address      Role
10:00:00:05:1e:41:9a:7e    10.32.244.71    GroupLeader(current node)
10:00:00:05:1e:39:14:00    10.32.244.60    MemberNode

6.
SecurityAdmin:switch> cryptocfg --show -groupmember -all
NODE LIST
Total Number of defined nodes:2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.
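The group-membership output above is the evidence an operator inspects before trusting an encryption group. The following is an added example (not Brocade code) of a small parser plus health check for that text, run over a constructed copy of the output: it confirms that the group state is CLUSTER_STATE_CONVERGED, that the node count matches the "Total Number of defined nodes" line, that exactly one node carries the GroupLeader role and that it matches the "Group Leader Node Name" line, and that every node is in DEF_NODE_STATE_DISCOVERED. The second sample and its CLUSTER_STATE_DEGRADED value are constructed to exercise the failure path; the certificate file names are assumptions.

```python
from __future__ import annotations

EXPECTED_GROUP_STATE = "CLUSTER_STATE_CONVERGED"
EXPECTED_NODE_STATE = "DEF_NODE_STATE_DISCOVERED"


def parse_groupmember(text: str) -> dict:
    """Parse 'cryptocfg --show -groupmember -all' output into a summary.

    Each line is 'Key: value'; a 'Node Name:' line opens a new node block and the
    following State/Role/IP Address/Certificate lines belong to that node.
    """
    summary = {"total_defined": None, "leader": None, "group_state": None, "nodes": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # WWN values contain ':' so split once only
        key, value = key.strip(), value.strip()
        if key == "Total Number of defined nodes":
            summary["total_defined"] = int(value)
        elif key == "Group Leader Node Name":
            summary["leader"] = value
        elif key == "Encryption Group state":
            summary["group_state"] = value
        elif key == "Node Name":
            current = {"wwn": value.split()[0], "current": "(current node)" in value}
            summary["nodes"].append(current)
        elif current is not None and key in ("State", "Role", "IP Address", "Certificate"):
            current[key.lower().replace(" ", "_")] = value
    return summary


def check_group(text: str) -> list[str]:
    """Return a list of problems; an empty list means the group looks healthy."""
    s = parse_groupmember(text)
    issues = []
    if s["group_state"] != EXPECTED_GROUP_STATE:
        issues.append(f"group state is {s['group_state']}, expected {EXPECTED_GROUP_STATE}")
    if s["total_defined"] != len(s["nodes"]):
        issues.append(f"{s['total_defined']} nodes defined but {len(s['nodes'])} listed")
    leaders = [n for n in s["nodes"] if n.get("role") == "GroupLeader"]
    if len(leaders) != 1 or leaders[0]["wwn"] != s["leader"]:
        issues.append("GroupLeader entry does not match 'Group Leader Node Name'")
    for n in s["nodes"]:
        if n.get("state") != EXPECTED_NODE_STATE:
            issues.append(f"node {n['wwn']} is in state {n.get('state')}")
    return issues


# Constructed sample, using the node WWNs and addresses shown in this chapter.
HEALTHY = """NODE LIST
Total Number of defined nodes:2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.pem
Node Name: 10:00:00:05:1e:39:14:00
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc_switch1_cp_cert.pem
"""

# Constructed failure case: a made-up group state and a node count that does not match.
DEGRADED = HEALTHY.replace("CLUSTER_STATE_CONVERGED", "CLUSTER_STATE_DEGRADED").replace(
    "Total Number of defined nodes:2", "Total Number of defined nodes:3")

if __name__ == "__main__":
    print("healthy:", check_group(HEALTHY) or "no issues")
    print("degraded:", check_group(DEGRADED))
```

Run this against captured CLI output before committing HA cluster or container changes; the guide's later procedures (creating HA clusters, moving containers, manual rekeying) all require the group members to be online and converged.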
• HA clusters of FS8-18 blades should not include blades in the same DCX Backbone chassis.

NOTE
In Fabric OS 6.3.0 and later, HA cluster creation is blocked when encryption engines belonging to FS8-18 blades in the same DCX Backbone chassis are specified.

• Cluster links must be configured before creating an HA cluster. Refer to the section "Configuring cluster links" on page 131 for instructions.
• Configuration changes must be committed before they take effect.
NOTE
An HA cluster configuration must have two encryption engines before you can commit the transaction with the cryptocfg --commit command. To commit an incomplete HA cluster, you can force the commit operation by issuing cryptocfg --commit -force. Use the forced commit with caution, because the resulting configuration will not be functional and provides no failover/failback capability.

Adding an encryption engine to an HA cluster
1.
[old slot number] [new slot number]:

HA cluster name: dthac - 2 EE entries
Status: Committed
HAC State: Converged
WWN                        Slot Number    Status
10:00:00:05:1e:39:a6:7e    4              Online
10:00:00:05:1e:c1:06:63    0              Online

sw153114:FID128:admin> cryptocfg --replace -haclustermember dthac 10:00:00:05:1e:39:a6:7e 4 10:00:00:05:1e:39:a6:7e 12
EE Node WWN                Slot Number    Local/Remote
10:00:00:05:1e:39:a6:7e    12             Local
Operation succeeded.
TABLE 5 Group-wide policies

Policy name: Failover policy
cryptocfg --set parameters: -failbackmode auto | manual
Description: •

Policy name: Heartbeat misses
cryptocfg --set parameters: -hbmisses value
Description: Sets the number of heartbeat misses allowed in a node that is part of an encryption group before the node is declared unreachable and the standby takes over. The default value is 3. The range is 3-14 in integer increments only.
Re-exporting a master key

With the introduction of Fabric OS v7.0.0, you can export master keys to the key vault multiple times instead of only once. The ability to export the master key more than once enables you to recover the master key when needed. For example, prior to Fabric OS 7.0.0, if you forgot the passphrase that was used to export the master key, you were not able to recover the master key from the key vault.
Enter passphrase:
Confirm passphrase:
Master key exported.
MasterKey ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7e
Exported Key ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7e

Exporting an additional key ID

Example: Subsequent master key exports.

SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter passphrase:
Confirm passphrase:
Master key exported.
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:93
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:94
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:95
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:96
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:97
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:98
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:99
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9a
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9b
Operation succeeded.
Enabling the encryption engine

Enable the encryption engine by entering the cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade.
No HA cluster membership
EE Attributes:
Media Type : DISK
EE Slot: 12
SP state: Online
Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc
Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d
HA Cluster Membership: hacDcx3
EE Attributes:
Media Type : DISK

Zoning considerations

When encryption is implemented, frames sent between a host and a target LUN are redirected to a virtual target within an encryption switch or blade.
Frame redirection zoning

Name Server-based frame redirection enables the Brocade Encryption Switch or blade to be deployed transparently to hosts and targets in the fabric. NS-based frame redirection is enabled as follows:
• You first create a zone that includes the host (H) and target (T). This may cause temporary traffic disruption to the host.
• You then create a CryptoTarget container for the target and configure the container to allow access to the initiator.
Redirect: No
The Local Name Server has 1 entry }

The nsshow command shows all devices on the switch, and the output can be lengthy. To retrieve only the initiator PWWN, do a pattern search of the output based on the initiator Port ID (a hex number). In the following example, the PID is 010600, where 01 indicates the domain and 06 the port number.

FabricAdmin:switch> nsshow | grep 0106
N 010600; 2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na

3. Determine the target PWWN.
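A grep on "0106" matches that string anywhere in the output, including inside WWNs, so a practitioner who scripts this step usually parses the Name Server entry lines instead. The following is an added example (not Brocade code) of such a parser: it recognises the "<type> <PID>; <COS>;<port WWN>;<node WWN>; <TTL>" entry lines of nsshow, splits a PID into domain, area/port and AL_PA, and returns the port WWNs whose PID starts with a given prefix. The sample output is constructed; the initiator entry is the one shown above, the second entry reuses the target WWNs from the container example later in this chapter, and the fabric port name and port indexes are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One Name Server entry line as printed by nsshow:
#   <type> <PID>; <COS>;<port WWN>;<node WWN>; <TTL>
_WWN = r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}"
_ENTRY = re.compile(
    r"^\s*(?P<kind>NL?)\s+(?P<pid>[0-9a-fA-F]{6});\s*(?P<cos>[^;]*);"
    r"\s*(?P<pwwn>" + _WWN + r");\s*(?P<nwwn>" + _WWN + r");"
)


@dataclass(frozen=True)
class NsEntry:
    kind: str   # "N" = N_Port, "NL" = NL_Port (arbitrated loop)
    pid: str    # 24-bit Port ID as six hex digits
    cos: str    # classes of service advertised by the device
    pwwn: str   # port WWN
    nwwn: str   # node WWN


def split_pid(pid: str) -> tuple[int, int, int]:
    """Split a Port ID into (domain, area/port, AL_PA); 010600 -> (1, 6, 0)."""
    value = int(pid, 16)
    return (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF


def parse_nsshow(text: str) -> list[NsEntry]:
    """Return the device entries in nsshow output; FC4s/Port Index/... lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(NsEntry(m["kind"], m["pid"].lower(), m["cos"].strip(),
                                   m["pwwn"].lower(), m["nwwn"].lower()))
    return entries


def pwwns_for_pid_prefix(text: str, prefix: str) -> list[str]:
    """Port WWNs whose PID starts with prefix, e.g. '0106' = domain 1, port 6."""
    prefix = prefix.lower()
    return [e.pwwn for e in parse_nsshow(text) if e.pid.startswith(prefix)]


# Constructed nsshow output with two entries (initiator and target).
SAMPLE_NSSHOW = """{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    FC4s: FCP
    Fabric Port Name: 20:06:00:05:1e:41:4e:1d
    Permanent Port Name: 10:00:00:00:c9:2b:c9:3a
    Port Index: 6
    Redirect: No
 N    010700;        3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    FC4s: FCP
    Port Index: 7
    Redirect: No
The Local Name Server has 2 entries }
"""

if __name__ == "__main__":
    for e in parse_nsshow(SAMPLE_NSSHOW):
        domain, port, alpa = split_pid(e.pid)
        print(f"{e.kind} pid={e.pid} domain={domain} port={port} pwwn={e.pwwn}")
    print("initiator PWWN:", pwwns_for_pid_prefix(SAMPLE_NSSHOW, "0106"))
```

Matching on the PID field rather than on the whole line avoids picking up a device whose WWN happens to contain the same hex digits, which matters when the WWNs are then fed into zonecreate and cryptocfg --add -initiator.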
7. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.

FabricAdmin:switch> zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"

8. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.

FabricAdmin:switch> cfgcreate itcfg, itzone

9.
FIGURE 91 Relationship between initiator, virtual target, virtual initiator and target

CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with potentially catastrophic scenarios where different policies exist for each path of the LUN, or a situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the secured realm of the encryption plat
You may be prompted to rebalance during the following operations:
• When adding a new disk or tape target container.
• When removing an existing disk or tape target container.
• After failover to a backup encryption engine in an HA cluster.
• After a failed encryption engine in an HA cluster is recovered, and failback processing has taken place.

To rebalance an encryption engine, do the following.
1. Log in to the switch as Admin or FabricAdmin.
2.
The following example creates a disk container named my_disk_tgt1. The initiator is added in step 3.

FabricAdmin:switch> cryptocfg --create -container disk my_disk_tgt \
10:00:00:00:05:1e:41:9a:7e 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
Operation Succeeded

3. Add an initiator to the CryptoTarget container. Enter the cryptocfg --add -initiator command followed by the initiator port WWN and the node WWN.
zone: red_1109_brcd200c00062b0f726d200200051e414e1d
        10:00:00:00:c9:2b:c9:3a; 20:0c:00:06:2b:0f:72:6d;
        20:02:00:05:1e:41:4e:1d; 20:00:00:05:1e:41:4e:1d
zone: red_______base
        00:00:00:00:00:00:00:01; 00:00:00:00:00:00:00:02;
        00:00:00:00:00:00:00:03; 00:00:00:00:00:00:00:04

Effective configuration:
cfg: itcfg
zone: itzone
        10:00:00:00:c9:2b:c9:3a
        20:0c:00:06:2b:0f:72:6d

NOTE
You may view the frame redirection zone with the cfgshow command, but you cannot use the zone f
Deleting a CryptoTarget container

You may delete a CryptoTarget container to remove the target port from a given encryption switch or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from the fabric. Before deleting a container, be aware of the following:
• Stop all traffic to the target port for which the CryptoTarget container is being deleted.
Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption engines must be part of the same fabric and the same encryption group, and the encryption engines must be online for this operation to succeed. This operation permanently transfers the encryption engine association of a given CryptoTarget container from an existing encryption engine to an alternate encryption engine.
CAUTION
When configuring a LUN with multiple paths (which means the LUN is exposed and configured on multiple CryptoTarget containers located on the same encryption switch or blade, or on different encryption switches or blades), the same LUN policies must be configured on all LUN paths. Failure to configure all LUN paths with the same LUN policies results in data corruption.
Configuring a Crypto LUN

You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. The LUNs of the target that are not enabled for encryption must still be added to the CryptoTarget container with the cleartext policy option. You can add a single LUN to a CryptoTarget container, or you can add multiple LUNs by providing a range of LUN numbers.
3. Commit the configuration.

FabricAdmin:switch> cryptocfg --commit
Operation Succeeded

CAUTION
When configuring a LUN with multiple paths, do not commit the configuration before you have added all the LUNs with identical policy settings and in sequence to each of the CryptoTarget containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 198.

4.
The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (I/O size from the host) must be at least 1 K less than the maximum supported backend block size (usually 1 MB). This is typically the case, as label operations are small I/O operations.
TABLE 6 LUN parameters and policies (Continued)

Policy name: Write Early Ack
Command parameters: -write_early_ack disable|enable
Disk LUN: No
Tape LUN: Yes
Modify?: Tape only. Disk: No
Description: Specifies the Tape Write pipelining mode of the LUN. Two Write Pipelining modes are supported:
• disable - Early acknowledgement of commands (internal buffering) for a tape LUN is disabled.
• enable - Early acknowledgement of commands (internal buffering) for a tape LUN is enabled.
a. Discover the LUN.

FabricAdmin:switch> cryptocfg --discoverLUN my_tape_tgt
Container name: my_tape_tgt
Number of LUN(s): 1
Host: 10:00:00:00:c9:2b:c9:3a
LUN number: 0x0
LUN serial number:
Key ID state: Key ID not Applicable

b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption. There is a maximum of eight tape LUNs per initiator in a container.
Removing a LUN from a CryptoTarget container

You can remove a LUN from a given CryptoTarget container if it is no longer needed. Stop all I/O traffic from the initiators accessing the LUN before removing the LUN, to avoid I/O failure between the initiators and the LUN. If the LUN is exposed to more than one initiator under different LUN numbers, remove all exposed LUN numbers.
1. Log in to the group leader as Admin or FabricAdmin.
2.
Operation Succeeded

3. Commit the configuration.

FabricAdmin:switch> cryptocfg --commit
Operation Succeeded

CAUTION
When configuring a LUN with multiple paths, do not commit the configuration before you have modified all the LUNs with identical policy settings and in sequence for each of the CryptoTarget containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 198.
Impact of tape LUN configuration changes

LUN-level policies apply when no policies are configured at the tape pool level.
If a LUN is removed while undergoing decommission or while in a decommission failed state, or if a container hosting the LUN is deleted, you must use the -force option on the commit operation (cryptocfg --commit -force). Failure to do so causes the commit operation to fail, and a "decommission in progress" error is displayed. Upon successful completion of a decommissioning operation, the LUN is deleted from all containers hosting it, and all active paths to the LUN are lost.
• If you are running Fabric OS 7.1.0 and you want to downgrade to an earlier Fabric OS version (for example, Fabric OS 7.0.x) after decommissioning a disk LUN, it is recommended that you remove the decommissioned key ID from the key vault before performing the downgrade. Otherwise, if the LUN is added back for encryption, the LUN will go to the disabled state because the key state is decommissioned in the key vault.
NOTE
Failure to rekey the secondary LUN might result in loss of data on the secondary LUN after the primary LUN is decommissioned.

Decommissioning mirror R2 LUNs only

To decommission the secondary LUN, complete the following steps:
1. Log in as Admin or FabricAdmin.
2. Split the R1/R2 sync.
3. Make the R2 LUN write-enabled.
4. Decommission the R2 LUN.
Force-enabling a decommissioned disk LUN for encryption

When trying to re-use primary or secondary replicated LUNs, you must first decommission the LUNs. When trying to re-use a decommissioned LUN, you must:
1. Delete the keys from the key vault.
2. Log in as Admin or FabricAdmin.
3. Delete the decommissioned LUN IDs from the Brocade Encryption Switch.
e. Display the decommissioned key IDs.
1. Log in to the switch that hosts the LUN as Admin or FabricAdmin.
2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN number, and the initiator PWWN.

FabricAdmin:switch> cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded

SRDF LUNs

The Symmetrix Remote Data Facility (SRDF) transmits data that is being written to a local Symmetrix array to a remote Symmetrix array.
vault, the key vaults must be synchronized to ensure the availability of the DEK at the remote site. Both sites may share the same key vault, which eliminates the need for synchronization across sites. Depending on the distance between sites, sharing a key vault might add some latency when retrieving a key.
CAUTION
Do not add a node running an earlier Fabric OS version to an encryption group that is running version 6.4.0 or later if remote replication is enabled. Also, be aware that a Fabric OS 6.4.0 configuration file is not blocked from being downloaded to a node running an earlier Fabric OS version.

Adding replication LUNs

Replication LUNs must be added to the container with the -newLUN option.
Using SRDF, TimeFinder and RecoverPoint with encryption

The EMC Symmetrix Remote Data Facility (SRDF), TimeFinder (TF), and RecoverPoint (RP) work together to provide reliable and efficient data recovery from a remote data facility:
• SRDF transmits data that is being written to a local Symmetrix array to a remote Symmetrix array. The replicated data facilitates a fast switchover to the remote site for data recovery.
4. Make a note of the master key's ID. The master key ID can be obtained by running the following command:

SecurityAdmin:switch> cryptocfg --show -localEE

NOTE
The master key is being exported from the local site so it can be recovered and utilized by the EG at the remote site. If the local and remote sites are both part of the same encryption group and therefore share the same DPM cluster, this step is not required.
Steps for dealing with these scenarios are described in the following sections devoted to using SRDF, TimeFinder (TF) and RecoverPoint (RP) with the Brocade encryption solution.

Creating new source LUNs that can later be replicated

Use the following command to create a new source LUN capable of later replication. This command must be completed once for every path/container that has access to the source LUN:
1. Log in as Admin or FabricAdmin.
2.
NOTE
All paths to the new SRDF/TF/RP source LUN must be added to their containers with the -newLUN option.

3. Commit the configuration.
4. Wait until the LUN is in encryption enabled state.
5. Copy the data from the old LUN to the new LUN using the EMC host-based PPME (PowerPath Migration Enabler) application. Information on PPME can be found on the EMC Powerlink website: http://powerlink.emc.com

OPTION 2 (data migration for cleartext source LUNs)
1.
Synchronizing source and target LUN SRDF/RP pairs

This section describes the proper procedure for establishing the local/remote LUN pair in an SRDF or RP environment.

NOTE
The remote/target LUNs must be added to their CryptoTarget Containers (CTCs) only after the local site LUNs' encryption setup has been completed.

1. If necessary, create the remote/R2 LUN at the remote site, ensuring that it is identical in size to the local/R1 site LUN.
7. Verify that the Replication LUN type of the local/R1 LUNs is "Primary" and that of the remote/R1 LUNs is "Mirror."
8. Take all remote target ports associated with CTCs through which the remote LUNs are accessible offline.

NOTE
If the DEK is not synchronized between the local/R1 site and the remote/R2 site, the remote/R2 LUN will automatically become disabled.
Configuring SRDF Gatekeeper LUNs

Gatekeeper LUNs used by SYMAPI on the host for configuring SRDF using in-band management must be added to their containers with a LUN state of cleartext, encryption policy of cleartext, and without the -newLUN option.

SRDF/TF/RP manual rekeying procedures

The following topics describe encryption rekeying procedures relative to SRDF, TF, and RP.
5. Wait until the rekey operation on the source LUN has completed. If the source LUN has a rekeying error of any type, the TF source/target LUN pair should not be established/synchronized. The source LUN rekey must complete successfully before the source/target pair is re-established.
6.
6. After confirming that the rekey has completed on the source LUN, perform the following to re-establish the source-to-target LUN replication:
a. Remove the target LUN access by disabling all remote site target ports with access to the target LUN.
3. During the rekeying operation, if desired, you can enable the remote target ports so the target LUNs can be accessed by the remote hosts in read-only mode.
4. Issue a manual rekey request for the source LUN.

FabricAdmin:switch> cryptocfg --manual_rekey

5. Wait until the rekey operation on the source LUN has completed.
Rekeying remote site (R2) SRDF LUNs

To rekey an R2 LUN, you must first do an SRDF role reversal. Complete the following steps to reverse the R1/R2 LUN functional roles:
1. Issue the SRDF role swap command to change the old R1 LUN to the new R2 LUN and the old R2 LUN to the new R1 LUN.
2. Split the SRDF pair.
3. Issue the cryptocfg --manual_rekey -include_mirror command on the new R1 LUN (old R2 LUN).
6. Verify that the DEKs are synched up from the local site DPM cluster to the remote site DPM cluster.

NOTE
In all operations prior to enabling the RP source/target LUN consistency group, ensure that the DEKs are synchronized between the local and remote site key vaults.

Behavior with hosts writing beyond reported capacity

If a host writes beyond the reported capacity of a source or destination LUN, it can cause the LUN to become disabled when exposed.
• The tape pool label created on the encryption switch or blade must be the same tape pool label configured on the tape backup application.
• Refer to the tape backup product documentation for detailed instructions for creating tape pool labels and numbers.
===========================================================
pool number: 0
pool name: None
description: the None pool
pool host: ANYHOST
pool user: ANY
pool group: NONE
===========================================================

4. Use the pool number as the tape pool number on the encryption switch or blade.

NetWorker labeling

NetWorker does not allow underscore characters in tape pool names.
5. Configure the tape pool on your backup application with the same tape pool label you used to create the tape pool on the encryption switch or blade. Refer to the manufacturer's product documentation for instructions.
6. On your backup application, label the tape media to assign to the tape pool. Refer to the manufacturer's product documentation for instructions.
Impact of tape pool configuration changes

Tape pool-level policies overrule policy configurations at the LUN level; LUN-level policies apply only when no policies are configured at the tape pool level.
Multi-path LUN configuration example

Figure 93 on page 199 shows a single LUN on a dual-port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration.

FIGURE 93 A LUN accessible through multiple paths

The following steps may be used to configure multiple path access to the LUN in Figure 93.
1.
b. Create a CryptoTarget container (CTC2) for target port 2 to be hosted on the encryption engine of encryption switch 2.

FabricAdmin:switch> cryptocfg --create -container disk CTC2 \
0

c. Add host port 1 to the container CTC1.

FabricAdmin:switch> cryptocfg --add -initiator \

d. Add host port 2 to the container CTC2.
b. Add the same LUN to the CryptoTarget container CTC2. Use exactly the same LUN state and policy settings that you used for the LUN added to CTC1.

FabricAdmin:switch> cryptocfg --add -LUN CTC2 0 \
-lunstate cleartext -encryption_format native -encrypt \
-enable_encexistingdata -enable_rekey 10

NOTE
The LUN policies must be exactly the same on both CTC1 and CTC2. Failure to do so results in undefined behavior and data corruption.

6.
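The multi-path cautions in the Crypto LUN configuration section and the CTC1/CTC2 example above both come down to one rule: every path to a LUN must carry identical policy settings before the configuration is committed. The following is an added example (not Brocade code) of a pre-commit check that enforces that rule offline. It turns the option string given to cryptocfg --add -LUN into a policy mapping, groups the configured paths by LUN serial number (the value reported by cryptocfg --discoverLUN), and reports which policy keys differ between paths. The paths, the serial number reuse and the deliberately mismatched -enable_rekey value are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LunPath:
    container: str            # CryptoTarget container name, e.g. CTC1
    lun_number: int           # LUN number as exposed through this container
    serial: str               # LUN serial number (same physical LUN on every path)
    policy: dict[str, str]    # option -> value, as parsed by policy_from_args


def policy_from_args(args: str) -> dict[str, str]:
    """Map the '-option value' tokens of cryptocfg --add -LUN to a dict.

    Options given without a value (for example -encrypt) are recorded as 'yes'.
    """
    tokens = args.split()
    policy: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        key = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            policy[key] = tokens[i + 1]
            i += 2
        else:
            policy[key] = "yes"
            i += 1
    return policy


def find_policy_mismatches(paths: list[LunPath]) -> dict[str, list[str]]:
    """Return {serial: [differing policy keys]} for LUNs whose paths disagree."""
    by_serial: dict[str, list[LunPath]] = {}
    for p in paths:
        by_serial.setdefault(p.serial, []).append(p)
    mismatches: dict[str, list[str]] = {}
    for serial, group in by_serial.items():
        if len(group) < 2:
            continue  # single-path LUN: nothing to compare
        keys = set().union(*(p.policy.keys() for p in group))
        # A key is inconsistent if its value (or absence) differs between paths.
        differing = sorted(k for k in keys if len({p.policy.get(k) for p in group}) > 1)
        if differing:
            mismatches[serial] = differing
    return mismatches


def safe_to_commit(paths: list[LunPath]) -> bool:
    return not find_policy_mismatches(paths)


# Constructed sample: the policy string from the CTC1/CTC2 example, one LUN on two paths.
POLICY = "-lunstate cleartext -encryption_format native -encrypt -enable_encexistingdata -enable_rekey 10"
SERIAL = "50002AC000BC0A50"   # serial number format as shown by cryptocfg --discoverLUN

CONSISTENT = [
    LunPath("CTC1", 0, SERIAL, policy_from_args(POLICY)),
    LunPath("CTC2", 0, SERIAL, policy_from_args(POLICY)),
]

# Constructed failure case: the second path was added with a different rekey interval.
MISMATCHED = [
    LunPath("CTC1", 0, SERIAL, policy_from_args(POLICY)),
    LunPath("CTC2", 0, SERIAL, policy_from_args(POLICY.replace("-enable_rekey 10", "-enable_rekey 30"))),
]

if __name__ == "__main__":
    print("consistent paths safe to commit:", safe_to_commit(CONSISTENT))
    print("mismatches:", find_policy_mismatches(MISMATCHED))
```

The check is deliberately keyed on the LUN serial number rather than on the LUN number, because the same LUN may be exposed under different LUN numbers on different paths.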
First-time encryption

First-time encryption, also referred to as encryption of existing data, is similar to the rekeying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first-time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA) location.
Thin provisioned LUNs

With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover whether a disk LUN is a thin provisioned LUN. Support for thin provisioned LUNs is limited to disk containers only.

NOTE
Currently, thin provisioned LUN support is limited to Brocade-tested storage arrays. The thin provisioned LUN status will be displayed as Yes for supported storage arrays running specific supported firmware versions only.
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectivity state: Connected
Key ID state: Key ID not Applicable

FabricAdmin:switch> cryptocfg --show -rekey -all
LUN number: 0x0
LUN serial number: 50002AC002E70A50
TP LUN: Yes
Rekey session number: 0
Percentage complete: 98
Rekey state: Read Phase
Rekey role: Primary/Active
Block size: 512
Number of blocks: 4194304
Current LBA: 4141617

FabricAdmin:switch> cryptocfg --show -LUN tpdisk 0 10:00:00:00:c9:29:0f:01 -stat
LUN number:
Data rekeying
In a rekeying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted with a new key, and written back to the same LUN at the same logical block address (LBA). This process effectively re-encrypts the LUN and is referred to as "in-place rekeying." It is recommended that you limit rekeying to the following situations:
• Key compromise as a result of a security breach.
Configuring a LUN for automatic rekeying
Rekeying options are configured at the LUN level, either during LUN configuration with the cryptocfg --add -LUN command or later with the cryptocfg --modify -LUN command. For rekeying of a disk array LUN, the Crypto LUN is configured as follows:
• Set the LUN policy to either cleartext or encrypt.
• If cleartext is enabled (the default), all encryption-related options are disabled and no DEK is associated with the LUN.
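The two rules above (the same policy on every container of a multi-path LUN, and no encryption-related options with a cleartext policy) are easy to get wrong by hand. The following is an added example, not code from the Brocade guide: it builds the cryptocfg --add -LUN command for every container from one policy object, rejects the option combinations the guide disallows, and diffs the "Field: value" output of cryptocfg --show -LUN from two containers to catch drift after the fact. The -cleartext and -disable_rekey option names and the policy field names of the show output ("LUN state", "Rekey interval", ...) are assumptions for this example; only the options shown on this page are taken from the guide. The show output embedded below is constructed, not captured from a switch.

```python
# Added example, not code from the Brocade guide: keep multi-path Crypto LUN policies
# identical across containers, and audit two containers' show output for drift.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LunPolicy:
    """Policy options for cryptocfg --add -LUN / --modify -LUN.

    lunstate: what is on the LUN now ("cleartext" or "encrypted").
    encrypt:  True -> -encrypt policy, False -> cleartext policy (no DEK).
    The -cleartext and -disable_rekey option names are assumed; the guide only
    shows -encrypt and -enable_rekey <days> on this page.
    """
    lunstate: str
    encrypt: bool
    encryption_format: str = "native"
    enable_encexistingdata: bool = False
    enable_rekey: Optional[int] = None   # rekey interval in days

    def validate(self) -> None:
        if self.lunstate not in ("cleartext", "encrypted"):
            raise ValueError(f"unknown lunstate {self.lunstate!r}")
        if self.encryption_format not in ("native", "DF_compatible"):
            raise ValueError(f"unknown encryption_format {self.encryption_format!r}")
        if self.enable_rekey is not None and self.enable_rekey <= 0:
            raise ValueError("rekey interval must be a positive number of days")
        # cleartext policy: no DEK is associated with the LUN, so no encryption option applies
        if not self.encrypt and (self.enable_encexistingdata or self.enable_rekey is not None):
            raise ValueError("cleartext policy disables all encryption-related options")

    def to_args(self) -> List[str]:
        args = ["-lunstate", self.lunstate]
        if not self.encrypt:
            return args + ["-cleartext"]
        args += ["-encryption_format", self.encryption_format, "-encrypt"]
        if self.enable_encexistingdata:
            args.append("-enable_encexistingdata")
        if self.enable_rekey is not None:
            args += ["-enable_rekey", str(self.enable_rekey)]
        else:
            args.append("-disable_rekey")
        return args


def is_valid(policy: LunPolicy) -> bool:
    try:
        policy.validate()
        return True
    except ValueError:
        return False


def add_lun_commands(containers: List[str], lun: int, policy: LunPolicy) -> List[str]:
    """One command per container, built from a single policy so they cannot drift."""
    policy.validate()
    args = " ".join(policy.to_args())
    return [f"cryptocfg --add -LUN {c} {lun} {args}" for c in containers]


def parse_show_lun(text: str) -> Dict[str, str]:
    """Parse the 'Field: value' lines printed by cryptocfg --show -LUN."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


# Policy-related field names of the show output are assumed for this example.
POLICY_FIELDS = ("LUN state", "Encryption format", "Encrypt existing data", "Rekey interval")


def policy_drift(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Policy fields whose values differ between two containers hosting the same LUN."""
    return {f: (a.get(f), b.get(f)) for f in POLICY_FIELDS if a.get(f) != b.get(f)}


# Constructed show output for the two containers (not captured from a real switch).
SHOW_CTC1 = """LUN number: 0x0
LUN serial number: 50002AC000BC0A50
LUN state: Encryption enabled
Encryption format: native
Encrypt existing data: enabled
Rekey interval: 10
"""
SHOW_CTC2 = SHOW_CTC1.replace("Rekey interval: 10", "Rekey interval: 30")   # drifted on purpose

if __name__ == "__main__":
    for cmd in add_lun_commands(["CTC1", "CTC2"], 0, LunPolicy("cleartext", True, "native", True, 10)):
        print(cmd)
    print("drift:", policy_drift(parse_show_lun(SHOW_CTC1), parse_show_lun(SHOW_CTC2)))
```

Run the drift check on the real show output of each container before the commit that brings the second path online; a non-empty result is exactly the condition the NOTE above warns leads to data corruption.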
Initiating a manual rekey session
You can initiate a rekeying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. Manual rekeying is useful when a key is compromised and you want to re-encrypt the existing data on the LUN before taking action on the compromised key.
Current LBA: 488577
Operation succeeded.
Suspension and resumption of rekeying operations
A rekey may be suspended or fail to start for several reasons:
• The LUN goes offline or the encryption switch fails and reboots. Rekey operations resume automatically when the target comes back online or the switch comes back up. You cannot abort an in-progress rekey operation.
• An unrecoverable error is encountered on the LUN and the in-progress rekey operation halts.
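First-time encryption, in-place rekeying and resumption after an interruption are one mechanism seen from three angles: a session walks the LUN by LBA, rewrites each block in place, and remembers the Current LBA it has reached. The following is an added example, not code from the Brocade guide, that models that mechanism on a constructed 16-block LUN. It performs first-time encryption (cleartext in, ciphertext out at the same LBA), starts a rekey from key 1 to key 2, stops it part-way as a switch reboot would, resumes from the saved Current LBA, and shows why resuming from LBA 0 instead would corrupt the data. The block cipher is a stand-in built from an HMAC-SHA256 keystream, not the AES the switch uses; the keys, block count and status field names are assumptions for the example, with the field names copied from the cryptocfg --show -rekey -all output above.

```python
# Added example, not code from the Brocade guide: a model of first-time encryption and
# in-place rekeying, block by block at the same LBA, with the "Current LBA" progress
# pointer that lets an interrupted session resume where it stopped.  The cipher is a
# stand-in (HMAC-SHA256 keystream per LBA); the switch itself uses AES.
import hashlib
import hmac
from typing import Dict, List, Optional

BLOCK_SIZE = 512


def _keystream(key: bytes, lba: int) -> bytes:
    """Toy per-block keystream derived from (key, LBA). Not a real disk cipher."""
    out = b""
    counter = 0
    while len(out) < BLOCK_SIZE:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:BLOCK_SIZE]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Lun:
    """A LUN as fixed-size blocks addressed by LBA; writes land at the same LBA."""
    def __init__(self, blocks: List[bytes]):
        if any(len(b) != BLOCK_SIZE for b in blocks):
            raise ValueError("every block must be BLOCK_SIZE bytes")
        self.blocks = list(blocks)

    def read(self, lba: int) -> bytes:
        return self.blocks[lba]

    def write(self, lba: int, data: bytes) -> None:
        self.blocks[lba] = data


class RekeySession:
    """Primary/Active session. old_key=None models first-time encryption: the data is
    cleartext, so the read side skips decryption and only the write side encrypts."""
    def __init__(self, lun: Lun, old_key: Optional[bytes], new_key: bytes, start_lba: int = 0):
        self.lun, self.old_key, self.new_key = lun, old_key, new_key
        self.current_lba = start_lba      # next LBA to process; survives an interruption
        self.state = "Read Phase"

    def step(self) -> bool:
        """Rekey one block in place; return False once the whole LUN is done."""
        if self.current_lba >= len(self.lun.blocks):
            self.state = "Completed"
            return False
        lba = self.current_lba
        data = self.lun.read(lba)
        if self.old_key is not None:                       # decrypt with the current key
            data = _xor(data, _keystream(self.old_key, lba))
        self.lun.write(lba, _xor(data, _keystream(self.new_key, lba)))   # re-encrypt, same LBA
        self.current_lba += 1
        return True

    def run(self, max_blocks: Optional[int] = None) -> int:
        """Run to completion, or stop after max_blocks to simulate a switch reboot."""
        done = 0
        while (max_blocks is None or done < max_blocks) and self.step():
            done += 1
        return done

    def status(self) -> Dict[str, object]:
        """The fields cryptocfg --show -rekey -all reports for the session."""
        n = len(self.lun.blocks)
        return {"Rekey state": self.state, "Block size": BLOCK_SIZE, "Number of blocks": n,
                "Current LBA": self.current_lba, "Percentage complete": self.current_lba * 100 // n}


def read_through(lun: Lun, key: bytes) -> List[bytes]:
    """What a host sees through an encryption engine holding `key` for this LUN."""
    return [_xor(b, _keystream(key, lba)) for lba, b in enumerate(lun.blocks)]


def first_time_then_resumed_rekey(interrupt_after: int):
    """Encrypt a constructed cleartext LUN, start a rekey, interrupt it, resume from the
    saved Current LBA. Returns (data intact after the resume, status at interruption)."""
    plain = [bytes([i]) * BLOCK_SIZE for i in range(16)]      # constructed cleartext LUN
    k1, k2 = b"DEK-1" * 4, b"DEK-2" * 4                        # constructed keys
    lun = Lun(plain)
    RekeySession(lun, None, k1).run()                          # first-time encryption
    if read_through(lun, k1) != plain:
        raise RuntimeError("first-time encryption did not round-trip")
    session = RekeySession(lun, k1, k2)
    session.run(max_blocks=interrupt_after)                    # switch reboots mid-rekey
    paused = session.status()
    RekeySession(lun, k1, k2, start_lba=paused["Current LBA"]).run()   # automatic resume
    return read_through(lun, k2) == plain, paused


def restart_from_zero_corrupts(interrupt_after: int) -> bool:
    """Why the progress pointer matters: re-running the rekey from LBA 0 over a
    half-rekeyed LUN decrypts the already-rekeyed blocks with the wrong key."""
    plain = [bytes([i]) * BLOCK_SIZE for i in range(16)]
    k1, k2 = b"DEK-1" * 4, b"DEK-2" * 4
    lun = Lun(plain)
    RekeySession(lun, None, k1).run()
    RekeySession(lun, k1, k2).run(max_blocks=interrupt_after)
    RekeySession(lun, k1, k2).run()                            # wrong: starts over at LBA 0
    return read_through(lun, k2) != plain


if __name__ == "__main__":
    intact, paused = first_time_then_resumed_rekey(10)
    print("status at interruption:", paused)
    print("data intact after resume:", intact, "| restart from 0 corrupts:", restart_from_zero_corrupts(10))
```

The model is why the guide forbids changing a LUN's configuration while a rekey is active and why an in-progress rekey cannot simply be aborted: between Current LBA and the end of the LUN the blocks are still under the old key, and only the saved pointer tells the engine which key applies to which LBA.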
Chapter 4 Deployment Scenarios
In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target
Figure 94 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster
Figure 95 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 95, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN; the Ge0 and Ge1 gigabit Ethernet ports on each switch are attached to this LAN.
In Figure 96, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.
...failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 98 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Fabric OS encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster
The configuration details are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are two encryption switches, one in each fabric (no HA cluster).
• There is one DEK cluster and one encryption group.
Deployment in Fibre Channel routed fabrics
In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_Port connections (Figure 100), or it may form the backbone fabric and directly provide the EX_Port connections (Figure 101). The encryption resources can be shared with the host and target edge fabrics using device sharing between the backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device automatically creates the frame redirection zone, consisting of the host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric
In this deployment, the encryption switch is connected to either the host or the target edge fabric. The backbone fabric may contain a 7800 extension switch or an FX8-24 blade in a DCX or DCX 8510 Backbone, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 102).
Deployment with FCIP extension switches
Encryption switches may be deployed in configurations that use extension switches, or extension blades within a DCX or DCX 8510 Backbone, to enable long-distance connections. Figure 103 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide for information about creating FCIP configurations.
Data mirroring deployment
Figure 104 shows a data mirroring deployment. In this configuration, the host knows only about target1 and LUN1, and the I/O path to target1 and LUN1. When data is sent to target1, it is written to LUN1 and also sent on to LUN2 for replication. Target1 acts as an initiator to enable the replication I/O path.
If metadata is not present on the LUN
In very rare cases, when remote replication mode is not enabled, metadata may not be present on the LUN. Beginning with Fabric OS version 6.4.0, this problem is eliminated by enabling remote replication mode. Remote replication mode may be enabled either from BNA (refer to "Remote replication LUNs" on page 71) or from the command line interface (refer to "Enabling remote replication mode" on page 181).
VMware ESX server deployments
VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 105 shows a VMware ESX server with two guest operating systems, where each guest accesses the fabric over a separate host port.
Figure 106 shows a VMware ESX server with two guest operating systems that access the fabric over a shared port. To enable this, each guest is assigned a virtual port. There are two paths to the target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5 Best Practices and Special Topics
In this chapter
• Firmware upgrade and downgrade considerations
• Configuration upload and download considerations
• HP-UX considerations
• AIX considerations
• Enabling a disabled LUN
Firmware upgrade and downgrade considerations
Before upgrading or downgrading firmware, consider the following:
• The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured.
• Guidelines for firmware upgrade of encryption switches, and of a DCX Backbone chassis with encryption blades, deployed in a DEK cluster with no HA cluster (each node hosting one path):
  - Upgrade one node at a time.
  - In the case of active/active arrays, the upgrade order of the nodes does not matter, but you still must upgrade one node at a time.
5. Start the firmware download (upgrade) on node 1 (BES1). Refer to the Fabric OS Administrator's Guide to review firmware download procedures.
6. After the firmware download is complete and node 1 (BES1) is back up, make sure the encryption engine is online.
7. On node 1 (BES1), initiate a manual failback of the CryptoTarget containers and associated LUNs from node 2 (BES2) to node 1 (BES1) by issuing the following command.
Information not included in an upload
The following certificates will not be present when the configuration is downloaded:
• External certificates imported on the switch:
  - key vault certificate
  - peer node/switch certificate
  - authentication card certificate
• Certificates generated internally:
  - KAC certificate
  - CP certificate
  - FIPS officer and user certificates
The Authentication Quorum size is included in the configuration upload for read-only p
Configuration download at an encryption group member
Switch-specific configuration information pertaining to the member switch or blade is applied. Information specific to the encryption group leader is filtered out.
Steps after configuration download
For all opaque key vaults, restore, or generate and back up, the master key. In a multiple-node encryption group, the master key is propagated from the group leader node.
1. Use the following command to enable the encryption engine.
For HP-UX multi-path configurations:
• Add LUN 0 as a cleartext LUN.
• Make sure to configure a dummy LUN 0 for each host accessing multi-path LUNs through CTCs in the encryption switch.
cryptocfg --add -LUN 0
Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
Decommissioning in an EG containing mixed modes
If you have an encryption group (EG) that contains mixed nodes (for example, one member node running Fabric OS 7.0.0 and another running Fabric OS 6.4.2), you might notice that after you decommission a LUN, the decommissioned Key IDs are not displayed on the node running v6.4.2, even though the decommission operation was successful.
Tape data compression
Data is compressed by the encryption switch or blade before encryption only if the tape device supports compression and compression is explicitly enabled by the host backup application. If the tape device supports compression but the host backup application has not enabled it, the encryption switch or blade does not compress the data before encrypting it.
Tape block zero handling
Block zero of the tape media is not encrypted; the data in block zero is sent to the tape device as cleartext, with the block zero metadata header prefixed to it.
Tape key expiry
When the tape key of a native pool expires in the middle of a write operation on the tape, the key continues to be used for the duration of that write operation so that the data can be appended to the tape media.
• To enable host MPIO, LUNs must also be available through a second target port, hosted on a second encryption switch or on the same encryption switch or encryption engine. The second encryption switch can be in the same fabric or in a different fabric.
• Hosts should be able to access LUNs through multiple ports for redundancy.
Ensure uniform licensing in HA clusters
Licenses installed on the nodes should allow for identical performance numbers between HA cluster members.
Tape library media changer considerations
In tape libraries where the media changer unit is addressed by a target port that is separate from the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and CryptoTarget containers for the SCSI I/O ports.
Turn off compression on extension switches
We recommend disabling data compression on FCIP links that might carry encrypted traffic: encrypted data is effectively incompressible, so compression does not yield the expected ratio and can cause performance problems. We also recommend disabling tape pipelining and fastwrite on an FCIP link that transports encrypted traffic.
Rekeying best practices and policies
Rekeying should be done only when necessary.
Do not change LUN configuration while rekeying
Never change the configuration of any LUN that belongs to a CryptoTarget container while the rekeying process for that LUN is active. If you change the LUN's settings during manual or automatic rekeying or first-time encryption, the system reports a warning stating that the encryption engine is busy and that a forced commit is required for the changes to take effect.
Changing IP addresses in encryption groups
Generally, once IP addresses are assigned to the Ge0 and Ge1 ports, they should not be changed. If an encryption group member node IP address must be changed, refer to "IP Address change of a node within an encryption group" on page 132.
FIGURE 107 Fan-in ratios with performance license installed
The fan-in ratio for a target can be higher depending on the maximum bandwidth accepted by the target. If the I/O throughput across all initiator ports accessing the target port is well balanced, it is recommended that the maximum fan-in ratio be kept to 8 initiator ports to 1 target port for optimal performance. Note that this recommendation holds for initiators running at 4 Gbps or less.
Best practices for host clusters in an encryption environment
When host clusters are deployed in an encryption environment, follow these recommendations:
• If two encryption engines are part of an HA cluster, configure the host/target pair so it has different paths through both encryption engines. Avoid connecting both host/target pairs to the same encryption engine.
Chapter 6 Maintenance and Troubleshooting
In this chapter
• Encryption group and HA cluster maintenance
• Encryption group merge and split use cases
• Encryption group database manual operations
• Key vault diagnostics
• Measuring encryption performance
Encryption group and HA cluster maintenance
This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems with one or more member nodes in the group. All group-wide configuration commands are executed on the group leader. Commands that clear group-related state from an individual node are executed on that node. The commands require Admin or SecurityAdmin permissions.
FIGURE 108 Removing a node from an encryption group
The procedure for removing a node depends on the node's status within the encryption group. HA cluster membership and Crypto LUN configurations must be cleared before you can permanently remove a member node from an encryption group. To remove a node from an encryption group, complete the following steps:
1. Log in to the group leader as Admin or SecurityAdmin.
2.
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
Deleting an encryption group
You can delete an encryption group after removing all member nodes, following the procedures described in the previous section. The encryption group is deleted on the group leader after all member nodes have been removed. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
Displaying the HA cluster configuration
NOTE
The correct failover status of an HA cluster is displayed only on the HA cluster member nodes in the encryption group.
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has two HA clusters. HAC 1 is committed and has two members.
Replacing an HA cluster member
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haClusterMember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine being replaced.
FIGURE 109 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a "live" encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Performing a manual failback of an encryption engine
By default, failback occurs automatically when an encryption engine that failed is replaced or comes back online. When the manual failback policy is set in the encryption group, you must invoke a manual failback after the failed encryption engine has been restored or replaced. Failback includes all of the encryption engine's target associations.
• After the failback completes, the cryptocfg --show -hacluster -all command no longer reports an active failover.
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so causes subsequent reclaim attempts to fail.
4. Set up the member node: configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), then initialize the node with the cryptocfg --initnode command.
5.
Recovery
If the auto failback policy is set, no intervention is required. After the node has come back up, all devices and associated configurations and services that failed over earlier to N1 fail back to N3, and the node resumes its normal function. If the auto failback policy is not set, invoke a manual failback if required. Refer to "Performing a manual failback of an encryption engine" on page 252 for instructions.
• The isolation of N3 from the group leader breaks the HA cluster and the failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on either group leader, because this would require communication with the "offline" member nodes. You cannot start any rekey operations (auto or manual) on any of the nodes.
Recovery
1. Restore the connection between the nodes in the separate encryption group islands, that is, between nodes N3 and N4 and between nodes N1 and N2. When the lost connection is restored, an automatic split recovery process begins. The two group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node with the highest WWN becomes the group leader.
NOTE
The collective time allowed (the heartbeat time-out value multiplied by the number of heartbeat misses) cannot exceed 30 seconds (enforced by Fabric OS). The relationship between -hbmisses and -hbtimeout determines the total amount of time allowed before a node is declared unreachable. If a switch does not sense a heartbeat within the heartbeat timeout value, it is counted as a heartbeat miss.
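To see how the two parameters interact before changing them on a production group, the following added example (not code from the Brocade guide) computes the time to an "unreachable" declaration, rejects pairs whose product exceeds the 30-second limit, and replays a constructed list of heartbeat arrival times through the miss-counting rule in the NOTE. Treating the timeline as a sequence of fixed hbtimeout windows, and resetting the miss counter on any heartbeat, is this example's model of the rule, not a description of the switch's internal timer.

```python
# Added example, not code from the Brocade guide: the -hbtimeout / -hbmisses relationship,
# the 30-second cap on their product, and a replay of constructed heartbeat arrival times
# through that rule to see when a member node would be declared unreachable.
from typing import List, Optional

MAX_TOTAL_SECONDS = 30    # Fabric OS cap on hbtimeout * hbmisses


def time_to_unreachable(hbtimeout: int, hbmisses: int) -> int:
    """Seconds of silence before a node is declared unreachable; raise on an invalid pair."""
    if hbtimeout <= 0 or hbmisses <= 0:
        raise ValueError("hbtimeout and hbmisses must be positive integers")
    total = hbtimeout * hbmisses
    if total > MAX_TOTAL_SECONDS:
        raise ValueError(f"hbtimeout * hbmisses = {total}s exceeds the {MAX_TOTAL_SECONDS}s limit")
    return total


def is_valid_heartbeat(hbtimeout: int, hbmisses: int) -> bool:
    try:
        time_to_unreachable(hbtimeout, hbmisses)
        return True
    except ValueError:
        return False


def unreachable_at(heartbeats: List[float], hbtimeout: int, hbmisses: int, now: float) -> Optional[float]:
    """Replay heartbeat arrival times (seconds since the first window opened) from one peer.

    Each hbtimeout-long window with no heartbeat in it is one miss; a heartbeat resets the
    count (this example's model of the rule). When consecutive misses reach hbmisses the
    node is declared unreachable and the time of that declaration is returned. None means
    the peer is still considered reachable at `now`.
    """
    time_to_unreachable(hbtimeout, hbmisses)
    beats = sorted(heartbeats)
    i = misses = 0
    window_start = 0.0
    while window_start + hbtimeout <= now:
        window_end = window_start + hbtimeout
        seen = False
        while i < len(beats) and beats[i] < window_end:
            seen, i = True, i + 1
        misses = 0 if seen else misses + 1
        if misses >= hbmisses:
            return window_end
        window_start = window_end
    return None


if __name__ == "__main__":
    # Constructed timeline: a peer beats every 3 s, then goes silent after t=7.
    silent = [1, 4, 7]
    print("declared unreachable at:", unreachable_at(silent, hbtimeout=3, hbmisses=3, now=30))
    print("10 s x 3 misses allowed:", is_valid_heartbeat(10, 3), "| 10 s x 4 misses allowed:", is_valid_heartbeat(10, 4))
```

A short product (for example 3 s x 3 misses) detects a dead peer within about ten seconds but turns any brief cluster-LAN hiccup into an encryption group split with the consequences listed in the previous section; the full 30 seconds tolerates more jitter at the cost of a slower failover.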
NOTE
If one or more EG status displays as CONVERGED, contact technical support, because the following procedure will not work.
To re-converge the EG, you perform a series of steps. The following is a listing of the basic steps; it is followed by an example with the details of each step:
1. Confirm that your EG is not in a CONVERGED state.
2. Determine which GL node will remain the GL node once the EG is re-converged.
Display the encryption group state again.
Node182:admin-> cryptocfg --show -groupcfg
Node182 should now show an Encryption Group state of CLUSTER_STATE_CONVERGED. In this two-node example there is only one other node in the encryption group, and therefore only one node to deregister. When you have a 3:1 split or a 2:2 split, issue the following command from the group leader node you are keeping.
Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined.
The 2:2 EG split exception
The encryption group deletion procedure may be performed directly in every scenario except a 2:2 split. In that special case, the other encryption group island consists of one group leader and one member node.
The manual configuration recovery procedure above works nearly identically for all combinations of EG split scenarios. For the other scenarios, perform the following steps:
• Pick one EG/EG leader to be maintained.
• Using that GL node, deregister all nodes that are in a DISCOVERING state, as determined by the output of the cryptocfg --show -groupmember -all command.
• Go to the other EG islands and delete the EGs.
TABLE 8 Disallowed configuration changes
Configuration type: Crypto Device (target/LUN/tape)
Disallowed configuration changes:
• Creating a CryptoTarget container
• Adding initiators or LUNs to a CryptoTarget container
• Removing initiators or LUNs from a CryptoTarget container
• Modifying LUNs or LUN policies
• Creating or deleting a tape pool
• Modifying a tape pool policy
• Starting a manual rekeying session
• Performing a manual failback of container
Aborting a pending database transaction
You can abort a pending database transaction for any device configurations invoked earlier through the CLI or BNA interfaces by completing the following steps.
1. Use the cryptocfg --transshow command to determine the currently pending transaction ID. This command displays the pending database transaction for any device configurations invoked earlier through the CLI or BNA interfaces.
• Time of day on the switch
• Key vault client SDK version
• Timeout and retry policy for the client SDK
The key vault client SDK version and the timeout and retry policy for the client SDK can differ across encryption nodes, depending on the firmware versions they are running. This feature also reports the results of a vault connectivity check and of a validation check on key operations. These results are specific to each encryption node.
• -tx -rx displays the transmit and receive throughput of the redirected I/O.
• Interval is a numeric value (in seconds) between refreshes.
Examples of the command output are shown below. The port number shown is the user port number corresponding to the 8G-capable FC platform port facing the encryption FPGA.
NOTE
For accurate results, ensure that the encryption engines (EEs) are online before executing the command.
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command: supportsave
Activity: Check the whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log).
TABLE 10 General errors and conditions
Problem: A backup fails because the LUN is always in the initialize state for the tape container.
Resolution: Use one of two resolutions:
Problem: Tape media is encrypted and gets a key, which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
Problem: Decommissioning an R2 LUN (remote replication LUN) fails with a "Decommission LUN failed because of failure in over-writing metadata" error message.
Resolution: Check the R2 LUN state. If it is in the "Disabled (Data Decommissioning Failed)" state, this indicates that the partner R1 (local) LUN was decommissioned with the R1 and R2 LUNs in sync.
Troubleshooting examples using the CLI
Encryption Enabled CryptoTarget LUN
The LUN state must be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled CryptoTarget LUN
If the LUN state is Encryption Disabled, the host cannot access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group (page 272)
• Errors related to adding a switch to a new group (page 273)
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
TABLE 12 Error recovery instructions for adding a switch to a new group (continued)
Configuration task: Create a new master key (opaque key vaults only)
Error description: A failure occurred while attempting to create a new master key.
Configuration task: Save the switch's public key certificate to a file.
Error description: The switch's public key certificate could not be saved to a file.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Columns: Case; Reason for the LUN being disabled by the encryption switch; Action taken if you do not need to save the data; Action taken if you need to save the data.
Case 1
Reason: The LUN was modified from encrypt policy to cleartext policy, but metadata exists. The LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA cluster, or DEK cluster are powered down because of a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is kept powered down, the member nodes might lose information about the encryption group.
5. Synchronize the crypto configurations across all member nodes.
FabricAdmin:switch> cryptocfg --commit
MPIO and internal LUN states
The Internal LUN State field displayed in the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine.
1. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number, and the initiator PWWN.
FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 \
  10:00:00:05:1e:53:37:99
Operation Succeeded
2. Check the status of the resumed rekey session.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN.
3. If the replaced FS8-18 blade is in a member node, invoke the following command to reclaim the base WWN.
FabricAdmin:switch> cryptocfg --reclaimWWN -EE
4. Issue a commit.
FabricAdmin:switch> cryptocfg --commit
5. Replace the old FS8-18 blade with the new FS8-18 blade and reconnect the FC cables and I/O link cables.
6. Insert the new FS8-18 blade in the same slot of the chassis that was used by the old FS8-18 blade.
NOTE
Because the FS8-18 blade was inserted in the same slot as the previous blade, no change of HA cluster container ownership is required; the HA cluster configuration is retained.
16. If "manual" failback was set on the HA cluster, you must manually fail back the LUNs owned by the newly replaced EE.
17. Check the EG state using the following command to ensure that the entire EG is in a converged and In Sync state.
Brocade Encryption Switch removal and replacement

11. If a master key is not present, restore the master key from a backed-up copy. The procedure differs depending on the backup medium used (for example, recovery smart cards, the key vault, a file on the network, or a file on a USB-attached device). Refer to Chapter 2, "Configuring Encryption Using the Management Application."
12. Check the EE state using the following command to ensure that the EE is online.
8. Power on the new Brocade Encryption Switch. The FC cables are not yet plugged in at this point.
9. Set the IP addresses for the new Brocade Encryption Switch using the ipAddrSet command for the Mgmt and I/O links. Check that the switch name and domain ID of the replacement switch match those of the original.
10. Zeroize the new Brocade Encryption Switch using the following command.
   Admin:switch> cryptocfg --zeroizeEE
11.
21. Import the signed CSR/Cert onto the new node.
22. Register the signed KAC CSR/Cert on the new node using the following command.
   Admin:switch> cryptocfg --reg -KACcert
23. Remove the existing identity of the failed node from the DPM appliance.
24. Create an identity for the new node, and upload the new node's KAC certificate to the DPM appliance.
25. Check the EE state using the following command to ensure that the EE is online.
32. If HA cluster membership for the old Brocade Encryption Switch was not in place, move the containers to the new Brocade Encryption Switch using the following procedure.
   a. Replace the old EE with the new EE using the following command on the group leader.
      Admin:switch> cryptocfg --replace
   b. Commit the change.
      Admin:switch> cryptocfg --commit
33.
11. Enter the following command to clean up any WWN entries that were used earlier.
   Admin:switch> cryptocfg --reclaim -cleanup
12. Recreate the EG with the same name as before using the following command.
   Admin:switch> cryptocfg --create -encgroup
13. Run configdownload from the previously uploaded configuration.
14. Enable the switch using the switchenable command.
15. Deregister both key vaults using the following command.
27. Enter the following command on the new Brocade Encryption Switch:
   Admin:switch> cfgsave
28. Reconnect the FC cables to the new Brocade Encryption Switch.
29. Enter the cfgsave command on any switch in that fabric. The fabric configuration from the existing fabric is merged into the new Brocade Encryption Switch.
30. Verify that defzone is set to no access.
31. If HA cluster membership for the old Brocade Encryption Switch was in place.
Deregistering a DPM key vault

Each Brocade Encryption Switch is associated with an identity and a client on the DPM 3.2 server. Before re-registering the DPM server on the Brocade Encryption Switch, make sure the previous client entry has been removed from the DPM server. You can identify the client name of the Brocade Encryption Switch on the DPM key vault using the cryptocfg --show -groupcfg command, which displays the Client Username. A sample output is provided.
Reclaiming the WWN base of a failed Brocade Encryption Switch

When a Brocade Encryption Switch fails, follow these steps to reclaim its WWN base:
1. Locate the failed Brocade Encryption Switch and deregister it from the encryption group.
   Admin:switch> cryptocfg --dereg -membernode
2. Reclaim the WWN base of the failed Brocade Encryption Switch.
   Admin:switch> cryptocfg --reclaimWWN -membernode [-list]
3.
Downgrading firmware from Fabric OS 7.1.0

NOTE: When disabling the firmware consistency check, there must be no LUNs with a pending decommission or in a failed state. If the firmware download to a version earlier than Fabric OS 7.1.
Fabric OS and DPM Compatibility Matrix

DPM 3.1 introduces the GKA feature, which is incompatible with the RKM 2.1.1 client. DPM 3.2 resolves this incompatibility with the RKM 2.1.1 client. The DPM 3.1 client is compatible with DPM 3.x servers, but not with RKM 2.x servers. Because of the limitations of the RKM 2.1.1 client with the DPM 3.1 server, moving to the DPM 3.2 server rather than v3.1 is recommended.
Moving an encryption blade from one EG to another in the same fabric

   Admin:switch> cryptocfg --dereg -membernode
5. Enter the following command on FOS3 to clean up the encryption configuration on the deregistered node:
   Admin:switch> cryptocfg --reclaimWWN -cleanup
   When prompted, enter yes at each prompt.
6. Repeat steps 1-5 for FOS4.
7. Create a new EG on FOS3:
   a. Create the group:
      Admin:switch> cryptocfg --create -encgroup FOS3
   b. Set the key vault type.
4. Add the moved blade as a member node to EG2.

Moving an encryption switch from one EG to another in the same fabric

In this example, represented in Table 18, you have two EGs, each containing two nodes. You want to move FOS2 from EG1 to EG2.
Appendix A: State and Status Information

In this appendix:
• Encryption engine security processor (SP) states (page 293)
• Security processor KEK status (page 294)
• Encrypted LUN states (page 294)

Encryption engine security processor (SP) states

Table 19 lists the encryption engine security processor (SP) states.
Security processor KEK status

Table 20 lists security processor KEK status information.

TABLE 20 Security processor KEK status (KEK type / KEK status (1) / Description)

Primary KEK (current MK or primary KV link key)
   None          Primary KEK is not configured.
   Mismatch      Primary KEK mismatch between the CP and the SP.
   Match/Valid   Primary KEK at the CP matches the one in the SP and is valid.
Secondary KEK (alternate MK or secondary KV link key)
   None
   Mismatch
Group KEK
1.
Encrypted LUN states

TABLE 21 Encrypted LUN states (continued)

LUN_1ST_TIME_REKEY_IN_PROG    First-time rekey is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG    Key-expired rekey is in progress.
LUN_MANUAL_REKEY_IN_PROG      Manual rekey is in progress.
LUN_DECRYPT_IN_PROG           Data decryption is in progress.
LUN_WR_META_PENDING           Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING    First-time rekey is pending.
LUN_KEY_EXPR_REKEY_PENDING    Key-expired rekey is pending.
TABLE 21 Encrypted LUN states (continued)

LUN_DIS_WR_META_DONE_ERR      Disabled (write metadata completed with failure).
LUN_DIS_LUN_REMOVED           Disabled (LUN rediscovery detects that the LUN is removed).
LUN_DIS_LSN_MISMATCH          Disabled (LUN rediscovery detects a new device ID).
LUN_DIS_DUP_LSN               Disabled (duplicate LUN serial number found).
LUN_DIS_DISCOVERY_FAIL        Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE            Disabled (third-party license is required).
TABLE 22 Tape LUN states (Internal name / Console string / Explanation)

LUN_DIS_LUN_NOT_FOUND   Disabled (LUN not found)   No logical unit structure in the tape module. This is an internal software error; if it occurs, contact Brocade support.
LUN_TGT_OFFLINE         Target Offline             The target port is not currently in the fabric. Check the connections and the L2 port state.
TABLE 22 Tape LUN states (continued)

LUN_ENCRYPT             Encryption enabled         The tape medium is present and is in ciphertext (encrypted). The encryption switch or blade has full read/write access because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out whether the tape is encrypted in native mode or DataFort-compatible mode.
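The MPIO note earlier in this chapter (the internal LUN state is per encryption engine, not a path status) and the firmware-downgrade note (no LUN may be in a failed state or pending decommission) both come down to checks an operator runs over the state names listed in Tables 21 and 22. The following Python is an added example, not Brocade code and not from this guide: it classifies those state names, flags multipath LUNs whose internal state differs between engines, and refuses a downgrade when any LUN is disabled or pending decommission. The "ee=... state=..." record format, the engine notation "1/0", the second initiator PWWN and the tape container name are assumptions constructed for the example; the real cryptocfg --show -LUN output format is not reproduced here, so the parser would need to be adapted to it.

```python
"""Triage of per-engine encrypted-LUN states.

Added example; not Brocade code and not part of the Fabric OS Encryption
Administrator's Guide. The state names are copied from Tables 21 and 22.
The line format parsed below is an ASSUMPTION for this example only; it is
not the real `cryptocfg --show -LUN` output format.
"""
import re
from dataclasses import dataclass

# State names from Tables 21 and 22 of the guide.
IN_PROGRESS = {
    "LUN_1ST_TIME_REKEY_IN_PROG", "LUN_KEY_EXPR_REKEY_IN_PROG",
    "LUN_MANUAL_REKEY_IN_PROG", "LUN_DECRYPT_IN_PROG",
}
PENDING = {
    "LUN_WR_META_PENDING", "LUN_1ST_TIME_REKEY_PENDING",
    "LUN_KEY_EXPR_REKEY_PENDING",
}
# Disabled states where the device identity seen by the engine changed
# (Table 21): verify the LUN serial number before re-enabling anything.
IDENTITY_DISABLED = {
    "LUN_DIS_LUN_REMOVED", "LUN_DIS_LSN_MISMATCH", "LUN_DIS_DUP_LSN",
}


@dataclass(frozen=True)
class LunRecord:
    ee: str          # engine identifier, e.g. "1/0" (assumed notation)
    container: str   # CryptoTarget container name
    lun: int         # LUN number
    initiator: str   # initiator PWWN
    state: str       # internal LUN state name as in Tables 21/22


# Assumed record format for this example (NOT the real command output).
LINE_RE = re.compile(
    r"ee=(\S+)\s+container=(\S+)\s+lun=(0x[0-9a-fA-F]+)"
    r"\s+initiator=(\S+)\s+state=(\S+)"
)


def parse_records(text: str) -> list:
    """Return one LunRecord per matching line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(LunRecord(m[1], m[2], int(m[3], 16), m[4], m[5]))
    return records


def classify(state: str) -> str:
    """Map a state name to a triage category."""
    if state in IN_PROGRESS:
        return "in_progress"        # let the rekey/decrypt finish
    if state in PENDING:
        return "pending"            # check EE and group state
    if state in IDENTITY_DISABLED:
        return "disabled_identity"  # device identity changed: verify serial
    if state.startswith("LUN_DIS_"):
        return "disabled"           # other disabled reason (license, discovery)
    if state == "LUN_TGT_OFFLINE":
        return "target_offline"     # fabric/port problem, not a LUN problem
    if state == "LUN_ENCRYPT":
        return "ok"
    return "unknown"


def triage(records: list) -> dict:
    """Group by (container, LUN) and flag LUNs whose internal state differs
    between engines. The state is per engine, not a path status, so the
    divergence, not any single engine's value, is what to look at."""
    by_lun = {}
    for r in records:
        by_lun.setdefault((r.container, r.lun), []).append(r)
    report = {}
    for key, recs in by_lun.items():
        per_ee = {r.ee: classify(r.state) for r in recs}
        report[key] = {"per_ee": per_ee,
                       "divergent": len(set(per_ee.values())) > 1}
    return report


def downgrade_precheck(records: list, decommission_pending=()):
    """Check from the firmware-downgrade note: refuse if any LUN is in a
    failed (disabled) state or pending decommission. The tables carry no
    decommission state name, so pending decommissions are supplied by the
    operator as (container, lun) keys rather than inferred."""
    pending = set(decommission_pending)
    blocking = [r for r in records
                if classify(r.state) in ("disabled", "disabled_identity")
                or (r.container, r.lun) in pending]
    return len(blocking) == 0, blocking


# Constructed sample input. The container name and first initiator PWWN are
# taken from the guide's own resume_rekey example; the rest is made up.
SAMPLE = """\
ee=1/0 container=my_disk_tgt lun=0x0 initiator=10:00:00:05:1e:53:37:99 state=LUN_1ST_TIME_REKEY_PENDING
ee=2/0 container=my_disk_tgt lun=0x0 initiator=10:00:00:05:1e:53:37:9a state=LUN_DIS_LSN_MISMATCH
ee=1/0 container=my_disk_tgt lun=0x1 initiator=10:00:00:05:1e:53:37:99 state=LUN_MANUAL_REKEY_IN_PROG
ee=2/0 container=my_disk_tgt lun=0x1 initiator=10:00:00:05:1e:53:37:9a state=LUN_MANUAL_REKEY_IN_PROG
ee=1/0 container=tape_tgt lun=0x0 initiator=10:00:00:05:1e:53:37:99 state=LUN_ENCRYPT
ee=1/0 container=tape_tgt lun=0x1 initiator=10:00:00:05:1e:53:37:99 state=LUN_TGT_OFFLINE
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for key, info in triage(recs).items():
        flag = "  <-- states differ between engines" if info["divergent"] else ""
        print(f"{key[0]} LUN 0x{key[1]:x}: {info['per_ee']}{flag}")
    ok, blocking = downgrade_precheck(recs)
    print("downgrade precheck:", "OK" if ok else f"BLOCKED by {len(blocking)} LUN(s)")
```

Run against the constructed sample, LUN 0x0 of my_disk_tgt is reported as divergent (pending on one engine, disabled with a serial-number mismatch on the other), which is exactly the case the MPIO note warns the Internal LUN State field alone will not explain, and the downgrade pre-check is blocked by that same LUN until it is either recovered or decommissioned.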