53-1002923-01
26 July 2013

Fabric OS Encryption Administrator's Guide
Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments
Supporting Fabric OS v7.2.
Copyright © 2012 - 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

About This Document
  In this chapter (page xiii)
  How this document is organized (page xiii)
  Supported hardware and software (page xiv)
  What's new in this document (page xiv)
  Document conventions

Chapter 2 Configuring Encryption Using the Management Application
  Encryption Center features (page 14)
  Encryption user privileges (page 15)
  Smart card usage (page 16)
    Using authentication cards with a card reader (page 16)
    Registering authentication cards from a card reader

  High availability clusters (page 57)
    HA cluster configuration rules (page 57)
    Creating HA clusters (page 58)
    Removing engines from an HA cluster (page 59)
    Swapping engines in an HA cluster (page 59)
    Failback option

  Rekeying all disk LUNs manually (page 102)
    Setting disk LUN Re-key All (page 103)
    Viewing disk LUN rekeying details (page 104)
    Viewing the progress of manual rekey operations (page 106)
  Thin provisioned LUNs (page 107)
    Thin provisioning support

  Steps for connecting to an SKM or ESKM appliance (page 136)
    Configuring a Brocade group (page 136)
    Setting up the local Certificate Authority (CA) (page 137)
    Downloading the local CA certificate (page 138)
    Creating and installing the SKM or ESKM server certificate

  Crypto LUN configuration (page 173)
    Discovering a LUN (page 173)
    Configuring a Crypto LUN (page 174)
    Crypto LUN parameters and policies (page 176)
    Configuring a tape LUN (page 177)
    Removing a LUN from a CryptoTarget container

  Multiple paths, one DEK cluster, and two HA clusters (page 208)
  Multiple paths, DEK cluster, no HA cluster (page 209)
  Deployment in Fibre Channel routed fabrics (page 211)
  Deployment as part of an edge fabric (page 213)
  Deployment with FCIP extension switches (page 215)
  VMware ESX server deployments

  Rekeying best practices and policies (page 233)
    Manual rekey (page 233)
    Latency in rekey operations (page 233)
    Allow rekey to complete before deleting a container (page 233)
    Rekey operations and firmware upgrades (page 233)
    Do not change LUN configuration while rekeying

  Encryption group database manual operations (page 259)
    Manually synchronizing the encryption group database (page 259)
    Manually synchronizing the security database (page 259)
    Aborting a pending database transaction (page 260)
  Key vault diagnostics (page 260)
  Measuring encryption performance (page 261)
  General encryption troubleshooting
About This Document

In this chapter
• How this document is organized (page xiii)
• Supported hardware and software (page xiv)
• What's new in this document (page xiv)
• Document conventions (page xiv)
• Additional information
Supported hardware and software

The following hardware platforms support data encryption as described in this manual.
• Brocade DCX Backbone series chassis with an FS8-18 encryption blade.
• Brocade Encryption Switch.

What's new in this document

This document identifies any encryption changes that support Fabric OS 7.2.0.

Document conventions

This section describes text formatting conventions and important notice formats used in this document.
variable    Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...         Repeat the previous element, for example "member[;member...]".
value       Fixed values following arguments are printed in plain font. For example, --show WWN.
|           Boolean. Elements are exclusive. Example: --show -mode egress | ingress
\           Backslash. Indicates that the line continues through the line break. For command line input, type the entire line without the backslash.
Key terms

For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See "Brocade resources" on page xvi for instructions on accessing MyBrocade. For definitions specific to this document, see "Terminology" on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.
For information about the Key Management Interoperability Protocol standard, visit the OASIS KMIP Technical Committee website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip

Getting technical help

Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:
1.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.

Document feedback

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document.
Chapter 1 Encryption Overview

In this chapter
• Host and LUN considerations (page 1)
• Terminology (page 2)
• The Brocade Encryption Switch (page 4)
• The FS8-18 blade (page 5)
• FIPS mode
Terminology

The following are definitions of terms used extensively in this document.

ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK): An encryption key generated by the encryption engine.
Opaque Key Vault: A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted in a master key to protect them.
Recovery cards: A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the BNA client to restore the master key.
The Brocade Encryption Switch

The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade

The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs on the Brocade DCX Backbone chassis, which includes the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis.

FIPS mode

Both the Brocade Encryption Switch and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.
Recommendation for connectivity

In order to achieve high performance and throughput, the encryption engines perform what is referred to as "cut-through" encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.
Brocade encryption solution overview

The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft, or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage

The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host to a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management

Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
Master key management

Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems (except NetApp LKM) and includes the Key Management Interoperability Protocol (KMIP) with SafeNet KeySecure in native KMIP mode.

Master key generation

A master key must be generated by the group leader encryption engine.
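The relationship between DEK, master key, opaque key vault and recovery cards described under Terminology and Master key management, as an added illustration that is not Brocade's code or key-vault format: a DEK is sealed under the master key with AES-256-GCM before it is archived in the vault, and the master key is split across a set of recovery cards by XOR so that only the complete set restores it. The key ID, the card count and the XOR split are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256 keys throughout

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is fatal for key material
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapDEK seals a DEK under the master key; the result (nonce || ciphertext || tag)
// is what the opaque vault stores. keyID is bound as associated data so one
// LUN's entry cannot stand in for another's. (Illustration, not the product format.)
func wrapDEK(masterKey, dek []byte, keyID string) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, dek, []byte(keyID)), nil
}

// unwrapDEK recovers the DEK; it fails if the master key or keyID is wrong
// or the stored entry was modified.
func unwrapDEK(masterKey, entry []byte, keyID string) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(entry) < n+gcm.Overhead() {
		return nil, errors.New("vault entry too short")
	}
	return gcm.Open(nil, entry[:n], entry[n:], []byte(keyID))
}

// splitMasterKey models writing a recovery card set: n-1 random cards plus one
// card fixed so the XOR of all n equals the master key. Fewer than n cards
// reveal nothing about it; the whole set must be read back together.
func splitMasterKey(masterKey []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("a recovery set needs at least two cards")
	}
	shares := make([][]byte, n)
	for i := 0; i < n-1; i++ {
		shares[i] = randBytes(keyLen)
	}
	// last card = masterKey XOR every random card (new backing array, shares untouched)
	shares[n-1] = restoreMasterKey(append(shares[:n-1:n-1], masterKey))
	return shares, nil
}

// restoreMasterKey XORs the cards read from the card reader back together.
func restoreMasterKey(shares [][]byte) []byte {
	out := make([]byte, keyLen)
	for _, s := range shares {
		for j := range out {
			out[j] ^= s[j]
		}
	}
	return out
}

// roundTrip runs one life cycle: wrap a DEK, split the master key onto `cards`
// recovery cards, then check that the DEK unwraps with the key restored from all
// cards and is rejected when one card is missing.
func roundTrip(cards int) (fullOK, partialRejected bool, err error) {
	master, dek := randBytes(keyLen), randBytes(keyLen)
	entry, err := wrapDEK(master, dek, "lun-0001") // constructed key ID
	if err != nil {
		return
	}
	shares, err := splitMasterKey(master, cards)
	if err != nil {
		return
	}
	got, openErr := unwrapDEK(restoreMasterKey(shares), entry, "lun-0001")
	fullOK = openErr == nil && bytes.Equal(got, dek)
	_, openErr = unwrapDEK(restoreMasterKey(shares[:cards-1]), entry, "lun-0001")
	partialRejected = openErr != nil
	return
}

func main() {
	fmt.Println(roundTrip(3)) // true true <nil>
}
```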
Cisco Fabric Connectivity support

The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN OS 3.3 and later versions. Cisco fabric connectivity is provided only on the Brocade Encryption Switch. The FS8-18 blade for the Brocade DCX Backbone chassis does not support this feature.
Chapter 2 Configuring Encryption Using the Management Application

• Encryption Center features (page 14)
• Encryption user privileges (page 15)
• Smart card usage (page 16)
• Network connections
Encryption Center features

The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Brocade Network Advisor Management application (Figure 1). It also provides a table that shows the general status of all encryption-related hardware and functions at a glance. To open the dialog box, select Configure > Encryption.

FIGURE 1 Encryption Center dialog box

Beginning with Fabric OS 6.
Encryption user privileges

In Brocade Network Advisor, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time.
TABLE 1 Encryption privileges (Continued)

Privilege: Storage Encryption Security
Read/Write:
• Launch the Encryption Center dialog box.
• View switch, group, or engine properties.
• View Encryption Group Properties Security tab.
• View LUN centric view.
• View all rekey sessions.
• View encryption targets, hosts, and LUNs.
• Create a master key.
• Back up a master key.
• Edit smart card.
• Establishing a trusted link with the NetApp LKM key vault.
• Decommissioning a LUN.

When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access.

Registering authentication cards from a card reader

To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed in the previous steps. The maximum quorum size is five cards.
Registering authentication cards from the database

Smart cards that are already in the Management program's database can be registered as authentication cards.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar to display the Encryption Group Properties dialog box.
Deregistering an authentication card

Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.
Using system cards

System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine after a power off.
Enabling or disabling the system card requirement

To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch. You access the system card GUI from the Security tab. Complete the following procedure to enable or disable the system card requirement.
1.
Deregistering system cards

System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar. The System Cards dialog box displays. (Refer to Figure 6 on page 21.)
3.
FIGURE 7 Smart Card asset tracking dialog box

The Smart Cards table lists the known smart cards and the details for the smart cards. These details include the following:
• Card ID: Lists the smart card ID, prefixed with an ID that identifies how the card is used. For example, rc.123566b700017818, where rc stands for recovery card.
• Card Type: Options are: System card, Authentication card, and Recovery set.
• Usage: Usage content varies based on the card type.
NOTE
You can remove smart cards from the table to keep the Smart Cards table at a manageable size, but removing the card from the table does not invalidate it; the smart card can still be used.

• Save As button: Saves the entire list of smart cards to a file. The available formats are comma-separated values (.csv) and HTML (.html).
• Card Details table: Card details vary based on the card type.
Editing smart cards

Smart cards can be used for user authentication, master key storage and backup, and as a system card for authorizing use of encryption operations.
1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar to display the Edit Smart Card dialog box. (Refer to Figure 8.)

FIGURE 8 Edit Smart Card dialog box

2. Insert the smart card into the card reader.
3.
Network connections

Before you use the encryption setup wizard for the first time, you must have the following required network connections:
• The management ports on all encryption switches and DCX Backbone Chassis CPs that have encryption blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
Configuring blade processor links

To configure blade processor links, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select the encryption engine from the Encryption Center Devices table, then select Engine > Blade Processor Link from the menu task bar to display the Blade Processor Link dialog box. (Refer to Figure 9.
Setting encryption node initialization

Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.
1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar.
2. Select Yes after reading the warning message to initialize the node.
Configuring a Brocade group on ESKM/SKM

A Brocade group is configured on ESKM/SKM for all keys created by encryption switches and blades. This needs to be done only once for each key vault.
1. Log in to the ESKM/SKM management web console using the admin password.
2. Select the Security tab.
3. Select Local Users & Groups under Users and Groups.
4. Select Add under Local Users.
5. Create a Brocade user name and password.
6.
FIGURE 10 Key Vault Credentials dialog box

The dialog box contains the following information:
• Primary Key Vault: Primary Key Vault is preselected. ESKM/SKM key vaults are clustered, so only one set of credentials is needed.
• Secondary Key Vault: (TEKA key vault only). Shown as inactive.
• User Name: Enter a user name for the group leader.
• User Group Name: Displays the selected User Group Name.
• Password: Enter a password for the group leader.
Setting up the local Certificate Authority (CA) on ESKM/SKM

To create and install a local CA, complete the following steps:
1. Log in to the ESKM/SKM management web console using the admin password.
2. Select the Security tab.
3. Under Certificates & CAs, click Local CAs.
4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA.
   • Enter a Certificate Authority Name and Common Name.
5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
6. Click on Default under Profile Name.
7. In the Trusted Certificate Authority List, click Edit.
8. From the list of Available CAs in the right panel, select the CA you just created.

Repeat these steps any time another local CA is needed.
10. Click Sign Request.
11. Enter the required data in the Sign Certificate Request section of the window.
   - Select the CA name from the Sign with Certificate Authority drop-down list.
   - Select Server as the Certificate Purpose.
   - Enter the number of days before the certificate must be renewed based on your site's security policies. The default value is 3649 or 10 years.
12. Paste the copied certificate request data into the Certificate Request box.
13.
Creating an ESKM/SKM high availability cluster

The HP ESKM/SKM key vault supports clustering of HP ESKM/SKM appliances for high availability. If two ESKM/SKM key vaults are configured, they must be clustered. If only a single ESKM/SKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch.
Adding ESKM/SKM appliances to the cluster

If you are adding an appliance to an existing cluster, select the Cluster Settings section of the window, click Download Cluster Key, then save the key to a convenient location, such as your computer's desktop.
Signing the encryption node KAC certificates

The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on ESKM/SKM. The signed certificate must then be imported back into the encryption node.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.
Importing a signed KAC certificate into a switch

After a KAC CSR has been submitted and signed by a CA, the signed certificate must be imported into the switch.

NOTE
This operation can be performed only after the switch is added to the encryption group.

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.
Data Encryption Keys

The following sections describe Data Encryption Key (DEK) behavior during DEK creation, retrieval, and updates as they relate to disk keys and tape pool keys, and tape LUN and DF-compatible tape pool support:

Disk keys and tape pool keys support

Data Encryption Key (DEK) creation, retrieval, and update for disk and tape pool keys are as follows:
• DEK creation: The DEK is first archived using the session list available for the configur
ESKM/SKM key vault deregistration

Deregistration of either the primary or secondary ESKM/SKM key vault from an encryption switch or blade is allowed independently.
• Deregistration of Primary ESKM: You can deregister the primary ESKM/SKM from an encryption switch or blade without deregistering the backup or secondary ESKM/SKM for maintenance or replacement purposes.
Creating an encryption group

The following steps describe how to start and run the encryption setup wizard and create a new encryption group.

NOTE
When a new encryption group is created, any existing tape pools in the switch are removed.

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 13.)

FIGURE 13 Encryption Center dialog box - No group defined

2.
   g. Configuration Status.
   h. Read Instructions.

FIGURE 14 Configure Switch Encryption wizard - welcome screen

4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays. (Refer to Figure 15.
FIGURE 15 Designate Switch Membership dialog box

5. For this procedure, verify that Create a new encryption group containing just this switch is selected, then click Next.

NOTE
If you are adding a switch to an encryption group, refer to "Adding a switch to an encryption group" on page 51.

The Create a New Encryption Group dialog box displays. (Refer to Figure 16.
The dialog box contains the following information:
• Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive.
• Failback mode: Selects whether or not storage targets should be automatically transferred back to an encryption engine that comes online after being unavailable. Options are Automatic or Manual.
Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Prior to selecting your Key Vault Type, the selection is shown as None. The dialog box contains the following information:
• Key Vault Type: If an encryption group contains mixed firmware nodes, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader.
1. Enter the IP address or host name for the primary key vault.
2. Enter the name of the file that holds the primary key vault's CA key certificate, or browse to the desired location. This file can be generated from the key vault's administrative console.
3. Enter the key vault user name.
4. Enter the password you established for the Brocade user group.
5. Re-enter the password for verification.
6.
FIGURE 20 Specify Master Key File Name dialog box

9. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
10. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays. (Refer to Figure 21.
11. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
FIGURE 23 Configuration Status dialog box

All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified. After configuration of the encryption group is completed, Brocade Network Advisor sends API commands to verify the switch configuration.
FIGURE 24 Next Steps dialog box

14. Review post-configuration instructions, which you can copy to a clipboard or print for later.
15. Click Finish to exit the Configure Switch Encryption wizard. Refer to "Understanding configuration status results" on page 50.

Understanding configuration status results

After configuration of the encryption group is completed, Brocade Network Advisor sends API commands to verify the switch configuration.
7. Back up the master key to a file. (Opaque key vaults only.) Brocade Network Advisor saves the master key in the specified file.

Adding a switch to an encryption group

The setup wizard allows you to either create a new encryption group, or add an encryption switch to an existing encryption group. Use the following procedure to add a switch to an encryption group:
1.
FIGURE 26 Designate Switch Membership dialog box

4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays. (Refer to Figure 27.) The dialog box contains the following information:
   • Encryption Groups table: Enables you to select an encryption group in which to add a switch.
   • Member Switches table: Lists the switches in the selected encryption group.
FIGURE 27 Add Switch to Existing Encryption Group dialog box

5. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate (KAC) File Name dialog box displays. (Refer to Figure 28.
6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays. (Refer to Figure 29.) Confirm the encryption group name and switch public key certificate file name you specified are correct, then click Next.

FIGURE 29 Confirm Configuration dialog box

The Configuration Status dialog box displays.
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
7. Review important messages, then click Next. The Error Instructions dialog box displays. (Refer to Figure 31.
Replacing an encryption engine in an encryption group

To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.
High availability clusters 2 High availability clusters A high availability (HA) cluster consists of exactly two encryption engines configured to host the same CryptoTargets and to provide Active/Standby failover and failback capabilities in a single fabric. One encryption engine can take over encryption and decryption tasks for the other encryption engine if that member fails or becomes unreachable.
2 High availability clusters Creating HA clusters For the initial encryption node, perform the following procedure. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.) 2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar. NOTE If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar.
High availability clusters 2 3. Click the right arrow to add the encryption engine to the selected HA cluster. 4. Click OK. Removing engines from an HA cluster Removing the last engine from an HA cluster also removes the HA cluster. If only one engine is removed from the cluster, you must either add another engine to the cluster, or remove the other engine. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.) 2.
Failback option

The Failback option determines the behavior when a failed encryption engine is restarted. When the first encryption engine comes back online, the encryption group's failback setting (auto or manual) determines how the encryption engine resumes encrypting and decrypting traffic to its encryption targets.
• In auto mode, when the first encryption engine restarts, it automatically resumes encrypting and decrypting traffic to its encryption targets.
5. Confirmation
6. Configuration Status
7. Important Instructions

Adding an encryption target

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select a group, switch, or engine from the Encryption Center Devices table to which to add the target, then select Group/Switch/Engine > Targets from the menu task bar.

FIGURE 35 Configure Storage Encryption - welcome screen

4. Click Next. The Select Encryption Engine dialog box displays. (Refer to Figure 36.) The dialog box contains the following information:
• Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed:
  - If an encryption group was selected, the list includes all engines in the group.
  - If a switch was selected, the list includes all encryption engines for the switch.
  - If a single encryption engine was selected, the list contains only that engine.
6. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsShow command.) You can also enter WWNs manually, for example, to specify a target that is not on the list.
7. Select a target type from the Type list, then click Next. The Select Hosts dialog box displays. (Refer to Figure 38.) You can configure hosts for selected target device ports.
NOTE
You must enter the host node world wide name before clicking Add to add the WWN to the Selected Hosts table.
• Node WWN text box: Type a world wide name for a host node.
NOTE
You must also enter the host port world wide name before clicking Add to add the WWN to the Selected Hosts table.
• Device Type: The device type indicated by the fabric's name service. The value is either Initiator or Initiator + Target.

FIGURE 39 Name Container dialog box

10. Enter the container name. The container name is a logical encryption name that you can specify instead of the default. You can use a maximum of 31 characters. Letters, digits, and underscores are allowed.
11. Click Next. The Confirmation screen displays. (Refer to Figure 40.) The Confirmation screen confirms and completes the configuration of encryption engines, targets, and hosts. The screen contains the following information:
• Encryption Engine: The slot location of the encryption engine.
• Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
• Target Device Port: The world wide name of the target device port.
• Host Node WWN: The world wide name of the host node.
• Host Port WWN: The world wide name of the host port.
• Host Name: The name of the host.
12.
13. Review any post-configuration instructions or messages, which you can copy to a clipboard or print for later, then click Next. The Next Steps screen displays. (Refer to Figure 42.) Post-configuration instructions for installing public key certificates for the encryption switch are displayed.
Configuring hosts for encryption targets

Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.
NOTE
Hosts are normally selected as part of the Configure Switch Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.

FIGURE 44 Encryption Target Hosts dialog box

NOTE
Both the Hosts in Fabric table and the Selected Hosts table now contain a Port ID column that displays the 24-bit PID of the host port.
4. Select one or more hosts in a fabric using either of the following methods:
  a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table.

Adding target disk LUNs for encryption

You can add a new path to an existing disk LUN, or add a new LUN and path, by launching the Add New Path wizard.
NOTE
Before you can add a target disk LUN for encryption, you must first configure the storage arrays. For more information, see "Configuring storage arrays" on page 75.
Complete the following steps to add a target disk LUN:
1.
• Encryption path table: Lists each LUN/path, identified by the following:
  - LUN Path Serial #
  - Target Port
  - Initiator Port
  - Container Name
  - Switch Name
  - Fabric
  - State
  - Thin Provision LUN
  - Encryption Mode
  - Encrypt Existing Data
  - Key ID
• Remove button: Removes a selected entry from the table.
3. Click Add to launch the Add New Path wizard. The Select Target Port dialog box displays. (Refer to Figure 46.)
4. Select the target port from the Target Port table, then click Next. The Select Initiator Port dialog box displays. (Refer to Figure 47.)

FIGURE 47 Select Initiator Port dialog box

This dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.

FIGURE 48 Select LUN dialog box

This dialog box is used to select a LUN when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: The storage array selected from the LUN view prior to launching the Add New Path wizard.
• Host: The host selected from the LUN view prior to launching the Add New Path wizard.
NOTE
The maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. The 512 LUN operations can be for the same LUN or distributed across 25 distinct LUNs. This change to the commit limit applies only when using Brocade Network Advisor. Earlier Fabric OS versions allowed a maximum of 25 uncommitted changes per disk LUN.
NOTE
The controller LUN (LUN 0) must be added to the container as clear text in order for the host to see the LUNs in the container. For more detailed information on creating a CryptoTarget container, refer to the chapter describing storage arrays in this administrator's guide.

Adding target tape LUNs for encryption

You can configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN.

FIGURE 51 Encryption Target Tape LUNs dialog box

4. Click Add. The Add Encryption Target Tape LUNs dialog box displays. (Refer to Figure 52.) A table of all LUNs in the storage device that are visible to hosts is displayed. LUNs are identified by the host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status. The LUN numbers may be different for different hosts. When you select a specific host, only the LUNs visible to that host are displayed. If you select All Hosts, LUNs visible to all configured hosts are displayed. If a LUN is visible to multiple hosts, it is listed once for each host.
6. Choose a LUN to be added to an encryption target container using one of the following two methods:
• Discover: Identifies the exposed logical unit number for a specified initiator.

Moving targets

The Move Targets dialog box is used to redistribute which engine encrypts which targets. It is also useful for transferring all targets to another engine before replacing or removing engine hardware. Moving targets to another engine may be done while traffic is flowing between the host and target. Traffic is interrupted for a short time but resumes before the host applications are affected.
1. Select Configure > Encryption. The Encryption Center dialog box displays.
2.

FIGURE 53 Encryption Targets dialog box

3. Select a target tape storage device from the table, then click LUNs. The Encryption Target Tape LUNs dialog box displays. (Refer to Figure 54.)

FIGURE 54 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early

4.
NOTE
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
  c. Select the appropriate CryptoTarget container, then click Commit.

Tape LUN statistics

This feature enables you to view and clear statistics for tape LUNs. These statistics include the number of compressed blocks, uncompressed blocks, compressed bytes, and uncompressed bytes written to a tape LUN.

FIGURE 56 Tape LUN Statistics dialog box

The dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
• Tape Volume/Pool: The tape volume label of the currently mounted tape, if a tape session is currently in progress.
• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
3. Select a tape target storage device, then click LUNs. The Target Tape LUNs dialog box displays. (Refer to Figure 57.) The configured tape LUNs are listed in the table.

FIGURE 57 Target Tape LUNs dialog box

4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays. (Refer to Figure 58.) The statistics for the LUN or LUNs you selected are listed in the table.
• Compressed Bytes: The number of compressed bytes written to tape.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
A Refresh button updates the statistics on the display since the last reset. A Clear button resets all statistics in the display.
5. Do either of the following:
  a. Click Clear to clear the tape LUN statistics, then click Yes to confirm.
  b. Click Refresh to view the current statistics, cumulative since the last reset.

FIGURE 60 Tape LUN Statistics dialog box

The dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
• Tape Volume/Pool: The tape volume label of the currently mounted tape, if a tape session is currently in progress.
• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
During rebalancing operations, be aware of the following:
• You might notice a slight disruption in disk I/O. In some cases, manual intervention may be needed.
• Backup jobs to tapes might need to be restarted after rebalancing is completed.
To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS 6.4, a field indicates whether or not rebalancing is recommended.
Master keys

The new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured) until you back up the new master key. After you have backed up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed. Rekeying causes a new data encryption key to be created and encrypted using the new active master key, thereby removing any dependency on the old master key.
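The master key and data encryption key (DEK) dependency described above, as an added Go example that is not the guide's or Fabric OS's own code: each LUN's DEK is wrapped under the active master key, so after a new master key is activated the LUN still needs the old one until it is rekeyed, and rekeying (new DEK, re-encrypt, wrap under the new master key) removes that dependency. AES-256-GCM as the wrapping mechanism, the key IDs and the sample LUN contents are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey wraps (encrypts) DEKs. AES-256-GCM wrapping is an assumption made here.
type MasterKey struct {
	ID  string
	Key []byte // 32-byte AES-256 key
}

type EncryptedLUN struct {
	WrappedDEK  []byte // the DEK is held only in wrapped form
	MasterKeyID string // ID of the master key that wrapped WrappedDEK
	Ciphertext  []byte // LUN data encrypted under the DEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewMasterKey generates a fresh master key with the given (constructed) identifier.
func NewMasterKey(id string) MasterKey { return MasterKey{ID: id, Key: randomBytes(32)} }

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only possible with a key that is not 16, 24 or 32 bytes long
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || ciphertext || tag for plaintext under key.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the blob was altered.
func open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProvisionLUN creates a DEK, encrypts data under it, and wraps the DEK under the active master key.
func ProvisionLUN(active MasterKey, data []byte) *EncryptedLUN {
	dek := randomBytes(32)
	return &EncryptedLUN{
		WrappedDEK:  seal(active.Key, dek),
		MasterKeyID: active.ID,
		Ciphertext:  seal(dek, data),
	}
}

// ReadLUN unwraps the DEK with the master key recorded on the LUN, then decrypts the data.
func ReadLUN(lun *EncryptedLUN, available map[string]MasterKey) ([]byte, error) {
	mk, ok := available[lun.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %s needed to unwrap the DEK is not available", lun.MasterKeyID)
	}
	dek, err := open(mk.Key, lun.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, lun.Ciphertext)
}

// Rekey does what the guide describes: a new DEK is created, the data is re-encrypted under it, and
// the new DEK is wrapped with the new active master key. The old master key is needed one last time.
func Rekey(lun *EncryptedLUN, available map[string]MasterKey, newActive MasterKey) error {
	plaintext, err := ReadLUN(lun, available)
	if err != nil {
		return err
	}
	*lun = *ProvisionLUN(newActive, plaintext)
	return nil
}

func main() {
	mk1, mk2 := NewMasterKey("MK-1"), NewMasterKey("MK-2") // constructed IDs
	lun := ProvisionLUN(mk1, []byte("constructed sample LUN contents"))
	before := lun.MasterKeyID // MK-1: the LUN depends on the old master key until it is rekeyed
	if err := Rekey(lun, map[string]MasterKey{mk1.ID: mk1}, mk2); err != nil {
		panic(err)
	}
	fmt.Println("wrapping master key before/after rekey:", before, lun.MasterKeyID)
}
```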
Master key actions

NOTE
Master keys belong to the group and are managed from Group Properties.
Master key actions are as follows:
• Backup master key: Enabled any time a master key exists. Selecting this option launches the Backup Master Key for Encryption Group dialog box. You can back up the master key to a file, to a key vault, or to a smart card.
3. Select Backup Master Key as the Master Key Action. The Master Key Backup dialog box displays, but only if the master key has already been generated. (Refer to Figure 61.)

FIGURE 61 Master key backup dialog box - Backup Destination (to file)

4. Select File as the Backup Destination.
5. Enter a file name, or browse to the desired location.
6. Enter the passphrase, which is required for restoring the master key.
3. Select Backup Master Key as the Master Key Action. The Backup Master Key for Encryption Group dialog box displays. (Refer to Figure 62.)

FIGURE 62 Master key backup dialog box - Backup Destination (to key vault)

4. Select Key Vault as the Backup Destination.
5. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
6. Re-enter the passphrase for verification, then click OK.

FIGURE 63 Master key backup dialog box - Backup Destination (to smart cards)

4. Select A Recovery Set of Smart Cards as the Backup Destination.
5. Enter the recovery card set size.
6. Insert the first blank card and wait for the card serial number to appear.
7. Run the additional cards that are needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
8.

Overview of saving a master key to a smart card set

A card reader must be attached to the SAN Management application PC to save a master key to a recovery card. Recovery cards can only be written once, to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
NOTE
Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system.
FIGURE 64 Restore Master Key for Encryption Group dialog box - Restore from file

4. Choose the active or alternate master key for restoration, as appropriate.
5. Select File as the Restore From location.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.

FIGURE 65 Restore Master Key for Encryption Group dialog box - Restore from key vault

4. Choose the active or alternate master key for restoration, as appropriate.
5. Select Key Vault as the Restore From location.
6. Enter the key ID of the master key that was backed up to the key vault.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.

FIGURE 66 Restore Master Key for Encryption Group dialog box - Restore from a recovery set of smart cards

4. Choose the active or alternate master key for restoration, as appropriate.
5. Select A Recovery Set of Smart Cards as the Restore From location.
6. Insert the recovery card containing a share of the master key that was backed up earlier, and wait for the card serial number to appear.
7. Enter the password that was used to create the card.
Security settings

Security settings let you specify whether system cards are required to initialize an encryption engine and also determine the number of authentication cards needed for a quorum.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar. The Select Security Settings dialog box displays.

Zeroizing an encryption engine

NOTE
Zeroizing an engine affects the I/Os, but all target and LUN configurations remain intact. Encryption target configuration data is not deleted.
You can zeroize an encryption engine only if it is enabled (running), or disabled but ready to be enabled. If the encryption engine is not in one of these states, an error message results.

Using the Encryption Targets dialog box

The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage.
NOTE
The Encryption Targets dialog box enables you to launch a variety of wizards and other related dialog boxes.

Redirection zones

It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; a redirection zone can be created only if the host and target are in the same zone.
Disk device decommissioning

Provided that the crypto configuration is not left uncommitted because of crypto configuration changes or a failed device decommission operation issued on an encryption group leader node, this error message will not be seen for any device decommission operation issued serially on an encryption group member node.
If a rekey operation is currently in progress on a selected LUN, a message displays that gives you the choice of performing a Forced Decommission, or of canceling and trying again later, after the rekey operation is complete.
6. To check on the progress of the decommissioning operation, click Refresh. When decommissioning is complete, the LUNs are removed from the Encryption Target LUNs table.
3. Click Delete All to delete the decommissioned keys from the switch. As a precaution, copy the keys to a secure location before deleting them from the switch. Right-click an entry in the table to select an individual key ID. You may also copy or export a single row within the table or the entire table. To export the keys, right-click and select Export, which exports the key IDs.
Rekeying all disk LUNs manually

The following conditions must be satisfied for the manual rekey operation to run successfully:
• The node on which you perform the manual rekey operation must be a member of an encryption group, and that encryption group must have a key vault configured.
• The node must be running Fabric OS 7.0.0 or later.
• The encryption group must be in the converged state.
• The target container that hosts the LUN must be online.

FIGURE 72 Pending manual rekey operations

Viewing disk LUN rekeying details

You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.

FIGURE 73 Encryption Target Disk LUNs dialog box

4. Click Add. The Add Disk LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to the hosts.
5. Click Re-keying Details. The LUN Re-keying Details dialog box displays. The dialog box contains the following information:
• Key ID: The LUN key identifier.
• Key ID State: The state of the LUN rekeying operation.

Viewing the progress of manual rekey operations

To monitor the progress of manual rekey operations, complete these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2. Select an encryption group from the Encryption Center Devices table, then select Group > Re-Key Sessions from the menu task bar.
• Current LBA: The Logical Block Address (LBA) of the block that is currently being written.
• Number of Blocks: The number of blocks written.
• Thin Provision LUN: Identifies whether the new LUN is a thin provisioned LUN. Options are:
  - Yes: Thin provision support is limited to Brocade-tested storage arrays. The thin provisioned LUN status is displayed as Yes for supported storage arrays only.
  - No: Shown as No if the LUN is not a thin provisioned LUN.

Thin provisioned LUNs

• If you are running a Fabric OS version earlier than v7.1.0, LUN status is shown as Not Applicable.
• Zero detect with encryption is not supported.

Thin provisioning support

Thin-provisioned logical unit numbers (LUNs) are increasingly used to support a pay-as-you-grow strategy for data storage capacity.

Viewing time left for auto rekey

The Encryption Target Disk LUNs dialog box displays. The time left for auto rekey is listed in the table. (Refer to Figure 75.)

FIGURE 75 Time left for auto rekey

Viewing and editing switch encryption properties

To view switch encryption properties, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.
FIGURE 76 Encryption Switch Properties dialog box

The dialog box contains the following information:
• Switch Properties table: A list of properties associated with the selected switch.
  - Name: The name of the selected switch.
  - Node WWN: The world wide name of the node.
  - Switch Status: The health status of the switch.
    • Discovering
    • Not a member
  - Encryption Group: The name of the encryption group to which the switch belongs.
  - Encryption Group Status: Status options are:
    • OK/Converged: The group leader can communicate with all members.
    • Degraded: The group leader cannot communicate with one or more members.
    • need master/link key
    • Online
  - Set State To: Identifies whether the state is enabled or disabled. You can click the line item in the table to change the value, then click OK to apply the change.
  - Total Targets: The number of encrypted target devices.
  - HA Cluster Name: The name of the HA cluster (for example, Cluster1), if the switch is in an HA configuration. HA cluster names can have up to 31 characters. Letters, digits, and underscores are allowed.
FIGURE 77 Import Signed Certificate dialog box

4. Enter or browse to the file containing the signed certificate, then click OK. The file is imported onto the switch.

Enabling and disabling the encryption engine state from properties

To enable the encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.)
2.

Viewing and editing encryption group properties

The Encryption Group Properties dialog box includes several tabs that are used to configure the various functions for encryption groups. All tabs are visible for all key vault types. Unless otherwise specified, the Encryption Group Properties dialog box opens with the General tab displayed. (Refer to Figure 78.)

General tab

The General tab is viewed from the Encryption Group Properties dialog box. (Refer to Figure 79.) To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.
When the first encryption engine comes back online, the encryption group's failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.
• Key Vault Type: HP Secure Key Manager (SKM).

Members tab

The Members tab lists group switches, their role, and their connection status with the group leader. The table columns are not editable. The Members tab is viewed from the Encryption Group Properties dialog box. (Refer to Figure 80.) To access the Members tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
The Members table might not match the list of members displayed in the Encryption Center dialog box if some configured members are unmanaged, missing, or in a different group.
NOTE
When the encryption group is in the Degraded state, the Members tab indicates the group member that the leader cannot contact. If the non-responding switch should no longer be included in the encryption group, it can be removed using the Remove button.
Table 2 explains the impact of removing switches.

TABLE 2 Switch removal impact

• Switch configuration: The switch is the only switch in the encryption group.
  Impact of removal: The encryption group is also removed.
• Switch configuration: The switch has configured encryption targets on encryption engines.
• Switch configuration: The switch is configured to encrypt traffic to one or more encryption targets.
  Impact of removal: The target container configuration is removed.
FIGURE 81 Encryption Group Properties dialog box - Security tab

The Security tab contains the following information:
• Master Key Status: Displays the status of the master key. Possible values are:
  - Required but not created: Displays when a master key needs to be created.
  - Created but not backed up: Displays when the master key needs to be backed up. For safety, the master key cannot be used until it is backed up.
• Registered Authentication Cards table: Lists the registered authentication cards by Group Card number, Card ID, the name of the person to whom the card is assigned, and optional notes.
• Register from Card Reader button: Launches the Add Authentication Card dialog box.
• Register from Archive button: Launches the Add Authentication Card dialog box.

FIGURE 82 Encryption Group Properties dialog box - HA Clusters tab

The HA Clusters tab includes the following information:
• Non-HA Encryption Engines table: Displays a list of encryption engines that are not configured for high-availability clustering.
• High-Availability Clusters table: A list of encryption engines that have been selected for high-availability clustering.
• Configure Blade Processor Link button: When active, clicking the button displays the Configure Blade Processor Link dialog box. Blade processor links must be configured and functioning to enable the failover/failback capabilities of a high availability cluster. For more information, refer to "Configuring blade processor links" on page 28.
Tape pools overview

Tape cartridges and volumes can be organized into a tape pool (a collection of tape media). The same data encryption keys are used for all cartridges and volumes in the pool. Tape pools are used by backup application programs to group all tape volumes used in a single backup or in a backup plan. The tape pool name or number used must be the same name or number used by the host backup application.

FIGURE 85 Add Tape Pool by number dialog box

4. Based on your selection, do one of the following:
• If you selected Name as the Tape Pool Label Type, enter a name for the tape pool. This name must match the tape pool label or tape ID that is configured on the tape backup/restore application.
• If you selected Number as the Tape Pool Label Type, enter a (hex) number for the tape pool.
NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.
Select the encryption engine you want to replace from the Engine list, select the encryption engine to use for the group from the Replacement list, then click Replace.

FIGURE 86 Encryption Group Properties dialog box - Engine Operations tab

NOTE
You cannot replace an encryption engine if it is part of an HA cluster.
Chapter 3 Configuring Encryption Using the CLI

• Overview
• Command validation checks
• Command RBAC permissions and AD types
• Cryptocfg Help command output
• Management LAN configuration

Overview

This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch, or an FS8-18 Encryption blade in a DCX Backbone chassis, to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch and DCX Backbone chassis have been done as part of the initial hardware installation, including setting the management port IP address.
4. PortMember: Allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD.

Command RBAC permissions and AD types

Two RBAC roles are permitted to perform encryption operations.
TABLE 4 Encryption command RBAC availability and admin domain type (Continued)

Command name                User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createhacluster             N     OM     N         N             N           OM            N                   N               Disallowed
createtapepool              N     OM     N         N             N           OM            N                   N               Disallowed
decommission                N     OM     N         N             N           OM            N                   N               Disallowed
deletecontainer             N     OM     N         N             N           OM            N                   N               Disallowed
deletedecommissionedkeyids  N     OM     N         N             N           O
rebalance                   N     OM     N         N             N           OM            N                   N               Disallowed
reclaim                     N     OM     N         N             N           OM            N                   N               Disallowed
recovermasterkey            N     OM     N         N             N           N             N                   OM              Disallowed
refreshdek                  N     OM     N         N             N           N             N                   OM              Disallowed
regEE                       N     OM     N         N             N           N             N                   OM              Disallowed
regKACcert                  N     OM
Cryptocfg Help command output
All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options.
switch:admin> cryptocfg --help
Usage:
cryptocfg --help -nodecfg: Display the synopsis of node parameter configuration.
cryptocfg --help -groupcfg: Display the synopsis of group parameter configuration.
cryptocfg --help -hacluster: Display the synopsis of
cryptocfg --help -devicecfg: Display the synopsis of
cryptocfg --help -transcfg: Display the synopsis of
Configuring cluster links
Each encryption switch or FS8-18 blade has two gigabit Ethernet ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports are bonded together as a single virtual network interface. Only one IP address is used. The ports provide link layer redundancy, and are collectively referred to as the cluster link.
DHCP: Off
eth0: 10.33.54.208/20
eth1: none/none
Gateway: 10.33.48.1
NOTE
The IP address of the cluster link should be configured before enabling the encryption engine for encryption.
4. Reboot the member node (the node on which the IP address has been modified).
5. Register the node with the group leader using the new IP address.
Steps for connecting to an SKM or ESKM appliance
The following configuration steps are performed from the SKM/ESKM management web console, which can be accessed from any web browser with network access to the SKM/ESKM appliance. The same procedure is used for creating both SKM and ESKM encryption groups.
NOTE
An encryption group containing both SKM and ESKM key vault types is not supported.
13. Select Save. The Brocade user name and password are now configured on SKM/ESKM.
NOTE
Fabric OS v6.2.x uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM. If you downgrade to version 6.2.x, the user name is overwritten to brcduser1, and the Brocade group user name must be changed to brcduser1. Also, the password must be changed to !Brocade@3.
FIGURE 87 Creating an HP SKM/ESKM Local CA
5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
6. Click on Default under Profile Name.
7. In the Trusted Certificate Authority List, click Edit.
8. From the list of Available CAs in the right panel, select the CA you just created.
9. Click Add to add the local CA to the Trusted CAs list.
10. Click Save.
Creating and installing the SKM or ESKM server certificate
To create the SKM/ESKM server certificate, complete the following steps:
1. Click the Security tab.
2. Under Certificates and CAs, select Certificates.
3. Enter the required information under Create Certificate Request.
- Enter a Certificate Name and Common Name. The same name may be used for both.
- Enter your organizational information.
17. Select the server certificate name you just created from the certificate list, and select Properties. The Certificate Request Information window displays.
18. Click Install Certificate. The Certificate Installation window displays.
19. Paste the signed certificate data you copied under Certificate Response and click Save. The status of the server certificate should change from Request Pending to Active.
4. Click Edit. A warning message might display explaining that if you disable SSL, you must have TLS enabled for your web browser.
5. Configure the KMS Server Settings. Ensure that the port and connection timeout settings are 9000 and 3600, respectively. For Server Certificate, select the name of the certificate you created in “Creating and installing the SKM or ESKM server certificate” on page 139.
6. Click Save.
3. Select the name of the local CA from the Local Certificate Authority list. The CA Certificate Information is displayed.
4. Copy the certificate request, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.
20. Create and install an SKM/ESKM certificate. Refer to “Creating and installing the SKM or ESKM server certificate” on page 139 for a description of this procedure.
NOTE
An SKM/ESKM cluster may have many members, but the Brocade encryption products support only two as primary and secondary key vaults.
5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data.
10. Allow Certificate Duration to default to 3649 days.
11. Paste the file contents that you copied in step 3 in the Certificate Request Copy area.
12. Select Sign Request. Upon success, you are presented with the option of downloading the signed certificate.
13. Download the signed certificate to your local system as signed_kac_skm_cert.pem.
14. Import the signed certificate from its location, or from a USB storage device.
The following example creates the encryption group “brocade”.
SecurityAdmin:switch> cryptocfg --create -encgroup brocade
Encryption group create status: Operation Succeeded.
The switch on which you create the encryption group becomes the designated group leader.
Server SDK Version: 4.8.1
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2010-03-17 17:22:05
Client SDK Version: 4.8.2.000017
Client Username: brcduser1
Client Usergroup: brocade
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A
Key Vault configuration and connectivity checks successful, ready for key operations.
• The user name and password must match the user name and password specified for the Brocade group.
• The same user name and password must be configured on all nodes in an encryption group. This is not enforced or validated by the encryption group members, so care must be taken when configuring the user name and password to ensure they are the same on each node.
cluster fails, an error is logged and the operation is retried. If the failure occurs during DEK retrieval after successful archival to one of the ESKMs/SKMs, or synchronization to any ESKMs/SKMs in the cluster times out, an error is logged and the operation is retried. Any DEK archived in this case is not used.
When the secondary SKM/ESKM is replaced with a different SKM/ESKM, you must first synchronize the DEKs from the primary SKM/ESKM before reregistering the secondary SKM/ESKM.
Adding a member node to an encryption group
Before adding a member node to an encryption group, ensure that the node has been properly initialized and that all encryption engines are in an enabled state. See “Initializing the Fabric OS encryption engines” on page 143.
5. Use the cryptocfg --import command to import the CP certificates to the group leader node. You must import the CP certificate of each node you want to add to the encryption group. The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was previously exported to the external host 192.168.38.245. Certificates are imported to a predetermined directory on the group leader.
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.
3. Save the master key to a file.
SecurityAdmin:switch> cryptocfg --exportmasterkey -file
Master key file generated.
4. Export the master key to an SCP-capable external host:
SecurityAdmin:switch> cryptocfg --export -scp -currentMK \
192.168.38.245 mylogin GL_MK.mk
Password:
Operation succeeded.
5. Display the group membership information. Verify that the master key ID for all member nodes is the same.
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.
NOTE
In Fabric OS 6.3.0 and later, HA cluster creation is blocked when encryption engines belonging to FS8-18 blades in the same DCX Backbone Chassis are specified.
• Cluster links must be configured before creating an HA cluster. Refer to the section “Configuring cluster links” on page 133 for instructions.
• Configuration changes must be committed before they take effect.
NOTE
An HA cluster configuration must have two encryption engines before you can commit the transaction with the cryptocfg --commit command. To commit an incomplete HA cluster, you have the option to force the commit operation by issuing cryptocfg --commit -force. Use the forced commit with caution, because the resulting configuration will not be functional and will provide no failover/failback capabilities.
Adding an encryption engine to an HA cluster
1.
< [old slot number]> < [new slot number]>: Sample output is shown below.
TABLE 5 Group-wide policies
Columns: Policy name | cryptocfg --set parameters | Description
Failover policy | -failbackmode auto | manual |
Heartbeat misses | -hbmisses value | Sets the number of Heartbeat misses allowed in a node that is part of an encryption group before the node is declared unreachable and the standby takes over. The default value is 3. The range is 3-14 in integer increments only.
Re-exporting a master key
With the introduction of Fabric OS v7.0.0, you can export master keys to the key vault multiple times instead of only once. The ability to export the master key more than once enables you to recover the master key when needed. For example, prior to Fabric OS 7.0.0, if you forgot the passphrase that was used to export the master key, you were not able to recover the master key from the key vault.
The exported key ID is displayed with the master key ID, as shown in the examples to follow:
Example: Initial master key export
SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter passphrase:
Confirm passphrase:
Master key exported.
The following example lists the exported master key IDs for a given master key ID:
SecurityAdmin:switch> cryptocfg --show -mkexported_keyids e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:93
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:94
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:95
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:96
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:97
e3:ae
Enabling the encryption engine
Enable the encryption engine by entering the cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade.
No HA cluster membership
EE Attributes:
Media Type : DISK
EE Slot: 12
SP state: Online
Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc
Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d
HA Cluster Membership: hacDcx3
EE Attributes:
Media Type : DISK
Zoning considerations
When encryption is implemented, frames sent between a host and a target LUN are redirected to a virtual target within an encryption switch or blade.
Frame redirection zoning
Name Server-based frame redirection enables the Brocade Encryption Switch or blade to be deployed transparently to hosts and targets in the fabric. NS-based frame redirection is enabled as follows:
• You first create a zone that includes host (H) and target (T). This may cause temporary traffic disruption to the host.
• You then create a CryptoTarget container for the target and configure the container to allow access to the initiator.
The Local Name Server has 1 entry }
The nsshow command shows all devices on the switch, and the output can be lengthy. To retrieve only the initiator PWWN, do a pattern search of the output based on the initiator Port ID (a hex number). In the following example, the PID is 010600, where 01 indicates the domain and 06 the port number.
FabricAdmin:switch> nsshow | grep 0106
N 010600; 2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
3. Determine the target PWWN.
7. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.
FabricAdmin:switch> zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"
8. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.
FabricAdmin:switch> cfgcreate itcfg, itzone
9.
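The PID-to-PWWN lookup in the nsshow step above (nsshow piped through grep) can also be done offline against saved Name Server output, which is useful when you want to record which WWNs went into the zone before committing. The following Python script is an added example written for this page, not Brocade code: it parses the entry layout shown above (type, PID, class of service, port WWN, node WWN), decodes a PID into its domain/area/port bytes, and returns the port WWN registered under a given PID. The sample nsshow text is constructed for the example and reuses the initiator and target port WWNs and PID 010600 from this page; the target's PID 010700 and node WWN 20:00:00:06:2b:0f:72:6d are assumed values.

```python
"""Find an initiator's port WWN in saved nsshow output by Fibre Channel Port ID.

Added example; the Name Server entry layout follows the line shown in the
procedure above:  N 010600; 2,3;<PWWN>;<NWWN>; na
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class NsEntry(NamedTuple):
    port_type: str   # "N" for an N_Port entry
    pid: str         # 24-bit Port ID as six hex digits, e.g. "010600"
    cos: str         # class-of-service list, e.g. "2,3"
    pwwn: str        # port WWN
    nwwn: str        # node WWN


# One Name Server entry per line; header, FC4s and footer lines do not match.
_ENTRY_RE = re.compile(
    r"^\s*(?P<type>[A-Z]{1,2})\s+(?P<pid>[0-9a-fA-F]{6});\s*(?P<cos>[0-9,]+);"
    r"(?P<pwwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2});"
    r"(?P<nwwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2});"
)

# Constructed sample nsshow output (not captured from a switch). The initiator
# WWNs and PID 010600 are the ones used on this page; the second entry is an
# assumed target with the page's target PWWN and a made-up PID and node WWN.
SAMPLE_NSSHOW = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    FC4s: FCP
    Fabric Port Name: 20:06:00:05:1e:53:8d:cd
    Permanent Port Name: 10:00:00:00:c9:2b:c9:3a
 N    010700;      3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    FC4s: FCP
    Fabric Port Name: 20:07:00:05:1e:53:8d:cd
The Local Name Server has 2 entries }
"""


def parse_nsshow(output: str) -> List[NsEntry]:
    """Return every Name Server entry found in nsshow output, hex lower-cased."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(NsEntry(m["type"], m["pid"].lower(), m["cos"],
                                   m["pwwn"].lower(), m["nwwn"].lower()))
    return entries


def decode_pid(pid: str) -> Tuple[int, int, int]:
    """Split a Port ID into its (domain, area, port) bytes.

    For 010600 this gives (1, 6, 0): domain 1, area 6 (the switch port index,
    which the guide calls the port number), arbitrated-loop address 0.
    """
    value = int(pid, 16)
    return (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF


def find_by_pid_prefix(output: str, prefix: str) -> List[NsEntry]:
    """Equivalent of 'nsshow | grep <prefix>', restricted to the PID field."""
    prefix = prefix.lower()
    return [e for e in parse_nsshow(output) if e.pid.startswith(prefix)]


def initiator_pwwn(output: str, pid: str) -> Optional[str]:
    """Return the port WWN registered under an exact PID, or None if absent."""
    for entry in parse_nsshow(output):
        if entry.pid == pid.lower():
            return entry.pwwn
    return None


if __name__ == "__main__":
    domain, area, port = decode_pid("010600")
    print(f"PID 010600 -> domain {domain}, port {area}, ALPA {port}")
    print("initiator PWWN:", initiator_pwwn(SAMPLE_NSSHOW, "010600"))
```

Matching on the PID field alone avoids the false hits a bare grep for "0106" would produce when the same hex digits occur inside a WWN elsewhere in the output.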
FIGURE 89 Relationship between initiator, virtual target, virtual initiator and target
CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with potentially catastrophic scenarios where different policies exist for each path of the LUN, or a situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the secured realm of the encryption plat
To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS v6.4, a field is added that indicates whether or not rebalancing is recommended. You may be prompted to rebalance during the following operations:
• When adding a new disk or tape target container.
• When removing an existing disk or tape target container.
• After failover to a backup encryption engine in an HA cluster.
Creating a CryptoTarget container
1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --create -container command. Specify the type of container (disk or tape), followed by a name for the CryptoTarget container, the encryption engine’s node WWN, and the target’s port WWN and node WWN. Provide a slot number if the encryption engine is a blade.
Number of LUN(s): 0
Operation Succeeded
6. Display the redirection zone. It includes the host, the target, the virtual initiator, and the virtual target.
CAUTION
When configuring a multi-path LUN, you must remove all initiators from all CryptoTarget containers in sequence before committing the transaction. Failure to do so may result in a potentially catastrophic situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform.
CAUTION
When configuring a multi-path LUN, you must remove all necessary CryptoTarget containers in sequence before committing the transaction. Failure to do so may result in a potentially catastrophic situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform.
Crypto LUN configuration
A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the encryption property and policies on the LUN.
CAUTION
When configuring a LUN with multiple paths, perform the LUN discovery on each of the CryptoTarget containers for each of the paths accessing the LUN and verify that the serial numbers of the LUNs discovered from these CryptoTarget containers are the same. This indicates and validates that these CryptoTarget containers are indeed paths to the same LUN. Refer to the section “Configuring a multi-path Crypto LUN” on page 181 for more information.
NOTE
If you are using VMware virtualization software or any other configuration that involves mounted file systems on the LUN, you must enable first-time encryption at the time when you create the LUN by setting the --enable_encexistingdata option with the --add -LUN command. Failure to do so permanently disconnects the LUN from the host and causes data to be lost and unrecoverable.
1. Log in to the group leader as Admin or FabricAdmin.
2.
Crypto LUN parameters and policies
Table 6 shows the encryption parameters and policies that can be specified for a disk or tape LUN during LUN configuration (with the cryptocfg --add -LUN command). Some policies are applicable only to disk LUNs, and some policies are applicable only to tape LUNs. It is recommended that you plan to configure all the LUN state and encryption policies with the cryptocfg --add -LUN command.
TABLE 6 LUN parameters and policies (Continued)
Policy name: Existing data encryption (Disk LUN: Yes; Tape LUN: No; Modify? Yes)
Command parameters: -enable_encexistingdata | -disable_encexistingdata
Description: Specifies whether or not existing data on the LUN should be encrypted. By default, encryption of existing data is disabled. Encryption policy must be set to -enable_encexistingdata, and the LUN state must be set to cleartext (default).
b. Add an initiator to the CryptoTarget container “my_tape_tgt”.
FabricAdmin:switch> cryptocfg --add -initiator my_tape_tgt \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
Operation Succeeded
c. Commit the transaction.
FabricAdmin:switch> cryptocfg --commit
Operation Succeeded
3. Configure the Crypto tape LUN. Refer to the section “Configuring a Crypto LUN” on page 174 for instructions.
a. Discover the LUN.
Encryption format: DF_compatible
Tape type: tape
Key life: 90 (day)
Volume/Pool label:
Operation succeeded.
NOTE
The “-key_lifespan” command option has no effect for “cryptocfg --add -LUN”, and only has an effect for “cryptocfg --create -tapepool” for tape pools declared “-encryption_format native”. For all other encryption cases, a new key is generated each time a medium is rewound and block zero is either written or overwritten.
Modifying Crypto LUN parameters
You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. A maximum of 25 disk LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed the maximum commit allowed will fail with a warning. There is a five second delay before the commit operation takes effect.
For tape LUNs, the -enable_encexistingdata, -enable_rekey, and -key_lifespan options are not valid and therefore cannot be modified. When you attempt to set these parameters while modifying a tape LUN, the system returns an error. Disabling -write_early_ack or -read_ahead for a tape LUN will result in lower total throughput, depending on the number of flows per encryption engine.
Configuring a multi-path Crypto LUN
To avoid the risk of data corruption, you must observe the following rules when configuring multi-path LUNs:
• During the initiator-target zoning phase, complete in sequence all zoning for ALL hosts that should gain access to the targets before committing the zoning configuration.
• Complete the CryptoTarget container configuration for ALL target ports in sequence and add the hosts that should gain access to these ports before committing the container configuration.
3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until you have created all CryptoTarget containers and added all hosts to the respective containers.
a. Log in as Admin or FabricAdmin.
b. Create a CryptoTarget container (CTC1) for target port 1 to be hosted on the encryption engine of encryption switch 1.
c. Review the output of the LUN discovery to ensure that the LUN serial numbers for ALL LUNs are the same as seen from the target-port 1 to host-port 1 path and from the target-port 2 to host-port 2 path. Identical LUN serial numbers validate the multi-path configuration.
5. Configure the LUN for all CryptoTarget containers in sequence by adding the LUN to each CryptoTarget container with identical policy settings.
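The serial-number comparison that the multi-path caution in the Crypto LUN configuration section and step 4c above both call for is easy to get wrong by eye when a container lists many LUNs, and a LUN that is visible through only one container is just as dangerous as one whose serials disagree, because that path would bypass the encryption switch. The following Python script is an added example written for this page, not Brocade code: it parses the “LUN number:” and “LUN serial number:” lines in the layout this guide shows for cryptocfg --discoverLUN output, one capture per CryptoTarget container, and reports every LUN whose serial number differs between paths or that is missing from a path. The discovery text, the container names CTC1/CTC2, the host WWNs and the serial numbers are constructed sample values (the first serial reuses the one shown elsewhere on this page); nothing here is captured from a real switch.

```python
"""Check that every path (CryptoTarget container) of a multi-path LUN reports
the same LUN serial number, as the cautions in this section require.

Added example; it parses the 'LUN number:' / 'LUN serial number:' lines in
the layout this guide shows for cryptocfg --discoverLUN output.
"""
import re
from typing import Dict, List

# Constructed discoverLUN output per container (not captured from a switch).
# Container names CTC1/CTC2 follow the multi-path procedure above; host WWNs
# and serial numbers are assumed sample values.
CONSISTENT_DISCOVERY: Dict[str, str] = {
    "CTC1": """\
Container name: CTC1
Host: 21:00:00:e0:8b:90:7c:c0
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectivity state: Connected
LUN number: 0x1
LUN serial number: 50002AC000BC0A51
TP LUN: No
LUN connectivity state: Connected
""",
    "CTC2": """\
Container name: CTC2
Host: 21:00:00:e0:8b:90:7c:c1
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectivity state: Connected
LUN number: 0x1
LUN serial number: 50002AC000BC0A51
TP LUN: No
LUN connectivity state: Connected
""",
}

# Same topology, but LUN 0x1 behind CTC2 turns out to be a different device,
# and LUN 0x2 is visible through CTC1 only (an unprotected path).
MISMATCHED_DISCOVERY: Dict[str, str] = {
    "CTC1": CONSISTENT_DISCOVERY["CTC1"]
    + "LUN number: 0x2\nLUN serial number: 50002AC000BC0A52\n",
    "CTC2": CONSISTENT_DISCOVERY["CTC2"].replace("50002AC000BC0A51", "50002AC000BC0FFF"),
}

_LUN_RE = re.compile(r"^\s*LUN number:\s*(\S+)")
_SERIAL_RE = re.compile(r"^\s*LUN serial number:\s*(\S+)")


def parse_discover_lun(text: str) -> Dict[str, str]:
    """Map each LUN number (normalised hex, e.g. '0xd') to its serial number."""
    luns: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = _LUN_RE.match(line)
        if m:
            current = hex(int(m.group(1), 16))   # so "0x00" and "0x0" compare equal
            continue
        m = _SERIAL_RE.match(line)
        if m and current is not None:
            luns[current] = m.group(1).upper()
            current = None
    return luns


def check_multipath_serials(discovery_by_container: Dict[str, str]) -> List[str]:
    """Return one problem line per LUN whose paths disagree; [] when all agree."""
    per_lun: Dict[str, Dict[str, str]] = {}
    for container, text in discovery_by_container.items():
        for lun, serial in parse_discover_lun(text).items():
            per_lun.setdefault(lun, {})[container] = serial

    problems: List[str] = []
    all_containers = set(discovery_by_container)
    for lun in sorted(per_lun, key=lambda s: int(s, 16)):
        seen = per_lun[lun]
        missing = sorted(all_containers - set(seen))
        if missing:
            problems.append(f"LUN {lun}: not discovered through {', '.join(missing)}")
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{c}={s}" for c, s in sorted(seen.items()))
            problems.append(f"LUN {lun}: serial numbers differ across paths: {detail}")
    return problems


if __name__ == "__main__":
    for name, discovery in (("consistent", CONSISTENT_DISCOVERY),
                            ("mismatched", MISMATCHED_DISCOVERY)):
        result = check_multipath_serials(discovery)
        print(name + ":", result or "OK, every path reports the same serial numbers")
```

Run the check against the discovery output of every container before step 5, and only add the LUN to the containers when the list comes back empty; a non-empty list means the paths do not all lead to the same device and the container set needs correcting before anything is committed.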
Make sure the LUNs in previously committed LUN configurations and LUN modifications have a LUN state of Encryption Enabled before creating and committing another batch of LUN configurations or modifications.
NOTE
A maximum of 25 disk LUNs can be added or modified in a single commit operation. The maximum commit for tape LUNs is eight. Attempts to commit configurations or modifications that exceed the maximum commit allowed will fail with a warning.
If a LUN is removed when undergoing decommission or is in a decommission failed state, or if a container hosting the LUN is deleted, you must use the -force option on the commit operation (cryptocfg --commit -force). Failure to do so causes the commit operation to fail and a decommission in progress error displays. Upon successful completion of a decommissioning operation, the LUN is deleted from all containers hosting it, and all active paths to the LUN are lost.
Decommissioning replicated LUNs
The following scenarios are provided:
• “Decommissioning primary LUNs only”
• “Decommissioning secondary LUNs only”
• “Decommissioning primary and secondary LUN pairs”
Decommissioning primary LUNs only
To decommission the primary LUN and make the secondary LUN the primary LUN, complete the following steps. Failure to do so could result in the LUN state showing as Disabled.
1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3.
NOTE
Do not delete the key from the key vault.
Decommissioning primary and secondary LUN pairs
To decommission both the primary and secondary LUNs, complete the following steps:
1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3. Independently decommission the primary and secondary LUNs.
a. Decommission the primary LUN.
Force-enabling a disabled disk LUN for encryption
7. Enable the LUN.
FabricAdmin:switch> cryptocfg --enable -LUN
8. Modify the LUN to encrypted.
FabricAdmin:switch> cryptocfg --modify -LUN 0 -lunstate encrypted -encryption_format native -encrypt
9. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN number, and the initiator PWWN.
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into a single backup to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties:
• They are configured and managed per encryption group at the group leader level.
CommVault Galaxy labeling
CommVault uses a storage policy for each backup. When configuring a tape pool to work with CommVault Galaxy, first create a storage policy on CommVault and then use the storage_policy_id (sp_id) as the label when creating the tape pool on the encryption switch or blade.
1. Open CommCellExplorer Views by selecting Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
2.
Creating a tape pool
Take the following steps to create a tape pool:
1. Log in to the group leader as FabricAdmin.
2. Create a tape pool by entering the cryptocfg --create -tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies. For policies not specified at this time, LUN-level settings apply.
• Set the tape pool policy to either encrypt or cleartext (default).
Deleting a tape pool
This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently accessed by the host. Be sure the tape media is not currently in use.
1. Log in to the group leader as FabricAdmin.
2. Enter the cryptocfg --delete -tapepool command followed by a tape pool label or number. Use cryptocfg --show -tapepool -all to display all configured tape pool names and numbers.
First-time encryption
First-time encryption, also referred to as encryption of existing data, is similar to the rekeying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first-time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA) location.
Thin provisioned LUNs
With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover if a disk LUN is a thin provisioned LUN. Support for a thin provisioned LUN is limited to disk containers only. The Brocade Encryption Switch will support thin provisioning of an array only if it satisfies the SCSI requirements, for example, supporting the GET_LBA_STATUS command.
Encryption format: native
Encrypt existing data: disabled
Rekey: disabled
Internal EE LUN state: Encryption enabled
Encryption algorithm: AES256-XTS
Key ID state: Read write
New LUN: No
TP LUN: Yes
Key ID: 4b:d9:4d:12:93:67:0e:0d:d1:e0:ca:aa:ba:34:29:db
Key creation time: Thu Sep 15 18:01:01 2011
FabricAdmin:switch> cryptocfg --discoverLUN -container
Host: 21:00:00:e0:8b:90:7c:c0
LUN number: 0xd
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectivity state: Connected
Key
• The WRITE_SAME command will not be supported for the unmap operation.
• Changing a LUN from thin provisioned to non-thin provisioned (and vice versa) is not allowed during the rekey operation. After changing the LUN type from thin provisioned to non-thin provisioned (or vice versa), LUN discovery should be done for the Brocade Encryption Switch to know about the change of type.
• Rekey temporarily uses the last 512 blocks. As a result, these blocks will be marked as provisioned by the thin provisioned LUN.
• The first 16 blocks of the LUN will be mapped automatically (if they were unmapped) after the LUN has been configured as an encrypted LUN.
1. Log in to the group leader as FabricAdmin.
2. Enable automatic rekeying by setting the -enable_rekey parameter followed by a time period (in days). The following example enables the automatic rekeying feature on an existing LUN with a 90-day rekeying interval. The data will automatically be re-encrypted every 90 days.
FabricAdmin:switch> cryptocfg --modify -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a -enable_rekey 90
Operation Succeeded
3. Commit the configuration.
Target: 50:06:01:60:30:20:db:34 50:06:01:60:b0:20:db:34
Target PID: 022900
VT: 20:00:00:05:1e:53:8d:cd 20:01:00:05:1e:53:8d:cd
VT PID: 06c001
Host: 10:00:00:00:c9:56:e4:7b 20:00:00:00:c9:56:e4:7b
Host PID: 066000
VI: 20:02:00:05:1e:53:8d:cd 20:03:00:05:1e:53:8d:cd
VI PID: 06c201
LUN number: 0x1
LUN serial number: 600601603FE2120014FC89130295DF1100010000000000000008000000000000
Rekey session number: 0
Percentage complete: 23
Rekey state: Write Phase
Rekey role: Primary/Active
Block size: 51
2. Check the status of the resumed rekey session.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN. In this case, you can cancel the rekey session by removing the LUN from its container and force-committing the transaction. See “Removing a LUN from a CryptoTarget container” on page 179 for instructions on how to remove a LUN by force.
Chapter 4 Deployment Scenarios
In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target
Figure 91 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster
Figure 92 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 92, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.
In Figure 93, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN, and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 95 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Fabric OS encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster
The configuration details are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are two encryption switches, one in each fabric (no HA cluster).
• There is one DEK cluster and one encryption group.
Deployment in Fibre Channel routed fabrics
In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_Port connections (Figure 97), or it may form the backbone fabric and directly provide the EX_Port connections (Figure 98). The encryption resources can be shared with the host and target edge fabrics using device sharing between the backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device creates the frame redirection zone automatically, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric
In this deployment, the encryption switch is connected to either the host or the target edge fabric. The backbone fabric may contain a 7800 extension switch or an FX8-24 blade in a DCX or DCX 8510 Backbone, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 99).
• The encryption device creates the frame redirection zone automatically, consisting of host, target, virtual target, and virtual initiator, when the target and host are configured on the encryption device. In Figure 99, the encryption device is connected to the host edge fabric.
• Create the frame redirection zone consisting of host, target, virtual target, and virtual initiator in the target edge fabric.
Deployment with FCIP extension switches
Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX or DCX 8510 Backbone to enable long-distance connections. Figure 100 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator’s Guide for information about creating FCIP configurations.
VMware ESX server deployments
VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 101 shows a VMware ESX server with two guest operating systems where each guest accesses a fabric over a separate host port.
Figure 101 labels: Key Management Appliance or Key Vault; Management Network LAN; DCFM; VMware ESX Server with Guest OS1 on Host Port1 (I1) and Guest OS2 on Host Port2 (I2); Management Links; Fabric 1; BES1 and BES4 in one DEK Cluster and Encryption Group; Target Port1 (T1) and Target Port2 (T2); IO Sync Links over a Dedicated Cluster Network LAN.
CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster
CTC2 - CTC for Target Port T2 hosted on BES2 in DEK Cluster
Figure 102 shows a VMware ESX server with two guest operating systems where the two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Figure 102 labels: Key Management Appliance or Key Vault; Management Network LAN; DCFM; VMware ESX Server with Guest OS1 (V-Port1) and Guest OS2 (V-Port2) sharing one FC HBA Host Port1 (I1); Management Links; Fabric 1; BES1 and BES4 in one DEK Cluster and Encryption Group; Target Port1 (T1) and Target Port2 (T2); IO Sync Links over a Dedicated Cluster Network LAN.
CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster
CTC2 - CTC for Target Port T2 hosted on BES2 in DEK
Chapter 5 Best Practices and Special Topics
• Firmware upgrade and downgrade considerations
• Configuration upload and download considerations
• HP-UX considerations
• AIX considerations
• Enabling a disabled LUN
Firmware upgrade and downgrade considerations
Before upgrading or downgrading firmware, consider the following:
• The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured.
• When upgrading to Fabric OS 7.0.0 or downgrading from Fabric OS 7.0.0, the message SPM-1016 is observed on v7.0.0 nodes in the encryption group (EG) while other nodes in that EG are still running versions earlier than Fabric OS 7.0.0. Although this is a warning message, it is transient and is observed only during a firmware upgrade or downgrade operation. The message can be ignored.
• Fabric OS 6.2.
• Do not try registering a node running Fabric OS 6.3.x or earlier to an encryption group when all nodes are running Fabric OS 6.4.0(x) with one or more Fabric OS 6.4.0(x) features enabled.
• Disable all Fabric OS 6.4.0(x) features before ejecting a node running Fabric OS 6.4.0(x) and registering the node as a member of an encryption group with nodes running Fabric OS 6.3.x or earlier.
Configuration upload and download considerations
Security information is not included when you upload a configuration from an encryption switch or blade. Extra steps are necessary before and after download to re-establish that information.
Steps before configuration download
The configuration download does not include any certificates, public or private keys, master key, or link keys. Perform the following steps prior to configuration download to generate and obtain the necessary certificates and keys:
1.
3. If there are containers that belonged to the old encryption switch or blade, then after configdownload is run, use the following command to change the ownership of the containers to the new encryption switch or blade, assuming the host and target physical zone exists.
Admin:switch> cryptocfg --replace
4. Commit the configuration.
Admin:switch> cryptocfg --commit
5. Use the following command to check whether the switch or blade has the master key.
NOTE
When an EMC CX3 storage array is used with HP-UX, the CX3 array exposes both the 0x0 and the 0x4000 LUN to the HP-UX host. The 0x0 and 0x4000 LUNs have the same LSN. Both must be added as cleartext.
AIX considerations
For AIX-based PowerHA SystemMirror host clusters, the cluster repository disk should be defined outside of the encryption environment. Ensure that Dynamic Tracking is set to “Yes” for all Fibre Channel adapters on the AIX system.
Tape data compression
Data is compressed by the encryption switch or blade before encryption only if the tape device supports compression and compression is explicitly enabled by the host backup application. If the tape device supports compression but the host backup application does not enable it, the encryption switch or blade does not compress the data before encrypting it.
Tape block zero handling
Block zero of the tape media is not encrypted. Its data is sent to the tape device as cleartext, with the block zero metadata header prefixed to the data.
Tape key expiry
When the tape key of a native pool expires in the middle of a write operation on the tape, the key continues to be used for the duration of that write operation to append the data on the tape media.
• To enable host MPIO, LUNs must also be available through a second target port, hosted either on a second encryption switch or encryption engine, or on the same encryption switch or encryption engine. The second encryption switch can be in the same fabric or in a different fabric.
• Hosts should be able to access LUNs through multiple ports for redundancy.
Ensure uniform licensing in HA clusters
Licenses installed on the nodes should allow for identical performance numbers between HA cluster members.
Tape library media changer considerations
In tape libraries where the media changer unit is addressed by a target port that is separate from the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and CryptoTarget containers for the SCSI I/O ports.
Turn off compression on extension switches
We recommend disabling data compression on FCIP links that might carry encrypted traffic, to avoid potential performance issues: encrypted data does not yield the expected compression ratio. We also recommend disabling tape pipelining and fastwrite on any FCIP link that transports encrypted traffic.
Rekeying best practices and policies
Rekeying should be done only when necessary.
Do not change LUN configuration while rekeying
Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN configuration while the rekeying process for that LUN is active. If you change the LUN’s settings during manual or auto rekeying or first-time encryption, the system reports a warning message stating that the encryption engine is busy and that a forced commit is required for the changes to take effect.
Disabling the encryption engine
The disable encryption engine interface command, cryptocfg --disableEE [slot number], should be used only during firmware download, or when the encryption and security capabilities of the encryption engine have been compromised. When disabling the encryption capabilities of the encryption engine, be sure the encryption engine is not hosting any CryptoTarget containers.
The fan-in ratio for a target can be higher depending on the maximum bandwidth accepted by the target. If the I/O throughput across all initiator ports accessing the target port is well balanced, it is recommended that the maximum fan-in ratio be kept to 8 initiator ports to 1 target port for optimal performance. Note that this recommendation holds for initiators running at 4 Gbps or less.
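One way to audit the 8:1 recommendation above from zone membership, as an added example that is not Fabric OS code or part of this guide: the zone definitions and WWNs are constructed, and the caller supplies which WWNs are target ports (an assumption; a real tool would take the role from the name server or an inventory). An initiator that appears in several zones with the same target is counted once.

```python
"""Compute initiator-to-target-port fan-in from zone membership and flag
target ports that exceed the recommended ratio.

Added example, not Fabric OS code.  Zones and WWNs below are constructed;
which WWNs are targets is supplied by the caller (an assumption).
"""
from collections import defaultdict

MAX_FAN_IN = 8  # initiator ports per target port, valid for initiators at 4 Gbps or less

# Constructed sample: nine host ports, two target ports.
INITIATORS = [f"10:00:00:05:1e:53:37:{n:02x}" for n in range(1, 10)]
TARGET_A = "50:06:01:60:3b:20:1c:2a"
TARGET_B = "50:06:01:68:3b:20:1c:2a"
SAMPLE_ZONES = {                                    # zone name -> member port WWNs
    "hosts_tgtA": INITIATORS + [TARGET_A],          # nine initiators on one target port
    "host1_tgtA": [INITIATORS[0], TARGET_A],        # host 1 zoned twice; counted once
    "host1_host2_tgtB": INITIATORS[:2] + [TARGET_B],
}
SAMPLE_TARGETS = {TARGET_A, TARGET_B}


def fan_in(zones, targets):
    """Return target port WWN -> set of distinct initiator WWNs zoned to it."""
    seen = defaultdict(set)
    for members in zones.values():
        members = [m.lower() for m in members]
        zone_targets = [m for m in members if m in targets]
        zone_initiators = [m for m in members if m not in targets]
        for target in zone_targets:
            seen[target].update(zone_initiators)
    return dict(seen)


def fan_in_violations(zones, targets, max_ratio=MAX_FAN_IN):
    """Return {target WWN: initiator count} for targets above max_ratio."""
    return {t: len(i) for t, i in fan_in(zones, targets).items() if len(i) > max_ratio}


if __name__ == "__main__":
    for target, count in fan_in_violations(SAMPLE_ZONES, SAMPLE_TARGETS).items():
        print(f"target port {target}: {count} initiators zoned (recommended max {MAX_FAN_IN})")
```

Because the threshold applies to well-balanced initiators at 4 Gbps or less, treat a reported violation as a prompt to check the target's accepted bandwidth rather than as a hard failure.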
Tape device LUN mapping
When performing LUN mapping, ensure that a given LUN number from a backend physical target is the same across all initiators in the container. Failure to do so can result in unpredictable switch behavior, including blade/switch faults. Use the following command to list the LUNs in the target.
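A check for the mapping rule above, as an added example that is not Fabric OS code or part of this guide. It assumes the operator has already collected, per container and per initiator PWWN, the LUN number under which each backend physical LUN is exposed; the backend identifier ("LSN-A" and so on) and the sample data are constructed. The HP-UX/CX3 case from the NOTE earlier in this chapter, where one LSN is exposed as both 0x0 and 0x4000, is included to show that an identical two-number view on every initiator is not a conflict.

```python
"""Check a CryptoTarget container's LUN mapping for consistency across initiators.

Added example, not Fabric OS code.  Input structure (an assumption):
container -> initiator PWWN -> {LUN number: backend LUN identifier}.
"""
from collections import defaultdict

# Constructed sample data, not taken from a real fabric.
SAMPLE_CONTAINERS = {
    # Consistent: both initiators see each backend LUN under the same number.
    "my_tape_tgt": {
        "10:00:00:05:1e:53:37:99": {0x0: "LSN-A", 0x1: "LSN-B"},
        "10:00:00:05:1e:53:37:9a": {0x0: "LSN-A", 0x1: "LSN-B"},
    },
    # Inconsistent: the second initiator has LSN-C and LSN-D swapped.
    "my_disk_tgt": {
        "10:00:00:05:1e:53:37:99": {0x0: "LSN-C", 0x1: "LSN-D"},
        "10:00:00:05:1e:53:37:9a": {0x0: "LSN-D", 0x1: "LSN-C"},
    },
    # HP-UX with a CX3 array: one backend LUN exposed as 0x0 and 0x4000 to
    # every initiator.  Same view everywhere, so not a mapping conflict.
    "hpux_cx3_tgt": {
        "10:00:00:05:1e:53:37:99": {0x0: "LSN-E", 0x4000: "LSN-E"},
        "10:00:00:05:1e:53:37:9a": {0x0: "LSN-E", 0x4000: "LSN-E"},
    },
}


def lun_views(initiator_maps):
    """For one container: backend_id -> initiator PWWN -> frozenset of LUN numbers."""
    views = defaultdict(dict)
    for pwwn, lun_table in initiator_maps.items():
        per_backend = defaultdict(set)
        for lun_number, backend_id in lun_table.items():
            per_backend[backend_id].add(lun_number)
        for backend_id, numbers in per_backend.items():
            views[backend_id][pwwn] = frozenset(numbers)
    return views


def find_lun_mapping_conflicts(containers):
    """Return {container: {backend_id: {pwwn: sorted LUN numbers}}} for every
    backend LUN whose set of LUN numbers differs between initiators.  A backend
    LUN that some initiators in the container do not see at all is reported
    as well (their list is empty)."""
    conflicts = {}
    for container, initiator_maps in containers.items():
        all_initiators = set(initiator_maps)
        bad = {}
        for backend_id, per_initiator in lun_views(initiator_maps).items():
            full = {p: per_initiator.get(p, frozenset()) for p in all_initiators}
            if len(set(full.values())) > 1:
                bad[backend_id] = {p: sorted(n) for p, n in sorted(full.items())}
        if bad:
            conflicts[container] = bad
    return conflicts


if __name__ == "__main__":
    for ctc, bad in find_lun_mapping_conflicts(SAMPLE_CONTAINERS).items():
        print(f"container {ctc}: inconsistent LUN mapping")
        for backend_id, per_initiator in bad.items():
            for pwwn, numbers in per_initiator.items():
                print(f"  {backend_id}: {pwwn} -> {[hex(n) for n in numbers]}")
```

Run the check before committing a container change; a non-empty result means the mapping must be corrected on the array or in the container before the configuration is committed.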
Chapter 6 Maintenance and Troubleshooting
• Encryption group and HA cluster maintenance
• Encryption group merge and split use cases
• Encryption group database manual operations
• Key vault diagnostics
• Measuring encryption performance
Encryption group and HA cluster maintenance
This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems with one or more member nodes in the group. All group-wide configuration commands are executed on the group leader. Commands that clear group-related states from an individual node are executed on that node. The commands require Admin or SecurityAdmin permissions.
FIGURE 104 Removing a node from an encryption group
The procedure for removing a node depends on the node’s status within an encryption group. HA cluster membership and Crypto LUN configurations must be cleared before you can permanently remove a member node from an encryption group. To remove a node from an encryption group, complete the following steps:
1. Log in to the group leader as Admin or SecurityAdmin.
2.
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
Deleting an encryption group
You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
Displaying the HA cluster configuration
NOTE
The correct failover status of an HA cluster is displayed only on the HA cluster member nodes in the encryption group.
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has two HA clusters. HAC 1 is committed and has two members.
Replacing an HA cluster member
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is being replaced.
FIGURE 105 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a “live” encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Performing a manual failback of an encryption engine
By default, failback occurs automatically when an encryption engine that failed is replaced or comes back online. When the manual failback policy is set in the encryption group, you must invoke a manual failback of the encryption engine after the failed encryption engine has been restored or replaced. Failback includes all of the encryption engine’s target associations.
• After the failback completes, the cryptocfg --show -hacluster -all command no longer reports an active failover.
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so causes subsequent reclaim attempts to fail.
4. Set up the member node: configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command.
5.
Recovery
If the auto failback policy is set, no intervention is required. After the node has come back up, all devices and associated configurations and services that failed over earlier to N1 fail back to N3, and the node resumes its normal function. If the auto failback policy is not set, invoke a manual failback if required. Refer to “Performing a manual failback of an encryption engine” on page 248 for instructions.
• The isolation of N3 from the group leader breaks the HA cluster and the failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on either group leader, because this would require communication with the “offline” member nodes. You cannot start any rekey operations (auto or manual) on any of the nodes.
Recovery
1. Restore the connection between the nodes in the separate encryption group islands, that is, between nodes N3 and N4 and nodes N1 and N2. When the lost connection is restored, an automatic split recovery process begins. The two group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node with the highest WWN becomes the group leader.
NOTE
The collective time allowed (the heartbeat timeout value multiplied by the number of heartbeat misses) cannot exceed 30 seconds; this limit is enforced by Fabric OS. The relationship between -hbmisses and -hbtimeout determines the total amount of time allowed before a node is declared unreachable. If a switch does not sense a heartbeat within the heartbeat timeout value, that is counted as one heartbeat miss.
NOTE
If the status of one or more EGs displays as CONVERGED, contact technical support, because the following procedure will not work.
To re-converge the EG, you need to perform a series of steps. The following is a listing of the basic steps; it is followed by an example with the details of each step:
1. Confirm that your EG is not in a CONVERGED state.
2. Determine which GL node will remain the GL node once the EG is re-converged.
Display the encryption group state again.
Node182:admin-> cryptocfg --show -groupcfg
Node182 should now show an Encryption Group state of CLUSTER_STATE_CONVERGED. In this two-node example there is only one other node in the encryption group, and therefore only one node to deregister. When you have a 3:1 split or a 2:2 split, issue the following command from the group leader node you are keeping.
If you now run cryptocfg --show -groupcfg, you will see that no encryption group is defined on Node181:
Node181:admin-> cryptocfg --show -groupcfg
Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined.
The 2:2 EG split exception
The encryption group deletion procedure may be done directly in every scenario except when there has been a 2:2 split.
6. Verify that your encryption group is re-converged.
Node181:admin-> cryptocfg --show -groupcfg
Node182:admin-> cryptocfg --show -groupcfg
Both nodes now show a two-node CONVERGED EG in which Node182 is the group leader node and Node181 is a member node. The manual configuration recovery procedure above works nearly identically for all combinations of EG split scenarios.
TABLE 8 Disallowed configuration changes
Configuration type: Security & key vault
Disallowed configuration changes:
• Register or modify key vault settings
• Generating a master key
• Exporting a master key
• Restoring a master key
• Enabling or disabling encryption on an encryption engine
Configuration type: HA cluster
Disallowed configuration changes:
• Creating an HA cluster
• Adding an encryption engine to an HA cluster
• Modifying the failback mode
Configuration type: Crypto Device (target/LUN/tape)
Disallowed configuration changes:
• Crea
Use the cryptocfg --sync -securitydb command to distribute the security database from the group leader node to all member nodes. This command is valid only on the group leader. In scenarios where the master key propagation issue still persists, exporting the master key to a file and recovering it from that file resolves the issue. To do this, use the following commands:
• Use the cryptocfg --exportmasterkey -file option to export the master key to a file.
• Use the cryptocfg
• Key class and format on the KV configured for the user group
• Client session timeout
• Encryption node scope
• Node KAC certificate and its validity (for example, valid header and expiry date)
• Username/password
• User group
• Time of day on the switch
• Key Vault client SDK version
• Timeout and retry policy for the client SDK
The key vault client SDK version, and the timeout and retry policy for the client SDK, could differ across encryption nodes, depending on the firm
For example:
FabricAdmin:switch> cryptocfg --perfshow [slot] [-rx | -tx | -tx -rx] [-interval
b. The user port on which a particular virtual entity is hosted can be identified from the Port Index of the corresponding name server entry. For example, the port hosting virtual target 20:00:00:05:1e:55:4d:61 can be identified with the following command.
FabricAdmin:switch> nsshow | grep -A 6 20:00:00:05:1e:55:4d:61
N
c.
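The same lookup done off the switch over saved nsshow output, as an added example that is not Fabric OS code or part of this guide. The parser relies only on the entry header line (type, PID, class of service, port WWN, node WWN) and the indented "Key: Value" attribute lines; the sample output, its WWNs, PIDs and port indexes are constructed, and the exact attribute set printed by a given Fabric OS release is an assumption. It also lists the entries flagged Redirect: Yes, which is how the virtual targets and virtual initiators created by frame redirection show up next to the real devices.

```python
"""Find the switch port hosting a virtual target or initiator from nsshow output.

Added example, not Fabric OS code.  Sample text and all identifiers are
constructed; the attribute names are an assumption about nsshow's format.
"""
import re

SAMPLE_NSSHOW = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010200;      3;20:00:00:05:1e:55:4d:61;10:00:00:05:1e:55:4d:61; na
    FC4s: FCP
    PortSymb: [22] "Brocade Encryption VT"
    Fabric Port Name: 20:02:00:05:1e:55:4d:61
    Permanent Port Name: 10:00:00:05:1e:55:4d:61
    Port Index: 2
    Share Area: No
    Device Shared in Other AD: No
    Redirect: Yes
 N    010400;      3;50:06:01:60:3b:20:1c:2a;50:06:01:60:bb:20:1c:2a; na
    FC4s: FCP
    Fabric Port Name: 20:04:00:05:1e:55:4d:61
    Permanent Port Name: 50:06:01:60:3b:20:1c:2a
    Port Index: 4
    Share Area: No
    Device Shared in Other AD: No
    Redirect: No
The Local Name Server has 2 entries }
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# Entry header: device type, 24-bit PID, class of service, port WWN, node WWN.
HEADER_RE = re.compile(
    rf"^\s*(?P<type>N[LP]?)\s+(?P<pid>[0-9a-f]{{6}});\s*(?P<cos>\d+);"
    rf"(?P<port_wwn>{WWN});(?P<node_wwn>{WWN});",
    re.IGNORECASE)
# Indented attribute line such as "    Port Index: 2".
ATTR_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 ]+?):\s*(?P<value>.*)$")


def parse_nsshow(text):
    """Return a list of entries: dicts with type, pid, cos, port_wwn, node_wwn
    and every attribute line that follows the entry header."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {k: v.lower() for k, v in m.groupdict().items()}
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return entries


def port_index_of(text, wwn):
    """Port index hosting the device with this port WWN, or None if absent."""
    for entry in parse_nsshow(text):
        if entry["port_wwn"] == wwn.lower():
            idx = entry.get("Port Index")
            return int(idx) if idx is not None else None
    return None


def redirected_wwns(text):
    """Port WWNs the name server flags as frame-redirection (virtual) devices."""
    return [e["port_wwn"] for e in parse_nsshow(text)
            if e.get("Redirect", "No").lower() == "yes"]


if __name__ == "__main__":
    print("virtual target hosted on port index", port_index_of(SAMPLE_NSSHOW, "20:00:00:05:1e:55:4d:61"))
    print("redirected devices:", redirected_wwns(SAMPLE_NSSHOW))
```

The port index returned is the value to pass to portperfshow or to read from the cryptocfg --perfshow column for that virtual entity.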
In a DCX Backbone, the slot number is also displayed along with the performance.
dcx:Admin> cryptocfg --perfshow
slot2:
  80          81          82          83          84          85
 ====  ====  ====  ====  ====  ====  ====  ====  ====  ====  ====  ====
 5.4m  5.1m  0     0     0     0     5.4m  47.5m 0     0     0     0
 (columns for ports 86 through 103 not legible in this extraction)
Total 75.6m
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command: supportsave
Activity: Check the whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log).
TABLE 10 General errors and conditions
Problem: A backup fails because the LUN is always in the initialize state for the tape container. Tape media is encrypted and gets a key that is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
Resolution: Use one of two resolutions:
TABLE 10 General errors and conditions (continued)
Problem: A performance drop occurs when using DPM on a Microsoft Windows system to back up to a Scalar 500i tape library.
Resolution: Change the DPM behavior to send one request at a time by adding the DWORD value BufferQueueSize under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent and setting it to 1. Then restart the DPM services: MSDPM, DPMLA, DPMRA.
Troubleshooting examples using the CLI
Encryption Enabled CryptoTarget LUN
The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled CryptoTarget LUN
If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group, page 270
• Errors related to adding a switch to a new group, page 271
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
Instructions:
TABLE 12 Error recovery instructions for adding a switch to a new group (continued)
Configuration task: Create a new master key (opaque key vaults only)
Error description: A failure occurred while attempting to create a new master key.
Instructions: 1
Configuration task: Save the switch’s public key certificate to a file
Error description: The switch’s public key certificate could not be saved to a file.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Columns: Case; Reasons for the LUN getting disabled by the encryption switch; Action taken if you do not need to save the data; Action taken if you need to save the data.
Case 1: The LUN was modified from encrypt policy to cleartext policy but metadata exists. The LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA cluster, or DEK cluster are powered down because of a catastrophic disaster or a power outage affecting the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is deliberately kept powered down, the member nodes might lose their information about the encryption group.
5. Synchronize the crypto configurations across all member nodes.
FabricAdmin:switch> cryptocfg --commit
MPIO and internal LUN states
The Internal LUN State field displayed in the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN; it shows the internal LUN state as known by the given encryption engine.
1. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number, and the initiator PWWN.
FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 10:00:00:05:1e:53:37:99
Operation Succeeded
2. Check the status of the resumed rekey session.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN.
3. If the replaced FS8-18 blade is in a member node, invoke the following command to reclaim the base WWN.
FabricAdmin:switch> cryptocfg --reclaimWWN -EE
4. Issue a commit.
FabricAdmin:switch> cryptocfg --commit
5. Replace the old FS8-18 blade with the new FS8-18 blade and reconnect the FC cables and I/O link cables.
6. Insert the new FS8-18 blade in the same slot of the chassis that was used by the old FS8-18 blade.
NOTE
Because the FS8-18 blade was inserted in the same slot as the previous blade, no change of HA cluster container ownership is required; the HA cluster configuration is retained.
16. If “manual” failback was set on the HA cluster, you must manually fail back the LUNs owned by the newly replaced EE.
17. Check the EG state using the following command to ensure that the entire EG is in a converged and In Sync state.
11. If a master key is not present, restore the master key from a backed-up copy. The procedure differs depending on the backup media used (for example, recovery smart cards, the key vault, a file on the network, or a file on a USB-attached device). Refer to Chapter 2, “Configuring Encryption Using the Management Application.”
12. Check the EE state using the following command to ensure that the EE is online.
6. Replace the old Brocade Encryption Switch with the new Brocade Encryption Switch and reconnect the Mgmt link, I/O links, and FC cables.
7. Reconnect the I/O sync ports to the same private LAN as the I/O sync ports of the failed node.
8. Power on the new Brocade Encryption Switch. Note that the FC cables have not yet been plugged in.
9. Set the IP address for the new Brocade Encryption Switch using the ipAddrSet command for the Mgmt and I/O links.
21. Import the signed CSR/certificate onto the new node.
22. Register the signed KAC certificate on the new node using the following command.
Admin:switch> cryptocfg --reg -KACcert
23. Register the username and password on the new node, using the same username and password as the other nodes in the EG (created on the HP SKM/ESKM appliance), with the following command.
Admin:switch> cryptocfg --reg -KACLogin
24.
31. If HA cluster membership for the old Brocade Encryption Switch was not in place, move the containers to the new Brocade Encryption Switch using the following procedure.
a. Replace the old EE with the new EE using the following command on the group leader.
Admin:switch> cryptocfg --replace
b. Issue a commit.
Admin:switch> cryptocfg --commit
32.
12. Recreate the EG with the same name as before using the following command.
Admin:switch> cryptocfg --create -encgroup
13. Invoke configdownload from the previously uploaded configuration.
14. Enable the switch using the switchenable command.
15. Deregister both key vaults using the following command.
Admin:switch> cryptocfg --dereg -keyvault
b. Issue a commit.
Admin:switch> cryptocfg --commit
c. Replace the HA cluster membership of the old EE with the new EE using the following command on the group leader.
Admin:switch> cryptocfg --replace -haclustermember
d. Issue a commit.
Admin:switch> cryptocfg --commit
e.
Removing stale rekey information for a LUN
To clean up stale rekey information for a LUN, complete one of the following procedures:
Procedure 1:
1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN becomes disabled.
2. Enable the LUN using the following command:
Admin:switch> cryptocfg --enable -LUN
2.
NOTE
When disabling the firmware consistency check, there must be no LUNs with a pending decommission or in a failed state. If a firmware download to a version earlier than Fabric OS v7.2.0 is disallowed because of LUNs under decommission or in a failed state, you must either complete the decommissioning or remove the offending LUNs before retrying cryptocfg --delete -decommissionedkeyids to disable the firmware consistency check.
Splitting an encryption group into two encryption groups
In this example, shown in Table 16, you have one encryption group with four nodes; you want to remove two of the nodes and add them to a new encryption group.

TABLE 16 Splitting an encryption group
Encryption group   Nodes
Original EG        FOS1 (Group Leader), FOS2, FOS3, FOS4
New EG1            FOS1 (Group Leader), FOS2
New EG2            FOS3 (Group Leader), FOS4

1.
When prompted, enter yes to each prompt.
8. Add FOS4 as a member node to the new EG.
• For details about adding member nodes to an EG, see "Adding a member node to an encryption group" on page 150.
• For details about creating encryption groups, see "Creating an encryption group" on page 41.
Moving an encryption switch from one EG to another in the same fabric
In this example, shown in Table 18, you have two EGs, each containing two nodes. You want to move FOS2 from EG1 to EG2.

TABLE 18 Moving a Brocade Encryption Switch from one EG to another EG
Encryption group   Nodes (before move)   Nodes (after move)
EG1                FOS1 (GL), FOS2       FOS1 (GL)
EG2                FOS3 (GL), FOS4       FOS3 (GL), FOS4, FOS2

1.
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states, page 291
• Security processor KEK status, page 292
• Encrypted LUN states, page 292

Encryption engine security processor (SP) states
Table 19 lists the encryption engine security processor (SP) states.
Security processor KEK status
Table 20 lists security processor KEK status information.

TABLE 20 Security processor KEK status
KEK type                                                KEK status (1)   Description
Primary KEK (current MK or primary KV link key)         None             Primary KEK is not configured.
                                                        Mismatch         Primary KEK mismatch between the CP and the SP.
                                                        Match/Valid      Primary KEK at the CP matches the one in the SP and is valid.
Secondary KEK (alternate MK or secondary KV link key)   None
                                                        Mismatch
Group KEK
1.
Encrypted LUN states

TABLE 21 Encrypted LUN states (Continued)
Internal name                  Description
LUN_1ST_TIME_REKEY_IN_PROG     First time rekey is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG     Key expired rekey is in progress.
LUN_MANUAL_REKEY_IN_PROG       Manual rekey is in progress.
LUN_DECRYPT_IN_PROG            Data decryption is in progress.
LUN_WR_META_PENDING            Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING     First time rekey is pending.
LUN_KEY_EXPR_REKEY_PENDING     Key expired rekey is pending.
LUN_DIS_WR_META_DONE_ERR       Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED            Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH           Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN                Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL         Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE             Disabled (Third party license is required).
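The Table 21 state names above and the firmware consistency-check note earlier in this chapter (no LUN with a pending decommission or in a failed state before the check is disabled) lend themselves to a scripted pre-check. The following is an added example, not Brocade's code: the state names and descriptions are the Table 21 rows quoted on this page, while the grouping into in-progress, pending and disabled phases, the separate decommission_pending flag (decommission is tracked by its own workflow, not by a Table 21 state), and the sample LUN inventory are this example's own assumptions. The excerpt of Table 21 on the page lists only transitional and disabled states, so every healthy steady state is absent and would be rejected by classify.

```python
"""Classify encrypted-LUN states (Table 21) and run a pre-downgrade check
against the firmware consistency-check note.

Added example, not Brocade's code. State names/descriptions are the
Table 21 rows quoted on the page; the phase grouping, the
decommission_pending flag and the sample inventory are assumptions."""

from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    IN_PROGRESS = "in progress"
    PENDING = "pending"
    DISABLED = "disabled"


# Table 21 rows as quoted on the page (internal name -> description).
LUN_STATES = {
    "LUN_1ST_TIME_REKEY_IN_PROG": "First time rekey is in progress.",
    "LUN_KEY_EXPR_REKEY_IN_PROG": "Key expired rekey is in progress.",
    "LUN_MANUAL_REKEY_IN_PROG": "Manual rekey is in progress.",
    "LUN_DECRYPT_IN_PROG": "Data decryption is in progress.",
    "LUN_WR_META_PENDING": "Write metadata is pending.",
    "LUN_1ST_TIME_REKEY_PENDING": "First time rekey is pending.",
    "LUN_KEY_EXPR_REKEY_PENDING": "Key expired rekey is pending.",
    "LUN_DIS_WR_META_DONE_ERR": "Disabled (Write metadata done with failure).",
    "LUN_DIS_LUN_REMOVED": "Disabled (LUN re-discovery detects LUN is removed).",
    "LUN_DIS_LSN_MISMATCH": "Disabled (LUN re-discovery detects new device ID).",
    "LUN_DIS_DUP_LSN": "Disabled (Duplicate LUN SN found).",
    "LUN_DIS_DISCOVERY_FAIL": "Disabled (LUN discovery failure).",
    "LUN_DIS_NO_LICENSE": "Disabled (Third party license is required).",
}


def classify(state: str) -> Phase:
    """Map a Table 21 internal name to its phase; reject names not in the table."""
    if state not in LUN_STATES:
        raise ValueError(f"not a Table 21 LUN state: {state}")
    if state.startswith("LUN_DIS_"):
        return Phase.DISABLED
    if state.endswith("_IN_PROG"):
        return Phase.IN_PROGRESS
    return Phase.PENDING  # every remaining row of the quoted table ends in _PENDING


@dataclass(frozen=True)
class Lun:
    container: str
    number: int
    state: str
    # Assumption: decommission status comes from the decommission workflow,
    # not from a Table 21 state, so it is modelled as a separate flag.
    decommission_pending: bool = False


def downgrade_check(luns):
    """Apply the note on disabling the firmware consistency check.

    Returns (blockers, warnings). Blockers are the two conditions the note
    names: a LUN with a pending decommission, or a LUN in a failed (Disabled)
    state. Warnings list rekey/metadata work still in flight; the note does
    not name that, so flagging it is this example's own caution.
    """
    blockers, warnings = [], []
    for lun in luns:
        where = f"{lun.container} LUN {lun.number}"
        phase = classify(lun.state)
        if lun.decommission_pending:
            blockers.append(f"{where}: decommission pending; finish it or remove the LUN")
        elif phase is Phase.DISABLED:
            blockers.append(f"{where}: {LUN_STATES[lun.state]} Remove or repair the LUN")
        else:
            warnings.append(f"{where}: {LUN_STATES[lun.state]} ({phase.value})")
    return blockers, warnings


# Constructed sample inventory, not the output of any real switch.
SAMPLE_LUNS = [
    Lun("cnt_db01", 0, "LUN_1ST_TIME_REKEY_PENDING"),
    Lun("cnt_db01", 1, "LUN_MANUAL_REKEY_IN_PROG"),
    Lun("cnt_log02", 0, "LUN_DIS_LSN_MISMATCH"),
    Lun("cnt_log02", 3, "LUN_KEY_EXPR_REKEY_PENDING", decommission_pending=True),
]

if __name__ == "__main__":
    blockers, warnings = downgrade_check(SAMPLE_LUNS)
    for line in blockers:
        print("BLOCK:", line)
    for line in warnings:
        print("WARN: ", line)
    raise SystemExit(1 if blockers else 0)
```

Run it before attempting a downgrade below Fabric OS v7.2.0: a non-zero exit means at least one LUN still meets a condition the note lists, and the printed lines say which LUN to decommission fully, remove or repair first.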
TABLE 22 Tape LUN states
Internal name           Console string       Explanation
LUN_DIS_LUN_NOT_FOUND   Disabled (LUN not found)   No logical unit structure in the tape module. This is an internal software error. If it occurs, contact Brocade support.
LUN_TGT_OFFLINE         Target Offline       Target port is not currently in the fabric. Check connections and the L2 port state.
LUN_ENCRYPT             Encryption enabled   The tape medium is present and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out whether the tape is encrypted in native mode or DataFort-compatible mode.
Index A add commands --add -haclustermember, 156 --add -initiator, 169, 178, 183 --add -LUN, 175, 184, 194, 198 authentication cards deregistering, 20 register from database, 19 registering from card reader, 17 setting a quorum, 20 using with card reader, 16 auto rekey viewing time left, 108 B blade processor links, 27 blade processors configuring links, 28 Brocade Encryption Switch See switch Brocade group configuring, 30 registering, 30 C cards, 23 CLI general errors and resolution, 265 using to config
cryptocfg command --add -haclustermember, 156 --add -initiator, 169, 178, 183 --add -LUN, 175, 184, 194, 198 --commit, 247 --create -container, 169, 177, 183 --create -encgroup, 146 --create -hacluster, 155 --create -tapepool, 192 --delete -container, 171, 241 --delete -encgroup, 243 --delete -hacluster, 247 --delete -tapepool, 193 --dereg -membernode, 242 --discover -LUN, 183 --discoverLUN, 173, 178 --eject -membernode, 242 --enable -LUN, 189 --enable -rekey, 198 --enable_rekey, 194 --enableEE, 162, 250 --
disk devices decommissioning, 99 disk luns decommissioning, 100 rekeying manually, 102 setting rekey all, 103 viewing rekey details, 104 disk metadata, 228 E EE state disabling from properties, 113 enabling from properties, 113 eject commands -eject -membernode, 242 enable a disabled LUN using the CLI, 228 enable commands --enable -LUN, 189 --enable -rekey, 198 --enable_rekey, 194 --enableEE, 250 enableEE, 162 encrypted LUN states, 292 encryption adding a license, 5 best practices for licensing, 5 certific
encryption group properties editing, 113 using the restore master key, 97 viewing, 113 viewing encryption group properties, 113 encryption group properties dialog box HA Clusters tab, 58, 121 Members tab, 117 encryption groups creating, 41 replacing an EE, 56 encryption node setting initialization, 29 encryption properties viewing properties, 109 encryption switch definition of, 4 initialization, 143 port labeling, 133 encryption switch or group, removing using the management application, 118 encryption tar
using the CLI, 248 removing an encryption engine using the CLI, 243 removing engines, 59, 156 removing engines from, 59 replacing a member using the CLI, 245 requirements for, 57 rules, 57, 154 swapping engines, 59, 156 HA clusters tab encryption group properties HA clusters tab, 121 high availability deployment, 38 high availability cluster adding an appliance, 36 creating, 35 hosts configuring for encryption targets, 69 HP-UX considerations, 227 http //www.gemalto.com/readers/index.
M N manual command, --manual_rekey, 199 manual re-key, 233 manual rekey viewing progress, 106 master key active, 87 alternate, 87 backing up, 11 backup, 88 create new master key, 88 creating a new, 86 description of, 86 generating, 11 reasons they are disabled, 87 restore master key, 88 viewing IDs, 160 master keys actions, 88 active, 87 alternate, 87 creating, 95 overview, 86 re-exporting, 159 restoring from a file, 92 restoring from a key vault, 93 restoring from a smart card set, 94 saving to a file, 8
remove commands --rem -haclustermember, 241 --rem -LUN, 179, 276 --remove -haclustermember, 243 --remove -initiator, 170 replace commands --replace -haclustermember, 245 --replaceEE, 240, 250 restore master key wizard, 97 resume commands --resume_rekey, 200, 276 role based access control (RBAC) permissions for cryptoCfg commands, 129 S security processor (SP) KEK status, 292 states for encryption engines, 291 security tab encryption group properties security tab, 119 security tab on management application
tape pools, 229 adding, 124 CommVault Galaxy labeling using the CLI, 191 configuring, 190 creating using the CLI, 192 deleting using the CLI, 193 description of, 124 identifying using a name or a number, 124 labeling rules, 190 modifying, 123 modifying using the CLI, 193 NetBackup labeling using the CLI, 191 NetWorker labeling using the CLI, 191 overview, 124 removing, 123 tape block zero handling, 230 tape key expiry, 230 tape pools tab encryption group properties tape pools tab, 123 target disk luns addin