Fabric OS Encryption Administrator's Guide: Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments. Supporting Fabric OS v7.1. Publication number 53-1002747-02, 25 March 2013.
Copyright © 2012- 2013 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents (excerpt)
About This Document: In this chapter, xiii; How this document is organized, xiii; Supported hardware and software, xiv; What's new in this document, xiv; Document conventions
Support for virtual fabrics, 11; Cisco Fabric Connectivity support, 12
Chapter 2 Configuring Encryption Using the Management Application: In this chapter, 13; Encryption Center features, 14; Encryption user privileges
High availability (HA) clusters, 68; HA cluster configuration rules, 68; Creating HA clusters, 69; Removing engines from an HA cluster, 70; Swapping engines in an HA cluster, 70; Failback option
Disk device decommissioning, 112; Decommissioning disk LUNs, 113; Displaying and deleting decommissioned key IDs, 113; Displaying Universal IDs, 115; Rekeying all disk LUNs manually, 115; Setting disk LUN Re-key All
Steps for connecting to a KMIP appliance (SafeNet KeySecure), 149; Setting FIPS compliance, 150; Creating a local CA, 150; Creating a server certificate, 150; Creating a cluster
Crypto LUN configuration, 182; Discovering a LUN, 183; Configuring a Crypto LUN, 183; Crypto LUN parameters and policies, 185; Configuring a tape LUN, 187; Removing a LUN from a CryptoTarget container
Deployment in Fibre Channel routed fabrics, 220; Deployment as part of an edge fabric, 222; Deployment with FCIP extension switches, 223; VMware ESX server deployments, 224
Chapter 5 Best Practices and Special Topics: In this chapter
Rekeying best practices and policies, 238; Manual rekey, 238; Latency in rekey operations, 238; Allow rekey to complete before deleting a container, 239; Rekey operations and firmware upgrades, 239; Do not change LUN configuration while rekeying
General encryption troubleshooting, 267; Troubleshooting examples using the CLI, 270; Encryption Enabled CryptoTarget LUN, 270; Encryption Disabled CryptoTarget LUN, 271; Management application encryption wizard troubleshooting, 272; Errors related to adding a switch to an existing group
About This Document
In this chapter: How this document is organized, xiii; Supported hardware and software, xiv; What's new in this document, xiv; Document conventions, xiv; Text formatting
• Chapter 6, "Maintenance and Troubleshooting," provides information on troubleshooting and the most common commands and procedures used to diagnose and recover from problems.
• Appendix A, "State and Status Information," lists the encryption engine security processor (SP) states, security processor key encryption key (KEK) status information, and encrypted LUN states.
Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
Command syntax conventions
Command syntax in this manual follows these conventions:
command: Commands are printed in bold.
--option, option: Command options are printed in bold.
-argument, arg: Arguments.
[ ]: Optional element.
variable: Variables are printed in italics. In the help pages, variables are underlined or enclosed in angle brackets < >.
...: Repeat the previous element, for example "member[;member...]".
value: Fixed values following arguments are printed in plain font.
Key terms For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xvi for instructions on accessing MyBrocade. For definitions specific to this document, see “Terminology” on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.
For information about the Key Management Interoperability Protocol standard, visit the OASIS KMIP Technical Committee website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1.
3. World Wide Name (WWN) Use the licenseIdShow command to display the WWN of the chassis. If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.
Chapter 1: Encryption Overview
In this chapter: Host and LUN considerations, 1; Terminology, 2; The Brocade Encryption Switch, 4; The FS8-18 blade, 5; FIPS mode
Terminology
The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 Level 3 standard. The term CryptoModule is used primarily in the context of FIPS 140-2 validation.
Data Encryption Key (DEK): An encryption key generated by the encryption engine.
Opaque Key Vault: A storage location that provides untrusted key management functionality; its contents may be visible to a third party. DEKs in an opaque key vault are therefore stored encrypted under a master key to protect them.
Recovery cards: A set of smart cards that contain a backup of the master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the BNA client to restore the master key.
The Brocade Encryption Switch
The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data at rest on heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data with the Advanced Encryption Standard (AES) using 256-bit keys.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs in the Brocade DCX Backbone chassis family, which includes the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis.
FIPS mode
Both the Brocade Encryption Switch and the FS8-18 blade always boot in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.
Recommendation for connectivity
To achieve high performance and throughput, the encryption engines perform what is referred to as "cut-through" encryption: the data in each frame is encrypted on a per-frame basis. This lets the encryption engine buffer only one frame, encrypt it, and send the frame on to the target for write I/Os. For read I/Os, the reverse is done.
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual property, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage
The Brocade Encryption Switch can be introduced into a SAN with minimal disruption, with no need for SAN reconfiguration and no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least as long as is needed to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
Master key management
DEKs that are stored in opaque key vaults are encrypted under a master key that is created by the encryption engine on the encryption switch. Currently, this applies to the key vaults of all supported key management systems except NetApp LKM.
Master key generation
A master key must be generated by the group leader encryption engine. The master key is generated once by the group leader and then propagated to the other members of an encryption group.
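The wrap-before-storage step described above, as an added example that is not part of this guide or of Brocade's firmware: the guide does not document the wrapping construction the encryption engine uses, so this Go code uses RFC 3394 AES Key Wrap (a standard construction for exactly this job) to show a DEK being wrapped under a 256-bit master key before it would be handed to an opaque key vault, and unwrapped again with the built-in integrity check failing closed when the stored blob has been altered or a different master key is supplied. The function names, the sample keys, and the choice of RFC 3394 are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed integrity check value of RFC 3394; an unwrap that does not
// recover exactly these 8 bytes is rejected.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapDEK wraps a DEK under the master key with RFC 3394 AES Key Wrap. The result is
// 8 bytes longer than the DEK and is what would be handed to an opaque key vault.
// (Illustrative construction; the guide does not state which one Brocade uses.)
func WrapDEK(masterKey, dek []byte) ([]byte, error) {
	if len(dek) < 16 || len(dek)%8 != 0 {
		return nil, errors.New("DEK must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(masterKey) // 16-, 24- or 32-byte master key
	if err != nil {
		return nil, err
	}
	n := len(dek) / 8
	a := append([]byte(nil), rfc3394IV...)
	r := append([]byte(nil), dek...) // R[1..n], kept contiguous
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Encrypt(buf, buf)
			t := uint64(n*j + i + 1) // RFC 3394 counter t = n*j + i, with 1-based i
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t)
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// UnwrapDEK reverses WrapDEK and fails closed when the integrity check does not match,
// which is what a wrong master key or a modified vault entry produces.
func UnwrapDEK(masterKey, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped DEK must be at least 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	if subtle.ConstantTimeCompare(a, rfc3394IV) != 1 {
		return nil, errors.New("integrity check failed: wrong master key or tampered wrapped DEK")
	}
	return r, nil
}

// NewDEK stands in for the encryption engine generating a 256-bit AES DEK.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

func main() {
	master := make([]byte, 32) // 256-bit master key, as generated by the group leader
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	dek, _ := NewDEK()
	wrapped, _ := WrapDEK(master, dek)
	fmt.Printf("wrapped DEK for the vault: %x\n", wrapped)
	wrapped[9] ^= 0x01 // a corrupted or substituted vault entry
	if _, err := UnwrapDEK(master, wrapped); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point to take from the unwrap path is that the master key does more than hide the DEK from the vault operator: the recovered check value also tells the engine that the blob it got back is the one it stored, so a wrong master key (for example after a restore from the wrong recovery card set) or a tampered entry is refused rather than turned into a garbage DEK.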
Cisco Fabric Connectivity support
The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN-OS 3.3 and later versions. Cisco fabric connectivity is provided only on the Brocade Encryption Switch; the FS8-18 blade for the Brocade DCX Backbone chassis does not support this feature.
Chapter 2: Configuring Encryption Using the Management Application
In this chapter: Encryption Center features, 14; Encryption user privileges, 15; Smart card usage, 16; Network connections
• Viewing and editing encryption group properties, 126
• Encryption-related acronyms in log messages, 140
Encryption Center features
The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Brocade Network Advisor (BNA) Management application (Figure 6).
Encryption user privileges
In BNA, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can belong to only one resource group at a time.
TABLE 1 Encryption privileges (continued)
Privilege: Storage Encryption Security
Read/Write:
• Launch the Encryption Center dialog box.
• View switch, group, or engine properties.
• View the Encryption Group Properties Security tab.
• View the LUN-centric view.
• View all rekey sessions.
• View encryption targets, hosts, and LUNs.
• Create a master key.
• Back up a master key.
• Edit a smart card.
• Establishing a trusted link with the NetApp LKM key vault.
• Decommissioning a LUN.
When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access.
Registering authentication cards from a card reader
To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security-sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
Registering authentication cards from the database
Smart cards that are already in the Management program's database can be registered as authentication cards.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (refer to Figure 6 on page 14).
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar to display the Encryption Group Properties dialog box.
Deregistering an authentication card
Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (refer to Figure 6 on page 14).
2.
Using system cards
System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring that a system card be presented at the switch or blade to enable the encryption engine after a power off.
Enabling or disabling the system card requirement
To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch. You access the system card GUI from the Security tab. Complete the following procedure to enable or disable the system card requirement.
1.
Deregistering system cards
System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (refer to Figure 6 on page 14).
2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar. The System Cards dialog box displays (refer to Figure 11 on page 21).
3.
FIGURE 12 Smart Card asset tracking dialog box
The Smart Cards table lists the known smart cards and their details. These details include the following:
• Card ID: Lists the smart card ID, prefixed with an identifier that shows how the card is used. For example, in rc.123566b700017818, rc stands for recovery card.
• Card Type: Options are System card, Authentication card, and Recovery set.
• Usage: Usage content varies based on the card type.
• Save As button: Saves the entire list of smart cards to a file. The available formats are comma-separated values (.csv) and HTML (.html).
• Card Details table: Card details vary based on the card type.
  • For Authentication cards, the Card Details table shows all group names for which the card is registered.
  • For System cards, the Card Details table shows all encryption engines for which the card is registered, by switch name and, for encryption blades, slot number.
2. Insert the smart card into the card reader.
3. After the card's ID is displayed by the card reader in the Card ID field, enter the security administrator password used to allow editing of the smart card, then click Login.
NOTE
The Card Password field is activated after the card ID is read, and the Login button is activated after the password is entered in the Card Password field.
4. Edit the card as needed.
Blade processor links
Each encryption switch or blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports are Ethernet ports that connect encryption switches and blades to other encryption switches and blades. Both ports of each encryption switch or blade must be connected to the same IP network and the same subnet. Static IP addresses should be assigned. Neither VLANs nor DHCP should be used.
3. Enter the link IP address and mask, and the gateway IP address.
• Eth0 IP/Mask identifies the Ge0 interface IP address and mask.
• Eth1 IP/Mask identifies the Ge1 interface IP address and mask.
• The Gateway IP address is optional.
4. Click OK.
Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) standardizes the communication between an enterprise key management system and an encryption device. A key vault appliance that is otherwise supported through its vendor-specific interface can instead be used in KMIP mode. Currently, KMIP versions 1.0 and 1.1 are supported.
NOTE
Currently, only KMIP with SafeNet KeySecure 6.1 in native KMIP mode is supported.
The KMIP KAC adapter provides configurable HA support.
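For readers who want to see what "standardizes the communication" means on the wire, here is an added example (not code from this guide, from Brocade, or from SafeNet) in Go that encodes and parses KMIP's TTLV (Tag, Type, Length, Value) framing and builds the Get request an encryption node would send to retrieve a DEK from the vault by unique identifier. The tag, type, and operation constants are the KMIP 1.0/1.1 values as I recall them from the OASIS specification and should be checked against the specification before anything depends on them; the identifier string, the 16-level nesting limit, and the function names are this example's own. The decoder checks every length before it slices, because in production these bytes arrive from a remote appliance.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TTLV item types used here (KMIP 1.0 encoding section; verify against the spec).
const (
	TypeStructure   byte = 0x01
	TypeInteger     byte = 0x02
	TypeEnumeration byte = 0x05
	TypeTextString  byte = 0x07
)

// Tags from the KMIP 1.0 tag table (verify against the spec your vault implements).
const (
	TagRequestMessage       uint32 = 0x420078
	TagRequestHeader        uint32 = 0x420077
	TagProtocolVersion      uint32 = 0x420069
	TagProtocolVersionMajor uint32 = 0x42006A
	TagProtocolVersionMinor uint32 = 0x42006B
	TagBatchCount           uint32 = 0x42000D
	TagBatchItem            uint32 = 0x42000F
	TagOperation            uint32 = 0x42005C
	TagRequestPayload       uint32 = 0x420079
	TagUniqueIdentifier     uint32 = 0x420094
)

// OpGet is the Operation enumeration value for Get.
const OpGet uint32 = 0x0A

// Item is one TTLV element. Children is populated only for structures.
type Item struct {
	Tag      uint32
	Type     byte
	Value    []byte
	Children []Item
}

func Structure(tag uint32, kids ...Item) Item { return Item{Tag: tag, Type: TypeStructure, Children: kids} }
func Text(tag uint32, s string) Item           { return Item{Tag: tag, Type: TypeTextString, Value: []byte(s)} }
func Integer(tag uint32, v int32) Item         { return u32Item(tag, TypeInteger, uint32(v)) }
func Enumeration(tag uint32, v uint32) Item    { return u32Item(tag, TypeEnumeration, v) }

// u32Item builds a 4-byte big-endian value; Encode pads it to 8 bytes as the spec requires.
func u32Item(tag uint32, typ byte, v uint32) Item {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return Item{Tag: tag, Type: typ, Value: b}
}

// Uint32 returns the numeric value of an Integer or Enumeration item.
func (it Item) Uint32() uint32 { return binary.BigEndian.Uint32(it.Value) }

// Encode emits tag (3 bytes), type (1), length (4, the unpadded value length) and the value
// padded with zeros to an 8-byte boundary; a structure's value is its encoded children.
func (it Item) Encode() []byte {
	var val []byte
	if it.Type == TypeStructure {
		for _, c := range it.Children {
			val = append(val, c.Encode()...)
		}
	} else {
		val = it.Value
	}
	out := []byte{byte(it.Tag >> 16), byte(it.Tag >> 8), byte(it.Tag), it.Type, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(out[4:8], uint32(len(val)))
	out = append(out, val...)
	return append(out, make([]byte, (8-len(val)%8)%8)...)
}

// Decode parses one item and returns it with the number of bytes consumed, padding included.
// Lengths are validated before slicing so a hostile or truncated message cannot panic the parser.
func Decode(b []byte, depth int) (Item, int, error) {
	if depth > 16 {
		return Item{}, 0, errors.New("ttlv: nesting too deep")
	}
	if len(b) < 8 {
		return Item{}, 0, errors.New("ttlv: truncated header")
	}
	it := Item{Tag: uint32(b[0])<<16 | uint32(b[1])<<8 | uint32(b[2]), Type: b[3]}
	n := int(binary.BigEndian.Uint32(b[4:8]))
	if n < 0 || n > len(b)-8 {
		return Item{}, 0, errors.New("ttlv: length exceeds buffer")
	}
	total := 8 + n + (8-n%8)%8
	if total > len(b) {
		return Item{}, 0, errors.New("ttlv: padding exceeds buffer")
	}
	val := b[8 : 8+n]
	if it.Type != TypeStructure {
		it.Value = append([]byte(nil), val...)
		return it, total, nil
	}
	for off := 0; off < n; {
		child, used, err := Decode(val[off:], depth+1)
		if err != nil {
			return Item{}, 0, err
		}
		it.Children = append(it.Children, child)
		off += used
	}
	return it, total, nil
}

// Find follows a path of tags down through nested structures.
func Find(root Item, path ...uint32) (Item, bool) {
	cur := root
	for _, tag := range path {
		found := false
		for _, c := range cur.Children {
			if c.Tag == tag {
				cur, found = c, true
				break
			}
		}
		if !found {
			return Item{}, false
		}
	}
	return cur, true
}

// GetRequest builds a KMIP 1.1 Get request for one managed object: what an encryption
// node sends when it needs a DEK back from the vault by its unique identifier.
func GetRequest(uid string) []byte {
	return Structure(TagRequestMessage,
		Structure(TagRequestHeader,
			Structure(TagProtocolVersion, Integer(TagProtocolVersionMajor, 1), Integer(TagProtocolVersionMinor, 1)),
			Integer(TagBatchCount, 1)),
		Structure(TagBatchItem,
			Enumeration(TagOperation, OpGet),
			Structure(TagRequestPayload, Text(TagUniqueIdentifier, uid)))).Encode()
}

func main() {
	msg := GetRequest("dek-0001") // identifier constructed for this example
	fmt.Printf("%d bytes: %x\n", len(msg), msg)
	root, _, err := Decode(msg, 0)
	if err != nil {
		panic(err)
	}
	uid, _ := Find(root, TagBatchItem, TagRequestPayload, TagUniqueIdentifier)
	fmt.Println("unique identifier:", string(uid.Value))
}
```

Two details matter when you read a KMIP trace from a KeySecure: the length field is the unpadded value length, so a 4-byte Integer is declared as length 4 but occupies 8 bytes, and a structure's declared length already includes its children's padding. The same framing carries the response, so a parser with these bounds checks is what sits between the vault and the key material on the switch.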
NOTE
If you are configuring two KeySecure nodes, you must complete step 1 through step 6 on the primary node, then complete step 7 on the secondary node. If only a single node is being configured, step 7 is not needed.
The following is a suggested order of the steps that must be completed to create a secure connection to the SafeNet KeySecure.
1. Set FIPS compliance. Refer to "Setting FIPS compliance" on page 31.
2. Create a local CA.
Setting FIPS compliance
1. From the KeySecure Management Console, select the Security tab, then select Advanced Security > High Security. The High Security Configuration page displays (Figure 15).
FIGURE 15 KeySecure High Security Configuration page
2. Under FIPS Compliance, set FIPS Compliance to Yes. This ensures that only TLS 1.0 connections are supported between the Brocade Encryption Switch and the KeySecure.
Creating a local CA
1. From the KeySecure Management Console, select the Security tab, then select CAs & SSL Certificates > Local CAs. The Certificate and CA Configuration page displays (Figure 16).
FIGURE 16 KeySecure Certificate and CA Configuration - Create Local Certificate Authority
2. Under Create Local Certificate Authority, enter the organization information in the fields provided, then click Create.
Creating a server certificate
1. From the Security tab, select CAs & SSL Certificates > SSL Certificates. The Certificate and CA Configuration page displays (Figure 18).
FIGURE 18 KeySecure Certificate and CA Configuration page
2. Under Create Certificate Request, enter your organization information in the fields provided, then click Create Certificate Request. (The example uses "Safenet75ServerCert" as the server certificate name.)
FIGURE 19 KeySecure Certificate and CA Configuration - Certificate List
3. Verify that the server certificate status is shown as Request Pending.
4. Click the name of the server certificate that you just created (Safenet75ServerCert), which displays the certificate contents (Figure 20).
5. Copy the certificate contents.
6. From the Security tab, select CAs & SSL Certificates > Local CAs. The Certificate and CA Configuration page displays.
7. Under Local Certificate Authority List, select the local CA certificate you just created (SafeNetCA), then click Sign Request (Figure 21).
8. Select Server as the Certificate Purpose and verify the Certificate Duration. The default is 3649 days.
9. Paste the certificate request contents that you copied in step 5 into the Certificate Request text box, then click Sign Request. The Certificate and CA Configuration page refreshes and the certificate information is displayed under Certificate Request Information (Figure 23).
FIGURE 24 KeySecure Certificate and CA Configuration - Certificate Installation
14. After the page refreshes, the new certificate information is displayed in the Certificate List table (Figure 25).
FIGURE 25 KeySecure Certificate and CA Configuration - Certificate List
15. Verify that the server certificate status is shown as Active.
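What the KeySecure console does in "Creating a local CA" and "Creating a server certificate", and again with the Client purpose in "Signing the encryption node KAC CSR" later in this chapter, can be reproduced with any X.509 toolkit. Here is an added example in Go (not code from this guide, from Brocade, or from SafeNet) that creates a local CA, signs one CSR with the Server purpose and another with the Client purpose, and then checks what those purposes enforce: a certificate issued for the Client purpose chains to the CA but is rejected when verified as a server certificate, which is the failure you see at TLS time if the purposes are swapped. The names "LocalCA", "keysecure-node1" and "encryption-node-kac", the use of ECDSA P-256, and all function names are this example's own; the 3649-day lifetime is the default shown in the procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Certificate purposes as offered on the KeySecure "Sign Request" page; they become
// the extended key usage of the issued certificate.
const (
	PurposeServer = x509.ExtKeyUsageServerAuth
	PurposeClient = x509.ExtKeyUsageClientAuth
)

// CA is the local certificate authority (the procedure's "SafeNetCA"; name assumed here).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewLocalCA corresponds to "Creating a local CA": a self-signed CA:TRUE certificate
// whose key usage permits signing other certificates.
func NewLocalCA(name string, days int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// NewCSR models "Create Certificate Request" on the KeySecure and the KAC CSR an encryption
// node generates at initialization: the private key is created and kept by the requester.
func NewCSR(cn string) (*x509.CertificateRequest, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// SignRequest corresponds to "Sign Request" with a Certificate Purpose and a duration in days.
func (ca *CA) SignRequest(csr *x509.CertificateRequest, purpose x509.ExtKeyUsage, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, err
	}
	if purpose != PurposeServer && purpose != PurposeClient {
		return nil, errors.New("purpose must be Server or Client")
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{purpose},
		BasicConstraintsValid: true, // IsCA false: the leaf cannot issue certificates itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyFor is the check a TLS peer performs: the certificate must chain to the local CA
// and carry the purpose expected of that peer (server or client).
func (ca *CA) VerifyFor(cert *x509.Certificate, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err
}

// ValidDays returns the certificate lifetime in whole days.
func ValidDays(cert *x509.Certificate) int {
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
}

func main() {
	ca, err := NewLocalCA("LocalCA", 3649)
	if err != nil {
		panic(err)
	}
	serverCSR, _, _ := NewCSR("keysecure-node1")
	server, _ := ca.SignRequest(serverCSR, PurposeServer, 3649)
	nodeCSR, _, _ := NewCSR("encryption-node-kac")
	node, _ := ca.SignRequest(nodeCSR, PurposeClient, 3649)
	fmt.Println("server cert as server:", ca.VerifyFor(server, PurposeServer))
	fmt.Println("KAC cert as client:   ", ca.VerifyFor(node, PurposeClient))
	fmt.Println("KAC cert as server:   ", ca.VerifyFor(node, PurposeServer))
}
```

The check worth keeping from this is VerifyFor: run it against the signed KAC certificate with the Client purpose before importing it into the node, and against the KeySecure server certificate with the Server purpose, and a purpose mix-up shows up here rather than as an opaque TLS handshake failure during key vault registration.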
Creating a cluster
1. From the KeySecure Management Console, select the Device tab, then select Device Configuration > Cluster. The Cluster Configuration page displays (Figure 26).
FIGURE 26 KeySecure Cluster Configuration page
2. Under Create Cluster, enter a user-defined password in the fields provided, then click Create.
FIGURE 27 KeySecure Cluster Configuration page
4. Under Cluster Settings, click Download Cluster Key (Figure 28). You will be prompted to enter a local file name.
Configuring a Brocade group on the KeySecure appliance
A Brocade group is configured on the KeySecure appliance for all keys created by encryption switches and blades. This needs to be done only once for each key vault.
1. Log in to the KeySecure web management console using the admin password.
2. Select the Security tab.
3. Select Local Users & Groups under Users & Groups.
4. Select Add under Local Users.
5.
Registering the KeySecure Brocade group user name and password
The Brocade group user name and password you created when configuring a Brocade group on the KeySecure appliance must also be registered on each encryption node.
NOTE
This operation can be performed during or after the creation of the encryption group. During the creation of an encryption group, the key vault step prompts for a user name and password.
1.
Signing the encryption node KAC CSR on the KMIP appliance
The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on the KMIP appliance (KeySecure). The signed certificate must then be imported back into the encryption node.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (refer to Figure 6 on page 14).
2.
FIGURE 31 Certificate and CA Configuration page - Sign Certificate Request
9. Select the local CA from the Sign with Certificate Authority drop-down list. The example uses "SafeNetCA".
10. Select Client as the Certificate Purpose.
11. Set the Certificate Duration. (The default is 3649 days.)
12. Paste the file contents that you copied in step 3 into the Certificate Request area.
13. Click Sign Request.
14.
FIGURE 32 Import Signed Certificate dialog box
3. Browse to the location where the signed certificate is stored, then click OK. The signed certificate is stored on the switch.
Backing up the certificates
1. From the KeySecure Management Console, select the Device tab, then select Maintenance > Backup & Restore > Create Backup. The Backup and Restore page displays (Figure 33).
FIGURE 33 KeySecure Backup and Restore page
2.
FIGURE 34 Backup and Restore - Device items
5. Select the items for backup, then click Continue. The Create Backup dialog box displays (Figure 35), which is used for setting backup details.
FIGURE 35 Backup and Restore - Backup details
6. Enter backup details in the fields provided, then click Backup to initiate the backup process.
7. Restore this backup file on the secondary clustered SSKM server.
Configuring the KMIP server
1. From the KeySecure Management Console, select the Device tab, then select Device Configuration > Key Server > Key Server. The Cryptographic Key Server Configuration page displays (Figure 36).
FIGURE 36 KeySecure Cryptographic Key Server Configuration page
2. Under Cryptographic Key Server Settings, select KMIP as the protocol.
3. Ensure that the Use SSL check box is selected.
4.
Adding a node to the cluster
Perform the following steps on the secondary KeySecure node when adding it to the cluster.
1. From the KeySecure Management Console, select the Device tab, then select Device Configuration > Cluster. The Cluster Configuration page displays (Figure 37).
FIGURE 37 KeySecure Cluster Configuration page
2. Under Join Cluster, enter the cluster information that you configured for the primary KeySecure node.
FIGURE 38 KeySecure Cluster Configuration - Cluster Members
6. Verify that both KeySecure nodes are shown as Active.
7. From the Device tab, select Maintenance > Backup & Restore > Restore Backup. The Backup and Restore page displays (Figure 39).
8. Under Restore Backup, select Upload from browser, then enter a file name or browse to the file location.
9. Enter the Backup Password in the field provided, then click Restore.
10. After the certificate is restored to the secondary node from the backup previously taken on the primary node, select Maintenance > Services. The Services Configuration page displays (Figure 40).
NOTE
A message displays, advising that the secondary node requires a restart.
• An external host is available on the LAN to facilitate certificate exchange.
• Switch KAC certificates have been signed by a CA and stored in a known location.
• Key management system (key vault) certificates have been obtained and stored in a known location.
Creating an encryption group
The following steps describe how to start and run the encryption setup wizard and create a new encryption group.
5. Select Security Settings.
6. Confirm the configuration.
7. Configuration Status.
8. Read Instructions.
FIGURE 42 Configure Switch Encryption wizard - welcome screen
4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays (Figure 43).
FIGURE 43 Designate Switch Membership dialog box
5. For this procedure, verify that Create a new encryption group containing just this switch is selected, then click Next.
NOTE
If you are adding a switch to an existing encryption group, refer to "Adding a switch to an encryption group" on page 61.
The Create a New Encryption Group dialog box displays (Figure 44).
The dialog box contains the following information:
• Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive.
• Failback mode: Selects whether or not storage targets should be automatically transferred back to an encryption engine that comes online after being unavailable. Options are Automatic or Manual.
Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Before you select a Key Vault Type, the selection is shown as None. The dialog box contains the following information:
• Key Vault Type: If an encryption group contains nodes running mixed firmware versions, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader.
Configuring key vault settings for Key Management Interoperability Protocol (KMIP)
The following procedure assumes you have already completed the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to "Creating an encryption group" on page 50.
NOTE
Before selecting KMIP as the key vault type, ensure that all nodes in the encryption group are running Fabric OS 7.1.0 or later.
4. (Optional) Enter a Backup Key Vault IP address or hostname and port number, and a Backup Certificate File, or browse to the desired location.
5. Select the method for user authentication. Options are:
• Username and Password: Activates the Primary and Backup Key Vault User Name and password fields for completion.
• Username: Activates the Primary and Backup Key Vault User Name fields for completion.
Creating an encryption group FIGURE 48 2 Specify Master Key File Name dialog box 9. Enter the name of the file used for backing up the master key, or browse to the desired location. 10. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed. 11. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays (Figure 49).
2 Creating an encryption group FIGURE 49 Select Security Settings dialog box 12. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards.
Creating an encryption group FIGURE 50 2 Confirm Configuration dialog box 14. Confirm the encryption group name and switch public key certificate file name you specified are correct, then click Next. The Configuration Status dialog box displays (Figure 51).
2 Creating an encryption group All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified. After configuration of the encryption group is completed, BNA sends API commands to verify the switch configuration. 15. Click Next. The Next Steps dialog box displays (Figure 52).
3. Register the key vault. BNA registers the key vault using the cryptocfg --reg keyvault command.
4. Enable the encryption engines. BNA initializes an encryption switch using the cryptocfg --initEE [] and cryptocfg --regEE [] commands.
5. Create a new master key (opaque key vaults only). BNA checks for a new master key. New master keys are generated from the Security tab located in the Encryption Group Properties dialog box.
FIGURE 53 Configure Switch Encryption wizard - welcome screen
3. Click Next. The Designate Switch Membership dialog box displays (Figure 54).
FIGURE 54 Designate Switch Membership dialog box
4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays (Figure 55).
The dialog box contains the following information:
• Encryption Groups table: Enables you to select the encryption group to which to add the switch.
• Member Switches table: Lists the switches in the selected encryption group.
NOTE If you are creating a new encryption group, refer to “Creating an encryption group” on page 50.
FIGURE 55 Add Switch to Existing Encryption Group dialog box
5. Select the group to which to add the switch, then click Next.
FIGURE 56 Specify Public Key Certificate (KAC) File Name dialog box
6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays (Figure 57). Confirm that the encryption group name and switch public key certificate file name you specified are correct, then click Next.
FIGURE 58 Configuration Status dialog box
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating that the encryption switch was added to the group you named and that the public key certificate is stored in the location you specified.
7. Review important messages, then click Next. The Error Instructions dialog box displays (Figure 59).
FIGURE 59 Error Instructions dialog box
8. Review the post-configuration instructions, which you can copy to a clipboard or print for later.
9. Click Finish to exit the Configure Switch Encryption wizard.
Replacing an encryption engine in an encryption group
To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
High availability (HA) clusters
A high availability (HA) cluster consists of exactly two encryption engines configured to host the same CryptoTargets and to provide Active/Standby failover and failback capabilities in a single fabric. One encryption engine can take over encryption and decryption tasks for the other encryption engine if that member fails or becomes unreachable.
Creating HA clusters
For the initial encryption node, perform the following procedure.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar.
NOTE If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar.
3. Click the right arrow to add the encryption engine to the selected HA cluster.
4. Click OK.
Removing engines from an HA cluster
Removing the last engine from an HA cluster also removes the HA cluster. If only one engine is removed from the cluster, you must either add another engine to the cluster or remove the other engine.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
Failback option
The Failback option determines the behavior when a failed encryption engine is restarted. When the first encryption engine comes back online, the encryption group’s failback setting (auto or manual) determines how the encryption engine resumes encrypting and decrypting traffic to its encryption targets.
• In auto mode, when the first encryption engine restarts, it automatically resumes encrypting and decrypting traffic to its encryption targets.
6. Configuration Status
7. Important Instructions
Adding an encryption target
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select the group, switch, or engine to which to add the target from the Encryption Center Devices table, then select Group/Switch/Engine > Targets from the menu task bar.
FIGURE 63 Configure Storage Encryption welcome screen
4. Click Next. The Select Encryption Engine dialog box displays (Figure 64).
The dialog box contains the following information:
• Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed:
• If an encryption group was selected, the list includes all engines in the group.
• If a switch was selected, the list includes all encryption engines for the switch.
• If a single encryption engine was selected, the list contains only that engine.
6. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all the target information that the nsShow command displays.) You can also enter WWNs manually, for example, to specify a target that is not on the list.
7. Select a target type from the Type list, then click Next. The Select Hosts dialog box displays (Figure 66). You can configure hosts for the selected target device ports.
NOTE You must enter the host node world wide name before clicking Add to add the WWN to the Selected Hosts table.
• Node WWN text box: Type a world wide name for a host node.
NOTE You must also enter the host port world wide name before clicking Add to add the node WWN to the Selected Hosts table.
• Device Type: The device type indicated by the fabric’s name service. The value is either Initiator or Initiator + Target.
FIGURE 67 Name Container dialog box
10. Enter the container name. The container name is the logical encryption name; enter one to use a name other than the default. You can use a maximum of 31 characters. Letters, digits, and underscores are allowed.
11. Click Next. The Confirmation screen displays (Figure 68). The confirmation screen confirms and completes configuration of encryption engines, targets, and hosts.
The screen contains the following information:
• Encryption Engine: The slot location of the encryption engine.
• Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
• Target Device Port: The world wide name of the target device port.
• Host Node WWN: The world wide name of the host node.
• Host Port WWN: The world wide name of the host port.
• Host Name: The name of the host.
12.
13. Review any post-configuration instructions or messages, which you can copy to a clipboard or print for later, then click Next. The Next Steps screen displays (Figure 70). Post-configuration instructions for installing public key certificates for the encryption switch are displayed. These instructions are specific to the key vault type.
Configuring hosts for encryption targets
Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.
NOTE Hosts are normally selected as part of the Configure Switch Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
FIGURE 72 Encryption Target Hosts dialog box
NOTE Both the Host Ports in Fabric table and the Selected Hosts table now contain a Port ID column that displays the 24-bit PID of the host port.
4. Select one or more hosts in a fabric using either of the following methods:
a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table.
Adding target disk LUNs for encryption
You can add a new path to an existing disk LUN, or add a new LUN and path, by launching the Add New Path wizard. Before you can add a target disk LUN for encryption, you must first configure storage arrays. For more information, refer to “Configuring storage arrays” on page 87. To launch the wizard, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
• Encryption Mode
• Encrypt Existing Data
• Key ID
• Remove button: Removes a selected entry from the table.
3. Click Add to launch the Add New Path wizard. The Select Target Port dialog box displays (Figure 74).
FIGURE 74 Select Target Port dialog box
This dialog box is used to select a target port when configuring multiple I/O paths to a disk LUN.
FIGURE 75 Select Initiator Port dialog box
This dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.
• Host: The host selected from the LUN view prior to launching the wizard.
FIGURE 76 Select LUN dialog box
This dialog box is used to select a LUN when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: The storage array selected from the LUN view prior to launching the Add New Path wizard.
• Host: The host selected from the LUN view prior to launching the Add New Path wizard.
NOTE With the introduction of Fabric OS v7.1.0, the maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. The 512 LUN operations can all be for the same LUN or be spread across up to 25 distinct LUNs. This higher commit limit applies only when using BNA. Earlier Fabric OS versions allowed a maximum of 25 uncommitted changes per disk LUN.
Configuring storage arrays
The Storage Array contains a list of storage ports that are used later in the LUN-centric view. You must assign storage ports from the same storage array for multi-path I/O purposes. In the LUN-centric view, storage ports in the same storage array are used to get the associated CryptoTarget containers and initiators from the database.
Adding target tape LUNs for encryption
FIGURE 78 Encryption Targets dialog box
3. Select a target tape storage device from the Encryption Targets table, then click LUNs. The Encryption Target Tape LUNs dialog box displays (Figure 79).
FIGURE 79 Encryption Target Tape LUNs dialog box
4. Click Add. The Add Encryption Target Tape LUNs dialog box displays (Figure 80). All LUNs in the storage device that are visible to hosts are listed in the table.
FIGURE 80 Add Encryption Target Tape LUNs dialog box
5. Select a host from the Host list. Before you encrypt a LUN, you must select a host, then either discover the LUNs that are visible to the virtual initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host. When you select a specific host, only the LUNs visible to that host are displayed.
• Enable Read Ahead: When selected, enables read pre-fetching on this tape LUN. Use this option to speed long serial read operations from tape, especially for remote restore operations.
NOTE The Select/Deselect All button allows you to select or deselect all available LUNs.
8. Select the desired encryption mode. Options are: Native Encryption, DF-Compatible Encryption, and Cleartext.
Configuring encrypted tape storage in a multi-path environment
This example assumes one host is accessing one storage device using two paths:
• The first path is from Host Port A to Target Port A, using Encryption Engine A for encryption.
• The second path is from Host Port B to Target Port B, using Encryption Engine B for encryption.
Encryption Engines A and B are in switches that are already part of Encryption Group X.
Tape LUN write early and read ahead
The tape LUN write early and read ahead feature uses tape pipelining and prefetch to speed serial access to tape storage. These features are particularly useful when performing backup and restore operations, especially over long distances. You can enable tape LUN write early and read ahead while adding the tape LUN for encryption, or you can enable or disable these features after the tape LUN has been added for encryption.
FIGURE 82 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early
4. When the table is populated, set these features as desired for each LUN in the Enable Write Early Ack and Enable Read Ahead columns:
• To enable write early for a specific tape LUN, select Enable Write Early Ack for that LUN.
• To enable read ahead for a specific LUN, select Enable Read Ahead for that LUN.
Tape LUN statistics
Viewing and clearing tape container statistics
You can view LUN statistics for an entire crypto tape container or for specific LUNs. To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a group from the Encryption Center Devices table, then select Group > Targets from the menu task bar.
• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
• Compressed blocks: The number of compressed blocks written to tape.
• Uncompressed Bytes: The number of uncompressed bytes written to tape.
• Compressed Bytes: The number of compressed bytes written to tape.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
FIGURE 85 Target Tape LUNs dialog box
4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays (Figure 86). The statistics for the LUN or LUNs you selected are listed in the table. Tape LUN statistics are cumulative.
FIGURE 86 Tape LUN Statistics dialog box
The dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
• A Refresh button updates the statistics on the display since the last reset.
• A Clear button resets all statistics in the display.
5. Do either of the following:
• Click Clear to clear the tape LUN statistics, then click Yes to confirm.
• Click Refresh to view the current statistics, cumulative since the last reset.
Viewing and clearing statistics for tape LUNs in a container
To view or clear statistics for tape LUNs in a container, follow these steps:
1.
FIGURE 88 Tape LUN Statistics dialog box
The dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
• Tape Volume/Pool: The tape volume label of the currently mounted tape, if a tape session is currently in progress.
• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
During rebalancing operations, be aware of the following:
• You might notice a slight disruption in disk I/O. In some cases, manual intervention may be needed.
• Backup jobs to tapes might need to be restarted after rebalancing is completed.
To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS 6.4, a field indicates whether or not rebalancing is recommended.
Master keys
The new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured) until you back up the new master key. After you have backed up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed. Rekeying causes a new data encryption key to be created and encrypted using the new active master key, thereby removing any dependency on the old master key.
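The key hierarchy behind the rekey recommendation above, as an added example that is not part of the original guide: a master key wraps each LUN's data encryption key (DEK), and a rekey generates a new DEK, re-encrypts the LUN data with it and wraps the new DEK under the new active master key, so the old master key can no longer unwrap anything. The AES-GCM wrapping, the 256-bit key sizes, the sample LUN contents and the MKID bookkeeping field are assumptions made for this illustration, not Brocade's on-switch format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedDEK is a data encryption key encrypted (wrapped) under a master key.
// MKID records which master key wrapped it; this field is an assumption for
// the example, not a documented Brocade structure.
type WrappedDEK struct {
	MKID  int
	Nonce []byte
	Blob  []byte // AES-GCM ciphertext of the raw DEK
}

// EncryptedLUN is LUN data encrypted under a DEK that is itself wrapped.
type EncryptedLUN struct {
	Key   WrappedDEK
	Nonce []byte
	Data  []byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return a
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte) {
	a := gcm(key)
	nonce = randBytes(a.NonceSize())
	return nonce, a.Seal(nil, nonce, plaintext, nil)
}

// open decrypts and authenticates; a wrong key fails the GCM tag check.
func open(key, nonce, ct []byte) ([]byte, error) {
	return gcm(key).Open(nil, nonce, ct, nil)
}

// WrapDEK encrypts a DEK under the active master key.
func WrapDEK(mkID int, mk, dek []byte) WrappedDEK {
	nonce, blob := seal(mk, dek)
	return WrappedDEK{MKID: mkID, Nonce: nonce, Blob: blob}
}

// UnwrapDEK recovers the DEK; it fails unless mk is the key that wrapped it.
func UnwrapDEK(mk []byte, w WrappedDEK) ([]byte, error) {
	return open(mk, w.Nonce, w.Blob)
}

// EncryptLUN creates a fresh DEK, encrypts the data with it and wraps the DEK
// under the active master key.
func EncryptLUN(mkID int, mk, data []byte) EncryptedLUN {
	dek := randBytes(32)
	nonce, ct := seal(dek, data)
	return EncryptedLUN{Key: WrapDEK(mkID, mk, dek), Nonce: nonce, Data: ct}
}

// DecryptLUN unwraps the DEK with the given master key, then decrypts the data.
func DecryptLUN(mk []byte, l EncryptedLUN) ([]byte, error) {
	dek, err := UnwrapDEK(mk, l.Key)
	if err != nil {
		return nil, errors.New("master key cannot unwrap this LUN's DEK")
	}
	return open(dek, l.Nonce, l.Data)
}

// RekeyLUN performs the rekey step: recover the data with the old master key,
// then re-encrypt it under a NEW DEK wrapped by the NEW active master key.
// Afterwards nothing about the LUN depends on the old master key.
func RekeyLUN(oldMK []byte, newMKID int, newMK []byte, l EncryptedLUN) (EncryptedLUN, error) {
	plain, err := DecryptLUN(oldMK, l)
	if err != nil {
		return EncryptedLUN{}, err
	}
	return EncryptLUN(newMKID, newMK, plain), nil
}

func main() {
	mk1, mk2 := randBytes(32), randBytes(32) // old and new active master keys
	lun := EncryptLUN(1, mk1, []byte("constructed LUN block contents"))
	rekeyed, _ := RekeyLUN(mk1, 2, mk2, lun)
	_, errOld := DecryptLUN(mk1, rekeyed)
	plain, _ := DecryptLUN(mk2, rekeyed)
	fmt.Printf("old master key still unwraps after rekey: %v\n", errOld == nil)
	fmt.Printf("new master key recovers data: %s\n", plain)
}
```

Until the rekey runs, the old master key is still the only key that can unwrap the LUN's DEK, which is exactly why the guide says to back up the new master key first and then rekey every encrypted disk LUN.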
Refer to the following procedures for more information:
- “Saving the master key to a file” on page 101
- “Saving a master key to a key vault” on page 102
- “Saving a master key to a smart card set” on page 103
You must back up the master key when the status is Created but not backed up.
• Restore master key: Enabled when no master key exists or the previous master key has been backed up. This option is also enabled when using a DPM key vault.
FIGURE 89 Backup Destination (to file) dialog box
4. Select File as the Backup Destination.
5. Enter a file name, or browse to the desired location.
6. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
7. Re-enter the passphrase for verification, then click OK.
ATTENTION Save the passphrase. This passphrase is required if you ever need to restore the master key from the file.
FIGURE 90 Backup Destination (to key vault) dialog box
4. Select Key Vault as the Backup Destination.
5. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
6. Re-enter the passphrase for verification, then click OK. A dialog box displays that shows the Key ID. The Key ID identifies the storage location in the key vault.
7. Store both the Key ID and the passphrase in a secure place.
FIGURE 91 Backup Destination (to smart cards) dialog box
4. Select A Recovery Set of Smart Cards as the Backup Destination.
5. Enter the recovery card set size.
6. Insert the first blank card and wait for the card serial number to appear.
7. Run each additional card needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
8.
Saving a master key to a smart card set - Overview
A card reader must be attached to the SAN Management application PC to save a master key to a recovery card. Recovery cards can be written only once, to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
NOTE Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system.
FIGURE 92 Select a Master Key to Restore (from file) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select File as the Restore From location.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.
Restoring a master key from a key vault
Use the following procedure to restore the master key from a key vault:
1.
FIGURE 93 Select a Master Key to Restore (from key vault) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select Key Vault as the Restore From location.
6. Enter the key ID of the master key that was backed up to the key vault.
7. Enter the passphrase. The passphrase that was used to back up the master key must be used to restore the master key.
8. Click OK.
FIGURE 94 Select a Master Key to Restore (from a recovery set of smart cards) dialog box
4. Choose the active or alternate master key for restoration, as appropriate.
5. Select A Recovery Set of Smart Cards as the Restore From location.
6. Insert the recovery card containing a share of the master key that was backed up earlier, and wait for the card serial number to appear.
7. Enter the password that was used to create the card.
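The share-based recovery used by the smart card procedures above (a recovery set of a chosen size, one share of the master key per card, and a quorum of card holders for sensitive operations), as an added example that is not part of the original guide. The guide does not say which splitting scheme the recovery cards implement; this example assumes Shamir's secret sharing over a 256-bit prime field with a quorum of k shares out of a set of n, to show why any k cards recover the key and fewer than k recover nothing useful. Card serial numbers, card passwords and the reader are not modeled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field prime 2^256 - 2^32 - 977, large enough to hold a 256-bit master key.
// The prime and the scheme are assumptions for this illustration.
var prime = func() *big.Int {
	p := new(big.Int).Lsh(big.NewInt(1), 256)
	p.Sub(p, new(big.Int).Lsh(big.NewInt(1), 32))
	return p.Sub(p, big.NewInt(977))
}()

// Share is what one recovery card would hold: its index and f(index).
type Share struct {
	X int      // card index 1..n; x = 0 is the secret and is never issued
	Y *big.Int // polynomial evaluated at X
}

// Split produces n shares of secret such that any k of them recover it.
func Split(secret []byte, k, n int) ([]Share, error) {
	s := new(big.Int).SetBytes(secret)
	if k < 2 || n < k || s.Cmp(prime) >= 0 {
		return nil, errors.New("invalid quorum/set size or secret too large for field")
	}
	// f(x) = s + a1*x + ... + a(k-1)*x^(k-1) with random coefficients, so the
	// constant term (the secret) is determined only by k or more points.
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		a, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, a)
	}
	shares := make([]Share, 0, n)
	for x := 1; x <= n; x++ {
		bx := big.NewInt(int64(x))
		y := new(big.Int)
		for i := len(coeffs) - 1; i >= 0; i-- { // Horner evaluation mod prime
			y.Mul(y, bx)
			y.Add(y, coeffs[i])
			y.Mod(y, prime)
		}
		shares = append(shares, Share{X: x, Y: y})
	}
	return shares, nil
}

// Combine interpolates f(0) from the given shares. With k or more distinct
// shares the result is the secret; with fewer it is an unrelated field element,
// so the caller must enforce the quorum size before trusting the output.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	seen := map[int]bool{}
	for _, sh := range shares {
		if sh.X <= 0 || seen[sh.X] {
			return nil, errors.New("duplicate or invalid share index")
		}
		seen[sh.X] = true
	}
	acc := new(big.Int)
	for i, si := range shares {
		// Lagrange basis at x=0: l_i(0) = prod_{j!=i} x_j / (x_j - x_i)
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.X))
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, xj)
			num.Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(xj, xi))
			den.Mod(den, prime) // Euclidean Mod keeps den in [0, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		acc.Add(acc, term)
		acc.Mod(acc, prime)
	}
	if acc.BitLen() > secretLen*8 {
		return nil, errors.New("reconstructed value does not fit the expected key length")
	}
	return acc.FillBytes(make([]byte, secretLen)), nil
}

func main() {
	master := make([]byte, 32) // constructed 256-bit master key
	rand.Read(master)
	shares, _ := Split(master, 3, 5) // recovery set of 5 cards, quorum of 3
	got, _ := Combine(shares[1:4], len(master))
	fmt.Println("3 of 5 cards recover the master key:", bytes.Equal(got, master))
	few, _ := Combine(shares[:2], len(master))
	fmt.Println("2 of 5 cards recover the master key:", bytes.Equal(few, master))
}
```

The same arithmetic explains the guide's operational rules: each backup needs a fresh, unused card set because a card's share is tied to one polynomial, and a card set is only as good as the quorum you can still assemble, so record who holds which card.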
Security Settings
Security settings help you identify whether system cards are required to initialize an encryption engine, and also determine the number of authentication cards needed for a quorum.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar. The Select Security Settings dialog box displays.
Zeroizing an encryption engine
NOTE Zeroizing an engine affects I/O, but all target and LUN configuration remains intact. Encryption target configuration data is not deleted.
You can zeroize an encryption engine only if it is enabled (running), or disabled but ready to be enabled. If the encryption engine is not in one of these states, an error message results.
Using the Encryption Targets dialog box
The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage.
NOTE The Encryption Targets dialog box enables you to launch a variety of wizards and other related dialog boxes.
Redirection zones
It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can be created only if the host and target are in the same zone.
Disk device decommissioning
Provided that the crypto configuration is not left uncommitted because of crypto configuration changes or a failed device decommission operation issued on an encryption Group Leader node, this error message will not be seen for any device decommission operation issued serially on an encryption group member node.
To delete keys from the key vault, you need to know the Universal ID (UUID). To display vendor-specific UUIDs of decommissioned key IDs, complete the following procedure:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select a switch from the Encryption Center Devices table, then select Switch > Decommissioned key IDs from the menu task bar.
Displaying Universal IDs
To delete keys from the key vaults, you need to know the Universal ID (UUID) associated with the decommissioned disk LUN key IDs. To display the Universal IDs, complete the following procedure:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
Rekeying all disk LUNs manually
Setting disk LUN Re-key All
To rekey all disk LUNs on an encryption node, complete these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select the switch on which to perform a manual rekey from the Encryption Center Devices table, then select Switch > Re-Key All from the menu task bar (Figure 98).
FIGURE 99 Pending manual rekey operations
Viewing disk LUN rekeying details
You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
FIGURE 100 Encryption Target Disk LUNs dialog box
4. Click Add. The Add Disk LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to the hosts.
5. Click Re-keying Details. The LUN Re-keying Details dialog box displays. The dialog box contains the following information:
• Key ID: The LUN key identifier.
• Key ID State: The state of the LUN rekeying operation.
Viewing the progress of manual rekey operations
To monitor the progress of manual rekey operations, complete these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2. Select an encryption group from the Encryption Center Devices table, then select Group > Re-Key Sessions from the menu task bar.
• Current LBA: The Logical Block Address (LBA) of the block that is currently being written.
• Number of Blocks: The number of blocks written.
• Thin Provision LUN: Identifies whether the new LUN is a thin-provisioned LUN. Options are:
• Yes: Thin provision support is limited to Brocade-tested storage arrays. The thin-provisioned LUN status is displayed as Yes for supported storage arrays only.
• No: Shown as No if the LUN is not a thin-provisioned LUN.
• If you are running a Fabric OS version earlier than v7.1.0, LUN status is shown as Not Applicable.
• Zero detect with encryption is not supported.
Thin provisioning support
Thin-provisioned logical unit numbers (LUNs) are increasingly used to support a pay-as-you-grow strategy for data storage capacity.
The Encryption Target Disk LUNs dialog box displays. The time left for auto rekey is listed in the table (Figure 102).
FIGURE 102 Encryption Target Disk LUNs dialog box - Time left for auto rekey
Viewing and editing switch encryption properties
To view switch encryption properties, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
FIGURE 103 Encryption Switch Properties dialog box
The dialog box contains the following information:
• Switch Properties table: A list of properties associated with the selected switch.
• Name: The name of the selected switch.
• Node WWN: The world wide name of the node.
• Switch Status: The health status of the switch.
• Encryption Group: The name of the encryption group to which the switch belongs.
• Encryption Group Status: Status options are:
• OK/Converged: The Group Leader can communicate with all members.
• Degraded: The Group Leader cannot communicate with one or more members.
• Online
• Set State To: Identifies whether the state is enabled or disabled. You can click the line item in the table to change the value, then click OK to apply the change.
• Total Targets: The number of encrypted target devices.
• HA Cluster Peer: The name and location of the high-availability (HA) cluster peer (another encryption engine in the same group), if in an HA configuration. If no peer is configured, No Peer is displayed.
FIGURE 104 Import Signed Certificate dialog box
4. Enter or browse to the file containing the signed certificate, then click OK. The file is imported onto the switch.
Enabling and disabling the encryption engine state from properties
To enable the encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 6 on page 14).
2.
Viewing and editing encryption group properties 2 The Encryption Group Properties dialog box includes several tabs that are used to configure the various functions for encryption groups. All tabs are visible for all key vault types with one exception; the Link Keys tab is visible only if the key vault type is NetApp LKM. Unless otherwise specified, the Encryption Group Properties dialog box opens with the General tab displayed.
2 Viewing and editing encryption group properties General tab The General tab (Figure 106) is viewed from the Encryption Group Properties dialog box. To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar. NOTE You can also select a group from the Encryption Center Devices table, then click the Properties icon.
Viewing and editing encryption group properties 2 When the first encryption engine comes back online, the encryption group’s failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.
2 Viewing and editing encryption group properties • Not responding • Failed authentication • High Availability Mode: Options are: • Opaque: Both the primary and secondary key vaults are registered on the Brocade Encryption Switch. The client archives the key to a single (primary) key vault. For disk operations, an additional key hardening check is done on the secondary key vault before the key is used for encryption. • Transparent: A single key vault should be registered on the Brocade Encryption Switch.
• Connection Status: The switch’s connection status. Possible values are:
  - Group Leader: The switch designated as the Group Leader, so there is no connection status.
  - Trying to Contact: The member is not responding to the Group Leader. This might occur if the member switch is not reachable by way of the management port, or if the member switch does not believe it is part of the encryption group.
Members tab
Remove button
You can click the Remove button to remove a selected switch or group from the encryption group table.
• You cannot remove the Group Leader unless it is the only switch in the group. If you remove the Group Leader, BNA also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.
TABLE 2 Switch removal impact
Switch configuration: The switch has configured encryption targets on encryption engines.
Impact of removal:
• The switch is configured to encrypt traffic to one or more encryption targets.
• The target container configuration is removed.
• The encrypted data remains on the encryption target but is not usable until the encryption target is manually configured on another encryption switch.
FIGURE 108 Encryption Group Properties dialog box - Security tab
The dialog box contains the following information:
• Master Key Status: Displays the status of the master key. Possible values are:
  • Not used: Displays when LKM is the key vault.
  • Required but not created: Displays when a master key needs to be created.
  • Created but not backed up: Displays when the master key needs to be backed up.
• Registered Authentication Cards table: Lists the registered authentication cards by Group Card number, Card ID, the name of the person to whom the card is assigned, and optional notes.
• Register from Card Reader button: Launches the Add Authentication Card dialog box.
• Register from Archive button: Launches the Add Authentication Card dialog box.
• Right- and Left-arrow buttons: You can select an encryption engine in the Non-HA Encryption Engines table and click the Right-arrow button to add the encryption engine to the High-Availability Clusters. (If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster.) Similarly, you can select an encryption engine in the High-Availability Clusters table and click the Left-arrow button to remove it from a cluster.
Tape Pools tab
Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools.
• To add a tape pool, click Add, then complete the Add Tape Pool dialog box.
• To remove an encryption switch or engine from a tape pool, select one or more tape pools listed in the table, then click Remove.
• To modify a tape pool, you must remove the entry, then add a new tape pool.
All encryption engines in the encryption group share the tape pool definitions. Tapes can be encrypted by any encryption engine in the group where the container for the tape target LUN is hosted. The tape media is mounted on the tape target LUN. Tape pool definitions are not needed to read a tape. The tape contains enough information (encryption method and key ID) to read the tape. Tape pool definitions are only used when writing to tape.
4. Based on your selection, do one of the following:
• If you selected Name as the Tape Pool Label Type, enter a name for the tape pool. This name must match the tape pool label or tape ID that is configured on the tape backup/restore application.
• If you selected Number as the Tape Pool Label Type, enter a (hex) number for the tape pool. This number must match the tape pool label or tape number that is configured on the tape backup/restore application.
FIGURE 113 Encryption Group Properties Dialog Box - Engine Operations Tab
NOTE You cannot replace an encryption engine if it is part of an HA Cluster.
Encryption-related acronyms in log messages
Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 3 lists some of those acronyms.
Chapter 3 Configuring Encryption Using the CLI
In this chapter
• Overview
• Command validation checks
• Command RBAC permissions and AD types
• Cryptocfg Help command output
Overview
This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch, or an FS8-18 Encryption blade in a DCX Backbone chassis, to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch and DCX Backbone chassis have been done as part of the initial hardware installation, including setting the management port IP address.
4. PortMember: allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD.
Command RBAC permissions and AD types
Two RBAC roles are permitted to perform Encryption operations.
TABLE 4 Encryption command RBAC availability and admin domain type (1) (Continued)
Command name                User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createhacluster             N     OM     N         N             N           OM            N                   N               Disallowed
createtapepool              N     OM     N         N             N           OM            N                   N               Disallowed
decommission                N     OM     N         N             N           OM            N                   N               Disallowed
deletecontainer             N     OM     N         N             N           OM            N                   N               Disallowed
deletedecommissionedkeyids  N     OM     N         N             N           O
TABLE 4 Encryption command RBAC availability and admin domain type (1) (Continued)
Command name                User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
rebalance                   N     OM     N         N             N           OM            N                   N               Disallowed
reclaim                     N     OM     N         N             N           OM            N                   N               Disallowed
recovermasterkey            N     OM     N         N             N           N             N                   OM              Disallowed
regKACcert                  N     OM     N         N             N           N             N                   OM              Disallowed
regKAClogin                 N     OM     N         N             N           N             N                   OM              Disallowed
regkeyvault                 N     OM
switch:admin> cryptocfg --help -nodecfg
Usage: cryptocfg
--help -nodecfg: Display the synopsis of node parameter configuration.
--initnode: Initialize the node for configuration of encryption options.
--initEE []: Initialize the specified encryption engine.
--regEE []: Register a previously initialized encryption blade.
--reg -membernode : Register a member node with the system.
The following example configures a static IP address and gateway address for the bonded interface.
switch:admin> ipaddrset -eth0 --add 10.32.33.34/23
switch:admin> ipaddrset -gate --add 10.32.1.1
Special consideration for blades
HA clusters of FS8-18 blades should not include blades in the same DCX Backbone chassis. For FS8-18 blades, the slot number must also be included in the ipAddrSet command, for example:
switch:admin> ipaddrset -slot 7 -eth0 --add 10.32.33.
IP Address change of a node within an encryption group
Modifying the IP address of a node that is part of an encryption group is disruptive in terms of cluster operation. The change causes the encryption group to split, and if the node was part of an HA cluster, failover/failback capability is lost. The ipAddrSet command issues no warning and you are not prevented from changing the IP address of a node that is part of a configured encryption group or HA cluster.
From the standpoint of external SAN management application operations, the FIPS crypto officer, FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for operations with key managers. In most cases, KAC certificate signing requests must be sent to a Certificate Authority (CA) for signing to provide authentication before the certificate can be used.
6. Configure the KMIP server. (Refer to “Configuring the KMIP server” on page 151.)
7. Add a secondary node to the cluster. (Refer to “Adding a node to the cluster” on page 151.)
Setting FIPS compliance
1. From the KMIP Server Security tab, go to Advanced Security, then select High Security.
2. Set FIPS Compliance to Yes. This ensures that only TLS 1.0 connections are supported between the Brocade Encryption Switch and the KMIP appliance.
3. Verify the cluster status is shown as Active.
4. Under Cluster Settings, click Download Cluster Key.
Backing up the certificates
1. From the SSKM Management Console, select the Device tab, then select Maintenance > Backup & Restore > Create Backup.
2. Select the server certificate.
3. Select the local CA.
4. Select the High Security and FIPS Status Server check boxes.
Configuring the KMIP server
1.
h. After the restore of the certificate to the secondary node from the previously backed-up primary node certificate is done, select Services under Maintenance. The Services Configuration page displays.
i. Under Restart/Halt, select Restart, then click Commit.
Signing the KAC CSR using the Local CA
In this procedure, you are signing the KAC CSR using the local CA of the KeySecure key vault from the Web GUI, then downloading the signed certificate to the desktop.
1. Using a TLS connection, enter the IP address of the KeySecure key vault, for example, https://10.38.145.10:9443. The initial login page displays security and system summary information (Figure 114).
3. Under Local Certificate Authority List, select the desired local CA name and verify that its CA Status is shown as Active.
4. Click Sign Request. The CA Certificate Information dialog box displays.
5. Select the local CA from the Sign with Certificate Authority drop-down list.
6. Select Client as Certificate Purpose.
7. Set Certificate Duration. (Default is 3649 days.)
8. Click Sign Request.
9.
2. On the KeySecure, enter the same user name and password that were used in step 1.
FIGURE 116 KeySecure User & Group Configuration page
3. If no “brocade” group has already been configured, create a “brocade” group and add the new user name to the group.
Register the KAC certificate
1. Enter the following command for the primary KeySecure node.
helium_mace190:root> cryptocfg --reg -KACcert helsinki_190_sskm_10.pem primary
Register KAC status: Operation Succeeded.
2. Enter the following command for the secondary KeySecure node (if a secondary KeySecure node is being used).
helium_mace190:root> cryptocfg --reg -KACcert helsinki_190_sskm_10.
Time of Day on Key Server: N/A
Server SDK Version: N/A
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2012-05-23 02:45:09
Client SDK Version: N/A
Client Username: N/A
Client Usergroup: N/A
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A
Key Vault configuration and connectivity checks successful, ready for key operations.
Notify SPM of Node Cfg
Operation succeeded.
5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data.
The following example creates the encryption group "brocade".
SecurityAdmin:switch> cryptocfg --create -encgroup brocade
Encryption group create status: Operation Succeeded.
The switch on which you create the encryption group becomes the designated group leader.
Server SDK Version: 4.8.1
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2010-03-17 17:22:05
Client SDK Version: 4.8.2.000017
Client Username: brcduser1
Client Usergroup: brocade
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A
Key Vault configuration and connectivity checks successful, ready for key operations.
CAUTION After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE command on that node. Doing so removes critical information from the node and makes it necessary to re-initialize the node and export the new KAC certificate to the group leader and the key vault.
To add a member node to an encryption group, follow these steps:
1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.
2.
NOTE If the maximum number of certificates is exceeded, the following message is displayed.
Maximum number of certificates exceeded. Delete an unused certificate with the 'cryptocfg --delete -file' command and then try again.
6. Enter the cryptocfg --show -file -all command on the group leader to verify that you have imported all necessary certificates. The following example shows the member node CP certificate that was imported earlier to the group leader.
Additional Secondary Key Vault Information:
Key Vault/CA Certificate Validity: Yes
Port for Key Vault Connection: N/A
Time of Day on Key Server: N/A
Server SDK Version: N/A
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2010-10-22 10:25:22
Client SDK Version: N/A
Client Username: N/A
Client Usergroup: N/A
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A
Key Vaul
2. Export the master key to the key vault. Make a note of the key ID and the passphrase. You will need the Key ID and passphrase should you have to restore the master key from the key vault.
SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter the passphrase: passphrase
Master key exported.
Key ID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2
3. Save the master key to a file.
SecurityAdmin:switch> cryptocfg --exportmasterkey -file
Master key file generated.
4.
High availability clusters
• It is recommended that the HA cluster configuration be completed before you configure storage devices for encryption.
• It is mandatory that the two encryption engines in the HA cluster belong to two different nodes for true redundancy. This is always the case for Brocade Encryption Switches, but is not true if two FS8-18 blades in the same DCX Backbone Chassis are configured in the same HA cluster. In Fabric OS v6.3.
Adding an encryption engine to an HA cluster
1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --add -haclustermember command. Specify the HA cluster name and the encryption engine node WWN. Provide a slot number if the encryption engine is a blade. The following example adds a Brocade FS8-18 in slot 5 to the HA cluster HAC2.
Number of HA Clusters: 1
HA cluster name: dthac - 2 EE entries
Status: Committed
HAC State: Converged
WWN                       Slot Number  Status
10:00:00:05:1e:39:a6:7e   4            Online
10:00:00:05:1e:c1:06:63   0            Online
sw153114:FID128:admin> cryptocfg --replace -haclustermember dthac 10:00:00:05:1e:39:a6:7e 4 10:00:00:05:1e:39:a6:7e 12
EE Node WWN               Slot Number  Local/Remote
10:00:00:05:1e:39:a6:7e   12           Local
Operation succeeded.
TABLE 5 Group-wide policies
Policy name: Failover policy
cryptocfg --set parameters: -failbackmode auto | manual
Description: •
Policy name: Heartbeat misses
cryptocfg --set parameters: -hbmisses value
Description: Sets the number of Heartbeat misses allowed in a node that is part of an encryption group before the node is declared unreachable and the standby takes over. The default value is 3. The range is 3-14 in integer increments only.
Re-exporting a master key
You can export master keys to the key vault multiple times instead of only once. The ability to export the master key more than once enables you to recover the master key when needed. When the master key is exported to the key vault for the first time, it is stored with the actual master key ID. Subsequent exports are provided with additional exported key IDs that are generated by the Brocade Encryption Switch.
Exporting an additional key ID
Example: Subsequent master key exports
SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter passphrase:
Confirm passphrase:
Master key exported.
MasterKey ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7e
Exported Key ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7f
SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter passphrase:
Confirm passphrase:
Master key exported.
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9a
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9b
Operation succeeded.
The exported key ID is displayed with the master key ID, as shown in the examples to follow:
Example: Initial master key export
SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter passphrase:
Confirm passphrase:
Master key exported.
Enabling the encryption engine
Enable the encryption engine by entering the cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade.
No HA cluster membership
EE Attributes:
Media Type : DISK
EE Slot: 12
SP state: Online
Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc
Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d
HA Cluster Membership: hacDcx3
EE Attributes:
Media Type : DISK
Zoning considerations
When encryption is implemented, frames sent between a host and a target LUN are redirected to a virtual target within an encryption switch or blade.
Frame redirection zoning
Name Server-based frame redirection enables the Brocade Encryption Switch or blade to be deployed transparently to hosts and targets in the fabric. NS-based frame redirection is enabled as follows:
• You first create a zone that includes host (H) and target (T). This may cause temporary traffic disruption to the host.
• You then create a CryptoTarget container for the target and configure the container to allow access to the initiator.
Redirect: No
The Local Name Server has 1 entry }
The nsshow command shows all devices on the switch, and the output can be lengthy. To retrieve only the initiator PWWN, do a pattern search of the output based on the initiator Port ID (a hex number). In the following example, the PID is 010600, where 01 indicates the domain and 06 the port number.
FabricAdmin:switch> nsshow | grep 0106
N 010600; 2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
3. Determine the target PWWN.
7. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.
FabricAdmin:switch> zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"
8. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.
FabricAdmin:switch> cfgcreate itcfg, itzone
9.
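As an added example (not code from the guide), the following Python locates the initiator PWWN in nsshow output by decoding the PID into domain and port, which is stricter than the substring search `nsshow | grep 0106` above, and then builds the zonecreate and cfgcreate lines from steps 7 and 8. The nsshow sample text and the target's PID are constructed; the WWNs are the ones used in the procedure.

```python
"""Find an initiator PWWN in nsshow output by Port ID and build the zoning commands.

Added example, not Brocade code. The nsshow entry layout is the one shown on the
page ("N 010600; 2,3;<PWWN>;<NWWN>; na"); the sample text below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `nsshow` output: the initiator entry from the page plus a
# second (constructed) entry for the target port used in the zonecreate step.
SAMPLE_NSSHOW = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    Redirect: No
 N    010a00;      2,3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    Redirect: No
The Local Name Server has 2 entries }
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# One name-server entry: type, 24-bit PID, class of service, port WWN, node WWN.
ENTRY_RE = re.compile(
    rf"^\s*(?P<type>NL|N|U)\s+(?P<pid>[0-9a-f]{{6}});\s*(?P<cos>[\d,]+);"
    rf"(?P<pwwn>{WWN});(?P<nwwn>{WWN});",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class NsEntry:
    pid: str   # 24-bit Fibre Channel address, e.g. "010600"
    pwwn: str
    nwwn: str

    @property
    def domain(self) -> int:
        return int(self.pid[0:2], 16)   # first byte: switch domain ID

    @property
    def port(self) -> int:
        return int(self.pid[2:4], 16)   # second byte: port (area) number


def parse_nsshow(text: str) -> List[NsEntry]:
    """Return every device entry found in nsshow output, WWNs lower-cased."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NsEntry(m["pid"].lower(), m["pwwn"].lower(), m["nwwn"].lower()))
    return entries


def find_pwwn(entries: List[NsEntry], domain: int, port: int) -> Optional[str]:
    """Stricter equivalent of `nsshow | grep 0106`: match on the decoded PID fields
    rather than on a substring, so a WWN or another PID that merely contains
    "0106" is not mistaken for the initiator."""
    for e in entries:
        if e.domain == domain and e.port == port:
            return e.pwwn
    return None


def zoning_commands(zone: str, cfg: str, initiator_pwwn: str, target_pwwn: str) -> List[str]:
    """Build the zonecreate/cfgcreate lines from steps 7 and 8, in the page's syntax."""
    for wwn in (initiator_pwwn, target_pwwn):
        if not re.fullmatch(WWN, wwn, re.IGNORECASE):
            raise ValueError(f"not a WWN: {wwn!r}")
    return [
        f'zonecreate {zone}, "{initiator_pwwn}; {target_pwwn}"',
        f"cfgcreate {cfg}, {zone}",
    ]


if __name__ == "__main__":
    ns = parse_nsshow(SAMPLE_NSSHOW)
    init = find_pwwn(ns, domain=1, port=6)      # PID 010600 on the page
    tgt = find_pwwn(ns, domain=1, port=10)      # constructed PID 010a00
    for cmd in zoning_commands("itzone", "itcfg", init, tgt):
        print(cmd)
```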
FIGURE 118 Relationship between initiator, virtual target, virtual initiator and target
CAUTION When configuring a LUN with multiple paths, there is a considerable risk of ending up with potentially catastrophic scenarios where different policies exist for each path of the LUN, or a situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the secured realm of the encryption plat
• When removing an existing disk or tape target container.
• After failover to a backup encryption engine in an HA cluster.
• After a failed encryption engine in an HA cluster is recovered, and failback processing has taken place.
To rebalance an encryption engine, do the following.
1. Log in to the switch as Admin or FabricAdmin.
2. Issue the cryptocfg --show -localEE command.
3. Look for Rebalance recommended under EE Attributes in the output.
4.
FabricAdmin:switch> cryptocfg --create -container disk my_disk_tgt \
10:00:00:00:05:1e:41:9a:7e 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
Operation Succeeded
3. Add an initiator to the CryptoTarget container. Enter the cryptocfg --add -initiator command followed by the initiator port WWN and the node WWN. Note that the initiator port WWN must also be added to the LUN when the LUN is added to the CryptoTarget container.
zone: red_______base
00:00:00:00:00:00:00:01; 00:00:00:00:00:00:00:02; 00:00:00:00:00:00:00:03; 00:00:00:00:00:00:00:04
Effective configuration:
cfg: itcfg
zone: itzone
10:00:00:00:c9:2b:c9:3a
20:0c:00:06:2b:0f:72:6d
NOTE You may view the frame redirection zone with the cfgshow command, but you cannot use the zone for any other applications that use frame redirection.
Deleting a CryptoTarget container
You may delete a CryptoTarget container to remove the target port from a given encryption switch or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from the fabric. Before deleting a container, be aware of the following:
• Stop all traffic to the target port for which the CryptoTarget container is being deleted.
NOTE If a CryptoTarget container is moved in a configuration involving FCR, the LSAN zones and manually created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section “Deployment in Fibre Channel routed fabrics” on page 220 for instructions on configuring encryption in an FCR deployment scenario.
1. Log in to the group leader as Admin or FabricAdmin.
2.
Discovering a LUN
When adding a LUN to a CryptoTarget container, you must specify a LUN Number. The LUN Number needed for configuring a given Crypto LUN is the LUN Number as exposed to a particular initiator. The Brocade Encryption platform provides LUN discovery services through which you can identify the exposed LUN number for a specified initiator.
NOTE There is a maximum of 512 disk LUNs per Initiator in a container. With the introduction of Fabric OS 7.1.0, the maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. This change in commit limit is applicable only when using BNA. The commit limit when using the CLI remains unchanged at 25.
NOTE The maximum number of tape LUNs that can be added or modified in a single commit operation remains unchanged at eight.
VT: 20:00:00:05:1e:41:4e:1d 20:01:00:05:1e:41:4e:1d
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
Operation Succeeded
Crypto LUN parameters and policies
Table 6 shows the encryption parameters and policie
TABLE 6 LUN parameters and policies
Policy name: LUN state (Disk LUN: Yes; Tape LUN: No; Modify? No)
Command parameters: -lunstate encrypted | cleartext
Description: Sets the Encryption state for the LUN. Valid values are:
• cleartext - Default LUN state. Refer to policy configuration considerations for compatibility with other policy settings.
TABLE 6 LUN parameters and policies (Continued)
Policy name: Write Early Ack (Disk LUN: No; Tape LUN: Yes; Modify? Tape only, Disk: No)
Command parameters: -write_early_ack disable|enable
Description: Specifies the Tape Write pipelining mode of the LUN. Two Write Pipelining modes are supported:
• disable - Early acknowledgement of commands (internal buffering) for a tape LUN is disabled.
• enable - Early acknowledgement of commands (internal buffering) for a tape LUN is enabled.
LUN serial number:
Key ID state: Key ID not Applicable
b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption. There is a maximum of eight tape LUNs per Initiator in a container.
FabricAdmin:switch> cryptocfg --remove -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a
Operation Succeeded
3. Commit the configuration with the -force option to completely remove the LUN and all associated configuration data in the configuration database. The data remains on the removed LUN in an encrypted state.
CAUTION When configuring a LUN with multiple paths, do not commit the configuration before you have modified all the LUNs with identical policy settings and in sequence for each of the CryptoTarget containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section “Configuring a multi-path Crypto LUN” on page 191.
Impact of tape LUN configuration changes
LUN-level policies apply when no policies are configured at the tape pool level.
Multi-path LUN configuration example
Figure 119 on page 188 shows a single LUN on a dual-port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration.
FIGURE 119 A LUN accessible through multiple paths
The following steps may be used to configure multiple path access to the LUN in Figure 119.
1.
c. Create a CryptoTarget container (CTC2) for target port 2 to be hosted on the encryption engine of encryption switch 2.
FabricAdmin:switch> cryptocfg --create -container disk CTC2 \
0
d. Add host port 1 to the container CTC1.
FabricAdmin:switch> cryptocfg --add -initiator \
e. Add host port 2 to the container CTC2.
b. Add the same LUN to the CryptoTarget container CTC2. Use exactly the same LUN state and policy settings that you used for the LUN added to CTC1.
FabricAdmin:switch> cryptocfg --add -LUN CTC2 0 \
-lunstate cleartext -encryption_format native -encrypt \
-enable_encexistingdata -enable_rekey 10
NOTE The LUN policies must be exactly the same on both CTC1 and CTC2. Failure to do so results in undefined behavior and data corruption.
6.
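As an added example (not code from the guide), this Python script checks the rule in the NOTE above before anything is committed: it parses the `cryptocfg --show -LUN` output layout shown earlier in this chapter for each path's container and reports every policy field whose value differs between CTC1 and CTC2. Both output samples are constructed, with the second path's Encrypt existing data setting deliberately left different.

```python
"""Check that one multi-path Crypto LUN carries identical policies on every path.

Added example, not Brocade code. It parses `cryptocfg --show -LUN` output in the
layout shown earlier in this chapter for each CryptoTarget container and lists
policy fields that differ, so a slip is caught before `cryptocfg --commit`.
Both outputs below are constructed.
"""
from typing import Dict, List, Tuple

# Per-LUN settings that must be identical on every path (CTC1, CTC2, ...).
POLICY_FIELDS = ("LUN type", "Encryption mode", "Encryption format",
                 "Encrypt existing data", "Rekey")

# Constructed `cryptocfg --show -LUN CTC1 0 <host port 1 PWWN>` output, page layout.
SHOW_LUN_CTC1 = """\
VT: 20:00:00:05:1e:41:4e:1d 20:01:00:05:1e:41:4e:1d
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
"""

# Constructed output for the second path (CTC2, host port 2); "Encrypt existing data"
# was deliberately left at the default, the kind of slip the CAUTION warns about.
SHOW_LUN_CTC2 = """\
VT: 20:00:00:05:1e:53:8a:28 20:01:00:05:1e:53:8a:28
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3b 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:53:8a:28 20:03:00:05:1e:53:8a:28
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: disabled
Rekey: disabled
Key ID: not available
"""


def parse_show_lun(text: str) -> Dict[str, str]:
    """Turn 'Label: value' lines into a dict. Only the first colon on a line splits
    label from value, so WWN pairs such as 'Host: 10:00:...' keep their colons."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip():
            fields[label.strip()] = value.strip()
    return fields


def policy_mismatches(paths: Dict[str, Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (field, {container: value}) for each policy field that is not identical
    across all containers. A field missing from one output also counts as a mismatch."""
    out: List[Tuple[str, Dict[str, str]]] = []
    for field in POLICY_FIELDS:
        values = {name: fields.get(field, "<missing>") for name, fields in paths.items()}
        if len(set(values.values())) > 1:
            out.append((field, values))
    return out


def uncommitted_paths(paths: Dict[str, Dict[str, str]]) -> List[str]:
    """Containers whose LUN entry is not yet committed (its policy can still change)."""
    return [name for name, fields in paths.items()
            if fields.get("Configuration status", "").lower() != "committed"]


def report(paths: Dict[str, Dict[str, str]]) -> str:
    """Human-readable summary: one MISMATCH line per differing field, else OK."""
    lines = []
    for field, values in policy_mismatches(paths):
        detail = ", ".join(f"{c}={v}" for c, v in sorted(values.items()))
        lines.append(f"MISMATCH {field}: {detail}")
    return "\n".join(lines) if lines else "OK: policies identical on all paths"


if __name__ == "__main__":
    paths = {"CTC1": parse_show_lun(SHOW_LUN_CTC1), "CTC2": parse_show_lun(SHOW_LUN_CTC2)}
    print(report(paths))
```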
Decommissioning LUNs
A disk device needs to be decommissioned when any of the following occur:
• The storage lease expires for an array, and devices must be returned or exchanged.
• Storage is reprovisioned for movement between departments.
• An array or device is removed from service.
In all cases, all data on the disk media must be rendered inaccessible.
3. Enter cryptocfg --show -decommissionedkeyids to obtain a list of all currently decommissioned key IDs to be deleted after decommissioning key IDs manually from the key vault.
FabricAdmin:switch> cryptocfg --show -decommissionedkeyids
4. Enter the cryptocfg --show -vendorspecific_keyid command to list the vendor-specific key information for a given key ID.
Decommissioning replicated LUNs
The following scenarios are provided:
• “Decommissioning primary LUNs only”
• “Decommissioning secondary LUNs only”
• “Decommissioning primary and secondary LUN pairs”
Decommissioning primary LUNs only
To decommission the primary LUN and make the secondary LUN the primary LUN, complete the following steps. Failure to do so could result in the LUN state showing as Disabled.
1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3.
NOTE Do not delete the key from the key vault.
Decommissioning primary and secondary LUN pairs
To decommission both the primary and secondary LUNs, complete the following steps:
1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3. Independently decommission the primary and secondary LUNs.
a. Decommission the primary LUN.
7. Enable the LUN.
FabricAdmin:switch> cryptocfg --enable -LUN
8. Modify the LUN to encrypted.
FabricAdmin:switch> cryptocfg --modify -LUN 0 -lunstate encrypted -encryption_format native -encrypt
9. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN.
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into a single backup to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties:
• They are configured and managed per encryption group at the group leader level.
CommVault Galaxy labeling
CommVault uses a storage policy for each backup. When configuring a tape pool to work with CommVault Galaxy, first create a storage policy on CommVault and then use the storage_policy_id (sp_id) as the label when creating the tape pool on the encryption switch or blade.
1. Open CommCellExplorer Views by selecting Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
2.
Creating a tape pool
Take the following steps to create a tape pool:
1. Log in to the group leader as FabricAdmin.
2. Create a tape pool by entering the cryptocfg --create -tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies. For policies not specified at this time, LUN-level settings apply.
• Set the tape pool policy to either encrypt or cleartext (default).
Deleting a tape pool
This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently accessed by the host. Be sure the tape media is not currently in use.
1. Log in to the group leader as FabricAdmin.
2. Enter the cryptocfg --delete -tapepool command followed by a tape pool label or number. Use cryptocfg --show -tapepool -all to display all configured tape pool names and numbers.
First-time encryption
First-time encryption, also referred to as encryption of existing data, is similar to the rekeying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first-time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA) location.
Thin provisioned LUNs 3 Thin provisioned LUNs With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover if a disk LUN is thin provisioned LUN. Support for a thin provisioned LUN is limited to disk containers only. NOTE Currently, thin provisioned LUN support is limited to Brocade-tested storage arrays. The thin provisioned LUN status will be displayed as Yes for supported storage arrays running specific supported firmware versions only.
Encryption algorithm: AES256-XTS
Key ID state: Read write
New LUN: No
TP LUN: Yes
Key ID: 4b:d9:4d:12:93:67:0e:0d:d1:e0:ca:aa:ba:34:29:db
Key creation time: Thu Sep 15 18:01:01 2011
FabricAdmin:switch> cryptocfg --discoverLUN -container
Host: 21:00:00:e0:8b:90:7c:c0
LUN number: 0xd
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectivity state: Connected
Key ID state: Key ID not Applicable
FabricAdmin:switch> cryptocfg --show -rekey -all
LUN number: 0x0
LUN serial number:
• Because the Windows host utility “sdelete -c” sends WRITE commands with zeros to unmap LBAs, which is currently not supported on the Brocade Encryption Switch, this utility will not be able to unmap LBAs.
• Rekey temporarily uses the last 512 blocks. As a result, these blocks will be marked as provisioned by the thin provisioned LUN.
• The first 16 blocks of the LUN will be mapped automatically (if they were unmapped) after the LUN has been configured as an encrypted LUN.
Configuring a LUN for automatic rekeying
Rekeying options are configured at the LUN level, either during LUN configuration with the cryptocfg --add -LUN command or at a later time with the cryptocfg --modify -LUN command. For rekeying of a disk array LUN, the Crypto LUN is configured in the following way:
• Set the LUN policy as either cleartext or encrypt.
• If cleartext is enabled (default), all encryption-related options are disabled and no DEK is associated with the LUN.
Initiating a manual rekey session
You can initiate a rekeying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. The manual rekeying feature is useful when the key is compromised and you want to re-encrypt existing data on the LUN before taking action on the compromised key.
Current LBA: 488577
Operation succeeded.
Suspension and resumption of rekeying operations
A rekey may be suspended or fail to start for several reasons:
• The LUN goes offline or the encryption switch fails and reboots. Rekey operations are resumed automatically when the target comes back online or the switch comes back up. You cannot abort an in-progress rekey operation.
• An unrecoverable error is encountered on the LUN and the in-progress rekey operation halts.
Chapter 4 Deployment Scenarios
In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target
Figure 120 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster
Figure 121 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 121, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.
In Figure 122, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 124 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Fabric OS encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster
Figure 125 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric.
The configuration details are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned with target port 3 and target port 4 in fabric 2.
• There are two encryption switches, one in each fabric (no HA cluster).
• There is one DEK cluster and one encryption group.
Deployment in Fibre Channel routed fabrics
In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_port connections (Figure 126), or it may form the backbone fabric and directly provide the EX_port connections (Figure 127). The encryption resources can be shared with the host and target edge fabrics using device sharing between backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device automatically creates the frame redirection zone, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric
In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7800 extension switch or FX8-24 blade in a DCX or DCX 8510 Backbone, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 128).
Deployment with FCIP extension switches
Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX or DCX 8510 Backbone to enable long distance connections. Figure 129 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator’s Guide for information about creating FCIP configurations.
VMware ESX server deployments
VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 130 shows a VMware ESX server with two guest operating systems where each guest accesses a fabric over separate host ports.
Figure 131 shows a VMware ESX server with two guest operating systems where the two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5 Best Practices and Special Topics
In this chapter
• Firmware upgrade and downgrade considerations
• Configuration upload and download considerations
• HP-UX considerations
• AIX Considerations
• Enabling a disabled LUN
Firmware upgrade and downgrade considerations
Before upgrading or downgrading firmware, consider the following:
• The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured.
• Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with encryption blades deployed in a DEK cluster with no HA cluster (each node hosting one path):
- Upgrade one node at a time.
- In the case of active/active arrays, the upgrade order of the nodes does not matter, but you still must upgrade one node at a time.
8. Check that CryptoTarget containers and associated LUNs fail back successfully on node 1 (BES1), and that host I/O also moves from node 2 (BES2) to node 1 (BES1) and continues during the failback process.
9. To upgrade node 2 (BES2), repeat steps 2 to 8.
10. After all nodes in the encryption group have been upgraded, change the failback mode back from manual to auto, if required, by issuing the following command.
• Certificates generated internally:
- KAC certificate
- CP certificate
- FIPS officer and user certificates
The Authentication Quorum size is included in the configuration upload for read-only purposes, but is not set by a configuration download.
Steps before configuration download
The configuration download does not include any certificates, public or private keys, master key, or link keys.
Steps after configuration download
For all opaque key vaults, restore, or generate and back up, the master key. In a multiple node encryption group, the master key is propagated from the group leader node.
1. Use the following command to enable the encryption engine.
Admin:switch> cryptocfg --enableEE [slot num]
2. Commit the configuration.
Admin:switch> cryptocfg --commit
3.
Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
• Issue the discover LUN CLI command on the container to discover the LUNs present in the target.
• Based on the LUN list returned as part of LUN discovery, add LUN 0 if LUN 0 is present in the target (which is usually the case).
Tape metadata
One kilobyte of metadata is added per tape block for both the native Brocade format and DF-compatible formats. The tape block size (as configured by the host) is modified by the encryption device to accommodate 1K of metadata per block. A given tape can have a mix of compressed and uncompressed blocks. Block lengths are as follows.
Encrypted/Compressed Tape Block Format
Compressed and encrypted tape block data + 1K metadata + ASCII 0 pad = block length of tape.
Tape pool configuration is used only when labeling of the tape media is done on the first write to the tape media. After tape labeling is done and the metadata written, the tape pool configuration is no longer used. Tape pool configuration is not required for restoring data from an encrypted tape belonging to the tape pool, because the key ID is present in the metadata.
• Before committing CryptoTarget container or LUN configurations or modifications on an encryption switch or FS8-18 blade, make sure that there are no outstanding zoning transactions in the switch or fabric. If there is an outstanding zoning transaction, the commit operation will fail and result in disabling the LUN. You can check for outstanding zoning transactions by issuing the cfgtransshow command.
Deployment with Admin Domains (AD)
Virtual devices created by the encryption device do not support the AD feature in this release. All virtual devices are part of AD0 and AD255. Targets for which virtual targets are created and hosts for which virtual initiators are created must also be in AD0 and AD255. If they are not, access from the hosts and targets to the virtual targets and virtual initiators is denied, leading to denial of encryption services.
PID failover
Virtual device PIDs do not persist upon failover within a single fabric HA cluster. Upon failover, the virtual device is assigned a different PID on the standby encryption switch or blade. Some operating systems view the PID change as an indication of path failure and will switch over to a redundant path in another fabric. In these cases, HA clusters should not be implemented. These operating systems include the following:
• HP-UX prior to 11.x.
Allow rekey to complete before deleting a container
Do not delete a crypto container while a rekey is in session or if the rekey is not completed. If you want to delete a container, use the command cryptocfg --show -rekey -all to display the status of rekey sessions. If any rekey session is not 100% completed, do not delete the container.
Changing IP addresses in encryption groups
Generally, once IP addresses are assigned to the Ge0 and Ge1 ports, they should not be changed. If an encryption group member node IP address must be changed, refer to “IP Address change of a node within an encryption group” on page 148.
FIGURE 132 Fan-in ratios with performance license installed
The fan-in ratio for a target can be higher depending on the maximum bandwidth accepted by the target. If the I/O throughput across all initiator ports accessing the target port is well balanced, it is recommended that the maximum fan-in ratio be kept to 8 initiator ports to 1 target port for optimal performance.
• For AIX-based PowerHA SystemMirror host clusters, the cluster repository disk should be defined outside of the encryption environment.
HA Cluster deployment considerations and best practices
It is mandatory that the two encryption engines in the HA cluster belong to two different nodes for true redundancy.
Chapter 6 Maintenance and Troubleshooting
In this chapter
• Encryption group and HA cluster maintenance
• Encryption group merge and split use cases
• Encryption group database manual operations
• Key vault diagnostics
• Measuring encryption performance
Encryption group and HA cluster maintenance
This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems with one or more member nodes in the group. All group-wide configuration commands are executed on the group leader. Commands that clear group-related states from an individual node are executed on that node. The commands require Admin or SecurityAdmin permissions.
FIGURE 133 Removing a node from an encryption group
The procedure for removing a node depends on the node’s status within the encryption group. HA cluster membership and Crypto LUN configurations must be cleared before you can permanently remove a member node from an encryption group. To remove a node from an encryption group, complete the following steps:
1. Log in to the group leader as Admin or SecurityAdmin.
2.
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
Deleting an encryption group
You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
Displaying the HA cluster configuration
NOTE
The correct failover status of an HA cluster is displayed only on the HA cluster member nodes in the encryption group.
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has two HA clusters. HAC 1 is committed and has two members.
Replacing an HA cluster member
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haClusterMember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is being replaced.
FIGURE 134 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a “live” encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Performing a manual failback of an encryption engine
By default, failback occurs automatically when an encryption engine that failed is replaced or comes back online. When the manual failback policy is set in the encryption group, you must invoke a manual failback of the encryption engine after the failed encryption engine has been restored or replaced. Failback includes all of the encryption engine’s target associations.
• After the failback completes, the cryptocfg --show -hacluster -all command no longer reports an active failover.
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.
4. Set up the member node: configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command.
5.
Recovery
If the auto failback policy is set, no intervention is required. After the node has come back up, all devices and associated configurations and services that failed over earlier to N1 fail back to N3. The node resumes its normal function. If the auto failback policy is not set, invoke a manual failback if required. Refer to the section “Performing a manual failback of an encryption engine” on page 252 for instructions.
• The isolation of N3 from the group leader breaks the HA cluster and the failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders, because this would require communication with the “offline” member nodes. You cannot start any rekey operations (auto or manual) on any of the nodes.
Recovery
1. Restore the connection between the nodes in the separate encryption group islands, that is, between nodes N3 and N4 and between nodes N1 and N2. When the lost connection is restored, an automatic split recovery process begins. The two group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node with the highest WWN becomes group leader.
NOTE
The collective time allowed (the heartbeat time-out value multiplied by the number of heartbeat misses) cannot exceed 30 seconds (enforced by Fabric OS).
The relationship between -hbmisses and -hbtimeout determines the total amount of time allowed before a node is declared unreachable. If a switch does not sense a heartbeat within the heartbeat timeout value, it is counted as a heartbeat miss.
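The heartbeat rule above as a small model, added here as an example and not Fabric OS or Brocade code: it checks a -hbtimeout / -hbmisses pair against the 30-second product limit the note states, and replays a constructed timeline of heartbeat arrival times to show when a peer would be declared unreachable. Two details are assumptions, not statements from the guide: the consecutive-miss count resets to zero whenever a heartbeat arrives, and the first timeout window starts at the moment the node joins (time 0).

```python
"""Model of the -hbtimeout / -hbmisses heartbeat rule.

Added example, not Brocade/Fabric OS code. Assumptions (not on the page):
consecutive misses reset when a heartbeat arrives, and the first timeout
window starts at t=0. Sample heartbeat timestamps are constructed.
"""
import math
from typing import List, Optional

MAX_TOTAL_SECONDS = 30  # product limit the text says Fabric OS enforces


def total_time_allowed(hbtimeout: int, hbmisses: int) -> int:
    """Seconds that may pass with no heartbeat before the node is unreachable."""
    return hbtimeout * hbmisses


def heartbeat_params_ok(hbtimeout: int, hbmisses: int) -> bool:
    """True if both values are positive and their product is within 30 s."""
    if hbtimeout <= 0 or hbmisses <= 0:
        return False
    return total_time_allowed(hbtimeout, hbmisses) <= MAX_TOTAL_SECONDS


def _missed_windows(gap: float, hbtimeout: int) -> int:
    """Complete timeout windows that expired without a heartbeat.

    A heartbeat arriving exactly at a window boundary counts as on time.
    """
    if gap <= 0:
        return 0
    return math.ceil(gap / hbtimeout) - 1


def unreachable_at(heartbeats: List[float], hbtimeout: int, hbmisses: int,
                   now: float) -> Optional[float]:
    """Replay heartbeat arrival times (seconds, ascending) and return the
    time at which the peer was declared unreachable, or None if it never
    accumulated hbmisses consecutive misses by `now`.
    """
    if not heartbeat_params_ok(hbtimeout, hbmisses):
        raise ValueError("hbtimeout * hbmisses must be within 1..30 seconds")
    last_seen = 0.0  # assumption: first window starts when the node joins
    for hb in sorted(heartbeats):
        if _missed_windows(hb - last_seen, hbtimeout) >= hbmisses:
            # Silence lasted long enough before this heartbeat arrived.
            return last_seen + total_time_allowed(hbtimeout, hbmisses)
        last_seen = hb  # a heartbeat resets the consecutive-miss count
    if _missed_windows(now - last_seen, hbtimeout) >= hbmisses:
        return last_seen + total_time_allowed(hbtimeout, hbmisses)
    return None


if __name__ == "__main__":
    # Constructed timeline: steady 5 s heartbeats, then silence after t=15.
    beats = [0, 5, 10, 15]
    print(heartbeat_params_ok(5, 3), heartbeat_params_ok(10, 4))
    print(unreachable_at(beats, 5, 3, now=40))
    print(unreachable_at(beats, 5, 3, now=28))
```

With hbtimeout 5 and hbmisses 3 the node is declared unreachable 15 seconds after its last heartbeat, while a pair such as 10 and 4 is rejected because 40 seconds exceeds the limit the note describes.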
NOTE
If one or more EG status displays as CONVERGED, contact technical support, as the following procedure will not work.
To re-converge the EG, you will need to perform a series of steps. The following is a listing of the basic steps involved; this listing is followed by an example with the details of each step:
1. Confirm that your EG is not in a CONVERGED state.
2. Determine which GL node will remain the GL node once the EG is re-converged.
Display the encryption group state again.
Node182:admin-> cryptocfg --show -groupcfg
Node182 should now show up with an encryption group state of CLUSTER_STATE_CONVERGED. In this two-node example, there is only one other node in the encryption group, and therefore there is only one node to deregister. When you have a 3:1 split or a 2:2 split, issue the following command from the group leader node you are keeping.
If you now perform a cryptocfg --show -groupcfg, you will see that no encryption group is defined on Node181:
Node181:admin-> cryptocfg --show -groupcfg
Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined.
The 2:2 EG split exception
The encryption group deletion procedure may be done directly in every scenario except when there has been a 2:2 split.
6. Verify that your encryption group is re-converged.
Node181:admin-> cryptocfg --show -groupcfg
Node182:admin-> cryptocfg --show -groupcfg
Both nodes will now show a two-node CONVERGED EG in which Node182 is the group leader node and Node181 is a member node. The above manual configuration recovery procedure will work nearly identically for all combinations of EG split scenarios.
TABLE 8 Disallowed Configuration Changes
Configuration type: Security & key vault
Disallowed configuration changes:
• Register or modify key vault settings
• Generating a master key
• Exporting a master key
• Restoring a master key
• Enabling or disabling encryption on an encryption engine
Configuration type: HA cluster
Disallowed configuration changes:
• Creating an HA cluster
• Adding an encryption engine to an HA cluster
• Modifying the failback mode
Configuration type: Crypto Device (target/LUN/tape)
Disallowed configuration changes:
• Crea
Use the --sync -securitydb command to distribute the security database from the group leader node to all member nodes. This command is valid only on the group leader. In scenarios where this master key propagation issue still persists, exporting the master key to a file and recovering it from that file resolves the issue. To do this, use the following commands:
• Use the cryptocfg --exportmasterkey -file option to export the master key to a file.
• Use the cryptocfg
• Key class and format on the KV configured for the user group
• Client session timeout
• Encryption node scope
• Node KAC certificate and its validity (for example, valid header and expiry date)
• Username/password
• User group
• Time of day on the switch
• Key Vault client SDK version
• Timeout and retry policy for the client SDK
The key vault client SDK version, and the timeout and retry policy for the client SDK, could differ across encryption nodes, depending on the firm
FabricAdmin:switch> cryptocfg --perfshow [slot] [-rx | -tx | -tx -rx] [-interval
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command: supportsave
Activity: Check the whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log).
TABLE 10 General errors and conditions
Problem: A backup fails because the LUN is always in the initialize state for the tape container.
Resolution: Use one of two resolutions:
Problem: Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
TABLE 10 General errors and conditions (Continued)
Problem: A performance drop occurs when using DPM on a Microsoft Windows system to back up to a Scalar 500i tape library.
Resolution: Change the DPM behavior to send one request at a time by adding the DWORD “BufferQueueSize” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent and setting its value to 1. Then restart the DPM servers: MSDPM, DPMLA, DPMRA.
Troubleshooting examples using the CLI
Encryption Enabled CryptoTarget LUN
The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled CryptoTarget LUN
If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group . . . 272
• Errors related to adding a switch to a new group . . . 273
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
TABLE 12 Error recovery instructions for adding a switch to a new group (Continued)
Configuration task: Create a new master key (opaque key vaults only)
Error description: A failure occurred while attempting to create a new master key.
Instructions: 1
Configuration task: Save the switch’s public key certificate to a file.
Error description: The switch’s public key certificate could not be saved to a file.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Columns: Case; Reasons for the LUN getting disabled by the encryption switch; Action taken if you do not need to save the data; Action taken if you need to save the data.
Case 1: The LUN was modified from encrypt policy to cleartext policy but metadata exists. The LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA cluster, or DEK cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on, or the group leader is kept powered down, the member nodes might lose information and knowledge about the encryption group.
MPIO and internal LUN states 6 5. Synchronize the crypto configurations across all member nodes. FabricAdmin:switch> cryptocfg –-commit MPIO and internal LUN states The Internal LUN State field displayed within the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine.
6 FS8-18 blade removal and replacement 1. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN. FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 \ 10:00:00:05:1e:53:37:99 Operation Succeeded 2. Check the status of the resumed rekey session. FabricAdmin:switch> cryptocfg --show -rekey -all • Read all data off the LUN and write it to another LUN.
FS8-18 blade removal and replacement 6 3. If the replaced FS8-18 blade is in member node, invoke the following command to reclaim the base WWN. FabricAdmin:switch> cryptocfg --reclaimWWN –EE 4. Issue commit. FabricAdmin:switch> cryptocfg --commit 5. Replace the old FS8-18 blade with the new FS8-18 blade and reconnect the FC cables and I/O Link cables. 6. Insert the new FS8-18 blade in the same slot of the chassis that was used by the old FS8-18 blade.
6 FS8-18 blade removal and replacement NOTE Because the FS8-18 blade was inserted in the same slot as the previous blade, no change of HA cluster container ownership is required; the HA cluster configuration is retained. 16. If “manual” failback was set on the HA cluster, you must manually fail back the LUNs owned by the newly replaced EE. 17. Check the EG state using the following command to ensure that the entire EG is in a converged and In Sync state.
Brocade Encryption Switch removal and replacement 6 11. If a master key is not present, restore the master key from a backed up copy. Procedures will differ depending on the backup media used (for example, recovery smart cards, from the key vault, from a file on the network, or a file on a USB-attached device). Refer to Chapter 2, “Configuring Encryption Using the Management Application.” 12. Check the EE state using the following command to ensure the EE is online.
6 Brocade Encryption Switch removal and replacement 8. Power on the new Brocade Encryption Switch. Note that the FC cables have not yet been plugged in. 9. Set the IP address for the new Brocade Encryption Switch using the ipAddrSet command for the Mgmt and I/O links. Check that the switch name and domain ID associated with the replacement switch match that of the original. 10. Zeroize the new Brocade Encryption Switch using the following command. Admin:switch> cryptocfg –-zeroizeEE 11.
21. Import the signed CSR/Cert onto the new node.
22. Register the signed KAC CSR/Cert on the new node using the following command.
Admin:switch> cryptocfg --reg -KACcert
23. Register on the new node the username and password that the other nodes in the EG use (created on the SafeNet KeySecure appliance), using the following command.
Admin:switch> cryptocfg --reg -KACLogin
24.
31. If HA cluster membership for the old Brocade Encryption Switch was not in place, move the containers to the new Brocade Encryption Switch using the following procedure.
a. Replace the old EE with the new EE using the following command on the group leader.
Admin:switch> cryptocfg --replace
b. Issue commit.
Admin:switch> cryptocfg --commit
32.
11. Invoke the following command to clean up any WWN entries that were used earlier.
Admin:switch> cryptocfg --reclaim -cleanup
12. Recreate the EG with the same name as before using the following command.
Admin:switch> cryptocfg --create -encgroup
13. Invoke configdownload from the previously uploaded configuration.
14. Enable the switch using the switchenable command.
15. Deregister both key vaults using the following command.
6 Reclaiming the WWN base of a failed Brocade Encryption Switch
27. Verify that defzone is set to no access.
28. If HA cluster membership for the old Brocade Encryption Switch was in place, move the containers to the new Brocade Encryption Switch using the following procedure.
a. Replace the old EE with the new EE using the following command on the group leader.
Admin:switch> cryptocfg --replace
b. Issue commit.
Admin:switch> cryptocfg --commit
c.
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.
Removing stale rekey information for a LUN
To clean up stale rekey information for a LUN, complete one of the following procedures:
Procedure 1:
1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN will become disabled.
2.
6 Splitting an encryption group into two encryption groups
NOTE
You should not join a Fabric OS 7.0.1(x) node into an encryption group, or eject a node running Fabric OS 7.1.0 or later from one, while the firmware consistency check for the device decommission feature is enabled in that encryption group.
Moving an encryption blade from one EG to another in the same fabric
a. Create the group:
Admin:switch> cryptocfg --create -encgroup FOS3
b. Set the key vault type.
Admin:switch> cryptocfg --set -keyvault KMIP
When prompted, enter yes to each prompt.
8. Add FOS4 as a member node to the new EG.
• For details about adding member nodes to an EG, see “Adding a member node to an encryption group” on page 160.
• For details about creating encryption groups, see “Creating an encryption group” on page 50.
Moving an encryption switch from one EG to another in the same fabric
In this example, which is represented in Table 17, you have two EGs, each containing two nodes. You want to move FOS2 from EG1 to EG2.
TABLE 17 Moving a Brocade Encryption Switch from one EG to another EG
Encryption group | Nodes (before move) | Nodes (after move)
EG1 | FOS1 (GL), FOS2 | FOS1 (GL)
EG2 | FOS3 (GL), FOS4 | FOS3 (GL), FOS4, FOS2
1.
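The following is an added example and is not code from this guide or from Brocade. It models the membership of Table 17 (EG1: FOS1 (GL), FOS2; EG2: FOS3 (GL), FOS4) and plans the move of a member node from one EG to another, refusing the cases the text forbids: moving the group leader itself, and, from the splitting note above, ejecting a Fabric OS 7.1.0 or later node from, or joining a 7.0.1(x) node into, an EG whose firmware consistency check for device decommission is enabled. The node IP addresses are constructed, and the command forms `cryptocfg --eject -membernode <ip>` (run on the source group leader) and `cryptocfg --add -membernode <ip>` (run on the destination group leader) are assumptions, not taken from this page; confirm them against the CLI reference before use.

```python
"""Plan a member-node move between two encryption groups (added example, not Brocade code).

Assumptions not stated on this page: node addresses are constructed, and the
eject/add steps are taken to be 'cryptocfg --eject -membernode <ip>' on the
source group leader and 'cryptocfg --add -membernode <ip>' on the destination
group leader.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    ip: str            # constructed management address (assumption)
    fos_version: str   # Fabric OS version string, e.g. "7.1.0"


@dataclass
class EncryptionGroup:
    name: str
    leader: Node                                        # group leader (GL)
    members: List[Node] = field(default_factory=list)   # member nodes, excluding the GL
    decommission_fw_check: bool = False                 # firmware consistency check for device decommission

    def nodes(self) -> List[Node]:
        return [self.leader] + list(self.members)

    def node_names(self) -> List[str]:
        return [n.name for n in self.nodes()]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce a Fabric OS version such as '7.0.1c' to its numeric (major, minor, patch)."""
    nums = []
    for part in v.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_701x(v: str) -> bool:
    """True for any Fabric OS 7.0.1(x) release."""
    return parse_version(v) == (7, 0, 1)


def is_710_or_later(v: str) -> bool:
    return parse_version(v) >= (7, 1, 0)


def plan_move(node: Node, src: EncryptionGroup, dst: EncryptionGroup) -> List[str]:
    """Validate the move, apply it to the in-memory groups, and return the CLI steps.

    Raises ValueError when the move breaks a rule, so the groups are never left half-moved.
    """
    if node == src.leader:
        raise ValueError(f"{node.name} is the group leader of {src.name}; move a member node instead")
    if node not in src.members:
        raise ValueError(f"{node.name} is not a member of {src.name}")
    if node in dst.nodes():
        raise ValueError(f"{node.name} is already in {dst.name}")
    # Caveat from the splitting note: with the device-decommission firmware consistency
    # check enabled, do not eject a 7.1.0+ node from the group and do not join a
    # 7.0.1(x) node into the group.
    if src.decommission_fw_check and is_710_or_later(node.fos_version):
        raise ValueError(f"{src.name} has the decommission firmware check enabled; "
                         f"cannot eject {node.name} (FOS {node.fos_version})")
    if dst.decommission_fw_check and is_701x(node.fos_version):
        raise ValueError(f"{dst.name} has the decommission firmware check enabled; "
                         f"cannot join {node.name} (FOS {node.fos_version})")

    steps = [
        f"# on {src.leader.name} (GL of {src.name})",
        f"cryptocfg --eject -membernode {node.ip}",   # assumed command form
        f"# on {dst.leader.name} (GL of {dst.name})",
        f"cryptocfg --add -membernode {node.ip}",     # assumed command form
    ]
    src.members.remove(node)
    dst.members.append(node)
    return steps


def build_example() -> Tuple[EncryptionGroup, EncryptionGroup]:
    """The two groups of Table 17, with constructed addresses and versions."""
    fos1 = Node("FOS1", "10.0.0.1", "7.1.0")
    fos2 = Node("FOS2", "10.0.0.2", "7.1.0")
    fos3 = Node("FOS3", "10.0.0.3", "7.1.0")
    fos4 = Node("FOS4", "10.0.0.4", "7.1.0")
    return (EncryptionGroup("EG1", fos1, [fos2]),
            EncryptionGroup("EG2", fos3, [fos4]))


if __name__ == "__main__":
    eg1, eg2 = build_example()
    for line in plan_move(eg1.members[0], eg1, eg2):
        print(line)
    print("EG1:", eg1.node_names(), "EG2:", eg2.node_names())
```

Running the script prints the two-leader command plan for FOS2 and the resulting membership, which matches the "after move" column of Table 17; flipping `decommission_fw_check` on either group reproduces the refusals described in the splitting note.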
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states . . . 291
• Security processor KEK status . . . 292
• Encrypted LUN states . . . 292
Encryption engine security processor (SP) states
Table 18 lists the encryption engine security processor (SP) states.
Security processor KEK status
Table 19 lists security processor KEK status information.
TABLE 19 Security processor KEK status
KEK type | KEK status (1) | Description
Primary KEK (current MK or primary KV link key) | None | Primary KEK is not configured.
Primary KEK (current MK or primary KV link key) | Mismatch | Primary KEK mismatch between the CP and the SP.
Primary KEK (current MK or primary KV link key) | Match/Valid | Primary KEK at CP matches the one in the SP and is valid.
Secondary KEK (alternate MK or secondary KV link key) | None |
Secondary KEK (alternate MK or secondary KV link key) | Mismatch |
Group KEK | |
1.
TABLE 20 Encrypted LUN states (Continued)
LUN_1ST_TIME_REKEY_IN_PROG | First time rekey is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG | Key expired rekey is in progress.
LUN_MANUAL_REKEY_IN_PROG | Manual rekey is in progress.
LUN_DECRYPT_IN_PROG | Data decryption is in progress.
LUN_WR_META_PENDING | Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING | First time rekey is pending.
LUN_KEY_EXPR_REKEY_PENDING | Key expired rekey is pending.
TABLE 20 Encrypted LUN states (Continued)
LUN_DIS_WR_META_DONE_ERR | Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED | Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH | Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN | Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL | Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE | Disabled (Third party license is required).
TABLE 21 Tape LUN states
Internal Names | Console String | Explanation
LUN_DIS_LUN_NOT_FOUND | Disabled (LUN not found) | No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support.
LUN_TGT_OFFLINE | Target Offline | Target port is not currently in the fabric. Check connections and L2 port state.
TABLE 21 Tape LUN states (Continued)
LUN_ENCRYPT | Encryption enabled | The tape medium is present and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out whether the tape is encrypted in native mode or DataFort-compatible mode.
Index
A
add commands
  --add -haclustermember, 166
  --add -initiator, 179, 187, 193
  --add -LUN, 184, 194, 204, 208
adding a node to a cluster, 47
authentication cards
  deregistering, 20
  register from database, 19
  registering from card reader, 17
  setting a quorum, 20
auto rekey
  viewing time left, 121
B
blade processor links, 27
blade processors
  configuring links, 27
Brocade Encryption Switch
  See switch
C
cards, 23
certificates
  backing up, 44, 151
  file names, 160
CLI general errors and
Crypto LUN
  adding to CryptoTarget container using the CLI, 182
  configuring, 182, 183
  modifying parameters, 189
  parameters and policies, 185
  removing, 188
cryptocfg command
  --add -haclustermember, 166
  --add -initiator, 179, 187, 193
  --add -LUN, 184, 194, 204, 208
  --commit, 251
  --create -container, 178, 187, 192
  --create -encgroup, 159
  --create -hacluster, 165
  --create -tapepool, 202
  --delete -container, 181, 245
  --delete -encgroup, 247
  --delete -hacluster, 251
  --delete -tapepool, 203
  --dereg -membernode, 246
disk LUNs
  decommissioning, 113
  rekeying manually, 115
  setting rekey all, 116
  viewing rekey details, 117
disk metadata, 233
E
EE state
  disabling from properties, 126
  enabling from properties, 126
eject commands
  --eject -membernode, 246
enable a disabled LUN using the CLI, 233
enable commands
  --enable -LUN, 199
  --enable -rekey, 208
  --enable_rekey, 204
  --enableEE, 254
enableEE, 172
encrypted LUN states, 292
encryption
  adding a license, 5
  best practices for licensing, 5
  certificate generation, 28
  configuration
encryption node
  setting initialization, 28
encryption nodes
  setting initialization, 148
encryption properties
  viewing properties, 122
encryption switch
  definition of, 4
  initialization, 157
  port labeling, 146
encryption switch or group, removing using the management application, 132
encryption targets
  adding, 72
  adding to virtual targets and virtual initiators within the encryption switch, 71
  configuring hosts for, 80
  using the dialog box, 111
  using the dialog box to add Disk LUNs, 113
engine operations tab,
I
import commands, --import, 161
initialize commands
  --initEE, 254
  initEE, 158
  --initnode, 157, 254
initializing encryption switch using the CLI, 157
initiators, removing from CryptoTarget container, 180
initiator-target zone, creating, 174
K
KAC
  importing signed certificate, 43
KAC certificates
  registering, 156
KAC CSR
  exporting to a local machine, 152
  signing using the local CA, 153
KEK security processor status, 292
key pair certificates, 160
key vault
  setting parameters, 152
  setting type, 152
key vault
member nodes
  adding to an encryption group, 160
members tab, 130
  remove button, 132
modify commands
  --modify -LUN, 189, 204, 208
  --modify -tapepool, 203
move commands, --move -container, 182
multi-path
  configuring Crypto LUN for multi-path, 191
  LUN configuration example, 192
  LUN configuration warning, 190, 191
multi-path configuration for encrypted storage using the Management application, 78
multi-path environments
  configuring encrypted tape storage, 91
multi-path LUN configuration requirements
set commands
  --set -failback, 168
  --set -keyvault LKM, 159
show commands
  --show, 162, 172
  --show -container, 179
  --show -groupmember, 162, 178, 245
  --show groupmember, 209
  --show -hacluster, 248, 253
  --show -tapepool, 202
smart card set overview, 105
smart cards
  configuring, 16
  editing, 25
  removing using the management application, 25
  saving to a file, 25
  tracking, 23
  using, 16, 23
states
  encrypted LUN, 292
storage arrays
  configuring, 87
storage encryption
  configuration privileges, 15
  configuring, 73
  confir
troubleshooting
  cfgshow command, 267
  configshow, 267
  cryptocfg --show -groupcfg command, 267
  cryptocfg --show -groupmember command, 267
  general encryption using the CLI, 267
  general errors related to the Configure Switch Encryption wizard, 274
  management application wizard, 272
  nsshow command, 267
  supportsave command, 267
  troubleshooting examples using the CLI, 270
  turn off compression on extension switches, 238
  turn off host-based encryption, 237
U
universal IDs
  displaying, 115
user name
  configuring, 154