53-1002925-01, 26 July 2013
Fabric OS Encryption Administrator’s Guide
Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments
Supporting Fabric OS v7.2.
Copyright © 2012 - 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents
About This Document
• How this document is organized: xi
• Supported hardware and software: xii
• What’s new in this document: xii
• Document conventions: xii
• Text formatting
Chapter 2 Configuring Encryption Using the Management Application
• Encryption Center features: 14
• Encryption user privileges: 15
• Smart card usage: 16
• Using authentication cards with a card reader: 16
• Registering authentication cards from a card reader
• Configuring encryption storage targets: 53
• Adding an encryption target: 54
• Configuring hosts for encryption targets: 62
• Adding target disk LUNs for encryption: 64
• Configuring storage arrays: 69
• Adding target tape LUNs for encryption
• Viewing and editing encryption group properties: 97
• General tab: 99
• Members tab: 100
• Consequences of removing an encryption switch: 102
• Security tab: 103
• HA Clusters tab
• CryptoTarget container configuration: 138
• LUN rebalancing when hosting both disk and tape targets: 139
• Gathering information: 140
• Creating a CryptoTarget container: 141
• Removing an initiator from a CryptoTarget container: 142
• Deleting a CryptoTarget container: 143
• Moving a CryptoTarget container
Chapter 4 Deployment Scenarios
• Single encryption switch, two paths from host to target: 176
• Single fabric deployment - HA cluster: 177
• Single fabric deployment - DEK cluster: 178
• Dual fabric deployment - HA and DEK cluster: 179
• Multiple paths, one DEK cluster, and two HA clusters: 180
• Multiple paths, DEK cluster, no HA cluster
• Configuring CryptoTarget containers and LUNs: 201
• Redirection zones: 202
• Deployment with Admin Domains (AD): 202
• Do not use DHCP for IP interfaces: 202
• Ensure uniform licensing in HA clusters: 202
• Tape library media changer considerations
• Encryption group merge and split use cases: 219
• A member node failed and is replaced: 219
• A member node reboots and comes back up: 220
• A member node lost connection to the group leader: 221
• A member node lost connection to all other nodes in the encryption group: 221
• Several member nodes split off from an encryption group
• Moving an encryption blade from one EG to another in the same fabric: 259
• Moving an encryption switch from one EG to another in the same fabric: 260
Appendix A State and Status Information
• Encryption engine security processor (SP) states: 261
• Security processor KEK status
xii Fabric OS Encryption Administrator’s Guide (LKM/SSKM) 53-1002925-01
About This Document
In this chapter
• How this document is organized: xi
• Supported hardware and software: xii
• What’s new in this document: xii
• Document conventions: xii
• Additional information
Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
• Brocade DCX Backbone series chassis with an FS8-18 encryption blade.
• Brocade Encryption Switch.
What’s new in this document
This document identifies any encryption changes that support Fabric OS 7.2.0.
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
variable: Variables are printed in italics. In the help pages, variables are underlined or enclosed in angle brackets < >.
...: Repeat the previous element, for example “member[;member...]”.
value: Fixed values following arguments are printed in plain font. For example, --show WWN.
|: Boolean. Elements are exclusive. Example: --show -mode egress | ingress
\: Backslash. Indicates that the line continues through the line break. For command line input, type the entire line without the backslash.
Key terms For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xiv for instructions on accessing MyBrocade. For definitions specific to this document, see “Terminology” on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.
For information about the Key Management Interoperability Protocol standard, visit the OASIS KMIP Technical Committee website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis. Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document.
Chapter 1 Encryption Overview
In this chapter
• Host and LUN considerations: 1
• Terminology: 2
• The Brocade Encryption Switch: 4
• The FS8-18 blade: 5
• FIPS mode
Terminology
The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 Level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK): An encryption key generated by the encryption engine.
Recovery cards: A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the BNA client to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.
The Brocade Encryption Switch
The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs in the Brocade DCX Backbone chassis family, which includes the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis.
FIPS mode
Both the Brocade Encryption Switch and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual property, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage
The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
Support for virtual fabrics
The Brocade Encryption Switch does not support the logical switch partitioning capability and, thus, cannot be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E_Port. The FS8-18 Encryption Blades are supported only in a default switch partition. All FS8-18 blades must be placed in a default switch partition in a DCX Backbone chassis.
Cisco Fabric Connectivity support
Chapter 2 Configuring Encryption Using the Management Application
• Encryption Center features: 14
• Encryption user privileges: 15
• Smart card usage: 16
• Network connections
Encryption Center features
The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Brocade Network Advisor Management application. (Refer to Figure 6.) It also provides a table that shows the general status of all encryption-related hardware and functions at a glance. To open the dialog box, select Configure > Encryption.
FIGURE 6 Encryption Center dialog box
Beginning with Fabric OS 6.
Encryption user privileges
In Brocade Network Advisor, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time.
TABLE 1 Encryption privileges (Continued)
Privilege: Storage Encryption Security
Read/Write:
• Launch the Encryption Center dialog box.
• View switch, group, or engine properties.
• View Encryption Group Properties Security tab.
• View LUN centric view.
• View all rekey sessions.
• View encryption targets, hosts, and LUNs.
• Create a master key.
• Backup a master key.
• Edit smart card.
• Establishing a trusted link with the NetApp LKM/SSKM key vault.
• Decommissioning a LUN.
When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access.
Registering authentication cards from a card reader
To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
Registering authentication cards from the database
Smart cards that are already in the Management program’s database can be registered as authentication cards.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar to display the Encryption Group Properties dialog box.
Deregistering an authentication card
Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
Using system cards
System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine after a power off.
Enabling or disabling the system card requirement
To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch. You access the system card GUI from the Security tab. Complete the following procedure to enable or disable the system card requirement.
1.
Deregistering system cards
System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar. The System Cards dialog box displays. (Refer to Figure 11 on page 21.)
3.
FIGURE 12 Smart Card Asset Tracking dialog box
The Smart Cards table lists the known smart cards and the details for the smart cards. These details include the following:
• Card ID: Lists the smart card ID, prefixed with an ID that identifies how the card is used. For example, rc.123566b700017818, where rc stands for recovery card.
• Card Type: Options are: System card, Authentication card, and Recovery set.
• Usage: Usage content varies based on the card type.
NOTE
You can remove smart cards from the table to keep the Smart Cards table at a manageable size, but removing the card from the table does not invalidate it; the smart card can still be used.
• Save As button: Saves the entire list of smart cards to a file. The available formats are comma-separated values (.csv) and HTML (.html).
• Card Details table: Card details vary based on the card type.
Editing smart cards
Smart cards can be used for user authentication, master key storage and backup, and as a system card for authorizing use of encryption operations.
1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar to display the Edit Smart Card dialog box. (Refer to Figure 13.)
FIGURE 13 Edit Smart Card dialog box
2. Insert the smart card into the card reader.
3.
Network connections
Before you use the encryption setup wizard for the first time, you must have the following required network connections:
• The management ports on all encryption switches and DCX Backbone Chassis CPs that have encryption blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
Configuring blade processor links
To configure blade processor links, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select the encryption engine from the Encryption Center Devices table, then select Engine > Blade Processor Link from the menu task bar to display the Blade Processor Link dialog box. (Refer to Figure 14.
Setting encryption node initialization
Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.
1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar.
2. Select Yes after reading the warning message to initialize the node.
Establishing the trusted link
You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted acceptance package (TAP) before you can establish a trusted link between each node and the NetApp LKM/SSKM appliance.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
Copyright (c) 2001-2009 NetApp, Inc. All rights reserved
+--------------------------------+
| NetApp Appliance Management CLI |
| Authorized use only!           |
+--------------------------------+
Cannot read termcapdatabase; using dumb terminal settings.
Checking system tamper status: No physical intrusion detected.
2. Add the group leader to the LKM/SSKM key sharing group.
FIGURE 15 Export switch certificate dialog box
3. Select Signed switch certificate (X.509), which allows you to export a signed switch certificate to a location of your choosing. The default location is My Documents on your client PC. In most cases, this certificate file should be in Privacy Enhanced Mail (.pem) format.
4. Click OK. You are prompted to save the CSR, which can be saved to your SAN Management Program client PC, or an external host of your choosing.
Disk keys and tape pool keys (Brocade native mode support)
DEK creation, retrieval, and update for disk and tape pool keys in Brocade native mode are as follows:
• DEK creation: The DEK is archived into the primary LKM/SSKM. Upon successful archival of the DEK onto the primary LKM/SSKM, the DEK is read from the secondary LKM/SSKM until it is either synchronized to the secondary LKM/SSKM, or a timeout of 10 seconds occurs (2 seconds with 5 retries).
Encryption preparation
Before you use the encryption setup wizard for the first time, you should have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
• You have a plan in place to organize encryption devices into encryption groups.
2. Select a switch from the encryption group. (The switch must not be assigned to an encryption group.)
3. Select Encryption > Create/Add to Group, from the menu task bar. The Configure Switch Encryption wizard welcome screen displays. (Refer to Figure 17.) The wizard enables you to create a new encryption group, or add an encryption switch to an existing encryption group. The wizard also enables you to configure switch encryption.
4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays. (Refer to Figure 18.
FIGURE 19 Create a New Encryption Group dialog box
The dialog box contains the following information:
• Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive.
• Failback mode: Selects whether or not storage targets should be automatically transferred back to an encryption engine that comes online after being unavailable. Options are Automatic or Manual.
FIGURE 20 Select Key Vault dialog box
Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Prior to selecting your Key Vault Type, the selection is shown as None. The dialog box contains the following information:
• Key Vault Type: If an encryption group contains mixed firmware nodes, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader.
FIGURE 21 Select Key Vault dialog box for LKM
1. Enter the IP address or host name for the primary key vault.
2. Enter the name of the file that holds the primary key vault’s public key certificate, or browse to the desired location.
3. If you are using a backup key vault, enter the IP address or host name, and the name of the file holding the backup key vault’s public key certificate, then click Next. The Specify Public Key Certificate (KAC) File Name dialog box displays.
FIGURE 22 Specify Public Key Certificate (KAC) File Name dialog box
4. Specify the location of the file where you want to store the public key certificate that is used to authenticate connections to the key vault. The certificate stored in this file is the switch’s public key certificate. You will need to know this path and file name to install the switch’s public key certificate on the key management appliance.
5. Click Next.
FIGURE 23 Select Security Settings dialog box
6. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards.
FIGURE 24 Confirm Configuration dialog box
The Configuration Status dialog box displays. (Refer to Figure 25.)
FIGURE 25 Configuration Status dialog box
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
After configuration of the encryption group is completed, Brocade Network Advisor sends API commands to verify the switch configuration. See “Understanding configuration status results” on page 43 for more information.
8. Verify the information is correct, then click Next. The Next Steps dialog box displays. (Refer to Figure 26.) Instructions for installing public key certificates for the encryption switch are displayed. These instructions are specific to the key vault type.
5. Create a new master key. (Opaque key vaults only). Brocade Network Advisor checks for a new master key. New master keys are generated from the Security tab located in the Encryption Group Properties dialog box.
NOTE
A master key is not generated if the key vault type is LKM. LKM manages DEK exchanges through a trusted link, and the LKM appliance uses its own master key to encrypt DEKs.
6. Save the switch’s public key certificate to a file.
FIGURE 28 Designate Switch Membership dialog box
4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays. (Refer to Figure 29.) The dialog box contains the following information:
• Encryption Groups table: Enables you to select an encryption group in which to add a switch.
• Member Switches table: Lists the switches in the selected encryption group.
FIGURE 29 Add Switch to Existing Encryption Group dialog box
5. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate (KAC) File Name dialog box displays. (Refer to Figure 30.
6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays. (Refer to Figure 31.) Confirm the encryption group name and switch public key certificate file name you specified are correct, then click Next.
FIGURE 31 Confirm Configuration dialog box
The Configuration Status dialog box displays.
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
7. Review important messages, then click Next. The Error Instructions dialog box displays. (Refer to Figure 33.
Replacing an encryption engine in an encryption group
To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
High availability clusters
A high availability (HA) cluster consists of exactly two encryption engines configured to host the same CryptoTargets and to provide Active or Standby failover and failback capabilities in a single fabric. One encryption engine can take over encryption and decryption tasks for the other encryption engine if that member fails or becomes unreachable.
Creating HA clusters
For the initial encryption node, perform the following procedure.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar.
NOTE
If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar.
3. Click the right arrow to add the encryption engine to the selected HA cluster.
4. Click OK.
Removing engines from an HA cluster
Removing the last engine from an HA cluster also removes the HA cluster. If only one engine is removed from a two-engine cluster, you must either add another engine to the cluster, or remove the other engine.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.
Failback option
The Failback option determines the behavior when a failed encryption engine is restarted. When the first encryption engine comes back online, the encryption group’s failback setting (auto or manual) determines how the encryption engine resumes encrypting and decrypting traffic to its encryption targets.
• In auto mode, when the first encryption engine restarts, it automatically resumes encrypting and decrypting traffic to its encryption targets.
5. Confirmation
6. Configuration Status
7. Important Instructions
Adding an encryption target
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select a group, switch, or engine from the Encryption Center Devices table to which to add the target, then select Group/Switch/Engine > Targets from the menu task bar.
FIGURE 37 Configure Storage Encryption welcome screen
4. Click Next. The Select Encryption Engine dialog box displays. (Refer to Figure 38.
The dialog box contains the following information:
• Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed:
- If an encryption group was selected, the list includes all engines in the group.
- If a switch was selected, the list includes all encryption engines for the switch.
- If a single encryption engine was selected, the list contains only that engine.
Configuring encryption storage targets 2 6. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsShow command.) You can also enter WWNs manually, for example, to specify a target that is not on the list. 7. Select a target type from the Type list, then click Next. The Select Hosts dialog box displays. (Refer to Figure 40.) You can configure hosts for selected target device ports.
2 Configuring encryption storage targets NOTE You must enter the host node world wide name before clicking Add, to add the WWN to the Selected Hosts table. • Node WWN text box: Type a world wide name for a host node. NOTE You must also enter the host port world wide name before clicking Add to add the node WWN to the Selected Hosts table. • Device Type: The device type indicated by the fabric’s name service. The value is either Initiator or Initiator + Target.
FIGURE 41 Name Container dialog box

10. Enter the container name. The container name is a logical encryption name; enter one to use a name other than the default. You can use a maximum of 31 characters. Letters, digits, and underscores are allowed.
11. Click Next. The Confirmation screen displays. (Refer to Figure 42.) The confirmation screen confirms and completes configuration of encryption engines, targets, and hosts.

The screen contains the following information:
• Encryption Engine: The slot location of the encryption engine.
• Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
• Target Device Port: The world wide name of the target device port.
• Host Node WWN: The world wide name of the host node.
• Host Port WWN: The world wide name of the host port.
• Host Name: The name of the host.
12.

13. Review any post-configuration instructions or messages, which you can copy to a clipboard or print for later, then click Next. The Next Steps screen displays. (Refer to Figure 44.) Post-configuration instructions for installing public key certificates for the encryption switch are displayed.
Configuring hosts for encryption targets

Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.
NOTE
Hosts are normally selected as part of the Configure Switch Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.

FIGURE 46 Encryption Target Hosts dialog box

NOTE
Both the Host Ports in Fabric table and the Selected Hosts table now contain a Port ID column to display the 24-bit PID of the host port.
4. Select one or more hosts in a fabric using either of the following methods:
a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table.

Adding target disk LUNs for encryption

You can add a new path to an existing disk LUN, or add a new LUN and path, by launching the Add New Path wizard. To launch the wizard, complete the following steps:
NOTE
Before you can add a target disk LUN for encryption, you must first configure the storage arrays. For more information, refer to “Configuring storage arrays” on page 69.
1.
• Encryption path table: Lists each LUN/path, identified by the following:
- LUN Path Serial #
- Target Port
- Initiator Port
- Container Name
- Switch Name
- Fabric
- State
- Thin Provision LUN
- Encryption Mode
- Encrypt Existing Data
- Key ID
• Remove button: Removes a selected entry from the table.
3. Click Add to launch the Add New Path wizard. The Select Target Port dialog box displays. (Refer to Figure 48.

4. Select the target port from the Target Port table, then click Next. The Select Initiator Port dialog box displays. (Refer to Figure 49.)

FIGURE 49 Select Initiator Port dialog box

The dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.

FIGURE 50 Select LUN dialog box

The Select LUN dialog box is used to select a LUN when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information:
• Storage Array: The storage array selected from the LUN view prior to launching the Add New Path wizard.
• Host: The host selected from the LUN view prior to launching the Add New Path wizard.

NOTE
The maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. The 512 LUN operations can all apply to the same LUN or be spread across up to 25 distinct LUNs. This higher commit limit applies only when using Brocade Network Advisor. Earlier Fabric OS versions allowed a maximum of 25 uncommitted changes per disk LUN.
Configuring storage arrays

The storage array contains a list of storage ports that will be used later in the LUN centric view. You must assign storage ports from the same storage array for multi-path I/O purposes. On the LUN centric view, storage ports in the same storage array are used to get the associated CryptoTarget containers and initiators from the database.

FIGURE 52 Encryption Targets dialog box

3. Select a target tape storage device from the Encryption Targets table, then click LUNs. The Encryption Target Tape LUNs dialog box displays. (Refer to Figure 53.)

FIGURE 53 Encryption Target Tape LUNs dialog box

4. Click Add. The Add Encryption Target Tape LUNs dialog box displays. (Refer to Figure 54.) All LUNs in the storage device that are visible to hosts are listed in the table.

FIGURE 54 Add Encryption Target Tape LUNs dialog box

5. Select a host from the Host list. Before you encrypt a LUN, you must select a host, then either discover LUNs that are visible to the virtual initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host. When you select a specific host, only the LUNs visible to that host are displayed.

• Enable Write Early Ack: When selected, enables tape write pipelining on this tape LUN. Use this option to speed long serial writes to tape, especially for remote backup operations.
• Enable Read Ahead: When selected, enables read pre-fetching on this tape LUN. Use this option to speed long serial read operations from tape, especially for remote restore operations.
NOTE
The Select/Deselect All button allows you to select or deselect all available LUNs.
8.

Tape LUN write early and read ahead

The tape LUN write early and read ahead feature uses tape pipelining and prefetch to speed serial access to tape storage. These features are particularly useful when performing backup and restore operations, especially over long distances. You can enable tape LUN write early and read ahead while adding the tape LUN for encryption, or you can enable or disable these features after the tape LUN has been added for encryption.
FIGURE 56 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early

4. In the Enable Write Early Ack and Enable Read Ahead columns, when the table is populated, you can set these features as desired for each LUN:
• To enable write early for a specific tape LUN, select Enable Write Early Ack for that LUN.
• To enable read ahead for a specific LUN, select Enable Read Ahead for that LUN.

Viewing and clearing tape container statistics

You can view LUN statistics for an entire crypto tape container or for specific LUNs. To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select a group from the Encryption Center Devices table, then select Group > Targets from the menu task bar.

• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
• Compressed blocks: The number of compressed blocks written to tape.
• Uncompressed Bytes: The number of uncompressed bytes written to tape.
• Compressed Bytes: The number of compressed bytes written to tape.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
FIGURE 59 Target Tape LUNs dialog box

4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays. (Refer to Figure 60.) The statistics for the LUN or LUNs you selected are displayed. Tape LUN statistics are cumulative.

• A Refresh button updates the statistics on the display since the last reset.
• A Clear button resets all statistics in the display.
5. Do either of the following:
a. Click Clear to clear the tape LUN statistics, then click Yes to confirm.
b. Click Refresh to view the current statistics cumulative since the last reset.

Viewing and clearing statistics for tape LUNs in a container

To view or clear statistics for tape LUNs in a container, follow these steps:
1.

FIGURE 62 Tape LUN Statistics dialog box

The Tape LUN Statistics dialog box contains the following information:
• LUN #: The number of the logical unit for which statistics are displayed.
• Tape Volume/Pool: The tape volume label of the currently-mounted tape, if a tape session is currently in progress.
• Tape Session #: The number of the ongoing tape session.
• Uncompressed blocks: The number of uncompressed blocks written to tape.
During rebalancing operations, be aware of the following:
• You might notice a slight disruption in Disk I/O. In some cases, manual intervention may be needed.
• Backup jobs to tapes might need to be restarted after rebalancing is completed.
To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS 6.4, a field is added that indicates whether or not rebalancing is recommended.

NOTE
The Select Security Settings dialog box only sets a quorum number for authentication cards. To register authentication cards, click Next to display the Authentication Cards dialog box.

Zeroizing an encryption engine

Zeroizing is the process of erasing all data encryption keys and other sensitive encryption information in an encryption engine. You can zeroize an encryption engine manually to protect encryption keys.

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select an encryption engine from the Encryption Center Devices table, then select Engine > Zeroize from the menu task bar. A warning describes the consequences and actions required to recover.
3. Click Yes to zeroize the encryption engine.

FIGURE 63 Encryption Targets dialog box

Redirection zones

It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can only be created if the host and target are in the same zone.

NOTE
The key IDs that were used for encrypting the data are returned. When disk LUNs are decommissioned, the decommissioned keys are still stored on the switch. In order to delete them from the switch, you must view them from the Decommissioned Key IDs dialog box. (Refer to Figure 65.

FIGURE 64 Encryption Target Disk LUNs dialog box

4. Select the LUNs associated with the device, then click Decommission. A warning displays.
5. Click Yes to proceed with the decommissioning process. A LUN Decommission Status dialog box is displayed while the LUNs are being decommissioned. Click OK to close the dialog box.
FIGURE 65 Decommissioned Key IDs dialog box

The dialog box contains the following information:
• Key IDs that have been decommissioned at the key vault are listed in a table.
• Universal ID button: Launches the Universal ID dialog box to display the universal ID for each selected decommissioned key. You need to know the Universal ID (UUID) associated with the decommissioned disk LUN key IDs in order to delete keys from the key vault.

FIGURE 66 Universal IDs dialog box

4. Click Close.
NOTE
You will need to export the decommissioned key ID to the key vault.

Rekeying all disk LUNs manually

Brocade Network Advisor allows you to perform a manual rekey operation on all encrypted primary disk LUNs and all non-replicated disk LUNs hosted on the encryption node that are in the read-write state. Manual rekeying of all LUNs might take an extended period of time.

FIGURE 67 Selecting the Re-Key All operation

A warning displays, requesting confirmation to proceed with the rekey operation.
3. Click Yes. Rekeying operations begin on up to 10 LUNs. If more than 10 LUNs are configured on the switch, the remaining rekey operations are held in the pending state.
4. Open the Encryption Target Disk LUNs dialog box to see LUNs being rekeyed and LUNs pending.
a.
Viewing disk LUN rekeying details

You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2. Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/Engine > Targets, or right-click the group, switch, or engine and select Targets.

• Re-key State: The state of a manual LUN rekeying operation. Options are:
- Read Phase
- Write Phase
- Pending
- Disabled
• Block Size: The block size used on the LUN.
• Number of Blocks: The number of blocks written.
• Current LBA: The Logical Block Address (LBA) of the block that is currently being written.
• Re-key Completion: The status of the LUN rekeying operation’s progress.

• Re-Key State: Options are:
- Re-Key Setup
- LUN Prep
- LUN Clean-up
- Key Update
- Read Phase
- Write Phase
- HA Sync Phase
• Re-Key Role: Options are:
- Primary/Active
- Backup/Active
• Block Size: The block size used on the LUN.
• Container Name: The CryptoTarget container name.
• Host Port WWN: The WWN of the host port that is being used for the write operation.
• Current LBA: The Logical Block Address (LBA) of the block that is currently being written.
NOTE:
• For thin provisioned LUNs that were previously full provisioned and then converted to thin, a discoverLUN command must be performed prior to any rekeying operations. Failure to do so results in the full capacity of the LUN being encrypted as if it were not thin provisioned. Updated thin provisioned status can be verified using the cryptocfg --show -container -all -stat command and checking the output for “Thin Provision LUN: Yes”.

Viewing time left for auto rekey

You can view the time remaining until auto rekey is no longer active for a disk LUN. The information is expressed as the difference between the next rekey date and the current date and time, and is measured in days, hours, and minutes. Although you cannot make changes directly to the table, you can modify the time left using the CLI. For more information, refer to Chapter 3, “Configuring Encryption Using the CLI”.

NOTE
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Properties icon. The Encryption Switch Properties dialog box displays. (Refer to Figure 72.
• Group Member
• Leader-Member Comm Error
• Discovering
• Not a member
- Encryption Group: The name of the encryption group to which the switch belongs.
- Encryption Group Status: Status options are:
• OK/Converged: The group leader can communicate with all members.
• Degraded: The group leader cannot communicate with one or more members.

• Not Available (the engine is not initialized)
• Disabled
• Operational
• Need master/link key
• Online
- Set State To: Identifies if the state is enabled or disabled. You can click the line item in the table to change the value, then click OK to apply the change.
- Total Targets: The number of encrypted target devices.
- HA Cluster Name: The name of the HA cluster (for example, Cluster1), if in an HA configuration.
2. Enter or browse to the file containing the signed certificate, then click OK. The file is imported onto the switch.

Enabling and disabling the encryption engine state from properties

To enable the encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)
2.

FIGURE 74 Encryption Group Properties dialog box

The Encryption Group Properties dialog box contains the following information:
• General tab: For a description of the dialog box, refer to “General tab” on page 99.
• Members tab: For a description of the dialog box, refer to “Members tab” on page 100.
• Security tab: For a description of the dialog box, refer to “Security tab” on page 103.

General tab

The General tab is viewed from the Encryption Group Properties dialog box. (Refer to Figure 75.) To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.

When the first encryption engine comes back online, the encryption group’s failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.

NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.

FIGURE 76 Encryption Group Properties dialog box - Members tab

The Members tab displays the configured membership for the group and includes the following:
• Node WWN: The member switch’s world wide name.
• IP Address: The switch’s IP address or host name.
• Node Name: The switch’s node name, if known. If unknown, this field is blank.
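The failover and failback behaviour described in the Failback option section and in the General tab paragraph above, as an added example that is not Brocade's code: a small model of a two-engine HA cluster in which one engine fails, its partner takes over its targets, and the failed engine restarts under either the auto or the manual failback setting. Engine names, target names and the event sequence are constructed for the example; the model does not talk to a switch.

```python
"""Model of HA cluster failover and failback as the guide describes it.

Constructed example: two engines per HA cluster, each target container
hosted by one of them. In auto mode a restarted engine resumes its own
targets at once; in manual mode the partner keeps them until failback is
invoked by the operator or until the partner itself fails.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HaCluster:
    failback_mode: str                      # "auto" or "manual"
    online: Dict[str, bool]                 # engine -> is it up
    owner: Dict[str, str]                   # target -> engine currently handling it
    home: Dict[str, str]                    # target -> engine that originally hosts it
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.failback_mode not in ("auto", "manual"):
            raise ValueError("failback mode must be 'auto' or 'manual'")
        if len(self.online) != 2:
            raise ValueError("each HA cluster must have exactly two encryption engines")

    def peer(self, engine: str) -> str:
        return next(e for e in self.online if e != engine)

    def fail(self, engine: str) -> None:
        """Engine goes down: its partner takes over every target it was handling."""
        self.online[engine] = False
        partner = self.peer(engine)
        if not self.online[partner]:
            raise RuntimeError("both engines are down; no failover possible")
        for target, current in self.owner.items():
            if current == engine:
                self.owner[target] = partner
                self.log.append(f"{target}: failover {engine} -> {partner}")

    def restart(self, engine: str) -> None:
        """Engine comes back online; only auto mode fails back immediately."""
        self.online[engine] = True
        if self.failback_mode == "auto":
            self.failback(engine)

    def failback(self, engine: str) -> None:
        """Return the engine's home targets to it (automatic in auto mode,
        operator-invoked in manual mode)."""
        if not self.online[engine]:
            raise RuntimeError(f"{engine} is not online")
        for target, home_engine in self.home.items():
            if home_engine == engine and self.owner[target] != engine:
                self.log.append(f"{target}: failback {self.owner[target]} -> {engine}")
                self.owner[target] = engine


def run_scenario(mode: str) -> HaCluster:
    """EE1 fails and then restarts; the result depends on the failback mode."""
    cluster = HaCluster(
        failback_mode=mode,
        online={"EE1": True, "EE2": True},
        owner={"tgtA": "EE1", "tgtB": "EE2"},
        home={"tgtA": "EE1", "tgtB": "EE2"},
    )
    cluster.fail("EE1")
    cluster.restart("EE1")
    return cluster


if __name__ == "__main__":
    for mode in ("auto", "manual"):
        c = run_scenario(mode)
        print(mode, c.owner, c.log)
```

In manual mode the scenario ends with both targets on EE2, and only an explicit `failback("EE1")` (the CLI failback in the text) or a failure of EE2 moves tgtA back to EE1.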
Remove button

You can click the Remove button to remove a selected switch or group from the encryption group table.
• You cannot remove the group leader unless it is the only switch in the group. If you remove the group leader, Brocade Network Advisor also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.

Table 2 explains the impact of removing switches.

TABLE 2 Switch removal impact

Switch configuration: The switch is the only switch in the encryption group.
Impact of removal: The encryption group is also removed.

Switch configuration: The switch has configured encryption targets on encryption engines. The switch is configured to encrypt traffic to one or more encryption targets.
Impact of removal:
• The target container configuration is removed.
FIGURE 77 Encryption Group Properties dialog box - Security tab

The Security tab contains the following information:
• Master Key Status: Shown as Not used when LKM/SSKM is the key vault type.
• System Cards: Identifies if the use of a system card is required for controlling activation of the encryption engine. You must indicate if cards are required or not required. If a system card is required, it must be read by the card reader on the switch.

HA Clusters tab

The HA Clusters tab allows you to create and delete HA clusters, add encryption engines to and remove encryption engines from HA clusters, and fail back an engine. Changes are not applied to the encryption group until you click OK. Each HA cluster must have exactly two encryption engines.

• Right and left arrow buttons: You can select an encryption engine in the Non-HA Encryption Engines table and click the right arrow button to add the encryption engine to the High-Availability Clusters. (If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster.) Similarly, you can select an encryption engine in the High-Availability Clusters table and click the left arrow button to remove it from a cluster.

NOTE
You can also select a group from the Encryption Center Devices table, then click the Properties icon.

FIGURE 79 Encryption Group Properties dialog box - Link Keys tab

A table displays link key status for each switch in an encryption group, which includes the following information:
• Switch: The name of the selected switch in the encryption group.
• Key Vault: The type of key vault, either Primary or Secondary.

Tape Pools tab

Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools.
• To add a tape pool, click Add, then complete the Add Tape Pool dialog box.
• To remove an encryption switch or engine from a tape pool, select one or more tape pools listed in the table, then click Remove.
• To modify a tape pool, you must remove the entry, then add a new tape pool.

All encryption engines in the encryption group share the tape pool definitions. Tapes can be encrypted by any encryption engine in the group where the container for the tape target LUN is hosted. The tape media is mounted on the tape target LUN. Tape pool definitions are not needed to read a tape. The tape contains enough information (encryption method and key ID) to read the tape. Tape pool definitions are only used when writing to tape.

4. Based on your selection, do one of the following:
• If you selected Name as the Tape Pool Label Type, enter a name for the tape pool. This name must match the tape pool label or tape ID that is configured on the tape backup/restore application.
• If you selected Number as the Tape Pool Label Type, enter a (hex) number for the tape pool. This number must match the tape pool label or tape number that is configured on the tape backup/restore application.
FIGURE 83 Encryption Group Properties Dialog Box - Engine Operations Tab

NOTE
You cannot replace an encryption engine if it is part of an HA cluster.

Encryption-related acronyms in log messages

Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 3 lists some of those acronyms.
Chapter 3 Configuring Encryption Using the CLI

In this chapter
• Overview
• Command validation checks
• Command RBAC permissions and AD types
• Cryptocfg Help command output
• Management LAN configuration

Overview

This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch, or an FS8-18 Encryption blade in a DCX Backbone chassis, to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch and DCX Backbone chassis have been done as part of the initial hardware installation, including setting the management port IP address.

4. PortMember: allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD.

Command RBAC permissions and AD types

Two RBAC roles are permitted to perform Encryption operations.
TABLE 4 Encryption command RBAC availability and admin domain type (Continued)

Command name | User | Admin | Operator | Switch Admin | Zone Admin | Fabric Admin | Basic Switch Admin | Security Admin | Admin Domain
createhacluster | N | OM | N | N | N | OM | N | N | Disallowed
createtapepool | N | OM | N | N | N | OM | N | N | Disallowed
decommission | N | OM | N | N | N | OM | N | N | Disallowed
deletecontainer | N | OM | N | N | N | OM | N | N | Disallowed
deletedecommissionedkeyids | N | OM | N | N | N | O
move | N | OM | N | N | N | OM | N | N | Disallowed
perfshow | N | OM | N | N | N | OM | N | O | Disallowed
rebalance | N | OM | N | N | N | OM | N | N | Disallowed
reclaim | N | OM | N | N | N | OM | N | N | Disallowed
recovermasterkey | N | OM | N | N | N | N | N | OM | Disallowed
refreshdek | N | OM | N | N | N
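Table 4 as printed is a flat row per command: the command name, one code per role in the header's column order, then the Admin Domain column. The following added example (not Brocade's code) parses the complete rows shown above into a structure and answers which roles have any access to a command, which is what an auditor checks when confirming that only the two permitted roles can drive encryption operations. The codes O and OM are kept as opaque strings because their legend is not on this page; only N is interpreted, as the entry meaning the command is not available to that role. Truncated rows are rejected rather than guessed.

```python
"""Parse the flattened Table 4 rows and query role access per command.

Rows below are copied from the table; the two rows cut off in the source
are left out. Column order follows the table header exactly.
"""
from typing import Dict, List

ROLES = [
    "User", "Admin", "Operator", "SwitchAdmin", "ZoneAdmin",
    "FabricAdmin", "BasicSwitchAdmin", "SecurityAdmin",
]

TABLE4_ROWS = """\
createhacluster N OM N N N OM N N Disallowed
createtapepool N OM N N N OM N N Disallowed
decommission N OM N N N OM N N Disallowed
deletecontainer N OM N N N OM N N Disallowed
move N OM N N N OM N N Disallowed
perfshow N OM N N N OM N O Disallowed
rebalance N OM N N N OM N N Disallowed
reclaim N OM N N N OM N N Disallowed
recovermasterkey N OM N N N N N OM Disallowed
"""

RbacTable = Dict[str, Dict[str, str]]


def parse_rbac_table(text: str) -> RbacTable:
    """Return {command: {role: code, ..., "AdminDomain": value}}.

    A row must carry exactly one token per role plus the command name and
    the Admin Domain value; anything else is a truncated or garbled row.
    """
    table: RbacTable = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) != len(ROLES) + 2:
            raise ValueError(f"malformed or truncated row: {line!r}")
        command, codes, admin_domain = tokens[0], tokens[1:-1], tokens[-1]
        row = dict(zip(ROLES, codes))
        row["AdminDomain"] = admin_domain
        table[command] = row
    return table


def roles_allowed(table: RbacTable, command: str) -> List[str]:
    """Roles whose entry for the command is anything other than N."""
    row = table[command]
    return [role for role in ROLES if row[role] != "N"]


def commands_for_role(table: RbacTable, role: str) -> List[str]:
    """Commands for which the role has an entry other than N."""
    return [cmd for cmd, row in table.items() if row[role] != "N"]


def admin_domain_disallowed(table: RbacTable, command: str) -> bool:
    return table[command]["AdminDomain"] == "Disallowed"


if __name__ == "__main__":
    rbac = parse_rbac_table(TABLE4_ROWS)
    for cmd in rbac:
        print(f"{cmd:18} {', '.join(roles_allowed(rbac, cmd))}")
```

Run against the rows above, every command is reachable from Admin, most additionally from FabricAdmin, and recovermasterkey is the one command where SecurityAdmin replaces FabricAdmin.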
Display the synopsis of hacluster parameter configuration.
--help -devicecfg: Display the synopsis of device container parameter configuration.
--help -transcfg: Display the synopsis of transaction management.

switch:admin> cryptocfg --help -nodecfg
Usage: cryptocfg --help -nodecfg: Display the synopsis of node parameter configuration.
--initnode: Initialize the node for configuration of encryption options.
--initEE []: Initialize the specified encryption engine.

1. Log in to the switch as Admin or FabricAdmin.
2. Configure the IP address using the ipAddrSet command. Only Ge0 needs to be configured. Always use ipAddrSet -eth0 to configure the address. If an address is assigned to ge1 (-eth1), it is accepted and stored, but it is ignored. Only IPv4 addresses are supported for cluster links. The following example configures a static IP address and gateway address for the bonded interface.
switch:admin> ipaddrset -eth0 --add 10.32.33.
IP Address change of a node within an encryption group

Modifying the IP address of a node that is part of an encryption group is disruptive in terms of cluster operation. The change causes the encryption group to split, and if the node was part of an HA cluster, failover/failback capability is lost. The ipAddrSet command issues no warning, and you are not prevented from changing the IP address of a node that is part of a configured encryption group or HA cluster.
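Because ipAddrSet gives no warning, the check has to live in the change procedure. The following added example (not Brocade's code) is a pre-change guard built only from the rules in the two preceding sections: cluster links are configured on eth0, an eth1 address is accepted but ignored, only IPv4 is supported, and an address change on a node that still belongs to an encryption group splits the group and, for an HA cluster member, loses failover/failback. The node description is operator-supplied and hypothetical; the guard does not query the switch.

```python
"""Pre-change guard for an encryption node's cluster link address.

Constructed example: NodeState is filled in by the operator from the
switch's group and HA cluster membership; the guard only decides whether
the planned ipAddrSet call is consistent with the rules in this section.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class NodeState:
    """Hypothetical description of a node; not a cryptocfg record."""
    name: str
    in_encryption_group: bool = False
    in_ha_cluster: bool = False


@dataclass
class ChangeVerdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def check_cluster_link_change(node: NodeState, interface: str, address: str) -> ChangeVerdict:
    reasons: List[str] = []

    # Rule 1: cluster links are configured with ipAddrSet -eth0 (Ge0) only.
    # An address assigned to eth1 (Ge1) is accepted and stored but ignored.
    if interface != "eth0":
        reasons.append(
            f"{interface}: cluster links use eth0 only; an address on eth1 is stored but ignored"
        )

    # Rule 2: only IPv4 addresses are supported for cluster links.
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        reasons.append(f"{address!r} is not a valid IP address")
    else:
        if ip.version != 4:
            reasons.append(f"{address}: only IPv4 addresses are supported for cluster links")

    # Rule 3: ipAddrSet itself will not refuse, so refuse here while the node
    # is still a member of an encryption group: the change splits the group
    # and, for an HA cluster member, loses failover/failback capability.
    if node.in_encryption_group:
        msg = f"{node.name} is in an encryption group; changing its IP address splits the group"
        if node.in_ha_cluster:
            msg += " and loses HA failover/failback capability"
        reasons.append(msg)

    return ChangeVerdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    member = NodeState("enc1", in_encryption_group=True, in_ha_cluster=True)
    for reason in check_cluster_link_change(member, "eth0", "10.32.33.10").reasons:
        print("BLOCKED:", reason)
```

A verdict with `allowed` set to False carries every violated rule, so an operator sees an eth1 interface and an IPv6 address flagged together rather than one at a time.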
From the standpoint of external SAN management application operations, the FIPS crypto officer, FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for operations with key managers. In most cases, KAC certificate signing requests must be sent to a Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In all cases, signed KACs must be present on each switch.
1.

To connect to an LKM/SSKM appliance, you must complete the following steps:
1. Initialize the Brocade encryption engines. Refer to “Initializing the Fabric OS encryption engines” on page 122.
2. Obtain and import the LKM/SSKM certificate. Refer to “Obtaining and importing the LKM/SSKM certificate” on page 123.
3. Export and register the encryption node certificates on LKM/SSKM. Refer to “Exporting and registering the switch KAC certificates” on page 124.
4.

4. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg --zeroizeEE command. Provide a slot number if the encryption engine is a blade.
SecurityAdmin:switch> cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
Zeroization leaves the switch or blade in the fault state. The switch or blade is rebooted automatically.
5.

using dumb terminal settings.
Checking system tamper status: No physical intrusion detected.
2. Add the group leader to the LKM/SSKM key sharing group. Enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.
lkm-1>lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added. Cleartext connections not allowed.
3.

Registering LKM/SSKM on the encryption group leader

The LKM/SSKM CA certificate must be registered on the encryption group leader. The encryption group leader sends this certificate to the encryption group members.
1. Set the key vault type to LKM.
SecurityAdmin:switch> cryptocfg --set -keyvault LKM
Set key vault status: Operation Succeeded
2. Register the key vault’s certificate on the group leader.

Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: Wed Mar 17 08:14:36.881902 GMT 2010
Client SDK Version: OpenKey Reference Lib 2.0.9
Client Username: N/A
Client Usergroup: N/A
Connection Timeout: 20 seconds
Response Timeout: 20 seconds
Connection Idle Timeout: N/A
Key Vault(s) is/are connected.
Key retrieval and archival verified through direct link.
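Two checks in this guide come down to reading "Key: Value" lines from cryptocfg --show output: the thin provisioned LUN note earlier (run discoverLUN before rekeying any LUN whose container statistics report "Thin Provision LUN: Yes") and the key vault client status just shown (a valid node KAC certificate, a connected key vault, and verified key retrieval and archival). The following added example (not Brocade's code) parses that output shape and runs both checks as a pre-rekey gate. The key vault sample follows the lines printed above; the container statistics sample is constructed, and its per-LUN layout (a "LUN number:" line followed by that LUN's fields) is an assumption, since the guide only names the "Thin Provision LUN: Yes" field.

```python
"""Parse cryptocfg --show style output and gate a rekey on two checks.

Both samples are constructed for this example. The key vault section
mirrors the lines the guide prints; the per-LUN grouping of the container
statistics is assumed, not documented here.
"""
from typing import Dict, Iterable, List, Tuple

CONTAINER_STAT_SAMPLE = """\
Container name: disk_array1_ctr
LUN number: 0x0
Thin Provision LUN: Yes
Encryption mode: encrypt
LUN number: 0x1
Thin Provision LUN: No
Encryption mode: encrypt
LUN number: 0x2
Thin Provision LUN: Yes
Encryption mode: encrypt
"""

KEYVAULT_STATUS_SAMPLE = """\
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: Wed Mar 17 08:14:36.881902 GMT 2010
Client SDK Version: OpenKey Reference Lib 2.0.9
Client Username: N/A
Client Usergroup: N/A
Connection Timeout: 20 seconds
Response Timeout: 20 seconds
Connection Idle Timeout: N/A
Key Vault(s) is/are connected.
Key retrieval and archival verified through direct link.
"""


def parse_kv_lines(text: str) -> List[Tuple[str, str]]:
    """Split each line at its first ': ' into (key, value). Status sentences
    without a separator are kept as ('', sentence) so they can be tested too."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        pairs.append((key.strip(), value.strip()) if sep else ("", line))
    return pairs


def thin_provisioned_luns(stat_output: str) -> List[str]:
    """LUN numbers whose statistics report 'Thin Provision LUN: Yes'."""
    flagged: List[str] = []
    current = None
    for key, value in parse_kv_lines(stat_output):
        if key == "LUN number":
            current = value
        elif key == "Thin Provision LUN" and value == "Yes" and current is not None:
            flagged.append(current)
    return flagged


def keyvault_health(status_output: str) -> Dict[str, bool]:
    """Three booleans from the key vault client section."""
    pairs = parse_kv_lines(status_output)
    fields = {k: v for k, v in pairs if k}
    sentences = [v for k, v in pairs if not k]
    return {
        "kac_cert_valid": fields.get("Node KAC Certificate Validity") == "Yes",
        "vault_connected": any(s.startswith("Key Vault(s) is/are connected") for s in sentences),
        "retrieval_verified": any("verified through direct link" in s for s in sentences),
    }


def ready_for_rekey(status_output: str, stat_output: str, rediscovered_luns: Iterable[str]) -> bool:
    """True only when the vault is healthy and every thin LUN has had discoverLUN run."""
    rediscovered = set(rediscovered_luns)
    missing = [lun for lun in thin_provisioned_luns(stat_output) if lun not in rediscovered]
    return all(keyvault_health(status_output).values()) and not missing


if __name__ == "__main__":
    print("thin LUNs:", thin_provisioned_luns(CONTAINER_STAT_SAMPLE))
    print("vault:", keyvault_health(KEYVAULT_STATUS_SAMPLE))
    print("ready:", ready_for_rekey(KEYVAULT_STATUS_SAMPLE, CONTAINER_STAT_SAMPLE, {"0x0", "0x2"}))
```

The rediscovered LUN set is supplied by the operator from the discoverLUN runs already performed; the gate refuses while any thin LUN is missing from it, which is exactly the case the note warns about (the LUN's full capacity being encrypted as if it were not thin).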
Establishing the trusted link

You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted acceptance package (TAP) before you can establish a trusted link between each node and the NetApp LKM/SSKM appliance.
NOTE
Complete all steps required to establish a trusted link between LKM/SSKM and the encryption group members for each node before proceeding to the next node.
1.

Secondary Key Vault not configured
[output truncated]

LKM/SSKM key vault high availability deployment

Two LKM/SSKM appliances can be used together to provide high availability capabilities. Both LKM/SSKMs must be registered and configured with the link keys before starting any crypto operations.

LKM/SSKM Key Vault Deregistration

Deregistration of either the Primary or the Secondary LKM/SSKM key vault from an encryption switch or blade is allowed independently.
• Deregistration of Primary LKM/SSKM: You can deregister the primary LKM/SSKM from an encryption switch or blade, without deregistering the backup or secondary LKM/SSKM, for maintenance or replacement purposes.
3 Steps for connecting to an LKM/SSKM appliance Adding a member node to an encryption group During the initialization phase a set of key pairs and certificates are generated on every node. These certificates are used for mutual identification and authentication with other group members and with LKM/SSKM. Every device must have a certificate in order to participate in a deployment of encryption services. Some devices must have each other’s certificates in order to communicate.
Steps for connecting to an LKM/SSKM appliance 3 NOTE If the maximum number of certificates is exceeded, the following message is displayed. Maximum number of certificates exceeded. Delete an unused certificate with the ‘cryptocfg –-delete –file’ command and then try again. 7. Enter the cryptocfg --show -file -all command on the group leader to verify that you have imported all necessary certificates.
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.

High availability cluster configuration

• Configuration changes must be committed before they take effect. Any operation related to an HA cluster that is performed without a commit operation will not survive switch reboots, power cycles, CP failover, or HA reboots.
• It is recommended that the HA cluster configuration be completed before you configure storage devices for encryption.

Adding an encryption engine to an HA cluster

1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --add -haclustermember command. Specify the HA cluster name and the encryption engine node WWN. Provide a slot number if the encryption engine is a blade. The following example adds a Brocade FS8-18 in slot 5 to the HA cluster HAC2.

Policy Configuration Examples

The following examples illustrate the setting of group-wide policy parameters.

To set the failback mode to manual failback:

SecurityAdmin:switch> cryptocfg --set -failbackmode manual
Set failback policy status: Operation Succeeded.

To set the heartbeat misses value to 3:

SecurityAdmin:switch> cryptocfg --set -hbmisses 3
Set heartbeat miss status: Operation Succeeded.

Zoning considerations

Setting default zoning to no access

Initially, default zoning for all Brocade Encryption Switches is set to All Access. The All Access setting allows the Brocade Encryption Switch and DCX Backbone chassis to join the fabric and be discovered before zoning is applied. If this setting differs between switches in the fabric, the fabric will segment. Before committing an encryption configuration in a fabric, default zoning must be set to No Access within the fabric.

Creating an initiator - target zone

NOTE:
• NWWN-based zoning of initiators and targets is not supported with frame redirection.
• The initiator-target zone should be created before you create the container. Otherwise, the frame redirection zone creation for the initiator-target pair will fail during a commit.

1. Log in to the group leader as Admin or FabricAdmin.
2. Determine the initiator PWWN. Enter the nsshow command to view the devices connected to this switch.

NL 0208d3; 3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d;

4. Create a zone that includes the initiator and a target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.

FabricAdmin:switch> zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"

5. Create a zone configuration that includes the zone you created in step 4.
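The zoning steps above hinge on one detail that is easy to get wrong: the zone must be built from port WWNs taken from the name server, not from node WWNs, or the frame redirection zone will fail at commit time. The following script is an added example, not Brocade code from this guide. It parses nsshow entry lines in the "Type Pid; COS; PortName; NodeName;" layout quoted in step 2, rejects a node WWN or a WWN that is not logged in, and emits the zoning command sequence. The sample nsshow text is constructed around the two WWNs used in this chapter, and the use of cfgcreate, cfgsave and cfgenable to activate the zone is an assumption about the surrounding procedure.

```python
"""Parse Fabric OS `nsshow` output and build a PWWN-based initiator-target zone.

Added example; not Brocade's code. Assumptions: nsshow entry lines use the
"Type Pid; COS; PortName; NodeName;" layout quoted in this chapter, and the
zone is activated with zonecreate / cfgcreate / cfgsave / cfgenable.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modeled on the nsshow entry quoted in step 2 above; the
# detail lines are illustrative and were not captured from a real switch.
SAMPLE_NSSHOW = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010e00;      3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    FC4s: FCP
    Redirect: No
 NL   0208d3;      3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    FC4s: FCP
    Redirect: No
The Local Name Server has 2 entries }
"""

WWN_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){7}$")
ENTRY_RE = re.compile(
    r"^\s*(?P<type>NL?)\s+(?P<pid>[0-9a-f]{6});\s*(?P<cos>\d+);"
    r"(?P<pwwn>[0-9a-f:]{23});(?P<nwwn>[0-9a-f:]{23});",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class NsEntry:
    port_type: str   # "N" (point-to-point) or "NL" (arbitrated loop)
    pid: str         # 24-bit fabric port ID
    cos: int
    pwwn: str        # port WWN: the identifier frame redirection zoning needs
    nwwn: str        # node WWN: must NOT be used in the initiator-target zone


def parse_nsshow(text: str) -> List[NsEntry]:
    """Return one NsEntry per device entry line; detail lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NsEntry(m["type"].upper(), m["pid"].lower(),
                                   int(m["cos"]), m["pwwn"].lower(),
                                   m["nwwn"].lower()))
    return entries


def build_zone_commands(entries, initiator, target, zone="itzone", cfg="itcfg"):
    """Build the zoning commands for one initiator-target pair.

    Rejects node WWNs (frame redirection needs PWWN zoning) and WWNs that are
    not logged into the name server, so the later container commit cannot fail
    on a zone built from the wrong identifier.
    """
    pwwns = {e.pwwn for e in entries}
    nwwns = {e.nwwn for e in entries}
    initiator, target = initiator.lower(), target.lower()
    for wwn in (initiator, target):
        if not WWN_RE.match(wwn):
            raise ValueError(f"malformed WWN: {wwn}")
        if wwn in nwwns and wwn not in pwwns:
            raise ValueError(f"{wwn} is a node WWN; zone on the port WWN instead")
        if wwn not in pwwns:
            raise ValueError(f"{wwn} is not in the name server (device not logged in)")
    if initiator == target:
        raise ValueError("initiator and target must differ")
    return [
        f'zonecreate "{zone}", "{initiator}; {target}"',
        f'cfgcreate "{cfg}", "{zone}"',
        "cfgsave",
        f'cfgenable "{cfg}"',
    ]


if __name__ == "__main__":
    found = parse_nsshow(SAMPLE_NSSHOW)
    for cmd in build_zone_commands(found, "10:00:00:00:c9:2b:c9:3a",
                                   "20:0c:00:06:2b:0f:72:6d"):
        print(cmd)
```

Run it against the output of nsshow captured from the group leader; passing the initiator's node WWN (20:00:00:00:c9:2b:c9:3a in the sample) is refused rather than silently producing a zone that the container commit will reject.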
• Virtual targets: Any given physical target port is hosted on one encryption switch or blade. If the target LUN is accessible from multiple target ports, each target port is hosted on a separate encryption switch or blade. There is a one-to-one mapping between the virtual target presented to the fabric and the physical target whose LUNs are being enabled for cryptographic operations.

All nodes within an encryption group must be upgraded to Fabric OS v6.4 or a later release to support hosting disk and tape target containers on the same encryption engine. If any node within an encryption group is running an earlier release, disk and tape containers must continue to be hosted on separate encryption engines.

NOTE
It is recommended you complete the encryption group and HA cluster configuration before configuring the CryptoTarget containers.

Creating a CryptoTarget container

1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --create -container command. Specify the type of container (disk or tape), followed by a name for the CryptoTarget container, the encryption engine's node WWN, and the target's port WWN and node WWN.

Target: 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
VT: 20:00:00:05:1e:41:4e:1d 20:01:00:05:1e:41:4e:1d
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
Number of LUN(s): 0
Operation Succeeded

6. Display the redirection zone. It includes the host, the target, the virtual initiator, and the virtual target.

Operation Succeeded

3. Commit the transaction.

FabricAdmin:switch> cryptocfg --commit
Operation Succeeded

CAUTION
When configuring a multi-path LUN, you must remove all initiators from all CryptoTarget containers in sequence before committing the transaction.
another path has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section "Configuring a multi-path Crypto LUN" on page 153 for more information.

Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption engines must be part of the same fabric and the same encryption group, and both encryption engines must be online for this operation to succeed.

CAUTION
When configuring a LUN with multiple paths (that is, the LUN is exposed and configured on multiple CryptoTarget containers located on the same encryption switch or blade, or on different encryption switches or blades), the same LUN policies must be configured on all LUN paths. Failure to configure all LUN paths with the same LUN policies results in data corruption.

Configuring a Crypto LUN

You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. The LUNs of the target that are not enabled for encryption must still be added to the CryptoTarget container with the cleartext policy option. You can add a single LUN to a CryptoTarget container, or you can add multiple LUNs by providing a range of LUN numbers.

Operation Succeeded

3. Commit the configuration.

FabricAdmin:switch> cryptocfg --commit
Operation Succeeded

CAUTION
When configuring a LUN with multiple paths, do not commit the configuration before you have added all the LUNs, with identical policy settings and in sequence, to each of the CryptoTarget containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 153.

4.

The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (the I/O size from the host) must be at least 1 KB less than the maximum supported backend block size (usually 1 MB). This is typically the case, as label operations are small I/O operations.
TABLE 6 LUN parameters and policies (Continued)

Policy name: Rekey policy
Disk LUN: yes; Tape LUN: no; Modify? yes
Command parameters: -enable_rekey time_period | -disable_rekey
Description: Enables or disables the auto rekeying feature on a specified disk LUN. This policy is not valid for tape LUNs. By default, the automatic rekey feature is disabled. Enabling automatic rekeying is valid only if the LUN policy is set to -encrypt.

Operation Succeeded

3. Configure the Crypto tape LUN. Refer to the section "Configuring a Crypto LUN" on page 146 for instructions.

a. Discover the LUN.

FabricAdmin:switch> cryptocfg --discoverLUN my_tape_tgt
Container name: my_tape_tgt
Number of LUN(s): 1
Host: 10:00:00:00:c9:2b:c9:3a
LUN number: 0x0
LUN serial number:
Key ID state: Key ID not Applicable

b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption.

NOTE
The -key_lifespan option has no effect for cryptocfg --add -LUN; it only has an effect for cryptocfg --create -tapepool on tape pools declared with -encryption_format native. For all other encryption cases, a new key is generated each time a medium is rewound and block zero is either written or overwritten.

Modifying Crypto LUN parameters

You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. A maximum of 25 disk LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed the maximum allowed per commit fail with a warning. There is a five-second delay before the commit operation takes effect.

Impact of tape LUN configuration changes

For tape LUNs, the -enable_encexistingdata, -enable_rekey, and -key_lifespan options are not valid and therefore cannot be modified. If you specify these parameters while modifying a tape LUN, the system returns an error. Disabling -write_early_ack or -read_ahead for a tape LUN results in lower total throughput, depending on the number of flows per encryption engine.
Configuring a multi-path Crypto LUN

To avoid the risk of data corruption, you must observe the following rules when configuring multi-path LUNs:

• During the initiator-target zoning phase, complete in sequence all zoning for ALL hosts that should gain access to the targets before committing the zoning configuration.
• Complete the CryptoTarget container configuration for ALL target ports in sequence and add the hosts that should gain access to these ports before committing the container configuration.

3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until you have created all CryptoTarget containers and added all hosts to the respective containers.

a. Create a CryptoTarget container (CTC1) for target port 1 to be hosted on the encryption engine of encryption switch 1.

5. Configure the LUN for all CryptoTarget containers in sequence by adding the LUN to each CryptoTarget container with identical policy settings. Refer to the sections "Configuring a Crypto LUN" on page 146 and "Crypto LUN parameters and policies" on page 147 for more information.

a. Add the LUN to the CryptoTarget container CTC1 with policies.
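The CAUTION in "Crypto LUN configuration" and the rules above both come down to one invariant: every path to a multi-path LUN must carry the same policies before the commit, or the paths will encrypt the LUN differently and corrupt it. Checking that by eye across several containers on several switches is error-prone. The following script is an added example, not Brocade code from this guide. It parses per-container LUN listings in the "Field: value" layout this chapter shows for cryptocfg --show -LUN, groups paths by LUN serial number, reports every policy or Key ID disagreement, and splits a LUN list into batches that respect the per-commit limits (25 disk LUNs, 8 tape LUNs) quoted in this chapter. The sample listing is constructed: two containers, CTC1 and CTC2, expose the same LUN and CTC2 was given a different -enable_encexistingdata setting. The exact field set printed by a given Fabric OS release may differ from the sample, so treat the field names as an assumption to verify against your own switch output.

```python
"""Check that every path to a multi-path Crypto LUN carries identical policies.

Added example; not Brocade's code. Parses LUN listings in the "Field: value"
layout shown in this chapter and flags the mismatch the CAUTION warns about.
Assumptions: paths to the same LUN are matched by "LUN serial number", and the
field names match what cryptocfg --show -LUN prints on the target release.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Policy fields that must agree on every path of a multi-path LUN.
POLICY_FIELDS = ("Encryption mode", "Encryption format",
                 "Encrypt existing data", "Rekey", "Encryption algorithm")
# Per-commit limits quoted in this chapter: 25 disk LUNs, 8 tape LUNs.
COMMIT_LIMITS = {"disk": 25, "tape": 8}

# Constructed sample: CTC1 and CTC2 expose the same LUN, but CTC2 was added
# with a different "Encrypt existing data" setting (the error being hunted).
SAMPLE_SHOW_LUN = """\
Container name: CTC1
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: disabled
Rekey: disabled
Encryption algorithm: AES256-XTS
Key ID: 4b:d9:4d:12:93:67:0e:0d:d1:e0:ca:aa:ba:34:29:db

Container name: CTC2
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Encryption algorithm: AES256-XTS
Key ID: 4b:d9:4d:12:93:67:0e:0d:d1:e0:ca:aa:ba:34:29:db
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()]*?):\s*(.*)$")


def parse_lun_listing(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per LUN path, keyed by field name."""
    paths, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Container name":          # a new path starts here
            current = {}
            paths.append(current)
        if current is not None:
            current[key] = value
    return paths


def check_multipath_policies(paths):
    """Return (serial, field, container_a, value_a, container_b, value_b) for
    every disagreement between paths to the same LUN; empty means consistent."""
    by_serial = defaultdict(list)
    for p in paths:
        if p.get("LUN serial number"):
            by_serial[p["LUN serial number"]].append(p)
    problems = []
    for serial, group in by_serial.items():
        ref = group[0]
        for other in group[1:]:
            for field in POLICY_FIELDS + ("Key ID",):
                a, b = ref.get(field, ""), other.get(field, "")
                if field == "Key ID" and not (a and b):
                    continue                  # key not yet assigned on a new LUN
                if a != b:
                    problems.append((serial, field, ref["Container name"], a,
                                     other["Container name"], b))
    return problems


def commit_batches(lun_ids: List[int], lun_type: str) -> List[List[int]]:
    """Split LUN IDs into batches no larger than a single commit allows."""
    limit = COMMIT_LIMITS[lun_type]
    return [lun_ids[i:i + limit] for i in range(0, len(lun_ids), limit)]


if __name__ == "__main__":
    for serial, field, ca, va, cb, vb in check_multipath_policies(
            parse_lun_listing(SAMPLE_SHOW_LUN)):
        print(f"LUN {serial}: {field} is '{va}' on {ca} but '{vb}' on {cb}")
```

Run the check on the concatenated listings from every container that hosts the LUN, on every switch in the DEK cluster, before issuing cryptocfg --commit; an empty result is the condition the procedure requires, and a Key ID mismatch between committed paths means the paths are not sharing one DEK.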
Make sure the LUNs in previously committed LUN configurations and LUN modifications have a LUN state of Encryption Enabled before creating and committing another batch of LUN configurations or modifications.

NOTE
A maximum of 25 disk LUNs can be added or modified in a single commit operation. The maximum commit for tape LUNs is eight. Attempts to commit configurations or modifications that exceed the maximum allowed per commit fail with a warning.

Upon successful completion of a decommissioning operation, the LUN is deleted from all containers hosting it, and all active paths to the LUN are lost.

NOTE
In a mixed encryption group consisting of nodes running Fabric OS 7.0.0 and an earlier Fabric OS version (for example, Fabric OS 6.4.

Decommissioning replicated LUNs

• "Decommissioning primary LUNs only"
• "Decommissioning secondary LUNs only"
• "Decommissioning primary and secondary LUN pairs"

Decommissioning primary LUNs only

To decommission the primary LUN and make the secondary LUN the primary LUN, complete the following steps. Failure to do so could result in the LUN state showing as Disabled.

1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3. Make the secondary LUN write-enabled.
4.

NOTE
Do not delete the key from the key vault.

Decommissioning primary and secondary LUN pairs

To decommission both the primary and secondary LUNs, complete the following steps:

1. Log in as Admin or FabricAdmin.
2. Split the copy pairs.
3. Independently decommission the primary and secondary LUNs.
a. Decommission the primary LUN.
7. Enable the LUN.

FabricAdmin:switch> cryptocfg --enable -LUN

8. Modify the LUN to encrypted.

FabricAdmin:switch> cryptocfg --modify -LUN 0 -lunstate encrypted -encryption_format native -encrypt

9. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN number, and the initiator PWWN.

Tape pool configuration

• If a given tape volume belongs to a tape pool, tape pool-level policies (defaults or configured values) are applied and override any LUN-level policies.
• Tape drive (LUN) policies are used if no tape pools are created or if a given tape volume does not belong to any configured tape pool.

NOTE
Tape pool configurations must be committed to take effect. Expect a five-second delay before the commit operation takes effect.

3. Edit the dbo.CommCellStoragePolicy query as follows:
a. Right-click the view and select Edit.
b. Add the following (sp_id= ARG.id) as follows:
• SELECT Distinct
• storagepolicy= ARG.name,
• sp_id= ARG.id,
4. Save the query by selecting File > Save SQLQuery1.sql.
5. Execute the query by right-clicking the query window and selecting Execute.
6. Open the dbo.CommCellStoragePolicy view.
7. Right-click the view dbo.CommCellStoragePolicy and select Open View.
8.

Creating a tape pool

Complete the following steps to create a tape pool:

1. Log in to the group leader as FabricAdmin.
2. Create a tape pool by entering the cryptocfg --create -tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies. For policies not specified at this time, LUN-level settings apply.
• Set the tape pool policy to either encrypt or cleartext (default).

Deleting a tape pool

This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently being accessed by the host. Be sure the tape media is not currently in use.

1. Log in to the group leader as FabricAdmin.
2. Enter the cryptocfg --delete -tapepool command followed by a tape pool label or number. Use cryptocfg --show -tapepool -all to display all configured tape pool names and numbers.
First-time encryption

First-time encryption, also referred to as encryption of existing data, is similar to the rekeying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first-time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA) location.

Thin provisioned LUNs

With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover whether a disk LUN is a thin provisioned LUN. Support for thin provisioned LUNs is limited to disk containers only. The Brocade Encryption Switch supports thin provisioning on an array only if the array satisfies the SCSI requirements, for example, supporting the GET_LBA_STATUS command.

Encryption mode: encrypt
Encryption format: native
Encrypt existing data: disabled
Rekey: disabled
Internal EE LUN state: Encryption enabled
Encryption algorithm: AES256-XTS
Key ID state: Read write
New LUN: No
TP LUN: Yes
Key ID: 4b:d9:4d:12:93:67:0e:0d:d1:e0:ca:aa:ba:34:29:db
Key creation time: Thu Sep 15 18:01:01 2011

FabricAdmin:switch> cryptocfg --discoverLUN -container
Host: 21:00:00:e0:8b:90:7c:c0
LUN number: 0xd
LUN serial number: 50002AC000BC0A50
TP LUN: Yes
LUN connectiv

Space reclamation

When a block that was provisioned is no longer needed, it can be reclaimed. The Brocade Encryption Switch supports the following method to reclaim provisioned blocks:

• Sending the UNMAP SCSI command

Note the following limitations:

• The host will get garbled data when trying to read an unmapped region.
• The WRITE_SAME command is not supported for the unmap operation.

Data rekeying

Thin provisioned LUN limitations during rekey

• The WRITE_SAME command is not supported for the unmap operation.
• The UNMAP command is rejected during a rekey.
• Rekey temporarily uses the last 512 blocks. As a result, these blocks are marked as provisioned on the thin provisioned LUN.
• The first 16 blocks of the LUN are mapped automatically (if they were unmapped) after the LUN has been configured as an encrypted LUN.
NOTE
For a scheduled rekeying session to proceed, all encryption engines in a given HA cluster, DEK cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the section "Management LAN configuration" on page 118 for more information.

1. Log in to the group leader as FabricAdmin.
2. Enable automatic rekeying by setting the -enable_rekey parameter followed by a time period (in days).

5. Check the status of the rekeying session.

1. Log in as Admin or FabricAdmin.
2. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN.

FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 \
10:00:00:05:1e:53:37:99
Operation Succeeded

3. Check the status of the resumed rekey session.

FabricAdmin:switch> cryptocfg --show -rekey -all

• Read all data off the LUN and write it to another LUN.
Chapter 4 Deployment Scenarios

In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters

Single encryption switch, two paths from host to target

Figure 86 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.

Single fabric deployment - HA cluster

Figure 87 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.

In Figure 87, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.

In Figure 88, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.

failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN, and use the same DEK for that LUN, forming a DEK cluster.

The configuration details shown in Figure 90 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Fabric OS encryption switches organized in HA clusters.

The configuration details are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are two encryption switches, one in each fabric (no HA cluster).
• There is one DEK cluster and one encryption group.
Deployment in Fibre Channel routed fabrics

In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_Port connections (Figure 92), or it may form the backbone fabric and directly provide the EX_Port connections (Figure 93). The encryption resources can be shared with the host and target edge fabrics using device sharing between backbone and edge fabrics.

The following is a summary of steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge):
• The encryption device creates the frame redirection zone automatically, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.

Deployment as part of an edge fabric

In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7800 extension switch or FX8-24 blade in a DCX or DCX 8510 Backbone, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 94).

The following is a summary of steps for creating and enabling the frame redirection features in the FCR configuration (edge to edge):
• The encryption device creates the frame redirection zone automatically, consisting of host, target, virtual target, and virtual initiator, when the target and host are configured on the encryption device. In Figure 94, the encryption device is connected to the host edge fabric.

FIGURE 95 FCIP deployment

VMware ESX server deployments

VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 96 shows a VMware ESX server with two guest operating systems where each guest accesses a fabric over separate host ports.

FIGURE 96 VMware ESX server, one HBA per guest OS

Figure 97 shows a VMware ESX server with two guest operating systems where two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5 Best Practices and Special Topics

In this chapter
• Firmware upgrade and downgrade considerations
• Configuration upload and download considerations
• HP-UX considerations
• AIX Considerations
• Enabling a disabled LUN
• Key Vault Best Practices, page 207
• Tape Device LUN Mapping, page 207

Firmware upgrade and downgrade considerations

Before upgrading or downgrading firmware, consider the following:
• The encryption engine and the control processor or blade processor are reset after a firmware upgrade.

• Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with encryption blades deployed in a DEK cluster with no HA cluster (each node hosting one path):
  - Upgrade one node at a time.
  - In the case of active/active arrays, the upgrade order of the nodes does not matter, but you still must upgrade one node at a time.

5. Start the firmware download (upgrade) on node 1 (BES1). Refer to the Fabric OS Administrator's Guide to review firmware download procedures.
6. After the firmware download is complete and node 1 (BES1) is back up, make sure the encryption engine is online.
7. On node 1 (BES1), initiate manual failback of CryptoTarget containers and associated LUNs from node 2 (BES2) to node 1 (BES1) by issuing the following command.

Configuration upload and download considerations

Information not included in a download

The following certificates will not be present when the configuration is downloaded:
• External certificates imported on the switch:
  - key vault certificate
  - peer node/switch certificate
  - authentication card certificate
• Certificates generated internally:
  - KAC certificate
  - CP certificate
  - FIPS officer and user certificates

NOTE
The Authentication Quorum size is included in the configuration upload for read-

Configuration download at an encryption group member node

Switch-specific configuration information pertaining to the member switch or blade is applied. Information specific to the encryption group leader is filtered out.

Steps after configuration download

For all opaque key vaults, restore, or generate and back up, the master key. In a multiple-node encryption group, the master key is propagated from the group leader node.

1. Use the following command to enable the encryption engine.

HP-UX considerations

For HP-UX multi-path configurations:
• Add LUN 0 as a cleartext LUN.
• Make sure to configure a dummy LUN 0 for each host accessing multi-path LUNs through CTCs in the encryption switch.

cryptocfg --add -LUN 0

Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
5 Decommissioning in an EG containing mixed modes Decommissioning in an EG containing mixed modes If you have an encryption group (EG) that contains mixed nodes, (for example, one member node is running Fabric OS 7.0.0 and another member node is running Fabric OS 6.4.2), you might notice that after you decommission a LUN, the decommissioned Key IDs might not be displayed on the node running v6.4.2, even though the decommission operation was successful.
Tape data compression 5 Tape data compression Data is compressed by the encryption switch or blade before encrypting only if the tape device supports compression, and compression is explicitly enabled by the host backup application. That means if the tape device supports compression, but is not enabled by the host backup application, then compression is not performed by the encryption switch or blade before encrypting the data.
5 Tape block zero handling Tape block zero handling The block zero of the tape media is not encrypted and the data in the block zero is sent as cleartext along with the block zero metadata header prefixed to the data to the tape device. Tape key expiry When the tape key of native pools expires in the middle of a write operation on the tape, the key is used for the duration of any write operation to append the data on the tape media.
Configuring CryptoTarget containers and LUNs 5 Configuring CryptoTarget containers and LUNs The following are best practices to follow when configuring CryptoTarget containers and crypto LUNs: • Host a target port on only one encryption switch, or one HA cluster. All LUNs visible through the target port are hosted on the same encryption switch, and are available for storing cipher text. • Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted LUN.
5 Redirection zones Redirection zones Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the existing device configuration by invoking the cryptocfg --commit command on the group leader. If no changes have taken place since the last commit, you should use the cryptocfg --commit -force command.
Turn off host-based encryption 5 Turn off host-based encryption If a host has an encryption capability of any kind, be sure it is turned it off before using the encryption engine on the encryption switch or blade. Encryption and decryption at the host may make it impossible to successfully decrypt the data. Avoid double encryption Encryption and decryption at tape drives does not affect the encryption switch or blade capabilities, and does not cause problems with decrypting the data.
5 Rekeying best practices and policies Manual rekey Ensure that the link to the key management system is up and running before you attempt a manual rekey. Latency in rekey operations Host I/O for regions other than the current rekey region has no latency during a rekey operation. Host I/O for the region where the current rekey is happening has minimal latency (a few milliseconds) because I/O is held until the rekey is complete.
KAC certificate registration expiry 5 Recommendation for Host I/O traffic during online rekeying and firsttime encryption You may see failed I/Os if writes are done to a LUN that is undergoing first-time encryption or rekeying. It is recommended that host I/O operations are quiesced and not started again until rekey operations or first-time encryption operations for the LUN are complete. KAC certificate registration expiry It is important to keep track as to when your signed KAC certificates will expire.
5 Recommendations for Initiator Fan-Ins Recommendations for Initiator Fan-Ins For optimal performance at reasonable scaling factors of initiators, targets, and LUNs accessed, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, in terms of the number of distinct initiator ports to a Crypto Container (i.e., a virtual target port corresponding to the physical target port).
Best practices for host clusters in an encryption environment
When host clusters are deployed in an encryption environment, follow these recommendations:
• If two encryption engines are part of an HA cluster, configure the host/target pair so they have different paths from both encryption engines. Avoid connecting both host/target pairs to the same encryption engine.
Chapter 6 Maintenance and Troubleshooting
In this chapter
• Encryption group and HA cluster maintenance . . . 210
• Encryption group merge and split use cases . . . 219
• Encryption group database manual operations . . . 229
• Key vault diagnostics . . . 230
• Measuring encryption performance . . .
Encryption group and HA cluster maintenance
This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems with one or more member nodes in the group. All group-wide configuration commands are executed on the group leader. Commands that clear group-related states from an individual node are executed on the node. The commands require Admin or SecurityAdmin permissions.
FIGURE 99
Removing a node from an encryption group
The procedure for removing a node depends on the node's status within an encryption group. HA cluster membership and Crypto LUN configurations must be cleared before you can permanently remove a member node from an encryption group. To remove a node from an encryption group, complete the following steps:
1. Log in to the group leader as Admin or SecurityAdmin.
2.
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
Deleting an encryption group
You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes. Before deleting the encryption group, it is highly recommended that you remove the group leader from the HA cluster and clear all CryptoTarget and tape pool configurations for the group.
Displaying the HA cluster configuration
NOTE
The correct failover status of an HA cluster will only be displayed on the HA cluster member nodes in the encryption group.
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has two HA clusters. HAC 1 is committed and has two members.
Replacing an HA cluster member
1. Log in to the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haClusterMember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is replaced.
FIGURE 100 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a "live" encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Performing a manual failback of an encryption engine
By default, failback occurs automatically when an encryption engine that failed is replaced or comes back online. When the manual failback policy is set in the encryption group, you must invoke a manual failback of the encryption engine after the failed encryption engine has been restored or replaced. Failback includes all of the encryption engine's target associations.
• After the failback completes, the cryptocfg --show -hacluster -all command no longer reports active failover.
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.
4. Set up the member node: configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command.
5.
Recovery
If auto failback policy is set, no intervention is required. After the node has come back up, all devices and associated configurations and services that failed over earlier to N1 fail back to N3. The node resumes its normal function. If auto failback policy is not set, invoke a manual failback if required. Refer to the section "Performing a manual failback of an encryption engine" on page 218 for instructions.
• The isolation of N3 from the group leader breaks the HA cluster and failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders. This would require communication with the "offline" member nodes. You cannot start any rekey operations (auto or manual) on any of the nodes.
Recovery
1. Restore the connection between the nodes in the separate encryption group islands, that is, between nodes N3 and N4 on one side and nodes N1 and N2 on the other. When the lost connection is restored, an automatic split recovery process begins. The two group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node with the highest WWN becomes group leader.
NOTE
The collective time allowed (the heartbeat time-out value multiplied by the heartbeat misses) cannot exceed 30 seconds (enforced by Fabric OS).
The relationship between -hbmisses and -hbtimeout determines the total amount of time allowed before a node is declared unreachable. If a switch does not sense a heartbeat within the heartbeat timeout value, it is counted as a heartbeat miss.
NOTE
If one or more EG status displays as CONVERGED, contact technical support, as the following procedure will not work.
To reconverge the EG, you will need to perform a series of steps. The basic steps are listed below, followed by an example that details each step:
1. Confirm that your EG is not in a CONVERGED state.
2. Determine which GL Node will remain the GL Node once the EG is reconverged.
Display the encryption group state again.
Node182:admin-> cryptocfg --show -groupcfg
Node182 should now show up with an Encryption Group state of CLUSTER_STATE_CONVERGED. In this two-node example, there is only one other node in the encryption group, and therefore there is only one node to deregister. When you have a 3:1 split or a 2:2 split, issue the following command from the group leader node you are keeping.
If you now perform a cryptocfg --show -groupcfg, you will see that no encryption group on Node181 is defined:
Node181:admin-> cryptocfg --show -groupcfg
Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined.
The 2:2 EG split exception
The encryption group deletion procedure may be done directly in every scenario except when there has been a 2:2 split.
6. Verify your encryption group is re-converged.
Node181:admin-> cryptocfg --show -groupcfg
Node182:admin-> cryptocfg --show -groupcfg
Both nodes will now show a two-node CONVERGED EG in which Node182 is the group leader node and Node181 is a member node. The above manual configuration recovery procedure will work nearly identically for all combinations of EG split scenarios.
TABLE 8 Disallowed Configuration Changes
Configuration Type: Security & key vault
• Register or modify key vault settings
• Generating a master key
• Exporting a master key
• Restoring a master key
• Enabling or disabling encryption on an encryption engine
Configuration Type: HA cluster
• Creating an HA cluster
• Adding an encryption engine to an HA cluster
• Modifying the failback mode
Configuration Type: Crypto Device (target/LUN/tape)
• Crea
Use the --sync -securitydb command to distribute the security database from the group leader node to all member nodes. This command is valid only on the group leader. In scenarios where this master key propagation issue still persists, exporting the master key to a file and recovering it resolves the issue. To do this, use the following commands:
• Use the cryptocfg --exportmasterkey -file option to export the master key to a file.
• Use the cryptocfg
Key vault diagnostics
This feature reports the following types of configuration information:
• Key Vault/Cluster scope:
- CA Certificate and its validity (for example, valid header and expiry date)
- Key Vault IP/Port
- KV firmware version
- Time of day on the KV
- Key class and format on the KV configured for the user group
- Client session timeout
• Encryption node scope:
- Node KAC certificate and its validity (for example, valid header and expiry date)
- Username/password
- User group
- Time of day
Measuring encryption performance
With the introduction of Fabric OS v7.1.0, you can monitor the throughput of redirected I/O flow through an encryption engine (EE). The cryptocfg --perfshow command is used for this.
Number of host(s): 1
Number of tape session(s): 0
Host: 10:00:00:05:1e:c3:2d:9b 20:00:00:05:1e:c3:2d:9b
Host PID: 000000
VI: 20:02:00:05:1e:55:4d:61 20:03:00:05:1e:55:4d:61
VI PID: 012401
Number of LUN(s): 1
LUN number: 0x0
LUN type: tape drive
b. The user port on which a particular virtual entity is hosted can be identified from the Port Index of the corresponding name server entry.
FabricAdmin:switch> cryptocfg --perfshow
[Per-port throughput table for port indexes 32 through 55, ending with a Total line; the column layout did not survive extraction.]
Enabling encrypted LUNs in the disabled state following zeroization
Following the encryption engine zeroization and the encryption engine cryptocfg commands (initEE, regEE, enableEE), and with the link key to the SSKM key vault(s) re-established using the DH challenge and response process, the SSKM key vault(s) should be in a connected status and the encryption engine should be online. You can verify the status using the cryptocfg --show -groupcfg command.
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
Operation Succeeded
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command: supportsave. Activity: Check whole system configuration. Run RAS logs.
TABLE 10 General errors and conditions
Problem: A backup fails because the LUN is always in the initialize state for the tape container. Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
Resolution: Use one of two resolutions:
TABLE 10 General errors and conditions (Continued)
Problem: If a key query is made on the LKM/SSKM servers using the DataFort Management Console (DMC), any putkey or getkey operations from this LKM/SSKM KV time out. As a result, you might observe errors on an FS8-18 or Brocade Encryption Switch during rekey/add/modify LUN operations.
Resolution: If the LUN comes online, you can ignore the error, because an automatic retry will correct the problem.
Troubleshooting examples using the CLI
Encryption Enabled CryptoTarget LUN
The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled CryptoTarget LUN
If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group . . . 241
• Errors related to adding a switch to a new group . . . 242
• General errors related to the Configure Switch Encryption wizard . . .
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch. Error description: Unable to initialize the switch due to an error response from the switch. Instructions:
TABLE 12 Error recovery instructions for adding a switch to a new group (Continued)
Configuration task: Create a new master key (opaque key vaults only). Error description: A failure occurred while attempting to create a new master key. Instructions: 1
Configuration task: Save the switch's public key certificate to a file. Error description: The switch's public key certificate could not be saved to a file.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Columns: Case; Reasons for the LUN getting disabled by the encryption switch; Action taken (if you do not need to save the data / if you need to save the data).
Case 1: The LUN was modified from encrypt policy to cleartext policy but metadata exists. LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA Cluster, or DEK Cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is kept powered down, the member nodes might lose information and knowledge about the encryption group.
5. Synchronize the crypto configurations across all member nodes.
FabricAdmin:switch> cryptocfg --commit
MPIO and internal LUN states
The Internal LUN State field displayed within the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine.
1. Enter the cryptocfg --resume_rekey command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN.
FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 \
10:00:00:05:1e:53:37:99
Operation Succeeded
2. Check the status of the resumed rekey session.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN.
3. If the replaced FS8-18 blade is in a member node, invoke the following command to reclaim the base WWN.
FabricAdmin:switch> cryptocfg --reclaimWWN -EE
4. Issue commit.
FabricAdmin:switch> cryptocfg --commit
5. Replace the old FS8-18 blade with the new FS8-18 blade and reconnect the FC cables and I/O Link cables.
6. Insert the new FS8-18 blade in the same slot of the chassis that was used by the old FS8-18 blade.
d. Invoke the following command on the DCX Backbone after approval of the trustee on LKM/SSKM.
Admin:switch> cryptocfg --dhresponse
e. Remove the trustee link for the failed blade from the LKM/SSKM appliance.
f. Go to step 19.
15. If the new blade is not the only EE in the DCX backbone chassis:
a.
6. If the encryption group (EG) has system card authentication enabled, you need to reregister the system card through the BNA client for the new EE. Refer to Chapter 2, "Configuring Encryption Using the Management Application."
7. Initialize the new EE using the following command:
FabricAdmin:switch> cryptocfg --initEE [slotnumber]
8. Register the new EE using the following command:
FabricAdmin:switch> cryptocfg --regEE [slotnumber]
9.
14. If "manual" failback was set on the HA cluster, you must manually fail back the LUNs owned by the newly replaced EE.
Brocade Encryption Switch removal and replacement
The following procedures identify steps for removing and replacing a Brocade Encryption Switch.
• For a multi-node replacement, refer to "Multi-node EG Case" on page 251.
• For a single-node replacement, refer to "Single-node EG Replacement" on page 254.
Multi-node EG Case
1.
11. Initialize the new Brocade Encryption Switch node using the following command.
Admin:switch> cryptocfg --initnode
12. Zeroize the new Brocade Encryption Switch using the following command.
Admin:switch> cryptocfg --zeroizeEE
13. Initialize the new EE using the following command.
Admin:switch> cryptocfg --initEE
14. Register the new EE using the following command.
Admin:switch> cryptocfg --regEE
15. Enable the new EE using the following command.
Admin:switch> cryptocfg --show -localEE
27. From the new Brocade Encryption Switch, invoke the following command to set the default zone to allAccess so that the configuration from the existing fabric is pushed to the new Brocade Encryption Switch.
Admin:switch> defzone --allaccess
28. Invoke the following command on the new Brocade Encryption Switch.
Admin:switch> cfgsave
29. Replace the FC cables to the new Brocade Encryption Switch.
30.
Single-node EG Replacement
1. Upload the configuration stored on the Brocade Encryption Switch you are replacing using the FOS configupload command.
2. Power off the Brocade Encryption Switch. Remove the Mgmt Link, I/O links, and FC cables from the Brocade Encryption Switch, noting where each was attached so that the replacement Brocade Encryption Switch can be cabled properly.
3. Power on the new Brocade Encryption Switch.
b. Approve the TEP for this node on the LKM/SSKM.
c. Invoke the following command on the new node after approval of the trustee on LKM/SSKM.
Admin:switch> cryptocfg --dhresponse
d. Remove the trustee link for the failed node from the LKM/SSKM appliances.
17. Check the encryption engine (EE) state using the following command to ensure that the encryption engine is online.
Admin:switch> cryptocfg --show -localEE
18.
25. Check the EG state using the following command to ensure that the entire EG is in a converged and In Sync state.
Admin:switch> cryptocfg --show -groupcfg
Reclaiming the WWN base of a failed Brocade Encryption Switch
When a Brocade Encryption Switch fails, follow these steps to reclaim the WWN base:
1. Locate the Brocade Encryption Switch that has failed and deregister it from the encryption group.
Downgrading firmware from Fabric OS 7.1.0
If you are attempting to download firmware to a Fabric OS version earlier than v6.4.0, for example v6.3.0(x), you might be prompted with the following error message, even if there are no failed decommissioned LUNs and even if no decommissioned key ID list exists on a node:
"Downgrade is not allowed for this key vault type, as device decommission feature is in use.
Splitting an encryption group into two encryption groups
In this example, which is represented in Table 15, you have one encryption group with four nodes from which you want to remove two of the nodes and add them to a new encryption group.
TABLE 15 Splitting an encryption group
Original EG: FOS1 (Group Leader), FOS2, FOS3, FOS4
New EG1: FOS1 (Group Leader), FOS2
New EG2: FOS3 (Group Leader), FOS4
1.
When prompted, enter yes to each prompt.
8. Add FOS4 as a member node to the new EG.
• For details about adding member nodes to an EG, see "Adding a member node to an encryption group" on page 130.
• For details about creating encryption groups, see "Creating an encryption group" on page 34.
Moving an encryption switch from one EG to another in the same fabric
In this example, which is represented in Table 17, you have two EGs, each containing two nodes. You want to move FOS2 from EG1 to EG2.
TABLE 17 Moving a Brocade Encryption Switch from one EG to another EG
EG1: nodes before move: FOS1 (GL), FOS2; nodes after move: FOS1 (GL)
EG2: nodes before move: FOS3 (GL), FOS4; nodes after move: FOS3 (GL), FOS4, FOS2
1.
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states . . . 261
• Security processor KEK status . . . 262
• Encrypted LUN states . . . 262
Encryption engine security processor (SP) states
Table 18 lists the encryption engine security processor (SP) states.
Security processor KEK status
Table 19 lists security processor KEK status information.
TABLE 19 Security processor KEK status
KEK type: Primary KEK (current MK or primary KV link key)
- KEK status (1): None. Description: Primary KEK is not configured.
- KEK status (1): Mismatch. Description: Primary KEK mismatch between the CP and the SP.
- KEK status (1): Match/Valid. Description: Primary KEK at CP matches the one in the SP and is valid.
KEK type: Secondary KEK (alternate MK or secondary KV link key)
- KEK status (1): None.
- KEK status (1): Mismatch.
KEK type: Group KEK
1.
TABLE 20 Encrypted LUN states (Continued)
LUN_1ST_TIME_REKEY_IN_PROG: First time rekey is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG: Key expired rekey is in progress.
LUN_MANUAL_REKEY_IN_PROG: Manual rekey is in progress.
LUN_DECRYPT_IN_PROG: Data decryption is in progress.
LUN_WR_META_PENDING: Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING: First time rekey is pending.
LUN_KEY_EXPR_REKEY_PENDING: Key expired rekey is pending.
TABLE 20 Encrypted LUN states (Continued)
LUN_DIS_WR_META_DONE_ERR: Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED: Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH: Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN: Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL: Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE: Disabled (Third party license is required).
TABLE 21 Tape LUN states
Internal Name: LUN_DIS_LUN_NOT_FOUND. Console String: Disabled (LUN not found). Explanation: No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support.
Internal Name: LUN_TGT_OFFLINE. Console String: Target Offline. Explanation: Target port is not currently in the fabric. Check connections and L2 port state.
TABLE 21 Tape LUN states (Continued)
Internal Name: LUN_ENCRYPT. Console String: Encryption enabled. Explanation: The tape medium is present, and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out if the tape is encrypted in native mode or DataFort-compatible mode.
Appendix B LUN Policies
In this appendix
The following topics are covered in this appendix:
• DF-compatibility support for disk LUNs . . . 267
• DF-compatibility support for tape LUNs . . . 271
DF-compatibility support for disk LUNs
Table 22 and Table 23 may be used as a reference for establishing disk LUN policies in support of DataFort firmware versions.
TABLE 23 Support matrix for disk LUNs for various configuration and modify options
LUN encryption format: Native (Brocade). LUN state: Encrypted. LUN policy: Encrypt. Encrypt existing data: NA when LUN State = encrypt. Key ID: NA. Metadata on LUN: Yes. Results: No error.
TABLE 23 Support matrix for disk LUNs for various configuration and modify options (Continued)
LUN encryption format: Native (Brocade). LUN state: Cleartext. LUN policy: Cleartext. Encrypt existing data: NA in case of cleartext policy. Key ID: NA. Metadata on LUN: Yes. Results: The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
TABLE 23 Support matrix for disk LUNs for various configuration and modify options (Continued)
LUN encryption format: DF compatible. LUN state: Cleartext. LUN policy: Encrypt. Encrypt existing data: Yes. Key ID: NA. Metadata on LUN: Yes. Results: The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF-compatibility support for tape LUNs
Table 24 and Table 25 may be used as a reference for establishing tape LUN policies in support of DataFort firmware versions.
NOTE
On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of one MB or greater.
TABLE 25 Compatibility support matrix for tape pools (Continued)
Tape pool encryption format: DF-compatible. Tape pool policy: Encrypt. Metadata present: No (new tape). Results: No error. A new key is generated and both read and write are allowed in DF-compatible format.
Tape pool encryption format: DF-compatible. Tape pool policy: Cleartext. Metadata present: Brocade metadata. Results: Reads are allowed in Brocade format using the key from the metadata. Writes are rejected if the tape is not positioned at the beginning of the tape.