Configuring For Encryption (Optional); Summary Of Procedure - IBM SAN768B Installation, Service And User Manual

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|

Configuring for encryption (optional)

|

Summary of procedure

|
|
|
|
|
|
|
|
|
|
|
42
SAN768B Installation, Service, and User Guide
v There is no support of Cisco switches at this time by IBM. The section in the
Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
(TKLM) Environments related to Cisco Fabric connectivity does not currently
apply.
v The use of Smart Cards provides additional encryption security management,
and is highly recommended. Smart cards can be ordered as FRUs through IBM.
v The Top Talker feature is not compatible with redirection zones. The Top Talker
feature should not be enabled when an encryption switch or blade is present in
the fabric.
v Alias zoning is not supported in encryption environments. You must use the real
WWPN.
v Refer to the "Steps for connecting to a TKLM appliance" section of the Fabric OS
Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager (TKLM)
Environments for detailed information on initial setup. That section includes the
following information:
– All switches you plan to include in an encryption group must have a secure
connection to the Tivoli Key Lifecycle Manager (TKLM). A local LINUX host
must be available to transfer certificates.
– Be sure that the clock time on the TKLM server and on the Brocade
encryption nodes are the same. A difference of only a few minutes can cause
the TLS connectivity to fail.
– Repeat the same steps for configuring both the primary and the secondary
key vault.
– Both the primary and secondary key vaults should be registered before
exporting MK or encrypting LUNs. If the secondary key vault is registered
midway after encryption is done for some of the LUNs, then the key database
should be backed up and restored on the secondary TKLM from the already
registered primary TKLM before registering the secondary TKLM.
– The following is a suggested order for the initial steps needed to create a
secure connection to TKLM. (Refer to the "Steps for connecting to a TKLM
appliance" section of the Fabric OS Encryption Administrator's Guide Supporting
Tivoli Key Lifecycle Manager (TKLM) Environments for additional steps.)
1. Initialize all encryption nodes to generate Key authentication center (KAC)
certificates and export the signed KAC certificates to a local LINUX host.
2. Obtain the necessary user credentials and log in to the TKLM server
appliance from the TKLM management web console.
The optional FS8-18 encryption blade requires configuration to enable the
configuration functions. This section provides a brief overview of those
configuration steps. Refer to the Fabric OS Encryption Administrator's Guide
Supporting Tivoli Key Lifecycle Manager (TKLM) Environments for the detailed
procedures to configure the encryption functions.
Note:
If the encryption blade (FS8-18) is being configured for the first time for encryption
services, you will need to perform several pre-initialization tasks related to
configuring the encryption node (switch), including:
v Generating the Critical Security Parameters (CSPs) and certificates