Planning For Encryption (Optional) - IBM System Storage SAN384B-2 Installation, Service And User Manual

v If ISL Trunking is in use, group the cables by trunking group. The ports are
v Use only hook-and-loop fasteners for securing optical cables. Do not use cable
v For easier maintenance, label the fiber optic cables and record the devices to
v Use the cable management fingers attached to the rack rails to organize the
v Keep LEDs visible by routing port cables and other cables away from the LEDs.
For the procedure to install the ICL cables see "Removing and replacing
inter-chassis link (QSFP) cables" on page 93.

Planning for encryption (optional)

Encryption is an optional feature available on the SAN384B-2 through the
installation and use of the FS8-18 encryption blade. Advance planning is essential
to achieve a successful implementation of encryption.
Attention: Setup of the FS8-18 blade for encryption requires the use of this
document for the physical installation of the blade. Critical information required
for enabling and managing encryption is contained in the Fabric OS Encryption
Administrator's Guide Supporting Tivoli Key Lifecycle Manager (TKLM) Environments,
which is included on the documentation CD-ROM that is shipped with the
product. You must use both documents in order to successfully set up the switch
for encryption.
Careful attention to details of setup and configuration are essential to enabling a
secure encryption functionality. The guidelines should be followed when planning
for encryption with the 16-port encryption blade (FS8-18), which is available for
the SAN768B, SAN768B-2, SAN384B, and SAN384B-2 products, or the SAN32B-E4.
v Redundancy of hardware is essential because if the encryption path is disrupted,
v Cable planning for the encryption switch and its backup and for a primary and
v Begin with a limited application of encryption in a test environment and once an
v Avoid dual encryption (Fabric encryption and device encryption). While this
color-coded to indicate which ports can be used in the same ISL Trunking group:
eight ports marked with solid black ovals alternate with eight ports marked with
oval outlines.
ties. They can be easily overtightened and can damage the optical cables.
which they are connected.
cables off to the side of the chassis, and away from the chassis exhaust vents.
access to the encrypted data will be lost with a single encryption device. You
must have two encryption devices to ensure backup and access in the event that
one of the devices goes down. If one of the devices in the encryption pair is not
functioning, you will only have read access to the encrypted data on the
functioning device until the non-functioning device is restored. Redundancy of
hardware for encryption can be accomplished with the :
– Two Key Vault locations on different devices
– Two encryption devices in any combination of encryption switches
(SAN32B-E4) and FS8-18 encryption blades (in SAN768B, SAN768B-2,
SAN384B, or SAN384B-2 chassis)
secondary key vault manager is critical. These devices can be separated by
distance as long as they can maintain constant communication contact. One
device must back up the other to ensure access to encrypted data. Refer to the
Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
(TKLM) Environments for more information on Master Keys (MK).
expanded encryption test is successful, move the encryption into production
should not cause any encryption errors, it will degrade performance.
Chapter 3. Starting and configuring the SAN384B-2
45