Planning For Encryption (Optional) - IBM SAN384B-2 Installation, Service And User Manual


Planning for encryption (optional)

Encryption is an optional feature available on the SAN384B-2 through the
installation and use of the FS8-18 encryption blade. Advance planning is essential
to achieve a successful implementation of encryption.

Attention: Setup of the FS8-18 blade for encryption requires the use of this
document for the physical installation of the blade. Critical information required
for enabling and managing encryption is contained in the Fabric OS Encryption
Administrator's Guide Supporting Tivoli Key Lifecycle Manager (TKLM) Environments,
which is included on the documentation CD-ROM that is shipped with the
product. You must use both documents in order to successfully set up the switch
for encryption.

Careful attention to the details of setup and configuration is essential to enabling
secure encryption functionality. The following guidelines should be followed when
planning for encryption with the 16-port encryption blade (FS8-18), which is
available for the SAN768B, SAN768B-2, SAN384B, and SAN384B-2 products, or the
SAN32B-E4.
• Redundancy of hardware is essential because if the encryption path is disrupted,
  access to the encrypted data will be lost with a single encryption device. You
  must have two encryption devices to ensure backup and access in the event that
  one of the devices goes down. If one of the devices in the encryption pair is not
  functioning, you will only have read access to the encrypted data on the
  functioning device until the non-functioning device is restored. Redundancy of
  hardware for encryption can be accomplished with the following:
  – Two Key Vault locations on different devices
  – Two encryption devices in any combination of encryption switches
    (SAN32B-E4) and FS8-18 encryption blades (in SAN768B, SAN768B-2,
    SAN384B, or SAN384B-2 chassis)
• Cable planning for the encryption switch and its back-up and for a primary and
  secondary key vault manager is critical. These devices can be separated by
  distance as long as they can maintain constant communication contact. One
  device must back up the other to ensure access to encrypted data. Refer to the
  Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
  (TKLM) Environments for more information on Master Keys (MK).
• Begin with a limited application of encryption in a test environment and once an
  expanded encryption test is successful, move the encryption into production.
• Avoid dual encryption (Fabric encryption and device encryption). While this
  should not cause any encryption errors, it will degrade performance.
• There is no support of Cisco switches at this time by IBM. The section in the
  Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
  (TKLM) Environments related to Cisco Fabric connectivity does not currently
  apply.
• The use of Smart Cards provides additional encryption security management,
  and is highly recommended. Smart cards can be ordered as FRUs through IBM.
• The Top Talker feature is not compatible with redirection zones. The Top Talker
  feature should not be enabled when an encryption switch or blade is present in
  the fabric.
• Alias zoning is not supported in encryption environments. You must use the real
  WWPN.
Chapter 3. Starting and configuring the SAN384B-2