Page 1 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, Release Cisco MDS NX-OS Release 4.1(3)
Page 2 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE.
Page 3: Table Of Contents
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C O N T E N T S New and Changed Information Preface...
Page 4 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Software Requirements 1-10 Hardware Requirements...
Page 5 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Initial Cisco SME Configuration 2-18 Saving Cisco SME Cluster Configurations...
Page 6 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Deactivating a Cisco SME Cluster 4-21 Purging a Cisco SME Cluster...
Page 7 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Key Management Settings Tape Recycling High Availability Key Management Center...
Page 8 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Setting Up the Cisco SME Administrator and Recovery Officer Roles Adding an SME Interface from a Local or Remote Switch Configuring Unique or Shared Key Mode...
Page 9 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Offline Data Recovery in Cisco SME A P P E N D I X About Offline Data Restore Tool...
Page 10 Contents S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Creating Cisco SME Fabrics Installing SSL Certificates Provisioning Cisco SME...
Page 11: New And Changed Information
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m New and Changed Information This document provides release-specific information for each new and changed feature in Cisco Storage Media Encryption.
Page 12 New and Changed Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Table 1 New and Changed Features for Cisco Storage Media Encryption (continued) Changed...
Page 13: Security
New and Changed Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Table 1 New and Changed Features for Cisco Storage Media Encryption (continued) Changed...
Page 14 New and Changed Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Table 1 New and Changed Features for Cisco Storage Media Encryption (continued) Changed...
Page 15 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Preface This preface describes the audience, organization, and conventions of the Cisco MDS 9000 Family Storage Media Encryption Configuration Guide.
Page 16: Document Conventions
Preface S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Chapter Title Description...
Page 17: Related Documentation
Preface S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Means reader be careful.
Page 18: Intelligent Storage Networking Services Configuration Guides
Preface S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Command-Line Interface •...
Page 19: About Cisco Storage Media Encryption
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Product Overview This chapter provides an overview of the Storage Media Encryption (SME) and the hardware and software...
Page 20: Chapter 1 Product Overview
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Figure 1-1 shows the integration of Cisco SME with SAN fabrics to offer seamless management of data encryption.
Page 21: Transparent Fabric Service
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Transparent Fabric Service Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module or an MDS 9222i switch anywhere in the fabric.
Page 22: Key Management
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Key Management Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.
Page 23: Clustering
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Figure 1-2 Multisite Setup in Cisco KMC.
Page 24: Fc-Redirect
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m FC-Redirect Cisco SME performance can easily be scaled up by adding more Cisco MDS 9000 family switches or modules.
Page 25: Cisco Sme Terminology
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The affinity-based load balancing feature reduces the FC redirect interactions, which reduces the •...
Page 26: Supported Topologies
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Supported Topologies Cisco SME supports a single-fabric topology.
Page 27: In-Service Software Upgrade In Cisco Sme
Chapter 1 Product Overview About Cisco Storage Media Encryption S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Figure 1-3 Cisco Storage Media Encryption: Single-Fabric Topology Application servers...
Page 28: Software And Hardware Requirements
Chapter 1 Product Overview Software and Hardware Requirements S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m This feature is tied to the internals of ISSU logic and no additional command needs to be executed for Note this purpose.
Page 29: Cisco Mds 9222I Multiservice Modular Switch
Chapter 1 Product Overview Software and Hardware Requirements S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The MSM-18/4 module provides 18 4-Gbps Fibre Channel interfaces for high-performance SAN and mainframe connectivity and four Gigabit Ethernet ports for FCIP and iSCSI storage services.
Page 30: Smart Card Readers
Chapter 1 Product Overview Cisco SME Prerequisites S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Smart Card Readers To employ standard and advanced security levels, Cisco SME requires the following: Smart Card Reader for Cisco SME (DS-SCR-K9)
Page 31: Cisco Storage Media Encryption Security Overview
Chapter 1 Product Overview Cisco Storage Media Encryption Security Overview S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Each FC-redirected target can be zoned to 16 hosts or less.
Page 32 Chapter 1 Product Overview Cisco Storage Media Encryption Security Overview S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 1-14 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 33: Chapter 2 Getting Started
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Getting Started This chapter includes information about Cisco SME installation and the preliminary tasks that you must...
Page 34: Cisco Mds 9000 Fabric Manager
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Fabric Manager The Cisco Fabric Manager is a set of network management tools that supports Secure Simple Network Management Protocol version 3 (SNMPv3).
Page 35: Enabling Clustering
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Creating and Assigning Cisco SME Roles and Cisco SME Users, page 2-9 •...
Page 36 Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m In the Physical Attributes pane, select End Devices >...
Page 37: Enabling Clustering Using Device Manager
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Apply.
Page 38: Enabling Cisco Sme
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enabling Cisco SME You can enable Cisco SME using Fabric Manager or Device Manager.
Page 39: Enabling Cisco Sme Using Device Manager
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m You can select enable on multiple switches, and then click Apply.
Page 40: Enabling Dns
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Apply.
Page 41: Sme.useip For Ip Address Or Name Selection
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m sme.useIP for IP Address or Name Selection If you do not have DNS configured on all switches in the cluster, you can use sme.useIP.
Page 42 Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Table 2-1 shows a description of the Cisco SME roles and the number of users that should be considered for each role.
Page 43: Configuring The Aaa Roles
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Configuring the AAA Roles For information on configuring the AAA roles for the Cisco SME Administrator and the Cisco SME Recovery Officer, refer to the Cisco MDS 9000 Family CLI Configuration Guide.
Page 44: Creating And Assigning Cisco Sme Roles Using The Cli
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m From the role drop-down menu, select either sme-admin, sme-kmc-admin, sme-stg-admin, or Step 4 sme-recovery.
Page 45: Adding A Fabric And Changing The Fabric Name
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To configure Cisco SME in a dual fabric environment, all the switches in the cluster should have the same Note credentials for SME user.
Page 46 Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the fabric seed switch name or IP address and enter the community.
Page 47 Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 8 Select the fabric and click Edit.
Page 48: Choosing A Key Manager
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Choosing a Key Manager Before configuring Cisco SME, you need to choose a key manager.
Page 49: Using Fc-Redirect With Cfs Regions
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click on Submit Settings to save changes.
Page 50: Obtaining And Installing Licenses
Chapter 2 Getting Started Before You Begin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m When connecting a new smart card reader after the installation of smart card drivers, you may be required to restart the computer.
Page 51: Saving Cisco Sme Cluster Configurations
Chapter 2 Getting Started Cisco SME Configuration Restrictions S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco SME configuration tasks listed below provide an overview of the basic Cisco SME configuration process.
Page 52: Fc-Redirect Restrictions
Chapter 2 Getting Started Cisco SME Configuration Restrictions S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m FC-Redirect Restrictions FC-Redirect is not supported on the following switches: Cisco MDS 9120 switch...
Page 53: Configuring And Starting The Cisco Sme Interface
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Interface Configuration This chapter describes how to configure and start Cisco SME interfaces using Fabric Manager and...
Page 54: C H A P T E R 3 Cisco Sme Interface Configuration
Chapter 3 Cisco SME Interface Configuration Configuring and Starting the Cisco SME Interface S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Create.
Page 55: Viewing Cisco Sme Interfaces In Fabric Manager Web Client
Chapter 3 Cisco SME Interface Configuration Saving Your Interface Configurations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Cisco SME Interfaces in Fabric Manager Web Client To view the newly created Cisco SME interfaces, follow these steps: In the Physical Attributes pane of the Fabric Manager Web Client, select Interfaces >...
Page 56: Adding Cisco Sme Interfaces To A Cisco Sme Configuration
Chapter 3 Cisco SME Interface Configuration Adding Cisco SME Interfaces to a Cisco SME Configuration S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Adding Cisco SME Interfaces to a Cisco SME Configuration Cisco SME includes an Add Interface Wizard to simplify the process of adding interfaces to an existing cluster.
Page 57 Chapter 3 Cisco SME Interface Configuration Adding Cisco SME Interfaces to a Cisco SME Configuration S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select the fabrics you want to add interfaces from.
Page 58: Viewing Cisco Sme Interface Information Using The Cli
Chapter 3 Cisco SME Interface Configuration Viewing Cisco SME Interface Information Using the CLI S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m View the interface information.
Page 59: Removing (Unbinding) Cisco Sme Interfaces From A Cisco Sme Cluster
Chapter 3 Cisco SME Interface Configuration Removing (Unbinding) Cisco SME Interfaces from a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Removing (Unbinding) Cisco SME Interfaces from a Cisco SME Cluster Removing a Cisco SME interface from a cluster means that the interface is still up but it is not bound to...
Page 60: Deleting Switches From A Cisco Sme Cluster
Chapter 3 Cisco SME Interface Configuration Deleting Switches From a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Note The interface is removed while the node remains defined.
Page 61 Chapter 3 Cisco SME Interface Configuration Deleting Switches From a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m View the notification that the switch was deleted.
Page 62 Chapter 3 Cisco SME Interface Configuration Deleting Switches From a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-10 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 63: About Sme Cluster Management
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Cluster Management The Cisco Fabric Manager provides a web-browser interface that displays real-time views of your...
Page 64: Chapter 4 Cisco Sme Cluster Management
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Launching Cisco SME Wizard, page 4-2 •...
Page 65: Choosing A Cluster Name
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m In the Fabric Manager Web Client, click the SME tab.
Page 66: Selecting Fabrics
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Selecting Fabrics In the Select Fabrics screen, highlight the fabric you want to include in the cluster.
Page 67: Selecting Master Key Security Levels
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Selecting Master Key Security Levels There are three master key security levels: Basic, Standard, and Advanced.
Page 68: Selecting Basic Security
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Selecting Basic Security In the Master Key Security screen, select Basic.
Page 69: Selecting Advanced Security
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Selecting Advanced Security When Advanced security is selected, you need to designate the number of cards that are required to recover the master key.
Page 70: Selecting Media Key Settings
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Selecting Media Key Settings You cannot modify the media key settings after a cluster is created.
Page 71: Specifying The Key Management Center Server
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Table 4-2 Media Key Settings Media Key Setting...
Page 72: Selecting Transport Settings
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m For information about primary and secondary servers, see the “High Availability Key Management Center”...
Page 73: Confirming The Cluster Creation
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m For more information on viewing or editing the transport settings in the cluster details page, see the “Viewing and Modifying Transport Settings in Cluster Detail Page”...
Page 74: Downloading Key File And Storing Keyshares
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Downloading Key File and Storing Keyshares This section describes how to download the key file for basic security level and store keyshares for the standard and advanced security level.
Page 75: Standard Security Confirmation And Stored Keyshares
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Standard Security Confirmation and Stored Keyshares For the standard security level, follow these steps: Step 1...
Page 76 Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Finish to create a cluster.
Page 77: Advanced Security Confirmation And Stored Keyshares
Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 6 View the smart card information.
Page 78 Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 2 A Store Keyshares screen opens.
Page 79 Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m You will see a notification that the keyshare is being stored.
Page 80 Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the switch credentials and PIN information for the third recovery officer.
Page 81 Chapter 4 Cisco SME Cluster Management Creating a Cisco SME Cluster Using the Cisco SME Wizard S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the switch credentials and PIN information for the fifth recovery officer.
Page 82: Deactivating And Purging A Cisco Sme Cluster
Chapter 4 Cisco SME Cluster Management Deactivating and Purging a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m View the smart card information by selecting Smartcards.
Page 83: Deactivating A Cisco Sme Cluster
Chapter 4 Cisco SME Cluster Management Deactivating and Purging a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Deactivating a Cisco SME Cluster, page 4-21 •...
Page 84: Purging A Cisco Sme Cluster
Chapter 4 Cisco SME Cluster Management Deactivating and Purging a Cisco SME Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Purging a Cisco SME Cluster Purging a Cisco SME cluster includes the following steps: Delete all cluster elements (tape paths, tape devices, volume groups, tape groups, and switches)
Page 85: Viewing Cisco Sme Cluster Details
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Cisco SME Cluster Details To view cluster details, click the cluster name and the cluster detail page displays.
Page 86: Viewing Members In A Cluster
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Deactivated—The Cisco SME cluster has been removed from the switches;...
Page 87 Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The transport settings details are dsiplayed when SSL is Off.
Page 88 Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select SSL and choose a Trust Point from the drop-down menu.
Page 89: Viewing And Modifying Key Management Servers Settings
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing and Modifying Key Management Servers Settings To view and modify the primary and secondary key management servers settings, follow these steps: Select the cluster in the navigation pane to display the cluster detail page.
Page 90: Viewing Cluster Information Using Fabric Manager Client
Chapter 4 Cisco SME Cluster Management Viewing Cluster Information Using Fabric Manager Client S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Cluster Information Using Fabric Manager Client To view Cisco SME cluster information using Fabric Manager Client, follow these steps: In the Physical Attributes pane, select End Devices >...
Page 91: Viewing Cluster Information Using Device Manager
Chapter 4 Cisco SME Cluster Management Viewing Cluster Information Using Device Manager S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click the Interfaces tab to view information about SME interfaces.
Page 92: Cluster Quorum And Master Switch Election Overview
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select Interfaces to view cluster interface information.
Page 93: Cluster Quorum
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cluster Quorum For a cluster to be operational, it must include more than half the number of configured switches in the cluster view.
Page 94: Three-Switch Cluster Scenarios
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m When the switches lose connectivity between them, the master switch S1 continues to be operational since it has the lower node ID and can form an (N/2) switch cluster.
Page 95: Four-Switch Cluster Scenarios
Chapter 4 Cisco SME Cluster Management In-Service Software Upgrade (ISSU) in a Two-Node Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m In a three-switch operational cluster, if the master switch S1 fails or loses connectivity with the other two switches, then S1 becomes nonoperational.
Page 96 Chapter 4 Cisco SME Cluster Management In-Service Software Upgrade (ISSU) in a Two-Node Cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The upgrading node sends a message to the other node of the intent to leave the cluster.
Page 97: About Cisco Storage Media Encryption Tape Management
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Tape Configuration This chapter contains information about managing tapes that are encrypted using Cisco SME.
Page 98: Adding Tape Groups
Chapter 5 Cisco SME Tape Configuration Adding Tape Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Figure 5-1 shows the Cisco SME tape backup environment.
Page 99 Chapter 5 Cisco SME Tape Configuration Adding Tape Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To add a tape group, follow these steps: Select Tape Groups.
Page 100 Chapter 5 Cisco SME Tape Configuration Adding Tape Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select specific VSANs for the tape group.
Page 101 Chapter 5 Cisco SME Tape Configuration Adding Tape Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select the tape drives for the tape group.
Page 102: Deleting Tape Groups
Chapter 5 Cisco SME Tape Configuration Deleting Tape Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m View the hosts, tape devices, and volume groups that belong to the tape group.
Page 103: Adding Tape Devices
Chapter 5 Cisco SME Tape Configuration Adding Tape Devices S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Adding Tape Devices To add tape devices to an existing tape group, follow these steps: Step 1...
Page 104: Adding Tape Devices
Chapter 5 Cisco SME Tape Configuration Adding Tape Devices S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select the hosts that you would like to discover paths from.
Page 105 Chapter 5 Cisco SME Tape Configuration Adding Tape Devices S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Select the paths that Cisco SME would use for encrypted data between the host and tape devices.
Page 106: Deleting Tape Devices
Chapter 5 Cisco SME Tape Configuration Deleting Tape Devices S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m View the new tape device that was added to the cluster.
Page 107: Adding Tape Paths
Chapter 5 Cisco SME Tape Configuration Adding Tape Paths S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Adding Tape Paths Use the Tape Path Wizard to quickly add or modify tape paths between hosts and target backup devices.
Page 108: Adding Tape Paths
Chapter 5 Cisco SME Tape Configuration Adding Tape Paths S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Add.
Page 109: Deleting Paths From A Device
Chapter 5 Cisco SME Tape Configuration Adding Tape Paths S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Confirm the addition of the new tape path.
Page 110: Adding Tape Volume Groups
Chapter 5 Cisco SME Tape Configuration Adding Tape Volume Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Adding Tape Volume Groups To add tape volume groups to an existing tape group, follow these steps: Click Volume Groups.
Page 111 Chapter 5 Cisco SME Tape Configuration Adding Tape Volume Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Confirm the addition of the new volume group.
Page 112: Deleting Tape Volume Groups
Chapter 5 Cisco SME Tape Configuration Deleting Tape Volume Groups S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Deleting Tape Volume Groups To delete a tape volume group from a Cisco SME cluster, follow these steps: Step 1...
Page 113: Viewing Host Details
Chapter 5 Cisco SME Tape Configuration Viewing Host Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Host Details You can view detailed information about hosts in a Cisco SME cluster.
Page 114 Chapter 5 Cisco SME Tape Configuration Viewing Tape Device Details S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 5-18 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 115: Key Hierarchy
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Key Management This chapter contains information about Cisco Storage Media Encryption comprehensive key...
Page 116: Chapter 6 Cisco Sme Key Management
Chapter 6 Cisco SME Key Management Cisco Key Management Center S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Master Key When a Cisco SME cluster is created, a security engine generates the master key.
Page 117: Master Key Security Modes
Chapter 6 Cisco SME Key Management Master Key Security Modes S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Master Key Security Modes To recover encrypted data-at-rest from a specific tape, you need access to the keys that are created for the specific tape cartridge.
Page 118: Key Management Settings
Chapter 6 Cisco SME Key Management Key Management Settings S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Key Management Settings When creating a tape volume group, you will need to determine whether to enable or disable the key management settings.
Page 119: High Availability Key Management Center
Chapter 6 Cisco SME Key Management High Availability Key Management Center S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The default setting is Yes.
Page 120 Chapter 6 Cisco SME Key Management High Availability Key Management Center S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 4 Click OK to save the settings to view the notification that the settings have been saved.
Page 121: Key Management Operations
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Key Management Operations This section describes the following key management operations: Viewing Standard Security Mode Smart Cards, page 6-7...
Page 122: Viewing Advanced Security Mode Smart Cards
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Advanced Security Mode Smart Cards To view Advanced security smart card information, select Smartcards in the navigation pane to view the smart card information.
Page 123: Purging Volumes
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click the Deactivated tab to view all keys that have been marked as deactivated and stored in the Cisco Step 3 KMC.
Page 124: Exporting Volume Groups
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Confirm.
Page 125 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Download to download the volume group file.
Page 126: Importing Volume Groups
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The exported volume group file can be used by the Offline Data Restore Tool (ODRT) software to Note convert the Cisco SME encrypted tape back to clear-text when the Cisco SME line card or the Cisco...
Page 127 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Locate the file to import.
Page 128: Rekeying Tape Volume Groups
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Confirm to begin the import process or click Back to choose another volume group file.
Page 129: Auto Key Replication Of Keys Across Data Centers
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Rekey.
Page 130: Auto Replicating Keys In Fabric Manager Web Client
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A replication relationship is set between the volume groups in the different clusters and the replication context for the destination clusters need to be acquired.
Page 131 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Create to create a remote replication relationship.
Page 132 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Removing Remote Replication Relationships To remove a remote replication relationship, follow these steps: Click Clusters in the navigation pane to display the clusters and select Remote Replication.
Page 133: Basic Mode Master Key Download
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 4 A notification window appears that indicates the removal of the remote replication relationship.
Page 134 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 3 Enter the password to protect the master key file.
Page 135 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Close to close the wizard.
Page 136: Replacing Smart Cards
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Replacing Smart Cards This section describes how to replace smart cards for clusters in the following modes.
Page 137 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Finish to close the wizard.
Page 138: Advanced Mode
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Advanced Mode In Advanced security mode, the master key is stored on five smart cards.
Page 139 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The Cisco SME Recovery Officer who owns the replacement smart card is prompted to log in and to insert the smart card to download the master key.
Page 140 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Insert one of the smart cards that stores the master key.
Page 141 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the switch login information and the smart card PIN and label.
Page 142 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To store the new master keyshares, follow these steps: Enter the switch login information, the PIN number for the smart card, and a label that will identify the smart card.
Page 143 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the switch credentials and PIN information for the second recovery officer.
Page 144 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A notification is shown that the third keyshare is successfully stored.
Page 145 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the switch credentials and PIN information for the fifth recovery officer.
Page 146 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m You will see an indication that the operation is in progress until the synchronization of volume groups is completed.
Page 147: Exporting Volume Groups From Archived Clusters
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To view the new smart card information, select Smartcards.
Page 148 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Browse to locate the volume group master key file.
Page 149 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the password that protects the master key for the archived volume group.
Page 150: Standard Mode
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Download to begin downloading the volume group file.
Page 151 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Insert one of the five smart cards into the smart card reader.
Page 152 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the password to encrypt the volume group file.
Page 153: Advanced Mode
Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Save the .dat file.
Page 154 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 2 Insert one of the five smart cards into the smart card reader.
Page 155 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Insert the next smart card into the smart card reader.
Page 156 Chapter 6 Cisco SME Key Management Key Management Operations S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Step 7 Click Download to begin downloading the volume group.
Page 157: Accounting Log Information
Chapter 6 Cisco SME Key Management Accounting Log Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Save to save the .dat file.
Page 158: Kmc Accounting Log Messages
Chapter 6 Cisco SME Key Management Accounting Log Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Clear Filter to display the complete accounting log information.
Page 159 Chapter 6 Cisco SME Key Management Accounting Log Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m ------------------------------------- Operation: STORE_KEY...
Page 160 Chapter 6 Cisco SME Key Management Accounting Log Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Operation: ARCHIVE_ALL_KEYS Logged as: "Archive all keys"...
Page 161 Chapter 6 Cisco SME Key Management Accounting Log Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Description: All wrap keys for the given tape volume are removed from the keystore.
Page 162: Migrating A Kmc Server
Chapter 6 Cisco SME Key Management Migrating a KMC Server S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Operation: ABORT_REKEY_MASTER_KEY Logged as: "Abort master key rekey"...
Page 163 Chapter 6 Cisco SME Key Management Migrating a KMC Server S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Update the cluster with the new KMC server details when the new KMC server is active.
Page 164 Chapter 6 Cisco SME Key Management Migrating a KMC Server S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-50 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 165 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Using the Command Line Interface to Configure This chapter contains information about Cisco Storage Media Encryption basic configuration using the...
Page 166: Chapter 7 Using The Command Line Interface To Configure Sme
Chapter 7 Using the Command Line Interface to Configure SME Enabling and Disabling SME Clustering S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enable SME on the MDS-18/4 module switch.
Page 167: Deleting The Sme Interface
Chapter 7 Using the Command Line Interface to Configure SME Deleting the SME Interface S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To configure the SME interface, follow these steps: Command Purpose...
Page 168: Setting The Sme Cluster Security Level
Chapter 7 Using the Command Line Interface to Configure SME Setting the SME Cluster Security Level S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Volume tape groups •...
Page 169: Setting Up The Cisco Sme Administrator And Recovery Officer Roles
Chapter 7 Using the Command Line Interface to Configure SME Setting Up the Cisco SME Administrator and Recovery Officer Roles S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Command Purpose Step 2...
Page 170: Configuring Unique Or Shared Key Mode
Chapter 7 Using the Command Line Interface to Configure SME Configuring Unique or Shared Key Mode S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Command Purpose Step 3...
Page 171: Enabling And Disabling Tape Compression
Chapter 7 Using the Command Line Interface to Configure SME Enabling and Disabling Tape Compression S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Command Purpose Step 3...
Page 172: Configuring A Tape Volume Group
Chapter 7 Using the Command Line Interface to Configure SME Configuring a Tape Volume Group S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Configuring a Tape Volume Group A tape volume group is a group of tapes that are categorized usually by function.
Page 173: Viewing Cisco Sme Cluster Details
Chapter 7 Using the Command Line Interface to Configure SME Viewing Cisco SME Cluster, Internal, and Transport Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Cisco SME Cluster Details Additional cluster information can be displayed with the show sme cluster command.
Page 174: Viewing Cluster Node Information
Chapter 7 Using the Command Line Interface to Configure SME Viewing Cisco SME Cluster, Internal, and Transport Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Tape volumegroup is Default Key Type is tape volumegroup wrap key GUID is 3e9ef70e0185bb3c-ad12-c4e489069634...
Page 175: Viewing Tape Information
Chapter 7 Using the Command Line Interface to Configure SME Viewing Cisco SME Cluster, Internal, and Transport Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Viewing Tape Information Use the show sme cluster tape command to view summary or detailed information about tapes.
Page 176 Chapter 7 Using the Command Line Interface to Configure SME Viewing Cisco SME Cluster, Internal, and Transport Information S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m SME setup done.
Page 177: Chapter 8 Cisco Sme Best Practices
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Best Practices This chapter describes Cisco Storage Media Encryption best practices.
Page 178: Cisco Kmc Practices
Chapter 8 Cisco SME Best Practices Overview of Best Practices S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Refer to the Cisco Storage Media Encryption Design Guide for guidelines on sizing and placements...
Page 179: Troubleshooting Resources
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m C H A P T E R Cisco SME Troubleshooting This chapter describes basic troubleshooting methods used to resolve issues with Cisco Storage Media...
Page 180: Deleting A Cisco Sme Cluster With One Or More Offline Switches While The Master Switch Is Online
Chapter 9 Cisco SME Troubleshooting Cluster Recovery Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The Cisco SME cluster configuration for an offline switch must be done using the CLI.
Page 181: Chapter 9 Cisco Sme Troubleshooting
Chapter 9 Cisco SME Troubleshooting Cluster Recovery Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m On the offline switch (switch2), shut down the cluster by performing this task: Command Purpose...
Page 182: Reviving A Cisco Sme Cluster
Chapter 9 Cisco SME Troubleshooting Cluster Recovery Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m On the cluster master switch, shut down the cluster and then delete the cluster by performing this task: Command Purpose...
Page 183: Reassigning The Cisco Sme Cluster Master Switch
Chapter 9 Cisco SME Troubleshooting Cluster Recovery Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m On switch1, shut down the cluster by performing this task: Command Purpose...
Page 184 Chapter 9 Cisco SME Troubleshooting Cluster Recovery Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m On switch2, shut down the cluster by performing this task: Command Purpose...
Page 185: Troubleshooting General Issues
Chapter 9 Cisco SME Troubleshooting Troubleshooting General Issues S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Troubleshooting General Issues The Cisco SME naming convention includes alphanumeric, dash, and underscore characters.
Page 186 Chapter 9 Cisco SME Troubleshooting Troubleshooting Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m If you need to replace an MSM-18/4 module with another MSM-18/4 module In the existing MDS 9000 Family platform, a module can be replaced with another module and there is no change in configuration.
Page 187 Chapter 9 Cisco SME Troubleshooting Troubleshooting Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m If you need to contact your customer support representative or Cisco TAC At some point, you may need to contact your customer support representative or Cisco TAC for some additional assistance.
Page 188 Chapter 9 Cisco SME Troubleshooting Troubleshooting Scenarios S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 9-10 OL-18091-01 Cisco MDS NX-OS Release 4.x...
Page 189: Appendix
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Cisco SME CLI Commands The commands in this chapter apply to the Cisco MDS 9000 Family of multilayer directors and fabric...
Page 190: Appendix A Cisco Sme Cli Command
Appendix A Cisco SME CLI Commands auto-volgrp S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m auto-volgrp To configure the automatic volume grouping, use the auto-volgrp command.
Page 191 Appendix A Cisco SME CLI Commands clear fc-redirect config S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m clear fc-redirect config To delete a FC-Redirect configuration on a switch, use the clear fc-redirect config command.
Page 192 Appendix A Cisco SME CLI Commands cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m cluster To configure a cluster feature, use the cluster command.
Page 193: Sme Commands
Appendix A Cisco SME CLI Commands debug sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m debug sme To enable debugging for the Cisco SME features, use the debug sme command.
Page 194 Appendix A Cisco SME CLI Commands debug sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m switch# debug sme all 2007 Sep 23 15:44:44.490796 sme: fu_priority_select: - setting fd[5] for select...
Page 195 Appendix A Cisco SME CLI Commands discover S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m discover To initiate the discovery of hosts, use the discovery command.
Page 196 Appendix A Cisco SME CLI Commands S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Use the do command to execute an EXEC-level show command from any configuration mode or submode.
Page 197 Appendix A Cisco SME CLI Commands S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m SME statistics input 0 bytes, 5 second rate 0 bytes/sec, 0.00 KB/sec clear 0 bytes, encrypt 0 bytes, decrypt 0...
Page 198 Appendix A Cisco SME CLI Commands fabric S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m fabric To add a fabric to the cluster, use the fabric command in the Cisco SME cluster configuration submode.
Page 199 Appendix A Cisco SME CLI Commands fabric-membership S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m fabric-membership To add a node to a fabric, use the fabric-membership command.
Page 200 Appendix A Cisco SME CLI Commands fc-redirect version2 enable S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m fc-redirect version2 enable To enable the version2 mode in FC-Redirect, use the fc-redirect version2 enable command in configuration mode.
Page 201 Appendix A Cisco SME CLI Commands fc-redirect version2 enable S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m 1) This is a Fabric wide configuration.
Page 202 Appendix A Cisco SME CLI Commands feature S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m feature To enable and disable Cisco SME features, use the feature command.
Page 203: Interface Sme
Appendix A Cisco SME CLI Commands interface sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m interface sme To configure the Cisco SME interface on a switch, use the interface sme command.
Page 204 Appendix A Cisco SME CLI Commands interface sme (Cisco SME cluster node configuration submode) S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m interface sme (Cisco SME cluster node configuration submode) To add a Cisco SME interface from a local or a remote switch to a cluster, use the interface sme command.
Page 205 Appendix A Cisco SME CLI Commands interface sme (Cisco SME cluster node configuration submode) S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Related Commands Command Description...
Page 206 Appendix A Cisco SME CLI Commands key-ontape S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m key-ontape To configure keys on the tape mode and store the encrypted security keys on the backup tapes, use the key-ontape command.
Page 207 Appendix A Cisco SME CLI Commands key-ontape S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Related Commands Command Description...
Page 208 Appendix A Cisco SME CLI Commands link-state-trap S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m link-state-trap To enable an Simple Network Management Protocol (SNMP) link state trap on an interface, use the link-state-trap command.
Page 209 Appendix A Cisco SME CLI Commands load-balancing S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m load-balancing To enable cluster load balancing for all targets or specific targets, use the load-balancing command.
Page 210 Appendix A Cisco SME CLI Commands node S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m node To configure Cisco SME switch, use the node command.
Page 211 Appendix A Cisco SME CLI Commands odrt.bin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m odrt.bin To perform offline data recovery of tape encrypted by Cisco SME, use the odrt.bin command on Linux-based systems.
Page 212 Appendix A Cisco SME CLI Commands odrt.bin S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Examples The following command reads and prints the Cisco tape header information on the tape: odrt -h if=/dev/sg0...
Page 213 Appendix A Cisco SME CLI Commands rule S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m rule To specify the tape volume group regular expression, use the rule command.
Page 214: Scaling Batch Enable
Appendix A Cisco SME CLI Commands scaling batch enable S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m scaling batch enable To enable scalability in the Cisco SME configuration, use the scaling batch enable command.
Page 215 Appendix A Cisco SME CLI Commands security-mode S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m security-mode To configure the Cisco SME security settings, use the security-mode command.
Page 216 Appendix A Cisco SME CLI Commands setup S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m setup To run the basic setup facility, use the setup command.
Page 217 Appendix A Cisco SME CLI Commands shared-keymode S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m shared-keymode To configure the shared key mode, use the shared-keymode command.
Page 218: Show Debug
Appendix A Cisco SME CLI Commands show debug S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show debug To display all Cisco SME-related debug commands configured on the switch, use the show debug command.
Page 219 Appendix A Cisco SME CLI Commands show fc-redirect active-configs S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show fc-redirect active-configs To display all active configurations on a switch, use the show fc-redirect active-configs command.
Page 220 Appendix A Cisco SME CLI Commands show fc-redirect active-configs S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m ========== Appl UUID = 0x00D8 (ISAPI CFGD Service) SSM Slot = 2...
Page 221 Appendix A Cisco SME CLI Commands show fc-redirect configs S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show fc-redirect configs To display all the current configuration mode on a switch, use the show fc-redirect configs command.
Page 222 Appendix A Cisco SME CLI Commands show fc-redirect peer-switches S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show fc-redirect peer-switches To display all the peer switches in the fabric running FC-Redirect, use the show fc-redirect peer-switches command.
Page 223 Appendix A Cisco SME CLI Commands show fc-redirect peer-switches S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Related Commands Command Description...
Page 224: Show Interface Sme
Appendix A Cisco SME CLI Commands show interface sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show interface sme To display the information about Cisco SME interface, use the show interface sme command.
Page 225 Appendix A Cisco SME CLI Commands show interface sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m clear luns 0, encrypted luns 0 errors 0 CTH, 0 authentication...
Page 226: Show Role
Appendix A Cisco SME CLI Commands show role S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show role To display the description about the various Cisco SME role configurations, use the show role command.
Page 227 Appendix A Cisco SME CLI Commands show role S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Role: sme-kmc-admin Description: new role Vsan policy: permit (default)
Page 228: Show Sme Cluster
Appendix A Cisco SME CLI Commands show sme cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show sme cluster To display the information about the Cisco SME cluster, use the show sme cluster command.
Page 229 Appendix A Cisco SME CLI Commands show sme cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m volgrp volume group Displays tape volume group name.
Page 230 Appendix A Cisco SME CLI Commands show sme cluster S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The following example displays the specific recovery officer of a cluster: switch# show sme cluster clustername1 recovery officer Recovery Officer 1 is set...
Page 231: Show Sme Transport
Appendix A Cisco SME CLI Commands show sme transport S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show sme transport To display the Cisco SME cluster transport information, use the show sme transport command.
Page 232 Appendix A Cisco SME CLI Commands show tech-support sme S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m show tech-support sme To display the information for Cisco SME technical support, use the show tech-support sme command.
Page 233 Appendix A Cisco SME CLI Commands shutdown (interface configuration submode) S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m shutdown (interface configuration submode) To disable an Cisco SME interface, use the shutdown command.
Page 234 Appendix A Cisco SME CLI Commands shutdown (Cisco SME cluster configuration submode) S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m shutdown (Cisco SME cluster configuration submode) To disable a cluster for recovery, use the shutdown command.
Page 235 Appendix A Cisco SME CLI Commands S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To enable or disable the Cisco SME services, use the sme command.
Page 236 Appendix A Cisco SME CLI Commands S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m To configure Secure Sockets Layer (SSL), use the ssl command.
Page 237 Appendix A Cisco SME CLI Commands tape-bkgrp S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tape-bkgrp To configure a crypto tape backup group, use the tape-bkgrp command.
Page 238 Appendix A Cisco SME CLI Commands tape-compression S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tape-compression To configure tape compression, use the tape-compression command.
Page 239 Appendix A Cisco SME CLI Commands tape-device S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tape-device To configure a crypto tape device, use the tape-device command.
Page 240 Appendix A Cisco SME CLI Commands tape-keyrecycle S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tape-keyrecycle To configure a tape key recycle policy, use the tape-keyrecycle command.
Page 241 Appendix A Cisco SME CLI Commands tape-volgrp S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tape-volgrp To configure the crypto tape volume group, use the tape-volgrp command.
Page 242 Appendix A Cisco SME CLI Commands tune-timer S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m tune-timer To tune the Cisco SME timers, use the tune-timer command.
Page 243 Appendix A Cisco SME CLI Commands tune-timer S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m switch(config-sme-cl)# tune-timer rscn_suppression_timer 2 switch(config-sme-cl)# The following example configures a target load balancing timer value:...
Page 244 Appendix A Cisco SME CLI Commands tune-timer S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide A-56 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 245: Offline Data Recovery In Cisco Sme
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Offline Data Recovery in Cisco SME The Cisco SME solution provides seamless encryption service through a hardware-based encryption...
Page 246 Appendix B Offline Data Recovery in Cisco SME About Offline Data Restore Tool S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m For more information about the odrt.bin command, see Appendix A, “Cisco SME CLI Commands.”...
Page 247: Provisioning Self-Sign Certificates
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Provisioning Self-Sign Certificates The Secure Socket Layer (SSL) protocol secures the network communication and allows data to be...
Page 248: Creating Ca Certificates
Appendix C Provisioning Self-Sign Certificates Configuring SSL for Cisco SME S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Creating CA Certificates To generate the CA certificates, follow these steps: Create a CA certificate using the OpenSSL application.
Page 249 Appendix C Provisioning Self-Sign Certificates Configuring SSL for Cisco SME S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Generate a certificate request for enrolling with the trustpoint created in Step 3.
Page 250: Generating Kmc Certificate
Appendix C Provisioning Self-Sign Certificates Generating and Installing Self-Signed Certificates S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Generating KMC Certificate To generate the KMC server certificate, follow these steps: Generate KMC certificate by entering the following commands in the OpenSSL application:...
Page 251 Appendix C Provisioning Self-Sign Certificates Generating and Installing Self-Signed Certificates S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Generate all certificates and configure switch Print this usage screen switch:./createSmeCerts.tcl a...
Page 252: Editing Ssl Settings In Cisco Fabric Manager Web Client
Appendix C Provisioning Self-Sign Certificates Editing SSL Settings in Cisco Fabric Manager Web Client S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Run ./Encrypter.sh ssl Edit <FMInstall>/conf/server.properties;...
Page 253 Appendix C Provisioning Self-Sign Certificates Editing SSL Settings in Cisco Fabric Manager Web Client S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Click Edit SSL Settings.
Page 254 Appendix C Provisioning Self-Sign Certificates Editing SSL Settings in Cisco Fabric Manager Web Client S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m New clusters are created.
Page 255: Selecting Rkm
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X RSA Key Manager and Cisco SME This appendix describes the procedures to be followed to set up the RSA Key Manager (RKM) to work...
Page 256: Generating Ca Certificates
Appendix D RSA Key Manager and Cisco SME Generating CA Certificates S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Generating CA Certificates Generating CA certificates requires access to an OpenSSL system.
Page 257 Appendix D RSA Key Manager and Cisco SME Generating CA Certificates S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m OpenSSL>...
Page 258: Creating Jks Files Using The Java Keytool
Appendix D RSA Key Manager and Cisco SME Creating JKS Files Using the Java Keytool S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m An optional company name []: Set the duration the certificate will be valid.
Page 259: Placing Certificates In Rkm
Appendix D RSA Key Manager and Cisco SME Placing Certificates in RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Placing Certificates in RKM To place certificates in the RKM, follow these steps: Step 1...
Page 260: Selecting Rkm
Appendix D RSA Key Manager and Cisco SME Selecting RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The Identities-Create screen is displayed.
Page 261 Appendix D RSA Key Manager and Cisco SME Selecting RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Enter the RKM server IP address.
Page 262: Migrating From Cisco Kmc To Rkm
Appendix D RSA Key Manager and Cisco SME Migrating From Cisco KMC to RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The confirmation window displays the RKM server IP address and the RKM port number.
Page 263 Appendix D RSA Key Manager and Cisco SME Migrating From Cisco KMC to RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Run the following database scripts from the database administrative console: Step 5 For the key catalog on PostgresSQL, run postgres-kmc-rkm-pre-migrate.sql.
Page 264 Appendix D RSA Key Manager and Cisco SME Migrating From Cisco KMC to RKM S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide D-10 OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 265: Database Backup And Restore
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Database Backup and Restore Databases need to have a well-defined and thoroughly tested backup and restore plan so that access to...
Page 266: Restoring Fabric Manager Server Database
Appendix E Database Backup and Restore Restoring Fabric Manager Server Database S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Restoring Fabric Manager Server Database To restore the Fabric Manager Server database, use the pg_restore command.
Page 267: Planning For Cisco Sme Installation
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Planning For Cisco SME Installation This appendix outlines the steps and guidelines that you need to be follow to ensure a successful Cisco...
Page 268: Interoperability Matrix
Appendix F Planning For Cisco SME Installation Interoperability Matrix S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Number of hosts and tape drives.
Page 269 Appendix F Planning For Cisco SME Installation Security S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m For more information about key policies, refer to the Storage Media Encryption Key Note...
Page 270: Preinstallation Requirements
Appendix F Planning For Cisco SME Installation Preinstallation Requirements S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Ports 9333 to 9339 for TCP and UDP for Cisco SME cluster communication –...
Page 271: Configuring Cfs Regions For Fc-Redirect
Appendix F Planning For Cisco SME Installation Preconfiguration Tasks S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Ensure that the Cisco Fabric Manager login name and password is the same as the switch login name •...
Page 272: Assigning Cisco Sme Roles And Users
Appendix F Planning For Cisco SME Installation Preconfiguration Tasks S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Set the FC Redirect version to 2 (if you are using SAN-OS Release 3.1(1a) or later, or NX-OS 4.x).
Page 273 Appendix F Planning For Cisco SME Installation Provisioning Cisco SME S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Restart the Fabric Manager server and KMC after installing the SSL certificates.
Page 274 Appendix F Planning For Cisco SME Installation Provisioning Cisco SME S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x...
Page 275 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m A P P E N D I X Migrating Cisco SME Database Tables This appendix describes a database migration utility and also outlines the steps you need to follow to...
Page 276 Appendix G Migrating Cisco SME Database Tables S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m The sample output would be as follows: [root@test-vm-236 SMEdbmigrate]# ./smedbmigrate.sh [INFO] File /root/download/SMEdbmigrate/smedbmigration.properties found...
Page 277 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m I N D E X Cisco SAN-OS features changed (table)
Page 278 Index S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m quorum 4-30 Fabric Manager Web Client...
Page 279 Index S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m Advanced 4-5, 6-3 Basic...
Page 280 Index S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m troubleshooting tapes recycling tapes...

This manual is also suitable for:

Ap775a - nexus converged network switch 5010 Ap776a - nexus converged network switch 5020 Cisco mds 9124 - fabric switch Cisco mds 9020 - fabric switch Cisco mds 9120 - fabric switch Cisco mds 9140 - fabric switch ... Show all

Cisco AJ732A - MDS 9134 Fabric Switch Configuration Manual

New and Changed Information

Chapter 1 Product Overview

Chapter 2 Getting Started

CHAPTER 3 Cisco SME Interface Configuration

Chapter 4 Cisco SME Cluster Management

Chapter 5 Cisco SME Tape Configuration

Chapter 6 Cisco SME Key Management

Chapter 7 Using the Command Line Interface to Configure SME

Chapter 8 Cisco SME Best Practices

Chapter 9 Cisco SME Troubleshooting

Appendix

Cisco SME CLI Commands

Appendix A Cisco SME CLI Command

Offline Data Recovery in Cisco Sme

Provisioning Self-Sign Certificates

Rsa Key Manager and Cisco Sme

Database Backup and Restore

Planning for Cisco Sme Installation

Quick Links

Troubleshooting

Related Manuals for Cisco AJ732A - Cisco MDS 9134 Fabric Switch

Summary of Contents for Cisco AJ732A - Cisco MDS 9134 Fabric Switch