Transparent Fabric Service; Encryption; Cisco SME Roles - Cisco AJ732A - MDS 9134 Fabric Switch Configuration Manual

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)

Chapter 1
Product Overview
Send documentation comments to mdsfeedback-doc@cisco.com

Transparent Fabric Service

Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an
MSM-18/4 module or an MDS 9222i switch anywhere in the fabric. There are no appliances in-line in
the data path and there is no SAN rewiring or reconfiguration.

Encryption

Cisco SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest.
Advanced Cisco MDS 9000 SAN-OS and NX-OS software security features, such as Secure Shell
(SSH), Secure Sockets Layer (SSL), RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the
foundation for the secure FIPS Level 3 architecture.
Cisco SME uses the NIST-approved random number standard to generate the keys for encryption.
Encryption and compression services are transparent to the hosts and storage devices.

Cisco SME Roles

Cisco SME services include the following four configuration and security roles:

• Cisco SME Administrator
• Cisco SME Storage Administrator
• Cisco SME Key Management Center (KMC) Administrator
• Cisco SME Recovery Officer

The Cisco SME Administrator configures and maintains Cisco SME. This role can be filled by multiple
storage network administrators. The Cisco SME Storage Administrators are responsible for Cisco SME
provisioning operations and the Cisco SME KMC Administrators are responsible for the Cisco SME
KMC administration operations. The security officer may be assigned the Cisco SME KMC
Administrator role in some scenarios.

Note: Cisco SME Administrator role includes the Cisco SME Storage Administrator and the Cisco SME KMC
Administrator roles.

The Cisco SME Recovery Officers are responsible for key recovery operations. During Cisco SME
configuration, additional Recovery Officers can be added. Cisco SME Recovery Officers play a critical
role in recovering the key database of a deactivated cluster and they are responsible for protecting the
master key. The role of the Cisco SME Recovery Officer separates master key management from Cisco
SME administrations and operations. In some organizations, a security officer may be assigned to this
role.

At the advanced security level, a quorum of Cisco SME Recovery Officers is required to perform
recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to
unlock the master key.

For additional information on Cisco SME Administrator and Cisco SME Recovery Officer roles, see the
"Creating and Assigning Cisco SME Roles and Cisco SME Users" section on page 2-9.
