Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

53-1002721-01
14 December 2012
Fabric OS Encryption Administrator's Guide
Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments
Supporting Fabric OS v7.1.0

Summary of Contents for Brocade Communications Systems StoreFabric SN6500B

  • Page 1 53-1002721-01 14 December 2012 Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments Supporting Fabric OS v7.1.0...
  • Page 2 Copyright © 2011 - 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3: Table Of Contents

    Contents About This Document In this chapter ... xiii How this document is organized ...
  • Page 4 Support for virtual fabrics ... 11 Cisco Fabric Connectivity support ... 12 Chapter 2 Configuring Encryption Using the Management Application Encryption Center features ...
  • Page 5 Replacing an encryption engine in an encryption group ... 55 High availability (HA) clusters ... 56 Creating High availability (HA) clusters ...
  • Page 6 Disk device decommissioning ... 99 Decommissioning Disk LUNs ... 100 Displaying and deleting decommissioned key IDs ...
  • Page 7 Steps for connecting to an SKM or ESKM appliance ... 136 Configuring a Brocade group ... 136 Setting up the local Certificate Authority (CA) ...
  • Page 8 Crypto LUN configuration ... 170 Discovering a LUN ... 171 Configuring a Crypto LUN ...
  • Page 9 Deployment in Fibre Channel routed fabrics ... 207 Deployment as part of an edge fabric ... 209 Deployment with FCIP extension switches ...
  • Page 10 Rekeying best practices and policies ... 295 Manual rekey ... 295 Latency in rekey operations ...
  • Page 11 General encryption troubleshooting ... 325 Troubleshooting examples using the CLI ... 328 Encryption Enabled CryptoTarget LUN ...
  • Page 12 Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 53-1002721-01...
  • Page 13: About This Document

    About This Document In this chapter • How this document is organized ... xiii •...
  • Page 14: Supported Hardware And Software

    • Chapter 6, “Maintenance and Troubleshooting,” provides information on troubleshooting and the most common commands and procedures to use to diagnose and recover from problems. • Appendix A, “State and Status Information,” lists the encryption engine security processor (SP) states, security processor key encryption key (KEK) status information, and encrypted LUN states.
  • Page 15: Command Syntax Conventions

    Command syntax conventions Command syntax in this manual follows these conventions: command Commands are printed in bold. option, option Command options are printed in bold. argument, arg Arguments. Optional element. variable Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets <...
  • Page 16: Notice To The Reader

    For definitions specific to this document, see “Terminology” on page 2. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.org/education/dictionary Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
  • Page 17: Other Industry Resources

    For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com Release notes are available on the MyBrocade website and are also bundled with the Fabric OS firmware. Other industry resources • White papers, online demos, and data sheets are available through the Brocade website at http://www.brocade.com/products-solutions/products/index.page.
  • Page 18: Document Feedback

    The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below: *FT00X0054E9* FT00X0054E9 The serial number label is located as follows: • Brocade Encryption Switch—On the switch ID pull-out tab located inside the chassis on the port side of the switch on the left.
  • Page 19: Encryption Overview

    Chapter 1 Encryption Overview In this chapter • Host and LUN considerations ... 1 •...
  • Page 20: Terminology

    Terminology The following are definitions of terms used extensively in this document. ciphertext Encrypted data. cleartext Unencrypted data. CryptoModule The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
  • Page 21 Terminology Opaque Key Vault A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted in a master key to protect them. Recovery cards A set of smart cards that contain a backup master key.
  • Page 22: The Brocade Encryption Switch

    The Brocade Encryption Switch The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.
  • Page 23: The Fs8-18 Blade

    The FS8-18 blade The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs on the Brocade DCX Backbone chassis, which include the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis. FIPS mode Both the Brocade Encryption Switch and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled.
  • Page 24: Recommendation For Connectivity

    Recommendation for connectivity In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os.
  • Page 25: Brocade Encryption Solution Overview

    Brocade encryption solution overview The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft, or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
  • Page 26: Data Flow From Server To Storage

    Brocade encryption solution overview Data flow from server to storage The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host and a target LUN are redirected to a virtual target associated with the encryption switch.
  • Page 27: Data Encryption Key Life Cycle Management

    Data encryption key life cycle management Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created.
  • Page 28 Data encryption key life cycle management FIGURE 5 DEK life cycle Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 53-1002721-01...
  • Page 29: Master Key Management

    Master key management Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM. Master key generation A master key must be generated by the group leader encryption engine.
  • Page 30: Cisco Fabric Connectivity Support

    Cisco Fabric Connectivity support The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN OS 3.3 and later versions. Cisco fabric connectivity is provided only on the Brocade Encryption Switch. The FS8-18 blade for the Brocade DCX Backbone chassis does not support this feature.
  • Page 31: Configuring Encryption Using The Management Application

    Chapter 2 Configuring Encryption Using the Management Application In this chapter • Encryption Center features ... 14 •...
  • Page 32: Encryption Center Features

    Encryption Center features • Viewing and editing encryption group properties ... 112 • Encryption-related acronyms in log messages ... 125 Encryption Center features The Encryption Center dialog box is the single launching point for all encryption-related configuration in Brocade Network Advisor (BNA)
  • Page 33: Encryption User Privileges

    Encryption user privileges In BNA, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time. BNA provides three pre-configured roles: •...
  • Page 34: Smart Card Usage

    Smart card usage TABLE 1 Encryption privileges (Continued) Privilege Read/Write • Storage Encryption Launch the Encryption center dialog box. • View switch, group, or engine properties. Security • View Encryption Group Properties Security tab. • View LUN centric view. • View all rekey sessions.
  • Page 35: Registering Authentication Cards From A Card Reader

    Smart card usage • Establishing a trusted link with the NetApp LKM key vault. • Decommissioning a LUN. When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access. Registering authentication cards from a card reader To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
  • Page 36 Smart card usage 3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 37: Registering Authentication Cards From The Database

    Smart card usage Registering authentication cards from the database Smart cards that are already in the Management program’s database can be registered as authentication cards. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 38: Deregistering An Authentication Card

    Smart card usage Deregistering an authentication card Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 39: Using System Cards

    Smart card usage Using system cards System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card.
  • Page 40: Enabling Or Disabling The System Card Requirement

    Smart card usage Enabling or disabling the system card requirement To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch.
  • Page 41: Deregistering System Cards

    Smart card usage Deregistering system cards System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
  • Page 42 Smart card usage • Card ID: Lists the smart card ID, prefixed with an ID that identifies how the card is used. For example, rc.123566b700017818, where rc stands for recovery card. • Card Type: Options are: System card, Authentication card, and Recovery set. •...
  • Page 43 Smart card usage FIGURE 7 Smart Card asset tracking dialog box 3. Select a smart card from the table, then do one of the following: • Click Delete to remove the smart card from the BNA database. Deleting smart cards from the BNA database keeps the Smart Cards table at a manageable size, but does not invalidate the smart card.
  • Page 44: Editing Smart Cards

    Smart card usage Editing smart cards Smart cards can be used for user authentication, master key storage and backup, and as a system card for authorizing use of encryption operations. 1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar to display the Edit Smart Card dialog box (Figure 8). FIGURE 8...
  • Page 45: Network Connections

    Network connections Before you use the encryption setup wizard for the first time, you must have the following required network connections: • The management ports on all encryption switches and 8-slot Backbone Chassis CPs that have encryption blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
  • Page 46: Configuring Blade Processor Links

    Encryption node initialization and certificate generation Configuring blade processor links To configure blade processor links, complete the following steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 1 on page 14.) 2.
  • Page 47: Setting Encryption Node Initialization

    Steps for connecting to an ESKM/SKM appliance Setting encryption node initialization Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized from the Encryption Center dialog box. 1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar.
  • Page 48: Configuring A Brocade Group On Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance Configuring a Brocade group on ESKM/SKM A Brocade group is configured on ESKM/SKM for all keys created by encryption switches and blades. This needs to be done only once for each key vault. 1.
  • Page 49 Steps for connecting to an ESKM/SKM appliance FIGURE 10 Key Vault Credentials dialog box The dialog box contains the following information: • Primary Key Vault: Primary Key Vault is preselected. ESKM/SKM key vaults are clustered, so only one set of credentials is needed. •...
  • Page 50: Setting Up The Local Certificate Authority (Ca) On Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance Setting up the local Certificate Authority (CA) on ESKM/SKM To create and install a local CA, complete the following steps: 1. Log in to the ESKM/SKM management web console using the admin password. 2.
  • Page 51: Downloading The Local Ca Certificate From Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance FIGURE 11 Creating an HP ESKM/SKM local CA 5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles. 6. Click on Default under Profile Name. In the Trusted Certificate Authority List, click Edit. 8.
  • Page 52: Creating And Installing The Eskm/Skm Server Certificate

    Steps for connecting to an ESKM/SKM appliance Creating and installing the ESKM/SKM server certificate To create the ESKM/SKM server certificate, complete the following steps: 1. Click the Security tab. 2. Under Certificates and CAs, select Certificates. 3. Enter the required information under Create Certificate Request. Enter a Certificate Name and Common Name.
  • Page 53: Server

    Steps for connecting to an ESKM/SKM appliance 17. Select the server certificate name you just created from the certificate list, and select Properties. The Certificate Request Information window displays. 18. Click Install Certificate. The Certificate Installation window displays. 19. Paste the signed certificate data you copied under Certificate Response, then click Save. The status of the server certificate should change from Request Pending to Active.
  • Page 54: Copying The Local Ca Certificate For A Clustered Eskm/Skm Appliance

    Steps for connecting to an ESKM/SKM appliance 4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a different value for your site. 5. Type the cluster password in the Create Cluster section of the main window to create the new cluster, then click Create.
  • Page 55: Signing The Encryption Node Kac Certificates

    Steps for connecting to an ESKM/SKM appliance 9. Click Save. 10. Select the Device tab. 11. In the Device Configuration menu, click Cluster. 12. Click Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their default settings.
  • Page 56: Importing A Signed Kac Certificate Into A Switch

    Steps for connecting to an ESKM/SKM appliance 12. Paste the file contents that you copied in step 3 in the Certificate Request Copy area. 13. Select Sign Request. 14. Download the signed certificate to your local system as signed_kac_eskm_cert.pem or signed_kac_skm_cert.pem, depending on your key vault type.
  • Page 57 Steps for connecting to an ESKM/SKM appliance Disk keys and tape pool keys support: DEK creation, retrieval, and update for disk and tape pool keys are handled as follows: • DEK creation: The DEK is first archived to the virtual IP address of the ESKM/SKM cluster. The request gets routed to the primary or secondary ESKM/SKM, and is synchronized with other ESKMs or SKMs in the cluster.
  • Page 58: Encryption Preparation

    Encryption preparation Before you use the encryption setup wizard for the first time, you should have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following: • You have a plan in place to organize encryption devices into encryption groups. •...
  • Page 59 Creating a new encryption group 2. Select a switch from the <NO GROUP DEFINED> encryption group. (The switch must not be assigned to an encryption group.) 3. Select Encryption > Create/Add to Group from the menu task bar. The Configure Switch Encryption wizard welcome screen displays (Figure 14).
  • Page 60 Creating a new encryption group 4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays (Figure 15). The dialog box contains the following options: • Create a new encryption group containing just the switch: Creates an encryption group for the selected switch •...
  • Page 61 Creating a new encryption group FIGURE 16 Create a New Encryption Group dialog box The dialog box contains the following information: • Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive. •...
  • Page 62 Creating a new encryption group FIGURE 17 Select Key Vault dialog box Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Prior to selecting your Key Vault Type, the selection is shown as None. The dialog box contains the following information: •...
  • Page 63: Configuring Key Vault Settings For Hp Enterprise Secure Key Manager (Eskm/Skm)

    Creating a new encryption group Configuring key vault settings for HP Enterprise Secure Key Manager (ESKM/SKM) The following procedure assumes you have already configured the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to “Creating a new encryption group”...
  • Page 64 Creating a new encryption group FIGURE 19 Specify Certificate Signing Request File Name dialog box 8. Enter the location of the file where you want to store the certificate information, or browse to the desired location, then click Next. The Specify Master Key File Name dialog box displays (Figure 20).
  • Page 65 Creating a new encryption group 10. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays (Figure 21). FIGURE 21 Select Security Settings dialog box 11. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above.
  • Page 66 Creating a new encryption group FIGURE 22 Confirm Configuration dialog box The Configuration Status dialog box displays (Figure 23). FIGURE 23 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step.
  • Page 67: Understanding Configuration Status Results

    Creating a new encryption group After configuration of the encryption group is completed, BNA sends API commands to verify the switch configuration. See “Understanding configuration status results” on page 49 for more information. 13. Review important messages, then click Next. The Next Steps dialog box displays (Figure 24).
  • Page 68: Adding A Switch To An Encryption Group

    Adding a switch to an encryption group 5. Create a new master key. (Opaque key vaults only). BNA checks for a new master key. New master keys are generated from the Security tab located in the Encryption Group Properties dialog box. NOTE A master key is not generated if the key vault type is LKM.
  • Page 69 Adding a switch to an encryption group 3. Click Next. The Designate Switch Membership dialog box displays (Figure 26). FIGURE 26 Designate Switch Membership dialog box 4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays (Figure 27).
  • Page 70 Adding a switch to an encryption group FIGURE 27 Add Switch to Existing Encryption Group dialog box 5. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate (KAC) File Name dialog box displays (Figure 28).
  • Page 71 Adding a switch to an encryption group 6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays (Figure 29).
  • Page 72 Adding a switch to an encryption group All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
  • Page 73: Replacing An Encryption Engine In An Encryption Group

    Replacing an encryption engine in an encryption group To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
  • Page 74: High Availability (Ha) Clusters

    High availability (HA) clusters A high availability (HA) cluster is a group of exactly two encryption engines (EEs). One encryption engine can take over encryption and decryption tasks for the other encryption engine, if that member fails or becomes unreachable. When creating a new HA Cluster, add one engine to create the cluster, then add the second engine.
  • Page 75: Removing Engines From An Ha Cluster

    High availability (HA) clusters FIGURE 33 Encryption Group Properties dialog box - HA Clusters tab NOTE If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters. Letters, digits, and underscores are allowed. Removing engines from an HA cluster Removing the last engine from an HA cluster also removes the HA cluster.
  • Page 76: Swapping Engines In An Ha Cluster

    High availability (HA) clusters Swapping engines in an HA cluster Swapping engines is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member. 1.
  • Page 77: Configuring Encryption Storage Targets

    Configuring encryption storage targets Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch. The storage encryption wizard enables you to configure encryption for a storage device (target). NOTE It is recommended that you configure the host and target in the same zone before configuring them for encryption.
  • Page 78 Configuring encryption storage targets FIGURE 34 Encryption Targets dialog box 3. Click Add. The Configure Storage Encryption welcome screen displays (Figure 35). FIGURE 35 Configure Storage Encryption welcome screen 4. Click Next. The Select Encryption Engine dialog box displays (Figure 36).
  • Page 79 Configuring encryption storage targets FIGURE 36 Select Encryption Engine dialog box The dialog box contains the following information: • Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed: • If an encryption group was selected, the list includes all engines in the group. •...
  • Page 80 Configuring encryption storage targets FIGURE 37 Select Target dialog box The dialog box contains the following information: • Target Port WWN: The world wide name of the target port in the same fabric as the encryption engine. • Target Port Name: The name of the target port in the same fabric as the encryption engine. •...
  • Page 81 Configuring encryption storage targets FIGURE 38 Select Hosts dialog box The dialog box contains the following information: • Hosts in Fabric table: Lists the available hosts in the fabric. • Selected Hosts table: Lists the hosts that have been selected to access the target. •...
  • Page 82 Configuring encryption storage targets • Right arrow button: Moves a host from the Host in Fabric table to the Selected Hosts table. • Left arrow button: Removes a host from the Selected Hosts table. • Add button: Click to manually add host port world wide names or host node world wide names to the Selected Hosts table.
  • Page 83 Configuring encryption storage targets FIGURE 40 Confirmation dialog box The screen contains the following information: • Encryption Engine: The slot location of the encryption engine. • Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
  • Page 84 Configuring encryption storage targets FIGURE 41 Configuration Status screen The screen contains the following information: • Device: The device type (target or host). • Device Port WWN: The port world wide name. • Represented by VI/VT: The virtual target (VT) mapped to the physical target or virtual initiator (VI) representing the host.
  • Page 85: Configuring Hosts For Encryption Targets

    Configuring hosts for encryption targets FIGURE 42 Next Steps screen The screen contains the following information: • Important Instructions: Instructions about post-configuration tasks you must complete after you close the wizard. For example, you must zone the physical hosts and the target together, and then encrypt the LUNs using the Storage Device LUNs dialog box.
  • Page 86 Configuring hosts for encryption targets NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays (Figure 43). FIGURE 43 Encryption Targets dialog box 3.
  • Page 87: Adding Target Disk Luns For Encryption

    Adding target disk LUNs for encryption NOTE Both the Host Ports in Fabric table and the Selected Hosts table now contain a Port ID column to display the 24-bit PID of the host port. 4. Select one or more hosts in a fabric using either of the following methods: a.
  • Page 88 Adding target disk LUNs for encryption The Encryption Disk LUN View dialog box displays (Figure 45). FIGURE 45 Encryption Disk LUN View dialog box The dialog box provides a convenient way to view and manage disk LUNs that are provisioned from different hosts, identify conflicts between configuration policies on storage systems, and to provide a launching point for the Add New Path wizard for configuring multiple I/O paths to the LUN.
  • Page 89 Adding target disk LUNs for encryption FIGURE 46 Select Target Port dialog box The dialog box is used to select a target port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information: • Storage Array: The Storage Array selected from the LUN view prior to launching the Add New Path wizard.
  • Page 90 Adding target disk LUNs for encryption The dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information: • Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.
  • Page 91 Adding target disk LUNs for encryption • LUN table: Available LUNs identified by the following: • Host • LUN Number • LUN Serial Number • Current LUN State: Options are Encrypted, which is automatically selected if the LUN has a key ID; Clear Text, and <select> for LUNs without a key ID. User selection is required.
  • Page 92: Configuring Storage Arrays

    Adding target disk LUNs for encryption FIGURE 49 Correcting an Encryption Mode Mismatch When you correct a policy on a LUN, it is automatically selected for all paths to the selected LUN. When you modify LUN policies, a Modify icon displays to identify the modified LUN entry. 10.
  • Page 93: Adding Target Tape Luns For Encryption

    Adding target tape LUNs for encryption You can configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs, you must specify the encryption settings.
  • Page 94 Adding target tape LUNs for encryption FIGURE 51 Encryption Target Tape LUNs dialog box 4. Click Add. The Add Encryption Target Tape LUNs dialog box displays (Figure 52). A table of all LUNs in the storage device that are visible to hosts is displayed. LUNs are identified by the Host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status.
  • Page 95 Adding target tape LUNs for encryption When you select a specific host, only the LUNs visible to that host are displayed. If you select All Hosts, LUNs visible to all configured hosts are displayed. If a LUN is visible to multiple hosts, it is listed once for each host.
  • Page 96: Moving Targets

    Moving Targets Moving Targets The Move Targets dialog box is used to redistribute which engine encrypts which targets. It is also useful for transferring all targets to another engine before replacing or removing engine hardware. Moving targets to another engine may be done while traffic is flowing between the host and target. Traffic is interrupted for a short time but resumes before the host applications are affected.
  • Page 97: Tape Lun Write Early And Read Ahead

    Tape LUN write early and read ahead 9. In the Encryption Targets dialog box, select Target Port B, click LUNs, then click Add. Select the LUNs to be encrypted and the encryption policies for the LUNs, making sure that the encryption policies match the policies specified in the other path.
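The mode-mismatch correction on page 92 and step 9 above both come down to one rule: every I/O path to a LUN must carry the same encryption policy, otherwise the same blocks are written as ciphertext over one path and as plaintext over the other. The following Python is an added example, not Brocade code; it models the rows the Encryption Disk LUN View and Add Encryption Target LUNs dialogs show, flags LUNs whose paths disagree or are still at <select>, and applies the "correct on one path, propagate to all paths" behaviour the GUI performs. Field names, WWNs, serials and key IDs are constructed sample values.

```python
"""Cross-path encryption policy check for LUNs with multiple I/O paths.

Added example, not Brocade code. Rows model the LUN table columns described
in this chapter (host, target port, LUN number, LUN serial, current state,
key ID). Sample identifiers are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Optional

VALID_STATES = ("Encrypted", "Clear Text")


@dataclass(frozen=True)
class LunPath:
    host_wwn: str
    target_port_wwn: str
    lun_number: int
    serial: str                   # LUN serial number: the identity shared by all paths
    state: str                    # "Encrypted", "Clear Text" or "<select>" (not chosen)
    key_id: Optional[str] = None  # set once the LUN already has a data encryption key


def find_policy_conflicts(paths):
    """Map LUN serial -> list of problems for every LUN that is not consistent.

    A LUN is consistent when every path has chosen the same state and, if the
    LUN already has a key ID (data on the media is ciphertext), that state is
    Encrypted.
    """
    by_serial = defaultdict(list)
    for p in paths:
        by_serial[p.serial].append(p)
    conflicts = {}
    for serial, group in by_serial.items():
        states = {p.state for p in group}
        problems = []
        if "<select>" in states:
            problems.append("state not selected on at least one path")
        chosen = states - {"<select>"}
        if len(chosen) > 1:
            problems.append("paths disagree: " + ", ".join(sorted(chosen)))
        if any(p.key_id and p.state != "Encrypted" for p in group):
            problems.append("LUN already has a key ID but a path is not Encrypted")
        if problems:
            conflicts[serial] = problems
    return conflicts


def propagate_policy(paths, serial, state):
    """Apply one state to every path of the LUN (what the GUI does when you
    correct the policy on one path) and return the new row list."""
    if state not in VALID_STATES:
        raise ValueError(f"invalid LUN state {state!r}")
    return [replace(p, state=state) if p.serial == serial else p for p in paths]


# Constructed sample: three LUNs reached from one host over two target ports.
HOST = "10:00:00:00:c9:2b:c9:3a"
PORT_A = "50:06:01:60:3b:a0:1c:2d"
PORT_B = "50:06:01:68:3b:a0:1c:2d"
SAMPLE_PATHS = [
    LunPath(HOST, PORT_A, 0, "SER-A", "Encrypted", key_id="KEY-A1"),
    LunPath(HOST, PORT_B, 0, "SER-A", "Clear Text", key_id="KEY-A1"),  # mismatch
    LunPath(HOST, PORT_A, 1, "SER-B", "Encrypted", key_id="KEY-B1"),
    LunPath(HOST, PORT_B, 1, "SER-B", "Encrypted", key_id="KEY-B1"),
    LunPath(HOST, PORT_A, 2, "SER-C", "Clear Text"),
    LunPath(HOST, PORT_B, 2, "SER-C", "<select>"),                      # not chosen yet
]

if __name__ == "__main__":
    for serial, problems in find_policy_conflicts(SAMPLE_PATHS).items():
        print(serial, "->", "; ".join(problems))
    fixed = propagate_policy(SAMPLE_PATHS, "SER-A", "Encrypted")
    print("after correction:", find_policy_conflicts(fixed))
```

The key-ID rule is the one worth keeping even if you never script the rest: a LUN that already has a key ID must not be committed as Clear Text on any path, because reads over that path would return ciphertext to the host.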
  • Page 98 Tape LUN write early and read ahead FIGURE 53 Encryption Targets dialog box 3. Select a target tape storage device from the table, then click LUNs. The Encryption Target Tape LUNs dialog box displays (Figure 54). FIGURE 54 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early 4.
  • Page 99: Tape Lun Statistics

    Tape LUN statistics NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. Select the appropriate CryptoTarget container, then click Commit. Tape LUN statistics This feature enables you to view and clear statistics for tape LUNs. These statistics include the number of compressed blocks, uncompressed blocks, compressed bytes and uncompressed bytes written to a tape LUN.
  • Page 100 Tape LUN statistics FIGURE 56 Tape LUN Statistics dialog box The dialog box contains the following information: • LUN #: The number of the logical unit for which statistics are displayed. • Tape Volume/Pool: The tape volume label of the currently-mounted tape, if a tape session is currently in progress.
  • Page 101 Tape LUN statistics 3. Select a tape target storage device, then click LUNs. The Target Tape LUNs dialog box displays (Figure 57). A list of the configured tape LUNs is displayed. FIGURE 57 Target Tape LUNs dialog box 4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays (Figure 58).
  • Page 102: Viewing And Clearing Statistics For Tape Luns In A Container

    Tape LUN statistics • Host Port WWN: The WWN of the host port that is being used for the write operation. • A Refresh button updates the statistics on the display since the last reset. • A Clear button resets all statistics in the display. 5.
  • Page 103: Encryption Engine Rebalancing

    Encryption engine rebalancing FIGURE 60 Tape LUN Statistics dialog box The dialog box contains the following information: • LUN #: The number of the logical unit for which statistics are displayed. • Tape Volume/Pool: The tape volume label of the currently-mounted tape, if a tape session is currently in progress.
  • Page 104: Rebalancing An Encryption Engine

    Master keys During rebalancing operations, be aware of the following: • You might notice a slight disruption in Disk I/O. In some cases, manual intervention may be needed. • Backup jobs to tapes might need to be restarted after rebalancing is completed. To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties.
  • Page 105: Active Master Key

    Master keys The new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured) until you back up the new master key. After you have backed up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed. Rekeying causes a new data encryption key to be created and encrypted using the new active master key, thereby removing any dependency on the old master key.
  • Page 106: Master Key Actions

    Master keys Master key actions NOTE Master keys belong to the group and are managed from Group Properties. Master key actions are as follows: • Backup master key: Enabled any time a master key exists. Selecting this option launches the Backup Master Key for Encryption Group dialog box.
  • Page 107: Saving A Master Key To A Key Vault

    Master keys 3. Select Backup Master Key as the Master Key Action. The Master Key Backup dialog box displays (Figure 61), but only if the master key has already been generated. FIGURE 61 Backup Destination (to file) dialog box 4. Select File as the Backup Destination. 5.
  • Page 108: Saving A Master Key To A Smart Card Set

    Master keys 3. Select Backup Master Key as the Master Key Action. The Backup Master Key for Encryption Group dialog box displays (Figure 62). FIGURE 62 Backup Destination (to key vault) dialog box 4. Select Key Vault as the Backup Destination. 5.
  • Page 109 Master keys FIGURE 63 Backup Destination (to smart cards) dialog box 4. Select A Recovery Set of Smart Cards as the Backup Destination. 5. Enter the recovery card set size. 6. Insert the first blank card and wait for the card serial number to appear. Run the additional cards through the reader that are needed for the set.
  • Page 110: Restoring A Master Key From A File

    Master keys Saving a master key to a smart card set - Overview A card reader must be attached to the SAN Management application PC to save a master key to a recovery card. Recovery cards can only be written once to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
  • Page 111: Restoring A Master Key From A Key Vault

    Master keys FIGURE 64 Select a Master Key to Restore (from file) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select File as the Restore From location. 6. Enter a file name, or browse to the desired location. Enter the passphrase.
  • Page 112: Restoring A Master Key From A Smart Card Set

    Master keys FIGURE 65 Select a Master Key to Restore (from key vault) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select Key Vault as the Restore From location. 6. Enter the key ID of the master key that was backed up to the key vault. Enter the passphrase.
  • Page 113: Creating A New Master Key

    Master keys FIGURE 66 Select a Master Key to Restore (from a recovery set of smart cards) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select A Recovery Set of Smart Cards as the Restore From location. 6.
  • Page 114: Security Settings

    Security Settings Security Settings Security settings help you identify if system cards are required to initialize an encryption engine and also determine the number of authentication cards needed for a quorum. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 115: Setting Zeroization

    Zeroizing an encryption engine NOTE Zeroizing an engine affects the I/Os, but all target and LUN configuration remains intact. Encryption target configuration data is not deleted. You can zeroize an encryption engine only if it is enabled (running), or disabled but ready to be enabled.
  • Page 116: Using The Encryption Targets Dialog Box

    Using the Encryption Targets dialog box Using the Encryption Targets dialog box The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage.
  • Page 117: Redirection Zones

    Redirection zones Redirection zones It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can only be created if the host and target are in the same zone.
  • Page 118: Decommissioning Disk Luns

    Disk device decommissioning Provided that the crypto configuration is not left uncommitted because of any crypto configuration changes or a failed device decommission operation issued on an encryption group leader node, this error message will not be seen for any device decommission operation issued serially on an encryption group member node.
  • Page 119 Disk device decommissioning In order to delete keys from the key vault, you need to know the Universal ID (UUID). To display vendor-specific UUIDs of decommissioned key IDs, complete the following procedure: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 120: Displaying Universal Ids

    Rekeying all disk LUNs manually Displaying Universal IDs In order to delete keys from the key vaults, you need to know the Universal ID (UUID) associated with the decommissioned disk LUN key IDs. To display the Universal IDs, complete the following procedure: 1.
  • Page 121: Setting Disk Lun Re-Key All

    Rekeying all disk LUNs manually Setting disk LUN Re-key All To rekey all disk LUNs on an encryption node, complete these steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 122: Viewing Disk Lun Rekeying Details

    Rekeying all disk LUNs manually FIGURE 71 Pending manual rekey operations Viewing disk LUN rekeying details You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 1 on page 14).
  • Page 123: Viewing The Progress Of Manual Rekey Operations

    Rekeying all disk LUNs manually 4. Click Add. The Add Disk LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to the hosts. 5. Click Re-keying Details. The LUN Re-keying Details dialog box displays. The dialog box contains the following information: •...
  • Page 124 Rekeying all disk LUNs manually FIGURE 73 Re-Key Sessions Status dialog box The dialog box contains the following information: • LUN #: The LUN number. • LUN Serial #: The LUN serial number. • Re-Key Session #: The number assigned to the rekeying session. •...
  • Page 125: Thin Provisioned Luns

    Thin provisioned LUNs 2. Click Refresh periodically to update the display. Thin provisioned LUNs With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover if a disk LUN is a thin provisioned LUN. Support for a thin provisioned LUN is limited to disk containers only. Thin provisioned LUNs can be created with the new LUN option.
  • Page 126: Viewing And Editing Switch Encryption Properties

    Viewing and editing switch encryption properties NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays. (Refer to Figure 43.) 3. Select a target disk device from the table, then click LUNs. The Encryption Target Disk LUNs dialog box displays.
  • Page 127 Viewing and editing switch encryption properties FIGURE 75 Encryption Switch Properties dialog box The dialog box contains the following information: • Switch Properties table: A list of properties associated with the selected switch. • Name: The name of the selected switch •...
  • Page 128 Viewing and editing switch encryption properties • Encryption Group Status: Status options are: • OK/Converged: the group leader can communicate with all members. • Degraded: the group leader cannot communicate with one or more members. The following operations are not allowed: key vault changes, master key operations, enable/disable encryption engines, Failback mode changes, HA Cluster creation or addition (removal is allowed), tape pool changes, and any configuration changes for storage targets, hosts, and LUNs.
  • Page 129: Exporting The Public Key Certificate Signing Request (Csr)

    Viewing and editing switch encryption properties • HA Cluster Name: The name of the HA cluster (for example, Cluster1), if in an HA configuration. HA Cluster names can have up to 31 characters. Letters, digits, and underscores are allowed. • Media Type: The media type of the encryption engine.
  • Page 130: Viewing And Editing Encryption Group Properties

    Viewing and editing encryption group properties NOTE You can also select an engine from the Encryption Center Devices table, then click the Targets icon. 3. In the Encryption Engine Properties table, locate Set State To. 4. Click the adjacent Engine field and select Enabled or Disabled accordingly, then click OK. Viewing and editing encryption group properties Whenever you add or change a key vault address, you must also load the corresponding key vault certificate.
  • Page 131 Viewing and editing encryption group properties FIGURE 77 Encryption Group Properties dialog box The dialog box contains the following information: • General tab: For a description of the dialog box, refer to “General tab” on page 114. • Members tab: For a description of the dialog box, refer to “Members tab”...
  • Page 132: General Tab

    Viewing and editing encryption group properties General tab The General tab (Figure 78) is viewed from the Encryption Group Properties dialog box. To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
  • Page 133: Members Tab

    Viewing and editing encryption group properties When the first encryption engine comes back online, the encryption group’s failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.
  • Page 134 Viewing and editing encryption group properties • Node Name: The switch’s node name, if known. If unknown, this field is blank. • Connection Status: The switch’s connection status. Possible values are: Group Leader: The switch designated as the group leader, so there is no connection status.
  • Page 135: Consequences Of Removing An Encryption Switch

    Viewing and editing encryption group properties Members tab Remove button You can click the Remove button to remove a selected switch or group from the encryption group table. • You cannot remove the group leader unless it is the only switch in the group. If you remove the group leader, BNA also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.
  • Page 136: Security Tab

    Viewing and editing encryption group properties Table 2 explains the impact of removing switches. TABLE 2 Switch removal impact. Switch configuration: The switch is the only switch in the encryption group. Impact of removal: The encryption group is also removed. •...
  • Page 137 Viewing and editing encryption group properties FIGURE 80 Encryption Group Properties dialog box - Security tab The dialog box contains the following information: • Master Key Status: Displays the status of the master key. Possible values are: • Required but not created: Displays when a master key needs to be created. •...
  • Page 138: Ha Clusters Tab

    Viewing and editing encryption group properties • Registered Authentication Cards table: Lists the registered authentication cards by Group Card number, Card ID, the name of the person to which the card is assigned, and optional notes. • Register from Card Reader button: Launches the Add Authentication Card dialog box. •...
  • Page 139 Viewing and editing encryption group properties • Right- and Left-arrow buttons: You can select an encryption engine in the Non-HA Encryption Engines table and click the Right-arrow button to add the encryption engine to the High-Availability Clusters. (If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster.) Similarly, you can select an encryption engine in the High-Availability Clusters table and click the Left-arrow button to remove it from a cluster.
  • Page 140: Tape Pools Tab

    Viewing and editing encryption group properties Tape Pools tab Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools. • To add a tape pool, click Add, then complete the Add Tape Pool dialog box. •...
  • Page 141 Viewing and editing encryption group properties All encryption engines in the encryption group share the tape pool definitions. Tapes can be encrypted by any encryption engine in the group where the container for the tape target LUN is hosted. The tape media is mounted on the tape target LUN. Tape pool definitions are not needed to read a tape.
  • Page 142: Engine Operations Tab

    Viewing and editing encryption group properties 4. Based on your selection, do one of the following: • If you selected Name as the Tape Pool Label Type, enter a name for the tape pool. This name must match the tape pool label or tape ID that is configured on the tape backup/restore application.
  • Page 143: Encryption-Related Acronyms In Log Messages

    Encryption-related acronyms in log messages FIGURE 85 Encryption Group Properties Dialog Box - Engine Operations Tab NOTE You cannot replace an encryption engine if it is part of an HA Cluster. Encryption-related acronyms in log messages Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation.
  • Page 144 Encryption-related acronyms in log messages Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 53-1002721-01...
  • Page 145: Configuring Encryption Using The Cli

    Chapter Configuring Encryption Using the CLI In this chapter • Overview, page 128 •...
  • Page 146: Overview

    Overview Overview This chapter explains how to use the command line interface (CLI) to configure a Brocade Encryption Switch, or an FS8-18 Encryption blade in a DCX Backbone chassis to perform data encryption. This chapter assumes that the basic setup and configuration of the Brocade Encryption Switch and DCX Backbone chassis have been done as part of the initial hardware installation, including setting the management port IP address.
  • Page 147: Command Rbac Permissions And Ad Types

    Command RBAC permissions and AD types 4. PortMember: allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD. Command RBAC permissions and AD types Two RBAC roles are permitted to perform Encryption operations.
  • Page 148 Command RBAC permissions and AD types TABLE 4 Encryption command RBAC availability and admin domain type (Continued). Columns: Command name; role columns User, Admin, Operator, Switch Admin, Zone Admin, Fabric Admin, Basic Switch Admin, Security Admin; Admin Domain. Rows on this page, with the Admin Domain column value: createhacluster: Disallowed; createtapepool: Disallowed; decommission: Disallowed; deletecontainer: Disallowed...
  • Page 149 Command RBAC permissions and AD types TABLE 4 Encryption command RBAC availability and admin domain type (Continued). Columns: Command name; role columns User, Admin, Operator, Switch Admin, Zone Admin, Fabric Admin, Basic Switch Admin, Security Admin; Admin Domain. Rows on this page, with the Admin Domain column value: rebalance: Disallowed; reclaim: Disallowed; recovermasterkey: Disallowed; refreshdek: Disallowed...
  • Page 150: Cryptocfg Help Command Output

    Cryptocfg Help command output Cryptocfg Help command output All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options. switch:admin> cryptocfg --help Usage: cryptocfg --help -nodecfg: Display the synopsis of node parameter configuration. --help -groupcfg: Display the synopsis of group parameter configuration.
  • Page 151: Configuring Cluster Links

    Configuring cluster links Configuring cluster links Each encryption switch or FS8-18 blade has two gigabit Ethernet ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports are bonded together as a single virtual network interface. Only one IP address is used.
  • Page 152: Ip Address Change Of A Node Within An Encryption Group

    Configuring cluster links DHCP: Off eth0: 10.33.54.208/20 eth1: none/none Gateway: 10.33.48.1 NOTE The IP address of the cluster link should be configured before enabling the encryption engine for encryption. If the IP address is configured after the encryption engine is enabled for encryption, or if the IP address of the cluster link ports is modified after the encryption engine is enabled for encryption, the encryption switch must be rebooted, and the encryption blade must be powered off and powered on (slotpoweroff/slotpoweron) for the IP address configuration to take effect.
  • Page 153: Setting Encryption Node Initialization

    Setting encryption node initialization 5. Register the node with the group leader using new IP address. Setting encryption node initialization When an encryption node is initialized, the following security parameters and certificates are generated: • FIPS crypto officer • FIPS user •...
  • Page 154: Steps For Connecting To An Skm Or Eskm Appliance

    Steps for connecting to an SKM or ESKM appliance Steps for connecting to an SKM or ESKM appliance The following configuration steps are performed from the SKM/ESKM management web console, which can be accessed from any web browser with Internet access to the SKM/ESKM appliance. The same procedure is used for creating both SKM and ESKM encryption groups.
  • Page 155: Setting Up The Local Certificate Authority (Ca)

    Steps for connecting to an SKM or ESKM appliance 13. Select Save. The Brocade user name and password are now configured on SKM/ESKM. NOTE Fabric OS v6.2.x uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM.
  • Page 156: Downloading The Local Ca Certificate

    Steps for connecting to an SKM or ESKM appliance FIGURE 86 Creating an HP SKM/ESKM Local CA 5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles. 6. Click on Default under Profile Name. In the Trusted Certificate Authority List, click Edit.
  • Page 157: Creating And Installing The Skm Or Eskm Server Certificate

    Steps for connecting to an SKM or ESKM appliance Creating and installing the SKM or ESKM server certificate To create the SKM/ESKM server certificate, complete the following steps: 1. Click the Security tab. 2. Under Certificates and CAs, select Certificates. 3.
  • Page 158: Enabling Ssl On The Key Management System (Kms)

    Steps for connecting to an SKM or ESKM appliance 17. Select the server certificate name you just created from the certificate list, and select Properties. The Certificate Request Information window displays. 18. Click Install Certificate. The Certificate Installation window displays. 19.
  • Page 159: Creating An Skm Or Eskm High Availability Cluster

    Steps for connecting to an SKM or ESKM appliance 4. Click Edit. A warning message might display explaining that if you disable SSL, you must have TLS enabled for your web browser. 5. Configure the KMS Server Settings. Ensure that the port and connection timeout settings are 9000 and 3600, respectively.
  • Page 160: Adding Skm Or Eskm Appliances To The Cluster

    Steps for connecting to an SKM or ESKM appliance 3. Select the name of the local CA from the Local Certificate Authority list. The CA Certificate Information is displayed. 4. Copy the certificate request, beginning with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.
  • Page 161: Initializing The Fabric Os Encryption Engines

    Steps for connecting to an SKM or ESKM appliance 20. Create and install an SKM/ESKM certificate. Refer to “Creating and installing the SKM or ESKM server certificate” on page 139 for a description of this procedure. NOTE An SKM/ESKM cluster may have many members, but the Brocade encryption products support only two as primary and secondary key vaults.
  • Page 162: Signing The Brocade Encryption Node Kac Certificates

    Steps for connecting to an SKM or ESKM appliance SecurityAdmin:switch> cryptocfg --initEE This will overwrite previously generated identification and authentication data ARE YOU SURE (yes, y, no, n): y Operation succeeded. 6. Register the encryption engine by entering the cryptocfg --regEE command.
  • Page 163: Registering Skm Or Eskm On A Brocade Encryption Group Leader

    Steps for connecting to an SKM or ESKM appliance 12. Select Sign Request. Upon success, you are presented with the option of downloading the signed certificate. 13. Download the signed certificate to your local system as signed_kac_skm_cert.pem. 14. Import the signed certificate from its location, or from a USB storage device. SecurityAdmin:switch>...
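The CA certificate, the KAC certificate signing request and the signed KAC certificate all move between the SKM/ESKM web console and the switch by copy-and-paste or file download (steps 4 and 13 to 14 above). The usual failures are a missing END line, a body truncated or line-wrapped by the paste, or importing a request where a certificate was expected. The following Python is an added example, not Brocade or HP code, that uses only the standard library to pull every PEM block out of free text, decode it, and confirm that the DER outer SEQUENCE length matches what was decoded. The sample input is constructed and its body is a dummy SEQUENCE, not a real certificate request.

```python
"""Validate PEM material pasted between the SKM/ESKM console and the switch.

Added example, not Brocade or HP code; standard library only. Sample text and
DER body are constructed.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def extract_pem_blocks(text):
    """Return [(label, der_bytes), ...] for every complete block in text.

    Raises ValueError when a BEGIN has no matching END, when BEGIN and END
    labels differ, or when the body is not valid base64 (a truncated paste).
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        compact = re.sub(r"\s+", "", body)  # tolerate CRLF and re-wrapped lines
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin}: body is not valid base64: {exc}") from exc
        blocks.append((begin, der))
    begins = len(re.findall(r"-----BEGIN ", text))
    if begins != len(blocks):
        raise ValueError(f"{begins} BEGIN lines but {len(blocks)} complete blocks")
    return blocks


def der_is_complete(der):
    """True if der is one SEQUENCE whose encoded length exactly fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def expect_single(text, label):
    """Return the DER of the one block labelled `label`, else raise ValueError.

    Use "CERTIFICATE REQUEST" for the KAC CSR and "CERTIFICATE" for the signed
    KAC certificate or the downloaded local CA certificate.
    """
    blocks = [der for lbl, der in extract_pem_blocks(text) if lbl == label]
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one {label} block, found {len(blocks)}")
    if not der_is_complete(blocks[0]):
        raise ValueError(f"{label}: DER length does not match body; paste is truncated")
    return blocks[0]


# Constructed sample: console text around a dummy body, SEQUENCE { INTEGER 1, INTEGER 2 }.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_TEXT = (
    "Paste from the SKM/ESKM web console (constructed sample):\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\r\n-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    der = expect_single(SAMPLE_TEXT, "CERTIFICATE REQUEST")
    print("CSR ok,", len(der), "DER bytes")
```

Run it over the file you are about to import with cryptocfg before the import, and over the CA certificate before pasting it into the trusted CA list; a length mismatch or label mismatch found here is much cheaper than an SSL failure against port 9000 later.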
  • Page 164 Steps for connecting to an SKM or ESKM appliance The switch on which you create the encryption group becomes the designated group leader. Once you have created an encryption group, all group-wide configurations, including key vault configuration, adding member nodes, configuring failover policy settings, and setting up storage devices, as well as all encryption management operations, are performed on the group leader.
  • Page 165: And Password

    Steps for connecting to an SKM or ESKM appliance Time of Day on the Switch: 2010-03-17 17:22:05 Client SDK Version: 4.8.2.000017 Client Username: brcduser1 Client Usergroup: brocade Connection Timeout: 10 seconds Response Timeout: 10 seconds Connection Idle Timeout: Key Vault configuration and connectivity checks successful, ready for key operations.
  • Page 166: Skm Or Eskm Key Vault High Availability Deployment

    Steps for connecting to an SKM or ESKM appliance • Different user names and passwords can never be used within the same encryption group, but each encryption group may have its own user name and password. • If you change the user name and password using the KAClogin option, the keys created by the previous user become inaccessible.
  • Page 167: Adding A Member Node To An Encryption Group

    Steps for connecting to an SKM or ESKM appliance Tape LUN support • DEK Creation: The DEK is created and archived to the SKM/ESKM cluster using the cluster’s virtual IP address. The DEK is synchronized with other SKMs/ESKMs in the cluster. Upon successful archival of the DEK to the SKM/ESKM cluster, the DEK can be used for encryption of the tape LUN.
  • Page 168 Steps for connecting to an SKM or ESKM appliance CAUTION After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE command on that node. Doing so removes critical information from the node and makes it necessary to re-initialize the node and export new KAC certificates to the group leader and the key vault.
  • Page 169 Steps for connecting to an SKM or ESKM appliance NOTE If the maximum number of certificates is exceeded, the following message is displayed. Maximum number of certificates exceeded. Delete an unused certificate with the 'cryptocfg --delete -file' command and then try again 6.
  • Page 170: Generating And Backing Up The Master Key

    Generating and backing up the master key Node Name: 10:00:00:05:1e:39:14:00 State: DEF_NODE_STATE_DISCOVERED Role: MemberNode IP Address: 10.32.244.60 Certificate: enc1_cpcert.pem Current Master Key State: Not configured Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 Alternate Master Key State:Not configured Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 EE Slot: SP state: Unknown State Current Master KeyID:...
  • Page 171 Generating and backing up the master key NODE LIST Total Number of defined nodes:2 Group Leader Node Name: 10:00:00:05:1e:41:9a:7e Encryption Group state: CLUSTER_STATE_CONVERGED Node Name: 10:00:00:05:1e:41:9a:7e (current node) State: DEF_NODE_STATE_DISCOVERED Role: GroupLeader IP Address: 10.32.244.71 Certificate: GL_cpcert.pem Current Master Key State: Configured Current Master KeyID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2...
  • Page 172: High Availability Cluster Configuration

    High availability cluster configuration Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 No HA cluster membership Node Name: 10:00:00:05:1e:39:14:00 State: DEF_NODE_STATE_DISCOVERED Role: MemberNode IP Address: 10.32.244.60 Certificate: enc1_cpcert.pem Current Master Key State: Not configured Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 Alternate Master Key State:Not configured Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 EE Slot: SP state:...
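The cryptocfg --show -groupmember -all output reproduced on the preceding pages is what you read before generating the master key, adding a member or enabling an engine: the group must be CLUSTER_STATE_CONVERGED, the node must carry the active master key (an all-zero key ID means it does not), and the engine's security processor must be Online. The Python below is an added example, not Brocade code: it parses a constructed transcript shaped like that output and returns the findings that block further configuration. The WWNs, IP addresses, certificate names and key IDs are sample values.

```python
"""Sanity-check an encryption group from `cryptocfg --show -groupmember -all`.

Added example, not Brocade code. The transcript below is constructed to match
the field layout shown in this chapter; identifiers are sample values.
"""
import re

ZERO_KEY = ":".join(["00"] * 16)   # key ID shown when no master key is configured


def _kv(chunk):
    """Parse 'Key: value' lines; keys are text before the first colon."""
    fields = {}
    for line in chunk.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_groupmember(text):
    """Return (group_fields, nodes); each node has an 'engines' list."""
    header, *node_blocks = re.split(r"(?m)^Node Name:", text)
    group = _kv(header)
    nodes = []
    for block in node_blocks:
        name_line, _, rest = block.partition("\n")
        node_text, *ee_texts = re.split(r"(?m)^EE Slot:", rest)
        node = _kv(node_text)
        node["Node Name"] = name_line.replace("(current node)", "").strip()
        node["current"] = "(current node)" in name_line
        node["engines"] = []
        for ee in ee_texts:
            slot_line, _, ee_rest = ee.partition("\n")
            engine = _kv(ee_rest)
            engine["slot"] = slot_line.strip()
            node["engines"].append(engine)
        nodes.append(node)
    return group, nodes


def check_group(group, nodes):
    """Return a list of findings; empty means the group is ready for config."""
    findings = []
    state = group.get("Encryption Group state", "")
    if state != "CLUSTER_STATE_CONVERGED":
        findings.append(f"group state is {state or 'unknown'}: key vault, master key, "
                        "engine and HA changes are blocked until converged")
    declared = int(group.get("Total Number of defined nodes", len(nodes)))
    if declared != len(nodes):
        findings.append(f"{declared} nodes declared but {len(nodes)} listed")
    leader = group.get("Group Leader Node Name")
    if leader not in {n["Node Name"] for n in nodes}:
        findings.append(f"group leader {leader} is not in the node list")
    for n in nodes:
        if (n.get("Current Master Key State") != "Configured"
                or n.get("Current Master KeyID", ZERO_KEY) == ZERO_KEY):
            findings.append(f"{n['Node Name']} ({n.get('Role', '?')}): no active master key, "
                            "so no data encryption keys can be created on it")
        for e in n["engines"]:
            if e.get("SP state") != "Online":
                findings.append(f"{n['Node Name']} EE slot {e['slot']}: SP state is "
                                f"{e.get('SP state', 'unknown')!r}")
    return findings


# Constructed transcript: a converged two-node group where the member has not yet
# received the master key and its engine is not online.
SAMPLE_GROUPMEMBER = """\
NODE LIST
Total Number of defined nodes:2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED

Node Name: 10:00:00:05:1e:41:9a:7e (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: GroupLeader
IP Address: 10.32.244.71
Certificate: GL_cpcert.pem
Current Master Key State: Configured
Current Master KeyID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2a
Alternate Master Key State: Not configured
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
EE Slot: 0
SP state: Online
Current Master KeyID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2a
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
No HA cluster membership

Node Name: 10:00:00:05:1e:39:14:00
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.pem
Current Master Key State: Not configured
Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Alternate Master Key State: Not configured
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
EE Slot: 0
SP state: Unknown State
Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
No HA cluster membership
"""

if __name__ == "__main__":
    for finding in check_group(*parse_groupmember(SAMPLE_GROUPMEMBER)):
        print("-", finding)
```

On the sample this reports two findings, both against the member node, which is exactly the state a freshly registered member is in before the group leader pushes the master key and the engine is enabled.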
  • Page 173: Creating An Ha Cluster

    High availability cluster configuration • It is recommended that the HA cluster configuration be completed before you configure storage devices for encryption. • It is mandatory that the two encryption engines in the HA cluster belong to two different nodes for true redundancy.
  • Page 174: Adding An Encryption Engine To An Ha Cluster

    High availability cluster configuration Adding an encryption engine to an HA cluster 1. Log in to the group leader as Admin or FabricAdmin. 2. Enter the cryptocfg --add -haclustermember command. Specify the HA cluster name and the encryption engine node WWN. Provide a slot number if the encryption engine is a blade. The following example adds a Brocade FS8-18 in slot 5 to the HA cluster HAC2.
  • Page 175: Re-Exporting A Master Key

    Re-exporting a master key Policy Configuration Examples The following examples illustrate the setting of group-wide policy parameters. To set the failback mode to manual failback: SecurityAdmin:switch> cryptocfg --set -failbackmode manual Set failback policy status: Operation Succeeded. To set the Heartbeat misses value to 3: SecurityAdmin:switch>...
  • Page 176: Exporting An Additional Key Id

    Re-exporting a master key The following example lists the exported master key IDs for a given master key ID: SecurityAdmin:switch> cryptocfg --show -mkexported_keyids e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:93 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:94 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:95 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:96 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:97 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:98 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:99 e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9a e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9b Operation succeeded. The exported key ID is displayed with the master key ID, as shown in the examples to follow: Example: Initial master key export SecurityAdmin:switch>...
  • Page 177: Viewing The Master Key Ids

    Re-exporting a master key Viewing the master key IDs The cryptocfg --show -localEE command shows the actual master key IDs, along with the new master key IDs. Also shown are all exported master key IDs associated with a given (actual) master key. NOTE You will need to remember the exported master key ID and passphrase you used while exporting the master key ID.
  • Page 178: Enabling The Encryption Engine

    Enabling the encryption engine MasterKey ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:7e Exported Key ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:80 Example: Recovering a master key using master key ID from the second master key export SecurityAdmin:switch> cryptocfg --recovermasterkey -currentMK -keyID 15:30:f0:f3:5c:2b:28:ce:cc:a7:b4:cd:7d:2a:91:fc Enter passphrase: Recover master key status: Operation Succeeded. Enabling the encryption engine Enable the encryption engine by entering the cryptocfg enableEE command.
  • Page 179: Zoning Considerations

    Zoning considerations Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d No HA cluster membership EE Attributes: Media Type DISK EE Slot: SP state: Online Current Master KeyID: a3:d7:57:c7:54:66:65:05:61:7a:35:2c:59:af:a5:dc Alternate Master KeyID: e9:e4:3a:f8:bc:4e:75:44:81:35:b8:90:d0:1f:6f:4d No HA cluster membership EE Attributes: Media Type DISK EE Slot: SP state:...
  • Page 180: Frame Redirection Zoning

    Zoning considerations 2. From any configured primary FCS switch, change the default zoning setting to noAccess. SwitchAdmin:switch> defzone --noaccess SwitchAdmin:switch> cfgsave The change will be applied within the entire fabric. Frame redirection zoning Name Server-based frame redirection enables the Brocade Encryption Switch or blade to be deployed transparently to hosts and targets in the fabric.
  • Page 181 Zoning considerations FabricAdmin:switch> nsshow Type Pid COS PortName NodeName TTL(sec) N 010600; 2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na NodeSymb: [35] "Emulex LP9002 FV3.82A1 DV5-4.81A4 " Fabric Port Name: 20:06:00:05:1e:41:9a:7e Permanent Port Name: 10:00:00:00:c9:2b:c9:3a Port Index: 6 Share Area: No Device Shared in Other AD: No Redirect: No The Local Name Server has 1 entry } The nsshow command shows all devices on the switch, and the output can be lengthy.
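The nsshow format shown above is regular enough to parse and check rather than read by eye when the fabric is large. The Python below is an added example, not code from the Brocade guide: it parses that format into one record per device and lists the port WWNs whose entry still shows Redirect: No. The sample text is constructed from the Emulex host entry on this page plus an invented second entry with made-up WWNs; reading Redirect: No as "frame redirection is not yet in effect for this device" is this example's assumption.

```python
import re

# Constructed sample in the nsshow layout shown on this page: the Emulex host
# entry from the guide plus a second, invented target entry (WWNs are made up)
# whose Redirect flag is already set.
SAMPLE_NSSHOW = """{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    NodeSymb: [35] "Emulex LP9002 FV3.82A1 DV5-4.81A4 "
    Fabric Port Name: 20:06:00:05:1e:41:9a:7e
    Permanent Port Name: 10:00:00:00:c9:2b:c9:3a
    Port Index: 6
    Share Area: No
    Device Shared in Other AD: No
    Redirect: No
 N    010900;      3;21:00:00:20:37:a1:b2:c3;20:00:00:20:37:a1:b2:c3; na
    FC4s: FCP
    Fabric Port Name: 20:09:00:05:1e:41:9a:7e
    Permanent Port Name: 21:00:00:20:37:a1:b2:c3
    Port Index: 9
    Share Area: No
    Device Shared in Other AD: No
    Redirect: Yes
The Local Name Server has 2 entries }
"""

# Header line of one entry: type, PID, class of service, port WWN, node WWN, TTL.
ENTRY_RE = re.compile(
    r"^\s*(?P<type>N|NL|U)\s+(?P<pid>[0-9a-fA-F]{6});\s*(?P<cos>[0-9,]+);"
    r"(?P<pwwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2});"
    r"(?P<nwwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2});\s*(?P<ttl>\S+)"
)
COUNT_RE = re.compile(r"The Local Name Server has (\d+) entr")


def parse_nsshow(text):
    """Return one dict per name-server entry: the header fields plus every
    indented 'Key: value' attribute that follows the header line."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = dict(m.groupdict())
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    # Cross-check against the switch's own entry count so a truncated capture
    # is not silently treated as a complete name-server listing.
    m = COUNT_RE.search(text)
    if m and int(m.group(1)) != len(entries):
        raise ValueError(f"parsed {len(entries)} entries, switch reports {m.group(1)}")
    return entries


def not_redirected(entries):
    """Port WWNs whose entry still shows 'Redirect: No'. Treating that flag as
    'not yet steered through the encryption engine' is this example's
    assumption, not a statement taken from the guide."""
    return [e["pwwn"] for e in entries if e.get("Redirect", "No").lower() == "no"]


if __name__ == "__main__":
    parsed = parse_nsshow(SAMPLE_NSSHOW)
    for e in parsed:
        print(e["pid"], e["pwwn"], "redirect=" + e.get("Redirect", "?"))
    print("not redirected:", not_redirected(parsed))
```

Run it over the captured nsshow output of each switch in the fabric after the CryptoTarget container has been committed. A host or target WWN from the container that still appears in the not-redirected list is a sign that the redirection zone has not taken effect for that device, which is the exposure the multi-path cautions later in this chapter warn about.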
  • Page 182: Cryptotarget Container Configuration

    CryptoTarget container configuration 6. Enable the zone configuration. FabricAdmin:switch> cfgenable itcfg You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable 'itcfg' configuration (yes, y, no, n): [no] y zone config"itcfg"...
  • Page 183: Lun Rebalancing When Hosting Both Disk And Tape Targets

    CryptoTarget container configuration FIGURE 88 Relationship between initiator, virtual target, virtual initiator and target CAUTION When configuring a LUN with multiple paths, there is a considerable risk of ending up with potentially catastrophic scenarios where different policies exist for each path of the LUN, or a situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the secured realm of the encryption platform.
  • Page 184: Gathering Information

    CryptoTarget container configuration To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS v6.4, a field is added that indicates whether or not rebalancing is recommended. You may be prompted to rebalance during the following operations: •...
  • Page 185: Creating A Cryptotarget Container

    CryptoTarget container configuration Creating a CryptoTarget container 1. Log in to the group leader as Admin or FabricAdmin. 2. Enter the cryptocfg create container command. Specify the type of container (disk or tape), followed by a name for the CryptoTarget container, the encryption engine’s node WWN, and the target’s port WWN and node WWN.
  • Page 186: Removing An Initiator From A Cryptotarget Container

    CryptoTarget container configuration 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d Number of LUN(s): Operation Succeeded 6. Display the redirection zone. It includes the host, the target, the virtual initiator, and the virtual target. FabricAdmin:switch> cfgshow Defined configuration: cfg: itcfg itzone cfg: r_e_d_i_r_c__fg red_1109_brcd200c00062b0f726d200200051e414e1d; red_______base zone: itzone 10:00:00:00:c9:2b:c9:3a;...
  • Page 187: Deleting A Cryptotarget Container

    CryptoTarget container configuration 3. Commit the transaction. FabricAdmin:switch> cryptocfg --commit Operation Succeeded CAUTION When configuring a multi-path LUN, you must remove all initiators from all CryptoTarget containers in sequence before committing the transaction. Failure to do so may result in a potentially catastrophic situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform.
  • Page 188: Moving A Cryptotarget Container

    Crypto LUN configuration CAUTION When configuring a multi-path LUN, you must remove all necessary CryptoTarget containers in sequence before committing the transaction. Failure to do so may result in a potentially catastrophic situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform.
  • Page 189: Discovering A Lun

    Crypto LUN configuration • With the introduction of Fabric OS 7.1.0, the maximum number of uncommitted configuration changes per disk LUN (or maximum paths to a LUN) is 512 transactions. This change in commit limit applies only when using BNA. The commit limit when using the CLI remains unchanged at 25.
  • Page 190: Configuring A Crypto Lun

    Crypto LUN configuration Configuring a Crypto LUN You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. The LUNs of the target that are not enabled for encryption must still be added to the CryptoTarget container with the cleartext policy option.
  • Page 191: Crypto Lun Parameters And Policies

    Crypto LUN configuration 3. Commit the configuration. FabricAdmin:switch> cryptocfg --commit Operation Succeeded CAUTION When configuring a LUN with multiple paths, do not commit the configuration before you have added all the LUNs with identical policy settings and in sequence to each of the CryptoTarget containers for each of the paths accessing the LUNs.
  • Page 192 Crypto LUN configuration The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (I/O size from the host) must be at least 1 KB less than the maximum supported backend block size (usually 1 MB).
  • Page 193: Configuring A Tape Lun

    Crypto LUN configuration TABLE 6 LUN parameters and policies (Continued)
    Policy name: Write Early Ack
    Command parameters: -write_early_ack disable|enable
    Applies to: Disk LUN: No; Tape LUN: Yes
    Description: Specifies the Tape Write pipelining mode of the LUN. Two Write Pipelining modes are supported:
    • disable - Early acknowledgement of commands (internal buffering) for a tape LUN is disabled.
  • Page 194 Crypto LUN configuration LUN serial number: Key ID state: Key ID not Applicable b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption. There is a maximum of eight tape LUNs per Initiator in a container. FabricAdmin:switch>...
  • Page 195: Removing A Lun From A Cryptotarget Container

    Crypto LUN configuration Removing a LUN from a CryptoTarget container You can remove a LUN from a given CryptoTarget container if it is no longer needed. Stop all traffic I/O from the initiators accessing the LUN before removing the LUN to avoid I/O failure between the initiators and the LUN.
  • Page 196: Lun Modification Considerations

    Crypto LUN configuration FabricAdmin:switch> cryptocfg --modify -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a -disable_rekey Operation Succeeded 3. Commit the configuration. FabricAdmin:switch> cryptocfg --commit Operation Succeeded CAUTION When configuring a LUN with multiple paths, do not commit the configuration before you have modified all the LUNs with identical policy settings and in sequence for each of the CryptoTarget containers for each of the paths accessing the LUNs.
  • Page 197: Impact Of Tape Lun Configuration Changes

    Impact of tape LUN configuration changes Impact of tape LUN configuration changes LUN-level policies apply when no policies are configured at the tape pool level. The following restrictions apply when modifying tape LUN configuration parameters: • If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt while data is being written to or read from a tape backup device, the policy change is not enforced until the current process completes and the tape is unmounted, rewound, or overwritten.
  • Page 198: Multi-Path Lun Configuration Example

    Configuring a multi-path Crypto LUN Multi-path LUN configuration example Figure 89 on page 180 shows a single LUN on a dual-port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration.
  • Page 199 Configuring a multi-path Crypto LUN Create a CryptoTarget container (CTC2) for target port 2 to be hosted on the encryption engine of encryption switch 2. FabricAdmin:switch> cryptocfg --create -container disk CTC2 \ <switch 2 WWN> 0 <Target Port2 WWN> <Target NWWN> d.
  • Page 200 Configuring a multi-path Crypto LUN b. Add the same LUN to the CryptoTarget container CTC2. Use exactly the same LUN state and policy settings that you used for the LUN added to CTC1. FabricAdmin:switch> cryptocfg --add -LUN CTC2 0 <Host Port1 WWN> \ <Host NWWN>...
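The cautions in the container and LUN sections above all reduce to one invariant for a multi-path LUN: every path to the LUN is behind a CryptoTarget container, and every such container carries identical policy for that LUN. The Python below is an added example, not code from the guide or from Brocade: it groups the LUN records from each container's cryptocfg --show -LUN style output by LUN serial number, flags serials whose policy differs between containers, and flags serials with fewer container paths than the host's multipath view reports. The policy field labels, the sample dumps and the expected path counts are constructed assumptions; the real show output uses its own labels (only "LUN number" and "LUN serial number" are taken from the guide's output), and the path count would come from the host, for example from multipath -ll.

```python
from collections import defaultdict

# Policy fields compared across the paths of one LUN. These labels are this
# example's assumption about the 'Key: value' lines cryptocfg --show -LUN
# prints; the real labels may differ. "LUN number" and "LUN serial number"
# are the labels visible in the guide's own output.
POLICY_FIELDS = ("Encryption mode", "Rekey", "Key life")

# Constructed per-container dumps. CTC1 and CTC2 host the two paths of the
# multi-path LUN from the text; serials are modelled on the ones the guide prints.
# LUN 0x0 is deliberately misconfigured: encrypt on one path, cleartext on the other.
SAMPLE_CONTAINERS = {
    "CTC1": """
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
Encryption mode: encrypt
Rekey: enabled
Key life: 90
LUN number: 0x1
LUN serial number: 50002AC002E70A50
Encryption mode: encrypt
Rekey: disabled
Key life: 0
""",
    "CTC2": """
LUN number: 0x0
LUN serial number: 50002AC000BC0A50
Encryption mode: cleartext
Rekey: disabled
Key life: 0
""",
}

# Paths the host's multipath driver sees per backend LUN (constructed; in
# practice taken from the host). Serial ...E70A50 has a second path that is
# behind no container at all.
EXPECTED_PATHS = {"50002AC000BC0A50": 2, "50002AC002E70A50": 2}


def parse_lun_show(text):
    """Split one container's dump into one dict per LUN, keyed by field label.
    A new record starts at every 'LUN number:' line."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "LUN number":
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def check_multipath(containers, expected_paths):
    """containers: {container name: show output}. expected_paths: {serial: n}.
    Returns a sorted list of human-readable findings; empty means consistent."""
    by_serial = defaultdict(list)
    for name, text in containers.items():
        for rec in parse_lun_show(text):
            serial = rec.get("LUN serial number")
            if serial:
                by_serial[serial].append((name, rec))

    findings = []
    for serial, paths in sorted(by_serial.items()):
        policy = [(name, tuple(rec.get(f, "?") for f in POLICY_FIELDS)) for name, rec in paths]
        # Same backend LUN, different policy on different paths: the guide's
        # "catastrophic" case (one path encrypting, another writing cleartext).
        if len({p for _, p in policy}) > 1:
            detail = "; ".join(f"{c}={dict(zip(POLICY_FIELDS, p))}" for c, p in sorted(policy))
            findings.append(f"POLICY MISMATCH serial={serial}: {detail}")
        # Fewer container paths than the host sees: a path bypasses encryption.
        want = expected_paths.get(serial)
        if want is not None and len(paths) < want:
            findings.append(
                f"UNPROTECTED PATH serial={serial}: only {len(paths)} of {want} "
                "paths are behind a CryptoTarget container"
            )
    for serial in sorted(set(expected_paths) - set(by_serial)):
        findings.append(f"UNPROTECTED LUN serial={serial}: no path is behind any CryptoTarget container")
    return findings


if __name__ == "__main__":
    for finding in check_multipath(SAMPLE_CONTAINERS, EXPECTED_PATHS):
        print(finding)
```

Run the check before cryptocfg --commit when adding or modifying LUNs on a multi-path target; an empty result is the condition the cautions ask you to establish by hand, and a non-empty one names the LUN and the path that would leave data reachable in cleartext.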
  • Page 201: Decommissioning Luns

    Decommissioning LUNs Decommissioning LUNs A disk device needs to be decommissioned when any of the following occur: • The storage lease expires for an array, and devices must be returned or exchanged. • Storage is reprovisioned for movement between departments. •...
  • Page 202: Decommissioning Replicated Luns

    Decommissioning replicated LUNs Use the following procedure to decommission a LUN. 1. Log in as Admin or FabricAdmin to the node that hosts the container. 2. Enter the cryptocfg decommission command. FabricAdmin:switch> cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0 3.
  • Page 203: Decommissioning Replicated Luns

    Decommissioning replicated LUNs 1. Log in as Admin or FabricAdmin. 2. Split the copy pairs. 3. Make the secondary LUN write-enabled. 4. Execute the rekey command on the secondary LUN. FabricAdmin:switch> cryptocfg --manual_rekey <crypto target container name> <LUN Num> <Initiator PWWN> 5.
  • Page 204: Force-Enabling A Decommissioned Disk Lun For Encryption

    Force-enabling a decommissioned disk LUN for encryption a. Decommission the primary LUN. FabricAdmin:switch> cryptocfg --decommission -container <container name> -initiator <initiator PWWN> -LUN <lun number> b. Display the decommissioned key IDs. FabricAdmin:switch> cryptocfg --show -decommissionedkeyids c. Delete the respective key from the key vault. On the Brocade Encryption Switch, enter the following command.
  • Page 205: Force-Enabling A Disabled Disk Lun For Encryption

    Force-enabling a disabled disk LUN for encryption 9. Enter the cryptocfg enable LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch> cryptocfg --enable -LUN my_disk_tgt 0x0 \ 10:00:00:00:c9:2b:c9:3a Operation Succeeded Force-enabling a disabled disk LUN for encryption You can force a disk LUN to become enabled for encryption when encryption is disabled on the LUN.
  • Page 206: Tape Pool Configuration

    Tape pool configuration Tape pool configuration Tape pools are used by tape backup application programs to group all configured tape volumes into a single backup to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties: •...
  • Page 207 Tape pool configuration CommVault Galaxy labeling CommVault uses a storage policy for each backup. When configuring a tape pool to work with CommVault Galaxy, first create a storage policy on CommVault and then use the storage_policy_id (sp_id) as the label when creating the tape pool on the encryption switch or blade. 1.
  • Page 208: Creating A Tape Pool

    Tape pool configuration Creating a tape pool Take the following steps to create a tape pool: 1. Log in to the group leader as FabricAdmin. 2. Create a tape pool by entering the cryptocfg create tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies.
  • Page 209: Deleting A Tape Pool

    Tape pool configuration Deleting a tape pool This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently accessed by the host. Be sure the tape media is not currently in use. 1.
  • Page 210: First-Time Encryption

    First-time encryption First-time encryption First-time encryption, also referred to as encryption of existing data, is similar to the rekeying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first-time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA) location.
  • Page 211: Thin Provisioned Luns

    Thin provisioned LUNs Thin provisioned LUNs With the introduction of Fabric OS 7.1.0, the Brocade Encryption Switch can discover whether a disk LUN is a thin provisioned LUN. Support for thin provisioned LUNs is limited to disk containers only. NOTE Currently, thin provisioned LUN support is limited to Brocade-tested storage arrays.
  • Page 212: Space Reclamation

    Thin provisioned LUNs LUN serial number: 50002AC000BC0A50 TP LUN: LUN connectivity state: Connected Key ID state: Key ID not Applicable FabricAdmin:switch> cryptocfg --show -rekey -all LUN number: LUN serial number: 50002AC002E70A50 TP LUN:Yes Rekey session number: Percentage complete: Rekey state: Read Phase Rekey role: Primary/Active...
  • Page 213: Data Rekeying

    Data rekeying Data rekeying In a rekeying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted with a new key and written back to the same LUN at the same logical block address (LBA) location. This process effectively re-encrypts the LUN and is referred to as “in-place rekeying.” It is recommended that you limit the practice of rekeying to the following situations: •...
  • Page 214: Configuring A Lun For Automatic Rekeying

    Data rekeying Configuring a LUN for automatic rekeying Rekeying options are configured at the LUN level either during LUN configuration with the cryptocfg LUN command, or at a later time with the cryptocfg modify LUN command. For rekeying of a disk array LUN, the Crypto LUN is configured in the following way: •...
  • Page 215: Initiating A Manual Rekey Session

    Data rekeying Initiating a manual rekey session You can initiate a rekeying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. The manual rekeying feature is useful when the key is compromised and you want to re-encrypt existing data on the LUN before taking action on the compromised key.
  • Page 216: Suspension And Resumption Of Rekeying Operations

    Data rekeying Current LBA: 488577 Operation succeeded. Suspension and resumption of rekeying operations A rekey may be suspended or fail to start for several reasons: • The LUN goes offline or the encryption switch fails and reboots. Rekey operations are resumed automatically when the target comes back online or the switch comes back up.
  • Page 217: Deployment Scenarios

    Chapter Deployment Scenarios In this chapter • Single encryption switch, two paths from host to target....200 • Single fabric deployment - HA cluster ......201 •...
  • Page 218: Single Encryption Switch, Two Paths From Host To Target

    Single encryption switch, two paths from host to target Single encryption switch, two paths from host to target Figure 90 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths: •...
  • Page 219: Single Fabric Deployment - Ha Cluster

    Single fabric deployment - HA cluster Single fabric deployment - HA cluster Figure 91 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology. [Figure 91 labels: Key Management Appliance, Management Network]...
  • Page 220: Single Fabric Deployment - Dek Cluster

    Single fabric deployment - DEK cluster In Figure 91, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN. This LAN connection provides the communication needed to distribute and synchronize configuration information, and enables the two switches to act as a high availability (HA) cluster, providing automatic failover if one of the switches fails or is taken out of service.
  • Page 221: Dual Fabric Deployment - Ha And Dek Cluster

    Dual fabric deployment - HA and DEK cluster In Figure 92, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch.
  • Page 222: Multiple Paths, One Dek Cluster, And Two Ha Clusters

    Multiple paths, one DEK cluster, and two HA clusters failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2.
  • Page 223 Multiple paths, one DEK cluster, and two HA clusters The configuration details shown in Figure 94 are as follows: • There are two fabrics. • There are four paths to the target device, two paths in each fabric. • There are two host ports, one in each fabric. •...
  • Page 224: Multiple Paths, Dek Cluster, No Ha Cluster

    Multiple paths, DEK cluster, no HA cluster Multiple paths, DEK cluster, no HA cluster Figure 95 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric. [Figure 95 labels: Management Network, Management Link]...
  • Page 225: Deployment In Fibre Channel Routed Fabrics

    Deployment in Fibre Channel routed fabrics Deployment in Fibre Channel routed fabrics In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_port connections (Figure 96), or it may form the backbone fabric and directly provide the EX_port connections (Figure 97).
  • Page 226 Deployment in Fibre Channel routed fabrics The following is a summary of steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge). • The encryption device creates the frame redirection zone automatically consisting of host, target, virtual target, and virtual initiator in the backbone fabric when the target and host are configured on the encryption device.
  • Page 227: Deployment As Part Of An Edge Fabric

    Deployment as part of an edge fabric Deployment as part of an edge fabric In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7800 extension switch or FX8-24 blade in a DCX or DCX 8510 Backbone, or an FCR-capable switch or blade.
  • Page 228: Deployment With Fcip Extension Switches

    Deployment with FCIP extension switches Deployment with FCIP extension switches Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX or DCX 8510 Backbone to enable long distance connections. Figure 99 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator’s Guide for information about creating FCIP configurations.
  • Page 229: Vmware Esx Server Deployments

    VMware ESX server deployments VMware ESX server deployments VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems.
  • Page 230 VMware ESX server deployments Figure 101 shows a VMware ESX server with two guest operating systems where two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device: •...
  • Page 231: Best Practices And Special Topics

    Chapter Best Practices and Special Topics In this chapter • Firmware upgrade and downgrade considerations....284 • Configuration upload and download considerations ....287 •...
  • Page 232: Firmware Upgrade And Downgrade Considerations

    Firmware upgrade and downgrade considerations Firmware upgrade and downgrade considerations Before upgrading or downgrading firmware, consider the following: • The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during a firmware upgrade.
  • Page 233: General Guidelines

    Firmware upgrade and downgrade considerations • When doing a firmware upgrade to Fabric OS 7.0.0 or downgrade from Fabric OS 7.0.0, the message SPM-1016 will be observed on v7.0.0 nodes in the encryption group (EG) while other nodes in that EG are still running versions earlier than Fabric OS 7.0.0. Although this is a warning message, it is transient and is only observed during a firmware upgrade or downgrade operation.
  • Page 234: Specific Guidelines For Ha Clusters

    Firmware upgrade and downgrade considerations • Do not try registering a node running Fabric OS 6.3.x or earlier to an encryption group when all nodes are running Fabric OS 6.4.0(x) with one or more Fabric OS 6.4.0(x) features enabled. • Disable all Fabric OS 6.4.0(x) features before ejecting a node running Fabric OS 6.4.0(x) and registering the node as a member of an encryption group with nodes running Fabric OS 6.3.x or earlier.
  • Page 235: Information Not Included In An Upload

    Configuration upload and download considerations Configuration upload and download considerations Security information is not included when you upload a configuration from an encryption switch or blade. Extra steps are necessary before and after download to re-establish that information. The following sections describe what information is included in an upload from an encryption group leader or an encryption group member, what information is not included, and the steps to take to re-establish the information.
  • Page 236: Steps Before Configuration Download

    Configuration upload and download considerations Steps before configuration download The configuration download does not include any certificates, public or private keys, master key, or link keys. Perform the following steps prior to configuration download to generate and obtain the necessary certificates and keys: 1.
  • Page 237: Hp-Ux Considerations

    HP-UX considerations 3. If there are containers that belonged to the old encryption switch or blade, then after configdownload is run, use the following command to change the ownership of containers to the new encryption switch or blade, assuming the host and target physical zone exists. Admin:switch>...
  • Page 238: Aix Considerations

    AIX Considerations AIX Considerations For AIX-based PowerHA SystemMirror host clusters, the cluster repository disk should be defined outside of the encryption environment. Ensure that Dynamic Tracking is set to “Yes” for all Fibre Channel adapters on the AIX system. Enabling a disabled LUN When Metadata is found on the LUN, but current LUN state is indicated as cleartext or is being converted from encrypt to cleartext, the LUN is disabled and the LUN status displayed by the LUN Show CLI command is Internal EE LUN state: Encryption disabled <Reason Code>.
  • Page 239: Tape Pools

    Tape pools before logout or after the backup or restore operation is complete, and a second host backup application starts using the same tape device and does not explicitly turn off compression, compression will still be on when the encryption switch or blade issues a Mode Sense command to find target device capabilities, and compression is used.
  • Page 240: Tape Block Zero Handling

    Tape block zero handling Tape block zero handling The block zero of the tape media is not encrypted and the data in the block zero is sent as cleartext along with the block zero metadata header prefixed to the data to the tape device. Tape key expiry When the tape key of native pools expires in the middle of a write operation on the tape, the key is used for the duration of any write operation to append the data on the tape media.
  • Page 241: Redirection Zones

    Redirection zones • To enable host MPIO, LUNs must also be available through a second target port, hosted either on a second encryption switch or on the same encryption switch or encryption engine. The second encryption switch could be in the same fabric or in a different fabric. •...
  • Page 242: Ensure Uniform Licensing In Ha Clusters

    Ensure uniform licensing in HA clusters Ensure uniform licensing in HA clusters Licenses installed on the nodes should allow for identical performance numbers between HA cluster members. Tape library media changer considerations In tape libraries where the media changer unit is addressed by a target port that is separate from the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and CryptoTarget containers for the SCSI I/O ports.
  • Page 243: Turn Off Compression On Extension Switches

    Turn off compression on extension switches Turn off compression on extension switches We recommend disabling data compression on FCIP links that might carry encrypted traffic, to avoid potential performance issues: encrypted data is effectively incompressible, so compression will not yield the desired compression ratio. We also recommend disabling tape pipelining and fastwrite on an FCIP link that transports encrypted traffic.
  • Page 244: Do Not Change Lun Configuration While Rekeying

    KAC certificate registration expiry Do not change LUN configuration while rekeying Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN configuration while the rekeying process for that LUN is active. If you change the LUN’s settings during manual or automatic rekeying or first-time encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect.
  • Page 245: Disabling The Encryption Engine

    Disabling the encryption engine Disabling the encryption engine The disable encryption engine interface command cryptocfg disableEE [slot number] should be used only during firmware download, or when the encryption and security capabilities of the encryption engine have been compromised. Before disabling the encryption capabilities of the encryption engine, be sure the encryption engine is not hosting any CryptoTarget containers.
  • Page 246: Best Practices For Host Clusters In An Encryption Environment

    Best practices for host clusters in an encryption environment The fan-in ratio for a target can be higher depending on the maximum bandwidth accepted by the target. If the I/O throughput across all initiator ports accessing the target port is well balanced, it is recommended that the maximum fan-in ratio be kept to 8 Initiator ports to 1 target port for optimal performance.
  • Page 247: Tape Device Lun Mapping

    Tape Device LUN Mapping Tape Device LUN Mapping When performing LUN mapping, ensure that a given LUN number from a backend physical target is the same across all initiators in the container. Failure to do so can result in unpredictable switch behavior including blade/switch faults.
  • Page 248 Tape Device LUN Mapping Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 53-1002721-01...
  • Page 249: Maintenance And Troubleshooting

    Chapter Maintenance and Troubleshooting In this chapter • Encryption group and HA cluster maintenance ..... . . 302 • Encryption group merge and split use cases......311 •...
  • Page 250: Encryption Group And Ha Cluster Maintenance

    Encryption group and HA cluster maintenance Encryption group and HA cluster maintenance This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems with one or more member nodes in the group.
  • Page 251 Encryption group and HA cluster maintenance FIGURE 103 Removing a node from an encryption group The procedure for removing a node depends on the node’s status within an encryption group. HA cluster membership and Crypto LUN configurations must be cleared before you can permanently remove a member node from an encryption group.
  • Page 252 Encryption group and HA cluster maintenance Role: MemberNode IP Address: 10.32.33.145 Certificate: 10.32.33.145_my_cp_cert.pem Current Master Key State: Saved Current Master KeyID: b8:2a:a2:4f:c8:fd:12:e2:a9:25:d9:5b:58:2c:96:7e Alternate Master Key State: Not configured Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 EE Slot: SP state: Online Current Master KeyID: b8:2a:a2:4f:c8:fd:12:e2:a9:25:d9:5b:58:2c:96:7e Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00...
  • Page 253: Deleting An Encryption Group

    Encryption group and HA cluster maintenance Deleting an encryption group You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes.
  • Page 254: Displaying The Ha Cluster Configuration

    Encryption group and HA cluster maintenance Displaying the HA cluster configuration NOTE The correct failover status of an HA cluster will only be displayed on the HA cluster member nodes in the encryption group. 1. Log in to the group leader as Admin or SecurityAdmin. 2.
  • Page 255: Replacing An Ha Cluster Member

    Encryption group and HA cluster maintenance Replacing an HA cluster member 1. Log in to the group leader as Admin or SecurityAdmin. 2. Enter the cryptocfg replace haClusterMember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine.
  • Page 256 Encryption group and HA cluster maintenance FIGURE 104 Replacing a failed encryption engine in an HA cluster
  • Page 257: Deleting An Ha Cluster Member

    Encryption group and HA cluster maintenance Case 2: Replacing a “live” encryption engine in an HA cluster 1. Invoke the cryptocfg replace haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
  • Page 258: Performing A Manual Failback Of An Encryption Engine

    Encryption group and HA cluster maintenance Performing a manual failback of an encryption engine By default, failback occurs automatically if an encryption engine that failed was replaced or comes back online. When manual failback policy is set in the encryption group, you must invoke a manual failback of the encryption engine after the failing encryption engine was restored or replaced.
  • Page 259: Encryption Group Merge And Split Use Cases

    Encryption group merge and split use cases • After the failback completes, the cryptocfg show hacluster all command no longer reports active failover. SecurityAdmin:switch> cryptocfg --show -hacluster -all Encryption Group Name: brocade_1 Number of HA Clusters: 1 HA cluster name: HAC3 - 2 EE entries Status: Committed Slot Number...
  • Page 260: A Member Node Reboots And Comes Back Up

    Encryption group merge and split use cases NOTE When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg transabort. Doing so will cause subsequent reclaim attempts to fail. 4. Set up the member node: Configure the IP address of the new node that is replacing the failed node, and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg initnode command.
  • Page 261: A Member Node Lost Connection To The Group Leader

    Encryption group merge and split use cases Recovery If auto failback policy is set, no intervention is required. After the node has come back up, all devices and associated configurations and services that failed over earlier to N1 fail back to N3. The node resumes its normal function.
  • Page 262: Several Member Nodes Split Off From An Encryption Group

    Encryption group merge and split use cases • The isolation of N3 from the group leader breaks the HA cluster and failover capability between N3 and N1. • You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders.
  • Page 263: Adjusting Heartbeat Signaling Values

    Encryption group merge and split use cases Recovery 1. Restore the connection between the nodes in the separate encryption group islands, that is, between nodes N3, N4 and between nodes N1 and N2. When the lost connection is restored, an automatic split recovery process begins. The two group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node with the highest WWN becomes group leader.
  • Page 264: Eg Split Possibilities Requiring Manual Recovery

    Encryption group merge and split use cases NOTE The collective time allowed (the heartbeat time-out value multiplied by the heartbeat misses) cannot exceed 30 seconds (enforced by Fabric OS). The relationship between hbmisses and hbtimeout determines the total amount of time allowed before a node is declared unreachable. If a switch does not sense a heartbeat within the heartbeat timeout value, it is counted as a heartbeat miss.
  • Page 265 Encryption group merge and split use cases NOTE If one or more EG statuses display as CONVERGED, contact technical support, as the following procedure will not work. To re-converge the EG, you will need to perform a series of steps. The following is a listing of the basic steps involved; this listing is followed by an example with the details of each step: 1.
  • Page 266 Encryption group merge and split use cases Display the encryption group state again. Node182:admin-> cryptocfg --show -groupcfg Node182 should now show up with an Encryption Group state of CLUSTER_STATE_CONVERGED. In this two-node example, there is only one other node in the encryption group, and therefore there is only one node to deregister.
  • Page 267 Encryption group merge and split use cases Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined. The 2:2 EG split exception The encryption group deletion procedure may be done directly in every scenario except when there has been a 2:2 split.
  • Page 268 Encryption group merge and split use cases The above manual configuration recovery procedure will work nearly identically for all combinations of EG split scenarios. Simply perform the following steps for the other scenarios: • Pick one EG/EG Leader to be maintained. •...
  • Page 269: Encryption Group Database Manual Operations

    Encryption group database manual operations TABLE 8 Disallowed Configuration Changes Configuration Type Disallowed configuration changes • Crypto Device Creating a CryptoTarget container • (target/LUN/tape) Adding initiators or LUNs to a CryptoTarget container • Removing initiators or LUNS from a CryptoTarget container •...
  • Page 270: Aborting A Pending Database Transaction

    Key vault diagnostics Aborting a pending database transaction You can abort a pending database transaction for any device configurations invoked earlier through the CLI or BNA interfaces by completing the following steps. 1. Use the transshow command to determine the currently pending transaction ID. The transshow command displays the pending database transaction for any device configurations invoked earlier through the CLI or BNA interfaces.
  • Page 271: Measuring Encryption Performance

    Measuring encryption performance • Time of day on the switch • Key Vault client SDK version • Timeout and retry policy for the client SDK The key vault client SDK version, and timeout and retry policy for the client SDK could differ across encryption nodes, depending on the firmware versions they are running.
  • Page 272 Measuring encryption performance • rx displays the transmit and receive throughputs of the redirected I/O. • Interval represents a numeric value (in seconds) between refreshes. Examples of the command output are shown below. The port number mentioned is the user port number corresponding to the 8G capable FC platform/port facing towards the Encryption FPGA.
  • Page 273: General Encryption Troubleshooting

    General encryption troubleshooting General encryption troubleshooting Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI. TABLE 9 General troubleshooting tips using the CLI Command Activity...
  • Page 274 General encryption troubleshooting TABLE 10 General errors and conditions Problem Resolution A backup fails because the LUN is always in the initialize Use one of two resolutions: state for the tape container. • Load the old master key on the switch at an alternate location. The key Tape media is encrypted and gets a key which is archived in for the tape media can then be decrypted.
  • Page 275 General encryption troubleshooting TABLE 10 General errors and conditions Problem Resolution A performance drop occurs when using DPM on a Microsoft Change the DPM behavior to send one request at a time by adding DWORD Windows system to back up to a Scalar 500i tape library. “BufferQueueSize”...
  • Page 276: Troubleshooting Examples Using The Cli

    Troubleshooting examples using the CLI Troubleshooting examples using the CLI Encryption Enabled CryptoTarget LUN The LUN state should be Encryption enabled for the host to see the Crypto LUN. switch:FabricAdmin> cryptocfg --show -LUN disk_container1 0 21:01:00:e0:8b:a9:ac:d2 -stat Container name: disk_container1 Type: disk EE node:...
  • Page 277: Encryption Disabled Cryptotarget Lun

    Troubleshooting examples using the CLI Encryption Disabled CryptoTarget LUN If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN. switch:FabricAdmin> cryptocfg --show -LUN disk_container1 0 21:01:00:e0:8b:a9:ac:d2 -stat Container name: disk_container1 Type: disk EE node: 10:00:00:05:1e:43:fe:00...
  • Page 278: Management Application Encryption Wizard Troubleshooting

    Management application encryption wizard troubleshooting Management application encryption wizard troubleshooting • Errors related to adding a switch to an existing group ....330 • Errors related to adding a switch to a new group ....331 •...
  • Page 279: Errors Related To Adding A Switch To A New Group

    Management application encryption wizard troubleshooting Errors related to adding a switch to a new group Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them. TABLE 12 Error recovery instructions for adding a switch to a new group Configuration task Error description...
  • Page 280 Management application encryption wizard troubleshooting TABLE 12 Error recovery instructions for adding a switch to a new group (Continued) Configuration task Error description Instructions Create a new master key (opaque key A failure occurred while attempting to Remove the switch from the group using the Group vaults only) create a new master key.
  • Page 281: Lun Policy Troubleshooting

    LUN policy troubleshooting LUN policy troubleshooting Table 14 may be used as an aid in troubleshooting problems related to LUN policies. TABLE 14 LUN policy troubleshooting Case Reasons for the LUN getting disabled by Action taken If you do not need to save the data: If you need to save the data: the encryption switch The LUN was modified from encrypt...
  • Page 282: Loss Of Encryption Group Leader After Power Outage

    Loss of encryption group leader after power outage Loss of encryption group leader after power outage When all nodes in an encryption group, HA Cluster, or DEK Cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on, or the group leader is kept powered down, the member nodes might lose information and knowledge about the encryption group.
  • Page 283: Mpio And Internal Lun States

    MPIO and internal LUN states 5. Synchronize the crypto configurations across all member nodes. FabricAdmin:switch> cryptocfg --commit MPIO and internal LUN states The Internal LUN State field displayed within the cryptocfg show LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine.
  • Page 284: Fs8-18 Blade Removal And Replacement

    FS8-18 blade removal and replacement 1. Enter the cryptocfg resume_rekey command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN. FabricAdmin:switch> cryptocfg --resume_rekey my_disk_tgt 0x0 \ 10:00:00:05:1e:53:37:99 Operation Succeeded 2. Check the status of the resumed rekey session. FabricAdmin:switch>...
  • Page 285 FS8-18 blade removal and replacement 3. If the replaced FS8-18 blade is in a member node, invoke the following command to reclaim the base WWN. FabricAdmin:switch> cryptocfg --reclaimWWN -EE <failed EE WWN> <slot number> 4. Issue commit. FabricAdmin:switch> cryptocfg --commit 5. Replace the old FS8-18 blade with the new FS8-18 blade and reconnect the FC cables and I/O Link cables.
  • Page 286: Single-Node Eg Replacement

    FS8-18 blade removal and replacement NOTE Because the FS8-18 blade was inserted in the same slot as the previous blade, no change of HA cluster container ownership is required; the HA cluster configuration is retained. 16. If “manual” failback was set on the HA cluster, you must manually fail back the LUNs owned by the newly replaced EE.
  • Page 287: Brocade Encryption Switch Removal And Replacement

    Brocade Encryption Switch removal and replacement 11. If a master key is not present, restore the master key from a backed up copy. Procedures will differ depending on the backup media used (for example, recovery smart cards, from the key vault, from a file on the network, or a file on a USB-attached device).
  • Page 288 Brocade Encryption Switch removal and replacement 8. Power on the new Brocade Encryption Switch. Note that the FC cables have not yet been plugged in. 9. Set the IP address for the new Brocade Encryption Switch using the ipAddrSet command for the Mgmt and I/O links.
  • Page 289 Brocade Encryption Switch removal and replacement 22. Register back the signed KAC CSR/Cert onto the new node using the following command. Admin:switch> cryptocfg --reg -KACcert 23. Register the username and password on the new node with the same username and password as those used by the other nodes in the EG (created on the HP SKM/ESKM appliance) using the following command.
  • Page 290: Single-Node Eg Replacement

    Brocade Encryption Switch removal and replacement 31. If HA cluster membership for the old Brocade Encryption Switch was not in place, move the containers to the new Brocade Encryption Switch using the following procedure. a. Replace the old EE with the new EE using the following command on the group leader. Admin:switch>...
  • Page 291 Brocade Encryption Switch removal and replacement 11. Invoke the following command to clean up any WWN entries that were used earlier. Admin:switch> cryptocfg --reclaim -cleanup 12. Recreate the EG with the same name as before using the following command. Admin:switch> cryptocfg --create -encgroup <EG name> 13.
  • Page 292: Reclaiming The Wwn Base Of A Failed Brocade Encryption Switch

    Reclaiming the WWN base of a failed Brocade Encryption Switch 29. If HA cluster membership for the old Brocade Encryption Switch was in place, do the following to move the containers to the new Brocade Encryption Switch. a. Replace the old EE with the new EE using the following command on the group leader. Admin:switch>...
  • Page 293: Removing Stale Rekey Information For A Lun

    Removing stale rekey information for a LUN NOTE When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg transabort. Doing so will cause subsequent reclaim attempts to fail. Removing stale rekey information for a LUN To clean up stale rekey information for a LUN, complete one of the following procedures: Procedure 1: 1.
  • Page 294: Fabric Os And Eskm Compatibility Matrix

    Fabric OS and ESKM compatibility matrix NOTE When disabling the firmware consistency check, there should be no LUNs with pending decommission or in a failed state. If the firmware download to a version earlier than Fabric OS 7.1.0 is disallowed because of any LUNs under decommission or in a failed state, you must either complete decommissioning, or remove the offending LUNs before retrying cryptocfg delete decommissionedkeyids to disable the firmware consistency check.
  • Page 295: Splitting An Encryption Group Into Two Encryption Groups

    Splitting an encryption group into two encryption groups Splitting an encryption group into two encryption groups In this example, which is represented in Table 16, you have one encryption group with four nodes from which you want to remove two of the nodes and add them to a new encryption group. TABLE 16 Splitting an encryption group Encryption group...
  • Page 296: Moving An Encryption Blade From One Eg To Another In The Same Fabric

    Moving an encryption blade from one EG to another in the same fabric 8. Add FOS4 as a member node to the new EG. • For details about adding member nodes to an EG, see "Adding a member node to an encryption group"...
  • Page 297 Moving an encryption switch from one EG to another in the same fabric 1. Enter the following command on FOS1 to reclaim the VI/VT WWN base for the Brocade Encryption Switch to be moved out of EG1. Admin:switch> cryptocfg --reclaimWWN -membernode <FOS1_WWN> When prompted, answer yes.
  • Page 298 Moving an encryption switch from one EG to another in the same fabric Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 53-1002721-01...
  • Page 299: State And Status Information

    Appendix State and Status Information In this appendix • Encryption engine security processor (SP) states ....301 • Security processor KEK status ........302 •...
  • Page 300: Security Processor Kek Status

    Security processor KEK status Security processor KEK status Table 20 lists security processor KEK status information. TABLE 20 Security processor KEK status KEK type KEK status Description Primary KEK (current MK or None Primary KEK is not configured. primary KV link key) Mismatch Primary KEK mismatch between the CP and the SP.
  • Page 301 Encrypted LUN states TABLE 21 Encrypted LUN states (Continued) LUN_1ST_TIME_REKEY_IN_PROG First time rekey is in progress. LUN_KEY_EXPR_REKEY_IN_PROG Key expired rekey is in progress. LUN_MANUAL_REKEY_IN_PROG Manual rekey is in progress. LUN_DECRYPT_IN_PROG Data decryption is in progress. LUN_WR_META_PENDING Write metadata is pending. LUN_1ST_TIME_REKEY_PENDING First time rekey is pending.
  • Page 302 Encrypted LUN states TABLE 21 Encrypted LUN states (Continued) LUN_DIS_WR_META_DONE_ERR Disabled (Write metadata done with failure). LUN_DIS_LUN_REMOVED Disabled (LUN re-discovery detects LUN is removed). LUN_DIS_LSN_MISMATCH Disabled (LUN re-discovery detects new device ID). LUN_DIS_DUP_LSN Disabled (Duplicate LUN SN found). LUN_DIS_DISCOVERY_FAIL Disabled (LUN discovery failure). LUN_DIS_NO_LICENSE Disabled (Third party license is required).
  • Page 303 Encrypted LUN states TABLE 22 Tape LUN states Internal Names Console String Explanation LUN_DIS_LUN_NOT_FOUND Disabled (LUN not found) No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support. LUN_TGT_OFFLINE Target Offline Target port is not currently in the fabric.
  • Page 304 Encrypted LUN states TABLE 22 Tape LUN states LUN_ENCRYPT Encryption enabled The tape medium is present, and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted.

This manual is also suitable for: Fabric OS 7.1.0