Send documentation comments to mdsfeedback-doc@cisco.com

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, Release 4.x
Cisco MDS NX-OS Release 4.1(3)
February 2009

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Creating Cisco SME Fabrics F-6
Installing SSL Certificates F-6
Provisioning Cisco SME F-7
Appendix G Migrating Cisco SME Database Tables G-1

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, OL-18091-01, Cisco MDS NX-OS Release 4.
New and Changed Information

This document provides release-specific information for each new and changed feature in Cisco Storage Media Encryption. The Cisco MDS 9000 Family Storage Media Encryption Configuration Guide applies to Cisco NX-OS Release 4.1(3), but includes all features in Cisco SAN-OS releases. If you are running Cisco SAN-OS 3.
Table 1 New and Changed Features for Cisco Storage Media Encryption (continued)

Feature: Auto replication of media keys
GUI Change: Remote replication relationship settings available.
Description: A remote replication relationship can be set between volume groups.
Changed in Release: 4.1(3)

Feature: Accounting Log
GUI Change: Updated accounting log messages.
Description: Accounting Log information.

Feature: Target-Based Load Balancing

Description: Users can view the rekey operations and their status in the SME tab of the Fabric Manager Web Client.

Changed in Release values appearing on this page: 4.1(1c), 3.3(1c)

Feature: Secure Sockets Layer (SSL) Command
Description: Describes the command that enables SSL.
Changed in Release: 3.
Preface

This preface describes the audience, organization, and conventions of the Cisco MDS 9000 Family Storage Media Encryption Configuration Guide. The preface also provides information on how to obtain related documentation.
Chapter 9, Cisco SME Troubleshooting: Describes basic troubleshooting methods used to resolve issues with Cisco SME.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

The documentation set for the Cisco MDS 9000 Family includes the following documents. To find a document online, use the Cisco MDS NX-OS Documentation Locator at: http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/roadmaps/doclocater.
Chapter 1 Product Overview

This chapter provides an overview of the Storage Media Encryption (SME) and the hardware and software requirements for the product.
About Cisco Storage Media Encryption

Figure 1-1 shows the integration of Cisco SME with SAN fabrics to offer seamless management of data encryption.
Transparent Fabric Service

Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module or an MDS 9222i switch anywhere in the fabric. There are no appliances in-line in the data path and there is no SAN rewiring or reconfiguration.
Key Management

Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding. Key management features include the following:
• Master key resides in smart cards.
• Quorum (2 out of 5) of smart cards required to recover the master key.
• Unique key per tape.
Figure 1-2 Multisite Setup in Cisco KMC.
FC-Redirect

Cisco SME performance can easily be scaled up by adding more Cisco MDS 9000 family switches or modules. The innovative Fibre Channel redirect capabilities in Cisco MDS 9000 NX-OS enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.
• The affinity-based load balancing feature reduces the FC redirect interactions, which reduces the overhead in the existing operation.

Cisco SME Terminology

The following Cisco SME-related terms are used in this book:
• Cisco SME interface—The security engine in the MSM-18/4 module or fixed slot of a Cisco MDS 9222i fabric switch.
Supported Topologies

Cisco SME supports a single-fabric topology. The Cisco MSM-18/4 module and the MDS 9222i switch provide the Cisco SME engines used by Cisco SME to encrypt and compress data-at-rest.
Figure 1-3 Cisco Storage Media Encryption: Single-Fabric Topology. Figure elements: application servers (Email Server, HR Server); Cisco MDS 9500 Series; Cisco MDS 9200 Series; MSM-18/4 module switch with SME enabled (cluster mode); MDS switch running SAN-OS 3.
Software and Hardware Requirements

Note: This feature is tied to the internals of ISSU logic and no additional command needs to be executed for this purpose.
The MSM-18/4 module provides 18 4-Gbps Fibre Channel interfaces for high-performance SAN and mainframe connectivity and four Gigabit Ethernet ports for FCIP and iSCSI storage services.
Cisco SME Prerequisites

Smart Card Readers

To employ standard and advanced security levels, Cisco SME requires the following:
• Smart Card Reader for Cisco SME (DS-SCR-K9)
• Smart Card for Cisco SME (DS-SC-K9)
The smart card reader is a USB device that is connected to a management workstation. The management workstation is used to configure the Cisco SME cluster.
Cisco Storage Media Encryption Security Overview

• Each FC-redirected target can be zoned to 16 hosts or less.
• CFS should be enabled on all required switches for FC-redirect.
• Cisco SME servers and tape devices should not be part of an IVR zone set.
Chapter 2 Getting Started

This chapter includes information about Cisco SME installation and the preliminary tasks that you must complete before configuring Cisco SME.
Before You Begin

Cisco MDS 9000 Fabric Manager

The Cisco Fabric Manager is a set of network management tools that supports Secure Simple Network Management Protocol version 3 (SNMPv3).
Step 1 In the Physical Attributes pane, select End Devices > SME Clusters.
Step 2 From the Control tab in the information pane, locate the switch.
Step 3 From the drop-down menu in the Command column, select enable. The default is noSelection.
Note: You can select enable on multiple switches, and then click Apply.
Step 4 Click Apply.

Enabling Clustering Using Device Manager

To enable clustering using Device Manager, do the following for a specific switch:
Step 1 From the Admin menu in the device screen, select Feature Control.
Step 2 Select cluster.
Step 3 From the Action column drop-down menu, select enable.
Step 4 Click Apply.
Enabling Cisco SME

You can enable Cisco SME using Fabric Manager or Device Manager.
Note: Be sure to enable clustering first, and then enable Cisco SME.
Note: You can select enable on multiple switches, and then click Apply.
Step 4 Click Apply.

Enabling Cisco SME Using Device Manager

To enable Cisco SME using Device Manager, do the following for a specific device:
Step 1 From the Admin menu in the device screen, select Feature Control.
Step 2 Select sme.
Step 4 Click Apply.

Enabling DNS

DNS offers services to map a host name to an IP address in the network through a DNS server. When you configure DNS on the switch, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, upload, and download.
sme.useIP for IP Address or Name Selection

If you do not have DNS configured on all switches in the cluster, you can use sme.useIP. For information about sme.useIP, see Chapter 9, "Cisco SME Troubleshooting."

IP Access Lists for the Management Interface

Cluster communication requires the use of the management interface.
Table 2-1 shows a description of the Cisco SME roles and the number of users that should be considered for each role.
Configuring the AAA Roles

For information on configuring the AAA roles for the Cisco SME Administrator and the Cisco SME Recovery Officer, refer to the Cisco MDS 9000 Family CLI Configuration Guide.
Step 4 From the role drop-down menu, select either sme-admin, sme-kmc-admin, sme-stg-admin, or sme-recovery.
Step 5 Click Add.

Creating and Assigning Cisco SME Roles Using the CLI

For detailed information on creating and assigning roles, refer to the Cisco MDS 9000 Family CLI Configuration Guide.
Note: To configure Cisco SME in a dual fabric environment, all the switches in the cluster should have the same credentials for the SME user.

Cisco SME requires the HTTPS protocol on the Cisco MDS 9000 switch with an MSM-18/4 module installed. You must enable HTTPS during the Fabric Manager installation.
Step 5 Enter the fabric seed switch name or IP address and enter the community.
Step 6 Click Add.
Note: It takes a few minutes after you click Add to connect to the seed switch. A notification window indicates that monitoring has started and that the fabric will be available after discovery is complete.
Step 7 Click OK to return to the main screen.
Step 8 Select the fabric and click Edit.
Step 9 Enter a unique fabric name, user name, and password.
Step 10 Select Manage Continuously and click Modify.
Note: Cisco SME requires that you select Manage Continuously to receive continuous updates from the switches.
Step 11 Click Close to return to the main screen and view the new fabric name.
Choosing a Key Manager

Before configuring Cisco SME, you need to choose a key manager. To use an installation as a key manager, you should configure the settings for the key manager. To choose a key manager using Fabric Manager, follow these steps:
Step 1 Log in to Fabric Manager Web Client.
Step 2 Click the SME tab and select the Key Manager Settings.
Step 4 Click Submit Settings to save changes.

After you choose a key manager, the key manager cannot be changed. You must be logged in with the appropriate role to select or edit any key manager settings.
When connecting a new smart card reader after the installation of smart card drivers, you may be required to restart the computer. If the card reader is not recognized on your workstation, you may need to install the latest smart card drivers. You can find the Download link on the Fabric Manager Web Client.
The Cisco SME configuration tasks listed below provide an overview of the basic Cisco SME configuration process. Complete the Cisco SME configuration tasks on the switch with an installed MSM-18/4 module or on a Cisco MDS 9222i switch.
Cisco SME Configuration Restrictions

FC-Redirect Restrictions

FC-Redirect is not supported on the following switches:
• Cisco MDS 9120 switch
• Cisco MDS 9140 switch
• Cisco MDS 9124 switch
• Cisco MDS 9134 switch
• Cisco MDS 9020 switch

Cisco SME Configuration Limits

Table 2-3 lists the Cisco SME configurations and the corresponding limits.
Chapter 3 Cisco SME Interface Configuration

This chapter describes how to configure and start Cisco SME interfaces using Fabric Manager and Device Manager. For information on configuring and starting Cisco SME interfaces using the CLI, refer to the Cisco MDS 9000 Family CLI Configuration Guide.
Configuring and Starting the Cisco SME Interface

Step 4 Click Create. A new SME Interfaces window opens.
Note: You can only create a Cisco SME interface if there is a license on the switch available for an MSM-18/4 module. One license per MSM-18/4 module and per Cisco MDS 9222i slot 1 is required for the Cisco SME feature.
Viewing Cisco SME Interfaces in Fabric Manager Web Client

To view the newly created Cisco SME interfaces, follow these steps:
Step 1 In the Physical Attributes pane of the Fabric Manager Web Client, select Interfaces > FC Logical.
Step 2 Click the General tab to view the interfaces and their status information.
Adding Cisco SME Interfaces to a Cisco SME Configuration

Cisco SME includes an Add Interface Wizard to simplify the process of adding interfaces to an existing cluster. You can add additional interfaces when you add additional MSM-18/4 modules and Cisco MDS 9222i switches.
Step 3 Select the fabrics you want to add interfaces from. Click Next.
Step 4 Select the SME interfaces that you would like to use. Click Next.
Step 5 View the interface information. Click Confirm to view the newly added interface.

Viewing Cisco SME Interface Information Using the CLI

Use the show sme interface CLI command to obtain information about the SME interface configuration and statistics.
Removing (Unbinding) Cisco SME Interfaces from a Cisco SME Cluster

Removing a Cisco SME interface from a cluster means that the interface is still up but it is not bound to a cluster.
Note: The interface is removed while the node remains defined.

Deleting Switches From a Cisco SME Cluster

Note: If the cluster includes more than one switch, you must delete all non-master switches first. It is not possible to delete the master switch from a cluster without first deleting all non-master switches.
Step 4 View the notification that the switch was deleted.
Note: The interface and the node are both removed.
Chapter 4 Cisco SME Cluster Management

The Cisco Fabric Manager provides a web-browser interface that displays real-time views of your network fabrics and lets you configure Cisco Storage Media Encryption with easy-to-use wizards. This chapter contains information about Cisco SME initial configuration and the tasks that are used to manage Cisco SME clusters using Cisco Fabric Manager.
Creating a Cisco SME Cluster Using the Cisco SME Wizard

Step 2 In the Fabric Manager Web Client, click the SME tab.
Step 3 Select Clusters in the navigation pane.
Step 4 Click Create in the information pane. The Cisco SME wizard launches to walk you through the configuration process.

Choosing a Cluster Name

In the Choose Name screen, enter a cluster name.
Selecting Fabrics

In the Select Fabrics screen, highlight the fabric you want to include in the cluster. Click Next.

Selecting Interfaces

In the Select Interfaces screen, highlight the SME interfaces you want to include in your cluster. Click Next.
Selecting Master Key Security Levels

There are three master key security levels: Basic, Standard, and Advanced. Standard and Advanced security levels require smart cards. Table 4-1 describes the master key security levels.
Caution: You cannot modify the cluster security level after a cluster is created.
Selecting Basic Security

In the Master Key Security screen, select Basic. Click Next. For the Basic security level, after the cluster is created, the switch generates the master key file and you are prompted for a password to protect the file.
Selecting Advanced Security

When Advanced security is selected, you need to designate the number of cards that are required to recover the master key. This can be 2 or 3 of 5 smart cards or 2 of 3 smart cards.
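The quorum that the Standard and Advanced security levels rely on (a master key that any 2 or 3 of 5, or 2 of 3, smart cards can recover, as described here and in the Key Management section of Chapter 1) is a k-of-n threshold scheme: each recovery officer's card holds one keyshare, a quorum of cards rebuilds the master key, and fewer cards reveal nothing about it. The following is an added illustration of that property, not code from this guide and not Cisco's keyshare format. It assumes Shamir secret sharing over a prime field; the guide does not state how SME keyshares are constructed, so that choice, the field prime, and the 256-bit master key size are assumptions.

```python
"""Added example: k-of-n recovery of a master key with Shamir secret sharing.

Each recovery officer's smart card would hold one (x, y) share. Any
`threshold` cards reconstruct the key; `threshold - 1` cards do not.
Shamir's scheme is assumed here for illustration; it is not the SME format.
"""
import secrets
from typing import List, Tuple

# 2**521 - 1 is a Mersenne prime, so integers mod P form a field and a
# 256-bit master key (assumed size) always fits below P.
P = 2**521 - 1

Share = Tuple[int, int]  # (x coordinate of the card, f(x))


def split_secret(secret: int, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` pieces, any `threshold` of which recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must lie in [0, P)")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1) with random a_i, so f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the presented shares at x = 0 to obtain f(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same card was presented twice")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def quorum_demo(threshold: int, shares: int, key_bits: int = 256) -> bool:
    """Return True when two different `threshold`-card subsets recover a fresh
    random master key and a `threshold - 1`-card subset does not.
    Covers the SME 2-of-5, 3-of-5 and 2-of-3 choices."""
    master = secrets.randbits(key_bits)
    cards = split_secret(master, threshold, shares)
    first_cards = recover_secret(cards[:threshold]) == master
    last_cards = recover_secret(cards[-threshold:]) == master
    too_few = recover_secret(cards[:threshold - 1]) == master
    return first_cards and last_cards and not too_few


if __name__ == "__main__":
    for k, n in ((2, 5), (3, 5), (2, 3)):
        print(f"{k} of {n} smart cards: {'ok' if quorum_demo(k, n) else 'FAILED'}")
```

The point the guide's Caution makes about the security level being fixed at cluster creation follows from the construction: the threshold is the polynomial degree chosen at split time, so changing the quorum later would mean re-splitting the master key and reissuing every card.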
Selecting Media Key Settings

Caution: You cannot modify the media key settings after a cluster is created.

In the Media Key Settings screen, select the media key settings. Table 4-2 lists the media key settings and definitions.
Table 4-2 Media Key Settings

Media Key Setting: Use unique key per media
Definition: In unique key mode, a unique key is issued for each tape volume. The default is unique key mode.
For information about primary and secondary servers, see the "High Availability Key Management Center" section on page 6-5.

Selecting Transport Settings

In the Transport Settings screen, to enable Transport Settings, select On. If enabled, specify the Trust Point from the drop-down menu.
For more information on viewing or editing the transport settings in the cluster details page, see the "Viewing and Modifying Transport Settings in Cluster Detail Page" section on page 4-24.

Confirming the Cluster Creation

In the Confirmation screen, review the cluster configuration information.
Downloading Key File and Storing Keyshares

This section describes how to download the key file for the basic security level and store keyshares for the standard and advanced security levels.
Standard Security Confirmation and Stored Keyshares

For the standard security level, follow these steps:
Step 1 In the Confirmation screen, click Confirm to create the cluster.
Step 2 A Store Keyshares screen opens. After the smart card applet finishes loading, click Next.
Step 4 Click Finish to create a cluster.
Step 5 After the cluster creation is completed, click Close to return to the Fabric Manager Web Client and to view the smart card information.
Step 6 View the smart card information.

Advanced Security Confirmation and Stored Keyshares

To configure the advanced security level, follow these steps:
Step 1 In the Confirmation screen, click Confirm to create the cluster.
Step 2 A Store Keyshares screen opens. After the smart card applet finishes loading, click Next.
You will see a notification that the keyshare is being stored. This notification is shown after each keyshare is stored.
Step 4 Click Next.
Step 5 Enter the switch credentials and PIN information for the second recovery officer. Click Next.
Step 6 Enter the switch credentials and PIN information for the third recovery officer. Click Next.
Step 7 Enter the switch credentials and PIN information for the fourth recovery officer. Click Next.
Step 8 Enter the switch credentials and PIN information for the fifth recovery officer. Click Next.
Step 9 Click Finish to return to the Fabric Manager Web Client to view the smart card information.
Step 10 View the smart card information by selecting Smartcards.

Deactivating and Purging a Cisco SME Cluster

You can archive clusters that are Online, Pending, or Deprecated. For information on cluster states, see the "Viewing Cluster States" section on page 4-23.
• Deactivating a Cisco SME Cluster, page 4-21
• Purging a Cisco SME Cluster, page 4-22

Deactivating a Cisco SME Cluster

Deactivating deletes the cluster from the switch and retains the keys in the Cisco KMC.
Viewing Cisco SME Cluster Details

To view cluster details, click the cluster name and the cluster detail page displays.
Note: You can use the links across the top of the information pane to navigate within the cluster.
• Deactivated—The Cisco SME cluster has been removed from the switches; the keys belonging to the cluster are retained in the Cisco KMC in a deactivated state.
• Pending—The first Cisco SME interface has not been added to a cluster and it is not yet online.
• Offline—The switches of the cluster are not reachable from Fabric Manager.
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m The transport settings details are dsiplayed when SSL is Off. You can also modify the transport settings in the cluster detail page by clicking Modify. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 2 Select SSL and choose a Trust Point from the drop-down menu. Click Apply to save the settings. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-26 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 4 Cisco SME Cluster Management Viewing Cisco SME Cluster Details Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Viewing and Modifying Key Management Servers Settings To view and modify the primary and secondary key management servers settings, follow these steps: Step 1 Select the cluster in the navigation pane to display the cluster detail page. Click Modify to edit the server settings.
Chapter 4 Cisco SME Cluster Management Viewing Cluster Information Using Fabric Manager Client Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Viewing Cluster Information Using Fabric Manager Client To view Cisco SME cluster information using Fabric Manager Client, follow these steps: Step 1 In the Physical Attributes pane, select End Devices > SME Clusters. Step 2 Click the Members tab to view members in a cluster.
Chapter 4 Cisco SME Cluster Management Viewing Cluster Information Using Device Manager Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 3 Click the Interfaces tab to view information about SME interfaces. Viewing Cluster Information Using Device Manager To view Cisco SME cluster information using Device Manager, follow these steps: Step 1 In the Interface menu, select SME Clusters.
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 4 Select Interfaces to view cluster interface information. Step 5 Select Hosts to view the information about the hosts in the cluster. Cluster Quorum and Master Switch Election Overview This section describes the Cisco SME cluster quorum and the process for electing the master switch in a cluster.
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Cluster Quorum For a cluster to be operational, it must include more than half the number of configured switches in the cluster view. In an N-node cluster, N/2 + 1 nodes form a cluster quorum. If N is even, the cluster quorum requires N/2 nodes and also, the presence of the switch with the lowest node ID.
Chapter 4 Cisco SME Cluster Management Cluster Quorum and Master Switch Election Overview Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m When the switches lose connectivity between them, the master switch S1 continues to be operational since it has the lower node ID and can form an (N/2) switch cluster. Switch S2 becomes non-operational. 2.
Chapter 4 Cisco SME Cluster Management In-Service Software Upgrade (ISSU) in a Two-Node Cluster Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m 2. In a three-switch operational cluster, if the master switch S1 fails or loses connectivity with the other two switches, then S1 becomes nonoperational. Switches S2 and S3 will form an operational cluster and S2 will be the master. When S1 comes up again, it will rejoin the cluster.
Chapter 4 Cisco SME Cluster Management In-Service Software Upgrade (ISSU) in a Two-Node Cluster Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Note • The upgrading node sends a message to the other node of the intent to leave the cluster. The upgrading node can either be a master node or a slave node. • The remaining node remains in the cluster and performs the role of the master node if it was a slave node.
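The quorum rule, the two partition examples and the two-node ISSU note above can be checked mechanically. The following Python is a worked example added to this page; it is not Cisco code and does not talk to a switch. It encodes exactly the rule stated in the Cluster Quorum section. Two things are assumptions rather than statements from the guide: node IDs are treated as plain integers, and the master of an operational partition is taken to be the lowest node ID in it (which is what the S1/S2/S3 examples show). The ISSU case is modelled by removing the upgrading node from the cluster view for the duration of the upgrade, which is one reading of the intent-to-leave message.

```python
"""SME cluster quorum and master election, as an added worked example.

Not Cisco code. Implements the page's rule: an N-node cluster is operational
when more than half of its configured switches are in view (N // 2 + 1), and
when N is even an exact half also counts if it includes the lowest node ID.
Assumptions not on the page: node IDs are integers, and the master of an
operational partition is its lowest node ID.
"""


def quorum_size(n):
    """Smallest number of nodes that can form a quorum in an N-node cluster."""
    if n < 1:
        raise ValueError("a cluster needs at least one configured node")
    return n // 2 if n % 2 == 0 else n // 2 + 1


def has_quorum(configured, reachable):
    """True if the nodes in `reachable` may operate as the cluster."""
    configured = set(configured)
    reachable = set(reachable) & configured      # ignore nodes that are not cluster members
    n = len(configured)
    if 2 * len(reachable) > n:                   # strict majority: always operational
        return True
    if n % 2 == 0 and 2 * len(reachable) == n:   # even split: the lowest node ID decides
        return min(configured) in reachable
    return False


def partition_state(configured, reachable):
    """(operational, master) for one side of a partition; master is None when not operational."""
    reachable = set(reachable) & set(configured)
    if not has_quorum(configured, reachable):
        return False, None
    return True, min(reachable)                  # assumption: lowest reachable node ID is master


def split_brain_check(configured, sides):
    """Evaluate every side of a network split.

    `sides` maps a name to the node IDs that can still see each other.
    Returns {name: (operational, master)} and raises if two sides both claim
    quorum, which the lowest-node-ID tie-break is designed to prevent.
    """
    result = {name: partition_state(configured, members) for name, members in sides.items()}
    if sum(1 for operational, _ in result.values() if operational) > 1:
        raise RuntimeError("two partitions are operational: split brain")
    return result


def issu_leave(configured, leaving):
    """Two-node ISSU: the upgrading node announces it is leaving.

    Modelling assumption: the intent-to-leave message shrinks the cluster view
    to the remaining node, so that node stays operational and becomes master.
    Without that message, has_quorum() would take a higher-ID peer offline
    as soon as the low-ID node disappeared.
    """
    remaining = set(configured) - {leaving}
    return partition_state(remaining, remaining)
```

The contrast worth noticing is between `partition_state([1, 2], [2])`, which is not operational because S2 is alone and does not hold the lowest node ID, and `issu_leave([1, 2], 1)`, which leaves S2 operational and master: the graceful leave is what keeps a two-node cluster serving during an upgrade.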
Chapter 5 Cisco SME Tape Configuration

This chapter contains information about managing tapes that are encrypted using Cisco SME.

Figure 5-1 shows the Cisco SME tape backup environment.

Adding Tape Groups

To add a tape group, follow these steps:

Step 1 Select Tape Groups. Click Add.
Note A default volume group is created when the tape group is created; none of the configurations can be changed for the default volume group; however, you can create a new volume group.
Step 2 Enter a name for the tape group. Click Next.
Step 3 Select specific VSANs for the tape group. Click Next.
Step 4 Select the hosts (backup servers) for the tape group. Click Next.
Step 5 Select the tape drives for the tape group. Click Next.
Step 6 Select the paths to use to create the tape group. Click Next.
Step 7 Verify the information. Click Confirm to save and activate the changes. Your screen refreshes to the Fabric Manager Server SME screen.
Step 8 View the hosts, tape devices, and volume groups that belong to the tape group.
Note Messages are logged to the switch when tapes are bypassing encryption.

Deleting Tape Groups

Note Before deleting a tape group, you must first delete tape devices and tape volume groups.

Adding Tape Devices

To add tape devices to an existing tape group, follow these steps:

Step 1 Click Tape Devices. Click Add.
Step 2 Select the VSANs that you would like to discover paths from. Click Next.
Step 3 Select the hosts that you would like to discover paths from. Click Next.
Step 4 Select the tape drives. Click Next.
Step 5 Select the paths that Cisco SME will use for encrypted data between the host and tape devices. Click Next.
Step 6 Confirm the addition of the new tape device. Click Confirm to close the Cisco SME wizard and to return to the Fabric Manager Server SME screen.
Step 7 View the new tape device that was added to the cluster.

Deleting Tape Devices

To delete a tape device from an existing tape group, follow these steps:

Step 1 Click Tape Devices, and then select the device you want to remove.
Step 2 Click Remove.
Step 3 Click OK to delete the tape device.

Adding Tape Paths

Use the Tape Path Wizard to quickly add or modify tape paths between hosts and target backup devices.

To add a tape path to a tape device, follow these steps:

Step 1 Select a tape device.
Step 2 Click Add.
Step 3 Select the appropriate fabric and enter the VSAN, initiator and target WWNs, and the LUN. Click Next.
Step 4 Confirm the addition of the new tape path. Click Confirm to close the Cisco SME wizard and to return to the Fabric Manager Server SME screen.

Deleting Paths from a Device

To delete a tape path from a device, follow these steps:

Step 1 Click a tape device name to display the tape device details and the paths.

Adding Tape Volume Groups

To add tape volume groups to an existing tape group, follow these steps:

Step 1 Click Volume Groups. Click Create.
Step 2 Enter the new volume group name and configure a filter that Cisco SME will use to match volumes for that volume group.
Step 3 Confirm the addition of the new volume group. Click Confirm to close the Cisco SME wizard and to return to the Fabric Manager Server SME screen.
Step 4 View the new volume group added to the tape group.

Note For information on importing and exporting volume groups, see Chapter 6, “Cisco SME Key Management.”

Deleting Tape Volume Groups

To delete a tape volume group from a Cisco SME cluster, follow these steps:

Step 1 Click Volume Groups to display the tape volume groups in the cluster.
Step 2 Select a tape volume group and click Remove.
Step 3 Click OK to delete the tape volume group and to view the volume group notification.

Viewing Host Details

You can view detailed information about hosts in a Cisco SME cluster. Information for a specific host includes the tape group membership, paths from the host to the target, VSAN, fabric, status, and the tape device. To view the host details, select a host in the navigation pane.
Chapter 6 Cisco SME Key Management

This chapter contains information about Cisco Storage Media Encryption comprehensive key management.

Master Key

When a Cisco SME cluster is created, a security engine generates the master key. Because a single fabric can host more than one cluster (for example, to support the needs of multiple business groups within the same organization), there are as many master keys as there are clusters.

Master Key Security Modes

To recover encrypted data-at-rest from a specific tape, you need access to the keys that were created for that tape cartridge. Because the master key is used to protect all other keys, Cisco SME provides three master key security modes to protect the master key: Basic, Standard, and Advanced.

Key Management Settings

When creating a tape volume group, you need to determine whether to enable or disable the key management settings. Table 6-2 describes the key settings, considerations, and the type of keys that can be purged if a particular setting is chosen. All key settings are configured at the cluster level.

The default setting is Yes. Setting this option to No is required only if tape cloning is done outside of the Cisco SME tape group.

High Availability Key Management Center

The Cisco KMC consists of a pair of KMC servers (KMS) that provide high availability and reliability.

Step 4 Click OK to save the settings and view the notification that the settings have been saved.
Viewing Advanced Security Mode Smart Cards

To view Advanced security mode smart card information, select Smartcards in the navigation pane.

Viewing Keys

You can view information about unique tape volume keys, tape volume group keys, and shared tape volume group keys.

Step 3 Click the Deactivated tab to view all keys that have been marked as deactivated and stored in the Cisco KMC. You can view the barcode, GUID (the unique key identifier generated by the switch), deactivated date, and version (the version of the tape key generated for the same barcode).

Step 2 Click Confirm.

Exporting Volume Groups

Exporting tape volume groups is useful when tapes are moved to a different cluster: you will need the keys if you have to restore those tapes. If the source cluster is online, follow the steps in this section.

Step 5 Click Download to download the volume group file.
Step 6 Save the .dat file.

Note The exported volume group file can be used by the Offline Data Restore Tool (ODRT) software to convert a Cisco SME encrypted tape back to clear text when the Cisco SME line card or the Cisco MDS switch is unavailable. For more information about the Offline Data Restore Tool (ODRT), see Appendix B, “Offline Data Recovery in Cisco SME.”

Step 3 Locate the file to import. Enter the password that was assigned to encrypt the file. Click Next.
Step 4 Select the volume group .dat file. Click Open.
Step 5 Click Confirm to begin the import process, or click Back to choose another volume group file.
Note The imported keys in tape volume groups are read-only by default. However, if the entry “sme.retain.imported.key.state=true” is set in the conf/smeserver.

Step 3 Click Rekey. A confirmation dialog box asks whether the rekey operation is to be performed. Click OK to rekey the selected volume groups.

Auto Key Replication of Keys Across Data Centers

The auto replication of media keys enables tapes to be moved from one data center to another. A replication relationship is set up between the volume groups in the different clusters, and the replication context for the destination clusters needs to be acquired. Once the relationship is set up between the clusters, whenever a key is generated in the source cluster, the key is automatically translated to the destination cluster.

Step 4 Click Create to create a remote replication relationship. A Create Replication Relationship area appears where the source cluster and the destination clusters are displayed.
Step 5 Select the clusters to expand or collapse the list of the Source Volume Group and the Destination Volume Group.

Removing Remote Replication Relationships

To remove a remote replication relationship, follow these steps:

Step 1 Click Clusters in the navigation pane to display the clusters and select Remote Replication. The Remote Replication Relationships area appears in the right-hand pane.
Step 4 A notification window appears that indicates the removal of the remote replication relationship.

Basic Mode Master Key Download

In Basic security mode, the master key file can be downloaded multiple times from the Fabric Manager Web Client. The cluster detail view includes a button to download the master key file.

Step 3 Enter the password to protect the master key file. Click Download to begin downloading the encrypted file.
Step 4 Click Close to close the wizard.
Step 5 Click Save to save the downloaded master key file.

Replacing Smart Cards

This section describes how to replace smart cards for clusters in the following modes.

• Standard Mode, page 6-22
• Advanced Mode, page 6-24

Standard Mode

In Standard security mode, the master key can be downloaded to a replacement smart card from the Fabric Manager Web Client.

Step 4 Click Finish to close the wizard.

Advanced Mode

In Advanced security mode, the master key is stored on five smart cards. Depending on the quorum required to recover the master key, two or three of the five smart cards (or two of three smart cards) are required to unlock the master key. The master key is stored securely on PIN-protected smart cards.
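The Advanced mode description above, and the note later in this chapter that the number of smart cards needed to export from an archived cluster depends on the quorum chosen at cluster creation (for example two of five), both describe a k-of-n threshold: any quorum of cards unlocks the master key, fewer than the quorum reveal nothing, and a card replacement re-issues shares to all five officers. The Python below is a worked example added to this page, not Cisco code. The guide does not say which threshold scheme SME uses, so the block uses Shamir secret sharing over a prime field as a generic illustration; the `SmartCard` class is a software stand-in for a PIN-protected card, and the officer labels, PINs and the 128-bit key value are constructed for the example.

```python
"""Threshold recovery of a master key from smart-card keyshares (added example).

Not Cisco code. Shamir secret sharing over a prime field as a generic k-of-n
illustration; the page does not state which scheme SME uses. SmartCard is a
software model of a PIN-protected card, not a driver for a real one.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = 2**255 - 19          # prime modulus; any secret below P can be shared (a 128-bit key is)


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, shares):
    """Split secret into `shares` points so that any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret out of field range")
    # constant term is the secret; the remaining coefficients are fresh randomness
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0 from (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


@dataclass
class SmartCard:
    """A PIN-protected card holding one keyshare (a model; real cards do this in hardware)."""
    label: str
    pin_hash: bytes
    share: tuple

    @classmethod
    def provision(cls, label, pin, share):
        return cls(label, hashlib.sha256(pin.encode()).digest(), share)

    def unlock(self, pin):
        """Release the keyshare only if the PIN matches (constant-time compare)."""
        if not hmac.compare_digest(self.pin_hash, hashlib.sha256(pin.encode()).digest()):
            raise PermissionError(f"wrong PIN for card {self.label}")
        return self.share


def provision_cards(master_key, threshold, officers):
    """Split the master key across one card per (label, pin) recovery officer."""
    shares = split_secret(master_key, threshold, len(officers))
    return [SmartCard.provision(label, pin, share) for (label, pin), share in zip(officers, shares)]


def recover_from_cards(cards_and_pins):
    """Recovery officers present cards and PINs; a quorum of unlocked shares yields the key."""
    return recover_secret([card.unlock(pin) for card, pin in cards_and_pins])


def replace_all_cards(cards_and_pins, threshold, new_officers):
    """Card replacement: recover with the old quorum, then issue fresh shares to every officer.

    The new shares come from a new random polynomial, so old and new cards
    cannot be mixed to reach the threshold; the old shares are dead once the
    new set is stored, which is what the old/new recovery-share view reflects.
    """
    return provision_cards(recover_from_cards(cards_and_pins), threshold, new_officers)
```

Two properties are worth testing rather than assuming: fewer than `threshold` shares interpolate to a value unrelated to the key, and a share from the old card set combined with shares from the replacement set does not recover the key either, because the two sets come from different polynomials.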
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m The Cisco SME Recovery Officer who owns the replacement smart card is prompted to log in and to insert the smart card to download the master key. Step 4 Enter the switch login information and the smart card PIN and label. Click Next.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 5 Insert one of the smart cards that stores the master key. Click Next. Step 6 Enter the switch login information and the smart card PIN and label. Click Next. ) Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-26 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 7 Enter the switch login information and the smart card PIN and label. Click Next. Step 8 Enter the switch login information and the smart card PIN and label. Click Next. Step 9 Insert the smart cards belonging to each recovery officer in any random order.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m To store the new master keyshares, follow these steps: a. Enter the switch login information, the PIN number for the smart card, and a label that will identify the smart card. Click Next. A notification is shown that the first keyshare is successfully stored.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m b. Enter the switch credentials and PIN information for the second recovery officer. Click Next. A notification is shown that the second keyshare is successfully stored. c. Enter the switch credentials and PIN information for the third recovery officer. Click Next.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m A notification is shown that the third keyshare is successfully stored. d. Enter the switch credentials and PIN information for the fourth recovery officer. Click Next. A notification is shown that the fourth keyshare is successfully stored.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m e. Enter the switch credentials and PIN information for the fifth recovery officer. Click Next. A notification is shown that the fifth keyshare is successfully stored. Click Next to begin the automatic synchronization of volume groups. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m You will see an indication that the operation is in progress until the synchronization of volume groups is completed. Step 10 The smart card replacement is completed. Click Close to return to the Fabric Manager Web Client and to view the smart card information.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 11 To view the new smart card information, select Smartcards. The smart card details displays the old recovery shares and the new recovery shares. Exporting Volume Groups From Archived Clusters When a Cisco SME cluster is archived, all key management operations such as exporting volume groups, are performed at the Cisco KMC.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 2 Click Browse to locate the volume group master key file. Step 3 Select the master key file. Click Open. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-34 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 4 Enter the password that protects the master key for the archived volume group. Click Next. Step 5 Enter the password that will be used to encrypt the exported file. Click Next. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 6 Click Download to begin downloading the volume group file. Step 7 To save the exported volume group, click Save. Standard Mode To export a volume group from an archived cluster (Standard security mode), follow these steps: Step 1 Select Volume Groups (in an archived cluster) to display the volume groups in the cluster.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 2 Insert one of the five smart cards into the smart card reader. Click Next. Step 3 Enter the smart card PIN and label. Click Next. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 4 Enter the password to encrypt the volume group file. Click Next. Step 5 Click Download to begin downloading the file. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-38 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 6 Save the .dat file. Click Next. Advanced Mode To export a volume group from an archived cluster (Advanced security mode), follow these steps: Step 1 Select Volume Groups (in an archived cluster) to display the volume groups in the cluster. Select a volume group and click Export.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 2 Insert one of the five smart cards into the smart card reader. Click Next. Step 3 Enter the smart card PIN and label. Click Next. The keyshare is retrieved. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-40 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 4 Insert the next smart card into the smart card reader. Click Next. Note Repeat this step for each smart card that is required to unlock the master key. The number of required smart cards depends on the quorum number selected during the cluster creation, for example, two of five smart cards. Step 5 Enter the smart card PIN and label.
Chapter 6 Cisco SME Key Management Key Management Operations Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Step 7 Click Download to begin downloading the volume group. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 6-42 OL-18091-01, Cisco MDS NX-OS Release 4.
Chapter 6 Cisco SME Key Management
Send documentation comments to mds-feedback-doc@cisco.com

Step 8 Click Save to save the .dat file.

Accounting Log Information

This section describes how to view the accounting information and how the accounting log messages are displayed.

Step 4 Click Clear Filter to display the complete accounting log information.

KMC Accounting Log Messages

The accounting.log file in the FM log directory contains the KMC accounting log messages. The accounting log records key-related operations, their resulting status, and any related information.

------------------------------------
Operation: STORE_KEY
Logged as: "Store key"
Description: A new key is being written to the keystore. The details in the accounting log of a STORE_KEY operation depend upon the KEY_TYPE and the STATUS of the operation.

Operation: ARCHIVE_ALL_KEYS
Logged as: "Archive all keys"
Description: All keys are archived for an instance of a KEY_TYPE. The details in the accounting log of an ARCHIVE_ALL_KEYS operation depend upon the KEY_TYPE and the STATUS of the operation.

Description: All wrap keys for the given tape volume are removed from the keystore.
Details: SUCCESS: "tape group: tape volume group: "
------------------------------------
Operation: EXPORT_ARCHIVED
Logged as: "Export archived cluster"
Description: An archived cluster is being exported.

Operation: ABORT_REKEY_MASTER_KEY
Logged as: "Abort master key rekey"
Description: A re-key operation has been aborted. If the operation cannot be aborted, the failure is logged.
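The accounting records described above are worth reviewing routinely, because a failed key operation (a STORE_KEY that did not complete, or a master key rekey that could not be aborted) is the kind of event an administrator wants surfaced rather than left in accounting.log. The following Python script is an added example and is not part of the Cisco guide or of Fabric Manager. The operation names and "Logged as" labels are taken from the entries above, but the one-record-per-line layout it parses (timestamp, user, operation, status, details) is an assumption, and the sample log is constructed for illustration; adapt LINE_RE to the actual file layout before using it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operation names and their "Logged as" labels, as listed in the guide.
OPERATION_LABELS = {
    "STORE_KEY": "Store key",
    "ARCHIVE_ALL_KEYS": "Archive all keys",
    "EXPORT_ARCHIVED": "Export archived cluster",
    "ABORT_REKEY_MASTER_KEY": "Abort master key rekey",
}

# ASSUMED record layout (the guide does not show the raw line format):
#   <YYYY-MM-DD HH:MM:SS> <user> <OPERATION> <STATUS> [details]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<op>[A-Z][A-Z_]*)\s+"
    r"(?P<status>SUCCESS|FAILURE)"
    r"(?:\s+(?P<details>.*))?$"
)


@dataclass
class Record:
    ts: str
    user: str
    op: str
    status: str
    details: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one accounting record; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Record(m["ts"], m["user"], m["op"], m["status"], m["details"] or "")


def describe(rec: Record) -> str:
    """Render a record with the human-readable 'Logged as' label."""
    label = OPERATION_LABELS.get(rec.op, rec.op)
    return f"{rec.ts} {rec.user}: {label} -> {rec.status} {rec.details}".rstrip()


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count operations per status and collect what an auditor should look at."""
    counts: Counter = Counter()
    failures: List[Record] = []
    unknown_ops: List[str] = []
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1              # does not fit the layout: counted, never silently dropped
            continue
        counts[(rec.op, rec.status)] += 1
        if rec.status != "SUCCESS":
            failures.append(rec)        # every failed key operation is review-worthy
        if rec.op not in OPERATION_LABELS:
            unknown_ops.append(rec.op)  # operation missing from the label table above
    return {
        "counts": dict(counts),
        "failures": failures,
        "unknown_ops": unknown_ops,
        "malformed": malformed,
    }


# Constructed sample records (not real accounting.log content).
SAMPLE_LOG = """\
2009-02-10 09:12:01 admin STORE_KEY SUCCESS key type: tape key, tape group: HR1
2009-02-10 09:13:45 admin STORE_KEY FAILURE key type: tape key, tape group: EM1
2009-02-10 10:00:12 sme-admin ARCHIVE_ALL_KEYS SUCCESS key type: master key
2009-02-10 11:30:00 recovery-officer ABORT_REKEY_MASTER_KEY FAILURE rekey cannot be aborted
this line is not an accounting record
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (op, status), n in sorted(report["counts"].items()):
        print(f"{OPERATION_LABELS.get(op, op):<26} {status:<8} {n}")
    for rec in report["failures"]:
        print("FAILED:", describe(rec))
    print("malformed lines:", report["malformed"])
```

Malformed lines are counted rather than discarded, so a change in the log layout after an upgrade shows up as a rising malformed count instead of as an empty report.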
Migrating a KMC Server

Step 3 Update the cluster with the new KMC server details when the new KMC server is active.
a. Go to the Fabric Manager Web Client and click the SME tab.
b. Select the cluster. The cluster details page is displayed.
c. Click Modify and choose the new KMC server.
Chapter 7 Using the Command Line Interface to Configure SME

This chapter contains information about basic Cisco Storage Media Encryption configuration using the command line interface (CLI).

Enabling and Disabling SME Clustering

2. Enable SME on the MSM-18/4 module switch.
3. Add the SME interface to the MSM-18/4 module switch.
4. Add a fabric that includes the MSM-18/4 module switch with the SME interface.
5. Create a cluster.
a. Name the cluster.
b. Select the fabrics that you want to create a cluster from.
c.

To configure the SME interface, follow these steps:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# interface sme x/y
        Configures the SME interface on slot x, port y, where x is the MSM-18/4 module slot and y is the default SME port. Enters the interface submode.

• Volume tape groups
• Tape compression

To create an SME cluster, follow these steps:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# sme cluster clustername1
        switch(config-sme-cl)#
        Specifies the cluster name and enters SME cluster configuration submode.

Setting the SME Cluster Security Level

Step 2  switch(config)# sme cluster clustername1
        switch(config-sme-cl)#
        Specifies the cluster and enters SME cluster configuration submode.
Step 3  switch(config-sme-cl)# security-mode basic
        Sets the cluster security level to Basic.

Step 3  switch(config-sme-cl)# fabric clustername1
        Specifies the fabric.
Step 4  switch(config-sme-cl)# node A.B.C.D | X:X::X | DNS name
        switch(config-sme-cl-node)#
        Enters the SME cluster node submode and specifies a remote switch. The format is A.B.C.D | X:X::X | DNS name.

Step 3  switch(config-sme-cl)# auto-volgrp
        switch(config-sme-cl)#
        Enables automatic volume grouping.
Step 4  switch(config-sme-cl)# no auto-volgrp
        switch(config-sme-cl)#
        Disables automatic volume grouping.

Configuring a Tape Volume Group

A tape volume group is a group of tapes, usually categorized by function. For example, HR1 could be the designated tape volume group for all Human Resources backup tapes, and EM1 could be the designated tape volume group for all e-mail backup tapes.

Viewing Cisco SME Cluster Details

Additional cluster information can be displayed with the show sme cluster command.

Viewing Tape Information

Use the show sme cluster tape command to view summary or detailed information about tapes.

SME setup done.
Chapter 8 Cisco SME Best Practices

This chapter describes Cisco Storage Media Encryption best practices. You can avoid problems when configuring Cisco SME if you observe the best practices described in this chapter.

Overview of Best Practices

Best practices are the recommended steps you should take to ensure the proper operation of Cisco SME.

• Refer to the Cisco Storage Media Encryption Design Guide for guidelines on sizing and placement of Cisco SME interfaces.

Cisco KMC Practices

Note
• As your data storage grows, the number of tape keys will also grow over time. This is especially the case when you select the unique key mode.
Chapter 9 Cisco SME Troubleshooting

This chapter describes basic troubleshooting methods used to resolve issues with Cisco Storage Media Encryption.

Cluster Recovery Scenarios

Note The Cisco SME cluster configuration for an offline switch must be done using the CLI. Cisco SME cluster configuration for an online switch can be done using Fabric Manager or the CLI.

On the offline switch (switch2), shut down the cluster by performing this task:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# sme cluster ABC
        switch(config-sme-cl)# shutdown
        Shuts down the ABC cluster on the offline switch.

Note Repeat the procedure for every offline switch.

On the cluster master switch, shut down the cluster and then delete the cluster by performing this task:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# sme cluster ABC
        switch(config-sme-cl)# shutdown
        Shuts down the ABC cluster.

On switch1, shut down the cluster by performing this task:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# sme cluster ABC
        switch(config-sme-cl)# shutdown
        Shuts down the ABC cluster.

On switch2, shut down the cluster by performing this task:

Step 1  switch# config t
        Enters configuration mode.
Step 2  switch(config)# sme cluster ABC
        switch(config-sme-cl)# shutdown
        Shuts down the ABC cluster on switch2.

Troubleshooting General Issues

The Cisco SME naming convention allows alphanumeric, dash, and underscore characters. Other types of characters will cause problems in the cluster configuration.

Troubleshooting Scenarios

If you need to replace an MSM-18/4 module with another MSM-18/4 module

In the existing MDS 9000 Family platform, a module can be replaced with another module with no change in configuration.

If you need to contact your customer support representative or Cisco TAC

At some point, you may need to contact your customer support representative or Cisco TAC for additional assistance.
Appendix A Cisco SME CLI Commands

The commands in this chapter apply to the Cisco MDS 9000 Family of multilayer directors and fabric switches. See the "Command Modes" section to determine the appropriate mode for each command. For more information, refer to the "Command Modes" section of the Cisco MDS 9000 Family CLI Configuration Guide.

auto-volgrp

To configure automatic volume grouping, use the auto-volgrp command. To disable this feature, use the no form of the command.

auto-volgrp
no auto-volgrp

Syntax Description: This command has no arguments or keywords.
Defaults: Disabled.
Command Modes: Cisco SME cluster configuration submode.
Command History: Release Modification 3.

clear fc-redirect config

To delete an FC-Redirect configuration on a switch, use the clear fc-redirect config command.

clear fc-redirect {config vt vt-pwwn local-switch-only}

Syntax Description:
  vt vt-pwwn  Specifies the virtual target (VT) of the configuration to be deleted. The format is hh:hh:hh:hh:hh:hh:hh:hh.

cluster

To configure a cluster feature, use the cluster command.

cluster enable

Syntax Description:
  enable  Enables or disables a cluster.
Defaults: None.
Command Modes: Configuration mode.
Command History:
  3.2(2)         This command was introduced.
  NX-OS 4.1(1b)  This command was deprecated.
Usage Guidelines: Starting from Cisco NX-OS 4.

debug sme

To enable debugging for the Cisco SME features, use the debug sme command. To disable a debug command, use the no form of the command.

switch# debug sme all
2007 Sep 23 15:44:44.490796 sme: fu_priority_select: - setting fd[5] for select call
2007 Sep 23 15:44:44.490886 sme: fu_priority_select_select_queue: round credit(8 )
2007 Sep 23 15:44:44.490918 sme: curr_q - FU_PSEL_Q_CAT_CQ, usr_q_info(2), p riority(7), credit(4), empty
2007 Sep 23 15:44:44.

discover

To initiate the discovery of hosts, use the discover command. To disable this feature, use the no form of the command.

discover host host port target target port vsan vsan id fabric fabric name
no discover host host port target target port vsan vsan id fabric fabric name

Syntax Description:
  host host port  Identifies the host port WWN.

do

Use the do command to execute an EXEC-level show command from any configuration mode or submode.

do command

Syntax Description:
  command  Specifies the EXEC command to be executed.
Defaults: None.
Command Modes: All configuration modes.
Command History:
  1.1(1)  This command was introduced.

SME statistics
  input 0 bytes, 5 second rate 0 bytes/sec, 0.00 KB/sec
  clear 0 bytes, encrypt 0 bytes, decrypt 0
  compress 0 bytes, decompress 0 bytes
  output 0 bytes, 5 second rate 0 bytes/sec, 0.

fabric

To add a fabric to the cluster, use the fabric command in the Cisco SME cluster configuration submode.

fabric fabric name

Syntax Description:
  fabric name  Specifies the fabric name.
Defaults: None.
Command Modes: Cisco SME cluster configuration submode.
Command History:
  3.2(2c)  This command was introduced.

fabric-membership

To add a node to a fabric, use the fabric-membership command. To remove the node from the fabric, use the no form of the command.

fabric-membership fabric name
no fabric-membership fabric name

Syntax Description:
  fabric name
Defaults: None.
Command Modes: Cisco SME cluster node configuration submode.

fc-redirect version2 enable

To enable the version2 mode in FC-Redirect, use the fc-redirect version2 enable command in configuration mode. To disable the version2 mode in FC-Redirect, use the no form of the command.

fc-redirect version2 enable
no fc-redirect version2 enable

Syntax Description: This command has no arguments or keywords.

1) This is a Fabric wide configuration. All the switches in the fabric will be configured in Version2 mode. Any new switches added to the fabric will automatically be configured in version2 mode.
2) SanOS 3.2.x switches CANNOT be added to the Fabric after Version2 mode is enabled. If any 3.2.

feature

To enable and disable Cisco SME features, use the feature command. To remove the feature, use the no form of the command.

feature {cluster | sme}
no feature {cluster | sme}

Syntax Description:
  cluster  Enables or disables the clustering feature.
  sme      Enables or disables the storage media encryption (SME) services.
Defaults: Disabled.

interface sme

To configure the Cisco SME interface on a switch, use the interface sme command. To remove the interface, use the no form of the command.

interface sme slot/port
no interface sme slot/port

Syntax Description:
  slot  Identifies the number of the MSM-18/4 module slot.
  port  Identifies the number of the Cisco SME port.
Defaults: Disabled.

interface sme (Cisco SME cluster node configuration submode)

To add a Cisco SME interface from a local or a remote switch to a cluster, use the interface sme command. To delete the interface, use the no form of the command.

Related Commands:
  fabric-membership  Adds the node to a fabric.
  show interface     Displays Cisco SME interface details.
key-ontape

To configure the key-on-tape mode and store the encrypted security keys on the backup tapes, use the key-ontape command. To disable this feature, use the no form of the command.

key-ontape
no key-ontape

Syntax Description: This command has no arguments or keywords.
Defaults: Disabled.
Command Modes: Cisco SME cluster configuration submode.

Related Commands:
  no auto-volgrp        Disables automatic volume grouping.
  no shared-key         Specifies unique key mode.
  show sme cluster key  Displays information about the cluster key database.
  show sme cluster tape Displays information about tapes.

link-state-trap

To enable a Simple Network Management Protocol (SNMP) link state trap on an interface, use the link-state-trap command. To disable this feature, use the no form of the command.

link-state-trap
no link-state-trap

Syntax Description: This command has no arguments or keywords.
Defaults: None.

load-balancing

To enable cluster load balancing for all targets or for specific targets, use the load-balancing command. To disable this feature, use the no form of the command.

load-balancing {enable | target wwn}
no load-balancing {enable | target wwn}

Syntax Description:
  enable  Enables cluster load balancing.

node

To configure a Cisco SME switch, use the node command. To remove the configuration, use the no form of the command.

node {local | {A.B.C.D | X:X::X/n | DNS name}}
no node {local | {A.B.C.D | X:X::X/n | DNS name}}

Syntax Description:
  local    Configures the local switch.
  A.B.C.D  Specifies the IP address of the remote switch in IPv4 format.

odrt.bin

To perform offline data recovery of a tape encrypted by Cisco SME, use the odrt.bin command on Linux-based systems. This command allows you to recover data when the MSM-18/4 module or the Cisco MDS 9222i fabric switch is not available.

odrt.

rule

To specify the tape volume group regular expression, use the rule command. To disable this feature, use the no form of the command.

rule {range range | regexp regular expression}
no rule {range range | regexp regular expression}

Syntax Description:
  range range  Specifies the crypto tape volume barcode range. The maximum length is 32 characters.
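The troubleshooting chapter states that SME names may contain only alphanumeric, dash and underscore characters, and the rule command above attaches barcode ranges or regular expressions of at most 32 characters to a tape volume group. The following Python module is an added example, not Cisco code, that checks both before a configuration is pushed to the switch: it validates names against that character set and length, and it shows how a tape barcode would be assigned to a volume group by such rules. The range syntax it accepts (LOW-HIGH, two barcodes of equal length compared inclusively), whole-barcode regular expression matching and first-match ordering are assumptions for illustration, as are the sample group names and barcodes; consult the rule command reference for the exact semantics on the switch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Naming convention from the troubleshooting chapter: alphanumeric, dash, underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Length limit the guide states for volume group names and rule ranges.
MAX_LEN = 32


def validate_name(name: str) -> Optional[str]:
    """Return None when the name is acceptable, otherwise the reason it is not."""
    if not name:
        return "name is empty"
    if len(name) > MAX_LEN:
        return f"name is longer than {MAX_LEN} characters"
    if NAME_RE.match(name) is None:
        bad = sorted({c for c in name if re.match(r"[A-Za-z0-9_-]", c) is None})
        return "name contains disallowed characters: " + "".join(bad)
    return None


@dataclass
class Rule:
    kind: str      # "range" or "regexp", mirroring the rule command keywords
    pattern: str   # the range text or the regular expression


def parse_range(text: str) -> Tuple[str, str]:
    """Split an ASSUMED 'LOW-HIGH' range into its bounds (equal length, LOW <= HIGH)."""
    if len(text) > MAX_LEN:
        raise ValueError(f"range is longer than {MAX_LEN} characters")
    parts = text.split("-")
    if len(parts) != 2 or not all(parts):
        raise ValueError("range must be written as LOW-HIGH")
    low, high = parts
    if len(low) != len(high) or low > high:
        raise ValueError("range bounds must have equal length with LOW <= HIGH")
    return low, high


def rule_matches(rule: Rule, barcode: str) -> bool:
    """Decide whether one rule selects the barcode."""
    if rule.kind == "range":
        low, high = parse_range(rule.pattern)
        # Inclusive lexicographic comparison of equal-length barcodes (assumed).
        return len(barcode) == len(low) and low <= barcode <= high
    if rule.kind == "regexp":
        if len(rule.pattern) > MAX_LEN:
            raise ValueError(f"regexp is longer than {MAX_LEN} characters")
        # Whole-barcode match is an assumption; a partial match would be looser.
        return re.fullmatch(rule.pattern, barcode) is not None
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def classify_barcode(groups: List[Tuple[str, List[Rule]]], barcode: str) -> Optional[str]:
    """Return the first volume group whose rules match the barcode (first match wins, assumed)."""
    for group_name, rules in groups:
        problem = validate_name(group_name)
        if problem:
            raise ValueError(f"volume group {group_name!r}: {problem}")
        if any(rule_matches(rule, barcode) for rule in rules):
            return group_name
    return None


# Constructed sample configuration; HR1 and EM1 echo the group names used in the guide.
SAMPLE_GROUPS: List[Tuple[str, List[Rule]]] = [
    ("HR1", [Rule("range", "HR100000-HR199999")]),
    ("EM1", [Rule("regexp", r"EM1[0-9]{5}"), Rule("range", "EM200000-EM299999")]),
]

if __name__ == "__main__":
    for name in ("HR1", "backup_2009-q1", "hr 1", "a" * 33):
        print(f"{name!r}: {validate_name(name) or 'ok'}")
    for code in ("HR100042", "EM123456", "EM250000", "XX000001"):
        print(code, "->", classify_barcode(SAMPLE_GROUPS, code))
```

Checking names and rule lengths on the administration host is cheap and catches the character-set problem the troubleshooting chapter warns about before it reaches the cluster configuration; a barcode that classifies to no group is the case to investigate, since it would not be encrypted under the intended key policy.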
Appendix A Cisco SME CLI Commands scaling batch enable Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m scaling batch enable To enable scalability in the Cisco SME configuration, use the scaling batch enable command. To disable this feature, use the no form of the command. scaling batch enable no scaling batch enable Syntax Description This command has no arguments or keywords. Defaults None.
Appendix A Cisco SME CLI Commands security-mode Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m security-mode To configure the Cisco SME security settings, use the security-mode command. To delete the security settings, use the no form of the command.
Appendix A Cisco SME CLI Commands setup Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m setup To run the basic setup facility, use the setup command. setup ficon | sme Syntax Description ficon Runs the basic FICON setup command facility. sme Runs the basic Cisco SME setup command facility. Defaults None. Command Modes EXEC. Command History Release Modification 3.3(1c) This command was introduced.
Appendix A Cisco SME CLI Commands shared-keymode Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m shared-keymode To configure the shared key mode, use the shared-keymode command. To specify the unique key mode, use the no form of the command. shared-keymode no shared-keymode Syntax Description This command has no arguments or keywords. Defaults None. Command Modes Cisco SME cluster configuration submode.
Appendix A Cisco SME CLI Commands show debug Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show debug To display all Cisco SME-related debug commands configured on the switch, use the show debug command. show debug {cluster {bypass | sap sap bypass} | sme bypass} Syntax Description cluster Displays all the debugging flags. bypass Displays the bypass flags. sap sap Displays all debugging flags of SAP.
Appendix A Cisco SME CLI Commands show fc-redirect active-configs Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show fc-redirect active-configs To display all active configurations on a switch, use the show fc-redirect active-configs command. show fc-redirect active-configs Syntax Description This command has no arguments or keywords. Defaults None. Command Modes EXEC mode. Command History Release Modification 3.
Appendix A Cisco SME CLI Commands show fc-redirect active-configs Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m ========== Appl UUID = 0x00D8 (ISAPI CFGD Service) SSM Slot = 2 SSM Switch WWN = 20:00:00:0d:EC:20:13:00 (REMOTE) Vt PWWN = 2f:ea:00:05:30:00:71:66 Tgt PWWN = 21:00:00:20:37:18:64:92 Local Host PWWN = 21:00:00:e0:8B:0d:12:c6 Related Commands Command Description clear fc-redirect vt Clears the active configurations on the local switch.
Appendix A Cisco SME CLI Commands show fc-redirect configs Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show fc-redirect configs To display all the current configuration mode on a switch, use the show fc-redirect configs command. show fc-redirect configs Syntax Description This command has no arguments or keywords. Defaults None. Command Modes EXEC mode Command History Release Modification 3.2(2c) This command was introduced.
Appendix A Cisco SME CLI Commands show fc-redirect peer-switches Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show fc-redirect peer-switches To display all the peer switches in the fabric running FC-Redirect, use the show fc-redirect peer-switches command. show fc-redirect peer-switches Syntax Description This command has no other keywords or arguments. Defaults None. Command Modes EXEC mode. Command History Release Modification 3.
Appendix A Cisco SME CLI Commands show fc-redirect peer-switches Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m Related Commands Command Description clear fc-redirect vt Clears the active configurations on the local switch. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Appendix A Cisco SME CLI Commands show interface sme Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show interface sme To display the information about Cisco SME interface, use the show interface sme command. show interface sme slot/port {brief | counters brief | description} Syntax Description slot Identifies the number of the MSM-18/4 module slot. port Identifies the number of the Cisco SME port.
Appendix A Cisco SME CLI Commands show interface sme Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m clear luns 0, encrypted luns 0 errors 0 CTH, 0 authentication 0 key generation, 0 incorrect read 0 incompressible, 0 bad target responses Related Commands Command Description interface sme Configures the Cisco SME interface on the switch. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.
Appendix A Cisco SME CLI Commands show role Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show role To display the description about the various Cisco SME role configurations, use the show role command. show role Syntax Description This command has no arguments or keywords. Defaults None. Command Modes EXEC mode. Command History Release Modification 3.3(1c) This command was introduced. NX-OS 4.1(1b) The sample output was changed.
Appendix A Cisco SME CLI Commands show role Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o .
Appendix A Cisco SME CLI Commands show sme cluster Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show sme cluster To display the information about the Cisco SME cluster, use the show sme cluster command. show sme cluster {cluster name {detail | interface {detail | node {A.B.C.
Appendix A Cisco SME CLI Commands show sme cluster Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m volgrp volume group name Displays tape volume group name. The maximum length is 32 characters. detail Displays Cisco SME cluster details. summary Shows Cisco SME cluster summary. Defaults None. Command Modes EXEC mode. Command History Release Modification 3.2(2c) This command was introduced. Usage Guidelines None.
Appendix A Cisco SME CLI Commands show sme cluster Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o .
Appendix A Cisco SME CLI Commands show sme transport Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show sme transport To display the Cisco SME cluster transport information, use the show sme transport command. show sme transport ssl truspoint Syntax Description ssl Displays transport Secure Sockets Layer (SSL) information. trustpoint Displays transport SSL trustpoint information. Defaults None. Command Modes EXEC mode.
Appendix A Cisco SME CLI Commands show tech-support sme Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m show tech-support sme To display the information for Cisco SME technical support, use the show tech-support sme command. show tech-support sme compressed bootflash: | tftp: Syntax Description compressed Saves the compressed Cisco SME bootflash: Specifies the filename that need to be stored.
Appendix A Cisco SME CLI Commands shutdown (interface configuration submode) Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m shutdown (interface configuration submode) To disable an Cisco SME interface, use the shutdown command. To enable the interface, use the no form of the command. shutdown no shutdown Syntax Description This command has no arguments or keywords. Defaults None. Command Modes Interface configuration submode.
Appendix A Cisco SME CLI Commands shutdown (Cisco SME cluster configuration submode) Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m shutdown (Cisco SME cluster configuration submode) To disable a cluster for recovery, use the shutdown command. To enable the cluster for recovery, use the no form of the command. shutdown no shutdown Syntax Description This command has no arguments or keywords. Defaults None.
Appendix A Cisco SME CLI Commands sme Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m sme To enable or disable the Cisco SME services, use the sme command. sme {cluster name | transport ssl trustpoint trustpoint label} Syntax Description cluster Configures the cluster. name Identifies the cluster name. transport Configures the transport information. ssl Configures the transport SSL information.
Appendix A Cisco SME CLI Commands ssl Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m ssl To configure Secure Sockets Layer (SSL), use the ssl command. Use the no form of this command to disable this feature. ssl kmc no ssl kmc Syntax Description kmc Defaults None. Command Modes Cisco SME cluster configuration mode submode. Command History Release Modification 3.3(1c) This command was introduced.
Appendix A Cisco SME CLI Commands tape-bkgrp Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m tape-bkgrp To configure a crypto tape backup group, use the tape-bkgrp command. To disable this feature, use the no form of the command. tape-bkgrp groupname no tape-bkgrp groupname Syntax Description groupname Defaults None. Command Modes Cisco SME cluster configuration mode submode. Command History Release Modification 3.
Appendix A Cisco SME CLI Commands tape-compression Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m tape-compression To configure tape compression, use the tape-compression command. To disable this feature, use the no form of the command. tape-compression no tape-compression Syntax Description This command has no arguments or keywords. Defaults None. Command Modes Cisco SME cluster configuration submode.
tape-device

To configure a crypto tape device, use the tape-device command. To disable this feature, use the no form of the command.

tape-device device name
no tape-device device name

Syntax Description
device name

Defaults    None.

Command Modes    Cisco SME tape volume configuration submode.

Command History
Release    Modification
3.
tape-keyrecycle

To configure a tape key recycle policy, use the tape-keyrecycle command. To disable this feature, use the no form of the command.

tape-keyrecycle
no tape-keyrecycle

Syntax Description    This command has no arguments or keywords.

Defaults    None.

Command Modes    Cisco SME cluster configuration submode.
tape-volgrp

To configure the crypto tape volume group, use the tape-volgrp command. To disable this command, use the no form of the command.

tape-volgrp group name
no tape-volgrp group name

Syntax Description
group name

Defaults    None.

Command Modes    Cisco SME crypto backup tape group configuration submode.

Command History
Release    Modification
3.
tune-timer

To tune the Cisco SME timers, use the tune-timer command. To disable this command, use the no form of the command.
Appendix B    Offline Data Recovery in Cisco SME

The Cisco SME solution provides seamless encryption service through a hardware-based encryption engine. However, when the MSM-18/4 module or the Cisco MDS 9222i fabric switch is not available, you can use the Offline Data Restore Tool (ODRT). This appendix describes the basic functionalities and operations of this software application.
For more information about the odrt.bin command, see Appendix A, “Cisco SME CLI Commands.”

Note
The Offline Data Restore Tool (ODRT) is currently supported only in Red Hat Enterprise Linux 5.
Appendix C    Provisioning Self-Sign Certificates

The Secure Socket Layer (SSL) protocol secures network communication by encrypting data before transmission. Many application servers and Web servers support the use of keystores for SSL configuration. This appendix also includes information on how to select the RSA Key Manager.
Configuring SSL for Cisco SME

Creating CA Certificates

To generate the CA certificates, follow these steps:

Step 1    Create a CA certificate using the OpenSSL application. Issue the following command for the 365-day certificate:

OpenSSL> req -x509 -days 365 -newkey rsa -out cacert.pem -outform PEM

This creates a cacert.pem file in the directory with OpenSSL.
Step 7    Generate a certificate request for enrolling with the trustpoint created in Step 3.

switch(config)# crypto ca enroll my_ca
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
Generating KMC Certificate

To generate the KMC server certificate, follow these steps:

Step 1    Generate the KMC certificate by entering the following commands in the OpenSSL application:

OpenSSL> genrsa -out sme_kmc_server.key 1024
OpenSSL> req -new -key sme_kmc_server.key -out sme_kmc_server.
a    Generate all certificates and configure switch
h    Print this usage screen

switch:./createSmeCerts.tcl a
Dir to store certificates [] :.
Run ./Encrypter.sh ssl
Edit /conf/server.properties; set useSSL=true

Step 4    Run the following commands for KMC (whether KMC is standalone or integrated with Fabric Manager server):

Copy sme_kmc_server.jks to /conf/cert/sme_kmc_server.jks
Copy sme_kmc_trust.
Step 3    Click Edit SSL Settings.

Step 4    In the KMC SSL settings area, select the SME KMC Trust certificate from the drop-down menu. This is the switch root certificate.

Note
You must copy the acerts to the /mds9000/conf/cert directory.
• New clusters are created. If Off is selected, cluster creation fails.
• Previously created clusters are updated by enabling SSL with trustpoint on the switches. KMC server connection state remains as none until the cluster is updated.
Appendix D    RSA Key Manager and Cisco SME

This appendix describes the procedures to be followed to set up the RSA Key Manager (RKM) to work with Cisco SME. In order to implement a complete working security solution between Cisco KMC and RKM, install and set up the RKM application. The following applications are required:

• Windows WK2, XP, or W2K3 host
• Fabric Manager Server, Release 3.
Generating CA Certificates

Generating CA certificates requires access to an OpenSSL system. You can obtain a Windows version at http://gnuwin32.sourceforge.net/packages/openssl.htm. The files that are created during this process are stored in the /bin directory of the OpenSSL program.
OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
An optional company name []:

Step 10    Set the duration the certificate will be valid. Keep track of this date.

OpenSSL> x509 -req -days 365 -in server.csr -CA rt.cert -CAkey rt.key -CAcreateserial -out server.
Placing Certificates in RKM

To place certificates in the RKM, follow these steps:

Step 1    After generating all certificates, copy the rt.p12 file to the C:\rkm-2.1.2-trial\certs\rt directory.

Step 2    Copy the server.p12 file to the C:\rkm-2.1.2-trial\certs\server directory.

Step 3    Restart the RKM.
The Identities-Create screen is displayed.

Step 3    Enter a name for the identity.

Step 4    Select the appropriate Identity Group.

Step 5    Enter an Identity Certificate. This is the client.cert.

Step 6    Click Save to save the new user to the RKM.
Step 2    Enter the RKM server IP address.

Step 3    Enter the RKM ports.

Step 4    Enter the Client Keystore Password. The password is supplied by the user security team that generated the certificate for Cisco SME. Retype the password to confirm.

Step 5    Click Submit Settings. A warning is displayed requesting you to confirm the settings.
The confirmation window displays the RKM server IP address and the RKM port number.

Migrating From Cisco KMC to RKM

You can use RKM at the time of Cisco SME installation, or you can choose to deploy Cisco SME with the integrated Cisco KMC later.
Step 5    Run the following database scripts from the database administrative console:

• For the key catalog on PostgreSQL, run postgres-kmc-rkm-pre-migrate.sql.
• For the key catalog on Oracle Express, run oracle-kmc-rkm-pre-migrate.sql.

These scripts are packaged on the Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1).
Appendix E    Database Backup and Restore

Databases need to have a well-defined and thoroughly tested backup and restore plan so that access to data is not at risk. The backup and recovery of databases involves making a copy of a database in case of an equipment failure or disaster, then retrieving the copied database if needed.
Restoring Fabric Manager Server Database

To restore the Fabric Manager Server database, use the pg_restore command.

cd $INSTALLDIR/bin
./pgrestore.sh 02252008.data    (on Linux and Solaris operating systems)
pgrestore.bat 02252008.data    (on Windows operating system)

The backup restore process requires the server to be stopped.
Appendix F    Planning For Cisco SME Installation

This appendix outlines the steps and guidelines that you need to follow to ensure a successful Cisco SME installation.
• Number of hosts and tape drives.
• SAN topology diagram.
• Types of modules used for ISL connectivity (Generation 1 or Generation 2).
• Zoning of the hosts and tape drives, and whether all the drives are accessible to all the hosts.

Note
This information is required for large Cisco SME setups.
For more information about key policies, refer to the Storage Media Encryption Key Management White Paper and Chapter 6, “Cisco SME Key Management.”

• Use basic, standard, or advanced key security mode.

Note
To learn more about master key security modes, refer to Chapter 4, “Cisco SME Cluster Management.
– Ports 9333 to 9339 for TCP and UDP for Cisco SME cluster communication
– Ports 8800 and 8900 for Cisco KMC communication
– Ports HTTP (80) and HTTPS (443) for Cisco SME web-client communication

• Use either DNS or IP address (not a mix) for the SAN and KMC communication.

Note
If you are using IP addresses, refer to the “sme.
Note
Ensure that the Cisco Fabric Manager login name and password are the same as the switch login name and password.

• Select the appropriate database.
• Select the appropriate authentication mode.
• Select HTTPS during the installation.
• Set the FC Redirect version to 2 (if you are using SAN-OS Release 3.1(1a) or later, or NX-OS 4.x).

Note
To learn more about enabling the version2 mode, refer to the “fc-redirect version2 enable” section on page A-12. To learn about enabling these services, refer to Chapter 2, “Getting Started.
• Restart the Fabric Manager server and KMC after installing the SSL certificates.

Provisioning Cisco SME

When provisioning and configuring Cisco SME, do the following tasks:

• Create a Cisco SME interface for each of the MSM-18/4 modules that will be used for storage media encryption.
Appendix G    Migrating Cisco SME Database Tables

This appendix describes a database migration utility and outlines the steps you need to follow to migrate Cisco SME tables from one database to another. The database migration utility transfers the contents of database tables from an Oracle Express or PostgreSQL installation to an Oracle Enterprise installation.
The sample output would be as follows:

[root@test-vm-236 SMEdbmigrate]# ./smedbmigrate.sh
[INFO] File /root/download/SMEdbmigrate/smedbmigration.properties found
Please enter the passsword for user admin on source database jdbc:postgresql://172.28.233.