Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)

Appendix F Planning For Cisco SME Installation
Security
Note For more information about key policies, refer to the Storage Media Encryption Key
Management White Paper and Chapter 6, “Cisco SME Key Management.”
Decide which master key security mode to use: basic, standard, or advanced.
To learn more about master key security modes, refer to Chapter 4, “Cisco SME Cluster
Management.”
If you are using smart cards in the standard or advanced security mode, ensure that you do the following:
Install the GemPlus smart card reader drivers on the host used for Cisco SME provisioning. These
card reader drivers are included in the Cisco MDS 9000 Management Software and Documentation
CD-ROM.
Order the required number of smart cards and readers.
Identify a host in the customer environment for setting up the Fabric Manager Server and the KMC.
Refer to Chapter 1, “Product Overview,” to learn about the server requirements.
Determine whether you will use SSL for switch-to-KMC communication. If you are using SSL, then do
the following tasks:
Identify whether a self-signed certificate is required or whether the customer will use their own
certificate as the root certificate.
List the names and IP addresses of the switches where the certificates will be installed.
Install OpenSSL. It can be installed on the same server that hosts the Fabric Manager Server
and the KMC.
For the server running Windows operating system, download and install OpenSSL from the
following locations:
http://gnuwin32.sourceforge.net/packages/openssl.htm
http://www.slproweb.com/products/Win32OpenSSL.html
Use this OpenSSL installation to generate the keys and certificates.
Use the OpenSSL application installed at the following location:
C:\Program Files\GnuWin32\bin\openssl.exe
Note For a server running on Linux, the OpenSSL application should already be available on the
server.
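The SSL planning steps above (decide on a self-signed or customer-supplied root certificate, list the switches, install OpenSSL) are, as an added illustration, carried through below with a short OpenSSL script. This is example code written for this appendix, not a procedure from the guide or from Cisco; the exact files and formats that SME expects are given in the SSL configuration chapter. The switch names mds-sw1 and mds-sw2, the 192.0.2.x addresses, the file names and the validity periods are constructed for the example. The commands are the same for the GnuWin32 openssl.exe on Windows and for the OpenSSL already present on a Linux server.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): build a self-signed root CA and a
# certificate for each switch that will talk to the KMC over SSL, then verify
# that each switch certificate chains to the root CA before installing it.
# Names, IP addresses and file names are constructed for this example.
set -e

# Create a self-signed root CA (the case where the customer does not supply a
# root certificate). Writes $1/ca.key, the CA private key, which stays on the
# provisioning host, and $1/ca.crt, the root certificate to install on the
# switches and the KMC.
make_root_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example SME Root CA" 2>/dev/null
}

# Issue a certificate for one switch, signed by the root CA. $2 is the switch
# name and $3 its management IP address; both are placed in the subjectAltName
# so the certificate matches whichever form the peer uses to identify it.
make_switch_cert() {
  dir=$1 name=$2 ip=$3
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  ext=$(mktemp)
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$name" "$ip" > "$ext"
  openssl x509 -req -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 730 -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
  rm -f "$ext" "$dir/$name.csr"
}

# Check that $1/$2.crt chains to $1/ca.crt. Returns 0 on success and non-zero
# for a certificate issued by any other CA; run this before copying anything
# to a switch.
verify_switch_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Example run over the constructed switch list.
main() {
  work=$(mktemp -d)
  make_root_ca "$work"
  make_switch_cert "$work" mds-sw1 192.0.2.10
  make_switch_cert "$work" mds-sw2 192.0.2.11
  for sw in mds-sw1 mds-sw2; do
    if verify_switch_cert "$work" "$sw"; then
      echo "$sw: certificate chains to root CA"
    else
      echo "$sw: certificate does NOT chain to root CA" >&2
    fi
  done
  rm -rf "$work"
}

main
```

If the customer supplies their own root certificate instead, skip make_root_ca, have the customer's CA sign the CSR that make_switch_cert produces, and keep verify_switch_cert as the acceptance check against their root. The CA private key never needs to leave the provisioning host; only ca.crt and each switch's own key and certificate are distributed.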
Identify the authentication modes used in the SAN, that is, local database, TACACS+, or RADIUS.
Communication
Verify that you do the following tasks:
Allow the following ports on the firewall server: