53-1001341-02 August 7, 2009 Fabric OS Encryption Administrator’s Guide Supporting Fabric OS v6.3.
Copyright © 2008-2009 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Document History

Title                                        Publication number   Summary of changes                                                   Date
Fabric OS Encryption Administrator’s Guide   53-1001114-01        New document.                                                        August 2008
Fabric OS Encryption Administrator’s Guide   53-1001114-02        Revised document to include additional best practices.               September 2008
Fabric OS Encryption Administrator’s Guide   53-1001114-03        Revised document to include new performance licensing information.
Contents

About This Document
In this chapter  xiii
How this document is organized  xiii
Supported hardware and software  xiv
What’s new in this document  xiv
Document conventions

Chapter 2 Encryption configuration using the Management application
In this chapter  15
Gathering information  16
Encryption user privileges  17
Encryption Center features  18
Smart card usage

Master keys  67
Active master key  67
Alternate master key  68
Master key actions  68
Reasons master keys can be disabled  68
Saving the master key to a file

CryptoTarget container configuration  102
Gathering information  103
Frame redirection  103
Creating an initiator - target zone  104
Creating a CryptoTarget container  105
Removing an initiator from a CryptoTarget container

Deployment in Fibre Channel routed fabrics  139
Deployment as part of an edge fabric  141
Deployment with FCIP extension switches  142
Data mirroring deployment  143
If metadata is not present on the LUN  144
VmWare ESX server deployments

Turn off compression on extension switches  158
Re-keying best practices and policies  159
Manual re-key  159
Latency in re-key operations  159
Allow re-key to complete before deleting a container  159
Re-key operations and firmware upgrades

Appendix A State and Status Information
In this appendix  189
Encryption engine security processor (SP) states  189
Security processor KEK status  190
Encrypted LUN states  190

Appendix B LUN Policies
In this appendix

The HP Secure Key Manager  218
Obtaining a signed certificate from the HP SKM appliance software  219
Importing a signed certificate  220
Exporting the KAC certificate request  221
Configuring a Brocade group
About This Document

In this chapter
• How this document is organized  xiii
• Supported hardware and software  xiv
• What’s new in this document  xiv
• Document conventions  xiv
• Notice to the reader
• Appendix D, “Supported Key Management Systems,” describes supported key management systems, and provides procedures for certificate exchanges to enable mutual authentication of encryption switches or blades and key management appliances.

Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
• Brocade DCX and DCX-4S with an FS8-18 encryption blade.
• Brocade Encryption Switch.
Command syntax conventions
Command syntax in this manual follows these conventions:
command            Commands are printed in bold.
--option, option   Command options are printed in bold.
-argument, arg     Arguments.
[ ]                Optional element.
variable           Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...                Repeat the previous element, for example “member[;member...]”.
value              Fixed values following arguments are printed in plain font.
For definitions specific to this document, see “Terminology” on page 3. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.org/education/dictionary

Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
Other industry resources
• White papers, online demos, and data sheets are available through the Brocade Web site at http://www.brocade.com/products-solutions/products/index.page.
• Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner Web site.
For additional resource information, visit the Technical Committee T11 Web site.
3. World Wide Name (WWN) Use the licenseIdShow command to display the WWN of the chassis. If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.
Chapter 1 Encryption overview

In this chapter
• Host and LUN considerations  1
• Encryption configuration tasks  2
• Terminology  3
• The Brocade encryption switch  5
• The FS8-18 blade
Encryption configuration tasks
Table 1 provides a high level overview and checklist of encryption configuration tasks. These tasks must be done in the order presented in the table. If the tasks are done out of order, unexpected errors may be encountered, and the results may be unpredictable. Some tasks can be done only at the command line interface (CLI). Other tasks may be done at the CLI, or at the Data Center Fabric Manager (DCFM) management program.
Terminology
The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK): An encryption key generated by the encryption engine.
Recovery cards: A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Brocade SAN Management Application to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.
The Brocade encryption switch
The Brocade encryption switch (Figure 1) is a high performance 32 port auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data, using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.

Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms this is achieved by encrypting the data in data frames on a per frame basis. This enables the encryption engine to buffer only a frame, encrypt it and send the frame out to the target on write I/Os. For read I/Os the reverse is done.
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage
The Brocade encryption switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host to a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
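The life-cycle rules stated above (one DEK both encrypts and decrypts a piece of data, the DEK must outlive every ciphertext it produced, and data is re-keyed under a new DEK before the old one is retired) can be shown in a small program. The following Go code is an added example written for this section; it is not Brocade code and does not reflect how the encryption engine or a key vault is implemented. It assumes an in-memory key store indexed by a DEK id, AES-256-GCM as the data cipher, and constructed sample data; the names KeyStore, Record, Rekey and Retire are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for the key vault that preserves DEKs (constructed in-memory model).
type KeyStore struct{ deks map[string][]byte }

type Record struct {
	DEKID string // id of the DEK that produced Data
	Data  []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible can continue
	}
	return b
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyStore() *KeyStore { return &KeyStore{deks: map[string][]byte{}} }

// GenerateDEK creates a fresh 256-bit DEK under the given id.
func (ks *KeyStore) GenerateDEK(id string) { ks.deks[id] = randomBytes(32) }

// Encrypt binds a record to the named DEK; the nonce is prepended and the DEK id is AAD.
func (ks *KeyStore) Encrypt(dekID string, plaintext []byte) (Record, error) {
	dek, ok := ks.deks[dekID]
	if !ok {
		return Record{}, fmt.Errorf("DEK %q is not in the key store", dekID)
	}
	gcm, err := aeadFor(dek)
	if err != nil {
		return Record{}, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return Record{DEKID: dekID, Data: gcm.Seal(nonce, nonce, plaintext, []byte(dekID))}, nil
}

// Decrypt needs the very DEK that created the record; a retired DEK leaves it unrecoverable.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	dek, ok := ks.deks[r.DEKID]
	if !ok {
		return nil, fmt.Errorf("DEK %q is not in the key store", r.DEKID)
	}
	gcm, err := aeadFor(dek)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(r.Data) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, r.Data[:n], r.Data[n:], []byte(r.DEKID))
}

// Rekey moves a record to a new DEK. The old DEK is still needed at this point,
// so it must stay in the store until every record that references it is re-keyed.
func (ks *KeyStore) Rekey(r Record, newDEKID string) (Record, error) {
	pt, err := ks.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return ks.Encrypt(newDEKID, pt)
}

// Retire deletes a DEK, refusing while any record still depends on it.
func (ks *KeyStore) Retire(id string, records []Record) error {
	for _, r := range records {
		if r.DEKID == id {
			return fmt.Errorf("DEK %q still protects data; re-key first", id)
		}
	}
	delete(ks.deks, id)
	return nil
}

func main() {
	ks := NewKeyStore()
	ks.GenerateDEK("dek-a")
	rec, _ := ks.Encrypt("dek-a", []byte("archived record")) // constructed sample data
	ks.GenerateDEK("dek-b")
	fmt.Println("retire before re-key:", ks.Retire("dek-a", []Record{rec}))
	rec, _ = ks.Rekey(rec, "dek-b")
	fmt.Println("retire after re-key:", ks.Retire("dek-a", []Record{rec}))
}
```

The Retire check is the point of the exercise: the first call is refused because a record still references dek-a, and only after Rekey has rewritten that record under dek-b can dek-a be removed without making stored ciphertext unrecoverable.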
Key management systems
Key management systems are available from several vendors. This release supports the following leading key management systems:
• The NetApp Lifetime Key Manager (LKM) version 4.0 or later.
• The RSA Key Manager (RKM) version 2.1.3 or later, available through EMC.
• The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett Packard.
Encryption switch initialization
Each encryption switch must be pre-initialized to be able to participate in a secure encryption environment. Pre-initialization establishes critical security parameters, such as certificates, and key pairs that are used to mutually authenticate each participating entity. Certificates and key pairs are needed to enable the following:
• Communication between the encryption engine and the switch control processor (CP).
Chapter 2 Encryption configuration using the Management application

In this chapter
• Gathering information
• Encryption user privileges
• Encryption Center features
• Smart card usage
Gathering information
Before you use the encryption setup wizard for the first time, you should also have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
• You have a plan in place to organize encryption devices into encryption groups.
Encryption user privileges
In the Management application, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time. The Management application provides three pre-configured roles:
• Storage encryption configuration.
• Storage encryption key operations.
• Storage encryption security.
Encryption Center features
The Encryption Center dialog box (Figure 6) is the single launching point for all encryption-related configuration in the Management application. It also provides a table that shows the general status of all encryption-related hardware and functions at a glance.

FIGURE 6 Encryption Center dialog box

The Encryption Center dialog box differs from the previous Configure Encryption dialog box.
Registering authentication cards from a card reader
When authentication cards are used, one or more authentication cards must be read by a card reader attached to a Management application PC to enable certain security sensitive operations. These include the following:
• Master key generation, backup, and restore operations.
• Replacement of authentication card certificates.
• Enabling and disabling the use of system cards.
• Changing the quorum size for authentication cards.
9. Repeat steps 7 through 10 until you have registered all the cards, and they all display in the Registered Authentication Cards table on the Authentication Cards dialog box. Remember that you need to register the number selected as the quorum size plus one.

Registering authentication cards from the database
Smart cards that are already in the Management program’s database can be registered as authentication cards.
1.
5. Wait for the confirmation dialog box, and click OK.
6. Repeat steps two through five for each card until the quorum is reached.
7. Click OK.

Registering system cards from a card reader
System cards are smart cards that can be used to control activation of encryption engines. Encryption switches and blades have a card reader that enables the use of a system card.
1. From the Encryption Center select an encryption group, and select the Security menu. The Select Security Settings dialog is displayed.
2. Set System Cards to Required to require the use of a system card to control activation of an encryption engine. If System Cards is set to Not Required, the encryption engine activates without the need to read a system card first.
3. Click OK.
• Node WWN - the world wide name of the node.
• Switch Status - the health status of the switch. Possible values are Healthy, Marginal, Down, Unknown, Unmonitored, and Unreachable.
• Switch Membership Status - the alert or informational message description which details the health status of the switch. Possible values are Group Member, Leader-Member Comm, Error, Discovering, and Not a member.
• Backup Key Vault Connection Status - whether the backup key vault link is connected. Possible values are Unknown, Key Vault Not Configured, No Response, Failed authentication, and Connected.
• Public Key Certificate text box - the switch’s KAC certificate, which must be installed on the primary and backup key vaults.
• Save As button - saves the certificate to a file in PEM format. The file may be loaded into the key vault using the key vault’s tools.
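Because the saved PEM file is what gets loaded into the primary and backup key vaults, an administrator normally wants to confirm before loading it that the file parses, that the certificate is valid today, and that its subject and fingerprint are the expected ones. The following Go program is an added example of that check; it is not code from this guide or from Brocade. It assumes a PEM file containing one X.509 CERTIFICATE block, generates a throwaway self-signed certificate as constructed input so that it runs offline, and the names InspectPEM, CertSummary and makeSampleCertPEM are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds the facts an administrator compares against the expected
// values before loading a switch certificate into a key vault.
type CertSummary struct {
	Subject     string
	Issuer      string
	NotBefore   time.Time
	NotAfter    time.Time
	Fingerprint string // SHA-256 over the DER bytes, lowercase hex
	SelfSigned  bool   // subject and issuer are the same name
}

// InspectPEM parses the first CERTIFICATE block in pemBytes and rejects a
// certificate that is not valid at time now.
func InspectPEM(pemBytes []byte, now time.Time) (CertSummary, error) {
	block, rest := pem.Decode(pemBytes)
	for block != nil && block.Type != "CERTIFICATE" {
		block, rest = pem.Decode(rest) // skip keys or other blocks in the file
	}
	if block == nil {
		return CertSummary{}, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertSummary{}, fmt.Errorf("DER parse failed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return CertSummary{}, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	sum := sha256.Sum256(cert.Raw)
	return CertSummary{
		Subject:     cert.Subject.String(),
		Issuer:      cert.Issuer.String(),
		NotBefore:   cert.NotBefore,
		NotAfter:    cert.NotAfter,
		Fingerprint: hex.EncodeToString(sum[:]),
		SelfSigned:  bytes.Equal(cert.RawSubject, cert.RawIssuer),
	}, nil
}

// makeSampleCertPEM builds a throwaway self-signed certificate so the example
// runs offline. Constructed sample; a real KAC certificate comes from the switch.
func makeSampleCertPEM(cn string, notBefore time.Time, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	start := time.Date(2009, time.August, 7, 0, 0, 0, 0, time.UTC)
	p, err := makeSampleCertPEM("example-switch-kac", start, 365)
	if err != nil {
		panic(err)
	}
	s, err := InspectPEM(p, start.Add(24*time.Hour))
	fmt.Printf("%+v %v\n", s, err)
	_, err = InspectPEM(p, start.Add(400*24*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Passing the current time into InspectPEM rather than reading the clock inside it keeps the validity check testable; in use, call it with time.Now() on the file written by Save As and compare Subject and Fingerprint against what the switch reports before importing into the key vault.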
Viewing and editing group properties
To view encryption group properties, complete the following steps.
1. Select Configure > Encryption. The Encryption Center dialog box displays.
2. If groups are not visible in the Encryption Devices table, select View > Groups from the menu bar. The encryption groups display in the Encryption Devices table.
3.
General tab
The properties displayed in the General tab are described below.
• Encryption group name - the name of the encryption group.
• Group status - the status of the encryption group, which can be OK-Converged or Degraded. Degraded means the group leader cannot contact all of the configured group members.
• Deployment mode - the group’s deployment mode, which is transparent.
• Failback mode - the group’s failback mode, which can be automatic or manual.
Members tab

Remove button
You can click the Remove button to remove a selected switch or an encryption group from the encryption group table.
• You cannot remove the group leader unless it is the only switch in the group. If you remove the group leader, the Management application also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.
FIGURE 9 Removal of switch warning

Figure 10 shows the warning message that displays if you click Remove to remove an encryption group.
Security tab
The Security tab (Figure 11) displays the status of the master key for the encryption group.
NOTE
You must enable encryption engines before you back up or restore master keys.
Master key actions are as follows:
• Back up a master key, which is enabled any time a master key exists.
• Restore a master key, which is enabled when either no master key exists or the previous master key has been backed up.
FIGURE 12 Encryption Group Properties - HA Clusters tab

Engine Operations tab
The Engine Operations tab (Figure 13) enables you to replace an encryption engine in an encryption switch with another encryption engine in another switch within a DEK Cluster environment. A DEK Cluster is a set of encryption engines that encrypt the same target storage device.
2. If groups are not visible in the Encryption Devices table, select View > Groups from the menu bar. The encryption groups display in the Encryption Devices table.
3. Select an encryption group from the tree, and select Group > Properties from the menu bar, or right-click the encryption group and select Properties. The Encryption Group Properties dialog box displays.
4. Click the Engine Operations tab.
5. Select the engine you want to replace in the Engine list.
6.
Tape Pools tab
Tape pools are managed from the Tape Pools tab. Figure 14 displays the tape pools tab.

FIGURE 14 Encryption Group Properties - Tape Pools tab

• If you want to remove a tape pool, select one or more tape pools in the list and click Remove.
• To modify the tape pool, remove the entry and add a new tape pool. See “Adding tape pools” on page 33 for more information.
Adding tape pools
A tape pool can be identified by either a name or a number, but not both. Tape pool names and numbers must be unique within the encryption group. When a new encryption group is created, any existing tape pools in the switch are removed and must be added.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. If groups are not visible in the Encryption Devices table, select View > Groups from the menu bar.
Choices include Clear Text, DF-Compatible Encryption, and Native Encryption. DF-Compatible Encryption is valid only when LKM is the key vault. The Key Lifespan (days) field is editable only if the tape pool is encrypted. If Clear Text is selected as the encryption mode, the key lifespan is disabled.
NOTE
You cannot change the encryption mode after the tape pool I/O begins.
7.
FIGURE 17 Encryption Targets dialog box

TABLE 4 Encryption Targets dialog box functionality
Feature       Description
Add button    Launches the Storage Encryption Setup Wizard, which enables you to configure a new target for encryption. It is the first step in configuring encryption for a storage device. It is recommended that you zone the host and target together before you add container information.
TABLE 4 Encryption Targets dialog box functionality (Continued)
Feature       Description
Move button   Moves one encryption target to a different encryption engine. The target and engine must be in the same encryption group.
Hosts button  Launches the Encryption Target Hosts dialog box, where you can configure hosts to access the selected encryption target.
LUNs button   Launches the Encryption Target LUNs dialog box, where you can display existing LUNs and add new LUNs.
Creating a new encryption group
The following steps describe how to start and run the encryption setup wizard, and then create a new encryption group.
NOTE
When a new encryption group is created, any existing tape pools in the switch are removed.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.

FIGURE 18 Encryption Center - No Group Defined dialog box

2. Select a switch from the encryption group.
4. Click Next. Create a new encryption Group is pre-selected. This is the correct selection for creating a new group.

FIGURE 19 Designate Switch Membership dialog box

5. Click Next. The Create a New Encryption Group dialog box displays.
6. Enter an Encryption Group Name for the encryption group (the maximum length of the group name is 15 characters; letters, digits, and underscores are allowed) and select the Automatic failback mode.
NOTE
If the name you enter for the encryption group already exists, a pop-up warning message displays. Although unique group names avoid confusion while managing multiple groups, you are not prevented from using duplicate group names.
Key vault address changes
Before you add or change a key vault address, you must install the public key certificates for all switches in the encryption group on the key vault. Use the Encryption Group Properties dialog box to check a switch’s connection status to the new key vault and to obtain the switch’s public key certificate.
FIGURE 23 Specify Master Key File Name dialog box

14. Enter a file name, or browse to the desired location.
15. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
16. Re-type the passphrase for verification.
17. Click Next.
The Select Security Settings dialog box displays (Figure 24).

FIGURE 24 Select Security Settings dialog box

18. If you are using smart cards for authentication, specify a quorum size. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards.
FIGURE 25 Authentication Cards dialog box

21. Select Register from Card Reader to register a new card. The Add Authentication Card dialog box is displayed.
22. Insert a smart card into the card reader. Be sure to wait for the card serial number to appear, and then enter card assignment information, as directed.
23. Click OK.
24. Wait for the confirmation dialog box indicating initialization is done, and click OK.
The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified, shown in Figure 26.

FIGURE 26 Confirm Configuration dialog box

27. Click Next to confirm the displayed information. The Configuration Status displays, as shown in Figure 27. The configuration status steps vary slightly depending on the key vault type.
• A progress indicator shows that a configuration step is in progress.
FIGURE 27 Configuration Status dialog box

The Management application sends API commands to verify the switch configuration. The CLI commands are detailed in the Fabric OS Encryption Administrator’s Guide, “Key vault configuration.”
• Initialize the switch
If the switch is not already in the initiated state, the Management application performs the cryptocfg --initnode command.
• Create a new master key
The Management application checks for a new master key. New master keys are generated from the Encryption Group Properties dialog box, Security tab. See “Creating a new master key” on page 76 for more information.
• Save the switch’s public key certificate to a file
The Management application saves the KAC certificate into the specified file.
Adding a switch to an encryption group
The setup wizard allows you to either create a new encryption group, or add an encryption switch to an existing encryption group. Use the following procedure to add a switch to an encryption group.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select the switch to be added to the group. The switch must not already be in an encryption group.
3.
FIGURE 30 Add Switch to Existing Encryption Group dialog box

5. Select the group to which you want to add the switch, and click Next. The Specify Public Key Certificate Filename panel displays.

FIGURE 31 Add switch to an encryption group - Specify Public Key Certificate filename dialog box

6. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next.
FIGURE 32 Add switch to an encryption group - Confirm Configuration dialog box

7. Click Next to confirm the displayed information. The Configuration Status displays.
• A progress indicator shows that a configuration step is in progress. A green check mark indicates successful completion of all steps for that Configuration Item. A red stop sign indicates a failed step.
• All Configuration Items have green check marks if the configuration is successful.
8. Note Important Next Steps! below this message, and click Next. Instructions for installing public key certificates for the encryption switch are displayed. These instructions are specific to the key vault type. Copy or print these instructions.

FIGURE 34 Add switch to an encryption group - Next Steps dialog box

9. Click Finish to exit the Configure Switch Encryption wizard.
When creating a new HA Cluster, add one engine to create the cluster and then add the second engine. You can make multiple changes to the HA Clusters list; the changes are not applied to the switch until you click OK. Both engines in an HA cluster must be in the same fabric as well as the same encryption group.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2.
1. Select an encryption engine from the right tree (see Figure 35) and click the left arrow button.
2. Either remove the second engine or add a replacement second engine, making sure all HA clusters have exactly two engines.
3. Click OK.

Swapping engines in an HA cluster
Swapping engines is useful when replacing hardware.
Invoking failback
To invoke failback to the restarted encryption engine from the Management application, complete the following steps.
1. Select Configure > Encryption. The Encryption Center dialog box displays.
2. Select the group to which the encryption engine belongs from the Encryption Devices table, and click Properties. The Encryption Group Properties dialog box displays.
3. Click the HA Clusters tab.
4.
Adding encryption targets
Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch.
NOTE
It is recommended that you zone the host and target together before configuring them for encryption. If the host and target are not already zoned, you can still configure them for encryption, but afterward you will need to zone the host and target together, and then click the Commit button to commit the changes.
5. Click Next to begin. The Select Encryption Engine dialog box displays. The list of engines depends on the scope being viewed.
• If the Targets dialog box is showing all targets in an encryption group, the list includes all engines in the group.
• If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch.
6. Select the encryption engine (blade or switch) you want to configure, and click Next. The Select Target panel displays. This panel lists all target ports and target nodes in the same fabric as the encryption engine. The Select Target list does not show targets that are already configured in an encryption group. There are two available methods for selecting targets: select from the list of known targets or manually enter the port and node WWNs.
7. Click Next. The Select Hosts panel displays. This panel lists all hosts in the same fabric as the encryption engine. There are two available methods for selecting hosts: select from a list of known hosts or manually enter the port and node world wide names.

FIGURE 39 Select Hosts dialog box

a. Select a maximum of 1024 hosts from the Host Ports in Fabric list, and click the right arrow to move the host to the Selected Hosts list.
FIGURE 40 Name Container dialog box
10. Click Next. The Confirmation panel displays.
11. Click Next to confirm the displayed information. The Configuration Status displays the target and host that are configured in the target container, as well as the virtual targets (VT) and virtual initiators (VI).
NOTE
If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch.
FIGURE 42 Configuration Status dialog box
12. Review the configuration.
13. Click Next to confirm the configuration. The Important Instructions dialog box displays.
FIGURE 43 Important Instructions dialog box
14. Review the instructions about post-configuration tasks you must complete after you close the wizard.
15. Click Finish to exit the Configure Storage Encryption wizard.
Configuring hosts for encryption targets
Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.
NOTE
Hosts are normally selected as part of the Configure Storage Encryption wizard, but you can also edit hosts later using the Encryption Target Hosts dialog box.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2.
Adding Target Disk LUNs for encryption
The Encryption Target LUNs dialog box lists configured LUNs. The displayed information is different for disk and tape devices. For example, tape volume and label information is included for tape devices. Initially, this list is empty.
NOTE
If you are using VMware virtualization software or any other configuration that involves mounted file systems on the LUN, you must enable first-time encryption when you create the LUN.
FIGURE 45 Encryption Target Disk LUNs dialog box
5. Click Add. The Add LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to hosts. LUNs are identified by serial number, or by host WWN and LUN number. The LUN numbers may be different for different hosts.
6. Select a host from the Host list. There are two possible sources for the list of LUNs:
• Specify a range of LUN numbers and click Show LUNs. This fills the table with dummy LUN information. This method works even if the target is offline. You can specify a range of LUN numbers only if a host is chosen from the list. If All Hosts is selected, you will not be able to specify a range but can discover LUNs.
• Request discovery and click Show LUNs.
Adding Target Tape LUNs for encryption
You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs, you must specify the encryption settings. When configuring a LUN with multiple paths, the same LUN policies must be configured on all the LUN’s paths.
8. Select the desired encryption mode.
• If you change a LUN policy from Native Encryption or DF-Compatible Encryption to Clear Text, you disable encryption.
• The LUNs of the target which are not enabled for encryption must still be added to the CryptoTarget container with the Clear Text encryption mode option.
NOTE
The Re-keying interval can only be changed for disk LUNs.
9. Select target port B, click LUNs, then click Add. Select the LUNs to be encrypted and the encryption policies for the LUNs, making sure that the encryption policies match the policies specified in the other path.
10. Click Commit to make the LUN configuration changes effective in both paths simultaneously. The Management application does not automatically commit LUN configuration changes.
Alternate master key
The alternate master key is used to decrypt data encryption keys that were not encrypted with the active master key. Restore the alternate master key for the following reasons:
• To read an old tape that was created when the group used a different active master key.
• To read a tape (or disk) from a different encryption group that uses a different active master key.
FIGURE 47 Backup Destination (to file) dialog box
5. Select File as the Backup Destination.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
8. Re-type the passphrase for verification.
9. Click OK.
ATTENTION
Save the passphrase. This passphrase is required if you ever need to restore the master key from the file.
Saving a master key to a key vault
Use the following procedure to save the master key to a key vault.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Backup Master Key as the Master Key Action. The Backup Master Key for Encryption Group dialog box displays.
FIGURE 48 Backup Destination (to key vault) dialog box
5.
Saving a master key to a smart card set
A card reader must be attached to the SAN Management application PC to complete this procedure. Recovery cards can only be written once to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
NOTE
Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system.
FIGURE 49 Backup Destination (to smart cards) dialog box
5. Select A Recovery Set of Smart Cards as the Backup Destination.
6. Enter the recovery card set size.
7. Insert the first blank card and wait for the card serial number to appear.
8. Run the additional cards needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
9.
Restoring a master key from a file
Use the following procedure to restore the master key from a file.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action. The Restore Master Key for Encryption Group dialog box displays.
FIGURE 50 Select a Master Key to Restore (from file) dialog box
5.
Restoring a master key from a key vault
Use the following procedure to restore the master key from a key vault.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action. The Restore Master Key for Encryption Group dialog box displays.
FIGURE 51 Select a Master Key to Restore (from key vault) dialog box
5.
Restoring a master key from a smart card set
A card reader must be attached to the SAN Management application PC to complete this procedure. Use the following procedure to restore the master key from a set of smart cards.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action.
11. Continue until all the cards in the set have been read.
12. Click OK.
Creating a new master key
Though it is generally not necessary to create a new master key, you may be required to create one due to circumstances such as the following:
• The previous master key has been compromised.
• Corporate policy might require a new master key every year for security purposes.
When you create a new master key, the former active master key automatically becomes the alternate master key.
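The active/alternate rotation rule above, the "restore the alternate master key to read an old tape" case, and the 8-to-40-character passphrase rule for a file backup, worked through in Python. This is an added example and not code from the guide or from Fabric OS: master keys are modelled as 32-byte values, key IDs as a SHA-256 prefix of the key bytes, and the passphrase-protected file as a PBKDF2-derived single-use pad plus an HMAC tag (a standard-library stand-in, since the product's file format is not described on the page).

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # master keys modelled as 256-bit values (assumption for this example)


def key_id(key):
    """Identifier for a master key: SHA-256 of the key bytes (assumed scheme)."""
    return hashlib.sha256(key).hexdigest()[:16]


class MasterKeyStore:
    """Tracks the active and alternate master keys and which master key
    each DEK is wrapped under, following the rules stated in the guide."""

    def __init__(self):
        self.active = None
        self.alternate = None
        self.deks = {}  # DEK name -> ID of the master key that wrapped it

    def create_master_key(self):
        """The new key becomes active; the former active key becomes the alternate."""
        self.alternate = self.active
        self.active = os.urandom(KEY_LEN)
        return key_id(self.active)

    def wrap_dek(self, dek_name):
        """Record that a new DEK (for example, for a tape) is wrapped under the active key."""
        if self.active is None:
            raise RuntimeError("no active master key")
        self.deks[dek_name] = key_id(self.active)

    def restore_alternate(self, key):
        """Load an older master key (for example, from a file backup) as the alternate."""
        self.alternate = key

    def unwrap_source(self, dek_name):
        """Which master key can unwrap this DEK: 'active', 'alternate', or None
        when neither matches and the older master key must be restored first."""
        mkid = self.deks[dek_name]
        if self.active is not None and key_id(self.active) == mkid:
            return "active"
        if self.alternate is not None and key_id(self.alternate) == mkid:
            return "alternate"
        return None


def check_passphrase(passphrase):
    """The guide permits any characters but requires 8 to 40 of them."""
    return 8 <= len(passphrase) <= 40


def _derive(passphrase, salt):
    # 64 bytes: first half masks the key, second half keys the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               100_000, dklen=2 * KEY_LEN)


def backup_to_blob(master_key, passphrase):
    """Passphrase-protected file backup: the key is masked with a single-use
    PBKDF2-derived pad and authenticated with an HMAC (stand-in for an AEAD)."""
    if not check_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 40 characters")
    if len(master_key) != KEY_LEN:
        raise ValueError("unexpected master key length")
    salt = os.urandom(16)
    derived = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(master_key, derived[:KEY_LEN]))
    tag = hmac.new(derived[KEY_LEN:], salt + masked, "sha256").digest()
    return salt + masked + tag


def restore_from_blob(blob, passphrase):
    """Reverse of backup_to_blob; fails closed on a wrong passphrase or a
    tampered file instead of returning garbage key bytes."""
    salt, masked, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    derived = _derive(passphrase, salt)
    expected = hmac.new(derived[KEY_LEN:], salt + masked, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted backup file")
    return bytes(a ^ b for a, b in zip(masked, derived[:KEY_LEN]))
```

Two rotations after a DEK was wrapped leave `unwrap_source` returning None, which is exactly the situation the "Alternate master key" section addresses: the old key has to come back from its file, key vault or smart card backup before that tape can be read.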
Zeroizing an encryption engine
Zeroizing is the process of erasing all data encryption keys and other sensitive encryption information in an encryption engine. You can zeroize an encryption engine manually to protect encryption keys. No data is lost because the data encryption keys for the encryption targets are stored in the key vault. Zeroizing has the following effects:
• All copies of data encryption keys kept in the encryption switch or encryption blade are erased.
3. Initialize the encryption engine. An automatic power cycle and reboot occurs on the encryption blade and encryption switch.
4. Enable the encryption engine using the Switch Encryption Properties dialog box:
a. Select the encryption engine from the Encryption Center dialog box.
b. Click the Properties button. The Switch Encryption Properties dialog box displays.
FIGURE 54 Switch Encryption Properties dialog box
c.
Tracking Smart Cards
Smart Cards, which are credit card-sized cards that contain a CPU and persistent memory, are a secure way to back up and restore a master key. Using Smart Cards is optional. Master keys can also be backed up to a file or to key vaults, and are only used for encryption groups using RKM or HP SKM key vaults. Even if an encryption group is deleted, the smart cards are still displayed. You must manually delete them.
Encryption-related acronyms in log messages
Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 5 lists some of those acronyms.
Chapter 3 Encryption configuration using the CLI
In this chapter
• Overview (page 81)
• Command validation checks (page 82)
• Command RBAC permissions and AD types (page 83)
• Cryptocfg Help command output
Command validation checks
Before a command is executed, it is validated against the following checks.
1. Active or Standby availability: on enterprise-class platforms, checks that the command is available on the Control Processor (CP).
2. Role Based Access Control (RBAC) availability: checks that the invoking user’s role is permitted to invoke the command. If the command modifies system state, the user's role must have modify permission for the command.
Command RBAC permissions and AD types
There are two RBAC roles that are permitted to perform Encryption operations.
1. Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
• Perform encryption node initialization.
• Enable cryptographic operations.
• Manage input/output functions of critical security parameters (CSPs).
TABLE 6 Encryption command RBAC availability and admin domain type1 (Continued)

Command name     User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createtapepool   N     OM     N         N             N           OM            N                   O               Disallowed
deletecontainer  N     OM     N         N             N           OM            N                   O               Disallowed
deleteencgroup   N     OM     N         N             N           O             N                   OM              Disallowed
deletefile       N     OM     N         N             N           O             N                   OM              Disallowed
deletehacluster  N     OM     N         N             N           OM            N                   O               Disallowed
TABLE 6 Encryption command RBAC availability and admin domain type1 (Continued)

Command name           User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
reggroupleader         N     OM     N         N             N           O             N                   OM              Disallowed
regkeyvault            N     OM     N         N             N           O             N                   OM
regmembernode          N     OM     N         N             N           O             N                   OM
removehaclustermember  N     OM     N         N             N           OM            N                   O
removeinitiator        N     OM     N         N             N           OM            N                   O
removeLUN              N     OM     N         N             N           OM            N                   O
r
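The two pre-execution checks listed under "Command validation checks", applied to the rows of Table 6 that are visible on this page, as a small Python validator. This is an added example, not part of the guide or of Fabric OS. The meaning of the table codes (N = not available, O = observe only, OM = observe and modify) is an assumption because the table legend is not on this page; the Admin Domain column is parsed but not interpreted, and the `on_active_cp` input stands in for the platform's own CP state.

```python
# Column order as printed in Table 6 of the guide (role columns only).
ROLE_COLUMNS = ["User", "Admin", "Operator", "SwitchAdmin", "ZoneAdmin",
                "FabricAdmin", "BasicSwitchAdmin", "SecurityAdmin"]

# Rows copied from the visible part of Table 6; the last token is the
# Admin Domain column.
TABLE6_ROWS = """
createtapepool   N OM N N N OM N O  Disallowed
deletecontainer  N OM N N N OM N O  Disallowed
deleteencgroup   N OM N N N O  N OM Disallowed
deletefile       N OM N N N O  N OM Disallowed
deletehacluster  N OM N N N OM N O  Disallowed
reggroupleader   N OM N N N O  N OM Disallowed
"""


def parse_table6(text):
    """Return {command: {"roles": {role: code}, "admin_domain": str|None}}."""
    table = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        name, codes = tokens[0], tokens[1:1 + len(ROLE_COLUMNS)]
        rest = tokens[1 + len(ROLE_COLUMNS):]
        table[name] = {
            "roles": dict(zip(ROLE_COLUMNS, codes)),
            "admin_domain": rest[0] if rest else None,
        }
    return table


def validate_command(table, command, role, modifies_state, on_active_cp=True):
    """Apply the guide's checks in order; returns (allowed, reason)."""
    # Check 1: on enterprise-class platforms the command must be available
    # on the control processor the session is on.
    if not on_active_cp:
        return False, "command is not available on this control processor"
    entry = table.get(command)
    if entry is None:
        return False, "unknown command %s" % command
    code = entry["roles"].get(role)
    # Check 2: the role must be permitted at all (assumed: N = not available),
    # and a state-changing invocation needs modify permission (assumed: M in code).
    if code in (None, "N"):
        return False, "role %s may not invoke %s" % (role, command)
    if modifies_state and "M" not in code:
        return False, "role %s has observe-only access to %s" % (role, command)
    return True, "permitted"


def audit_plan(table, role, planned):
    """Pre-flight a list of (command, modifies_state) pairs for one role and
    return the commands that would be rejected, with the reason."""
    rejected = []
    for command, modifies in planned:
        ok, reason = validate_command(table, command, role, modifies)
        if not ok:
            rejected.append((command, reason))
    return rejected
```

Running `audit_plan` over a planned change before a maintenance window shows why a SecurityAdmin session can delete an encryption group but not a CryptoTarget container, which the table rows encode but which is easy to miss when reading them by eye.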
Cryptocfg Help command output
All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options.
switch:admin> cryptocfg --help
Usage: cryptocfg
 --help -nodecfg: Display the synopsis of node parameter configuration.
 --help -groupcfg: Display the synopsis of
 --help -hacluster: Display the synopsis of
 --help -devicecfg: Display the synopsis of
 --help -transcfg: Display the synopsis of
Setting default zoning to no access
Initially, default zoning for all Brocade switches is set to All Access. This is generally the default zoning setting within a fabric. The All Access setting allows the Brocade Encryption Switch, DCX, or DCX-4S to join the fabric (if there is a difference in this setting within the fabric, the fabric will segment). Before committing an encryption configuration in a fabric, default zoning must be set to No Access within the fabric.
I/O sync link configuration
Each encryption switch or FS8-18 blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports provide link layer redundancy rather than being used for IP network redundancy. The ports are bonded together as a single virtual network interface, and are collectively referred to as the I/O sync link. Only one IP address is used.
There are additional considerations if blades are removed and replaced, or moved to a different slot. On chassis-based systems, IP addresses are assigned to the slot rather than the blade, and are saved in non-volatile storage on the control processor blades. IP addresses may be assigned even if no blade is present.
Encryption switch initialization
When setting up a Brocade Encryption Switch or FS8-18 blade for the first time during deployment for encryption services, and before encryption can be enabled on the switch or blade, you must perform a series of initialization steps. These steps are performed only once and must be executed in the order indicated below. Initialization must be performed on every node that is expected to perform encryption within the fabric.
NOTE
Node initialization overwrites any existing authentication data on the node.
SecurityAdmin:switch>cryptocfg --initnode
This will overwrite all identification and authentication data
ARE YOU SURE (yes, y, no, n): [no] y
Notify SPM of Node Cfg
Operation succeeded.
6. Initialize the encryption engine by entering the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade.
Checking encryption engine status
You can verify the encryption engine status at any point in the setup process, either to get information about the next required configuration steps or to troubleshoot an encryption engine that behaves in unexpected ways. Use the cryptocfg --show -localEE command to check the encryption engine status.
SecurityAdmin:switch>cryptocfg --show -localEE
EE Slot: 0
SP state: Waiting for initEE
EE key status not available: SP TLS connection is not up.
• After issuing regEE.
• After issuing enableEE.
• After power cycling an FS8-18 blade.
• After power cycling a DCX or DCX-4S with one or more FS8-18 blades.
• To diagnose a “split group” condition where the encryption group status shows DEGRADED but the encryption engine shows online status. Refer to the section “Encryption group merge and split use cases” on page 171 for more information.
NOTE
When exporting a certificate to a location other than your home directory, you must specify a fully qualified path that includes the target directory and file name. When exporting to USB storage, certificates are stored by default in a predetermined directory, and you only need to provide a file name for the certificate. An easy way to track exported certificates is by using the base certificate name with the appropriate file extension (*.
Viewing imported certificates
1. Log into the switch to which you imported the certificates.
2. Enter the cryptocfg --show -file -all command to view all imported certificates. The following example shows the member node CP certificate that was imported earlier to the group leader.
SecurityAdmin:switch>cryptocfg --show -file -all
File name: enc_switch1_cp_cert.
3. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and it can include any alphanumeric characters and underscores. White space or other special characters are not permitted. Successful execution creates an encryption group with the specified name and assigns the role of the group leader to the local node. The following example creates the encryption group "brocade".
6. Display encryption group member information. This example shows the encryption group "brocade" with two member nodes, one group leader and one regular member. No key vault or HA cluster is configured, and the values for master key IDs are zero.
Group-wide policy configuration
The group-wide policy parameters as outlined in Table 7 can be set for the entire encryption group on the group leader. Use the cryptocfg --set command with the appropriate parameter to set the values for the policy. Policies are automatically propagated to all member nodes in the encryption group.
Key vault configuration
Fabric OS 6.3.0 supports four third-party key management and archival solutions: the NetApp Lifetime Key Management (LKM) appliance, the RSA Key Manager (RKM) appliance, the Hewlett Packard Secure Key Manager (SKM), and the Thales nCipher Key Authority (NCKA). Specific operations must be performed at the key manager to be able to exchange certificates and enable the key vault and the switch to mutually authenticate each other.
High Availability (HA) cluster configuration
An HA cluster consists of two encryption engines configured to host the same CryptoTargets and to provide Active/Standby failover and failback capabilities in a single fabric. Failover is automatic (not configurable). Failback occurs automatically by default, but is configurable with a manual failback option. All encryption engines in an HA cluster share the same DEK for a disk or tape LUN.
Creating an HA cluster
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --create -hacluster command. Specify a name for the HA cluster and optionally add the node WWN of the encryption engine you wish to include in the HA cluster. Provide a slot number if the encryption engine is a blade. The following example creates an HA cluster named “HAC1” with two encryption engines.
CryptoTarget container configuration
A CryptoTarget container is a configuration of “virtual devices” that is created for each target port hosted on a Brocade Encryption Switch or FS8-18 blade. The container holds the configuration information for a single target, including associated hosts and LUN settings.
Gathering information
Before you begin, have the following information ready:
• The switch WWNs of all nodes in the encryption group. Use the cryptocfg --show -groupmember -all command to gather this information.
• The port WWNs of the targets whose LUNs are being enabled for data-at-rest encryption.
• The port WWNs of the hosts (initiators) which should gain access to the LUNs hosted on the targets.
Creating an initiator - target zone
1. Log into the group leader as Admin or FabricAdmin.
2. Determine the initiator PWWN. Enter the nsshow command to view the devices connected to this switch. In the following example, the port name 10:00:00:00:c9:2b:c9:3a is the initiator PWWN.
FabricAdmin:switch>nsshow
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    NodeSymb: [35] "Emulex LP9002 FV3.82A1 DV5-4.
4. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN and the target PWWN.
FabricAdmin:switch>zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"
5. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.
FabricAdmin:switch>cfgcreate itcfg, itzone
6.
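The initiator-target zoning steps above, together with the "Setting default zoning to no access" requirement earlier in the chapter, as a Python helper that parses `nsshow` output, checks both WWNs, and emits the `zonecreate` and `cfgcreate` commands in the form the guide shows. This is an added example and not code from the guide or Fabric OS. The name-server listing is constructed: only the initiator line comes from the page, the target record and the entry count are made up for the example, and the trailing `cfgenable` step is an assumed follow-up that the page's truncated step 6 does not show.

```python
import re

# Constructed sample in the layout nsshow prints.  The first record is the
# initiator line quoted in the guide; the second is a made-up target entry.
NSSHOW_SAMPLE = """{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    NodeSymb: [35] "Emulex LP9002 FV3.82A1 DV5-4.81A4 "
 N    010700;        3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    FC4s: FCP
The Local Name Server has 2 entries }
"""

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
# One device record: port type, PID, class-of-service list, port WWN, node WWN.
ENTRY_RE = re.compile(
    r"^\s*(NL?|L)\s+([0-9a-fA-F]{6});\s*([\d,]*);"
    r"([0-9a-f:]{23});([0-9a-f:]{23});"
)


def is_wwn(value):
    """True for a well-formed 8-byte WWN written as colon-separated hex."""
    return bool(WWN_RE.match(value.lower()))


def parse_nsshow(text):
    """Return the device records in nsshow output as a list of dicts."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            records.append({
                "type": m.group(1),
                "pid": m.group(2).lower(),
                "cos": m.group(3),
                "pwwn": m.group(4).lower(),
                "nwwn": m.group(5).lower(),
            })
    return records


def initiator_target_zone(nsshow_text, initiator_pwwn, target_pwwn,
                          default_zone, zone="itzone", cfg="itcfg"):
    """Return the Fabric OS commands that zone one initiator with one target.

    The guide requires default zoning to be No Access before an encryption
    configuration is committed, so that precondition is checked first.  Both
    WWNs must be well formed, distinct, and logged in to the name server.
    """
    if default_zone != "No Access":
        raise ValueError("set default zoning to No Access before committing an "
                         "encryption configuration (fabric is %s)" % default_zone)
    for wwn in (initiator_pwwn, target_pwwn):
        if not is_wwn(wwn):
            raise ValueError("malformed WWN: %s" % wwn)
    if initiator_pwwn.lower() == target_pwwn.lower():
        raise ValueError("initiator and target must be different ports")
    known = {r["pwwn"] for r in parse_nsshow(nsshow_text)}
    for wwn in (initiator_pwwn, target_pwwn):
        if wwn.lower() not in known:
            raise ValueError("%s is not logged in to this fabric" % wwn)
    return [
        'zonecreate %s, "%s; %s"' % (zone, initiator_pwwn, target_pwwn),
        "cfgcreate %s, %s" % (cfg, zone),
        'cfgenable "%s"' % cfg,  # assumed follow-up step; not shown on the page
    ]
```

The returned strings are meant to be pasted into the FabricAdmin session after review; checking the default-zoning state first is the cheap way to avoid the fabric segmentation the guide warns about when the setting differs across switches.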
CAUTION
When configuring a multi-path LUN, you must complete the CryptoTarget container configuration for ALL target ports in sequence and add the hosts that should gain access to these ports before committing the container configuration. Failure to do so results in data corruption. Refer to the section “Configuring a multi-path Crypto LUN” on page 117 for specific instructions.
5. Display the CryptoTarget container configuration.
Removing an initiator from a CryptoTarget container
You may remove one or more initiators from a given CryptoTarget container. This operation removes the initiators’ access to the target port. If the initiator has access to multiple targets and you wish to remove access to all targets, follow the procedure described to remove the initiator from every CryptoTarget container that is configured with this initiator.
1. Log into the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --delete -container command followed by the CryptoTarget container name. The following example removes the CryptoTarget container “my_disk_tgt”.
FabricAdmin:switch>cryptocfg --delete -container my_disk_tgt
Operation Succeeded
3. Commit the transaction.
Crypto LUN configuration
A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the encryption property and policies on the LUN.
CAUTION
When configuring a LUN with multiple paths, perform the LUN discovery on each of the Crypto Target containers for each of the paths accessing the LUN, and verify that the serial numbers of the LUNs discovered from these Crypto Target containers are the same. Matching serial numbers validate that these Crypto Target containers are indeed paths to the same LUN. Refer to the section “Configuring a multi-path Crypto LUN” on page 117 for more information.
Log into the group leader as Admin or FabricAdmin.
3. Enter the cryptocfg --add -LUN command followed by the CryptoTarget container Name, the LUN number or a range of LUN numbers, and the PWWN and NWWN of the initiators that should be able to access the LUN. If you are using Datafort encryption format, you can use the -encryption_format option to set the format to DF_compatible (the default is Native). The following example adds a disk LUN enabled for encryption.
FabricAdmin:switch>cryptocfg --remove -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a
Operation Succeeded
3. Commit the configuration with the -force option to completely remove the LUN and all associated configuration data in the configuration database. The data remains on the removed LUN in an encrypted state.
TABLE 8 LUN parameters and policies

Policy name: LUN state (Disk LUN: yes. Tape LUN: No. Modify? No)
  Command parameters: -lunstate encrypted | cleartext
  Description: •

Policy name: Key ID (Disk LUN: yes. Tape LUN: No. Modify? No)
  Command parameters: -keyID Key_ID
  Description: Specifies the key ID. Use this option only if the LUN was encrypted but does not include the metadata containing the key ID for the LUN. This is a rare case for LUNs encrypted in Native (Brocade) mode. However for LUNS encrypted with DataFort v2.
Modifying Crypto LUN parameters
You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. If the modification applies to multiple LUNs, you may specify a LUN number range.
NOTE
A maximum of 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed this maximum fail with a warning. Note that there is a five second delay before the commit operation takes effect.
For specific handling of encryption policy changes when using DF-compatible encryption format, refer to Appendix D “DF-compatibility support for disk LUNs” on page 195 and “DF-compatibility support for tape LUNs” on page 199.
Force-enabling a disabled disk LUN for encryption
You can force a disk LUN to become enabled for encryption when encryption is disabled on the LUN.
a. Discover the LUN.
FabricAdmin:switch>cryptocfg --discoverLUN my_tape_tgt
Container name: my_tape_tgt
Number of LUN(s): 1
    Host: 10:00:00:00:c9:2b:c9:3a
    LUN number: 0x0
    LUN serial number:
    Key ID state: Key ID not Applicable
b. Add the LUN to the tape CryptoTarget container. The following example enables the LUN for encryption. There is a maximum of eight tape LUNs per Initiator in a container.
Configuring a multi-path Crypto LUN
A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on multiple CryptoTarget Containers located on the same encryption switch or blade or on different encryption switches or blades.
c. Add host port 1 to the container CTC1.
FabricAdmin:switch>cryptocfg --add -initiator \
d. Add host port 2 to the container CTC2.
FabricAdmin:switch>cryptocfg --add -initiator
e. Commit the configuration.
FabricAdmin:switch>cryptocfg --commit
Upon commit, redirection zones are created for target port 1, host port 1 and target port 2, host port 2.
6. Validate the LUN policies for all containers. Display the LUN configuration for ALL CryptoTarget containers to confirm that the LUN policy settings are the same for all CryptoTarget containers.
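The multi-path checks the chapter spells out (the CAUTION about matching serial numbers across containers, step 6's requirement that LUN policies be identical on every path, the 25-LUN commit limit from the Crypto LUN NOTE, and the eight-tape-LUNs-per-initiator limit) as one pre-commit validator in Python. This is an added example, not code from the guide or Fabric OS. It parses text in the field layout of the `cryptocfg --discoverLUN` output shown above; the container names, hosts, LUN numbers, serial numbers and the planned policy dictionaries are all constructed for the example.

```python
import re
from collections import Counter

# Constructed discoverLUN listings for two CryptoTarget containers that are
# two paths to one disk (same serial number) plus a second, single-path LUN.
# Field names follow the cryptocfg --discoverLUN output in the guide; the
# values are made up.
DISCOVER_OUTPUT = {
    "CTC1": """Container name: CTC1
Number of LUN(s): 2
        Host: 10:00:00:00:c9:2b:c9:3a
        LUN number: 0x0
        LUN serial number: SN-DISK-0001
        Key ID state: Key ID not Applicable
        Host: 10:00:00:00:c9:2b:c9:3a
        LUN number: 0x1
        LUN serial number: SN-DISK-0002
        Key ID state: Key ID not Applicable
""",
    "CTC2": """Container name: CTC2
Number of LUN(s): 1
        Host: 10:00:00:00:c9:2b:c9:3b
        LUN number: 0x5
        LUN serial number: SN-DISK-0001
        Key ID state: Key ID not Applicable
""",
}

FIELD_RE = re.compile(r"^\s*(Host|LUN number|LUN serial number|Key ID state):\s*(.*)$")
MAX_LUNS_PER_COMMIT = 25
MAX_TAPE_LUNS_PER_INITIATOR = 8


def parse_discover_lun(container, text):
    """Return one dict per LUN in a cryptocfg --discoverLUN listing."""
    luns, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Host":  # each LUN block starts with its Host: line
            current = {"container": container, "host": value.lower()}
            luns.append(current)
        elif field == "LUN number":
            current["lun"] = value.lower()
        elif field == "LUN serial number":
            current["serial"] = value
        elif field == "Key ID state":
            current["key_id_state"] = value
    return luns


def check_lun_commit(discovered, policies):
    """Validate a planned set of LUN additions before cryptocfg --commit.

    discovered: records from parse_discover_lun for every path.
    policies: {(container, lun): {"kind": "disk"|"tape", ...policy...}}.
    Returns a list of findings; an empty list means the commit is consistent.
    """
    findings = []
    if len(policies) > MAX_LUNS_PER_COMMIT:
        findings.append("%d LUNs in one commit exceeds the limit of %d"
                        % (len(policies), MAX_LUNS_PER_COMMIT))
    # Paths to the same LUN are recognised by identical serial numbers.
    by_serial = {}
    for rec in discovered:
        by_serial.setdefault(rec["serial"], []).append(rec)
    for serial, paths in by_serial.items():
        pols = [policies.get((p["container"], p["lun"])) for p in paths]
        if all(pp is None for pp in pols):
            continue  # this LUN is not part of the planned commit
        if any(pp is None for pp in pols):  # only some paths configured
            missing = [(p["container"], p["lun"]) for p, pp in zip(paths, pols) if pp is None]
            findings.append("serial %s: paths %s are not in this commit; configure "
                            "all paths before committing" % (serial, missing))
        elif any(pp != pols[0] for pp in pols[1:]):
            findings.append("serial %s: LUN policies differ across paths %s"
                            % (serial, [(p["container"], p["lun"]) for p in paths]))
    # Tape containers allow at most eight LUNs per initiator.
    tape_counts = Counter()
    for rec in discovered:
        pol = policies.get((rec["container"], rec["lun"]))
        if pol and pol.get("kind") == "tape":
            tape_counts[(rec["container"], rec["host"])] += 1
    for (container, host), n in tape_counts.items():
        if n > MAX_TAPE_LUNS_PER_INITIATOR:
            findings.append("container %s: %d tape LUNs for initiator %s exceeds %d"
                            % (container, n, host, MAX_TAPE_LUNS_PER_INITIATOR))
    return findings
```

A mismatch between paths is the case the CAUTION ties to data corruption, so the validator is written to flag any difference in the policy dictionaries rather than only the encryption mode.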
FIGURE 57 A LUN accessible through multiple paths
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into a single backup to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties:
• They are configured and managed per encryption group at the group leader level.
NOTE
Tape pool configurations must be committed to take effect. There is an upper limit of 25 on the number of tape pools you can add or modify in a single commit operation. Attempts to commit a configuration that exceeds this maximum fail with a warning. Note that there is also a five second delay before the commit operation takes effect.
Tape pool labeling
Tape pools may be identified by either a name or a number depending on your backup application.
a. Right-click the view and select Edit.
b. Add the following (sp_id= ARG.id) as follows:
   • SELECT Distinct
   • storagepolicy= ARG.name,
   • sp_id= ARG.id,
5. Save the query by selecting File > Save SQLQuery1.sql.
6. Execute the query by right-clicking the query window and selecting Execute.
7. Open the dbo.CommCellStoragePolicy view.
8. Right-click the view dbo.CommCellStoragePolicy and select Open View.
9. Note down the sp_id for the storage policy you created.
Creating a tape pool
Take the following steps to create a tape pool:
1. Log into the group leader as FabricAdmin.
2. Create a tape pool by entering the cryptocfg --create -tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies. For policies not specified at this time, LUN-level settings apply.
• Set the tape pool policy to either encrypt or cleartext (default).
Deleting a tape pool
This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently accessed by the host. Be sure the tape media is not currently in use.
1. Log into the group leader as FabricAdmin.
2. Enter the cryptocfg --delete -tapepool command followed by a tape pool label or number. Use cryptocfg --show -tapepool -all to display all configured tape pool names and numbers.
Impact of tape pool configuration changes
Tape pool-level policies overrule policy configurations at the LUN level. When no policies are configured at the tape pool level, the LUN-level policy configurations apply.
Re-keying modes
Re-keying operations can be performed under the following conditions:
• Offline re-keying - The hosts accessing the LUN are offline, or host I/O is halted.
• Online re-keying - The hosts accessing the LUN are online, and host I/O is active.
Configuring a LUN for automatic re-keying
Re-keying options are configured at the LUN level, either during LUN configuration with the cryptocfg --add -LUN command or at a later time with the cryptocfg --modify -LUN command.
Initiating a manual re-key session
If auto re-keying is disabled, you can initiate a re-keying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. The manual re-keying feature is useful when the key is compromised and you want to re-encrypt existing data on the LUN before taking action on the compromised key.
Suspension and resumption of re-keying operations
A re-key may be suspended or fail to start for several reasons:
• The LUN goes offline or the encryption switch fails and reboots. Re-key operations are resumed automatically when the target comes back online or the switch comes back up. You cannot abort an in-progress re-key operation.
• An unrecoverable error is encountered on the LUN and the in-progress re-key operation halts.
First time encryption
First time encryption, also referred to as encryption of existing data, is similar to the re-keying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first time encryption operation, cleartext data is read from a LUN, encrypted with the current key and written back to the same LUN at the same logical block address (LBA) location.
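The read-encrypt-write-back-at-the-same-LBA loop described here, and the "resumed automatically when the target comes back online" behaviour from the previous section, as a small Python model of a resumable first-time encryption and re-key pass. This is an added example and not code from the guide or Fabric OS. The per-block cipher is a toy HMAC-SHA256 keystream that stands in for the product's cipher only so the checkpoint logic can run offline, the LUN is a list of in-memory blocks, and the key-ID tag carried with each block is a simplification of the key-ID metadata the guide mentions; the interruption is simulated with a block budget.

```python
import hashlib
import hmac
import os

BLOCK = 512  # bytes per logical block in this model


class Key:
    """A DEK with an ID derived from its bytes (ID scheme assumed for the model)."""

    def __init__(self, material):
        self.material = material
        self.id = hashlib.sha256(material).hexdigest()[:8]


def keystream(key, lba):
    """Toy per-LBA keystream (HMAC-SHA256 in counter mode).  A stand-in for
    the product's cipher so the resume logic can be exercised offline."""
    out, counter = b"", 0
    while len(out) < BLOCK:
        out += hmac.new(key.material, ("%d:%d" % (lba, counter)).encode(), "sha256").digest()
        counter += 1
    return out[:BLOCK]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


class Lun:
    """Each block carries the ID of the key it is written under (None for
    cleartext), a simplification of the key-ID metadata the guide describes."""

    def __init__(self, plaintext_blocks):
        self.blocks = [(None, b) for b in plaintext_blocks]


def rekey_pass(lun, old_key, new_key, checkpoint=0, budget=None):
    """Re-encrypt blocks from ``checkpoint`` onward under ``new_key``, writing
    each back at the same LBA.  ``old_key`` is None for first-time encryption.
    Returns the LBA to resume from; equal to the block count when complete.
    ``budget`` caps the blocks handled in this pass, simulating an interruption
    (target offline, switch reboot) after which the caller resumes."""
    handled = 0
    for lba in range(checkpoint, len(lun.blocks)):
        if budget is not None and handled >= budget:
            return lba
        tag, data = lun.blocks[lba]
        if tag == new_key.id:
            # Already under the new key: a write that landed before the
            # interruption.  Skipping it keeps the pass idempotent.
            continue
        if tag is None:
            plain = data
        elif old_key is not None and tag == old_key.id:
            plain = xor(data, keystream(old_key, lba))
        else:
            raise RuntimeError("LBA %d is under unknown key %s" % (lba, tag))
        lun.blocks[lba] = (new_key.id, xor(plain, keystream(new_key, lba)))
        handled += 1
    return len(lun.blocks)


def read_plaintext(lun, keys):
    """Decrypt every block using the key named by its tag."""
    by_id = {k.id: k for k in keys}
    out = []
    for lba, (tag, data) in enumerate(lun.blocks):
        out.append(data if tag is None else xor(data, keystream(by_id[tag], lba)))
    return out


def demo():
    """First-time encryption interrupted and resumed, then a re-key that is
    also interrupted; True when every block ends under the new key intact."""
    original = [os.urandom(BLOCK) for _ in range(10)]
    lun = Lun(original)
    k1, k2 = Key(os.urandom(32)), Key(os.urandom(32))
    ckpt = rekey_pass(lun, None, k1, 0, budget=4)  # interrupted after 4 blocks
    ckpt = rekey_pass(lun, None, k1, ckpt)          # resumes at LBA 4
    ckpt = rekey_pass(lun, k1, k2, 0, budget=7)     # re-key, interrupted
    ckpt = rekey_pass(lun, k1, k2, ckpt)            # resumes at LBA 7
    return (all(tag == k2.id for tag, _ in lun.blocks)
            and read_plaintext(lun, [k1, k2]) == original)
```

The tag check at the top of the loop is what makes a resumed pass safe: without it, a block written just before the interruption but after the last checkpoint would be treated as still under the old key and encrypted a second time.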
Chapter 4 Deployment Scenarios
In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target
Figure 58 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster

Figure 59 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 59, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN.
In Figure 60, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN, and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 62 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Brocade encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster

Figure 63 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric.
Deployment in Fibre Channel routed fabrics

In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_port connections (Figure 64), or it may form the backbone fabric and directly provide the EX_port connections (Figure 65). The encryption resources can be shared with the host and target edge fabrics using device sharing between backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device automatically creates the frame redirection zone, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric

In this deployment, the encryption switch is connected to either the host or target edge fabric. The backbone fabric may contain a 7500 extension switch or FR4-18i blade in a 48000 director, DCX, or DCX-4S, or an FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 66).
Deployment with FCIP extension switches

Encryption switches may be deployed in configurations that use extension switches or extension blades within a DCX, DCX-4S, or 48000 chassis to enable long distance connections. Figure 67 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator’s Guide for information about creating FCIP configurations.
Data mirroring deployment

Figure 68 shows a data mirroring deployment. In this configuration, the host only knows about target1 and LUN1, and the I/O path to target1 and LUN1. When data is sent to target1, it is written to LUN1, and also sent on to LUN2 for replication. Target1 acts as an initiator to enable the replication I/O path.
If metadata is not present on the LUN

In very rare cases, metadata may not be present on the LUN. The record archived in the key vault refers only to the primary LUN, and not to the LUN replication. With no metadata present in the replicated blocks, there is no key ID to use to retrieve the DEK from the key vault. User intervention is needed to query the key vault to get the key ID.
1. Map the primary LUN to the replicated or snapshot LUN.
2.
VMware ESX server deployments

VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 69 shows a VMware ESX server with two guest operating systems where each guest accesses a fabric over separate host ports.
The figure shows a VMware ESX server with two guest operating systems where two guests access a fabric over a shared port. To enable this, both guests are assigned a virtual port. There are two paths to a target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5  Best Practices and Special Topics

In this chapter
• Firmware download considerations
• HP-UX considerations
• Enable of a disabled LUN
• Disk metadata
• Tape metadata
Firmware download considerations

The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during the firmware upgrade.
Specific guidelines and procedures

The following are specific guidelines for a firmware upgrade of the encryption switch or blade when deployed in an HA cluster. The guidelines are based on the following scenario:
• There are 2 nodes (BES1 and BES2) in the HA cluster.
• Each node hosts a certain number of CryptoTarget containers and associated LUNs.
• Node 1 (BES1) needs to be upgraded first.
1.
Configuration upload and download considerations

Important information is not included when you upload a configuration from an encryption switch or blade. Extra steps are necessary before and after download to re-establish that information.
Steps before configuration download

The configuration download does not include any certificates, public or private keys, master key, or link keys. Perform the following steps prior to configuration download to generate and obtain the necessary certificates and keys:
1.
Steps after configuration download

For all key vaults except LKM, restore or generate and back up the master key. In cluster environments, the master key is propagated from the group leader node.
1. Use the following command to enable the encryption engine.
cryptocfg --enableEE [slot num]
2. Commit the configuration.
cryptocfg --commit
3.
HP-UX considerations

The HP-UX OS requires LUN 0 to be present. LUNs are scanned differently based on the type value returned for LUN 0 by the target device.
• If the type is 0, then HP-UX only scans LUNs from 0 to 7. That is the maximum limit allowed by HP-UX for device type 0.
• If the type is 0xC, then HP-UX scans all LUNs.
Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
Tape data compression

Data is compressed by the encryption switch or blade before encryption only if the tape device supports compression and compression is explicitly enabled by the host backup application. That means that if the tape device supports compression but compression is not enabled by the host backup application, the encryption switch or blade does not compress the data before encrypting it.
Tape key expiry

When the tape key expires in the middle of a write operation on the tape, the key is used for the duration of any write operation to append the data on the tape media. On any given tape medium, the same key is used for all written blocks, regardless of the time in between append operations. With the exception of native pools, whenever you rewind a tape and write to block zero, a new key will be generated, unique to that tape.
Configuring CryptoTarget containers and LUNs

The following are best practices to follow when configuring CryptoTarget containers and crypto LUNs:
• Host a target port on only one encryption switch, or one HA cluster. All LUNs visible through the target port are hosted on the same encryption switch, and are available for storing cipher text.
• Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted LUN.
Redirection zones

Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the existing device configuration by invoking the cryptocfg --commit command. If no changes have taken place since the last commit, you should use the cryptocfg --commit -force command.
Tape library media changer considerations

In tape libraries where the media changer unit is addressed by a target port that is separate from the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and CryptoTarget containers for the SCSI I/O ports. If a CryptoTarget container is created only for the media changer unit target port, no encryption is performed on this device.
Re-keying best practices and policies

Re-keying should be done only when necessary. In key management systems, DEKs are never exposed in an unwrapped or unencrypted state. When using RKM or SKM as the key management system, you must re-key if the master key is compromised. The practice of re-keying should be limited to the following cases:
• Master key compromise in the case of RKM and SKM.
• Insider security breaches.
Do not change LUN configuration while re-keying

Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN’s settings during manual or auto re-keying or first time encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect.
Recommendations for Initiator Fan-Ins

For optimal performance at reasonable scaling factors of initiators, targets, and LUNs accessed, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, in terms of the number of distinct initiator ports to a Crypto Container (i.e., a virtual target port corresponding to the physical target port).
Best practices for host clusters in an encryption environment

When host clusters are deployed in an encryption environment, follow these recommendations:
• If two encryption engines are part of an HA cluster, configure the host/target pair so that it has different paths through both encryption engines. Avoid connecting both host/target pairs to the same encryption engine.
Chapter 6  Maintenance and Troubleshooting

In this chapter
• Encryption group and HA cluster maintenance
• Troubleshooting examples using the CLI
• Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group
• LUN policy troubleshooting
SecurityAdmin:switch>cryptocfg --show -groupmember \
10:00:00:05:1e:41:99:bc
Node Name: 10:00:00:05:1e:41:99:bc (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
FIGURE 72 Removing a node from an encryption group

Deleting an encryption group

You can delete an encryption group after removing all member nodes following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes.
Removing an HA cluster member

Removing an encryption engine from an HA cluster “breaks” the HA cluster by removing the failover/failback capability for the removed encryption engine. However, the removal of an encryption engine does not affect the relationship between configured containers and the encryption engine that is removed from the HA cluster. The containers still belong to this encryption engine and encryption operations continue.
Replacing an HA cluster member

1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is replaced.
FIGURE 73 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a “live” encryption engine in an HA cluster

1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Deleting an HA cluster member

This command dissolves the HA cluster and removes failover capability from the participating encryption engines.
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --delete -hacluster command. Specify the name of the HA cluster you wish to delete.
SecurityAdmin:switch>cryptocfg --delete -hacluster HAC1
Delete HA cluster status: Operation succeeded.
3.
• The failed EE2 has come back online; failover is still active:
SecurityAdmin:switch>cryptocfg --show -hacluster -all
Encryption Group Name: brocade
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
WWN                              Slot Number  Status
EE1 => 10:00:00:05:1e:53:89:dd   0            Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a   0            Online
• A manual failback is issued.
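The HA cluster status output above is easy to check automatically during maintenance windows. The following shell script is an added example, not code from this guide or from Brocade: it parses output in the format shown above (captured from an SSH session or a file) and reports, per HA cluster, whether the configuration is committed, how many encryption engines are Online, and whether a failover is still active; the sample output embedded in it is constructed from the guide's example.

```shell
#!/bin/sh
# Added example, not Brocade's code: a health check that parses the output of
# "cryptocfg --show -hacluster -all" (format as shown in this chapter) and
# reports, per HA cluster, whether the configuration is committed, how many
# encryption engines are Online, and whether a failover is still active
# (the state the text describes before a manual failback is issued).

# CONSTRUCTED sample output, laid out like the guide's own example; the WWNs
# are the ones printed in that example.
SAMPLE_HACLUSTER_OUTPUT='Encryption Group Name: brocade
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
WWN                              Slot Number  Status
EE1 => 10:00:00:05:1e:53:89:dd   0            Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a   0            Online'

# hacluster_check: reads the command output on stdin and prints one line per
# HA cluster: "<name> <status> <online>/<total> failover=<yes|no>".
# Exit status 0 when every cluster is Committed and every EE is Online;
# 1 otherwise (an uncommitted cluster, or an EE that is not Online, means the
# pair is not currently providing the redundancy the HA cluster exists for).
hacluster_check() {
  awk '
    function report() {
      if (name == "") return
      printf "%s %s %d/%d failover=%s\n", name, status, online, total, failover
      if (status != "Committed" || online != total) bad = 1
      name = ""
    }
    /^HA cluster name:/ {
      report()
      name = $4; status = "?"; total = 0; online = 0; failover = "no"
    }
    # Status lines that appear before the first cluster name belong to the
    # encryption group, not to a cluster, so they are ignored while name is empty.
    /^Status:/ && name != "" { status = $2 }
    /^EE[0-9]+ => / {
      total++
      # fields: EEn, =>, WWN, slot; the state text starts at field 5
      state = $5
      for (i = 6; i <= NF; i++) state = state " " $i
      if (state ~ /^Online/) online++
      if (state ~ /Failover active/) failover = "yes"
    }
    END {
      report()
      if (bad) exit 1
    }
  '
}

# Stand-alone run: check the constructed sample.
printf '%s\n' "$SAMPLE_HACLUSTER_OUTPUT" | hacluster_check
```

A line reporting failover=yes after every engine is back Online is the cue, per the text above, that a manual failback is still outstanding.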
Recovery

1. Configure the IP address of the new node that is replacing the failed node, and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command. Refer to “I/O sync link configuration” on page 88 and “Encryption switch initialization” on page 90.
2. Register the new node IP address and CP certificate with the group leader node.
A member node reboots and comes back up

Assumptions
N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 reboots and comes back up.

Impact
When N3 reboots, all devices hosted on the encryption engines of this node automatically fail over to the peer encryption engine N1, and N1 now performs all of the rebooted node’s encryption services. Any re-key sessions in progress continue.
A member node lost connection to all other nodes in the encryption group

Assumptions
N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 lost connection with all other nodes in the group. Node N3 finds itself isolated from the encryption group and, following the group leader succession protocol, elects itself as group leader.
• Each encryption group registers the missing members as “offline”.
• The isolation of N3 from the original encryption group breaks the HA cluster and failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders. This would require communication with the “offline” member nodes. You cannot start any re-key operations (auto or manual) on any of the nodes.
Configuration impact of encryption group split or node isolation

When a node is isolated from the encryption group or the encryption group is split to form separate encryption group islands, the defined or registered node list in the encryption group is not equal to the current active node list, and the encryption group is in a DEGRADED state rather than in a CONVERGED state.
General encryption troubleshooting using the CLI

Table 11 lists the commands you can use to check the health of your encryption setup. Table 12 provides additional information for failures you might encounter while configuring switches using the CLI.

TABLE 11 General troubleshooting tips using the CLI
Command: supportsave
Activity: Check whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log).
TABLE 12 General errors related to using the CLI (Continued)
Problem: A backup fails because the LUN is always in the initialize state for the tape container.
Resolution: Use one of two resolutions:
Problem: Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data.
Troubleshooting examples using the CLI

Encryption Enabled Crypto Target LUN

The LUN state should be Encryption enabled for the host to see the Crypto LUN.
Encryption Disabled Crypto Target LUN

If the LUN state is Encryption Disabled, the host will not be able to access the Crypto LUN.
Management application encryption wizard troubleshooting

• Errors related to adding a switch to an existing group (page 181)
• Errors related to adding a switch to a new group (page 182)
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group

Table 14 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.

TABLE 14 Error recovery instructions for adding a switch to a new group
Configuration task: Initialize the switch
Error description: Unable to initialize the switch due to an error response from the switch.
Instructions:
TABLE 14 Error recovery instructions for adding a switch to a new group (Continued)
Configuration task: Create a new master key (if the key vault type is not NetApp)
Error description: A failure occurred while attempting to create a new master key.
Instructions: 1.
Configuration task: Save the switch’s public key certificate to a file.
Error description: The switch’s public key certificate could not be saved to a file.
General errors related to the Configure Switch Encryption wizard

Table 15 provides additional information for failures you might encounter while configuring switches using the Configure Switch Encryption wizard.

TABLE 15 General errors related to the Configure Switch Encryption wizard
Problem: Initialization fails on the encryption engine after the encryption engine is zeroized.
Resolution: Reboot the switch.
LUN policy troubleshooting

Table 16 may be used as an aid in troubleshooting problems related to LUN policies.

TABLE 16 LUN policy troubleshooting
Columns: Case; Reasons for the LUN getting disabled by the encryption switch; Action taken (If you do not need to save the data: / If you need to save the data:)
Case 1: The LUN was modified from encrypt policy to cleartext policy but metadata exists. LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext.
Loss of encryption group leader after power outage

When all nodes in an encryption group, HA cluster, or DEK cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on, or the group leader is kept powered down, the member nodes lose information and knowledge about the encryption group.
MPIO and internal LUN states

The Internal LUN State field displayed within the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine. Due to the transparent and embedded nature of this encryption solution, the host-to-storage array LUN path status can only be displayed by using host MPIO software.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN. In this case, you can cancel the re-key session by removing the LUN from its container and force committing the transaction. Refer to the section “Removing a LUN from a CryptoTarget container” on page 111 for instructions on how to remove a LUN by force.
Appendix A  State and Status Information

In this appendix
• Encryption engine security processor (SP) states (page 189)
• Security processor KEK status (page 190)
• Encrypted LUN states (page 190)

Encryption engine security processor (SP) states

Table 17 lists the encryption engine security processor (SP) states.
Security processor KEK status

Table 18 lists security processor KEK status information.

TABLE 18 Security processor KEK status
Columns: KEK type; KEK status (1); Description
Primary KEK (current MK or primary KV link key):
  None: Primary KEK is not configured.
  Mismatch: Primary KEK mismatch between the CP and the SP.
  Match/Valid: Primary KEK at CP matches the one in the SP and is valid.
Secondary KEK (alternate MK or secondary KV link key):
  None
  Mismatch
Group KEK
1.
TABLE 19 Encrypted LUN states (Continued)
LUN_1ST_TIME_REKEY_IN_PROG: First time re-key is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG: Key expired re-key is in progress.
LUN_MANUAL_REKEY_IN_PROG: Manual re-key is in progress.
LUN_DECRYPT_IN_PROG: Data decryption is in progress.
LUN_WR_META_PENDING: Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING: First time re-key is pending.
LUN_KEY_EXPR_REKEY_PENDING: Key expired re-key is pending.
TABLE 19 Encrypted LUN states (Continued)
LUN_DIS_WR_META_DONE_ERR: Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED: Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH: Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN: Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL: Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE: Disabled (Third party license is required).
TABLE 20 Tape LUN states
Columns: Internal Names; Console String; Explanation
LUN_DIS_LUN_NOT_FOUND; Disabled (LUN not found); No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support.
LUN_TGT_OFFLINE; Target Offline; Target port is not currently in the fabric. Check connections and L2 port state.
TABLE 20 Tape LUN states (Continued)
LUN_ENCRYPT; Encryption enabled; The tape medium is present, and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out if the tape is encrypted in native mode or DataFort-compatible mode.
Appendix B  LUN Policies

In this appendix
The following topics are covered in this appendix:
• DF-compatibility support for disk LUNs (page 195)
• DF-compatibility support for tape LUNs (page 199)

DF-compatibility support for disk LUNs

Table 21 and Table 22 may be used as a reference for establishing disk LUN policies in support of DataFort firmware versions.
TABLE 22 Support matrix for disk LUNs for various configuration and modify options
Columns: LUN encryption format; LUN state; LUN policy; Encrypt existing data; Key ID; Metadata on LUN; Results
Native (Brocade); Encrypted; Encrypt; NA when LUN State = encrypt; NA; Yes; No error.
TABLE 22 Support matrix for disk LUNs for various configuration and modify options (Continued)
Columns: LUN encryption format; LUN state; LUN policy; Encrypt existing data; Key ID; Metadata on LUN; Results
Native (Brocade); Cleartext; Cleartext; NA in case of cleartext policy; NA; Yes; The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
TABLE 22 Support matrix for disk LUNs for various configuration and modify options (Continued)
Columns: LUN encryption format; LUN state; LUN policy; Encrypt existing data; Key ID; Metadata on LUN; Results
DF compatible; Cleartext; Encrypt; Yes; NA; Yes; The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF-compatibility support for tape LUNs

Table 23 and Table 24 may be used as a reference for establishing tape LUN policies in support of DataFort firmware versions.

NOTE
On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of one MB or greater.
TABLE 24 Compatibility support matrix for tape pools (Continued)
Columns: Tape pool encryption format; Tape pool policy; Metadata present; Results
DF-compatible; Encrypt; No (new tape); No error. A new key is generated and both read and write are allowed in DF-compatible format.
DF-compatible; Cleartext; Brocade metadata; Reads are allowed in Brocade format using the key from the metadata. Writes are rejected if the tape is not positioned at the beginning of the tape.
Appendix C  NS-Based Transparent Frame Redirection

Table 25 provides the NS-based transparent frame redirection interoperability matrix.

TABLE 25 Frame redirection support: NS-based transparent frame redirection interoperability matrix (1)
Columns: FOS version; Host and target edge switches/directors, split into: FOS only Layer 2 SAN; FOS and EOSc and EOSn interop mode 2 “native”; FOS and EOSc and EOSn interop mode 3 “open”; EOSc and EOSn only
FOS 6.2.0; FOS only Layer 2 SAN: FOS 5.3.1x for legacy Bloom-based switches and directors.
FOS 6.1.
Appendix D  Supported Key Management Systems

In this appendix
• Key management systems
• The NetApp Lifetime Key Manager
• The RSA Key Manager
• The HP Secure Key Manager
• Thales Encryption Manager for Storage
The NetApp Lifetime Key Manager

The NetApp Lifetime Key Manager (LKM) resides on a FIPS 140-2 Level 3-compliant network appliance. The encryption engine and LKM appliance communicate over a trusted link. A trusted link is a secure connection established between the encryption switch or blade and the NetApp LKM appliance, using a shared secret called a link key. One link key per encryption switch is established with each LKM appliance.
Obtaining and importing the LKM certificate

Certificates must be exchanged between LKM and the encryption switch to enable mutual authentication. You must obtain a certificate from LKM, and import it into the encryption group leader. The encryption group leader exports the certificate to other encryption group members. To obtain and import an LKM certificate, do the following.
1. Open an SSH connection to the NetApp LKM appliance and log in.
host$ssh admin@10.33.54.
Registering the certificates

The switch’s KAC certificate must be registered on the LKM appliance, and the LKM certificate must be registered on the switch.
1. From the external host, register the KAC certificate you exported from the group leader with the NetApp LKM appliance.
host$echo lkmserver certificate set 10.32.244.71 \
`cat kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name                IP address    Role
10:00:00:05:1e:41:9a:7e  10.32.244.71  GroupLeader
10:00:00:05:1e:39:14:00  10.32.244.60  MemberNode (current node)
5. Exchange certificates between the LKM key vault and the member node, starting with exporting the KAC certificate from the member node to an SCP-capable external host.
Establishing the trusted link

You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted acceptance package (TAP) before you can establish a trusted link between each node and the NetApp LKM appliance. You must have a card reader attached to your PC or workstation to complete the procedure.
3. From the external host, enter echo lkmserver set `cat kac_cert_lkm.pem` | ssh -l admin to register the KAC LKM certificate you exported from the group leader with the NetApp LKM appliance.
host$echo lkmserver certificate set 10.32.244.71 \
`cat kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.
When LKM appliances are clustered, both LKMs in the cluster must be registered and configured with the link keys before starting any crypto operations. If two LKM key vaults are configured, they must be clustered. If only a single LKM key vault is configured, it may be clustered for backup purposes, but it will not be directly used by the switch. When dual LKMs are used with the encryption switch or blade, the dual LKMs must be clustered.
LKM Key Vault Deregistration

Deregistration of either Primary or Secondary LKM KV from an encryption switch or blade is allowed independently.

• Deregistration of Primary LKM - You can deregister the Primary LKM from an encryption switch or blade without deregistering the backup or secondary LKM for maintenance or replacement purposes.
The RSA Key Manager

Communication with the RSA Key Manager (RKM) is secured by wrapping DEKs in a master key. The encryption engine must generate its own master key, send DEKs to RKM encrypted in the master key, and decrypt DEKs received from RKM using the same master key. The master key may optionally be stored as a key record in the RKM key vault as a backup, but RKM does not assume responsibility for the master key.
If you export the CSR to a USB storage device, you will need to remove the storage device from the switch and then attach it to a computer that has access to a third-party certificate authority (CA). If you are using the SAN Management application, this can be your SAN Management application workstation. The CSR must be submitted to a CA.

NOTE
The CSR is exported in Privacy Enhanced Mail (.pem) format. This is the format required in exchanges with certificate authorities.
If you are using the CLI, you can import the signed KAC certificate to the switch from a file on a LAN-attached host, or you can write it to a USB storage device, attach the USB storage device to the switch or blade, and import the certificate from that device. The following describes both options.

1. Log into the switch to which you wish to import the certificate as Admin or SecurityAdmin.

2. Enter the cryptocfg --import command with the appropriate parameters.
Uploading the KAC and CA certificates onto the RKM appliance

After an encryption group is created, you need to install the switch public key certificate (KAC certificate) and the signing authority certificate (CA certificate) on the RKM appliance.

1. Start a web browser and connect to the RKM appliance setup page. You will need the URL, the proper authority level, a user name, and a password.

2. Select the Operations tab.

3. Select Certificate Upload.

4.
   h. Click Next.

   i. Repeat a. through h. for each key class.

   j. Click Finish.

9. For each node, create an identity as follows.

   a. Select the Identities tab.

   b. Click Create.

   c. Enter a label for the node in the Name field. This is a user-defined identifier.

   d. Select the Hardware Retail Group in the Identity Groups field.

   e. Select the Operational User role in the Authorization field.

   f. Click Browse and select the imported certificate _kac_cert.
DEK retrieval

The DEK is retrieved from the floating IP address of the clustered RKM appliances, or of the IP Load Balancer Cluster. If the DEK retrieval fails, the DEK retrieval is retried.

DEK update

DEK update behavior is the same as DEK creation.
The HP Secure Key Manager

The HP StorageWorks Secure Key Manager (SKM) is a security appliance providing centralized key management operations. SKM runs on a stand-alone FIPS 140-2 level 2 compliant hardware platform that is isolated from other applications, and runs a hardened operating system. SKM offers high availability, clustering and failover options.
Obtaining a signed certificate from the HP SKM appliance software

The following steps describe how to get a signed certificate from the Hewlett Packard Secure Key Manager (HP SKM) appliance. You will need this information when you create a new encryption group with the HP SKM key vault, and you must obtain a signed certificate for each switch.

1. Select Tools > Internet Options on your Internet browser. Click the Advanced tab, and select the Use TLS 1.0 option.
Importing a signed certificate

After a signed certificate is obtained, it must be imported and registered.

1. Select a switch from the Encryption Targets dialog box, and click the Properties tab.

   FIGURE 76 Switch Properties dialog box

2. Click the Import button. The Import Signed Certificate dialog box displays.

   FIGURE 77 Import Signed Certificate dialog box

3. Browse to the location of the stored, signed certificate, and click OK.
Exporting the KAC certificate request

A KAC certificate request must be exported for each encryption node to an SCP-capable host.

1. Log into the group leader as Admin or SecurityAdmin.

2. Set the SKM key vault type by entering the cryptocfg --set -keyvault command with the SKM option. Successful execution sets the key vault type for the entire encryption group.

   SecurityAdmin:switch>cryptocfg --set -keyvault SKM
   Set key vault status: Operation Succeeded.

3.
Registering the Brocade user name and password in encryption groups

The Brocade group user name and password you created in “Configuring a Brocade group” must also be registered on the encryption group leader and on each node in an encryption group.

1. Starting with the encryption group leader, register the user password and user name by issuing the following command.
3. Enter the following in the Create Local Certificate Authority dialog box:

   • Certificate Authority Name - HPSKM_CA1
   • Common Name - HPSKM_CA1
   • Organization Name - Brocade
   • Organizational Unit Name - Storage Software
   • Locality Name - SJC
   • State or Province Name - CA
   • Country Name - US
   • Email Address - support@brocade.com
   • Key Size - 2048
   • Certificate Authority Type - Select Self-Assigned Root CA.
Adding a server certificate for the SKM appliance

A server certificate must be created for the SKM appliance.

1. Select the Security tab on the SKM key manager.

2. Select Certificates under Certificates and CAs. The Certificate and CA Configuration page is displayed. This page includes a Create Request Information dialog box.

3.
15. Copy the key contents, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.

16. From the Security tab, Certificates and CAs, select Certificates. From the certificate list, select the name of the certificate being signed.

17. Select Install Certificate.

18. Paste the certificate data from step 15, and select Save. The certificate status is now Active.
Creating an SKM Key vault High Availability cluster

The HP SKM key vault supports clustering of HP SKM appliances for high availability. If two SKM key vaults are configured, they must be clustered. If only a single LKM key vault is configured, it may be clustered for backup purposes, but it will not be directly used by the switch.

To create a cluster, perform the following steps on one of the HP SKM appliances that is to be a member of the cluster.

1.
4. Select Known CAs under Certificates & CAs. The Certificate and CA Configuration page is displayed.

5. Type the certificate name in the Certificate Name field under Install CA certificate.

6. Paste the certificate data you copied previously in the “Copying the local CA certificate” procedure. If you kept the browser window open as suggested in “Copying the local CA certificate”, the same data is available in that browser window.

7. Select Install.

8.
7. Select Sign with Certificate Authority using the CA name with the maximum of 3649 days option.

8. Select Client as Certificate Purpose.

9. Allow Certificate Duration to default to 3649.

10. Paste the file contents that you copied in step 2 in the Certificate Request Copy area.

11. Select Sign Request. Upon success, you are presented with the option of downloading the signed certificate.

12. Download the signed certificate to your local system as signed_kac_skm_cert.pem.
Importing a signed certificate (SAN Management program)

The public key certificate from the switch is used to authenticate connections to the key vault.

1. Select a switch from the Encryption Targets dialog box, and click the Properties tab.

   FIGURE 78 Switch Properties dialog box

2. Click the Import button. The Import Signed Certificate dialog box displays.

   FIGURE 79 Import Signed Certificate dialog box

3.
Configured primary and secondary HP SKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The user can register only a single SKM if desired. In that case, the HA features are lost, but the archived keys are backed up to any other non-registered cluster members. Beginning with Fabric OS version 6.3.0, the primary and secondary appliances must be clustered.
• Deregistration of Secondary SKM - You can deregister the Secondary SKM independently. Future key operations will use only the Primary SKM until the secondary SKM is reregistered on the encryption switch or blade. When the Secondary SKM is replaced with a different SKM, you must first synchronize the DEKs from the Primary SKM before reregistering the secondary SKM.
Thales Encryption Manager for Storage

Communication with the Thales Encryption Manager for Storage (TEMS) is referred to as NCKA in the operational descriptions in this appendix. NCKA is secured by wrapping DEKs in a master key. The encryption engine must generate its own master key, send DEKs to NCKA encrypted in the master key, and decrypt DEKs received from NCKA using the same master key.
1. Invoke the Thales key vault web browser and log in as manager.

2. Create a group to be used for managing Brocade encryption switches and blades. This group must be named brocade. This only needs to be done once for each key vault.

3. Click the Client tab.

4. Click the Add Client tab.

5. Enter the Brocade user name from the previous procedure “Generating the Brocade user name and password” in the Name field.

6.
NOTE
On some systems scp (secure copy) may not work; in that case, copy the signed certificate file above to: /etc/fabos/certs/mace/

8. Register the signed certificate for each key vault using the following command, specifying either the primary or, if used, the secondary key vault.

   cryptocfg --reg -KACcert

9. Repeat steps one through eight for all member nodes in the encryption group.
Registering the certificates

The examples below are for the two Thales key vaults installed. The commands assume that the exported signed certificates were saved as brcduser1@ncka-1 and brcduser1@ncka-2 for the primary and secondary key vaults, and that the data port IP addresses are 10.32.44.112 and 10.32.44.114.

1. Set the key vault type.

   cryptocfg --set -keyvault NCKA

2. Register the signed KAC certificates.

   cryptocfg --reg -KACcert brcduser1@ncka-1.
DEK retrieval

The DEK is retrieved from the primary Thales key vault if the primary is online and reachable. If the primary Thales key vault is not online or not reachable, the DEK is retrieved from the secondary Thales key vault.

DEK update

DEK update behavior is the same as DEK creation.

Thales key vault deregistration

Deregistration of either the Primary or the Secondary Thales key vault from the Brocade encryption switch or blade is allowed independently.