Fabric OS Encryption Administrator's Guide
Supporting Fabric OS v6.4
Publication number 53-1001864-01
March 30, 2010
Copyright © 2008-2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Document History
Title: Fabric OS Encryption Administrator's Guide; Publication number: 53-1001114-01; Summary of changes: New document; Date: August 2008
Title: Fabric OS Encryption Administrator's Guide; Publication number: 53-1001114-02; Summary of changes: Revised document to include additional best practices; Date: September 2008
Title: Fabric OS Encryption Administrator's Guide; Publication number: 53-1001114-03; Summary of changes: Revised document to include new performance licensing information.
Contents
About This Document
In this chapter ... xiii
How this document is organized ... xiii
Supported hardware and software ... xiv
What's new in this document ... xiv
Document conventions ...
Chapter 2 Encryption configuration using the Management application
In this chapter ... 13
Encryption Center features ... 14
Encryption user privileges ... 15
Smart card usage ...
Adding Target Tape LUNs for encryption ... 59
Configuring encrypted tape storage in a multi-path environment ... 60
Re-balancing the encryption engine ... 61
Master keys ... 62
Active master key ...
Configuring cluster links ... 98
Special consideration for blades ... 98
IP Address change of a node within an encryption group ... 99
Steps for connecting to an SKM appliance ... 100
Configuring a Brocade group ... 100
Setting up the local Certificate Authority (CA) ...
Tape pool configuration ... 137
Tape pool labeling ... 137
Creating a tape pool ... 139
Deleting a tape pool ... 140
Modifying a tape pool ... 140
Impact of tape pool configuration changes ...
Configuration upload and download considerations ... 168
Configuration Upload at an encryption group leader node ... 168
Configuration upload at an encryption group member node ... 168
Information not included in an upload ... 168
Steps before configuration download ... 169
Configuration download at the encryption group leader ... 169
Configuration download at an encryption group member ...
Best practices for host clusters in an encryption environment ... 180
HA Cluster Deployment Considerations and Best Practices ... 180
Chapter 6 Maintenance and Troubleshooting
In this Chapter ... 181
Encryption group and HA cluster maintenance ... 181
Removing a node from an encryption group ... 181
Deleting an encryption group ...
Appendix C NS-Based Transparent Frame Redirection
Index
About This Document
In this chapter
• How this document is organized ... xiii
• Supported hardware and software ... xiv
• What's new in this document ... xiv
• Document conventions ... xiv
• Notice to the reader ...
Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
• Brocade DCX and DCX-4S with an FS8-18 encryption blade.
• Brocade Encryption Switch.
What's new in this document
Information about decommissioning an encrypted LUN, hosting disk and tape containers on the same encryption engine, and support for replicated LUN environments is included in this document.
[ ]  Optional element.
variable  Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...  Repeat the previous element, for example "member[;member...]".
value  Fixed values following arguments are printed in plain font. For example, --show WWN.
|  Boolean. Elements are exclusive. Example: --show -mode egress | ingress
\  Backslash. Indicates that the line continues through the line break.
Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
• Best practice guides, white papers, data sheets, and other documentation is available through the Brocade Partner Web site. For additional resource information, visit the Technical Committee T11 Web site. This Web site provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications: http://www.t11.org For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site: http://www.fibrechannel.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis. Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document.
Chapter 1 Encryption overview
In this chapter
• Host and LUN considerations ... 1
• Terminology ... 2
• The Brocade encryption switch ... 4
• The FS8-18 blade ...
Terminology
The following are definitions of terms used extensively in this document.
ciphertext  Encrypted data.
cleartext  Unencrypted data.
CryptoModule  The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK)  An encryption key generated by the encryption engine.
Recovery cards  A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Brocade SAN Management Application to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.
The Brocade encryption switch
The Brocade encryption switch (Figure 1) is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.
Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as "cut-through" encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only a frame, encrypt it, and send the frame out to the target on write I/Os. For read I/Os the reverse is done.
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual property, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data.
Data flow from server to storage
The Brocade encryption switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed.
FIGURE 5 DEK life cycle
Key management systems
Key management systems are available from several vendors. This release supports the following leading key management systems:
• The NetApp Lifetime Key Manager (LKM) version 4.0 or later.
• The RSA Key Manager (RKM) version 2.1.3 or later, available through EMC.
• The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett Packard.
• The Thales Encryption Manager for Storage (TEMS).
Support for Virtual Fabrics
The Brocade encryption switch does not support the logical switch partitioning capability and cannot be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E-Port. The FS8-18 encryption blades are supported only in a default switch partition. All FS8-18 blades must be placed in a default switch partition in the DCX or DCX-4S.
Chapter 2 Encryption configuration using the Management application
In this chapter
• Encryption Center features
• Encryption user privileges
• Smart card usage
• Network connections
Encryption Center features
The Encryption Center dialog box (Figure 6) is the single launching point for all encryption-related configuration in the Management application. It also provides a table that shows the general status of all encryption-related hardware and functions at a glance.
FIGURE 6 Encryption Center dialog box
Beginning with Fabric OS version 6.
Encryption user privileges
In the Management application, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time. The Management application provides three pre-configured roles:
• Storage encryption configuration.
• Storage encryption key operations.
• Storage encryption security.
Smart card usage
Smart cards are credit card-sized cards that contain a CPU and persistent memory. Smart cards can be used as security devices. You must have Storage Encryption Security user privileges to activate, register, and configure smart cards. Smart cards can be used to do the following:
• Control user access to the Management application security administrator roles.
• Control activation of encryption engines.
• Securely store backup copies of master keys.
3. Select the Quorum Size. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security-sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
NOTE
Ignore the System Cards setting.
De-registering an authentication card
Authentication cards can be removed from the database and the switch by de-registering them. Use the following procedure to de-register an authentication card.
1. Select the authentication card on the Authentication Card table.
2. Click Deregister.
3. A confirmation dialog box is displayed. Click OK to confirm de-registration. The Encryption Group dialog box displays.
4. Click OK on the Encryption Group dialog box.
Enabling or disabling the system card requirement
If you want to use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. You can use the following procedure to enable or disable the system card requirement.
1. From the Encryption Center, select an encryption group, and select the Security menu. The Select Security Settings dialog is displayed.
2.
De-registering a system card
System cards can be removed from the database by de-registering them. Use the following procedure to de-register a system card.
1. From the Register System Card dialog box, select the system card you want to de-register.
2. Click Deregister.
3. A confirmation dialog box is displayed. Click OK to confirm de-registration. The card is removed from the Registered System Cards table.
Editing smart cards
Use the Edit Smart Card dialog box to edit smart card details.
1. From the Encryption Center, select Smart Card > Edit Smart Card. The Edit Smart Card dialog box displays (Figure 8).
FIGURE 8 Edit Smart Card dialog box
2. Insert the smart card into the card reader.
3. After the card's ID is displayed in the Card ID field, enter the Card Password and click Login.
4. Edit the card assignment user information as needed.
5. Click OK.
Network connections
Before you use the encryption setup wizard for the first time, you must have the following required network connections:
• The management ports on all encryption switches and 384-port Backbone Chassis CPs that have encryption blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
Encryption node initialization and certificate generation
When an encryption node is initialized, the following security parameters and certificates are generated:
• FIPS crypto officer
• FIPS user
• Node CP certificate
• A self-signed Key authentication center (KAC) certificate
• A Key authentication center (KAC) signing request (CSR)
From the standpoint of external SAN management application operations, the FIPS crypto officer, FIPS user, an
Steps for connecting to an SKM appliance
The SKM management web console can be accessed from any web browser with network access to the SKM appliance. The URL for the appliance is as follows:
https://<hostname>:<port>
Where:
- <hostname> is the hostname or IP address assigned when installing the SKM appliance.
- <port> is 9443 by default.
Configuring a Brocade group on SKM
A Brocade group is configured on SKM for all keys created by Brocade encryption switches and blades. This needs to be done only once for each key vault.
1. Log in to the SKM management web console using the admin password.
2. Select the Security tab.
3. Select Local Users & Groups under Users and Groups. The User & Group Configuration page displays.
4. Select Add under Local Users.
5. Create a Brocade user name and password.
6.
Registering the SKM Brocade group user name and password
The Brocade group user name and password you created when configuring a Brocade group on SKM must also be registered on each Brocade encryption node.
1. From the Encryption Center, select Key Vault Credentials.
2. Enter the Brocade group user name and password.
Setting up the local Certificate Authority (CA) on SKM
To create and install a local CA, perform the following steps:
1. Log in to the SKM management web console using the admin password.
2. Select the Security tab.
3. Under Certificates & CAs, click Local CAs.
4. Enter the information required by the Create Local Certificate Authority section of the window to create your local CA.
- Enter a Certificate Authority Name and Common Name. These may be the same value.
7. In the Trusted Certificate Authority List, click Edit.
8. From the list of Available CAs in the right panel, select the CA you just created.
Repeat these steps any time another local CA is needed.
Downloading the local CA certificate from SKM
The local CA certificate you created using the procedure for "Setting up the local Certificate Authority (CA) on SKM" on page 27 must be saved to your local system.
11. Enter the required data in the Sign Certificate Request section of the window.
- Select the CA name from the Sign with Certificate Authority drop-down box.
- Select Server as the Certificate Purpose.
- Enter the number of days before the certificate must be renewed, based on your site's security policies. The default value is 3649, or 10 years.
12. Paste the copied certificate request data into the Certificate Request box.
13. Click Sign Request.
Creating an SKM High Availability cluster
The HP SKM key vault supports clustering of HP SKM appliances for high availability. If two SKM key vaults are configured, they must be clustered. If only a single SKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch.
Adding SKM appliances to the cluster
If you are adding an appliance to an existing cluster, select the Cluster Settings section of the window, click Download Cluster Key, and save the key to a convenient location, such as your computer's desktop.
Signing the Brocade encryption node KAC certificates
The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on SKM. The signed certificate must then be imported back into the encryption node.
1. From the Encryption Center, select Switch > Export Certificate. The Export Switch Certificate dialog box displays.
2.
Gathering information
Before you use the encryption setup wizard for the first time, you should also have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
• You have a plan in place to organize encryption devices into encryption groups.
Creating a new encryption group
The following steps describe how to start and run the encryption setup wizard, and then create a new encryption group.
NOTE
When a new encryption group is created, any existing tape pools in the switch are removed.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
FIGURE 10 Encryption Center - No Group Defined dialog box
2. Select a switch from the encryption group.
4. Click Next. Create a new encryption Group is pre-selected. This is the correct selection for creating a new group.
FIGURE 11 Designate Switch Membership dialog box
5. Enter an Encryption Group Name for the encryption group (the maximum length of the group name is 15 characters; letters, digits, and underscores are allowed) and select the Automatic failback mode.
NOTE
If the name you enter for the encryption group already exists, a pop-up warning message displays.
FIGURE 12 Select Key Vault dialog box
7. Select SKM as the Key Vault Type. When you select SKM, the options are as shown in Figure 13.
a. Enter the IP address or host name for the primary key vault.
b. Enter the name of the file that holds the primary key vault's public key certificate, or browse to the location by clicking the Browse button.
c. Enter the user name and password you established for the Brocade user group.
d.
FIGURE 14 Specify Public Key Certificate filename dialog box
8. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next. The certificate stored in this file is the switch's public key certificate. You will need to know this path and file name to install the switch's public key certificate on the key management appliance.
9. Click Next.
10. Enter a file name, or browse to the desired location.
11. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
12. Re-type the passphrase for verification.
13. Click Next. The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified, shown in Figure 16.
FIGURE 16 Confirm Configuration dialog box
14.
FIGURE 17 Configuration Status dialog box
The Management application sends API commands to verify the switch configuration. The CLI commands are detailed in the Fabric OS Encryption Administrator's Guide, "Key vault configuration."
• Initialize the switch. If the switch is not already in the initialized state, the Management application performs the cryptocfg --initnode command.
• Save the switch's public key certificate to a file. The Management application saves the KAC certificate into the specified file.
• Back up the master key to a file. The Management application saves the master key into the specified file.
15. Click Next. The Read Instructions dialog box displays instructions for installing public key certificates for the encryption switch. These instructions are specific to the key vault type. Copy or print these instructions.
16.
Adding a switch to an encryption group
FIGURE 18 Add switch to an encryption group - Designate Switch Membership dialog box
a. Select Add this switch to an existing encryption group.
b. Click Next. The Add Switch to Existing Encryption Group dialog box displays.
FIGURE 19 Add Switch to Existing Encryption Group dialog box
5. Select the group to which you want to add the switch, and click Next. The Specify Public Key Certificate Filename panel displays.
FIGURE 20 Add switch to an encryption group - Specify Public Key Certificate filename dialog box
6. Specify the name of the file where you want to store the public key certificate that is used to authenticate connections to the key vault, and click Next. The Confirm Configuration panel displays the encryption group name and switch public key certificate file name you specified.
7. Click Next to confirm the displayed information. The Configuration Status displays.
• A progress indicator shows that a configuration step is in progress. A green check mark indicates successful completion of all steps for that Configuration Item. A red stop sign indicates a failed step.
• All Configuration Items have green check marks if the configuration is successful.
FIGURE 23 Add switch to an encryption group - Next Steps dialog box
9. Click Finish to exit the Configure Switch Encryption wizard.
Replacing an encryption engine in an encryption group
To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps.
1.
FIGURE 24 Engine Operations tab
2. Select the engine you want to replace in the Engine list.
3. Select the engine you want to use as the replacement in the Replacement list.
4. Click Replace. All containers hosted by the current engine (Engine list) are replaced by the new engine (Replacement list).
Creating high availability (HA) clusters
A high availability (HA) cluster is a group of exactly two encryption engines.
4. Select an available encryption engine, and a destination HA cluster under High-Availability Clusters. Select New HA Cluster if you are creating a new cluster.
5. Click the right arrow to add the encryption engine to the selected HA cluster.
FIGURE 25 HA Clusters tab
NOTE
If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters.
Swapping engines in an HA cluster
Swapping engines is useful when replacing hardware. Swapping engines is different from removing an engine and adding another, because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member. To swap engines, select one engine from the right tree (see Figure 25) and one unclustered engine from the list on the left, and click the double-arrow button.
Adding encryption targets
Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch.
NOTE
You must zone the physical host and physical target together to enable creation of a re-direction zone. The re-direction zone is used to redirect the host-target traffic through the encryption engine.
5. Click Next to begin. The Select Encryption Engine dialog box displays. The list of engines depends on the scope being viewed.
• If the Targets dialog box is showing all targets in an encryption group, the list includes all engines in the group.
• If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch.
6. Select the encryption engine (blade or switch) you want to configure, and click Next. The Select Target panel displays. This panel lists all target ports and target nodes in the same fabric as the encryption engine. The Select Target list does not show targets that are already configured in an encryption group. There are two available methods for selecting targets: select from the list of known targets, or manually enter the port and node WWNs.
7. Click Next. The Select Hosts panel displays. This panel lists all hosts in the same fabric as the encryption engine. There are two available methods for selecting hosts: select from a list of known hosts, or manually enter the port and node world wide names.
FIGURE 29 Select Hosts dialog box
a. Select a maximum of 1024 hosts from the Host Ports in Fabric list, and click the right arrow to move the host to the Selected Hosts list.
FIGURE 30 Name Container dialog box
10. Click Next. The Confirmation panel displays.
11. Click Next to confirm the displayed information. The Configuration Status displays the target and host that are configured in the target container, as well as the virtual targets (VT) and virtual initiators (VI).
NOTE
If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch.
FIGURE 32 Configuration Status dialog box
12. Review the configuration.
13. Click Next to confirm the configuration. The Important Instructions dialog box displays.
FIGURE 33 Important Instructions dialog box
14. Review the instructions about post-configuration tasks you must complete after you close the wizard.
15. Click Finish to exit the Configure Storage Encryption wizard.
2 Configuring hosts for encryption targets Configuring hosts for encryption targets Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target. NOTE Hosts are normally selected as part of the Configure Storage Encryption wizard but you can also edit hosts later using the Encryption Target Hosts dialog box. 1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays. 2.
Adding target disk LUNs for encryption 2 Adding target disk LUNs for encryption You can add a new path to an existing disk LUN or add a new LUN and path by launching the Add New Path wizard. Take the following steps to launch the Add New Path wizard. 1. Select Configure > Encryption. The Encryption Center dialog box displays. 2. Right-click a group, switch, or encryption engine or select a group, switch, or encryption engine from the Encryption Devices table and select Disk LUNs.
2 Adding target disk LUNs for encryption 5. Click Next. The Select Initiator Port dialog box displays. 6. Select the initiator port from the Initiator Port list. 7. Click Next. LUN discovery is launched, and a progress bar displays. There are four possible outcomes: - A message displays indicating No LUNs are discovered. Click OK to dismiss the message and exit the wizard. - A message displays indicating LUNs are discovered, but are already configured.
Adding Target Tape LUNs for encryption 2 Adding Target Tape LUNs for encryption You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs, you must specify the encryption settings. When configuring a LUN with multiple paths, the same LUN policies must be configured on all the LUN’s paths.
8. Select the desired encryption mode.
• If you change a LUN policy from Native Encryption or DF-Compatible Encryption to Clear Text, you disable encryption.
• The LUNs of the target that are not enabled for encryption must still be added to the CryptoTarget container with the Clear Text encryption mode option.
NOTE The re-keying interval can only be changed for disk LUNs.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption engine and select Engine > Re-Balance from the menu bar, or right-click the encryption engine and select Re-Balance. A warning message displays, cautioning you about the potential disruption of disk and tape I/O and telling you that the operation may take several minutes.
3. Click Yes to begin re-balancing.
• Backup master key, which is enabled any time a master key exists.
• Restore master key, which is enabled when no master key exists or the previous master key has been backed up.
• Create new master key, which is enabled when no master key exists or the previous master key has been backed up.
Reasons master keys can be disabled
Master key actions are disabled if unavailable.
4. Select Backup Master Key as the Master Key Action. The Master Key Backup dialog box displays, but only if the master key has already been generated.
FIGURE 38 Backup Destination (to file) dialog box
5. Select File as the Backup Destination.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
8.
Saving a master key to a key vault
Use the following procedure to save the master key to a key vault.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Backup Master Key as the Master Key Action. The Backup Master Key for Encryption Group dialog box displays.
FIGURE 39 Backup Destination (to key vault) dialog box
5.
Saving a master key to a smart card set
A card reader must be attached to the SAN Management application PC to complete this procedure. Recovery cards can only be written once, to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
NOTE Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system.
FIGURE 40 Backup Destination (to smart cards) dialog box
5. Select A Recovery Set of Smart Cards as the Backup Destination.
6. Enter the recovery card set size.
7. Insert the first blank card and wait for the card serial number to appear.
8. Run the additional cards needed for the set through the reader. As you read each card, the card ID displays in the Card Serial# field. Be sure to wait for the ID to appear.
9.
Restoring a master key from a file
Use the following procedure to restore the master key from a file.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action. The Restore Master Key for Encryption Group dialog box displays.
FIGURE 41 Select a Master Key to Restore (from file) dialog box
5.
Restoring a master key from a key vault
Use the following procedure to restore the master key from a key vault.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action. The Restore Master Key for Encryption Group dialog box displays.
FIGURE 42 Select a Master Key to Restore (from key vault) dialog box
5.
Restoring a master key from a smart card set
A card reader must be attached to the SAN Management application PC to complete this procedure. Use the following procedure to restore the master key from a set of smart cards.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. Select an encryption group from the tree, and click Properties.
3. Select the Security tab.
4. Select Restore Master Key as the Master Key Action.
10. Insert the next card, and repeat step 8 and step 9.
11. Continue until all the cards in the set have been read.
12. Click OK.
Creating a new master key
Though it is generally not necessary to create a new master key, you may be required to create one due to circumstances such as the following:
• The previous master key has been compromised.
• Corporate policy might require a new master key every year for security purposes.
Zeroizing an encryption engine
Zeroizing is the process of erasing all data encryption keys and other sensitive encryption information in an encryption engine. You can zeroize an encryption engine manually to protect encryption keys. No data is lost, because the data encryption keys for the encryption targets are stored in the key vault. Zeroizing has the following effects:
• All copies of data encryption keys kept in the encryption switch or encryption blade are erased.
4. Click YES to zeroize the encryption engine.
Encryption Targets dialog box
The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage. To access the Encryption Targets dialog box, complete the following steps.
1.
FIGURE 45 Encryption Targets dialog box
TABLE 1 Encryption Targets dialog box fields and components
Feature - Description
Add button - Launches the Storage Encryption Setup Wizard, which enables you to configure a new target for encryption. It is the first step in configuring encryption for a storage device. It is recommended that you zone the host and target together before you add container information.
TABLE 1 Encryption Targets dialog box fields and components (Continued)
Feature - Description
Hosts button - Launches the Encryption Target Hosts dialog box, where you can configure hosts to access the selected encryption target.
LUNs button - Launches the Encryption Target LUNs dialog box, where you can display existing LUNs and add new LUNs. The button is enabled only if there are hosts associated with the targets.
Disk device decommissioning
A disk device needs to be decommissioned when any of the following occur:
• The storage lease expires for an array, and devices must be returned or exchanged.
• Storage is reprovisioned for movement between departments.
• An array or device is removed from service.
In all cases, all data on the disk media must be rendered inaccessible. Device decommissioning deletes all information that could be used to recover the data.
Displaying and deleting decommissioned key IDs
When disk LUNs are decommissioned, the process disables the key record in the key vault and marks the key as decommissioned. These decommissioned keys are still stored on the switch. You can display them, copy them, and delete them as an additional security measure.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2.
FIGURE 46 Encryption Properties dialog box
• Switch Properties table - the properties associated with the selected switch.
• Name - the name of the selected switch.
• Node WWN - the world wide name of the node.
• Switch Status - the health status of the switch. Possible values are Healthy, Marginal, Down, Unknown, Unmonitored, and Unreachable.
• Domain ID - the domain ID of the selected switch.
• Firmware Version - the current encryption firmware on the switch.
• Primary Key Vault Link Key Status - the possible statuses are as follows:
- Not Used – the key vault type is not LKM.
- No Link Key – no access request was sent to an LKM yet, or a previous request was not accepted.
- Waiting for LKM approval – a request was sent to LKM and is waiting for the LKM administrator’s approval.
• HA Cluster Name - the name of the HA cluster (for example, Cluster1), if in an HA configuration. The name can have a maximum of 31 characters. Only letters, digits, and underscores are allowed.
• Media Type - the media type of the encryption engine. Possible values are Disk and Tape.
• Re-Balance Recommended - a value of Yes or No indicating whether or not LUN re-balancing is recommended for an encryption engine that is hosting both disk and tape LUNs.
Enabling the encryption engine state from Properties
To enable the encryption engine, complete the following steps.
1. Find the Set State To entry under Encryption Engine Properties.
2. Click the field and select Enabled.
3. Click OK.
Disabling the encryption engine state from Properties
To disable the encryption engine, complete the following steps.
1. Find the Set State To entry under Encryption Engine Properties.
2. Click the field and select Disabled.
3.
FIGURE 47 Encryption Group Properties dialog box
General tab
The properties displayed in the General tab are described below.
• Encryption group name - the name of the encryption group.
• Group status - the status of the encryption group, which can be OK-Converged or Degraded. Degraded means the group leader cannot contact all of the configured group members.
• Deployment mode - the group’s deployment mode, which is transparent.
Members tab
The Group Members tab lists group switches, their role, and their connection status with the group leader. The tab displays the configured membership for the group (none of the table columns are editable). The list can differ from the members displayed in the Encryption Center dialog box if some configured members are unmanaged, missing, or in a different group.
Consequences of removing an encryption switch
Table 2 explains the impact of removing switches.
TABLE 2 Switch removal impact
Switch configuration - Impact of removal
The switch is the only switch in the encryption group. - The encryption group is also removed.
The switch has configured encryption targets on encryption engines. -
The switch is configured to encrypt traffic to one or more encryption targets. - The target container configuration is removed.
Figure 49 shows the warning message that displays if you click Remove to remove an encryption group.
Security tab
The Security tab (Figure 50) displays the status of the master key for the encryption group.
NOTE You must enable encryption engines before you back up or restore master keys.
Master key actions are as follows:
• Create a new master key, which is enabled when no master key exists or the previous master key has been backed up.
• Back up a master key, which is enabled any time a master key exists.
HA Clusters tab
HA clusters are groups of encryption engines that provide high availability features. If one of the engines in the group fails or becomes unreachable, the other cluster member takes over the encryption and decryption tasks of the failed encryption engine. An HA cluster consists of exactly two encryption engines. See “Creating high availability (HA) clusters” on page 46.
Tape Pools tab
Tape pools are managed from the Tape Pools tab. Figure 52 displays the Tape Pools tab.
FIGURE 52 Encryption Group Properties - Tape Pools tab
• If you want to remove a tape pool, select one or more tape pools in the list and click Remove.
• To modify a tape pool, remove the entry and add a new tape pool. See “Adding tape pools” on page 88 for more information.
Adding tape pools
A tape pool can be identified by either a name or a number, but not both. Tape pool names and numbers must be unique within the encryption group. When a new encryption group is created, any existing tape pools in the switch are removed and must be added again.
1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays.
2. If groups are not visible in the Encryption Devices table, select View > Groups from the menu bar.
Choices include Clear Text, DF-Compatible Encryption, and Native Encryption. DF-Compatible Encryption is valid only when LKM is the key vault. The Key Lifespan (days) field is editable only if the tape pool is encrypted. If Clear Text is selected as the encryption mode, the key lifespan is disabled.
NOTE You cannot change the encryption mode after the tape pool I/O begins.
Chapter 3 Configuring Brocade encryption using the CLI
In this chapter
• Overview . . . . . 91
• Command validation checks . . . . . 92
• Command RBAC permissions and AD types . . . . . 93
• Cryptocfg Help command output . . . . .
Command validation checks
Before a command is executed, it is validated against the following checks.
1. Active or Standby availability: on enterprise-class platforms, checks that the command is available on the Control Processor (CP).
2. Role Based Access Control (RBAC) availability: checks that the invoking user’s role is permitted to invoke the command. If the command modifies system state, the user’s role must have modify permission for the command.
Command RBAC permissions and AD types
There are two RBAC roles that are permitted to perform encryption operations.
1. Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
• Perform encryption node initialization.
• Enable cryptographic operations.
• Manage input/output functions of critical security parameters (CSPs).
TABLE 4 Encryption command RBAC availability and admin domain type¹ (Continued)
Command name      User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
createtapepool    N     OM     N         N             N           OM            N                   O               Disallowed
decommission      N     OM     N         N             N           OM            N                   O               Disallowed
deletecontainer   N     OM     N         N             N           OM            N                   O               Disallowed
deleteencgroup    N     OM     N         N             N           O             N                   OM              Disallowed
deletefile        N     OM     N         N             N           O             N                   OM              Disallow
TABLE 4 Encryption command RBAC availability and admin domain type¹ (Continued)
Command name      User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
recovermasterkey  N     OM     N         N             N           O             N                   OM              Disallowed
refreshDEK        N     OM     N         N             N           OM            N                   O               Disallowed
regEE             N     OM     N         N             N           O             N                   OM              Disallowed
reggroupleader    N     OM     N         N             N           O             N                   OM              Disallowed
regkeyvault       N     OM     N         N             N           O             N                   OM
regmembernode     N     OM
Cryptocfg Help command output
All encryption operations are done using the cryptocfg command. The cryptocfg command has a help output that lists all options.
switch:admin> cryptocfg --help
Usage: cryptocfg
--help -nodecfg: Display the synopsis of node parameter configuration.
--help -groupcfg: Display the synopsis of group parameter configuration.
--help -hacluster: Display the synopsis of hacluster parameter configuration.
--export -scp [-dhchallenge | -currentMK | -KACcert | -KACcsr | -CPcert] : Export a specified file to an external host via scp.
--export -usb [-dhchallenge | -currentMK | -KACcert | -KACcsr | -CPcert] : Export a specified file to a mounted USB storage device.
--delete -file : Delete a file previously imported to the switch.
Configuring cluster links
Each encryption switch or FS8-18 blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18 blades. These two ports are bonded together as a single virtual network interface. Only one IP address is used. The ports provide link layer redundancy, and are collectively referred to as the cluster link.
NOTE The IP address of the cluster link should be configured before enabling the encryption engine for encryption.
Steps for connecting to an SKM appliance
The following configuration steps are performed from the SKM management web console, which can be accessed from any web browser with Internet access to the SKM appliance. The URL for the appliance is as follows:
https://<hostname>:<port>
Where:
- <hostname> is the hostname or IP address configured when installing the SKM appliance.
- <port> is 9443 by default.
1. Log in to the SKM management web console using the admin password.
2. Select the Security tab.
3. Under Certificates & CAs, click Local CAs.
4. Enter the information required by the Create Local Certificate Authority section of the window to create your local CA.
- Enter a Certificate Authority Name and Common Name. These may be the same value.
- Enter your organizational information.
- Enter the Email Address where you want messages to the Security Officer to go.
Repeat these steps any time another local CA is needed.
Downloading the local CA certificate
The local CA certificate you created using the procedure for “Setting up the local Certificate Authority (CA)” on page 100 must be saved to your local system. Later, this certificate must be imported onto the Brocade encryption group leader nodes.
1. From the Security tab, select Local CAs under Certificates and CAs.
2. Select the CA certificate you created.
3.
11. Enter the required data in the Sign Certificate Request section of the window.
- Select the CA name from the Sign with Certificate Authority drop-down box.
- Select Server as the Certificate Purpose.
- Enter the number of days before the certificate must be renewed, based on your site’s security policies. The default value is 3649, or 10 years.
12. Paste the copied certificate request data into the Certificate Request box.
13. Click Sign Request.
Creating an SKM High Availability cluster
The HP SKM key vault supports clustering of HP SKM appliances for high availability. If two SKM key vaults are configured, they must be clustered. If only a single SKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch.
Adding SKM appliances to the cluster
If you are adding an appliance to an existing cluster, select the Cluster Settings section of the window, click Download Cluster Key, and save the key to a convenient location, such as your computer’s desktop.
Initializing the Brocade encryption engines
You must perform a series of encryption engine initialization steps on every Brocade encryption node (switch or blade) that is expected to perform encryption within the fabric.
NOTE The initialization process overwrites any authentication data and certificates that reside on the node and the security processor.
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
7. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot number if the encryption engine is a blade. This step registers the encryption engine with the CP or chassis. Successful execution results in a certificate exchange between the encryption engine and the CP through the FIPS boundary.
SecurityAdmin:switch>cryptocfg --regEE
Operation succeeded.
8.
Signing the Brocade encryption node KAC certificates
The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on SKM. The signed certificate must then be imported back into the encryption node.
1. Export the KAC signing request to an SCP-capable host.
SecurityAdmin:switch>cryptocfg --export -scp -KACcsr 192.168.38.245 mylogin /tmp/certs/kac_skm.csr
2.
Registering SKM on a Brocade encryption group leader
An encryption group consists of one or more encryption engines. Encryption groups can provide failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK) clusters. An encryption group has the following properties:
• It is identified by a user-defined name.
• When there is more than one member, the group is managed from a designated group leader.
6. Use the cryptocfg --show -groupcfg command to verify that the key vault state is Connected.
Mace_127:admin> cryptocg --show groupcfg
rbash: cryptocg: command not found
Mace_127:admin> cryptocfg --show -groupcfg
Encryption Group Name: mace127_mace129
Failback mode: Auto
Replication mode: Disabled
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: SKM
System Card: Disabled
Primary Key Vault:
IP address:
Certificate ID:
Certificate label:
State:
Type:
10.
Generating and backing up the master key
You must generate a master key on the group leader and export it to a secure backup location so that it can be restored, if necessary. The master key is used to encrypt DEKs for transmission to and from SKM. The backup location may be SKM, a local file, or a secure external SCP-capable host. All three options are shown in the following procedure.
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.
High Availability (HA) cluster configuration
An HA cluster consists of two encryption engines configured to host the same CryptoTargets and to provide Active/Standby failover and failback capabilities in a single fabric. Failover is automatic (not configurable). Failback occurs automatically by default, but is configurable with a manual failback option. All encryption engines in an HA cluster share the same DEK for a disk or tape LUN.
3. Enter cryptocfg --commit to commit the transaction. Any transaction remains in the defined state until it is committed. The commit operation fails if the HA cluster has fewer than two members.
4. Display the HA cluster configuration by entering the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has one committed HA cluster, HAC1, with two encryption engines.
Failover/failback policy configuration
Failover/failback policy parameters as outlined in Table 5 can be set for the entire encryption group on the group leader. Use the cryptocfg --set command with the appropriate parameter to set the values for the policy. Policies are automatically propagated to all member nodes in the encryption group.
Enabling the encryption engine
Enable the encryption engine by entering the cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade.
Link IP Addr : 10.32.72.76
Link GW IP Addr : 10.32.64.1
Link Net Mask : 255.255.240.0
Link MAC Addr : 00:05:1e:53:89:03
Link MTU : 1500
Link State : UP
Media Type : DISK
Rebalance Recommended: NO
System Card Label :
System Card CID :
Remote EE Reachability :
Node WWN/Slot EE IP Addr EE State IO Link State
10:00:00:05:1e:54:22:36/0 10.32.72.62 EE_STATE_ONLINE Reachable
10:00:00:05:1e:47:30:00/1 10.32.72.104 EE_STATE_ONLINE Reachable
10:00:00:05:1e:47:30:00/3 10.32.72.
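Step 6 of the SKM registration procedure says to verify that the key vault state is Connected, and the engine listing above reports the cluster link state, the re-balance recommendation and the reachability of the other engines. The Python below is an added example, not a Brocade tool: it parses output shaped like these listings and reports the conditions an administrator would act on; the sample output is constructed (addresses and states are made up) and the field names are assumed from the listings in this guide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of cryptocfg --show output, modelled on the group and
# engine listings in the guide. Addresses and states are made up so that
# the checks below have something to flag.
SAMPLE_SHOW = """\
Encryption Group Name: brocade
Key Vault Type: SKM
Primary Key Vault:
    IP address: 10.32.44.30
    State: Connected
Secondary Key Vault:
    IP address: 10.32.44.31
    State: Disconnected
Link IP Addr : 10.32.72.76
Link MAC Addr : 00:05:1e:53:89:03
Link State : UP
Media Type : DISK
Rebalance Recommended: YES
Remote EE Reachability :
Node WWN/Slot              EE IP Addr    EE State          IO Link State
10:00:00:05:1e:54:22:36/0  10.32.72.62   EE_STATE_ONLINE   Reachable
10:00:00:05:1e:47:30:00/1  10.32.72.104  EE_STATE_ONLINE   Unreachable
10:00:00:05:1e:47:30:00/3  10.32.72.105  EE_STATE_OFFLINE  Reachable
"""

# One row of the "Remote EE Reachability" table: WWN/slot, IP, EE state, link state.
EE_ROW = re.compile(
    r"^\s*(?P<ee>(?:[0-9a-f]{2}:){7}[0-9a-f]{2}/\d+)\s+(?P<ip>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<link>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    code: str
    subject: str


def parse_show(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str, str]]]:
    """Split the output into 'key: value' fields and EE reachability rows.
    A line ending in ':' with no value opens a subsection; indented lines
    under it are stored as 'Section/Key' so the two 'State' fields
    (one per key vault) do not collide."""
    fields: Dict[str, str] = {}
    rows: List[Tuple[str, str, str, str]] = []
    section = ""
    for line in text.splitlines():
        m = EE_ROW.match(line)
        if m:
            rows.append((m["ee"], m["ip"], m["state"], m["link"]))
            continue
        if ":" not in line:
            continue  # table header and blank lines
        key, _, value = line.partition(":")  # keys never contain ':'
        key, value = key.strip(), value.strip()
        if not value:
            section = key
            continue
        if not line[0].isspace():
            section = ""
        fields[f"{section}/{key}" if section else key] = value
    return fields, rows


def health_findings(text: str) -> List[Finding]:
    """Conditions an operator would want to act on before relying on the engine."""
    fields, rows = parse_show(text)
    findings: List[Finding] = []
    for key, value in fields.items():
        # Every configured key vault must be Connected; DEKs cannot be
        # archived to or retrieved from a vault that is not.
        if key.endswith("Key Vault/State") and value != "Connected":
            findings.append(Finding("keyvault-not-connected", key.split("/")[0]))
    if fields.get("Link State", "UP") != "UP":
        findings.append(Finding("cluster-link-down", fields.get("Link IP Addr", "?")))
    if fields.get("Rebalance Recommended", "NO").upper() == "YES":
        findings.append(Finding("rebalance-recommended", fields.get("Media Type", "?")))
    for ee, _ip, state, link in rows:
        if state != "EE_STATE_ONLINE":
            findings.append(Finding("ee-not-online", ee))
        if link != "Reachable":
            findings.append(Finding("ee-unreachable", ee))
    return findings


if __name__ == "__main__":
    for f in health_findings(SAMPLE_SHOW):
        print(f"{f.code}: {f.subject}")
```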
Frame redirection zoning
Name Server-based frame redirection enables the Brocade encryption switch or blade to be deployed transparently to hosts and targets in the fabric. NS-based frame redirection is enabled as follows:
• You first create a zone that includes the host (H) and target (T). This may cause temporary traffic disruption to the host.
• You then create a CryptoTarget container for the target and configure the container to allow access to the initiator.
The nsshow command shows all devices on the switch, and the output can be lengthy. To retrieve only the initiator PWWN, do a pattern search of the output based on the initiator Port ID (a hex number). In the following example, the PID is 010600, where 01 indicates the domain and 06 the port number.
FabricAdmin:switch>nsshow | grep 0106
N 010600; 2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
3. Determine the target PWWN.
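A plain substring search for the PID digits can also match unrelated entries (another PID that merely contains the same four digits), so the added Python example below, which is not part of the guide, parses the name server entries instead and looks the port WWN up by domain and port number. The sample nsshow output is constructed: its first entry is the one quoted above, the other two are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of nsshow output. The first entry is the one quoted in
# the guide; the other two are made up, and the FC4s lines mimic the detail
# lines nsshow prints beneath each entry.
SAMPLE_NSSHOW = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010600;      2,3;10:00:00:00:c9:2b:c9:3a;20:00:00:00:c9:2b:c9:3a; na
    FC4s: FCP
 N    010a00;        3;20:0c:00:06:2b:0f:72:6d;20:00:00:06:2b:0f:72:6d; na
    FC4s: FCP
 N    020106;        3;10:00:00:05:1e:01:06:00;20:00:00:05:1e:01:06:00; na
    FC4s: FCP
}
"""

# One name server entry: "<type> <PID>; <COS>;<PWWN>;<NWWN>; ..."
NS_ENTRY = re.compile(
    r"^\s*(?P<type>[A-Z]{1,2})\s+(?P<pid>[0-9a-fA-F]{6});\s*"
    r"(?P<cos>[\d,]+);(?P<pwwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2});"
    r"(?P<nwwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2});"
)


@dataclass(frozen=True)
class NsEntry:
    pid: str   # 24-bit port ID as six hex digits: domain, area (port), AL_PA
    pwwn: str
    nwwn: str

    @property
    def domain(self) -> int:
        return int(self.pid[0:2], 16)

    @property
    def port(self) -> int:
        # The guide calls the second byte of the PID the port number.
        return int(self.pid[2:4], 16)


def parse_nsshow(text: str) -> List[NsEntry]:
    """Return the structured entries from nsshow output, skipping detail lines."""
    entries = []
    for line in text.splitlines():
        m = NS_ENTRY.match(line)
        if m:
            entries.append(NsEntry(m["pid"].lower(), m["pwwn"], m["nwwn"]))
    return entries


def pwwn_for_port(text: str, domain: int, port: int) -> Optional[str]:
    """Port WWN of the device at (domain, port), or None if absent or ambiguous."""
    hits = [e for e in parse_nsshow(text) if e.domain == domain and e.port == port]
    return hits[0].pwwn if len(hits) == 1 else None


def grep_count(text: str, needle: str) -> int:
    """Number of lines a plain substring search (nsshow | grep) would return."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    print(pwwn_for_port(SAMPLE_NSSHOW, domain=1, port=6))  # the initiator PWWN
    print(grep_count(SAMPLE_NSSHOW, "0106"))               # PID 020106 matches too
```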
7. Create a zone that includes the initiator and a LUN target. Enter the zonecreate command followed by a zone name, the initiator PWWN, and the target PWWN.
FabricAdmin:switch>zonecreate itzone, "10:00:00:00:c9:2b:c9:3a; \
20:0c:00:06:2b:0f:72:6d"
8. Create a zone configuration that includes the zone you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name.
FabricAdmin:switch>cfgcreate itcfg, itzone
9.
CryptoTarget container configuration
A CryptoTarget container is a configuration of virtual devices created for each target port hosted on a Brocade Encryption Switch or FS8-18 blade. The container holds the configuration information for a single target, including associated hosts and LUN settings.
LUN re-balancing when hosting both disk and tape
If you are currently using encryption and running Fabric OS version 6.3.x or earlier, you are hosting tape and disk target containers on different encryption switches or blades. Beginning with Fabric OS version 6.4, disk and tape target containers can be hosted on the same switch or blade.
Creating a CryptoTarget container
Before you begin, have the following information ready:
• The switch WWNs of all nodes in the encryption group. Use the cryptocfg --show -groupmember -all command to gather this information.
• The port WWNs of the targets whose LUNs are being enabled for data-at-rest encryption.
• The port WWNs of the hosts (initiators) which should gain access to the LUNs hosted on the targets.
CAUTION When configuring a multi-path LUN, you must complete the CryptoTarget container configuration for ALL target ports in sequence and add the hosts that should gain access to these ports before committing the container configuration. Failure to do so results in data corruption. Refer to the section “Configuring a multi-path Crypto LUN” on page 141 for specific instructions.
5. Display the CryptoTarget container configuration.
Removing an initiator from a CryptoTarget container
You may remove one or more initiators from a given CryptoTarget container. This operation removes the initiators’ access to the target port. If the initiator has access to multiple targets and you wish to remove access to all targets, follow the procedure described to remove the initiator from every CryptoTarget container that is configured with this initiator.
1. Log into the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --delete -container command followed by the CryptoTarget container name. The following example removes the CryptoTarget container “my_disk_tgt”.
FabricAdmin:switch>cryptocfg --delete -container my_disk_tgt
Operation Succeeded
3. Commit the transaction.
Crypto LUN configuration
A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the encryption property and policies on the LUN.
CAUTION When configuring a LUN with multiple paths, perform the LUN discovery on each of the Crypto Target containers for each of the paths accessing the LUN, and verify that the serial numbers for the LUNs discovered from these Crypto Target containers are the same. This validates that these Crypto Target containers are indeed paths to the same LUN. Refer to the section “Configuring a multi-path Crypto LUN” on page 141 for more information.
Log into the group leader as Admin or FabricAdmin.
3. Enter the cryptocfg --add -LUN command followed by the CryptoTarget container name, the LUN number or a range of LUN numbers, and the PWWN and NWWN of the initiators that should be able to access the LUN. If you are using DataFort encryption format, you can use the -encryption_format option to set the format to DF_compatible (the default is Native). The following example adds a disk LUN enabled for encryption.
NOTE LUN policies are configured at the LUN level but apply to the entire HA or DEK cluster. For multi-path LUNs exposed through multiple target ports, and thus configured on multiple Crypto Target containers on different encryption engines in an HA cluster or DEK cluster, the same LUN policies must be configured. Failure to do so results in unexpected behavior and may lead to data corruption.
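The two cautions above (the same serial number must be discovered through every path, and the same LUN policies must be set on every path), together with the rule that auto re-keying is valid only for an -encrypt policy and the 25-LUN limit per commit noted later in this chapter, are checks an operator can run over the discovery results before adding the LUNs. The Python below is an added example, not Brocade code: the container names, serial numbers and policy values are constructed, and the shape of the discovery result it consumes is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_LUNS_PER_COMMIT = 25   # limit the guide states for a single commit operation


@dataclass(frozen=True)
class LunPolicy:
    mode: str                         # "encrypt" or "cleartext"
    fmt: str = "native"               # "native" or "DF_compatible"
    rekey_days: Optional[int] = None  # auto re-key period; None means disabled


@dataclass(frozen=True)
class DiscoveredLun:
    number: int
    serial: str        # serial number reported by LUN discovery on this path
    policy: LunPolicy  # policy the operator intends to apply on this path


@dataclass(frozen=True)
class Finding:
    lun: Optional[int]  # None for findings that concern the whole commit
    code: str
    detail: str


def check_multipath(paths: Dict[str, List[DiscoveredLun]]) -> List[Finding]:
    """paths maps a CryptoTarget container name (one per target port) to the
    LUNs discovered through it. An empty result means the set is consistent
    enough to add and commit as one multi-path configuration."""
    findings: List[Finding] = []
    by_lun: Dict[int, Dict[str, DiscoveredLun]] = {}
    for container, luns in paths.items():
        for lun in luns:
            by_lun.setdefault(lun.number, {})[container] = lun

    for number, per_path in sorted(by_lun.items()):
        # Discovery through every path must report the same serial number;
        # different serials mean the containers are not paths to one LUN.
        serials = {l.serial for l in per_path.values()}
        if len(serials) > 1:
            findings.append(Finding(number, "serial-mismatch",
                                    f"{sorted(serials)} via {sorted(per_path)}"))
        # The same LUN policies must be configured on all of the LUN's paths.
        if len({l.policy for l in per_path.values()}) > 1:
            findings.append(Finding(number, "policy-mismatch",
                                    f"policies differ across {sorted(per_path)}"))
        # A LUN seen through only some of the containers deserves a look at
        # the target's LUN mapping before it is treated as multi-path.
        missing = set(paths) - set(per_path)
        if missing:
            findings.append(Finding(number, "path-missing",
                                    f"not discovered via {sorted(missing)}"))
        # Automatic re-keying is valid only when the LUN policy is -encrypt.
        for container, l in per_path.items():
            if l.policy.rekey_days is not None and l.policy.mode != "encrypt":
                findings.append(Finding(number, "rekey-on-cleartext", f"via {container}"))

    total = sum(len(luns) for luns in paths.values())
    if total > MAX_LUNS_PER_COMMIT:
        findings.append(Finding(None, "commit-limit",
                                f"{total} LUN additions exceed {MAX_LUNS_PER_COMMIT}; split the commit"))
    return findings


# Constructed sample: two target ports (two containers) exposing three LUNs.
SAMPLE_PATHS = {
    "my_disk_tgt_p0": [
        DiscoveredLun(0, "SN-0001", LunPolicy("encrypt", rekey_days=90)),
        DiscoveredLun(1, "SN-0002", LunPolicy("encrypt")),
        DiscoveredLun(2, "SN-0003", LunPolicy("cleartext", rekey_days=30)),
    ],
    "my_disk_tgt_p1": [
        DiscoveredLun(0, "SN-0001", LunPolicy("encrypt", rekey_days=90)),
        DiscoveredLun(1, "SN-0099", LunPolicy("encrypt")),  # a different device
        DiscoveredLun(2, "SN-0003", LunPolicy("encrypt", rekey_days=30)),
    ],
}

if __name__ == "__main__":
    for f in check_multipath(SAMPLE_PATHS):
        print(f"LUN {f.lun}: {f.code} ({f.detail})")
```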
TABLE 6 LUN parameters and policies (Continued)
Policy name: Re-key policy (Disk LUN: yes; Tape LUN: No; Modify?: Yes)
Command parameters: -enable_rekey time_period | -disable_rekey
Description: Enables or disables the auto re-keying feature on a specified disk LUN. This policy is not valid for tape LUNs. By default, the automatic re-key feature is disabled. Enabling automatic re-keying is valid only if the LUN policy is set to -encrypt.
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt
Operation Succeeded
NOTE When changing the tape LUN policy from encrypt to cleartext or from cleartext to encrypt, or the encryption format from Brocade native to DF-compatible, while data is being written to or read from a tape backup device, the policy change is not enforced until the current process completes and the tape is unmounted, rewound, or overwritten.
Removing a LUN from a CryptoTarget container
You can remove a LUN from a given CryptoTarget container if it is no longer needed. Stop all I/O traffic from the initiators accessing the LUN before removing the LUN, to avoid I/O failure between the initiators and the LUN. If the LUN is exposed to more than one initiator under different LUN numbers, remove all exposed LUN numbers.
1. Log into the group leader as Admin or FabricAdmin.
2.
Modifying Crypto LUN parameters
You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. If the modification applies to multiple LUNs, you may specify a LUN number range.
NOTE: A maximum of 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed this maximum fail with a warning. There is a five second delay before the commit operation takes effect.
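The 25-LUN-per-commit limit is easy to trip when a range is expanded, because every LUN in the range counts. The following planner, added here as an example and not Brocade code, expands LUN specs and splits the resulting cryptocfg lines into batches that each end in a commit. The line format follows the cryptocfg --add -LUN example in this guide (container, LUN number, initiator PWWN, initiator NWWN, then options); using the same argument order for --modify -LUN is an assumption, as are the sample container name and LUN list.

```python
"""Plan cryptocfg LUN changes in commit batches of at most 25 LUNs.

Added example written for this page, not Brocade code. The CLI line format
follows the cryptocfg --add -LUN example in this guide; applying the same
argument order to --modify -LUN is an assumption.
"""
from typing import Iterable, List

MAX_LUNS_PER_COMMIT = 25   # limit stated in the guide for add and modify
# The guide also notes a five second delay before a commit takes effect, so
# wait that long before starting the next batch.


def expand_luns(specs: Iterable[str]) -> List[int]:
    """Expand LUN specs such as "3" or "16-40" into a sorted list without duplicates.

    A range counts as every LUN it contains, so a single "0-29" already exceeds
    the 25-LUN commit limit.
    """
    luns = set()
    for spec in specs:
        spec = spec.strip()
        if "-" in spec:
            lo, hi = (int(part) for part in spec.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad LUN range {spec!r}")
            luns.update(range(lo, hi + 1))
        else:
            luns.add(int(spec))
    return sorted(luns)


def plan_batches(verb: str, container: str, specs: Iterable[str],
                 pwwn: str, nwwn: str, options: str = "-encrypt") -> List[List[str]]:
    """Return commit batches; each batch is a list of CLI lines ending with --commit.

    verb is "--add" or "--modify". One LUN per line avoids guessing at the
    CLI's range syntax and keeps the per-commit count explicit.
    """
    if verb not in ("--add", "--modify"):
        raise ValueError("verb must be --add or --modify")
    luns = expand_luns(specs)
    batches: List[List[str]] = []
    for start in range(0, len(luns), MAX_LUNS_PER_COMMIT):
        chunk = luns[start:start + MAX_LUNS_PER_COMMIT]
        lines = [f"cryptocfg {verb} -LUN {container} {lun} {pwwn} {nwwn} {options}"
                 for lun in chunk]
        lines.append("cryptocfg --commit")
        batches.append(lines)
    return batches


if __name__ == "__main__":
    # Constructed sample: 31 LUNs on container CTC1 for one initiator
    # (the WWNs are the ones used in the guide's example).
    for batch in plan_batches("--add", "CTC1", ["0-29", "40"],
                              "10:00:00:00:c9:2b:c9:3a", "20:00:00:00:c9:2b:c9:3a"):
        print("\n".join(batch), end="\n\n")
```

Review each batch before pasting it into the switch CLI; the planner only enforces the count limit, it does not validate that the container or initiators exist.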
Impact of tape LUN configuration changes
LUN-level policies apply when no policies are configured at the tape pool level.
When a device decommission operation fails on the encryption group leader for any reason, the crypto configuration remains uncommitted until a user-initiated commit or a subsequent device decommission operation issued on the encryption group leader completes successfully. Device decommission operations should always be issued from a committed configuration; otherwise the operation fails with the error message "An outstanding transaction is pending in Switch/EG".
Tape pool configuration
Tape pools are used by tape backup applications to group all configured tape volumes into a single backup, to facilitate their management within a centralized backup plan. A tape pool is identified by either a name or a number, depending on the backup application. Tape pools have the following properties:
• They are configured and managed per encryption group at the group leader level.
CommVault Galaxy labeling
CommVault uses a storage policy for each backup. When configuring a tape pool to work with CommVault Galaxy, first create a storage policy in CommVault, then use the storage_policy_id (sp_id) as the label when creating the tape pool on the encryption switch or blade.
1. Open CommCellExplorer Views by selecting Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
2.
Creating a tape pool
Take the following steps to create a tape pool:
1. Log into the group leader as FabricAdmin.
2. Create a tape pool by entering the cryptocfg --create -tapepool command. Provide a label or numeric ID for the tape pool and specify the encryption policies. For policies not specified at this time, LUN-level settings apply.
• Set the tape pool policy to either encrypt or cleartext (default).
Deleting a tape pool
This command does not issue a warning if the tape pool being deleted has tape media or volumes that are currently being accessed by a host. Be sure the tape media is not in use.
1. Log into the group leader as FabricAdmin.
2. Enter the cryptocfg --delete -tapepool command followed by a tape pool label or number. Use cryptocfg --show -tapepool -all to display all configured tape pool names and numbers.
Configuring a multi-path Crypto LUN
A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on multiple CryptoTarget containers located on the same encryption switch or blade, or on different encryption switches or blades.
FIGURE 57 A LUN accessible through multiple paths
The following steps may be used to configure multiple-path access to the LUN in Figure 57.
1. Create zoning between host port 1 and target port 1. Refer to the section "Creating an initiator - target zone" on page 118 for instructions.
2. Create zoning between host port 2 and target port 2. Refer to the same section for instructions.
3.
c. Add host port 1 to the container CTC1.
FabricAdmin:switch>cryptocfg --add -initiator \
d. Add host port 2 to the container CTC2.
FabricAdmin:switch>cryptocfg --add -initiator
e. Commit the configuration.
FabricAdmin:switch>cryptocfg --commit
Upon commit, redirection zones are created for target port 1 with host port 1, and for target port 2 with host port 2.
6. Validate the LUN policies for all containers. Display the LUN configuration for all CryptoTarget containers and confirm that the LUN policy settings are the same on every container.
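Step 6, and the NOTE earlier in this chapter about identical policies across an HA or DEK cluster, are the check that prevents the data-corruption case the guide warns about. The following helper is an added example, not Brocade code: it takes the policy settings you have recorded per container from cryptocfg --show -LUN and reports every field that differs between containers exposing the same LUN. The nested dictionary layout, the field names, and the sample containers CTC1 and CTC2 are assumptions used for illustration, not the command's output format.

```python
"""Check that a multi-path LUN has identical policies on every CryptoTarget
container that exposes it (the guide warns that mismatched policies across an
HA or DEK cluster can corrupt data).

Added example, not Brocade code. The nested dictionary is an assumed way of
recording what cryptocfg --show -LUN reports for each container; it is not
the command's output format.
"""
from typing import Dict, List, Tuple

# Policy fields the guide says must agree across containers of an HA/DEK cluster.
POLICY_FIELDS = ("policy", "encryption_format", "rekey")

# Constructed sample: container -> LUN number -> recorded policy settings.
# LUN 0 is consistent; LUN 1 was set to encrypt with auto re-key on CTC1 only.
SAMPLE_CONFIG = {
    "CTC1": {
        0: {"policy": "encrypt", "encryption_format": "native", "rekey": "disabled"},
        1: {"policy": "encrypt", "encryption_format": "native", "rekey": "enabled 90"},
    },
    "CTC2": {
        0: {"policy": "encrypt", "encryption_format": "native", "rekey": "disabled"},
        1: {"policy": "cleartext", "encryption_format": "native", "rekey": "disabled"},
    },
}

Mismatch = Tuple[int, str, Dict[str, str]]


def find_policy_mismatches(config: Dict[str, Dict[int, Dict[str, str]]]) -> List[Mismatch]:
    """Return (lun, field, {container: value}) for each field that differs
    between containers exposing the same LUN number."""
    by_lun: Dict[int, Dict[str, Dict[str, str]]] = {}
    for container, luns in config.items():
        for lun, settings in luns.items():
            by_lun.setdefault(lun, {})[container] = settings

    mismatches: List[Mismatch] = []
    for lun in sorted(by_lun):
        views = by_lun[lun]
        if len(views) < 2:
            continue                      # single path: nothing to compare against
        for field in POLICY_FIELDS:
            values = {c: s.get(field) for c, s in views.items()}
            if len(set(values.values())) > 1:
                mismatches.append((lun, field, values))
    return mismatches


def report(config: Dict[str, Dict[int, Dict[str, str]]]) -> List[str]:
    """One human-readable line per mismatch; an empty list means the LUNs agree."""
    return [f"LUN {lun}: {field} differs: "
            + ", ".join(f"{c}={v}" for c, v in sorted(vals.items()))
            for lun, field, vals in find_policy_mismatches(config)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["all multi-path LUN policies consistent"]:
        print(line)
```

Run the check after every commit that touches a multi-path LUN, and fix any reported field with cryptocfg --modify -LUN on the container that disagrees before putting host I/O back on the path.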
First time encryption
First time encryption, also referred to as encryption of existing data, is similar to the re-keying process described under Data re-keying, except that there is no expired key and the data present on the LUN is cleartext to begin with. In a first time encryption operation, cleartext data is read from a LUN, encrypted with the current key, and written back to the same LUN at the same logical block address (LBA).
Data re-keying
In a re-keying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted with a new key, and written back to the same LUN at the same logical block address (LBA). This process effectively re-encrypts the LUN and is referred to as "in-place re-keying." It is recommended that you limit re-keying to the following situations:
• Key compromise as a result of a security breach.
Configuring a LUN for automatic re-keying
Re-keying options are configured at the LUN level, either during LUN configuration with the cryptocfg --add -LUN command or later with the cryptocfg --modify -LUN command. For re-keying of a disk array LUN, the Crypto LUN is configured as follows:
• Set the LUN policy to either cleartext or encrypt.
• If cleartext is set (the default), all encryption-related options are disabled and no DEK is associated with the LUN.
Initiating a manual re-key session
If auto re-keying is disabled, you can initiate a re-keying session manually at your convenience. All encryption engines in the HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. Manual re-keying is useful when a key is compromised and you want to re-encrypt the existing data on the LUN before taking action on the compromised key.
Suspension and resumption of re-keying operations
A re-key may be suspended or fail to start for several reasons:
• The LUN goes offline, or the encryption switch fails and reboots. Re-key operations resume automatically when the target comes back online or the switch comes back up. You cannot abort an in-progress re-key operation.
• An unrecoverable error is encountered on the LUN and the in-progress re-key operation halts.
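The first time encryption, re-keying and suspension passages above describe one block-by-block procedure. The model below is an added example, not Brocade code: it encrypts a small block device in place with a first key, then re-keys it to a second key, suspends the session part-way (as when the target goes offline) and resumes it. The per-LBA keystream cipher is an illustrative stand-in for the encryption engine's cipher, and the next_lba checkpoint is an assumption about how a suspended re-key tracks where to resume; neither is taken from the product. What it shows that the text does not is the intermediate state: while a re-key is suspended, blocks below the checkpoint read back only under the new key and the rest only under the old one, which is why a LUN must not be reconfigured mid-re-key.

```python
"""Model of in-place first time encryption and re-keying with resumable progress.

Added example, not Brocade code. The per-LBA keystream cipher is an
illustrative stand-in for the encryption engine's cipher, and next_lba is an
assumed checkpoint for resuming a suspended re-key.
"""
import hashlib
import hmac
from typing import Optional

BLOCK = 512                       # bytes per logical block
NO_KEY: Optional[bytes] = None    # a cleartext LUN has no DEK associated with it


def keystream(key: bytes, lba: int) -> bytes:
    """BLOCK bytes of deterministic keystream bound to (key, lba); illustrative, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < BLOCK:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:BLOCK])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Lun:
    """Fixed-size block device addressed by LBA."""
    def __init__(self, data: bytes):
        assert len(data) % BLOCK == 0
        self.data = bytearray(data)
        self.nblocks = len(data) // BLOCK

    def read(self, lba: int) -> bytes:
        return bytes(self.data[lba * BLOCK:(lba + 1) * BLOCK])

    def write(self, lba: int, buf: bytes) -> None:
        self.data[lba * BLOCK:(lba + 1) * BLOCK] = buf


class RekeySession:
    """Re-encrypts a LUN in place, one LBA at a time, remembering the next LBA.

    old_key=NO_KEY models first time encryption (the data starts as cleartext).
    """
    def __init__(self, lun: Lun, old_key: Optional[bytes], new_key: bytes):
        self.lun, self.old_key, self.new_key = lun, old_key, new_key
        self.next_lba = 0

    def run(self, suspend_at: Optional[int] = None) -> bool:
        """Process blocks from the checkpoint; True once the whole LUN is under new_key.

        suspend_at models the target going offline at that LBA: the session
        stops and a later run() call resumes from the checkpoint.
        """
        while self.next_lba < self.lun.nblocks:
            lba = self.next_lba
            if suspend_at is not None and lba == suspend_at:
                return False
            buf = self.lun.read(lba)
            if self.old_key is not None:
                buf = xor(buf, keystream(self.old_key, lba))   # decrypt with current key
            buf = xor(buf, keystream(self.new_key, lba))       # encrypt with new key
            self.lun.write(lba, buf)                           # write back to the same LBA
            self.next_lba = lba + 1                            # checkpoint only after the write
        return True


def decrypt_all(lun: Lun, key: bytes) -> bytes:
    return b"".join(xor(lun.read(lba), keystream(key, lba)) for lba in range(lun.nblocks))


def demo() -> bool:
    """First time encryption, then a re-key suspended at LBA 3 and resumed."""
    plain = bytes((i * 31 + 7) % 256 for i in range(8 * BLOCK))   # constructed sample data
    k1, k2 = b"dek-1-constructed", b"dek-2-constructed"
    lun = Lun(plain)
    if not RekeySession(lun, NO_KEY, k1).run() or decrypt_all(lun, k1) != plain:
        return False
    session = RekeySession(lun, k1, k2)
    if session.run(suspend_at=3):
        return False
    # While suspended, LBAs below the checkpoint read back under k2, the rest under k1.
    mixed = (xor(lun.read(0), keystream(k2, 0)) == plain[:BLOCK]
             and xor(lun.read(5), keystream(k1, 5)) == plain[5 * BLOCK:6 * BLOCK])
    return mixed and session.run() and decrypt_all(lun, k2) == plain


if __name__ == "__main__":
    print("re-key model ok" if demo() else "re-key model FAILED")
```

The checkpoint is advanced only after the block has been written back, so a crash between read and write re-processes that block from its old-key state rather than double-encrypting it; the real engine must make the same ordering guarantee for the automatic resumption described above to be safe.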
Chapter 4 Deployment Scenarios
In this chapter
• Single encryption switch, two paths from host to target
• Single fabric deployment - HA cluster
• Single fabric deployment - DEK cluster
• Dual fabric deployment - HA and DEK cluster
• Multiple paths, one DEK cluster, and two HA clusters
Single encryption switch, two paths from host to target
Figure 58 shows a basic configuration with a single encryption switch providing encryption between one host and one storage device over the following two paths:
• Host port 1 to target port 1, redirected through CTC T1.
• Host port 2 to target port 2, redirected through CTC T2.
Single fabric deployment - HA cluster
Figure 59 shows an encryption deployment in a single fabric with dual core directors and several host and target edge switches in a highly redundant core-edge topology.
In Figure 59, the two encryption switches provide a redundant encryption path to the target devices. The encryption switches are interconnected through a dedicated cluster LAN; the Ge0 and Ge1 gigabit Ethernet ports on each switch are attached to this LAN.
In Figure 60, two encryption switches are required, one for each target path. The path from host port 1 to target port 1 is defined in a CryptoTarget container on one encryption switch, and the path from host port 2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between the encryption switches for both target paths.
failover for the encryption path between the host and target in fabric 1. Encryption switches 2 and 4 act as a high availability cluster in fabric 2, providing automatic failover for the encryption path between the host and target in fabric 2. All four encryption switches provide an encryption path to the same LUN and use the same DEK for that LUN, forming a DEK cluster.
The configuration details shown in Figure 62 are as follows:
• There are two fabrics.
• There are four paths to the target device, two paths in each fabric.
• There are two host ports, one in each fabric.
• Host port 1 is zoned to target port 1 and target port 2 in fabric 1.
• Host port 2 is zoned to target port 3 and target port 4 in fabric 2.
• There are four Brocade encryption switches organized in HA clusters.
Multiple paths, DEK cluster, no HA cluster
Figure 63 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric.
Deployment in Fibre Channel routed fabrics
In this deployment, the encryption switch may be connected as part of the backbone fabric to another switch or blade that provides the EX_Port connections (Figure 64), or it may form the backbone fabric and directly provide the EX_Port connections (Figure 65). The encryption resources can be shared with the host and target edge fabrics using device sharing between the backbone and edge fabrics.
The following is a summary of the steps for creating and enabling the frame redirection zoning features in the FCR configuration (backbone to edge).
• The encryption device automatically creates the frame redirection zone, consisting of host, target, virtual target, and virtual initiator in the backbone fabric, when the target and host are configured on the encryption device.
Deployment as part of an edge fabric
In this deployment, the encryption switch is connected to either the host or the target edge fabric. The backbone fabric may contain a 7500 extension switch, an FR4-18i blade in a 48000 director, DCX, or DCX-4S, or any FCR-capable switch or blade. The encryption resources of the encryption switch can be shared with the other edge fabrics using FCR in the backbone fabric (Figure 66).
Deployment with FCIP extension switches
Encryption switches may be deployed in configurations that use extension switches, or extension blades within a DCX, DCX-4S, or 48000 chassis, to enable long-distance connections. Figure 67 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide for information about creating FCIP configurations.
VMware ESX server deployments
VMware ESX servers may host multiple guest operating systems. A guest operating system may have its own physical HBA port connection, or it may use a virtual port and share a physical HBA port with other guest operating systems. Figure 68 shows a VMware ESX server with two guest operating systems where each guest accesses the fabric over a separate host port.
The figure shows a VMware ESX server with two guest operating systems where both guests access the fabric over a shared port. To enable this, each guest is assigned a virtual port. There are two paths to a target storage device:
• Virtual host port 1, through the shared host port, to target port 1, redirected through CTC T1.
• Virtual host port 2, through the shared host port, to target port 2, redirected through CTC T2.
Chapter 5 Best Practices and Special Topics
In this chapter
• Firmware download considerations
• HP-UX considerations
• Enable of a disabled LUN
• Disk metadata
• Tape metadata
Firmware download considerations
The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during the upgrade.
• A firmware consistency check for Fabric OS version 6.4.0 is enforced in an encryption group if any Fabric OS version 6.4.0 feature is enabled. If any Fabric OS version 6.4.0 feature is in an enabled state, any firmware download to Fabric OS version 6.3.x or earlier is blocked.
- Do not use configupload from Fabric OS version 6.4.0 and then configdownload to Fabric OS version 6.3.x or earlier versions with any Fabric OS version 6.4.
10. After all nodes in the encryption group have been upgraded, change the failback mode back from manual to auto, if required, by issuing the following command:
cryptocfg --set -failback auto
Configuration upload and download considerations
Important information is not included when you upload a configuration from an encryption switch or blade. Extra steps are necessary before and after download to re-establish that information.
Steps before configuration download
The configuration download does not include any certificates, public or private keys, the master key, or link keys. Perform the following steps prior to configuration download to generate and obtain the necessary certificates and keys:
1.
Steps after configuration download
For all key vaults except LKM, restore the master key, or generate and back up a new one. In cluster environments, the master key is propagated from the group leader node.
1. Use the following command to enable the encryption engine:
cryptocfg --enableEE [slot num]
2. Commit the configuration:
cryptocfg --commit
3.
HP-UX considerations
The HP-UX OS requires LUN 0 to be present. LUNs are scanned differently based on the type value returned for LUN 0 by the target device.
• If the type is 0, HP-UX scans only LUNs 0 through 7. That is the maximum allowed by HP-UX for device type 0.
• If the type is 0xC, HP-UX scans all LUNs.
Best practices are as follows:
• Create a CryptoTarget container for the target WWN.
• Add the HP-UX initiator WWN to the container.
Tape data compression
Data is compressed by the encryption switch or blade before encryption only if the tape device supports compression and compression is explicitly enabled by the host backup application. If the tape device supports compression but it is not enabled by the host backup application, the encryption switch or blade does not compress the data before encrypting it.
Tape key expiry
When the tape key expires in the middle of a write operation, the key continues to be used for the duration of any write operation that appends data to the tape medium. On any given tape medium, the same key is used for all written blocks, regardless of the time between append operations. With the exception of native pools, whenever you rewind a tape and write to block zero, a new key is generated, unique to that tape.
Configuring CryptoTarget containers and LUNs
The following are best practices to follow when configuring CryptoTarget containers and Crypto LUNs:
• Host a target port on only one encryption switch or one HA cluster. All LUNs visible through the target port are hosted on the same encryption switch and are available for storing ciphertext.
• Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted LUN.
Redirection zones
Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic cannot be redirected to the encryption devices and encryption is disrupted. To recover, re-enable the existing device configuration by invoking the cryptocfg --commit command. If no changes have taken place since the last commit, use the cryptocfg --commit -force command.
Tape library media changer considerations
In tape libraries where the media changer unit is addressed by a target port separate from the tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and CryptoTarget containers for the SCSI I/O ports. If a CryptoTarget container is created only for the media changer unit target port, no encryption is performed on this device.
Re-keying best practices and policies
Re-keying should be done only when necessary. In key management systems, DEKs are never exposed in an unwrapped or unencrypted state. You must re-key if the master key is compromised. Re-keying should be limited to the following cases:
• Master key compromise.
• Insider security breaches.
• As a general security policy, as infrequently as every six months or once per year.
Do not change LUN configuration while re-keying
Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN's settings during manual or automatic re-keying or first time encryption, the system reports a warning stating that the encryption engine is busy and a forced commit is required for the changes to take effect.
Recommendations for Initiator Fan-Ins
For optimal performance at reasonable scaling factors of initiators, targets, and LUNs accessed, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, measured as the number of distinct initiator ports to a Crypto Container (the virtual target port corresponding to the physical target port).
Best practices for host clusters in an encryption environment
When host clusters are deployed in an encryption environment, follow these recommendations:
• If two encryption engines are part of an HA cluster, configure the host/target pair so that it has different paths through both encryption engines. Avoid connecting both host/target pairs to the same encryption engine.
Chapter 6 Maintenance and Troubleshooting
In this chapter
• Encryption group and HA cluster maintenance
• Troubleshooting examples using the CLI
• Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group
• LUN policy troubleshooting
SecurityAdmin:switch>cryptocfg --show -groupmember \
    10:00:00:05:1e:41:99:bc
Node Name: 10:00:00:05:1e:41:99:bc (current node)
State: DEF_NODE_STATE_DISCOVERED
Role: MemberNode
IP Address: 10.32.33.145
Certificate: 10.32.33.145_my_cp_cert.
FIGURE 71 Removing a node from an encryption group
Deleting an encryption group
You can delete an encryption group after removing all member nodes, following the procedures described in the previous section. The encryption group is deleted on the group leader after you have removed all member nodes.
Removing an HA cluster member
Removing an encryption engine from an HA cluster "breaks" the HA cluster by removing failover/failback capability for the removed encryption engine. However, the removal does not affect the relationship between configured containers and the removed encryption engine: the containers still belong to that encryption engine and encryption operations continue.
Replacing an HA cluster member
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine being replaced.
FIGURE 72 Replacing a failed encryption engine in an HA cluster
Case 2: Replacing a "live" encryption engine in an HA cluster
1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine (EE3). This operation effectively removes EE2 from the HA cluster and adds the replacement encryption engine (EE3) to the HA cluster.
Deleting an HA cluster
This command dissolves the HA cluster and removes failover capability from the participating encryption engines.
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg --delete -hacluster command. Specify the name of the HA cluster you wish to delete.
SecurityAdmin:switch>cryptocfg --delete -hacluster HAC1
Delete HA cluster status: Operation succeeded.
3.
• The failed EE2 has come back online; failover is still active:
SecurityAdmin:switch>cryptocfg --show -hacluster -all
Encryption Group Name: brocade
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
        WWN                     Slot Number   Status
EE1 => 10:00:00:05:1e:53:89:dd  0             Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a  0             Online
• A manual failback is issued.
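With failback set to manual (as the firmware upgrade procedure in Chapter 5 requires), an HA cluster can sit in the state shown above indefinitely, with one engine carrying traffic under failover. The following parser is an added example, not Brocade code: it reads cryptocfg --show -hacluster -all output and lists the encryption engines whose status still reports "Failover active". The sample text is the output shown in this guide; its column layout is reconstructed from the extracted page, so the row pattern matches on the EE label, WWN, slot and status fields rather than on fixed column positions.

```python
"""Parse cryptocfg --show -hacluster -all output and list encryption engines
still in failover, i.e. candidates for a manual failback.

Added example, not Brocade code. SAMPLE_OUTPUT is the output shown in this
guide for a failed EE2 that has come back online; its column layout is
reconstructed from the guide's text, so the row pattern is whitespace-tolerant.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Encryption Group Name: brocade
Number of HA Clusters: 1
HA cluster name: HAC3 - 2 EE entries
Status: Committed
        WWN                     Slot Number   Status
EE1 => 10:00:00:05:1e:53:89:dd  0             Online - Failover active
EE2 => 10:00:00:05:1e:53:fc:8a  0             Online
"""

WWN = r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}"
ROW = re.compile(rf"^\s*(EE\d+)\s*=>\s*({WWN})\s+(\d+)\s+(.+?)\s*$")
CLUSTER = re.compile(r"^HA cluster name:\s*(\S+)")


def parse_hacluster(text: str) -> List[Dict[str, object]]:
    """Return one record per EE row, tagged with the HA cluster it was listed under."""
    rows: List[Dict[str, object]] = []
    cluster: Optional[str] = None
    for line in text.splitlines():
        m = CLUSTER.match(line)
        if m:
            cluster = m.group(1)      # rows that follow belong to this cluster
            continue
        m = ROW.match(line)
        if m:
            rows.append({"cluster": cluster, "ee": m.group(1), "wwn": m.group(2).lower(),
                         "slot": int(m.group(3)), "status": m.group(4)})
    return rows


def failover_active(text: str) -> List[Dict[str, object]]:
    """EEs whose status reports 'Failover active': a failover is still in effect
    in their cluster and no failback has happened yet."""
    return [r for r in parse_hacluster(text) if "failover active" in str(r["status"]).lower()]


if __name__ == "__main__":
    for r in failover_active(SAMPLE_OUTPUT):
        print(f"{r['cluster']}: {r['ee']} ({r['wwn']}, slot {r['slot']}) -> {r['status']}")
```

Feed the function the captured command output from each group leader after maintenance; an empty result means every HA cluster has failed back, a non-empty one is the list to act on before the next planned outage.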
Recovery
1. Configure the IP address of the new node that is replacing the failed node and the IP addresses of the I/O cluster sync ports (Ge0 and Ge1), then initialize the node with the cryptocfg --initnode command.
2. Register the new node IP address and CP certificate with the group leader node.
3. On the group leader node, export the member node certificate.
4. On the group leader node, import the member node certificate.
5.
A member node reboots and comes back up
Assumptions: N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 reboots and comes back up.
Impact: When N3 reboots, all devices hosted on the encryption engines of this node automatically fail over to the peer encryption engine on N1, and N1 now performs all of the rebooted node's encryption services. Any re-key sessions in progress continue.
A member node loses connection to all other nodes in the encryption group
Assumptions: N1, N2 and N3 form an encryption group and N2 is the group leader node. N3 and N1 are part of an HA cluster. Assume that N3 loses connection with all other nodes in the group. Node N3 finds itself isolated from the encryption group and, following the group leader succession protocol, elects itself as group leader.
• Each encryption group registers the missing members as "offline".
• The isolation of N3 from the original encryption group breaks the HA cluster and the failover capability between N3 and N1.
• You cannot configure any CryptoTargets, LUN policies, tape pools, or security parameters on any of the group leaders, because this would require communication with the "offline" member nodes. You cannot start any re-key operations (auto or manual) on any of the nodes.
Configuration impact of encryption group split or node isolation
When a node is isolated from the encryption group, or the encryption group is split into separate encryption group islands, the defined (registered) node list in the encryption group no longer equals the current active node list, and the encryption group is in a DEGRADED state rather than a CONVERGED state.
General encryption troubleshooting
Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.
TABLE 9 General troubleshooting tips using the CLI
Command | Activity
supportsave | Check the whole system configuration. Collect RAS logs. Collect RAS traces. Collect Security Processor (SP) logs (mainly kpd.log).
TABLE 10 General errors and conditions
Problem | Resolution
The LUN state for some LUNs remains in the "initialize" state on the passive path. | This is expected behavior. LUNs exposed through passive paths of the target array remain in either the Initialize or LUN Discovery Complete state as long as the paths remain passive. When the passive path becomes active, the LUN changes to Encryption Enabled.
TABLE 10 General errors and conditions (Continued)
Problem | Resolution
Searching or viewing key IDs on an LKM server returns "Not Responding" or "Unknown/Busy" for 20 or more minutes while searching for decommissioned key records. | In cases where there are many keys to search through (e.g., one MB or more), LKM database searches may get queued and may not be serviced fast enough, so the request times out. There is no workaround other than retrying.
Troubleshooting examples using the CLI
Encryption Enabled Crypto Target LUN
The LUN state should be Encryption Enabled for the host to see the Crypto LUN.
Encryption Disabled Crypto Target LUN
If the LUN state is Encryption Disabled, the host cannot access the Crypto LUN.
Management application encryption wizard troubleshooting
• Errors related to adding a switch to an existing group
• Errors related to adding a switch to a new group
• General errors related to the Configure Switch Encryption wizard
Errors related to adding a switch to a new group
Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them.
TABLE 12 Error recovery instructions for adding a switch to a new group
Configuration task | Error description | Instructions
Initialize the switch | Unable to initialize the switch due to an error response from the switch. |
TABLE 12 Error recovery instructions for adding a switch to a new group (Continued)
Configuration task | Error description | Instructions
Create a new master key (if the key vault type is not NetApp) | A failure occurred while attempting to create a new master key. | 1.
Save the switch's public key certificate to a file | The switch's public key certificate could not be saved to a file. |
General errors related to the Configure Switch Encryption wizard
Table 13 provides additional information for failures you might encounter while configuring switches using the Configure Switch Encryption wizard.
TABLE 13 General errors related to the Configure Switch Encryption wizard
Problem | Resolution
Initialization fails on the encryption engine after the encryption engine is zeroized. | Reboot the switch.
LUN policy troubleshooting
Table 14 may be used as an aid in troubleshooting problems related to LUN policies.
TABLE 14 LUN policy troubleshooting
Case | Reason the LUN was disabled by the encryption switch | Action taken if you do not need to save the data | Action taken if you need to save the data
1 | The LUN was modified from encrypt policy to cleartext policy but metadata exists. The LUN is disabled. Reason code: Metadata exists but the LUN policy is cleartext. | |
Loss of encryption group leader after power outage
When all nodes in an encryption group, HA cluster, or DEK cluster are powered down due to a catastrophic disaster or a power outage to the whole data center, and the group leader node either fails to come back up when the other nodes are powered on or is kept powered down, the member nodes lose information and knowledge about the encryption group.
MPIO and internal LUN states
The Internal LUN State field displayed in the cryptocfg --show -LUN command output does not indicate the host-to-storage path status for the displayed LUN, but rather the internal LUN state as known by the given encryption engine. Because of the transparent and embedded nature of this encryption solution, the host-to-storage array LUN path status can be displayed only by using host MPIO software.
FabricAdmin:switch> cryptocfg --show -rekey -all
• Read all data off the LUN and write it to another LUN. In this case, you can cancel the re-key session by removing the LUN from its container and force-committing the transaction. Refer to the section "Removing a LUN from a CryptoTarget container" on page 133 for instructions on how to remove a LUN by force.
Appendix A State and Status Information
In this appendix
• Encryption engine security processor (SP) states
• Security processor KEK status
• Encrypted LUN states
Encryption engine security processor (SP) states
Table 15 lists the encryption engine security processor (SP) states.
Security processor KEK status
Table 16 lists security processor KEK status information.
TABLE 16 Security processor KEK status
KEK type | KEK status (1) | Description
Primary KEK (current MK or primary KV link key) | None | Primary KEK is not configured.
 | Mismatch | Primary KEK mismatch between the CP and the SP.
 | Match/Valid | Primary KEK at the CP matches the one in the SP and is valid.
Secondary KEK (alternate MK or secondary KV link key) | None |
 | Mismatch |
Group KEK | |
1.
Encrypted LUN states

TABLE 17  Encrypted LUN states (Continued)

LUN_1ST_TIME_REKEY_IN_PROG     First time re-key is in progress.
LUN_KEY_EXPR_REKEY_IN_PROG     Key expired re-key is in progress.
LUN_MANUAL_REKEY_IN_PROG       Manual re-key is in progress.
LUN_DECRYPT_IN_PROG            Data decryption is in progress.
LUN_WR_META_PENDING            Write metadata is pending.
LUN_1ST_TIME_REKEY_PENDING     First time re-key is pending.
LUN_KEY_EXPR_REKEY_PENDING     Key expired re-key is pending.
TABLE 17  Encrypted LUN states (Continued)

LUN_DIS_WR_META_DONE_ERR       Disabled (Write metadata done with failure).
LUN_DIS_LUN_REMOVED            Disabled (LUN re-discovery detects LUN is removed).
LUN_DIS_LSN_MISMATCH           Disabled (LUN re-discovery detects new device ID).
LUN_DIS_DUP_LSN                Disabled (Duplicate LUN SN found).
LUN_DIS_DISCOVERY_FAIL         Disabled (LUN discovery failure).
LUN_DIS_NO_LICENSE             Disabled (Third party license is required).
TABLE 18  Tape LUN states

Internal Names | Console String | Explanation
LUN_DIS_LUN_NOT_FOUND | Disabled (LUN not found) | No logical unit structure in tape module. This is an internal software error. If it occurs, contact Brocade support.
LUN_TGT_OFFLINE | Target Offline | Target port is not currently in the fabric. Check connections and L2 port state.
TABLE 18  Tape LUN states (Continued)

Internal Names | Console String | Explanation
LUN_ENCRYPT | Encryption enabled | The tape medium is present and is in ciphertext (encrypted). The encryption switch or blade has full read/write access, because its current tape policy for the medium is also encrypted. See the Encryption Format field to find out whether the tape is encrypted in native mode or DataFort-compatible mode.
Appendix B  LUN Policies

In this appendix

The following topics are covered in this appendix:
• DF-compatibility support for disk LUNs . . . . 215
• DF-compatibility support for tape LUNs . . . . 219

DF-compatibility support for disk LUNs

Table 19 and Table 20 may be used as a reference for establishing disk LUN policies in support of DataFort firmware versions.
TABLE 20  Support matrix for disk LUNs for various configuration and modify options

LUN encryption format | LUN state | LUN policy | Encrypt existing data | Key ID | Metadata on LUN | Results
Native (Brocade) | Encrypted | Encrypt | NA when LUN State = encrypt | NA | Yes | No error.
Native (Brocade) | Cleartext | Cleartext | NA in case of cleartext policy | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF compatible | Cleartext | Encrypt | Yes | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state.
DF-compatibility support for tape LUNs

Table 21 and Table 22 may be used as a reference for establishing tape LUN policies in support of DataFort firmware versions.

NOTE
On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of one MB or greater.
TABLE 22  Compatibility support matrix for tape pools (Continued)

Tape pool encryption format | Tape pool policy | Metadata present | Results
DF-compatible | Encrypt | No (new tape) | No error. A new key is generated and both read and write are allowed in DF-compatible format.
DF-compatible | Cleartext | Brocade metadata | Reads are allowed in Brocade format using the key from the metadata. Writes are rejected if the tape is not positioned at the beginning of the tape.
Appendix C  NS-Based Transparent Frame Redirection

Table 23 provides the NS-based transparent frame redirection interoperability matrix.

TABLE 23  Frame redirection support

NS-based transparent frame redirection interoperability matrix (1)
FOS version Host and target edge switches/directors FOS only Layer 2 SAN FOS 6.2.0 FOS 5.3.1x for legacy Bloom-based switches and directors. FOS and EOSc and EOSn interop mode 2 “native” FOS and EOSc and EOSn interop mode 3 “open” EOSc and EOSn only FOS 6.1.
Index

A
add commands
   --add -haclustermember, 114
   --add -initiator, 123, 131, 143
   --add -LUN, 129, 143, 145, 147
   --add -membernode, 190

B
Brocade Encryption Switch
   See switch

C
certificates
   storing the public key, 38
CLI
   general errors and resolution, 195
   using to configure encryption switch or blade, 91
command RBAC permissions, 93
command validation checks, 92
commands
   ipaddrset, 98
   ipaddrshow, 98
commit command, --commit, 188
CommVault Galaxy labeling, 138
configuration of encryption group-wide policie
cryptocfg command
   --add -haclustermember, 114
   --add -initiator, 123, 131, 143
   --add -LUN, 129, 143, 145, 147
   --add -membernode, 190
   --commit, 188
   --create -container, 123, 131, 142
   --create -encgroup, 109
   --create -hacluster, 113
   --create -tapepool, 139
   --delete -container, 126, 181
   --delete -encgroup, 183
   --delete -hacluster, 188
   --delete -tapepool, 140
   --dereg -membernode, 182
   --discover -LUN, 143
   --discoverLUN, 127, 131
   --eject -membernode, 182
   --enable -LUN, 135
   --enable -rekey, 147
   --enable_rekey, 145
enable commands
   --enable -LUN, 135
   --enable -rekey, 147
   --enable_rekey, 145
   --enableEE, 190
enableEE, 116
encrypted LUN states, 210
encryption
   adding a license, 5
   adding a target, 74
   adding new LUNs, 75
   best practices for licensing, 5
   configuration planning for the management application, 22, 33
   configure dialog box, 14
   configuring LUNs for first-time encryption, 145
   configuring hosts to access encryption targets, 75
   configuring in a multi-path environment, 54
   definition of terms, 2
   description of blade, 5
F
failback command, --failback -EE, 188
failover and failback, states of encryption engines during, 188
field replaceable unit
   See FRU
firmware download considerations, 166
frame redirection
   creating and enabling in an FCR configuration (edge to edge), 161
   deploying the encryption switch or blade to hosts and targets, 118
   enabling, 118
   interop matrix, 221
   prerequisites, 118
   viewing the zone using the CLI, 124
frame redirection zoning
   creating and enabling in an FCR configuration, 160

I
import commands, --i
   129, 133, 134, 141
   configuring for first-time encryption, 145
   configuring for multi-path example, 141
   configuring policies using the CLI, 130
   force-enabling for encryption, 135
   impact of policy changes, 135
   modifying parameters using the CLI, 134
   multi-path configuration requirements, 123
   policy for DF-compatibility disk LUNs, 215
   policy for DF-compatibility tape LUNs, 219
   policy for DF-compatibility tape pools, 219
   policy parameters, 134
   removing Crypto LUN from CryptoTarget container, 133
   setting policy for
resume commands
   --resume_rekey, 149, 206
RKM key management system, 11
role based access control (RBAC)
   permissions for cryptoCfg commands, 93

S
security processor (SP)
   KEK status, 210
   states for encryption engines, 209
security tab on management application
   using to back up a master key, 86
   using to create a master key, 86
   using to restore a master key, 86
set commands
   --set -failback, 115
   --set -keyvault LKM, 109
show commands
   --show, 116
   --show -container, 124
   --show -groupmember, 111, 112, 123, 181
   --s
V
validating commands, 92
verifying encryption engine status using the CLI, 116
virtual initiators, description of in an encryption configuration, 121
virtual targets, description of in an encryption configuration, 121

Z
zeroize command
   --zeroize, 106
zeroizing
   effects of using on encryption engine, 72
zone
   creating an initiator-target using the CLI, 118