Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)
Table Of Contents
- Contents
- About This Document
- Encryption Overview
- In this chapter
- Host and LUN considerations
- Terminology
- The Brocade Encryption Switch
- The FS8-18 blade
- FIPS mode
- Performance licensing
- Recommendation for connectivity
- Usage limitations
- Brocade encryption solution overview
- Data encryption key life cycle management
- Master key management
- Support for virtual fabrics
- Cisco Fabric Connectivity support
- Configuring Encryption Using the Management Application
- In this chapter
- Encryption Center features
- Encryption user privileges
- Smart card usage
- Using authentication cards with a card reader
- Registering authentication cards from a card reader
- Registering authentication cards from the database
- Deregistering an authentication card
- Setting a quorum for authentication cards
- Using system cards
- Enabling or disabling the system card requirement
- Registering systems card from a card reader
- Deregistering system cards
- Using smart cards
- Tracking smart cards
- Editing smart cards
- Network connections
- Blade processor links
- Encryption node initialization and certificate generation
- Steps for connecting to an ESKM/SKM appliance
- Configuring a Brocade group on ESKM/SKM
- Registering the ESKM/SKM Brocade group user name and password
- Setting up the local Certificate Authority (CA) on ESKM/SKM
- Downloading the local CA certificate from ESKM/SKM
- Creating and installing the ESKM/SKM server certificate
- Enabling SSL on the Key Management System (KMS) Server
- Creating an ESKM/SKM High Availability cluster
- Copying the local CA certificate for a clustered ESKM/SKM appliance
- Adding ESKM/SKM appliances to the cluster
- Signing the encryption node KAC certificates
- Importing a signed KAC certificate into a switch
- ESKM/SKM key vault high availability deployment
- Encryption preparation
- Creating a new encryption group
- Adding a switch to an encryption group
- Replacing an encryption engine in an encryption group
- High availability (HA) clusters
- Configuring encryption storage targets
- Configuring hosts for encryption targets
- Adding target disk LUNs for encryption
- Adding target tape LUNs for encryption
- Moving Targets
- Configuring encrypted tape storage in a multi-path environment
- Tape LUN write early and read ahead
- Tape LUN statistics
- Encryption engine rebalancing
- Master keys
- Active master key
- Alternate master key
- Master key actions
- Saving the master key to a file
- Saving a master key to a key vault
- Saving a master key to a smart card set
- Restoring a master key from a file
- Restoring a master key from a key vault
- Restoring a master key from a smart card set
- Creating a new master key
- Security Settings
- Zeroizing an encryption engine
- Using the Encryption Targets dialog box
- Redirection zones
- Disk device decommissioning
- Rekeying all disk LUNs manually
- Thin provisioned LUNs
- Viewing time left for auto rekey
- Viewing and editing switch encryption properties
- Viewing and editing encryption group properties
- Encryption-related acronyms in log messages
- Configuring Encryption Using the CLI
- In this chapter
- Overview
- Command validation checks
- Command RBAC permissions and AD types
- Cryptocfg Help command output
- Management LAN configuration
- Configuring cluster links
- Setting encryption node initialization
- Steps for connecting to an SKM or ESKM appliance
- Configuring a Brocade group
- Setting up the local Certificate Authority (CA)
- Downloading the local CA certificate
- Creating and installing the SKM or ESKM server certificate
- Enabling SSL on the Key Management System (KMS) Server
- Creating an SKM or ESKM high availability cluster
- Copying the local CA certificate
- Adding SKM or ESKM appliances to the cluster
- Initializing the Fabric OS encryption engines
- Signing the Brocade encryption node KAC certificates
- Registering SKM or ESKM on a Brocade encryption group leader
- Registering the SKM/ESKM Brocade group user name and password
- SKM or ESKM key vault high availability deployment
- Adding a member node to an encryption group
- Generating and backing up the master key
- High availability cluster configuration
- Re-exporting a master key
- Enabling the encryption engine
- Zoning considerations
- CryptoTarget container configuration
- Crypto LUN configuration
- Impact of tape LUN configuration changes
- Configuring a multi-path Crypto LUN
- Decommissioning LUNs
- Decommissioning replicated LUNs
- Force-enabling a decommissioned disk LUN for encryption
- Force-enabling a disabled disk LUN for encryption
- Tape pool configuration
- First-time encryption
- Thin provisioned LUNs
- Data rekeying
- Deployment Scenarios
- In this chapter
- Single encryption switch, two paths from host to target
- Single fabric deployment - HA cluster
- Single fabric deployment - DEK cluster
- Dual fabric deployment - HA and DEK cluster
- Multiple paths, one DEK cluster, and two HA clusters
- Multiple paths, DEK cluster, no HA cluster
- Deployment in Fibre Channel routed fabrics
- Deployment as part of an edge fabric
- Deployment with FCIP extension switches
- VMware ESX server deployments
- Best Practices and Special Topics
- In this chapter
- Firmware upgrade and downgrade considerations
- Configuration upload and download considerations
- Configuration upload at an encryption group leader node
- Configuration upload at an encryption group member node
- Information not included in an upload
- Steps before configuration download
- Configuration download at the encryption group leader
- Configuration download at an encryption group member
- Steps after configuration download
- HP-UX considerations
- AIX Considerations
- Enabling a disabled LUN
- Disk metadata
- Tape metadata
- Tape data compression
- Tape pools
- Tape block zero handling
- Tape key expiry
- Configuring CryptoTarget containers and LUNs
- Redirection zones
- Deployment with Admin Domains (AD)
- Do not use DHCP for IP interfaces
- Ensure uniform licensing in HA clusters
- Tape library media changer considerations
- Turn off host-based encryption
- Avoid double encryption
- PID failover
- Turn off compression on extension switches
- Rekeying best practices and policies
- KAC certificate registration expiry
- Changing IP addresses in encryption groups
- Disabling the encryption engine
- Recommendations for Initiator Fan-Ins
- Best practices for host clusters in an encryption environment
- HA Cluster deployment considerations and best practices
- Key Vault Best Practices
- Tape Device LUN Mapping
- Maintenance and Troubleshooting
- In this chapter
- Encryption group and HA cluster maintenance
- Displaying encryption group configuration or status information
- Removing a member node from an encryption group
- Deleting an encryption group
- Removing an HA cluster member
- Displaying the HA cluster configuration
- Replacing an HA cluster member
- Deleting an HA cluster member
- Performing a manual failback of an encryption engine
- Encryption group merge and split use cases
- A member node failed and is replaced
- A member node reboots and comes back up
- A member node lost connection to the group leader
- A member node lost connection to all other nodes in the encryption group
- Several member nodes split off from an encryption group
- Adjusting heartbeat signaling values
- EG split possibilities requiring manual recovery
- Configuration impact of encryption group split or node isolation
- Encryption group database manual operations
- Key vault diagnostics
- Measuring encryption performance
- General encryption troubleshooting
- Troubleshooting examples using the CLI
- Management application encryption wizard troubleshooting
- LUN policy troubleshooting
- Loss of encryption group leader after power outage
- MPIO and internal LUN states
- FS8-18 blade removal and replacement
- Brocade Encryption Switch removal and replacement
- Reclaiming the WWN base of a failed Brocade Encryption Switch
- Removing stale rekey information for a LUN
- Downgrading firmware from Fabric OS 7.1.0
- Fabric OS and ESKM compatibility matrix
- Splitting an encryption group into two encryption groups
- Moving an encryption blade from one EG to another in the same fabric
- Moving an encryption switch from one EG to another in the same fabric
- State and Status Information
172 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)
53-1002721-01
Crypto LUN configuration
3
Configuring a Crypto LUN
You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the
encryption property on the Crypto LUN. The LUNs of the target that are not enabled for encryption
must still be added to the CryptoTarget container with the cleartext policy option.
You can add a single LUN to a CryptoTarget container, or you can add multiple LUNs by providing a
range of LUN Numbers. When adding a single LUN, you can either provide a 16-bit (2 byte) hex
value of the LUN Number, for example, 0x07. Alternately you can provide a 64-bit (8 byte) value in
WWN or LUN ID format, for example, 00:07:00:00:00:00:00:00. When adding a range of LUN
Numbers, you may use two byte hex values or decimal numbers.
LUN configurations and modifications must be committed to take effect. The commit limit when
using the CLI is 25. If the number of paths for a LUN exceeds the limit, then more than one
transaction must be sent. Attempts to commit configurations or modifications that exceed the
maximum commit allowed will fail with a warning. There is also a five-second delay before the
commit operation takes effect. In addition to the commit limits, make sure the LUNs in previously
committed LUN configurations and LUN modifications have a LUN state of Encryption Enabled
before creating and committing another batch of LUN configurations or LUN modifications.
NOTE
There is a maximum of 512 disk LUNs per Initiator in a container. With the introduction of Fabric
OS 7.1.0, the maximum number of uncommitted configuration changes per disk LUN (or maximum
paths to a LUN) is 512 transactions. This change in commit limit is applicable only when using BNA.
The commit limit when using the CLI remains unchanged at 25.
NOTE
The maximum of number of tape LUNs that can be added or modfied in a single commit operation
remains unchanged at eight.
The device type (disk or tape) is set at the CryptoTarget container level. You cannot add a tape LUN
to a CryptoTarget container of type “disk” and vice versa.
It is recommended that you configure the LUN state and encryption policies at this time. You can
add these settings later with the cryptocfg
--modify -LUN command, but not all options are
modifiable. Refer to the section “Crypto LUN parameters and policies” on page 173 for LUN
configuration parameters. Refer to the section “Creating a tape pool” on page 190 for tape pool
policy parameters.
NOTE
If you are using VMware virtualization software or any other configuration that involves mounted file
systems on the LUN, you must enable first-time encryption at the time when you create the LUN by
setting the
–-enable_encexistingdata option with the –-add -LUN command. Failure to do so
permanently disconnects the LUN from the host and causes data to be lost and unrecoverable.
1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg
--add -LUN command followed by the CryptoTarget container Name, the
LUN number or a range of LUN numbers, the PWWN and NWWN of the initiators that should be
able to access the LUN. The following example adds a disk LUN enabled for encryption.
FabricAdmin:switch> cryptocfg --add -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt
Operation Succeeded