Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)
Table Of Contents
- Contents
- About This Document
- Encryption Overview
- In this chapter
- Host and LUN considerations
- Terminology
- The Brocade Encryption Switch
- The FS8-18 blade
- FIPS mode
- Performance licensing
- Recommendation for connectivity
- Usage limitations
- Brocade encryption solution overview
- Data encryption key life cycle management
- Master key management
- Support for virtual fabrics
- Cisco Fabric Connectivity support
- Configuring Encryption Using the Management Application
- In this chapter
- Encryption Center features
- Encryption user privileges
- Smart card usage
- Using authentication cards with a card reader
- Registering authentication cards from a card reader
- Registering authentication cards from the database
- Deregistering an authentication card
- Setting a quorum for authentication cards
- Using system cards
- Enabling or disabling the system card requirement
- Registering systems card from a card reader
- Deregistering system cards
- Using smart cards
- Tracking smart cards
- Editing smart cards
- Network connections
- Blade processor links
- Encryption node initialization and certificate generation
- Steps for connecting to an ESKM/SKM appliance
- Configuring a Brocade group on ESKM/SKM
- Registering the ESKM/SKM Brocade group user name and password
- Setting up the local Certificate Authority (CA) on ESKM/SKM
- Downloading the local CA certificate from ESKM/SKM
- Creating and installing the ESKM/SKM server certificate
- Enabling SSL on the Key Management System (KMS) Server
- Creating an ESKM/SKM High Availability cluster
- Copying the local CA certificate for a clustered ESKM/SKM appliance
- Adding ESKM/SKM appliances to the cluster
- Signing the encryption node KAC certificates
- Importing a signed KAC certificate into a switch
- ESKM/SKM key vault high availability deployment
- Encryption preparation
- Creating a new encryption group
- Adding a switch to an encryption group
- Replacing an encryption engine in an encryption group
- High availability (HA) clusters
- Configuring encryption storage targets
- Configuring hosts for encryption targets
- Adding target disk LUNs for encryption
- Adding target tape LUNs for encryption
- Moving Targets
- Configuring encrypted tape storage in a multi-path environment
- Tape LUN write early and read ahead
- Tape LUN statistics
- Encryption engine rebalancing
- Master keys
- Active master key
- Alternate master key
- Master key actions
- Saving the master key to a file
- Saving a master key to a key vault
- Saving a master key to a smart card set
- Restoring a master key from a file
- Restoring a master key from a key vault
- Restoring a master key from a smart card set
- Creating a new master key
- Security Settings
- Zeroizing an encryption engine
- Using the Encryption Targets dialog box
- Redirection zones
- Disk device decommissioning
- Rekeying all disk LUNs manually
- Thin provisioned LUNs
- Viewing time left for auto rekey
- Viewing and editing switch encryption properties
- Viewing and editing encryption group properties
- Encryption-related acronyms in log messages
- Configuring Encryption Using the CLI
- In this chapter
- Overview
- Command validation checks
- Command RBAC permissions and AD types
- Cryptocfg Help command output
- Management LAN configuration
- Configuring cluster links
- Setting encryption node initialization
- Steps for connecting to an SKM or ESKM appliance
- Configuring a Brocade group
- Setting up the local Certificate Authority (CA)
- Downloading the local CA certificate
- Creating and installing the SKM or ESKM server certificate
- Enabling SSL on the Key Management System (KMS) Server
- Creating an SKM or ESKM high availability cluster
- Copying the local CA certificate
- Adding SKM or ESKM appliances to the cluster
- Initializing the Fabric OS encryption engines
- Signing the Brocade encryption node KAC certificates
- Registering SKM or ESKM on a Brocade encryption group leader
- Registering the SKM/ESKM Brocade group user name and password
- SKM or ESKM key vault high availability deployment
- Adding a member node to an encryption group
- Generating and backing up the master key
- High availability cluster configuration
- Re-exporting a master key
- Enabling the encryption engine
- Zoning considerations
- CryptoTarget container configuration
- Crypto LUN configuration
- Impact of tape LUN configuration changes
- Configuring a multi-path Crypto LUN
- Decommissioning LUNs
- Decommissioning replicated LUNs
- Force-enabling a decommissioned disk LUN for encryption
- Force-enabling a disabled disk LUN for encryption
- Tape pool configuration
- First-time encryption
- Thin provisioned LUNs
- Data rekeying
- Deployment Scenarios
- In this chapter
- Single encryption switch, two paths from host to target
- Single fabric deployment - HA cluster
- Single fabric deployment - DEK cluster
- Dual fabric deployment - HA and DEK cluster
- Multiple paths, one DEK cluster, and two HA clusters
- Multiple paths, DEK cluster, no HA cluster
- Deployment in Fibre Channel routed fabrics
- Deployment as part of an edge fabric
- Deployment with FCIP extension switches
- VMware ESX server deployments
- Best Practices and Special Topics
- In this chapter
- Firmware upgrade and downgrade considerations
- Configuration upload and download considerations
- Configuration upload at an encryption group leader node
- Configuration upload at an encryption group member node
- Information not included in an upload
- Steps before configuration download
- Configuration download at the encryption group leader
- Configuration download at an encryption group member
- Steps after configuration download
- HP-UX considerations
- AIX Considerations
- Enabling a disabled LUN
- Disk metadata
- Tape metadata
- Tape data compression
- Tape pools
- Tape block zero handling
- Tape key expiry
- Configuring CryptoTarget containers and LUNs
- Redirection zones
- Deployment with Admin Domains (AD)
- Do not use DHCP for IP interfaces
- Ensure uniform licensing in HA clusters
- Tape library media changer considerations
- Turn off host-based encryption
- Avoid double encryption
- PID failover
- Turn off compression on extension switches
- Rekeying best practices and policies
- KAC certificate registration expiry
- Changing IP addresses in encryption groups
- Disabling the encryption engine
- Recommendations for Initiator Fan-Ins
- Best practices for host clusters in an encryption environment
- HA Cluster deployment considerations and best practices
- Key Vault Best Practices
- Tape Device LUN Mapping
- Maintenance and Troubleshooting
- In this chapter
- Encryption group and HA cluster maintenance
- Displaying encryption group configuration or status information
- Removing a member node from an encryption group
- Deleting an encryption group
- Removing an HA cluster member
- Displaying the HA cluster configuration
- Replacing an HA cluster member
- Deleting an HA cluster member
- Performing a manual failback of an encryption engine
- Encryption group merge and split use cases
- A member node failed and is replaced
- A member node reboots and comes back up
- A member node lost connection to the group leader
- A member node lost connection to all other nodes in the encryption group
- Several member nodes split off from an encryption group
- Adjusting heartbeat signaling values
- EG split possibilities requiring manual recovery
- Configuration impact of encryption group split or node isolation
- Encryption group database manual operations
- Key vault diagnostics
- Measuring encryption performance
- General encryption troubleshooting
- Troubleshooting examples using the CLI
- Management application encryption wizard troubleshooting
- LUN policy troubleshooting
- Loss of encryption group leader after power outage
- MPIO and internal LUN states
- FS8-18 blade removal and replacement
- Brocade Encryption Switch removal and replacement
- Reclaiming the WWN base of a failed Brocade Encryption Switch
- Removing stale rekey information for a LUN
- Downgrading firmware from Fabric OS 7.1.0
- Fabric OS and ESKM compatibility matrix
- Splitting an encryption group into two encryption groups
- Moving an encryption blade from one EG to another in the same fabric
- Moving an encryption switch from one EG to another in the same fabric
- State and Status Information
viii Fabric OS Encryption Administrator’s Guide (SKM/ESKM)
53-1002721-01
Crypto LUN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Discovering a LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring a Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Crypto LUN parameters and policies . . . . . . . . . . . . . . . . . . . .173
Configuring a tape LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Removing a LUN from a CryptoTarget container . . . . . . . . . . . 177
Modifying Crypto LUN parameters . . . . . . . . . . . . . . . . . . . . . . 177
LUN modification considerations . . . . . . . . . . . . . . . . . . . . . . .178
Impact of tape LUN configuration changes. . . . . . . . . . . . . . . . . . .179
Configuring a multi-path Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . .179
Multi-path LUN configuration example. . . . . . . . . . . . . . . . . . .180
Decommissioning LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Decommissioning replicated LUNs . . . . . . . . . . . . . . . . . . . . . . . . .185
Decommissioning primary LUNs only . . . . . . . . . . . . . . . . . . . .185
Decommissioning secondary LUNs only . . . . . . . . . . . . . . . . .185
Decommissioning primary and secondary LUN pairs . . . . . . .186
Force-enabling a decommissioned disk LUN for encryption . . . . .186
Force-enabling a disabled disk LUN for encryption . . . . . . . . . . . .187
Tape pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Tape pool labeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Creating a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Deleting a tape pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Modifying a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Impact of tape pool configuration changes . . . . . . . . . . . . . . .191
First-time encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
First-time encryption modes . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Configuring a LUN for first-time encryption . . . . . . . . . . . . . . .192
Thin provisioned LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Space reclamation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Data rekeying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Rekeying modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Configuring a LUN for automatic rekeying . . . . . . . . . . . . . . . .196
Initiating a manual rekey session . . . . . . . . . . . . . . . . . . . . . . .197
Suspension and resumption of rekeying operations. . . . . . . .198
Chapter 4 Deployment Scenarios
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Single encryption switch, two paths from host to target . . . . . . . .200
Single fabric deployment - HA cluster . . . . . . . . . . . . . . . . . . . . . . .201
Single fabric deployment - DEK cluster . . . . . . . . . . . . . . . . . . . . . .202
Dual fabric deployment - HA and DEK cluster. . . . . . . . . . . . . . . . .203
Multiple paths, one DEK cluster, and two HA clusters . . . . . . . . . .204
Multiple paths, DEK cluster, no HA cluster . . . . . . . . . . . . . . . . . . .206