HP 8/24 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June
HP 8/24 manual content summary:
Page 1: 53-1001864-01, March 30, 2010. Fabric OS Encryption Administrator's Guide. Supporting Fabric OS v6.4.0, Supporting HP StorageWorks Secure Key Manager (SKM) Environments
Page 2: or service offered or to be offered by Brocade. Brocade license from the United States government. The authors and Brocade brocade.com/support/oscd. Brocade Communications Systems, Incorporated Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San
Page 3: information for HP and Thales key vaults, and other various updates. August 2009 Revised document for Fabric OS version 6.4.0. Began the practice of creating separate manuals for each supported Key Manager. This is the SKM manual. March 2010
Page 5: Chapter 1 Host and LUN considerations 1 Terminology 2 The Brocade encryption switch 4 The FS8-18 blade 5 Performance licensing 5 Adding a license 5 Licensing best practices 5 Recommendation for connectivity 6 Usage limitations 6 Brocade encryption solution overview 7 Data flow from server
Page 6: 18 Enabling or disabling 24 Configuring a Brocade group on SKM 25 Registering the SKM Brocade group user name and password Brocade encryption node KAC certificates 32 Importing a signed KAC certificate into a switch 32 Gathering information 33 Creating a new encryption group 34 Adding a switch
Page 7: 80 Enabling the encryption encryption switch 84 Brocade encryption using the CLI In this chapter 91 Overview 91 Command validation checks 92 Command RBAC permissions and AD types 93 Cryptocfg Help command output 96 Management LAN configuration 97
Page 8: 102 Enabling SSL on the Key Management System (KMS) Server 103 Creating an SKM High Availability cluster 104 Copying the local CA certificate 104 Adding SKM appliances to the cluster 105 Initializing the Brocade encryption engines 106 Registering the SKM Brocade group user name and password
Page 9: 147 Initiating a manual re-key switches 162 VMware ESX server deployments 163 Best Practices and Special Topics In this chapter 165 Firmware download considerations 166 Firmware Upgrades and Downgrades 166 Specific guidelines for HA clusters 167
Page 10: on extension switches 176 Re-keying best practices and policies 177 Manual re-key 177 Latency in re-key operations 177 Allow re-key to complete before deleting a container 177 Re-key operations and firmware upgrades 177 Do not change LUN configuration while re-keying 178 Brocade native mode
Page 11: switch to a new group 201 General errors related to the Configure Switch Encryption wizard 203 LUN policy troubleshooting 204 Loss of encryption group leader after power support for disk LUNs 215 DF-compatibility support for tape LUNs 219
Page 12: Appendix C Index NS-Based Transparent Frame Redirection
Page 13: DataFort compatibility support matrix for disk and tape LUNs, and includes LUN policy troubleshooting information. • Appendix C, "NS-Based Transparent Frame Redirection," provides a name server (NS)-based transparent frame redirection interop matrix.
Page 14: hardware and software. The following hardware platforms support data encryption as described in this manual. • Brocade DCX and DCX-4S with an FS8-18 encryption blade. • Brocade Encryption Switch. What's new in this document Information about decommissioning an encrypted LUN, hosting disk and
Page 15: line break. For command line input, type used in this manual. They are listed hardware, firmware, software, Brocade Connect. See "Brocade resources" on page xvi for instructions on accessing Brocade Connect. For definitions specific to this document, see "Terminology" on page 2. For definitions of SAN
Page 16: at no cost for a user ID and password. For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource
Page 17: • Switch model • Switch operating system version • Error numbers and messages received • supportSave command output • Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions • Description of any troubleshooting steps
Page 18: command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port feedback to: [email protected] Provide the
Page 19: Brocade encryption switch 4 •The FS8-18 blade 5 •Performance licensing 5 •Recommendation for connectivity 6 •Usage limitations 6 •Brocade encryption solution overview 7 •Data encryption key life cycle management 9 •Key management systems 11 •Support
Page 20: be in the same or different fabrics. DEK clusters enable host MPIO failover. Encryption Engine The entity within a switch recovers. Devices that were transferred to another switch by failover processing may automatically be transferred back, or they may be manually switched
Page 21: together from a card reader attached to a PC running the Brocade SAN Management Application to restore the master key. Recovery cards may be targets. Redirection zones are automatically created to enable frame redirection to the virtual initiators and virtual
Page 22: firmware upgrades and other support services. 8 Fibre Channel ports (0-31) - 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches. FIGURE 1 Brocade encryption switch
Page 23: may be installed in a single DCX or DCX-4S. Performance licensing Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license. The base unit Brocade Encryption Switch and FS8-18 Encryption Blade have a standard capacity of 48 Gbps
Page 24: ports with respect to encryption flows are as follows: - Only ISLs are connected to the Brocade Encryption Switch an encryption switch or blade. Quality of Service (QoS) enabled when an encryption switch or blade is present in the fabric.
Page 25: Encryption is a powerful tool for data protection. Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This [figure labels: Host, Cleartext, Encryption Switch, Ciphertext based on AES256-XTS, Disk Storage; Cleartext DEKs, Ciphertext based on AES256-GCM, Key]
Page 26: encryption solution overview Data flow from server to storage The Brocade encryption switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to
Page 27: must be used one more time to decrypt the data, and the resulting cleartext is encrypted with a new key (re-keyed).
Page 28: Data encryption key life cycle management. FIGURE 5 DEK life cycle
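The DEK life cycle the guide describes on pages 7 to 10 (a DEK is created per LUN, leaves the encryption engine only wrapped under the group's master key for storage in the key vault, encrypts host data with AES-256-XTS for disk, and at re-key time is used one more time to decrypt before a new DEK re-encrypts the cleartext), modelled as an added example. This is not Brocade's or HP's code. The Python standard library has no AES, so the AES-256-GCM key wrap and the AES-256-XTS data path in the figure are stood in for by an HMAC-SHA256 encrypt-then-MAC construction; the key-ID format, the KeyVault class and the EncryptionEngine API are assumptions made for the illustration, not the product's interface.

```python
"""DEK life cycle model: create, wrap for the key vault, use per LUN, re-key.

Added example, not Brocade or HP code. Assumptions: the Python standard
library has no AES, so seal()/open_() are an encrypt-then-MAC stand-in
(HMAC-SHA256 keystream plus HMAC-SHA256 tag) for the product's AES-256-GCM
key wrap and, with the block number as nonce, for its AES-256-XTS data path;
the key-ID format and the KeyVault/EncryptionEngine API are invented here.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES)."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, nonce, aad, plaintext):
    """Encrypt-then-MAC: returns ciphertext || tag; the tag binds nonce and aad."""
    ks = _keystream(hashlib.sha256(b"enc" + key).digest(), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + aad + ct, hashlib.sha256).digest()


def open_(key, nonce, aad, sealed):
    """Verify the tag first; a wrong key or tampered data raises ValueError."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(hashlib.sha256(b"enc" + key).digest(), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyVault:
    """Stores DEKs only in wrapped form, indexed by key ID (models the SKM)."""
    def __init__(self):
        self.wrapped = {}

    def put(self, key_id, wrapped_dek):
        if key_id in self.wrapped:
            raise KeyError(f"key ID {key_id} already registered")
        self.wrapped[key_id] = wrapped_dek


class EncryptionEngine:
    """An engine in one encryption group; it holds that group's master key."""
    def __init__(self, master_key, vault):
        self.master_key, self.vault, self._deks = master_key, vault, {}

    def create_dek(self, lun):
        """Generate a DEK, wrap it under the master key and register it in the vault."""
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(NONCE_LEN)
        key_id = f"{lun}/dek-{secrets.token_hex(4)}"
        self.vault.put(key_id, nonce + seal(self.master_key, nonce, key_id.encode(), dek))
        self._deks[key_id] = dek  # the cleartext DEK never leaves the engine
        return key_id

    def load_dek(self, key_id):
        """Fetch the wrapped DEK and unwrap it; fails under a different master key."""
        if key_id not in self._deks:
            blob = self.vault.wrapped[key_id]
            self._deks[key_id] = open_(self.master_key, blob[:NONCE_LEN], key_id.encode(), blob[NONCE_LEN:])
        return self._deks[key_id]

    def encrypt_block(self, key_id, block_no, data):
        return seal(self.load_dek(key_id), block_no.to_bytes(NONCE_LEN, "big"), key_id.encode(), data)

    def decrypt_block(self, key_id, block_no, sealed):
        return open_(self.load_dek(key_id), block_no.to_bytes(NONCE_LEN, "big"), key_id.encode(), sealed)

    def rekey_lun(self, lun, old_key_id, blocks):
        """Re-key in place: old DEK decrypts each block one more time, new DEK re-encrypts.
        The old DEK stays in the vault: the guide says to let re-key complete first."""
        new_key_id = self.create_dek(lun)
        for block_no, sealed in list(blocks.items()):
            clear = self.decrypt_block(old_key_id, block_no, sealed)
            blocks[block_no] = self.encrypt_block(new_key_id, block_no, clear)
        return new_key_id


def demo():
    """One LUN through create, write, re-key and read-back, plus a cross-group unwrap attempt."""
    vault = KeyVault()
    engine = EncryptionEngine(secrets.token_bytes(32), vault)
    key_a = engine.create_dek("lun0")
    clear = {n: bytes([n]) * 512 for n in range(4)}  # constructed sample blocks
    lun = {n: engine.encrypt_block(key_a, n, d) for n, d in clear.items()}
    key_b = engine.rekey_lun("lun0", key_a, lun)
    readback = {n: engine.decrypt_block(key_b, n, c) for n, c in lun.items()}
    try:  # an engine from another group holds a different master key
        EncryptionEngine(secrets.token_bytes(32), vault).load_dek(key_b)
        cross_group_blocked = False
    except ValueError:
        cross_group_blocked = True
    return {"readback_ok": readback == clear, "vault_keys": len(vault.wrapped),
            "cross_group_blocked": cross_group_blocked}
```

Running `demo()` leaves two key IDs in the vault, the retired one and the active one, which is the state the guide's re-key best practices assume: the old key is only safe to discard once every block has been rewritten. The cross-group attempt shows why a LUN moved from another encryption group with a different active master key cannot simply be read: its DEK does not unwrap.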
Page 29: (RKM) version 2.1.3 or later, available through EMC. • The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp
Page 30: The Brocade encryption switch does not support the logical switch partitioning capability and cannot be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E-Port. The FS8-18 encryption blades are supported only in a default switch partition
Page 31: Steps for connecting to an SKM appliance 24 •Gathering information 33 •Creating a new encryption group 34 •Adding a switch to an encryption group 41 •Creating keys 61 •Zeroizing an encryption engine 71
Page 32: changes based -based enable encryption. • "Configuring blade processor links" on page 22 describes the steps for interconnecting encryption switches or blades in an encryption group through a dedicated LAN. This must be done before their encryption engines are enabled 24 lists the supported
Page 33: • View switch, group, or engine properties, • View the Encryption Group Properties Security tab. • View encryption targets, hosts, and LUNs. • Initiate manual LUN re-keying. • Enable and disable Establish link keys for LKM key managers.
Page 34: smart card. The following smart card readers are supported: • GemPlus GemPC USB http://www.gemalto. ?PID=2 See the following procedures for instructions about how to manage smart cards: to a Management application PC to enable certain security sensitive operations. These include
Page 35: Select the Quorum Size. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size to the Registered Authentication Cards table.
Page 36: from the database and the switch by de-registering them. Use number of cards needed, as directed by instructions on the dialog box. The currently registered cards to appear in the Card ID field. 3. Enter the assigned password. 4. Click Authenticate. 5. Wait for the confirmation dialog box,
Page 37: theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine. When the switch or blade is powered off, the location, not in the proximity of the switch or blade.
Page 38: the entire list of smart cards to a file. The available formats are comma-separated values (.csv) and HTML files (.html).
Page 39: Card dialog box 2. Insert the smart card into the card reader. 3. After the card's ID is displayed in the Card ID field, enter the Card Password and click Login. 4. Edit the card assignment user information as needed. 5. Click OK.
Page 40: supported key management appliance must be connected on the same LAN as the management port of the encryption switches, 384-port Backbone Chassis CPs, and the SAN Link dialog box displays. 3. Enter the link IP address and mask, and the gateway IP address. 4. Click OK. The Blade Processor Link
Page 41: center (KAC) signing request (CSR) From the standpoint of external SAN management application operations, the FIPS crypto officer, FIPS user, and node select Switch > Init Node. The following warning displays. 2. Select Yes to initialize the node.
Page 42: when installing the SKM appliance, use that port number. The following configuration steps are performed from the SKM management web console and from the Management application. • Configure a Brocade group on SKM. • Register the Brocade group user name and password on the encryption node. • Set up
Page 43: group is configured on SKM for all keys created by Brocade encryption switches and blades. This needs to be done only once for each key vault. 1. Log in to the SKM management web console using the admin password. 2. Select the Security tab. 3. Select Local Users & Groups under Users and Groups
Page 44: password to ensure they are the same on each node. - Different user names and passwords password. - If you change the user name and password, the keys created by the previous user become inaccessible. The Brocade group user name and password and password, the Brocade group user name and password must
Page 45: management web console using the admin password. 2. Select the Security tab Certificate Authority section of the window to create your local the Key Size. HP recommends using 2048 for security policies. The default value for both is 9). FIGURE 9 Creating an HP SKM Local CA 5. Under Certificates
Page 46: your local system. Later, this certificate must be imported onto the Brocade encryption group leader nodes. 1. From the Security tab, select Local Officer to go. - Enter the Key Size. HP recommends using the default value: 1024. 4. Click Create Certificate Request. Successful
Page 47: before the certificate must be renewed based on your site's security policies. The default value is 3649 or 10 Services Configuration window. 3. In the KMS Server Settings section of the window, click Edit. The following warning may display. 4. Configure the KMS Server Settings. Ensure that the port
Page 48: Local IP address. You will need this address when you add an appliance to the cluster. 4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a different value for your site. 5. Type the cluster password in the Create Cluster section of the main window to create
Page 49: Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults. 14. Type the original cluster member's local IP address into Cluster Member IP. 15. Type the original cluster member's local Port into Cluster Member Port. 16. Click Browse and select the Cluster
Page 50: Sign Certificate Request page is displayed. 8. Select Sign with Certificate Authority using the Brocade CA name with the maximum of 3649 days option. 9. Select Client as Certificate Purpose. 10. Allow Certificate Duration to default to 3649. 11. Paste the file contents that you copied in step 3 in
Page 51: blades installed have a LAN connection to the SAN management program, and are available for discovery. • A supported key management appliance is connected on the same LAN as the encryption switches, 384-port Backbone Chassis CPs, and the SAN Management program. • An external host is available
Page 52: not be in an encryption group already. 3. Select a switch and select Encryption > Create/Add to Group, from the menu bar, or right-click the switch and select Create/Add to Group. The Configure Switch Encryption welcome panel displays.
Page 53: pre-selected. This is the correct selection for creating a new group. FIGURE 11 Designate Switch Membership dialog box 5. Enter an Encryption Group Name for the encryption group (the maximum length Vault dialog box displays (Figure 12).
Page 54: Creating a new encryption group FIGURE 12 Select Key Vault dialog box 7. Select SKM as the Key Vault Type.
Page 55: key certificate or browse to the location by clicking the Browse button. c. Enter the user name and password you established for the Brocade user group. d. If you are using a backup key vault, also enter the IP address or host name, and the name of the file holding the backup key vault's public key
Page 56: know this path and file name to install the switch's public key certificate on the key management appliance. 9. Click Next. The Specify Master Key File Name panel displays (Figure 15). FIGURE 15 Specify Master Key File Name dialog box
Page 57: key. The passphrase can be between eight and 40 characters, and any character is allowed. 12. Configuration panel displays the encryption group name and switch public key certificate file name you specified, below the table, indicating that the encryption switch was added to the group you named, and
Page 58: Status dialog box The Management application sends API commands to verify the switch configuration. The CLI commands are detailed in the Fabric OS Encryption Administrator's Guide, "Key vault configuration." • Initialize the switch If the switch is not already in the initiated state, the
Page 59: key to a file The Management application saves the master key into the specified file. 15. Click Next. The Read Instructions dialog box displays instructions for installing public key certificates for the encryption switch. These instructions are specific to the key vault type. Copy or print these
Page 60: Encryption Group dialog box displays. FIGURE 19 Add Switch to Existing Encryption Group dialog box 5. Select the group to which you want to add the switch, and click Next. The Specify Public Key Certificate Filename panel displays.
Page 61: FIGURE 20 Add switch to an encryption group - Specify Public Key Certificate filename dialog Configuration panel displays the encryption group name and switch public key certificate file name you specified. FIGURE 21 Add switch to an encryption group - Confirm Configuration dialog box
Page 62: Next Steps! below this message, and click Next. Instructions for installing public key certificates for the encryption switch are displayed. These instructions are specific to the key vault type. Copy or print these instructions.
Page 63: 23 Add switch to an encryption group - Next Steps dialog box 9. Click Finish to exit the Configure Switch Encryption wizard. Operations tab of the Encryption Group Properties dialog box displays (Figure 24). You can also display the Engine Operations tab by selecting an
Page 64: clusters FIGURE 24 Engine Operations HA Clusters list; the changes are not applied to the switch until you click OK. Both engines in an HA as the same encryption group. NOTE An IP address is required for the management port for any cluster-related operations. 1. Select Configure
Page 65: . 2. Either remove the second engine or add a replacement second engine, making sure all HA clusters have exactly two engines. 3. Click OK.
Page 66: first encryption engine comes back online, the encryption group's failback setting (auto or manual) determines how the encryption engine resumes encrypting and decrypting traffic to its encryption targets the Encryption Center dialog box.
Page 67: to virtual targets and virtual initiators within the encryption switch. NOTE You must zone the physical host and physical target together to enable creation of a re-direction zone. The re- 26 Configure Storage Encryption welcome panel
Page 68: group, the list includes all engines in the group. • If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch. • If the Targets dialog box is showing targets for a single encryption engine, the list contains only that engine. FIGURE
Page 69: does not show targets that are already configured in an encryption group. There are two available methods for selecting targets: select from the list of known targets or manually enter the port and node WWNs. FIGURE 28 Select Target dialog box a. Select a target from the list. (The Target
Page 70: . This panel lists all hosts in the same fabric as the encryption engine. There are two available methods for selecting hosts: select from a list of known hosts or manually enter the port and node world wide names. FIGURE 29 Select Hosts dialog box a. Select a maximum of 1024 hosts from the Host
Page 71: Adding encryption targets FIGURE 30 Name Container dialog box 10. Click Next. The Confirmation panel displays. FIGURE 31 Confirmation dialog box
Page 72: (VI). NOTE If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch. FIGURE 32 Configuration Status dialog box 12. Review the configuration. If you want to save a copy of the instructions, click the Copy to Clipboard button.
Page 73: encryption targets FIGURE 33 Important Instructions dialog box 14. Review the instructions about post-configuration tasks you must complete after you close the wizard. 15. Click Finish to exit the Configure Storage Encryption wizard.
Page 74: dialog box displays. 2. Select the encryption group, switch, or encryption engine containing the storage device to be configured. Right-click, or select Group, Switch, or Engine from the menu bar. 3. 34 Encryption Target Hosts dialog box
Page 75: displays. 2. Right-click a group, switch, or encryption engine or select a group, switch, or encryption engine from the Encryption Port dialog box displays (Figure 36). FIGURE 36 Add New Path Wizard 4. Select the target port from the Target Port list.
Page 76: target disk LUNs for encryption 5. Click Next. The Select Initiator Port dialog box displays. 6. Select the initiator port from the Initiator Port list. 7. Click Next. LUN discovery is launched, and a or Apply to apply the modifications.
Page 77: to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs port). 1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays. 2. Select the encryption group, switch
Page 78: of the target which are not enabled for encryption must still be added the number of switches or blades needed to support encrypted I/O in upgraded to Fabric OS version 6.4 or a later release to support in Disk I/O. In some cases, manual intervention may be needed. • Backup
Page 79: (or disk) from a different encryption group that uses a different active master key. Master key actions Master key actions are as follows:
Page 80: or the previous master key has been backed up. • Create new master key, which is enabled when no master key exists or the previous master key has been backed up. Reasons master keys from the group properties. 3. Select the Security tab.
Page 81: to the desired location. 7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed. 8. Re-type the passphrase for verification. 9. Click OK. ATTENTION Save the passphrase. This passphrase is required
Page 82: Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed. 7. Re-type the passphrase for verification. 8. Click OK. A have copied the key ID.
Page 83: Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system. You must install a smart card driver for Linux and Solaris operating systems, however. For instructions, see the Data Center Fabric Manager Administrator's Guide
Page 84: Master keys FIGURE 40 Backup Destination (to smart cards) dialog to whom the card is assigned. 10. Type a Card Password. 11. Re-type the password for verification. 12. Record and store the password in a secure location. 13. Click Write Card. The
Page 85: . The passphrase that was used to back up the master key must be used to restore the master key. 9. Click OK.
Page 86: passphrase that was used to back up the master key must be used to restore the master key. 9. Click OK.
Page 87: smart card set A card reader must be attached to the SAN Management application PC to complete this procedure. Use the following procedure to appear. 8. Enter the password that was used to create the card. After five unsuccessful attempts to enter the correct password, the card becomes locked and
Creation dialog box displays. FIGURE 44 Confirm master key creation dialog box 5. Read the information, and click Yes to proceed. 70 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 89
. You can zeroize an encryption engine manually to protect encryption keys. No data encryption engine are erased and the encryption switch or the encryption blade is in the service. • The master key (for other key vaults) is erased from the encryption engine. Once enabled, Guide 71 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 90
dialog box The Encryption Targets dialog box enables you to send outbound data that Switch > Targets, or Engine > Targets, from the tool bar menu, or right-click on the group, switch switch is selected, all configured targets for the switch are displayed. The Encryption Targets dialog box enables - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 91
be configured for encryption again on some other encryption engine. If the LUN data is to be enabled and later accessed by way of another encryption engine, you should unzone the host with the encryption be in the same encryption group. Fabric OS Encryption Administrator's Guide 73 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 92
LUNs and add new LUNs. The button is enabled only if there are hosts associated with the targets to multiple target containers (one target per storage device port). When adding, modifying, or removing multi-pathed LUNs, switches. 74 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 93
• An array or device is removed from service. In all cases, all data on the disk issued from a committed configuration. If not, the operation will fail with the error message An outstanding transaction is pending in Switch/EG. If this happens, you can resolve the problems - Page 94
still stored on the switch. You can display on the switch, and switch. As a precaution, you may want to copy the keys to a secure location before deleting them from the switch switch encryption properties To view switch switch or encryption engine from the Encryption Devices table, and select Switch - Page 95
the following operations are not allowed: key vault changes, master key operations, enable/disable encryption engines, Failback mode changes, HA Cluster creation or addition (removal - the name of the fabric to which the switch belongs. - Page 96
ID - the domain ID of the selected switch. • Firmware Version - the current encryption firmware on the switch. • Primary Key Vault Link Key Status link key, and Online. • Set State To - enter a new value, enabled or disabled, and click OK to apply the change. • Total Targets - the - Page 97
manager appliance. Refer to "Steps for connecting to an SKM appliance" on page 24 and look through the following sections to find the procedure that applies. Importing a certificate. 3. Click OK. The file is imported onto the switch. - Page 98
Find the Set State To entry under Encryption Engine Properties. 2. Click the field and select Enabled. 3. Click OK. Disabling the encryption engine state from Properties To disable the encryption engine, key vault type is NetApp LKM. - Page 99
failback mode, which can be automatic or manual. The failback mode can be changed by Support - whether or not remote replication LUNs support is enabled or disabled. You can change the current setting by clicking on the field and selecting the desired state. • Primary Key Vault IP address - The IP - Page 100
switch is switch is not reachable by way of the management port, or if the member switch does not believe it is part of the encryption group. • Configuring - the member switch switch switch. • If you remove a switch switch. In this case, a pop-up error message displays. • If you remove the last switch - Page 101
but is not usable until the encryption target is manually configured on another encryption switch. The switch has encryption engines in HA Clusters. CAUTION The encryption Remove to remove a switch. FIGURE 48 Removal of switch warning - Page 102
2 Viewing and editing group properties Figure 49 shows the warning message that displays if you click Remove to remove an encryption group. FIGURE 49 Removal of switch in encryption group warning - Page 103
(Figure 50) displays the status of the master key for the encryption group. NOTE You must enable encryption engines before you back up or restore master keys. Master key actions are as follows: • Group Properties - Security tab - Page 104
tab Engine Operations tab The Engine Operations tab enables you to replace an encryption engine in an encryption switch with another encryption engine in another switch within a DEK Cluster environment. A DEK "HA Clusters tab" on page 86. - Page 105
encrypted according to the tape pool settings instead of the tape LUN settings. Encryption switches and encryption blades support tape encryption at the tape pool level (for most backup applications) and at the used when writing to tape. - Page 106
a new encryption group is created, any existing tape pools in the switch are removed and must be added. 1. Select Configure > Encryption from Pool dialog box displays. The Name tape pool label type is the default; however, you can change the tape pool label type to its number - Page 107
switch. If the license is not present, a warning message displays. 7. Enter the number of days that you want to use a key before obtaining a new key, if you want to enforce a key lifespan. The default HAC High Availability Cluster - Page 108
2 Encryption-related acronyms in log messages - Page 109
the Brocade Encryption Switch, DCX, or DCX-4S has been done as part of the initial hardware installation, including setting the management port IP address. For command syntax and description of parameters, refer to the Fabric OS Command Reference Manual. - Page 110
the device attached to the port is part of the current AD. • AD0Disallowed = Allowed to execute only in AD255 and AD0 (if no ADs are configured). • AD0Only = Allowed to execute only in AD0 when ADs are not configured. 4. Command-specific: checks whether the command is supported on the platform for - Page 111
Command Enable cryptographic Switch management • Perform firmware download. commands. TABLE 4 Encryption command RBAC availability and admin domain type1 Command name User Admin Operator Switch OM N N N O N OM N N N OM Basic Switch Admin N N N N N N N N N Security Admin Domain - Page 112
command RBAC availability and admin domain type1 (Continued) Command name User Admin Operator Switch Zone Fabric Basic Admin Admin Admin Switch N OM N N N OM N eject N OM N N N O N enable N OM N N N O N enableEE N OM N N N O N export - Page 113
4 Encryption command RBAC availability and admin domain type1 (Continued) Command name User Admin Operator Switch Zone Fabric Basic Admin Admin Admin Switch Admin recovermasterkey , OM = observe-modify, N = none/not available - Page 114
[]: This command reboots the Mace switch or power cycle the Lance blade in case of chassis system. --enableEE []: Enables the system to perform encryption. --zeroizeEE []: Zeroize all critical security parameter. --import -scp - Page 115
of EEs on the local node. Management LAN configuration Each encryption switch has one GbE management port. In the case of a DCX or DCX-4S with FS8-18 blades installed, management ports are located on the CP blades. The management port IP address is normally set as part of the hardware installation - Page 116
in an encryption group must be interconnected by their cluster links through a dedicated LAN. Both ports of each encryption switch or blade must be connected to the same IP network, and the same subnet. Static IP addresses should be assigned. VLANs should not be used, and DHCP should not be used - Page 117
the encryption engine is enabled for encryption, or if the IP address of the cluster link ports is modified after the encryption engine is enabled for encryption, the encryption switch needs to be rebooted, and the encryption blade needs to be powered off and powered on (slotpoweroff/slotpoweron) for - Page 118
SKM appliance. - is 9443 by default. If a different port number was specified when installing the SKM appliance, use that port number. Configuring a Brocade group A Brocade group is configured on SKM for all keys created by Brocade encryption switches and blades. This needs - Page 119
Log in to the SKM management web console using the admin password. 2. Select the Security tab. 3. Under Certificates & CAs, click Local CAs. 4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA. - Enter a Certificate Authority Name and - Page 120
your local system. Later, this certificate must be imported onto the Brocade encryption group leader nodes. 1. From the Security tab, select Local Officer to go. - Enter the Key Size. HP recommends using the default value: 1024. 4. Click Create Certificate Request. Successful - Page 121
before the certificate must be renewed based on your site's security policies. The default value is 3649 or 10 Services Configuration window. 3. In the KMS Server Settings section of the window, click Edit. The following warning may display. 4. Configure the KMS Server Settings. Ensure that the port - Page 122
Local IP address. You will need this address when you add an appliance to the cluster. 4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a different value for your site. 5. Type the cluster password in the Create Cluster section of the main window to create - Page 123
Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults. 14. Type the original cluster member's local IP address into Cluster Member IP. 15. Type the original cluster member's local Port into Cluster Member Port. 16. Click Browse and select the Cluster - Page 124
engine initialization steps on every Brocade encryption node (switch or blade) that is switch, reboot the switch. • When the encryption engine is on an FS8-18 blade, issue the slotpoweroff slot number command followed by the slotpoweron slot number command. 4. Synchronize the time on the switch - Page 125
Brocade encryption node. 1. Log into the switch as Admin or SecurityAdmin. 2. Register the HP SKM Brocade group user password and user name by issuing the following command. SecurityAdmin:switch>cryptocfg --reg -KAClogin primary NOTE This command password, the Brocade group user name and password - Page 126
Brocade SecurityAdmin:switch> Brocade Brocade CA name with the maximum of 3649 days option. 9. Select Client as Certificate Purpose. 10. Allow Certificate Duration to default switch>cryptocfg --import -scp signed_kac_skm_cert.pem \ 192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem Password switch - Page 127
file> primary At this point, it may take around one minute to fully configure the switch with SKM. 5. As the switches come up, enable the encryption engines. SecurityAdmin:switch>cryptocfg --enableEE Operation succeeded. - Page 128
--show groupcfg rbash: cryptocg: command not found Mace_127:admin> cryptocfg Switch: 2010-03-17 17:22:05 Client SDK Version: 4.8.2.000017 Client Username: brcduser1 Client Usergroup: brocade 53:8a:67 EE Slot: SP state: IP address 10.32.71.127 0 Online 10.32.71.129 0 - Page 129
options are shown in the following procedure. Note that the Brocade SAN management application provides the additional option of backing up the host: SecurityAdmin:switch>cryptocfg --export -scp -currentMK \ 192.168.38.245 mylogin GL_MK.mk Password: Operation succeeded - Page 130
This example shows the encryption group brocade with two member nodes, one group for master key IDs are zero. SecurityAdmin:switch>cryptocfg --show -groupmember -all NODE LIST 14:00 State: DEF_NODE_STATE_DISCOVERED Role: MemberNode IP Address: 10.32.244.60 Certificate: - Page 131
default, but is configurable with a manual instructions. • Configuration changes must be committed before they take effect. Any operation related to an HA cluster that is performed without a commit operation will not survive across switch reboots, power Brocade encryption switches hacluster command. - Page 132
by entering the cryptocfg --show -hacluster -all command. In the following example, the encryption group brocade has one committed HAC1 with two encryption engines. SecurityAdmin:switch>cryptocfg --show -hacluster -all Encryption Group Name: brocade Number of HA Clusters: 1 HA cluster name - Page 133
entire encryption group on the group leader. Use the cryptocfg --set command with the appropriate parameter to set the values for the policy. mode is enabled by default. • manual - Enables manual failback mode. In this mode, failback must be initiated manually when an encryption switch or blade - Page 134
a Brocade Encryption Switch or DCX or DCX-4S chassis containing one or more FS8-18 blades goes through a power cycle event, or after issuing slotpoweroff followed by slotpoweron for an FS8-18 blade in a DCX or DCX-4S chassis, the encryption engine must be enabled manually by - Page 135
Node WWN/Slot EE IP Addr EE State IO switch default zoning to no access Initially, default zoning for all Brocade switches is set to All Access. The All Access setting allows the Brocade Encryption Switch switch, change the default zoning setting to No Access. switch:admin> defzone --noaccess switch - Page 136
, and the Brocade Intrepid 10000 support frame redirection. Creating an initiator - target zone 1. Log into the group leader as Admin or FabricAdmin. 2. Determine the initiator PWWN. Enter the nsshow command to view the devices connected to this switch. In the following example, the port name 10 - Page 137
PWWN. Enter the nscamshow command to review the remote switch information. In the following example, the port name 20:0c:00:06:2b:0f:72:6d is the target PWWN. FabricAdmin:switch>nscamshow nscamshow for remote switches: Switch entry for 2 state rev owner known v611 0xfffc01 Device list: count - Page 138
you created in step 4. Enter the cfgcreate command followed by a configuration name and the zone member name. FabricAdmin:switch>cfgcreate itcfg, itzone 9. Enable the zone configuration. FabricAdmin:switch>cfgenable itcfg You are about to enable a new zoning configuration. This action will replace - Page 139
port hosted on a Brocade Encryption Switch ports, each target port is hosted on a separate encryption switch or blade. There is a one-to-one mapping between virtual target and physical target to the fabric whose LUNs are being enabled switch instructions described in the section "Configuring a multi - Page 140
must be upgraded to Fabric OS version 6.4.0 or a later release to support hosting disk a slight disruption in Disk I/O. In some cases, manual intervention may be needed. • Backup jobs to tapes into the switch as Admin or SecurityAdmin. 2. Issue the cryptocfg --show -localEE command. 3. Look - Page 141
the following information ready: • The switch WWNs of all nodes in the encryption group. Use the cryptocfg --show -groupmember -all command to gather this information. • The port WWNs of the targets whose LUNs are being enabled for data-at-rest encryption. • The port WWNs of the hosts (initiators - Page 142
ports before committing the container configuration. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 141 for specific instructions :switch> frame redirection zone with the cfgshow command, but you cannot use the - Page 143
command. Specify the CryptoTarget container name followed by one or more initiator port WWNs. The following example removes one initiator from the CryptoTarget container "my_disk_tgt". FabricAdmin:switch -key session on clear text LUNs. - Page 144
command followed by the CryptoTarget container name. The following example removes the CryptoTarget container "my_disk_tgt". FabricAdmin:switch encryption switch and manually created page 159 for instructions on configuring encryption container command FabricAdmin:switch>cryptocfg -- - Page 145
is not enabled for encryption per HA cluster pair is supported. When an actual LUN has hosts, follow the instructions described in the section Brocade Encryption platform provides LUN discovery services command followed by the CryptoTarget container Name. FabricAdmin:switch - Page 146
configurations and LUN modifications have a LUN state of Encryption Enabled before creating and committing another batch of 25 LUN command. Failure to do so permanently disconnects the LUN from the host and causes data to be lost and unrecoverable. - Page 147
command default is Native). The following example adds a disk LUN enabled for encryption. FabricAdmin:switch The following example shows default values. FabricAdmin:switch>cryptocfg --show -LUN enabled --add LUN command). Some policies command. You can use the cryptocfg --modify -LUN command - Page 148
case as label operations are small I/O operations. If this support requirement is not met, the Brocade encryption solution will not allow the backup operation to start to that tape. TABLE 6 LUN parameters and policies Policy name Command parameters Description LUN state Disk LUN: yes Tape LUN - Page 149
container of type tape. Refer to the section "Creating a CryptoTarget container" on page 123 for instructions. a. Create the container, allowing the encryption format to default to Native. FabricAdmin:switch>cryptocfg --create -container tape my_tape_tgt \ 10:00:00:05:1e:41:9a:7e 20:0c:00 - Page 150
to encrypt, or the encryption format from Brocade native to DF-compatible while data is :switch>cryptocfg --commit Operation Succeeded d. Display the LUN configuration FabricAdmin:switch> command. This example changes the encryption format from Brocade native to DF-compatible. FabricAdmin:switch - Page 151
command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch the configuration. FabricAdmin:switch>cryptocfg --commit encryption switch or blade or on different encryption switches or exposed through the encryption switch and another path has direct - Page 152
command followed by the CryptoTarget container name, the LUN Number, the initiator PWWN, and the parameter you wish to modify. FabricAdmin:switch> for example, by force-enabling the LUN, -enable_encexistingdata and -enable_rekey are disabled by default, and you must configure - Page 153
Brocade troubleshooting" on page 204 for a description of conditions under which a LUN may be disabled, and for recommendations on re-enabling enable after executing this command. 1. Log into the switch that hosts the LUN as Admin or FabricAdmin. 2. Enter the cryptocfg --enable -LUN command service - Page 154
issued from a committed configuration. If not, the operation will fail with the error message An outstanding transaction is pending in Switch/EG. If this happens, you can resolve the problems issued cryptocfg --decommission command. cryptocfg --decommission operation manually from command command to - Page 155
enable (defaults or switch instructions switch or blade. • A tape pool must first be created on the encryption switch or blade before you can label the tape media and assign them to the tape pool. Failure to observe this sequence invalidates tape pool-level settings and policies, and default - Page 156
Execute the query by right-clicking the query window and selecting Execute. 6. Open the dbo.CommCellStoragePolicy Files\VERITAS\Volmgr\bin and enter the following command: C:\Program Files\VERITAS\Volmgr\bin>vmpool -listall switch. - Page 157
tapepool command. default). • Set the encryption format to DF_compatible or Brocade native (default default is no expiration). If the key_lifespan parameter is set at the tape pool level to other than none (default switch or blade. Refer to the manufacturer's product documentation for instructions - Page 158
a tape pool This command does not issue a warning if the command followed by a tape pool label or number. Then specify a new policy, encryption format, or both. The following example changes the encryption format from Brocade native to DF-compatible. FabricAdmin:switch - Page 159
switch or blade or on different encryption switches up being exposed through the encryption switch and other path has direct ports in sequence and add the hosts that should gain access to these ports port target that is accessed over two paths by a dual-port host. The two encryption switches - Page 160
2. Refer to the section "Creating an initiator - target zone" on page 118 for instructions. 3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until you have created all CryptoTarget - Page 161
command output displays the LUNs present in the target as exposed from target port and as seen by host port 2, the LUN Number, host port 1 WWN, and the LUN Serial Number. FabricAdmin:switch>cryptocfg --discoverLUN CTC2 c. Review - Page 162
: enabled Rekey: enabled Key ID: not available Key life: 47 (minute) Rekey status: 0 Operation succeeded. 7. Commit the LUN configuration. FabricAdmin:switch>cryptocfg --commit NOTE There is a 25 LUN transaction limit per commit operation. Make sure to issue commit after adding 24 LUNs - Page 163
at which the key expires and automatic re-keying should take place (time period in days) Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 129 for more - Page 164
disk array LUNs or fixed block devices. There is no re-keying support for tape media. If there is a need to re-encrypt encrypted encryption sessions. This includes both re-key (auto and manual) and first time encryption sessions. When scheduled re-key - Page 165
command. For re-keying of a disk array LUN, the Crypto LUN is configured in the following way: • Set LUN policy as either cleartext or encrypt. • If cleartext is enabled (default for more information. • When using Brocade native mode in LKM installations, manual rekey is highly recommended. If auto - Page 166
for this operation to succeed. The manual re-keying feature is useful when the issuing the cryptocfg --show -groupmember -all command. 4. Enter the cryptocfg --manual_rekey command. Specify the CryptoTarget container name, the LUN number and the initiator PWWN. FabricAdmin:switch - Page 167
are supported for command to succeed. If successful, this command command, followed by the CryptoTarget container name, the LUN number and the initiator PWWN. FabricAdmin:switch session. FabricAdmin:switch> cryptocfg instructions on how to remove a LUN by force. - Page 168
3 Data re-keying - Page 169
Deployment Scenarios Chapter 4 In this chapter • Single encryption switch, two paths from host to target 152 • Single fabric deployment part of an edge fabric 161 • Deployment with FCIP extension switches 162 • VmWare ESX server deployments 163 - Page 170
T2. Host port 1 is zoned with target port 1, and host port 2 is zoned with target port 2 to enable the redirection zoning needed to redirect traffic to the correct CTC. FIGURE 58 Single encryption switch, two paths from host to target - Page 171
FIGURE 59 Single fabric deployment - HA cluster (figure labels only: Edge Switch, Host, Target, Virtual Target, Virtual Initiator, Encryption Switch, Cluster Link, Dedicated Cluster Network LAN, Ciphertext, Cleartext) - Page 172
the communication needed to distribute and synchronize configuration information, and enable the two switches to act as a high availability (HA) cluster, providing automatic failover if one of the switches fails, or is taken out of service. Single fabric deployment - DEK cluster Figure 60 shows an - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 173
2 to target port 2 is defined in a CryptoTarget container on the other encryption switch. This forms a DEK cluster between encryption switches for both target paths. Please note that configuring an HA cluster between the two encryption switches in the above configuration is not supported. The DEK - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 174
DEK Cluster Host Port 1 Encryption Switch 2 GE Port(s) HA Cluster1 Encryption Switch 1 Fabric1 Host Port 2 CTC3 Encryption Switch 3 Fabric2 GE Port(s) HA Cluster2 Encryption Switch 4 GE Port(s) CTC1 Target Target Port 2 Port 3 Target Port 1 Target Port 4 CTC4 GE Port(s) IO Sync Link - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 175
to target port 3 and target port 4 in fabric 2. • There are four Brocade encryption switches organized in HA clusters. • HA cluster 1 is in fabric 1, and HA cluster 2 is in fabric 2. • There is one DEK cluster, and one encryption group. Fabric OS Encryption Administrator's Guide 157 53-1001864 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 176
Port 1 DEK Cluster Encryption Switch 1 Fabric1 Encryption Group Host Port 2 Fabric2 Encryption Switch 2 CTC3 Target Target Port 2 Port 3 Target Port 1 Target Port There are two host ports, one in each fabric. • Host port 3 and target port 4 in fabric 2. • There are two encryption switches - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 177
with the host and target edge fabrics using device sharing between backbone and edge fabrics. FIGURE 64 Encryption switch connected to FC router as part of backbone fabric FIGURE 65 Encryption switch as FC router and backbone fabric Fabric OS Encryption Administrator's Guide 159 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 178
creating and enabling the port WWNs can be obtained by running the cryptocfg --show -container -cfg command on the encryption switch Guide for information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations. 160 Fabric OS Encryption Administrator's Guide - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 179
Target FIGURE 66 Encryption switch as part of an edge fabric The following is a summary of steps for creating and enabling the frame redirection and VT port WWNs can be obtained by running the cryptocfg --show -container -cfg command on the encryption switch or blade. - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 180
enable long distance connections. Figure 67 shows an encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide link. If the encryption services are enabled for the host and the remote target, the encryption switch can take clear text - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 181
physical HBA port connection, or it may use a virtual port and share a physical HBA port with port 1 to target port 1, redirected through CTC T1. • Host port 2 to target port 2, redirected through CTC T2. Host port 1 is zoned with target port 1, and host port 2 is zoned with target port 2 to enable - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 182
port 2, through the shared host port, to target port 2, redirected through CTC T2. In this case, the virtual host port 1 is zoned with target port 1, and the virtual host port 2 is zoned with target port 2 to enable for Target Port T1 hosted on BES1 in DEK Cluster CTC2 - CTC for Target Port T2 hosted - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 183
•Ensure uniform licensing in HA clusters 175 •Tape library media changer considerations 176 •Turn off host-based encryption 176 •Avoid double encryption 176 •PID failover 176 •Turn off compression on extension switches 176 •Re-keying best practices and policies 177 •Changing IP addresses in - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 184
results in a loss of encryption services. • Fabric OS version 6.2.0 supports only one HP SKM key vault. Registering of a second HP SKM key vault will be blocked, and the Brocade group user name must be changed to brcduser1. • General guidelines for a firmware upgrade of encryption switches and a DCX - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 185
4. On node 1 (BES1) enable the Encryption Engine, by issuing the following command. cryptocfg --enableEE 5. Start firmware download (upgrade) on the node 1 (BES1). Refer to the Fabric OS Administrator's Guide if necessary to review firmware download procedures. 6. After firmware download is complete - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 186
been upgraded, change back the failback mode to auto from manual, if required by issuing the following command. encryption group leader node contains the following: • The local switch configuration. • Encryption group-related configuration. • The encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 187
commands to initialize the encryption engine cryptocfg -InitNode cryptocfg -initEE cryptocfg -regEE Initializing the switch Certificates onto the switch prior to layer-2 and switch specific configuration information Switch specific configuration information pertaining to the member switch - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 188
enable the encryption engine. cryptocfg --enableEE [slot num] 2. Commit the configuration. cryptocfg --commit 3. If there are containers that belonged to the old encryption switch or blade, then after configdownload is run, use the following command OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 189
HP-UX initiator WWN to the container. • Issue the discover LUN CLI command on the container to discover the LUNs present in the target. • Based switch software, and some additional latency should be expected. Tape metadata One kilobyte of metadata is added per tape block for both the native Brocade - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 190
supports compression, but is not enabled by the host backup application, then compression is not performed by the encryption switch or blade issues a Mode Sense command format (such as native Brocade format or DF-compatible policies are ignored and default LUN level policies Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 191
LUNs. DF 1.x version disks are not supported for reading. Only DF version 3.x-compatible disk block formats and metaheaders are supported for writing and encrypting disk LUNs in DF-compatible format. A DF-compatible license is required. Fabric OS Encryption Administrator's Guide 173 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 192
issuing cfgtransshow CLI command. • LUNs are uniquely identified by the encryption switch or FS8-18 blade. • To enable host MPIO, LUNs must also be available through a second target port, hosted on a second encryption switch. The second encryption switch by the encryption switch or FS8-18 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 193
enable the existing device configuration by invoking the cryptocfg --commit command commit -force command. This recreates encryption device do not support the AD feature in of encryption services. Master key IP interfaces Do not IP addresses. Ensure uniform licensing in HA clusters Licenses - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 194
are enabled on an extension switch, data compression may also be enabled. If data has been encrypted in its path prior to running through the extension switch, data compression should be turned off on the extension switch to increase performance. 176 Fabric OS Encryption Administrator's Guide 53 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 195
Manual re-key Ensure that the link to the key management system is up and running before you attempt a manual ports labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to enable and firmware upgrades All nodes in an encryption group must be at the same firmware - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 196
commit command halts all active re-keying processes running in all Crypto Target Containers and corrupts any LUN engaged in a re-keying operation. There is no recovery for this type of failure. Brocade native mode in LKM installations When using Brocade native mode in LKM installations, manual re - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 197
targets, and LUNs accessed, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, in terms of the number of distinct initiator ports to a Crypto Container (i.e., a virtual target port corresponding to the physical target - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 198
and failover to another encryption engine in an HA cluster. • For Windows-based host clusters, when a quorum disk is used, the quorum disk two different nodes for true redundancy. This is always the case for Brocade encryption switches, but is not true if two FS8-18 blades in the Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 199
a switch to an existing group 200 •LUN policy troubleshooting 204 •MPIO and internal LUN states 206 Encryption group and HA cluster maintenance This section describes advanced configuration options that you can use to modify existing encryption groups and HA clusters, and to recover from problems - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 200
switch>cryptocfg --show -groupmember \ 10:00:00:05:1e:41:99:bc Node Name: 10:00:00:05:1e:41:99:bc (current node) State: DEF_NODE_STATE_DISCOVERED Role: MemberNode IP the cryptocfg --dereg -membernode command followed by the node WWN. SecurityAdmin:switch>cryptocfg --dereg -membernode 10: - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 201
leader as Admin or SecurityAdmin 2. Enter the cryptocfg --delete -encgroup command followed by the encryption group name. SecurityAdmin:switch>cryptocfg --delete -encgroup brocade Encryption group create status: Operation Succeeded. Fabric OS Encryption Administrator's Guide 183 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 202
and encryption operations continue. The remove command should not be used if an HA cluster member" on page 185 for instructions on replacing a failed encryption engine in an committed. SecurityAdmin:switch>cryptocfg --show -hacluster -all Encryption Group Name: brocade Number of Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 203
Admin or SecurityAdmin. 2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of same encryption group as the encryption engine that is replaced. SecurityAdmin:switch>cryptocfg --replace -haclustermember HAC2 \ 10:00:00:05:1e:53 Guide 185 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 204
6 Encryption group and HA cluster maintenance FIGURE 72 Replacing a failed encryption engine in an HA cluster 186 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 205
"live" encryption engine in an HA cluster 1. Invoke the cryptocfg --replace -haclustermember command on the group leader to replace the live encryption engine EE2 with another encryption engine "live" encryption engine in an HA cluster. Fabric OS Encryption Administrator's Guide 187 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 206
cluster you wish to delete. SecurityAdmin:switch>cryptocfg --delete -hacluster HAC1 Delete HA cluster status: Operation succeeded. 3. Enter the cryptocfg --commit command to commit the transaction. Performing a manual failback of an encryption engine By default, failback occurs automatically if an - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 207
Name: brocade Number of HA Clusters: 1 HA cluster name: HAC3 - 2 EE entries Status: Committed WWN Slot Number EE1 => 10:00:00:05:1e:53:89:dd 0 EE2 => 10:00:00:05:1e:53:fc:8a 0 Status Online - Failover active Online • A manual failback is issued. SecurityAdmin:switch>cryptocfg --failback - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 208
IP addresses of the I/O cluster sync ports (Ge0 and Ge1), and initialize the node with the cryptocfg --initnode command. 2. Register the new node IP SecurityAdmin:switch>cryptocfg --add -membernode 10:00:00:05:1e:39:14:00 Add node status: Operation Succeeded. 7. Initialize and enable the - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 209
, and N1 now performs all of the rebooted node's encryption services. Any re-key sessions in progress continue. Re-key sessions invoke a manual failback if required. Refer to the section "Performing a manual failback of an encryption engine" on page 188 for instructions. A Guide 191 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 210
member nodes. You cannot start any re-key operations (auto or manual) on any of the nodes. Refer to the section "Configuration impact group enters the converged state, execute the cryptocfg --commit command on the group leader node to distribute the crypto-device configuration Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 211
offline" member nodes. You cannot start any re-key operations (auto or manual) on any of the nodes. Refer to the section "Configuration impact of encryption group enters the converged state, execute the cryptocfg --commit command on the group leader node to distribute the crypto-device configuration - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 212
a node leave command • Deleting an encryption group • Registering a member node (IP address, certificates) a master key • Restoring a master key • Enabling or disabling encryption on an encryption engine • Creating • Starting a manual re-keying session • Performing a manual failback of containers - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 213
the console. Determine if the default port has been changed on the key vault. Power cycle the DCX chassis and then issue the cryptocfg --enableEE [slot number] command to bring the container's LUN state to Encryption Enabled. If the eth0 IP address on the Brocade Encryption Switch or on the FS8-18 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 214
for these ports were configured after the EE is enabled, reboot the encryption switch or slotpoweroff/slotpoweron the encryption blade to sync up the IP address information to the EE. Re-keying fails with error "Disabled (Key not in sync)". cryptocfg --commit fails with message "Default zone set - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 215
troubleshooting I 6 TABLE 10 Problem get queued and may not get serviced fast enough, and the request times enable the LUN. 3 Decommission the LUN. When a Brocade switch/blade are not in the same data path. A performance drop occurs when using DPM on a Microsoft Windows Guide 197 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 216
CLI Troubleshooting examples using the CLI Encryption Enabled Crypto Target LUN The LUN state should be Encryption enabled for the host to see the Crypto LUN. switch:FabricAdmin> data: disabled Rekey: disabled LUN state: Encryption enabled Encryption algorithm: AES256-XTS Key ID state: - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 217
Troubleshooting examples using the CLI 6 Encryption Disabled Crypto Target LUN If the LUN state is Encryption Disabled the host will not be able to access the Crypto LUN. switch:FabricAdmin>> cryptocfg --show - Operation succeeded Fabric OS Encryption Administrator's Guide 199 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 218
, and describes how to troubleshoot them. TABLE 11 Error recovery instructions for adding a switch to an existing group Configuration task Error description Instructions Initialize the switch Initialize the switch Add the switch to the encryption group Enable the encryption engines Save the - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 219
description Instructions Initialize the switch Create encryption group on the switch Register one or more key vaults Enable the encryption engines Unable to initialize the switch due to an Diagnose the problem using standard switch CLI error response from the switch. commands. The switch was - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 220
dialog box. 2 Re-run the Configure Switch Encryption wizard for the switch. Manual Option: 1 Save the switch's public key certificate to a file using the Switch Encryption Properties dialog box. 2 Follow the Key Vault instructions 202 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 221
wizard. TABLE 13 Problem General errors related to the Configure Switch Encryption wizard Resolution Initialization fails on the encryption engine after the encryption engine is zeroized. Reboot the switch. Configuration Commit fails with message "Default zone set to all Default zoning must be - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 222
ID from of the paths of the LUN to enable vault. the metadata does not exist. the LUN: • Issue the cryptocfg -discoverLUN command • Remove the LUN from the container and then add it back • Bounce the target port Then issue the cryptocfg -discoverLUN command on other paths of the LUN in the - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 223
, no crypto operations or commands (except node initialization) are available on the member node after the power-cycle. This condition persists any containers hosted on the failed group leader node, issue the cryptocfg --replace command to change the WWN association of containers from failed group - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 224
that only one path is active to the LUN, but the Brocade encryption switch internal LUN states for both paths will now likely be displayed as Encryption Enabled. In active/passive storage array environments, for troubleshooting purposes, you may want to update the encryption engine Internal LUN - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 225
MPIO and internal LUN states 6 FabricAdmin:switch> cryptocfg --show -rekey -all • Read all data off the LUN and write it to . Refer to the section "Removing a LUN from a CryptoTarget container" on page 133 for instructions on how to remove a LUN by force. Fabric OS Encryption Administrator - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 226
6 MPIO and internal LUN states 208 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 227
state Description Not available Not Brocade Encryption Switch or DCX Not Ready Fail to is faulty (BP fault or SP fault). Issue reboot. SP is awaiting initialization. Run certificates. Run regEE. Awaiting the explicit enabling of encryption engine. Run enableEE. Encryption Guide 209 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 228
LUN_READONLY_3 LUN_WR_META_IN_PROG Unknown LUN state unavailable. Initialize LUN discovery in progress. LUN discovery complete. LUN setup cleartext encryption enabled. Encryption enabled. Read only (found native metadata while LUN is in DF mode). Read only (found DF metadata while LUN - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 229
pending. LUN_KEY_EXPR_REKEY_PENDING Key expired re-key is pending. LUN_MANUAL_REKEY_PENDING Manual re-key is pending. LUN_DECRYPT_PENDING Data decryption is pending Disabled (Write metadata back with failure). Fabric OS Encryption Administrator's Guide 211 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 230
Third party license is required). LUN_DIS_WRONG_DEV_TYPE Disabled (Wrong device type found). LUN_DIS_NOT_SUPPORTED Disabled (LUN not connected or supported). LUN_DIS_CFG_KEY_NOT_FOUND Disabled State of the LUN is unknown. 212 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 231
Brocade support. Target port is not currently in the fabric. Check connections and L2 port state. The target port is active, but this particular Logical Unit is not supported Clear text A host can issue a READ or WRITE command that triggers the encryption switch or blade has - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 232
tape policy is DataFort-compatible mode, but The encryption switch or blade does not have the appropriate license to enable this feature. The tape medium is neither readable write result in a RASLOG and ABORTED COMMAND returned to host. 214 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 233
. The encryption switch will support writing and encrypting the disk LUNs in this version format when DF-compatible encryption mode is set and DF-compatible License is present. Note: Brocade also supports creating new DataFort version 3.x LUNs. Fabric OS Encryption Administrator's Guide 215 53 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 234
Only until you either remove the LUN and add it back with the native Brocade encryption format, or issue the runtime CLI command to force the change. The data encryption key is retrieved from the key vault based on the LUN serial number, and used for further encryption and decryption. An attempt - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 235
to cleartext. Error is returned from the CLI. No error. If the LUN was previously Brocade encrypted, the LUN is set to Read Only until you either modify the encryption format or use the runtime cryptocfg --enable -LUN command to force the change. The LUN is disabled for encryption. The key ID is - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 236
Brocade support in DF-compatibility mode is rejected from the CLI. The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state. You need to either modify the LUN state to "encrypted" or use the runtime cryptocfg --enable -LUN command to - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 237
firmware versions Brocade handling for DataFort written tapes - Read Brocade handling for DataFort-compatible encryption - Write DF SAN version 1.x DF SAN version 2.x/3.x 1.x tape support in DF-compatible mode is not supported in Fabric OS v6.1.1_enc. The encryption switch supports reading - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 238
support matrix for tape pools (Continued) Tape pool encryption format Tape pool policy Metadata present Results DF-compatible DF-compatible DF-compatible DF-compatible Encrypt Cleartext Cleartext Cleartext No (new tape) Brocade . 220 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 239
, McDATA 4400, and Brocade Intrepid 10000 are supported for frame redirection. NOTE When an EOSc switch is powered down and powered up again, redirection zone information is erased. No devices are allowed to log in at this stage. To enable all devices to log in, issue a cfgsave command from the FOS - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 240
C NS-Based Transparent Frame Redirection 222 Fabric OS Encryption Administrator's Guide 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 241
Brocade Encryption Switch See switch C certificates storing the public key, 38 CLI general errors and resolution, 195 using to configure encryption switch or blade, 91 command RBAC permissions, 93 command validation checks, 92 commands configuring target ports, 174 container Guide 223 53-1001864-01 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 242
in fibre channel routed fabrics, 159 deployment with FCIP extension switches, 162 dual fabric deployment, 155 single fabric deployment, 153, IP interfaces, 175 discover commands --discover -LUN, 143 --discoverLUN, 127, 131 disk metadata, 171 E eject commands -eject -membernode, 182 enable - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 243
recovery instructions for adding a switch to a new group, 201 for adding a switch to an existing group, 200 error recovery instructions for adding a switch to an existing group, 200 errors related to the CLI, 195 export commands --exportmasterkey, 111 Fabric OS Encryption Administrator's Guide 225 - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 244
F failback command, --failback -EE, 188 failover and failback, states of encryption engines during, 188 field replaceable unit See FRU firmware download considerations, 166 frame redirection creating and enabling in an FCR configuration (edge to edge), 161 deploying the encryption switch or blade to - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 245
enabling manual command, --manual_rekey, 148 manual commands --modify -LUN, 132, 134, 145, 147 --modify -tapepool, 140 move commands based 175 register commands --reg manual commands --rem -haclustermember, 181 --rem -LUN, 133 --remove -haclustermember, 184 --remove -initiator, 125 replace commands - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 246
command, 195 troubleshooting examples using the CLI, 198 turn off compression on extension switches, 176 turn off host-based encryption, 176 U user privileges defined, 15 resource groups, 15 using from encryption group properties dialog, 72 228 Fabric OS Encryption Administrator's Guide - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 247
the CLI, 116 virtual initiators, description of in an encryption configuration, 121 virtual targets, description of in an encryption configuration, 121 Z zeroize command --zeroize, 106 zeroizing effects of using on encryption engine, 72 zone creating an initiator-target using the CLI, 118 Fabric OS - HP 8/24 | Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 248
230 Fabric OS Encryption Administrator's Guide 53-1001864-01