HP Brocade 8/12c Fabric OS Encryption Administrator's Guide
HP Brocade 8/12c Manual
HP Brocade 8/12c manual content summary:
- HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 1
5533--11000022115599--0033 ® 28 July 2011 Fabric OS Encryption Administrator's Guide Supporting HP Secure Key Manager (SKM) Environments and HP Enterprise Secure Key Manager (ESKM) Environments Supporting Fabric OS v7.0.0 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 2
copy of the programming source code, please visit http://www.brocade.com/support/oscd. Brocade Communications Systems, Incorporated Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 3
Fabric OS Encryption Administrator's Guide iii 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 4
iv Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 5
overview 7 Data flow from server to storage 8 Data encryption key life cycle management 9 Master key management 10 Master key generation 10 Master key backup 10 Support for Virtual Fabrics 11 Cisco Fabric Connectivity support 11 Fabric OS Encryption Administrator's Guide v 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 6
CLI 36 Steps required using Brocade Management application . . . . . 37 Encryption preparation 38 Creating a new encryption group 38 Understanding configuration status results 46 Adding a switch to an encryption group 47 Replacing an encryption engine in an encryption group 53 vi Fabric OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 7
switch encryption properties 95 Exporting the public key certificate signing request (CSR) from Properties 97 Importing a signed public key certificate from Properties . . . . 97 Enabling and disabling the encryption engine state from Properties 97 Fabric OS Encryption Administrator's Guide - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 8
command output 115 Management LAN configuration 116 Configuring cluster links 116 Special consideration for blades 117 IP Address change of a node within an encryption group. . . . 117 Steps for connecting to an SKM or ESKM appliance 119 Configuring a Brocade group 119 Setting up the local - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 9
first time encryption 170 Data re-keying 170 Resource Allocation 171 Re-keying modes 171 Configuring a LUN for automatic re-keying 171 Initiating a manual re-key session 172 Suspension and resumption of re-keying operations 173 Fabric OS Encryption Administrator's Guide ix 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 10
with FCIP extension switches 186 VMware ESX server deployments 187 Best Practices and Special Topics In this chapter 189 Firmware download considerations 190 Firmware upgrades and downgrades 190 Data-at-rest encryption support for IBM SVC LUNs configuration 191 Specific guidelines for HA - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 11
group 208 Removing an HA cluster member 208 Displaying the HA cluster configuration 208 Replacing an HA cluster member 209 Deleting an HA cluster member 211 Performing a manual failback of an encryption engine . . . . .212 Fabric OS Encryption Administrator's Guide xi 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 12
Management application encryption wizard troubleshooting . . . .231 Errors related to adding a switch to an existing group . . . . . .231 Errors related to adding a switch to a new group 232 General errors related to the Configure Switch xii Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 13
Index Security processor KEK status 250 Encrypted LUN states 250 Fabric OS Encryption Administrator's Guide xiii 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 14
xiv Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 15
how to configure and manage encryption features using Brocade Network Advisor. • Chapter 3, "Configuring Brocade Encryption Using the CLI," describes how to configure and manage encryption features using the command line interface. • Chapter 4, "Deployment Scenarios," describes SAN configurations in - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 16
software . The following hardware platforms support data encryption as described in this manual. • Brocade DCX and DCX-4S with an FS8-18 encryption blade. • Brocade Encryption Switch. What's new in this document The purpose of this release is to note that HP Enterprise Secure Key Manager (ESKM) is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 17
to warn of these conditions or situations. Key terms For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See "Brocade resources" on page xvi for instructions on accessing MyBrocade. Fabric OS Encryption Administrator's Guide xv 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 18
, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com xvi Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 19
for Fibre Channel, storage management, and other applications: http://www.t11.org For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website: http://www.fibrechannel.org Getting technical help Contact your switch support supplier for hardware, firmware - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 20
port side of the switch on the left. • Brocade DCX-On the bottom right on the port side of the chassis • Brocade DCX-4S-On the bottom right on the port side of the chassis, directly above the cable management . Forward your feedback to: [email protected] Provide the title and version number - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 21
to avoid data corruption. If a host, possibly in another fabric, writes cleartext to an encrypted LUN, the data on the LUN will be lost. The user must ensure that all hosts that can access a LUN are configured in the same manner. Fabric OS Encryption Administrator's Guide 1 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 22
means all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs. In terms of encryption, a Brocade Encryption Switch, DCX, or DCX-4S through which users can manage an encryption engine. 2 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 23
a PC running the Brocade Data Center Fabric Manager (DCFM) application to refers to decrypting data with the current Data Encryption Key (DEK), and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 24
Fabric Manager (DCFM). 6 RJ45 serial console port. 7 USB port for firmware upgrades and other support services. 8 Fibre Channel ports (0-31) - 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches. 4 Fabric OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 25
performance upgrade license is applied, encryption processing power of up to 96 Gbps is available for disk encryption. Note that when the license is applied OS Administrator's Guide for information about obtaining and adding licenses. Licensing best practices Licenses installed on the switches and - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 26
. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done. This puts some constraints on the topology and the container configurations to support acceptable performance for encrypted and decrypted - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 27
by a third-party vendor. Host Cleartext Encryption Switch Ciphertext based on AES256-XTS Disk Storage Ciphertext Cleartext DEKs Ciphertext based on AES256-GCM Key Management System Tape Storage FIGURE 2 Encryption overview Fabric OS Encryption Administrator's Guide 7 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 28
encryption solution overview Data flow from server to storage The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host and a target LUN are redirected to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 29
management 1 Data encryption key life cycle management management systems provide life cycle management for all DEKs created by the encryption engine. Key management between encryption nodes. Key Management System LAN Node 1 EE many times. A DEK may be configured to expire in a certain time frame - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 30
by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM. Master key an encrypted key • The key management system as an encrypted key record 10 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 31
refer to Fabric OS Administrator's Guide for more details on how to configure the DCX and DCX-4S in virtual fabrics environments, including configuration of default switch partition and any other logical switch partitions. Cisco Fabric Connectivity support The Brocade Encryption Switch provides - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 32
1 Cisco Fabric Connectivity support 12 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 33
connections 24 •Configuring blade processor links 24 •Encryption node initialization and certificate generation 25 •Steps for connecting to an SKM or ESKM appliance 26 •Steps for Migrating from SKM to ESKM 36 •Encryption preparation 38 •Creating a new encryption group 38 •Adding a switch to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 34
Smart Cards for user authentication, system access control, and storing backup copies of data encryption master keys. • "Network connections" on page 24 describes the network connections that must be in place to enable encryption. • "Configuring blade processor links" on page 24 describes the steps - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 35
A user can only belong to one resource group at a time. The Management application provides three pre-configured roles: • Storage encryption configuration. • Storage encryption key operations. • Storage encryption security. Table 1 lists the associated roles and their read/write access to specific - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 36
www.scmmicro.com/security/view_product_en.php?PID=2 NOTE Only the Brocade smart cards that are included with the BES/FS8-18 are supported. See the following procedures for instructions about how to manage smart cards: • "Registering authentication cards from a card reader" on page 16 • "Registering - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 37
Smart card usage 2 1. Select Configure > Encryption from the menu task bar. The Encryption Center the System Cards setting for now. 4. Click Register from Card Reader to register a new card. The Add Authentication Card dialog box displays. Fabric OS Encryption Administrator's Guide 17 53-1002159 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 38
information, see "Tracking smart cards" on page 22. Registering authentication cards from the database Smart cards that are already in the Management program's database can be registered as authentication cards. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 39
the Encryption Group Properties dialog box. Deregistering an authentication card Authentication cards can be removed from the database and the switch by deregistering them. Use the following procedure to deregister an authentication card. 1. Select Configure > Encryption from the menu task bar. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 40
Required. - Authentication Card Quorum authenticate using a quorum of authentication cards, complete the following steps: 1. When the Authenticate dialog box is displayed, gather the number of cards needed, per instructions on a switch, you must following: • Set System Cards • Set System Cards - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 41
. If someone removes a switch or blade with the intent of accessing the encryption engine, it will function as an ordinary FC switch or blade when it is Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. Fabric OS Encryption Administrator's Guide 21 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 42
task bar, or right-click the switch and select System Cards. The System Cards card from the Management application database. Deleting smart cards from the Management application database keeps the Smart Cards table at a manageable size, but Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 43
the card reader. 3. After the card's ID is displayed in the Card ID field, enter the Card Password, then click Login. 4. Edit the card assignment user information as needed. 5. Click OK. Fabric OS Encryption Administrator's Guide 23 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 44
: • The management ports on all devices that will perform encryption (Brocade Encryption Switches, or DCX and DCX-4S chassis with encryption blades installed) must have a LAN connection to the SAN management program, and must be available for discovery. • A supported key management appliance must be - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 45
with key managers. In most cases, KAC certificate signing requests must be sent to a Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In all cases, signed KACs must be present on each switch. Encryption nodes are initialized by the Configure Switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 46
installing the SKM/ESKM appliance, use that port number. The following configuration steps are performed from the SKM/ESKM management web console and from the Management application. • Configure a Brocade group on SKM/ESKM. • Register the Brocade group user name and password on the encryption node - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 47
created by Brocade encryption switches and blades. This needs to be done only once for each key vault. 1. Log in to the SKM/ESKM management web console using the admin password. 2. Select the Security tab. 3. Select Local Users & Groups under Users and Groups. The User & Group Configuration page - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 48
another, and the new encryption group uses different user name and password, the Brocade group user name and password must also be changed to the same values on SKM/ESKM to make the keys accessible. 5. Repeat the procedure for each node. 28 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 49
should be set in accordance with your company's security policies. The default value for both is 3650 days or 10 years. 5. Click Create. The new local CA displays under Local Certificate Authority List. . FIGURE 16 Creating an HP SKM/ESKM local CA Fabric OS Encryption Administrator's Guide 29 53 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 50
& CAs, select Local CAs. The Certificate and CA Configuration page is displayed. 9. From the CA Name column, select the name of the local CA you just created in "Setting up the local Certificate Authority (CA) on SKM or ESKM" on page 29. 30 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 51
enabled on the other cluster members. To configure and enable SSL, complete the following steps: 1. Select the Device tab. 2. In the Device Configuration menu, click KMS Server to display the Key Management Services Configuration window. Fabric OS Encryption Administrator's Guide 31 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 52
have TLS enabled for your web browser. 5. Configure the KMS Server Settings. Ensure that the port and connection timeout settings are 9000 and 3600, it into the management console for each of the SKM/ESKM appliances added to the cluster. 32 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 53
the Local CA certificate open. 2. In the new browser window, log into the management console of the SKM/ESKM appliance that is being added to the cluster, then click the Security tab. 3. In the Certificates & CAs menu, click Known CAs. Fabric OS Encryption Administrator's Guide 33 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 54
tab. 12. In the Device Configuration menu, click Cluster. 13. Click Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their default settings. 14. Enter the original cluster member's local IP address into Cluster Member IP. 15. Enter the original cluster - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 55
web browser and log in. 5. Select the Security tab. 6. Select Local CAs under Certificates & CAs. The Certificate and CA Configuration page displays. 7. Under Local Certificate Authority List, select the Brocade is stored on the switch. Fabric OS Encryption Administrator's Guide 35 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 56
synchronously hardened to the cluster pairs. Please refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures. Configured primary and secondary HPSKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 57
Enter the new ESKM key vault IP address in the Primary Key Vault IP Address field. 4. Download the ESKM local CA certificate. a. From the Security tab, select Local CAs under Certificates and CAs. b. Select the CA certificate you created. Fabric OS Encryption Administrator's Guide 37 53-1002159 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 58
, and create a new encryption group. NOTE When a new encryption group is created, any existing tape pools in the switch are removed. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 38 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 59
right-click the switch and select Create/Add to Group. The Configure Switch Encryption wizard welcome panel displays. FIGURE 21 Configure Switch Encryption wizard - welcome panel 4. Click Next. The Designate Switch Membership dialog box displays. Fabric OS Encryption Administrator's Guide 39 53 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 60
23 Create a New Encryption Group dialog box 7. Enter an Encryption Group Name for the encryption group and select Automatic failback mode. Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. 40 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 61
same name for the new encryption group, or click No to enter another name. 8. Click Next. The Select Key Vault dialog box displays. FIGURE 24 Select Key Vault dialog box for SKM/ESKM 9. Select SKM as the Key Vault Type, which is used for both HP Secure Key Manager (SKM) and HP Enterprise Secure Key - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 62
2 Creating a new encryption group FIGURE 25 Specify Public Key Certificate filename dialog box 11. Enter the location of the file The Specify Master Key File Name dialog box displays. FIGURE 26 Specify Master Key File Name dialog box 42 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 63
and/or setting system cards to Required launches additional wizard dialog boxes. 17. Click Next. The Confirm Configuration dialog box displays. The dialog box displays the encryption group name and switch public key certificate file name you specified. Fabric OS Encryption Administrator's Guide 43 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 64
2 Creating a new encryption group FIGURE 28 Confirm Configuration dialog box 18. Verify the information, then click Next. The Configuration Status dialog box displays. 44 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 65
configuration status results" on page 46 for more information. 19. Review important messages, then click Next. The Next Steps dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed. Fabric OS Encryption Administrator's Guide 45 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 66
of the encryption group is completed, the Management application sends API commands to verify the switch configuration. The CLI commands are detailed in encryption administrator's guide for your key vault management system. • Initialize the switch. If the switch is not already in the initiated state - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 67
that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between the switch and key manager you are using. Adding a switch to an encryption group The setup wizard allows you - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 68
31 Configure Switch Encryption wizard - welcome panel 3. Click Next. The Designate Switch Membership dialog box displays. FIGURE 32 Designate Switch Membership dialog box a. Select Add this switch to an existing encryption group. b. Click Next. 48 Fabric OS Encryption Administrator's Guide 53 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 69
Existing Encryption Group dialog box 4. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate Filename dialog box displays. FIGURE 34 Specify Public Key Certificate (KAC) File Name dialog box Fabric OS Encryption Administrator's Guide 49 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 70
Confirm Configuration panel displays. The dialog box shows the encryption group name and switch public key certificate file name you specified. FIGURE 35 Confirm Configuration dialog box 6. Click Next. The Configuration Status dialog box displays. 50 Fabric OS Encryption Administrator's Guide 53 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 71
certificate is stored in the location you specified. 7. Review important messages, then click Next. The Error Instructions dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed. Fabric OS Encryption Administrator's Guide 51 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 72
show that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between the switch and key manager you are using. 52 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 73
engine within the same DEK Cluster, complete the following steps. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays engine (Engine list) are replaced by the new engine (Replacement list). Fabric OS Encryption Administrator's Guide 53 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 74
changes are not applied to the switch until you click OK. Both engines in an HA cluster must be in the same fabric, as well as the same encryption group. NOTE An IP address is required for the management port for any cluster-related operations. 1. Select Configure > Encryption from the menu task bar - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 75
is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member. Fabric OS Encryption Administrator's Guide 55 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 76
setting (auto or manual) manually invoke failback using the CLI or Management application, or until the second encryption engine fails. When the encryption engine recovers, it can automatically fail back its Crypto Target containers if the second encryption engine is not hosting them. 56 Fabric OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 77
box without committing the changes, you are reminded of uncommitted changes in the Management application. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group, switch, or engine from the Encryption Center Devices table to which to add - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 78
dialog box explains the wizard's purpose, which is to configure encryption for a storage device (target). FIGURE 43 Configure Storage Encryption wizard dialog box 4. Click Next to begin. The Select Encryption Engine dialog box displays. 58 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 79
same fabric as the encryption engine. The Targets in Fabric table does not show targets that are already configured in an encryption group. You can select targets from the list of known targets, or manually enter the port and node WWNs. Fabric OS Encryption Administrator's Guide 59 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 80
from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsshow command.) You can also enter WWNs manually, for example, to specify a target 46 Select Hosts dialog box 60 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 81
the Selected Hosts table. (The Port WWN column contains all target information that displays when using the nsshow command.) b. Manually enter world wide names in the Port WWN and Node WWN text . The Confirmation dialog box displays. Fabric OS Encryption Administrator's Guide 61 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 82
container, as well as the virtual targets (VT) and virtual initiators (VI). NOTE If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch. FIGURE 49 Configuration Status dialog box 62 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 83
13. Review the post-configuration instructions, which you can copy to a clipboard or print for later. 14. Click Finish to exit the Configure Switch Encryption wizard. 15. Review "Understanding configuration status results" on page 46. Fabric OS Encryption Administrator's Guide 63 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 84
, or manually enter world wide names in the Port WWN and Node WWN text boxes if the hosts are not included in the list. You must fill in both the Port WWN and the Node WWN. Click Add to move the host to the Selected Hosts list. 64 Fabric OS Encryption Administrator's Guide 53-1002159 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 85
a group, switch, or engine and select Disk LUNs. The Encryption Disk LUN View dialog box displays. FIGURE 52 Encryption Disk LUN view dialog box 3. Click Add. The Select Target Port dialog box displays. FIGURE 53 Select Target Port dialog box Fabric OS Encryption Administrator's Guide 65 53 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 86
port from the Target Port table. 5. Click Next. The Select Initiator Port dialog box displays. FIGURE 54 Select Initiator Port dialog box 6. Select the initiator port from the Initiator Port are already configured. Click OK Click Finish. The new LUN path is configured on all are configuration - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 87
LUN already has an existing key ID, the State field is automatically set to Encrypted. You can accept this state or change it as desired CLI and it should help resolve the issue. When the command finishes, refresh the screen to check the new status of LUNs. Fabric OS Encryption Administrator's Guide - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 88
, refer to the chapter describing storage arrays in this administrator's guide. Adding target tape LUNs for encryption You configure a manually. After you add the LUNs, you must specify the encryption settings. When configuring a LUN with multiple paths, the same LUN policies must be configured - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 89
are identified by the Host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status. Fabric OS Encryption Administrator's Guide 69 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 90
initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host. 6. Choose a LUN to be added to an with the new key. 8. Click OK. The selected tape LUNs are added to the encryption target container. 70 Fabric OS Encryption Administrator's Guide 53- - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 91
Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/ Target Tape LUNs dialog box displays. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 92
read ahead for a specific LUN, clear Enable Read Ahead for that LUN. 5. Click OK. 6. Commit the changes on the related crypto target container: a. Select Configure > Encryption from the menu Encryption Targets dialog box" on page 90 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 93
host I/O. The encryption management application allows you to select specific tape LUNs" on page 75 Viewing and clearing tape container statistics To view or clear statistics for tape LUNs in a container, follow these steps: 1. Select Configure - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 94
a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays. The dialog box lists configured crypto target containers. FIGURE 63 Encryption Targets dialog box - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 95
Viewing and clearing statistics for specific tape LUNs To view or clear statistics for tape LUNs in a container, complete these steps: 1. Select Configure > Encryption from the box displays. The dialog box lists configured tape LUNs. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 96
clear the tape LUN statistics, click Clear. 7. When prompted with a confirmation dialog box, click Yes. 8. To update the tape LUN statistics, click Refresh. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 97
OS 6.4, disk and tape target containers can be hosted on the same switch or blade. Hosting both disk and tape target containers on the same switch or blade might result in a drop in throughput, but it can reduce cost by reducing the number of switches or blades needed to support a new disk Configure - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 98
set is a set of smart cards. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Management application to restore the master key. Master keys belong to the group and are managed with new hardware at - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 99
new user privileges" on page 15 for more information. • The group leader is not discovered or managed by the Management application. Saving the master key to a file Use the following procedure to save the master key to a file. 1. Select Configure - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 100
passphrase for verification. 9. Click OK. ATTENTION Save the passphrase. This passphrase is required if you ever need to restore the master key from the file. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 101
, a key vault Use the following procedure to save the master key to a key vault. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group OK after you have copied the Key ID. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 102
driver for Unix operating systems. For instructions, refer to the Installation Guide. The key is divided among the cards in the card set, up to 10. The quorum of , and you will need to discard them and create a new set. 1. Select Configure > Encryption from the menu task bar. The Encryption Center - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 103
4. Select A Recovery Set of Smart Cards as the Backup Destination. 5. Enter the recovery card set size. 6. Insert the . 7. Run the additional cards needed for the set through the reader. As you read each card, written to all the cards in the set. 15. After the last card is written, click OK - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 104
from a file Use the following procedure to restore the master key from a file. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a on page 78 • "Alternate master key" on page 78 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 105
vault Use the following procedure to restore the master key from a key vault: 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a on page 78 • "Alternate master key" on page 78 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 106
set A card reader must be attached to the SAN Management application PC to complete this procedure. Use the following procedure to restore the master key from a set of smart cards. 1. Select Configure all cards in the set have been read. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 107
new master key Although it is generally not necessary to create a new new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured), until you back up the new master key. After you have backed up the new Select Create a New Master Key from the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 108
, follow these steps: 1. Select Configure > Encryption from the menu task an encryption engine manually to protect encryption kept in the encryption switch or encryption blade are erased and the encryption switch or the encryption blade removed from the fabric's name service. • The master key is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 109
an engine affects the I/Os but all target and LUN configuration is intact. Encryption target configuration data is not deleted generate a new master key and back it up. Restoring the master key from a backup copy or generating a new master key - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 110
selected group, switch, or encryption engine. If a group is selected, all configured targets in the group are displayed. If a switch is selected, all configured targets for the switch are displayed. FIGURE 75 Encryption Targets dialog box - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 111
key vault configured. • The node must be running Fabric OS 7.0.0 or later. • The encryption group must be in the converged state. • The target container that hosts the LUN must be online. In addition to providing the ability to launch manual re-key operations, the management application also enables - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 112
the switch and select Targets. The Encryption Targets dialog box displays. 6. Select a disk LUN device from the table, then click LUNs. The Encryption Targets Disk LUNs dialog box displays. The dialog box lists the status of the re-key operation. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 113
information, refer to the following topics: • "Re-keying all disk LUNs manually" on page 91 • "Viewing the progress of manual re-key operations" on page 93 Viewing the progress of manual re-key operations To monitor the progress of manual re-key operations, complete these steps: 1. Select Configure - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 114
modify the time left using CLI. For more information, see Chapter 3, "Configuring Brocade encryption using the CLI." To view the time left for auto re-key, follow these steps: 1. Select Configure > Encryption. The Encryption Center dialog box displays. 2. Select a group, switch, or engine from the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 115
Center dialog box displays. The dialog box shows the status of all encryption-related hardware and functions at a glance. It is the single launching point for all encryption-related configuration. 2. Select a switch or encryption engine from the Encryption Center Devices table, then select - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 116
tape pool changes, and any configuration changes for storage targets, hosts, and LUNs. • Fabric - the name of the fabric to which the switch belongs. • Domain ID - the domain ID of the selected switch. • Firmware Version - the current encryption firmware on the switch. • Primary Key Vault Link Key - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 117
onto the switch. Enabling and disabling the encryption engine state from Properties To enable the encryption engine, complete the following steps: 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 118
3. In the Encryption Engine Properties table, locate Set State To. 4. Click the adjacent Engine field and group properties, complete the following steps. 1. Select Configure > Encryption from the menu task bar. The Encryption - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 119
environment, the status should be Connected. • Backup key vault IP address - the IP address of the backup key vault. • Backup Key Vault Connection Status - the status of the connection to the backup key vault, if a backup is configured. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 120
not responding to the group leader. This may occur if the member switch is not reachable by way of the management port, or if the member switch does not believe it is part of the encryption group. • Configuring - the member switch has responded and the group leader is exchanging information. This is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 121
the last switch from a group, the Management application also deletes the group. Consequences of removing an encryption switch Table 2 explains the impact of removing switches. TABLE 2 Switch removal impact Switch configuration Impact of removal The switch is the only switch in the encryption - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 122
2 Viewing and editing group properties FIGURE 84 Removal of switch warning A warning message displays when you attempt to remove an encryption group. Click Yes to proceed. FIGURE 85 Removal of switch in encryption group warning - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 123
follows: • Create a new master key, which is authentication cards must be read by a card reader attached to a Management application PC to enable certain security-sensitive operations. NOTE Encryption is not allowed until the master key has been backed up. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 124
consists of exactly two encryption engines. For related information, see the following topics: • "Failback option" on page 56 • "Invoking failback" on page 57 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 125
are managed from pool, you must remove the entry, then add a new tape pool. See "Adding tape pools" on page 106 configured for an encryption group, tapes in that tape pool are encrypted according to the tape pool settings instead of the tape LUN settings. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 126
editing group properties Encryption switches and encryption blades support tape encryption at the . When a new encryption group is created, any existing tape pools in the switch are removed and must be added. 1. Select Configure > Encryption from - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 127
in another switch within a DEK Cluster environment. A DEK Cluster is a set of encryption engines that encrypt the same target storage device. DEK Clusters do not display in the Management application, they are an internal implementation feature and have no user-configurable properties. Refer to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 128
Dialog Box - Engine Operations Tab NOTE You cannot replace an encryption engine if it is part of an HA Cluster. For information about HA Clusters, refer to "HA Clusters tab" on page 104. For related information, see "Replacing an encryption engine in an encryption group" on page 53. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 129
acronyms in log messages 2 Encryption-related acronyms in log messages Fabric OS log messages related to encryption components and features may have acronyms Encryption Engine EG Encryption Group HAC High Availability Cluster - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 130
2 Encryption-related acronyms in log messages - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 131
Chapter Configuring Brocade Encryption Using the CLI 3 In this chapter •Overview 112 •Command validation checks 112 •Command RBAC permissions and AD types 113 •Cryptocfg Help command output 115 •Management LAN configuration 116 •Configuring cluster links 116 •Steps for connecting to an SKM - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 132
setup and configuration of the Brocade Encryption Switch (BES), DCX, or DCX-4S has been done as part of the initial hardware installation, including setting the management port IP address. For command syntax and description of parameters, refer to the Fabric OS Command Reference Manual. Command - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 133
firmware download. • Perform regular Fabric OS management functions. See Table 4 for the RBAC permissions when using the encryption configuration commands. TABLE 4 Encryption command RBAC availability and admin domain type1 Command name User Admin Operator Switch Zone Fabric Admin Admin - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 134
Encryption command RBAC availability and admin domain type1 (Continued) Command name User Admin Operator Switch Zone Fabric Basic Admin Admin Admin Switch Admin delete --container N OM Disallowed O Disallowed OM Disallowed - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 135
of device container parameter configuration. --help -transcfg: Display the synopsis of transaction management. switch:admin> cryptocfg --help -nodecfg Usage: cryptocfg --help -nodecfg: Display the synopsis of node parameter configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 136
addresses are supported for cluster links. The following example configures a static IP address and gateway address for the bonded interface. switch:admin> ipaddrset -eth0 --add 10.32.33.34/23 switch:admin> ipaddrset -gate --add 10.32.1.1 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 137
7 SWITCH Ethernet IP Address: 10.33.54.207 Ethernet Subnetmask: 255.255.240.0 Fibre Channel IP Address: none Fibre Channel Subnetmask: none Gateway IP Address: 10.33.48.1 DHCP: Off eth0: 10.33.54.208/20 eth1: none/none Gateway: 10.33.48.1 NOTE The IP address of the cluster link should be configured - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 138
node using the new IP address. 4. Reboot the member node (the node on which the IP address has been modified). 5. Re-register the node with the Group Leader using the new IP address. NOTE A reboot is not needed beginning with Fabric OS v6.4.0. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 139
is not supported. 1. Log in to the SKM/ESKM management web console using the admin password. 2. Select the Security tab. 3. Select Local Users & Groups under Users and Groups. The User & Group Configuration page displays. 4. Select Add under Local Users. 5. Create a Brocade user name and password - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 140
, and the Brocade group user name must be changed to brcduser1. Also, the password must be changed to !Brocade@3. Setting up the local Certificate Authority (CA) To create and install a local CA, perform the following steps: 1. Log in to the SKM/ESKM management web console using the admin password - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 141
new local CA displays under Local Certificate Authority List (Figure 92). FIGURE 92 Creating an HP you created using the procedure for "Setting up the local Certificate Authority (CA)" Brocade encryption group leader" on page 128. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 142
HP recommends using the default value: 1024. 4. Click Create Certificate Request. Successful completion is indicated when the new CA Configuration page is displayed. 9. From the CA Name column, select the local CA name you created in "Setting up the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 143
steps: 1. Select the Device tab. 2. In the Device Configuration menu, click KMS Server to display the Key Management Services Configuration window. FIGURE 93 SKM Key Management Services Configuration window 3. In the KMS Server Settings section of the window, select the following check boxes: • Use - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 144
vault supports clustering of HP SKM/ESKM appliances for high availability. If two SKM/ESKM key vaults are configured, they must be clustered. If only a single SKM/ESKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 145
in the right panel. 9. Click Add. 10. Click Save. 11. Select the Device tab. 12. In the Device Configuration menu, click on Cluster. 13. Click on Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults. 14. Type the original cluster member's local - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 146
any existing authentication data on the node. SecurityAdmin:switch>cryptocfg --initnode This will overwrite all identification and authentication data ARE YOU SURE (yes, y, no, n): [no] y Notify SPM of Node Cfg Operation succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 147
3. Launch the SKM/ESKM administration console in a web browser and log in. 4. Select the Security tab. 5. Select Local CAs under Certificates & CAs. The Certificate and CA Configuration page displays. 6. Under Local Certificate Authority List, select the Brocade CA name. 7. Select Sign Request. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 148
. White space or other special characters are not permitted. The following example creates the encryption group "brocade". SecurityAdmin:switch>cryptocfg --create -encgroup brocade Encryption group create status: Operation Succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 149
System Card: Disabled Primary Key Vault: IP address: 10.32.53.55 Certificate ID: Brocade Certificate label: skmcert State: Connected Type: SKM Secondary Key Vault not configured Additional Key Vault/Cluster Information: Key Vault/CA Certificate Validity: Port for Key Vault Connection: Time of - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 150
ESKM Brocade group user name and password The Brocade group user name and password you created when configuring a Brocade group on the SKM/ESKM must also be registered on each Brocade encryption node. 1. Log in to the switch as Admin or SecurityAdmin. 2. Register the HP SKM/ESKM Brocade group user - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 151
synchronously hardened to the cluster pairs. Please refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures. Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 152
appliance Tape LUN support • DEK Creation - The DEK is created and archived to the SKM/ESKM cluster using the cluster's virtual IP address. The new encryption is done to avoid possible failures. • Deregistration of Primary SKM/ESKM - You can deregister the primary SKM/ESKM from an encryption switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 153
node and export the new CP certificates and KAC certificates switch on which the certificate was generated as Admin or such as the switch name or IP address. The switch>cryptocfg --import -usb enc_switch1_cp_cert.pem \ enc_switch1_cp_cert.pem Operation succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 154
member information. This example shows the encryption group brocade with two member nodes, one group leader and one regular member. No key vault or HA cluster is configured, and the values for master key IDs are zero. SecurityAdmin:switch>cryptocfg --show -groupmember -all NODE LIST Total Number - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 155
IP Address: 10.32.244.60 Certificate: enc1_cpcert.pem Current Master Key State: Not configured Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 Alternate Master Key State:Not configured procedure. Note that the Brocade SAN management application provides the additional - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 156
encryption group brocade with two member nodes, one group leader and one regular member. No key vault or HA cluster is configured, and the values for master key IDs are zero. SecurityAdmin:switch>cryptocfg -- 00:00:00:00:00:00:00:00:00 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 157
for instructions. • Configuration changes must be committed before they take effect. Any operation related to an HA cluster that is performed without a commit operation will not survive across switch reboots, power cycles, CP failover, or HA reboots. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 158
Brocade encryption switches, but is not true if two FS8-18 blades in the same DCX or DCX-4S chassis are configured in the same HA cluster. In Fabric OS resulting configuration will not be functional and provide no failover/failback capabilities. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 159
Admin or SecurityAdmin. 2. Enter the cryptocfg --add -haclustermember command. Specify the HA cluster name and the encryption engine node WWN. Provide a slot number if the encryption engine is a blade. The following example adds a Brocade FS8-18 in slot 5 to the HA cluster HAC2. SecurityAdmin:switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 160
need to remember the exported master key ID and passphrase you used while exporting the master key ID. A new subcommand is available to support exporting master key IDs for a given master key. cryptocfg --show -mkexported_keyids - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 161
ID: 1a:e6:e4:26:6b:f3:81:f7:d8:eb:cc:0f:09:7a:a4:80 Example: Recovering a master key using master key ID from the second master key export cryptocfg :a7:b4:cd:7d:2a:91:fc Enter passphrase: Recover master key status: Operation Succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 162
key ID and passphrase you used while exporting the master key ID. A new subcommand is available to support exporting master key IDs for a given master key. cryptocfg --show -mkexported_keyids Confirm passphrase: Master key exported. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 163
7a:a4:80 Example: fc Brocade Encryption Switch configuration steps or to troubleshoot an encryption engine that behaves in unexpected ways. Use the cryptocfg --show -localEE command to check the encryption engine status. SecurityAdmin:switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 164
going through a regular zone or a redirection zone. 1. Check the default zoning setting. Commonly, it will be set to All Access. switch:admin> defzone --show Default Zone Access Mode committed - All Access transaction - No Transaction - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 165
From any configured primary FCS switch, change the default zoning setting to No Access. switch:admin> defzone --noaccess switch:admin> cfgsave The change will be applied within the entire fabric. Frame redirection zoning Name Server-based frame redirection enables the Brocade Encryption Switch or - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 166
a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable 'itcfg' configuration (yes, y, no, n): [no] y zone config "itcfg" is in effect Updating flash ... - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 167
of virtual devices created for each target port hosted on a Brocade Encryption Switch or FS8-18 blade. The container holds the configuration information for a single target, including associated hosts and LUN settings. A CryptoTarget container interfaces between the encryption engine, the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 168
in the section "Configuring a multi-path Crypto LUN" on page 166. LUN re-balancing when hosting both disk and tape targets If you are currently using encryption and running Fabric OS v6.3.x or earlier, you are hosting tape and disk target containers on different encryption switches or blades - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 169
in the same fabric or in a different fabric based on host MPIO configuration. A given host port through which the LUNs are accessible is hosted on the same encryption switch on which the target port (CryptoTarget container) of the LUNs is hosted. NOTE It is recommended you complete the encryption - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 170
gain access to these ports before committing the container configuration. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 166 for specific instructions. 5. Display the CryptoTarget container configuration. The virtual initiator and - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 171
group leader as Admin or FabricAdmin. 2. Enter the cryptocfg --remove -initiator command. Specify the CryptoTarget container name followed by one or more initiator port WWNs. The following example removes one initiator from the CryptoTarget container "my_disk_tgt". FabricAdmin:switch>cryptocfg --rem - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 172
through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section "Configuring a multi-path Crypto LUN" on page 166 for more information. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 173
and manually created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section "Deployment in Fibre Channel routed fabrics" on page 183 for instructions on configuring encryption in an FCR deployment scenario. 1. Log in to the group leader as Admin or FabricAdmin - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 174
container, you must specify a LUN Number. The LUN Number needed for configuring a given Crypto LUN is the LUN Number as exposed to a particular initiator. The Brocade Encryption platform provides LUN discovery services through which you can identify the exposed LUN number for a specified initiator - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 175
results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 166. 4. Display the LUN configuration. The following example shows default values. FabricAdmin:switch>cryptocfg --show -LUN :00:05:1e:41:4e:1d - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 176
and may lead to data corruption. The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB block size for tape encryption. Also, the LBA 0 block size - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 177
modes are supported: • disable - The LUN disables the Tape read ahead and Tape LUN will be operated in unbuffered mode. • enable - The LUN enables the Tape read ahead and Tape LUN will be operated in buffered mode. The default value is enable. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 178
of configuration options and policy settings are available for tape LUNs. Refer to Table 6 on page 156 for tape LUN configuration options. 1. Create a zone that includes the initiator (host) and the target port. Refer to the section "Creating an initiator - target zone" on page 145 for instructions - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 179
leader as Admin or FabricAdmin. 2. Enter the cryptocfg --remove -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch>cryptocfg --remove -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a Operation Succeeded 3. Commit the configuration with - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 180
policy settings and in sequence for each of the Crypto Target containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 166. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 181
and -enable_rekey are disabled by default, and you must configure both options again. • When you add a LUN and then change the LUN policy from cleartext to encrypt, you must set the -enable_encexistingdata option. If you do not, all data on - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 182
LUN as Admin or FabricAdmin. 2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \ 10:00:00:00:c9:2b:c9:3a Operation Succeeded Tape pool configuration Tape pools - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 183
encryption switch or blade must be the same tape pool label configured on the tape backup application. • Refer to the tape backup product documentation for detailed instructions for pool label on the encryption switch or blade. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 184
The following example creates a tape pool named "my_tapepool". FabricAdmin:switch>cryptocfg --create -tapepool -label my_tapepool Operation succeeded. 3. Commit the transaction. FabricAdmin:switch>cryptocfg --commit Operation succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 185
within the pool: Operation succeeded. 5. Configure the tape pool on your backup application with the same tape pool label you used to create the tape pool on the encryption switch or blade. Refer to the manufacturer's product documentation for instructions. 6. On your backup application, label - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 186
on a dual-port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 187
host port 2 and target port 2. Refer to the section "Creating an initiator - target zone" on page 145 for instructions. 3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 188
from target-port 1 to host-port 1 path and from target-port 2 to host-port 2. Identical LUN serial numbers validate the multi-path configuration. 5. Configure the LUN for all CryptoTarget containers in sequence by adding the LUN to each CryptoTarget container with identical policy settings. Refer to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 189
Key ID: not available New LUN: No Key life: 30 (days) 0 (minutes) Operation succeeded. 7. Commit the LUN configuration. FabricAdmin:switch>cryptocfg --commit NOTE There is a 25 LUN transaction limit per commit operation. Make sure to issue commit after adding 24 LUNs (12 LUNs to each - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 190
policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 156 for more information. The following example configures a as every six months or once per year. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 191
time period in days) Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 156 for more information. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 192
configured. Refer to the section "Management LAN configuration" on page 116 for more information. 1. Log in to the group leader as FabricAdmin. 2. Enable automatic re-keying by setting to succeed. The manual re-keying feature is :switch>cryptocfg - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 193
switch fails and reboots. Re-key operations are resumed automatically when the target comes back online or the switch comes regions of the LUN is halted. Only READ operations are supported for the scratch space region of the LUN used for storing - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 194
:37:99 Operation Succeeded 2. Check the status of the resumed re-key session. FabricAdmin:switch> cryptocfg --show -rekey -all • Read all data off the LUN and write it " on page 159 for instructions on how to remove a LUN by force. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 195
clusters 180 • Multiple paths, DEK cluster, no HA cluster 182 • Deployment in Fibre Channel routed fabrics 183 • Deployment as part of an edge fabric 185 • Deployment with FCIP extension switches 186 • VMware ESX server deployments 187 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 196
T2. Host port 1 is zoned with target port 1, and host port 2 is zoned with target port 2 to enable the redirection zoning needed to redirect traffic to the correct CTC. FIGURE 96 Single encryption switch, two paths from host to target - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 197
FIGURE 97 Single fabric deployment - HA cluster - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 198
provides the communication needed to distribute and synchronize configuration information, and enable the two switches to act as a high availability (HA) cluster, providing automatic failover if one of the switches fails, or is taken out of service. Single fabric deployment - DEK cluster Figure 98 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 199
, interconnected through a dedicated cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN. encryption switches 1 and 3 act as a high availability cluster in fabric 1, providing automatic - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 200
configuration with a DEK cluster that includes two HA clusters, with multiple paths to the same target device. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 201
to target port 3 and target port 4 in fabric 2. • There are four Brocade encryption switches organized in HA clusters. • HA cluster 1 is in fabric 1, and HA cluster 2 is in fabric 2. • There is one DEK cluster, and one encryption group. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 202
cluster Figure 101 shows a configuration with a DEK cluster with multiple paths to the same target device. There is one encryption switch in each fabric. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 203
with the host and target edge fabrics using device sharing between backbone and edge fabrics. FIGURE 102 Encryption switch connected to FC router as part of backbone fabric FIGURE 103 Encryption switch as FC router and backbone fabric - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 204
, virtual target, and virtual initiator in both the backbone fabric and the target edge fabrics. Refer to the Fabric OS Administrator's Guide for information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 205
, virtual target, and virtual initiator in both the backbone fabric and the target edge fabrics. Refer to the Fabric OS Administrator's Guide for information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 206
switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide for information about creating FCIP configurations FCIP link. If the encryption services are enabled for the host and the remote target, the encryption switch can take clear text from the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 207
CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster. CTC2 - CTC for Target Port T2 hosted on BES2 in DEK Cluster. FIGURE 106 VMware ESX server, One HBA per guest OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 208
CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster. CTC2 - CTC for Target Port T2 hosted on BES2 in DEK Cluster. FIGURE 107 VMware ESX server, One HBA shared by two guest OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 209
chapter • Firmware download considerations 190 • Configuration upload and download considerations 192 • HP-UX Configuring CryptoTarget containers and LUNs 197 • Redirection zones 198 • Deployment with Admin Domains (AD 199 • Do not use DHCP for IP - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 210
in the loss of the following functionality: • Fabric OS v6.2.0 supports only one HP SKM/ESKM key vault. Registering a second HP SKM/ESKM key vault will be blocked. • Fabric OS v6.2.0 uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM. If you downgrade from version - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 211
general IBM SVC best practices. SAN Volume Controller Best Practices and Performance Guidelines (http://www.redbooks.ibm.com/abstracts/sg247521.html) Specific guidelines for HA clusters The following are specific guidelines for a firmware upgrade of the encryption switch or blade when deployed in - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 212
the node 1 (BES1). Refer to the Fabric OS Administrator's Guide if necessary to review firmware download procedures. 6. After firmware download is complete and node 1 (BES1) is back up, make sure the encryption engine is online. 7. On node 1 (BES1) initiate manual failback of CryptoTarget containers - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 213
switch prior to configuration download. 4. Create an encryption group with same name as in configuration upload information for the encryption group leader node. 5. Import Authentication Card Certificates onto the switch prior to configuration download. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 214
generate the master key and back it up. If authentication cards are used, set the authentication quorum size from the encryption group leader node after importing and registering the necessary number of Authentication Card certificates. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 215
the CX3 array exposes both 0x0 and 0x4000 LUNs to the HP-UX host. 0x0 and 0x4000 LUNs have the same LSN. Both must be added as cleartext. AIX Considerations Ensure that Dynamic Tracking is set to "Yes" for all Fibre Channel adapters on the AIX system. Enable of a disabled LUN When Metadata is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 216
format (such as native Brocade format or DF-compatible), and optionally specify a key life span for the tape pool. Tape pools are unique across an encryption group. Tape pool configuration takes precedence over LUN level configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 217
has a user-determined lifespan, which applies to the elapsed time between write operations to new tapes. Configuring CryptoTarget containers and LUNs The following are best practices to follow when configuring CryptoTarget containers and crypto LUNs: • Host a target port on only one encryption switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 218
issuing the cfgtransshow CLI command. • LUNs are uniquely identified by the encryption switch or FS8 ports) are connected to an edge switch in a fabric, and not directly to Encryption switch/blade ports. • Always use the following process when configuring - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 219
, and does not cause problems with decrypting the data. However, double encryption adds the unnecessary need to manage two sets of encryption keys, increases the risk of losing data, may reduce performance, and does not add security. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 220
. The I/O sync links (the Ethernet ports labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to enable proper handling of re-key state synchronization in high availability (HA cluster) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 221
configuration while re-keying Never change the configuration of any LUN that belongs to a Crypto Target Container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN's settings during manual . - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 222
5 Changing IP addresses in encryption groups NOTE In the event that the signed KAC certificate must be re-registered, you will need to log in to the key vault web interface and upload the new signed KAC certificate for the corresponding Brocade Encryption Switch Identity. You can change the value of - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 223
performance license is not installed, 48 Gbps of full duplex encryption bandwidth is available of the encryption engine, each of the six encryption blocks will use two ports instead of four, reducing the fan-in ratio by a factor of two. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 224
to two different nodes for true redundancy. This is always the case for Brocade encryption switches, but is not true if two FS8-18 blades in the same DCX or DCX-4S chassis are configured in the same HA cluster. In Fabric OS v6.3.0 and later releases, HA cluster creation is blocked when encryption - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 225
use cases 213 • Encryption group database manual operations 223 • Key vault diagnostics 223 • General encryption troubleshooting 226 • Troubleshooting examples using the CLI 229 • Management application encryption wizard troubleshooting 231 • LUN policy troubleshooting 234 • Loss of encryption group - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 226
command. Refer to the section "Replacing an HA cluster member" on page 209 for instructions. FIGURE 109 Removing a node from an encryption group The procedure for removing a node depends on the node's status within an encryption group. HA cluster membership and Crypto LUN configurations must be - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 227
DEF_NODE_STATE_DISCOVERED Role: MemberNode IP Address: 10.32. Key State: Not configured Alternate Master KeyID node WWN. SecurityAdmin:switch>cryptocfg --dereg - the VI/VT WWNs are reclaimed. Refer to "cryptocfg --reclaimWWN" commands. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 228
group "brocade". 1. Log in to the Group Leader as Admin or SecurityAdmin. 2. Enter the cryptocfg --delete -encgroup command followed by the encryption group name. SecurityAdmin:switch> cryptocfg --delete -encgroup CRYPTO_LSWAT This will permanently delete the encryption group configuration ARE YOU - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 229
fc:8a it is offline. SecurityAdmin:switch>cryptocfg --show -hacluster -all Encryption Group Name: brocade in to the Group Leader as Admin or SecurityAdmin. 2. Enter the and target T2 is hosted on EE2. Refer to Figure 110. EE2 fails and - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 230
replacement encryption engine (EE3). 2. Commit the transaction. If failback mode is set to auto, the target (T2) which failed over earlier to EE1 be removed. 4. Invoke the cryptocfg --commit command to sync the configuration in the encryption group. 5. After the transaction is committed, remove the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 231
commit command to sync the configuration in the encryption group. 5. leader as Admin or SecurityAdmin. switch>cryptocfg --delete -hacluster HAC1 Delete HA cluster status: Operation succeeded. 3. Enter the cryptocfg --commit command to commit the transaction. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 232
leader as Admin or SecurityAdmin. switch>cryptocfg --failback -EE 10:00:00:05:1e:53:89:dd 0 \ 10:00:00:05:1e:53:fc:8a 0 Operation succeeded. • After the failback completes, the cryptocfg --show -hacluster -all command no longer reports active failover. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 233
's encryption services. Re-key configurations across all member nodes. cryptocfg --commit NOTE When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 234
configurations and services that failed over earlier to N1 fail back to N3. The node resumes its normal function. If auto failback policy is not set, invoke a manual failback if required. Refer to the section "Performing a manual failback of an encryption engine" on page 212 for instructions - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 235
encryption engines' encryption services continue to function manual) on any of the nodes. Refer to the section "Configuration impact of encryption group split or node isolation" on page 222 for more information on which configuration changes are allowed. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 236
cannot start any re-key operations (auto or manual) on any of the nodes. Refer to the section "Configuration impact of encryption group split or node isolation" the crypto-device configuration from the group leader to all member nodes. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 237
switch:admin->cryptocfg --set -hbtimeout Where: Sets the number of heartbeat misses allowed in a node that is part of an encryption group before the node is declared unreachable. This value is set in conjunction with the time-out value. It must be configured at the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 238
is a group leader. EG split manual recovery steps Regardless of which particular or more EG status displays as CONVERGED, contact technical support as the following procedure will not work. To re is addressed in the "Two node EG split manual recovery example". 5. Re-register all Nodes from that - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 239
CLUSTER_STATE_DEGRADED then contact technical support. In our case, assume the User has performed this WWN 10:00:00:05:1e:c1:9a:86 needs to be deregistered. Switch:admin > cryptocfg --show -groupmember -all NODE LIST Total Number of defined - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 240
that have split into a pair of two node encryption groups, refer to "The 2:2 EG split exception" on page 220 for Node181:admin->cryptocfg --delete -encgroup This will permanently delete the encryption group configuration ARE - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 241
admin->cryptocfg --show -groupcfg Node182:admin->cryptocfg --show -groupcfg Both nodes will now show a two node CONVERGED EG in which Node182 is the group leader node and Node181 is a member node. The above manual configuration converged. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 242
container • Modifying LUNs or LUN policies • Creating or deleting a tape pool • Modifying a tape pool policy • Starting a manual re-keying session • Performing a manual failback of containers • Deleting a CryptoTarget container - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 243
new group leader's database information may be different from what was set up before the group leader was rebooted. Manually synchronizing the security database This operation can resolve problems for any device configurations invoked earlier through the CLI or Management application interfaces by - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 244
• CA Certificate and its validity (for example, valid header and expiry date) • Key Vault IP/Port • KV firmware version • Time of day on the KV • Key class and format on the KV configured for the user group • Client session timeout • Encryption node scope • Node KAC certificate and its validity (for - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 245
for manual synchronization of keys depends on the point of key vault connectivity failure or user-initiated the possible issue with configuration or setup that needs manual intervention, such as refer to the Fabric OS Command Reference v7.0.0. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 246
for failures you might encounter while configuring switches using the CLI. TABLE 9 Command General troubleshooting tips using the CLI Activity supportsave configshow cfgshow nsshow switch:SecurityAdmin> cryptocfg --show -groupcfg switch:SecurityAdmin> cryptocfg --show -groupmember -all Check - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 247
so results in unsuccessful HA Cluster creation. If the IP addresses for these ports were configured after the encryption engine is enabled, reboot the encryption switch or slotpoweroff/slotpoweron the encryption blade to sync up the IP address information to the encryption engine. Re-keying fails - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 248
General encryption troubleshooting TABLE 10 Problem General errors and DWORD "BufferQueueSize" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent, and set the value to 1. Then restart DPM servers: MSDPM, - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 249
using the CLI 6 Troubleshooting examples using the CLI Encryption Enabled Crypto Target LUN The LUN state should be Encryption enabled for the host to see the Crypto LUN. switch:FabricAdmin> 26 19:28:27 2008 Operation succeeded - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 250
6 Troubleshooting examples using the CLI Encryption Disabled Crypto Target LUN If the LUN state is Encryption Disabled the host will not be able to access the Crypto LUN. switch:FabricAdmin> cryptocfg :28:27 2008 Operation succeeded - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 251
dialog box. 2 Re-run the Configure Switch Encryption wizard for the switch. Manual Option: 1 Save the switch's public key certificate to a file using the Switch Encryption Properties dialog box. 2 Follow the Key Vault instructions. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 252
6 Management application encryption wizard troubleshooting Errors related to adding a switch to a new group Table 12 lists configuration task errors you might encounter while adding a switch to a new group, and describes how to troubleshoot them. TABLE 12 Error recovery instructions for adding a - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 253
Management application encryption wizard troubleshooting 6 TABLE 12 Error recovery instructions for adding a switch to a new group (Continued) Configuration task Error description Instructions Create a new master key (opaque key A failure occurred while attempting to vaults only) create a - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 254
troubleshooting problems related to LUN policies. TABLE 14 LUN policy troubleshooting Case Reasons for the LUN getting disabled by Action taken the encryption switch the target port Then issue the cryptocfg --discoverLUN command on other paths of the LUN in the DEK cluster. 3 The LUN was set up - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 255
of the failed Brocade Encryption Switch. cryptocfg --reclaimWWN -membernode 3. Synchronize the crypto configurations across all member nodes node to the new group leader node for all containers on the encryption engine. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 256
that only one path is active to the LUN, but the Brocade Encryption Switch internal LUN states for both paths will now likely be displayed as Encryption Enabled. In active/passive storage array environments, for troubleshooting purposes, you may want to update the encryption engine Internal LUN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 257
this example, slot 4) in the chassis. 6. Connect the IO sync ports to the same private LAN as the IO sync ports of the failed blade, and confirm that the IP addresses of the I/O sync ports (Ge0 and Ge1) are the same as the previous IP addresses. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 258
slot as the previous one, no change of HAC container ownership is required. The HAC configuration is retained as is. If manual failback was set on the HAC, then user intervention is required to manually failback the LUNs owned by the newly replaced encryption engine. There is no change in crypto - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 259
same private LAN as the IO sync port of the failed node. 7. Run the following command on the ejected member node: cryptocfg --reclaimWWN -cleanup NOTE Do not reconnect the FC cables yet. 8. Power on the new Brocade Encryption Switch. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 260
engine. 12. Initialize the new Brocade Encryption Switch node. cryptocfg --initnode 13. From the New Brocade Encryption Switch node, run the following command to export the CP certificate of the New Brocade Encryption Switch: cryptocfg --export -scp -CPcert 14 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 261
"Brocade." 24. Create the username and password on the new node same as created on the HP SKM/ESKM appliances. Use the following command: cryptocfg --reg -KACLogin 25. From the new Brocade Encryption Switch, run the following command to set the default zone as "allaccess" so the configuration from - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 262
from the previous uploaded configuration. 8. Zeroize the new Brocade Encryption Switch. cryptocfg --zeroizeEE The Brocade Encryption Switch reboots automatically. 9. If system card authentication was enabled, you must re-register the system card through the Management application client for the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 263
the defzone as allaccess on the new Brocade Encryption Switch, so the configuration from Fabric is pushed to new Brocade Encryption Switch. 23. Run the following command on the new Brocade Encryption Switch: cfgsave 24. Connect the FC Cables to the new Brocade Encryption Switch. 25. Run the cfgsave - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 264
Brocade Encryption Switch. cryptocfg --reclaimWWN -membernode [-list] 3. Synchronize the crypto configurations to a new encryption group. TABLE 15 Splitting an encryption group Encryption group Nodes Original EG New EG1 New EG2 BES1 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 265
following command on BES3 to clean up the encryption configuration on the deregistered node: cryptocfg --reclaimWWN -cleanup BES4. 7. Create a new EG on BES3: a. Create the group: cryptocfg --create -encgroup BES3 b. Set the key vault type. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 266
BES2 from EG1 to EG2. TABLE 17 Moving a Brocade Encryption Switch from one EG to another EG Encryption group Nodes the VI/VT WWN base for the Brocade Encryption Switch to be moved out of EG1. on BES2 to clean up the encryption configuration on the deregistered node: cryptocfg --reclaimWWN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 267
the Crypto Target Container and commit. 2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt" and "enable_encexistingdata" set for enabling the first-time encryption, then commit. This will clear the stale rekey metadata on the LUN and the LUN can be used - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 268
6 Removing stale rekey information for a LUN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 269
engine security processor (SP) state Description Not available Not Brocade Encryption Switch or DCX Not Ready Fail to connect to blade Starting for more details. Encryption engine is operational, but EG is not configured or EG information is not available. Check EG status. Encryption engine - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 270
(current MK or None primary KV link key) Mismatch Primary KEK is not configured. Primary KEK mismatch between the CP and the SP. Match/Valid Primary KEK Table 21 lists LUN states that are specific to tape LUNs. TABLE 20 LUN state - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 271
LUN_MANUAL_REKEY_PENDING Manual re-key new key failure). LUN_DIS_REKEY_ACK_ERR Disabled (Re-key back with failure). LUN_DIS_REKEY_DONE_ERR Disabled (Re-key done with failure). LUN_DIS_WR_META_ACK_ERR Disabled (Write metadata back with failure). - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 272
Disabled (LUN re-discovery detects new device ID). LUN_DIS_DUP_LSN Disabled (Duplicate or supported). LUN_DIS_CFG_KEY_NOT_FOUND Disabled (Unable to retrieve key by key ID specified from configuration). is unknown. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 273
software error. If it occurs, contact Brocade support. Target port is not currently in the fabric. Check connections and L2 port state. The target port is active, but this particular Logical Unit is not supported by that target. This indicates a user configuration error. The logical unit on target - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 274
The tape medium or its current tape policy is DataFort-compatible mode, but The encryption switch or blade does not have the appropriate license to enable this feature. The tape medium in a RASLOG and ABORTED COMMAND returned to host. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 275
-haclustermember, 139 --add -initiator, 150, 158, 168 --add -LUN, 155, 168, 170, 171 B Brocade Encryption Switch See switch C CLI general errors and resolution, 226 using to configure encryption switch or blade, 112 command RBAC permissions, 113 command validation checks, 112 commands ipaddrset, 116 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 276
fabric, 185 deployment in fibre channel routed fabrics, 183 deployment with FCIP extension switches, 186 dual fabric deployment, 179 single fabric deployment, 177, 178 deployment with admin domains (AD), 199 deregister command,--dereg -membernode, 207 DHCP for IP interfaces, 199 discover commands - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 277
for adding a switch to a new group, 232 for adding a switch to an existing group, 231 error recovery instructions for adding a switch to an existing group, 231 errors related to the CLI, 226 export commands --export, 133 --exportmasterkey, 135 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 278
support for high availability (HA), 32, 124 LUN adding Crypto LUN to CryptoTarget container, 154 adding to a CryptoTarget container, 154 choosing to be added to an encryption target container, 70 configuration warning, 148, 150, 151, 152, 153, 154 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 279
CLI, 160 multi-path configuration requirements, 149 policy parameters, 161 removing Crypto LUN to CryptoTarget container, 159 setting policy for automatic re-keying, 171 M manual command, --manual_rekey, 172 manual (RBAC) permissions for - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 280
errors related to the Configure Switch Encryption wizard, 233 management application wizard, 231 nsshow command, 226 supportsave command, 226 troubleshooting examples using the CLI, 229 turn off compression on extension switches, 200 turn off host-based encryption, 199 U user privileges defined, 15 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 281
configuration, 147 virtual targets, description of in an encryption configuration, 147 Z zeroize command --zeroize, 126 zeroizing effects of using on encryption engine, 88 zone creating an initiator-target using the CLI, 145 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 282