Home » HP Manuals » Storage Devices » HP Cisco MDS 9020 » Manual Viewer

HP Cisco MDS 9020 Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 249

Ensure that you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST

Add to My Manuals
Save this manual to your list of manuals

Page 249 highlights

Appendix C Provisioning Self-Sign Certificates Configuring SSL for Cisco SME Send documentation comments to [email protected] Step 7 Generate a certificate request for enrolling with the trustpoint created in Step 3. switch(config)# crypto ca enroll my_ca Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:nbv123 The subject name in the certificate will be: ips-vegas8.cisco.com Include the switch serial number in the subject name? [yes/no]:no Include an IP address in the subject name [yes/no]:no The certificate request will be displayed... ----BEGIN CERTIFICATE REQUEST---MIIBJTCB0AIBADAfMR0wGwYDVQQDExRpcHMtdmVnYXM4LmNpc2NvLmNvbTBcMA0G CSqGSIb3DQEBAQUAA0sAMEgCQQCeAzv5w9d32YpPfYdNYoFjOW0yRVbYEe+mNHi8 b2VPOVZ6UOFdhIS1Im0/Xv1Bpcuy4TRktu7whNyyvvu3niVdAgMBAAGgTDAVBgkq hkiG9w0BCQcxCBMGbmJ2MTIzMDMGCSqGSIb3DQEJDjEmMCQwIgYDVR0RAQH/BBgw FoIUaXBzLXZlZ2FzOC5jaXNjby5jb20wDQYJKoZIhvcNAQEEBQADQQBzPcKE3Eje TjODnPXNkz1WsU3oUdsuxOT/m1OSBZvhBfHICQZZpfS2ILqaQP16LiZCZydHWViN Q+9LmHUZ4BDG ----END CERTIFICATE REQUEST---- switch(config)# Step 8 Create a file named switch.csr in the OpenSSL.exe directory. Cut and paste the certificate request created in Step 7. Ensure that you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines in the file content. Step 9 Generate an identity certificate for this certificate request in the OpenSSL application by entering the following command: OpenSSL> x509 -req -days 365 -in switch.csr -CA cacert.pem -CAkey privkey.pem -set_serial 01 -out switch.pem Step 10 Import the trustpoint certificate at the switch by cutting and pasting the contents of the switch.pem file that was created in Step 9. switch(config)# crypto ca import my_ca certificate input (cut & paste) certificate in PEM format: ----BEGIN CERTIFICATE---MIIB4jCCAUsCAQEwDQYJKoZIhvcNAQEEBQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEaMBgGA1UEChMRQ2lz Y28gU3lzdGVtcyBJbmMxDjAMBgNVBAsTBURldmVsMREwDwYDVQQDEwhtYW1hc3Nl eTEhMB8GCSqGSIb3DQEJARYSbWFtYXNzZXlAY2lzY28uY29tMB4XDTA3MTIxNDAy MzIzOVoXDTA4MTIxMzAyMzIzOVowHzEdMBsGA1UEAxMUaXBzLXZlZ2FzOC5jaXNj by5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAngM7+cPXd9mKT32HTWKBYzlt MkVW2BHvpjR4vG9lTzlWelDhXYSEtSJtP179QaXLsuE0ZLbu8ITcsr77t54lXQID AQABMA0GCSqGSIb3DQEBBAUAA4GBAKR3WAAF/9zMb2u9A42I2cB2G5lucSzndc4P +O4sYZF5pBt7UpyAs1GKAqivGXVq2FJ2JetX78Fqy7jYCzanWm0tck0/G1dSfr/X lCFXUuVed9de02yqxARSEx8mX4ifqzYHErHdbi+vDAaMzkUEvHWthOuUZ7fvpoNH +xhRAuBo ----END CERTIFICATE---- Step 11 Repeat steps 2 through 9 for all the switches managed by a Fabric Manager server. Ensure that the same trustpoint is used for all the switches in this Fabric Manager server. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide C-3

Section	Page
Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, Release 4.x	1
Contents	3
New and Changed Information	11
Preface	15
Product Overview	19
About Cisco Storage Media Encryption	19
Cisco Storage Media Encryption Features	20
Cisco SME Terminology	25
Supported Topologies	26
In-Service Software Upgrade in Cisco SME	27
Software and Hardware Requirements	28
Software Requirements	28
Hardware Requirements	28
Cisco SME Prerequisites	30
Java Cryptography Extension Requirement	30
Zoning Requirement	30
FC-Redirect Requirements	30
Cisco Storage Media Encryption Security Overview	31
Additional Security Capabilities	31
Getting Started	33
Cisco SME Installation	33
Cisco MDS 9000 Fabric Manager	34
Command Line Interface	34
Before You Begin	34
Enabling Clustering	35
Enabling Cisco SME	38
Enabling DNS	40
IP Access Lists for the Management Interface	41
Creating and Assigning Cisco SME Roles and Cisco SME Users	41
Installing Fabric Manager, Fabric Manager Client, and Enabling HTTPS	44
Choosing a Key Manager	48
Using FC-Redirect with CFS Regions	49
Installing Smart Card Drivers	49
Obtaining and Installing Licenses	50
Cisco SME Configuration Overview	50
Cisco SME Configuration Restrictions	51
FICON Restriction	51
iSCSI Restriction	51
FC-Redirect Restrictions	52
Cisco SME Configuration Limits	52
Cisco SME Interface Configuration	53
Configuring and Starting the Cisco SME Interface	53
Configuring and Starting an Cisco SME Interface Using Device Manager	53
Viewing Cisco SME Interfaces in Fabric Manager Web Client	55
Saving Your Interface Configurations	55
Adding Cisco SME Interfaces to a Cisco SME Configuration	56
Viewing Cisco SME Interface Information Using the CLI	58
Removing (Unbinding) Cisco SME Interfaces from a Cisco SME Cluster	59
Deleting Switches From a Cisco SME Cluster	60
Cisco SME Cluster Management	63
About SME Cluster Management	63
Creating a Cisco SME Cluster Using the Cisco SME Wizard	63
Launching Cisco SME Wizard	64
Choosing a Cluster Name	65
Selecting Fabrics	66
Selecting Interfaces	66
Selecting Master Key Security Levels	67
Selecting Media Key Settings	70
Specifying the Key Management Center Server	71
Selecting Transport Settings	72
Confirming the Cluster Creation	73
Downloading Key File and Storing Keyshares	74
Deactivating and Purging a Cisco SME Cluster	82
Deactivating a Cisco SME Cluster	83
Purging a Cisco SME Cluster	84
Viewing Cisco SME Cluster Details	85
Viewing Cluster States	85
Viewing Members in a Cluster	86
Viewing and Modifying Transport Settings in Cluster Detail Page	86
Viewing and Modifying Key Management Servers Settings	89
Viewing Cluster Information Using Fabric Manager Client	90
Viewing Cluster Information Using Device Manager	91
Cluster Quorum and Master Switch Election Overview	92
Cluster Quorum	93
Master Switch Election	93
In-Service Software Upgrade (ISSU) in a Two-Node Cluster	95
Cisco SME Tape Configuration	97
About Cisco Storage Media Encryption Tape Management	97
Adding Tape Groups	98
Deleting Tape Groups	102
Adding Tape Devices	103
Deleting Tape Devices	106
Adding Tape Paths	107
Deleting Paths from a Device	109
Adding Tape Volume Groups	110
Deleting Tape Volume Groups	112
Viewing Host Details	113
Viewing Tape Device Details	113
Cisco SME Key Management	115
Key Hierarchy	115
Master Key	116
Tape Volume Group Key	116
Tape Volume Key	116
Cisco Key Management Center	116
Master Key Security Modes	117
Key Management Settings	118
Tape Recycling	118
High Availability Key Management Center	119
Choosing High Availability Settings	119
Key Management Operations	121
Viewing Standard Security Mode Smart Cards	121
Viewing Advanced Security Mode Smart Cards	122
Viewing Keys	122
Purging Volumes	123
Purging Volume Groups	123
Exporting Volume Groups	124
Importing Volume Groups	126
Rekeying Tape Volume Groups	128
Auto Key Replication of Keys Across Data Centers	129
Basic Mode Master Key Download	133
Replacing Smart Cards	136
Exporting Volume Groups From Archived Clusters	147
Accounting Log Information	157
Viewing Accounting Log Information	157
KMC Accounting Log Messages	158
Migrating a KMC Server	162
Using the Command Line Interface to Configure SME	165
SME Configuration Tasks	165
Enabling and Disabling SME Clustering	166
Enabling and Disabling the Cisco SME Service	166
Creating the SME Interface	166
Deleting the SME Interface	167
Creating the SME Cluster	167
Setting the SME Cluster Security Level	168
Setting Up the Cisco SME Administrator and Recovery Officer Roles	169
Adding an SME Interface from a Local or Remote Switch	169
Configuring Unique or Shared Key Mode	170
Enabling and Disabling Automatic Volume Groups	170
Enabling and Disabling Tape Compression	171
Enabling and Disabling Key-on-Tape	171
Configuring a Tape Volume Group	172
Viewing Cisco SME Cluster, Internal, and Transport Information	172
Viewing Cisco SME Cluster Details	173
Viewing Cluster Key Information	173
Viewing Cluster Node Information	174
Viewing Recovery Officer Information	174
Viewing Tape Information	175
Viewing Cisco SME Role Configurations	175
Cisco SME Best Practices	177
Overview of Best Practices	177
General Practices	177
Cisco SME Configuration Practices	177
Cisco KMC Practices	178
Fabric Management Practices	178
Cisco SME Troubleshooting	179
Troubleshooting Resources	179
Cluster Recovery Scenarios	179
Troubleshooting General Issues	185
Troubleshooting Scenarios	185
Cisco SME CLI Commands	189
SME Commands	189
auto-volgrp	190
clear fc-redirect config	191
cluster	192
debug sme	193
discover	195
do	196
fabric	198
fabric-membership	199
fc-redirect version2 enable	200
feature	202
interface sme	203
interface sme (Cisco SME cluster node configuration submode)	204
key-ontape	206
link-state-trap	208
load-balancing	209
node	210
odrt.bin	211
rule	213
scaling batch enable	214
security-mode	215
setup	216
shared-keymode	217
show debug	218
show fc-redirect active-configs	219
show fc-redirect configs	221
show fc-redirect peer-switches	222
show interface sme	224
show role	226
show sme cluster	228
show sme transport	231
show tech-support sme	232
shutdown (interface configuration submode)	233
shutdown (Cisco SME cluster configuration submode)	234
sme	235
ssl	236
tape-bkgrp	237
tape-compression	238
tape-device	239
tape-keyrecycle	240
tape-volgrp	241
tune-timer	242
Offline Data Recovery in Cisco SME	245
About Offline Data Restore Tool	245
Provisioning Self-Sign Certificates	247
Configuring SSL for Cisco SME	247
Creating CA Certificates	248
Generating KMC Certificate	250
Generating and Installing Self-Signed Certificates	250
Editing SSL Settings in Cisco Fabric Manager Web Client	252
RSA Key Manager and Cisco SME	255
Installing the RKM Application	255
Generating CA Certificates	256
Creating JKS Files Using the Java Keytool	258
Placing Certificates in RKM	259
Adding the Cisco SME User to RKM	259
Selecting RKM	260
Migrating From Cisco KMC to RKM	262
Database Backup and Restore	265
Backing Up Fabric Manager Server Database	265
Restoring Fabric Manager Server Database	266
Database Backup and Restore Operations	266
Planning For Cisco SME Installation	267
SAN Considerations	267
Interoperability Matrix	268
MSM-18/4 Modules	268
Key Management Center and Fabric Manager Server	268
Security	269
Communication	269
Preinstallation Requirements	270
Preconfiguration Tasks	270
Installing Fabric Manager	270
Configuring CFS Regions For FC-Redirect	271
Enabling Cisco SME Services	271
Assigning Cisco SME Roles and Users	272
Creating Cisco SME Fabrics	272
Installing SSL Certificates	272
Provisioning Cisco SME	273
Migrating Cisco SME Database Tables	275

Match case Limit results 1 per page

Send documentation comments to [email protected]

C-3

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide

OL-18091-01, Cisco MDS NX-OS Release 4.x

Appendix C

Provisioning Self-Sign Certificates

Configuring SSL for Cisco SME

Step 7

Generate a certificate request for enrolling with the trustpoint created in Step 3.

switch(config)#

crypto ca enroll my_ca

Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:nbv123

The subject name in the certificate will be: ips-vegas8.cisco.com

Include the switch serial number in the subject name? [yes/no]:

Include an IP address in the subject name [yes/no]:

The certificate request will be displayed...

----BEGIN CERTIFICATE REQUEST----

MIIBJTCB0AIBADAfMR0wGwYDVQQDExRpcHMtdmVnYXM4LmNpc2NvLmNvbTBcMA0G

CSqGSIb3DQEBAQUAA0sAMEgCQQCeAzv5w9d32YpPfYdNYoFjOW0yRVbYEe+mNHi8

b2VPOVZ6UOFdhIS1Im0/Xv1Bpcuy4TRktu7whNyyvvu3niVdAgMBAAGgTDAVBgkq

hkiG9w0BCQcxCBMGbmJ2MTIzMDMGCSqGSIb3DQEJDjEmMCQwIgYDVR0RAQH/BBgw

FoIUaXBzLXZlZ2FzOC5jaXNjby5jb20wDQYJKoZIhvcNAQEEBQADQQBzPcKE3Eje

TjODnPXNkz1WsU3oUdsuxOT/m1OSBZvhBfHICQZZpfS2ILqaQP16LiZCZydHWViN

Q+9LmHUZ4BDG

----END CERTIFICATE REQUEST----

switch(config)#

Step 8

Create a file named switch.csr in the OpenSSL.exe directory. Cut and paste the certificate request created

in Step 7.

Ensure that you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST

lines in the file content.

Step 9

Generate an identity certificate for this certificate request in the OpenSSL application by entering the

following command:

OpenSSL>

x509 -req -days 365 -in switch.csr -CA cacert.pem -CAkey privkey.pem -set_serial 01

-out switch.pem

Step 10

Import the trustpoint certificate at the switch by cutting and pasting the contents of the switch.pem file

that was created in Step 9.

switch(config)#

crypto ca import my_ca certificate

input (cut & paste) certificate in PEM format:

----BEGIN CERTIFICATE----

MIIB4jCCAUsCAQEwDQYJKoZIhvcNAQEEBQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYD

VQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEaMBgGA1UEChMRQ2lz

Y28gU3lzdGVtcyBJbmMxDjAMBgNVBAsTBURldmVsMREwDwYDVQQDEwhtYW1hc3Nl

eTEhMB8GCSqGSIb3DQEJARYSbWFtYXNzZXlAY2lzY28uY29tMB4XDTA3MTIxNDAy

MzIzOVoXDTA4MTIxMzAyMzIzOVowHzEdMBsGA1UEAxMUaXBzLXZlZ2FzOC5jaXNj

by5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAngM7+cPXd9mKT32HTWKBYzlt

MkVW2BHvpjR4vG9lTzlWelDhXYSEtSJtP179QaXLsuE0ZLbu8ITcsr77t54lXQID

AQABMA0GCSqGSIb3DQEBBAUAA4GBAKR3WAAF/9zMb2u9A42I2cB2G5lucSzndc4P

+O4sYZF5pBt7UpyAs1GKAqivGXVq2FJ2JetX78Fqy7jYCzanWm0tck0/G1dSfr/X

lCFXUuVed9de02yqxARSEx8mX4ifqzYHErHdbi+vDAaMzkUEvHWthOuUZ7fvpoNH

+xhRAuBo

----END CERTIFICATE----

Step 11

Repeat steps 2 through 9 for all the switches managed by a Fabric Manager server. Ensure that the same

trustpoint is used for all the switches in this Fabric Manager server.