HP Cisco MDS 9216 Cisco MDS 9000 Family Storage Media Encryption Configuration
HP Cisco MDS 9216 - Fabric Switch Manual
HP Cisco MDS 9216 manual content summary:
- HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 1
comments to [email protected] Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, Release 4.x Cisco MDS NX-OS Release 4.1(3) February 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 2
, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, Release 4.x © 2009 Cisco Systems, Inc. All rights reserved. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 3
1-6 SME Scalability 1-6 Cisco SME Terminology 1-7 Supported Topologies 1-8 Single-Fabric Topology 1-8 In-Service Software Upgrade in Cisco SME 1-9 Software and Hardware Requirements 1-10 OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide i - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 4
Software Requirements 1-10 Hardware Requirements 1-10 Cisco MDS 9000 Family 18/4-Port Multiservice Module (MSM-18/4) 1-10 Cisco MDS 9222i Multiservice Modular Switch 1-11 FC-Redirect-Capable Switches 1-11 Smart Card Readers 1-12 Cisco SME Prerequisites 1-12 Java Cryptography Extension Requirement - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 5
Download Key File 4-12 Standard Security Confirmation and Stored Keyshares 4-13 Advanced Security Confirmation and Stored Keyshares 4-15 Deactivating and Purging a Cisco SME Cluster 4-20 OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide iii - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 6
17 Chapter 6 Cisco SME Key Management 6-1 Key Hierarchy 6-1 Master Key 6-2 Tape Volume Group Key 6-2 Tape Volume Key 6-2 Cisco Key Management Center 6-2 Master Key Security Modes 6-3 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide iv OL-18091-01, Cisco MDS NX-OS Release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 7
Keys in Fabric Manager Web Client Cisco SME Service 7-2 Creating the SME Interface 7-2 Deleting the SME Interface 7-3 Creating the SME Cluster 7-3 Setting the SME Cluster Security Level 7-4 OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 8
9-4 Reassigning the Cisco SME Cluster Master Switch 9-5 Troubleshooting General Issues 9-7 Troubleshooting Scenarios 9-7 Appendix A Cisco SME CLI Commands A-1 SME Commands A-1 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide vi OL-18091-01, Cisco MDS NX-OS Release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 9
F-4 Preconfiguration Tasks F-4 Installing Fabric Manager F-4 Configuring CFS Regions For FC-Redirect F-5 Enabling Cisco SME Services F-5 Assigning Cisco SME Roles and Users F-6 OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide vii - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 10
comments to [email protected] Creating Cisco SME Fabrics F-6 Installing SSL Certificates F-6 Provisioning Cisco SME F-7 Appendix G Migrating Cisco SME Database Tables G-1 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide viii OL-18091-01, Cisco MDS NX-OS Release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 11
.html Table 1 summarizes the new and changed features as described in the Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, each supported Cisco MDS SAN-OS release and NX-OS release for the Cisco MDS 9500 Series, with the latest release first. The table includes a brief description - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 12
" Generating and Installing Self-Signed Certificates How to configure SSL when KMC 4.1(1c) is separated from Fabric Manager Server. Appendix C, "Provisioning Self-Sign Certificates" Cisco MDS 9000 Family Storage Media Encryption Configuration Guide x OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 13
SME Key Management" Target-Based Load Balancing Clustering offers target-based load 3.3(1c) Chapter 1, "Product balancing of Cisco SME services. Overview" Enabling Clustering Using Fabric Manager Change in Command Users can select enable to enable menu of the Control tab. clustering. 3.3(1c - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 14
in the Cisco SME wizard. Appendix C, "Provisioning Self-Sign Certificates" Describes how to back up and restore Fabric Manager Server databases. 3.3(1c) Appendix E, "Database Backup and Restore" Cisco MDS 9000 Family Storage Media Encryption Configuration Guide xii OL-18091-01, Cisco MDS NX-OS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 15
how to use SME CLI commands to Configure SME configure and monitor Cisco SME clusters. Cisco SME Best Practices Describes recommended steps to ensure proper operation of Cisco SME. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide xiii - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 16
Cisco SME Troubleshooting Describes basic troubleshooting methods used to resolve issues with Cisco SME. Cisco SME CLI Commands Includes syntax and usage guidelines for the Cisco MDS the switch manual. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide xiv OL-18091-01, Cisco MDS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 17
Storage Service Interface Images Regulatory Compliance and Safety Information • Regulatory Compliance and Safety Information for the Cisco MDS 9000 Family Hardware Installation • Cisco MDS 9124 Multilayer Fabric Switch Quick Start Guide • Cisco MDS 9500 Series Hardware Installation Guide • Cisco MDS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 18
Networking Services Configuration Guides • Cisco MDS 9000 Family Data Mobility Manager Configuration Guide • Cisco MDS 9000 Family Secure Erase Configuration Guide - For Cisco MDS 9500 and 9200 Series Troubleshooting and Reference • Cisco MDS 9000 Family Troubleshooting Guide • Cisco MDS 9000 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 19
multiple SANs. • No additional software is required for provisioning, key, and user role management; Cisco SME is integrated into Cisco Fabric Manager, which reduces operating expenses. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 1-1 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 20
Media Encryption Features, page 1-2 • Cisco SME Terminology, page 1-7 • Supported Topologies, page 1-8 • In-Service Software Upgrade in Cisco SME, page 1-9 Cisco Storage Media Encryption Features The Cisco MDS 9000 Family of intelligent directors and fabric switches provide an open, standards-based - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 21
Media Encryption Send documentation comments to [email protected] Transparent Fabric Service Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module or an MDS 9222i switch anywhere in the fabric. There are no appliances in-line in - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 22
local fabrics and provision storage media encryption. The storage media encryption provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 23
Key Management Center" section on page 6-5. Cluster technology provides reliability and availability, automated load balancing, failover capabilities, and a single point of management. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 1-5 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 24
-Based Load Balancing The Cisco SME cluster consists of a set of switches (in a dual-fabric environment) running the Cisco SME application. Clustering offers target-based load balancing of Cisco SME application services. The cluster infrastructure allows the Cisco SME application to communicate - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 25
in the MSM-18/4 module or fixed slot of a Cisco MDS 9222i fabric switch. Each MSM-18/4 module and MDS 9222i switch has one security engine. • Cisco SME cluster-A network of MDS switches that are configured to provide the Cisco SME functionality; each switch includes one or more MSM-18/4 modules and - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 26
any host and tape on the fabric can utilize the Cisco SME services. Required Cisco SME engines are included in the following Cisco products: • Cisco MDS 9000 Family 18/4-port Multiservice Module (MSM-18/4) • Cisco MDS 9222i Multiservice Module Switch Single-Fabric Topology Figure 1-3 shows a single - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 27
MDS 9500 Series switch or an MDS 9216 or MDS 9222i switch running Cisco SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x. Encryption and compression services are transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 28
running the current release of Fabric Manager and Cisco SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x software. This includes the following: • The Fabric Manager server must be running Cisco SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x. • The Cisco MDS switches attached to tape devices - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 29
9120 switch • Cisco MDS 9140 switch • Cisco MDS 9124 switch • Cisco MDS 9134 switch • Cisco MDS 9020 switch Note Tape devices and tape libraries are not supported in these edge switches. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 30
is supported on Windows-only platforms. Cisco SME MDS 95XX/9216/9222i switch running Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x. • 32 targets per MSM-18/4 module can be FC-redirected. 1-12 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 31
Cisco KMC by the Cisco SME services in the fabric if needed again. A single Cisco KMC can be used as a centralized key repository for multiple fabrics with Cisco SME services. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 1-13 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 32
Cisco Storage Media Encryption Security Overview Chapter 1 Product Overview Send documentation comments to [email protected] 1-14 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 33
Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x must be installed on the Cisco MDS 9222i switch or the Cisco MDS 9000 Family switch with an MSM-18/4 module. • Cisco Fabric Manager Server must be installed on a computer that you want to use to provide centralized MDS management services - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 34
Manager applications are an alternative to the CLI for most switch configuration commands. For more information on configuring the Cisco MDS switch using Fabric Manager, refer to the Cisco MDS 9000 Fabric Manager Configuration Guide. Command Line Interface With the CLI, you can type commands at - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 35
SME are only available when these are enabled on a switch. Enabling Clustering You can enable clustering on the Cisco MDS 9000 switch with an installed MSM-18/4 module using Fabric Manager and Device Manager 3.2(2c) or later, or Cisco NX-OS 4.x. Note Be sure to enable clustering first, then enable - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 36
, locate the switch. Step 3 From the drop-down menu in the Command column, select enable. The default is noSelection. Note You can select enable on multiple switches, and then click Apply. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 2-4 OL-18091-01, Cisco MDS NX-OS Release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 37
switch: Step 1 From the Admin menu in the device screen, select Feature Control. Step 2 Select cluster. Step 3 From the Action column drop-down menu, select enable. Step 4 Click Apply. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 38
> SME Clusters. Step 2 From the Control tab in the information pane, locate the switch. Step 3 From the drop-down menu in the Command column, select enable. The default is noSelection. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 2-6 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 39
Note You can select enable on multiple switches, and then click Apply. Step 4 Click Apply. Enabling Cisco SME Using Device Manager To enable Cisco down menu, select enable. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 2-7 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 40
to the "Configuring IP Services" chapter in the Cisco MDS 9000 Family CLI Configuration Guide. To verify that DNS is enabled everywhere in the cluster, ping between the Fabric Manager server and the MDS switches and also between the MDS switches with DNS names. Cisco MDS 9000 Family Storage Media - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 41
.useIP for IP Address or Name Selection If you do not have DNS configured on all switches in the cluster, you can use sme.useIP. For information about sme.useIP, see Chapter 9, "Cisco SME Troubleshooting." IP Access Lists for the Management Interface Cluster communication requires the use of the - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 42
be present during the cluster creation to provide the user login and password information and smart card pin. • Master key recovery • Replace smart card 2-10 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 43
Officer, refer to the Cisco MDS 9000 Family CLI Configuration Guide. Creating and Assigning Cisco SME Roles Using Fabric Manager For detailed information on creating and assigning roles, refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide. Note Cisco SME role names must begin - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 44
installation chapters of the Cisco MDS 9000 Family Fabric Manager Configuration Guide. Note To configure Cisco SME, the Fabric Manager user credentials must be the same as the switch user. 2-12 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 45
Guide. Adding a Fabric and Changing the Fabric Name You need to add the fabric that includes the Cisco MDS switch with the MSM-18/4 module installed. You can also add a fabric that includes an MDS 9222i switch. Note Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x supports - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 46
do not manually change the fabric name and you reopen the fabric with a different seed switch, the fabric may be renamed to show the new switch name. Choose a unique name that is easily identifiable. 2-14 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 47
Note Cisco SME requires that you select Manage Continuously to receive continuous updates from the switches. Step 11 Click Close to return to the main screen and view the new fabric name. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 48
SME before choosing a key manager, Fabric Manager redirects you to the Key Cisco if you want to use the installation as a Cisco key manager c. Select RSA if you want to choose the RSA key manager. 2-16 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 49
FC-Redirect capable switches in the fabric. CFS regions can be used to restrict the distribution of the FC-Redirect configuration. Note Using FC-Redirect with CFS regions is an optional procedure. To learn more about CFS regions, refer to Cisco MDS 9000 Family CLI Configuration Guide. Guidelines for - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 50
SME licenses, refer to the licensing chapter in the Cisco MDS 9000 Family CLI Configuration Guide. Cisco SME Configuration Overview Before configuring Cisco SME on your switch, it is important to become familiar with the Cisco SME configuration process. This section provides an overview of the - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 51
SME configuration tasks listed below provide an overview of the basic Cisco SME configuration process. Complete the Cisco SME configuration tasks on the switch with an installed MSM-18/4 module or on a Cisco MDS 9222i switch. Cisco SME basic configuration tasks include the following: • Create the - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 52
-Redirect Restrictions FC-Redirect is not supported on the following switches: • Cisco MDS 9120 switch • Cisco MDS 9140 switch • Cisco MDS 9124 switch • Cisco MDS 9134 switch • Cisco MDS 9020 switch Cisco SME Configuration Limits Table 2-3 lists the Cisco SME configurations and the corresponding - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 53
, refer to the Cisco MDS 9000 Family CLI Configuration Guide. After completing the preliminary tasks described in Chapter 2, "Getting Started," you need to configure the Cisco SME interface on a Cisco MDS switch with an installed MSM-18/4 module or on a Cisco MDS 9222i switch. This section contains - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 54
1 is required for the Cisco SME feature. Step 5 Click the up radio button and click Create. Step 6 Open the Fabric Manager Web Client window to view the configured Cisco SME interfaces. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-2 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 55
to [email protected] Viewing Cisco SME Interfaces in Fabric Manager Web Client To view the newly created Cisco SME interfaces, switches as described by the following scenario. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 56
steps: Step 1 From the SME navigation pane, click Members to display the switches and interfaces already configured in the cluster. Step 2 Click Add to display the Add Interface Wizard. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-4 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 57
comments to [email protected] Step 3 Select the fabrics you want to add interfaces from. Click Next. Step 4 Select the SME interfaces that you would like to use. Click Next. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-5 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 58
1, encrypted luns 1 error statistics 0 CTH, 0 authentication 0 key generation, 0 incorrect read 38294 incompressible, 6 bad target responses last error at Fri Oct 26 15:04:52 2007 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-6 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 59
to display the switches and interfaces already configured in the cluster. Select a Cisco SME interface and click Remove. Step 3 Click OK to delete (unbind) the interface. Step 4 View the notification that the interface was removed. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 60
, follow these steps: Step 1 Click Members to display the switches that are part of the cluster. Step 2 Select the switch and click Remove. Step 3 Click OK to delete the switch. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 3-8 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 61
a Cisco SME Cluster Send documentation comments to [email protected] Step 4 View the notification that the switch was deleted. Note The interface and the node are both removed. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 62
Deleting Switches From a Cisco SME Cluster Chapter 3 Cisco SME Interface Configuration Send documentation comments to [email protected] 3-10 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 63
. The process of configuring Cisco SME on an MDS switch with an installed MSM-18/4 module or on a Cisco MDS 9222i switch involves a number of configuration tasks that should be followed in chronological order. See the topics in the Before You Begin online help in Fabric Manager Web Server. Refer - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 64
the web browser to the Fabric Manager Web Client. Log in with the user name and password. For login information, refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-2 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 65
Step 2 In the Fabric Manager Web Client, click the SME tab. Step 3 Select Clusters in the navigation pane. Step 4 Click Create in the information pane. The Cisco characters. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-3 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 66
about adding interfaces, see Chapter 3, "Cisco SME Interface Configuration." Note Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x supports one cluster per switch. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-4 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 67
use. You can choose any of the following security levels: • Selecting Basic Security, page 4-6 • Selecting Standard Security, page 4-6 • Selecting Advanced Security, page 4-7 OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-5 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 68
Security In the Master Key Security screen, select Standard and click Next. For Standard security, one Cisco SME Recovery Officer must be present to log in and enter the smart card PIN. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-6 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 69
quorum (2 of 3 or 2 of 5 or 3 of 5). Click Next. • For Advanced security, 5 Cisco SME Recovery Officers must be present to log in and enter the smart card PIN for each of the 5 . OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-7 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 70
Cluster Management Send documentation comments to [email protected] Selecting Media Key Settings Caution You cannot , see "Key Management Settings" section on page 6-4. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-8 OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 71
allows you to store the encrypted media key on the tape volume, not in the Cisco KMC. This provides better scaling when your backup environment includes a large number of tapes page 6-5. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-9 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 72
are updated by enabling SSL with trustpoint on the switches. KMC server connection state remains as 'none' until the cluster is updated. To disable Transport Settings, select Off. 4-10 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 73
SME Wizard Send documentation comments to [email protected] For more information on viewing or editing the transport progress until the entire configuration is applied. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-11 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 74
Cluster Management Send documentation comments to [email protected] Downloading Key File and Storing Keyshares This screen prompts you to open or save the encrypted file. 4-12 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 75
to Fabric Manager), the PIN number for the smart card, and a label that will identify the smart card. The PIN number and label were defined during the smart card initialization. Click Next. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 76
[email protected] Step 4 Click Finish to create a cluster. Step 5 After the cluster creation is completed, click Close to return to the Fabric Manager Web Client and to view the smart card information. 4-14 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 77
Stored Keyshares To configure the advanced security level, follow these steps: Step 1 In the Confirmation screen, click Confirm to create the cluster. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-15 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 78
log in to Fabric Manager), the PIN number for the smart card, and a label that will identify the smart card. The PIN number and label were defined during the smart card initialization. Click Next. 4-16 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 79
stored. This notification will be shown after each keyshare is stored. Click Next. Step 5 Enter the switch credentials and PIN information for the second recovery officer. Click Next. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-17 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 80
6 Enter the switch credentials and PIN information for the third recovery officer. Click Next. Step 7 Enter the switch credentials and PIN information for the fourth recovery officer. Click Next. 4-18 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 81
the switch credentials and PIN information for the fifth recovery officer. Click Next. Step 9 Click Finish to return to the Fabric Manager Web Client to view the smart card information. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 82
(permanently delete) a Cisco SME cluster (see Purging a Cisco SME Cluster, page 4-22) Note You can only purge a cluster that is in the deactivated state. This section covers the following topics: 4-20 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 83
information and the master key from the Cisco KMC. Step 3 Click OK. Step 4 Refresh Fabric Manager Web Client to view the notification that the cluster has been deactivated. OL-18091-01, Cisco MDS NX-OS Release 4.x Cisco MDS 9000 Family Storage Media Encryption Configuration Guide 4-21 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 84
groups, tape groups, and switches) • Delete (unbind) any Cisco SME interfaces that are Cisco KMC. Step 4 Refresh the Fabric Manager Web Client to view the notification that the cluster has been purged. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 85
States Cisco SME clusters can be in one of the following cluster states: • Online-The Cisco SME cluster is available on the switches and is reachable from the Fabric Manager Server. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 86
yet online. • Offline-The switches of the cluster are not reachable from Fabric Manager. • Deprecated-The Cisco SME cluster with all Cisco SME interfaces removed; the cluster . - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 87
The transport settings details are displayed when SSL is Off. You can also modify the transport settings in the cluster detail page by clicking Modify. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 88
Chapter 4 Cisco SME Cluster Management Step 2 Select SSL and choose a Trust Point from the drop-down menu. Click Apply to save the settings. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 89
Apply to save the changes. Click Cancel to revert back to previous settings. Step 3 Refresh the Fabric Manager Web Client to view the notification that the cluster has been modified. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 90
information using Fabric Manager Client, follow these steps: Step 1 In the Physical Attributes pane, select End Devices > SME Clusters. Step 2 Click the Members tab to view members in a cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 91
to view the cluster name, state, and Master IP address. Step 3 Select the Members tab to view the cluster name, switch, fabric name, and whether or not the cluster/fabric is local. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 92
cluster it gets the node ID of 2 and the third switch gets the node ID of 3, and so on. Cluster View The cluster view is the set of switches that are part of the operational cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 93
examples consider single switch failures. 1. Assume that in a two-switch cluster with switches S1 (node ID 1) and S2 (node ID 2), S1 is the master (the master has the lower node ID). - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 94
loses connectivity with the other two switches, then S3 becomes nonoperational. Switches S1 and S2 will form an operational cluster. When S3 comes up again, it will rejoin the cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 95
the recovery procedures described in Chapter 9, "Cisco SME Troubleshooting" to bring this switch back into the cluster. Caution It is critical that you save the running configuration on all switches before a reboot. Four-Switch Cluster Scenarios The four-switch cluster scenario is very similar to - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 96
completed and the switches boot up, the upgraded node rejoins the cluster as a slave node. Note This feature is tied to the internals of ISSU logic and no additional commands need to be executed. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 97
tape volume group can be the volume pool name configured at the backup application. Cisco SME provides the capability to export a volume group with an encryption password. barcode range. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 98
tape when it is reformatted or relabeled on a tape drive that is defined in an active Cisco SME environment. Note Messages are logged to the switch when the tapes bypass encryption. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 99
Adding Tape Groups To add a tape group, follow these steps: Step 1 can specify the devices later. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 100
Step 3 Select specific VSANs for the tape group. Click Next. Step 4 Select the hosts (backup servers) for the tape group. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 101
to create the tape group. Click Next. Step 7 Verify the information. Click Confirm to save and activate the changes. Your screen will refresh to the Fabric Manager Server SME screen. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 102
Step 8 View the hosts, tape devices, and volume groups that belong to the tape group. Note Messages are logged to the switch when . Click OK to delete the tape group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 103
these steps: Step 1 Click Tape Devices. Click Add. Step 2 Select the VSANs that you would like to discover paths from. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 104
Step 3 Select the hosts that you would like to discover paths from. Click Next. Step 4 Select the tape drives. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 105
host and tape devices. Click Next. Step 6 Confirm the addition of the new tape device. Click Confirm to close the Cisco SME wizard and to return to the Fabric Manager Server SME screen. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 106
Step 7 View the new tape device that was View the notification that the tape drive has been removed. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 107
tape paths between hosts and target backup devices. To add a tape path to a tape device, follow these steps: Step 1 Select a tape device. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 108
Step 2 Click Add. Step 3 Select the appropriate fabric and enter the VSAN, initiator and target WWNs, and the LUN. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 109
addition of the new tape path. Click Confirm to close the Cisco SME wizard and to return to the Fabric Manager Server SME screen. Deleting Paths from a Device To delete notification. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 110
ranges, then Cisco SME places the volume based on the lexicographic ordering of the volume group. Note If there is not a direct match, then the volumes will be placed in the default volume group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 111
to return to the Fabric Manager Server SME screen. View the new volume group added to the tape group. Note For information on importing and exporting volume groups, see Chapter 6, "Cisco SME Key Management." - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 112
. Step 2 Select a tape volume group and click Remove. Step 3 Click OK to delete the tape volume group and to view the volume group notification. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 113
hosts in a Cisco SME cluster. Information for a specific host includes the tape group membership, paths from the host to the target, VSAN, fabric, status, and the navigation pane. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 114
Viewing Tape Device Details Chapter 5 Cisco SME Tape Configuration - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 115
(GUID). The Cisco SME key management system includes the following types of keys: • Master key • Tape volume group keys • Tape volume keys Every backup tape has an associated tape volume key, tape volume group key, and a master key. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 116
. Note The Cisco KMC listens for key updates and retrieves requests from switches on a TCP port. The default port is 8800; however, the port number can be modified in the smeserver.properties file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 117
the five smart cards to recover the master key. Each smart card is owned by a Cisco SME Recovery Officer. Note The greater the number of required smart cards to recover the master key. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 118
and new key is created and synchronized to the Cisco KMC. This setting should be selected when you do not need the old keys for previously backed-up data that will be rewritten. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 119
available. All the switches in a cluster use the same KMC server. When a switch connects to a : Step 1 Step 2 Step 3 Go to the Fabric Manager Web Client and choose Key Manager Settings. In the - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 120
Chapter 6 Cisco SME Key Management Step 4 Click OK to save the settings to view the notification that the settings have been saved. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 121
Key Management Operations This section describes the following key card information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 122
, and shared tape volume group keys. Using Fabric Manager Web Client, you can view keys that are stored in the Cisco KMC. When keys are generated, they are marked view all active keys. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 123
as deactivated and stored in the Cisco KMC. You can view the barcode, GUID (the unique key identifier generated by the switch), deactivated date, and version (the group and click Remove. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 124
Step 2 Click Confirm. Exporting Volume Groups 4 Enter the volume group file password. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 125
Step 5 Click Download to download the volume group file. Step 6 Save the .dat file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 126
(ODRT) software to convert the Cisco SME encrypted tape back to clear-text when the Cisco SME line card or the Cisco MDS switch is unavailable. For more information a volume group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 127
Step 3 Locate the file to import. Enter the password that was assigned to encrypt the file. Click Next. Step 4 Select the volume group .dat file. Click Open. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 128
Step 5 Click Fabric Manager Web Client navigation pane, select Volume Groups to display the volume groups in the cluster. Select one or more volume groups. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 129
Keys in Fabric Manager Web Client, page 6-16 Translating Media Keys Each cluster is associated with a translation context. The translation context contains the public key for the key pair generated by the crypto-module of one of the clusters. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 130
In the Fabric Manager Web Client, click the SME tab. Select Clusters in the navigation pane to display the clusters. Select a cluster and select Remote Replication. The Remote Replication Relationships pane appears. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 131
Step 4 Click Create to create a remote replication relationship shows as Created. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 132
Removing Remote Replication Relationships To remove a remote relationship of the selected volume groups. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 133
in the navigation pane to view the cluster details. Step 2 Click the Download Master Key button to download the master key file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 134
Step 3 Enter the password to protect the master key file. Click Download to begin downloading the encrypted file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 135
Step 4 Click Close to close the wizard. Step 5 Click Save to save the downloaded master key file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 136
, the master key can be downloaded to a replacement smart card from the Fabric Manager Web Client. To replace a smart card (Standard security mode), follow these smart card. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 137
Step 4 Click Finish to close the wizard. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 138
protected smart card. To replace a lost or damaged smart card, the quorum of Cisco SME Recovery Officers must be present with their smart cards to authorize the master . Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 139
key. Enter the switch login information and the smart card PIN and label. Click Next. Each member of the Cisco Recovery Officer quorum is requested to log in and present their smart card to authorize and authenticate the operation. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 140
Step 5 Insert one of the smart cards that stores the master key. Click Next. Step 6 Enter the switch login information and the smart card PIN and label. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 141
Next. Step 8 Enter the switch login information and the smart card PIN and label. Click Next. Step 9 Insert the smart cards belonging to each recovery officer in any random order. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 142
the switch login information, the PIN number for the smart card, and a label that will identify the smart card. Click Next. A notification is shown that the first keyshare is successfully stored. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 143
. Click Next. A notification is shown that the second keyshare is successfully stored. c. Enter the switch credentials and PIN information for the third recovery officer. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 144
stored. d. Enter the switch credentials and PIN information for the fourth recovery officer. Click Next. A notification is shown that the fourth keyshare is successfully stored. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 145
Enter the switch credentials and PIN information for the fifth recovery officer. Click Next. A notification is shown that the fifth keyshare is successfully stored. Click Next to begin the automatic synchronization of volume groups. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 146
of volume groups is completed. Step 10 The smart card replacement is completed. Click Close to return to the Fabric Manager Web Client and to view the smart card information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 147
archived cluster (Basic security mode), follow these steps: Step 1 Select a volume group to display the volume groups in the cluster. Click Export. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 148
Step 2 Click Browse to locate the volume group master key file. Step 3 Select the master key file. Click Open. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 149
for the archived volume group. Click Next. Step 5 Enter the password that will be used to encrypt the exported file. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 150
Step 6 Click Download to begin downloading the volume cluster. Select a volume group and click Export. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 151
Step 2 Insert one of the five smart cards into the smart card reader. Click Next. Step 3 Enter the smart card PIN and label. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 152
Step 4 Enter the password to encrypt the volume group file. Click Next. Step 5 Click Download to begin downloading the file. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 153
Step 6 Save the .dat file. Click Next. Advanced a volume group and click Export. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 154
Step 2 Insert one of the five smart cards into the smart card reader. Click Next. Step 3 Enter the smart card PIN and label. Click Next. The keyshare is retrieved. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 155
Step 4 Insert the next smart card into the the volume group file password. Click Next. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 156
Step 7 Click Download to begin downloading the volume group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 157
the Fabric Manager Web Cisco KMC database is displayed in the KMC Log Location. Enter a pattern in the Filter and click Go. The accounting pattern is displayed based on the selected pattern. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 158
Step 4 Click Clear Filter to display the complete of the operation and/or other criteria documented below. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 159
Logged as: "Archive key" Description: A key is removed from "active" state and moved to "archived" state. Details: SUCCESS: "GUID: " FAILURE: "GUID: error: " - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 160
"tape group: tape volume group: " Operation: DELETE_ALL_TAPE_VOLUME_WRAP_KEYS Tape Volume Group Wrap Keys for cluster" Logged as: "Delete - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 161
Description: All wrap keys for the given tape : "" FAILURE: "error: " - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 162
the database, install Fabric Manager in the new KMC server and point the Fabric Manager to the database. This ensures that all the keys are maintained across the KMC migration. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 163
with RSA Key Manager, modify the settings and select the RKM server. Uninstall the Fabric Manager server instance of the previous KMC server. This removes the previous KMC server. . - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 164
Migrating a KMC Server - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 165
• Enabling and Disabling SME Clustering, page 7-2 • Enabling and Disabling the Cisco SME Service, page 7-2 • Creating the SME Interface, page 7-2 • Deleting the the MDS-18/4 module switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 166
on clusters, see Chapter 4, "Cisco SME Cluster Management." Creating the SME Interface After enabling the cluster and enabling SME, configure the SME interface on the switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 167
switch# config t switch( fabrics that you want to include in the cluster and you configure the following: • Automatic volume grouping • Key Management Center (KMC) • Target discovery • Tape groups • Key-on-tape mode • Recovery • Shared key mode • Shutdown cluster for recovery - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 168
cards that could be used to recover the master key. To set the SME cluster security level, follow these steps: Step 1 Command switch# config t Purpose Enters configuration mode. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 169
switch# config t switch(config)# sme cluster clustername1 switch(config-sme-cl)# Purpose Enters configuration mode. Specifies the cluster and enters SME cluster configuration submode. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 170
2 Command switch# config t switch(config)# sme cluster clustername1 switch(config-sme-cl)# Purpose Enters configuration mode. Specifies the cluster and enters SME cluster configuration submode. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 171
switch(config-sme-cl)# Purpose Enters configuration mode. Specifies the cluster and enters SME cluster configuration submode. Enables the key-on-tape feature. Disables tape compression. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 172
is 1 out of 1 Fabric[0] is f1 CKMC server has not been provisioned Master Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0 Shared Key Mode is Enabled Auto Vol Group is Not Enabled - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 173
show sme cluster key command follows: switch# show sme cluster clustername1 key database Key Type is tape volumegroup shared key GUID is 3b6295e111de8a93-e3f9-e4ae372b1626 Cluster is clustername1, Tape backup group is HR1 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 174
Share Version is 0, Share Index is 1 switch# show sme cluster clustername1 summary Cluster ID Security Mode Status clustername1 2e:00:00:05:30:01:ad:f4 basic online - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 175
Cisco SME role configurations. switch(config)# setup sme Set up four roles necessary for SME, sme-admin, sme-stg-admin, sme-kmc-admin and sme-recovery? (yes/no) [no] yes If CFS is enabled, please commit the roles so that they can be available. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 176
SME setup done. switch# show role Role: sme-admin Description: new permit config sme-recovery-officer - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 177
-OS release across all your Cisco MDS switches. • Refer to the "Planning For Cisco SME Installation" appendix for preconfiguration information and procedures. • Enable system message logging. For information on system messages, refer to the Cisco MDS 9000 Family Troubleshooting Guide. • Refer to the - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 178
your fabric and detect possible problems before they become critical. Note For details on SME sizing and topology guidelines and case studies, refer to the Cisco Storage Media Encryption Design Guide. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 179
may appear when deploying a storage area network (SAN) using the Cisco MDS 9000 Family of switches. The Cisco MDS 9000 Family Troubleshooting Guide introduces tools and methodologies that are used to recognize a problem, determine its cause, and find possible solutions. Cluster Recovery Scenarios - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 180
the cluster master may have progressed beyond what is in the offline switch's state. Deleting the cluster master and reviving the cluster on an offline switch can lead to data corruption. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 181
sme cluster ABC switch(config-sme-cl)# shutdown Purpose Enters configuration mode. Shuts down the ABC cluster on the offline switch. Note Repeat this procedure for every offline switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 182
)# sme cluster ABC switch(config-sme-cl)# shutdown Purpose Enters configuration mode. Shuts down the ABC cluster on the offline switch. Note Repeat this procedure for every offline switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 183
ABC switch(config-sme-cl)# shutdown Purpose Enters configuration mode. Shuts down the ABC cluster on all switches other than the current master switch and the desired new master switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 184
cluster ABC switch(config-sme-cl)# no shutdown Purpose Enters configuration mode. Restarts the cluster on all remaining switches and synchronizes the configuration from the new master switch: switch2. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 185
type of configuration. Otherwise, switches will not be able to communicate with other switches to form the cluster and Fabric Manager Server will not be able to resolve the switch name. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 186
be successfully created: • SSH must be enabled on every switch that is part of a Cisco SME cluster. Note Only SSH/dsa or SSH/rsa are supported for Cisco SME cluster configurations using Fabric Manager Web Client. SSH/rsa1 is not supported for SME cluster config via FM web client in 3.2.2 (release - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 187
from the C:\Program Files\Cisco Systems\MDS 9000\logs directory before contacting your support organization. A syslog message is displayed when a Cisco MDS switch configured with Cisco SME in the startup configuration boots up When you reboot a Cisco MDS switch that has the cluster configuration - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 188
Troubleshooting Scenarios Chapter 9 Cisco SME Troubleshooting - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 189
apply to the Cisco MDS 9000 Family of multilayer directors and fabric switches. See the "Command Modes" section to determine the appropriate mode for each command. For more information, refer to the "Command Modes" section of the Cisco MDS 9000 Family CLI Configuration Guide. SME Commands This - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 190
: switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# auto-volgrp switch(config-sme-cl)# Related Commands Command show sme cluster Description Displays Cisco SME cluster information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 191
to talk to the storage array, which directly bypasses the individual Intelligent Service Applications (ISAs), and causes data corruption. You must use this configurations on the switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 192
the Cisco SME clustering: switch# config terminal switch(config)# cluster enable switch(config)# Related Commands Command show sme cluster Description Displays information about the Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 193
) Modification This command was introduced. Usage Guidelines None. Examples The following example displays the system output from the debug sme all command: - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 194
switch# debug sme all 2007 Sep 23 15:44:44.490796 sme: debugging. Displays all information about Cisco SME. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 195
2345 fabric sw-xyz The following example disables the discovery feature: switch# config t switch(config)# sme cluster clustername1 switch(config-sme-cl)# no discover Related Commands Command show sme cluster Description Displays information about the Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 196
t1 switch(config-sme-cl-tape-bkgrp-volgrp)# do show interface sme 3/1 description sme3/1 5 minutes input rate 0 bits/sec, 0 bytes/sec, 0.00 KB/sec 5 minutes output rate 0 bits/sec, 0 bytes/sec, 0.00 KB/sec - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 197
compression ratio 0:0 flows 0 encrypt, 0 clear clear luns 0, encrypted luns 0 errors 0 CTH, 0 authentication 0 key generation, 0 incorrect read 0 incompressible, 0 bad target responses - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 198
# config terminal switch(config)# sme cluster c1 switch(config-sme-cl)# fabric sw-xyz Related Commands Command show sme cluster Description Displays information about Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 199
switch(config-sme-cl-node)# fabric-membership f1 Related Commands Command interface sme show interface sme shutdown Description Configures the Cisco SME interface to a cluster. Displays interface information. Enables or disables an interface. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 200
the fabric. Examples The following example shows how to enable version2 mode in FC-Redirect: switch# fc-redirect version2 enable Please make sure to read and understand the following implications before proceeding further: - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 201
is stable ie., No fabric changes/upgrades in progress Do you want to continue? (Yes/No) [No] Yes Related Commands Command no fc-redirect version2 enable mode Description Disables version2 mode in FC-Redirect. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 202
configure Cisco SME services: switch# config terminal switch(config)# feature cluster switch(config)# feature sme switch(config)# Related Commands Command show sme cluster Description Displays Cisco SME cluster information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 203
Cisco SME services must switch(config-if)# no shutdown Related Commands Command show interface sme shutdown Description Displays interface information. Enables or disables an interface. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 204
(config)# sme cluster clustername1 switch(config-sme-cl)# node 171.71.23.33 switch(config-sme-cl-node)# fabric-membership f1 switch(config-sme-cl-node)# interface sme 4/1 fabric sw-xyz - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 205
Related Commands Command fabric-membership show interface Description Adds the node to a fabric. Displays Cisco SME interface details. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 206
on the backup tapes. Note This feature is supported only for unique keys. Before using this command, switch# config terminal switch(config)# sme cluster clustername1 switch(config-sme0-cl)# no key-ontape - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 207
sme cluster tape Description Disables automatic volume grouping. Specifies unique key mode. Displays information about cluster key database. Displays information about tapes. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 208
-if)# link-state-trap The following example disables the link-state-trap on the SME interface: switch# config t switch(config)# interface sme 4/1 switch(config-if)# no link-state-trap - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 209
c1 switch(config-sme-cl)# load-balancing 17:11:34:44:44:12:14:10 switch(config-sme-cl-node)# Related Commands Command show sme cluster Description Displays Cisco SME information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 210
sme-cl)# node 171.71.23.33 switch(config-sme-cl-node)# Related Commands Command Description show sme cluster node Displays Cisco SME node information about a local or remote switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 211
you to recover data when the MSM-18/4 module or the Cisco MDS 9222i fabric switch is not available. odrt.bin [--help][--version]{-h | -l | , see Chapter 6, "Cisco SME Key Management." - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 212
=3 Log file: odrt30072 Please enter key export password: Elapsed 0:3:39.28, Read 453.07 MB, 2.07 MB/s, Write 2148.27 MB, 9.80 MB/s Done - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 213
tape-bkgrp groupname tape-volgrp volume groupname Description Displays information about Cisco SME cluster. Configures crypto backup group. Configures crypto backup volume group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 214
None. Examples The following example enables Cisco SME scalability: switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# scaling batch enable switch(config-sme-cl)# - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 215
c1 switch(config-sme-cl)# security-mode advanced schema threshold 3 total 5 Related Commands Command show sme cluster Description Displays information about the security settings. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 216
admin and sme-recovery roles for Cisco SME. Examples The following example creates the sme-admin and sme-recovery roles: switch(config)# setup sme Set up four various Cisco SME role configurations. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 217
: switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# no shared-keymode Related Commands Command show sme cluster Description Displays Cisco SME cluster information. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 218
on the switch: switch# show debug ILC helper: ILC_HELPER errors debugging is on ILC_HELPER info debugging is on Related Commands Commands debug sme Description Debugs Cisco SME features. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 219
CFGD Service) SSM Slot = 2 SSM Switch WWN = 20:00:00:05:30:00:90:9e (LOCAL) Vt PWWN = 2f:ea:00:05:30:00:71:65 Tgt PWWN = 21:00:00:20:37:18:67:2c Local Host PWWN = 21:00:00:e0:8B:0d:12:c6 Config#3 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 220
========== Appl UUID = 0x00D8 (ISAPI CFGD Service) SSM Slot = 2 SSM Switch WWN = 20:00:00:0d:EC: on the local switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 221
:00:05:30:00:71:61 Config#2 ========== Appl UUID = 0x00D8 (ISAPI CFGD Service) SSM Slot = 2 SSM Switch WWN = 20:00:00:05:30:00:90:9e (LOCAL) Vt PWWN = on a switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 222
with the local switch. The communication with peer switch is broken. The local switch is syncing its configuration with the peer switch. Connection with peer switch is not available. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 223
peer-switches Related Commands Command clear fc-redirect vt Description Clears the active configurations on the local switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 224
example displays the brief description of the Cisco SME interface: switch# show interface sme 3/1 brief Interface decompress 0 bytes compression ratio 0:0 flows 0 encrypt, 0 clear - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 225
0 key generation, 0 incorrect read 0 incompressible, 0 bad target responses Related Commands Command interface sme Description Configures the Cisco SME interface on the switch. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 226
enabled, please commit the roles so that they can be available. SME setup done. switch# show role Role: sme-admin Description: new role Vsan policy: permit (default) sme-stg-admin - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 227
Type Command-type Feature 1 permit config sme-recovery-officer Related Commands Command setup sme Description Sets up the Cisco SME administrator and Cisco SME recovery roles. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 228
officer summary index. The range is 1 to 8. Displays Cisco SME tape detail. Displays the tape summary. Displays the crypto tape backup group name. The maximum length is 32 characters. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 229
sme cluster clustername1 interface it-nexus Host WWN VSAN Status Switch Interface Target WWN 10:00:00:00:c9:4e:19:ed, 2f:ff:00:06:2b:10:c2:e2 4093 online switch sme4/1 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 230
The following example displays the specific recovery officer of a cluster: switch# show sme cluster Cisco SME configuration. Displays information about Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 231
: switch# show sme transport ssl trustpoint SME Transport SSL trustpoint is trustpoint-label Related Commands Command clear sme show sme cluster Description Clears Cisco SME configuration. Displays all information of Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 232
The following example displays the information for SME technical support: sw-sme-n1# show tech-support sme 'show startup-config' version 4.1(1b) username :2b:0d:39:08 --More-- - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 233
: switch# config t switch(config)# interface sme 4/1 switch(config-if)# shutdown Related Commands Command show interface sme Description Displays information about the Cisco SME interface. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 234
recovery: switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# shutdown Related Commands Command show sme cluster Description Displays information about the Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 235
This command was introduced. Usage Guidelines Cisco SME services must be enabled to take advantage of switch# config t sw-sme-n1(config)# sme cluster clustername sw-sme-n1(config-sme-cl)# - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 236
ssl To configure Secure Sockets Layer (SSL), switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# ssl kmc - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 237
group1 switch(config-sme-cl-tape-bkgrp)# Related Commands Command clear sme show sme cluster Description Clears Cisco SME configuration. Displays information about the Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 238
sme cluster tape Description Clears Cisco SME configuration. Displays information about the Cisco SME cluster. Displays information about all tape volume groups or a specific group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 239
sme cluster tape Description Clears Cisco SME configuration. Displays information about the Cisco SME cluster. Displays information about all tape volume groups or a specific group. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 240
c1 switch(config-sme-cl)# no tape-keyrecycle Related Commands Command clear sme show sme cluster Description Clears Cisco SME configuration. Displays information about the Cisco SME cluster. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 241
switch(config-sme-cl-tape-bkgrp)# no tape-volgrp tv1 Related Commands Command clear sme show sme cluster tape Description Clears Cisco SME configuration. Displays information about tapes. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 242
c1 switch(config-sme-cl)# tune-timer tgt_lb_timer 6 switch(config-sme-cl)# The following example configures a Cisco SME RSCN suppression timer value: switch# config t switch(config)# sme cluster c1 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 243
configures a target load balancing timer value: switch# config t switch(config)# sme cluster c1 switch(config-sme-cl)# tune-timer rscn_suppression_timer 2 switch(config-sme-cl)# - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 244
tune-timer Appendix A Cisco SME CLI Commands - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 245
Appendix B Offline Data Recovery in Cisco SME The Cisco SME solution provides seamless encryption service through a hardware-based encryption engine. However, when the MSM-18/4 module or the Cisco MDS 9222i fabric switch is not available, you - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 246
information about the odrt.bin command, see Appendix A, "Cisco SME CLI Commands." Note The Offline Data Restore Tool (ODRT) is currently supported only in Red Hat Enterprise Linux 5. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 247
in all the switches, Fabric Manager server and the supported for importing PKCS12 certificates to Java Keystores (JKS) files. This section describes the following topics: • Creating CA Certificates, page C-2 • Generating KMC Certificate, page C-4 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 248
trustpoint by cutting and pasting the contents of the cacert.pem created in Step 1. switch(config)# crypto ca authenticate my_ca input (cut & paste) CA certificate (chain) in yes/no]:yes - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 249
Step 11 Repeat steps 2 through 9 for all the switches managed by a Fabric Manager server. Ensure that the same trustpoint is used for all the switches in this Fabric Manager server. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 250
KMC SSL settings in the Key Manager Settings in Fabric Manager Web Client. Restart the Fabric Manager server. Note You can also use sme_kmc_server.p12 Switch certificate and configure switch trust point - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 251
/./sme_KMC_server.p12 switch:./createSmeCerts.tcl Fabric Manager server: Copy sme_fm_server.jks to /jboss/server/default/conf/fmserver.jks Copy fmtrust.jks to /jboss/server/default/conf/fmtrust.jks Go to /bin - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 252
in the Cisco SME wizard, follow these steps: Step 1 Log into the Fabric Manager. Step 2 Click the SME tab and select the Key Manager Settings. The Key Manager Settings window displays. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 253
editing the SSL settings, restart the Fabric Manager Server. If On is selected in the Transport Settings during cluster creation, then SSL is enabled on KMC with the following results: - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 254
SSL with trustpoint on the switches. KMC server connection state remains as none until the cluster is updated. For more information, refer to Selecting Transport Settings, page 4-10. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 255
to select RSA as the key manager for Cisco SME and then create a cluster. Installing the RKM Application To install the RKM application, follow the instructions provided in the RSA Install Guide. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 256
Create the proper pkcs12 certificate. The export password is the password needed by the Cisco SME RSA installation. OpenSSL> pkcs12 -export -in rt.cert -inkey rt.key - the issuer home. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 257
) []: Common Name (eg, YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 258
serverpub.p12 -srcstoretype PKCS12 -destkeystore sme_rkm_trust.jks -deststoretype JKS Place these keystore files in the mds9000/conf/cert directory and restart Fabric Manager server. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 259
Cisco SME User to RKM To add a Cisco SME user to the RKM, follow these steps: Step 1 Log in to RKM and click the Identities tab. Step 2 Click Create to create a new identity. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 260
. To change the Key Manager setting to RSA, follow these steps: Step 1 Select Key Manager Settings and click RSA. The RSA settings fields are displayed. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 261
. The password is supplied by the user security team that generated the certificate for Cisco SME. Retype the password to confirm. Step 5 Click Submit Settings. A warning Key Manager. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 262
of the keys in case any problems arise during migration. Export all volume Cisco Fabric Manager, which shuts down the Cisco KMC. This step prevents any key operation from being performed during migration. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 263
packaged in Cisco Fabric Manager CD Cisco Fabric in the Cisco KMC key Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1) Restart any backup applications and jobs that were deactivated or suspended before the migration. Note In Cisco MDS encryption. Note In Cisco MDS 9000 NX-OS Software - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 264
Migrating From Cisco KMC to RKM Appendix D RSA Key Manager and Cisco SME - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 265
02252008.data (on Windows operating system) The INSTALLDIR is the top directory of Fabric Manager Installation and a backup file (02252008.data) is created in the $INSTALLDIR database. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 266
the property should be set to true in smeserver.properties before starting the Fabric Manager Server. This will synchronize the new volume group keys to the KMC previous database backup. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 267
may also be supported on a case-by-case basis. • SAN topology, including the placement of hosts and targets and number of fabrics. • Backup host operating system. • Backup application type and version. • HBA type and firmware version. • Tape library and drive types. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 268
versions. Refer to the Cisco MDS 9000 Family Interoperability Support Matrix. MSM-18/4 Cisco Storage Media Encryption Design Guide for details. Note Generation 2 modules are recommended for ISL connectivity. • Order the appropriate number of Cisco SME licenses. Key Management Center and Fabric - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 269
. These card reader drivers are included in the Cisco MDS 9000 Management Software and Documentation CD-ROM. • Order the required number of smart cards and readers. • Identify a host in the customer environment for setting up the Fabric Manager server and KMC. Refer to Chapter 1, "Product - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 270
Services, page F-5 • Assigning Cisco SME Roles and Users, page F-6 • Creating Cisco SME Fabrics, page F-6 • Installing SSL Certificates, page F-6 Installing Fabric Manager While installing the Fabric Manager, do the following tasks: - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 271
on all the Cisco SME switches. For more information, refer to the "Enabling Clustering" section on page 2-3. • Enable Cisco SME services using either Fabric Manager or Device Manager. For more information, refer to the "Enabling Cisco SME" section on page 2-6. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 272
MDS 9000 Family Fabric Manager Configuration Guide and the Cisco MDS 9000 Family CLI Configuration Guide. Creating Cisco SME Fabrics When creating Cisco SME fabrics, note the following guidelines: • Add the Cisco SME fabrics using the Fabric Manager Web client. Modify the names to exclude switch - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 273
in Chapter 4, "Cisco SME Cluster Management," including cluster creation and tape backup group configuration procedures. • Save the running configuration to startup configuration. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 274
Provisioning Cisco SME Appendix F Planning For Cisco SME Installation - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 275
PostgreSQL to an Oracle Enterprise installation. This utility is packaged in the Cisco Fabric Manager CD starting from NX-OS Software Release 4.1(3) and is available when prompted. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 276
SME Database Tables The sample output would be as follows: [root operation to confirm that the migration has been successful. - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 277
Fabric Name 2-13 Cisco Key Management Center about 1-4, 6-2 advantages 6-2 features 1-4 Cisco MDS 9000 Family 18/4-Port Multiservice Module (MSM-18/4) 1-10 replacing 9-8 Cisco 20, 4-22 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 278
2-13 changing a fabric name 2-13 manage continuously 2-15 selecting 4-4 FC Redirect 1-6 FC redirect requirements 1-12 unsupported switches 2-20 FC redirect restrictions 2-20 FICON Limitation 2-19 H hardware requirements 1-10 Cisco MDS 18/4-port Multiservice Module (MSM-18/4) 1-10 Cisco MDS 9222i - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 279
licenses for fixed slot - MDS 9222i Switch 2-18 for MSM-18/4 module-MDS 9200 Series with SSM 2-18 for MSM-18/4 module - MDS 9500 Series with SSM Tool about B-1 P purging clusters 4-20 - HP Cisco MDS 9216 | Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 280
smart cards 4-13, 6-28 stored keyshares 4-13 supported topologies single-fabric 1-8 troubleshooting 9-8 tapes recycling 6-4 tape volume group key 6-2 tape volume key 6-2 translation context 6-15 transparent fabric service 1-3 troubleshooting 9-1 "no paths found" 9-8 cluster recovery scenarios
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco MDS 9000 Family Storage Media
Encryption Configuration Guide, Release
4.x
Cisco MDS NX-OS Release 4.1(3)
February 2009
Text Part Number: OL-18091-01