HP Brocade 8/12c Fabric OS Encryption Administrator's Guide
HP Brocade 8/12c Manual
HP Brocade 8/12c manual content summary:
- HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 1
53-1002159-03, 28 July 2011. Fabric OS Encryption Administrator's Guide. Supporting HP Secure Key Manager (SKM) Environments and HP Enterprise Secure Key Manager (ESKM) Environments. Supporting Fabric OS v7.0.0
copy of the programming source code, please visit http://www.brocade.com/support/oscd. Brocade Communications Systems, Incorporated. Corporate and Latin American Headquarters: Brocade Communications Systems, Inc., 130 Holger Way, San Jose, CA 95134. Tel: 1-408-333-8000. Fax: 1-408-333-8101. E-mail: info
Fabric OS Encryption Administrator's Guide iii 53-1002159-03
this document is organized xiii
Supported hardware and software xiv
What's and LUN considerations 1
Terminology 2
The Brocade Encryption Switch 4
The FS8-18 blade 5
FIPS 10
Support for Virtual Fabrics 11
Cisco Fabric Connectivity support 11
CLI 36
Steps required using Brocade Management application 37
Encryption preparation 38
Creating a new encryption group 38
Understanding configuration status results 46
Adding a switch to an encryption group 47
Replacing an encryption engine in an encryption group 53
switch encryption properties 95
Exporting the public key certificate signing request (CSR) from Properties 97
Importing a signed public key certificate from Properties 97
Enabling and disabling the encryption engine state from Properties 97
tab 100
Consequences of removing an encryption switch 101
Security tab 103
HA Clusters tab 104
Tape Pools tab 105
Engine Operations tab 107
Encryption-related acronyms in log messages 109
Configuring Brocade Encryption Using the CLI
In this chapter 111
Overview 112
Command validation
first time encryption 170
Data re-keying 170
Resource Allocation 171
Re-keying modes 171
Configuring a LUN for automatic re-keying 171
Initiating a manual re-key session 172
Suspension and resumption of re-keying operations 173
with FCIP extension switches 186
VMware ESX server deployments 187
Best Practices and Special Topics
In this chapter 189
Firmware download considerations 190
Firmware upgrades and downgrades 190
Data-at-rest encryption support for IBM SVC LUNs configuration 191
Specific guidelines for HA
Turn off compression on extension switches 200
Re-keying best practices and policies 200
Manual re-key 200
Latency in re-key operations 200
Allow re-key to complete before deleting a container 201
Re-key operations and firmware upgrades 201
Do not change LUN configuration while re-keying 201
to an existing group 231
Errors related to adding a switch to a new group 232
General errors related to the Configure Switch Encryption wizard 233
LUN policy troubleshooting 234
Loss of encryption group leader after power outage 235
MPIO and internal LUN states 236
Suspension and
Index
Security processor KEK status 250
Encrypted LUN states 250
switch and the encryption solution, and the terminology used in this document. • Chapter 2, "Encryption configuration using the Management application," describes how to configure and manage encryption features using Brocade Network Advisor. • Chapter 3, "Configuring Brocade Encryption Using the CLI
and software. The following hardware platforms support data encryption as described in this manual. • Brocade DCX and DCX-4S with an FS8-18 encryption blade. • Brocade Encryption Switch. What's new in this document: The purpose of this release is to note that HP Enterprise Secure Key Manager (ESKM
to warn of these conditions or situations. Key terms: For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See "Brocade resources" on page xvi for instructions on accessing MyBrocade.
, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com
://www.t11.org For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website: http://www.fibrechannel.org Getting technical help: Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To
• Brocade Encryption Switch: On the switch ID pull-out tab located inside the chassis on the port side of the switch on the left. • Brocade DCX: On the bottom right on the port side of the chassis. • Brocade DCX-4S: On the bottom right on the port feedback to: [email protected] Provide the title
cleartext to an encrypted LUN, the data on the LUN will be lost. The user must ensure that all hosts that can access a LUN are configured in the same manner.
, or they may be manually switched back. This is determined by a configuration option. Failover: In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster
initiators and virtual targets. Re-keying refers to decrypting data with the current Data Encryption Key (DEK) and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific time frame. The re-keying operation
console port. 7 USB port for firmware upgrades and other support services. 8 Fibre Channel ports (0-31): 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches.
Brocade Encryption Switch and FS8-18 Encryption Blade have a standard capacity of 48 Gbps of encryption processing power. Additional encryption processing power OS Administrator's Guide for information about obtaining and adding licenses. Licensing best practices: Licenses installed on the switches
. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done. This puts some constraints on the topology and the container configurations to support acceptable performance for encrypted and decrypted
Encryption is a powerful tool for data protection. Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This is provided by a third-party vendor. [Figure labels: Host, Cleartext, Encryption Switch, Ciphertext based on AES256-XTS, Disk Storage, Ciphertext, Cleartext, DEKs]
encryption solution overview. Data flow from server to storage: The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host and a target LUN are redirected to
, distributed, then stored in a key vault. The key is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be configured to expire in a certain time frame to avoid becoming compromised. Under those conditions, it must be used one more time to decrypt the data, and
that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM. Master key generation: A management system as an encrypted key record
. NOTE Please refer to the Fabric OS Administrator's Guide for more details on how to configure the DCX and DCX-4S in virtual fabrics environments, including configuration of the default switch partition and any other logical switch partitions. Cisco Fabric Connectivity support: The Brocade Encryption Switch
• connections 24
• Configuring blade processor links 24
• manually 91
• Viewing time left for auto re-key 94
• Viewing and editing switch encryption properties 95
• Viewing and editing group properties 98
• Encryption-related acronyms in log messages 109
Smart Cards for user authentication, system access control, and storing backup copies of data encryption master keys. • "Network connections" on page 24 describes the network connections that must be in place to enable encryption. • "Configuring blade processor links" on page 24 describes the steps
to specific operations. The functions are enabled from the Encryption Center dialog box. TABLE 1 Encryption User Privileges. Privilege columns: Read/Write; Storage Encryption Configuration; Storage Encryption Key Operations; Storage Encryption Security. • Launch the Encryption Center dialog box. • View switch
http://www.scmmicro.com/security/view_product_en.php?PID=2 NOTE Only the Brocade smart cards that are included with the BES/FS8-18 are supported. See the following procedures for instructions about how to manage smart cards: • "Registering authentication cards from a card reader" on page 16
Smart card usage. 1. Select Configure > Encryption from the menu task bar. The Encryption Center NOTE Ignore the System Cards setting for now. 4. Click Register from Card Reader to register a new card. The Add Authentication Card dialog box displays.
from Archive. The Authentication Cards dialog box displays. The dialog box lists the smart cards that are in the database.
the Encryption Group Properties dialog box. Deregistering an authentication card: Authentication cards can be removed from the database and the switch by deregistering them. Use the following procedure to deregister an authentication card. 1. Select Configure > Encryption from the menu task bar. The
needed, per instructions in the dialog box. The currently registered cards and the assigned owners are listed in the table near the bottom of the dialog box. 2. Insert a card, then wait for the ID to appear in the Card ID field. 3. Enter the assigned password. 4. Click Authenticate. 5. Wait for
function as an ordinary FC switch or blade when it is powered up, but use of the encryption engine is denied. To register a system card from a card reader, a smart card must be physically available. System cards can be registered during encryption group creation or member configuration when running the
Cards from the menu task bar, or right-click the switch and select System Cards. The System Cards dialog box displays. 3. Select the system card to deregister. Available formats are comma-separated values (.csv) and HTML files (.html).
Card dialog box. 2. Insert the smart card into the card reader. 3. After the card's ID is displayed in the Card ID field, enter the Card Password, then click Login. 4. Edit the card assignment user information as needed. 5. Click OK.
: • The management ports on all devices that will perform encryption (Brocade Encryption Switches, or DCX and DCX-4S chassis with encryption blades installed) must have a LAN connection to the SAN management program, and must be available for discovery. • A supported key management appliance must
Authority (CA) for signing to provide authentication before the certificate can be used. In all cases, signed KACs must be present on each switch. Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized
the SKM/ESKM appliance, use that port number. The following configuration steps are performed from the SKM/ESKM management web console and from the Management application. • Configure a Brocade group on SKM/ESKM. • Register the Brocade group user name and password on the encryption node. • Set up
on page 36. Configuring a Brocade group on SKM or ESKM: A Brocade group is configured on SKM/ESKM for all keys created by Brocade encryption switches and blades. This needs to be done only once for each key vault. 1. Log in to the SKM/ESKM management web console using the admin password. 2. Select the
Brocade group user name and password: The Brocade group user name and password you created when configuring a Brocade group on SKM/ESKM must also be registered on each Brocade encryption node. NOTE This operation can be performed only after the switch password, the Brocade group user name and password
the SKM/ESKM management web console using the admin password. 2. Select the default value for both is 3650 days or 10 years. 5. Click Create. The new local CA displays under Local Certificate Authority List. FIGURE 16 Creating an HP SKM/ESKM local CA
List Profiles. 7. Click on Default under Profile Name. 8. In this certificate must be imported onto the Brocade encryption group leader nodes. For more the Key Size. HP recommends using the default value: 1024. Local CAs. The Certificate and CA Configuration page is displayed. 9. From the
enabled on the other cluster members. To configure and enable SSL, complete the following steps: 1. Select the Device tab. 2. In the Device Configuration menu, click KMS Server to display the Key Management Services Configuration window.
vault supports clustering of HP SKM/ESKM appliances for high availability. If two SKM/ESKM key vaults are configured, they must be clustered. If only a single SKM/ESKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch
Configuration menu, click Cluster. The Create Cluster section displays. 3. Select and note the Local IP address. You will need this address when you add an appliance to the cluster. 4. For Local Port, use the default , click Known CAs.
. The Export Switch Certificate dialog box displays. 3. Select Public Key Certificate Request (CSR), then click OK. You are prompted to save the CSR, which can be saved to your SAN Management Program client PC, or an external host of your choosing.
using the Brocade CA name and maximum of 3649 days. 10. Select Client as Certificate Purpose. 11. Allow Certificate Duration to default to 3649. imported into the switch. NOTE This operation can be performed only after the switch is added to the encryption group. 1. Select Configure > Encryption from
synchronously hardened to the cluster pairs. Please refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures. Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The
SKM to ESKM. NOTE If the earlier configuration was done for SKM using the CLI and if the cryptocfg --reg -keyvault. Steps required using Brocade Management application: 1. Select Configure > Encryption from the menu task bar created.
, and create a new encryption group. NOTE When a new encryption group is created, any existing tape pools in the switch are removed. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays.
right-click the switch and select Create/Add to Group. The Configure Switch Encryption wizard welcome panel displays. FIGURE 21 Configure Switch Encryption wizard - welcome panel. 4. Click Next. The Designate Switch Membership dialog box displays.
Membership dialog box. 5. Verify that Create a new encryption group containing just this switch is selected. 6. Click Next. The Create a New Encryption Group dialog box displays 15 characters. Letters, digits, and underscores are allowed.
24 Select Key Vault dialog box the password you established for the Brocade user group password used for the primary key vault are automatically applied to the backup key vault. 10. Click Next. The Specify Public Key Certificate File Name dialog box displays.
desired location. 12. Click Next. The Specify Master Key File Name dialog box displays. FIGURE 26 Specify Master Key File Name dialog box
size is five cards. The actual number of authentication cards registered is always more than the quorum size, Configuration dialog box displays. The dialog box displays the encryption group name and switch public key certificate file name you specified.
FIGURE 28 Confirm Configuration dialog box. 18. Verify the information, then click Next. The Configuration Status dialog box displays.
configuration status results" on page 46 for more information. 19. Review important messages, then click Next. The Next Steps dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.
, the Management application sends API commands to verify the switch configuration. The CLI commands are detailed in the encryption administrator's guide for your key vault management system. • Initialize the switch. If the switch is not already in the initiated state, the Management application
the user name and password. When completed, all operations should be successful and the switch should show that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between
31 Configure Switch Encryption wizard - welcome panel. 3. Click Next. The Designate Switch Membership dialog box displays. FIGURE 32 Designate Switch Membership dialog box. a. Select Add this switch to an existing encryption group. b. Click Next.
Existing Encryption Group dialog box. 4. Select the group in which to add the switch, then click Next. The Specify Public Key Certificate Filename dialog box displays. FIGURE 34 Specify Public Key Certificate (KAC) File Name dialog box
Confirm Configuration panel displays. The dialog box shows the encryption group name and switch public key certificate file name you specified. FIGURE 35 Confirm Configuration dialog box. 6. Click Next. The Configuration Status dialog box displays.
certificate is stored in the location you specified. 7. Review important messages, then click Next. The Error Instructions dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.
show that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between the switch and key manager you are using.
encryption engine within the same DEK Cluster, complete the following steps. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. list) are replaced by the new engine (Replacement list).
switch until you click OK. Both engines in an HA cluster must be in the same fabric, as well as the same encryption group. NOTE An IP address is required for the management port for any cluster-related operations. 1. Select Configure tab
is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member.
Configure button. NOTE The manually invoke failback using the CLI or Management application, or until the second encryption engine fails. When the encryption engine recovers, it can automatically fail back its Crypto Target containers if the second encryption engine is not hosting them.
bar, or right-click a group, switch, or engine and select Targets. NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays.
dialog box explains the wizard's purpose, which is to configure encryption for a storage device (target). FIGURE 43 Configure Storage Encryption wizard dialog box. 4. Click Next to begin. The Select Encryption Engine dialog box displays.
or switch) to configure, then click Next. The Select Target dialog box displays. The dialog box lists all target ports and configured in an encryption group. You can select targets from the list of known targets, or manually enter the port and node WWNs.
from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsshow command.) You can also enter WWNs manually, for example, to specify a target 46 Select Hosts dialog box
Port WWN column contains all target information that displays when using the nsshow command.) b. Manually enter world wide names in the Port engine to hold the target configuration data. The container name defaults to the target WWPN. You
container, as well as the virtual targets (VT) and virtual initiators (VI). NOTE If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch. FIGURE 49 Configuration Status dialog box
13. Review the post-configuration instructions, which you can copy to a clipboard or print for later. 14. Click Finish to exit the Configure Switch Encryption wizard. 15. Review "Understanding configuration status results" on page 46.
, or manually enter world wide names in the Port WWN and Node WWN text boxes if the hosts are not included in the list. You must fill in both the Port WWN and the Node WWN. Click Add to move the host to the Selected Hosts list.
a group, switch, or engine and select Disk LUNs. The Encryption Disk LUN View dialog box displays. FIGURE 52 Encryption Disk LUN view dialog box. 3. Click Add. The Select Target Port dialog box displays. FIGURE 53 Select Target Port dialog box
port from the Target Port table. 5. Click Next. The Select Initiator Port dialog box displays. FIGURE 54 Select Initiator Port dialog box. 6. Select the initiator port from the Initiator Port, but are already configured. Click OK to configured on all instances there are configuration mismatches. Check
. NOTE If the LUN state is not showing correctly (for example, Not Ready), enter the cryptocfg --discoverLUN command from the CLI and it should help resolve the issue. When the command finishes, refresh the screen to check the new status of LUNs. Fabric OS Encryption Administrator's Guide 67 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 88
bar, or right-click a group, switch, or engine and select Targets. NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays. 68 Fabric OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 89
are identified by the Host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status. Fabric OS Encryption Administrator's Guide 69 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 90
selected host, or enter a range of LUN numbers to be configured for the selected host. 6. Choose a LUN to be added the CryptoTarget container with the Clear Text encryption mode option. NOTE The Re-keying interval can only be changed for disk LUNs OS Encryption Administrator's Guide 53-1002159-03 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 91
Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/ Target Tape LUNs dialog box displays. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 92
be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets. NOTE You can also select a group, switch, "Using the Encryption Targets dialog box" on page 90 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 93
for specific tape LUNs" on page 75 Viewing and clearing tape container statistics To view or clear statistics for tape LUNs in a container, follow these steps: 1. Select Configure > Encryption members of the selected tape container. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 94
Targets. NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays. The dialog box lists configured crypto target containers. FIGURE 63 Encryption Targets dialog box - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 95
configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets. NOTE You can also select a group, switch box displays. The dialog box lists configured tape LUNs. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 96
clear the tape LUN statistics, click Clear. 7. When prompted with a confirmation dialog box, click Yes. 8. To update the tape LUN statistics, click Refresh. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 97
Fabric OS 6.4, disk and tape target containers can be hosted on the same switch or blade. Hosting both disk and tape target containers on the same switch or blade might result in a drop in throughput, but it can reduce cost by reducing the number of switches or blades needed to support encrypted - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 98
the master key. Master keys belong to the group and are managed from Group Properties. NOTE It is important to back up the master key because if the master key is lost, different encryption group that uses a different active master key. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 99
to a file Use the following procedure to save the master key to a file. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group if the master key has already been generated. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 100
verification. 9. Click OK. ATTENTION Save the passphrase. This passphrase is required if you ever need to restore the master key from the file. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 101
a key vault Use the following procedure to save the master key to a key vault. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a group OK after you have copied the Key ID. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 102
unused smart cards. NOTE Windows operating systems do not require smart card drivers to be installed separately; the driver is bundled with the operating system. However, you must install a smart card driver for Unix operating systems. For instructions, refer to the Installation Guide. The key is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 103
the person to whom the card is assigned. 9. Type a Card Password. 10. Re-enter the password for verification. 11. Record and store the password in a secure location. 12. Click Write Card. The dialog box dialog box to finish the operation. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 104
from a file Use the following procedure to restore the master key from a file. 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a on page 78 • "Alternate master key" on page 78 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 105
vault Use the following procedure to restore the master key from a key vault: 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. 2. Select a on page 78 • "Alternate master key" on page 78 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 106
attempts to enter the correct password, the card becomes locked and unusable. 8. Click Restore. The dialog box prompts you to insert the next card, if needed. 9. Repeat step 6 through step 8 until all cards in the set have been read. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 107
be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured), until you back up the new master key. After you have backed up the new master key, box 4. Read the information, then click Yes to proceed. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 108
, follow these steps: 1. Select Configure > Encryption from the menu task an encryption engine manually to protect encryption kept in the encryption switch or encryption blade are erased and the encryption switch or the encryption blade removed from the fabric's name service. • The master key is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 109
encryption virtual targets will be offline. NOTE Zeroizing an engine affects the I/Os but all target and LUN configuration is intact. Encryption target configuration data is not deleted. You can Click YES to zeroize the encryption engine. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 110
selected group, switch, or encryption engine. If a group is selected, all configured targets in the group are displayed. If a switch is selected, all configured targets for the switch are displayed. FIGURE 75 Encryption Targets dialog box - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 111
Center dialog box displays. 2. Select the switch on which to perform a manual re-key from the Encryption Center Devices table, then select Switch > Re-Key All from the menu task bar, or right-click the switch and select Re-Key All. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 112
keying all disk LUNs manually FIGURE 76 Selecting the Re-Key All operation If REPL support is enabled on begin on up to 10 LUNs. If more than 10 LUNs are configured on the switch, the remaining rekey operations are held in the pending state. 5. Open - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 113
information, refer to the following topics: • "Re-keying all disk LUNs manually" on page 91 • "Viewing the progress of manual re-key operations" on page 93 Viewing the progress of manual re-key operations To monitor the progress of manual re-key operations, complete these steps: 1. Select Configure - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 114
modify the time left using CLI. For more information, see Chapter 3, "Configuring Brocade encryption using the CLI." To view the time left for auto re-key, follow these steps: 1. Select Configure > Encryption. The Encryption Center dialog box displays. 2. Select a group, switch, or engine from the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 115
Center dialog box displays. The dialog box shows the status of all encryption-related hardware and functions at a glance. It is the single launching point for all encryption-related configuration. 2. Select a switch or encryption engine from the Encryption Center Devices table, then select - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 116
key vault link is connected. Possible values are Unknown, Key Vault Not Configured, No Response, Failed authentication, and Connected. - Not Used - not used for SKM/ESKM key vaults. • Public Key Certificate text box - the switch's KAC certificate, which must be installed on the primary and backup - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 117
appliance. Refer to switch. Enabling and disabling the encryption engine state from Properties To enable the encryption engine, complete the following steps: 1. Select Configure > Encryption from the menu task bar. The Encryption Center dialog box displays. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 118
group properties, complete the following steps. 1. Select Configure > Encryption from the menu task bar. The task bar, or right-click a group and select Properties. NOTE If groups are not visible in the Encryption Center Devices table, - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 119
, or right-click a group and select Properties. NOTE You can also select a group from the Encryption mode - The group's failback mode, which can be automatic or manual. The failback mode can be changed by clicking on the field configured. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 120
and select Properties. NOTE You can also select Configuring - the member switch has responded and the group leader is exchanging information. This is a transient condition that exists for a short time after a switch is added or restored to a group. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 121
target but is not usable until the encryption target is manually configured on another encryption switch. CAUTION The encryption target data is visible in encrypted format when you attempt to remove a switch. Click Yes to proceed. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 122
Viewing and editing group properties FIGURE 84 Removal of switch warning A warning message displays when you attempt to remove an encryption group. Click Yes to proceed. FIGURE 85 Removal of switch in encryption group warning - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 123
if one or more authentication cards must be read by a card reader attached to a Management application PC to enable certain security-sensitive operations. NOTE Encryption is not allowed until the master key has been backed up. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 124
HA Clusters from the menu task bar, or right-click a group and select HA Clusters. NOTE You can also select a group from the Encryption Center Devices table, then click the Properties icon " on page 56 • "Invoking failback" on page 57 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 125
the menu task bar, or right-click a group and select Tape Pools. NOTE You can also select a group from the Encryption Center Devices table, then host backup application. If the same tape pool name or number is configured for an encryption group, tapes in that tape pool are encrypted according to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 126
tape pools in the switch are removed and must be added. 1. Select Configure > Encryption from default; however, you can change the tape pool label type to Number. FIGURE 89 Add Tape Pool by name dialog box FIGURE 90 Add Tape Pool by number dialog box - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 127
in another switch within a DEK Cluster environment. A DEK Cluster is a set of encryption engines that encrypt the same target storage device. DEK Clusters do not display in the Management application, they are an internal implementation feature and have no user-configurable properties. Refer to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 128
NOTE You cannot replace an encryption engine if it is part of an HA Cluster. For information about HA Clusters, refer to "HA Clusters tab" on page 104. For related information, see "Replacing an encryption engine in an encryption group" on page 53. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 129
Encryption-related acronyms in log messages Fabric OS log messages related to encryption components and features may have acronyms Encryption Engine EG Encryption Group HAC High Availability Cluster - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 130
- HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 131
144 •CryptoTarget container configuration 147 •Crypto LUN configuration 153 •Impact of tape LUN configuration changes 161 •Tape pool configuration 162 •Configuring a multi-path Crypto LUN 166 •First-time encryption 169 •Data re-keying 170 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 132
setup and configuration of the Brocade Encryption Switch (BES), DCX, or DCX-4S has been done as part of the initial hardware installation, including setting the management port IP address. For command syntax and description of parameters, refer to the Fabric OS Command Reference Manual. Command - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 133
Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine Encryption Switch management functions, including the following: • Configure virtual devices and crypto LUNs. • Configure LUN and tape associations. • Perform re-keying operations. • Perform firmware download - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 134
Encryption command RBAC availability and admin domain type (continued). Columns: Command name | User | Admin | Operator | SwitchAdmin | ZoneAdmin | FabricAdmin | BasicSwitchAdmin (O = observe, OM = observe and modify, N = not allowed). delete --container | N | OM | Disallowed | O | Disallowed | OM | Disallowed - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 135
of device container parameter configuration. --help -transcfg: Display the synopsis of transaction management. switch:admin> cryptocfg --help -nodecfg Usage: cryptocfg --help -nodecfg: Display the synopsis of node parameter configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 136
addresses are supported for cluster links. The following example configures a static IP address and gateway address for the bonded interface. switch:admin> ipaddrset -eth0 --add 10.32.33.34/23 switch:admin> ipaddrset -gate --add 10.32.1.1 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 137
7 SWITCH
Ethernet IP Address: 10.33.54.207
Ethernet Subnetmask: 255.255.240.0
Fibre Channel IP Address: none
Fibre Channel Subnetmask: none
Gateway IP Address: 10.33.48.1
DHCP: Off
eth0: 10.33.54.208/20
eth1: none/none
Gateway: 10.33.48.1
NOTE The IP address of the cluster link should be configured - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 138
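The two address/gateway pairs printed on this page make a useful smoke test before the ipaddrset change is committed. The following is an added example and not code from the Fabric OS guide or from Brocade/HP: it applies the rule the cluster-link procedure relies on (the default gateway must be a usable host address inside the bonded interface's own subnet, and the interface address must not be the network or broadcast address) to the ipaddrset pair above and to ipaddrshow-style output. The line layout of that output is an assumption modelled on the excerpt. On the values as printed here, 10.32.33.34/23 with gateway 10.32.1.1 fails the check (10.32.1.1 lies outside 10.32.32.0/23), while 10.33.54.208/20 with gateway 10.33.48.1 passes.

```python
"""Consistency check for Brocade cluster-link (eth0) addressing.

Added example, not from the Fabric OS guide. It checks what ipaddrset does
not check for you: the default gateway must be a usable host address inside
the bonded interface's own subnet, and the interface address must not be
the network or broadcast address.
"""
import ipaddress
import re


def check_link(addr_with_prefix, gateway):
    """Return a list of problems; an empty list means the pair is consistent."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    elif gw == iface.ip:
        problems.append("gateway equals the interface address")
    return problems


# Constructed sample in the layout of the ipaddrshow excerpt on this page
# (assumed layout: one 'eth0: a.b.c.d/len' line and one 'Gateway: a.b.c.d' line).
IPADDRSHOW_SAMPLE = """\
Ethernet IP Address: 10.33.54.207
Ethernet Subnetmask: 255.255.240.0
Gateway IP Address: 10.33.48.1
DHCP: Off
eth0: 10.33.54.208/20
eth1: none/none
Gateway: 10.33.48.1
"""


def parse_ipaddrshow(text):
    """Extract (eth0 address with prefix, gateway) from ipaddrshow-style output."""
    eth0 = re.search(r"^eth0:\s*(\S+)", text, re.M)
    gw = re.search(r"^Gateway:\s*(\S+)", text, re.M)
    if not eth0 or not gw:
        raise ValueError("eth0 or Gateway line missing from ipaddrshow output")
    return eth0.group(1), gw.group(1)


def check_ipaddrshow(text):
    """Run check_link() on the addresses found in ipaddrshow-style output."""
    return check_link(*parse_ipaddrshow(text))


if __name__ == "__main__":
    # The ipaddrset example printed on this page, then the ipaddrshow output.
    for addr, gw in (("10.32.33.34/23", "10.32.1.1"), ("10.33.54.208/20", "10.33.48.1")):
        print(addr, gw, check_link(addr, gw) or "ok")
    print("ipaddrshow:", check_ipaddrshow(IPADDRSHOW_SAMPLE) or "ok")
```

Run it against the output of ipaddrshow on the node before the reboot step that follows (or, on Fabric OS v6.4.0 and later, before the change takes effect), since a cluster link with an unreachable gateway only shows up later as a node that never converges into the group.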
Configuring cluster links Node is a group leader node 1. Log in to the group leader as Admin or SecurityAdmin. 2. Reboot the encryption switch/DCX (both using new IP address. NOTE A reboot is not needed beginning with Fabric OS v6.4.0. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 139
all keys created by Brocade encryption switches and blades. This needs to be done only once for each key vault. NOTE Currently, an encryption group containing both SKM and ESKM key vault types is not supported. 1. Log in to the SKM/ESKM management web console using the admin password. 2. Select the - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 140
Steps for connecting to an SKM or ESKM appliance The Brocade user name and password are now configured on SKM/ESKM. NOTE Fabric OS v6.2.x uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM. If you downgrade to version 6.2.x, the user name is overwritten to brcduser1, - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 141
(Figure 92). FIGURE 92 Creating an HP SKM/ESKM Local CA 5. Under Certificates Certificate Authority List Profiles. 6. Click on Default under Profile Name. 7. In the Trusted Certificate Brocade encryption group leader" on page 128. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 142
to go. - Enter the Key Size. HP recommends using the default value: 1024. (Caveat: a 1024-bit RSA key is below the 2048-bit minimum that NIST SP 800-131A has required for digital signature generation since the end of 2013; where the appliance and the Fabric OS release accept it, use 2048.) 4. Click Create Certificate Request. Under Certificates & CAs, select Local CAs. The Certificate and CA Configuration page is displayed. 9. From the CA Name column, select - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 143
the following check boxes: • Use SSL • Allow Key and Policy Configuration Operations • Allow Key Export 4. Click Edit. A warning message might display explaining that if you disable SSL, you must have TLS enabled for your web browser. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 144
, click the Device tab. 2. In the Device Configuration menu, click Cluster. The Create Cluster section displays. 3. Select and note the Local IP address. You will need this address when you add an appliance to the cluster. 4. For Local Port, use the default value of 9001 unless you are explicitly - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 145
10. Click Save. 11. Select the Device tab. 12. In the Device Configuration menu, click on Cluster. 13. Click on Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their defaults. 14. Type the original cluster member's local IP address into Cluster Member IP - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 146
encryption engines You must perform a series of encryption engine initialization steps on every Brocade encryption node (switch or blade) that is expected to perform encryption within the fabric. NOTE The initialization process overwrites any authentication data and certificates that reside on - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 147
3. Launch the SKM/ESKM administration console in a web browser and log in. 4. Select the Security tab. 5. Select Local CAs under Certificates & CAs. The Certificate and CA Configuration page displays. 6. Under Local Certificate Authority List, select the Brocade CA name. 7. Select Sign Request. The - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 148
SecurityAdmin:switch>cryptocfg --import -scp signed_kac_skm_cert.pem \ 192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem Password: brocade". SecurityAdmin:switch>cryptocfg --create -encgroup brocade Encryption group create status: Operation Succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 149
: Yes
Port for Key Vault Connection: 9000
Time of Day on Key Server: 2010-03-17 17:51:31
Server SDK Version: 4.8.1
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2010-03-17 17:22:05 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 150
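The status output above carries two facts worth checking mechanically after every key vault registration: whether the node's KAC certificate is reported valid, and how far apart the switch and key server clocks are, since certificate validity windows are evaluated against those clocks (on this page the two clocks differ by 29 minutes 26 seconds). The following is an added example, not code from the guide or from Brocade/HP. The command that produces this output is not named in the excerpt, and the sample text is constructed from the values printed on the page; the 300-second tolerance is this example's choice, not a Fabric OS setting.

```python
"""Post-registration check of the SKM/ESKM key vault status output.

Added example, not from the Fabric OS guide. It parses the 'label: value'
lines of the key vault status excerpt shown on this page and flags the two
things a practitioner wants to know before enabling encryption: whether the
node's KAC certificate is reported valid, and how far apart the switch and
key server clocks are.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed from the values in the excerpt on this page.
KEY_VAULT_STATUS = """\
Port for Key Vault Connection: 9000
Time of Day on Key Server: 2010-03-17 17:51:31
Server SDK Version: 4.8.1
Encryption Node (Key Vault Client) Information:
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2010-03-17 17:22:05
"""


def parse_status(text):
    """Return {label: value}; section headers with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: timestamps contain colons themselves.
        m = re.match(r"^\s*([^:]+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def clock_skew_seconds(fields):
    """Absolute difference, in seconds, between the key server and switch clocks."""
    server = datetime.strptime(fields["Time of Day on Key Server"], TS_FMT)
    switch = datetime.strptime(fields["Time of Day on the Switch"], TS_FMT)
    return abs(int((server - switch).total_seconds()))


def assess(text, max_skew_seconds=300):
    """Return a list of findings; an empty list means the vault link looks healthy.

    max_skew_seconds is this example's tolerance, not a Fabric OS setting.
    """
    fields = parse_status(text)
    findings = []
    if fields.get("Node KAC Certificate Validity") != "Yes":
        findings.append("node KAC certificate is not reported valid")
    skew = clock_skew_seconds(fields)
    if skew > max_skew_seconds:
        findings.append(f"switch/key server clock skew is {skew}s (limit {max_skew_seconds}s); "
                        "sync both to NTP before relying on certificate validity checks")
    return findings


if __name__ == "__main__":
    for finding in assess(KEY_VAULT_STATUS) or ["ok"]:
        print(finding)
```

A skew of this size does not by itself break the link, but it is exactly the condition under which a freshly signed KAC certificate can be rejected as "not yet valid" on one side and accepted on the other, so it belongs in the same checklist as the certificate import.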
user name and password The Brocade group user name and password you created when configuring a Brocade group on the SKM/ESKM must also be registered on each Brocade encryption node. 1. Log in to the switch as Admin or SecurityAdmin. 2. Register the HP SKM/ESKM Brocade group user password and user - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 151
refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures. Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch is same as DEK Creation. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 152
appliance Tape LUN support • DEK Creation or secondary SKM/ESKM key vault from an encryption switch or blade is allowed independently. Both the primary in an enabled state. See "Initializing the Brocade encryption engines" on page 126. After adding - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 153
are stored by default in a predetermined switch>cryptocfg --export -scp CPcert \ 192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem Password switch>cryptocfg --import -usb enc_switch1_cp_cert.pem \ enc_switch1_cp_cert.pem Operation succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 154
execution of this command distributes all necessary node authentication data to the other members of the group. SecurityAdmin:switch>cryptocfg --reg -membernode \ 10:00:00:05:1e:39:14:00 enc_switch1_cert.pem 10.32.244.60 Operation succeeded. NOTE The order in which member node registration is - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 155
Not configured Alternate Note that the Brocade SAN Password: Operation succeeded. 5. Display the group membership information. Verify that the master key ID for all member nodes is the same. SecurityAdmin:switch>cryptocfg --show -groupmember -all NODE LIST - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 156
encryption group brocade with two member nodes, one group leader and one regular member. No key vault or HA cluster is configured, and the values for master key IDs are zero. SecurityAdmin:switch>cryptocfg -- 00:00:00:00:00:00:00:00:00 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 157
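The verification step above ("verify that the master key ID for all member nodes is the same") is easy to automate, and the same pass should also catch the all-zero key ID the page describes, because a group with no master key cannot create DEKs or encrypted LUNs until the key exists and has been backed up. The following is an added example, not code from the guide or from Brocade/HP. The line layout of the cryptocfg --show -groupmember -all output is an assumption modelled on the fragments printed on this page; the member node WWN 10:00:00:05:1e:39:14:00, its address 10.32.244.60 and the key ID 15:30:f0:...:91:fc are taken from the page, and the leader's WWN, its address and the "Saved" state are made up for the sample.

```python
"""Verify master key consistency across encryption group members.

Added example, not from the Fabric OS guide. It parses cryptocfg --show
-groupmember -all output (layout assumed from this page's excerpts), checks
that every node reports the same current master key ID, and flags the
all-zero ID that means no master key has been generated yet.
"""
import re

ZERO_KEYID = ":".join(["00"] * 16)

# Constructed: a fresh two-node group before master key generation.
GROUPMEMBER_FRESH = """\
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
  State: DEF_NODE_STATE_DISCOVERED
  Role: GroupLeader
  IP Address: 10.32.244.71
  Current Master Key State: Not configured
  Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  Alternate Master Key State: Not configured
  Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Node Name: 10:00:00:05:1e:39:14:00
  State: DEF_NODE_STATE_DISCOVERED
  Role: MemberNode
  IP Address: 10.32.244.60
  Current Master Key State: Not configured
  Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  Alternate Master Key State: Not configured
  Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
"""

# Constructed: the leader holds the key ID shown in this page's
# --recovermasterkey example while the member still reports zeros.
GROUPMEMBER_MISMATCH = GROUPMEMBER_FRESH.replace(
    "  Current Master Key State: Not configured\n"
    "  Current Master KeyID: " + ZERO_KEYID,
    "  Current Master Key State: Saved\n"
    "  Current Master KeyID: 15:30:f0:f3:5c:2b:28:ce:cc:a7:b4:cd:7d:2a:91:fc",
    1,
)

WWN_RE = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
KEYID_RE = r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}"


def parse_groupmember(text):
    """Return one {wwn, current, alternate} dict per node, in output order."""
    nodes = []
    for line in text.splitlines():
        m = re.match(r"^Node Name:\s*(" + WWN_RE + ")", line)
        if m:  # anchored at column 0, so 'Group Leader Node Name:' does not match
            nodes.append({"wwn": m.group(1)})
            continue
        m = re.match(r"^\s*(Current|Alternate) Master KeyID:\s*(" + KEYID_RE + ")", line)
        if m and nodes:
            nodes[-1][m.group(1).lower()] = m.group(2)
    return nodes


def check_master_keys(nodes):
    """Return findings about the current master key; an empty list means consistent."""
    findings = []
    ids = {n.get("current") for n in nodes}
    if len(ids) > 1:
        findings.append("member nodes disagree on the current master key ID: "
                        + ", ".join(sorted(str(i) for i in ids)))
    if ZERO_KEYID in ids:
        findings.append("current master key ID is all zeros on at least one node: "
                        "no master key has been generated, so no DEKs or encrypted LUNs can be created")
    return findings


if __name__ == "__main__":
    for label, text in (("fresh group", GROUPMEMBER_FRESH), ("after leader genmasterkey", GROUPMEMBER_MISMATCH)):
        print(label, check_master_keys(parse_groupmember(text)) or "consistent")
```

The disagreement case is the one that matters operationally: a member whose master key ID differs from the leader's cannot unwrap the group's DEKs, so the check belongs after every master key generation or restore and after every node is added to the group.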
for instructions. • Configuration changes must be committed before they take effect. Any operation related to an HA cluster that is performed without a commit operation will not survive across switch reboots, power cycles, CP failover, or HA reboots. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 158
nodes for true redundancy. This is always the case for Brocade encryption switches, but is not true if two FS8-18 blades in the same DCX or DCX-4S chassis are configured in the same HA cluster. In Fabric OS v6.3.0 and later releases, HA cluster creation is blocked when encryption engines belonging - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 159
transaction. NOTE You cannot add the same node to the HA cluster. Failover/failback policy configuration Failover/ default. • manual - Enables manual failback mode. In this mode, failback must be initiated manually when an encryption switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 160
NOTE You will need to remember the exported master key ID and the passphrase you used when exporting the master key. A new subcommand is available to list the exported master key IDs for a given master key. cryptocfg --show -mkexported_keyids - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 161
from the second master key export cryptocfg --recovermasterkey currentMK -keyID 15:30:f0:f3:5c:2b:28:ce:cc:a7:b4:cd:7d:2a:91:fc Enter passphrase: Recover master key status: Operation Succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 162
exported master key IDs associated with a given (actual) master key. NOTE You will need to remember the exported master key ID and the passphrase you used when exporting the master key. A new subcommand is available to list the exported master key IDs for a given master key. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 163
cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade. NOTE Every time a Brocade Encryption Switch, or a DCX or DCX-4S chassis containing one or more FS8-18 blades, goes through a power cycle event, or after issuing slotpoweroff followed by slotpoweron - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 164
going through a regular zone or a redirection zone. 1. Check the default zoning setting. Commonly, it will be set to All Access.
switch:admin> defzone --show
Default Zone Access Mode
committed - All Access
transaction - No Transaction - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 165
ALL target ports in sequence, including adding the hosts that should gain access to these targets. Host-target zoning must precede any CryptoTarget configuration. NOTE To enable frame redirection, the host and target edge switches must run Fabric OS v6.1.1 and Fabric OS v5.3.1.b or later firmware to - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 166
new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable 'itcfg' configuration (yes, y, no, n): [no] y zone config "itcfg" is in effect Updating flash ... - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 167
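The guide requires host-target zoning to be in place before any CryptoTarget configuration, and the cfgenable dialogue above is the step that makes a zone effective. A zone that has only been saved (present under "Defined configuration" but not under "Effective configuration") does not satisfy that requirement, which is the mistake the following added example catches. It is not code from the guide or from Brocade/HP: it parses cfgshow-style output, whose layout is assumed from the Fabric OS zoning CLI, and reports whether an initiator PWWN and a target PWWN share at least one effective zone. The initiator PWWN 10:00:00:00:c9:2b:c9:3a is the one used on this page; both target PWWNs and the zone names are constructed.

```python
"""Pre-flight check: is the host zoned with the target in the *effective* config?

Added example, not from the Fabric OS guide. It parses the 'Effective
configuration:' section of cfgshow-style output (layout assumed from the
Fabric OS zoning CLI) and reports whether an initiator and a target PWWN
share at least one effective zone. Zones that exist only in the Defined
configuration (saved with cfgsave but never enabled) do not count.
"""
import re

# Constructed sample. The initiator PWWN is the one used on this page; both
# target PWWNs are made up. 'bkupzone' is defined but not in the effective cfg.
CFGSHOW_SAMPLE = """\
Defined configuration:
 cfg:   itcfg   itzone
 zone:  itzone  10:00:00:00:c9:2b:c9:3a; 20:0c:00:06:2b:0f:72:6d
 zone:  bkupzone
                10:00:00:00:c9:2b:c9:3a; 50:06:0e:80:10:4e:1c:01

Effective configuration:
 cfg:   itcfg
 zone:  itzone  10:00:00:00:c9:2b:c9:3a
                20:0c:00:06:2b:0f:72:6d
"""


def parse_effective_zones(cfgshow):
    """Return {zone_name: set(members)} for the Effective configuration only."""
    zones, current, in_effective = {}, None, False
    for raw in cfgshow.splitlines():
        line = raw.strip()
        if line.startswith("Effective configuration:"):
            in_effective = True
            continue
        if line.startswith("Defined configuration:"):
            in_effective = False
            continue
        if not in_effective or not line or line.startswith("cfg:"):
            continue
        m = re.match(r"^zone:\s+(\S+)\s*(.*)$", line)
        if m:
            current = m.group(1)
            zones[current] = set()
            line = m.group(2)
        if current is None:
            continue
        # Members are separated by ';' and/or whitespace and may continue on
        # the following indented lines; WWNs are normalised to lower case.
        zones[current].update(tok.lower() for tok in re.split(r"[;\s]+", line) if tok)
    return zones


def zoned_together(zones, initiator, target):
    """Sorted names of the zones that contain both PWWNs."""
    a, b = initiator.lower(), target.lower()
    return sorted(name for name, members in zones.items() if a in members and b in members)


def preflight(cfgshow, initiator, target):
    """Human-readable verdict for one initiator/target pair."""
    common = zoned_together(parse_effective_zones(cfgshow), initiator, target)
    if not common:
        return (f"FAIL: {initiator} and {target} share no effective zone; "
                "zone them (and cfgenable) before creating the CryptoTarget container")
    return f"OK: zoned together in {', '.join(common)}"


if __name__ == "__main__":
    host = "10:00:00:00:c9:2b:c9:3a"
    for tgt in ("20:0c:00:06:2b:0f:72:6d", "50:06:0e:80:10:4e:1c:01"):
        print(preflight(CFGSHOW_SAMPLE, host, tgt))
```

Run the check for every initiator/target pair that will become a CryptoTarget container and Crypto LUN path; with the default zone set to All Access (as shown above) hosts can still see targets with no effective zone at all, which is exactly why a missing zone is not noticed until frame redirection is enabled.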
" is in effect Updating flash ... CryptoTarget container configuration A CryptoTarget container is a configuration of virtual devices created for each target port hosted on a Brocade Encryption Switch or FS8-18 blade. The container holds the configuration information for a single target, including - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 168
multiple hosts, follow the instructions described in the section "Configuring a multi-path Crypto OS v6.4 or a later release to support manual intervention may be needed. • Backup jobs to tapes may need to be restarted after rebalancing completes. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 169
fabric or in a different fabric based on host MPIO configuration. A given host port through which the LUNs are accessible is hosted on the same encryption switch on which the target port (CryptoTarget container) of the LUNs is hosted. NOTE It is recommended you complete the encryption group and HA - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 170
. Refer to the section "Configuring a multi-path Crypto LUN" on page 166 for specific instructions. 5. Display the CryptoTarget container configuration. The virtual initiator and virtual target have been created automatically upon commit, and there are no LUNs configured yet. FabricAdmin:switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 171
every CryptoTarget container that is configured with this initiator. NOTE Stop all traffic between the initiator you intend to remove and its respective target ports. Failure to do so path ends up being exposed through the encryption - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 172
leader as Admin or FabricAdmin. switch and another path has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section "Configuring a multi-path Crypto LUN" on page 166 for more information. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 173
engine. NOTE If a CryptoTarget container is moved in a configuration involving FCR, the LSAN zones and manually created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section "Deployment in Fibre Channel routed fabrics" on page 183 for instructions on configuring - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 174
container, you must specify a LUN Number. The LUN Number needed for configuring a given Crypto LUN is the LUN Number as exposed to a particular initiator. The Brocade Encryption platform provides LUN discovery services through which you can identify the exposed LUN number for a specified initiator - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 175
configuration that exceeds this maximum will fail. Note leader as Admin or Refer to the section "Configuring a multi-path Crypto LUN" on page 166. 4. Display the LUN configuration. The following example shows default values. FabricAdmin:switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 176
I/O operations. If this support requirement is not met, the Brocade encryption solution will not values are: • cleartext - Default LUN state. Refer to policy configuration considerations for compatibility with other policy Brocade) mode. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 177
modes are supported: • disable - Disables tape read-ahead; the tape LUN operates in unbuffered mode. • enable - Enables tape read-ahead; the tape LUN operates in buffered mode. The default value is enable. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 178
c. Commit the transaction. FabricAdmin:switch>cryptocfg --commit Operation Succeeded 3. Configure the Crypto tape LUN. Refer to the section "Configuring a Crypto LUN" on page 154 for instructions. a. Discover the LUN. FabricAdmin:switch>cryptocfg --discoverLUN my_tape_tgt Container name - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 179
leader as Admin or FabricAdmin. 2. Enter the cryptocfg --remove -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch>cryptocfg --remove -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a Operation Succeeded 3. Commit the configuration with - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 180
in sequence for each of the Crypto Target containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 166. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 181
and -enable_rekey are disabled by default, and you must configure both options again. • When NOTE Make sure all the outstanding backup and recovery operations on the media are completed before changing the LUN configuration - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 182
LUN as Admin or FabricAdmin. 2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN. FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \ 10:00:00:00:c9:2b:c9:3a Operation Succeeded Tape pool configuration Tape pools - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 183
switch or blade must be the same tape pool label configured on the tape backup application. • Refer to the tape backup product documentation for detailed instructions for creating tape pool labels and numbers. NOTE switch or blade. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 184
The following example creates a tape pool named "my_tapepool". FabricAdmin:switch>cryptocfg --create -tapepool -label my_tapepool Operation succeeded. 3. Commit the transaction. FabricAdmin:switch>cryptocfg --commit Operation succeeded. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 185
within the pool: Operation succeeded. 5. Configure the tape pool on your backup application with the same tape pool label you used to create the tape pool on the encryption switch or blade. Refer to the manufacturer's product documentation for instructions. 6. On your backup application, label - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 186
on a dual-port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 187
Creating an initiator - target zone" on page 145 for instructions. 3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until you have created all CryptoTarget containers and added all - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 188
add -initiator e. Commit the configuration. FabricAdmin:switch>cryptocfg --commit Upon commit, redirection zones are created for target port 1, host port 1 and target port 2, host port 2. These redirection zones include the virtual target VT1 for CTC1, the virtual - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 189
Commit the LUN configuration. FabricAdmin:switch>cryptocfg --commit NOTE There is a 25 LUN transaction limit per commit operation. Make sure to issue commit after adding 24 LUNs (12 LUNs and is referred to as "in-place encryption." - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 190
encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 156 for more information. The following example configures a LUN for first time as every six months or once per year. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 191
re-keying support for tape media configured in the following way: • Set LUN policy as either cleartext or encrypt. • If cleartext is enabled (default Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 156 for more information. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 192
00:00:00:c9:2b:c9:3a -enable_rekey 90 Operation Succeeded 3. Commit the configuration. FabricAdmin:switch>cryptocfg --commit Operation Succeeded Initiating a manual re-key session You can initiate a re-keying session manually at your own convenience. All encryption engines in a given HA cluster, DEK - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 193
or the switch comes back up. You cannot abort an in-progress re-key operation. • An unrecoverable error is encountered on the LUN and the in-progress re-key operation halts. The following LUN errors are considered unrecoverable: SenseKey: 0x3 - Medium Error. SenseKey: 0x4 - Hardware Error. SenseKey - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 194
:37:99 Operation Succeeded 2. Check the status of the resumed re-key session. FabricAdmin:switch> cryptocfg --show -rekey -all • Read all data off the LUN and write it " on page 159 for instructions on how to remove a LUN by force. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 195
clusters 180 • Multiple paths, DEK cluster, no HA cluster 182 • Deployment in Fibre Channel routed fabrics 183 • Deployment as part of an edge fabric 185 • Deployment with FCIP extension switches 186 • VMware ESX server deployments 187 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 196
T2. Host port 1 is zoned with target port 1, and host port 2 is zoned with target port 2 to enable the redirection zoning needed to redirect traffic to the correct CTC. FIGURE 96 Single encryption switch, two paths from host to target - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 197
[Figure labels: Core, Target Edge Switch, Virtual Target, Encryption Switch, Virtual Initiator, Target, Cluster Link, Dedicated Cluster Network LAN, Ciphertext, Cleartext] FIGURE 97 Single fabric deployment - HA cluster - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 198
cluster LAN. The Ge1 and Ge0 gigabit Ethernet ports on each of these switches are attached to this LAN. This LAN connection provides the communication needed to distribute and synchronize configuration information, and enable the two switches to act as a high availability (HA) cluster, providing - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 199
dual fabric SAN. Both fabrics have dual core directors and several host and target edge switches in a ports on each of these switches are attached to this LAN. encryption switches 1 and 3 act as a high availability cluster in fabric 1, providing automatic - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 200
configuration with a DEK cluster that includes two HA clusters, with multiple paths to the same target device. [Figure labels: Management Link, Management Network LAN, Host, CTC2, DEK Cluster, Host Port 1, Encryption Switch 2, GE Port(s), HA Cluster1, Encryption Switch] - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 201
to target port 3 and target port 4 in fabric 2. • There are four Brocade encryption switches organized in HA clusters. • HA cluster 1 is in fabric 1, and HA cluster 2 is in fabric 2. • There is one DEK cluster, and one encryption group. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 202
port 1 and target port 2 in fabric 1. • Host port 2 is zoned with target port 3 and target port 4 in fabric 2. • There are two encryption switches, one in each fabric (no HA cluster). • There is one DEK cluster and one encryption group. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 203
with the host and target edge fabrics using device sharing between backbone and edge fabrics. FIGURE 102 Encryption switch connected to FC router as part of backbone fabric FIGURE 103 Encryption switch as FC router and backbone fabric - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 204
initiator in both the host and target edge fabrics. The CLI command is zone --rdcreate [host wwn] [target wwn] Refer to the Fabric OS Administrator's Guide for information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 205
Switch E_Port Backbone Fabric Host Extension Switch in the target edge fabric. The CLI command is zone --rdcreate [host Refer to the Fabric OS Administrator's Guide for information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 206
switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric OS Administrator's Guide for information about creating FCIP configurations. NOTE FCIP link. If the encryption services are enabled for the host and the remote target, the encryption switch can take clear text from - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 207
[Figure labels: Io Sync Link, Dedicated Cluster Network LAN, IO Sync Link, CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster, CTC2 - CTC for Target Port T2 hosted on BES2 in DEK Cluster] FIGURE 106 VMware ESX server, One HBA per guest OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 208
[Figure labels: Sync Link, Dedicated Cluster Network LAN, IO Sync Link, CTC1 - CTC for Target Port T1 hosted on BES1 in DEK Cluster, CTC2 - CTC for Target Port T2 hosted on BES2 in DEK Cluster] FIGURE 107 VMware ESX server, One HBA shared by two guest OS - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 209
and Special Topics 5 In this chapter • Firmware download considerations 190 • Configuration upload and download considerations 192 • HP-UX considerations 195 • AIX Considerations 195 • Enable Practices 204 • Tape Device LUN Mapping 204 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 210
one at a time for all switches in the DEK cluster to ensure that a host MPIO failover path is always available. Firmware upgrades and downgrades A downgrade to Fabric OS v6.2.0 results in the loss of the following functionality: • Fabric OS v6.2.0 supports only one HP SKM/ESKM key vault. Registering - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 211
could lead to IBM SVC nodes going offline and into service mode when there is no encryption engine online. NOTE If IBM SVC nodes go offline and into service mode, all SVC ports are affected and not just those configured for encryption operations. Data-at-rest encryption, crypto target containers - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 212
the node 1 (BES1). Refer to the Fabric OS Administrator's Guide if necessary to review firmware download procedures. 6. After firmware download is complete and node 1 (BES1) is back up, make sure the encryption engine is online. 7. On node 1 (BES1) initiate manual failback of CryptoTarget containers - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 213
switch prior to configuration download. 4. Create an encryption group with the same name as in configuration upload information for the encryption group leader node. 5. Import Authentication Card Certificates onto the switch prior to configuration download. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 214
information is applied locally to the encryption group leader. Configuration download at an encryption group member Switch specific configuration information pertaining to the member switch or blade is applied. Information specific to the encryption group leader is filtered out. Steps after - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 215
). NOTE When an EMC-CX3 storage array is used with HP-UX the CX3 array exposes both 0x0 and 0x4000 LUNs to the HP-UX host. 0x0 and 0x4000 LUNs have the same LSN. Both must be added as cleartext. AIX Considerations Ensure that Dynamic Tracking is set to "Yes" for all Fibre Channel adapters - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 216
format (such as native Brocade format or DF-compatible), and optionally specify a key life span for the tape pool. Tape pools are unique across an encryption group. Tape pool configuration takes precedence over LUN level configuration. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 217
and default LUN rewind). Note the following Configuring CryptoTarget containers and LUNs The following are best practices to follow when configuring CryptoTarget containers and crypto LUNs: • Host a target port on only one encryption switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 218
issuing cfgtransshow CLI command. • LUNs are uniquely identified by the encryption switch or FS8 ports) are connected to an edge switch in a fabric, and not directly to Encryption switch/blade ports. • Always use the following process when configuring - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 219
Admin Domains (AD) Virtual devices created by the encryption device do not support the AD feature in this release denial of encryption services. Do not use port as the actual tape SCSI I/O LUN, create a CryptoTarget container for the target port switch or blade capabilities, and does not cause problems - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 220
. The I/O sync links (the Ethernet ports labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to enable proper handling of re-key state synchronization in high availability (HA cluster) configurations. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 221
configuration while re-keying Never change the configuration of any LUN that belongs to a Crypto Target Container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN's settings during manual / - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 222
, Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight initiator ports to one target port, in terms of the number of distinct initiator ports to a Crypto Container (i.e., a virtual target port corresponding to the physical target port). - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 223
. NOTE If the performance license is not installed, 48 Gbps of full duplex encryption bandwidth is available of the encryption engine, Each of the six encryption blocks will use two ports instead of four, reducing the fan-in ratio by a factor of two. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 224
for true redundancy. This is always the case for Brocade encryption switches, but is not true if two FS8-18 blades in the same DCX or DCX-4S chassis are configured in the same HA cluster. In Fabric OS v6.3.0 and later releases, HA cluster creation is blocked when encryption engines belonging - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 225
wizard troubleshooting 231 • LUN policy troubleshooting 234 • Loss of encryption group leader after power outage 235 • MPIO and internal LUN states 236 • FS8-18 blade removal and replacement 237 • BES removal and replacement 238 • Reclaiming the WWN base of a failed Brocade Encryption Switch 244 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 226
command. Refer to the section "Replacing an HA cluster member" on page 209 for instructions. FIGURE 109 Removing a node from an encryption group The procedure for removing a node depends on the node's status within an encryption group. HA cluster membership and Crypto LUN configurations must be - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 227
58:2c:96:7e Alternate Master Key State: Not configured Alternate by the node WWN. SecurityAdmin:switch>cryptocfg --dereg -membernode 10:00 ensure that the VI/VT WWNs are reclaimed. Refer to "cryptocfg --reclaimWWN" commands. ARE YOU SURE - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 228
and tape pool configurations for the group. The following example deletes the encryption group "brocade". 1. Log in to the Group Leader as Admin or SecurityAdmin. 2. Enter the cryptocfg --delete -encgroup command followed by the encryption group name. SecurityAdmin:switch> cryptocfg --delete - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 229
. SecurityAdmin:switch>cryptocfg --show -hacluster -all Encryption Group Name: brocade Number of HA Clusters: 1 HA cluster name: HAC3- 2 EE entries Status: Committed WWN Slot Number Status 10:00:00:05:1e:53:89:dd 0 Online - Failover active 10:00:00:05:1e:53:fc:8a 0 Offline NOTE In - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 230
the DCX/DCX-4S and the slot number of the encryption engine to be removed. 4. Invoke the cryptocfg --commit command to sync the configuration in the encryption group. 5. After the transaction is committed, remove the failed encryption engine from the encryption group. FIGURE 110 Replacing a failed - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 231
commit command to sync the configuration in the encryption group. 5. leader as Admin or SecurityAdmin switch>cryptocfg --delete -hacluster HAC1 Delete HA cluster status: Operation succeeded. 3. Enter the cryptocfg --commit command to commit the transaction. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 232
leader as Admin or manual failback is issued. SecurityAdmin:switch>cryptocfg --failback -EE 10:00:00:05:1e:53:89:dd 0 \ 10:00:00:05:1e:53:fc:8a 0 Operation succeeded. • After the failback completes, the cryptocfg --show -hacluster -all command no longer reports active failover. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 233
manual recovery services. configurations across all member nodes. cryptocfg --commit NOTE When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 234
configurations and services that failed over earlier to N1 fail back to N3. The node resumes its normal function. If auto failback policy is not set, invoke a manual failback if required. Refer to the section "Performing a manual failback of an encryption engine" on page 212 for instructions - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 235
encryption engines' encryption services continue to function manual) on any of the nodes. Refer to the section "Configuration impact of encryption group split or node isolation" on page 222 for more information on which configuration changes are allowed. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 236
cannot start any re-key operations (auto or manual) on any of the nodes. Refer to the section "Configuration impact of encryption group split or node isolation" the crypto-device configuration from the group leader to all member nodes. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 237
. The default value is 2 seconds. Valid values are integers in the range between 1 and 30 seconds. NOTE The collective time allowed (the heartbeat time-out value multiplied by the heartbeat misses) cannot exceed 30 seconds (this is enforced by Fabric OS). EG split possibilities requiring manual - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 238
split manual recovery NOTE If one or more EG status displays as CONVERGED, contact technical support as the following procedure will not work. To re-converge the EG, you will need to perform a series delete the associated EG. NOTE One additional step is node EG split manual recovery example". 5. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 239
EG split manual recovery example others as CLUSTER_STATE_DEGRADED then contact technical support. In our case, assume the :00:05:1e:c1:9a:86 needs to be deregistered. Switch:admin > cryptocfg --show -groupmember -all NODE LIST Total Number - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 240
group. NOTE If you have four encryption nodes that have split into a pair of two node encryption groups, refer to " :admin->cryptocfg --delete -encgroup This will permanently delete the encryption group configuration - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 241
admin->cryptocfg --show -groupcfg Node182:admin->cryptocfg --show -groupcfg Both nodes will now show a two node CONVERGED EG in which Node182 is the group leader node and Node181 is a member node. The above manual configuration converged. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 242
an encryption engine TABLE 8 Disallowed Configuration Changes Configuration Type Disallowed configuration changes Security & key vault HA manual re-keying session • Performing a manual failback of containers • Deleting a CryptoTarget container - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 243
With the introduction of Fabric OS 7.0.0, you can run key vault diagnostics tests to identify any key vault connectivity or key operation errors. You configure the key vault diagnostic test using the cryptocfg --kvdiag command. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 244
vault connectivity from the Brocade Encryption Switch and possible version, configuration, or cluster information of ) • Key Vault IP/Port • KV firmware version • Time of day on the KV • Key class and format on the KV configured for the user group • - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 245
the key vault and indicates the possible issue with configuration or setup that needs manual intervention, such as synchronization of keys or reissuing certificates command information, refer to the Fabric OS Command Reference v7.0.0. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 246
for failures you might encounter while configuring switches using the CLI. TABLE 9 Command General troubleshooting tips using the CLI Activity supportsave configshow cfgshow nsshow switch:SecurityAdmin> cryptocfg --show -groupcfg switch:SecurityAdmin> cryptocfg --show -groupmember -all Check - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 247
. Failure to do so results in unsuccessful HA Cluster creation. If the IP addresses for these ports were configured after the encryption engine is enabled, reboot the encryption switch or slotpoweroff/slotpoweron the encryption blade to sync up the IP address information to the encryption engine - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 248
6 General encryption troubleshooting TABLE 10 Problem General errors and conditions Resolution A performance drop occurs when using DPM on a Microsoft Windows the cryptocfg --show -hacluster -all command on the group leader node. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 249
using the CLI 6 Troubleshooting examples using the CLI Encryption Enabled Crypto Target LUN The LUN state should be Encryption enabled for the host to see the Crypto LUN. switch:FabricAdmin> 26 19:28:27 2008 Operation succeeded - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 250
6 Troubleshooting examples using the CLI Encryption Disabled Crypto Target LUN If the LUN state is Encryption Disabled the host will not be able to access the Crypto LUN. switch:FabricAdmin> cryptocfg :28:27 2008 Operation succeeded - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 251
dialog box. 2 Re-run the Configure Switch Encryption wizard for the switch. Manual Option: 1 Save the switch's public key certificate to a file using the Switch Encryption Properties dialog box. 2 Follow the Key Vault instructions. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 252
the Configure Switch Encryption wizard for the switch. Manual Option: 1 Launch the Switch Encryption Properties dialog box. 2 Save the switch's public key certificate to a file using the Switch Encryption Properties dialog box. 3 Follow the Key Vault instructions for the key vault. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 253
fails on the encryption engine after the encryption engine is zeroized. Reboot the switch. Configuration Commit fails with message "Default zone set to all access at one of nodes in EG." Default zoning must be set to no access. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 254
troubleshooting problems related to LUN policies. TABLE 14 LUN policy troubleshooting Case Reasons for the LUN getting disabled by Action taken the encryption switch it back • Bounce the target port Then issue the cryptocfg --discoverLUN command - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 255
the power-cycle. Brocade Encryption Switch. cryptocfg --reclaimWWN -membernode 3. Synchronize the crypto configurations across all member nodes. cryptocfg --commit NOTE When attempting to reclaim a failed Brocade Encryption Switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 256
that only one path is active to the LUN, but the Brocade Encryption Switch internal LUN states for both paths will now likely be displayed as Encryption Enabled. In active/passive storage array environments, for troubleshooting purposes, you may want to update the encryption engine Internal LUN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 257
this example, slot 4) in the chassis. 6. Connect the IO sync ports to the same private LAN as the IO sync ports of the failed blade, and confirm that the IP addresses of the I/O sync ports (Ge0 and Ge1) are the same as the previous IP addresses. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 258
• When the Brocade Encryption Switch has failed • When the Brocade Encryption Switch has not failed When BES3 has failed, complete the following steps: 1. Deregister BES3 from the encryption group. cryptocfg --dereg -membernode - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 259
same private LAN as the IO sync port of the failed node. 7. Run the following command on the ejected member node: cryptocfg --reclaimWWN -cleanup NOTE Do not reconnect the FC cables yet. 8. Power on the new Brocade Encryption Switch. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 260
Brocade Encryption Switch. cryptocfg --zeroizeEE The Brocade Encryption Switch reboots automatically. 11. If the encryption group has a system card authentication import the New Brocade Encryption Switch node certificate on register the New Brocade Encryption Switch node as a from the HP SKM/ESKM - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 261
"Brocade." 24. Create the username and password on the new node same as created on the HP SKM/ESKM appliances. Use the following command: cryptocfg --reg -KACLogin 25. From the new Brocade Encryption Switch, run the following command to set the default zone as "allaccess" so the configuration from - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 262
configuration stored on the Brocade Encryption Switch you are replacing using the FOS configupload command. 2. Power off the Brocade Encryption Switch. 3. Remove the Mgmt Link, IO links and FC cables from Brocade Encryption Switch making note - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 263
as allaccess on the new Brocade Encryption Switch, so the configuration from Fabric is pushed to new Brocade Encryption Switch. 23. Run the following command on the new Brocade Encryption Switch: cfgsave 24. Connect the FC Cables to the new Brocade Encryption Switch. 25. Run the cfgsave command - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 264
Brocade Encryption Switch. cryptocfg --reclaimWWN -membernode [-list] 3. Synchronize the crypto configurations across all member nodes. cryptocfg --commit NOTE When attempting to reclaim a failed Brocade Encryption Switch - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 265
membernode 5. Enter the following command on BES3 to clean up the encryption configuration on the deregistered node: cryptocfg --reclaimWWN -cleanup When prompted, enter yes to each 4 When prompted, answer yes. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 266
BES2 from EG1 to EG2. TABLE 17 Moving a Brocade Encryption Switch from one EG to another EG Encryption group Nodes the VI/VT WWN base for the Brocade Encryption Switch to be moved out of EG1. on BES2 to clean up the encryption configuration on the deregistered node: cryptocfg --reclaimWWN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 267
first-time encryption, then commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 268
6 Removing stale rekey information for a LUN - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 269
engine security processor (SP) state Description Not available Not Brocade Encryption Switch or DCX Not Ready Fail to connect to blade Starting for more details. Encryption engine is operational, but EG is not configured or EG information is not available. Check EG status. Encryption engine - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 270
(current MK or None primary KV link key) Mismatch Primary KEK is not configured. Primary KEK mismatch between the CP and the SP. Match/Valid Primary KEK Table 21 lists LUN states that are specific to tape LUNs. TABLE 20 LUN state - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 271
LUN_KEY_EXPR_REKEY_PENDING Key expired re-key is pending. LUN_MANUAL_REKEY_PENDING Manual re-key is pending. LUN_DECRYPT_PENDING Data decryption is failure). LUN_DIS_WR_META_ACK_ERR Disabled (Write metadata back with failure). - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 272
(LUN not connected or supported). LUN_DIS_CFG_KEY_NOT_FOUND Disabled (Unable to retrieve key by key ID specified from configuration). LUN_DIS_META_FOUND Disabled (Data cleartext). LUN_STATE_UNKNOWN State of the LUN is unknown. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 273
Brocade support. Target port is not currently in the fabric. Check connections and L2 port state. The target port is active, but this particular Logical Unit is not supported by that target. This indicates a user configuration text. The encryption switch or blade has full read/write access, because - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 274
The tape medium or its current tape policy is DataFort-compatible mode, but The encryption switch or blade does not have the appropriate license to enable this feature. The tape medium in a RASLOG and ABORTED COMMAND returned to host. - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 275
-haclustermember, 139 --add -initiator, 150, 158, 168 --add -LUN, 155, 168, 170, 171 B Brocade Encryption Switch See switch C CLI general errors and resolution, 226 using to configure encryption switch or blade, 112 command RBAC permissions, 113 command validation checks, 112 commands ipaddrset, 116 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 276
scenarios deployment as part of an edge fabric, 185 deployment in fibre channel routed fabrics, 183 deployment with FCIP extension switches, 186 dual fabric deployment, 179 single fabric deployment, 177, 178 deployment with admin domains (AD), 199 deregister command, --dereg -membernode, 207 DHCP for - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 277
for adding a switch to a new group, 232 for adding a switch to an existing group, 231 error recovery instructions for adding a switch to an existing group, 231 errors related to the CLI, 226 export commands --export, 133 --exportmasterkey, 135 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 278
support for high availability (HA), 32, 124 LUN adding Crypto LUN to CryptoTarget container, 154 adding to a CryptoTarget container, 154 choosing to be added to an encryption target container, 70 configuration warning, 148, 150, 151, 152, 153, 154 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 279
regEE, 127 re-keying configuring a LUN using the CLI, 171 definition of offline, 171 definition of online, 171 encrypted data on a LUN, 170 initiating a manual session, 172 modes, 171 236 role based access control (RBAC) permissions for - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 280
, 226 general encryption using the CLI, 226 general errors related to the Configure Switch Encryption wizard, 233 management application wizard, 231 nsshow command, 226 supportsave command, 226 troubleshooting examples using the CLI, 229 turn off compression on extension switches, 200 turn off host - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 281
configuration, 147 virtual targets, description of in an encryption configuration, 147 Z zeroize command --zeroize, 126 zeroizing effects of using on encryption engine, 88 zone creating an initiator-target using the CLI, 145 - HP Brocade 8/12c | Fabric OS Encryption Administrator's Guide - Page 282