Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
RSA Key Manager and Cisco SME

Table Of Contents

RSA Key Manager and Cisco SME

Installing the RKM Application

Generating CA Certificates

Creating JKS Files Using the Java Keytool

Placing Certificates in RKM

Adding the Cisco SME User to RKM

Selecting RKM

Migrating From Cisco KMC to RKM


RSA Key Manager and Cisco SME


This appendix describes the procedures for setting up the RSA Key Manager (RKM) to work with Cisco SME.

To implement a complete working security solution between Cisco KMC and RKM, install and set up the RKM application.

The following applications are required:

Windows W2K, XP, or W2K3 host

Fabric Manager Server, Release 3.2(3)

OpenSSL

Java JDK or JRE

The process of setting up the RKM to work with Cisco SME involves the following tasks:

Installing the RKM Application

Generating CA Certificates

Creating JKS Files Using the Java Keytool

Placing Certificates in RKM

Adding the Cisco SME User to RKM

Selecting RKM

Migrating From Cisco KMC to RKM

After completing these tasks, you will be able to select RSA as the key manager for Cisco SME and then create a cluster.

Installing the RKM Application

To install the RKM application, follow the instructions provided in the RSA Install Guide.

Generating CA Certificates

Generating CA certificates requires access to an OpenSSL system. You can obtain a Windows version at http://gnuwin32.sourceforge.net/packages/openssl.htm.

The files that are created during this process are stored in the /bin directory of the OpenSSL program.

To generate CA certificates, do the following:


Step 1 Double-click openssl.exe in the directory.

Step 2 Create the key using the OpenSSL application. Enter the following command:

OpenSSL> genrsa -out rt.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.++++++
.......++++++
e is 65537 (0x10001)

Step 3 Set how long the certificate will be valid. Keep track of this date.


Note Use a different common name for the client and server certificates.


OpenSSL> req -new -key rt.key -x509 -days 365 -out rt.cert
You are about to be asked to enter information that will be incorporated into your 
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:home
Email Address []:

Step 4 Create the pkcs12 file containing the CA certificate and key (rt.p12). The export password is the password needed by the Cisco SME RSA installation.

OpenSSL> pkcs12 -export -in rt.cert -inkey rt.key -out rt.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

Step 5 Generate a new key for the client.

OpenSSL> genrsa -out client.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..................++++++
....++++++
e is 65537 (0x10001)

Step 6 Create the client.csr file. This is the owner. The common name must be different from the issuer's common name (home).

OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated into your 
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:cae
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 7 Set the duration the certificate will be valid. Keep track of this date.

OpenSSL> x509 -req -days 365 -in client.csr -CA rt.cert -CAkey rt.key -CAcreateserial -out client.cert
Loading 'screen' into random state - done
Signature ok
subject=/C=AU/ST=wi/L=hudson/O=cisco/OU=cae/CN=mikef/emailAddress=mikef@cisco.com
Getting CA Private Key

Step 8 Create the pkcs12 certificate for the client.

OpenSSL> pkcs12 -export -in client.cert -inkey client.key -out client.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

Step 9 Create the new server key and the server.csr file. This is the owner. The common name must be different from the issuer's common name (home).

OpenSSL> genrsa -out server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..++++++
..................++++++
e is 65537 (0x10001)
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 10 Set the duration the certificate will be valid. Keep track of this date.

OpenSSL> x509 -req -days 365 -in server.csr -CA rt.cert -CAkey rt.key -CAcreateserial -out server.cert
Loading 'screen' into random state - done
Signature ok
subject=/C=AU/ST=wi/L=town/O=cisco/OU=tac/CN=bill/emailAddress=bill@cisco.com
Getting CA Private Key

Step 11 Create the pkcs12 file for serverpub. The -nokeys option exports the server certificate without its private key.

OpenSSL> pkcs12 -export -in server.cert -inkey server.key -nokeys -out serverpub.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

Step 12 Create the pkcs12 file for the server, this time including the private key.

OpenSSL> pkcs12 -export -in server.cert -inkey server.key -out server.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>

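The twelve OpenSSL steps above, as an added non-interactive shell script that is not part of the Cisco guide. It creates the same files the guide names (rt.key, rt.cert, rt.p12, client.key, client.csr, client.cert, client.p12, server.key, server.csr, server.cert, serverpub.p12, server.p12) and then checks the properties the procedure depends on: both leaf certificates verify against rt.cert, the three common names are distinct (the guide's requirement), serverpub.p12 holds only the certificate, and server.p12 holds the private key. The subject names, the default export password (changeit), the ca.cnf file it writes, and the output-directory argument are this example's own choices; it also uses 2048-bit RSA keys rather than the guide's 1024-bit ones, since 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): non-interactive version of the
# OpenSSL procedure for the rt (issuer), client and server material.
# Subject names, the export password and the ca.cnf file are placeholders
# chosen for this example.
set -eu

# generate_sme_pki DIR [EXPORT_PASSWORD]
# Builds the issuer (rt), client and server key pairs, signs the client and
# server certificates with the issuer key, and exports the PKCS#12 bundles.
generate_sme_pki() {
    gen_dir="$1"
    gen_pw="${2:-changeit}"      # placeholder export password
    mkdir -p "$gen_dir"
    # Minimal config so the issuer certificate carries CA extensions
    # regardless of what the system openssl.cnf contains.
    cat > "$gen_dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    (
        cd "$gen_dir"
        # Steps 2-4: issuer key, self-signed certificate, rt.p12
        openssl genrsa -out rt.key 2048 2>/dev/null
        openssl req -new -key rt.key -x509 -days 365 -config ca.cnf \
            -subj "/C=AU/O=example/CN=home" -out rt.cert
        openssl pkcs12 -export -in rt.cert -inkey rt.key -out rt.p12 \
            -passout "pass:$gen_pw"
        # Steps 5-8: client key, CSR, issuer-signed certificate, client.p12
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -config ca.cnf \
            -subj "/C=AU/O=example/OU=cae/CN=sme-client" -out client.csr
        openssl x509 -req -days 365 -in client.csr -CA rt.cert -CAkey rt.key \
            -CAcreateserial -out client.cert 2>/dev/null
        openssl pkcs12 -export -in client.cert -inkey client.key \
            -out client.p12 -passout "pass:$gen_pw"
        # Steps 9-12: server key, CSR, certificate, serverpub.p12 (certificate
        # only, -nokeys) and server.p12 (certificate plus private key)
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -config ca.cnf \
            -subj "/C=AU/O=example/OU=tac/CN=rkm-server" -out server.csr
        openssl x509 -req -days 365 -in server.csr -CA rt.cert -CAkey rt.key \
            -CAcreateserial -out server.cert 2>/dev/null
        openssl pkcs12 -export -in server.cert -nokeys -out serverpub.p12 \
            -passout "pass:$gen_pw"
        openssl pkcs12 -export -in server.cert -inkey server.key \
            -out server.p12 -passout "pass:$gen_pw"
    )
}

# cert_cn FILE: print the Common Name of a PEM certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_sme_pki DIR [EXPORT_PASSWORD]
# Returns 0 only if both leaf certificates chain to rt.cert, the three
# common names are distinct, serverpub.p12 carries no private key and
# server.p12 does carry one.
verify_sme_pki() {
    ver_dir="$1"
    ver_pw="${2:-changeit}"
    openssl verify -CAfile "$ver_dir/rt.cert" \
        "$ver_dir/client.cert" "$ver_dir/server.cert" >/dev/null || return 1
    ca_cn=$(cert_cn "$ver_dir/rt.cert")
    cl_cn=$(cert_cn "$ver_dir/client.cert")
    sv_cn=$(cert_cn "$ver_dir/server.cert")
    [ "$ca_cn" != "$cl_cn" ] && [ "$ca_cn" != "$sv_cn" ] && [ "$cl_cn" != "$sv_cn" ] || return 1
    if openssl pkcs12 -in "$ver_dir/serverpub.p12" -passin "pass:$ver_pw" -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"; then
        echo "serverpub.p12 must not contain a private key" >&2
        return 1
    fi
    openssl pkcs12 -in "$ver_dir/server.p12" -passin "pass:$ver_pw" -nodes 2>/dev/null |
        grep -q "PRIVATE KEY" || return 1
    echo "issuer=$ca_cn client=$cl_cn server=$sv_cn: chain and bundles OK"
}

# Usage: sh sme-certs.sh OUTDIR [EXPORT_PASSWORD]
if [ $# -gt 0 ]; then
    generate_sme_pki "$@"
    verify_sme_pki "$@"
fi
```

Run it from a POSIX shell (on Windows, for example under WSL or Git Bash) as sh sme-certs.sh outdir export-password; the export password it sets on the .p12 files is the one the guide says the Cisco SME RSA installation needs, so record it together with the certificate expiry date the guide asks you to track.
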
Creating JKS Files Using the Java Keytool

To create the JKS files needed by the Fabric Manager server using the Java keytool, do the following:


Step 1 Copy client.p12 and serverpub.p12 from the OpenSSL /bin directory to the Fabric Manager Server Java tool directory, C:\Program Files\Java\jre1.5.0_11\bin.

Step 2 From a command prompt (DOS) window in the Java /bin directory, create the JKS files needed by the Cisco SME KMC.

Import the client PKCS12 keystore to JKS:
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore sme_rkm_client.jks -deststoretype JKS

Import the server PKCS12 keystore to JKS:
keytool -importkeystore -srckeystore serverpub.p12 -srcstoretype PKCS12 -destkeystore sme_rkm_trust.jks -deststoretype JKS

Place these keystore files in the mds9000/conf/cert directory and restart the Fabric Manager server.


Placing Certificates in RKM

To place certificates in the RKM, follow these steps:


Step 1 After generating all certificates, copy the rt.p12 file to the C:\rkm-2.1.2-trial\certs\rt directory.

Step 2 Copy the server.p12 file to the C:\rkm-2.1.2-trial\certs\server directory.

Step 3 Restart the RKM.


Adding the Cisco SME User to RKM

To add a Cisco SME user to the RKM, follow these steps:


Step 1 Log in to RKM and click the Identities tab.

Step 2 Click Create to create a new identity.

The Identities-Create screen is displayed.

Step 3 Enter a name for the identity.

Step 4 Select the appropriate Identity Group.

Step 5 Enter an Identity Certificate. This is the client.cert.

Step 6 Click Save to save the new user to the RKM.


Note After completing the above tasks, you can select RSA as the key manager in Cisco SME and create a cluster.



Selecting RKM

Selecting the Key Manager can only be done when a Cisco SME cluster is created, and it cannot be changed unless PostgreSQL is reinstalled. The default is the Cisco Key Manager, so if you want to change the Key Manager to RSA, you must do so when the cluster is created.

To change the Key Manager setting to RSA, follow these steps:


Step 1 Select Key Manager Settings and click RSA. The RSA settings fields are displayed.

Step 2 Enter the RKM server IP address.

Step 3 Enter the RKM ports.

Step 4 Enter the Client Keystore Password. This password is supplied by the security team that generated the certificate for Cisco SME. Retype the password to confirm.

Step 5 Click Submit Settings. A warning is displayed requesting you to confirm the settings. Click OK to use these settings. Click Cancel if you do not want to use the settings.

Once the settings are saved, you cannot change the Key Manager.

The confirmation window displays the RKM server IP address and the RKM port number.


Migrating From Cisco KMC to RKM

You can use RKM at the time of Cisco SME installation, or you can deploy Cisco SME with the integrated Cisco KMC and move to RKM later. If RKM is deployed after Cisco KMC has been used alone, you must perform an explicit key migration procedure before using RKM with Cisco SME.

This section describes the procedure for migrating encryption keys, wrap keys, and encryption policy information from Cisco KMC to RKM.


Note The migration procedure differs depending on whether Cisco KMC uses the PostgreSQL database or the Oracle Express database for the key catalog. These differences are documented wherever applicable.


To migrate keys from the Cisco KMC to RKM, follow these steps:


Step 1 Suspend all backup applications and jobs.

The migration procedure temporarily suspends access to keys, so the execution of backup operations must be suspended until the migration is completed.

Step 2 Back up the key database.

We recommend that you back up the key database before performing the migration. The backup procedure should have been previously tested to help ensure the correct restoration of the keys in case any problems arise during migration.

Step 3 Export all volume group keys in the cluster.

Each volume group export generates a separate password-protected file. These files contain the keys to be imported into RKM.

Step 4 Shut down the Cisco Fabric Manager, which shuts down the Cisco KMC.

This step prevents any key operation from being performed during migration.

Step 5 Run the following database scripts from the database administrative console:

For the key catalog on PostgreSQL, run postgres-kmc-rkm-pre-migrate.sql.

For the key catalog on Oracle Express, run oracle-kmc-rkm-pre-migrate.sql.

These scripts are packaged on the Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1).

Step 6 Install RKM on the system allocated for this purpose.

RKM can be installed and configured separately. Ensure that RKM is ready prior to the start of the migration in order to decrease downtime.

Configure the certificates for RKM and identify the following certificate files:

sme_rkm_client.jks

sme_rkm_trust.jks

Step 7 Copy the two certificate files to the Cisco Fabric Manager Server system.

Copy the two files into the certificate store directory. To view the actual directory, go to the SME tab on the Fabric Manager Web Client and choose Key Manager Settings.


Note The default certificate store (Windows) is at C:\Program Files\Cisco Systems\MDS 9000\conf\cert\.


Step 8 Start Cisco Fabric Manager, which starts Cisco KMC.

Step 9 Go to the SME tab on the Fabric Manager Web Client and choose Key Manager Settings.

Step 10 Select RSA as the key manager and configure the IP address and port for RKM.

Step 11 Go to the Accounting Log and monitor the log messages until "Synchronization Complete for Cluster" is displayed.

Step 12 Create and import all the volume group keys from the password-protected files.

Step 13 Run the following post-migration scripts to delete the keys in the Cisco KMC key database:

For the key catalog previously on PostgreSQL, run postgres-kmc-rkm-post-migrate.sql.

For the key catalog previously on Oracle Express, run oracle-kmc-rkm-post-migrate.sql.

These scripts are packaged on the Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1).

Step 14 Restart any backup applications and jobs that were deactivated or suspended before the migration.



Note In Cisco MDS 9000 SAN-OS Software Releases 3.2(3a) and 3.3(1a), the importing of the volume group leaves all the keys in a deactivated (archived) state, and after the migration, the tapes can be restored but cannot be used for active encryption.



Note In Cisco MDS 9000 NX-OS Software Release 4.1(1c) and later, the keys are restored in the same state (active or deactivated) as before the migration.