Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Using the CLI to Configure Cisco SME

Using the Command Line Interface to Configure SME

This chapter contains information about Cisco Storage Media Encryption basic configuration using the command line interface (CLI). It contains the following sections:

SME Configuration Tasks

Enabling and Disabling SME Clustering

Enabling and Disabling the Cisco SME Service

Creating the SME Interface

Deleting the SME Interface

Creating the SME Cluster

Setting the SME Cluster Security Level

Setting Up the Cisco SME Administrator and Recovery Officer Roles

Adding an SME Interface from a Local or Remote Switch

Configuring Unique or Shared Key Mode

Enabling and Disabling Automatic Volume Groups

Enabling and Disabling Tape Compression

Enabling and Disabling Key-on-Tape

Configuring a Tape Volume Group

Viewing Cisco SME Cluster, Internal, and Transport Information


Caution Before a reboot or before making any changes to the Cisco SME configuration, including adding or deleting SME interfaces, you must enter the copy running-config startup-config CLI command.

SME Configuration Tasks

The process of configuring SME on an MSM-18/4 module or a Cisco MDS 9222i switch involves a number of configuration tasks that must be performed in the order listed.

The configuration tasks included in this process are the following:

1. Enable clustering on the MSM-18/4 module switch.

2. Enable SME on the MSM-18/4 module switch.

3. Add the SME interface to the MSM-18/4 module switch.

4. Add a fabric that includes the MSM-18/4 module switch with the SME interface.

5. Create a cluster.

a. Name the cluster.

b. Select the fabrics that you want to create a cluster from.

c. Select the SME interfaces from the fabrics that you are including in the cluster.

d. Select the master key security level (Basic, Standard, or Advanced).

e. Select the security key (shared or unique) and tape preferences (store the key on tape, automatic volume grouping, and compression).

f. Specify the Key Management Center server and key certificate file.

g. Specify the password to encrypt the master key and download the key file.

Enabling and Disabling SME Clustering

The first step in the process of configuring Cisco SME is to enable clustering.

To enable or disable the SME cluster, follow these steps:

 
Command
Purpose

Step 1 

switch# conf t

switch(config)#

Enters configuration mode.

Step 2 

switch(config)# feature cluster

Enables clustering.

Step 3 

switch(config)# no feature cluster

Disables clustering.

Enabling and Disabling the Cisco SME Service

Cisco SME services must be enabled to take advantage of the SME encryption and security features. After enabling clustering, the second step in the process of configuring Cisco SME is to enable the SME service.

To enable or disable the SME service, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# feature sme

Enables Cisco SME features.

Step 3 

switch(config)# no feature sme

Disables Cisco SME features.

For additional information on clusters, see Chapter 4 "Cisco SME Cluster Management."

Creating the SME Interface

After enabling the cluster and enabling SME, configure the SME interface on the switch.

To configure the SME interface, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# interface sme x/y

Configures the SME interface on slot x, port y where x is the MSM-18/4 module slot and port y is the default SME port. Enters the interface submode.

Step 3 

switch(config-if)# no shutdown

Enables the interface on slot x, port y.

Configure the SME interface on the MSM-18/4 module slot and port 1, for example, interface sme 4/1.

After you configure the SME interface, the show interface command shows the SME interface as down until the interface is added to a cluster.

After configuring the SME interface, a message similar to the following is displayed:

2007 Jun 6 21:34:14 switch %DAEMON-2-SYSTEM_MSG: <<%SME-2-LOG_WARN_SME_LICENSE_GRACE>> No SME Licence. Feature will be shut down after a grace period of approximately 118 days.

Deleting the SME Interface

Before deleting the SME interface, you must remove the switch from the cluster.


Note Deleting an SME interface that is part of a cluster is not allowed. First remove the switch from the cluster by entering the no sme cluster clustername command, and then delete the SME interface.


To delete the SME interface, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# no interface sme x/y

Removes the SME interface from slot x, port y where x is the MSM-18/4 module slot and y is the port number.

Creating the SME Cluster

To create an SME cluster, you identify the fabrics that you want to include in the cluster and you configure the following:

Automatic volume grouping

Key Management Center (KMC)

Target discovery

Tape groups

Key-on-tape mode

Recovery

Shared key mode

Shutdown cluster for recovery

Volume tape groups

Tape compression

To create an SME cluster, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster name and enters SME cluster configuration submode. A cluster name can include a maximum of 32 characters.

Step 3 

switch(config-sme-cl)# fabric f1

Adds fabric f1 to the cluster.

Setting the SME Cluster Security Level

There are three levels of security: Basic, Standard, and Advanced. The Standard and Advanced security levels require smart cards.

Table 7-1 Master Key Security Levels

Security Level
Definition

Basic

The master key is stored in a file and encrypted with a password. To retrieve the master key, you need access to the file and the password.

Standard

Standard security requires one smart card. When you create a cluster and the master key is generated, you are asked for the smart card, and the master key is then written to it. To retrieve the master key, you need the smart card and the smart card PIN.

Advanced

Advanced security requires five smart cards. When you create a cluster and select Advanced security mode, you designate the number of smart cards (two or three of five smart cards or two of three smart cards) that are required to recover the master key when data needs to be retrieved. For example, if you specify two of five smart cards, then you will need two of the five smart cards to recover the master key. Each smart card is owned by a Cisco SME Recovery Officer.


Note The greater the number of required smart cards, the greater the security. However, if smart cards are lost or damaged, fewer smart cards remain available to recover the master key.
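The Advanced level's "two of five smart cards" is a k-of-n threshold scheme: any k of the n Recovery Officers' shares reconstruct the master key, while fewer than k reveal nothing about it. The following is an added illustration, not Cisco's code; this chapter does not state which threshold scheme Cisco SME implements, so Shamir's secret sharing over a prime field is used here as an assumption. The master key in demo() is a constructed random value.

```python
"""k-of-n threshold recovery of a master key, as in the Advanced security level's
"two of five smart cards". Added illustration using Shamir's secret sharing over a
prime field; the chapter does not say which scheme Cisco SME implements, so the
construction here is an assumption, not SME's algorithm."""
import secrets

# Mersenne prime 2^521 - 1: the field is large enough to hold any 256-bit key.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split an integer secret into n shares; any k of them reconstruct it.
    Returns (index, value) pairs; the index plays the role of the
    'Recovery Share Index' that each officer's share would carry."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares.
    With fewer than k distinct shares the result is a field element that
    carries no information about the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse by Fermat's little theorem (PRIME is prime).
        basis = num * pow(den, PRIME - 2, PRIME) % PRIME
        secret = (secret + yi * basis) % PRIME
    return secret


def demo(k=2, n=5):
    """Constructed 32-byte master key; returns (k shares recover it, k-1 shares do not)."""
    master_key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(master_key, k, n)
    # The last k officers present their shares: any k shares suffice.
    recovered = recover_secret(shares[n - k:])
    # Only k-1 shares (one share when k=2) yield a value unrelated to the key.
    partial = recover_secret(shares[:k - 1])
    return recovered == master_key, partial != master_key


if __name__ == "__main__":
    print(demo())
```

The trade-off in the note above is visible in split_secret: raising k makes recovery need more officers present, and losing more than n-k shares makes the key unrecoverable.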



To set the SME cluster security level, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# security-mode basic

Sets the cluster security level to Basic.

Setting Up the Cisco SME Administrator and Recovery Officer Roles

To set up the Cisco SME Administrator, Cisco SME Storage Administrator, Cisco SME KMC Administrator, and Cisco SME Recovery Officer roles, follow this step:

 
Command
Purpose

Step 1 

switch# setup sme

Sets up the four security roles.

Adding an SME Interface from a Local or Remote Switch

Before adding an SME interface to a cluster, be sure that clustering is enabled, Cisco SME is enabled, and the Cisco SME interface has been started (no shutdown) on the switch.

To add an SME interface from a local switch, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# fabric clustername1

Specifies the fabric.

Step 4 

switch(config-sme-cl)# node local

switch(config-sme-cl-node)#

Enters the SME cluster node submode and specifies the local switch.

Step 5 

switch(config-sme-cl-node)# fabric-membership clustername1

Specifies the fabric membership for the cluster.

Step 6 

switch(config-sme-cl-node)# interface sme 4/1 force

Adds the SME interface (4/1) from a local switch in fabric f1.

To add an SME interface from a remote switch, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# fabric clustername1

Specifies the fabric.

Step 4 

switch(config-sme-cl)# node A.B.C.D|X:X::X|DNS name

switch(config-sme-cl-node)#

Enters the SME cluster node submode and specifies a remote switch by IPv4 address (A.B.C.D), IPv6 address (X:X::X), or DNS name.

Step 5 

switch(config-sme-cl-node)# fabric-membership clustername1

Specifies the fabric membership for the cluster.

Step 6 

switch(config-sme-cl-node)# interface sme 3/1 force

Adds the SME interface (3/1) from a remote switch in fabric f2.

Configuring Unique or Shared Key Mode

Shared key mode is used to generate a single key that is used for a group of backup tapes.

Unique key mode is used to generate unique or specific keys for each tape cartridge.

To configure the shared key or unique key mode, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# shared-key mode

switch(config-sme-cl)#

Specifies shared key mode.

Step 4 

switch(config-sme-cl)# no shared-key mode

switch(config-sme-cl)#

Specifies unique key mode.


Note Configure the Cisco KMC before configuring the key mode. See the "Cisco Key Management Center" section.


Enabling and Disabling Automatic Volume Groups

When automatic volume grouping is enabled and SME recognizes that a tape barcode does not belong to an existing volume group, SME creates a new volume group.

Automatic volume grouping is disabled by default.

To enable or disable automatic volume grouping, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# auto-volgrp

switch(config-sme-cl)#

Specifies automatic volume grouping.

Step 4 

switch(config-sme-cl)# no auto-volgrp

switch(config-sme-cl)#

Specifies no automatic volume grouping.

Enabling and Disabling Tape Compression

To enable or disable tape compression, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# tape-compression

switch(config-sme-cl)#

Enables tape compression.

Step 4 

switch(config-sme-cl)# no tape-compression

switch(config-sme-cl)#

Disables tape compression.

Enabling and Disabling Key-on-Tape

Cisco SME provides the option to store the encrypted security keys on the backup tapes.

To enable or disable the key-on-tape feature, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# key-ontape

switch(config-sme-cl)#

Enables the key-on-tape feature.

Step 4 

switch(config-sme-cl)# no key-ontape

switch(config-sme-cl)#

Disables the key-on-tape feature.

Configuring a Tape Volume Group

A tape volume group is a group of tapes that are usually categorized by function. For example, HR1 could be the designated tape volume group for all Human Resources backup tapes, and EM1 could be the designated tape volume group for all e-mail backup tapes.

Adding tape groups allows you to select the VSANs, hosts, storage devices, and paths that SME will use for encrypted data. For example, adding a tape group for HR data sets the mapping for SME to transfer data from the HR hosts to the dedicated HR backup tapes.

To configure a tape volume group, follow these steps:

 
Command
Purpose

Step 1 

switch# config t

Enters configuration mode.

Step 2 

switch(config)# sme cluster clustername1

switch(config-sme-cl)#

Specifies the cluster and enters SME cluster configuration submode.

Step 3 

switch(config-sme-cl)# tape-bkgrp groupname1

switch(config-sme-cl-tape-bkgrp)#

Specifies the tape volume group and enters the SME tape volume group submode.

Step 4 

switch(config-sme-cl-tape-bkgrp)# tape-device devicename1

switch(config-sme-cl-tape-bkgrp-tapedevice)#

Specifies the tape device name and enters the SME tape device submode.

Step 5 

switch(config-sme-cl-tape-bkgrp-tapedevice)# tape-device devicename1 D

switch(config-sme-cl-tape-bkgrp-tapedevice)#

Specifies the tape cartridge identifier.

Step 6 

switch(config-sme-cl-tape-bkgrp-tapedevice)# host 10:00:00:00:c9:4e:19:ed target 2f:ff:00:06:2b:10:c2:e2 vsan 4093 lun 0 fabric f1

switch(config-sme-cl-tape-bkgrp-tapedevice)#

Specifies the host and target, the VSAN, LUN and the fabric (f1) for the tape volume group.

Step 7 

switch(config-sme-cl-tape-bkgrp-tapedevice)# enable

Enables the tape device.

Viewing Cisco SME Cluster, Internal, and Transport Information

To verify Cisco SME cluster configurations, you can use the show sme command to view a specific cluster configuration, internal information, and transport information.

A sample output of the show sme cluster command follows:

switch# show sme cluster clustername1 
SME Cluster is clustername1 
  Cluster ID is 2e:00:00:05:30:01:ad:f4 
  Cluster is Operational 
  Cluster is Not Shutdown 
  Cluster config version is 27 
  Security mode is basic 
  Cluster status is online 
  Total Nodes are 1 
  Recovery Scheme is 1 out of 1 
  Fabric[0] is f1 
  CKMC server has not been provisioned 
  Master Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0 
  Shared Key Mode is Enabled
  Auto Vol Group is Not Enabled
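The output above can be checked mechanically rather than by eye. The following is an added example, not Cisco code: it parses the sample show sme cluster output reproduced in this chapter and returns review findings. The expectations it applies (a security mode other than Basic, a recovery scheme that needs more than one share, a provisioned KMC server, unique rather than shared keys) are this example's own assumptions about what a reviewer would want to see, not Cisco requirements.

```python
"""Parse 'show sme cluster <name>' output and flag settings a reviewer would
question. Added example; the sample is the output shown in this chapter, and the
expectations encoded in audit() are this example's assumptions, not Cisco's."""
import re

# Constructed from the show sme cluster output reproduced in this chapter.
SAMPLE_SHOW_SME_CLUSTER = """\
switch# show sme cluster clustername1
SME Cluster is clustername1
  Cluster ID is 2e:00:00:05:30:01:ad:f4
  Cluster is Operational
  Cluster is Not Shutdown
  Cluster config version is 27
  Security mode is basic
  Cluster status is online
  Total Nodes are 1
  Recovery Scheme is 1 out of 1
  Fabric[0] is f1
  CKMC server has not been provisioned
  Master Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0
  Shared Key Mode is Enabled
  Auto Vol Group is Not Enabled
"""

# (key, regex, converter) for each single-valued line of interest.
_FIELDS = [
    ("name", r"SME Cluster is (\S+)", str),
    ("cluster_id", r"Cluster ID is (\S+)", str),
    ("security_mode", r"Security mode is (\w+)", str.lower),
    ("status", r"Cluster status is (\w+)", str.lower),
    ("nodes", r"Total Nodes are (\d+)", int),
    ("shared_key_mode", r"Shared Key Mode is (.+)", lambda s: s.strip() == "Enabled"),
    ("auto_volgrp", r"Auto Vol Group is (.+)", lambda s: s.strip() == "Enabled"),
    ("master_key_guid", r"Master Key GUID is (\S+), Version", str),
]


def parse_show_sme_cluster(text):
    """Return a dict of the fields a reviewer cares about."""
    info = {"fabrics": [], "kmc_provisioned": None, "operational": False}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern, conv in _FIELDS:
            m = re.match(pattern, line)
            if m:
                info[key] = conv(m.group(1))
        m = re.match(r"Recovery Scheme is (\d+) out of (\d+)", line)
        if m:
            info["recovery_k"], info["recovery_n"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"Fabric\[\d+\] is (\S+)", line)
        if m:
            info["fabrics"].append(m.group(1))
        if line.startswith("CKMC server"):
            # The chapter shows only the unprovisioned wording; anything else is taken as provisioned.
            info["kmc_provisioned"] = "not been provisioned" not in line
        if line == "Cluster is Operational":
            info["operational"] = True
    return info


def audit(info, min_recovery_k=2):
    """Return finding strings, each 'CODE: reason', for the parsed cluster."""
    findings = []
    if info.get("security_mode") == "basic":
        findings.append("BASIC_SECURITY_MODE: master key kept in a password-encrypted file, no smart cards")
    if info.get("recovery_k", 0) < min_recovery_k:
        findings.append("SINGLE_SHARE_RECOVERY: recovery scheme is %s out of %s"
                        % (info.get("recovery_k"), info.get("recovery_n")))
    if not info.get("kmc_provisioned"):
        findings.append("KMC_NOT_PROVISIONED: no Key Management Center server configured")
    if info.get("shared_key_mode"):
        findings.append("SHARED_KEY_MODE: one key is used for a whole group of tapes")
    if not info.get("operational") or info.get("status") != "online":
        findings.append("CLUSTER_NOT_ONLINE: cluster is not operational and online")
    return findings


def finding_codes(text):
    """Parse, audit, and return just the finding codes."""
    return [f.split(":")[0] for f in audit(parse_show_sme_cluster(text))]


if __name__ == "__main__":
    for finding in audit(parse_show_sme_cluster(SAMPLE_SHOW_SME_CLUSTER)):
        print(finding)
```

Run against the sample above, the script reports the Basic security mode, the 1-out-of-1 recovery scheme, the unprovisioned KMC server, and shared key mode, which is exactly the set of items the earlier sections of this chapter let you change.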

Viewing Cisco SME Cluster Details

Additional cluster information can be displayed with the show sme cluster command. Use this command to show the following:

Cisco SME cluster details

Cisco SME cluster interface information

Hosts and targets in the cluster

Cisco SME cluster key database

Cluster node

Cisco SME cluster Recovery Officer information

Summary of the Cisco SME cluster information

Tapes in a cluster

Tape volume group information

Cisco SME role configuration

Sample outputs of the show sme cluster command follow:

switch# show sme cluster clustername1 ?
  detail      Show sme cluster detail
  interface   Show sme cluster interface
  it-nexus    Show it-nexuses in the cluster
  key         Show sme cluster key database
  node        Show sme cluster node
  recovery    Show sme cluster recovery officer information
  summary     Show sme cluster summary
  tape        Show tapes in the cluster
  tape-bkgrp  Show crypto tape backup group information
  |           Output modifiers.
  >           Output Redirection.
  <cr>        Carriage return.

switch# show sme cluster clustername1 interface
Interface sme4/1 belongs to local switch 
  Status is up 
switch# show sme cluster clustername1 interface it-nexus 
-------------------------------------------------------------------------------
    Host WWN                 VSAN    Status    Switch        Interface
    Target WWN
-------------------------------------------------------------------------------
10:00:00:00:c9:4e:19:ed,
2f:ff:00:06:2b:10:c2:e2      4093     online    switch     sme4/1

Viewing Cluster Key Information

Use the show sme cluster key command to view information about the cluster key database.

A sample output of the show sme cluster key command follows:

switch# show sme cluster clustername1 key database 
Key Type is tape volumegroup shared key 
  GUID is 3b6295e111de8a93-e3f9-e4ae372b1626 
    Cluster is clustername1, Tape backup group is HR1 
    Tape volumegroup is Default

Key Type is tape volumegroup wrap key 
  GUID is 3e9ef70e0185bb3c-ad12-c4e489069634 
    Cluster is clustername1, Tape backup group is HR1 
    Tape volumegroup is Default

Key Type is master key 
  GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e 
    Cluster is clustername1, Master Key Version is 0

Viewing Cluster Node Information

Use the show sme cluster node command to view information about a local or remote switch.

A sample output of the show sme cluster node command follows:

switch# show sme cluster clustername1 node 
Node switch is local switch 
  Node ID is 1 
  Status is online 
  Node is the master switch
  Fabric is f1 

Viewing Recovery Officer Information

You can view information about a specific Recovery Officer or about all Recovery Officers for a specific cluster. A sample output follows:

switch# show sme cluster clustername1 recovery officer 
Recovery Officer 1 is set 
  Master Key Version is 0
  Recovery Share Version is 0
  Recovery Share Index is 1
  Recovery Scheme is 1 out of 1 
  Recovery Officer Label is 
  Recovery share protected by a password

Key Type is master key share 
    Cluster is clustername1, Master Key Version is 0 
    Recovery Share Version is 0, Share Index is 1 
switch# show sme cluster clustername1 summary 
-------------------------------------------------------------------------------
Cluster          ID                       Security Mode    Status               
-------------------------------------------------------------------------------
clustername1     2e:00:00:05:30:01:ad:f4  basic            online               

Viewing Tape Information

Use the show sme cluster tape command to view summary or detailed information about tapes.

switch# show sme cluster clustername1 tape summary 
-------------------------------------------------------------------------------
Host WWN                 Description         Crypto-Tape        Status
                                             Backup Group
-------------------------------------------------------------------------------
10:00:00:00:c9:4e:19:ed  HP Ultrium 2-SCSI   HR1                online

Viewing Tape Cartridge Information

Use the show sme cluster tape detail command to view information about tape cartridges.

switch# show sme cluster clustername1 tape detail 
Tape 1 is online
    Is a Tape Drive
    HP Ultrium 2-SCSI
    Serial Number is 2b10c2e22f
    Is a member of HR1
    Paths
      Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 LUN 0x0000

Viewing Tape Volume Group Information

Use the show sme cluster tape-bkgrp command to view information about all tape volume groups or about a specific group.

switch# show sme cluster clustername1 tape-bkgrp 
-------------------------------------------------------------------------------
Name          Tape Devices      Volume Groups
-------------------------------------------------------------------------------
HR1          1                 1

switch# show sme cluster clustername1 tape-bkgrp HR1 
Tape Backupgroup HR1
  Compression is Disabled
  Number of tape devices is 1
  Number of volume groups is 1

  Tape device td1 is online
    Is a tape drive
    Description is HP Ultrium 2-SCSI
    Serial number is 2b10c2e22f
    Paths
      Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 Lun 0x0000 vsan 4093[f1]

Viewing Cisco SME Role Configurations

Use the setup sme command to set up the four roles for Cisco SME, and then use the show role command to view the various Cisco SME role configurations.

switch(config)# setup sme
Set up four roles necessary for SME, sme-admin, sme-stg-admin, sme-kmc-admin and 
sme-recovery? (yes/no) [no] yes
If CFS is enabled, please commit the roles so that they can be available. 
SME setup done.

switch# show role 
Role: sme-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature         
  -------------------------------------------------
  1       permit  show            sme             
  2       permit  config          sme             
  3       permit  debug           sme             
 
Role: sme-stg-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature         
  -------------------------------------------------
  1       permit  show            sme-stg-admin   
  2       permit  config          sme-stg-admin   
  3       permit  debug           sme-stg-admin

Role: sme-kmc-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature         
  -------------------------------------------------
  1       permit  show            sme-kmc-admin   
  2       permit  config          sme-kmc-admin   
  3       permit  debug           sme-kmc-admin   
 
Role: sme-recovery
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature         
  -------------------------------------------------
  1       permit  config          sme-recovery-officer
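The four roles above are the least-privilege boundary between SME administration, storage administration, KMC administration and key recovery, so drift in their rules (an extra permit on a role, or a role missing after a CFS commit) is worth detecting. The following is an added example, not Cisco tooling: it parses show role output and compares each SME role's rule set with the rule sets that the setup sme output in this chapter produces. The sample text is constructed from the show role output above, and a tampered copy in the usage shows how a deviation is reported.

```python
"""Parse 'show role' output and check the four SME roles against the rule sets
that setup sme creates, as shown in this chapter. Added example, not Cisco
tooling; the expected rule sets are copied from the show role output above."""
import re

# Constructed from the show role output reproduced in this chapter.
SAMPLE_SHOW_ROLE = """\
switch# show role
Role: sme-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  show            sme
  2       permit  config          sme
  3       permit  debug           sme

Role: sme-stg-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  show            sme-stg-admin
  2       permit  config          sme-stg-admin
  3       permit  debug           sme-stg-admin

Role: sme-kmc-admin
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  show            sme-kmc-admin
  2       permit  config          sme-kmc-admin
  3       permit  debug           sme-kmc-admin

Role: sme-recovery
  Description: new role
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  config          sme-recovery-officer
"""

# Expected (type, command-type, feature) rules per role, as produced by setup sme in this chapter.
EXPECTED_SME_ROLES = {
    "sme-admin": {("permit", "show", "sme"), ("permit", "config", "sme"), ("permit", "debug", "sme")},
    "sme-stg-admin": {("permit", "show", "sme-stg-admin"), ("permit", "config", "sme-stg-admin"),
                      ("permit", "debug", "sme-stg-admin")},
    "sme-kmc-admin": {("permit", "show", "sme-kmc-admin"), ("permit", "config", "sme-kmc-admin"),
                      ("permit", "debug", "sme-kmc-admin")},
    "sme-recovery": {("permit", "config", "sme-recovery-officer")},
}

# A rule row: number, permit/deny, command type, feature.
_RULE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s*$")


def parse_show_role(text):
    """Return {role_name: set of (type, command_type, feature)} for every role in the output."""
    roles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Role:\s+(\S+)", line)
        if m:
            current = m.group(1)
            roles[current] = set()
            continue
        m = _RULE.match(line)
        if m and current is not None:
            roles[current].add((m.group(2), m.group(3), m.group(4)))
    return roles


def check_sme_roles(roles, expected=EXPECTED_SME_ROLES):
    """Return {role: {"missing": set, "extra": set}} for roles that deviate from
    expected; a role absent from the output is reported with all rules missing."""
    deviations = {}
    for role, want in expected.items():
        have = roles.get(role, set())
        missing, extra = want - have, have - want
        if missing or extra:
            deviations[role] = {"missing": missing, "extra": extra}
    return deviations


if __name__ == "__main__":
    print(check_sme_roles(parse_show_role(SAMPLE_SHOW_ROLE)))  # {} for the chapter's output
    # Constructed drift: an added 'permit config sme' rule on sme-recovery.
    tampered = SAMPLE_SHOW_ROLE + "  2       permit  config          sme\n"
    print(check_sme_roles(parse_show_role(tampered)))
```

The comparison is set-based, so rule numbering and ordering do not matter; only the presence of unexpected or missing (type, command-type, feature) triples is reported.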