Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Cisco SME Getting Started

Getting Started

Table Of Contents

Getting Started

Cisco SME Installation Requirements

Cisco MDS 9000 Fabric Manager

Command Line Interface

Required Preconfiguration Tasks

Enabling Clustering

Enabling Clustering Using Fabric Manager

Enabling Clustering Using Device Manager

Enabling Cisco SME

Enabling Cisco SME Using Fabric Manager

Enabling Cisco SME Using Device Manager

Enabling DNS

sme.useIP for IP Address or Name Selection

IP Access Lists for the Management Interface

Creating and Assigning Cisco SME Roles and Cisco SME Users

Configuring the AAA Roles

Creating and Assigning Cisco SME Roles Using Fabric Manager

Creating and Assigning Cisco SME Roles Using the CLI

Installing Fabric Manager, Fabric Manager Client, and Enabling HTTPS

Adding a Fabric and Changing the Fabric Name

Choosing a Key Manager

Using FC-Redirect with CFS Regions

Guidelines for Designing CFS Regions For FC-Redirect

Installing Smart Card Drivers

Obtaining and Installing Licenses

Cisco SME Configuration Process

Initial Cisco SME Configuration

Saving Cisco SME Cluster Configurations

Cisco SME Configuration Restrictions

FICON Restriction

iSCSI Restriction

FCIP Restriction

Cisco SME Configuration Limits


Getting Started


This chapter includes information about Cisco SME installation and the preliminary tasks that you must complete before configuring Cisco SME. It includes the following sections:

Cisco SME Installation Requirements

Required Preconfiguration Tasks

Cisco SME Configuration Process

Cisco SME Configuration Restrictions

Cisco SME Installation Requirements

Cisco SME has the following installation requirements:

Cisco MDS SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x must be installed on the Cisco MDS 9222i switch or the Cisco MDS 9000 Family switch with an MSM-18/4 module.

Cisco Fabric Manager Server must be installed on a computer that you want to use to provide centralized MDS management services and performance monitoring. The Cisco Key Management Center (Cisco KMC) is on this server.


Note Although you need to install Fabric Manager Server, you do not need a Fabric Manager Server license to use Cisco SME. Additional Fabric Manager Server capabilities are not enabled by default with Cisco SME, so there is no free performance monitoring or other functionality.


Fabric Manager Web Client can be used to configure and manage Cisco SME using a web browser.

Cisco Fabric Manager is installed using the Fabric Manager Installation CD-ROM included with your switch, or you can download Fabric Manager. For information on installing Fabric Manager, and on installing Cisco MDS SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x, see the Cisco Fabric Manager Fundamentals Configuration Guide.

You can use one of two configuration management tools to configure Cisco Storage Media Encryption.

Cisco MDS 9000 Fabric Manager

Command Line Interface

Cisco MDS 9000 Fabric Manager

The Cisco Fabric Manager is a set of network management tools that supports Secure Simple Network Management Protocol version 3 (SNMPv3). The Cisco Fabric Manager includes the following applications:

Fabric Manager Web Client—Provides a graphical user interface (GUI) that displays real-time views of your network fabric, and lets you manage the configuration of Cisco MDS 9000 Family devices and third-party switches.


Note Cisco SME configuration is supported in Fabric Manager Web Client only.


Fabric Manager Server—Must be started before running the Fabric Manager Client. It can be accessed by up to 16 Fabric Manager Clients at a time.

Device Manager—Provides two views of a switch.

Device View displays a continuously updated physical representation of the switch configuration, and provides access to statistics and configuration information for a single switch.

Summary View displays real-time performance statistics of all active interfaces and channels on the switch for Fibre Channel and IP connections.


Note During the Fabric Manager installation, the use_ip flag in the smeserver.properties file is set to FALSE by default. If you choose to use IP addresses, the DNS server should not be configured on any switch in the fabric and the use_ip flag in the smeserver.properties file must be set to TRUE.


The Cisco Fabric Manager applications are an alternative to the CLI for most switch configuration commands.

For more information on configuring the Cisco MDS switch using Fabric Manager, refer to the Cisco Fabric Manager Fundamentals Configuration Guide.

Command Line Interface

With the CLI, you can type commands at the switch prompt, and the commands are executed when you press the Enter key. The CLI parser provides command help, command completion, and keyboard sequences that allow you to access previously executed commands from the buffer history.

For more information on configuring the Cisco MDS switch using the CLI, refer to the "Related Documentation" section.

Required Preconfiguration Tasks

This section describes the required tasks that must be completed before you configure Cisco SME. It includes the following:

Enabling Clustering

Enabling Cisco SME

Enabling DNS

Creating and Assigning Cisco SME Roles and Cisco SME Users

Installing Fabric Manager, Fabric Manager Client, and Enabling HTTPS

Adding a Fabric and Changing the Fabric Name

Choosing a Key Manager

Using FC-Redirect with CFS Regions

Installing Smart Card Drivers

Obtaining and Installing Licenses

Cisco SME Configuration Process

Before configuring Cisco SME, you must explicitly enable clustering, Cisco SME, SSH, and DNS on the MDS switch with an installed MSM-18/4 module or on the MDS 9222i switch. By default, these are disabled. The configuration and verification operations for Cisco SME are only available when these are enabled on a switch.

Enabling Clustering

You can enable clustering on the Cisco MDS 9000 switch with an installed MSM-18/4 module using Fabric Manager and Device Manager 3.2(2c) or later, or Cisco NX-OS 4.x.


Note Be sure to enable clustering first, and then enable Cisco SME.


This section includes the following topics:

Enabling Clustering Using Fabric Manager

Enabling Clustering Using Device Manager

Enabling Clustering Using Fabric Manager

To enable clustering using Fabric Manager, follow these steps:


Step 1 In the Physical Attributes pane, select End Devices > SME Clusters.

Step 2 From the Control tab in the information pane, locate the switch.

Step 3 From the drop-down menu in the Command column, select enable. The default is noSelection.


Note You can select enable on multiple switches, and then click Apply.


Step 4 Click Apply.


Enabling Clustering Using Device Manager

To enable clustering using Device Manager, follow these steps for a specific switch:


Step 1 From the Admin menu in the device screen, select Feature Control.

Step 2 Select cluster.

Step 3 From the Action column drop-down menu, select enable.

Step 4 Click Apply.


Enabling Cisco SME

You can enable Cisco SME using Fabric Manager or Device Manager.


Note Be sure to enable clustering first, and then enable Cisco SME.


This section includes the following topics:

Enabling Cisco SME Using Fabric Manager

Enabling Cisco SME Using Device Manager

Enabling Cisco SME Using Fabric Manager

To enable Cisco SME using Fabric Manager, follow these steps:


Step 1 In the Physical Attributes pane, select End Devices > SME Clusters.

Step 2 From the Control tab in the information pane, locate the switch.

Step 3 From the drop-down menu in the Command column, select enable. The default is noSelection.


Note You can select enable on multiple switches, and then click Apply.


Step 4 Click Apply.


Enabling Cisco SME Using Device Manager

To enable Cisco SME using Device Manager, do the following for a specific device:


Step 1 From the Admin menu in the device screen, select Feature Control.

Step 2 Select sme.

Step 3 From the Action column drop-down menu, select enable.

Step 4 Click Apply.


Enabling DNS

DNS offers services to map a host name to an IP address in the network through a DNS server. When you configure DNS on the switch, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, upload, and download.

You must decide to use DNS completely or to use IP addresses fully in your fabric. A combination of these will not work with the Cisco SME feature.

If you chose to use DNS, the following requirements apply:

All switches should be configured using DNS.

The domain-name (or the domain list), and the IP name server must be configured to reach remote switches.

The DNS server should be configured on the Fabric Manager server.

If you choose to use IP addresses, the DNS server should not be configured on any switch in the fabric and the use_ip flag in the smeserver.properties must be set to TRUE.

For information on configuring DNS, refer to the Cisco Fabric Manager IP Services Configuration Guide and the Cisco MDS 9000 Family NX-OS IP Services Configuration Guide.

To verify that DNS is enabled everywhere in the cluster, ping between the Fabric Manager server and the MDS switches and also between the MDS switches with DNS names.
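The all-DNS-or-all-IP rule above is easy to violate in a multi-switch fabric, so it is worth checking before the cluster is created. The following is an added example, not Cisco code and not part of this guide: it assumes the smeserver.properties key is spelled use_ip as the text names it, and substitutes a constructed host table for real DNS so it runs offline.

```python
"""Preflight check for the Cisco SME DNS-or-IP rule (added example, not Cisco code).

Every Fabric Manager server and switch entry must be a DNS name that resolves
(use_ip=FALSE), or every entry must be an IP address (use_ip=TRUE); a mixture
is reported as a problem.  Assumption: the properties key is spelled use_ip.
All sample values in this file are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_ip_literal(entry: str) -> bool:
    """True for an IPv4/IPv6 address literal, False for a host name."""
    try:
        ipaddress.ip_address(entry)
    except ValueError:
        return False
    return True


def check_name_mode(
    props: Dict[str, str],
    entries: List[str],
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> List[str]:
    """Return the list of rule violations; an empty list means the fabric is consistent."""
    use_ip = props.get("use_ip", "FALSE").strip().upper() == "TRUE"
    names = [e for e in entries if not is_ip_literal(e)]
    ips = [e for e in entries if is_ip_literal(e)]
    problems: List[str] = []
    if names and ips:
        problems.append(
            f"mixed addressing (names={names}, ips={ips}); "
            "Cisco SME needs all DNS names or all IP addresses"
        )
    if use_ip:
        # IP mode: DNS is not configured anywhere, so every entry must be a literal.
        problems.extend(f"{n}: use_ip=TRUE but entry is a host name" for n in names)
    else:
        # DNS mode: every entry must be a name the configured name server resolves.
        problems.extend(f"{ip}: use_ip=FALSE but entry is an IP address" for ip in ips)
        for name in names:
            try:
                resolve(name)
            except OSError:
                problems.append(f"{name}: does not resolve; check domain name and name server")
    return problems


# Constructed sample data standing in for a real smeserver.properties and fabric.
SAMPLE_PROPERTIES = "# constructed sample\nuse_ip=FALSE\n"
SAMPLE_HOSTS = {
    "fm-server.example.com": "10.0.0.5",
    "mds-9222i-a.example.com": "10.0.0.11",
    "mds-9222i-b.example.com": "10.0.0.12",
}


def sample_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname backed by the constructed table."""
    if name in SAMPLE_HOSTS:
        return SAMPLE_HOSTS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    consistent = list(SAMPLE_HOSTS)
    mixed = ["fm-server.example.com", "10.0.0.11", "mds-9222i-c.example.com"]
    for label, entries in (("consistent", consistent), ("mixed", mixed)):
        for line in check_name_mode(props, entries, resolve=sample_resolve) or ["OK"]:
            print(f"{label}: {line}")
```

Run it with the real resolver (omit the resolve argument) from the Fabric Manager server to exercise the same name server the SME cluster will use.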

sme.useIP for IP Address or Name Selection

If you do not have DNS configured on all switches in the cluster, you can use sme.useIP. For information about sme.useIP, see Chapter 9, "Cisco SME Troubleshooting."

IP Access Lists for the Management Interface

Cluster communication requires the use of the management interface. IP ACL configurations must allow UDP and TCP traffic on ports 9333, 9334, 9335, and 9336.

Creating and Assigning Cisco SME Roles and Cisco SME Users

The Cisco SME feature provides two primary roles: Cisco SME Administrator and the Cisco SME Recovery Officer. The Cisco SME Administrator role also includes the Cisco SME Storage Administrator and Cisco SME KMC Administrator roles. By default, Cisco SME assigns both the Cisco SME Administrator and the Cisco SME Recovery Officer to the same user. This assignment works well for small scale deployments of Cisco SME.


Note For Basic and Standard security modes, one user should hold both the Cisco SME Administrator and the Cisco SME Recovery Officer roles.



Note Cisco SME is configured from the FM web client. Internally, the actual switch operations are executed on behalf of the user that is logged into the web client and not the user monitoring the fabrics. Therefore, in a multi-fabric configuration the SME administrators must have the same username and password across all the fabrics to perform the SME operations.


Table 2-1 shows a description of the Cisco SME roles and the number of users that should be considered for each role.

Table 2-1 Cisco SME Roles and Responsibilities

Cisco SME Administrator
Master key security mode: Basic mode, Standard mode
Required number of users for this role: One user should hold the Cisco SME Administrator and the Cisco SME Recovery Officer roles. One per VSAN is the minimum for day-to-day operations; must have access to all VSANs (if there are many VSANs and multiple VSAN administrators are assigned, there may be one Cisco SME Administrator per VSAN for key recovery operations).
Operations this role is responsible for: Cisco SME management; tape management; export/import tape volume groups

Cisco SME KMC Administrator
Master key security mode: Basic mode, Standard mode
Required number of users for this role: The number of users is the same as for the Cisco SME Administrator role.
Operations this role is responsible for: Key management operations; archive/purge volumes; add/remove volume groups; import/export volume groups; rekey/replace smart cards

Cisco SME Storage Administrator
Master key security mode: Basic mode, Standard mode
Required number of users for this role: The number of users is the same as for the Cisco SME Administrator role.
Operations this role is responsible for: Cisco SME provisioning operations; create/update/delete cluster; create/update/delete tape backup groups; add/remove tape devices; create volume groups; view smart cards

Cisco SME Recovery Officer
Master key security mode: Advanced mode
Required number of users for this role: Five users (one for each smart card). Each smart card holder must be present during the cluster creation to provide the user login and password information and smart card PIN.
Operations this role is responsible for: Master key recovery; replace smart card



Configuring the AAA Roles

For information on configuring the AAA roles for the Cisco SME Administrator and the Cisco SME Recovery Officer, refer to the Cisco MDS 9000 Family NX-OS Security Configuration Guide and the Cisco Fabric Manager Security Configuration Guide.

Creating and Assigning Cisco SME Roles Using Fabric Manager

For detailed information on creating and assigning roles, refer to the Cisco Fabric Manager Security Configuration Guide and the Cisco MDS 9000 Family NX-OS Security Configuration Guide.


Note Cisco SME role names must begin with "sme." For example, valid role names could be sme-admin, sme-recovery, or sme-admin-vsan1.


You need to create a Cisco SME role and then assign users to the Cisco SME role. To create a Cisco SME role, follow these steps:


Step 1 Click the Admin tab and select Configure > Local Database.

Step 2 Click the Add button.

Step 3 Type in the user name and password.

Step 4 From the role drop-down menu, select either sme-admin, sme-kmc-admin, sme-stg-admin, or sme-recovery.

Step 5 Click Add.


Creating and Assigning Cisco SME Roles Using the CLI

For detailed information on creating and assigning roles, refer to the Cisco Fabric Manager Security Configuration Guide and the Cisco MDS 9000 Family NX-OS Security Configuration Guide.

To create a Cisco SME role or to modify the profile for an existing Cisco SME role, follow these steps:

Step 1
Command: switch# config t
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# role name sme-admin
Prompt: switch(config-role)#
Purpose: Places you in the mode for the specified role (sme-admin).
Note: The role submode prompt indicates that you are now in the role submode. This submode is now specific to Cisco SME.

Step 3
Command: switch(config)# no role name sme-admin
Purpose: Deletes the role called sme-admin.

Step 4
Command: switch(config-role)# rule 1 permit read-write feature sme-stg-admin
Purpose: Allows you to add Cisco SME configuration commands.

Step 5
Command: switch(config-role)# rule 2 permit read feature sme-stg-admin
Purpose: Allows you to add Cisco SME show commands.

Step 6
Command: switch(config-role)# rule 3 permit debug feature sme
Purpose: Allows you to add Cisco SME debug commands to the sme-admin role.

Step 7
Command: switch(config-role)# description SME Admins
Purpose: Assigns a description to the new role. The description is limited to one line and can contain spaces.

Step 8
Command: switch(config)# username usam role sme-admin
Purpose: Adds the specified user (usam) to the sme-admin role.


Note Only users belonging to the network-admin role can create roles.



Note The four security roles required by Cisco SME can be implicitly created by using the setup sme command. For VSAN-based access control, you must create the custom roles.


Installing Fabric Manager, Fabric Manager Client, and Enabling HTTPS

To be able to manage Cisco SME, you need to install Fabric Manager Server Enterprise edition. For information on installing Cisco Fabric Manager, refer to the installation chapters of the Cisco Fabric Manager Fundamentals Configuration Guide and .


Note To configure Cisco SME, the Fabric Manager user credentials must be the same as the switch user.



Note To configure Cisco SME in a dual fabric environment, all the switches in the cluster should have the same credentials for SME user.


Cisco SME requires the HTTPS protocol on the Cisco MDS 9000 switch with an MSM-18/4 module installed. You must enable HTTPS during the Fabric Manager installation. To enable HTTPS, refer to the installation information in the Cisco Fabric Manager Fundamentals Configuration Guide.

Adding a Fabric and Changing the Fabric Name

You need to add the fabric that includes the Cisco MDS switch with the MSM-18/4 module installed. You also can add a fabric that includes an MDS 9222i switch.


Note Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x supports one cluster per switch. You will want to consider this during your planning.


To add a fabric using Fabric Manager Web Server, follow these steps:


Step 1 Log in to Fabric Manager Web Client.

Step 2 Click the Admin tab.

Step 3 Click Configure.

Step 4 Click Add.

The Add Fabric seed switch screen displays fields to log in to the fabric seed switch.

Step 5 Enter the fabric seed switch name or IP address and enter the community.

Step 6 Click Add.


Note It takes a few minutes after you click Add to connect to the seed switch.


A notification window indicates that monitoring has started and that the fabric will be available after discovery is complete.

Step 7 Click OK to return to the main screen.


Note The fabric name is identified as the fabric plus the switch name. You need to manually change the fabric name so that if you reopen the fabric with a different seed switch, the fabric name will remain the same. If you do not manually change the fabric name and you reopen the fabric with a different seed switch, the fabric may be renamed to show the new switch name. Choose a unique name that is easily identifiable.


Step 8 Select the fabric and click Edit.

Step 9 Enter a unique fabric name, user name, and password.

Step 10 Select Manage Continuously and click Modify.


Note Cisco SME requires that you select Manage Continuously to receive continuous updates from the switches.


Step 11 Click Close to return to the main screen and view the new fabric name.


Choosing a Key Manager

Before configuring Cisco SME, you need to choose a key manager. To use an installation as a key manager, you should configure the settings for the key manager.

To choose a key manager using Fabric Manager, follow these steps:


Step 1 Log in to Fabric Manager Web Client.

Step 2 Click the SME tab and select the Key Manager Settings. The Key Manager Settings window displays.


Note If you try to select SME before choosing a key manager, Fabric Manager redirects you to the Key Manager Settings screen so that a key manager can be selected.


Step 3 Choose any of the available three options.

a. Select None if you do not want to use this installation as a key manager.

b. Select Cisco if you want to use the installation as a Cisco key manager.

c. Select RSA if you want to choose the RSA key manager.

Step 4 Click on Submit Settings to save changes.


After you choose a key manager, the key manager cannot be changed. You should be logged into the appropriate role to select or edit any key manager settings.

Using FC-Redirect with CFS Regions

The Fibre Channel redirect (FC-Redirect) feature uses Cisco Fabric Services (CFS) regions to distribute the FC-redirect configuration. By default, the configuration is propagated to all FC-Redirect capable switches in the fabric. CFS regions can be used to restrict the distribution of the FC-Redirect configuration.


Note Using FC-Redirect with CFS regions is an optional procedure.


To learn more about CFS regions, refer to Cisco Fabric Manager System Management Configuration Guide and the Cisco MDS 9000 Family NX-OS System Management Configuration Guide.

Guidelines for Designing CFS Regions For FC-Redirect

To design CFS regions for FC-Redirect, follow these guidelines:

Ensure the CFS region configuration for FC-Redirect can be applied to all FC-Redirect based applications. The applications include Cisco SME, Cisco DMM and any future applications.

Ensure all FC-Redirect capable switches that are connected to the hosts, targets, and the application switches (switches with MSM-18/4 modules in a cluster) are configured in the same region. Refer to the "FICON Restriction" section for switches that are not capable of FC-Redirect.

If there are multiple Cisco SME clusters in a region, a target can be part of the SME configuration in only one cluster. To change the target to a different cluster, the configuration in the first cluster must be deleted before creating the configuration in the second cluster.

All switches in the region must have a common VSAN.

For existing SME installations, refer to "Configuring CFS Regions For FC-Redirect" section on page F-5 for steps on migrating to CFS regions.

Remove all instances of the previous configurations when a switch is moved to a region or moved out of a region.

To configure a CFS region, refer to the "Configuring CFS Regions For FC-Redirect" section on page F-5.

Installing Smart Card Drivers

The smart card reader must be connected to a management workstation that is used to configure Cisco SME. The smart card driver and the smart card drivers library file must be installed in the workstation. These are found on the Fabric Manager Installation CD.

When connecting a new smart card reader after the installation of smart card drivers, you may be required to restart the computer. If the card reader is not recognized on your workstation, you may need to install the latest smart card drivers. You can find the Download link on the Fabric Manager Web Client.


Note The smart card reader is only supported on Windows platforms.


Obtaining and Installing Licenses

To use the Cisco SME feature, you need the appropriate Cisco SME license; however, enabling Cisco SME without a license key starts a counter on the grace period. You then have 120 days to install the appropriate license keys or disable the use of Cisco SME. If at the end of the 120-day grace period the switch does not have a valid license key for Cisco SME, it will be automatically disabled.

To identify if the Cisco SME feature is active, use the show license usage license-name command.

The Cisco MDS 9000 SME package is licensed on a per-encryption-engine basis. The total number of licenses needed for a SAN fabric is equal to the number of Cisco MDS 9000 18/4-Port Multiservice Modules plus the number of fixed slots on Cisco MDS 9222i switches used for Cisco SME plus the number of encryption engines on Cisco MDS 9000 16-Port Storage Services Nodes (SSN-16).

Each interface in the SSN-16 module is licensed and priced individually.

Table 2-2 lists the three Cisco SME licenses that are available.

Table 2-2 Cisco SME Licenses

Part Number | Description | Applicable Product
M9500SME1MK9 | Cisco Storage Media Encryption (SME) package for MSM-18/4 module | MDS 9500 Series with MSM-18/4 module
M9200SME1MK9 | Cisco Storage Media Encryption (SME) package for MSM-18/4 module | MDS 9200 Series with MSM-18/4 module
M9200SME1FK9 | Cisco Storage Media Encryption (SME) package for fixed slot | MDS 9222i Switch only
M95SMESSNK9= | Cisco Storage Media Encryption (SME) package for one service engine on SSN-16 module, spare | MDS 9500 Series with SSN-16 module
M92SMESSNK9= | Storage Media Encryption package for one service engine on SSN-16 module, spare | MDS 9200 Series with SSN-16 module


To obtain and install Cisco SME licenses, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide.

Cisco SME Configuration Process

Before configuring Cisco SME on your switch, it is important to become familiar with the Cisco SME configuration process. This section provides an overview of the Cisco SME configuration process and includes the following topics:

Initial Cisco SME Configuration

Saving Cisco SME Cluster Configurations

Initial Cisco SME Configuration


Note For information about what you need to do before you initially configure Cisco SME, see the "Required Preconfiguration Tasks" section.


Cisco SME configuration tasks listed below provide an overview of the basic Cisco SME configuration process. Complete the Cisco SME configuration tasks on the switch with an installed MSM-18/4 module or on a Cisco MDS 9222i switch.

Cisco SME basic configuration tasks include the following:

Create the Cisco SME interface (Chapter 3, "SME Interface Configuration")

Create a cluster for Cisco SME (Chapter 4, "Cisco SME Cluster Management")

Add the interfaces to the cluster (Chapter 4, "Cisco SME Cluster Management")

Create a tape group (including selecting the backup server and discovering backup libraries) (Chapter 5, "Cisco SME Tape Configuration")

For details about configuration procedures using the CLI, see Chapter 7, "Using the Command Line Interface to Configure SME."

Saving Cisco SME Cluster Configurations


Note Configuration changes must be saved on all switches in the cluster for correct cluster operation. This must be done after the initial cluster creation and after all subsequent changes are made to the cluster configuration.


You must save configuration changes whenever switches or interfaces are added or deleted from a cluster.

Cisco SME Configuration Restrictions

This section includes information on Cisco SME configuration limitations and restrictions. It contains the following:

FICON Restriction

iSCSI Restriction

FCIP Restriction

FICON Restriction

Cisco SME is not supported on FICON devices and Cisco SME cluster devices cannot be part of a FICON VSAN.

iSCSI Restriction

You cannot configure Cisco SME and iSCSI on the same Cisco MDS MSM-18/4 module because SME uses the iSCSI port indices.

FCIP Restriction

Cisco SME is not supported on FCIP-Write Acceleration (WA) and FCIP-Tape Acceleration (TA). Cisco SME I/Os cannot be transported over FCIP-WA or FCIP-TA.

Cisco SME Configuration Limits

Table 2-3 lists the Cisco SME configurations and the corresponding limits.

Table 2-3 Cisco SME Configuration Limits

Configuration | Limit
Number of clusters per switch | 1
Switches in a cluster | 4
Number of switches in the fabric | 10
Fabrics in a cluster | 2
Modules in a switch | 11
Cisco MSM-18/4 modules in a cluster | 32
Initiator-Target-LUNs (ITLs) | 512
LUNs behind a target | 32
Host and target ports in a cluster | 128
Number of hosts per target | 128
Tape backup groups per cluster | 4
Volume groups in a tape backup group | 32
Cisco Key Management Center (number of keys) | 32,000
Targets per switch that can be FC-Redirected | 32
I-T nexuses per SME interface (soft limit) | 256 (see Note 1)
I-T nexuses per SME interface (hard limit) | 512 (see Note 2)

Note 1 Beyond this limit, a syslog message will be displayed. It is recommended that you provision more SME interfaces in the cluster. Applicable from NX-OS Release 4.2(1) and later.

Note 2 Beyond this limit, new I-T nexuses will not be assigned to that particular SME interface and a critical syslog will be displayed. Applicable from NX-OS Release 4.2(1) and later.