About SME
The SME solution is a comprehensive network-integrated encryption service with enterprise-class key management that works transparently with existing and new SANs. The innovative Cisco network-integrated solution has numerous advantages over competitive solutions available today:
- SME installation and provisioning are simple and nondisruptive. Unlike other solutions, SME does not require rewiring or SAN reconfiguration.
- Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM-18/4), the Cisco MDS 9222i Multiservice Module Switch, and the 16-Port Gigabit Ethernet Storage Services Node (SSN-16), which eliminates the need to purchase and manage extra switch ports, cables, and appliances.
- Traffic from any virtual SAN (VSAN) can be encrypted using SME, enabling flexible, automated load balancing through network traffic management across multiple SANs.
- No additional software is required for provisioning, key, and user role management; SME is integrated into Cisco DCNM for SAN (DCNM-SAN), which reduces operating expenses.
Note: When using SME, SSI images should not be loaded or installed on MSM-18/4 cards or the SSN-16, and the bootvar should not be set to load these images.
The following figure shows the integration of SME with SAN fabrics to offer seamless management of data encryption.
SME Features
The Cisco MDS 9000 Family of intelligent directors and fabric switches provide an open, standards-based platform for hosting intelligent fabric applications and services. As a platform, the Cisco MDS 9000 family switches provide all essential features required to deliver secure, highly available, enterprise-class Fibre Channel storage area network (SAN) fabric services. Cisco has integrated encryption for data-at-rest as a transparent fabric service to take full advantage of this platform.
SME is a standards-based encryption solution for heterogeneous disks, tape libraries, and virtual tape libraries. SME is managed with Cisco DCNM-SAN and a command-line interface (CLI) for unified SAN management and security provisioning. SME provides the following features, including comprehensive built-in key management:
Transparent Fabric Service
Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module, an MDS 9222i switch, or an SSN-16 module anywhere in the fabric. There are no in-line appliances in the data path, and no SAN rewiring or reconfiguration is needed.
Encryption
SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS software security features, such as Secure Shell (SSH), Secure Sockets Layer (SSL), RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for the secure architecture.
SME uses the NIST-approved random number standard to generate the keys for encryption.
Encryption and compression services are transparent to the hosts and storage devices.
Encryption Algorithms
The IEEE-approved standard for encryption of disk drives is IEEE 1619—Standard Architecture for Encrypted Shared Storage Media (1619.1 for tape drives). It specifies the XTS encryption mode commonly used for disk encryption. The IEEE Security in Storage Working Group (SISWG) was investigating the possibility of submitting the XTS mode to NIST for consideration as an Approved Mode of Operation for FIPS 140-2 certification. XTS is a narrow-block encryption algorithm; the standardization process for a wide-block algorithm is currently in progress as 1619.2. Other encryption algorithms under consideration are LRW-AES and AES-CBC. Draft versions of the IEEE 1619 standard used LRW-AES, which was later replaced by XTS-AES.
SME Roles
SME services include the following four configuration and security roles:
- SME Administrator
- SME Storage Administrator
- SME Key Management Center (KMC) Administrator
- SME Recovery Officer
The SME Administrator configures and maintains SME. This role can be filled by multiple storage network administrators. The SME Storage Administrators are responsible for SME provisioning operations and the SME KMC Administrators are responsible for the SME KMC administration operations. The security officer may be assigned the SME KMC Administrator role in some scenarios.
Note: The SME Administrator role includes the SME Storage Administrator and the SME KMC Administrator roles.
The SME Recovery Officers are responsible for key recovery operations. During SME configuration, additional Recovery Officers can be added. SME Recovery Officers play a critical role in recovering the key database of a deactivated cluster and they are responsible for protecting the master key. The role of the SME Recovery Officer separates master key management from SME administrations and operations. In some organizations, a security officer may be assigned to this role.
At the advanced security level, a quorum of SME Recovery Officers is required to perform recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to unlock the master key.
For additional information on the SME Administrator and SME Recovery Officer roles, see Creating and Assigning SME Roles and SME Users.
Key Management
Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.
Key management features include the following:
- The master key resides in a password-protected file or in smart cards:
  - If the cluster security mode is set to Basic, the master key resides in the password-protected file.
  - If the cluster security mode is set to Standard, the master key resides in a single smart card, and that same smart card is required to recover the master key.
  - If the cluster security mode is set to Advanced, the master key resides in multiple smart cards. A quorum of smart cards (2 out of 3, 2 out of 5, or 3 out of 5, as selected by the user) is required to recover the master key.
- Unique key per tape for an SME tape cluster.
- Unique key per LUN for an SME disk cluster.
- Keys reside in clear text only inside a FIPS boundary.
- Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC.
- Disk keys are wrapped by the cluster master key and deactivated in the CKMC.
- Option to store tape keys on tape media.
The centralized key lifecycle management includes the following:
- Archive, shred, recover, and distribute media keys.
- Integrated into DCNM-SAN.
- Secure transport of keys.
- End-to-end key management using HTTPS/SSL/SSH.
- Access controls and accounting.
- Use of existing AAA mechanisms.
The Cisco KMC provides dedicated key management for SME, with support for single and multisite deployments. The Cisco KMC performs key management operations.
The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements.
Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management. This separation provides robustness to the KMC and also supports the SME deployments in different locations sharing the same Cisco KMC.
Figure 1 shows how the Cisco KMC is separated from DCNM-SAN for a multisite deployment.
A Cisco KMC is configured only in the primary data center and DCNM-SAN servers are installed in all the data centers to manage the local fabrics and provision SME. The SME provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently.
In the case of multisite deployments when the Cisco KMC is separated from DCNM-SAN, fabric discovery is not required on the Cisco KMC installation. The clusters that have connection to the Cisco KMC will be online and the clusters that are not connected, but are not deactivated, appear as offline. The SME clusters that are deleted from the fabric appear as deactivated.
The high availability Cisco KMC server consists of a primary server and a secondary server. When the primary server is unavailable, the cluster connects to the secondary server and fails over to the primary server once the primary server is available. The high availability KMC will be available after you configure the high availability settings in DCNM-SAN Web Client.
Clustering
Cluster technology provides reliability and availability, automated load balancing, failover capabilities, and a single point of management.
FC-Redirect
SME performance can easily be scaled up by adding more Cisco MDS 9000 Family switches or modules. The innovative Fibre Channel redirect capabilities in Cisco MDS 9000 NX-OS enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.
Server-Based Discovery for Provisioning Disks and Tapes
SME provides discovery of backend targets using the identity of the host during a session establishment.
Target-Based Load Balancing
The SME cluster consists of a set of switches (in a dual-fabric environment) running the SME application. Clustering offers target-based load balancing of SME application services. The cluster infrastructure allows the SME application to communicate and coordinate to maintain consistency and high availability.
Load balancing is achieved by distributing ownership of the various metadata objects throughout the cluster. SME assigns hosts to the available SME interfaces using the following algorithm:
- All hosts for a given target port are always assigned to the same SME interface.
- If a target port is connected to one of the SME switches, an interface is selected based on the load from the target-connected switch. That is, the target locality is considered when choosing a SME interface for a target.
- If a target is connected to a switch that has no SME interface, then the target is assigned to the least loaded available interface in the SME cluster.
In target-based load balancing, the load on an interface refers to the number of targets assigned to that interface.
Caution: SME provides a load balancing CLI that allows you to rebalance the targets assigned to the available SME interfaces in the cluster. However, the load balancing command is disruptive to traffic. Execute this command during scheduled downtime; otherwise, existing traffic will be affected.
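The following is an added simulation of the target-based assignment rules above and of what the rebalance caution means in practice; it is not Cisco's code. The cluster, targets and IT nexuses are constructed sample data, and the processing order and tie-breaking are assumptions, since the page does not specify them.

```python
# Constructed sample cluster: each switch maps to the SME interfaces it hosts
# (sw3 has no MSM-18/4 module, so it hosts none).
SME_INTERFACES = {"sw1": ["sw1/sme1"], "sw2": ["sw2/sme1"], "sw3": []}

# Constructed target ports and the switch each is connected to.
TARGETS = {"tgt-A": "sw1", "tgt-B": "sw1", "tgt-C": "sw3", "tgt-D": "sw2", "tgt-E": "sw3"}

# Constructed IT nexuses: (host, target port) pairs.
IT_NEXUSES = [("hostHR", "tgt-A"), ("hostMail", "tgt-A"), ("hostDB", "tgt-B")]


def assign_targets(targets, sme_interfaces):
    """Assign each target port to an SME interface, preferring target locality.

    Load on an interface is the number of targets assigned to it. Targets are
    processed in sorted name order and ties broken by interface name; both are
    assumptions for this demo, not SME's documented ordering.
    """
    load = {iface: 0 for ifaces in sme_interfaces.values() for iface in ifaces}
    if not load:
        raise ValueError("cluster has no SME interface")
    assignment = {}
    for target in sorted(targets):
        local = sme_interfaces.get(targets[target], [])
        # Target on an SME switch: choose among that switch's own interfaces.
        # Target on a switch without SME: fall back to the whole cluster.
        candidates = local if local else list(load)
        iface = min(candidates, key=lambda i: (load[i], i))
        assignment[target] = iface
        load[iface] += 1
    return assignment, load


def assign_hosts(it_nexuses, target_assignment):
    """All hosts talking to a target port follow that port's SME interface."""
    return {(host, tgt): target_assignment[tgt] for host, tgt in it_nexuses}


def rebalance_impact(current, targets, sme_interfaces):
    """Targets whose traffic a rebalance would disrupt (they change interface)."""
    fresh, _ = assign_targets(targets, sme_interfaces)
    return sorted(t for t in fresh if current.get(t) != fresh[t])


if __name__ == "__main__":
    assignment, load = assign_targets(TARGETS, SME_INTERFACES)
    print(assignment, load)
    # After adding an SME switch, which targets would a rebalance move?
    grown = {**SME_INTERFACES, "sw4": ["sw4/sme1"]}
    print("disrupted on rebalance:", rebalance_impact(assignment, TARGETS, grown))
```

Running rebalance_impact before issuing the real load balancing command gives a first estimate of which targets (and hence which hosts) fall inside the maintenance window.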
SME Terminology
The following SME-related terms are used in this book:
- SME interface—The security engine in the MSM-18/4 module or fixed slot of a Cisco MDS 9222i fabric switch. Each MSM-18/4 module and MDS 9222i switch has one security engine.
- SME cluster—A network of MDS switches that are configured to provide the SME functionality; each switch includes one or more MSM-18/4 modules and each module includes a security engine. Includes one or more nodes or switches for high availability (HA) and load balancing.
- Fabric—A physical fabric topology in the SAN as seen by DCNM-SAN. There can be multiple VSANs (logical fabrics) within the physical fabric.
- Tape group—A backup environment in the SAN. This consists of all the tape backup servers and the tape libraries that they access.
- Tape device—A tape drive that is configured for encryption.
- Tape volumes—A physical tape cartridge identified by a barcode for a given use.
- Tape volume group—A logical set of tape volumes that are configured for a specific use, for example, a group of tape volumes used to backup a database.
- Disk group—The disks that are grouped functionally to form disk groups.
- Disk—Disk is a LUN. A LUN is a logical unit that is exported to the host by the storage controller.
- IT-NEXUS—The initiator and target pWWN pair that defines a host-to-target connection.
- SME node—Each switch in the cluster is called an SME node and plays a role in determining if the cluster has a quorum.
- Cisco Key Management Center (CKMC)—A component of DCNM-SAN that stores the encryption keys.
- Master key—An encryption key generated when an SME cluster is created. The master key encrypts the tape volume keys and tape keys and it is required to decrypt those keys in order to retrieve encrypted data.
- Media key—A key that is used for encrypting and authenticating the data on specific tapes.
- Disk key—A key that is used for encrypting and authenticating the data on specific disks.
- SmartCard—A card (approximately the size of a credit card) with a built-in microprocessor and memory used for authentication.
- SME Administrator—An administrator who configures SME. This role includes the Cisco Storage Administrator role where the administrator manages the SME operations and the SME KMC Administrator role where the administrator is responsible for the SME key management operations.
- Storage Administrator—An administrator who manages the SME operations.
- SME KMC Administrator—An administrator who is responsible for the SME key management operations.
- SME Recovery Officer—A data security officer entrusted with smart cards and the associated PINs. Each smart card stores a share of the cluster master key. Recovery officers must present their cards and PINs to recover the key database of a deactivated cluster. A quorum of recovery officers are required to execute this operation.
Supported Topologies
SME supports single- and dual-fabric topologies. The Cisco MSM-18/4 module, the MDS 9222i switch, and the SSN-16 provide the SME engines used by SME to encrypt and compress data-at-rest. Multiple modules can be deployed in a Fibre Channel fabric to easily scale up performance, to enable simplified load balancing, and to increase availability. In a typical configuration, one MSM-18/4 module is required in each SME cluster.
SME clusters include designated backup servers, tape libraries, and one or more MDS switches running Cisco SAN-OS Release 3.2(2c) or later or NX-OS 4.x or later. One cluster switch must include an MSM-18/4 module. With easy-to-use provisioning, traffic between any host and tape on the fabric can utilize the SME services.
Required SME engines are included in the following Cisco products:
- Cisco MDS 9000 Family 18/4-Port Multiservice Module (MSM-18/4)
- Cisco MDS 9222i Multiservice Module Switch
- Cisco MDS 16-Port Storage Services Node (SSN-16)
Single-Fabric Topology for Tape
Figure 1 shows a single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module. The Cisco MSM-18/4 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR tape. SME also tracks the barcodes on each encrypted tape and associates the barcodes with the host servers.
In Figure 1, encrypted data from the HR server is compressed and stored in the HR tape library, while data from the email server is not encrypted when it is backed up to the dedicated email tape library.
Note: Tape devices should be connected to core switches such as an MDS 9500 Series switch or MDS 9222i switch running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later, or to an MDS 9710 Series switch running Cisco NX-OS Release 6.2(3) or later.
Encryption and compression services are transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.
Single-Fabric Topology for Disk
In a single-fabric topology, the data from the HR server is forwarded to the Cisco MSM-18/4 module, Cisco MDS 9222i switch, or SSN-16 module, which can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR disk.
Note: SME disk also supports a dual-fabric topology in which the data can be encrypted on all the paths. Disk devices should be connected to core switches, such as an MDS 9500 Series switch or an MDS 9222i switch, running Cisco NX-OS Release 5.2(1) or later.
Encryption is transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.
In-Service Software Upgrade in SME
In-Service Software Upgrade (ISSU) is a comprehensive, transparent software upgrade capability that allows you to add new features and services without any disruption to the traffic.
In a cluster, which has the MDS 9222i switch as nodes, if the nodes are not able to communicate, then the node having the lowest node identifier (node ID) remains in the cluster while the other node leaves the cluster. However, when an ISSU is performed on a node having the lowest node identifier, a complete loss of the cluster results since both the nodes leave the cluster.
This undesirable situation is addressed in a two-node cluster as follows:
- The upgrading node sends a message to the other node stating its intent to leave the cluster. The upgrading node can be either the master node or a slave node.
- The remaining node stays in the cluster and takes over the master role if it was a slave node. This node continues to remain in the cluster with the quorum intact.
- After the ISSU is completed and the switch boots up, the upgraded node rejoins the cluster as a slave node.
Note: This feature is tied to the internals of the ISSU logic; no additional command needs to be executed for this purpose.