Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Planning for Cisco SME Installation

Planning For Cisco SME Installation


This appendix outlines the steps and guidelines that you need to follow to ensure a successful Cisco SME installation. Before installing the application, read the requirements and prerequisites for the following services and features:

SAN Considerations

Interoperability Matrix

MSM-18/4 Modules

Key Management Center and Fabric Manager Server

Security

Communication

Preinstallation Requirements

Preconfiguration Tasks

Provisioning Cisco SME

SAN Considerations

Collect the following information about the SAN before installing Cisco SME:

Version of the SAN operating system.


Note It is suggested that you use SAN-OS version 3.3(1a) or later.


SAN switch vendors.


Note Cisco SME is supported on Cisco-only SANs. However, SANs that have switches from other vendors may also be supported on a case-by-case basis.


SAN topology, including the placement of hosts and targets and number of fabrics.

Backup host operating system.

Backup application type and version.

HBA type and firmware version.

Tape library and drive types.

Number of hosts and tape drives.

SAN topology diagram.

Types of cards used for ISL connectivity (Generation 1 or Generation 2).


Note This information is required for large Cisco SME setups.


Zoning of the hosts and tape drives, and whether all the drives are accessible to all the hosts. Selective accessibility between the hosts and drives is preferred.

Interoperability Matrix

Verify the interoperability matrix to be used. If needed, submit an RPQ for new types and versions of SAN components such as tape libraries and drives, or new backup application software versions.

Refer to Cisco MDS 9000 Family Interoperability Support Matrix.

MSM-18/4 Modules

Collect the following information about MSM-18/4 modules:

Determine the total throughput requirement and the required number of MSM-18/4 modules. The throughput requirement can be based on either meeting the backup window or based on achieving the line rate throughput for each drive. Refer to Cisco Storage Media Encryption Design Guide for details.

Determine the placement of the MSM-18/4 cards. Consult the design guide for sample topology and recommendations.

For large Cisco SME setups, determine if the line cards used for ISLs can scale for the FC Redirect configuration (refer to Cisco Storage Media Encryption Design Guide).


Note Generation 2 line cards are recommended for ISL connectivity.


Order the appropriate number of Cisco SME licenses.

Key Management Center and Fabric Manager Server

Determine which of the following key management strategies and policies are appropriate for you:

Use Cisco KMC or KMC with RSA Key Manager for the data center.

Use PostgreSQL database or Oracle Express as the database.

We recommend that you use PostgreSQL as the database.

Use shared key mode or unique key per tape.

Configure key-on-tape mode.

Use tape recycling.


Note For more information about key policies, refer to Storage Media Encryption Key Management White Paper and Chapter 6, "Cisco SME Key Management."


Use basic, standard, or advanced key security mode.

To learn more about master key security modes, refer to Chapter 3, "Cisco SME Cluster Management."

If you are using smart cards in the standard or advanced security mode, ensure that you do the following:

Install the GemPlus smart card reader drivers on the host used for Cisco SME provisioning. These card reader drivers are included in the Cisco MDS 9000 Management Software and Documentation CD-ROM.

Order the required number of smart cards and readers.

Identify a host in the customer environment for setting up the Fabric Manager server and KMC.

Refer to Chapter 1, "Product Overview" to learn about the server requirements.

Security

Determine whether you will use SSL for switch-to-KMC communication. If you are using SSL, then do the following tasks:

Identify whether a self-signed certificate is required or whether the customer will use their own certificate as the root certificate.

List the names and IP addresses of the switches where the certificates will be installed.

Install OpenSSL. This application can be installed on the server used for the Fabric Manager server and KMC.

For a server running the Windows operating system, download and install OpenSSL from one of the following locations:

http://gnuwin32.sourceforge.net/packages/openssl.htm

http://www.slproweb.com/products/Win32OpenSSL.html

Use this OpenSSL installation to generate keys.

Use the OpenSSL application installed at the following location:

C:\Program Files\GnuWin32\bin\openssl.exe


Note For a server running on Linux, the OpenSSL application should already be available on the server.


Identify the authentication modes used in the SAN, that is, local database, TACACS+, or RADIUS.

Communication

Verify that you do the following tasks:

Allow the following ports on the firewall server:

Ports 9333 to 9339 for TCP and UDP for Cisco SME cluster communication

Ports 8800 and 8900 for Cisco KMC communication

Ports HTTP (80) and HTTPS (443) for Cisco SME web-client communication.

Use either DNS or IP address (not a mix) for the SAN and KMC communication.


Note If you are using IP addresses, refer to the "sme.useIP for IP Address or Name Selection" section on page 2-14 to learn about sme.useIP.
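The port list and the DNS-or-IP rule above can be checked before installation with a short preflight script. This is an added example, not part of the Cisco guide: the inventory is constructed, TCP is assumed for ports 8800 and 8900 (the guide gives no protocol), and the function names are hypothetical.

```python
import ipaddress
import socket

# Ports from the Communication section. Assumption: 8800/8900 are TCP.
REQUIRED = {
    "sme-cluster": {"ports": range(9333, 9340), "protos": ("tcp", "udp")},
    "kmc": {"ports": (8800, 8900), "protos": ("tcp",)},
    "web-client": {"ports": (80, 443), "protos": ("tcp",)},
}

def required_rules():
    """Expand REQUIRED into a sorted list of (service, proto, port)."""
    return sorted((svc, proto, port)
                  for svc, spec in REQUIRED.items()
                  for proto in spec["protos"]
                  for port in spec["ports"])

def is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def addressing_mode(inventory):
    """Return 'ip', 'dns' or 'mixed' for a {name: address} inventory."""
    if not inventory:
        raise ValueError("empty inventory")
    kinds = {"ip" if is_ip(a) else "dns" for a in inventory.values()}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def missing_rules(allowed):
    """Required rules absent from an allow-list of (proto, port) pairs."""
    have = set(allowed)
    return [r for r in required_rules() if (r[1], r[2]) not in have]

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection succeeds (UDP cannot be probed this way)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False

if __name__ == "__main__":
    # Constructed inventory: one DNS name and one IP, so the mix is flagged.
    inventory = {"switch-a": "sw-a.example.net", "kmc": "192.0.2.10"}
    print("addressing:", addressing_mode(inventory))
    for svc, proto, port in required_rules():
        print(f"allow {proto}/{port} ({svc})")
```

`tcp_open` only confirms TCP reachability from the host it runs on; the UDP cluster ports still have to be verified against the firewall rule set itself, for example by passing its exported allow-list to `missing_rules`.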


Preinstallation Requirements

Before installing Cisco SME, ensure that you do the following tasks:

Install Java 1.5 or 1.6 on the Fabric Manager server.

If you are using SSL, install OpenSSL on the server to be used for SSL certificate generation.

Ensure that essential ports are allowed through the firewall and on the management interface.

If you are using DNS, ensure that all switches and the KMC server are mutually reachable (through the ping command) using their DNS names.

Synchronize the time between all the switches, the KMC and the server used for generating SSL certificates. Configure NTP if required.

Ensure that the hosts and the tape drives are appropriately zoned.

Ensure that there is CLI access to the switches.

Install smart card reader drivers.

Ensure that the required number of smart cards and readers are available.

Install the MSM-18/4 modules and Cisco SME licenses on the required set of switches.

Preconfiguration Tasks

Before configuring Cisco SME, you need to install the Fabric Manager, enable the services, assign roles and users, create fabrics, install SSL certificates, and then provision Cisco SME. The following sections describe the steps that you need to follow:

Installing Fabric Manager

Assigning Cisco SME Roles and Users

Creating Cisco SME Fabrics

Installing SSL Certificates

Provisioning Cisco SME

Installing Fabric Manager

While installing the Fabric Manager, do the following tasks:

Ensure that the Cisco Fabric Manager login name and password are the same as the switch login name and password.

Select the appropriate database.

Select the appropriate authentication mode.

Select HTTPS during the installation.


Note To know more about installing Fabric Manager, refer to "Installing Fabric Manager, Fabric Manager Client, and Enabling HTTPS" section on page 2-17 and Installation of Cisco MDS SAN-OS and Fabric Manager.


Enabling Cisco SME Services

To enable services, do the following tasks:

Enable clustering on all the Cisco SME switches. For more information, refer to "Enabling Clustering" section on page 2-3.

Enable Cisco SME services using either Fabric Manager or Device Manager. For more information, refer to "Enabling Cisco SME" section on page 2-6.

Enable SSH on the Cisco SME switches. To know more about enabling SSH, refer to "Enabling SSH" section on page 2-9.

Set the FC Redirect version to 2 (if you are using SAN-OS version 3.3(1a) or later). To learn more about enabling the version2 mode, refer to "fc-redirect version2 enable" section on page A-12.


Note To learn about enabling these services, refer to Chapter 2, "Getting Started."


Assigning Cisco SME Roles and Users

To set up roles and users, do the following:

Create the two Cisco SME roles, sme-admin and sme-recovery-officer. Use the Fabric Manager to create users for the sme-admin role.


Note In the Advanced mode for the master key, create three or five users under the sme-recovery-officer role.


Create users on the switches for both of these roles.

To set up roles and users, refer to the "Creating and Assigning Cisco SME Roles and Cisco SME Users" section on page 2-14. For detailed information on creating and assigning roles, refer to Cisco MDS 9000 Family Fabric Manager Configuration Guide and Cisco MDS 9000 Family CLI Configuration Guide.

Creating Cisco SME Fabrics

When creating Cisco SME fabrics, note the following guidelines:

Add the Cisco SME fabrics using the Fabric Manager Web client. Modify the names to exclude switch names from the fabric name.

The fabric name must remain constant. You cannot change the fabric name after you have configured Cisco SME.

For more information, refer to "Adding a Fabric and Changing the Fabric Name" section on page 2-18.

Installing SSL Certificates

To create SSL certificates, do the following tasks:

Follow the procedure specified in Appendix C, "Provisioning Self-Sign Certificates," to install SSL certificates on the switches and the KMC.

Use the same password at every step of the installation procedure to simplify the process.

Restart the Fabric Manager server and KMC after installing the SSL certificates.

Provisioning Cisco SME

When provisioning and configuring Cisco SME, do the following tasks:

Create a Cisco SME interface for each of the MSM-18/4 modules that will be used for storage media encryption. For more information, refer to Chapter 4, "Cisco SME Interface Configuration."

Follow the steps outlined in Chapter 3, "Cisco SME Cluster Management," including cluster creation and tape backup group configuration procedures.

Save the running configuration to startup configuration.