Collect the following information about the SAN before installing SME:

• Version of the SAN or NX-OS operating system.

  Note	We suggest that you use version Cisco SAN-OS Release 3.1(1a) or later or NX-OS Release 4.x or later.

• SAN switch vendors.

  Note	SME is supported on Cisco-only SANs. However, SANs that have switches from other vendors may also be supported on a case-by-case basis.

• SAN topology, including the placement of hosts and targets and number of fabrics.

• Backup host operating system.

• Backup application type and version.

• HBA type and firmware version.

• Tape library and drive types.

• Number of hosts and tape drives.

• SAN topology diagram.

• Types of modules used for ISL connectivity (Generation 1 or Generation 2).

  Note	This information is required for large SME setups.

• Zoning of the hosts and tape drives and if all the drives are accessible to all the hosts. It is preferred that there is selective accessibility between the hosts and drives.

Verify the interoperability matrix to be used. If needed, submit an RPQ for new types and versions of SAN components such as tape libraries and drives, or new backup application software versions.

Refer to the Cisco MDS 9000 Family Interoperability Support Matrix.

Collect the following information about MSM-18/4 modules:

• Determine the total throughput requirement and the required number of MSM-18/4 modules. The throughput requirement can be based on either meeting the backup window or based on achieving the line rate throughput for each drive. Refer to the Cisco Storage Media Encryption Design Guide for details.
• Determine the placement of the MSM-18/4 modules. Consult the design guide for sample topology and recommendations.
• For large SME setups, determine if the line cards used for ISLs can scale for the FC Redirect configuration. Refer to the Cisco Storage Media Encryption Design Guide for details.

Note	Generation 2 modules are recommended for ISL connectivity.

• Order the appropriate number of SME licenses.

Determine which of the following key management strategies and policies are appropriate for you:

• Use Cisco KMC or KMC with RSA Key Manager for the data center.

• Use PostgreSQL database or Oracle Express as the database.

We recommend that you use PostgreSQL as the database.

• Use shared key mode or unique key per tape.

• Configure key-on-tape mode.

• Use tape recycling.

Note	For more information about key policies, refer to the Storage Media Encryption Key Management White Paper and and Chapter 7, “Configuring SME Key Management.”

• Use basic or standard or advanced key security mode.

To learn more about master key security modes, refer to Chapter 4, “Configuring SME Cluster Management.”

If you are using smart cards in the standard or advanced security mode, ensure that you do the following:

• Install the GemPlus smart card reader drivers on the host used for SME provisioning. These card reader drivers are included in the Cisco MDS 9000 Management Software and Documentation CD-ROM.

• Order the required number of smart cards and readers.

• Identify a host in the customer environment for setting up the DCNM-SAN and KMC.

Refer to Chapter 1, “Storage Media Encryption Overview” to learn about the requirements.

Determine whether you will use SSL for switch-to-KMC communication. If you are using SSL, then do the following tasks:

• Identify whether a self-signed certificate is required or whether the customer will use their own certificate as the root certificate.
• List the names and IP addresses of the switches where the certificates will be installed.
• Install OpenSSL. This application could be installed on the server used for DCNM-SAN and KMC.
  • For the server running Windows operating system, download and install OpenSSL from the following locations:

http://gnuwin32.sourceforge.net/packages/openssl.htm

http://www.slproweb.com/products/Win32OpenSSL.html

The SSL installed should be used to generate keys.

• • Use the OpenSSL application installed at the following location:

C:\Program Files\GnuWin32\bin\openssl.exe

Note	For a server running on Linux, the OpenSSL application should already be available on the server.

• Identify the authentication modes used in the SAN, that is local database, TACACS+, or RADIUS.

Verify that you do the following tasks:

• Allow the following ports on the firewall server:
  • Ports 9333 to 9339 for TCP and UDP for SME cluster communication
  • Ports 8800 and 8900 for Cisco KMC communication
  • Ports HTTP (80) and HTTPS (443) for SME web-client communication
• Use either DNS or IP address (not a mix) for the SAN and KMC communication

Note	If you are using IP addresses, refer to the “sme.useIP for IP Address or Name Selection” section on page 2-32 to learn about sme.useIP.

Before installing SME, ensure that you do the following tasks:

• Install Java 1.5 or 1.6 on the DCNM-SAN.
• If you are using SSL, install OpenSSL on the server to be used for SSL certificate generation.
• Ensure that essential ports are allowed through the firewall and on the management interface.
• If you are using DNS, ensure that all switches and the KMC server, are mutually reachable (through the ping command) using their DNS names.
• Synchronize the time between all the switches, the KMC and the server used for generating SSL certificates. Configure NTP if required.
• Ensure that the hosts and the tape drives are appropriately zoned.
• Ensure that there is CLI access to the switches.
• Install smart card reader drivers.
• Ensure that the required number of smart cards and readers are available.
• Install the MSM-18/4 modules and SME licenses on the required set of switches.

Before configuring SME, you need to install DCNM-SAN, enable the services, assign roles and users, create fabrics, install SSL certificates, and then provision SME. The following sections describe the steps that you need to follow:

When provisioning and configuring SME, do the following tasks:

• Create a SME interface for each of the MSM-18/4 modules that will be used for storage media encryption. For more information, refer to Chapter 3 Configuring SME Interfaces

• Follow the steps outlined in Chapter 4 Configuring SME Cluster Management including cluster creation and tape backup group configuration procedures.

• Save the running configuration to startup configuration.

For more informaiton, see the solution guide to SME which contains additional details and requirements for installing SME Disk in specific configurations.