Table Of Contents
Using the Command Line Interface to Configure SME
SME Configuration Tasks
Enabling and Disabling SME Clustering
Enabling and Disabling the Cisco SME Service
Creating the SME Interface
Deleting the SME Interface
Creating the SME Cluster
Setting the SME Cluster Security Level
Setting Up the Cisco SME Administrator and Recovery Officer Roles
Adding an SME Interface from a Local or Remote Switch
Configuring Unique or Shared Key Mode
Enabling and Disabling Automatic Volume Groups
Enabling and Disabling Tape Compression
Enabling and Disabling Key-on-Tape
Configuring a Tape Volume Group
Viewing Cisco SME Cluster, Internal, and Transport Information
Viewing Cisco SME Cluster Details
Viewing Cluster Key Information
Viewing Cluster Node Information
Viewing Recovery Officer Information
Viewing Tape Information
Viewing Tape Cartridge Information
Viewing Tape Volume Group Information
Viewing Cisco SME Role Configurations
Using the Command Line Interface to Configure SME
This chapter contains information about Cisco Storage Media Encryption basic configuration using the command line interface (CLI). It contains the following sections:
•SME Configuration Tasks
•Enabling and Disabling SME Clustering
•Enabling and Disabling the Cisco SME Service
•Creating the SME Interface
•Deleting the SME Interface
•Creating the SME Cluster
•Setting the SME Cluster Security Level
•Setting Up the Cisco SME Administrator and Recovery Officer Roles
•Adding an SME Interface from a Local or Remote Switch
•Configuring Unique or Shared Key Mode
•Enabling and Disabling Automatic Volume Groups
•Enabling and Disabling Tape Compression
•Enabling and Disabling Key-on-Tape
•Configuring a Tape Volume Group
•Viewing Cisco SME Cluster, Internal, and Transport Information
Caution Before a reboot or before making any changes to the Cisco SME configuration, including adding or deleting SME interfaces, you must enter the copy running-config startup-config CLI command.
SME Configuration Tasks
The process of configuring SME on an MDS-18/4 module or Cisco MDS 9222i involves a number of configuration tasks that must be performed in the order listed. The configuration tasks included in this process are the following:
•Enable clustering on the MDS-18/4 module switch
•Enable SME on the MDS-18/4 module switch
•Add the SME interface to the MDS-18/4 module switch
•Add a fabric that includes the MDS-18/4 module switch with the SME interface
•Create a cluster
–Name the cluster
–Select the fabrics that you want to create a cluster from
–Select the SME interfaces from the fabrics that you are including in the cluster
–Select the master key security level (Basic, Standard, or Advanced)
–Select the security key (shared or unique) and tape preferences (store the key on tape, automatic volume grouping, and compression)
–Specify the Key Management Center server and key certificate file
–Specify the password to encrypt the master key and download the key file
Enabling and Disabling SME Clustering
The first step in the process of configuring Cisco SME is to enable SME clustering.
To enable or disable the SME cluster, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# conf t → switch(config)# | Enters configuration mode. |
| Step 2 | switch(config)# cluster enable | Enables Cisco SME clustering. |
| Step 3 | switch(config)# no cluster enable | Disables Cisco SME clustering. |
Enabling and Disabling the Cisco SME Service
Cisco SME services must be enabled to take advantage of the SME encryption and security features. After enabling the SME cluster, the second step in the process of configuring Cisco SME is to enable the SME service.
To enable or disable the SME service, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme enable | Enables Cisco SME on the crypto node. |
| Step 3 | switch(config)# no sme enable | Disables Cisco SME on the crypto node. |
For additional information on clusters, see Chapter 3, "Cisco SME Cluster Management."
Creating the SME Interface
After enabling the cluster and enabling SME, configure the SME interface on the switch.
To configure the SME interface, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# interface sme x/y | Configures the SME interface on slot x, port y, where x is the MPS-18/4 module slot and y is the default SME port, and enters the interface submode. |
| Step 3 | switch(config-if)# no shutdown | Enables the interface on slot x, port y. |
Note Configure the SME interface on the MPS-18/4 module slot and port 1.
Note After configuring the SME interface, a show int command will show that the SME interface is down until the interface is added to a cluster.
Note After configuring the SME interface, a message similar to the following is displayed:
2007 Jun 6 21:34:14 switch %DAEMON-2-SYSTEM_MSG: <<%SME-2-LOG_WARN_SME_LICENSE_GRACE>> No SME Licence. Feature will be shut down after a grace period of approximately 118 days.
Deleting the SME Interface
Before deleting the SME interface, you must remove the switch from the cluster.
Note Deleting an SME interface that is part of a cluster is not allowed. First remove the switch from the cluster by entering the no sme cluster cluster name command, then delete the SME interface.
To delete the SME interface, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# no interface sme x/y | Removes the SME interface from slot x, port y, where x is the MPS-18/4 module slot and y is the port number. |
Creating the SME Cluster
To create an SME cluster, you identify the fabrics that you want to include in the cluster and you configure the following:
•Automatic volume grouping
•Key Management Center (KMC)
•Target discovery
•Tape groups
•Key-on-tape mode
•Recovery
•Shared key mode
•Shutdown cluster for recovery
•Volume Tape Groups
•Tape Compression
To create an SME cluster, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster name and enters SME cluster configuration submode. A cluster name can include a maximum of 32 characters. |
| Step 3 | switch(config-sme-cl)# fabric f1 | Adds fabric f1 to the cluster. |
Setting the SME Cluster Security Level
There are 3 levels of security: Basic, Standard, and Advanced. Standard and Advanced security levels require smart cards.
Table 7-1 Master Key Security Levels
| Security Level | Definition |
|---|---|
| Basic | The master key is stored in a file and encrypted with a password. To retrieve the master key, you need access to the file and the password. |
| Standard | Standard security requires one smart card. When you create a cluster and the master key is generated, you are asked for the smart card. The master key is then written to the smart card. To retrieve the master key, you need the smart card and the smart card PIN. |
| Advanced | Advanced security requires 5 smart cards. When you create a cluster and select Advanced security mode, you designate the number of smart cards (2 or 3 of 5 smart cards, or 2 of 3 smart cards) that are required to recover the master key when data needs to be retrieved. For example, if you specify 2 of 5 smart cards, then you will need 2 of the 5 smart cards to recover the master key. Each smart card is owned by a Cisco SME Recovery Officer. |
Note The greater the number of required smart cards, the greater the security. However, if smart cards are lost or damaged, this reduces the number of available smart cards that could be used to recover the master key.
To set the SME cluster security level, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# security-mode basic | Sets the cluster security level to Basic. |
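The following is an added illustration, not Cisco's code or its actual Advanced-mode mechanism: it models the property Table 7-1 describes with a k-of-n threshold scheme (Shamir secret sharing), so that any 2 of 5 recovery-officer shares rebuild the master key while a single share reveals nothing. The field prime, the share layout and the demo() scenario are assumptions.

```python
"""Added illustration of a k-of-n master key recovery scheme (Shamir secret
sharing). Not Cisco's implementation of Advanced security mode: it models the
property Table 7-1 describes, that any k of n recovery-officer smart cards
rebuild the master key while fewer than k reveal nothing. The field prime and
share layout are assumptions."""
import secrets

P = 2**521 - 1  # Mersenne prime; all arithmetic is in GF(P) (assumed field)


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients coeffs at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_master_key(master_key, k, n):
    """Return n shares (index, value); any k distinct shares recover master_key."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= master_key < P:
        raise ValueError("master key must be an integer below P")
    # The constant term is the secret; the other k-1 coefficients are random,
    # so any k-1 shares are consistent with every possible master key.
    coeffs = [master_key] + [secrets.randbelow(P) for _ in range(k - 1)]
    # Share index i stands for officer i's smart card; x=0 is never issued.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_master_key(shares):
    """Lagrange interpolation at x=0 over the supplied (index, value) shares."""
    xs = [x for x, _ in shares]
    if len(xs) != len(set(xs)):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def demo(k=2, n=5):
    """Model the '2 of 5 smart cards' case from Table 7-1 (assumed scenario)."""
    master_key = secrets.randbelow(P)
    shares = split_master_key(master_key, k, n)
    # Officers 1, 3 and 5 have lost or damaged cards; only 2 and 4 remain,
    # which is still a quorum for k=2 (the Note's point about lost cards).
    surviving = [s for s in shares if s[0] in (2, 4)]
    return {
        "quorum_recovers": recover_master_key(surviving) == master_key,
        "extra_shares_ok": recover_master_key(shares[:3]) == master_key,
        "single_share_leaks": recover_master_key(shares[:1]) == master_key,
    }
```

A 1-of-1 scheme (the "Recovery Scheme is 1 out of 1" shown later in the show sme cluster output) is the degenerate case in which the single share is the key itself.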
Setting Up the Cisco SME Administrator and Recovery Officer Roles
To set up the Cisco SME Administrator and Cisco SME Recovery Officer roles, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# setup sme | Sets up the two security roles. |
Adding an SME Interface from a Local or Remote Switch
Before adding an SME interface, be sure to enable clustering, enable Cisco SME, and start the Cisco SME interface on the switch, and then add the interface to the cluster.
To add an SME interface from a local switch, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# fabric clustername1 | Specifies the fabric. |
| Step 4 | switch(config-sme-cl)# node local → switch(config-sme-cl-node)# | Enters the SME cluster node submode and specifies the local switch. |
| Step 5 | switch(config-sme-cl-node)# fabric-membership clustername1 | Specifies the fabric membership for the cluster. |
| Step 6 | switch(config-sme-cl-node)# interface sme 4/1 force | Adds the SME interface (4/1) from a local switch in fabric f1. |
To add an SME interface from a remote switch, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# fabric clustername1 | Specifies the fabric. |
| Step 4 | switch(config-sme-cl)# node A.B.C.D\|X:X::X\|DNS name → switch(config-sme-cl-node)# | Enters the SME cluster node submode and specifies a remote switch. The format is A.B.C.D \| X:X::X \| DNS name. |
| Step 5 | switch(config-sme-cl-node)# fabric-membership clustername1 | Specifies the fabric membership for the cluster. |
| Step 6 | switch(config-sme-cl-node)# interface sme 3/1 force | Adds the SME interface (3/1) from a remote switch in fabric f2. |
Configuring Unique or Shared Key Mode
Shared key mode is used to generate a single key that is used for a group of backup tapes.
Unique key mode is used to generate unique or specific keys for each tape cartridge.
To configure the shared key or unique key mode, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# shared-key mode → switch(config-sme-cl)# | Specifies shared key mode. |
| Step 4 | switch(config-sme-cl)# no shared-key mode → switch(config-sme-cl)# | Specifies unique key mode. |
Note Configure the Cisco KMC before configuring the key mode. See "Cisco Key Management Center" section on page 6-2.
Enabling and Disabling Automatic Volume Groups
When automatic volume grouping is enabled and SME recognizes that a tape barcode does not belong to an existing volume group, SME creates a new volume group.
Automatic volume grouping is disabled by default.
To enable or disable automatic volume grouping, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# auto-volgrp → switch(config-sme-cl)# | Specifies automatic volume grouping. |
| Step 4 | switch(config-sme-cl)# no auto-volgrp → switch(config-sme-cl)# | Specifies no automatic volume grouping. |
Enabling and Disabling Tape Compression
To enable tape compression, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# tape-compression → switch(config-sme-cl)# | Enables tape compression. |
| Step 4 | switch(config-sme-cl)# no tape-compression → switch(config-sme-cl)# | Disables tape compression. |
Enabling and Disabling Key-on-Tape
Cisco SME provides the option to store the encrypted security keys on the backup tapes.
To enable the key-on-tape feature, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# key-ontape → switch(config-sme-cl)# | Enables the key-on-tape feature. |
| Step 4 | switch(config-sme-cl)# no key-ontape → switch(config-sme-cl)# | Disables the key-on-tape feature. |
Configuring a Tape Volume Group
A tape volume group is a group of tapes that are usually categorized by function. For example, HR1 could be the designated tape volume group for all Human Resources backup tapes, and EM1 could be the designated tape volume group for all e-mail backup tapes.
Adding tape groups allows you to select the VSANs, hosts, storage devices, and paths that SME will use for encrypted data. For example, adding a tape group for HR data sets the mapping for SME to transfer data from the HR hosts to the dedicated HR backup tapes.
To configure a tape volume group, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config t | Enters configuration mode. |
| Step 2 | switch(config)# sme cluster clustername1 → switch(config-sme-cl)# | Specifies the cluster and enters SME cluster configuration submode. |
| Step 3 | switch(config-sme-cl)# tape-bkgrp groupname1 → switch(config-sme-cl-tape-bkgrp)# | Specifies the tape volume group and enters the SME tape volume group submode. |
| Step 4 | switch(config-sme-cl-tape-bkgrp)# tape-device devicename1 → switch(config-sme-cl-tape-bkgrp-tapedevice)# | Specifies the tape device name and enters the SME tape device submode. |
| Step 5 | switch(config-sme-cl-tape-bkgrp-tapedevice)# tape-device devicename1 D → switch(config-sme-cl-tape-bkgrp-tapedevice)# | Specifies the tape cartridge identifier. |
| Step 6 | switch(config-sme-cl-tape-bkgrp-tapedevice)# host 10:00:00:00:c9:4e:19:ed target 2f:ff:00:06:2b:10:c2:e2 vsan 4093 lun 0 fabric f1 → switch(config-sme-cl-tape-bkgrp-tapedevice)# | Specifies the host and target, the VSAN, the LUN, and the fabric (f1) for the tape volume group. |
| Step 7 | switch(config-sme-cl-tape-bkgrp-tapedevice)# enable | Enables the tape device. |
Viewing Cisco SME Cluster, Internal, and Transport Information
To verify Cisco SME cluster configurations, you can use the show sme command to view a specific cluster configuration, internal information, and transport information.
A sample output of the show sme cluster command follows:
switch# show sme cluster clustername1
SME Cluster is clustername1
Cluster ID is 2e:00:00:05:30:01:ad:f4
Cluster config version is 27
Recovery Scheme is 1 out of 1
CKMC server has not been provisioned
Master Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0
Shared Key Mode is Enabled
Auto Vol Group is Not Enabled
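As an added example that is not part of this chapter or of Cisco's software, the following parses show sme cluster output of the shape shown above and lists the settings a reviewer would want to revisit (no KMC, a one-share recovery scheme, shared key mode). The sample text is constructed from the sample output above; the line patterns and the min_quorum default of 2 (the smallest Advanced-mode quorum in Table 7-1) are assumptions.

```python
"""Added example: parse 'show sme cluster <name>' output and list settings
worth reviewing. Not Cisco code; the sample text below is constructed from the
chapter's sample output and the line patterns are assumed from it."""
import re

# Constructed sample, copied in shape from the chapter's sample output.
SAMPLE_SHOW_SME_CLUSTER = """\
SME Cluster is clustername1
Cluster ID is 2e:00:00:05:30:01:ad:f4
Cluster config version is 27
Recovery Scheme is 1 out of 1
CKMC server has not been provisioned
Master Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0
Shared Key Mode is Enabled
Auto Vol Group is Not Enabled
"""


def parse_show_sme_cluster(text):
    """Extract the fields this chapter documents into a dict."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"SME Cluster is (\S+)$", line):
            info["cluster"] = m.group(1)
        elif m := re.match(r"Cluster ID is (\S+)$", line):
            info["cluster_id"] = m.group(1)
        elif m := re.match(r"Cluster config version is (\d+)$", line):
            info["config_version"] = int(m.group(1))
        elif m := re.match(r"Recovery Scheme is (\d+) out of (\d+)$", line):
            info["recovery_k"], info["recovery_n"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("CKMC server"):
            # The sample shows only the unprovisioned wording; anything else
            # is treated as provisioned (assumption).
            info["kmc_provisioned"] = "not been provisioned" not in line
        elif m := re.match(r"Master Key GUID is (\S+), Version: (\d+)$", line):
            info["master_key_guid"] = m.group(1)
            info["master_key_version"] = int(m.group(2))
        elif m := re.match(r"Shared Key Mode is (.+)$", line):
            info["shared_key_mode"] = m.group(1) == "Enabled"
        elif m := re.match(r"Auto Vol Group is (.+)$", line):
            info["auto_volgrp"] = m.group(1) == "Enabled"
    return info


def review_findings(info, min_quorum=2):
    """Return review items; min_quorum is the recovery quorum the operator
    expects (assumed default 2, the smallest Advanced-mode choice in Table 7-1)."""
    findings = []
    if not info.get("kmc_provisioned", False):
        findings.append("KMC not provisioned: configure the Cisco KMC before "
                        "configuring the key mode")
    k, n = info.get("recovery_k", 0), info.get("recovery_n", 0)
    if k < min_quorum:
        findings.append(f"recovery scheme {k} out of {n}: one share alone "
                        "recovers the master key; Advanced mode can require "
                        "2 of 5 recovery-officer smart cards")
    if info.get("shared_key_mode"):
        findings.append("shared key mode: a single key covers a whole group of "
                        "tapes; unique key mode gives each cartridge its own key")
    if not info.get("auto_volgrp", False):
        findings.append("info: automatic volume grouping disabled (the default)")
    return findings
```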
Viewing Cisco SME Cluster Details
Additional cluster information can be displayed with the show sme cluster command. Use this command to show the following:
•Cisco SME cluster details
•Cisco SME cluster interface information
•Hosts and targets in the cluster
•Cisco SME cluster key database
•Cluster node
•Cisco SME cluster Recovery Officer information
•Summary of the Cisco SME cluster information
•Tapes in a cluster
•Tape volume group information
•Cisco SME role configuration
Sample outputs of the show sme cluster command follow:
switch# show sme cluster clustername1 ?
detail Show sme cluster detail
interface Show sme cluster interface
it-nexus Show it-nexuses in the cluster
key Show sme cluster key database
node Show sme cluster node
recovery Show sme cluster recovery officer information
summary Show sme cluster summary
tape Show tapes in the cluster
tape-bkgrp Show crypto tape backup group information
switch# show sme cluster clustername1 interface
Interface sme4/1 belongs to local switch
switch# show sme cluster clustername1 interface it-nexus
-------------------------------------------------------------------------------
Host WWN VSAN Status Switch Interface
-------------------------------------------------------------------------------
2f:ff:00:06:2b:10:c2:e2 4093 online switch sme4/1
Viewing Cluster Key Information
Use the show sme cluster key command to view information about the cluster key database.
A sample output of the show sme cluster key command follows:
switch# show sme cluster clustername1 key database
Key Type is tape volumegroup shared key
GUID is 3b6295e111de8a93-e3f9-e4ae372b1626
Cluster is clustername1, Tape backup group is HR1
Tape volumegroup is Default
Key Type is tape volumegroup wrap key
GUID is 3e9ef70e0185bb3c-ad12-c4e489069634
Cluster is clustername1, Tape backup group is HR1
Tape volumegroup is Default
GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e
Cluster is clustername1, Master Key Version is 0
Viewing Cluster Node Information
Use the show sme cluster node command to view information about a local or remote switch.
A sample output of the show sme cluster node command follows:
switch# show sme cluster clustername1 node
Node switch is local switch
Node is the master switch
Viewing Recovery Officer Information
You can view information about a specific Recovery Officer or about all Recovery Officers for a specific cluster.
switch# show sme cluster clustername1 recovery officer
Recovery Officer 1 is set
Recovery Share Version is 0
Recovery Share Index is 1
Recovery Scheme is 1 out of 1
Recovery Officer Label is
Recovery share protected by a password
Key Type is master key share
Cluster is clustername1, Master Key Version is 0
Recovery Share Version is 0, Share Index is 1
switch# show sme cluster clustername1 summary
-------------------------------------------------------------------------------
Cluster ID Security Mode Status
-------------------------------------------------------------------------------
clustername1 2e:00:00:05:30:01:ad:f4 basic online
Viewing Tape Information
Use the show sme cluster tape command to view summary or detailed information about tapes.
switch# show sme cluster clustername1 tape summary
-------------------------------------------------------------------------------
Host WWN Description Crypto-Tape Status
-------------------------------------------------------------------------------
10:00:00:00:c9:4e:19:ed HP Ultrium 2-SCSI HR1 online
Viewing Tape Cartridge Information
switch# show sme cluster clustername1 tape detail
Serial Number is 2b10c2e22f
Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 LUN 0x0000
Viewing Tape Volume Group Information
Use the show sme cluster tape-bkgrp command to view information about all tape volume groups or about a specific group.
switch# show sme cluster clustername1 tape-bkgrp
-------------------------------------------------------------------------------
Name Tape Devices Volume Groups
-------------------------------------------------------------------------------
switch# show sme cluster clustername1 tape-bkgrp HR1
Number of tape devices is 1
Number of volume groups is 1
Tape device td1 is online
Description is HP Ultrium 2-SCSI
Serial number is 2b10c2e22f
Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 Lun 0x0000 vsan 4093[f1]
Viewing Cisco SME Role Configurations
Use the setup sme command to set up the SME-admin and SME-recovery roles and then use the show role command to view the various Cisco SME role configurations.
Set up two roles necessary for SME, sme-admin and sme-recovery? (yes/no) [no] y
Description: Predefined Network Admin group. This role cannot be modified
Access to all the switch commands
Description: Predefined Network Operator group. This role cannot be modified
Access to Show commands and selected Exec commands
Description: Predefined SVC Admin group. This role cannot be modified
Access to all SAN Volume Controller commands
Description: Predefined SVC Operator group. This role cannot be modified
Access to selected SAN Volume Controller commands
Description: This is a system defined role and applies to all users
vsan policy: permit (default)
---------------------------------------------
Rule Type Command-type Feature
---------------------------------------------
5. permit show environment
vsan policy: permit (default)
---------------------------------------------
Rule Type Command-type Feature
---------------------------------------------
vsan policy: permit (default)
---------------------------------------------
Rule Type Command-type Feature
---------------------------------------------
1. permit configsme-recovery-officer