-
Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
-
Index
-
New and Changed Information
-
Preface
-
Cisco SME Overview
-
Cisco SME Getting Started
-
Cisco SME Cluster Management
-
Cisco SME Interface Configuration
-
Cisco SME Tape Management
-
Cisco SME Key Management
-
Using the CLI to Configure Cisco SME
-
Cisco SME Best Practices
-
Cisco SME Troubleshooting
-
Cisco SME CLI Commands
-
Offline Data Restore Tool
-
Creating Self-sign certificates
-
Database Backup and Restore
-
Planning for Cisco SME Installation
-
Feedback
Table Of Contents
Using the Command Line Interface to Configure SME
Enabling and Disabling SME Clustering
Enabling and Disabling the Cisco SME Service
Setting the SME Cluster Security Level
Setting Up the Cisco SME Adminstrator and Recovery Officer Roles
Adding an SME Interface from a Local or Remote Switch
Configuring Unique or Shared Key Mode
Enabling and Disabling Automatic Volume Groups
Enabling and Disabling Tape Compression
Enabling and Disabling Key-on-Tape
Configuring a Tape Volume Group
Viewing Cisco SME Cluster, Internal, and Transport Information
Viewing Cisco SME Cluster Details
Viewing Cluster Key Information
Viewing Cluster Node Information
Viewing Recovery Officer Information
Viewing Tape Cartridge Information
Viewing Tape Volume Group Information
Viewing Cisco SME Role Configurations
Using the Command Line Interface to Configure SME
This chapter contains information about Cisco Storage Media Encryption basic configuration using the command line interface (CLI). It contains the following sections:
•
Enabling and Disabling SME Clustering
•
•
•
•
•
•
•
•
•
•
Caution
SME Configuration Tasks
The process of configuring SME on an MDS-18/4 module or Cisco MDS 9222i involves a number of configuration tasks that should be followed in chronological order. The configuration tasks included in this process are the following:
•
•
•
•
•
–
–
–
–
–
–
–
Enabling and Disabling SME Clustering
The first step in the process of configuring Cisco SME is to enable the SME clustering.
To enable or disable the SME cluster, follow these steps:
Enabling and Disabling the Cisco SME Service
Cisco SME services must be enabled to take advantage of the SME encryption and security features. After enabling the SME cluster, the second step in the process of configuring Cisco SME is to enable the SME service.
To enable or disable the SME service, follow these steps:
For additional information on clusters, see Chapter 3, "Cisco SME Cluster Management."
Creating the SME Interface
After enabling the cluster and enabling SME, configure the SME interface on the switch.
To configure the SME interface, follow these steps:
Note
Note
Note
2007 Jun 6 21:34:14 switch %DAEMON-2-SYSTEM_MSG: <<%SME-2-LOG_WARN_SME_LICENSE_GRACE>> No SME Licence. Feature will be shut down after a grace period of approximately 118 days.
Deleting the SME Interface
Before deleting the SME interface, you must remove the switch the cluster.
Note
To delete the SME interface, follow these steps:
Creating the SME Cluster
To create an SME cluster, you identify the fabrics that you want to include in the cluster and you configure the following:
•
•
•
•
•
•
•
•
•
•
To create an SME cluster, follow these steps:
Setting the SME Cluster Security Level
There are 3 levels of security: Basic, Standard, and Advanced. Standard and Advanced security levels require smart cards
.
To set the SME cluster security level, follow these steps:
Setting Up the Cisco SME Adminstrator and Recovery Officer Roles
To set up the Cisco SME Administrator and Cisco SME Recovery Officer roles, follow these steps::
Adding an SME Interface from a Local or Remote Switch
Before adding an SME interface, be sure to enable clustering, enable Cisco SME, and start the Cisco SME interface on the switch, and then add the interface to the cluster.
To add an SME interface from a local switch, follow these steps:
To add an SME interface from a remote switch, follow these steps:
Configuring Unique or Shared Key Mode
Shared key mode is used to generate a single key that is used for a group of backup tapes.
Unique key mode is used to generate unique or specific keys for each tape cartridge.
To configure the shared key or unique key mode, follow these steps:
Note
Enabling and Disabling Automatic Volume Groups
When SME recognizes that a tape barcode does not belong to an exiting volume group, then SME creates a new volume group when automatic volume grouping is enabled.
Automatic volume grouping is disabled by default.
To enable or disable automatic volume grouping, follow these steps:
Enabling and Disabling Tape Compression
To enable tape compression, follow these steps:
Enabling and Disabling Key-on-Tape
Cisco SME provides the option to store the encrypted security keys on the backup tapes.
To enable the key-on-tape feature, follow these steps:
Configuring a Tape Volume Group
A tape volume group is a group of tapes that are categorized usually by function. For example, HR1 could be the designated tape volume group for all Human Resource backup tapes; EM1 could be the designated tape volume group for all Email backup tapes.
Adding tape groups allows you to select the VSANs, hosts, storage devices, and paths that SME will use for encrypted data. For example, adding a tape group for HR data sets the mapping for SME to transfer data from the HR hosts to the dedicated HR backup tapes.
To configure a tape volume group, follow these steps:
Viewing Cisco SME Cluster, Internal, and Transport Information
To verify Cisco SME cluster configurations, you can use the show sme command to view a specific cluster configuration, internal information, and transport information.
A sample output of the show sme cluster command follows:
switch# show sme cluster clustername1SME Cluster is clustername1Cluster ID is 2e:00:00:05:30:01:ad:f4Cluster is OperationalCluster is Not ShutdownCluster config version is 27Security mode is basicCluster status is onlineTotal Nodes are 1Recovery Scheme is 1 out of 1Fabric[0] is f1CKMC server has not been provisionedMaster Key GUID is 8c57a8d82d2098ee-3b27-6c2b116a950e, Version: 0Shared Key Mode is EnabledAuto Vol Group is Not EnabledViewing Cisco SME Cluster Details
Additional cluster information can be displayed with the show sme cluster command. Use this command to show the following:
•
•
•
•
•
•
•
•
•
•
Sample outputs of the show sme cluster command follow:
switch# show sme cluster clustername1 ?detail Show sme cluster detailinterface Show sme cluster interfaceit-nexus Show it-nexuses in the clusterkey Show sme cluster key databasenode Show sme cluster noderecovery Show sme cluster recovery officer informationsummary Show sme cluster summarytape Show tapes in the clustertape-bkgrp Show crypto tape backup group information| Output modifiers.> Output Redirection.<cr> Carriage return.switch# show sme cluster clustername1 interfaceInterface sme4/1 belongs to local switchStatus is upswitch# show sme cluster clustername1 interface it-nexus -------------------------------------------------------------------------------Host WWN VSAN Status Switch InterfaceTarget WWN-------------------------------------------------------------------------------10:00:00:00:c9:4e:19:ed,2f:ff:00:06:2b:10:c2:e2 4093 online switch sme4/1Viewing Cluster Key Information
Use the show sme cluster key command to view information about the cluster key database.
A sample output of the show sme cluster key command follows:
switch# show sme cluster clustername1 key databaseKey Type is tape volumegroup shared keyGUID is 3b6295e111de8a93-e3f9-e4ae372b1626Cluster is clustername1, Tape backup group is HR1Tape volumegroup is DefaultKey Type is tape volumegroup wrap keyGUID is 3e9ef70e0185bb3c-ad12-c4e489069634Cluster is clustername1, Tape backup group is HR1Tape volumegroup is DefaultKey Type is master keyGUID is 8c57a8d82d2098ee-3b27-6c2b116a950eCluster is clustername1, Master Key Version is 0Viewing Cluster Node Information
Use the show sme cluster node command to view information about a local or remote switch.
A sample output of the show sme cluster node command follows:
switch# show sme cluster clustername1 nodeNode switch is local switchNode ID is 1Status is onlineNode is the master switchFabric is f1Viewing Recovery Officer Information
You can view information about a specific Recover Officer or for all Recovery Officers for a specific cluster.
switch# show sme cluster clustername1 recovery officerRecovery Officer 1 is setMaster Key Version is 0Recovery Share Version is 0Recovery Share Index is 1Recovery Scheme is 1 out of 1Recovery Officer Label isRecovery share protected by a passwordKey Type is master key shareCluster is clustername1, Master Key Version is 0Recovery Share Version is 0, Share Index is 1switch# show sme cluster clustername1 summary -------------------------------------------------------------------------------Cluster ID Security Mode Status-------------------------------------------------------------------------------clustername1 2e:00:00:05:30:01:ad:f4 basic onlineViewing Tape Information
Use the show sme cluster tape command to view summary or detailed information about tapes.
switch# show sme cluster clustername1 tape summary -------------------------------------------------------------------------------Host WWN Description Crypto-Tape StatusBackup Group-------------------------------------------------------------------------------10:00:00:00:c9:4e:19:ed HP Ultrium 2-SCSI HR1 onlineViewing Tape Cartridge Information
switch# show sme cluster clustername1 tape detailTape 1 is onlineIs a Tape DriveHP Ultrium 2-SCSISerial Number is 2b10c2e22fIs a member of HR1PathsHost 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 LUN 0x0000Viewing Tape Volume Group Information
Use the show sme cluster tape-bkgrp command to view information about all tape volume groups or about a specific group.
switch# show sme cluster clustername1 tape-bkgrp -------------------------------------------------------------------------------Name Tape Devices Volume Groups-------------------------------------------------------------------------------HR1 1 1switch# show sme cluster clustername1 tape-bkgrp HR1Tape Backupgroup HR1Compression is DisabledNumber of tape devices is 1Number of volume groups is 1Tape device td1 is onlineIs a tape driveDescription is HP Ultrium 2-SCSISerial number is 2b10c2e22fPathsHost 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 Lun 0x0000 vsan 4093[f1]Viewing Cisco SME Role Configurations
Use the setup sme command to set up the SME-admin and SME-recovery roles and then use the show role command to view the various Cisco SME role configurations.
switch# setup smeSet up two roles necessary for SME, sme-admin and sme-recovery? (yes/no) [no] ySME setup doneck-sup1-165# show roleRole: network-adminDescription: Predefined Network Admin group. This role cannot be modifiedAccess to all the switch commandsRole: network-operatorDescription: Predefined Network Operator group. This role cannot be modifiedAccess to Show commands and selected Exec commandsRole: svc-adminDescription: Predefined SVC Admin group. This role cannot be modifiedAccess to all SAN Volume Controller commandsRole: svc-operatorDescription: Predefined SVC Operator group. This role cannot be modifiedAccess to selected SAN Volume Controller commandsRole: default-roleDescription: This is a system defined role and applies to all usersvsan policy: permit (default)---------------------------------------------Rule Type Command-type Feature---------------------------------------------1. permit show system2. permit show snmp3. permit show module4. permit show hardware5. permit show environmentRole: sme-adminvsan policy: permit (default)---------------------------------------------Rule Type Command-type Feature---------------------------------------------1. permit show sme2. permit config sme3. permit debug smeRole: sme-recoveryvsan policy: permit (default)---------------------------------------------Rule Type Command-type Feature---------------------------------------------1. permit configsme-recovery-officer
