• Cable planning for the encryption switch and its backup and for a primary and
  secondary key vault manager is critical. These devices can be separated by
  distance as long as they can maintain constant communication contact. One
  device must back up the other to ensure access to encrypted data. Refer to the
  Fabric OS Encryption Administrator’s Guide Supporting Tivoli Key Lifecycle
  Manager (TKLM) Environments for more information on Master Keys (MK).
• Begin with a limited application of encryption in a test environment and, once
  an expanded encryption test is successful, move the encryption into production.
• Avoid dual encryption (Fabric encryption and device encryption). While this
  should not cause any encryption errors, it will degrade performance.
• IBM does not support Cisco switches at this time. The section in the
  Fabric OS Encryption Administrator’s Guide Supporting Tivoli Key Lifecycle
  Manager (TKLM) Environments related to Cisco Fabric connectivity does not
  currently apply.
• The use of Smart Cards provides additional encryption security management,
  and is highly recommended. Smart cards can be ordered as FRUs through IBM.
• The Top Talker feature is not compatible with redirection zones. The Top Talker
  feature should not be enabled when an encryption switch or blade is present in
  the fabric.
• Alias zoning is not supported in encryption environments. You must use the real
  WWPN.
• Refer to the "Steps for connecting to a TKLM appliance" section of the
  Fabric OS Encryption Administrator’s Guide Supporting Tivoli Key Lifecycle
  Manager (TKLM) Environments for detailed information on initial setup. That
  section includes the following information:
  – All switches you plan to include in an encryption group must have a secure
    connection to the Tivoli Key Lifecycle Manager (TKLM). A local Linux host
    must be available to transfer certificates.
  – Be sure that the clock time on the TKLM server and on the Brocade
    encryption nodes is the same. A difference of only a few minutes can cause
    the TLS connectivity to fail.
  – Repeat the same steps for configuring both the primary and the secondary
    key vault.
  – Both the primary and secondary key vaults should be registered before
    exporting MK or encrypting LUNs. If the secondary key vault is registered
    midway, after encryption is done for some of the LUNs, then the key database
    should be backed up and restored on the secondary TKLM from the already
    registered primary TKLM before registering the secondary TKLM.
  – The following is a suggested order for the initial steps needed to create a
    secure connection to TKLM. (Refer to the "Steps for connecting to a TKLM
    appliance" section of the Fabric OS Encryption Administrator’s Guide
    Supporting Tivoli Key Lifecycle Manager (TKLM) Environments for additional
    steps.)
    1. Initialize all encryption nodes to generate Key authentication center
       (KAC) certificates and export the signed KAC certificates to a local
       Linux host.
    2. Obtain the necessary user credentials and log in to the TKLM server
       appliance from the TKLM management web console.
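
The clock requirement above can be checked on the local Linux host before a key vault is registered. The following Python is an added example, not part of the guide or of any IBM or Brocade tooling: it takes the validity dates of an exported KAC certificate (as printed by `openssl x509 -noout -dates`) and a clock reading from each device, and reports hosts whose clock would make the certificate look not yet valid or expired. The host names, the 120-second threshold and the sample dates are assumptions, as is the premise that the TLS failure comes from certificate validity checks against a skewed clock.

```python
import ssl

# Constructed sample: output of `openssl x509 -noout -dates -in <exported KAC cert>`
SAMPLE_DATES = """notBefore=May  1 12:00:00 2024 GMT
notAfter=May  1 12:00:00 2025 GMT"""
TOLERANCE_S = 120  # assumption: the guide gives no figure beyond "a few minutes"

def parse_openssl_dates(text):
    """Return (not_before, not_after) in epoch seconds from `-dates` output."""
    fields = dict(line.strip().split("=", 1) for line in text.strip().splitlines())
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))

def check_clocks(cert_dates, clocks, reference, tolerance=TOLERANCE_S):
    """clocks maps host -> its current UTC time in epoch seconds (read by the
    operator on each device). Returns a list of (host, problem) findings."""
    not_before, not_after = parse_openssl_dates(cert_dates)
    findings = []
    for host, now in sorted(clocks.items()):
        skew = now - clocks[reference]
        if abs(skew) > tolerance:
            findings.append((host, f"clock differs from {reference} by {skew:+d}s"))
        if now < not_before:
            findings.append((host, f"certificate not yet valid here (starts in {not_before - now}s)"))
        elif now > not_after:
            findings.append((host, "certificate already expired here"))
    return findings

def demo():
    # Constructed scenario: certificate signed 60 s ago by the key vault's clock;
    # one encryption node runs 4 minutes behind, the other is 5 s ahead.
    signed, _ = parse_openssl_dates(SAMPLE_DATES)
    clocks = {"tklm-primary": signed + 60,       # hypothetical host names
              "enc-node-1": signed + 60 - 240,
              "enc-node-2": signed + 65}
    return check_clocks(SAMPLE_DATES, clocks, reference="tklm-primary")

if __name__ == "__main__":
    for host, problem in demo():
        print(f"{host}: {problem}")
```

In the constructed scenario only the node that runs four minutes behind is reported, once for the skew itself and once because the certificate's start time is still in that node's future.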
SAN768B-2 Installation, Service, and User Guide
Part Number 00MA746, Printed in USA, GA32 0893 06