Implementing the Storwize V7000 and the IBM System Storage SAN32B-E4 Encryption Switch

Book description

In this IBM® Redbooks® publication, we describe how these products can be combined to provide an encryption and virtualization solution:

  • IBM System Storage® SAN32B-E4 Encryption Switch

  • IBM Storwize® V7000

  • IBM Tivoli® Key Lifecycle Manager


We describe the terminology that is used in an encrypted and virtualized environment, and we show how to implement these products to take advantage of their strengths.

This book is intended for anyone who needs to understand and implement the IBM System Storage SAN32B-E4 Encryption Switch, IBM Storwize V7000, IBM Tivoli Key Lifecycle Manager, and encryption.

Table of contents

    1. Notices
      1. Trademarks
    2. Preface
      1. The team who wrote this book
      2. Now you can become a published author, too!
      3. Comments welcome
      4. Stay connected to IBM Redbooks
    3. Chapter 1: Introduction to SAN encryption using the Storwize V7000 and the SAN32B-E4 Encryption Switch
      1. Why we need SAN security and encryption solutions
        1. Threats and security
      2. Encryption basics
        1. Symmetric key encryption
        2. Asymmetric key encryption
        3. Digital certificates
        4. Encryption algorithms
        5. Encryption challenges
      3. IBM encryption products and software
        1. IBM Tivoli Key Lifecycle Manager
        2. SAN32B-E4 Encryption Switch
        3. IBM Storwize V7000
      4. SAN environment (pre-encryption)
      5. Encrypted SAN environment
    4. Chapter 2: Terminology and technology
      1. Why terminology is important
      2. Basic terminology
        1. Data
        2. LUN
        3. Fabric and SAN
        4. Management network
        5. Private network
        6. Key
        7. Certificate
        8. CryptoModule
        9. Cleartext
        10. Ciphertext
      3. Elements of the encryption process
        1. Encryption group
        2. Group leader
        3. Encryption engine
        4. Encryption node
        5. Encryption certificates
        6. Key vault
        7. Recovery cards
      4. Terminology of the encryption process
        1. Crypto Target Container
        2. Data encryption key
        3. Data encryption key lifecycle management
        4. First-time encryption
        5. Rekeying operation
        6. First-time encryption and rekey operation details
        7. Frame redirection zone
        8. Key encryption key
        9. Master key
        10. Virtual targets and virtual initiators
      5. Cluster technology
        1. High availability cluster configurations
        2. Failover and failback of the HA cluster
        3. Data encryption key cluster
    5. Chapter 3: Initial setup for the IBM Tivoli Key Lifecycle Manager and the SAN32B-E4 Encryption Switch
      1. The need for a key management tool
        1. Why IBM Tivoli Key Lifecycle Manager
      2. Tivoli Key Lifecycle Manager components and resources
      3. Initial setup of Tivoli Key Lifecycle Manager and the Encryption Switch
        1. Basic installation of Tivoli Key Lifecycle Manager
        2. Multiple Tivoli Key Lifecycle Managers for redundancy
        3. Installation of the Encryption Switch
        4. Master key management
        5. Considerations before the first TKLM and SAN32B-E4 Encryption Switch setup
        6. Setting up the SAN32B-E4 Encryption Switch and TKLM using the switch CLI (1/5)
        7. Setting up the SAN32B-E4 Encryption Switch and TKLM using the switch CLI (2/5)
        8. Setting up the SAN32B-E4 Encryption Switch and TKLM using the switch CLI (3/5)
        9. Setting up the SAN32B-E4 Encryption Switch and TKLM using the switch CLI (4/5)
        10. Setting up the SAN32B-E4 Encryption Switch and TKLM using the switch CLI (5/5)
        11. Setting up the SAN32B-E4 Encryption Switch and TKLM using the DCFM GUI (1/4)
        12. Setting up the SAN32B-E4 Encryption Switch and TKLM using the DCFM GUI (2/4)
        13. Setting up the SAN32B-E4 Encryption Switch and TKLM using the DCFM GUI (3/4)
        14. Setting up the SAN32B-E4 Encryption Switch and TKLM using the DCFM GUI (4/4)
    6. Chapter 4: Implementation scenarios and recommendations for managing the SAN32B-E4 Encryption Switch
      1. Configuring encryption on a single fabric
        1. Current configuration
      2. General prerequisites for encryption
        1. Setting the default zone
        2. Synchronizing switch times
        3. Host requirements
      3. Defining the encryption configuration
        1. Creating containers
        2. Adding a host initiator to a container
        3. Adding a target LUN to a container
        4. Displaying a container
        5. Enabling encryption
      4. Data encryption key cluster config: Multiple path/dual fabric
        1. Starting the configuration
        2. Target configuration for a data encryption key cluster environment
        3. Steps to extend a single fabric setup to a DEK cluster environment
        4. Preparing the multipath/dual-fabric configuration
        5. Verifying the current encryption group members
        6. Adding a new host server Fibre Channel port to the existing LUNs
        7. Adding and defining the new CTCs for the second fabric via DCFM (1/2)
        8. Adding and defining the new CTCs for the second fabric via DCFM (2/2)
        9. Adding the existing LUNs for the second fabric CTCs via DCFM
        10. Activating the DEK cluster CTC definitions
        11. Final activation/confirmation of the new paths (via a second fabric)
      5. Adding a second Encryption Switch for high availability (1/2)
      6. Adding a second Encryption Switch for high availability (2/2)
      7. Creating and adding a new LUN to an existing EG
        1. Creating and adding a new LUN in a single-fabric environment
        2. Creating a new LUN in the IBM Storwize V7000
        3. Adding a newly created LUN into an existing encryption group (1/2)
        4. Adding a newly created LUN into an existing encryption group (2/2)
        5. Creating and adding a new LUN in a dual-fabric environment
        6. Creating a new LUN in the IBM Storwize V7000 (dual fabric)
        7. Adding a new LUN into an existing encryption group (dual fabric)
      8. Adding and removing a path to an initiator from a CTC
        1. Adding host paths
        2. Removing host paths
      9. Changing a host HBA (1/2)
      10. Changing a host HBA (2/2)
    7. Chapter 5: Advanced techniques and functionality
      1. Frame redirection zone in detail
        1. Name service
        2. Crypto Target Container
        3. Estimating the number of required CTCs
        4. Estimating the multipathing requirements for the LUN
        5. Adding LUNs to the CTCs
        6. Understanding the structure of the CTC
        7. Changing the fabric configuration
      2. First-time encryption and rekey operation in detail
        1. Performance effect of the first-time encryption and rekey operations
        2. The nature of the first-time encryption and rekey operations (1/2)
        3. The nature of the first-time encryption and rekey operations (2/2)
      3. Designing the encryption solution
        1. Performance effect of encryption operations
        2. Defining the correct number of encryption engines
        3. Connecting the encryption engine
      4. Copy services in the encryption environment
        1. Metro/Global Mirror
      5. External storage virtualization
        1. Thin-provisioned volumes
    8. Chapter 6: Maintenance and troubleshooting
      1. Firmware upgrades
      2. Master key maintenance
        1. Backing up the master key to a file
        2. Backing up the master key to the smart cards
        3. Restoring the master key from a file
        4. Restoring the master key from the smart cards
      3. Configuration upload and download
        1. Uploading the configuration
        2. Configuration download
      4. Adjusting heartbeat signaling values
      5. Removing and replacing the IBM SAN768/384 Encryption Blade
        1. Encryption node removal and replacement in a multinode group
      6. Removing stale rekey information for a LUN
      7. Troubleshooting
        1. Errors when adding a switch to an existing group
        2. Errors related to adding a switch to a new group
        3. LUN policy troubleshooting
    9. Related publications
      1. IBM Redbooks publications
      2. Other publications
      3. Online resources
      4. Help from IBM
    10. Index (1/2)
    11. Index (2/2)
    12. Back cover

Product information

    • Title: Implementing the Storwize V7000 and the IBM System Storage SAN32B-E4 Encryption Switch
    • Author(s): Jon Tate, Stefan Neff, Glen Routley, Denis Senin
    • Release date: February 2012
    • Publisher(s): IBM Redbooks
    • ISBN: None