Cisco 9134 - MDS Multilayer Fabric Switch Manual - Page 4

Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide (OL-29289-01)
Chapter 1: Storage Media Encryption Overview, page 1-4

About SME

At the advanced security level, a quorum of SME Recovery Officers is required to perform recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to unlock the master key.

For additional information on SME Administrator and SME Recovery Officer roles, see the "Creating and Assigning SME Roles and SME Users" section on page 2-32.

Key Management

Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.

Key management features include the following:
- Master key resides in password protected file or in smart cards.
  - If the cluster security mode is set to Basic, the master key resides in the password protected file.
  - If the cluster security mode is set to Standard, the master key resides in only one smart card. And the same smart card is required to recover the master key.
  - If the cluster security mode is set to Advanced, the master key resides in multiple smart cards. Quorum (2 out of 3 or 2 out of 5 or 3 out of 5) of smart cards are required to recover the master key based on the user selection.
- Unique key per tape for an SME tape cluster.
- Unique key per LUN for an SME disk cluster.
- Keys reside in clear-text only inside a FIPS boundary.
- Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC.
- Disk keys are wrapped by the cluster master key and deactivated in the CKMC.
- Option to store tape keys on tape media.

The centralized key lifecycle management includes the following:
- Archive, shred, recover, and distribute media keys.
- Integrated into DCNM-SAN.
- Secure transport of keys.
- End-to-end key management using HTTPS/SSL/SSH.
- Access controls and accounting.
- Use of existing AAA mechanisms.

The Cisco KMC provides dedicated key management for SME, with support for single and multisite deployments. The Cisco KMC performs key management operations.

The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements.

Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management. This separation provides robustness to the KMC and also supports the SME deployments in different locations sharing the same Cisco KMC.

Figure 1-2 shows how Cisco KMC is separated from DCNM-SAN for a multisite deployment.