White Paper
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Cisco Storage Media Encryption Key Migration from
Cisco Key Management Center to RSA Key Manager
What You Will Learn
Cisco® Storage Media Encryption (SME) provides encryption of data at rest for tape drives and
virtual tape libraries. The integrated Cisco Key Management Center (KMC) offers a basic set of key
management features. Additionally, Cisco SME offers an option to use an enterprise-class key
management solution: RSA Key Manager (RKM) for the Data Center.
Customers can start using RKM at the time of Cisco SME installation, or they can choose to deploy
Cisco SME with the integrated Cisco KMC later. If RKM is deployed after Cisco KMC has been
used alone, it is necessary to perform an explicit key migration procedure before using RKM with
Cisco SME.
This document describes the procedure for migrating encryption keys, wrap keys, and encryption
policy information from Cisco KMC to RKM.
Migration Procedure
Follow the step-by-step procedure below to migrate keys from the Cisco KMC to RKM.
The migration procedure differs slightly depending on whether Cisco KMC uses the PostgreSQL
database or the Oracle Express database for the key catalog. The differences are stated
where applicable.
1. Suspend any backup applications and jobs.
The migration procedure temporarily suspends access to keys, so the execution of backup
operations must be suspended until the migration is completed.
2. Back up the key database.
It is a good practice to back up the key database before performing the migration. The backup
procedure should have been previously tested to help ensure the correct restoration of the
keys in case any problems arise during migration.
3. Export all volume group keys in the cluster. Each volume group export will generate a
separate password-protected file.
The password-protected files contain the keys to be imported in RKM.
4. Shut down the Cisco Fabric Manager and consequently the Cisco KMC.
This step prevents any key operation from being performed during migration.
5. Run the appropriate database script from the database administrative console as shown here.
These scripts are packaged on the Cisco Fabric Manager CD, starting with SAN-OS Software
Release 4.1(1).
● Key catalog on PostgreSQL:
  ◦ Script: postgres-kmc-rkm-pre-migrate.sql
● Key catalog on Oracle Express:
  ◦ Script: oracle-kmc-rkm-pre-migrate.sql
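The following pre-flight check is an added example, not part of the Cisco procedure or its tooling. Run before Cisco Fabric Manager is shut down in step 4, it confirms that the step 2 backup still matches the SHA-256 digest recorded when it was taken and that step 3 produced one export file per volume group. The file layout, the .sha256 and .export naming, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco tooling. Assumed layout (hypothetical): the step 2
# backup is one file with its SHA-256 saved beside it as <file>.sha256, and
# each step 3 export is saved as <volume-group>.export in one directory.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Backup must exist, be non-empty, and match the digest recorded at backup time.
check_backup() {
    backup=$1
    [ -s "$backup" ] || { echo "backup missing or empty: $backup" >&2; return 1; }
    [ -s "$backup.sha256" ] || { echo "no recorded digest: $backup" >&2; return 1; }
    recorded=$(awk '{print $1; exit}' "$backup.sha256")
    [ "$recorded" = "$(sha256_of "$backup")" ] ||
        { echo "digest mismatch: $backup" >&2; return 1; }
}

# Every volume group named in LIST (one per line) needs a non-empty export file.
check_exports() {
    list=$1; dir=$2; missing=0
    # "|| [ -n ... ]" keeps the last name when the list lacks a final newline.
    while IFS= read -r group || [ -n "$group" ]; do
        [ -n "$group" ] || continue
        if [ ! -s "$dir/$group.export" ]; then
            echo "no export for volume group: $group" >&2
            missing=$((missing + 1))
        fi
    done < "$list"
    [ "$missing" -eq 0 ]
}

# Succeed only when both the backup and the full set of exports check out.
preflight() {
    check_backup "$1" && check_exports "$2" "$3"
}

# Usage: preflight.sh BACKUP_FILE GROUP_LIST EXPORT_DIR
if [ "$#" -eq 3 ]; then
    preflight "$@" || exit 1
    echo "pre-flight passed"
fi
```

A matching digest shows only that the backup file is unchanged since it was taken; it does not replace the previously tested restore that step 2 calls for.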