Bloombase Interoperability Program   P1                                                                             © 2012...
Bloombase Interoperability Program      P2                                                                                ...
Bloombase Interoperability Program   P3                                                                                 © ...
Bloombase Interoperability Program     P4                                                                                 ...
Bloombase Interoperability Program   P5                                                               © 2012 Bloombase Tec...
Bloombase Interoperability Program   P6                                                             © 2012 Bloombase Techn...
Bloombase Interoperability Program   P7                          © 2012 Bloombase TechnologiesInfrastructureSetupThe valid...
Bloombase Interoperability Program                                           P8                                           ...
Bloombase Interoperability Program   P9                                                © 2012 Bloombase Technologies  Spee...
Bloombase Interoperability Program   P10                                                            © 2012 Bloombase Techn...
Bloombase Interoperability Program   P11                                                  © 2012 Bloombase TechnologiesCon...
Bloombase Interoperability Program    P12                                                               © 2012 Bloombase T...
Bloombase Interoperability Program   P13                                                               © 2012 Bloombase Te...
Bloombase Interoperability Program   P14                                                             © 2012 Bloombase Tech...
Bloombase Interoperability Program   P15                                                           © 2012 Bloombase Techno...
Bloombase Interoperability Program   P16                                                                 © 2012 Bloombase ...
Bloombase Interoperability Program   P17                                                              © 2012 Bloombase Tec...
Bloombase Interoperability Program   P18   © 2012 Bloombase Technologies
Bloombase Interoperability Program   P19                                                              © 2012 Bloombase Tec...
Bloombase Interoperability Program   P20                                                                 © 2012 Bloombase ...
Bloombase Interoperability Program   P21                                                                 © 2012 Bloombase ...
Bloombase Interoperability Program   P22                                                               © 2012 Bloombase Te...
Bloombase Interoperability Program   P23                               © 2012 Bloombase Technologies  File append – by cha...
Bloombase Interoperability Program   P24                                                             © 2012 Bloombase Tech...
Bloombase Interoperability Program   P25                                                             © 2012 Bloombase Tech...
Bloombase Interoperability Program   P26                                                               © 2012 Bloombase Te...
Bloombase Interoperability Program   P27                                                       © 2012 Bloombase Technologi...
Upcoming SlideShare
Loading in …5
×

Bloombase Spitfire StoreSafe QLogic iSCSI HBA Interoperability

404 views

Published on

Interoperability of Bloombase Spitfire StoreSafe Security Server and QLogic iSCSI-HBAs for Transparent IP-Storage Area Network (SAN) Encryption

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
404
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Bloombase Spitfire StoreSafe QLogic iSCSI HBA Interoperability

  1. 1. Bloombase Interoperability Program P1 © 2012 Bloombase TechnologiesInteroperability of BloombaseSpitfire StoreSafe SecurityServer and QLogic iSCSI-HBAsfor Transparent IP-StorageArea Network (SAN)EncryptionFebruary, 2012Executive SummaryQLogic enterprise grade iSCSI host bus adapters (HBA) are validated by Bloombases interopLab to run with Bloombase Spitfire StoreSafeSecurity Server to secure IP storage area network (SAN) by state-of-the-art encryption. This document describes the steps carried out to testinteroperability of QLogic iSCSI HBAs with Bloombase Spitfire StoreSafe Encryption Server on SpitfireOS running on Intel x86-based serverappliances. Host systems on Microsoft Windows and Red Hat Linux are validated with QLogic iSCSI HBA-powered Bloombase SpitfireStoreSafe Storage Encryption appliances securing EMC VNX/VNXe unified storage system.
  2. 2. Bloombase Interoperability Program P2 © 2012 Bloombase TechnologiesInformation in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations,products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complyingwith all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into aretrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission ofBloombase Technologies.Bloombase Technologies may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except asexpressly provided in any written license agreement from Bloombase Technologies, the furnishing of this document does not give you any license to these patents, trademarks,copyrights, or other intellectual property.This document is the property of Bloombase Technologies. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with BloombaseTechnologies, and neither the document nor any such information may be released without the written consent of Bloombase Technologies.© 2012 Bloombase TechnologiesBloombase, Bloombase Technologies, Spitfire, StoreSafe are either registered trademarks or trademarks of Bloombase Technologies in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.The interoperability tests in this report are carried out at Bloombase interopLab with sponsor from QLogic Corporation.About QLogicQLogic is a leading supplier of high-performance storage networking solutions, which include controller chips, host adapters and fabric switches that are the backbone of storagenetworks for most Global 2000 corporations. The company delivers a broad and diverse portfolio of products that includes Fibre Channel HBAs, blade server embedded Fibre Channelswitches, Fibre Channel stackable switches, iSCSI HBAs, iSCSI routers and storage services platforms for enabling advanced storage management applications. For more information,refer to http://www.qlogic.comDocument No.
  3. 3. Bloombase Interoperability Program P3 © 2012 Bloombase TechnologiesTable of ContentsTable of Contents 3Purpose and Scope 5Assumptions 6Infrastructure 7Setup ............................................................................................................. 7Bloombase Spitfire StoreSafe Storage Encryption Server Appliance .................. 8iSCSI Host Bus Adapters ................................................................................. 8Ethernet Switch .............................................................................................. 9IP Storage Area Network (IP-SAN) ..................................................................... 9Storage Hosts ................................................................................................. 9Configuration Overview 10QLogic iSCSI-HBA .......................................................................................... 10IP SAN Storage .............................................................................................. 12Bloombase Spitfire StoreSafe Security Server ................................................. 12 Encryption Key Configuration ........................................................................... 13 Virtual iSCSI SAN Configuration ........................................................................ 14 Physical iSCSI Storage Target Configuration ...................................................... 15 Encrypted Virtual Storage Provisioning ............................................................. 16
  4. 4. Bloombase Interoperability Program P4 © 2012 Bloombase TechnologiesValidation Tests 19Test Scenarios ............................................................................................... 19 Validation Matrix ............................................................................................. 19 Raw Storage Device Tests ................................................................................. 20 File System Tests ............................................................................................. 20 Application Tests – Oracle Database Server ....................................................... 21Result .......................................................................................................... 22 Raw Storage Device Tests ................................................................................. 22 File System Tests ............................................................................................. 22 Application Tests – Oracle Database ................................................................. 23Conclusion 24Acknowledgement 25Disclaimer 26Technical Reference 27
  5. 5. Bloombase Interoperability Program P5 © 2012 Bloombase TechnologiesPurpose and ScopeThis document describes the steps necessary to integrate QLogic iSCSI-HBAs with Bloombase Spitfire StoreSafe enterprisestorage security server to secure sensitive corporate business data stored at IP-based storage area network (IP-SAN).Specifically, we cover the following topics: ● Preparing Bloombase Spitfire StoreSafe Security appliance(s) with QLogic iSCSI-HBA(s) ● Preparing IP-SAN storage system ● Interoperability testing on host systems including Red Hat Linux and Microsoft Windows
  6. 6. Bloombase Interoperability Program P6 © 2012 Bloombase TechnologiesAssumptionsThis document describes interoperability testing of QLogic powered Bloombase Spitfire StoreSafe Security Server applianceon IP-SAN storage sub-system. Therefore, it is assumed that you are familiar with operation of storage systems and majoroperating systems including Linux, and Microsoft Windows. It is also assumed that you possess basic UNIX administrationskills. The examples provided may require modifications before they are run under your version of UNIX.As QLogic iSCSI-HBA(s) are hardware option to Bloombase Spitfire StoreSafe storage encryption system, you arerecommended to refer to installation and configuration guides of specific model of QLogic iSCSI-HBA for the platform youare going to test on. We assume you have basic knowledge of storage networking and information cryptography. For specifictechnical product information of Spitfire StoreSafe, please refer to our website at http://www.bloombase.com or BloombaseSupPortal http://supportal.bloombase.com
  7. 7. Bloombase Interoperability Program P7 © 2012 Bloombase TechnologiesInfrastructureSetupThe validation testing environment is setup as in below figure
  8. 8. Bloombase Interoperability Program P8 © 2012 Bloombase Technologies Microsoft Windows Red Hat EL5 on IBM Server 2008 on Dell x3650 with QLogic PowerEdge R510 with iSCSI HBA QLogic iSCSI HBA 0 2 4 1 3 5 xSeries 365 Plain text 1 2 3 4 5 6 7 8 ONLINE HP Speed:Green = 1000Mbps, Yellow = 10/100Mbps Duplex:Green = Full Duplex, Yellow = Half Duplex PoE: Green = Delivering Power,Yellow = Fault,Flashing Green = Over Budget 3CR17771-91 Switch 4200G PWR 24-Port SPARE ProLiant 13 1 14 2 15 3 16 4 17 5 18 6 19 7 20 8 21 9 22 10 23 11 24 12 MIRROR DL380G5 PWR POWER POWER PCI SUPPLY SUPPLY 25/11 26/12 27/23 28/24 RISER CAGE RPS Console(19200.8.1.N) Unit Mode DIMMS Green=Speed Yellow=Duplex MOD1 PPM PPM Flashing=PoE MOD2 10/100/1000Base-T 1000Base-X PROC PROC INTER LOCK FANS OVER TEMP HP/ 3Com Baseline UID 1 2 Plus Switch 2928 Bloombase Spitfire StoreSafe on HP Proliant DL380 with QLogic iSCSI HBA 7^&aK Storage data in `@Y4 ciphered form EMC VNX/VNXeBloombase Spitfire StoreSafe Storage EncryptionServer Appliance Server HP Proliant DL380 Processors 2 x Intel Xeon 5600-series quad-core 3.6 GHz Memory 8 GB Operating System Bloombase SpitfireOS 5.5 – Hardened and customized OS based on Linux kernel version 2.6.26 64-bit Storage Encryption Software Bloombase Spitfire StoreSafe Security ServeriSCSI Host Bus Adapters Model QLogic QLA4052C
  9. 9. Bloombase Interoperability Program P9 © 2012 Bloombase Technologies Speed 1 Gbps Interface PCI-XEthernet Switch Model HP / 3com Baseline Plus Switch 2928 Link Speed 1 GbpsIP Storage Area Network (IP-SAN) IP SAN Storage EMC VNX/VNXe Storage Link Speed 1 GbpsStorage Hosts Model Dell PowerEdge R510 IBM x3650 Operating System Microsoft Windows Server 2008 Red Hat EL5 Host Bus Adapter QLogic QLA4052C QLogic QLA4052C
  10. 10. Bloombase Interoperability Program P10 © 2012 Bloombase TechnologiesConfiguration OverviewQLogic iSCSI-HBAQLogic iSCSI-HBAs ● QLogic QLA4052Care installed onto the Intel x86-based appliance running Bloombase SpitfireOS 5.5 and other storage hosts runningWindows Server 2008 and Red Hat Enterprise Linux 5
  11. 11. Bloombase Interoperability Program P11 © 2012 Bloombase TechnologiesConnection to EMC VNX/VNXe from QLogic iSCSI HBA QLA4052C is tested using iscli command-------------------------------------------------------------Program Version: 1.3.00.20 Driver Version: 5.02.15.01.05.07-k0 IC: 2FW Version: 3.0.1.53 Type: CopperCurrent HBA/Port Information: HBA Alias:HBA: 0 Port: 0 HBA Port Index: 1 HBA Model: QLA4052CIP Address: 192.168.10.133 Link: UpPort iSCSI Name: iuserPort iSCSI Alias:-------------------------------------------------------------List target:Target ID: 0 hba_no: 0 IP: 192.168.10.130 Port: 3260 TGT Instance #: 0 ISCSI Name: iqn.1992-05.com.emc:bb000c2938002b0000-1 Alias: State: Session ActiveLun info:Target ID: 0 hba_no: 0 IP: 192.168.10.130 Port: 3260 TGT Instance #: 0 ISCSI Name: iqn.1992-05.com.emc:bb000c2938002b0000-1 Alias: State: Session ActiveNo dynamic targets to display.Enter a Target ID:0Enter a LUN Number[0,1,(ALL)]:0HBA/Target/Lun Number = 0/0/0 Vend = EMC ProdID = VNX ProdRv = 0 LunSize = 24.937 GB
  12. 12. Bloombase Interoperability Program P12 © 2012 Bloombase TechnologiesIP SAN StorageAn iSCSI LUN is created at EMC VNX/VNXe with below parameters Name iscsi01 Capacity 3 TB Redundancy RAID5Bloombase Spitfire StoreSafe Security ServerSpitfire StoreSafe supports both file-based and block-based on-the-fly storage encryption. In this interoperability testexercise, iSCSI block-based encryption is validated with QLogic iSCSI-HBAs.
  13. 13. Bloombase Interoperability Program P13 © 2012 Bloombase TechnologiesEncryption Key ConfigurationGenerate encryption key with name ‘key’ in bundled Spitfire KeyCastle key life-cycle management tool
  14. 14. Bloombase Interoperability Program P14 © 2012 Bloombase TechnologiesVirtual iSCSI SAN ConfigurationBloombase Spitfire StoreSafe block-based virtual storage and physical storage settings are configured as followings.
  15. 15. Bloombase Interoperability Program P15 © 2012 Bloombase TechnologiesPhysical iSCSI Storage Target ConfigurationEMC VNX/VNXe iSCSI storage LUN is provisioned at Bloombase Spitfire StoreSafe Security Server management console.When EMC VNX/VNXe iSCSI LUN is successfully discovered and connected, it will show up on Storage Device list.
  16. 16. Bloombase Interoperability Program P16 © 2012 Bloombase TechnologiesProvision the connected physical EMC VNX/VNXe iSCSI LUN as physical storage resource which will be piped to StoreSafevirtual storage to encrypt its contents.Bloombase Spitfire StoreSafe secures SAN contents block by block. Volumes can be secured one by one by specificcryptographic cipher, bit length, encryption key, etc.Encrypted Virtual Storage ProvisioningVirtual storage namely ‘iqn.2010-04.com.foo:iscsi01’ of type ‘iSCSI’ is created to virtualize physical storage ‘emc-iscsi01’ forapplication transparent bump-in-the-wire encryption protection over iSCSI
  17. 17. Bloombase Interoperability Program P17 © 2012 Bloombase TechnologiesProtection type is specified as ‘Privacy’ and secure the IP SAN LUN using AES-XTS 256-bit encryption with encryption key‘key’iSCSI relies mainly on CHAP authentication for user based access control and network based access control.
  18. 18. Bloombase Interoperability Program P18 © 2012 Bloombase Technologies
  19. 19. Bloombase Interoperability Program P19 © 2012 Bloombase TechnologiesValidation TestsTest ScenariosValidation MatrixValidation tests span across models of QLogic iSCSI-HBAs and ethernet switches, Bloombase Spitfire StoreSafe SecurityServer, appliance hardware platform, and host platform. Test Condition Candidate HBA ● QLogic QLA4052C Ethernet Switch ● HP/3com Baseline Switch 2928 Storage System ● EMC VNX/VNXe Storage Encryption Appliance ● Bloombase Spitfire StoreSafe Security Server on x86-based HP Proliant DL380 Host Server Hardware ● Dell PowerEdge R510 ● IBM x3650
  20. 20. Bloombase Interoperability Program P20 © 2012 Bloombase Technologies Host Operating Systems ● Microsoft Windows Server 2008 ● Red Hat EL 5Raw Storage Device TestsThe following tests are carried out at storage host operating systems to access encrypted IP SAN storage via QLogicpowered Bloombase Spitfire StoreSafe appliances directly Test Description Write disk with zeros Write zeros into encrypted storage target via Bloombase Spitfire StoreSafe, platform equivalence of UNIX’s dd if=/dev/zero of=/dev/sda Read disk to null device Read from encrypted storage target via Bloombase Spitfire StoreSafe, platform equivalence of UNIX’s dd if=/dev/sda of=/dev/null Wipe disk with random data Write random zeros and ones into encrypted storage target, platform equivalence of UNIX’s dd if=/dev/urandom of=/dev/sda iSCSI boot of operating system iSCSI boot of Windows Server 2008 and RHEL 5 via Bloombase Spitfire StoreSafe with actual system disk contents secured and stored at EMC VNX/VNXeFile System TestsThe following tests are carried out at storage hosts to access encrypted iSCSI SAN storage via QLogic powered BloombaseSpitfire StoreSafe appliances via operating system file-systems ● ext3 for Linux ● NTFS for Microsoft Windows ● JFS for IBM AIX ● UFS for Solaris Test Description Directory creation Platform equivalence of UNIXs mkdir Directory rename Platform equivalence of UNIXs mv
  21. 21. Bloombase Interoperability Program P21 © 2012 Bloombase Technologies Directory removal Platform equivalence of UNIXs rm Directory move Platform equivalence of UNIXs mv File creation Platform equivalence of UNIXs echo XXX > File rename Platform equivalence of UNIXs mv File removal Platform equivalence of UNIXs rm File move Platform equivalence of UNIXs mv File append – by character Platform equivalence of UNIXs echo XXX >> File append – by block Platform equivalence of UNIXs echo XXX >> File parameters inquiry Platform equivalence of UNIXs ls *X File permission configurations ● Platform equivalence of UNIXs chmod ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris) Softlink/Symbolic link removal ● Platform equivalence of UNIXs rm ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris) Softlink/Symbolic link move ● Platform equivalence of UNIXs mv ● Valid for UNIX-based storage host systems only (Linux, AIX, HPUX, Solaris)Application Tests – Oracle Database Server Test Remarks Database creation Version equivalence of CREATE DATABASE Schema creation Version equivalence of CREATE TABLE Database record insert Version equivalence of INSERT INTO Database record query Version equivalence of SELECT * FROM Database record update Version equivalence of UPDATE Database record delete Version equivalence of DELETE FROM
  22. 22. Bloombase Interoperability Program P22 © 2012 Bloombase Technologies Index creation Version equivalence of CREATE INDEX Tablespace alteration Version equivalence of ALTER TABLESPACE Redo log creation Automated by Oracle data server, verify by examining Oracle system log Redo log rotation Automated by Oracle data server, verify by examining Oracle system log Archive log creation Automated by Oracle data server, verify by examining Oracle system logResultRaw Storage Device Tests Test Validation Pass Remarks Write disk with zeros  Read disk to null device  Wipe disk with random data  iSCSI operating system boot File System Tests Test Validation Pass Remarks Directory creation  Directory rename  Directory removal  Directory move  File creation  File rename  File removal  File move 
  23. 23. Bloombase Interoperability Program P23 © 2012 Bloombase Technologies File append – by character  File append – by block  File parameters inquiry  File permission configurations  Softlink/Symbolic link removal  Softlink/Symbolic link move Application Tests – Oracle Database Test Validation Pass Remarks Database creation  Schema creation  Database record insert  Database record query  Database record update  Database record delete  Index creation  Tablespace alteration  Redo log creation  Redo log rotation  Archive log creation 
  24. 24. Bloombase Interoperability Program P24 © 2012 Bloombase TechnologiesConclusionQLogic iSCSI-HBAs ● QLogic QLA4052Cpass all Bloombase interopLabs interoperability tests with Bloombase Spitfire StoreSafe enterprise storage encryptionserver Bloombase Product Operating System QLogic iSCSI-HBAs Bloombase Spitfire StoreSafe Security Server Microsoft Windows Server 2008 QLA4052C Red Hat Enterprise Linux 5 QLA4052C 
  25. 25. Bloombase Interoperability Program P25 © 2012 Bloombase TechnologiesAcknowledgementWe would like to thank QLogic Corporation for sponsoring and supporting the iSCSI HBAs used in tests of this technicalreport.
  26. 26. Bloombase Interoperability Program P26 © 2012 Bloombase TechnologiesDisclaimerThe tests described in this paper were conducted in the Bloombase InteropLab. Bloombase has not tested this configurationwith all the combinations of hardware and software options available. There may be significant differences in yourconfiguration that will change the procedures necessary to accomplish the objectives outlined in this paper. If you find thatany of these procedures do not work in your environment, please contact us immediately.
  27. 27. Bloombase Interoperability Program P27 © 2012 Bloombase TechnologiesTechnical Reference 1. Bloombase Spitfire StoreSafe Security Server Technical Specifications, http://www.bloombase.com/content/8936QA88Dh3lD3kYMVKxe1VGb8UG4900eNL8Dj 2. Bloombase Spitfire StoreSafe Security Server Compatibility Matrix, http://www.bloombase.com/content/e8Gzz281s480J2192FF4Btv5HOpb77vLpt1U8V 3. dd for Microsoft Windows, http://software.intel.com/en-us/articles/dd-for-windows/ 4. Oracle database server, www.oracle.com/us/products/database 5. Transaction Processing Performance Council, http://www.tpc.org/tpcc/ 6. QLogic iSCSI HBAs, http://www.qlogic.com/Products/adapters/Pages/iSCSIAdapters.aspx

×