HP 1606 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 196
Do not change LUN configuration while re-keying, Brocade native mode in LKM installations
View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 196 highlights
5 Changing IP addresses in encryption groups Do not change LUN configuration while re-keying Never change the configuration of any LUN that belongs to a Crypto Target Container/LUN configuration while the re-keying process for that LUN is active. If you change the LUN's settings during manual or auto, re-keying or first time encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect. A forced commit command halts all active re-keying progresses running in all Crypto Target Containers and corrupts any LUN engaged in a re-keying operation. There is no recovery for this type of failure. Brocade native mode in LKM installations When using Brocade native mode in LKM installations, manual re-key is highly recommended. If automatic re-key is desired, the key expiry date should be configured only when the LUN is created. Never modify the expiry date after configuring a LUN. If you modify the expiry time after configuring the LUN, the expiration date will not update properly. Recommendation for Host I/O traffic during online rekeying and first time encryption You may see failed I/Os if writes are done to a LUN that is undergoing first time encryption or rekeying. It is recommended that host I/O operations are quiesced and not started again until re-key operations or first time encryption operations for the LUN are complete. Changing IP addresses in encryption groups Generally, when IP addresses are assigned to the Ge0 and Ge1 ports, they should not be changed. If an encryption group member node IP address must be changed, refer to "IP Address change of a node within an encryption group" on page 99. Disabling the encryption engine The disable EE interface command cryptocfg --disableEE [slot no] should be used only during firmware download, and when the encryption and security capabilities of the encryption engine have been compromised. When disabling the encryption capabilities of the encryption engine, be sure the encryption engine is not hosting any CryptoTarget containers. All Cryptotarget containers hosted on the encryption switch or FS8-18 blade must either be removed from the encryption engine, or be moved to different encryption engine in an HA Cluster or encryption group before disabling the encryption and security capabilities. 178 Fabric OS Encryption Administrator's Guide 53-1001864-01