Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 214

TABLE 10, General encryption troubleshooting I, General errors and conditions

Add to My Manuals
Save this manual to your list of manuals

Page 214 highlights

6 General encryption troubleshooting I TABLE 10 Problem General errors and conditions Resolution LUN state for some LUNS remains in "initialize" state on the passive path. This is expected behavior. The LUNs exposed through Passive paths of the target array will be in either Initialize or LUN Discovery Complete state so long as the paths remain n passive condition. When the passive path becomes active, the LUN changes to Encryption Enabled. Use the --show -LUN command with the -stat option to check the LUN state. A backup fails because the LUN is always in the initialize state for the tape container. Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data. You rewind the tape, erase the tape, relabel the tape, and start a backup from the start of the tape. When the first command comes from the host, the key vault is queried for the tape media based on the media serial number. Since this tape media was used previously, the key is already present in the key vault for this media serial number but this key is encrypted with the old master key and that master key is not present in the switch. You cannot create a new key for this tape media because, per policy, there can be only one key per media. Use one of two resolutions: • Load the old master key on the switch at an alternate location. The key for the tape media can then be decrypted. • Delete the key for the tape media from the key vault. This forces the switch to create a new key for the tape media. Until you start the backup, the LUN remains in "initialize" state. "Invalid certificate" error message received when doing a KAC certificate exchange between the Brocade Encryption Switch and a key management system appliance. This error is due to the Brocade Encryption Switch time being ahead of the appliance time. Use one of two resolutions: • Change the appliance time to match the start period of the KAC certificate. • Change the Brocade Encryption Switch time to synchronize with the appliance time. Upon completion, regenerate the KAC certificate and then do another KAC certificate exchange with the appliance. "Temporarily out of resources" message received during re-key or first time encryption. Re-key or first time encryption sessions are pending due to resource unavailability. A maximum of twelve sessions including rekey (manual or auto) and first time encryption sessions are supported per encryption switch or blade and two sessions per target. The system checks once every hour to determine, if there are any re-key or first time encryption sessions pending. If resources are available, the next session in the queue is processed. There may be up to an hour lag before the next session in the queue is processed. It is therefore recommended that you do not schedule more than 12 re-key or first time encryption sessions. HA cluster creation fails with error, Create HA cluster status: The IO link IP address of the EE (online) is not configured, even though both the addresses are set and accessible. The IP addresses for the I/O link ports should be configured before enabling the EE. Failure to do so results in unsuccessful HA Cluster creation. If the IP addresses for these ports were configured after the EE is enabled, reboot the encryption switch or slotpoweroff/slotpoweron the encryption blade to sync up the IP address information to the EE. Re-keying fails with error "Disabled (Key not in sync)". cryptocfg --commit fails with message "Default zone set to all access at one of nodes in EG." Re-keying was started on a remote EE but the local EE is not capable of starting re-key because the key returned from key vault does not match with the Key ID used by remote EE. You will need to re-enable the LUN after the keys are synced between two key vaults properly using the needs to cryptocfg --discoverLUN command. Default zoning must be set to no access. 196 Fabric OS Encryption Administrator's Guide 53-1001864-01

Section	Page
Contents	5
About This Document	13
In this chapter	13
How this document is organized	13
Supported hardware and software	14
What’s new in this document	14
Document conventions	14
Text formatting	14
Command syntax conventions	14
Notes, cautions, and warnings	15
Key terms	15
Notice to the reader	16
Additional information	16
Brocade resources	16
Other industry resources	16
Getting technical help	17
Document feedback	18
Encryption overview	19
In this chapter	19
Host and LUN considerations	19
Terminology	20
The Brocade encryption switch	22
The FS8-18 blade	23
Performance licensing	23
Adding a license	23
Licensing best practices	23
Recommendation for connectivity	24
Usage limitations	24
Brocade encryption solution overview	25
Data flow from server to storage	26
Data encryption key life cycle management	27
Key management systems	29
Master key management	29
Master key generation	29
Master key backup	29
Support for Virtual Fabrics	30
Encryption configuration using the Management application	31
In this chapter	31
Encryption Center features	32
Encryption user privileges	33
Smart card usage	34
Registering authentication cards from a card reader	34
Registering authentication cards from the database	35
De-registering an authentication card	36
Using authentication cards	36
Enabling or disabling the system card requirement	37
Registering system cards from a card reader	37
De-registering a system card	38
Tracking smart cards	38
Editing smart cards	39
Network connections	40
Configuring blade processor links	40
Encryption node initialization and certificate generation	41
Steps for connecting to an SKM appliance	42
Configuring a Brocade group on SKM	43
Registering the SKM Brocade group user name and password	44
Setting up the local Certificate Authority (CA) on SKM	45
Downloading the local CA certificate from SKM	46
Creating and installing the SKM server certificate	46
Enabling SSL on the Key Management System (KMS) Server	47
Creating an SKM High Availability cluster	48
Copying the local CA certificate for a clustered SKM appliance	48
Adding SKM appliances to the cluster	49
Signing the Brocade encryption node KAC certificates	50
Importing a signed KAC certificate into a switch	50
Gathering information	51
Creating a new encryption group	52
Adding a switch to an encryption group	59
Replacing an encryption engine in an encryption group	63
Creating high availability (HA) clusters	64
Removing engines from an HA cluster	65
Swapping engines in an HA cluster	66
Failback option	66
Invoking failback	66
Adding encryption targets	67
Configuring hosts for encryption targets	74
Adding target disk LUNs for encryption	75
Adding Target Tape LUNs for encryption	77
Re-balancing the encryption engine	78
Master keys	79
Active master key	79
Alternate master key	79
Master key actions	79
Reasons master keys can be disabled	80
Saving the master key to a file	80
Saving a master key to a key vault	82
Saving a master key to a smart card set	83
Restoring a master key from a file	85
Restoring a master key from a key vault	86
Restoring a master key from a smart card set	87
Creating a new master key	88
Zeroizing an encryption engine	89
Encryption Targets dialog box	90
Disk device decommissioning	93
Decommissioning LUNs	93
Displaying and deleting decommissioned key IDs	94
Viewing and editing switch encryption properties	94
Exporting the public key certificate signing request (CSR) from Properties	97
Importing a signed public key certificate from Properties	97
Enabling the encryption engine state from Properties	98
Disabling the encryption engine state from Properties	98
Viewing and editing group properties	98
General tab	99
Members tab	100
Consequences of removing an encryption switch	101
Security tab	103
HA Clusters tab	104
Engine Operations tab	104
Tape Pools tab	105
Encryption-related acronyms in log messages	107
Configuring Brocade encryption using the CLI	109
In this chapter	109
Overview	109
Command validation checks	110
Command RBAC permissions and AD types	111
Cryptocfg Help command output	114
Management LAN configuration	115
Configuring cluster links	116
Special consideration for blades	116
IP Address change of a node within an encryption group	117
Steps for connecting to an SKM appliance	118
Configuring a Brocade group	118
Setting up the local Certificate Authority (CA)	118
Downloading the local CA certificate	120
Creating and installing the SKM server certificate	120
Enabling SSL on the Key Management System (KMS) Server	121
Creating an SKM High Availability cluster	122
Copying the local CA certificate	122
Adding SKM appliances to the cluster	123
Initializing the Brocade encryption engines	124
Registering the SKM Brocade group user name and password	125
Signing the Brocade encryption node KAC certificates	126
Registering SKM on a Brocade encryption group leader	127
Generating and backing up the master key	129
High Availability (HA) cluster configuration	131
HA cluster configuration rules	131
Creating an HA cluster	131
Adding an encryption engine to an HA cluster	132
Failover/failback policy configuration	133
Enabling the encryption engine	134
Checking encryption engine status	134
Zoning considerations	135
Setting default zoning to no access	135
Frame redirection zoning	136
Creating an initiator - target zone	136
CryptoTarget container configuration	139
LUN re-balancing when hosting both disk and tape	140
Creating a CryptoTarget container	141
Removing an initiator from a CryptoTarget container	143
Deleting a CryptoTarget container	143
Moving a CryptoTarget container	144
Crypto LUN configuration	145
Discovering a LUN	145
Configuring a Crypto LUN	146
Crypto LUN parameters and policies	147
Configuring a tape LUN	149
Modify example	150
Removing a LUN from a CryptoTarget container	151
Modifying Crypto LUN parameters	152
LUN modification considerations	152
Impact of tape LUN configuration changes	153
Force-enabling a disabled disk LUN for encryption	153
Decommissioning LUNs	153
Tape pool configuration	155
Tape pool labeling	155
Creating a tape pool	157
Deleting a tape pool	158
Modifying a tape pool	158
Impact of tape pool configuration changes	158
Configuring a multi-path Crypto LUN	159
Multi-path LUN configuration example	159
First time encryption	163
Resource allocation	163
First time encryption modes	163
Configuring a LUN for first time encryption	163
Data re-keying	164
Resource Allocation	164
Re-keying modes	164
Configuring a LUN for automatic re-keying	165
Initiating a manual re-key session	166
Suspension and resumption of re-keying operations	167
Deployment Scenarios	169
In this chapter	169
Single encryption switch, two paths from host to target	170
Single fabric deployment - HA cluster	171
Single fabric deployment - DEK cluster	172
Dual fabric deployment - HA and DEK cluster	173
Multiple paths, one DEK cluster, and two HA clusters	174
Multiple paths, DEK cluster, no HA cluster	176
Deployment in Fibre Channel routed fabrics	177
Deployment as part of an edge fabric	179
Deployment with FCIP extension switches	180
VmWare ESX server deployments	181
Best Practices and Special Topics	183
In this chapter	183
Firmware download considerations	184
Firmware Upgrades and Downgrades	184
Specific guidelines for HA clusters	185
Configuration upload and download considerations	186
Configuration Upload at an encryption group leader node	186
Configuration upload at an encryption group member node	186
Information not included in an upload	186
Steps before configuration download	187
Configuration download at the encryption group leader	187
Configuration download at an encryption group member	187
Steps after configuration download	188
HP-UX considerations	189
Enable of a disabled LUN	189
Disk metadata	189
Tape metadata	189
Tape data compression	190
Tape pools	190
Tape block zero handling	190
Tape key expiry	191
DF compatibility for tapes	191
DF compatibility for disk LUNs	191
Configuring CryptoTarget containers and LUNs	192
Redirection zones	193
Deployment with Admin Domains (AD)	193
Master key usage	193
Do not use DHCP for IP interfaces	193
Ensure uniform licensing in HA clusters	193
Tape library media changer considerations	194
Turn off host-based encryption	194
Avoid double encryption	194
PID failover	194
Turn off compression on extension switches	194
Re-keying best practices and policies	195
Manual re-key	195
Latency in re-key operations	195
Allow re-key to complete before deleting a container	195
Re-key operations and firmware upgrades	195
Do not change LUN configuration while re-keying	196
Brocade native mode in LKM installations	196
Recommendation for Host I/O traffic during online rekeying and first time encryption	196
Changing IP addresses in encryption groups	196
Disabling the encryption engine	196
Recommendations for Initiator Fan-Ins	197
Best practices for host clusters in an encryption environment	198
HA Cluster Deployment Considerations and Best Practices	198
Maintenance and Troubleshooting	199
In this Chapter	199
Encryption group and HA cluster maintenance	199
Removing a node from an encryption group	199
Deleting an encryption group	201
Removing an HA cluster member	202
Displaying the HA cluster configuration	202
Replacing an HA cluster member	203
Deleting an HA cluster member	206
Performing a manual failback of an encryption engine	206
Encryption group merge and split use cases	207
Configuration impact of encryption group split or node isolation	212
General encryption troubleshooting I	213
Troubleshooting examples using the CLI	216
Encryption Enabled Crypto Target LUN	216
Encryption Disabled Crypto Target LUN	217
Management application encryption wizard troubleshooting	218
Errors related to adding a switch to an existing group	218
Errors related to adding a switch to a new group	219
General errors related to the Configure Switch Encryption wizard	221
LUN policy troubleshooting	222
Loss of encryption group leader after power outage	223
MPIO and internal LUN states	224
Suspension and resumption of re-keying operations	224
State and Status Information	227
In this appendix	227
Encryption engine security processor (SP) states	227
Security processor KEK status	228
Encrypted LUN states	228
LUN Policies	233
In this appendix	233
DF-compatibility support for disk LUNs	233
DF-compatibility support for tape LUNs	237
NS-Based Transparent Frame Redirection	239

Match case Limit results 1 per page

196

Fabric OS Encryption Administrator’s Guide

53-1001864-01

General encryption troubleshooting I

LUN state for some LUNS remains in "initialize" state on the

passive path.

This is expected behavior. The LUNs exposed through Passive paths of the

target array will be in either Initialize or LUN Discovery Complete state so long

as the paths remain n passive condition. When the passive path becomes

active, the LUN changes to Encryption Enabled. Use the

show -LUN

command with the

-stat

option to check the LUN state.

A backup fails because the LUN is always in the initialize

state for the tape container.

Tape media is encrypted and gets a key which is archived in

the key vault. The key is encrypted with a master key. At a

later point in time you generate a new master key. You

decide to use this tape media to back up other data. You

rewind the tape, erase the tape, relabel the tape, and start

a backup from the start of the tape. When the first

command comes from the host, the key vault is queried for

the tape media based on the media serial number. Since

this tape media was used previously, the key is already

present in the key vault for this media serial number but

this key is encrypted with the old master key and that

master key is not present in the switch. You cannot create a

new key for this tape media because, per policy, there can

be only one key per media.

Use one of two resolutions:

•

Load the old master key on the switch at an alternate location. The key

for the tape media can then be decrypted.

•

Delete the key for the tape media from the key vault. This forces the

switch to create a new key for the tape media.

Until you start the backup, the LUN remains in “initialize” state.

“Invalid certificate” error message received when doing a

KAC certificate exchange between the Brocade Encryption

Switch and a key management system appliance. This

error is due to the Brocade Encryption Switch time being

ahead of the appliance time.

Use one of two resolutions:

•

Change the appliance time to match the start period of the KAC

certificate.

•

Change the Brocade Encryption Switch time to synchronize with the

appliance time.

Upon completion, regenerate the KAC certificate and then do another KAC

certificate exchange with the appliance.

“Temporarily out of resources” message received during

re-key or first time encryption.

Re-key or first time encryption sessions are pending due to resource

unavailability. A maximum of twelve sessions including rekey (manual or auto)

and first time encryption sessions are supported per encryption switch or

blade and two sessions per target. The system checks once every hour to

determine, if there are any re-key or first time encryption sessions pending. If

resources are available, the next session in the queue is processed. There

may be up to an hour lag before the next session in the queue is processed. It

is therefore recommended that you do not schedule more than 12 re-key or

first time encryption sessions.

HA cluster creation fails with error, Create HA cluster

status: The IO link IP address of the EE (online) is not

configured, even though both the addresses are set and

accessible.

The IP addresses for the I/O link ports should be configured before enabling

the EE. Failure to do so results in unsuccessful HA Cluster creation. If the IP

addresses for these ports were configured after the EE is enabled, reboot the

encryption switch or slotpoweroff/slotpoweron the encryption blade to sync

up the IP address information to the EE.

Re-keying fails with error “Disabled (Key not in sync)”.

Re-keying was started on a remote EE but the local EE is not capable of

starting re-key because the key returned from key vault does not match with

the Key ID used by remote EE. You will need to re-enable the LUN after the

keys are synced between two key vaults properly using the needs to

cryptocfg

--discoverLUN <Container Name>

command.

cryptocfg

commit

fails with message “Default zone set

to all access at one of nodes in EG.”

Default zoning must be set to no access.

TABLE 10

General errors and conditions

Problem

Resolution