HP 1606 HP B-series Fabric OS 6.4.1b Release Notes (5697-0886, March 2011-incl - Page 41

Remove the LUN from Crypto Target Container and commit., Method 1

Get HP 1606 PDF manuals and user guides View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 41 highlights

• To clean up the stale rekey information for the LUN, use one of the following methods: ◦ Method 1 1. Modify the LUN policy from encrypt to cleartext and commit. The LUN becomes disabled. 2. Enable the LUN using cryptocfg --enable -LUN. Modify the LUN policy from clear-text to encrypt with enable_encexistingdata to enable the first time encryption and commit. This clears the stale rekey metadata on the LUN and the LUN can be used again for encryption. ◦ Method 2 1. Remove the LUN from Crypto Target Container and commit. 2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt" and enable_encexistingdata set for enabling the First Time Encryption and commit. This clears the stale rekey metadata on the LUN and the LUN can be used again for encryption. • In an environment with a mixed firmware version (Fabric OS 6.2.x + 6.3.x) Encryption Group, the I/O link state reported for Fabric OS 6.2.x nodes is unreachable. During a rolling upgrade from Fabric OS 6.2.0x to 6.3.1x, you should see the I/O link status reported as Unreachable when the cryptocfg -show -loc command is invoked. However, once all the nodes are upgraded to Fabric OS 6.3.1x, the show command accurately reflects the status of the I/O Link. The I/O link status while performing the rolling upgrade from Fabric OS 6.2.x to 6.3.1x can be ignored until all nodes have been upgraded to 6.3.1x. Mace39:root> cryptocfg --show -loc EE Slot: 0 SP state: Online Current Master KeyID: 43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59 Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9 HA Cluster Membership: hac39_115 EE Attributes: Link IP Addr : 10.32.50.36 Link GW IP Addr: 10.32.48.1 Link Net Mask : 255.255.240.0 Link MAC Addr : 00:05:1e:53:8a:86 Link MTU : 1500 Link State : UP Media Type : DISK System Card Label : System Card CID : Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an Enabled state. • When disk and tape CTCs are hosted on the same encryption engine, rekeying cannot be done while tape backup or restore operations are running. Rekeying operations must be scheduled at a time that does not conflict with normal tape I/O operations. The LUNs should not be configured with auto rekey option when single EE has disk and tape CTCs. • For new features added to encryption in Fabric OS 6.4.0, such as, disk device decommissioning, combined disk-tape encryption support on the same encryption engine, and redundant key ID metadata option for replication environments, all the nodes in the encryption group must be running Fabric OS 6.4.0 or higher versions. Firmware downgrade Encryption behavior 41

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
To clean up the stale rekey information for the LUN, use one of the following methods:
Method 1
1.
Modify the LUN policy from
encrypt
to
cleartext
and commit.
The LUN becomes disabled.
2.
Enable the LUN using
cryptocfg --enable
LUN
. Modify the LUN policy from
clear-text
to
encrypt
with
enable_encexistingdata
to enable the first
time encryption and commit.
This clears the stale rekey metadata on the LUN and the LUN can be used again for
encryption.
Method 2
1.
Remove the LUN from Crypto Target Container and commit.
2.
Add the LUN back to the Crypto Target Container with
LUN State=
clear-text
,
policy=
encrypt
and
enable_encexistingdata
set for enabling the First
Time Encryption and commit.
This clears the stale rekey metadata on the LUN and the LUN can be used again for
encryption.
In an environment with a mixed firmware version (Fabric OS 6.2.x + 6.3.x) Encryption Group,
the I/O link state reported for Fabric OS 6.2.x nodes is unreachable. During a rolling upgrade
from Fabric OS 6.2.0x to 6.3.1x, you should see the I/O link status reported as
Unreachable
when the
cryptocfg
show -loc
command is invoked. However, once all the nodes are
upgraded to Fabric OS 6.3.1x, the
show
command accurately reflects the status of the I/O
Link. The I/O link status while performing the rolling upgrade from Fabric OS 6.2.x to 6.3.1x
can be ignored until all nodes have been upgraded to 6.3.1x.
Mace39:root> cryptocfg --show -loc
EE Slot:
0
SP state:
Online
Current Master KeyID:
43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59
Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9
HA Cluster Membership:
hac39_115
EE Attributes:
Link IP Addr
: 10.32.50.36
Link GW IP Addr: 10.32.48.1
Link Net Mask
: 255.255.240.0
Link MAC Addr
: 00:05:1e:53:8a:86
Link MTU
: 1500
Link State
: UP
Media Type
: DISK
System Card Label
:
System Card CID
:
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an
Enabled state.
When disk and tape CTCs are hosted on the same encryption engine, rekeying cannot be
done while tape backup or restore operations are running. Rekeying operations must be
scheduled at a time that does not conflict with normal tape I/O operations. The LUNs should
not be configured with auto rekey option when single EE has disk and tape CTCs.
For new features added to encryption in Fabric OS 6.4.0, such as, disk device
decommissioning, combined disk-tape encryption support on the same encryption engine,
and redundant key ID metadata option for replication environments, all the nodes in the
encryption group must be running Fabric OS 6.4.0 or higher versions. Firmware downgrade
Encryption behavior
41