HP 1606 HP B-series Fabric OS 6.4.1b Release Notes (5697-0886, March 2011-incl - Page 42
is prevented from Fabric OS 6.4.0 to a lower version if one or more of these features are in use.

• Special notes for HP Data Protector backup/restore application
  ◦ Tape Pool encryption policy specification
    - On Windows Systems, HP Data Protector can be used with tape pool encryption specification only if the following pool label options are used:
        Pick from Barcode
        User Supplied - Only 9 characters or less
      For other options, behavior defaults to Tape LUN encryption policy.
    - On HP-UX systems, HP Data Protector cannot be used with tape pool encryption specification for any of the pool options. The behavior defaults to Tape LUN Encryption Policy.
  ◦ Tape LUN encryption policy specification
    - No restrictions, tape LUN encryption policy specification can be used with HP Data Protector on HP-UX and Windows systems.

• Note that the disk device decommission functionality is not currently supported with SKM.

• SKM FIPS Mode Enablement
  FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section.
  NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs.

• SKM dual node cluster - Auto failover considerations:
  In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both the SKM nodes are available. However, there will not be any issue for retrieving keys or using the existing setup as long as one SKM node is available.
  The encryption switch makes sure that any new KEY is hardened (archived) to both SKM Key Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults is down, the key creation will fail because of the hardening check failure. As a result, the new key creation operation will not function. For Key retrieval, this is not the requirement and any one Key Vault being online will get the Key as long as that Key Vault has the Key.

• Auto rekeying of encrypted disk LUNs may be delayed when an encryption engine reboots or when HAC failover/failback occurs. Should either of these events delay auto rekeying, use the cryptocfg -manual_rekey command to manually start the rekeying of the affected LUNs.