HP 1606 HP B-series Fabric OS 6.4.1b Release Notes (5697-0886, March 2011-incl - Page 42

is prevented from Fabric OS 6.4.0 to a lower version if one or more of these features are in use.
• Special notes for HP Data Protector backup/restore application
  ◦ Tape Pool encryption policy specification
    - On Windows systems, HP Data Protector can be used with tape pool encryption policy specification only if one of the following pool label options is used:
      Pick from Barcode
      User Supplied – only 9 characters or less
      For all other options, behavior defaults to the Tape LUN encryption policy.
    - On HP-UX systems, HP Data Protector cannot be used with tape pool encryption policy specification for any of the pool options. The behavior defaults to the Tape LUN encryption policy.
  ◦ Tape LUN encryption policy specification
    - No restrictions: tape LUN encryption policy specification can be used with HP Data Protector on HP-UX and Windows systems.
• Note that the disk device decommission functionality is not currently supported with SKM.
• SKM FIPS Mode Enablement
  FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, “Configuring the Key Manager for FIPS Compliance” section.
  NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
• SKM dual node cluster - Auto failover considerations:
  In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both SKM nodes are available. However, retrieving keys or using the existing setup continues to work as long as one SKM node is available.
  The encryption switch makes sure that any new key is hardened (archived) to both SKM key vaults in the SKM cluster before the key is used for encryption. If one of the SKM vaults is down, key creation fails because the hardening check fails; as a result, no new key can be created. Key retrieval does not have this requirement: any one key vault that is online will return the key, as long as that key vault holds the key.
• Auto rekeying of encrypted disk LUNs may be delayed when an encryption engine reboots or when HAC failover/failback occurs. Should either of these events delay auto rekeying, use the cryptocfg --manual_rekey command to manually start the rekeying of the affected LUNs.
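The FIPS note and the dual node cluster notes above describe three rules that are easy to misread as one: FIPS mode cannot be toggled once keys exist, a new key is usable only after it has been archived to every vault (so one vault being down blocks creation of keys for new targets or LUNs), and retrieval needs only one online vault that holds the key. The following Python model, added here as an illustration and not HP or Brocade code, walks through those rules with a constructed two-node cluster. The class and method names (SkmNode, EncryptionSwitch, create_key, retrieve_key), the key ids and the random key material are all hypothetical; nothing here reflects the real SKM or Fabric OS interface.

```python
"""Toy model of the SKM behaviours stated in these release notes.

Added example, not vendor code. Names and methods are hypothetical; the
only thing taken from the notes is the rule set:
  * FIPS mode cannot be enabled or disabled on a node that already holds keys.
  * A new key is usable only after it is hardened (archived) to every vault
    in the cluster; if any vault is down, creation fails and nothing is kept.
  * Retrieval needs only one online vault that holds the key.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field


class KeyVaultError(Exception):
    """Raised when an operation is refused by one of the rules above."""


@dataclass
class SkmNode:
    """One SKM key vault (hypothetical model of a cluster node)."""
    name: str
    online: bool = True
    fips_mode: bool = False            # disabled by default, as the notes say
    keys: dict[str, bytes] = field(default_factory=dict)

    def set_fips_mode(self, enabled: bool) -> None:
        # Refused once keys exist: do it during initial configuration,
        # before any key sharing with the switch has happened.
        if self.keys:
            raise KeyVaultError(
                f"{self.name}: cannot change FIPS mode while "
                f"{len(self.keys)} key(s) are stored")
        self.fips_mode = enabled

    def archive(self, key_id: str, material: bytes) -> None:
        if not self.online:
            raise KeyVaultError(f"{self.name}: vault offline")
        self.keys[key_id] = material

    def fetch(self, key_id: str) -> bytes | None:
        if not self.online:
            return None
        return self.keys.get(key_id)


@dataclass
class EncryptionSwitch:
    """Model of the encryption switch's key-hardening check."""
    vaults: list[SkmNode]
    usable_keys: dict[str, bytes] = field(default_factory=dict)

    def create_key(self, key_id: str) -> bytes:
        """Generate a key and harden it to every vault before it may be used.

        Fails closed: if any vault is down, no vault keeps a copy and the key
        never becomes usable for encryption.
        """
        down = [v.name for v in self.vaults if not v.online]
        if down:
            raise KeyVaultError(f"hardening check failed, vault(s) down: {down}")
        material = os.urandom(32)   # constructed stand-in for a data-encryption key
        for v in self.vaults:
            v.archive(key_id, material)
        self.usable_keys[key_id] = material
        return material

    def retrieve_key(self, key_id: str) -> bytes:
        """Any single online vault that holds the key is sufficient."""
        for v in self.vaults:
            material = v.fetch(key_id)
            if material is not None:
                return material
        raise KeyVaultError(f"{key_id}: no online vault holds this key")


def run_scenario() -> dict[str, bool]:
    """Exercise the rules in the order an operator would hit them."""
    a, b = SkmNode("skm-a"), SkmNode("skm-b")
    a.set_fips_mode(True)              # allowed: no keys yet
    b.set_fips_mode(True)
    switch = EncryptionSwitch([a, b])

    switch.create_key("lun-0001")      # both vaults online: hardened to both
    fips_toggle_refused = False
    try:
        a.set_fips_mode(False)         # refused: keys are now present
    except KeyVaultError:
        fips_toggle_refused = True

    b.online = False                   # one node fails
    create_refused = False
    try:
        switch.create_key("lun-0002")  # new LUN cannot get a key
    except KeyVaultError:
        create_refused = True
    existing_still_readable = switch.retrieve_key("lun-0001") == a.keys["lun-0001"]
    no_partial_copy = "lun-0002" not in a.keys and "lun-0002" not in switch.usable_keys

    b.online = True                    # node back: creation works again
    switch.create_key("lun-0002")
    create_after_recovery = a.fetch("lun-0002") is not None and a.fetch("lun-0002") == b.fetch("lun-0002")
    return {
        "fips_toggle_refused": fips_toggle_refused,
        "create_refused": create_refused,
        "existing_still_readable": existing_still_readable,
        "no_partial_copy": no_partial_copy,
        "create_after_recovery": create_after_recovery,
    }


if __name__ == "__main__":
    for rule, held in run_scenario().items():
        print(f"{rule}: {'ok' if held else 'VIOLATED'}")
```

The point of the fail-closed check in create_key is the one the notes make: because the switch refuses to use a key that is not archived on both nodes, losing one node degrades new-target provisioning but never leaves a LUN encrypted under a key that only one vault has.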