HP 1606 HP StorageWorks Fabric OS 6.3.1c Release Notes (5697-0509 September 2 - Page 46

Initial setup of encrypted LUNs, Configuring the Key Manager for FIPS Compliance - user guide

Get HP 1606 PDF manuals and user guides View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

Link Net Mask : 255.255.240.0 Link MAC Addr : 00:05:1e:53:8a:86 Link MTU : 1500 Link State : UP Media Type : DISK System Card Label : System Card CID : Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • SKM FIPS Mode Enablement FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section. NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs. • SKM dual node cluster - Auto failover considerations: In a dual node SKM cluster configuration with the encryption switch, make sure the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, the configuration for creating new keys cannot be used. In other words, adding new targets or LUNs to the encryption path will not work until both the SKM nodes are available. However, there will not be any issue for retrieving keys or using the existing setup as long as one SKM node is available. The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults is down, the key creation fails because of the hardening check failure. As a result, a new key creation operation will not function. For Key retrieval, this is not the requirement and any one Key Vault being online will get the Key as long as that Key Vault has the Key. Initial setup of encrypted LUNs IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence. 46

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
Link Net Mask
: 255.255.240.0
Link MAC Addr
: 00:05:1e:53:8a:86
Link MTU
: 1500
Link State
: UP
Media Type
: DISK
System Card Label
:
System Card CID
:
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
SKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM user guide,
Configuring the Key Manager for FIPS Compliance
section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during
the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
SKM dual node cluster - Auto failover considerations:
In a dual node SKM cluster configuration with the encryption switch, make sure the two SKM
nodes are always available and online for proper key archival. If one of the SKM nodes fails, the
configuration for creating new keys cannot be used. In other words, adding new targets or LUNs
to the encryption path will not work until both the SKM nodes are available. However, there will
not be any issue for retrieving keys or using the existing setup as long as one SKM node is available.
The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults
in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults
is down, the key creation fails because of the hardening check failure. As a result, a new key
creation operation will not function. For Key retrieval, this is not the requirement and any one Key
Vault being online will get the Key as long as that Key Vault has the Key.
Initial setup of encrypted LUNs
IMPORTANT:
While performing first-time encryption to a LUN with more than one initiator active at the time, rekey
operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence.
46