HP 1606 HP StorageWorks Fabric OS 6.3.2b Release Notes (5697-0777, November 20 - Page 34

Add the LUN as clear-text to the Crypto Target Container CTC.

Get HP 1606 PDF manuals and user guides View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 34 highlights

the same EE. This connectivity does not give full redundancy in case of EE failure resulting in HAC failover. • Since the quorum disk plays a vital role in keeping the cluster in sync, configure the quorum disk to be outside of the encryption environment. • LUN configuration • To configure a LUN for encryption: • Add the LUN as clear-text to the Crypto Target Container (CTC). • When the LUN comes online and the clear-text host I/O starts, modify the LUN from cleartext to encrypted, including the enable_encexistingdata option to convert the LUN from clear-text to encrypted. • An exception to this LUN configuration process: If the LUN was previously encrypted by the HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the -encrypt and -lunstate ="encrypted" options. • LUN configurations must be committed to take effect. No more than 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations that exceed 25 LUNs will fail with a warning. There is also a five-second delay before the commit operation takes effect. Always ensure that any previously committed LUN configurations or LUN modifications have taken effect before committing additional LUN configurations or additions. All LUNs should be in an Encryption Enabled state before committing additional LUN modifications. • The cryptocfg -manual_rekey -all command should not be used in environments with multiple encryption engines (encryption blades) installed in a director-class chassis when more than one encryption engine has access to the same LUN. In such situations, use the cryptocfg -manual_rekey command to manually rekey these LUNs. • If an HA Cluster is configured within an Encryption Group with containers configured for auto Failback Mode, the following procedure must be followed when upgrading from Fabric OS 6.2.x to 6.3.2. Note that the following procedure is required only under the above-mentioned conditions. 1. Before the firmware upgrade, change the Failback Mode to manual for all containers configured as auto. Take note of which Encryption Engines currently own which containers. 2. Upgrade all nodes in the Encryption Group to Fabric OS 6.3.2, one node at a time. 3. After all nodes have been successfully upgraded, using the notes taken in step 1, manually invoke the failback of the containers to the correct Encryption Engine using the command cryptocfg -failback -EE [slot num] [slot num]. 4. Once the manual failback completes, change the Failback Mode back to auto from manual, if it was changed in step 1. • Avoid changing the configuration of any LUN that belongs to a CTC/LUN configuration while the rekeying process for that LUN is active. If the user changes the LUN's settings during manual or auto, rekeying or First Time Encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect. A forced commit command halts all active rekeying processes running in all CTCs and corrupts any LUN engaged in a rekeying operation. There is no recovery for this type of failure. • Configuration of crypto targets on HP StorageWorks encryption switches or encryption blades is accomplished in two stages: entering the configuration changes and issuing a commit operation. Previous to Fabric OS 6.3.1a, if the data encryption group (Encryption Group) became incomplete (one or more members became inaccessible due to network problems and the encryption group becomes "degraded") between these two stages, the commit operation was still executed. While this did not result in any issue for the configured host and targets, it could lead to configuration 34

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
the same EE. This connectivity does not give full redundancy in case of EE failure resulting in
HAC failover.
Since the quorum disk plays a vital role in keeping the cluster in sync, configure the quorum
disk to be outside of the encryption environment.
LUN configuration
To configure a LUN for encryption:
Add the LUN as clear-text to the Crypto Target Container (CTC).
When the LUN comes online and the clear-text host I/O starts, modify the LUN from clear-
text to encrypted, including the
enable_encexistingdata
option to convert the LUN
from clear-text to encrypted.
An exception to this LUN configuration process: If the LUN was previously encrypted by the
HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the
–encrypt
and
–lunstate =“encrypted”
options.
LUN configurations must be committed to take effect. No more than 25 LUNs can be added
or modified in a single commit operation. Attempts to commit configurations that exceed 25
LUNs will fail with a warning. There is also a five-second delay before the commit operation
takes effect.
Always ensure that any previously committed LUN configurations or LUN modifications have
taken effect before committing additional LUN configurations or additions. All LUNs should be
in an Encryption Enabled state before committing additional LUN modifications.
The
cryptocfg -manual_rekey -all
command should not be used in environments with
multiple encryption engines (encryption blades) installed in a director-class chassis when more
than one encryption engine has access to the same LUN. In such situations, use the
cryptocfg
-manual_rekey <CTC> <LUN Num> <Initiator PWWN>
command to manually rekey these
LUNs.
If an HA Cluster is configured within an Encryption Group with containers configured for
auto
Failback Mode, the following procedure must be followed when upgrading from Fabric OS 6.2.x
to 6.3.2. Note that the following procedure is required only under the above-mentioned conditions.
1.
Before the firmware upgrade, change the Failback Mode to
manual
for all containers con-
figured as
auto
. Take note of which Encryption Engines currently own which containers.
2.
Upgrade all nodes in the Encryption Group to Fabric OS 6.3.2, one node at a time.
3.
After all nodes have been successfully upgraded, using the notes taken in step 1, manually
invoke the failback of the containers to the correct Encryption Engine using the command
cryptocfg -failback -EE <WWN of hosting node> [slot num] <WWN of
second node in HAC> [slot num]
.
4.
Once the manual failback completes, change the Failback Mode back to
auto
from
manual
,
if it was changed in step 1.
Avoid changing the configuration of any LUN that belongs to a CTC/LUN configuration while the
rekeying process for that LUN is active. If the user changes the LUN
s settings during manual or
auto, rekeying or First Time Encryption, the system reports a warning message stating that the
encryption engine is busy and a forced commit is required for the changes to take effect. A forced
commit command halts all active rekeying processes running in all CTCs and corrupts any LUN
engaged in a rekeying operation. There is no recovery for this type of failure.
Configuration of crypto targets on HP StorageWorks encryption switches or encryption blades is
accomplished in two stages: entering the configuration changes and issuing a commit operation.
Previous to Fabric OS 6.3.1a, if the data encryption group (Encryption Group) became incomplete
(one or more members became inaccessible due to network problems and the encryption group
becomes
degraded
) between these two stages, the commit operation was still executed. While
this did not result in any issue for the configured host and targets, it could lead to configuration
34