HP 1606 HP StorageWorks Fabric OS 6.3.2b Release Notes (5697-0777, November 20 - Page 38

Configuring the Key Manager for FIPS Compliance, SKM FIPS Mode Enablement

Get HP 1606 PDF manuals and user guides View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 38 highlights

This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption. • In an environment with a mixed firmware version (Fabric OS 6.2.x + 6.3.x) Encryption Group, the I/O link state reported for Fabric OS 6.2.x nodes is unreachable. During a rolling upgrade from Fabric OS 6.2.0x to 6.3.2, you should see the I/O link status reported as Unreachable when the cryptocfg -show -loc command is invoked. However, once all the nodes are upgraded to Fabric OS 6.3.2, the show command will accurately reflect the status of the I/O Link. The I/O link status while performing the rolling upgrade from Fabric OS 6.2.x to 6.3.2 can be ignored until all nodes have been upgraded to 6.3.2. Mace39:root> cryptocfg --show -loc EE Slot: 0 SP state: Online Current Master KeyID: 43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59 Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9 HA Cluster Membership: hac39_115 EE Attributes: Link IP Addr : 10.32.50.36 Link GW IP Addr: 10.32.48.1 Link Net Mask : 255.255.240.0 Link MAC Addr : 00:05:1e:53:8a:86 Link MTU : 1500 Link State : UP Media Type : DISK System Card Label : System Card CID : Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • SKM FIPS Mode Enablement FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section. NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs. • SKM dual node cluster - Auto failover considerations: In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both the SKM nodes are available. However, there will not be any issue for retrieving keys or using the existing setup as long as one SKM node is available. The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults is down, the key creation fails because of the hardening check failure. As a result, the new key 38

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
This will clear the stale rekey metadata on the LUN and the LUN can be used again for
encryption.
In an environment with a mixed firmware version (Fabric OS 6.2.x + 6.3.x) Encryption Group,
the I/O link state reported for Fabric OS 6.2.x nodes is unreachable. During a rolling upgrade
from Fabric OS 6.2.0x to 6.3.2, you should see the I/O link status reported as
Unreachable
when the
cryptocfg –show -loc
command is invoked. However, once all the nodes are up-
graded to Fabric OS 6.3.2, the show command will accurately reflect the status of the I/O Link.
The I/O link status while performing the rolling upgrade from Fabric OS 6.2.x to 6.3.2 can be
ignored until all nodes have been upgraded to 6.3.2.
Mace39:root> cryptocfg --show -loc
EE Slot:
0
SP state:
Online
Current Master KeyID:
43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59
Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9
HA Cluster Membership:
hac39_115
EE Attributes:
Link IP Addr
: 10.32.50.36
Link GW IP Addr: 10.32.48.1
Link Net Mask
: 255.255.240.0
Link MAC Addr
: 00:05:1e:53:8a:86
Link MTU
: 1500
Link State
: UP
Media Type
: DISK
System Card Label
:
System Card CID
:
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
SKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM user guide,
Configuring the Key Manager for FIPS Compliance
section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during
the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
SKM dual node cluster - Auto failover considerations:
In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM
nodes are always available and online for proper key archival. If one of the SKM nodes fails, you
cannot use the configuration to create new keys. In other words, adding new targets or LUNs to
the encryption path will not work until both the SKM nodes are available. However, there will not
be any issue for retrieving keys or using the existing setup as long as one SKM node is available.
The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults
in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults
is down, the key creation fails because of the hardening check failure. As a result, the new key
38