HP 4400 HP B-series Fabric OS 6.3.2d Release Notes (5697-1105, July 2011) - Page 34



[slot_number/]port_number [16-bit_address] command prior to allowing devices to log in to the switch. Once assigned, the PIDs are maintained across reboots and future Fabric OS upgrades. This issue does not impact switches that do not have Fabric OS 6.3.1a factory installed. Field upgrade to a later version of Fabric OS will not resolve this situation. For environments in which this will be an issue, the specified workaround will need to be implemented until a future version of Fabric OS is factory installed.

• Beginning with Fabric OS 6.2.0, the data collected by SupportSave operations was greatly expanded to include all readable registers within the ASIC. In cases where some registers may be unused and therefore contain invalid data, a CDR-1003 error message would be issued. Fabric OS 6.3.1b and later now reclassify these messages as warnings, rather than critical errors.
• A new command has been introduced in Fabric OS 6.3.2a that allows configuration of the fault delay on individual ports. The command portCfgFaultDelay allows a port to be configured to a 1.2 second fault delay versus the default setting of R_A_TOV.
  • NAME: portCfgFaultDelay - Configures the fault delay for a single FC port.
  • SYNOPSIS: portcfgfaultdelay [slot/]port, mode
  • DESCRIPTION: Use this command to configure the fault delay of an FC port. In the event that the link is noisy after a host power cycle, the switch may go into a soft fault state, which means a delay of R_A_TOV. Setting the mode value to 1 reduces the fault delay value to 1.2 seconds. The configuration is stored in nonvolatile memory and is persistent across switch reboots and power cycles. Use the portCfgShow command to display user-configured fault delay settings.

Encryption behavior

• HP recommends that the encrypted LUN containers be created when all of the nodes/encryption engines (EEs) in the Data Encryption Key (DEK)/High Availability Cluster (HAC) are up and enabled.
• If two Encryption Engines are part of a High Availability Cluster, configure the host/target pair such that they form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE. This connectivity does not give full redundancy in case of EE failure resulting in HAC failover.
• Since the quorum disk plays a vital role in keeping the cluster in sync, configure the quorum disk to be outside of the encryption environment.
• LUN configuration
  • To configure a LUN for encryption:
    • Add the LUN as clear-text to the Crypto Target Container (CTC).
    • When the LUN comes online and the clear-text host I/O starts, modify the LUN from clear-text to encrypted, including the enable_encexistingdata option to convert the LUN from clear-text to encrypted.
  • An exception to this LUN configuration process: If the LUN was previously encrypted by the HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the -encrypt and -lunstate ="encrypted" options.
  • LUN configurations must be committed to take effect. No more than 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations that exceed 25 LUNs will fail with a warning. There is also a five-second delay before the commit operation takes effect.
  • Always ensure that any previously committed LUN configurations or LUN modifications have taken effect before committing additional LUN configurations or additions. All LUNs should be in an Encryption Enabled state before committing additional LUN modifications.
• The cryptocfg -manual_rekey -all command should not be used in environments with multiple encryption engines (encryption blades) installed in a director-class chassis when more
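
The commit rules in the LUN configuration notes above (at most 25 LUNs per commit, a five-second delay, and all earlier LUNs in an Encryption Enabled state before the next commit) can be enforced by a small wrapper around the commit step. This is an added example, not code from HP or from these release notes; the commit and get_states hooks, the LUN names and the exact state string are assumptions standing in for however the switch is actually driven and queried.

```python
import time

MAX_LUNS_PER_COMMIT = 25            # limit stated in the release notes
COMMIT_DELAY_SECONDS = 5            # delay before a commit takes effect
READY_STATE = "Encryption Enabled"  # assumed spelling of the reported LUN state


def plan_commits(luns):
    """Split pending LUN changes into ordered batches of at most 25."""
    return [luns[i:i + MAX_LUNS_PER_COMMIT]
            for i in range(0, len(luns), MAX_LUNS_PER_COMMIT)]


def not_ready(committed, states):
    """LUNs from earlier commits that are not yet in the ready state."""
    return [lun for lun in committed if states.get(lun) != READY_STATE]


def run_commits(luns, commit, get_states, sleep=time.sleep, max_polls=12):
    """Commit batch by batch, gating each commit on the earlier ones.

    commit(batch) and get_states() are hypothetical caller-supplied hooks:
    the first applies one batch, the second returns {lun: state}.
    Returns the number of commits issued.
    """
    committed, issued = [], 0
    for batch in plan_commits(luns):
        for _ in range(max_polls):
            if not not_ready(committed, get_states()):
                break
            sleep(COMMIT_DELAY_SECONDS)
        else:
            stuck = not_ready(committed, get_states())
            raise RuntimeError(f"LUNs still not ready: {stuck}")
        commit(batch)
        sleep(COMMIT_DELAY_SECONDS)  # let the commit take effect
        committed.extend(batch)
        issued += 1
    return issued


if __name__ == "__main__":
    # Constructed sample: 60 LUN names and a fake switch that is ready at once.
    luns = [f"lun-{n}" for n in range(60)]
    fake = {}
    def commit(batch):
        fake.update({lun: READY_STATE for lun in batch})
    print(run_commits(luns, commit, lambda: fake, sleep=lambda s: None))
```

If earlier LUNs never reach the ready state, the wrapper stops with an error instead of issuing the next commit.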