HP 4400 HP B-series Fabric OS 7.0.0a Release Notes (5697-0881, June 2011) - Page 42

There is no outstanding zoning transaction

•

Each LUN is uniquely identified by the HP Encryption Switch or HP Encryption Blade using the

LUN serial number. The LUN serial numbers must be unique for LUNs exposed from the same

target port. The LUN serial numbers must also be unique for LUNs belonging to different target

ports in nonmultipathing configurations. Failure to ensure unique LUN serial numbers results in

nondeterministic behavior and may result in faulting of the HP Encryption Switch or HP Encryption

Blade.

•

When creating an HA cluster or EG with two or more HP Encryption Switch/Encryption Blades,

the GE ports (I/O sync links) must be configured with an IP address for the

eth0

and

eth1

Ethernet

interfaces using

ipaddrset

. In addition, the

eth0

and

eth1

Ethernet ports should be connected

to the network for redundancy. These I/O sync links connections must be established before any

Re-Key, First Time Encryption, or enabling EE for crypto operations. Failure to do so results in HA

Cluster creation failure. If the IP address for these ports is configured after the EE was enabled for

encryption, HP Encryption Switch needs to be rebooted and Encryption Blades should be

slot-

poweroff

/

slotpoweron

to sync up the IP address information to the EEs. If only one Ethernet

port is configured and connected to a network, data loss or suspension of Re-Key may occur when

the network connection toggles or fails.

•

initEE

removes the existing master key or link key. Backup the master key by running

cryptocfg

–exportmasterkey

and

cryptocfg –export –currentMK

before running

initEE

. After

initEE

,

regEE

and

enableEE

, run

cryptocfg –recovermasterkey

to recover the master

key previously backed up, or in the case of fresh install run

cryptocfg – genmasterkey

to

generate a new master key. If you are using SKM/ESKM, establish a trusted link with SKM/ESKM

again. Certificate exchange between key vaults and switches are not required in this case.

•

The disable EE interface CLI

cryptocfg --disableEE [slot no]

should be used only to

disable encryption and security capabilities of the EE from the Fabric OS Security Admin in the

event of a security compromise. When disabling the encryption capabilities of the EE using the

noted commands, the EE should not be hosting any CTCs. Ensure that all CTCs hosted on the HP

Encryption Switch or HP Encryption Blade are either removed or moved to a different EE in the

HA Cluster or EG before disabling the encryption and security capabilities.

•

Whenever

initNode

is performed, new certificates for CP and KAC (SKM/ESKM) are generated.

Hence, each time

InitNode

is performed, the new KAC Certificate must be exported and signed

by SKM/ESKM. Without this step, errors occur, such as key vault not responding and ultimately

key archival and retrieval problems.

•

The HTTP server should be listening to port 9443. SKM/ESKM is supported only when configured

to port 9443.

•

Configuring a Brocade group on SKM/ESKM: As described in the

Fabric OS Encryption Admin-

istrator's Guide

, a Brocade group needs to be configured on SKM/ESKM (under Local Users and

Groups) for managing all keys generated by Brocade encryption switches and blades. It is important

to note that the name for this group is case sensitive and must be

“

brocade,

”

not

“

Brocade.

”

•

The

–key_lifespan

option has no effect for

cryptocfg –add –LUN

, and only has an effect

for

cryptocfg --create –tapepool

for tape pools declared

-encryption_format

native

. For all other encryption cases, a new key is generated each time a medium is rewound

and block zero is written or overwritten. For the same reason, the

Key Life

field in the output of

cryptocfg --show -container -all –stat

should always be ignored, and the

Key Life

field in

cryptocfg --show –tapepool –cfg

is significant only for native-encrypted pools.

•

In a DC SAN Director or DC04 SAN Director with Fabric OS 6.3.1x and DC Switch encryption

FC blades installed, you must set the quorum size to zero and disable the system card on the blade

prior to downgrading to a Fabric OS version earlier than 6.3.0.

•

The System Card feature requires DCFM 10.3.0 or later or HP Network Advisor. Note that all

nodes in the EG must be running Fabric OS 6.3.0 or later for system verification to be properly

supported.

42

Section	Page
HP B-series Fabric OS 7.0.0a Release Notes	1
Version	3
Description	3
Update recommendation	5
Supersedes	6
New features	6
In-flight Encryption and Compression on 16 Gbps capable ISLs	6
Buffer Credit Loss Detection and Automatic Recovery on 16 Gbps capable ISLs	6
10 Gbps FC Capability on 16 Gbps FC Platforms	6
Advanced Diagnostics Support on 16 Gbps FC Platforms	7
Dynamic Fabric Provisioning - Fabric Assigned WWN	7
FCIP Enhancements	7
Configurable QoS on FCIP tunnel	8
Auto-mode option for compression	8
XISL Support ON HP DC SAN Director Multiprotocol Extension Blade – Ability to use VE ports as XISLs	8
InBand Management on HP DC SAN Director Multiprotocol Extension Blade and HP 1606 SAN Extension Switch	8
Relaxing subnet restrictions	9
GigE/xGigE port sharing across Logical Switches	9
Increase in number of circuits on 1 GE ports	9
Encryption Platform Enhancements (HP StorageWorks Encryption SAN Switch / HP StorageWorks DC Switch Encryption FC Blade)	9
Access Gateway Enhancements	9
Detection of Unreliable N_Port Links	9
RADIUS/LDAP support	9
APM (Advanced Performance Monitoring) End to End and Frame Monitoring capability	10
F_Port Static Mapping	10
Fabric Watch Enhancements	10
Switch Status Policy enhancements	10
Support for multiple email recipients for Fabric Watch Events	10
Advanced SFP monitoring based on SFP type	10
SFP monitored as a FRU (Field Replaceable Unit)	11
Additional Fabric Watch Enhancements	11
Advanced Performance Monitoring (APM) Enhancements	11
Coexistence of TopTalkers and FCR on 16 Gbps platforms	11
E_Port TopTalkers support and E_Port End to End monitors support on 16 Gbps platforms	12
Security Enhancements	12
User defined roles/RBAC	12
Switch banner support	12
Removing support for Brocade certificates for FCAP authentication	12
SSH authentication using public keys	12
SFTP support for firmwaredownload, configupload and configdownload	12
IPv6 support for LDAP authentication	12
Fabric Services Enhancements and Updates	12
Allow a switch with default zone “no access” to merge with a fabric	12
Duplicate WWN detection and resolution	13
RASlog upon detecting Invalid TI zones	13
Ability to assign names to logical fabrics	13
No direct E_Port support with legacy M-series (McDATA) switch	13
Additional RAS and Diagnostics Enhancements	13
Spinfab enhancements	13
Frame Viewer	13
Port Decommission	13
Firmware History Log	14
Ability to assign longer port names	14
Fabric OS version in Auditlog message header	14
FCoE Enhancements	14
Optionally licensed software	14
Temporary license support	16
Standards compliance	17
New hardware support	17
Supported product models	17
Unsupported product models	18
Devices supported	18
Operating systems	18
Access Gateway support	18
Access Gateway support in non-Brocade fabrics	20
Zoning and fabric operations	21
Prerequisites	21
DC SAN Backbone and DC04 SAN Director blade support	24
Power supply requirements for Director blades	25
Fibre Channel Routing scalability	27
Important notes and recommendations	27
HP Network Advisor compatibility	27
DCFM Compatibility	28
Fabric OS compatibility	28
Web Tools compatibility	28
SMI compatibility	28
Other recommendations	28
Adaptive Networking/flow-based QoS prioritization	28
Access Gateway device-based mapping in ESX environments	29
Brocade HBA/Adapter Compatibility	29
D_Port	29
Encryption Behavior for the HP StorageWorks Encryption SAN Switch and HP StorageWorks DC Switch Encryption FC Blade	29
FCIP (HP DC SAN Director Multiprotocol Extension Blade, HP 1606 SAN Extension Switch and HP StorageWorks B-series Multi-protocol Router Blade)	32
FCoE/CEE (HP 2408 24-10 GbE w/8-8 Gbps FC Base FCoE Switch and HP DC SAN Director 10/24 FCoE Blade)	33
FCR and Integrated Routing	36
FICON	36
FL_Port (Loop) Support	36
ICLs on HP StorageWorks DC SAN Backbone Director Switch /HP StorageWorks DC04 SAN Director Switch	36
Native Connectivity (M-EOS interoperability)	37
Port Mirroring	37
Virtual Fabrics	37
Zoning	37
Miscellaneous	38
Fabric OS feature compatibility in native connectivity modes	39
Recommended Migration Paths to Fabric OS 7.0.0a	39
Migrating from Fabric OS 6.4.x	39
Migrating from Fabric OS 6.3.x	39
Fabric OS Upgrade and Downgrade Special Considerations	39
Firmware upgrade instructions	40
Scalability	40
Encryption — additional recommendations	40
Initial setup of encrypted LUNs	44
Fabric OS 7.0.0 fixes	44
Fabric OS 7.0.0a fixes	52

HP 4400 HP B-series Fabric OS 7.0.0a Release Notes (5697-0881, June 2011) - Page 42

In a DC SAN Director or DC04 SAN Director with Fabric OS 6.3.1x and DC Switch encryption

Page 42 highlights