HP StorageWorks Fabric OS 6.2.2e Release Notes (5697-0809, February 20), Page 31
• When creating an HA Cluster or EG with two or more HP encryption switches/encryption blades, the GE_Ports (I/O sync links) must be configured with an IP address for the eth0 and eth1 Ethernet interfaces using ipaddrset. In addition, both eth0 and eth1 Ethernet ports should be connected to the network for redundancy. These I/O sync link connections must be established before any Re-Key, First Time Encryption, or enabling of the EE for crypto operations. Failure to do so results in HA Cluster creation failure. If the IP address for these ports is configured after the EE was enabled for encryption, the HP Encryption Switch must be rebooted and Encryption blades must be slotpoweroff/slotpoweron to sync the IP address information to the EEs. If only one Ethernet port is configured and connected to a network, data loss or suspension of Re-Key may occur when the network connection toggles or fails.

• initEE removes the existing master key or link key. Back up the master key by running cryptocfg -exportmasterkey and cryptocfg -export -currentMK before running initEE. After initEE, regEE and enableEE, run cryptocfg -recovermasterkey to recover the master key previously backed up, or, in the case of a fresh install, run cryptocfg -genmasterkey to generate a new master key. If you are using SKM, establish a trusted link with SKM again. Certificate exchange between key vaults and switches is not required in this case.

• The disable EE interface CLI command cryptocfg --disableEE [slot no] should be used only to disable the encryption and security capabilities of the EE from the Fabric OS Security Admin in the event of a security compromise. When disabling the encryption capabilities of the EE using the noted command, the EE should not be hosting any CTCs. Ensure that all CTCs hosted on the HP Encryption Switch or HP Encryption Blade are either removed or moved to a different EE in the HA Cluster or EG before disabling the encryption and security capabilities.

• Whenever initNode is performed, new certificates for the CP and KAC (SKM) are generated. Hence, each time initNode is performed, the new KAC certificate must be loaded onto the key vaults for Secure Key Manager (SKM). Without this step, errors will occur, such as the key vault not responding and ultimately key archival and retrieval problems.

• The HTTP server should be listening on port 9443. Secure Key Manager is supported only when configured to port 9443.

• The HP Encryption Switch and HP Encryption Blade support registration of only one HP SKM Key Vault for Fabric OS 6.2.2x. Multiple HP SKM Key Vaults can be clustered at the SKM server level. Registration of a second SKM key vault is not blocked. When the registered key vault connection goes down or the registered key vault is down, you must correct the connection with the Key Vault, or replace the failed SKM and re-register it (deregister the failed SKM entry and register the new SKM entry) on the HP Encryption Switch or HP Encryption Blade. You must ensure that the replacement (new) SKM key vault is in sync with the rest of the SKM units in the cluster in terms of the Keys Database (manually sync the Key Database from an existing SKM Key Vault in the cluster to the new or replacement SKM Key Vault using the key synchronization methods provided in the SKM Admin Guide).

• The SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange is supported. See the Encryption Admin Guide for configuration information.

• Direct FICON device connectivity is not supported for the HP Encryption Switch or HP Encryption Blade front-end user ports. Also, FICON devices as part of Encryption or Clear-Text flows are not supported, which means FICON devices cannot be configured as Crypto Target Containers on the encryption switch or blade.

• Ensure that all encryption engines in the HA cluster (HAC), Data Encryption Key (DEK) cluster, or encryption group are online before invoking or starting rekey operations on LUNs. Also ensure that all target paths for a LUN are online before invoking or starting rekey operations on LUNs.
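The initEE note above describes an ordering that is easy to get wrong by hand: the master key is destroyed by initEE and can only be restored from a backup taken beforehand. The following added example, which is not HP or Fabric OS tooling, wraps that sequence in a shell function that refuses to run initEE unless both master-key exports succeeded. It assumes a Fabric OS shell session, that the cryptocfg options take the names used on this page with a leading "--", and that EXPORT_ARGS carries whatever export destination your version requires; verify the exact option syntax against the Encryption Admin Guide.

```shell
#!/bin/sh
# Added example, not HP's or the Fabric OS's own tooling: wraps the EE
# re-initialization procedure so that initEE never runs unless the
# master-key backup succeeded, and the key is recovered (or generated on
# a fresh install) only after initEE, regEE and enableEE all succeeded.
# Assumption: cryptocfg option names as on this page, with a leading "--".

CRYPTOCFG=${CRYPTOCFG:-cryptocfg}

# Both master-key exports must succeed; a failed backup aborts the run.
backup_master_key() {
    "$CRYPTOCFG" --exportmasterkey || return 1
    # EXPORT_ARGS is deliberately unquoted so a multi-word destination splits.
    "$CRYPTOCFG" --export -currentMK ${EXPORT_ARGS:-} || return 1
}

# reinit_ee SLOT [existing|fresh]
# Returns 0 when the whole sequence completed, or a distinct non-zero code
# for the first step that failed; later steps are never attempted.
reinit_ee() {
    slot=$1
    mode=${2:-existing}
    if [ "$mode" != fresh ]; then
        backup_master_key || {
            echo "master-key backup failed; initEE not run" >&2
            return 2
        }
    fi
    "$CRYPTOCFG" --initEE "$slot"   || return 3   # destroys the old master/link key
    "$CRYPTOCFG" --regEE "$slot"    || return 4
    "$CRYPTOCFG" --enableEE "$slot" || return 5
    if [ "$mode" = fresh ]; then
        "$CRYPTOCFG" --genmasterkey || return 6
    else
        "$CRYPTOCFG" --recovermasterkey || return 7
    fi
    echo "EE $slot re-initialized; re-establish the SKM trusted link if SKM is in use" >&2
}
```

For a fresh install pass `fresh` as the second argument, which skips the backup (there is no key to export) and generates a new master key at the end.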