HP 4400 HP StorageWorks Fabric OS 6.4.0c Release Notes (5697-0703, September 2 - Page 39

Encryption behavior



• Beginning with Fabric OS 6.2.0, the data collected by SupportSave operations was greatly expanded to include all readable registers within the ASIC. In cases where some registers may be unused and therefore contain invalid data, a CDR-1003 error message would be issued. Fabric OS 6.3.1b and later now reclassify these messages as warnings, rather than critical errors.
• HP recommends that no more than 50 F_Port Top Talkers be enabled on a 4/256 Director in a large fabric (>4000 devices).
• HP recommends that for directors with more than 300 E_Ports, the switch be disabled prior to executing the switchCfgTrunk command (used to disable or enable trunking on the switch).
• For the configure command in Fabric OS 6.4.0x, the default value that displays for Maximum Logins per switch has been corrected. The actual default value is now displayed. The default value itself has not changed.
• POST diagnostics for the 8/40 SAN Switch have been modified in Fabric OS 6.3.1b, 6.4.0, and later releases to eliminate an INIT NOT DONE error at the end of an ASIC diagnostic port loopback test. This modification addresses BL-1020 Initialization errors encountered during the POST portloopbacktest.

Encryption behavior

• HP recommends that the encrypted LUN containers be created when all of the nodes/encryption engines (EEs) in the Data Encryption Key (DEK)/High Availability Cluster (HAC) are up and enabled.
• If two Encryption Engines are part of a High Availability Cluster, configure the host/target pair such that they form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE. This connectivity does not give full redundancy in case of EE failure resulting in HAC failover.
• Since the quorum disk plays a vital role in keeping the cluster in sync, configure the quorum disk to be outside of the encryption environment.
• LUN configuration
  • To configure a LUN for encryption:
    • Add the LUN as clear-text to the Crypto Target Container (CTC).
    • When the LUN comes online and the clear-text host I/O starts, modify the LUN from clear-text to encrypted, including the enable_encexistingdata option to convert the LUN from clear-text to encrypted.
  • An exception to this LUN configuration process: If the LUN was previously encrypted by the HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the -encrypt and -lunstate ="encrypted" options.
  • LUN configurations must be committed to take effect. No more than 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations that exceed 25 LUNs fail with a warning. There is also a five-second delay before the commit operation takes effect. Always ensure that any previously committed LUN configurations or LUN modifications have taken effect before committing additional LUN configurations or additions. All LUNs should be in an Encryption Enabled state before committing additional LUN modifications.
• LUN Size Expansion consideration (as an example for EVA LUNs): When an EVA LUN is encrypted, and then needs to be expanded using HP Command View, no additional configuration is required from the Encryption SAN Switch side. However, make sure not to change the LUN size while any re-key operation is in progress.
• The cryptocfg -manual_rekey -all command should not be used in environments with multiple encryption engines (encryption blades) installed in a director-class chassis when more than one encryption engine has access to the same LUN. In such situations, use the cryptocfg
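
The LUN configuration rules above (add as clear-text first, then modify to encrypted; at most 25 LUNs per commit; confirm each commit has taken effect before the next), sketched as a change planner. This is an added example, not HP code: the step names and LUN labels are hypothetical and are not cryptocfg syntax.

```python
from dataclasses import dataclass

MAX_LUNS_PER_COMMIT = 25   # per-commit limit stated in the release notes

@dataclass(frozen=True)
class Lun:
    lun_id: str                          # hypothetical label, e.g. "ctc1/lun0"
    previously_encrypted: bool = False   # already encrypted by an HP Encryption Switch/Blade

def _batches(ids, size=MAX_LUNS_PER_COMMIT):
    return [ids[i:i + size] for i in range(0, len(ids), size)]

def plan_commits(luns):
    """Return ordered (step, lun_ids) tuples; step names are illustrative only."""
    ids = [l.lun_id for l in luns]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate LUN id in change request")
    fresh = [l.lun_id for l in luns if not l.previously_encrypted]
    prior = [l.lun_id for l in luns if l.previously_encrypted]
    plan = []

    def commit(action, batch, check):
        plan.append((action, batch))
        plan.append(("commit", batch))
        plan.append((check, batch))      # operator gate before the next commit

    # Phase 1: new LUNs go into the CTC as clear-text.
    for b in _batches(fresh):
        commit("add_cleartext", b, "wait_online_and_host_io")
    # Exception: LUNs already encrypted are added directly in the encrypted state.
    for b in _batches(prior):
        commit("add_encrypt_lunstate_encrypted", b, "wait_encryption_enabled")
    # Phase 2: convert the clear-text LUNs, encrypting existing data.
    for b in _batches(fresh):
        commit("modify_to_encrypted_enable_encexistingdata", b, "wait_encryption_enabled")
    return plan

def validate(plan):
    """Reject a plan with an oversized commit or a modify that precedes its add."""
    added = set()
    for step, batch in plan:
        if step == "commit" and len(batch) > MAX_LUNS_PER_COMMIT:
            return False
        if step == "add_cleartext":
            added.update(batch)
        if step.startswith("modify_to_encrypted") and not set(batch) <= added:
            return False
    return True
```
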