HP 4400 HP StorageWorks Fabric OS 6.4.0c Release Notes (5697-0703, September 2 - Page 44
Configuring the Key Manager for FIPS Compliance, SKM FIPS Mode Enablement
Remote EE Reachability :
  Node WWN/Slot              EE IP Addr     EE State         IO Link State
  10:00:00:05:1e:53:77:80/0  10.32.53.107   EE_STATE_ONLINE  Non-Reachable
  10:00:00:05:1e:53:b7:ae/0  10.32.53.105   EE_STATE_ONLINE  Non-Reachable

• When adding nodes to an Encryption Group, ensure all node Encryption Engines are in an Enabled state.
• When disk and tape CTCs are hosted on the same encryption engine, re-keying cannot be done while tape backup or restore operations are running. Re-keying operations must be scheduled at a time that does not conflict with normal tape I/O operations. The LUNs should not be configured with the auto rekey option when a single EE has disk and tape CTCs.
• For new features added to encryption in Fabric OS 6.4.0, such as disk device decommissioning, combined disk-tape encryption support on the same encryption engine, and the redundant key ID metadata option for replication environments, all the nodes in the encryption group must be running Fabric OS 6.4.0 or higher. Firmware downgrade from Fabric OS 6.4.0 to a lower version is prevented if one or more of these features are in use.
• Special notes for the HP Data Protector backup/restore application:
  • Tape pool encryption policy specification
    • On Windows systems, HP Data Protector can be used with tape pool encryption specification only if the following pool label options are used:
      - Pick from Barcode
      - User Supplied (only 9 characters or less)
      For other options, behavior defaults to the Tape LUN encryption policy.
    • On HP-UX systems, HP Data Protector cannot be used with tape pool encryption specification for any of the pool options. The behavior defaults to the Tape LUN encryption policy.
  • Tape LUN encryption policy specification
    • No restrictions; tape LUN encryption policy specification can be used with HP Data Protector on HP-UX and Windows systems.
• Note that the disk device decommission functionality is not currently supported with SKM.
• SKM FIPS Mode Enablement: FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section.
  NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
• SKM dual node cluster - auto failover considerations: In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both SKM nodes are available. However, there will not be any issue retrieving keys or using the existing setup as long as one SKM node is available. The encryption switch makes sure that any new key is hardened (archived) to both SKM Key Vaults in the SKM cluster before the key gets used for encryption. In the event that one of the SKM vaults
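As an added example (not part of these release notes or of Fabric OS), the following script parses a "Remote EE Reachability" listing like the one quoted at the top of this page and reports every encryption engine whose IO link is not reachable, which an operator would want resolved before adding nodes to an encryption group. The exact column layout and the sample output are assumptions based on the reconstructed table above.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the "Remote EE Reachability" output quoted on
# this page; the column layout is an assumption from the reconstructed table.
SAMPLE_OUTPUT = """\
Remote EE Reachability :
Node WWN/Slot               EE IP Addr     EE State          IO Link State
10:00:00:05:1e:53:77:80/0   10.32.53.107   EE_STATE_ONLINE   Non-Reachable
10:00:00:05:1e:53:b7:ae/0   10.32.53.105   EE_STATE_ONLINE   Non-Reachable
"""

# One data row: 8-byte WWN, "/slot", IPv4 address, EE state token, link state.
ROW_RE = re.compile(
    r"^(?P<wwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})/(?P<slot>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<link>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class RemoteEE:
    wwn: str
    slot: int
    ip: str
    state: str
    link: str


def parse_reachability(text: str) -> list[RemoteEE]:
    """Extract one record per remote EE row; title and header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(RemoteEE(m["wwn"], int(m["slot"]), m["ip"], m["state"], m["link"]))
    return rows


def unreachable_engines(text: str) -> list[str]:
    """Return 'wwn/slot' for every EE whose IO link is anything other than Reachable.
    An EE can report EE_STATE_ONLINE while its IO link is Non-Reachable, so the
    link column, not the state column, decides."""
    return [f"{ee.wwn}/{ee.slot}" for ee in parse_reachability(text)
            if ee.link.strip().lower() != "reachable"]


if __name__ == "__main__":
    for ee_id in unreachable_engines(SAMPLE_OUTPUT):
        print(f"EE {ee_id}: IO link not reachable, resolve before adding nodes")
```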