HP 4400 HP StorageWorks Fabric OS 6.4.1 Release Notes (5697-0760, November 201 - Page 45

Configuring the Key Manager for FIPS Compliance, SKM FIPS Mode Enablement

Get HP 4400 PDF manuals and user guides View all HP 4400 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 45 highlights

Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an Enabled state. • When disk and tape CTCs are hosted on the same encryption engine, rekeying cannot be done while tape backup or restore operations are running. Rekeying operations must be scheduled at a time that does not conflict with normal tape I/O operations. The LUNs should not be configured with auto rekey option when single EE has disk and tape CTCs. • For new features added to encryption in Fabric OS 6.4.0, such as, disk device decommissioning, combined disk-tape encryption support on the same encryption engine, and redundant key ID metadata option for replication environments, all the nodes in the encryption group must be running Fabric OS 6.4.0 or higher versions. Firmware downgrade is prevented from Fabric OS 6.4.0 to a lower version if one or more of these features are in use. • Special notes for HP Data Protector backup/restore application • Tape Pool encryption policy specification • On Windows Systems, HP Data Protector can be used with tape pool encryption specification only if the following pool label options are used: Pick from Barcode User Supplied - Only 9 characters or less For other options, behavior defaults to Tape LUN encryption policy. • On HP-UX systems, HP Data Protector cannot be used with tape pool encryption specification for any of the pool options. The behavior defaults to Tape LUN Encryption Policy. • Tape LUN encryption policy specification • No restrictions, tape LUN encryption policy specification can be used with HP Data Protector on HP-UX and Windows systems. • Note that the disk device decommission functionality is not currently supported with SKM. • SKM FIPS Mode Enablement FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section. NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs. • SKM dual node cluster - Auto failover considerations: In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both the SKM nodes are available. However, there will not be any issue for retrieving keys or using the existing setup as long as one SKM node is available. The encryption switch makes sure that any new KEY is hardened (archived) to both SKM Key Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults HP StorageWorks Fabric OS 6.4.1 Release Notes 45

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an En-
abled state.
When disk and tape CTCs are hosted on the same encryption engine, rekeying cannot be done
while tape backup or restore operations are running. Rekeying operations must be scheduled at
a time that does not conflict with normal tape I/O operations. The LUNs should not be configured
with auto rekey option when single EE has disk and tape CTCs.
For new features added to encryption in Fabric OS 6.4.0, such as, disk device decommissioning,
combined disk-tape encryption support on the same encryption engine, and redundant key ID
metadata option for replication environments, all the nodes in the encryption group must be running
Fabric OS 6.4.0 or higher versions. Firmware downgrade is prevented from Fabric OS 6.4.0 to
a lower version if one or more of these features are in use.
Special notes for HP Data Protector backup/restore application
Tape Pool encryption policy specification
On Windows Systems, HP Data Protector can be used with tape pool encryption specification
only if the following pool label options are used:
Pick from Barcode
User Supplied
Only 9 characters or less
For other options, behavior defaults to Tape LUN encryption policy.
On HP-UX systems, HP Data Protector cannot be used with tape pool encryption specification
for any of the pool options. The behavior defaults to Tape LUN Encryption Policy.
Tape LUN encryption policy specification
No restrictions, tape LUN encryption policy specification can be used with HP Data Protector
on HP-UX and Windows systems.
Note that the disk device decommission functionality is not currently supported with SKM.
SKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM user guide,
Configuring the Key Manager for FIPS Compliance
section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during
the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
SKM dual node cluster - Auto failover considerations:
In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM
nodes are always available and online for proper key archival. If one of the SKM nodes fails, you
cannot use the configuration to create new keys. In other words, adding new targets or LUNs to
the encryption path will not work until both the SKM nodes are available. However, there will not
be any issue for retrieving keys or using the existing setup as long as one SKM node is available.
The encryption switch makes sure that any new KEY is hardened (archived) to both SKM Key Vaults
in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults
HP StorageWorks Fabric OS 6.4.1 Release Notes
45