HP StorageWorks 1606 HP StorageWorks Fabric OS 6.3.0c Release Notes (5697-0361 - Page 41

Relative to the Encryption SAN Switch and a DC SAN Director with Encryption FC blade, all nodes

Page 41 highlights

nodes are upgraded to Fabric OS 6.3.0, the command will accurately reflect the status of the I/O Link. The I/O link status should be disregarded during the code upgrade process. • The -key_lifespanoption has no effect for cryptocfg -add -LUN, and only has an effect for cryptocfg --create -tapepool for tape pools declared -encryption_format native. For all other encryption cases, a new key is generated each time a medium is rewound and block zero is written or overwritten. For the same reason, the Key Life field in the output of cryptocfg --show -container -all -stat should always be ignored, and the Key Life field in cryptocfg --show -tapepool -cfg is significant only for native-encrypted pools. • The Quorum Authentication feature requires DCFM 10.3.0 or later. Note that all nodes in the EG must be running Fabric OS 6.3.0 for quorum authentication to be properly supported. • In a DC SAN Director or DC04 SAN Director with Fabric OS 6.3.0 and DC Switch encryption FC blades installed, you must set the quorum size to zero and disable the system card on the blade prior to downgrading to a Fabric OS version earlier than 6.3.0. • The System Card feature requires DCFM 10.3.0 or later. Note that all nodes in the EG must be running Fabric OS 6.3.0 for system verification to be properly supported. • The Encryption SAN Switch and Encryption FC blade do not support QoS. When using encryption or Frame Redirection, participating flows should not be included in QoS Zones. • HP encryption devices can be configured for either disk or tape operation. The ability to configure multiple Crypto-Target Containers defining different media types on a single encryption engine (Encryption SAN Switch or Encryption FC blade) is not supported. Encryption FC blades can be configured to support different media types within a common DC SAN Director/DC04 SAN Director chassis. • SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange is supported. See the Encryption Admin Guide for configuration information. If you are using dual SKMs on Encryption SAN Switch/Encryption FC blade Encryption Group, these SKM Appliances must be clustered. Failure to cluster will result in key creation failure. Otherwise, register only one SKM on the Encryption SAN Switch/Encryption FC blade Encryption Group. • When the tape key expires in the middle of write operation on the tape, the key is used to append the data on the tape media. When the backup application rewinds the media and starts writing to Block-0 again (and if the key is expired), a new key is created and used henceforth. The expired key is then marked as read only and used only for restoring data from previously encrypted tapes. • With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less than 400 MB are presented to the Encryption SAN Switch for encryption, a host panic may occur; this configuration is not supported for the Fabric OS 6.3 release. • HCL from Fabric OS 6.2.x to 6.3.0 is supported. Cryptographic operations and I/O will be disrupted but other layer 2 traffic will not be. • Relative to the Encryption SAN Switch and a DC SAN Director with Encryption FC blade, all nodes in the Encryption Group must be at the same firmware level of Fabric OS 6.2 or 6.3 before starting a rekey or First Time Encryption operation. Make sure that existing rekey or First Time Encryption operations complete before upgrading any of the encryption products in the Encryption Group. Also, make sure that the upgrade of all nodes in the Encryption Group to Fabric OS 6.3.0 completes before starting a rekey or First Time Encryption operation. • To clean up the stale rekey information for the LUN, use one of the following methods: • Method 1 1. Modify the LUN policy from encrypt to cleartext and commit. The LUN will become disabled. 2. Enable the LUN using cryptocfg --enable -LUN. Modify the LUN policy from clear-text to encrypt with enable_encexistingdata to enable the first time encryption and do commit. HP StorageWorks Fabric OS 6.3.0c Release Notes 41

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76

nodes are upgraded to Fabric OS 6.3.0, the command will accurately reflect the status of the I/O
Link. The I/O link status should be disregarded during the code upgrade process.
The
–key_lifespan
option has no effect for
cryptocfg –add –LUN
, and only has an effect
for
cryptocfg --create –tapepool
for tape pools declared
-encryption_format
native
. For all other encryption cases, a new key is generated each time a medium is rewound
and block zero is written or overwritten. For the same reason, the
Key Life
field in the output of
cryptocfg --show -container -all –stat
should always be ignored, and the
Key Life
field in
cryptocfg --show –tapepool –cfg
is significant only for native-encrypted pools.
The Quorum Authentication feature requires DCFM 10.3.0 or later. Note that all nodes in the EG
must be running Fabric OS 6.3.0 for quorum authentication to be properly supported.
In a DC SAN Director or DC04 SAN Director with Fabric OS 6.3.0 and DC Switch encryption
FC blades installed, you must set the quorum size to zero and disable the system card on the blade
prior to downgrading to a Fabric OS version earlier than 6.3.0.
The System Card feature requires DCFM 10.3.0 or later. Note that all nodes in the EG must be
running Fabric OS 6.3.0 for system verification to be properly supported.
The Encryption SAN Switch and Encryption FC blade do not support QoS. When using encryption
or Frame Redirection, participating flows should not be included in QoS Zones.
HP encryption devices can be configured for either disk or tape operation. The ability to configure
multiple Crypto-Target Containers defining different media types on a single encryption engine
(Encryption SAN Switch or Encryption FC blade) is not supported. Encryption FC blades can be
configured to support different media types within a common DC SAN Director/DC04 SAN Dir-
ector chassis.
SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange
is supported. See the Encryption Admin Guide for configuration information. If you are using dual
SKMs on Encryption SAN Switch/Encryption FC blade Encryption Group, these SKM Appliances
must be clustered. Failure to cluster will result in key creation failure. Otherwise, register only one
SKM on the Encryption SAN Switch/Encryption FC blade Encryption Group.
When the tape key expires in the middle of write operation on the tape, the key is used to append
the data on the tape media. When the backup application rewinds the media and starts writing
to Block-0 again (and if the key is expired), a new key is created and used henceforth. The expired
key is then marked as read only and used only for restoring data from previously encrypted tapes.
With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less
than 400 MB are presented to the Encryption SAN Switch for encryption, a host panic may occur;
this configuration is not supported for the Fabric OS 6.3 release.
HCL from Fabric OS 6.2.x to 6.3.0 is supported. Cryptographic operations and I/O will be dis-
rupted but other layer 2 traffic will not be.
Relative to the Encryption SAN Switch and a DC SAN Director with Encryption FC blade, all nodes
in the Encryption Group must be at the same firmware level of Fabric OS 6.2 or 6.3 before starting
a rekey or First Time Encryption operation. Make sure that existing rekey or First Time Encryption
operations complete before upgrading any of the encryption products in the Encryption Group.
Also, make sure that the upgrade of all nodes in the Encryption Group to Fabric OS 6.3.0 completes
before starting a rekey or First Time Encryption operation.
To clean up the stale rekey information for the LUN, use one of the following methods:
Method 1
1.
Modify the LUN policy from
encrypt
to
cleartext
and commit.
The LUN will become disabled.
2.
Enable the LUN using
cryptocfg --enable –LUN
. Modify the LUN policy from
clear-text
to
encrypt
with
enable_encexistingdata
to enable the first time
encryption and do commit.
HP StorageWorks Fabric OS 6.3.0c Release Notes
41