HP StorageWorks 1606 HP StorageWorks FOS 6.3.0b Release Notes (5697-0360, Apri - Page 42

Initial setup of encrypted LUNs, Configuring the Key Manager for FIPS Compliance

Get HP StorageWorks 1606 - Extension SAN Switch PDF manuals and user guides View all HP StorageWorks 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 42 highlights

• In an environment with a mixed firmware version (FOS 6.2.x + 6.3.0) Encryption Group, the I/O link state reported for FOS 6.2.x nodes is unreachable. During a rolling upgrade from FOS 6.2.0x to 6.3.0, you should see the I/O link status reported as Unreachable when the cryptocfg -show -loc command is invoked. However, once all the nodes are upgraded to FOS 6.3.0, the show command will accurately reflect the status of the I/O Link. The I/O link status while performing the rolling upgrade from FOS 6.2.0 to 6.3.0 can be ignored until all nodes have been upgraded to 6.3.0. Mace39:root> cryptocfg --show -loc EE Slot: 0 SP state: Online Current Master KeyID: 43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59 Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9 HA Cluster Membership: hac39_115 EE Attributes: Link IP Addr : 10.32.50.36 Link GW IP Addr: 10.32.48.1 Link Net Mask : 255.255.240.0 Link MAC Addr : 00:05:1e:53:8a:86 Link MTU : 1500 Link State : UP Media Type : DISK System Card Label : System Card CID : Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • SKM FIPS Mode Enablement FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section. NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs. Initial setup of encrypted LUNs IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence. 42

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
In an environment with a mixed firmware version (FOS 6.2.x + 6.3.0) Encryption Group, the I/O
link state reported for FOS 6.2.x nodes is unreachable. During a rolling upgrade from FOS 6.2.0x
to 6.3.0, you should see the I/O link status reported as
Unreachable
when the
cryptocfg
–show -loc
command is invoked. However, once all the nodes are upgraded to FOS 6.3.0,
the show command will accurately reflect the status of the I/O Link. The I/O link status while per-
forming the rolling upgrade from FOS 6.2.0 to 6.3.0 can be ignored until all nodes have been
upgraded to 6.3.0.
Mace39:root> cryptocfg --show -loc
EE Slot:
0
SP state:
Online
Current Master KeyID:
43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59
Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9
HA Cluster Membership:
hac39_115
EE Attributes:
Link IP Addr
: 10.32.50.36
Link GW IP Addr: 10.32.48.1
Link Net Mask
: 255.255.240.0
Link MAC Addr
: 00:05:1e:53:8a:86
Link MTU
: 1500
Link State
: UP
Media Type
: DISK
System Card Label
:
System Card CID
:
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
SKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM user guide,
Configuring the Key Manager for FIPS Compliance
section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during
the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
Initial setup of encrypted LUNs
IMPORTANT:
While performing first-time encryption to a LUN with more than one initiator active at the time, rekey
operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence.
42