HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2.0g release notes (5697-0355 - Page 33

Initial setup of encrypted LUNs

Page 33 highlights

This leads to no crypto operations or commands (except node initialization) being available on the member nodes after the power-cycle. This condition persists until the GL node is back online.

• Workaround. In the case of a datacenter power down, bring the GL node online first, before the other member nodes are brought back up.

In the event of the GL node failing to come back up, the GL node can be replaced with a new node. The following are the procedures to allow an EG to function with existing member nodes and to replace the failed GL node with a new node:

• Make one of the existing member nodes the Group Leader node and continue operations:
  1. On one of the member nodes, create the Encryption Group with the same Encryption Group name. This will make that node the GL node, and the rest of the Crypto Target Container and Tape Pool related configurations will remain intact in this Encryption Group.
  2. For any containers hosted on the failed GL node, issue cryptocfg --replace to change the WWN association of containers from the failed GL node to the new GL node.

• Replace the failed GL node with a new node:
  1. On the new node, follow the switch/node initialization steps.
  2. Create an Encryption Group on this fresh switch/node with the same Encryption Group name as before.
  3. Perform a configdownload to the new GL node of a previously uploaded configuration file for the EG from an old GL node.
  4. For any containers hosted on the failed GL node, issue cryptocfg --replace to change the WWN association of containers from the failed GL node to the new GL node.

Initial setup of encrypted LUNs

IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active at the time, re-key operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence.

NOTE: When configuring multipath LUNs, care should be taken to add LUN0 on all of the paths, subject to the following considerations:

• If LUN0 presented by the backend target is a controller LUN (not a disk LUN; that is, not visible in the discoverLUN output), add LUN0 to the container as a clear text LUN. Make sure all of the paths have this LUN0 added for MPIO operation (EVA configuration, for example).
• If LUN0 presented by the backend target is a disk LUN, LUN0 can be added to the container either as clear text or encrypted (MSA configuration, for example).
• For HP-UX, LUN0 can appear as 0x0 or 0x400, but both of them are LUN0 only, and should be treated alike.
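The LUN0 rules in the NOTE above, written as a check to run over a planned multipath layout before it is committed. This is an added example, not HP or Brocade code; the data model, path labels and function names are hypothetical, and the sample entries are constructed.

```python
from dataclasses import dataclass

# Per the note: on HP-UX, LUN0 may be reported as 0x0 or 0x400.
HPUX_LUN0_ALIASES = {0x0, 0x400}

@dataclass(frozen=True)
class LunEntry:
    path: str        # hypothetical label for one initiator-to-target path
    lun: int         # LUN number as the host reports it
    encrypted: bool  # False means added to the container as clear text

def is_lun0(lun: int, host_os: str) -> bool:
    if host_os == "hpux":
        return lun in HPUX_LUN0_ALIASES
    return lun == 0

def check_lun0(paths, entries, lun0_in_discoverlun, host_os="other"):
    """Return findings; an empty list means the LUN0 rules are met."""
    findings = []
    lun0 = [e for e in entries if is_lun0(e.lun, host_os)]
    covered = {e.path for e in lun0}
    for path in paths:
        if path not in covered:
            findings.append(f"{path}: LUN0 not added on this path")
    # A LUN0 absent from discoverLUN output is a controller LUN and
    # must be clear text; a disk LUN0 may be either.
    if not lun0_in_discoverlun:
        for e in lun0:
            if e.encrypted:
                findings.append(f"{e.path}: controller LUN0 must be clear text")
    return findings

# Constructed sample: two paths to a target whose LUN0 is a controller LUN.
PATHS = ["pathA", "pathB"]
SAMPLE = [
    LunEntry("pathA", 0x0, encrypted=False),
    LunEntry("pathA", 0x1, encrypted=True),
    LunEntry("pathB", 0x400, encrypted=True),
    LunEntry("pathB", 0x1, encrypted=True),
]

if __name__ == "__main__":
    for os_name in ("hpux", "other"):
        print(os_name, check_lun0(PATHS, SAMPLE, False, os_name))
```

With the HP-UX alias applied, the sample is flagged for an encrypted controller LUN0 on pathB; without it, 0x400 is not recognised as LUN0 and pathB is reported as missing LUN0 instead.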

