Dell Brocade 6520 Release Notes v1.0 - Page 33


Page 33 highlights

  • Adding of 3PAR Session/Enclosure LUNs to CTCs is now supported. Session/Enclosure LUNs (LUN 0xFE) used by 3PAR InServ arrays must be added to CryptoTarget (CTC) containers with LUN state set to "cleartext" and encryption policy set to "cleartext". BES/FS8-18 will not perform any explicit enforcement of this requirement.

  • When host clusters are deployed in an Encryption environment, please note the following recommendations:
      • If two EEs (encryption engines) are part of a HAC (High Availability Cluster), configure the host/target pair such that they form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE. This connectivity does not give full redundancy in the case of EE failure resulting in HAC failover.
      • Since the quorum disk plays a vital role in keeping the cluster in sync, please configure the quorum disk to be outside of the encryption environment.

  • The "-key_lifespan" option has no effect for "cryptocfg --add -LUN", and only has an effect for "cryptocfg --create -tapepool" for tape pools declared "-encryption_format native". For all other encryption cases, a new key is generated each time a medium is rewound and block zero is written or overwritten. For the same reason, the "Key Life" field in the output of "cryptocfg --show -container -all -stat" should always be ignored, and the "Key life" field in "cryptocfg --show -tapepool -cfg" is only significant for native-encrypted pools.

  • The Quorum Authentication feature requires a compatible DCFM or Brocade Network Advisor release (DCFM 10.3 or later for pre-FOS v7.0 and Network Advisor 11.1 or later for FOS v7.0 or later) that supports this feature. Note that all nodes in the EG must be running FOS v6.3.0 or later for quorum authentication to be properly supported.

  • The System Card feature requires a compatible DCFM or Brocade Network Advisor release (DCFM 10.3 or later for pre-FOS v7.0 and Network Advisor 11.1 or later for FOS v7.0 or later) that supports this feature. Note that all nodes in the EG must be running FOS v6.3.0 or later for system verification to be properly supported.

  • The Brocade Encryption switch and FS8-18 blade do not support QoS. When using encryption or Frame Redirection, participating flows should not be included in QoS Zones.

  • HP SKM & ESKM are supported with Multiple Nodes and Dual SKM/ESKM Key Vaults. Two-way certificate exchange is supported. Please refer to the Encryption Admin Guide for configuration information. If using dual SKMs or ESKMs on a BES/FS8-18 Encryption Group, then these SKM / ESKM Appliances must be clustered. Failure to cluster will result in key creation failure. Otherwise, register only one SKM / ESKM on the BES/FS8-18 Encryption Group.

  • FOS 7.1.0 will use SHA256 signatures for the TLS certificates used to connect to the ESKM 3.0 Server using the ESKM 2.0 client. Upgrade from FOS versions (6.4.x/7.0.x) to FOS 7.1.0 and downgrade from FOS 7.1.0 to FOS versions (6.4.x/7.0.x) would require regeneration and re-registration of CA and signed KAC certificates to restore connectivity to the key vault. Please refer to the Encryption AG for more details on the ESKM/FOS compatibility matrix.

  • The RSA DPM Appliance SW v3.2 is supported. The procedure for setting up the DPM Appliance with BES or a DCX/DCX-4S/DCX 8510 with FS8-18 blades is located in the Encryption Admin Guide.

  • Before upgrading from FOS versions (6.4.x/7.0.x) to FOS 7.1.0, it is required that the RKM server running SW v2.7.1.1 be upgraded to a DPM server running SW v3.2. Please refer to the DPM/FOS compatibility matrix in the Encryption AG for more details.

  • Support for registering a 2nd DPM Appliance on BES/FS8-18 is blocked. If the DPM Appliances are clustered, then the virtual IP address hosted by a 3rd party IP load balancer for the DPM Cluster must be registered on BES/FS8-18 in the primary slot for Key Vault IP.

  • With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less than 400MB are presented to BES for encryption, a host panic may occur, and this configuration is not supported in the FOS v6.3.1 or later release.

Fabric OS v7.1.0a Release Notes v1.0, Page 33 of 41

