Dell PowerEdge M1000e Fabric OS Release Notes - Page 26



Fabric OS v6.4.1 Release Notes v1.0
Page 26 of 62
• Disk Encryption Rekey: Configupload/download does not retain the auto rekey value. The first auto rekey after configdownload will occur based on the previously configured key life. The newly configured key life value (as part of configdownload) will be used after the first auto rekey. (Defect 315174)
• Disk encryption is not supported for IBM iSeries (AS/400) hosts.
• 3Par Session/Enclosure LUNs to CTCs are now supported. Session/Enclosure LUNs (LUN 0xFE) used by 3Par InServ arrays must be added to CryptoTarget (CTC) containers with LUN state “cleartext”, encryption policy “cleartext”. No enforcement will be performed.
• The “cryptocfg --manual_rekey -all” command should not be used in environments with multiple encryption engines (FS8-18 blades) installed in a director-class chassis when more than one encryption engine has access to the same LUN. In such situations, use the “cryptocfg --manual_rekey <CTC> <LUN Num> <Initiator PWWN>” command to manually rekey these LUNs.
• When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an Enabled state.
• When host clusters are deployed in an Encryption environment, please note the following recommendations:
  o If two EEs (encryption engines) are part of a HAC, configure the host/target pair such that they form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE. This connectivity does not give full redundancy in case of EE failure resulting in HAC failover.
  o Since quorum disk plays a vital role in keeping the cluster in sync, please configure the quorum disk to be outside of the encryption environment.
• The “-key_lifespan” option has no effect for “cryptocfg --add -LUN”, and only has an effect for “cryptocfg --create -tapepool” for tape pools declared “-encryption_format native”. For all other encryption cases, a new key is generated each time a medium is rewound and block zero is written or overwritten. For the same reason, the “Key Life” field in the output of “cryptocfg --show -container -all -stat” should always be ignored, and the “Key life” field in “cryptocfg --show -tapepool -cfg” is only significant for native-encrypted pools.
• The Quorum Authentication feature requires a compatible DCFM release (DCFM 10.3 or later) that supports this feature. Note, all nodes in the EG must be running FOS v6.3.0 or later for quorum authentication to be properly supported.
• The System Card feature requires a compatible DCFM release that supports this feature. Note, all nodes in the EG must be running FOS v6.3.0 or later for system verification to be properly supported.
• The Brocade Encryption switch and FS8-18 blade do not support QoS. When using encryption or Frame Redirection, participating flows should not be included in QoS Zones.
• When using Brocade Native Mode, in LKM installations, manual rekey is highly recommended. If auto rekey is desired, the key expiry date should be configured only when the LUN is created. Never modify the expiry date after configuring a LUN. If you modify the expiry time after configuring the LUN, the expiration date will not update properly.
• SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange is supported. Please refer to the Encryption Admin Guide for configuration information. If using dual SKMs on BES/FS8-18 Encryption Group, then these SKM Appliances must be clustered. Failure to cluster will result in key creation failure. Otherwise, register only one SKM on the BES/FS8-18 Encryption Group.
• For dual LKM configuration on the Brocade Encryption Switch (BES) or a DCX/DCX-4S with FS8-18 blades as the primary and secondary key vaults, these LKM appliances must be clustered (linked). Failure to cluster will result in key creation failure. Otherwise, register only one LKM on the
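
The following is an added example, not part of the release notes: a planning helper for the "cryptocfg --manual_rekey -all" restriction above, which checks whether any LUN is reachable through more than one encryption engine and, if so, produces one per-LUN command for every LUN instead of the "-all" form. The inventory layout, the field names (`ee`, `ctc`, `lun_sn`, `lun_num`, `initiator_pwwn`), the sample values and the choice of the first listed path are assumptions; only the two command forms come from the page.

```python
from collections import defaultdict

# Constructed inventory: one row per path through which an encryption engine
# (EE) reaches a LUN. Field names and values are made up for this example;
# "lun_sn" stands for whatever uniquely identifies the physical LUN.
PATHS = [
    {"ee": "slot2", "ctc": "ctc_a", "lun_sn": "SN001", "lun_num": 0,
     "initiator_pwwn": "10:00:00:00:c9:00:00:01"},
    {"ee": "slot7", "ctc": "ctc_b", "lun_sn": "SN001", "lun_num": 0,
     "initiator_pwwn": "10:00:00:00:c9:00:00:02"},
    {"ee": "slot2", "ctc": "ctc_a", "lun_sn": "SN002", "lun_num": 1,
     "initiator_pwwn": "10:00:00:00:c9:00:00:01"},
]


def group_by_lun(paths):
    """Group path rows by physical LUN identifier."""
    by_lun = defaultdict(list)
    for p in paths:
        by_lun[p["lun_sn"]].append(p)
    return by_lun


def shared_luns(paths):
    """Return the sorted LUN identifiers reachable through more than one EE."""
    return sorted(sn for sn, ps in group_by_lun(paths).items()
                  if len({p["ee"] for p in ps}) > 1)


def rekey_plan(paths):
    """Return the cryptocfg command lines to use for a manual rekey.

    If no LUN is shared between EEs, the "-all" form is acceptable.
    Otherwise emit exactly one per-LUN command for each LUN, so that a
    shared LUN is never rekeyed twice. Using the first listed path is an
    assumption of this example; the release notes do not name a preference.
    """
    if not shared_luns(paths):
        return ["cryptocfg --manual_rekey -all"]
    plan = []
    for sn, ps in sorted(group_by_lun(paths).items()):
        p = ps[0]
        plan.append("cryptocfg --manual_rekey "
                    f"{p['ctc']} {p['lun_num']} {p['initiator_pwwn']}")
    return plan


if __name__ == "__main__":
    print("LUNs shared between EEs:", shared_luns(PATHS))
    for line in rekey_plan(PATHS):
        print(line)
```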