HP 1606 HP B-series Fabric OS 6.4.1b Release Notes (5697-0886, March 2011-incl - Page 37

LUN Size Expansion consideration as an example for EVA LUNs: When an EVA LUN is

Get HP 1606 PDF manuals and user guides View all HP 1606 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 37 highlights

pairs to the same EE. This connectivity does not give full redundancy in case of EE failure resulting in HAC failover. ◦ Since the quorum disk plays a vital role in keeping the cluster in sync, configure the quorum disk to be outside of the encryption environment. • LUN configuration ◦ To configure a LUN for encryption: - Add the LUN as clear-text to the Crypto Target Container (CTC). - When the LUN comes online and the clear-text host I/O starts, modify the LUN from clear-text to encrypted, including the enable_encexistingdata option to convert the LUN from clear-text to encrypted. ◦ An exception to this LUN configuration process: If the LUN was previously encrypted by the HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the -encrypt and -lunstate ="encrypted" options. ◦ LUN configurations must be committed to take effect. No more than 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations that exceed 25 LUNs fail with a warning. There is also a five-second delay before the commit operation takes effect. Always ensure that any previously committed LUN configurations or LUN modifications have taken effect before committing additional LUN configurations or additions. All LUNs should be in an Encryption Enabled state before committing additional LUN modifications. • LUN Size Expansion consideration (as an example for EVA LUNs): When an EVA LUN is encrypted, and then needs to be expanded using HP Command View, no additional configuration is required from the Encryption SAN Switch side. However, make sure not to change the LUN size while any re-key operation is in progress. • The cryptocfg -manual_rekey -all command should not be used in environments with multiple encryption engines (encryption blades) installed in a director-class chassis when more than one encryption engine has access to the same LUN. In such situations, use the cryptocfg -manual_rekey command to manually rekey these LUNs. • If an HA Cluster is configured within an Encryption Group with containers configured for auto Failback Mode, the following procedure must be followed when upgrading from Fabric OS 6.2.x to 6.3.1x. Note that the following procedure is required only under the above-mentioned conditions. 1. Before the firmware upgrade, change the Failback Mode to manual for all containers configured as auto. Take note of which Encryption Engines currently own which containers. 2. Upgrade all nodes in the Encryption Group to Fabric OS 6.3.1x, one node at a time. 3. After all nodes have been successfully upgraded, using the notes taken in step 1, manually invoke the failback of the containers to the correct Encryption Engine using the cryptocfg -failback -EE [slot num] [slot num] command . 4. Once the manual failback completes, change the Failback Mode back to auto from manual, if it was changed in step 1. • Avoid changing the configuration of any LUN that belongs to a CTC/LUN configuration while the rekeying process for that LUN is active. If you change the LUN settings during manual or auto, rekeying or First Time Encryption, the system reports a warning message stating that the encryption engine is busy and a forced commit is required for the changes to take effect. A forced commit command halts all active rekeying processes running in all CTCs and corrupts any LUN engaged in a rekeying operation. There is no recovery for this type of failure. Encryption behavior 37

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
pairs to the same EE. This connectivity does not give full redundancy in case of EE failure
resulting in HAC failover.
Since the quorum disk plays a vital role in keeping the cluster in sync, configure the
quorum disk to be outside of the encryption environment.
LUN configuration
To configure a LUN for encryption:
Add the LUN as clear-text to the Crypto Target Container (CTC).
When the LUN comes online and the clear-text host I/O starts, modify the LUN from
clear-text to encrypted, including the
enable_encexistingdata
option to convert
the LUN from clear-text to encrypted.
An exception to this LUN configuration process: If the LUN was previously encrypted by
the HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with
the
encrypt
and
lunstate =
encrypted
options.
LUN configurations must be committed to take effect. No more than 25 LUNs can be
added or modified in a single commit operation. Attempts to commit configurations that
exceed 25 LUNs fail with a warning. There is also a five-second delay before the commit
operation takes effect.
Always ensure that any previously committed LUN configurations or LUN modifications
have taken effect before committing additional LUN configurations or additions. All LUNs
should be in an Encryption Enabled state before committing additional LUN modifications.
LUN Size Expansion consideration (as an example for EVA LUNs): When an EVA LUN is
encrypted, and then needs to be expanded using HP Command View, no additional
configuration is required from the Encryption SAN Switch side. However, make sure not to
change the LUN size while any re-key operation is in progress.
The
cryptocfg -manual_rekey -all
command should not be used in environments
with multiple encryption engines (encryption blades) installed in a director-class chassis when
more than one encryption engine has access to the same LUN. In such situations, use the
cryptocfg -manual_rekey <CTC> <LUN Num> <Initiator PWWN>
command to
manually rekey these LUNs.
If an HA Cluster is configured within an Encryption Group with containers configured for
auto
Failback Mode, the following procedure must be followed when upgrading from Fabric OS
6.2.x to 6.3.1x. Note that the following procedure is required only under the above-mentioned
conditions.
1.
Before the firmware upgrade, change the Failback Mode to
manual
for all containers
configured as
auto
. Take note of which Encryption Engines currently own which
containers.
2.
Upgrade all nodes in the Encryption Group to Fabric OS 6.3.1x, one node at a time.
3.
After all nodes have been successfully upgraded, using the notes taken in step 1, manually
invoke the failback of the containers to the correct Encryption Engine using the
cryptocfg
-failback -EE <WWN of hosting node> [slot num] <WWN of second
node in HAC> [slot num]
command .
4.
Once the manual failback completes, change the Failback Mode back to
auto
from
manual
, if it was changed in step 1.
Avoid changing the configuration of any LUN that belongs to a CTC/LUN configuration while
the rekeying process for that LUN is active. If you change the LUN settings during manual or
auto, rekeying or First Time Encryption, the system reports a warning message stating that the
encryption engine is busy and a forced commit is required for the changes to take effect. A
forced commit command halts all active rekeying processes running in all CTCs and corrupts
any LUN engaged in a rekeying operation. There is no recovery for this type of failure.
Encryption behavior
37