HP 4400 HP B-series Fabric OS 6.3.2d Release Notes (5697-1105, July 2011) - Page 39

Initial setup of encrypted LUNs, Configuring the Key Manager for FIPS Compliance

Get HP 4400 PDF manuals and user guides View all HP 4400 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 39 highlights

Remote EE Reachability : Node WWN/Slot IO Link State 10:00:00:05:1e:53:77:80/0 10:00:00:05:1e:53:b7:ae/0 EE IP Addr EE State 10.32.53.107 10.32.53.105 EE_STATE_ONLINE EE_STATE_ONLINE Non-Reachable Non-Reachable • SKM FIPS Mode Enablement FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM user guide, "Configuring the Key Manager for FIPS Compliance" section. NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during the initial SKM configuration, before any key sharing between the switch and the SKM occurs. • SKM dual node cluster - Auto failover considerations: In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM nodes are always available and online for proper key archival. If one of the SKM nodes fails, you cannot use the configuration to create new keys. In other words, adding new targets or LUNs to the encryption path will not work until both the SKM nodes are available. However, there will not be any issue for retrieving keys or using the existing setup as long as one SKM node is available. The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults is down, the key creation fails because of the hardening check failure. As a result, the new key creation operation will not function. For Key retrieval, this is not the requirement and any one Key Vault being online will get the Key as long as that Key Vault has the Key. Initial setup of encrypted LUNs IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence. NOTE: When configuring multipath LUNs, care should be taken to add LUN 0 on all of the paths, subject to the following considerations: • If LUN 0 presented by the back-end target is a controller LUN (not a disk LUN; that is, not visible in the discoverLUN output), add LUN 0 to the container as a clear text LUN. Make sure all of the paths have this LUN 0 added for MPIO operation (EVA configuration, for example). • If LUN 0 presented by the back-end target is a disk LUN, LUN 0 can be added to the container either as clear text or encrypted (MSA configuration, for example). • For HP-UX, LUN 0 can appear as 0x0 or 0x400, but both of them are LUN 0 only and should be treated alike. HP B-series Fabric OS 6.3.2d Release Notes 39

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
Remote EE Reachability :
Node WWN/Slot
EE IP Addr
EE State
IO Link State
10:00:00:05:1e:53:77:80/0
10.32.53.107
EE_STATE_ONLINE
Non-Reachable
10:00:00:05:1e:53:b7:ae/0
10.32.53.105
EE_STATE_ONLINE
Non-Reachable
SKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM user guide,
Configuring the Key Manager for FIPS Compliance
section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if FIPS enablement is required, HP strongly recommends that it be performed during
the initial SKM configuration, before any key sharing between the switch and the SKM occurs.
SKM dual node cluster - Auto failover considerations:
In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM
nodes are always available and online for proper key archival. If one of the SKM nodes fails, you
cannot use the configuration to create new keys. In other words, adding new targets or LUNs to
the encryption path will not work until both the SKM nodes are available. However, there will not
be any issue for retrieving keys or using the existing setup as long as one SKM node is available.
The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key Vaults
in the SKM Cluster before the key gets used for encryption. In the event that one of the SKM vaults
is down, the key creation fails because of the hardening check failure. As a result, the new key
creation operation will not function. For Key retrieval, this is not the requirement and any one Key
Vault being online will get the Key as long as that Key Vault has the Key.
Initial setup of encrypted LUNs
IMPORTANT:
While performing first-time encryption to a LUN with more than one initiator active at the time, rekey
operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence.
NOTE:
When configuring multipath LUNs, care should be taken to add LUN 0 on all of the paths, subject to
the following considerations:
If LUN 0 presented by the back-end target is a controller LUN (not a disk LUN; that is, not visible
in the
discoverLUN
output), add LUN 0 to the container as a clear text LUN. Make sure all of
the paths have this LUN 0 added for MPIO operation (EVA configuration, for example).
If LUN 0 presented by the back-end target is a disk LUN, LUN 0 can be added to the container
either as clear text or encrypted (MSA configuration, for example).
For HP-UX, LUN 0 can appear as 0x0 or 0x400, but both of them are LUN 0 only and should be
treated alike.
HP B
series Fabric OS 6.3.2d Release Notes
39